Verizon: Ransomware sees biggest jump in five years • The Register

2022-05-28 18:54:53 By: Ms. Zero Tse

The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

In addition, 82 percent of security breaches involved human behavior due to stolen credentials, phishing, misuse, or error, the report found.

"If I had to sum up this year's DBIR: the more things change, the more they stay the same," Rick Holland, CISO and vice president of strategy at cybersecurity firm Digital Shadows, told The Register in an email.

"The use of stolen credentials, phishing, and vulnerabilities remains the top way threat actors gain initial access to organizations. Companies are spending billions of dollars on defense, yet these problems persist."

The report, now in its 15th year, was based on 23,896 security incidents analyzed by Verizon researchers. Of those, 5,212 were confirmed intrusions.

The 107-page report touches on a range of areas in the cybersecurity space, though ransomware was again a key topic. Beyond that and human behavior again playing a key factor in most breaches, the researchers also noted that supply chains are a growing target for bad actors, including groups interested in espionage rather than financial gain.

That was illustrated in 2020 by the SolarWinds fiasco masterminded by Russia-linked crew Nobelium, during which malicious code was slipped into a software update to open a backdoor in government agencies and companies. Leveraging a partner in a supply chain can be a force-multiplier for an attacker, who can use the access to that one company to compromise and infiltrate the IT environments of their partners.

"2021 illustrated how one key supply chain breach can lead to wide-ranging consequences," they wrote. "Supply chain was responsible for 62 percent of system intrusion incidents this year. Unlike a financially motivated actor, nation-state threat actors may skip the breach and keep the access."

The rise in ransomware shouldn't surprise many in the industry. Governments have been putting pressure on ransomware gangs and urging organizations to protect themselves, while software developers continue to release products aimed at stemming the flow of and damage from such attacks. Still, the list of significant ransomware attacks continues to grow, as illustrated last year with those against high-profile corporations including Colonial Pipeline, meat processor JBS Foods, and software and services company Kaseya.

In addition, the tactics are also evolving. Where once threat groups would use ransomware to encrypt a victim's data and refuse to release the decryption keys unless the ransom was paid, they are now getting deeper into extortion. This includes exfiltrating the data and threatening to release it publicly, or to wipe storage drives clean, unless demands are met, as well as going after a victim's customers.

What isn't so new are the ways ransomware gangs are gaining initial access into a corporate network, according to the Verizon researchers. These methods include stealing credentials, phishing, exploiting vulnerabilities, and using botnets, they wrote. Those same methods also tend to be the way in for cybercriminals looking to commit crimes other than extortion.

"It's important to remember, ransomware by itself is really just a model of monetizing an organization's access," they wrote.

In addition, three-quarters of ransomware incidents involve an intrusion via either desktop-sharing software (at 40 percent) or email (35 percent), which continues to be a soft spot that bad actors exploit. The researchers wrote that "there are a variety of different tools the threat actor can use once they are inside your network, but locking down your external-facing infrastructure, especially RDP [remote desktop protocol] and emails, can go a long way toward protecting your organization against Ransomware."
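The report's advice to lock down external-facing RDP starts with knowing which internal hosts actually accept desktop-sharing sessions from the internet. The following script is an added example, not code from Verizon or the DBIR: it parses constructed firewall accept/deny log lines (the key=value field layout is an assumption) and reports every internal host that accepted a TCP connection on port 3389 from an address outside the assumed RFC 1918 internal ranges. The sample source addresses use the reserved documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as stand-ins for public IPs, which is why the check uses an explicit internal-range list rather than Python's `is_private` (which treats those documentation ranges as non-public).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the DBIR); the field layout is assumed.
SAMPLE_FIREWALL_LOG = """\
2021-09-14T08:01:12Z action=accept proto=tcp src=203.0.113.45 sport=51233 dst=10.0.5.20 dport=3389
2021-09-14T08:01:19Z action=accept proto=tcp src=10.0.2.17 sport=49822 dst=10.0.5.20 dport=3389
2021-09-14T08:02:03Z action=deny proto=tcp src=198.51.100.9 sport=40001 dst=10.0.5.21 dport=3389
2021-09-14T08:02:44Z action=accept proto=tcp src=203.0.113.45 sport=51240 dst=10.0.5.22 dport=3389
2021-09-14T08:03:10Z action=accept proto=tcp src=198.51.100.77 sport=44410 dst=10.0.5.30 dport=443
2021-09-14T08:04:55Z action=accept proto=tcp src=192.0.2.8 sport=38812 dst=10.0.5.22 dport=3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) sport=\d+ dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

RDP_PORT = 3389

# Assumed internal address space for this hypothetical site (RFC 1918 plus loopback).
# The documentation ranges used as sample sources are deliberately NOT listed here,
# so they are treated as "external" just as real public addresses would be.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def parse_line(line):
    """Parse one key=value log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(ip_str):
    """True when the address lies outside every assumed internal network."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def find_exposed_rdp(log_text):
    """Map each internal host that accepted RDP from outside to the sorted external sources.

    Only accepted TCP connections to port 3389 count; denied connections show the
    firewall is doing its job and are ignored, as are internal-to-internal sessions.
    """
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] != "accept" or rec["proto"] != "tcp" or rec["dport"] != RDP_PORT:
            continue
        if is_external(rec["src"]):
            exposed[rec["dst"]].add(rec["src"])
    return {host: sorted(srcs) for host, srcs in exposed.items()}


if __name__ == "__main__":
    for host, sources in sorted(find_exposed_rdp(SAMPLE_FIREWALL_LOG).items()):
        print(f"{host} accepts RDP from the internet: {', '.join(sources)}")
```

Run against the sample, the audit flags 10.0.5.20 and 10.0.5.22 and ignores the denied attempt against 10.0.5.21 and the HTTPS session to 10.0.5.30. On a real estate the same logic runs over exported firewall or VPN-gateway logs; any host it lists is a candidate for moving behind a VPN or gateway with multi-factor authentication.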

A common theme running throughout the report was the role of the human factor in breaches. Human behavior, aka the Layer Eight problem, continues to be a glaring weak spot in cybersecurity, with individuals letting crooks into their companies' IT environments by falling for phishing scams, opening malicious documents, or clicking links that lead to malicious websites.

"The most important research by and for the cybersecurity industry is out and it feels like the movie 'Groundhog Day,' where we are waking up to the same results year after year since the first report in 2008," John Gunn, CEO of authentication specialist Token, told The Register in an email.

"Compromised user credentials and the 'human element' are still the direct cause of about 80 percent of breaches. We can collectively wake up from this problem by implementing more secure authentication and going passwordless. Biometric and wearable authentication is more secure and more convenient and would almost instantly mitigate a massive amount of cybersecurity vulnerability."

The researchers wrote that "even when a breach is not directly caused by a person, the information systems were still built by people. Frankly, we'd rather have people solving the problems since asking the AI to do it sounds much trickier. Unfortunately, nothing is perfect. Not people, not processes, not tools, not systems. But, we can get better, both at what we do and what we build."

"Don't discount security awareness training," he said. "It is not uncommon for security practitioners to complain about and mock security awareness training. Security awareness training can be engaging and improve your security posture. Is security awareness going to stop all the attacks? Of course not, but even a modest improvement can reduce defenders' detection and response burden." ®

In brief: Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

Alexandra George and Toby Walsh, professors of law and AI respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies.

"If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

"The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.
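The alert's description of credential stuffing (one source trying leaked username/password pairs across many accounts) has a recognizable shape in authentication logs, distinct from password guessing against a single account. The script below is an added example, not code from the FBI alert or from any university: it reads constructed login-audit lines (the format is assumed), aggregates attempts per source address, and labels a source as credential stuffing when it touches many distinct accounts with only one or two attempts each, or as password guessing when it hammers one account. Any account that logged in successfully from a flagged source is listed as a likely compromised account for password reset and session revocation.

```python
import re
from collections import defaultdict

# Constructed sample login-audit lines (not from the FBI alert); the format is assumed.
SAMPLE_AUTH_LOG = """\
2022-05-26T02:10:01Z src=198.51.100.23 user=alice result=fail
2022-05-26T02:10:02Z src=198.51.100.23 user=bob result=fail
2022-05-26T02:10:02Z src=198.51.100.23 user=carol result=fail
2022-05-26T02:10:03Z src=198.51.100.23 user=dave result=success
2022-05-26T02:10:04Z src=198.51.100.23 user=erin result=fail
2022-05-26T02:10:05Z src=198.51.100.23 user=frank result=fail
2022-05-26T02:11:40Z src=10.0.8.15 user=alice result=fail
2022-05-26T02:11:45Z src=10.0.8.15 user=alice result=success
2022-05-26T02:12:00Z src=203.0.113.7 user=grace result=success
2022-05-26T02:13:01Z src=192.0.2.44 user=alice result=fail
2022-05-26T02:13:02Z src=192.0.2.44 user=alice result=fail
2022-05-26T02:13:03Z src=192.0.2.44 user=alice result=fail
2022-05-26T02:13:04Z src=192.0.2.44 user=alice result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


def parse_auth_lines(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def classify_sources(text, min_distinct_users=5, min_attempts=4):
    """Classify each source address as credential stuffing, password guessing, or benign.

    Heuristics (thresholds are assumptions to be tuned per site):
      - credential_stuffing: at least min_distinct_users accounts tried, and no more
        than two attempts per account on average (leaked pairs are tried once each).
      - password_guessing: a single account tried at least min_attempts times with
        at least one failure.
    Sources matching neither rule are omitted from the result.
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0, "hits": set()})
    for rec in parse_auth_lines(text):
        s = stats[rec["src"]]
        s["users"].add(rec["user"])
        s["attempts"] += 1
        if rec["result"] == "success":
            s["successes"] += 1
            s["hits"].add(rec["user"])

    findings = {}
    for src, s in stats.items():
        n_users = len(s["users"])
        if n_users >= min_distinct_users and s["attempts"] <= 2 * n_users:
            kind = "credential_stuffing"
        elif n_users == 1 and s["attempts"] >= min_attempts and s["successes"] < s["attempts"]:
            kind = "password_guessing"
        else:
            continue
        findings[src] = {
            "kind": kind,
            "distinct_users": n_users,
            "attempts": s["attempts"],
            "successes": s["successes"],
            "compromised_accounts": sorted(s["hits"]),  # successful logins from a flagged source
        }
    return findings


if __name__ == "__main__":
    for src, f in sorted(classify_sources(SAMPLE_AUTH_LOG).items()):
        print(f"{src}: {f['kind']} ({f['distinct_users']} accounts, {f['attempts']} attempts)")
        if f["compromised_accounts"]:
            print(f"  reset and re-authenticate: {', '.join(f['compromised_accounts'])}")
```

On the sample, 198.51.100.23 is reported as credential stuffing with `dave` as the account to reset, 192.0.2.44 as password guessing, and the internal user at 10.0.8.15 who mistyped a password once is left alone. The average-attempts-per-account test is what separates stuffing from guessing: the same lines fed through a plain failed-login counter would rank both attackers alike and say nothing about which account was actually hit.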

Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

Cloud security company Lacework has laid off 20 percent of its employees, just months after two record-breaking funding rounds pushed its valuation to $8.3 billion.

A spokesperson wouldn't confirm the total number of employees affected, though told The Register that the "widely speculated number on Twitter is a significant overestimate."

The company, as of March, counted more than 1,000 employees, which would push the jobs lost above 200. And the widely reported number on Twitter is about 300 employees. The biz, based in Silicon Valley, was founded in 2015.

A researcher at Cisco's Talos threat intelligence team found eight vulnerabilities in the Open Automation Software (OAS) platform that, if exploited, could enable a bad actor to access a device and run code on a targeted system.

The OAS platform is widely used by a range of industrial enterprises, essentially facilitating the transfer of data within an IT environment between hardware and software and playing a central role in organizations' industrial Internet of Things (IIoT) efforts. It touches a range of devices, including PLCs, OPCs, and IoT devices, as well as custom applications and APIs, databases, and edge systems.

Companies like Volvo, General Dynamics, JBT Aerotech and wind-turbine maker AES are among the users of the OAS platform.

Nvidia is expecting a $500 million hit to its global datacenter and consumer business in the second quarter due to COVID lockdowns in China and Russia's invasion of Ukraine. Despite those and other macroeconomic concerns, executives are still optimistic about future prospects.

"The full impact and duration of the war in Ukraine and COVID lockdowns in China is difficult to predict. However, the impact of our technology and our market opportunities remain unchanged," said Jensen Huang, Nvidia's CEO and co-founder, during the company's first-quarter earnings call.

Those two statements might sound a little contradictory, including to some investors, particularly following the stock selloff yesterday after concerns over Russia and China prompted Nvidia to issue lower-than-expected guidance for second-quarter revenue.

HPE is lifting the lid on a new AI supercomputer – the second this week – aimed at building and training larger machine learning models to underpin research.

Based at HPE's Center of Excellence in Grenoble, France, the new supercomputer is to be named Champollion after the French scholar who made advances in deciphering Egyptian hieroglyphs in the 19th century. It was built in partnership with Nvidia using AMD-based Apollo computer nodes fitted with Nvidia's A100 GPUs.

Champollion brings together HPC and purpose-built AI technologies to train machine learning models at scale and unlock results faster, HPE said. HPE already provides HPC and AI resources from its Grenoble facilities for customers and the broader research community, and said it plans to provide access to Champollion for scientists and engineers globally to accelerate testing of their AI models and research.

HR and finance application vendor Workday's CEO, Aneel Bhusri, confirmed deal wins expected for the three-month period ending April 30 were being pushed back until later in 2022.

The SaaS company boss was speaking as Workday recorded an operating loss of $72.8 million in its first quarter [PDF] of fiscal '23, nearly double the $38.3 million loss recorded for the same period a year earlier. Workday also saw revenue increase to $1.43 billion in the period, up 22 percent year-on-year.

However, the company increased its revenue guidance for the full financial year. It said revenues would be between $5.537 billion and $5.557 billion, an increase of 22 percent on earlier estimates.

The UK's Competition and Markets Authority is lining up yet another investigation into Google over its dominance of the digital advertising market.

This latest inquiry, announced Thursday, is the second major UK antitrust investigation into Google this year alone. In March this year the UK, together with the European Union, said it wished to examine Google's "Jedi Blue" agreement with Meta to allegedly favor the former's Open Bidding ads platform.

The news also follows proposals last week by a bipartisan group of US lawmakers to create legislation that could force Alphabet's Google, Meta's Facebook, and Amazon to divest portions of their ad businesses.

The Register - Independent news and views for the tech community. Part of Situation Publishing

Biting the hand that feeds IT © 1998–2022