More stories


    Your cybersecurity superpower: Here's how to influence employee behavior

    I’m very excited to share my latest research on best practices for successfully influencing employee cybersecurity behavior. Excited may not be the right word exactly, as this research was born out of the disappointment I started feeling when hearing of security leaders and teams implementing disciplinary sanctions for employees who fail phishing simulations, cybersecurity quizzes, or fall victim to scams such as business email compromise. 


    This punishment ranges from extreme sanctions, such as disciplining or terminating the offenders or victims, to less severe forms, including forcing employees to sit through more training. While the latter may sound okay, employees disagree. The debate raged about the ethics and effectiveness of these practices, and hence it took me a while to put pen to paper, because I get all sides of this dilemma.

    This is what I decided: Sure, there is a time and place for disciplinary action, but leaders seemed to jump to it too readily. It seemed as though we could not see that some of the interventions we were putting in place reinforced negative perceptions and resentment of security, humiliated employees, caused psychological damage, and encouraged employees to hide failures and mistakes. Education and shame are not synonyms. You may win the battle, but the war is much bigger.

    As a security leader, your bigger opportunity is to engage, influence, and benefit your employees as well as your organization’s customers, and even society. To do this, you need to:

    Be aware of the impact of each security intervention. When weighing consequences for negative security behaviors, security leaders often think of extreme punishments like formal disciplinary action or dismissal as deterrents. However, employees also view many well-meaning interventions as punitive, particularly if they overtax employee time and productivity and seem to lack empathy. Tread the fine line between engagement (e.g., quizzes), empathy (e.g., ask-and-listen hours), and punishment (e.g., dismissals).

    Start by designing an environment tolerant of human fallibility; this isn’t purely an awareness or training problem. Before proceeding to punishment — or indeed any sort of intervention — you need to be very clear that you’ve done all that you can to support employees who have made a mistake or have become a victim. Your employees fall for scams — real or simulated — for many reasons, including: your test or simulation is too difficult to detect; your security awareness training is dull and tedious; you’re not helping employees avoid errors; or you failed to design security processes and technologies that stop people from making errors.

    Find positive ways to influence good security behavior and creativity. Instead of scaring employees into complying with your security rules, use empathy and recognition to create engagement. Employees who feel empowered can focus on solutions without fear. Forrester’s Employee Experience Index shows that empowerment is the most significant predictor of engagement. Initiate positive reporting and messaging (e.g., communicate successes such as “X% completed the exercise this month, up from Y%” and “Clicks are down by Z%, and nonreporting is down by X%”) so employees are encouraged; respond to self-reported mistakes, nudge behaviors toward the correct action, and recognize and reward positive behaviors as they occur. Consider safety culture, where organizations celebrate success and change behavior via initiatives such as incentives, leaderboards, safety moments, and walls of fame.

    Choose the appropriate behavior modification action. Outside gross negligence, employees should never suffer when their employer falls victim to a data breach, cyberattack, fraud, or scam. Before making the call about what intervention to use, decide whether your employee is a victim or has been blatantly and regularly breaching the rules. Use our severity versus repetition framework to segment offenders and create different interventions for each type of offender.

    Make the tough calls when necessary, and always do so ethically. Listening, coaching, and changing processes are all well and good, but at some point, you need to face reality and discipline anyone who has been maliciously flouting the rules. To know when you’ve reached the point of making the tough call, consider these questions: Is their intent malicious? Are they bypassing processes repeatedly for inappropriate reasons, such as their seniority in the organization? If the answer to either of these is yes, you have every reason to act with ethics, integrity, empathy, candor, and transparency.

    My key takeaway? Make empathy your new superpower in all the big and small things that you do. All of this recognition and behavioral change requires you to become a coach, not a boss, not only for your team, but also for all employees and stakeholders within your organization. Level up your leadership skills by eliminating passive management practices and fostering a strong coaching mindset. It is through this mindset that the suggestions above will seem less of a chore or a practical guide and more of a lifestyle that you and your team can implement.

    As organizations seek to leverage emerging technology and intelligent automation in new ways, employees need to feel they can innovate and experiment consistent with the security and privacy values of the enterprise. But many organizations manage human risk through a model of control, coercion, and punishment — from penalizing users who fail simulations or training to terminating offenders or victims of breaches. Security programs founded in fear not only drive down employee engagement and inspiration, but also stifle creativity. Instead, organizations must learn how to nurture positive behavior to foster a security culture that deals with human fallibility with positivity, instead of distress, reprimand, and shame.

    This post was written by Forrester Principal Analyst Jinan Budge, and it originally appeared on the Forrester blog.


    This dangerous mobile Trojan has stolen a fortune from over 10 million victims

    An Android Trojan has now achieved a victim count of over 10 million in at least 70 countries. 

    According to Zimperium zLabs, the new malware has been embedded in at least 200 malicious applications, many of which have managed to circumvent the protections offered by the Google Play Store, the official repository for Android apps. The researchers say that the operators behind the Trojan have infected so many devices that a stable cash flow of illicit funds, “generating millions in recurring revenue each month,” has been established.

    Believed to have been in operation since November 2020, the “GriftHorse” campaign relies on victims being duped into handing over their phone number, which is then used to subscribe them to premium SMS messaging services.

    Victims first download Android apps that appear innocent and legitimate. These apps vary from puzzle games and utilities to dating software and food and drink apps, with the most popular malicious app — a translator — accounting for at least 500,000 downloads.

    Upon installation, however, the GriftHorse Trojan, written in Apache Cordova, constantly bombards the user with messages alerting them to a fake prize they have won, and then redirects them to a web page selected based on their geolocation and, therefore, their language. Mobile users are then asked to submit their phone numbers for verification purposes. If they submit this information, they are subscribed to premium services “without their knowledge and consent,” zLabs noted.

    Some of the charges are upward of €30 ($35) per month, and if a victim does not notice this suspicious transaction, they could, theoretically, be charged for months on end with little hope of ever clawing back their cash.

    To avoid discovery, the malware’s operators use changeable URLs rather than hardcoded addresses. “This method allowed the attackers to target different countries in different ways,” the team says. “This check on the server-side evades dynamic analysis checking for network communication and behaviors.”

    zLabs reported its findings to Google, which promptly removed the Android apps marked as malicious from Google Play. However, these apps are still available on third-party platforms.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Akamai acquires cybersecurity firm Guardicore for $600 million

    Akamai Technologies has acquired Guardicore to enhance the content delivery network’s (CDN’s) cybersecurity portfolio.

    The deal was announced on Wednesday. Under the terms of the agreement, Akamai will pay roughly $600 million to acquire all outstanding equity.

    Tel Aviv, Israel-based Guardicore is a cybersecurity company that offers enterprises a micro-segmentation solution to reduce the potential attack surface of corporate networks, secure applications, and meet compliance standards. The firm’s software is based on a zero-trust and strict-permissions architecture, with process-level rules implemented to bolster secure access across public, private, and hybrid cloud environments.

    Akamai says the micro-segmentation solution will be added to the company’s Zero Trust security portfolio, which includes Web Application Firewall (WAF), Zero Trust Network Access (ZTNA), Domain Name System (DNS) Firewall, and Akamai’s Secure Web Gateway (SWG).

    “Their solution enables deep visibility into application flows, across data center and cloud applications, allowing businesses to more granularly understand and protect their infrastructure, from the core of the enterprise to the cloud,” Akamai says. “As a result, breaches can be detected early on so that corrective actions can be taken as quickly as possible.”

    The acquisition, subject to regulatory approval, is expected to close in Q4 2021. Akamai says that the purchase may generate between $30 and $35 million in revenue over FY2022, with Akamai’s non-GAAP operating margin anticipated to be in the range of 29-30%, returning to a minimum of 30% in 2023.

    “Given the recent surge in ransomware attacks and increasingly stringent compliance regulations, investing in technologies to reduce the spread of malware has become mission-critical,” commented Tom Leighton, CEO of Akamai. “By adding Guardicore’s leading micro-segmentation products to Akamai’s comprehensive portfolio of zero trust solutions, we believe Akamai will be able to provide the most effective way to combat ransomware on the market today.”

    Guardicore CEO Pavel Gurvich said the team “greatly look forward to joining Akamai to protect the user and the enterprise — no matter what the user is doing or where end-users and workloads are located.” Morgan Stanley & Co. served as Akamai’s financial advisor.


    Google launches new reward program for Tsunami Security Scanner

    Google has launched a new development program targeting the Tsunami Security Scanner.

    On September 28, Guoli Ma, Sebastian Lekies, and Claudio Criscione, members of Google’s vulnerability management team, said in a blog post that the new program is designed to improve Tsunami’s security detection capabilities. The Tsunami Security Scanner, open sourced in July 2020, was originally an internal Google tool and has since been published and made available to the public.

    The scanner is designed to check large-scale enterprise networks for open ports and then to cross-check vulnerability exposure based on the initial reconnaissance results. Users can implement plugins to check for specific security flaws. Tsunami can also check for basic security issues, including the use of weak enterprise credentials.

    Google says that the new, experimental program will give researchers patch rewards for creating plugins and application fingerprints. The former requires contributors to develop plugins that can be used for enhanced vulnerability detection, whereas the latter asks for web application modules that can be used to detect off-the-shelf web apps in an enterprise network. The company is most interested in high- and critical-severity bugs that can have a real-world impact on enterprise security.

    “The vulnerability should have a high or critical severity rating if there is already a CVE ID assigned (CVSS score >= 7.0),” Google says. “If there is no severity assigned yet, the Tsunami scanner team will perform the triage and determine the severity. This usually includes vulnerabilities like Remote Code Executions (RCEs), arbitrary file uploading, security misconfigurations that result in the exposure of sensitive admin panels, and so on.”

    The tech giant says that Tsunami also needs more fingerprint data for popular web apps that may contain bugs affecting the security of a wider network. If IT teams do not realize these apps are present, they may be overlooked in patch processes. Contributions are overseen by Google’s vulnerability management team.

    In July, Google announced a new bug bounty platform, https://bughunters.google.com. The resource center brings together all of the firm’s Vulnerability Rewards Programs (VRPs), including Google, Android, Abuse, Chrome, and Play, to streamline the vulnerability disclosure process. It is on this platform that those interested in the Tsunami program can find the in-scope lists for contributions to open source tools and Tsunami.

    Financial rewards vary. For web application fingerprints, Google is willing to pay a flat fee of $500 for each fingerprint added to Tsunami’s database. When it comes to plugins, up to $3,133 is on offer, depending on the severity of a vulnerability and whether or not it is emergent.


    Ransomware attacks against hospitals are having some very grim consequences

    Ransomware attacks against hospitals are having direct consequences for patient care as a result of the reduced availability of systems and services when cyber criminals encrypt networks. According to a survey of healthcare organisations, ransomware attacks have resulted in patients being kept in hospital longer, delays in tests and procedures – and, most disturbingly of all, an increase in patient deaths. 


    The research into the impact ransomware has on hospitals and patient care was conducted by the Ponemon Institute think tank and cybersecurity company Censinet.

    Ransomware is a major cybersecurity issue for all industries, but attacks against healthcare have a huge impact because of the potential consequences for patient care. If a retailer or a supermarket is compromised with ransomware, customers can often go elsewhere for their products – but in the case of hospitals, that’s not really an option. It’s why targeting hospitals has become a lucrative business for criminal ransomware operations – the nature of healthcare and the requirement for constant access to systems mean that, in many cases, the victim will give in and pay the ransom demand for a decryption key.

    The results of the survey, based on answers from 597 IT and IT security professionals working in healthcare, paint a picture of hospitals struggling to protect against and deal with the fallout from ransomware attacks – and all of this at a time when healthcare has been feeling the strain of the coronavirus pandemic.

    Just over a third (36%) of respondents at hospitals affected by a ransomware attack saw an increase in complications for patients following medical procedures, while seven in 10 saw delays in procedures and tests resulting in what’s described as “poor outcomes”. Seven in 10 patients also had a longer stay at the hospital due to the ongoing consequences of a ransomware attack. One in five respondents who worked at a hospital that had been hit by ransomware said the incident led to an increase in deaths.

    Official reporting that examines the direct impact of ransomware on patient mortality is opaque at best. In September last year, it was reported that a patient at a German hospital died after the facility was hit by a ransomware attack, as they were being transferred to another hospital. Police launched an investigation into the death to determine whether the cyber criminals who launched the ransomware attack were responsible for the patient’s death. However, they concluded that the patient was in such poor health that it was still likely they would have died.


    While healthcare is a tempting target for ransomware because of the critical nature of the industry, funding issues around cybersecurity don’t help. Hospital budgets are often stretched, meaning that investment in IT infrastructure and cybersecurity can end up low down the priority list. This can lead to cybersecurity issues like failing to patch known vulnerabilities or to update operating systems to the latest version becoming big problems, both of which can be exploited by cyber criminals to launch ransomware attacks.

    Budgets are tight, but if healthcare organisations can invest in the technology and security staff required to help discover and fix vulnerabilities in endpoints and networks, it can go a long way to helping keep hospitals – and patients – safe from the impact of cyberattacks.

    “Our findings correlated increasing cyberattacks, especially ransomware, with negative effects on patient care, exacerbated by the impact of COVID on healthcare providers,” said Larry Ponemon, chairman and founder of the Ponemon Institute.


    Telegram bots are trying to steal your one-time passwords

    Telegram-powered bots are being utilized to steal the one-time passwords required in two-factor authentication (2FA) security. 

    On Wednesday, researchers from Intel 471 said that they have seen an “uptick” in the number of these services offered in the web’s underground, and over the past few months, it appears the variety of 2FA circumvention solutions is expanding — with bots becoming a firm favorite.

    Two-factor authentication (2FA) can take the form of one-time password (OTP) tokens, codes, links, biometric markers, or tapping a physical dongle to confirm an account owner’s identity. Most often, 2FA tokens are sent through a text message to a handset or to an email address. While 2FA improves on the use of passwords alone to protect our accounts, threat actors were quick to develop methods to intercept OTPs, such as through malware or social engineering.

    According to Intel 471, since June, a number of 2FA-circumventing services have been abusing the Telegram messaging service. Telegram is either being used to create and manage bots or as a ‘customer support’ channel host for cybercriminals running these types of operations. “In these support channels, users often share their success while using the bot, often walking away with thousands of dollars from victim accounts,” the researchers say.

    The Telegram bots are being used to automatically call would-be victims in phishing attempts, to send messages claiming to be from a bank, and to otherwise try to lure victims into handing over OTP codes. Other bots are targeting social media users in phishing and SIM-swap attack attempts.

    In order to create a bot, there is a basic level of programming required — but nothing in comparison to developing custom malware, for example. What makes matters worse is that, in the same way as traditional botnets, the Telegram bots can be leased out — and once the phone number of an intended victim is submitted, attacks can begin with only a few clicks.

    The researchers cited two particular bots of interest: SMSRanger and BloodOTPbot. SMSRanger’s interface and command setup are similar to the Slack collaboration platform, and it can be used to target particular services including PayPal, Apple Pay, and Google Play. BloodOTPbot is an SMS-based bot that can also be used to generate automatic calls that impersonate bank staff.

    “The bots show that some forms of two-factor authentication can have their own security risks,” Intel 471 commented. “While SMS- and phone-call-based OTP services are better than nothing, criminals have found ways to socially engineer their way around the safeguards.”

    In April, Check Point Research disclosed the existence of a Remote Access Trojan (RAT) dubbed ToxicEye that abuses the Telegram platform, leveraging the communications service within its command-and-control (C2) infrastructure.


    Critical Infrastructure Bill should be split to swiftly give government step-in powers: PJCIS

    The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has recommended that the Bill that would provide government with step-in powers whenever an organisation suffers a cyber attack be swiftly passed.

    “The committee received compelling evidence that the complexity and frequency of cyber attacks on critical infrastructure is increasing globally. Australia is not immune and there is clear recognition from government and industry that we need to do more to protect our nation against sophisticated cyber threats, particularly against our critical infrastructure,” committee chair Senator James Paterson said.

    The Bill in question, the Security Legislation Amendment (Critical Infrastructure) Bill 2020, as currently drafted seeks to provide government with powers to step in and provide “assistance” to entities in response to significant cyber attacks on Australian systems, create enhanced cybersecurity obligations for those entities most important to the nation, and introduce sector-specific positive security obligations (PSOs) for critical infrastructure entities.

    The PJCIS noted in an advisory report [PDF], however, that only the portions of the Bill that focus on government assistance mechanisms and mandatory notification requirements should be passed now, with the “less urgent” aspects of the Bill to be introduced under a second, separate Bill following further consultation.

    The PJCIS believes this two-step approach would enable the quick passage of laws to counter looming threats against Australia’s critical infrastructure, while giving businesses and government additional time to co-design a regulatory framework that provides long-term security for the country’s critical infrastructure. Along with this main recommendation, the advisory provided other recommendations detailing how the Bill should be split.

    The powers that the PJCIS wants to see passed immediately are the government assistance mechanisms, colloquially termed “last resort” powers, which entail giving government the power to direct an entity to gather information, undertake an action, or authorise the Australian Signals Directorate (ASD) to intervene against cyber attacks. This also includes the proposal for software to be installed that the Department of Home Affairs claims would aid providers in dealing with threats.

    It also wants one of the PSOs in the current Bill, which would require organisations to formally notify government if they experience a cyber attack, to be passed immediately.

    While the PJCIS supports the introduction of the “last resort” powers, tech giants operating in Australia, such as Amazon Web Services, Cisco, Microsoft, and Salesforce, have all taken issue with them, saying more clarity is needed regarding how and when those powers can be exercised. Meanwhile, Google believes the assistance mechanisms would only create more problems.

    “I do not believe that there is a situation where installing ASD software on our networks or our systems, especially in the heat of an incident, is actually going to cause anything except more problems, and it’s not going to help the solution and it’s not going to help the problem at hand,” Google threat analysis group director Shane Huntley said in July.

    “The committee acknowledges that affected entities will still have reservations with the enablement of the assistance measures, especially within the technology sector. However, the committee recognises that the potential threat faced to critical infrastructure assets is too great to stall introduction of these essential measures for any longer,” the committee wrote in response to those concerns.

    Among the less urgent powers that the PJCIS would like to see introduced in a later Bill are the enhanced cybersecurity obligations and the remaining PSOs in the current Bill. These PSOs are adopting and maintaining an all-hazards critical infrastructure risk management program, and providing ownership and operational information to the Register of Critical Infrastructure Assets. The PJCIS said this second Bill should be drafted through consultation with industry.

    Since the Bill’s introduction into Parliament at the end of last year, the Department of Home Affairs has repeatedly requested for it to be rushed through, saying the sector-specific rules could be nutted out later.


    Exploit released for VMware vulnerability after CISA warning

    A working exploit for CVE-2021-22005 — a vulnerability in VMware vCenter — has been released and is reportedly being used by threat actors, according to experts tracking the issue.

    Last week, VMware warned of a critical vulnerability in the analytics service of vCenter Server and urged users to update their systems as soon as possible. On September 21, VMware said that vCenter Server is affected by an arbitrary file upload vulnerability in the Analytics service that would allow a malicious actor with network access to execute code on vCenter Server. By September 24, VMware had confirmed reports that CVE-2021-22005 was being exploited in the wild, and dozens of security researchers online reported mass scanning for vulnerable vCenter Servers and publicly available exploit code.

    CISA followed up with its own warning on Friday, writing on Twitter that it expected “widespread exploitation of VMware vCenter Server CVE-2021-22005.” Like VMware, CISA urged users to upgrade to a fixed version as quickly as possible or apply the temporary workaround provided by VMware.

    That same day, cybersecurity company Censys released a report showing that there were around 3,264 Internet-facing hosts that are potentially vulnerable. More than 430 had been patched, and 1,369 are either unaffected versions or have the workaround applied.

    In a statement to ZDNet, VMware reiterated that it has released patches and mitigation guidance to address multiple vulnerabilities affecting VMware vCenter Server 6.5, 6.7 and 7.0. It has also issued a public security advisory.

    “Customer protection is VMware’s top priority, and we strongly recommend that affected customers patch immediately as indicated in the advisory. As a matter of best practice, VMware encourages all customers to apply the latest product updates, security patches and mitigations made available for their specific environment and deploy our products in a security hardened configuration,” the company said. “Customers should also sign-up for VMware’s Security-Announce mailing list to receive new and updated VMware Security Advisories.”

    Derek Abdine, CTO of Censys, confirmed to ZDNet that the company has reliably proven that remote execution is possible and easy to do.

    “I can confirm in-the-wild exploitation now. It looks like it’s related to the second vulnerability that is part of CVE-2021-22005. I haven’t seen evidence of exploitation using the hyper/send endpoint (the other part of CVE-2021-22005), but that endpoint is slightly less viable because it has a prerequisite condition. The /datapp endpoint is more concerning as there are no prerequisites and it is thought to exist on more versions of vCenter,” Abdine explained. “Also, internal exposure is still a big deal. There are quite a number of these externally facing, but that should not be the norm. Many organizations have private VMware clusters, and this issue will still present a significant risk to them if an attacker is able to leverage the exploit internally.”

    Will Dormann, vulnerability analyst at the CERT/CC, also confirmed on Twitter that the exploit for CVE-2021-22005 is now fully public.

    (Figure: A map of where all VMware vCenter hosts accessible via the Internet are located. Source: Censys)

    Hosts from Hong Kong, Vietnam, the Netherlands, Japan, Singapore and other countries across the globe continue to scan for the vulnerability, according to Bad Packets.

    Abdine noted that while a patch has been available for days, there is a “patch saturation” phenomenon where patching never really reaches 100%.

    “For example, 5 days after the Atlassian Confluence blog post went out, we only saw a drop of 30% on total exposed vulnerable confluence services. When the Western Digital My Book Live issue came up recently, we observed the same thing even in the consumer space (versus enterprise software for Confluence/VMware),” Abdine said. “I think there are still plenty of hosts out there that are a concern. Greynoise.io and Bad Packets are both seeing opportunistic scanning that some are calling mass exploitation. However, from what I can tell so far, whoever is running these requests that are captured by Greynoise and Bad Packets are simply lifting URLs from community research (by Censys and @testanull on Twitter) and attempting to hit the URLs for those without full working knowledge of how to achieve execution.”

    Now that an exploit has been released, Abdine added, the “floodgates opened,” allowing any attacker with lower technical skills to perform mass exploitation.

    “So all in all, I don’t think we’re out of the woods yet — and again, it’s very common to run VMware clusters in internal datacenters that are only accessible via company VPNs. Virtual machines should continue to run. However, the operations and management you get with vCenter will absolutely be affected while the upgrade takes place, and may likely impact operations for organizations regularly using vCenter,” Abdine said.

    John Bambenek, principal threat hunter at Netenrich, told ZDNet that remote code execution as root on these types of devices is pretty significant. Almost every organization operates virtual machines, and if a threat actor has root access, they could ransom every machine in that environment or steal the data on those virtual machines with relative ease, Bambenek said.

    Other experts, like Digital Shadows threat intelligence team lead Alec Alvarado, noted that threat actors follow the news as much as security researchers do. Alvarado echoed what Abdine said, explaining that less sophisticated actors now have a chance to take advantage of the vulnerability thanks to the proof of concept. But for Bud Broomhead, CEO at Viakoo, the situation boiled down to patch management. “Managing patches manually leaves an organization at risk due to the slow (or non-existent) nature of the process, leaving an organization vulnerable,” Broomhead said.