The IT Nerd

The IBM X-Force Cloud Threat Landscape Report 2023 tracked 632 new cloud-related vulnerabilities between June 2022 and June 2023 and saw a 194% increase over the previous year bringing the total number tracked by the vendor to 3900, a number that has doubled since 2019. 

In 36% of the real-world cloud incidents, the top initial access point for cloud compromises was the use of valid credentials either attained during an attack or stolen prior to targeting a specific victim. That is a significant jump from the 9% observed the previous year.  

“[It] highlights the need for organizations to move beyond human-reliant authentications and prioritize technological guardrails capable of securing user identity and access management,” IBM analyst Chris Caridi said. 

The X-Force team found examples of poor security practices such as plaintext credentials located on user endpoints in 33% of incidents involving cloud environments. 

The next two most common access strategies, each 14% of engagements, were exploitation of public-facing applications and phishing and spear phishing.

Dave Ratner, CEO, HYAS had this to say:

   “Chris Caridi is correct that organizations need to do a better job of securing and authenticating user identity.  At the same time, bad actors will always break in, so the report also highlights the need for improved visibility and observability of anomalous communication patterns via Protective DNS — the telltale sign of an initial breach beaconing out to its command-and-control for instructions.  Only through a defense-in-depth strategy will organizations truly be able to implement business and operational resiliency.”

With the cloud being as pervasive as it is within most organizations, there really needs to be a focus on clouds security to ensure that this isn’t a threat to an organization’s security.

According to IBM’s Cost of a Data Breach Report released today, the average healthcare data breach has reached $10.93 million which is an 8% jump from a year ago, when the average cost topped $10 million for the first time.  

For the 13th year in a row, the healthcare industry has suffered more expensive data breaches than any other sector. By comparison, the average cost of a data breach across all industries is less than half at $4.45 million.  

“We’re seeing a very big increase for healthcare organizations, probably because they’re really in the crosshairs of attackers. And there is no relenting so far,” said Limor Kessem, a senior cybersecurity consultant for IBM Security.  

Meanwhile, healthcare organizations have trailed other industries in their cybersecurity defenses as health systems have had trouble attracting top cybersecurity talent, because other industries pay better.  

“Security folks are going to work for places where they could get the bigger paycheck, and it’s not always going to be a healthcare organization,” Kessem says. “It’s a tough industry to get very skilled staff.” 

I have three comments on this. The first is from Carol Volk, EVP, BullWall:

   “Work smarter, not harder. There is good affordable automation available (and coming) in the cybersecurity field. Even the best cybersecurity teams get overwhelmed by too many alerts, so there is a serious effort to automate the filtering of those “alerts” to just those requiring immediate human interaction, effectively slowing down the alert pace to a manageable, human speed.  This is why the automation of detection and containment of attacks is more and more the focus. The attack is slowed or stopped before data can be affected, allowing defenders time to respond. The application of AI is expected to greatly accelerate this effort of determining what must be reviewed by humans for response.”

The second is from Emily Phelps, Director, Cyware: 

   “Healthcare will always be an attractive target for threat actors because of the valuable data they collect and store. Adversaries don’t only outnumber available cybersecurity pros; they collaborate effectively too. To mitigate the risks, healthcare organizations should leverage automation tools that enable lean security teams to efficiently address threats; they should ensure they invest in regular security awareness training so employees are armed to recognize and avoid common threat tactics such as phishing attacks; and they should consider partner with security providers that can act as an extension of their teams, gaining expertise that is more difficult to resource and retain internally.”

And the last is from Stephen Gates, Principal Security SME, Horizon3.ai:

   “The healthcare industry is being impacted by an enormous threat landscape with vast numbers of threat actors who are looking to breach organizations’ networks, steal their data, hold them for ransom, and potentially destroy their businesses. The defensive technologies they have in place are proving to be insufficient in blocking today’s attacks. Continuously assessing your network attack surface, finding your weaknesses, remediating them immediately, and verifying that your remediations worked is the best way organizations can stay ahead of attackers. Consider attacking yourself daily, then fixing what matters most.”

The challenges with securing the healthcare space need to be fixed, and that needs to happen now. Whether that’s through automation, people, or both, the status quo cannot be allowed to continue.

Security researchers with Rapid7 have disclosed threat actors are exploiting a critical vulnerability in an IBM file-exchange application to install ransomware on servers. The IBM Aspera Faspex critical vulnerability, tracked at CVE-2022-47986, was patched by IBM in January.

Sylvain Cortes, VP of Strategy at Hackuity had this comment:

     “It is unsettling to note that for the same vulnerability (CVE-2022-47986) many cyber security companies have their own information that remains fragmented. It is important to be able to unify this information from several vendors in order to maximize its defense operations and trigger the right response. Solutions that aggregate vulnerability-related data from vulnerability scanners, EDRs or even service practices provide organizations with the critical visibility they depend on.”

This reminds me of the  GoAnywhere file transfer solution vulnerability that has led to multiple organizations being pwned by the Cl0p ransomware group. Except that we haven’t seen threat exploit this to the same degree that Cl0p has. If you use IBM Aspera, you should be applying these patches ASAP, assuming you haven’t already so this doesn’t turn into another GoAnywhere situation.

According to IBM, ransomware prevention saw massive improvements in 2022, while ransomware time to deploy (TTD) dopped by 94%, just two findings derived from billions of datapoints collected in 2022 from network and endpoint devices by IBM and reported on in their “X-Force Threat Intelligence Index 2023.” This is a wide-ranging report with excellent stats:

• 27% – Percentage of attacks included extortion – 30% aimed at manufacturing
• 21% – Share of incidents that saw backdoors deployed – the top action on objective
• 17% – Ransomware’s share of attacks (down from 21% in 2021)
• 41% – Percentage of incidents involving phishing for initial access
• 26% – Exploited public-facing applications
• 100% – Increase in the number of thread hijacking attempts per month

Top impacts 2022

• 21% – Extortion
• 19% – Data theft
• 11% – Credential harvesting
• 11% – Data leak
• 9% – Brand reputation

This is a bit of mixed bag. But at least the fact that ransomware is being stopped is good news.

Morten Gammelgaard, EMEA, co-founder of BullWall had this to say:

   “It is excellent news that ransomware prevention is improving, if for no other reason than it diverts cybercriminals away from executing attacks to developing new tactics, which they will. With extortion, data theft, data leaks and brand reputation being the top 4 out of 5 ways ransomware impacted organizations in 2022, organizations cannot rely solely on prevention and need to also consider active defense/containment strategies to catch the attacks that bypass prevention-based tools. When an active attack is unable to encrypt or exfiltrate data, organizations are given time to respond, eliminating 80% of the potential impact to their business.”
 

David Maynor, Senior Director of Threat Intelligence at Cybrary followed up with this:

“There are three kinds of lies: lies, damn lies, and ransomware stats. For the last couple of months depending on who you ask ransomware attacks and becoming less of a problem or they are increasing. If your risk model is based on arbitrary thresholds like at 20% we don’t address it but we take it seriously at 21% of attacks seen…you have already lost and a ransomware actor is probably watching you read this.”

Hopefully when this report comes out in 2024, we see more ransomware being stopped which means by extension that ransomware is less profitable for the people behind ransomware.

The tech layoffs continue with IBM being the latest company to lay staff off. They announced yesterday that nearly 4000 had gotten the axe:

Chief Financial Officer James Kavanaugh told Reuters that the company was still “committed to hiring for client-facing research and development”.

The layoffs — related to the spinoff of its Kyndryl business and a part of AI unit Watson Health — will cause a $300 million charge in the January-March period, IBM said.

But here’s the really bad part about this. Investors don’t think the cuts went far enough:

Shares of the company fell 2% in extended trading, erasing earlier gains on the largely upbeat results. Analysts said news of the job cuts and free cash flow miss was behind the drop.

“It seems as if the market is disappointed by the size of its announced job cuts, which only amounted to 1.5% of its workforce,” said Jesse Cohen, senior analyst at Investing.com.

“Investors were hoping for deeper cost-cutting measures.”

If that is true it really is a sad commentary on the times that we live in. Having people lose their jobs shouldn’t be seen as a sport where the biggest job cuts announced by a company wins. But clearly that’s how Wall Street sees things. And that’s sad.

IBM has released the annual ‘Cost of a Data Breach’ report, conducted by Ponemon Institute, which found that the cost of a data breach in 2022 totaled $4.35 Million, an increase of 2.6% since last year’s total of $4.24 Million.

Sanjay Raja, VP of Product, Gurucul had this comment:

     “The follow-up attack effect, as described, is a significant problem as the playbooks and solutions provided to security operations teams are overly broad and lack the necessary context and response actions for proper remediation. For example, shutting down a user or application or adding a firewall block rule or quarantining a network segment to negate an attack is not a sustainable remediation step to protect an organization on an ongoing basis. It starts with a proper threat detection, investigation and response solution. Current SIEMs and XDR solutions lack the variety of data, telemetry and combined analytics to not only identify an attack campaign and even detect variants on previously successful attacks, but also provide the necessary context, accuracy and validation of the attack to build both a precise and complete response that can be trusted. This is an even greater challenge when current solutions cannot handle complex hybrid multi-cloud architectures leading to significant blind spots and false positives at the very start of the security analyst journey.”

What’s worse than the economic cost is the repetitional damage that can happen. And that’s a dollar amount that you can’t calculate. Thus companies need to make sure that they don’t become the next headline.

A bombshell dropped earlier today from IBM who announced that they are getting out of the facial recognition business. This news came via IBM CEO Arvind Krishna in a letter to Congress today. Here’s the reasons why:

IBM no longer offers general purpose IBM facial recognition or analysis software. IBM firmly opposes and will not condone uses of any technology, including facial recognition technology offered by other vendors, for mass surveillance, racial profiling, violations of basic human rights and freedoms, or any purpose which is not consistent with our values and Principles of Trust and Transparency. We believe now is the time to begin a national dialogue on whether and how facial recognition technology should be employed by domestic law enforcement agencies.

Artificial Intelligence is a powerful tool that can help law enforcement keep citizens safe. But vendors and users of Al systems have a shared responsibility to ensure that Al is tested for bias, particularity when used in law enforcement, and that such bias testing is audited and reported.

Finally, national policy also should encourage and advance uses of technology that bring greater transparency and accountability to policing, such as body cameras and modern data analytics techniques.

Clearly this is related to the protests tied to the death of George Floyd at the hands of police. Companies like IBM are clearly re-evaluating their relationships with police agencies and making adjustments. However, I would say that into this void other companies will step in. Clearview AI who appear not to have the same moral standards as IBM is likely to fill this void. Which means that this tech will still be out there.

IBM today announced that it has entered into a definitive agreement to acquire The Weather Company’s B2B, mobile and cloud-based web properties. This includes WSI, weather.com, Weather Underground and The Weather Company brand. The TV segment – The Weather Channel – will not be acquired by IBM, but will license weather forecast data and analytics from IBM under a long-term contract. The combination of technology and expertise from the two companies will serve as the foundation for the new Watson IoT Unit and Watson IoT Cloud platform, building on a $3B commitment made by IBM in March 2015 to invest in related offerings and services.
Some interesting related information:

• The Weather Company’s data platform hosts the fourth-most used mobile app in the U.S.
• Cloud-based service handles 26 billion requests a day.
• IBM ramps up new Watson IoT unit with powerful cloud platform for cognitive business.

Upon closing, IBM will acquire The Weather Company product and technology assets that include the world’s leading meteorological data science experts, precision forecasting capabilities and a high-volume cloud platform that ingests, processes, analyzes and distributes enormous data sets at scale in real time. The company’s sophisticated models analyze data from three billion weather forecast reference points, more than 40 million smartphones and 50,000 airplane flights per day, allowing it to offer a broad range of data-driven products and services to more than 5000 clients in the media, aviation, energy, insurance and government industries.