More stories

  • Enterprise data breach cost reached record high during COVID-19 pandemic

    The average cost of a data breach has now reached over $4 million, hitting a record high during the COVID-19 pandemic. On Wednesday, IBM Security released its annual “Cost of a Data Breach” report, which estimates that in 2021, a typical data breach experienced by companies now costs $4.24 million per incident, with expenses incurred now 10% higher than in 2020 when 1,000 to 100,000 records are involved.

    So-called “mega” breaches impacting top enterprise firms, responsible for the exposure of between 50 million and 65 million records, now also come with a higher price tag, reaching an average of $401 million to resolve.

    After analyzing data breaches reported by over 500 organizations, together with a survey conducted by Ponemon Institute, IBM says that the “drastic operational shifts” experienced by the enterprise due to the pandemic, stay-at-home orders, and the need to quickly turn processes remote prompted higher costs and increased difficulty in containing a security incident once it had taken place. IBM estimates that roughly 60% of organizations moved to the cloud to keep their businesses running, but ramping up security controls did not necessarily follow. Where remote work was a factor in a breach, the cost was up to $1 million higher: an average of $4.96 million, compared with $3.89 million where it was not.

    The most common attack vector for enterprises experiencing a data breach was compromised credentials, either taken from data dumps posted online, sold on, or obtained through brute-force attacks. Once a network was infiltrated, customer personally identifiable information (PII), including names and email addresses, was stolen in close to half of cases.

    Over 2021, it has taken an average of 287 days to detect and contain a data breach, 7 days longer than in the previous year. In total, on average, an organization will not detect an intrusion for up to 212 days, and then it will not be able to fully resolve the issue until a further 75 days have passed.

    Data breaches in the healthcare industry were the most expensive, at an average of $9.23 million, followed by financial services at $5.72 million and pharmaceuticals at $5.04 million. However, according to IBM, companies that employ security solutions based on artificial intelligence (AI) algorithms, machine learning, analytics, and encryption all mitigated the potential cost of a breach, saving firms, on average, between $1.25 million and $1.49 million.

    “Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic,” said Chris McCurdy, VP of IBM Security. “While data breach costs reached a record high over the past year, the report also showed positive signs about the impact of modern security tactics, such as AI, automation, and the adoption of a zero-trust approach — which may pay off in reducing the cost of these incidents further down the line.”

  • New AI tools aim to improve live-stream content moderation

    While Facebook, Twitter, Google and other popular web-service providers are busy deploying legions of people to mitigate online toxicity in the forms of hate speech, bullying, and sexual/racial abuse, two lesser-known companies have come together in a new research and development project to try and resolve these problems in the live-streaming video industry.

    The Meet Group, which develops software for interactive dating websites, and Spectrum Labs, which makes an AI-based audio-content moderation platform, on July 27 announced an expansion of their partnership to include a significant R&D commitment into voice moderation aimed at protecting users from online toxicity in TMG’s live-streaming applications.

    The Meet Group owns several mobile social networking services including MeetMe, hi5, LOVOO, Growlr, Skout, and Tagged. The company has registered millions of mobile daily active users and facilitates tens of millions of conversations daily. Its mobile apps are available on iOS and Android in multiple languages.

    Hate and personally abusive speech are increasing in many channels, as social-networking companies have reported. Voice moderation is currently a major challenge because recording all content is neither possible nor privacy-friendly in an ephemeral live-streaming video context, TMG said. Existing methods of AI voice moderation are slow, tedious, and cost-prohibitive, because they require voice content to be transcribed before the text AI can be applied.

    Recording, analyzing content at the right time

    The Meet Group and Spectrum Labs are partnering to record content at the right time and proactively and cost-effectively detect toxicity, improve accuracy for moderators, and expand safety measures for users, TMG said.

    “The method of monitoring live streaming video today is twofold,” TMG CEO Geoff Cook told ZDNet. “One is algorithmic sampling of the stream every five to seven seconds, analyzing it, and taking actions accordingly. The other is the report side; we have 500-plus moderators who are staffing this and putting eyes on the stream in less than a minute after that report button is tapped. We want to record and transcribe that content, analyze it based on what’s going on, index it potentially in some kind of category, take action on it, then make that transcription or recording available to the moderator.”

    “This R&D project is concerned with being more thoughtful about filling in the gaps in the existing moderation.”

    Voice tracking will begin recording from two different triggers. The first happens when a report button is tapped; the tool will begin recording the voice track and automatically send it for analysis. The second trigger will begin voice recording automatically based on comments in the video. If an issue is believed to exist in the video based on the comments in the chat, the live stream will proactively be reported. If a content violation is believed to exist, the recording, along with the behavior flag and transcription, in addition to the live stream itself, if still in progress, will be sent to one of The Meet Group’s 500+ human moderators, who will review the content under the company’s Content and Conduct policy to see if a policy was violated.

    Live-streaming usage increasing on social networks

    Social, dating, and gaming companies are increasingly moving into live streaming video to improve community engagement, Spectrum Labs CEO Justin Davis told ZDNet. “With that shift comes a growing demand for effective moderation for voice,” Davis said. “With a billion minutes spent in its live-streaming platform per month and nearly 200,000 hours of content broadcast per day, The Meet Group is a fantastic partner with whom to work in deploying Spectrum’s toxic-voice detection and moderation platform to deliver best-in-class user safety controls for their moderation team and consumers alike.”

    “User safety is fundamental to what we do, and effective moderation of live-streaming video requires effective moderation of all aspects of the stream, including voice, text chat, and video,” Cook said. “The combination of Spectrum’s technology and moderation solutions with our safety standards and processes create what we believe is a model that others in the live-streaming video industry may look to follow.”

    The expanded partnership announced July 27 also includes algorithmic moderation of all chats sent within The Meet Group’s live-streaming solution and AI private-chat moderation. The algorithmic chat moderation, which will be available to The Meet Group apps as well as the company’s expanding list of vPaaS partners, will screen the nearly 15 million daily chats within the live-streaming feature for hate speech, sexual harassment, and other code-of-conduct violations, TMG said.

  • Google announces new bug bounty platform

    Google announced a new bug bounty platform as it celebrated the 10-year anniversary of its Vulnerability Rewards Program (VRP). The program led to a total of 11,055 bugs found, 2,022 rewarded researchers and nearly $30 million in total rewards.

    Jan Keller, technical program manager for Google’s VRP, said that in honor of the program, they are unveiling a new platform: bughunters.google.com. “This new site brings all of our VRPs (Google, Android, Abuse, Chrome and Play) closer together and provides a single intake form that makes it easier for bug hunters to submit issues,” Keller said.

    Keller added that the platform will have gamification features and offer more chances for interaction or competition. There will be per-country leaderboards and chances to acquire awards or badges for specific bugs. The company is also creating a more “aesthetically pleasing leaderboard” as a way to help those using their achievements in the VRP to find jobs. There will even be more chances for bug hunters to learn through the new Bug Hunter University.

    “We know the value that knowledge sharing brings to our community. That’s why we want to make it easier for you to publish your bug reports. Swag will now be supported for special occasions (we heard you loud and clear!),” Keller wrote.

    The blog post notes that more people should take advantage of other VRP features like the ability to submit patches to open-source software for rewards and potential rewards for research papers on the security of open source.

    Some open-source software may even be eligible for subsidy, Keller explained. “When we launched our very first VRP, we had no idea how many valid vulnerabilities — if any — would be submitted on the first day. Everyone on the team put in their estimate, with predictions ranging from zero to 20,” Keller said. “In the end, we actually received more than 25 reports, taking all of us by surprise. Since its inception, the VRP program has not only grown significantly in terms of report volume, but the team of security engineers behind it has also expanded – including almost 20 bug hunters who reported vulnerabilities to us and ended up joining the Google VRP team.”

    Keller went on to thank the Google bug hunter community for their work and urged them to give feedback about the new platform.

    Hank Schless, senior manager at Lookout, said his company has reported nearly 600 malicious apps found in the Play Store and commended Google for “essentially crowdsourcing their bug and vulnerability reporting.”

    “Google has always taken a more open approach to its software than comparable companies. Android, for example, is built on open-source technology that enables more customization of the OS,” Schless said. “Relying on others to help report on issues is a key part of creating a secure customer experience that can continue to improve. This type of community-based knowledge only serves to make the world a more secure place.”

  • Average time to fix high severity vulnerabilities grows from 197 days to 246 days in 6 months: report

    The latest AppSec Stats Flash report from NTT Application Security has found that the remediation rate for severe vulnerabilities is on the decline, while the average time to fix is on the rise. The report, which is compiled monthly, covers window of exposure, vulnerability by class and time to fix.

    The latest report found that the window of exposure for applications has increased over the last six months while the top-5 vulnerability classes by prevalence remain constant, which the researchers behind the report said was a “systematic failure to address these well-known vulnerabilities.”

    According to NTT Application Security researchers, the time to fix vulnerabilities has dropped 3 days, from 205 days to 202 days. The average time to fix is 202 days, the report found, representing an increase from 197 days at the beginning of the year. The average time to fix for high vulnerabilities grew from 194 days at the beginning of the year to 246 days at the end of June.

    Remediation rates have also decreased across all vulnerability severities, with rates for critical vulnerabilities falling from 54% at the beginning of the year to 48% at the end of June. Rates for high vulnerabilities decreased from 50% at the beginning of the year to 38% at the end of June.

    The report notes that many of these vulnerabilities are “pedestrian” and require a low level of effort and skill to exploit. HTTP Response Splitting is one issue that is on the rise, according to the report, and the authors suggest organizations pay closer attention to upgrading underlying open-source components. The vulnerability allows attackers “to modify the user-facing content of a website by tricking the target user into clicking a malicious link or visiting a malicious website.”

    More than 65% of applications in the utilities sector have at least one serious exploitable vulnerability throughout the year, leading all other industries. Education, manufacturing, and retail and wholesale trade applications each saw an increase in their windows of exposure this month. The window of exposure for the education, retail trade and manufacturing industries saw increases of 4%, and healthcare rose by 2%.

    “The Wholesale Trade sector has seen a 15% increase in Window of Exposure, while Utilities has experienced an 11% increase since the beginning of the year,” the researchers wrote. “Manufacturing, Public Administration and Healthcare are large sectors that have each seen a decline in their respective window of exposures, likely due to an increased focus on security following targeted breach activity and/or new regulations.”

    Two other sectors saw improvements in their window of exposure. The finance and insurance sectors reported a 2% drop in their window of exposure. “This data indicates that industries like Education, Retail, Manufacturing, Healthcare, Utilities and Public Administration continue to suffer more than other industries, including Finance and Insurance,” the report said. “The top-5 vulnerability classes identified in the last three month rolling window remain constant: Information Leakage, Insufficient Session Expiration, Cross Site Scripting, Insufficient Transport Layer Protection & Content Spoofing.”

  • Box unveils unlimited e-signature capabilities

    Cloud content management provider Box has released its native e-signature feature, Box Sign, to business and enterprise customers. The company has included this as part of its overall lifecycle of managing content versus selling it as a standalone product. 

    The technology that enables this came to Box through the February acquisition of SignRequest. The release on July 26 gives customers unlimited signatures plus access to a set of application programming interfaces (APIs) to modernize and digitize the process of managing signed documents. The service is available to a subset of customers now but will be rolled out to all users in the next few months.

    Box Sign includes the following features:

      • documents can now be sent for signature from within the Box web application;
      • the ability to sign and request signatures with four standard fields: signature, date, checkbox, and text;
      • templates for common and repeatable processes, such as NDAs;
      • email reminders and deadline notifications to keep projects on track;
      • serial and parallel document processing, so users can sign documents at the same time or sequentially;
      • real-time tracking; and
      • security controls, such as signer authentication via email, tamper seal indicators, and the inclusion of electronic record and signature disclosures if required.

    Pandemic hastened use of e-signatures

    The use of e-signatures saw a sharp rise during the stay-at-home period of the COVID-19 pandemic. Many processes that pre-pandemic required an actual wet signature shifted to e-signatures due to the need for physical distancing. This includes real estate transactions, sales contracts, and even some legal documents, such as employee onboarding. Now that people have grown accustomed to the ease of e-signatures and businesses trust the process, the increased use of them is likely to stay and even grow.

    While there are many standalone signature services, using them can cause some business challenges, particularly in large volumes. The first one is simply the additional cost of paying for a service. Some charge by the document, others by the user, some have capacity limits, etc. Also, there can be issues with version control when creating the document. For example, a salesperson may create a document in Word and then upload it into a standalone service to send to the customer. If the customer then asks for a change, the Word file is updated and re-uploaded, creating another copy if the original isn’t deleted. Then there is the process of protecting, archiving, and storing executed agreements. Typically, each e-signature service has its own file storage, and the user would need to remember to download the document from that service and then upload it into the corporate content management system.

    This is where Box’s approach is different, because it thinks about the lifecycle of the e-signature, which includes the actual signature but also the upstream and downstream processes. For example, consider a contract being created where the sales team and legal team would need to collaborate and send versions back and forth, make comments, assign tasks, and so on. This is made easy with the core Box platform when compared with something like email, because everyone is working with the same document. Instead of having to log into a separate tool, the e-signature process is done in Box natively, which means there’s nothing to upload. Once the contract is signed, it stays in Box, and any kind of governance policies can be applied to it. This might include something such as ensuring only certain key people can access the document once it is signed.

    Difference between e-signatures and digital signatures

    Those new to this area should understand there is a difference between e-signatures and digital signatures. A digital signature is an e-signature with enhanced security. When a document goes through the signing process, the signature is authenticated to validate the person’s identity. That information is stored in the document and will show if anyone tampers with the document after it has been signed. I asked Box about the service, and a spokesman explained that the company is starting with e-signatures but working on digital-signature verification capabilities for release later this year. This includes the ability to use SMS and/or passwords. In parallel, Box is working to integrate with a third-party trust provider to bring full digital-signature capabilities. Customers who require this today can work with a number of partners, such as DocuSign.

    Box also launches Enterprise Plus suite of tools

    Box also introduced its Enterprise Plus suite. This is a new plan that includes the following add-ons: Box Shield, Box Governance, Box Relay, Box Platform, and Box Sign. The suite also includes the ability to send documents for signature directly from Salesforce. Enterprise Plus is available now to Box customers. Businesses currently using Box Digital Suites can keep their current plan or upgrade to Enterprise Plus at no additional cost.

    Box has done a nice job with the evolution of its product to meet the constantly changing demands of an increasingly digitized world. When the term “collaboration” is used, many people think of products such as Webex and Zoom. While those are certainly important, workers collaborate by sharing, editing, securing, and now signing content; no one does that better than Box, and I look at this company as one of the vendors enabling businesses to shift to composable organizations. The pandemic had an interesting impact on society, because it forced us to try many things with which we may not have been comfortable previously, such as signing documents electronically. Now that people have been exposed to this and have experienced the benefits, the demand is likely to stay high. As businesses adopt e-signatures, it’s important to think of this as part of the overall document management process, versus something done in isolation.

  • 'Praying Mantis' threat actor targeting Windows internet-facing servers with malware

    Windows internet-facing servers are being targeted by a new threat actor operating “almost completely in-memory,” according to a new report from the Sygnia Incident Response team. The report said that the advanced and persistent threat actor, which they have named “Praying Mantis” or “TG1021”, mostly used deserialization attacks to load a completely volatile, custom malware platform tailored for the Windows IIS environment.

    “TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine’s memory and leaves little-to-no trace on infected targets,” the researchers wrote. “The threat actor utilized the access provided using the IIS to conduct the additional activity, including credential harvesting, reconnaissance, and lateral movement.”

    Over the last year, the company’s incident response team has been forced to respond to a number of targeted cyber intrusion attacks aimed at several prominent organizations that Sygnia did not name. “Praying Mantis” managed to compromise their networks by exploiting internet-facing servers, and the report notes that the activity observed suggests that the threat actor is highly familiar with the Windows IIS platform and is equipped with 0-day exploits.

    “The core component, loaded onto internet-facing IIS servers, intercepts and handles any HTTP request received by the server. TG1021 also use an additional stealthy backdoor and several post-exploitation modules to perform network reconnaissance, elevate privileges, and move laterally within networks,” the report explained.

    “The nature of the activity and general modus-operandi suggest TG1021 to be an experienced stealthy actor, highly aware of operations security. The malware used by TG1021 shows a significant effort to avoid detection, both by actively interfering with logging mechanisms, successfully evading commercial EDRs and by silently awaiting incoming connections, rather than connecting back to a C2 channel and continuously generating traffic.”

    The actors behind “Praying Mantis” were able to remove all disk-resident tools after using them, effectively giving up persistence in exchange for stealth. The researchers noted that the actors’ techniques resemble those mentioned in a June 2020 advisory from the Australian Cyber Security Centre, which warned of “Copy-paste compromises.” The Australian notice said the attacks were being launched by a “sophisticated state-sponsored actor” that represented “the most significant, coordinated cyber-targeting against Australian institutions the Australian Government has ever observed.” Another notice said the attacks were specifically targeting Australian government institutions and companies.

    “The actor leveraged a variety of exploits targeting internet-facing servers to gain initial access to target networks. These exploits abuse deserialization mechanisms and known vulnerabilities in web applications and are used to execute a sophisticated memory-resident malware that acts as a backdoor,” the Sygnia report said. “The threat actor uses an arsenal of web application exploits and is an expert in their execution. The swiftness and versatility of operation combined with the sophistication of post-exploitation activities suggest an advanced and highly skilful actor conducted the operations.”

    The threat actors exploit multiple vulnerabilities to leverage attacks, including a 0-day vulnerability associated with an insecure implementation of the deserialization mechanism within the “Checkbox Survey” web application. They also exploited IIS servers and the standard VIEWSTATE deserialization process to regain access to compromised machines, as well as “This technique was used by TG1021 in order to move laterally between IIS servers within an environment. An initial IIS server was compromised using one of the deserialization vulnerabilities listed above. From there, the threat actor was able to conduct reconnaissance activities on a targeted ASP.NET session state MSSQL server and execute the exploit,” the report noted. It added that the threat actors have also taken advantage of vulnerabilities with Telerik products, some of which have weak encryption.

    Sygnia researchers suggested patching all .NET deserialization vulnerabilities, searching for known indicators of compromise, scanning internet-facing IIS servers with a set of Yara rules and hunting for suspicious activity on internet-facing IIS environments.

  • InMotion Hosting review: Well-equipped web hosting

    If you’re looking for a web hosting provider, you have a tremendous number of choices. In my article “The best web hosting providers,” I looked at 15 providers who offer a wide range of plans. To get a better feel for each individual provider, I set up the most basic account possible and performed a series of tests. In this article, we’re going to dive into InMotion Hosting’s offerings. Stay tuned for in-depth looks at other providers in future articles.

    Because there’s such variability among plans and offerings among hosting providers, it’s hard to get a good comparison. I’ve found that one of the best ways to see how a provider performs is to look at the least expensive plan they offer. You can expect the least quality, the least attention to detail, and the least performance from such a plan. If the vendor provides good service for the bottom-shelf plans, you can generally assume the better plans will also benefit from similar quality. In the case of InMotion Hosting, the quality was quite reasonable.

    How pricing really works

    For the series of hosting reviews I’m doing now, I’m testing basic entry-level plans. In the case of InMotion Hosting, that’s what they call their Launch Plan. To get pricing, I simply went to the company’s main site at InMotionHosting.com. If you want to save some money, though, read to the end of this section.

    Like nearly every hosting provider in the business, InMotion’s offer is somewhat misleading. There is no option to just get billed $4.99 per month. While it looks like you can get the Launch plan for $4.99 per month, that’s only if you prepay for three full years, which means you’re actually paying $179.64. If you want only one year, you’re charging $83.88 to your card (which is $6.99 per month).

    There’s a gotcha, though: when you renew, you’re going to pay more. This is not uncommon for hosting plans and is a practice I strongly wish the hosting industry would stop. Instead of paying $179.64 for three years, you’re paying $359.64, which is more than double the price — a 100% increase.

    By the way, if you want to save some money, use the ‘Sales Chat’ button at the top of the InMotion site before you place an order. Just as soon as I asked for clarification, the agent offered me a few bucks off the posted price. It wasn’t much, but it was worth the five minutes it took.

    I harp on high renewal fees in my coverage of hosting vendors for two key reasons. First, it’s a really nasty feeling suddenly getting a bill that’s hundreds or even thousands of dollars (depending on the plan) more than you expect. Second, switching from one hosting provider to another can be a very time-consuming and possibly expensive job, fraught with hassles and potential points of failure. Unfortunately, while not a universal practice, at least half of the hosting vendors I’ve looked at over the years do these promo deals, with big jumps in renewal fees.

    What the base Launch plan includes

    Most bottom-end plans are for one website and one site only. I was pleasantly surprised to find that InMotion’s Launch plan allows for two sites. While most folks starting out with their first website will only need one site, having a second site allows for both growth and experimentation. You can use the second site as a staging site or use it to try out new ideas without risking the performance and functionality of your main site.

    As with most hosting vendors these days, InMotion claims unlimited disk space, unlimited bandwidth, and unlimited email. In practice, these unlimited values are limited by the terms of service. You can’t use your unlimited storage as a giant backup tank where you dump gigabits of video, for example. They also state, “accounts that adversely affect server or network performance must correct these issues or will be asked to upgrade to a virtual or dedicated server.” In other words, if your site suddenly becomes some sort of viral hit (you lucky thing!), you’re probably going to have to pay more to keep your site running.

    There are a few other wins in InMotion’s most basic plan. First, they host all their plans on SSDs. Even if a site is using caching (which reduces the load on a server), having fast drives is always a plus. Second, the company offers SSH access for even the basic plan. SSH is command-line shell access to a site. Most entry-level website operators don’t need SSH, but trust me: there are times that command-line access is the only thing that will fix a problem. Having SSH is something I consider necessary table stakes if you’re running a site you care about, but not all hosting providers offer it. Third, the company offers a free SSL encryption certificate for all accounts. While the certificate offered isn’t as complete as a fully professional certificate, it will do for most browsers accessing your site, and you won’t have to worry about Chrome flagging your site as “non-secure”. Fourth, and this is big: the company offers a 90-day money-back guarantee. This is great. It not only gives you enough time to learn their service and set up a site, but also to run it for a while and make sure it works well for you. This level of guarantee is something I’d like all hosting providers to offer. Finally, the Launch program offers free email, a website builder, and some free ad and marketing credits.

    Dashboard access

    The first thing I like to do when looking at a new hosting provider is explore their dashboard. Is it an old friend, like cPanel? Is it some sort of janky, barely configured open source or homegrown mess? Or is it a carefully crafted custom dashboard? Those are often the ones that worry me the most, because they almost always hide restrictions that I’m going to have to work around somehow.

    When you first log into InMotion’s dashboard, you’re greeted with their account management panel. Here, you can manage your credit card information, get support, and so on. Each account is also presented as a section in the panel. This is not the only dashboard you’ll be using. The main dashboard is cPanel, which is common to many, many sites across the web. Some management features are available both in the account panel and in cPanel. On the one hand, that elevates some of the more major tasks (like installing apps) to the account panel. On the other hand, that can get confusing.

    That said, there’s cPanel. While cPanel can be frustrating at times, it’s a very capable interface that lets you manage all aspects of your site. InMotion seems to have enabled all of cPanel’s main capabilities, so even with a basic account, I didn’t find myself restricted in any way, and that’s a nice feeling on an entry-level account.

Installing WordPress

There are certainly other content management and blogging applications you can use besides WordPress. That said, since 32% of the entire web uses WordPress, it's a good place to start. WordPress sites can be moved from hosting provider to hosting provider, so there's no lock-in. And by testing a site built with WordPress, we get some consistency in our testing between hosting providers.

I was a little surprised to see that a WordPress site had already been built for me by InMotion. So the very first thing I did was delete it. Once I was sure that the previous WordPress files were gone and the database was eliminated, I clicked the Softaculous icon. Softaculous is a standard app installer that makes it about as easy to install a web application as it is to install an app on your phone. Installation was quick and painless, and in about five minutes, I had a WordPress site up and running. I prefer using Softaculous when it's available because, although installing WordPress by hand is generally easy, there are text files that need to be edited, permissions that have to be gotten right, and some general fiddling. Softaculous does all of that for you. Then, in cPanel, I dropped into the MySQL panel, created my database, created a database user, and assigned the user to the database. The only gotcha I found was connecting to the database: rather than specifying localhost, I had to specify localhost:3306, which is the port used to access the database. Overall, adding an app using InMotion's cPanel went very smoothly.

Quick security checks

Security is one of the biggest issues when it comes to operating a website. You want to make sure your site is safe from hackers, doesn't get flagged by Google, and can connect securely to payment engines if you're running an e-commerce site of any kind.
While the scope of this article doesn't allow for exhaustive security testing, there are a few quick checks that can help indicate whether InMotion's most inexpensive platform starts from a secure foundation.

The first of these is multi-factor authentication. It's way too easy for attackers to just bang away at a website's login screen and brute-force a password. One of my sites has been pounded on for weeks by some hacker or another, but because I have some relatively strong protections in place, the bad actor hasn't been able to get in. Unfortunately, I have to ding InMotion for what I consider a pretty serious security flaw. When you log into their AMP (Account Management Panel), all you need to provide is a username and password. There is no option to set up any form of multi-factor authentication (MFA). Weirdly enough, if you log directly into cPanel, you can set up MFA there. That's most likely because cPanel has its own authentication built in. But the cPanel MFA is essentially worthless here, because the AMP logs you straight into cPanel: anyone who has your AMP password gets into cPanel without ever being asked for a second factor. Ouch.

I mentioned earlier that InMotion provides a free SSL certificate, which is definitely a point in the provider's favor. Even so, SSL is somewhat difficult to set up. The thing is, you're going to want SSL, because Google is starting to flag sites that don't use secure HTTP connections (i.e., https://), whether or not they accept payments. One quick trick on that front, if you use WordPress, is to install the Really Simple SSL plugin. This plugin makes it nearly effortless to switch a WordPress site over to HTTPS.

As my last quick security check, I like to look at the versions of some of the main system components that run web applications. To make things easy, I chose four components that WordPress depends on for safe operation.
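One way to gather those four versions yourself, as an added example that is not from the article or from InMotion: the Launch plan includes SSH, so instead of relying only on the Health Check plugin you can run a small script on the host. The banners in demo() are constructed samples in the real output format of php -v, mysql --version, curl --version and openssl version, and the "current" versions it compares against are values you look up in the official repositories (the demo uses the article's figures). The classification is the distinction the version table needs: a build on an older release branch is reported as older-branch even when its patch release is recent, while a build on the current branch that only lags by patch level is behind-on-patches.

```shell
#!/bin/sh
# Added example (not from the article or InMotion): collect PHP, MariaDB,
# cURL and OpenSSL versions on a shared host and classify each against the
# current upstream release you supply.  Run as:
#   ssh user@host 'sh audit.sh --live 7.2.11 10.3.10 7.61.1 1.0.2p'
# or "sh audit.sh --demo" to run it offline on the constructed banners below.

# Reduce a version string to its release branch.  PHP, MariaDB and cURL use
# major.minor; OpenSSL 1.x used major.minor.patch plus a letter (1.0.2k).
branch_of() {  # branch_of VERSION COMPONENT
    case "$2" in
        openssl) printf '%s\n' "$1" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/' ;;
        *)       printf '%s\n' "$1" | cut -d. -f1,2 ;;
    esac
}

# classify COMPONENT INSTALLED CURRENT -> current | behind-on-patches | older-branch
classify() {
    if [ "$2" = "$3" ]; then
        echo current
    elif [ "$(branch_of "$2" "$1")" = "$(branch_of "$3" "$1")" ]; then
        echo behind-on-patches
    else
        echo older-branch
    fi
}

# Pull the bare version number out of each tool's banner, read from stdin.
version_from_banner() {  # version_from_banner COMPONENT < banner
    case "$1" in
        php)     pat='s/^PHP \([0-9][0-9.]*\).*/\1/p' ;;
        mariadb) pat='s/.*Distrib \([0-9][0-9.]*\)-MariaDB.*/\1/p' ;;
        curl)    pat='s/^curl \([0-9][0-9.]*\).*/\1/p' ;;
        openssl) pat='s/^OpenSSL \([0-9][0-9.]*[a-z-]*\).*/\1/p' ;;
        *)       return 1 ;;
    esac
    sed -n "$pat" | head -n 1
}

# cURL's TLS support comes from the OpenSSL it is linked against, which
# "curl --version" reports; read the cURL and OpenSSL rows together
# (OpenSSL 1.0.2 gives TLS 1.2 but not TLS 1.3).
curl_linked_openssl() {  # curl_linked_openssl < curl banner
    sed -n 's|.*OpenSSL/\([0-9][0-9.]*[a-z-]*\).*|\1|p' | head -n 1
}

report_line() {  # report_line COMPONENT INSTALLED CURRENT
    printf '%-8s installed %-14s current %-10s %s\n' \
        "$1" "$2" "$3" "$(classify "$1" "$2" "$3")"
}

live() {  # live CURRENT_PHP CURRENT_MARIADB CURRENT_CURL CURRENT_OPENSSL
    report_line php     "$(php -v | version_from_banner php)"              "$1"
    report_line mariadb "$(mysql --version | version_from_banner mariadb)" "$2"
    report_line curl    "$(curl --version | version_from_banner curl)"     "$3"
    report_line openssl "$(openssl version | version_from_banner openssl)" "$4"
    printf 'curl is linked against OpenSSL %s\n' "$(curl --version | curl_linked_openssl)"
}

demo() {  # constructed banners, same format as the real tools print
    php_banner='PHP 7.0.32 (cli) (built: Sep 13 2018 10:04:08) ( NTS )'
    db_banner='mysql  Ver 15.1 Distrib 10.2.17-MariaDB, for Linux (x86_64) using readline 5.1'
    curl_banner='curl 7.45.0 (x86_64-redhat-linux-gnu) libcurl/7.45.0 OpenSSL/1.0.2k-fips zlib/1.2.7'
    ssl_banner='OpenSSL 1.0.2k-fips  26 Jan 2017'
    report_line php     "$(printf '%s\n' "$php_banner"  | version_from_banner php)"     7.2.11
    report_line mariadb "$(printf '%s\n' "$db_banner"   | version_from_banner mariadb)" 10.3.10
    report_line curl    "$(printf '%s\n' "$curl_banner" | version_from_banner curl)"    7.61.1
    report_line openssl "$(printf '%s\n' "$ssl_banner"  | version_from_banner openssl)" 1.0.2p
    printf 'curl is linked against OpenSSL %s\n' "$(printf '%s\n' "$curl_banner" | curl_linked_openssl)"
}

if [ "${1:-}" = "--live" ]; then
    shift; live "$@"
elif [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Reading the demo output still takes judgement: cURL shows as older-branch because it cuts a new minor release every couple of months, and whether that matters for TLS depends on the OpenSSL it is linked against, which is why the script prints that too.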
While other apps may use other components, I've found that if components are up to date for one set of needs, they're usually up to date across the board. Here are my findings (using the WordPress Health Check plugin), as of the day I tested, for InMotion's Launch plan:

Component   Version provided    Current version       How old
PHP         7.0.32              7.2.11                One month
MySQL       MariaDB 10.2.17     MariaDB 10.3.10       One month
cURL        7.45.0              7.61.1                3 years
OpenSSL     1.0.2k-fips         1.0.2p (and 1.1.1)    18 months

Note that versions are updated constantly, so what I found on the day of testing could be different for you. Use the Health Check plugin during your money-back period to check versions, then compare against the official repositories to see whether what InMotion is offering is sufficiently up to date. My testing, though, should at least give us an idea of how current they keep their servers.

In general, these results aren't bad, but you need to know the component to know how to read them. The "how old" column measures the age of the release you were given, not how far behind it is. PHP 7.0.32, for example, was only a month old, but it sits on the 7.0 branch, two minor versions behind the 7.2 branch that WordPress recommends (and the PHP project's security support for 7.0 ended in December 2018), so it's due for an upgrade. On the other hand, even though the cURL library is three years old, it's recent enough to handle TLS 1.2 transactions (used in e-commerce) safely. The caveat is that cURL gets its TLS from the OpenSSL library it is linked against, so the OpenSSL row is the one that really decides this: OpenSSL 1.0.2 supports TLS 1.2 but not TLS 1.3, which needs 1.1.1. Which brings us to OpenSSL. The company supplies 1.0.2k, while the absolutely most current version is 1.1.1. The gotcha is that when OpenSSL went to 1.1, it broke a lot of code, so at the time of testing the OpenSSL project was updating both the 1.0.2 branch and the 1.1 branch (1.0.2 stayed supported until the end of 2019). I know, it's enough to give you a headache. The bottom line is that InMotion is pretty much where it should be in terms of the system components they're offering on their platform.

Performance testing

Next, I wanted to see how the site performed using some online performance testing tools. It's important not to take these tests too seriously. We're purposely looking at the most low-end offerings of hosting vendors, so the sites they produce are expected to be relatively slow.
That said, it’s nice to have an idea of what to expect, and that’s what we’re doing here. The way I test is to use the fresh install of WordPress and then test the “Hello, world” page, which is mostly text, with just an image header. That way, we’re able to focus on the responsiveness of a basic page without being too concerned about media overhead. First, I ran two Pingdom Tools tests, one hitting the site from San Francisco and the second from Germany. Here’s the San Francisco test rating:
I then ran the same test from Germany, and a similar test using the Bitcatcha service. Finally, I hit the site with Load Impact, which sends 25 virtual users to the site over the course of three minutes and then measures the responsiveness. The Load Impact test shows pretty much what you'd expect. As more users concurrently hit the site, the responsiveness becomes more irregular. At the beginning of the test, the response time was about 33ms. By the end of the test, response time got as bad as 228ms. This is definitely a characteristic of a lower-cost hosting plan; one of the reasons you pay more for a hosting plan is that your business model can't sustain a reduction in responsiveness. None of the tests showed spectacular performance, but I wouldn't expect that for a low-end plan. None of them was terrible either, despite the C grades shown in the first set of tests.

Support responsiveness

In a word (well, five words): way better than I expected. During testing, I had two reasons to reach out just to get information for this article, plus one standardized test I use across hosting providers to both gauge support and learn about their backup offerings.

The first contact was via chat. I suddenly couldn't log into the AMP and kept getting error messages. I reached out through Sales Chat and was transferred to a tech support chat operator, who asked me to try a different browser. It turned out to be a Chrome issue; clearing cookies solved the problem. That chat took less than a minute to connect. My second attempt was trying to find out if there was a multi-factor authentication option for the main dashboard, because I just couldn't find it. That one took 10 minutes to connect. Sadly, that agent also told me there was no MFA.

The third attempt was via voice. I was initially concerned that there wasn't any phone support, because chat and ticket systems can sometimes take forever. As it turns out, while there isn't a phone number to call, there are Skype accounts to connect to. I reached out to inMotion-support, and much to my surprise, I was connected in less than two minutes. The agent I spoke to had some reasonable answers. My first question was, "How often do you back up my account?" His answer: daily, but each new day overwrites the previous day's backup. My second question was, "Do you back up my databases? How do I set up daily backups for both files and databases?" For this, he sent me to the cPanel backup option and offered to send me a description of how to set it up. Unfortunately, cPanel doesn't offer an automatic, daily, incremental backup (so you can restore from last Tuesday, for example). He was unable to tell me how to do that or even refer me to some scripts to do so. There are actually a ton of options.
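Here, as an added example (not the article's, not InMotion's, and not anything the support agent provided), is one way to get a daily, dated backup of both files and database from a cron job on the Launch plan's shell, keeping a rolling window of archives so that restoring last Tuesday's copy is just a matter of picking the archive with that date. It assumes the site lives in $HOME/public_html, that wp-config.php holds the database credentials, and that mysqldump and tar exist on the host; the backup directory, retention period and paths are assumptions you adjust to your own account.

```shell
#!/bin/sh
# Added example (not from the article or InMotion): daily WordPress backup
# with rotation, meant to be run from cron on a shared host.
# crontab -e:   30 3 * * *  /bin/sh $HOME/bin/wp-backup.sh --run
# Paths and retention below are assumptions; override them in the environment.
SITE_DIR="${SITE_DIR:-$HOME/public_html}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/backups}"
KEEP_DAYS="${KEEP_DAYS:-14}"

# Read define('DB_NAME', 'value'); style settings out of wp-config.php, so the
# credentials are never typed into the crontab or the command line.
wp_config_value() {  # wp_config_value KEY FILE
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$2" | head -n 1
}

# One archive per calendar day, e.g. site-2018-10-16.tar.gz; a second run on
# the same day replaces that day's archive instead of adding another.
archive_name() {  # archive_name [YYYY-MM-DD]
    printf 'site-%s.tar.gz\n' "${1:-$(date +%Y-%m-%d)}"
}

# Dump the database through a mode-600 option file rather than -p on the
# command line, which "ps" would show to every other user of a shared server.
dump_database() {  # dump_database WP_CONFIG OUTFILE
    host=$(wp_config_value DB_HOST "$1"); name=$(wp_config_value DB_NAME "$1")
    user=$(wp_config_value DB_USER "$1"); pass=$(wp_config_value DB_PASSWORD "$1")
    optfile=$(mktemp) || return 1
    chmod 600 "$optfile"
    # DB_HOST may carry a port, as localhost:3306 did in the article; split it off.
    printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' "${host%%:*}" "$user" "$pass" > "$optfile"
    case "$host" in *:*) printf 'port=%s\n' "${host##*:}" >> "$optfile" ;; esac
    mysqldump --defaults-extra-file="$optfile" --single-transaction "$name" > "$2"
    status=$?
    rm -f "$optfile"
    return $status
}

# Delete archives older than DAYS and print how many remain.
prune_old_backups() {  # prune_old_backups DIR DAYS
    find "$1" -name 'site-*.tar.gz' -mtime +"$2" -exec rm -f {} +
    find "$1" -name 'site-*.tar.gz' | wc -l | tr -d ' '
}

run_backup() {
    mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"
    work=$(mktemp -d) || exit 1
    dump_database "$SITE_DIR/wp-config.php" "$work/database.sql" || { rm -rf "$work"; exit 1; }
    # Files and the fresh dump go into one archive; -C keeps the paths relative.
    tar -czf "$BACKUP_DIR/$(archive_name)" -C "$work" database.sql \
        -C "$(dirname "$SITE_DIR")" "$(basename "$SITE_DIR")"
    rm -rf "$work"
    prune_old_backups "$BACKUP_DIR" "$KEEP_DAYS"
}

if [ "${1:-}" = "--run" ]; then run_backup; fi
```

Keep the archives outside the web root (the default here is $HOME/backups, not inside public_html) so that a dump containing every user's password hash is never reachable over HTTP, and copy them off the host periodically, since a backup stored only on the server it backs up disappears with that server.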
I use the ManageWP.com service from GoDaddy to back up my WordPress sites, but WordPress plugins do the same thing. The agent mentioned it might be possible to set up a cron job to do such an automatic backup but didn't share any resources for getting the job done. Here's one way to do it, just for the record.

Overall, especially for the cheap-seats plan offered by InMotion, I thought support was just fine.

Overall conclusion

You never want to get your expectations too high for a bottom-end plan. The economics of running such a super-cheap offering mean the provider has to make it up on volume. Professional and enterprise hosting plans with lots of traffic and performance must, out of necessity, cost more. The only way to truly know what it's like to use a service is to run a live website on it for a few years. That said, I was quite pleased with InMotion's offering. The basic tests I performed indicated a well-equipped service with attention to upgrades and support. Combine that with a 90-day guarantee, and I can't think of a reason not to recommend you try it out.

You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


    HP finds 75% of threats were delivered by email in first six months of 2021

According to the latest HP Wolf Security Threat Insights Report, email is still the most popular way for malware and other threats to be delivered, with more than 75% of threats being sent through email messages. The report — covering the first half of 2021 — is compiled by HP security analysts based on customers who opt to share their threat alerts with the company. HP's researchers found that there has been a 65% rise in the use of hacking tools downloaded from underground forums and file-sharing websites from H2 2020 to H1 2021. Some of the tools are able to solve CAPTCHA challenges using computer vision techniques. Some of the most targeted sectors include manufacturing, shipping, commodity trading, maritime, property and industrial supplies. Ian Pratt, global head of security at HP, said the proliferation of pirated hacking tools and underground forums is allowing previously low-level actors to pose serious risks to enterprise security. "Simultaneously, users continue to fall prey to simple phishing attacks time and time again. Security solutions that arm IT departments to stay ahead of future threats are key to maximizing business protection and resilience," Pratt said. The report notes that affiliates of Dridex — which is now the top malware family isolated by HP Wolf Security — have been selling access to breached organizations to other threat actors, including ransomware groups.

Some criminal groups are now also using CryptBot malware to deliver the banking trojan DanaBot, and cyberattackers are increasingly targeting business executives. "In March 2021, HP Wolf Security isolated a multi-stage Visual Basic Script malware campaign targeting senior executives. The targets received a malicious ZIP attachment by email, named using their first and last names," the report said. "It is likely the threat actor obtained employee names and email addresses from publicly available information online. The archives contained an obfuscated VBS downloader that downloads a second VBS script from a remote server to the user's %TEMP% folder. The first stage script was heavily obfuscated and had a low detection rate — only 21% of anti-virus scanners on VirusTotal detected it as malicious." The company also found a résumé-themed malicious spam campaign that targeted shipping, maritime, logistics and related companies in Italy, Japan, Chile, UK, Pakistan, the US, and the Philippines. According to HP, these attacks exploit a Microsoft Office vulnerability to deploy the commercially available Remcos RAT and gain backdoor access to infected computers. "Threat actors are continuing to exploit old vulnerabilities in Microsoft Office, underlining the need for enterprises to patch out-of-date Office versions in their environments," HP's researchers wrote. "We saw a 24% increase in CVE-2017-11882 exploits in H1 2021 compared to H2 2020.
Otherwise, there was no significant change in the vulnerabilities exploited by attackers over the reporting period compared to H2 2020." Alex Holland, the senior malware analyst at HP, said the cybercrime ecosystem continues to develop and transform, with more opportunities for petty cybercriminals to "connect with bigger players within organized crime, and download advanced tools that can bypass defenses and breach systems." "We're seeing hackers adapt their techniques to drive greater monetization, selling access on to organized criminal groups so they can launch more sophisticated attacks against organizations," Holland said. "Malware strains like CryptBot previously would have been a danger to users who use their PCs to store cryptocurrency wallets, but now they also pose a threat to businesses. We see infostealers distributing malware operated by organized criminal groups — who tend to favor ransomware to monetize their access." The report adds that threats downloaded using web browsers rose by 24%, driven mostly by cryptocurrency mining software. Nearly half of all email phishing lures used invoices and business transactions, while another 15% were replies to intercepted email threads. The days of cybercriminals using the COVID-19 pandemic as a lure seem to have ended, considering less than 1% of emails used the pandemic, and there was a 77% drop from H2 2020 to H1 2021 in its usage.
The report attributes the stolen email thread technique to Emotet, which law enforcement agencies took down in January. "We saw large Emotet campaigns targeting Japanese organizations using lures created from stolen email threads — a technique called email thread hijacking. Following the takedown, the proportion of malware being distributed via Word documents fell significantly because Emotet's operators preferred to use a Word-based downloader," the report said. Archive files, spreadsheets, documents and executable files were the most common types of malicious attachments. According to HP's team, almost 35% of malware captured had not been previously known. "Cybercriminals are bypassing detection tools with ease by simply tweaking their techniques. We saw a surge in malware distributed via uncommon file types like JAR files — likely used to reduce the chances of being detected by anti-malware scanners," Holland added. "The same old phishing tricks are reeling in victims, with transaction-themed lures convincing users to click on malicious attachments, links and web pages." Pratt explained that as cybercrime becomes more organized and smaller players can easily obtain effective tools and monetize attacks by selling on access, there's no such thing as a minor breach. He noted that the endpoint continues to be a huge focus for cybercriminals. "Their techniques are getting more sophisticated, so it's more important than ever to have comprehensive and resilient endpoint infrastructure and cyber defense," Pratt said. "This means utilizing features like threat containment to defend against modern attackers, minimizing the attack surface by eliminating threats from the most common attack vectors — email, browsers, and downloads."