Ransomware’s continued success speaks volumes about what’s at stake for businesses and people, and, perhaps, the cybersecurity industry’s inability to adapt quickly enough to protect everyone.

Healthcare organizations are once again under attack by ransomware syndicates: Medical facilities in at least three states were hit in the past week, spurring a warning by US cyber-response organizations and underscoring the success of cybercriminals in attacking critical infrastructure for profit with impunity.

Yet, while those attacks make the headlines, they represent only a small share of the successes. Healthcare is not even in the top 10 of the most attacked industries, according to a May survey conducted by cybersecurity firm Sophos. Instead, entertainment, IT, and energy are the top 3 targets, with at least 55% of companies in those industries suffering a ransomware attack in the last year and almost three-quarters of all attacks successfully encrypting data.

The continued success of ransomware highlights the heightened stakes for businesses — and, because healthcare, local government, and other critical infrastructures are targeted, the general public — in combatting cybercrime and bad actors on the Internet.  

“We are doing all the things that we have always done for malware, but they are just not sufficient,” says Greg Conti, principal consultant and co-founder of cybersecurity consultancy Kopidion. “Often it comes down to, do we have backups? If you have a hardened cloud backup or an air-gapped backup system, then you can recover. And if you are not doing those things, then you have a major problem.”

The continued success of ransomware also underscores the failures of multiple stakeholders to adapt quickly enough to the increasingly dire issues of cybersecurity — companies, vendors, and governments have all failed to rein in malicious cyberattacks. The lack of consequences for the perpetrators, the relatively easy profits for cybercriminals, and the continued vulnerability of corporate networks make ransomware unlikely to go away.

“The security industry is, of course, trying to build things that people will buy but also that solve real problems,” Conti says. “The threat actors are agile and they are moving fast. The big companies might be keeping up, but the small companies are not. The root of the larger cybersecurity problem is, how do you defend those under-resourced defenders in a constant game of one-upmanship?”

Worse, the cost of failure is increasingly high, with the average ransom topping $1.4 million and the average cost of recovery more than $700,000 for organizations that did not pay a ransom, according to Sophos’ May survey. Local governments, small businesses, and school districts are hard-pressed to defend against the attacks, Conti says.

Ransomware is not the only cybercrime enjoying continued success. Business e-mail compromise and invoice scams continue to siphon off millions of dollars from US companies and organizations every year. Suffering from just such a scam, the Wisconsin Republican Party claims that cybercriminals modified invoices for direct mail and other services to steal $2.3 million from an account to re-elect President Donald Trump. Add to those crimes the continuing threat of nation-state espionage and disinformation attacks, and the scope of malicious online activity can easily overwhelm all but the largest companies.

No wonder, then, that a bipartisan 184-page report released by the Cyberspace Solarium Commission that focused on how the United States could defend its interests in cyberspace opened with a warning: “Our country is at risk … .”

Mitigating that risk is expensive for every business and hard to do right, says Jason Crabtree, CEO of risk management firm QOMPLX.

“Cybersecurity, clearly, is not something that every company is going to be successful in, even if it runs a great program and has the right people and does all the right things,” he says. “You could still be targeted for a variety of economic or strategic reasons and have a problem.”

Companies can take steps. A well-tested backup strategy combined with good visibility into network anomalies can head off massive ransomware attacks. While only 24% of companies detected and stopped ransomware before it could encrypt data, more than half of companies that did suffer a ransomware attack were able to restore the data from backup, according to the Sophos report. 

Because of the losses due to ransomware, however, more companies are taking notice. SEC filings are increasingly citing ransomware and data-destructive attacks as a potential business risk, says Greg Baker, senior associate with consultancy Booz Allen Hamilton (BAH).

“Back five or 10 years ago, there was no engagement nor understanding of cybersecurity at the executive level. That is changing,” he says. “We are seeing a lot more requests from companies to help them become more resilient because they understand the risks associated with these events.”

Yet much of the progress toward a secure Internet will rely on policy and government action. The Cyberspace Solarium Commission concluded that deterrence of attacks in cyberspace is possible, but to do so requires the private sector to secure their systems, government reform, and an economy that mitigates the impacts of attacks.  

Defenders have to be able to make responses to malicious attacks personal for the attackers, says Kopidion’s Conti. 

“Increasing pain for attackers — that is a government and law enforcement problem — but the question is, how much can government do when the actors are being shielded by their governments?” he says. “Inherent to the problem of cybersecurity is what can you do when you cannot punish enough of the bad actors to dissuade them from coming back.”

Overall, shifting defenders’ mindset will require more time, while attackers are able to quickly adopt new ways of exploiting defensive weaknesses, says BAH’s Baker. Yet companies and vendors are making environments more resilient with comprehensive security testing, creating playbooks for incident response, and gaining more visibility into their environments, he says.

The shift to a proactive strategy may be what tips the balance, he says. 

“It is not just on the incident response side, either,” Baker says. “We are talking about the proactive services, which I think in time will prove to be very fruitful in perhaps not limiting the number of events, but limiting the effects of those events.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …


After years of mostly targeting users in Japan, Korea, and other countries in the region, operators of the Trojan expanded their campaign to the US this week.

A new malware campaign targeting smartphone users in the US is the latest sign that mobile devices are becoming the next big target for cyberattackers.

Kaspersky this week said its threat-monitoring systems had detected malware known as the Wroba Trojan, which targets Android and iOS device owners in the US with a fake package-delivery notification.

Android device users who click on a link in the notification are taken to a malicious site with an alert that warns users about their mobile browser being out of date and needing to be updated. Users tricked into clicking “OK” to download the purported browser update end up installing the malware on their device instead.

The download does not work on iPhones. So, users of iPhones who fall for the fake package-delivery notification are instead sent to a phishing page designed to look like Apple’s login page, which attempts to steal their Apple ID credentials.

Once Wroba is installed on a device, it can carry out a variety of malicious activities, according to Kaspersky. This includes sending fake SMS messages, checking installed packages, accessing financial transaction data, stealing the user’s contact list, and serving up phishing pages for stealing credentials, including those associated with bank accounts.

Kaspersky malware analyst Alexander Eremin says the origins of the phone numbers being targeted in the latest campaign are unclear. He surmises they could either be targeted at random or are, for example, numbers stolen from some e-commerce service that performs package deliveries.

In some aspects, Wroba is not unlike other mobile malware — like its distribution via SMS. “But it utilizes some unusual techniques to hide its communication with its command-and-control [C2] server, like using MessagePack format and DES encryption to send the data.”

Wroba also has the ability to update its list of C2 servers with the help of information in social media accounts. The C2 information, for example, might be stored in encrypted form in the “Bio” or similar field in a social media account, Eremin says.

Wroba is not new malware. Malwarebytes first reported on Wroba — then masquerading as a legitimate Google Play store app — back in 2013. But up to now, Wroba, aka FunkyBot, mainly has targeted users in Korea, Japan, and other countries in the Asia-Pacific region. The campaign launched this week marks the first time the operator of the malware has targeted US mobile device owners, according to Kaspersky.

In a report earlier this year, and in at least two more in 2018, Kaspersky has described Wroba as being part of a broader mobile malware campaign called “Roaming Mantis.” Earlier versions of the malware were distributed via DNS hijacking. The operators of the malware basically hijacked DNS settings on home routers and redirected users of those routers to malicious sites.

Since at least 2018, versions of Wroba have also been distributed via malicious SMS messages (aka smishing) using spoofed package-delivery notices. According to Kaspersky, the operators of Wroba have customized the spoofed notices so the messages appear to come from trusted domestic package delivery services in each targeted country. Other vendors, such as Fortinet, have also been tracking the threat for some time now.

Growing Problem
The latest Wroba campaign is another sign of the growing threat that mobile users and organizations face from malware, adware, and other unwanted software on smartphones and other mobile devices. Thirty-nine percent of more than 875 mobile security professionals surveyed for the 2020 edition of Verizon’s Mobile Security Index said their organizations had experienced a security compromise involving a mobile device in the past year. Two years ago, only 27% reported such a breach. Two-thirds of those who experienced a mobile-related breach described the impact as major.

Malware is not the only issue. Adware — designed to serve up unwanted ads on mobile devices — is another big problem. In the first half of this year, adware accounted for more than 35% of all malicious files that mobile users encountered on their devices, according to Kaspersky.

Phishing is a growing problem as well. According to Lookout’s 2020 “Mobile Phishing Spotlight Report,” enterprise mobile phishing encounters jumped 37% globally between the fourth quarter of 2019 and the first quarter of 2020. In North America, the number was much higher, at 66.3%.

“Threat actors are building more-advanced phishing campaigns beyond just credential harvesting,” says Hank Schless, senior manager of security solutions at Lookout.

Through the first nine months of 2020, almost 80% of phishing attempts were designed to get users to install malicious apps on their mobile devices, he says.

“Threat actors have learned how to socially engineer at scale by creating fake influencer profiles with massive followings that encourage followers to download malicious apps,” Schless says. “Personal apps on devices that can access corporate resources pose serious risk to enterprise security posture.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …


Attackers are hiding malicious payloads in phishing emails via a technique traditionally used to hide malicious code planted on websites.

JavaScript, the ubiquitous scripting language used across Web applications worldwide, is becoming a key ingredient in phishing campaigns looking to plant malicious code on victims’ computers, new research shows.

Phishing attacks using JavaScript obfuscation techniques rose more than 70% from November 2019 through August 2020, according to Akamai lead researcher Or Katz.

Katz says that the reason for the rise in this attack technique is simple. “The fact that JavaScript is a scripting language that runs on the client side gives [attackers] the ability to create content, but only once that content is rendered on the browser of the potential victims, will the actual page be rendered and be presented to the victim,” Katz says. “Only at that point in time will you see the actual phishing website asking for credentials or other personal information.”

In the first of a series of blog posts on his research, he said “content escaping,” while not a sophisticated obfuscation technique, is effective at hiding – or obfuscating – the malicious content of a message. It is also far more commonly used on malicious websites than in phishing or scam email messages. It’s the technique’s growing use in email that caught Katz’s attention.

JavaScript has been used in fairly simple obfuscation techniques, but the obfuscation is becoming more sophisticated, he found. Take XOR decryption, which he’s seeing in more and more campaigns. XOR (exclusive-or) is a technique taken from cryptography that makes contents smaller while creating a block of text that is unique for each message. The result is something that can’t easily be defeated by simple signature-matching anti-malware techniques.

Katz then took a closer look at specific campaigns using the JavaScript obfuscation techniques. He notes in the second blog post that single malicious email messages are now carrying JavaScript code that uses multiple obfuscation and redirection techniques, including URL cloaking, content escaping, and polymorphic functions, at the same time. These techniques are “just the tip of the iceberg, as more complex techniques, including huge chunks of embedded dead code and anti-debugging, are constantly being used in the wild,” he said in the post.
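To show what the content escaping and XOR decoding discussed above look like from the defender's side, here is an added example (written for this edit; it is not code from Akamai or from the article) that scans an e-mail's HTML for escape-wrapper calls, decodes them the way the browser would, flags the signature of a small XOR decoder, and reports a credential form that only becomes visible after decoding. The sample e-mail bodies, the `scan_email_html` and `decode_escaped_strings` functions and the three-level risk label are all constructed for illustration.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed sample e-mail body (not a real phishing message): a credential
# form hidden behind unescape() "content escaping", plus a tiny XOR decoder of
# the kind the research describes. The XOR loop is only pattern-matched here,
# never executed.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Your mailbox is almost full. Please verify your account.</p>
<script>
document.write(unescape("%3Cform%20action%3D%22https%3A%2F%2Fexample.invalid%2Fv%22%3E%3Cinput%20type%3D%22password%22%20name%3D%22p%22%3E%3C%2Fform%3E"));
var k=7,d=[107,104,96,110,105],s="";
for(var i=0;i<d.length;i++){s+=String.fromCharCode(d[i]^k);}
</script>
</body></html>"""

# Constructed benign message for comparison: no script, nothing escaped.
BENIGN_EMAIL_HTML = """<html><body><p>Agenda for Thursday attached.</p>
<a href="https://intranet.example.invalid/agenda">Open agenda</a></body></html>"""

SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# unescape()/decodeURIComponent() wrapped around a string literal.
ESCAPE_CALL = re.compile(
    r"(?:unescape|decodeURIComponent|decodeURI)\s*\(\s*(['\"])(.*?)\1\s*\)", re.S)
# An XOR applied to character codes: the signature of a small XOR decoder.
XOR_DECODER = re.compile(r"fromCharCode\s*\([^)]*\^|charCodeAt\s*\([^)]*\)\s*\^")
CREDENTIAL_FORM = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)


def js_unescape(text: str) -> str:
    """Emulate JavaScript unescape(): handle %uXXXX first, then ordinary %XX."""
    text = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return urllib.parse.unquote(text)


def decode_escaped_strings(script: str) -> List[str]:
    """Return the decoded payload of every escape-wrapper call in a script."""
    return [js_unescape(m.group(2)) for m in ESCAPE_CALL.finditer(script)]


def scan_email_html(html: str) -> Dict[str, object]:
    """Static scan of an HTML e-mail body: decode escaped content and label the risk."""
    findings: Dict[str, object] = {
        "escaped_payloads": [],
        "xor_decoder": False,
        "hidden_credential_form": False,
    }
    for script in SCRIPT_BLOCK.findall(html):
        payloads = decode_escaped_strings(script)
        findings["escaped_payloads"].extend(payloads)
        if XOR_DECODER.search(script):
            findings["xor_decoder"] = True
        # The form never appears in the raw bytes; only the decoded text shows it.
        if any(CREDENTIAL_FORM.search(p) for p in payloads):
            findings["hidden_credential_form"] = True
    if findings["hidden_credential_form"]:
        findings["risk"] = "high"
    elif findings["escaped_payloads"] or findings["xor_decoder"]:
        findings["risk"] = "medium"
    else:
        findings["risk"] = "low"
    return findings


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_EMAIL_HTML), ("benign", BENIGN_EMAIL_HTML)):
        result = scan_email_html(body)
        print(label, result["risk"], result["escaped_payloads"])
```

The point of decoding rather than merely matching on `unescape(` is the one Katz makes: a signature that looks at the raw message sees only a percent-encoded blob, while the decoded text is an ordinary login form. A mail gateway that applies this kind of pre-render decoding can apply its normal credential-form rules to what the victim's browser would actually display.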

He told Dark Reading he believes JavaScript obfuscation will increase in email phishing attacks.

“There is a movement from using solely emails as a way to propagate phishing scams into social networks and messaging and social messaging platforms to deliver a lot of those scams,” he says. “When you try to distribute attacks through social media, then you are actually using the power of that platform to do a very rapid kind of distribution that is dependent on the trustworthiness of the people that are distributing them.”

Because the techniques are being so successful, Katz says that they’re not limited to a single criminal organization or geographic area: they’re being used worldwide by a wide variety of threat actors. And because they can come from so many sources, and hide in so many ways, Katz says that basic user education may still be one of the most powerful tools to use against them.

It starts, he says, with reminding users that an email message that seems too good to be true probably is. And if the URL seems unusual, or appears from an unusual location in a message or on a Web page, that should be a red flag.

“Stop at that point, think twice and try to figure out if you need to give any personal information.” If it’s suspicious enough to make you think, he says, then it’s almost certainly suspicious enough to make you stop.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …


The vulnerability, patched in August, has been weaponized by APT groups and prompted CISA to issue a security alert.

Microsoft today warned of continued attack activity exploiting Zerologon (CVE-2020-1472), a critical elevation of privilege flaw affecting the Netlogon protocol. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert to spread awareness of the activity.

Zerologon was patched in August but became a top security concern after discovery of publicly available exploit code. A remote attacker could exploit this vulnerability and breach unpatched Active Directory domain controllers, then obtain domain administrator access.

Earlier this month, Microsoft observed an Iranian advanced persistent threat (APT) group known as Mercury using the vulnerability in active attack campaigns. CISA has also detected nation-state activity exploiting Zerologon that has often, but not exclusively, targeted federal and state, local, tribal, and territorial (SLTT) government networks.

“Deploying the August 11, 2020 security update or later release to every domain controller is the most critical first step toward addressing this vulnerability,” Aanchal Gupta, vice president of engineering for the Microsoft Security Response Center (MSRC), writes in a blog post.

“Once fully deployed, Active Directory domain controller and trust accounts will be protected alongside Windows domain-joined machine accounts.” He advises businesses to find devices making vulnerable connections by monitoring event logs, and to address noncompliant devices.
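As an added illustration of the event-log monitoring Gupta recommends (this is not Microsoft's code or the article's), the Python below triages a CSV export of a domain controller's System log by the Netlogon event IDs Microsoft documented for the update: 5827 and 5828 (vulnerable connection denied), 5829 (vulnerable connection still allowed) and 5830 and 5831 (allowed because an account was exempted by group policy). The CSV column layout, the sample rows, the message wording and the function names are assumptions made for this example.

```python
import csv
import io
import re
from typing import Dict, List

# Event IDs the August 2020 Netlogon hardening update logs in the System log
# (source NETLOGON). 5829 is the one to hunt for: a vulnerable secure channel
# connection that is still being allowed, i.e. a device that will break once
# enforcement mode is on unless it is patched or replaced first.
NETLOGON_EVENTS = {
    5827: ("denied", "machine account"),
    5828: ("denied", "trust account"),
    5829: ("allowed_vulnerable", "machine account"),
    5830: ("allowed_by_policy", "machine account"),
    5831: ("allowed_by_policy", "trust account"),
}

# Constructed sample export. The layout (TimeCreated,Id,Message) and the
# message wording are assumptions for this example, not captured log data.
SAMPLE_EXPORT = """TimeCreated,Id,Message
2020-10-29T08:00:01,5829,"The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: OLDNAS01$ Domain: CORP"
2020-10-29T08:05:12,5829,"The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: PRINTER7$ Domain: CORP"
2020-10-29T08:07:40,7036,"The Print Spooler service entered the running state."
2020-10-29T09:12:33,5830,"The Netlogon service allowed a vulnerable Netlogon secure channel connection because the machine account is allowed by group policy. Machine SamAccountName: LEGACYAPP$ Domain: CORP"
2020-10-29T10:30:00,5829,"The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: OLDNAS01$ Domain: CORP"
2020-10-30T07:01:15,5827,"The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. Machine SamAccountName: OLDNAS01$ Domain: CORP"
2020-10-30T07:02:50,5828,"The Netlogon service denied a vulnerable Netlogon secure channel connection using a trust account. Trust SamAccountName: PARTNER$ Domain: CORP"
"""

ACCOUNT_RE = re.compile(r"SamAccountName:\s*(\S+)")


def parse_export(text: str) -> List[Dict[str, str]]:
    """Read the exported rows; each row carries TimeCreated, Id and Message."""
    return list(csv.DictReader(io.StringIO(text)))


def triage_netlogon_events(rows: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Bucket Netlogon hardening events by outcome and count them per account."""
    summary: Dict[str, Dict[str, int]] = {
        "denied": {}, "allowed_vulnerable": {}, "allowed_by_policy": {}}
    for row in rows:
        try:
            event_id = int(row["Id"])
        except (KeyError, ValueError):
            continue  # malformed row or missing Id column
        if event_id not in NETLOGON_EVENTS:
            continue  # unrelated System-log noise
        bucket, _account_type = NETLOGON_EVENTS[event_id]
        match = ACCOUNT_RE.search(row.get("Message", ""))
        account = match.group(1) if match else "<unparsed>"
        summary[bucket][account] = summary[bucket].get(account, 0) + 1
    return summary


def devices_needing_attention(summary: Dict[str, Dict[str, int]]) -> List[str]:
    """Accounts still using the vulnerable connection: fix them before
    enforcement, or they will start showing up under 'denied'."""
    return sorted(set(summary["allowed_vulnerable"]) | set(summary["allowed_by_policy"]))


if __name__ == "__main__":
    report = triage_netlogon_events(parse_export(SAMPLE_EXPORT))
    for bucket, accounts in report.items():
        print(f"{bucket}: {accounts}")
    print("needs attention:", devices_needing_attention(report))
```

In the constructed data, OLDNAS01$ appears under both 5829 and later 5827, which is the sequence the guidance anticipates: a device flagged during the monitoring phase and then refused once the domain controllers enforce secure RPC. The 5830 entry for LEGACYAPP$ is the less comfortable case, an account deliberately exempted by policy that keeps the weak channel open and belongs on a remediation list rather than being forgotten.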

CISA urges administrators to patch their domain controllers immediately: “Until every domain controller is updated, the entire infrastructure remains vulnerable, as threat actors can identify and exploit a vulnerable system in minutes,” officials write. 

Read the Microsoft blog post and latest CISA alert for more details.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.


As public and private spaces are opening up, the need for a converged approach to cybersecurity and physical security is essential, as is integration with health measures and tech.

Since the start of the coronavirus pandemic, one thing has been clear: Protecting the health, safety, and security of individuals is increasingly challenging and a core priority for helping the US get safely back to business and back to school, as well as for a sense of well-being. And all of this amid a changing view of the future of work and the core factors for quality of life.

Early on in the urgent attempt to prevent the spread of the virus, stay-at-home mandates swept the nation as restaurants and retailers were forced to close their doors, and employees were adjusting to a new work remote/work-from-home lifestyle. As a result, several organizations, including the World Health Organization, experienced a dramatic rise in attempted cyberattacks on the workforce. The FBI reported a 400% increase in cybersecurity complaints compared with before the pandemic. Now, as both public and private spaces are opening up — and offices are inviting employees back slowly and in reduced capacity — the need for a converged approach to cybersecurity and physical security is essential, as is integration with health measures and tech.

Physical Security & Safety in a Pandemic Era
Early on in the pandemic, many businesses were vacant and therefore more susceptible to crime and theft. This spiked demand for security systems such as alarms and monitoring, especially for small and midsize businesses, including bars, restaurants, and retail.

Responsible use of facial recognition technology is also being further developed and put to use in modernized airports and for public safety and access control uses. There has been concern about people wearing masks being a barrier to effective identification. Fortunately, there are facial recognition technologies available that are not hindered by masks. The technology can still verify an individual’s credentials, and as a result, enable a number of contactless solutions (such as touchless sign-in and payment) and access monitoring. In addition, if an individual enters a venue, office, or store without wearing a mask, or is not wearing it correctly, facial recognition technology can be used to help detect the individual and discreetly alert staff.

Regarding personal safety, which has been affected by the pandemic, individuals are very aware of their health and safety needs and are adapting to social distancing rules. There is also increased demand for contactless access control solutions. For example, pre-COVID, many employees would be granted access to their office building by a simple key fob or key card. However, post-COVID, this won’t be enough. In fact, many office buildings already have been experimenting with access control technology that prevalidates individuals who are permitted to enter the building, utilizes mobile phones, and can also ensure that capacity limits are being followed.

Product development is underway for integration of security and health technology, including access control systems that combine functionality of identity verification and temperature checks. We are also rapidly seeing this with multipurpose use of video technology, across the spectrum of surveillance for threat detection, temperature checks, and capacity counts. While these are effective steps for this phase, to establish large-scale reopenings, real-time testing needs to be deployed pervasively while work continues on producing a safe vaccine and distribution process.

Rethinking Cybersecurity for Employees: Rise of Vishing Fraud
As professional workers continue to do their jobs remotely, even as offices are reopening, bad actors have been clever during these COVID times with tailored campaigns designed to prey on consumers’ increasing vulnerability. Recently, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding vishing (voice phishing) scams aimed at workers. Here’s a quick look at how vishing works:

First, a bad actor compiles every bit of information he or she can on an employee via public website information and social media. Next, that person calls the employee pretending to be an IT staff member with some excuse about troubleshooting an issue and subsequently asks the staff member to use a new — and fake — virtual private network (VPN) page to access company servers. Ultimately, if an employee obliges, this provides the fraudster credentials and access to private information.

There are a number of actions an organization can take to prevent social engineering attacks like this, including but not limited to employee software that can actively scan and monitor for unauthorized access and anomalous activity. Above all else, employees must be educated on these new threats, get training on how to spot malicious access attempts, and be provided clear instruction on how to flag them via the proper channels.

Cybersecurity, Physical Security, and Health Tech: The Pandemic Trio
One of the biggest takeaways for the security community as we continue to emerge from the pandemic is that cybersecurity, physical security, and health tech safety must be prioritized together. Industry professionals have to be wary of increasingly sophisticated cybersecurity threats, and quickly deploy proper physical and health safety protections and solutions that will address all equally and with strong collaboration.

In the last four years, this trend of organizational collaboration emerged due to increasingly pervasive connectivity and Internet of Things-enabled devices. Now with health issues being a long-term, front-burner priority, this will further stimulate the need for cross-departmental communications and a command center approach. Physical security, facilities, operational technology, IT, and HR professionals have a core essential role to take the lead to ensure the safety of employees, customers, and the public. 

Will Wise is Group Vice President, Security Events, at Reed Exhibitions. He oversees ISC Security Events, ISCnews.com, ITS America Events, CNP/CardNotPresent.com, Natural Disaster & Emergency Management Expo, and G2E Events and G2E Insider.


Cybersecurity researchers have disclosed details about a new watering hole attack targeting the Korean diaspora that exploits vulnerabilities in web browsers such as Google Chrome and Internet Explorer to deploy malware for espionage purposes.

Dubbed “Operation Earth Kitsune” by Trend Micro, the campaign involves the use of SLUB (for SLack and githUB) malware and two new backdoors — dneSpy and agfSpy — to exfiltrate system information and gain additional control of the compromised machine.

The attacks were observed during the months of March, May, and September, according to the cybersecurity firm.

Watering hole attacks allow a bad actor to compromise a targeted business by inserting an exploit into a carefully selected website that its people visit, with the intention of gaining access to the victim’s device and infecting it with malware.

Operation Earth Kitsune is said to have deployed the spyware samples on websites associated with North Korea, although access to these websites is blocked for users originating from South Korean IP addresses.

A Diversified Campaign

Although previous operations involving SLUB used the GitHub repository platform to download malicious code snippets onto the Windows system and post the results of the execution to an attacker-controlled private Slack channel, the latest iteration of the malware has targeted Mattermost, a Slack-like open-source collaborative messaging system.

“The campaign is very diversified, deploying numerous samples to the victim machines and using multiple command-and-control (C&C) servers during this operation,” Trend Micro said. “In total, we found the campaign using five C&C servers, seven samples, and exploits for four N-day bugs.”

Designed to skip systems that have security software installed on them as a means to thwart detection, the attack weaponizes an already patched Chrome vulnerability (CVE-2019-5782) that allows an attacker to execute arbitrary code inside a sandbox via a specially-crafted HTML page.

Separately, a vulnerability in Internet Explorer (CVE-2020-0674) was also used to deliver malware via the compromised websites.

dneSpy and agfSpy — Fully Functional Espionage Backdoors

The difference in the infection vector notwithstanding, the exploit chain proceeds through the same sequence of steps — initiate a connection with the C&C server, receive the dropper, which then checks for the presence of anti-malware solutions on the target system before proceeding to download the three backdoor samples (in “.jpg” format) and executing them.

What’s changed this time around is the use of a Mattermost server to keep track of the deployment across multiple infected machines, in addition to creating an individual channel for each machine to retrieve the collected information from the infected host.

Of the other two backdoors, dneSpy and agfSpy, the former is engineered to amass system information, capture screenshots, and download and execute malicious commands received from the C&C server, the results of which are zipped, encrypted, and exfiltrated to the server.

“One interesting aspect of dneSpy’s design is its C&C pivoting behavior,” Trend Micro researchers said. “The central C&C server’s response is actually the next-stage C&C server’s domain/IP, which dneSpy has to communicate with to receive further instructions.”

agfSpy, dneSpy’s counterpart, comes with its own C&C server mechanism that it uses to fetch shell commands and send the execution results back. Chief among its features are the capability to enumerate directories and to list, upload, download, and execute files.

“Operation Earth Kitsune turned out to be complex and prolific, thanks to the variety of components it uses and the interactions between them,” the researchers concluded. “The campaign’s use of new samples to avoid detection by security products is also quite notable.”

“From the Chrome exploit shellcode to the agfSpy, elements in the operation are custom coded, indicating that there is a group behind this operation. This group seems to be highly active this year, and we predict that they will continue going in this direction for some time.”

Free program lets students solve real-world security problems – and learn about cybersecurity.

K-12 computer science teacher Scott Dooley a few years ago was facing a conundrum: he saw massive job growth in cybersecurity and a pipeline of great entry-level jobs, but he couldn’t find the right resources or content to connect his students with the opportunities to truly learn cybersecurity and gain an interest in the field.

“I wanted something they could actually use,” says Dooley, who teaches inner-city and low-income students at Indianapolis-based Christel House Academy South. But most of what was out there was “really dry,” he says.

“I found I was teaching about cybersecurity rather than teaching cybersecurity,” Dooley says. “I needed inquiry-based things where the kids could get in and play around with stuff.” Indeed, he went so far as to ask the school’s IT department to open up their network for his students to probe (they said no).

Fortunately, Dooley eventually heard about Girls Go CyberStart, a program from the SANS Institute aiming to introduce more high school girls to cybersecurity as a career field. “I started looking at the content and thought, ‘this is exactly what I need!’” he recalls. “It’s inquiry-based, I don’t have to mess around with the IT department to get security permissions, the barrier to entry is super low, it’s a gamified thing… It was perfect for what I was doing.”

Now SANS has opened up the CyberStart program to all US high school students – not only girls – aiming to have some 56,000 students participate. SANS’ CyberStart competition for 2020 officially opened today for enrollment, and it’s free. The competition begins on November 15, 2020, and students can play through the end of February 2021.

More than 30,000 young women from 2,500 US schools participated in the Girls Go CyberStart competition between 2018 and 2020, according to Alan Paller, director of research at SANS Institute and president of SANS Technology Institute. 

This year’s CyberStart competition includes $2 million in college scholarships for finalists to compete for in a challenge round in March or April 2021, courtesy of sponsorship by the National Cyber Scholarship Foundation.

Another change this year is that SANS is now also working with school counselors in order to connect more students with CyberStart and ensure underprivileged students learn about it and have the opportunity to participate. “This program doesn’t require a technology teacher,” Paller says. “The kids learn everything they need to know in the game. So it opens it up to rural kids, inner city kids… but only if somebody says, ‘hey give it a try.’”

Students who participate in CyberStart will essentially get to act as protection agents “solving real problems that come up when an attack happens,” he explains. Players can expect to learn skills including Linux and Windows programming, forensics, and cryptography, all within the context of a realistic, continuous story setting. Videos and hints within the game are available to help students if they get stuck. Overall, the competition measures students’ curiosity, tenacity, and ability to learn new things quickly.

While there’s no way to get knocked out of the competition, some students lose interest after a while, says Paller. “There’s a subset of students who don’t like this way of learning. They like to sit in a class and have a lecturer tell them things and then they like to be tested on mastery of what they read in a book or were told,” he explains.

Finding the On Ramp

The ultimate goal of CyberStart is to equip students with cybersecurity know-how as a way of closing the skills shortage in the workforce, but the connection between a program like this and an actual career hasn’t been seamless. 

“The key to the transition for these students – the ones who do well in the game – is that they continue to get hands-on experience,” Paller says. “It turns out that is rare in American colleges. So we have, for the last 10 years, turned off these kinds of kids. They love doing hands-on stuff and then get pushed into a lecture hall.”

But, he says, that seems to be changing with the introduction and growth of cyber clubs on college campuses: more colleges are starting to see cybersecurity as almost a “sport” and have a growing interest in attracting cyber talent. “They get into teams, do weekly meetings, teach each other… That looks like the pathway for a lot of these kids.”

Mind the Gender Gap 

The reason the 2020 version of CyberStart expanded beyond girls only is bittersweet: Despite the participation of 30,000 young women over three years, there’s been greater interest in the program from boys. So SANS thought it only made sense to open up the program to everyone rather than “lose half the talent,” Paller says.

Both Paller and Dooley attribute higher interest among male students to societal and systemic factors, rather than an actual lack of interest amongst young women.

“I found that when I segregate the girls, they value that less. Some of that is twisted socioeconomic crap and cultural stuff. But they were saying, ‘If the boys aren’t doing it, why is it important for me to?’” Dooley explains. He also admits that he started quietly adding boys to the program last year because there was so much interest, and that doing so increased participation among female students as well.

One former Girls Go CyberStart participant, Haya Arfat, credits her own involvement in the program to having female high school teachers for computer science who were intentional about getting young women interested in the field.

“Representation is just a really big thing,” Arfat says. “I was really lucky. My high school has a lot going on for computer science. All the teachers who taught were women, they all had experience, and they were passionate about getting more girls involved.” 

Arfat says that before she participated in Girls Go CyberStart, she didn’t really know what cybersecurity was beyond “having a strong password.” But the competition taught her that cybersecurity is fun and engaging, she says.

She also learned she’s really good at it: Arfat’s school team ranked among the top 10 in the country, and Arfat herself received a scholarship for being among the top three individual scorers.

Now a student at Texas A&M University, Arfat is active in the school’s cybersecurity apprenticeship program as a developer for the organization’s capture-the-flag competition. She plans to major in computer science and minor in cybersecurity and hopes to get involved with Women in Cyber Security (WiCyS) as a student mentor – none of which was on her radar before Girls Go CyberStart.

For Christel House Academy’s Dooley, being able to introduce his students to CyberStart is a chance to create an on-ramp for career opportunities, especially for his lower-income and minority students. “This can change a generation for some of these families,” he says.


Nicole Ferraro is a freelance writer, editor and storyteller based in New York City. She has worked across b2b and consumer tech media for over a decade, formerly as editor-in-chief of Internet Evolution and UBM’s Future Cities; and as editorial director at The Webby Awards.


But the number of records put at risk has increased massively. Here’s why.

In the first three quarters of 2020, the number of data breaches fell to its lowest level in five years, while the number of records put at risk by those breaches skyrocketed to more than four times the level of the same nine months in 2019, according to Risk Based Security’s (RBS) latest quarterly breach report.

The massive rise in the number of records exposed during breaches in 2020 is partly due to a handful of large misconfigured databases, RBS states in the Q3 report. Two breaches exposed more than 1 billion records each, and another four breaches put at risk more than 100 million records each.

While the number of breaches is typically a measure of malicious activity, the number of records exposed is driven mainly by the discovery of misconfigured databases and services, says Inga Goddijn, executive vice president at RBS.

“When we look at the records exposed, it is important to keep in mind that the real driver behind that is the misconfigured databases and services, where folks find the open data sets, they explore and look around, and then the incident gets reported,” she says. “They are more focused on the entire dataset put at risk.” 

There may not necessarily be fewer breaches, says Goddijn. The different numbers underscore the differences in what can be considered a data breach. RBS defines a data breach as the “unauthorized access to, or loss of control of, confidential or sensitive information,” the report states.

In addition, companies hit with ransomware do not always report the incident as a breach, especially if they do not know what data has been copied by the attackers. For the first nine months of the year, RBS researchers found reports of 440 ransomware attacks that also contained a data-breach angle — whether information had been taken or the attacker had access to the information in the course of the attack.

Add to that the uncertainty of the pandemic, which has pushed a lot of breach news from the headlines, and fewer breaches may gain public notice, Goddijn says.

“I hate blaming everything on COVID because everyone does that, but I really do think that there is COVID effect,” she says. “Because of world events, less breach news is being surfaced … and information that does become public is a little bit slower to come out.” 

RBS also notes the election has spurred the interest of data thieves. Voter databases have appeared for sale in underground forums where stolen data is often sold. A variety of actors were selling data dumps of purported voter databases, including information on 7 million voters from Michigan, 8 million voters from North Carolina, 5 million voters from Washington state, and several files containing information of Florida voters, RBS states in its report.

Since voter registration information is often publicly available, the files do not necessarily represent breaches, but they do underscore that such data may allow attempts to meddle in the US election or enable cybercriminals to craft convincing lures as part of phishing campaigns.

“While much of this data might have been collated from older or publicly accessible sources, the potential dangers are still very real,” RBS states in the report. “The increased attention and cooperation between hackers points to a growing interest and overall risk. They would most likely prefer for us to think that hacktivism isn’t a real issue, given the current climate, but circulating these types of databases can leave voters feeling vulnerable and feed mistrust of voter systems.”

The healthcare industry, information brokers, and the financial industry represent the top three reporting industries for breaches, highlighting how companies with the most personal information are often attacked by cybercriminals. 

Companies cannot expect a one-size-fits-all approach to securing their data, Goddijn adds. They should take the effort to assess their risk, create a strategy around that risk, and keep those valuable assets protected.

“I come back to process, process, process,” she says. “Your security process needs to be strong. You need to be double checking, triple checking, and having ways to discover those security weaknesses on their own.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …


New additions are built to help organizations better respond to threats and protect applications and data in the cloud.

McAfee today released multiple new security products during its MPOWER Digital 2020 event. Tools debuted today focus on cloud application security, remote browser isolation, and extended detection and response (XDR) to help defend against, and address, security threats.

MVISION XDR is a cloud-based threat management platform that covers the attack life cycle before and after an incident. Businesses can view and control threats across the endpoint, network, and cloud; prioritize threats based on risk and potential effect on the organization; and integrate with external threat intelligence and security operations center (SOC) tools. 

Today’s SOCs face three key challenges, McAfee says: reactive processes and workflows, alert fatigue and fragmented tools, and limited staff and expertise. The XDR platform is meant to eliminate the complexity of fragmented tools and help SOCs improve their prioritization and orchestration.

Initial XDR capabilities are available today within MVISION EDR; additional XDR capabilities will be available to early access users in the first quarter of 2021.

The company announced its Cloud Native Application Protection Platform (CNAPP), a tool that brings together Cloud Security Posture Management (CSPM) for public cloud infrastructure and Cloud Workload Protection (CWPP) to protect virtual machines (VMs), containers, and serverless functions.

The idea is to extend the data protection, threat prevention, governance, and compliance of MVISION Cloud into cloud native applications. CNAPP’s capabilities include deep discovery of workloads, data, and infrastructure; vulnerability assessments across VMs, containers, and serverless environments; automation of security controls; and the ability to both build policies based on zero trust access and map cloud native threats to the MITRE ATT&CK framework. 

McAfee today updated its MVISION Unified Cloud Edge (UCE) with an integration of remote browser isolation (RBI) technology, as well as data loss prevention (DLP) and incident management across devices, networks, cloud, and the Web. These new functionalities give UCE a “more comprehensive converged approach to security within the Secure Access Service Edge (SASE) framework,” officials said in a statement.

RBI provides greater protection for Web-based threats such as ransomware and credential phishing, while data classification and management tools will protect data where it resides. The RBI technology will be directly incorporated into the MVISION UCE threat protection stack, McAfee says, and users will be able to opt into beta access for integrated RBI in coming months. Its unified DLP incident management capabilities will be available in November.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.


The Department of Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) this week issued Alert (AA20-301A), titled “North Korean Advanced Persistent Threat Focus: Kimsuky,” warning U.S. businesses, and particularly those in the commercial sector, about the tactics used by the North Korean advanced persistent threat (APT) group Kimsuky. https://us-cert.cisa.gov/ncas/alerts/aa20-301a

The Alert, co-authored by the Federal Bureau of Investigation (FBI) and the U.S. Cyber Command Cyber National Mission Force, “describes the tactics, techniques and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky—against worldwide targets—to gain intelligence on various topics of interest to the North Korean government.”

The key findings of the government on Kimsuky’s activities include:

  • The Kimsuky APT group has most likely been operating since 2012.
  • Kimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission.
  • Kimsuky employs common social engineering tactics, spearphishing, and watering hole attacks to exfiltrate desired information from victims.
  • Kimsuky is most likely to use spearphishing to gain initial access into victim hosts or networks.
  • Kimsuky conducts its intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States.
  • Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.
  • Kimsuky specifically targets:
    • Individuals identified as experts in various fields,
    • Think tanks, and
    • South Korean government entities.
  • CISA, FBI, and CNMF recommend individuals and organizations within this target profile increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spearphishing, use of multi-factor authentication, and user awareness training.

The methods used by Kimsuky include social engineering and spearphishing, which are outlined in the Alert and are worth reviewing. After obtaining access, Kimsuky deploys the BabyShark malware and uses PowerShell or the Windows Command Shell to execute it.

The Alert lists the indicators of compromise, including domains that have been used by Kimsuky, which IT professionals may wish to consult.
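One practical way to act on the domain indicators the Alert publishes is to sweep proxy or DNS logs for them. The following Python script is an added example for this page, not code from CISA, the FBI, CNMF or the Alert itself. The indicator domains and log lines in it are constructed placeholders, not the real IOCs from AA20-301A; a practitioner would replace IOC_DOMAINS with the domains listed in the Alert. The script normalizes case and trailing dots (published lists are not always clean), matches subdomains of an indicator but not look-alike names that merely end in the same characters, and handles both full URLs and the bare host:port form that CONNECT requests log.

```python
"""Match proxy/DNS log entries against a list of indicator (IOC) domains.

Added example, not code from CISA, the FBI or Alert AA20-301A. The IOC
domains and log lines below are constructed placeholders; replace
IOC_DOMAINS with the domains published in the Alert.
"""
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed placeholder indicators (NOT the real domains from the Alert).
# Mixed case and a trailing dot are deliberate: published lists are not
# always normalized, and a matcher must not miss because of that.
IOC_DOMAINS = [
    "example-ioc.test",
    "Login-Update.example.invalid.",
]

# Constructed sample lines in a squid-style access log layout:
# timestamp client_ip result bytes method target
SAMPLE_LOG = """\
1603900001.123 10.0.0.5 TCP_MISS/200 4521 GET http://www.example.org/index.html
1603900002.456 10.0.0.7 TCP_MISS/200 1092 GET http://mail.EXAMPLE-IOC.test/auth/login
1603900003.789 10.0.0.9 TCP_MISS/200 771 POST https://login-update.example.invalid/submit
1603900004.012 10.0.0.5 TCP_MISS/200 310 GET http://notexample-ioc.test/
1603900005.345 10.0.0.8 TCP_DENIED/403 0 CONNECT example-ioc.test:443
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)")


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")


def extract_host(target: str) -> Optional[str]:
    """Pull the host out of a URL or a bare host:port (CONNECT) target."""
    if "://" not in target:
        target = "//" + target  # let urlparse treat host:port as a netloc
    host = urlparse(target).hostname
    return normalize_domain(host) if host else None


def match_domain(host: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the longest IOC that equals host or is a parent domain of it.

    'mail.example-ioc.test' matches 'example-ioc.test';
    'notexample-ioc.test' does not, because only whole labels count.
    """
    host = normalize_domain(host)
    best = None
    for ioc in (normalize_domain(i) for i in iocs):
        if host == ioc or host.endswith("." + ioc):
            if best is None or len(ioc) > len(best):
                best = ioc
    return best


Hit = Tuple[int, str, str, str]  # (line_no, client_ip, host, matched_ioc)


def scan_log(text: str, iocs: Iterable[str]) -> List[Hit]:
    """Scan log text and return one hit per line whose target hits an IOC."""
    iocs = [normalize_domain(i) for i in iocs]
    hits: List[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        client_ip, target = m.group(2), m.group(6)
        host = extract_host(target)
        if host is None:
            continue
        ioc = match_domain(host, iocs)
        if ioc:
            hits.append((line_no, client_ip, host, ioc))
    return hits


if __name__ == "__main__":
    for line_no, client_ip, host, ioc in scan_log(SAMPLE_LOG, IOC_DOMAINS):
        print(f"line {line_no}: {client_ip} -> {host} (matches IOC {ioc})")
```

Run against the constructed sample, the sweep flags lines 2, 3 and 5 and leaves the look-alike notexample-ioc.test alone. Feeding it a real proxy export is a matter of pointing scan_log at the file contents and adjusting LOG_RE to the local log layout; the matching logic does not change.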