December 2022

A recent Threat Pulse research report from NCC Group found that the highest number of Distributed Denial of Service (DDoS) incidents between January and September 2022 took place in the month of September. This represented a 14% increase and a total of 2,090 DDoS attacks. Ransomware attacks, meanwhile, were down 7% from the previous month with Lockbit 3.0 (30%), Black Basta (13.3%), and BlackCat (12.8%) remaining the most prevalent threat actors. Lockbit has been the most active group for every month of the year.  

Sector-wise, all areas experienced a high volume of attacks. But Industrials (34%) were the most attacked vertical, followed by Consumer Cyclicals (18%), Healthcare (10%), and Technology (8.5%). The geographical distribution of attacks showed no surprises: North America suffered 84 attacks (45%), making it the most targeted region. Europe was next with 27%, then Asia with 14%. 

Interestingly, ransomware attacks overall were found to be 50% lower than a year before. It seems likely, therefore that 2021 will remain the highest year on record – unless there is an unprecedented upsurge in ransomware to end the year.  

 Shift of Tactics  

Make no mistake. Ransomware remains a potent threat. But stepped-up law enforcement efforts, better international legal collaboration, and organizations deploying a raft of ransomware protection solutions probably combined to lessen its impact.  

The bad guys may be criminals, but they are not fools. They know what is going on. Thus, they have adjusted their tactics by increasing the volume of DDoS and launching more targeted ransomware campaigns. More than likely, 2021 was a freak year. Due to the success of ransomware in 2020, just about everyone among the cybercriminal gangs decided to get in on the act. Entire cybercrime supply chains formed up to facilitate ransomware. Lots of little outfits would probe enterprises for weaknesses. They would get a finder’s fee for passing on the details of a ripe target. More organized groups would then execute the ransomware attack and seek to collect the funds. Ransomware as a Service, too, emerged. Criminal developers created kits that could be sold to people with little or no computing experience. These developers got a cut of every successful extortion scheme.  

But the unprecedented funds raised through ransomware let to a glut in the market in 2021. Hence, the downturn in 2022. That doesn’t mean ransomware will go away. It is expected to remain an important part of the cybercrime toolkit for some time to come. But stronger defences against it mean that the bad guys will turn to tried and tested means of breaking into enterprise IT systems.  

They will scan networks looking for server, website, operating system (OS) and application vulnerabilities. They will scour the web for unpatched systems. When they find them, they will exploit them relentlessly. Bad actors know that items on the Common Exposure and Vulnerabilities (CVE) list remain weak spots in many organizations. Despite these threats being publicized broadly and patches and remediation steps being clearly laid out, a great many organizations fail to act. There are many cases on record of vulnerabilities remaining unremedied years after the issuance of a patch. We have known about Log4j, for example, for a year now yet it is still being exploited. Similarly, the Heartbleed exploit from 2014 remains something that the bad guys can exploit in some businesses.  

Syxsense Protection 

Syxsense Enterprise offers comprehensive vulnerability management, remediation, and patch management. It intelligently distributes patches with the click of a button without tying up bandwidth across the enterprise. It does this automatically, using technology that is designed to send software and patches across the wire once, using peer-to-peer within the network for local distribution.  

Further features include:  

• Patch supersedence addresses the fact that vendors sometimes include older updates in current patches. Therefore, if a company is deploying patches sequentially, it can place the new patch at the end of the queue and not deploy it immediately while it takes care of the oldest patches. However, the new patch a) may be higher priority, and b) includes the old patch in any case. The patch supersedence features of Syxsense would deploy the new patch and not the old one.  
• Patch Roll Back: The last thing you want is for an update to cause incompatibilities in other systems. That’s why software vendors and IT departments conduct testing to ensure patches are benign. But despite the precautions, faulty patches can occasionally happen. Syxsense includes a patch roll back feature that allows you to return your systems to the state that existed before the implementation of the new patch.  
• Testing and release within three hours: Hackers and cybercriminals move fast. There is no time to lose in installing patches. Within a couple of hours of a patch being released, Syxsense has tested it, validated it, and has it ready for distribution.  
• Automation: With hundreds or even thousands of endpoints to manage, manual patch distribution is too slow. Syxsense is fully automated to ensure critical patches are implemented right away. There is no need to formulate scripts, hop from one screen to another, or manually push out patches to various destinations.  

For more information, visit www.syxsense.com

Application Programming Interfaces (APIs) have become ubiquitous in IT. There are now more than 400 billion API calls per month. They enable applications to interact and systems to connect with external services.  

Think about the many layers of the networking stack. It begins with the physical layer and then there are additional layers dealing with different aspects of computing and interaction. Above them all are the APIs. They usually harness the HTTPS protocol to communicate or relay requests and responses. Thus, APIs are the glue that bring software elements together. In the cloud, they connect the client and the provider.  

But popularity usually creates other problems. Nobody bothered much with malware for Apple platforms until the company rose to dominance in the 2000s. Until then, almost all viruses were squarely aimed at Windows as it accounted for an overwhelming majority of all PCs and laptops. Once you reach a certain size or level of market penetration, though, cybercriminals are likely to take notice. In the case of APIs, getting close to half a trillion calls a month certainly warrants attention.  

The State of API Security  

API security has not been a topic of lengthy conversation until recently. APIs were thought of as something happening in the background – a relatively minor aspect of overall IT infrastructure. Due to their lack of stature, they haven’t received the attention they deserve from developers with regard to overall security.  

In some ways, this isn’t too dissimilar to the way applications were developed. Until quite recently, developers created their apps and then security features or patches were added after the fact. It has only been in the last few years with rampant data breaches and ransomware that we have seen the appearance of DevSecOps and other movements that aim to make applications more secure from the very early stages of their creation. The goal is to bake in security rather than cobble it on at a later point once use in the real world exposes its vulnerabilities.  

APIs have been late to the party. They have been somewhat neglected as a potential weak point in organizational defenses. And the bad guys are onto it.  

APIs, after all, are what expose services to the outside world. And they can be compromised. Common problems include vulnerabilities within the APIs themselves, misconfiguration issues, lax access controls that allow APIs to share too much information, personally identifiable information (PII) being exposed via APIs, and in general, not getting APIs enough attention from security tools. No wonder hackers have learned different ways they can use to exploit insecure APIs as a means of compromising systems or stealing data.  

Safeguarding APIs  

There are several steps that organizations should take to safeguard the APIs they utilize:  

1. Add API security best practices to internal development efforts so you don’t perpetuate the API insecurity challenge.  
2. Inventory all APIs in use: Due to the prevalence of APIs in just about every aspect of IT operations, few organizations have a good idea of the many ways their applications are touched by APIs. What is needed is a complete API inventory. Only by possessing such an inventory does it becomes possible to spot misconfigured, insecure, or unprotected APIs.  
3. Reveal how access controls interact with APIs to determine whether they reveal too much information by inspecting API gateways and the micro-services involved.  
4. Ensure APIs are configured to prevent exposure of PII and to prevent violations of the many privacy regulations that apply.  
5. Monitor how APIs are consumed to detect abnormal behavior or potential abuse.  
6. Adopt sensible safeguards to keep the organization secure such as mobile device management, patch management, and vulnerability management.  

Syxsense Enterprise delivers real-time vulnerability monitoring and instant remediation for every single endpoint in your environment, as well as IT management across all endpoints. This represents the future of threat prevention as it brings everything needed for endpoint management and protection onto one console. Breaches can be detected and remediated within a single solution. Unusual activities originating from API insecurity can be spotted quickly and dealt with. The Syxsense platform can scan for all vulnerabilities on any device, block communication from an infected device to the internet, isolate endpoints, and kill malicious processes before they spread. It can automatically prioritize and deploy OS and third-party patches to all major operating systems, as well as Windows 10 feature updates. IT and security teams can use Syxsense Enterprise to collaborate on the detection and closing of attack vectors. It offers management, control, and security for any and all desktops, laptops, servers, virtual machines, and mobile devices. 

For more information, visit www.syxsense.com

Security is always in principle a conversation of trust. Do you trust the vendors providing your company with products and services? This is a question which every company should be continually evaluating and reevaluating as part of their ongoing security posture maintenance.  

Microsoft is the latest example of a company providing trust to entities, wherein that trust was abused, through no major fault of their own. As early as August 2022, a small set of accounts within Microsoft’s Hardware Developer platform began using their trusted authority to sign drivers which contained malicious code. The payload of this code has been found to effectively disable security platforms on an endpoint basis. With the endpoint security tools disabled, malware payloads can then propagate freely across an enterprise network, preparing for, and then executing on a set of commands which cryptographically lock down the contents of end user devices. The originator of the malware then sends a trigger sequence, turning the lock on the encryption mechanism, removing access to the end user, then presenting them with a ransomware demand. This ransomware has been named Cuba, after the cyber-crime organization (not related to the nation of Cuba) responsible for its dissemination.  

Malicious drivers are traditionally classified as trojan horse attacks. An end user experiences a problem with their computer. To solve the problem, they search the internet for an answer, and click a link providing a download which promises to fix a malfunctioning driver causing the original problem. Once installed, that driver then executes code providing unapproved access to the device.  

But the Cuba Ransomware is more sophisticated. Rather than relying on an end user going outside of the traditional support channels for help, the Cuba Ransomware relies on a supply chain breach, using a reasonably assumed trust which most companies give to one of the world’s largest software vendors, Microsoft, to provide their payload. They were able to do this by utilizing signing certificates stolen as part of the Lapsus$ group’s targeted attack of Nvidia back in February. These same leaked signing certificates were never removed from Microsoft’s Hardware Developer Program and were therefore available for Cuba to use in their supply chain attack.  

To read the full Cybersecurity Advisory on Cuba Ransomware released by CISA, click here.

Why You Should Care 

In the context of the Cuba ransomware event, your company can do everything correctly and still be a victim by simply installing recommended drivers from Microsoft (which is a perfectly reasonable thing to do). This is why supply chain attacks are so powerful.   

As of the writing of this article, Microsoft has removed the fraudulently signed drivers, and the accounts responsible for signing them within their Hardware Developer Program.  If no one in your organization has performed any kernel driver updates within the last few months, then this attack may not be relevant to your organization. That said, the number of companies that can definitively say that they have not performed kernel driver updates within the last 6 months is vanishingly small. Again, this is the power of supply chain attacks. That being the case, it is safe to assume that there is a non-trivial chance that your organization has had the Cuba Ransomware driver compromise imbedded somewhere in your environment.  

To their credit, Microsoft has added the affected kernel driver versions to their blacklist, which helps ensure that these malicious drivers don’t end up on your devices in the future, and existing versions are now being removed as part of standard OS patching. But, for those environments still affected, the Cuba Ransomware group has a potentially viable link into your environment which they can use to inflict severe damage to your company.  

And Cuba has been busy.  

According to the United States Cybersecurity and Infrastructure Security Agency (CISA), the Cuba Ransomware group has successfully disrupted operations at 101 organizations since August 2022, 65 of which are within the United States. From these 101 organizations, the Cuba Ransomware Group has extracted $60,000,000 dollars in extortion payments.   

How Syxsense can Help 

Syxsense can help keep your organization safe from this supply chain attack in two distinct ways. First, our vulnerability scanning tool can alert your team to existing possible Cuba related breaches using a process called indicator of compromise detection (IoC). IoC detections are small scripts that analyze configuration files, device driver versions, and other aspects of a device’s operating system to see if the OS matches a known state associated with the supply chain attack. Using these IoC’s your organization can then determine if the Cuba ransomware attack is a relevant concern to your organization.  

Additionally, Syxsense can also facilitate the standard deployment of Microsoft patches, ensuring that the latest set of patch Tuesday updates are applied to your environment universally.  

Between these two mechanisms, your organization can have confidence that the Cuba ransomware is not currently present in your environment, and that the ransomware won’t be present in the future.  

It has become increasingly apparent in recent years that more cybersecurity professionals are needed urgently. But the pace at which new people are trained is tortoise-like in comparison to the hare-like pace of cybercrime. And unlike the popular children’s story, the tortoise isn’t likely to win over a longer race. The bad guys show no signs of slowing down and appear to have the stamina to maintain the speed of malware distribution, or even accelerate it.  

But the shortage of security workers isn’t going to abate anytime soon. There are currently more than 1.1 million working in cybersecurity in the US. that may seem impressive. Yet there are currently more than 750,000 job openings with many of them unlikely to be filled for some time to come.  

Understandably, there are a great many industry initiatives ongoing to combat this staffing crisis. The White House launched a National Apprenticeship Week in November along with various supporting programs. The InfoSec Institute has stepped up its efforts to train a new workforce and reskill existing workers. These efforts aim to change alarming trends in the talent pipeline.  

For example,  computer science is being studied by 5.6% of high school students despite being offered by more than half of all U.S. high schools. We need state and local governments to incentivize schools to further incorporate (and even mandate) computer science courses. By doing so, more young people will possess a baseline of tech competencies, bolstering talent pipelines. 5.6% may be shockingly bad, yet it is up from 4.7% only a year ago. Clearly, progress is being made, but not at the speed necessary to fill the cyber-skills chasm.  

Further efforts include the development of industry career paths that go beyond the traditional focus of degrees. This includes Community College programs and training people on industry credentials to take up entry level positions in cybersecurity.  

Hiring practices, too, are being asked to change their usual requirements. Almost every entry-level position in cybersecurity demands a degree in IT or security. Many also ask for certifications and several years of experience. With the current job shortage, setting the bar much too high may be one big reason for lack of applicants. The fight over unicorn candidates is one ramification of this. While bidding wars go on for a select few highly qualified and experienced individuals, the industry has a dearth of promising newcomers. It could be likened to all NBA teams fighting over one superstar such as Lebron James and utterly neglecting any other standard player recruitment practices and largely ignoring new draft picks.  

The Applicant Tracking Systems (ATS) used by HR may also be contributing to the problem. These systems work primarily based on certain parameters and keywords. If someone doesn’t have X degree, or Y certificate, they are automatically excluded. Their resume is never viewed by human eyes. If they have no experience in the workforce, ATS disqualifies them. Yet sitting there might be a diamond in the rough. Should anyone take the time to peruse the resume, they would discover that the person has been developing applications since they were 10 years old, or won an award at a Black Hat conference as a teenager.  

Additional actions being encouraged are continuous training of IT staff in security and other parts of the workforce. The more certifications that existing staff obtain, the better off the industry as a whole becomes.  

Automation  

These efforts are all laudable and vitally necessary. But it becomes increasingly apparent with each passing day. That the world of security will have to get used to doing far more with far fewer people. That is where automation comes in. IT security can no longer consist of manually intensive labor or troubleshooting actions that consume hour after hour trawling through logs in an attempt to find a cybercriminal needle in the infrastructural haystack.  

Nor is it appropriate to rely on veteran staffers to gaze solve all our cybersecurity woes. Granted, there are some superstars out there who have an intuitive ability to zero in on the root cause of security issues. But dependence on the few only plays into the hands of the criminal fringe. These talented individuals may soon be up for retirement. They are likely to be headhunted by other organizations overly focused on attracting unicorns. In any cases, as IT and multi-cloud environments grow in size and complexity, there are just too many inputs, too many logs, and too many workloads to manage security threats manually.  

It takes end-to-end automation to take care of modern IT security. Such automation not only encompasses detection of potential issues. It must also address remediation. Syxsense provides security services that automatically take care of functions such as endpoint management, mobile device management, patch management, vulnerability scanning, and remediation. In patch management, for example, Syxsense guarantees to test and critical patches within four hours of their release. It automatically deploys patches based on a priority system to safeguard all organizational systems and devices by providing the correct updates and patches. And it provides end-to-end integrated automation a cross its suite of endpoint and security management tools.  

For more information, visit www.syxsense.com

The insurance industry is in somewhat of a crisis. Home insurance rates have climbed. Providers are pulling out of the market in some parts of the country. Flood insurance, too, is a major issue. It is mandated in many coastal and floodplain areas, yet insurance carriers are often reluctant to award it due to the risk of high-volume payouts.  

Similarly in cyber insurance, premiums are rising sharply. Some companies are even being told they don’t qualify (or no longer qualify). A survey by Delinea of 300 US-based IT decision makers revealed one of the reasons for the challenges many face in obtaining affordable cyber insurance: nearly 80% of companies have had to use their cyber insurance at least once already, and more than half have used it multiple times.  

While 40% said risk reduction was the main reason for applying for cybersecurity insurance, and 33% of respondents claimed it was also due to requirements from executive management and Boards of Directors. Another 25% cited recent ransomware incidents as a primary decision driver. Other drivers behind applications for cyber insurance included business contract requirements (24%) and having suffered a data breach (17%).  

The report also demonstrated that cyber insurance has now become ubiquitous. Many companies have leveraged coverage more than once. That’s one of the reasons why the insurers are becoming more hesitant and choosier. They are covering less, asking for more, and making it more difficult for companies to receive comprehensive coverage. Only 30% of organizations confirmed their policies covered critical risks such as ransomware, ransom negotiation, and decisions on ransom payment. About 48% indicated their policy covered data recovery. A third said it covered incident response, regulatory fines, and third-party damages. 

Tough Requirements  

The report highlighted the fact that insurers are getting tougher to please. More and more, they require organizations to implement a broader set of security controls. By forcing organizations to adopt tougher layers of security, they seek to reduce the number of customers needing payouts from their cyber-policies. 51% said their insurer required that they implement cybersecurity awareness training and another 47% were required to have malware protection, antivirus software, multi-factor authentication (MFA), and to comprehensively backup their data. 42% had to acquire Privileged Access Management solutions to meet cyber-insurance requirements.  

Although about 93% of applicants are approved for coverage, the number receiving comprehensive coverage for everything has dwindled sharply. Gone are the days when insurers happily signed off on wide-ranging coverage. They got burned too much by surges in the number of claims due to the latest strain of malware such as Log4j or the latest rash of ransomware outbreaks. That’s one of the big reasons why 75% of respondents said that their cyber-premiums increased in their last renewal. 

Not only were their monthly payments hiked up, but they also faced far greater scrutiny from potential insurers. They wanted to know every detail of their security posture, their risk profile, and areas of potential vulnerability. Some of this was used as grounds for refusal of cyber insurance. In other cases, these assessments by insurers led to demands to implement a variety of different security tools.  

Any prospective cyber insurance policy holder, and anyone coming up for renewal, therefore, is advised to carefully assess their security basics before applying. Things like lack of comprehensive backup, inadequate patch management, and a lack of vulnerability management tools could form immediate grounds for refusal.  

 Get ahead of the game by implementing Syxsense Enterprise. It provides automated tools to help meet the standards required by cyber insurance providers. It offers access to real-time data and device monitoring so security personnel have access to live, accurate information on the existing security picture, potential vulnerabilities, the state of patch management, mobile device security, and more. It helps IT to keep BYOD and company-issued devices secure from threats in remote, hybrid, or roaming work models. And it provides a way to enforce security standards, install and delete applications, set auto update policies, deploy patches automatically, and remotely lock, reset, and wipe mobile devices. It also helps satisfy underwriter demands for higher levels of automation in the enterprise before they approve new cyber insurance policies.  

Why face steeper premiums or even cyber insurance rejection? Implement Syxsense Enterprise today.