Information Technology

Kaseya, an IT solutions developer for MSPs and enterprise clients, announced that it had become the victim of a cyberattack on July 2, over the American Independence Day weekend. 

It appears that attackers have carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya’s VSA software against multiple managed service providers (MSP) – and their customers.SEE: Network security policy (TechRepublic Premium)The attack is reminiscent of the SolarWinds security fiasco, in which attackers managed to compromise the vendor’s software to push a malicious update to thousands of customers. However, we are yet to find out just how widespread Kaseya’s ransomware incident will prove to be. Here is everything we know so far. ZDNet will update this primer as we learn more. 

What is Kaseya?

Kaseya’s international headquarters is in Dublin, Ireland, and the company has a US headquarters in Miami, Florida. The vendor maintains a presence in 10 countries. Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform. The firm’s software is designed with enterprises and managed service providers (MSPs) in mind, and Kaseya says that over 40,000 organizations worldwide use at least one Kaseya software solution. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain. 

What happened?

On July 2 at 2:00 PM EDT, as previously reported by ZDNet, Kaseya CEO Fred Voccola announced “a potential attack against the VSA that has been limited to a small number of on-premise customers.”At the same time, out of an abundance of caution, Voccola urged clients to immediately shut down their VSA servers. “It’s critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA,” the executive said. Customers were notified of the breach via email, phone, and online notices. As Kaseya’s Incident Response team investigated, the vendor also decided to proactively shut down its SaaS servers and pull its data centers offline. By July 4, the company had revised its thoughts on the severity of the incident, calling itself the “victim of a sophisticated cyberattack.” Cyber forensics experts from FireEye’s Mandiant team, alongside other security companies, have been pulled in to assist. “Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service,” Kaseya said, adding that more time is needed before its data centers are brought back online. Once the SaaS servers are operational, Kaseya will publish a schedule for distributing a security patch to on-prem clients. In a July 5 update, Kaseya said that a fix is being developed and would first be deployed to SaaS environments. “We are developing the new patch for on-premises clients in parallel with the SaaS Data Center restoration,” the company said. “We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers.”

The ransomware attack, explained

The FBI described the incident succinctly: a “supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.”Huntress (1,2) has tracked 30 MSPs involved in the breach and believes with “high confidence” that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface. According to the cybersecurity firm, this allowed the attackers to circumvent authentication controls, gain an authenticated session, upload a malicious payload, and execute commands via SQL injection, achieving code execution in the process. “Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks,” Sophos noted. “As such, it has a high level of trust on customer devices. By infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question. This is likely one of the reasons why Kaseya was targeted.”The vendor has also provided an in-depth technical analysis of the attack. Security expert Kevin Beaumont said that ransomware was pushed via an automated, fake, and malicious software update using Kaseya VSA dubbed “Kaseya VSA Agent Hot-fix”.”This fake update is then deployed across the estate — including on MSP client customers’ systems — as it [is] a fake management agent update,” Beaumont commented. “This management agent update is actually REvil ransomware. To be clear, this means organizations that are not Kaseya’s customers were still encrypted.”With a tip from RiskIQ, Huntress is also investigating an AWS IP address that may have been used as a launch point for the attack. 

Who has been impacted?

Over the weekend, Kaseya said that SaaS customers were “never at risk” and current estimates suggest that fewer than 40 on-prem clients worldwide have been affected. However, it should be noted that while a small number of Kaseya clients may have been directly infected, as MSPs, SMB customers further down the chain relying on these services could be impacted in their turn. According to reports, 800 Coop supermarket chain stores in Sweden had to temporarily close as they were unable to open their cash registers.Huntress said in a Reddit explainer that an estimated 1,000 companies have had servers and workstations encrypted. The vendor added that it is reasonable to suggest “thousands of small businesses” may have been impacted.”This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen,” commented Ross McKerchar, Sophos VP. “At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”

What is ransomware?

Ransomware is a type of malware that specializes in the encryption of files and drives. In what has become one of the most severe and serious security problems modern businesses now face, ransomware is used by threat actors worldwide to hijack systems and disrupt operations. Once a victim’s system or network has been encrypted, cyber criminals will place a ransom note on the system, demanding payment in return for a decryption key (which may, or may not, work). Today’s ransomware operators may be part of Ransomware-as-a-Service (RaaS), when they ‘subscribe’ to access and use a particular type of ransomware. Another emerging trend is double extortion, in which a victim will have their information stolen during a ransomware raid. If they refuse to pay up, they may then face the prospect of their data being sold or published online. Common and well-known ransomware families include REvil, Locky, WannaCry, Gandcrab, Cerber, NotPetya, Maze, and Darkside. Read on: What is ransomware? Everything you need to know about one of the biggest menaces on the webSee also:

Who is responsible?

Charlie Osborne | ZDNet

The cyberattack has been attributed to the REvil/Sodinikibi ransomware group, which has claimed responsibility on its Dark Web leak site, “Happy Blog.”In an update over the weekend, the operators claimed that more than “a million” systems have been infected. REvil has offered a decryption key, allegedly universal and, therefore, able to unlock all encrypted systems, for the ‘bargain’ price of $70 million in the bitcoin (BTC) cryptocurrency.REvil has been previously linked to ransomware attacks against companies, including JBS, Travelex, and Acer. 

Ransomware payment terms

The ransomware note claims that files are “encrypted, and currently unavailable.” A file extension .csruj has reportedly been used. Operators are demanding payment in return for a decryption key and one ‘freebie’ file decryption is also on the table to prove the decryption key works. The operators add (spelling unchanged):”Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests. If you will not cooperate with our service –for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice – time is much more valuable than money.”Sophos malware analyst Mark Loman shared a screenshot on Twitter of a ransomware note planted on an infected endpoint demanding $44,999. John Hammond, senior security researcher at Huntress, told ZDNet that the company has already seen ransom demands of up to $5 million. Kevin Beaumont says that, unfortunately, he has observed victims “sadly negotiating” with the ransomware’s operators. Fabian Wosar, CTO of Emsisoft, has also explained in a Twitter thread why using a key obtained by a single organization paying up is unlikely to be a viable path for unlocking all victims. “REvil absolutely has the capability of decrypting only a single victim without these purchased decryption tools being applicable for other victims hit by the same campaign public key,” the security expert noted.

Reactions

At the time of the breach, Kaseya notified law enforcement and cybersecurity agencies, including the Federal Bureau of Investigation (FBI) and US Cybersecurity and Infrastructure Security Agency (CISA).The FBI and CISA have released a joint statement on the security incident and are urging customers to run a tool provided by Kaseya to determine the risk of exploit, and to both enable and enforce multi-factor authentication (MFA) on enterprise accounts, wherever possible.The White House is asking organizations to inform the Internet Crime Complaint Center (IC3) if they suspect they have been compromised.On Saturday, US President Biden said he has directed federal intelligence agencies to investigate. “Targeting [an] MSP platform (that is managing many customers at once) was very well thought and planned,” Amit Bareket, CEO of Perimeter 81, told ZDNet. “What’s unique is that hackers are becoming more strategic and targeting platforms that will filtrate down to many companies with one shot. RMMs [remote monitoring and management] are basically keys to many many companies, which amount to the kingdom for bad actors.”

Recovery plans

As of July 4, Kaseya says the company has now moved on from a root cause analysis of the attack to recovery and patch plans, consisting of:Communication of our phased recovery plan with SaaS first followed by on-premises customers.  Kaseya will be publishing a summary of the attack and what we have done to mitigate it.   Some lightly-used legacy VSA functionality will be removed as part of this release out of an abundance of caution. A specific list of the functionality and its impact on VSA capabilities will be outlined in the release notes.  There will be new security measures implemented including enhanced security monitoring of our SaaS servers by FireEye and enablement of enhanced WAF capabilities. We have successfully completed an external Vulnerability Scan, checked our SaaS Databases for Indicators of Compromise, and have had external security experts review our code to ensure a successful service restart.Data centers starting with the EU will be restored, followed by the UK, APAC, and then North American systems. 

What can customers do?

Kaseya has released a tool, including Indicators of Compromise (IoC), which can be downloaded via Box. There are two PowerShell scripts for use: one on a VSA server, and the other has been designed for endpoint scanning. The self-assessment scripts should be used in offline mode. However, the scripts are only for potential exploit risk detection and are not security fixes. Kaseya will release patches as quickly as it can, but in the meantime, customers simply have to wait. “All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations,” the firm said. “A patch will be required to be installed prior to restarting the VSA.”Cado Security has provided a GitHub repository for responders, including malware samples, IoCs, and Yara Rules. Kaseya has also warned that “customers who experienced ransomware and receive a communication from the attackers should not click on any links  —  they may be weaponized.” More

The gang who used the REvil ransomware service to attack IT firm Kaseya and its customers have offered a universal decryption key at a record price of $70 million, if anyone wants to pay for it.Kaseya, a well-known enterprise IT firm, is at the centre of the latest data encryption attack by REvil. The FBI attributed last month’s ransomware attack on US meatpacker JBS to REvil.    

Kaseya on Saturday confirmed it and its customers were the victim of an attack on its VSA product, software for remotely monitoring PCs, servers, printers, networks, and point-of-sale systems. “Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack.   Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.” SEE: Network security policy (TechRepublic Premium)However, it seems that because Kaseya’s customers are managed services providers, there has also been a knock-on impact on their customers that also rely on VSA to deliver remote-monitoring services. Huntress Security said that Kaseya’s VSA software had been used to spread ransomware that had encrypted “well over 1,000 businesses”.For example, the attack on Kaseya had a significant impact on Sweden’s Coop supermarket chain, forcing many of its stores to remain closed on Sunday. Coop is one of the largest supermarket chains in Sweden. Coop’s online ordering and delivery systems were still available, but its point-of-sale systems were not. The retailer kept its doors open on Sunday, but staff were refusing customers entry and giving them complimentary strawberries, snacks and coffee. 

The attack on Kaseya appears to be financially motivated, but its impact is reminiscent of the Kremlin-backed attack on SolarWinds’s Orion network management software.REVil has now demanded $70 million for a universal decryption tool to end the Kaseya attack. “More than a million systems were infected,” the REvil group claimed. “If anyone wants to negotiate about universal decryptor our price is $70 000 000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than one hour.” The group had been asking for $5 million for affected managed service providers and $44,999 for affected Kaseya customers, according to BleepingComputer. The attackers appear not to have stolen data from networks prior to the attack – a technique commonly used to apply pressure on victims to pay or risk the exposure of sensitive information. The attack exploited a zero-day or previously unknown vulnerability in Kaseya VSA. “All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations,” Kaseya said in a statement. 

ZDNet Recommends

The best cyber insurance

The cyber insurance industry is likely to go mainstream and is a simple cost of doing business. Here are a few options to consider.

Read More

US president Joe Biden on Saturday said the US believed the Kremlin was not connected to the attack, but that, if it was, he’s told Putin that the US will respond. On Sunday, deputy national security advisor for cyber and emerging technology Anne Neuberger urged victims to report incidents to the FBI’s IC3 (Internet Crime Complaint Center).  SEE: Ransomware: Paying up won’t stop you from getting hit again, says cybersecurity chiefThe US Cybersecurity & Infrastructure Security Agency (CISA) and FBI issued joint guidance on Sunday.  CISA advised VSA customers to download the VSA detection tool, which helps security teams search for the presence of REvil components on their networks. It also recommended enforcing multi-factor authentication “on every single account that is under the control of the organization”. That is, not just admin accounts with high privileges. “Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network,” CISA said.  More

Didi Global has been removed from appstores in China following an order from the government to do so. The move comes just days after the popular Chinese ride-sharing app made its debut on the New York Stock Exchange. The Cyberspace Administration of China (CAC) on Sunday said the Didi app breached regulations governing the collection and use of personal data. It instructed the removal of the app from local appstores and Didi to rectify “existing problems” and “effectively protect” users’ personal data. The government agency, however, did not disclose any details on what these issue were and how they violated local laws.  The move came after the CAC issued a notice Friday stating it had put Didi under a cybersecurity review, to “prevent national data security risks” and safeguard public interest. It then instructed the app developer to stop registering new users while the review was ongoing. On its part, Didi issued two statements over the weekend confirming it was subject to a cybersecurity review and its app had been scrubbed from appstores. The vendor also affirmed it had suspended new user registration in China, though, it continued to maintain operations during the review. Existing users still would be able to access the app in the Chinese market and it remained available on appstores in other markets, including Singapore. It has 493 million annual active users as of the first quarter of 2021. The ride-sharing platform offers a range of services in more than 15 international markets across Asia-Pacific, Latin America and Africa, Central Asia, and Russia, including taxi hailing, hitch, food delivery, and financial. Didi added that it would “fully cooperate” with the Chinese authority and conduct a “comprehensive examination” of cybersecurity risks and enhance its cybersecurity and technology systems. 

Its vice president Li Min said in a Weibo post that Didi stored personal data of all its China users’ locally and that it was “not possible” to transfer data to the United States. Didi last week launched its IPO of 316.8 million American Depositary Shares with a total offering size of $4.4 billion. It was formally listed on the New York Stock Exchange on June 30, 2021. China’s tech giants including Alibaba and Tencent have come under government scrutiny in recent months, which saw Alibaba hit with a record 18.2 billion yuan ($2.77 billion) fine for breaching China’s antitrust regulations and “abusing [its] market dominance”.RELATED COVERAGE More

UPDATE: In a statement late Friday evening, Kaseya CEO Fred Voccola confirmed that the company’s Incident Response team caught wind of the attack mid-day and immediately shut down their SaaS servers as a precautionary measure, despite not having received any reports of compromise from any SaaS or hosted customers.”[We] immediately notified our on-premises customers via email, in-product notices, and phone to shut down their VSA servers to prevent them from being compromised. We then followed our established incident response process to determine the scope of the incident and the extent that our customers were affected,” Voccola said. “We engaged our internal incident response team and leading industry experts in forensic investigations to help us determine the root cause of the issue. We notified law enforcement and government cybersecurity agencies, including the FBI and CISA. While our early indicators suggested that only a very small number of on-premises customers were affected, we took a conservative approach in shutting down the SaaS servers to ensure we protected our more than 36,000 customers to the best of our ability.”   So far, the company said they believe their SaaS customers “were never at-risk” and expects to restore service to them in the next 24 hours once it is confirmed to be safe.According to Voccola, about 40 customers worldwide were affected and the company is preparing a patch to mitigate the vulnerability for any on-premises victims. “We’ve heard from the vast majority of our customers that they experienced no issues at all, and I am grateful to our internal teams, outside experts, and industry partners who worked alongside of us to quickly bring this to a successful outcome,” Voccola added. Comment sections on Reddit are now inundated with responses from customers trying to respond to the attack and restore systems. 

PREVIOUSLY: Kaseya has announced that it is dealing with a massive ransomware attack that now may be affecting at least eight MSPs and hundreds of organizations.In a message posted to its website, the remote management solutions provider said it is “experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today.” “We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us,” the company said. “It’s critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.”Kaseya has taken down all SaaS instances of its VSA remote monitoring and management tool in light of the attack. John Hammond, senior security researcher at Huntress, told ZDNet that they were first notified of the attack at 12:35 ET and said it “has been an all-hands-on-deck evolution to respond and make the community aware.” Hammond attributed the attack to the prolific REvil/Sodinikibi ransomware group and Bleeping Computer, The Record and NBC News all also reported that REvil or an affiliate was the culprit. Through an update to VSA software, REvil is allegedly spreading the ransomware widely. “We cannot emphasize enough that we do not know how this is infiltrated in Kaseya’s VSA. At the moment, no one does. We are aware of four MSPs where all of the clients are affected — 3 in the US and one abroad. MSPs with over thousands of endpoints are being hit,” Hammond said before Huntress updated its total to 8. “We have seen that when an MSP is compromised, we’ve seen proof that it has spread through the VSA into all the MSP’s customers. Kaseya’s VSA could be either on prem or cloud hosted. They currently have all of their cloud servers offline for emergency maintenance.” Hammond added that three of Huntress’ partners have been impacted, with “roughly 200 businesses encrypted.” He explained that agent.crt is dropped by the Kaseya VSA and is then decoded with certutil to carve out agent.exe, and inside agent.exe it has embedded `MsMpEng.exe` and `mpsvc.dll`. 
Huntress
“The legitimate Windows Defender executable was used to side-load a malicious DLL. It is the same exact binary for all victims,” he said. Huntress has a Reddit threat of updates about the situation and said there are indications that VSA admin user accounts are disabled only moments before ransomware is deployed.CISA released a statement on Twitter that said the organization is “taking action to understand and address the supply-chain ransomware attack against Kaseya VSA and the multiple MSPs that employ VSA software.” Mark Loman, a malware analyst for Sophos, shared a lengthy thread on Twitter about the attack and said some victims are already seeing a ransom page demanding $44,999. Hammond told ZDNet that Huntress has seen ransom demands of $5 million already. This is far from the first time Kaseya’s tools have been used to spread a ransomware attack. As ZDNet has previously reported, REvil’s predecessor Gandcrab leveraged Kaseya twice in 2019 to launch attacks, first using a Kaseya plugin then VSA products later that year. Ransomware actors typically launch attacks on weekends or at night because there are less people watching systems. Sophos released a detailed guide for potential victims to figure out if they are under attack.  Chris Grove, technology evangelist with Nozomi Networks, said these types of supply chain attacks, like SolarWinds, go “straight to the jugular of organizations looking to recover from a breach.” “These types of technology management solutions can have high concentrations of risk due to their large collection of enterprise accounts with elevated privileges, unrestricted firewall rules needed for them to operate, and a cultural ‘trust’ that the traffic to/from them is legitimate and should be allowed,” Grove said. 

SolarWinds Updates More

London-based reinsurance broker Willis Re told Reuters on Thursday that cyber reinsurance rates are skyrocketing due to a spate of devastating ransomware attacks on major companies in recent months.For the July renewal season, rates have risen by up to 40%, according to James Vickers, chair of Willis Re International.Enterprises are increasingly turning to cyber insurance and reinsurance companies for help with the recovery process following a ransomware attack. Cyber insurance and reinsurance companies handle everything from network restoration to public relations costs and business losses resulting from system downtime. But cyber insurers have struggled to handle the wave of attacks that continue to damage hundreds of major corporations like Colonial Pipeline and JBS. Both attacks drew headlines for their devastating downstream effects on the gas and meat supply of the US.  Vickers told Reuters that reinsurers “that have been writing cyber are looking at considerably worse results than a few years ago.” There has been considerable debate about cyber insurance’s effect on ransomware and ZDNet reported this week that a research paper from think tank Royal United Services Institute found cyber insurance policies are both encouraging cybercriminals and have become unsustainable for the industry. The paper said cyber insurance has not helped organizations improve their cybersecurity and is actually “facilitating the behavior of cybercriminals by contributing to the growth of targeted ransomware operations.”

Other experts that spoke to ZDNet said there are indications that ransomware groups have been explicitly targeting companies they know have cyber insurance because they are more likely to pay ransoms. A report from cyber insurance provider Coalition in September noted that ransomware incidents represented 41% of all cyber insurance claims filed in the first half of 2020. The company said there was a 260% increase in the frequency of ransomware attacks among their policyholders and they found that the average ransom demand increased 47%. Claims ranged from as low as $1,000 to $2 million.The problem has gotten so bad that earlier this year, insurance provider AXA revealed that, at the request of French government officials, it will end cyber insurance policies in France that pay ransomware victims back for ransoms paid out to cybercriminals.AXA is one of Europe’s biggest insurers and was considered the first to make such a drastic move. The plans would still cover ransomware recovery costs but would no longer include ransoms after cybersecurity leaders within the French government and French Senators aired concerns about the massive payouts going to cybercriminals during a roundtable in Paris in April.Eight days after the ransom announcement, AXA itself was hit with a ransomware attack. Vickers told Reuters on Thursday that France is considering forcing all cyber insurers to stop reimbursing ransom payments due to how lucrative they have become for cybercriminals. There are already multiple companies reducing the level of cyber insurance coverage they offer and industry sources told ZDNet that some reinsurers are realizing they didn’t properly understand the exposure of companies to cyberattacks before offering certain coverage. Insurance companies are now trying to reduce their risk exposure and this is driving significant premium increases, according to industry sources. Shawn Melito, chief revenue officer at BreachQuest, said he has been involved in the cyber insurance industry for more than ten years and speaks with dozens of brokers and insurers on a daily basis. The rate increases and interest in cyber insurance has long been expected, he said.”You have the perfect storm of media coverage, lax data security, ease of use hacking tools like ransomware as a service and massively increasing ransoms making this so attractive,” Melito explained.Shaun Gordon, CEO of BreachQuest, noted that for certain industries, the trickle-down effect of reinsurance rate increases is driving significant increases in premiums to clients. “In industries, such as manufacturing and healthcare, we are hearing the premium increases can be as much as 100% and sometimes exceeding 150%,” Gordon said. “A key driver of this is ransomware and the fact that many organizations have failed to implement technologies such as MFA in areas such as email, remote access and privileged account access.”Jack Kudale, CEO of insurance managing general agent Cowbell Cyber, said policyholders should expect to be asked more questions at renewal because of the recent wave of ransomware attacks, cybercrimes and other threats.Kudale told ZDNet that cyber insurers are taking steps to clarify their coverage and remove ambiguous policy terms because of the rise of standalone cyber insurance. “Moving forward, the role of the insurers must go beyond response and recovery to include education and prevention. For example, organizations need cyber policies which are bundled with complementary cybersecurity training for all insured employees,” Kudale said. “This will eradicate one of the basic root causes of many attacks: an employee clicking on a phishing email. Organizations must increase employees awareness on cybersecurity so that they can be the first line of defense and recognize malicious activities.”

ZDNet Recommends

The best cyber insurance

The cyber insurance industry is likely to go mainstream and is a simple cost of doing business. Here are a few options to consider.

Read More More

Organizations are losing millions of dollars in revenue each year due to leaked infrastructure code, credentials and keys, according to a new report from 1Password. 1Password’s report “Hiding in Plain Sight” said that on average, enterprises lose an average of $1.2 million each year due to leaked details, which researchers at the company called “secrets.” Researchers found that IT and DevOps workers leave infrastructure secrets like API tokens, SSH keys, and private certificates in config files or next to source code for easy access and to make things move faster.The report features analysis from 1Password researchers as well as an April 2021 survey of 500 IT and DevOps workers in the US. For 10% of respondents who experienced secret leakage, their company lost more than $5 million. More than 60% of respondents said their organizations have dealt with secrets leakage. In addition to the money lost, 40% said their organizations suffered from brand reputation damage and 29% said clients were lost due to the consequences of secrets that had been leaked. According to the report and accompanying survey, 65% of IT and DevOps employees say their company has more than 500 secrets, with almost 20% saying they have more than they can count. Employees have to spend about 25 minutes every day managing these secrets and more than half say that number has increased significantly over the last year. More than 61% said multiple projects had to be delayed because their organization could not effectively manage its secrets. 

Alarmingly, 77% of respondents said they still have access to a former employer’s systems and 37% said they had full access, highlighting one of the main reasons why secrets continue to be leaked. Another factor contributing to the problem is the growing use of cloud applications, which 52% of IT and DevOps workers said made it harder to manage secrets. But IT and DevOps workers acknowledged some of the blame, with 80% saying they did not do a good job of managing secrets. About 25% said their organization’s secrets are in 10 of more locations. IT and DevOps workers also admitted to sharing information about company secrets over less-than-secure channels including email (59%), Slack (40%), spreadsheets/shared documents (36%) and text (26%). Almost all respondents said their organization has a secrets policy but less than 40% said it is enforced. The problem is particularly acute among organizations leaders. More than 62% of respondents said team leads, managers, VPs and others have ignored security rules due to COVID-19 demands on work.  “Secrets are now the lifeblood for IT and DevOps as they seek to support the explosion of apps and services now required in the modern enterprise” 1Password CEO Jeff Shiner said.”Our research reveals that secrets are booming, but IT and DevOps teams are not meeting rigorous standards to protect them — and in the process are putting organizations at risk of incurring tremendous cost. It’s time for companies to take a hard look at how they manage secrets, and adopt practices and solutions to  ‘put the secret back into secrets’ to support a culture of security.” More

On Wednesday, Senator Rick Scott ended his objection to the unanimous consent needed for the Senate to vote on the nomination of Jen Easterly to be Director of CISA.Scott had been holding up the vote as a way to force Vice President Kamala Harris to visit the US-Mexico border. He said he would refuse to confirm any Department of Homeland Security nominees until Harris went to the border, which she did last Friday. “This isn’t about Ms. Easterly. This isn’t about cybersecurity,” Scott said last week. Despite lifting his hold on her nomination, all of Congress is away for the July 4 holiday and Easterly will not be confirmed until after Congress returns on July 9. CISA has not had an official director since former President Donald Trump fired Chris Krebs in November. His deputy, Brandon Wales, has been holding the position on an interim basis ever since, even as the country continues to deal with the fallout from the SolarWinds hacks and a number of other state-sponsored attacks on government organizations. A number of lawmakers and experts, like Krebs, took to Twitter to criticize the decision to hold up Easterly’s confirmation. Krebs even joked that Easterly’s confirmation was being “ransomed” by politicians and said the situation was “one more reason it’s time for a conversation about splitting up DHS.”Rep. Jim Langevin, one of the most vocal members of Congress on cyber issues, told ZDNet that the Cyberspace Solarium Commission looked at several different models for civilian and critical infrastructure cybersecurity, including spinning off a separate agency.  

“However, our ultimate conclusion was to double down on CISA in its current form. We passed a number of new provisions intended to do just that last year, and the House just released draft legislation increasing CISA’s budget by nearly 20 percent,” Langevin said.  “I believe CISA can be perfectly effective within DHS if properly resourced and given the right authorities.”Among former government officials, opinions were more mixed on the topic. Drew Jaehnig spent more than 20 years managing networks and IT services and other technology at the Department of Defense. Jaehnig, who is now a director of Bizagi Government Services, said that before CISA’s creation in 2018, DHS already had the task of securing US critical physical and cyber infrastructure with the National Protection and Programs Directorate (NPPD). The NPPD was created in 2007 and was charged with tracking all visitors to the country, providing federal protective services for federal owned and leased assets, assuring the reliability of the nation’s cyber and communications infrastructure, and reducing risks to the nation’s critical infrastructure, according to Jaehnig, who added that the cyber component was originally organized under the Office of Cybersecurity and Communications (CS&C). “It is important to understand that the Department of Defense was working to protect the DoD cyberinfrastructure initially with the JTF-GNO (Joint Task Force – Global Network Operations) that was later to be part of the Cyber Command,” Jaehnig said.  “The civil agencies and national infrastructure needed something similar and as such, the CS&C was created. The CS&C’s resources and standing were not sufficient to accomplish the given task, and in 2018 the Cybersecurity and Infrastructure Security Agency Act elevated the agency to a higher standing in DHS. Subsequent actions have substantially increased the resources available to CISA. Indeed, in the upcoming year, Congress is seeking $2.42 billion for CISA, $300M above what the President’s budget requested.” Jaehnig said there is a lot of overlap between the jobs of CISA and DHS, and the idea of spinning CISA into its own agency “would probably only complicate the nation’s response to any major cyber or infrastructure incident.” “The mission to secure borders, uphold economic prosperity, and increase our preparedness and resilience are all tied to the cyber and physical infrastructure,” he said.  Despite advocating that the organizations stay connected, Jaehnig acknowledged that the arguments for splitting CISA from DHS are centered around it not getting enough attention and voice within DHS.  He also noted that the situation with Easterly was part of a larger problem of CISA-related issues being lumped into the controversies that typically swirl around DHS in relation to border policies. He added that others have argued that any coordination issues created by separating CISA from the DHS can be overcome, as they have with DHS and the FBI on cybercrimes. Some private industry cybersecurity groups have also expressed hesitancy about working with DHS due to the public debates over border policies, according to Jaehnig.  But in the end, Jaehnig agreed with Langevin that CISA simply needed more resources and increased focus by the private and public sectors on infrastructure protection and resiliency.  “With the continued blurring of the line between the cyber and the physical, this is more apparent than ever. These would be steps in the right direction and would address many of the concerns of those wishing a split and avoid a messy reorganization that would interrupt operational responses at a critical juncture,” Jaehnig said. “In the current environment, this is an issue that is likely to be more troublesome to the hill than keeping the status quo and adopting the Solarium recommendations. The Solarium recommendations are more practical to pass in legislation, as already accomplished with the appointment of a National Cyber Director, also in the CSC’s 2020 recommendations. Indeed, Congress adopted 27 of the 80 recommendations last year, and this year the CSC is working on getting 30 more of its recommendations codified into law. Politically, this approach is working even in today’s polarized political landscape.” Other former government officials took a different stance, arguing that CISA’s ties to DHS complicated the organization’s mission and added additional red tape that made it harder for the agency to respond quickly to cyber incidents. Jake Williams, who spent years in the US Army and now serves as CTO at BreachQuest, told ZDNet he was working in the intelligence field when DHS was created and said, “even then it wasn’t clear it could perform its mission without adding more bureaucracy.” Williams said it is time to have discussions about a cabinet-level position for cybersecurity. “Politics aside, what we’re seeing now is budget and focus being split within DHS between immediate cybersecurity and physical security needs. In these types of ‘immediate need’ dilemmas, cybersecurity almost always loses,” Williams explained. “I would fully support a cabinet-level directorate focused on cybersecurity. It’s sorely needed today and not something we can kick down the road.”Others who have worked alongside the US government on cybersecurity issues also said CISA may be better served by operating within another agency. Bill O’Neill, a vice president at ThycoticCentrify, has spent years at companies that worked with the Defense Department and other agencies on cybersecurity.He noted that the previous presidential administration succeeded in ensuring CISA became a more fully realized government agency and added that Krebs’ leadership — coupled with its role in protecting the integrity of the 2020 election — resulted in a new level of credibility, visibility, and autonomy for CISA.O’Neill said DHS’s agenda, regulatory focus, and priority to work with sector-specific agencies “undermines and supersedes CISA’s mandate to handle civilian cybersecurity issues, diminishing the country’s ability to fight cybercrime on a united front.” “If CISA were decoupled from DHS and integrated instead into the ranks of US Cyber Command, the agency would have much greater efficiency and independence to implement policies for civilian incident response unencumbered,” he said. “You can correlate a sharp rise in cyberattacks across the country with the lack of defined oversight of US cyber defense strategy. And although Jen Easterly was nominated for the role of CISA Director three months ago, the Senate failed to confirm her. At a time when cyberattacks are at an all-time high, a vacuum in cybersecurity leadership only emboldens cyber criminals.” More

Columbia University’s School of International and Public Affairs will be collaborating with SAP to help identify and develop more diverse talent in the cybersecurity sector in the coming years. The software giant is hoping to help promote diversity in cybersecurity through increased funding and a variety of internships, job opportunities, curriculum assistance and events at Columbia University. Jason Healey, cyberthreat intelligence expert and senior research scholar at Columbia University’s School of International and Public Affairs, said the funding provided by SAP would help the school attract a wider pool of candidates interested in cybersecurity. “Due to SAP’s funding, we’re already finding new opportunities to reach out to our diverse student body to let them know about the amazing job prospects in cybersecurity, even for those outside of STEM,” Healey said. “The events, projects, information and first-hand experience our students will have access to will be extremely valuable for their career development.”Tim McKnight, the chief security officer at SAP, explained that it was the software industry’s responsibility to devise new ways to protect valuable data and support business operations and secure enterprises of all sizes. SAP’s relationship with Columbia University will allow the company “to identify diverse talent to keep SAP’s customers and products safe while providing students and recent graduates an opportunity to launch a new and exciting career,” McKnight added. 

In addition to funding and campus events, SAP will also sponsor “Capstone workshops” that allow students to “work with and advise external clients.”There is an outsized need for cybersecurity talent across the country as organizations struggle to protect themselves from an evolving cyberthreat landscape. Elena Kvochko, the chief trust officer at SAP, noted that there was still a significant gender disparity in the cybersecurity workforce despite the increased demand. She said she was hopeful that the program would help diversify the industry and “bring new ideas, skills and creativity when solving security challenges.”Kvochko told ZDNet that much of the collaboration would consist of SAP’s support for campus hiring and recruiting to provide a greater opportunity for graduates to start their careers in the cybersecurity and technology sectors. “The goal is to immerse students in the cybersecurity world and give them the opportunity to explore this fast-growing field. The capstone projects will be designed and developed around the most pressing needs of the cybersecurity sector, so that students, graduates and SAP employees have exposure to diverse perspectives from around the world,” Kvochko said. “SAP is excited to have the first group of recent graduates joining us this summer. We are prepared to lead groups of students of different sizes in their cybersecurity journey while helping to close the diversity gaps in our field and ensure diversity of perspectives.” More