Archive for July 15, 2022

The Cyber Safety Review Board Releases Their First Report

Posted in Commentary with tags on July 15, 2022 by itnerd

Last year, President Biden created the Cyber Safety Review Board with the intention that, akin to the National Transportation Safety Board, the new organization would review cyber incidents, examine root causes and, where necessary, make recommendations. In relation to that, the U.S. Department of Homeland Security (DHS) has released the first report of the Cyber Safety Review Board (CSRB). It should be considered required reading.

Chris Clymer, Director & CISO, Inversion6 had this to say:

     “Log4J shined a light on long-standing problems in our software supply chain. IT systems have become incredibly complex, with layers and layers of components put together by layers and layers of integrators and developers. All of which is often compiled and built in ways where it is extremely difficult to know what components are included in a system your business relies upon.

     This CSRB report is filled with great recommendations, and helps to reinforce that the Log4J issue has not gone away, and that there are likely numerous similar problems out there still unidentified. CISA has done really great work raising awareness on security the last few years, becoming a singular voice on cybersecurity for the government. So it’s striking that this report says that for all that, CISA should be doing MORE to assess and raise awareness. There are clearly more improvements to keep making. They also recommend that the CISA guidance be taken from optional to mandatory by state and federal regulators. I’m skeptical that many laws will pass here in our current political environment…and sadly, I agree that short of regulations REQUIRING organizations to do things like maintain a Software Bill of Materials, organizations are unlikely to prioritize investing the significant time and money into these efforts. Many would like to…but the costs to really address these problems will be high. Without regulatory cover, it is difficult to explain to stockholders why you’re making these investments…especially if you’re the first one making that shift.”

This is fundamentally a good thing. For too long, cyber incident response has been uncoordinated, with a lack of systematic review at the Federal level. I look forward to seeing future reports as this one is very instructive.

The State of Mobile App Security in 2022 Report Released

Posted in Commentary with tags on July 15, 2022 by itnerd

Approov and Osterman Research today issued “The State of Mobile App Security in 2022”. Key findings include:

  • 75% of companies say mobile apps are now “essential” or “absolutely core” to their success, up from 25% two years ago.
  • 75% Would Face Substantial Consequences from a Successful Attack on Their Mobile App: An attack against APIs that rendered a mobile app non-functional would have a significant effect on 45% of businesses and a major impact on an additional 30%.
  • 78% Have Low Confidence in Mitigation Against Specific Threats: 78% of respondents are not highly confident that their organizations have the appropriate level of security defenses and protections in place to protect against specific threats posed by mobile apps.
  • Poor Visibility into Security Threats Against Mobile Apps:
    • 60% lack visibility into credit fraud attempts
    • 59% lack visibility into the creation of fake accounts
    • 56% lack visibility into data stolen from APIs by scripts
    • 54% cannot detect the use of stolen API keys being used to mimic genuine requests
    • 53% lack visibility into credential stuffing attacks
    • 51% lack visibility into secrets exposed on mobile platforms
    • 50% cannot detect access by cloned, fake or tampered apps
  • Third-Party APIs Create Pathways for Threat Actors:
    • On average, mobile apps depend on more than 30 third-party APIs, and half of the mobile developers surveyed are still storing API keys in the app code – a massive attack surface for bad actors to exploit.
    • 42% of organizations don’t require third-party developers to attest to following required standards, and 38% do not pen test the security of third-party code.

Aimei Wei, CTO and Cofounder of Stellar Cyber had this comment:

     “Mobile apps are certainly a rapidly growing attack surface. Mobile app developers need to follow practices such as not hard-coding secrets and storing API keys in a secure place. It will help to reduce the attack surface. On the other hand, having visibility of runtime threats against mobile apps and APIs is critical; having a detection and response system that can provide visibility and detect attacks in real time will help to provide the overall coverage and fill the gap.”

Edward Roberts, VP of Marketing, Neosec added this:

     “APIs are a very important part of mobile apps and their adoption is widespread. But APIs in mobile apps are focused on business-to-consumer API behavior and usage. There is another large attack surface of business-to-business APIs that connect commerce globally, which are unfortunately largely unprotected. The vulnerabilities and potential abuse of these B2B APIs are increasingly concerning to security professionals worried about the risk exposure of their organization.”

Hopefully mobile app developers get the message and improve their code so that their apps are not threats. That helps them, and it helps the rest of us.

Canada Learning Code Hosts TeacherCon to Help Educators Implement Computer Science Curriculums into Classrooms

Posted in Commentary with tags on July 15, 2022 by itnerd

The last two years have been demanding and strenuous for teachers, who have had to overcome many extraordinary challenges. While the world stopped during COVID, technology development and reliance on it did not, only adding to the challenges teachers face. Schools are embracing these changes too: for example, starting September 2022, coding will be mandatory from Grades 1-9 in the Ontario curriculum.

Canada Learning Code (CLC) is looking to remove barriers to success for teachers by providing them with the tools and resources they need to teach students computer science and build the essential digital skills required to succeed in the future. And this is being done via TeacherCon.

TeacherCon is a free multi-day conference hosted by CLC, designed to help teachers with little-to-no coding experience teach coding fundamentals with confidence. It’s an opportunity to provide educators with the assets and tools they need to teach coding the easy way as curriculums modernize across Canada. The three-day virtual conference, happening from August 9th to 11th, is filled with multiple workshops across different subjects, lesson plans, guidelines, and fun ways to introduce computer science into the classroom at any grade level using CLC-created materials and methods.

You can register for free here.

Research On Lilith Ransomware Released

Posted in Commentary with tags on July 15, 2022 by itnerd

Researchers at Cyble have released new research on Lilith, a new ransomware that has already posted its first victim on a data leak site created to support double-extortion attacks. Lilith, discovered by JAMESWT, was designed for 64-bit versions of Windows.

Darren Williams, CEO and Founder, BlackFog had this comment:

     “Double extortion is the new norm for all these new variants. We are seeing very few perform encryption as in the past, which highlights the need for tools that focus on data exfiltration as the main mechanism of action. We have also seen a dramatic rise in attacks on sectors with the weakest security and investments such as Education, Government and Manufacturing, with a 33%, 25% and 24% increase in attacks during June (https://www.blackfog.com/the-state-of-ransomware-in-2022/).”

Given the fact that threat actors have evolved into blackmail artists, you need to ensure that your security is on point so that you avoid becoming the next headline.