News – Security Intelligence https://securityintelligence.com
Analysis and Insight for Information Security Professionals
Feed last updated: Mon, 16 Sep 2024 15:18:27 +0000

The rising threat of cyberattacks in the restaurant industry
https://securityintelligence.com/news/rising-threat-cyberattacks-restaurant-industry/
Mon, 16 Sep 2024 13:00:00 +0000

The restaurant industry has been hit with a rising number of cyberattacks in the last two years, with major fast-food chains as the primary targets. Here’s a summary of the kinds of attacks that have struck this industry and what happened afterward.

Data breaches have been a significant issue, with several large restaurant chains experiencing incidents that compromised the sensitive information of both employees and customers. In one notable case, a breach affected 183,000 people, exposing names, Social Security numbers, driver’s license numbers, medical information, credentials, health insurance information and other financial data. Another attack compromised employee data, including names and driver’s license numbers, though it did not affect store operations or customer data.

Ransomware attacks have also become increasingly common, particularly in the food and agriculture sectors. One significant incident resulted in the temporary closure of nearly 300 restaurants in the UK for a day. These ransomware attacks often target industries with discoverable security lapses.

In addition to these, some breaches have involved unauthorized access to employee email accounts. In one such incident, attackers accessed two employee email accounts, affecting a small number of people.


The impact of cyberattacks on restaurant chains

The impact of these cyberattacks on restaurant operations has varied. Some have caused temporary corporate operation disruptions and systemwide tech outages affecting digital ordering, while others have led to brief closures of physical locations. The compromised data often includes employee information, such as names, Social Security numbers and driver’s license numbers, as well as financial information. In response, affected companies typically notify those impacted, offer credit monitoring or identity theft protection services, implement incident response plans and engage cybersecurity experts and law enforcement to restore and secure systems.

Legal consequences have also arisen, with some companies facing class-action lawsuits.

One major trend is the rise of digital payments for restaurant transactions — some 80% of transactions are now digital — which means restaurants hold more digital customer data and other sensitive information.

As in other industries, these attacks show increasing sophistication and frequency, and mostly take the form of phishing, ransomware and credential harvesting. They often target employee email accounts and point-of-sale (POS) systems, exploiting the high turnover and low cybersecurity awareness among restaurant staff.

Costs for restaurant breaches are rising and can also lead to reputational damage, operational disruptions, loss of customer trust and legal penalties.

While attacks on the big-chain restaurant companies get all the press, smaller restaurant organizations are even more vulnerable: they are more likely to lack the resources and expertise of the bigger chains and often rely on consumer-grade security tools, which are not up to the task of protecting against major threat actors.

Guidelines to stay safe

Restaurants of all sizes should adhere to the following menu of guidelines for protecting against such attacks:

It’s reasonable to assume that restaurants and food-based enterprises will continue to be targeted for cyberattacks over the next few years, with the costs of breaches continuing to rise. It’s far better to invest in advance so you don’t get burned.

The post The rising threat of cyberattacks in the restaurant industry appeared first on Security Intelligence.

DHS awards significant grant to improve tribal cybersecurity
https://securityintelligence.com/news/dhs-awards-significant-grant-improve-tribal-cybersecurity/
Wed, 11 Sep 2024 13:00:00 +0000

The Department of Homeland Security (DHS) has awarded $18.2 million in grants through the Tribal Cybersecurity Grant Program to boost cybersecurity defenses among Native American Indian Tribes. The program takes a big step in addressing the unique digital threats faced by tribal communities — a dedicated effort to improve cybersecurity infrastructure across these regions.

The $18.2 million grant is just one component of DHS’s broader strategy to enhance national cybersecurity. Administered by the Federal Emergency Management Agency (FEMA) in partnership with the Cybersecurity and Infrastructure Security Agency (CISA), the Tribal Cybersecurity Grant Program aims to provide tribes with the tools they need to assess cybersecurity risks, implement effective solutions and strengthen their overall cyber defenses.

Distributing $18.2 million: Expectations and guidelines

The grant money comes with specific expectations and guidelines for any tribe receiving it, which include:

  • Conduct risk assessments: Identify and assess cybersecurity threats and vulnerabilities within tribal networks and infrastructure.
  • Implement cybersecurity solutions: Use the funds to deploy advanced cybersecurity technologies and solutions tailored to the tribe’s specific needs and operations.
  • Enhance cyber defenses: Improve cybersecurity posture by developing robust defense mechanisms against cyber threats.
  • Training and awareness: Invest in cybersecurity training and awareness programs to educate tribal members and IT staff about best practices, emerging threats and basic security principles.

When tribal communities adhere to these guidelines, they are in a better position to build a more resilient cybersecurity framework and protect their digital assets and critical data from malicious actors or any internal misconfigurations.

A historical perspective on federal policy

While this $18.2 million grant is a milestone for the country, it’s important to look back at the historical context of federal support for Native American tribes.

Throughout the 19th and 20th centuries, the federal government’s policies swung between assimilation and support — an inconsistency that created a turbulent relationship between Native Americans and the federal government.

Many initiatives and policies aimed at supporting Native American communities were underfunded, which hindered the effectiveness of programs initiated by the Bureau of Indian Affairs (BIA) and other federal entities.

Continuous lack of adequate financial support from the federal government hampered efforts to improve conditions on reservations, including education and health services.

This background is important to understand the complexities and challenges in the relationship between Native Americans and the federal government, particularly in the context of funding and support. Federal investments in tribal nations have been sporadic and frankly insufficient to meet the growing technological needs, which has understandably created long-lasting impacts on Native American communities.

In recent years, however, there has been a tangible shift towards more substantial and targeted funding.

Recent federal efforts in cybersecurity

American Rescue Plan

One notable example of recent federal investment is the American Rescue Plan, which provided $32 billion to support tribal governments. The White House press release describes this plan as the “largest single financial assistance investment to tribal governments in history, which includes investments towards expanding healthcare, access to temporary housing, assistance and supportive services to survivors of domestic and dating violence, as well as supplemental funding for the StrongHearts Native Helpline, and additional funding for services for sexual assault survivors.” It also included funding for IT and cybersecurity to demonstrate the federal government’s commitment to enhancing tribal infrastructure.

$400 million was allocated to the USDA’s ReConnect program, which was created to deploy broadband to unserved areas, particularly tribal regions. The initiative aims to bridge the digital divide and ensure tribal communities have access to high-speed internet, which is crucial for a robust cybersecurity posture.

Biden administration’s efforts

The Biden administration has put forth a concerted effort to address the unique challenges faced by tribal communities. The administration’s budget proposals have consistently included provisions for improving IT infrastructure and cybersecurity among Native American tribes. The investments reflect a broader recognition of the importance of digital security in protecting tribal sovereignty and providing equal access to technological resources.

Past federal efforts in cybersecurity

Obama administration

During the Obama administration, the focus on cybersecurity began to gain traction. Initiatives such as the National Cybersecurity Protection System (NCPS) were established to provide federal support to various sectors, including tribal governments. While these programs were not exclusively geared to tribal nations, they laid the groundwork for future efforts to include tribal nations in national cybersecurity strategies.

Trump administration

In 2017, the Trump administration signed Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which focused on modernizing federal IT infrastructure and collaborating with state, local and private sector partners to secure critical infrastructure. While the order didn’t directly address tribal cybersecurity, it was a step in the direction that led to the Tribal Cybersecurity Grant Program.

Building blocks for success

To ensure the program succeeds, consistent monitoring of the implementation and impact of the grants is key. Regular assessments, clear communication and feedback loops can help identify areas for improvement and ensure that the funds are being used effectively. Most importantly, building partnerships between tribal governments, federal agencies and private sector entities will go a long way toward improving the overall cybersecurity landscape.

Federal support for tribal cybersecurity is critical, but it must also come with technical assistance and resources to help tribes navigate the complex cybersecurity landscape. By building on the foundation established by the Tribal Cybersecurity Grant Program, the federal government can continue to support the digital sovereignty and security of Native American tribes.

The DHS’s $18.2 million grant to Native American tribes is a big step towards enhancing tribal cybersecurity. Examining the historical context of federal support and the evolving landscape of IT and cybersecurity investments makes clear that this grant is important both as a milestone and as a launching point for future efforts. As tribal communities continue to navigate the complexities of an evolving threat landscape, consistent and continual federal support is crucial.

Ultimately, this program, rooted in a collaborative approach between FEMA and CISA, will hopefully provide the necessary tools and resources to strengthen tribal cyber defenses.

The post DHS awards significant grant to improve tribal cybersecurity appeared first on Security Intelligence.

ONCD releases request for information: Open-source software security
https://securityintelligence.com/news/oncd-releases-request-for-information-open-source-software/
Mon, 09 Sep 2024 13:00:00 +0000

Open-source software is a collective partnership across the development community that requires both private and public buy-in. However, securing open-source software can be tricky. With so many different people working on the code, security measures are often overlooked, increasing the chances that a vulnerability will fall through the cracks and be exploited. The Open-Source Software Security Initiative (OS3I) aims to provide governance over open-source security processes.

After the Log4Shell vulnerability, securing open-source software became a top priority for the federal government. The goals of this new initiative are:

  • Unifying the federal government’s voice on open-source software security
  • Establishing a strategic approach for the federal government’s secure use of open-source software and the broader ecosystem
  • Encouraging long-term sustained security investment in the open-source software ecosystem
  • Engaging and building trust with the open-source software community

Shortly after OS3I was launched, various government agencies, including the Office of the National Cyber Director (ONCD) and the Cybersecurity and Infrastructure Security Agency (CISA), put out a request for information (RFI) to “invite public comments on areas of long-term focus and prioritization on open-source software security.”

The White House released a summary of the RFI in August 2024. The result offers a broad list of suggestions of areas the respondents want to see prioritized to improve security across the open-source software ecosystem. Here are the top three.

1. Secure open-source software foundations

It appears that one of the top priorities for respondents is setting standards to secure the foundations on which open-source software is built. Securing legacy systems, for example, has long been problematic for developers and IT staff, so it isn’t surprising that the respondents highlighted the need for OS3I to address the security issues found in legacy code. One suggestion was to automate “legacy code translation into memory-safe code [which] would create a more secure open-source software ecosystem.”

Securing the open-source software infrastructure is also important to respondents, particularly having a government-dictated set of best practices for package repositories to ensure sustained security improvements. Other suggestions covered the standardization of software bills of materials (SBOMs) as the “bedrock requirement” and having processes in place to use tools that generate SBOMs during the build process.

The quality of open-source software is critical, especially as it is used across the software supply chain. Both the public and private sectors recognize that a strong foundation for open-source software security is a must to prevent situations like Log4Shell, and the responses in the RFI offer a clear vision of what developers see as needed to create the necessary open-source security framework.


2. Sustaining open-source software communities and governance

Respondents make it clear that they want the federal government to take the lead in the governance of open-source software communities. They want to see open-source move beyond individual volunteer maintenance to a shared responsibility model, stating that this support for the open-source ecosystem is the best way to sustain and secure projects.

Within the open-source community, there is a call for professional training opportunities and perhaps even paying independent open-source developers, which could lead to more sustainable and consistent coding models. Some respondents called for even greater oversight through a federal Open-Source Program Office (OSPO). According to GitHub, an OSPO manages an organization’s open-source operation and “is responsible for defining and implementing strategies and policies.” RFI respondents believe a federal OSPO would bring continuity of policies across the entire ecosystem.

3. Behavioral and economic incentives to secure the open-source software ecosystem

Following up on the desire to offer pay to independent developers, respondents want to go a step further and have the federal government add legal protections and governance structures, especially for software used in critical infrastructure. Funding and oversight for open-source projects should include identifying and remedying vulnerabilities found in the software.

The logical next step would be a new NIST framework, a Responsible Open-Source Software Consumption Framework, that could stand alone or be included in NIST’s existing Secure Software Development Framework.

Moving forward with securing open-source software

Now that the RFI is complete, the next step is to move forward with plans to improve the security of all technologies used by the federal government. OS3I’s action items will include advanced research and development around open-source software security and addressing RFI suggestions such as secure package repositories, further development of SBOMs and building a partnership with open-source communities.

The post ONCD releases request for information: Open-source software security appeared first on Security Intelligence.

3,000 “ghost accounts” on GitHub spreading malware
https://securityintelligence.com/news/3000-ghost-accounts-github-malware/
Wed, 04 Sep 2024 13:00:00 +0000

In the past, cyber criminals directly distributed malware on GitHub using encrypted scripting code or malicious executables. But now threat actors are turning to a new tactic to spread malware: creating ghost accounts.

A highly effective malware campaign

Check Point Research recently exposed a new distribution-as-a-service (DaaS) network, referred to as the Stargazers Ghost Network, that has been spreading malware on GitHub for at least a year. Because the accounts also perform ordinary-looking activity, users did not realize that they were engaged in malicious activity.

By targeting users who wanted to increase their followers on YouTube, Twitch and Instagram, the ghost accounts distributed malicious links through Discord channels to the GitHub repositories. Because the malicious links go to content that is starred and verified, other users assume that the repositories are legitimate. However, the high number of stars is what tipped off Check Point researchers that the accounts were suspicious.

“In a short period of monitoring, we discovered more than 2,200 malicious repositories where ‘ghost’ activities were occurring. During a campaign that took place around January 2024, the network distributed Atlantida stealer, a new malware family that steals user credentials and cryptocurrency wallets along with other personally identifiable information (PII). This campaign was highly effective, as in less than four days, more than 1,300 victims were infected with Atlantida stealer,” wrote Antonis Terefos in the Check Point Research report.

By using three GitHub accounts working together, the Stargazers Ghost Network manages to avoid detection by GitHub. The attack begins when a threat actor attaches a README.md file containing a phishing download link to an external repository’s release. One account serves the phishing repository template, while another provides the phishing image template. The third account serves the malware as a password-protected archive in a release; this is sometimes where the attack is detected and the third account banned by GitHub. When that happens, the threat actor simply restarts the attack with a new link in the first account.


Dark web payouts

As part of the investigation, Terefos also discovered another part of the scheme — using the ghost accounts to make money on the dark web. Check Point estimates that malicious activity between mid-May and mid-June 2024 earned the Stargazers Ghost Network approximately $8,000. Over its entire lifespan, Check Point estimates the scheme brought in around $100,000.

On July 8, 2023, Terefos’s team discovered that the Stargazers Ghost Network had taken out a banner advertisement on the dark web. Cyber criminals could “hire” the ghost account for a wide range of services on GitHub, including starring, following, forking and watching both accounts and repositories. The prices for these services varied, such as $10 for starring 100 accounts and $2 to provide a trusted account with an “aged” repository. In addition to ad banners, the cyber criminals also used another typical marketing tactic: discounting. Threat actors who spend over $500 with Stargazers Ghost Network can get a discount on the services.

GitHub takes action

After learning about the 3,000 ghost accounts, GitHub took action to stop the spread of malware. “We disabled user accounts in accordance with GitHub’s Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms,” Alexis Wales, Vice President of Security Operations at GitHub, told Wired. “We have teams dedicated to detecting, analyzing and removing content and accounts that violate these policies.”

However, Check Point researchers believe that they have just uncovered the beginning of the operations for Stargazer Goblin, which is the group organizing the network. The report explains that they think the universe of ghost accounts operates across many other platforms, including YouTube, Discord, Instagram and Facebook. Because these channels can also be used to distribute links and malware through posts, repositories, videos and tweets, Check Point thinks that these accounts are operating like the GitHub scheme, meaning that this is likely just the beginning of a new tactic.

“Future ghost accounts could potentially utilize artificial intelligence (AI) models to generate more targeted and diverse content, from text to images and videos. By considering targeted users’ replies, these AI-driven accounts could promote phishing material not only through standardized templates but also through customized responses tailored to real users’ needs and interactions. A new era of malware distribution is here, where we expect these types of operations to occur more frequently, making it increasingly difficult to distinguish legitimate content from malicious material,” concluded the Check Point report.

The post 3,000 “ghost accounts” on GitHub spreading malware appeared first on Security Intelligence.

Warren Buffett’s warning highlights growing risk of cyber insurance losses
https://securityintelligence.com/news/warren-buffett-warning-highlights-risk-cyber-insurance-losses/
Fri, 30 Aug 2024 13:00:00 +0000

The United States cyber insurance industry continues to see strong profits, according to Fitch Ratings. Average premium increases, meanwhile, have moderated over the last three years: While 2021 saw a 34% jump in premium pricing and costs rose 15% in 2022, increases were under 1% in 2023.

As noted by the Fitch Ratings report, “segment underwriting profitability at current levels is unsustainable as cyber insurance pricing is likely to remain flat or down going forward.” While this is good news for enterprises looking to limit the impact of cybersecurity incidents, cyber insurance providers are concerned about the uncertain costs that come with fully covering companies if networks are breached or data is compromised.

The result? Words of warning from Warren Buffett: “You may get an aggregation of risks that you never dreamt of, and maybe worse than some earthquake happening someplace.”

The problem for providers

Berkshire Hathaway is the sixth-largest provider of cyber insurance policies in the United States. And while current policies are profitable, Berkshire’s top executive Ajit Jain says that total cyber losses are often hard to pin down. “The aggregation potential can be huge,” he says. “And not being able to have a worst-case gap on it is what scares us.”

Consider recent news-making cyber incidents that led to companies worldwide facing millions (or billions) in outage costs. The scale and scope of these incidents create a potential problem for insurers. Depending on the terms of cyber insurance policies, payouts could end up significantly outpacing profitability.

Buffett’s concern is that insurance agents are rushing to sign up new commercial clients without conducting thorough cyber risk assessments, in turn putting providers in a precarious position if claims fall within the scope of policies and costs spiral out of control. He warns that even if policies have a relatively low $1 million limit, large-scale cyber events that affect hundreds or thousands of policies could cause serious problems. “You’ve written something that in no way we’re getting the proper price for,” says Buffett, “and could break the company.”

The challenge for companies

For companies, cyber insurance is now a must-have to combat the rising cost of breaches and ensure compliance with evolving government and private sector regulations.

As noted by Cybersecurity Dive, however, 80% of organizations have suffered a cyberattack that wasn’t fully covered by their policy. Research from CYE found that on average, cyber insurance policies fell $27.3 million short.

This shortfall is tied in part to growing lists of insurance exclusions. For example, if enterprises do not have adequate security controls in place or fail to follow compliance expectations, cyber insurance coverage may be null and void.

In much the same way that insurance agents are eager to sell policies, enterprises are eager to obtain coverage. As a result, both providers and purchasers may find themselves faced with an insurance gap, one that isn’t easy to quantify, track or manage.

Doubling down on due diligence

For enterprises to find effective coverage and insurers to reduce the risk of spiraling costs, both sides need to double down on due diligence.

Consider the case of organizations facing a sudden cloud outage. If the issue isn’t tied to a security breach, the costs may be covered under their general insurance, rather than requiring a separate cybersecurity policy. Understanding the difference between unexpected IT events and security-driven issues can help organizations address potential security shortcomings before they purchase new policies.

When it comes to cyber insurance providers, meanwhile, clarity is critical. During a recent White House summit, big tech, infrastructure and insurance providers met to discuss the challenge of creating a more secure business landscape. According to Cybersecurity Dive, three recommendations emerged from the event: Insurers should be clearer about the expectations of security standards, provide an actionable list of security practices and offer companies something in return for engaging with new behavioral and procedural standards.

Bottom line? There are challenges on both sides of cyber insurance. To reduce risk and minimize loss, providers and purchasers need to meet in the middle with policies that clearly spell out obligations and fully disclose payout policies.

The post Warren Buffett’s warning highlights growing risk of cyber insurance losses appeared first on Security Intelligence.

New CISA guidance for organizations adopting Single Sign-On
https://securityintelligence.com/news/cisa-guidelines-organizations-adopting-single-sign-on/
Wed, 28 Aug 2024 13:00:00 +0000

The post New CISA guidance for organizations adopting Single Sign-On appeared first on Security Intelligence.


The Cybersecurity and Infrastructure Security Agency (CISA) recently conducted a comprehensive study of various small and medium-sized businesses to help identify common challenges and opportunities associated with Single Sign-On (SSO) adoption.

SSO has garnered considerable chatter across several industries, especially regarding its ability to improve security while extending a certain level of convenience to employees using this protocol. However, it hasn’t yet been widely adopted as a best practice standard. Some businesses rave about SSO’s security benefits, while others are skeptical of its value and concerned about the costs.

In 2024, CISA released a report summarizing the viewpoints of multiple SSO vendors and customers while providing recommendations to help companies overcome the common barriers to implementing more secure SSO policies in their organizations.

What is Single Sign-On (SSO), and why is it important?

Single Sign-On (SSO) has gained traction in various industries since the early 2000s, although not all businesses widely understand its practical application. SSO is a centralized authentication protocol that gives users access to multiple applications or systems using a single set of credentials.

By working with a chosen SSO provider, businesses can have their employees use one central login that verifies their identity and gives them access to a set number of authorized applications rather than needing to have employees remember multiple usernames or passwords.

Businesses gain significant convenience from this type of solution, but its security benefits are even more pronounced. Because SSO eliminates the need to create and remember multiple credentials, it significantly reduces the risk of password fatigue, where employees reuse credentials across platforms and weaken security as a result.

With SSO in place, organizations can harden their security practices by mandating stronger password requirements, enforcing the use of multi-factor authentication (MFA) and administering all of their access controls centrally.

What are the common barriers to SSO adoption?

When polling various third-party vendors and organizations, CISA identified common barriers associated with SSO adoption. Some of these barriers include:

Financial constraints

As with all security initiatives, SSO requires a certain level of financial investment to establish itself. This can be a difficult cost of entry for smaller businesses with more limited budgets.

Since some organizations still don’t fully recognize or accept the importance of SSO adoption, it is often viewed as an additional “expense” rather than as a long-term investment. In practice it can lead to cost savings, since it helps to maximize productivity while minimizing the chances of a costly data breach.

Lack of technical expertise or resources

Depending on the size of the organization, SSO implementation and management can require varying levels of technical expertise, which may not be immediately available in-house. Deploying an SSO solution can involve configuring various applications and third-party tools, which takes time and resources to manage.

Misconceptions about the complexity or relevance of SSO

One of the largest barriers to adoption is that organizations need to be more aware of how relevant SSO is to their business. Many underestimate their current security risk when they trust employees to manage a diverse set of login credentials across multiple platforms and applications.

According to a LastPass report, only 3 in 10 employees actually set strong enough passwords for their work accounts. This is hard to police, since many organizations make it a point not to let their employees share their credentials with anyone. Other businesses overestimate the effort it takes to set up SSO in their organization and abandon the idea altogether.

Misalignment between SSO vendors and SMB needs

SSO implementations are believed to provide the most value to large enterprises with hundreds or even thousands of employees.

This demand has created a certain amount of segmentation in the market, with many SSO vendors primarily catering their services (and pricing models) to larger businesses. This has made SSO solutions less affordable for SMBs and has left them with limited options for more flexible deployments.

CISA’s recommendations to improve SSO adoption rates

CISA’s study revealed an apparent disconnect between SSO vendors’ perceptions of what the business market needs and their customers’ actual experiences. While SSO vendors have traditionally focused on providing solutions with a comprehensive list of features and services, they haven’t always considered how to make their solutions more approachable for businesses of all sizes.

In an effort to help bridge this gap and improve SSO adoption rates, CISA has offered recommendations to both SMBs (small and medium-sized businesses) and third-party vendors.

Recommendations for SMBs

  1. Conduct a thorough needs assessment: Businesses should complete a thorough needs assessment before deciding whether or not an SSO solution is appropriate for their organization. This includes identifying the number of applications in use, the number of users and the desired level of security readiness, which helps determine the appropriate type of SSO solution.
  2. Prioritize affordability and scalability: To ensure long-term adoption of SSO, organizations should look for more flexible pricing options, including subscription- or usage-based solutions. This ensures the solution can adapt and grow along with the organization and prevents costly replacements down the road.
  3. Get vendor support and training: Businesses should make SSO training a priority and work with vendors that offer clear documentation and support for their solutions. This can also include running a pilot SSO implementation to test the solution’s effectiveness while training staff on best practices for its use.

Recommendations for third-party vendors

  1. Unbundle SSO and offer more tailored solutions: Third-party vendors should consider decoupling their basic SSO services, allowing smaller businesses to purchase only the features they need. This helps to lower costs and ensures each organization maximizes the value of its investment.
  2. Provide flexible licensing options: SSO providers should begin offering more flexible user seat thresholds and licensing options. This includes the potential for managed service providers or smaller business groups to pool their licensing, accommodating the varying sizes and unique requirements of smaller organizations with limited budgets.
  3. Improve support and training materials: Vendors should start prioritizing the development of clear, accurate support materials to provide adequate training resources to businesses. User-friendly guides and responsive technical support are critical to help ensure long-term SSO adoption in businesses, especially post-implementation.

CISA’s guidance on SSO adoption is a timely reminder for third-party vendors and business organizations not to devalue its importance. By working together, vendors and their clients can increase the rate of SSO adoption while improving the overall security posture of all organizations.

Cybersecurity apprenticeships to come with new Senate bill
https://securityintelligence.com/news/cybersecurity-apprenticeships-new-senate-bill/
Mon, 26 Aug 2024 13:00:00 +0000

The post Cybersecurity apprenticeships to come with new Senate bill appeared first on Security Intelligence.

On July 25, 2024, new legislation was introduced by United States Senators Jacky Rosen and Marsha Blackburn. This Senate bill, labeled the Cyber Ready Workforce Act, is intended to provide financial support through government grants to help create and expand the availability of cybersecurity apprenticeship programs across the country.

The bill outlines new guidelines for the U.S. Department of Labor on providing financial support to approved organizations registering new apprenticeships, while also tasking the Department with coordinating between employers and training providers to maximize the efficiency of their programs.

Why was the Cyber Ready Workforce Act created?

Currently, there are over half a million open cybersecurity jobs in the nation. While minor progress has been made in reducing the cybersecurity staffing shortage crisis over the past few years, states like California, Texas and Virginia have tens of thousands of unfilled cybersecurity jobs.

Many of these employment gaps are due to how quickly the cybersecurity landscape has shifted over the last few years. With cyber threats evolving every day, primarily driven by advancements in next-generation technologies, organizations find it much harder to source applicable skills during their recruitment efforts.

According to the Cybersecurity Supply and Demand Heat Map provided by Cyberseek, some of the largest gaps that exist in the sector are centered around oversight and governance, design and development, and protection and defense. For example, between May 2023 and April 2024, there were over 139,000 gaps present in systems authorization skills, over 125,000 gaps in data analysis skills and over 85,000 gaps in vulnerability analysis skills.

The introduction of the Cyber Ready Workforce Act promises to help shift this narrative by making cybersecurity training and certification programs more accessible to everyone.

What are the expectations and requirements for seeking grant approvals?

The Cyber Ready Workforce Act outlines several guidelines on how organizations can seek approval for receiving grants toward cybersecurity apprenticeships. Below is a summary of those guidelines.

Eligible workforce intermediaries

Grant funding will be available to both public and private sector entities that fall into one of the following eligible categories:

  • Business or industry organizations
  • Community-based organizations
  • State or local workforce boards
  • Postsecondary education institutions
  • Joint labor-management partnerships
  • Institutions of higher education
  • Nonprofit organizations

It is welcome news that the grant provision has been extended to encompass both public and private sector organizations. According to RAND Corporation, salaries in the private sector tend to be considerably higher than in the public sector, with a 20-35% average difference, and roles like computer and information research scientists are compensated 47% more on average.

This new provision afforded by the Cyber Ready Workforce Act will help provide the financial support necessary for organizations to raise the skillsets of their cybersecurity workforce, helping to close the gap in compensation brackets across multiple roles.

Specific program requirements

The new legislation outlines requirements for the Department of Labor regarding what should be considered grant-worthy program activities. These include:

  • Technical instruction, workplace training and industry-recognized certification in cybersecurity
  • Certifications in CompTIA Network+, CompTIA A+, CompTIA Security+, Microsoft Certified System Administrator, Certified Ethical Hacker or other industry-recognized certifications
  • The encouragement of stackable and portable credentials
  • Training for occupations in computer support, cybersecurity, cloud computing, programming, systems analysis and security

How funds need to be used

Regarding fund allocations, grant approvals will stipulate an 85/15 split, with the majority of funds being used in the planning and executing of apprenticeship programs and a small portion of funds being used for supporting elements.

Below is how this split is defined.

85% of grant funding should be allocated to:

  • Development and technical support for apprenticeship registration and assisting employers
  • Developing curricula and technical instruction in cooperation with local businesses and organizations
  • Providing support services to apprentices, such as career counseling, mentorship and assistance with transportation, housing and childcare

15% of grant funding may be allocated to:

  • Marketing apprenticeships to employers and secondary school administrators
  • Recruiting potential apprentices, including underrepresented populations, youth and veterans
  • Connecting and collaborating with other workforce intermediaries to share best practices and resources

Looking to the future

In support of this new bipartisan legislation, Senator Jacky Rosen (D-NV) stated, “As the cybersecurity industry grows and cyber threats become more common, we need to ensure we have the workforce with the training and skills necessary to fill jobs in this critical sector.”

Referencing the new Senate bill, Rosen also stated that it would “help fill gaps in our cybersecurity workforce through a new grant program that will support Registered Apprenticeships and technical skills training in this field. It’ll open the door to more good-paying, cutting-edge jobs for Nevadans and all Americans, including for those without a college degree.”

Protecting your data and environment from unknown external risks
https://securityintelligence.com/news/protecting-data-environment-from-unknown-external-risks/
Wed, 21 Aug 2024 13:00:00 +0000

The post Protecting your data and environment from unknown external risks appeared first on Security Intelligence.

Cybersecurity professionals always keep an eye out for trends and patterns to stay one step ahead of cyber criminals. IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers manage these often unknown and unexpected risks, which are frequently outside of their control, the team created Cyber Exposure Insights Services.

I recently sat down with Kevin Albano, Associate Partner with IBM X-Force, to learn more about this new managed services offering.

Tell us how IBM X-Force Cyber Exposure Insights Services works.

Albano: With IBM X-Force Cyber Exposure Insights Services, the team first holds a kickoff meeting with the client to learn what matters most to the organization and about their external digital risks. We also ask about keywords and key phrases that expose their organization, such as domain names, IP blocks and email addresses. Next, we begin basic monitoring for potential external threats. If there’s an instance of a fraudulent website or a brand impersonation, then we can work with providers to take down the impersonation sites, which protects the organization’s brand reputation.

We started this service over a year ago in the Americas and Europe. Now, we are offering this service more consistently and are excited to amplify the successes we’ve already seen.

Can you share an example of how IBM X-Force Cyber Exposure Insights Services protected an organization?

Albano: With one organization we protect, we identified a fraudulent website before there was an attempt at fraud and had it taken down. Because we were looking for websites that were like our client’s official website, we detected threat actors creating the domain and hosting URL. We then contacted the domain registrar and hosting provider before the threat actors launched the website.

How do clients benefit from using IBM X-Force Cyber Exposure Insights Services?

Albano: One of the biggest benefits that our customers tell us about after using our services is that they have assurance that their data and their clients’ data is protected. We also see that our clients see a reduction in the number of notifications of credential issues or fraudulent websites because we are proactively resolving issues. When they know about a potential issue ahead of time, the company can manage identity and access controls in a more internal way.

Resources are always a big challenge with cybersecurity. How does IBM X-Force Cyber Exposure Insights Services help with resource management?

Albano: Before using IBM X-Force Cyber Exposure Insights Services, our clients typically used a portal to update keywords and manage notifications, which takes a lot of time and resources. With IBM X-Force Cyber Exposure Insights Services managing the indications of the keywords, our clients are able to use those resources in other ways.

Through monthly meetings, we go over all keywords and operations review practices to make sure that our efforts are best protecting the client’s environment. Our team works with both sides of the business — business and technical — to help the organizations understand both the cybersecurity and business perspective, which helps us better protect their brand.

Do you have any other thoughts to share on your team’s managed services offerings?

Albano: As an organization and even as individuals, we have to manage our online risk and exposure. More than ever today, as both a society and a community, we have to be conscious of what we put online. Each of us needs to realize how others can use data and information, both for good and for malicious purposes.

To learn how IBM X-Force can help you with anything regarding cybersecurity, including incident response, threat intelligence or offensive security services, schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

National Public Data breach publishes private data of 2.9B US citizens
https://securityintelligence.com/news/national-public-data-breach-publishes-private-data-billions-us-citizens/
Mon, 19 Aug 2024 13:00:00 +0000

The post National Public Data breach publishes private data of 2.9B US citizens appeared first on Security Intelligence.

Billions of people’s data was published on the dark web around April 8, 2024 — from a single breach of National Public Data. However, many of the victims are still unaware of their exposure because they have yet to receive a notification or statement from the company.

Recently, one of the victims filed a class action lawsuit after learning that their data was breached when they received a notification from an identity theft protection service provider. What will this mean for people whose data was unknowingly sold on the dark web?

What happened in the National Public Data breach?

National Public Data, owned by Jerico Pictures, Inc., is a Florida-based background check business that collects consumer data. The consumers included in National Public Data’s databases did not consent to giving their data to the company.

According to the lawsuit filed by Christopher Hofmann, a cyber criminal group called USDoD posted a database containing the private data of 2.9 billion U.S. citizens, including full names, Social Security numbers and addresses, on the dark web. The data also included information about the individuals’ relatives. One of the unique aspects of the data was its longevity — the addresses spanned decades of residence, and some of the relatives listed have been deceased for as long as two decades.

The hacker group put a purchase price on the database of $3.5 million. VX-Underground, an educational website focused on cybersecurity, confirmed that the information in the 277.1GB database was real and accurate after being informed by the group of its intention to leak the database. Because National Public Data is not bound by the CIRCIA requirements for critical infrastructure, the company was not required to report the breach within 72 hours.

“This unencrypted, unredacted PII was compromised, published and then sold on the Dark Web, due to the Defendant’s negligent and/or careless acts and omissions and their utter failure to protect customers’ sensitive data. Hackers targeted and obtained Plaintiff’s and Class Members’ PII because of its value in exploiting and stealing the identities of Plaintiff and Class Members. The present and continuing risk to victims of the data breach will remain for their respective lifetimes,” stated the lawsuit.

No public statement from National Public Data

In addition to neglecting to inform the victims, National Public Data has not released a public statement regarding the breach. The Los Angeles Times reported that the company responded to email inquiries with “We are aware of certain third-party claims about consumer data and are investigating these issues.” The lawsuit mentions the lack of notification as a top concern of the Plaintiff.

In the lawsuit, Hofmann asked for specific actions from National Public Data, including providing monetary relief. He requested that National Public Data purge all breached PII. In addition, he wants the company to encrypt all data going forward, use data segmentation, scan its databases and launch a threat-management program. Additionally, he would like a cybersecurity framework evaluation to be conducted annually until 2034.

Impact of the breach

While the details are still evolving, this breach appears to be the largest — or one of the largest — data breaches of all time. Because the 2013 Yahoo breach included 3 billion accounts and the National Public Data breach appears to include 2.9 billion people, Yahoo may still hold the record after the dust settles. The previous second- and third-place holders will move to third and fourth once this breach enters the record books: the 2017 River City Media breach involved 1.37 billion records, while the 2018 Aadhaar breach contained 1.1 billion.

As experts try to predict the outcome of this case, many are turning to past events for comparison. In a similar lawsuit filed against Yahoo, U.S. District Judge Lucy Koh in 2019 rejected Yahoo’s proposed settlement payout to 200 million impacted individuals with close to 1 billion accounts. Koh rejected the settlement offer for the following reasons:

  • Inadequate disclosures of breaches that also occurred in 2012
  • Release of the 2012 claims was “improper”
  • Improper disclosure of the settlement fund size
  • Settlement fund “appears likely to result in an improper” reverter of attorneys’ fees
  • The settlement doesn’t sufficiently disclose “the scope of non-monetary relief”
  • The size of the settlement class isn’t clearly defined

Moving forward

Consumers should continue to monitor the current situation as it evolves to learn if their data was breached. As a precaution, individuals should carefully monitor their credit reports and bank accounts and not respond to unsolicited information or account requests.

“If this in fact is pretty much the whole dossier on all of us, it certainly is much more concerning than prior breaches,” Teresa Murray, Consumer Watchdog Director for the U.S. Public Information Research Group told the Los Angeles Times. “And if people weren’t taking precautions in the past, which they should have been doing, this should be a five-alarm wake-up call for them.”

The cyberattack cycle: First comes outage, next comes phishing
https://securityintelligence.com/news/cyberattack-cycle-first-outage-then-phishing/
Fri, 16 Aug 2024 13:00:00 +0000

The post The cyberattack cycle: First comes outage, next comes phishing appeared first on Security Intelligence.

Phishing attacks in the wake of a service, system or network outage are always a danger. For example, during the massive PlayStation Network outage in 2011, phishers took advantage of user confusion and frustration. Intruders sent phishing emails pretending to be from Sony, offering solutions or compensation to resolve outage problems. These emails contained links to rogue websites designed to steal login credentials and other personal information.

Year after year, threat actors continue to take advantage of outages to deploy malware via phishing attacks. The IBM X-Force Threat Intelligence Index 2024 revealed that, overall, phishing was the top initial access vector, appearing in 30% of cases in 2023. Also, 92% of organizations fell victim to a successful phishing attack in their Microsoft 365 environment in 2023.

This scenario continues to play out after the most recent outage that occurred with Microsoft Windows, which impacted 8.5 million systems. So, if you get an email advising you to update your systems due to an outage, be wary. And the plot thickens from there considerably.

Multi-headed phishing problem

In the aftermath of the latest Microsoft-related attack, reports have surfaced about a malware campaign targeting BBVA bank customers, where a fake update installs the Remcos RAT. This bogus update was promoted through a phishing site, portalintranetgrupobbva[.]com, masquerading as a BBVA Intranet portal.

The malicious archive included instructions for employees and partners to install the update to prevent errors when connecting to the company’s internal network. The “instrucciones.txt” file, written in Spanish, read, “Mandatory update to avoid connection and synchronization errors to the company’s internal network.”

In a separate warning, AnyRun highlighted another campaign in which attackers distributed a data wiper disguised as an update. “It decimates the system by overwriting files with zero bytes and then reports it over #Telegram,” AnyRun stated. The wiper attack was attributed to the pro-Iranian hacktivist group Handala, who allegedly claimed responsibility for the malicious activity on Twitter.

More system headaches

As if that wasn’t bad enough, new Windows threats were also reported during July that require immediate protection. And many millions of PCs remain at risk.

On July 9, Check Point issued a warning that attackers are using special Windows Internet Shortcut files. When these files are clicked, they trigger the retired Internet Explorer (IE) to visit attacker-controlled URLs. By using IE instead of more secure browsers like Chrome or Edge on Windows, attackers gained significant advantages in exploiting victims’ computers, even if they were running modern operating systems like Windows 10/11.

Just days later, Trend Micro provided more threat intelligence, revealing that the vulnerability was being used as a zero-day to access and execute files through the disabled Internet Explorer using MSHTML. This allowed attackers to infect victim machines with the Atlantida info-stealer, which targets system information and sensitive data such as passwords and cookies from various applications.

Following Check Point’s disclosure, the U.S. government added the vulnerability to its Known Exploited Vulnerabilities catalog, warning users about a spoofing vulnerability in Windows that poses a high risk to confidentiality, integrity and availability.

Although the vulnerability has been patched, users need to ensure their Windows PCs are updated. CISA has mandated that U.S. federal employees apply the update by July 30 or stop using their PCs. All other organizations — and even home users — are strongly advised to follow update recommendations as well. According to Check Point, Trend Micro and CISA, this vulnerability has been exploited in the wild, with attacks ongoing for more than 12 months.

Breaking the vicious cyber cycle

With so many phishing attacks circulating at the same time as genuine system updates are required, many people might be confused about what to do. Alternatively, email paranoia might set in, where everything seems suspicious, even legitimate update advice. The best practice is to check directly with official channels and representatives about updates. And think two (or three) times before you click.
