Companies need to understand the differences between management and leadership, and provide the means to work effectively with employees and teams during challenging times.
Speaking at the Infosecurity Europe Virtual Conference, Sajed Naseem, CISO for New Jersey Courts, said businesses need to identify “all degrees of bad,” citing a recent senior sporting official, and identify the “least bad” challenge.
Naseem said that a lot of leadership is about knowing how you feel, how your team feels and how teams connect to other teams. He called leadership the “skills of motivating, guiding and empowering a team towards a socially responsible vision” and “in cybersecurity, leadership is required to provide opportunities to make cybersecurity stronger in the organization.”
Whereas management, he added, requires “a set of well-known processes like planning, budgeting, structuring jobs, measuring performance and problem solving.” The difference between management and leadership is that cybersecurity management “must make sure upper management’s business objectives and cybersecurity tie together and there are no misunderstandings.”
With regards to questions that should be asked in order to achieve the goal of creating an effective management/leadership strategy, Naseem cited the following:
- Who will set the vision?
- Who will set the strategy?
- Who will break the silos?
- How will digital transformation be sustained?
- Who will shop for the 'groceries?'
- Who will stand up to say the “budget is decreasing” and “the workforce is expected to be cut?”
- Who will speak with empathy in the decreasing workforce?
- Who will stand up against “budget is decreasing” and “workforce is expected to be cut”?
- Who will make the right decision even when it isn’t a popular one?
- Who will say “I don’t know” and who will find out the answers?
- Who will look past the fears?
Naseem also encouraged leaders to get to know each member of their team, and to ensure that team members are engaged and that leaders are engaged with them.
To conclude, Naseem encouraged CEOs to hire and support cybersecurity people, and to keep them abreast of mergers and acquisitions so they can measure cyber-readiness and performance. “Your business may be a money making business, but if you miss cybersecurity, you miss the point.”
Confidential documents have been swiped from a US military nuclear missile contractor in a cyber-attack, according to Sky News.
Today the news service reported that cyber-criminals were able to gain unauthorized access to the computer network of New Mexico company Westech International.
Headquartered in Albuquerque's Louisiana Boulevard, Westech was established in 1995 by founder Dr. Betty Chao to provide services to federal agencies and commercial enterprises. The company has a staff of 150 employees hired to carry out various Department of Energy (DOE) and Department of Defense (DoD) contracts at 15 locations in 11 American states.
Westech, as a sub-contractor for Northrop Grumman, provides critical support for the United States' Minuteman III nuclear deterrent. The intercontinental ballistic missile LGM-30G Minuteman III is a three-stage missile with a range of over 6,000 miles.
As of February 2018, America's ICBM force consisted of 400 Minuteman III missiles located at the 90th Missile Wing at F.E. Warren AFB, Wyoming; the 341st Missile Wing at Malmstrom AFB, Montana; and the 91st Missile Wing at Minot AFB, North Dakota.
Westech provides engineering and maintenance support for the Minuteman III ICBMs.
According to Sky News, files stolen from Westech in the cyber-attack have been leaked online. The files appear to contain sensitive data, including company emails, payroll, and what Sky describes as "personal information."
Westech confirmed that the company had been hacked and that its computers had been encrypted. No information was shared regarding when the attack took place or how the criminals gained entry to Westech's computer system.
A spokesperson for Westech told Sky News that an investigation into what data the criminals had accessed and exfiltrated was still ongoing.
"We recently experienced a ransomware incident, which affected some of our systems and encrypted some of our files," said the spokesperson.
"Upon learning of the issue, we immediately commenced an investigation and contained our systems.
"We have also been working closely with an independent computer forensic firm to analyze our systems for any compromise and to determine if any personal information is at risk."
Abe Crannaford admitted hacking into the servers of the American multinational tech giant in mid-2017 and early 2018. Once inside, the 24-year-old extracted information relating to Apple employees that he later shared via his Twitter account.
It was alleged that Crannaford also provided links to the corporation's firmware on GitHub.
Crannaford pleaded guilty in February to two counts of unauthorized access or modification of restricted data. These offenses could have seen the guilty man locked up for two years and fined a maximum of $10,000.
However, instead of imposing a custodial sentence on Crannaford, Magistrate Doug Dick placed the malicious hacker under a recognizance order. The order, handed out on June 3 in Eden Local Court, requires Crannaford to abide by the law for an 18-month period.
In addition, Dick fined Crannaford $5,000. If the hacker reoffends within the period of recognizance, he will be ordered to pay an extra $5,000 penalty.
Dick said that by targeting people's privacy, Crannaford's crime targeted a matter of vital importance to today's general public.
"What you did strikes at the heart of modern society—people rightly worry about their privacy," Dick told Crannaford.
Ines Chiumento, Crannaford's defense lawyer, suggested that by awarding hackers for finding exploits and bugs through its bounty program, Apple "in some sense" promotes hacking. Chiumento argued that such a program sent mixed messages to impressionable youngsters.
"Apple does promote in some sense the ability to delve into a computer and find a bug or a glitch—and then knowing about it helps the company improve its product," Chiumento said.
"With that ability being treasured and sought out, it's difficult to send a message to young people [about the illegality and punitive measures] if the companies don't send the same message."
The Commonwealth prosecutor acknowledged the existence of Apple's bounty program but said Crannaford's "intrusions into websites and restricted data" occurred on multiple occasions and were shared with others, "so the concept of a bounty is contrary to his actions."
Dick told Crannaford: "In the beginning I can believe you may have been enticed by a 'bounty,' but these charges relate to later matters."
Employee work from home habits are putting businesses at a higher risk of cyber-attacks, according to a study by CyberArk. It revealed that a large proportion of remote workers in the UK regularly engage in practices including using unmanaged, insecure BYOD devices to access corporate systems (60%).
Working from home has risen at an exponential rate in the UK and elsewhere as a result of the COVID-19 pandemic. This is posing additional security risks for businesses, due to firms rushing to put in place applications and services that enable remote work as well as more insecure connections.
These risks are being increased further by bad cybersecurity behaviors by remote workers, according to CyberArk’s new analysis.
In a survey of 300 remote office workers and 300 IT professionals in the UK, the security firm also found that 57% of remote workers use communication tools such as Zoom and Microsoft Teams, which have had well-publicised security problems in recent months.
Risky cyber-practices were shown to be particularly prevalent amongst working parents included in the study, who face additional distractions such as childcare and home-schooling. Of this cohort, 57% insecurely save passwords in browsers on their corporate devices while 89% said they reuse passwords across applications and devices. Additionally, 21% allow other members of their household to use their corporate devices for activities like schoolwork, gaming and shopping.
Despite the additional security risks posed by the huge rise in remote working, 57% of IT professionals surveyed said they haven’t increased their security protocols in this period.
Rich Turner, SVP EMEA, CyberArk, said: “Responsibility for security needs to be split between employees and employers. As more UK organizations extend remote work for the longer-term, employees must be vigilant. This means constantly updating and never re-using passwords, verifying that the operating systems and application software they use are up-to-date, and ensuring all work and communication is conducted only on approved devices, applications and collaboration tools.
“Simultaneously, businesses must constantly review their security policies to ensure employees only have access to the critical data and systems they need to do their work, and no more. Decreasing exposure is critical in the context of an expanded attack surface.”
The impact of the COVID-19 pandemic is the most prominent trend in cybersecurity for 2020, according to Infosecurity Magazine's latest State of Cybersecurity Report.
As outlined in a session at the Infosecurity Europe Virtual Conference, in the annual report, which this year surveyed 75 people including 25 cyber-practitioners, 25 people working in academia and 25 venture capitalists and entrepreneurs, 30% of those polled said that COVID-19’s impact on cybersecurity is an influential trend affecting the industry.
Reasons for this varied, including the escalation of phishing and malicious attacks related to the pandemic, as well as the mass movement to remote workforces, the deployment of VPN and collaboration tools, and the rapid nature in which they were deployed.
BluBracket CEO and founder Ajay Arora said the spread of COVID-19 “has completely changed the cybersecurity landscape” as companies are straining to quickly enable remote workers securely. Tech innovator and entrepreneur Dmitry Akulov said even before COVID-19, more and more companies were becoming more and more dependent on remote work, but the pandemic accelerated that. “I believe that the pandemic will have lasting results on the workplace with more and more businesses who were (at first) slow to the race allowing for workers to stay remote (at least partially),” he added.
“Now more than ever, it’s crucial for companies to create an emergency security plan. It has become important to educate your workers on the risks they face, not just keeping security issues as an internal task that gets handled by experts. We must all become to some degree experts in security for the safety of companies worldwide. Security will no longer be an issue for the IT guy, security is now dependent on all of us.”
Arno Robbertse, chief executive of ITC Secure, cited increased cyber-attacks against the healthcare industry as cyber-criminals make use of the pandemic in various attack vectors. “Examples we’ve seen include phishing emails pretending to be from the World Health Organization, to more sophisticated forms of intrusion via encryption methods,” he said.
Otavio Freire, Safeguard Cyber CTO and president, also cited the “issues of disinformation and cybersecurity” as continuing to converge. He said: “COVID-19 is just one example where it is both being tuned on corporations and consumers for ransomware and spear-phishing, and used by nation states to further destabilize and wreak havoc on countries and its citizens by creating panic and confusion.”
However, we have also seen support operations form as a result of the pandemic, including C5 creating the C5 Cyber Health Alliance to secure European healthcare organizations, the formation of the CV19 volunteer group and the launch of malicious URL collection services.
These collaborative initiatives will provide the necessary support and means for hospitals and clinics to protect their internal systems and defend against unwanted cyber-threats.
The other top five trends were cloud (26%), Machine Learning and AI (25%), the human factor (24%) and phishing (18%). In total, 34 trends were cited in this year’s research, which was conducted between March and May 2020.
Surprisingly, compliance did not feature in this year’s top five trends, after it was the top trend in our 2018 report, and came in third place in 2019. Also not appearing in the top five were ransomware, IoT and patch management.
Speaking at the Infosecurity Europe Virtual Conference Dr Jessica Barker, co-CEO of Cygenta, discussed the importance and effectiveness of positive reinforcement in managing the human element of risk.
Dr Barker said: “Using the ‘carrot’ or rewarding people is the most effective avenue to go down. In security, we have this tradition of always being very negative and first thinking how we can ‘scare’ people and how we can use authority to tell people off if they get things wrong. That has created such a negative culture around security.”
Dr Barker argued that, when managing human-related risk, it is much more effective to use positivity. “For example, with phishing simulations, there are a couple of things organizations could be doing better. The first is, if we are reporting on how many people have clicked or haven’t clicked on a phishing email, organizations will generally always focus on how many people clicked,” ignoring the positive message of how many people did not click, which is very often higher.
In that case, businesses should use “positive reinforcement and social proof to demonstrate that the majority of people are engaging with positive behavior and encourage the minority to join them next time.”
Beyond that, Dr Barker continued, the behavior we really want to see with regards to phishing simulation is reporting: how many people reported an incident, how long did it take, do some emails get reported more than others? “These are the kind of metrics that are far more insightful and useful and focus on the behaviors we actually want to be seeing, rather than just trying to drive down the click rate.”
If we only focus on the negatives and punish people for clicking on phishing links or for reporting incidents, all we are doing is “driving a culture of fear – driving incidents underground and creating more distance between security and the rest of the business. That creates more risk.
“We know the culture of fear around security doesn’t work – what we need is a much more empowering, much more positive culture.”
In a session at the Infosecurity Europe Virtual Conference, a panel of security experts were asked to define the human element of risk to help organizations quantify and manage it.
David Boda, head of information security at Camelot (National Lottery) said that a significant factor in defining human risk is understanding that a large amount of human risk is generated as a result of accidental actions.
“There’s obviously a place for monitoring malicious activity, but the vast amount of what I see is accidental and human behavior often comes down to people just trying to get their jobs done but struggle to do so for whatever reason – and that creates risk.
“I think it’s our job as security professionals to try and understand the root causes of that and try to help people to do their jobs in a risk-managed way.”
For Dr Jessica Barker, co-CEO of Cygenta, defining the human element of risk requires us to put the human at the forefront of processes at all times. “When we’re defining the human side of risk, it is important we consider the fact that, with all technology or element of security, people are involved at every stage of the lifecycle – the designing, developing, use, testing, destroying or deleting.”
Therefore, we need to think about our developers and how they are trained in cybersecurity, “taking the conversation much wider than just to people that are using technology,” she added.
Mark Osborne, CISO of JLL, also highlighted the important role that CISOs must play in defining and managing human-related risk.
“Most CISOs tend to like a ‘bogeyman’ – they want to make a bit of a drama [of human risk]. We’re always talking about the ‘insider threat,’ but really even the most educated and diligent user is going to click on a phishing link. I think, in this day and age, breaches can not only be classed as accidental, they’re also down to neglect or a lack of intent to comply.”
Osborne argued that the security rules implied on businesses therefore need to be better-enforced by CISOs who are the ones that “tend to let the side down, rather than the users.”
A prolific ransomware group has begun auctioning data stolen from victim organizations that refuse to pay up, marking an escalation in its monetization efforts.
The gang behind the REvil (aka Sodinokibi) variant this week took to its dark web blog to announce the first auction, related to a Canadian agricultural company it compromised which has declined to pay a ransom.
The group claimed the three-database trove contains accounting documents and other “important information” which may be of use to competitors. A starting price of $50,000 was set for the 22,000+ files.
REvil has threatened to auction stolen data before: when it claimed to have stolen 756GB of data from New York-based celebrity law firm Grubman Shire Meiselas & Sack.
On that occasion the promised auction of data relating to client Madonna never materialized, although there are signs it may yet happen, with a starting price of $1 million.
However, it’s unclear how much of this is classic cybercrime bluster. A previous post claimed the group had “a ton of dirty laundry” on Donald Trump, even though reports suggested he was never a client of the law firm. It conveniently later claimed that a private bidder had bought all the info on the US President, so it would not be releasing the trove.
REvil’s latest auction tactics can be viewed either as a sign of its insatiable greed, or of a group struggling to extort as much money from victims during the pandemic.
According to Group-IB, it is one of the top three “greediest ransomware families with highest pay-off.”
The group is noted for targeting managed service providers (MSPs) to access customer documents, as well as local governments in the US. It uses quasi-APT tactics such as exploitation of VPN system vulnerabilities to gain a foothold in systems, Mimikatz to steal credentials, and PsExec to perform lateral movement and reconnaissance.
Almost 80% of US companies have suffered at least one cloud security breach over the past 18 months, with misconfiguration the number one concern among CISOs, according to Ermetic.
The cloud security vendor commissioned IDC to interview 300 US cybersecurity leaders in organizations ranging in size from 1500 to more than 20,000 employees. The aim was to better understand the level of risk their organizations are facing and where their biggest challenges are.
Over two-fifths (43%) reported 10 or more breaches over the past year-and-a-half, while 79% said they’d suffered at least one incident.
The top three threats were listed as security misconfiguration of production environments (67%), lack of visibility into access in production environments (64%) and improper IAM and permission configurations (61%).
Configuration errors are a common occurrence in the cloud space, thanks to the growing complexity of deployments, limited in-house expertise and growing interest from researchers and cyber-criminals.
The findings align somewhat with Verizon’s most recent Data Breach Investigations Report (DBIR), which revealed that 22% of breaches last year were down to human error, with misconfiguration featuring strongly. In fact, the report claimed that breaches featuring configuration mistakes had jumped nearly 5% from the previous year.
Ermetic also argued that users and applications often accrue excessive access permissions in public cloud deployments. These are often granted by default or go unnoticed, but can be hijacked by attackers to steal data, deliver malware or disrupt business processes.
Perhaps unsurprisingly given their challenges, the CISOs IDC spoke to claimed their top three cloud security priorities are compliance monitoring (78%), authorization and permission management (75%) and security configuration management (73%).
“Even though most of the companies surveyed are already using IAM, data loss prevention, data classification and privileged account management products, more than half claimed these were not adequate for protecting cloud environments,” said Shai Morag, CEO of Ermetic. “In fact, two-thirds cited cloud native capabilities for authorization and permission management, and security configuration as either a high or an essential priority.”
Security experts are warning of growing dark web demand for access to users’ YouTube accounts.
Etay Maor, CSO at cyber-intelligence firm IntSights, explained that in recent weeks his team has noticed an uptick in demand for stolen credentials for prominent accounts on the video site.
While account access can be used to spread malware and launch fraud scams against viewers, it is also used to blackmail the account owner.
“YouTube accounts from compromised computers or from logs of credentials can be of high value,” explained Maor.
“While smaller channels may not be as lucrative as larger ones, YouTubers rely on them as revenue streams and might be willing to pay money to attackers to get their content and access to their channels back.”
One snap poll run by an underground forum revealed that 80% of members wanted to see more YouTube credentials put up for sale. Another screenshot posted by IntSights showed a seller auctioning over 680 accounts for a starting price of $400, some of which had as many as 40,000 subscribers.
These auctions are often given a time limit of just 24 hours so that the credentials can be used before their owner has had a chance to contact YouTube support.
As mentioned, most of the log-ins are taken from either malware-infected computers or databases of Google credentials.
“In the past, attackers used sophisticated phishing campaigns in combination with reverse proxy toolkits like Modlishka to defeat Google’s two-step verification. However, none of the current sellers mention 2FA, which may mean these accounts did not opt in for this additional security step,” concluded Maor.
“While 2FA is not a silver bullet against cyber-criminals, it is highly recommended to opt in to this additional security step, have a properly patched computer, understand the risks and types of phishing attacks and use a recovery phone number or email.”
The winners of the annual European Cybersecurity Blogger Awards have been announced.
With over 1,000 names put forward, the shortlists for the 12 awards were put to the public vote, and winners were announced via a video conference. The awards were organized by Eskenzi PR and sponsored by Qualys. Yvonne Eskenzi said: “The European Cybersecurity Blogger Awards celebrate the brilliant bloggers, vloggers and podcasters that inform and educate our industry.
“In the true spirit of the event, we didn't let COVID-19 stop us this year; and thanks to the headline sponsor, Qualys, we were able to deliver a fun, virtual event complete with a cocktail making experience. Congratulations to all the very deserving winners!”
Anne Lenoir, corporate communications and events director EMEA at Qualys, said: "The security sector relies on information sharing to keep ahead of attacks, ensure that new vulnerabilities are understood properly, and that we can all help organizations keep their IT operations protected. There’s a great community of bloggers and podcasters in the security sector that help this process, sharing their expertise and insight to help people in their roles.
"Whether it’s about sharing experiences around the personal issues and skills side, or deep technical knowledge on new problems, the security community helps everyone keep improving. We are really happy to be sponsoring this year’s Cybersecurity Bloggers Awards and support that community development."
The winners were announced as follows:
Best New Cybersecurity Podcast - Weegiecast
Best New, Up-and-Coming Cybersecurity Blog - Security Queens
Best Corporate Blog - Sophos Naked Security
Best Corporate Twitter - Infosecurity Magazine @InfosecMag
Best Podcast - Darknet Diaries
Best Cybersecurity Video OR Cybersecurity Video Blog - Troy Hunt’s Weekly Update
Special Mention: IT Security Guru Rant of the Week, featuring Quentyn Taylor
Best Personal Security Blog - ZeroSec
Special Mention: Andy Gill
Most Entertaining Blog - Thom Langford – the Lost CISO
Most Educational Blog for User Awareness - Jenny Radcliffe Human Factor
Special mention: KnowBe4
Best Technical Blog - Security Affairs
Special Mention: ObjectiveSee
Best Personal Twitter - Kevin Beaumont @GossitheDog
Legends of Cybersecurity: Best Overall Blog - Sophos Naked Security
Resilience and adaptability are key to organizations coming through the COVID-19 crisis, according to Uber CIO, Shobhana Ahluwalia, speaking at the Infosec Europe 20 Virtual Conference. She described to the audience how the company has had to display perseverance and agility on a number of occasions during the last five years in order to be successful, and must continue this mindset in regard to the current crisis, which has caused unprecedented levels of damage to the business.
In the first phase of Uber’s recent journey, the company had to respond to its rapid growth across the world, such as in terms of technological capacity; in the second, it responded to and survived frequent criticisms about the company’s culture, ensuring the business adapted and continued in light of this negativity. In the third, the brand evolved to meet a changing environment in areas such as regulations throughout the world, and finally, the current COVID-19 crisis. Ahluwalia acknowledged that the latter of these is the toughest challenge of all, resulting in a large decline in revenue and the enforced laying off of 20-25% of its staff.
She emphasised how the soft skills of resilience and perseverance are traits that trump all others at a time such as this: “Understanding, and coming to terms with instability, unfairness, and change being a constant in life no matter your station – that flexibility is key,” Ahluwalia noted.
In response to an audience question, Ahluwalia went on to describe the status and importance of cybersecurity personnel to Uber’s success: “In tech, security is the new noble job because you have to succeed every time at locking – you have to have a 100% success rate to protect the company and IP, as the attackers have to get through just once to succeed,” she said.
She also outlined her belief that a collaborative approach to security is one that needs to be employed across the sector: “Our teams have a lot of relationships in the industry where they work with several different organizations, which help us be secure. I believe security is one of those areas where we are stronger when we are together,” she stated.
Finally, Ahluwalia stressed the importance of mentorship for those working in the cybersecurity industry as they progress in their careers. In particular, she highlighted the female CIO group that she is part of.
She commented: “We meet every quarter and we have certain rituals like talking about something personal we are struggling with and something professional we are struggling with and there is so much outpouring of support from people who are doing the same thing or who might have struggled with it in the past.”
New York City's cybersecurity bootcamp partner is offering free introductory training courses to all American citizens.
As a result of lockdown measures introduced to slow the spread of COVID-19, over 30 million Americans have been left without work.
The free training program was originally scheduled to become available in late 2020 to specifically support under-served New York City residents. However, Fullstack brought the launch forward to today and expanded the program nationwide to help people across the US recover from the economic impacts of the novel coronavirus pandemic.
"Cybersecurity is one of the fastest growing sectors in New York City," said James Patchett, president and CEO of the New York City Economic Development Corporation (NYCEDC).
"Fullstack's free training courses will introduce New Yorkers to a field that provides good-paying jobs. As the city faces a long economic recovery, programs like this, which offer an opportunity to learn in-demand skills and a path to a new or better job, are key."
Fullstack's program gives Americans the chance to participate in nearly 40 hours of entry-level cybersecurity training courses free of charge.
Those who take advantage of the opportunity can take a self-paced Hacking 101 course online, complete a Linux Command Line for Beginners course, and get to take part in a live 3-hour practical hacking workshop online.
Those who wish to continue their education can enroll in the full Fullstack Cyber Bootcamp, where they can learn the skills necessary to become an employable cybersecurity professional in 17 weeks.
"Fullstack Cyber Bootcamp has already become a national leader in cybersecurity training since opening its first campus in New York City last year," said Nimit Maru, co-founder and co-CEO of Fullstack Academy.
"Our partnership with NYCEDC enables us to support the country's economic recovery, introducing Americans to new careers, while also filling the significant skills gap in the cybersecurity industry."
WatchGuard announced the signing of a definitive agreement to purchase Panda in March 2020. Three months on, 30-year-old company Panda is now a wholly owned subsidiary of WatchGuard.
In a statement released today, the combined company said the completed deal will "enable current and future customers and partners to consolidate their fundamental security services for protection from network to endpoint under a single company."
CEO of WatchGuard Prakash Panjwani said the finalized deal would bring both immediate and long-term benefits.
“Our customers and partners need access to enterprise-grade security built for the unique needs and requirements of the midmarket. WatchGuard is focused on delivering these security services via an MSP-focused security platform that simplifies every aspect of security delivery and solidifying our position as the de facto security solution for the midmarket,” said Panjwani.
“The completed acquisition of Panda Security, and the subsequent integration of its portfolio into WatchGuard Cloud, represents a significant milestone for the company and will result in both immediate and long-term benefits for our customers and partners that will address common challenges with security complexity, rapidly changing network topologies, purchasing models, and more.”
One of the first orders of business for the new combined company will be to provide partners and customers from both companies access to the newly expanded portfolio of security solutions.
By integrating portfolios, the company hopes that partners and customers will benefit from advanced threat detection and response functionality fueled by modern AI capabilities, behavior-profiling techniques, and cutting-edge security event correlation, as well as additional operational benefits such as a centralized management across network and endpoint security.
WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. The company describes itself as a leading global provider of network security and intelligence, secure Wi-Fi, and multi-factor authentication.
Prior to its acquisition by WatchGuard, Panda was owned by Investing Profit Wisely (IPW), an investment company focused exclusively on software publishing companies and based in Spain. Panda is headquartered in Madrid and Bilbao.
A Virginia software company specializing in cloud-based solutions has agreed to be acquired by private equity firm Thoma Bravo.
Exostar was developed as a joint venture between some of the world’s leading businesses, including BAE Systems, Boeing, Lockheed Martin, Raytheon, Rolls-Royce, and, more recently, Merck.
Initially formed as a B2B aerospace and defense industry exchange, the company’s secure platform now serves over 150,000 organizations in over 150 different countries in not only aerospace and defense, but the life sciences and healthcare markets as well.
After 20 years of joint-venture ownership by five global aerospace and defense industry leaders and one of the world’s largest pharmaceutical companies, Exostar has reached an agreement to be acquired by Thoma Bravo.
A spokesperson for Exostar said that the owners “whose careful guidance has been integral to Exostar’s success”—BAE Systems, Boeing, Lockheed Martin, Merck, Raytheon Technologies, and Rolls-Royce—will “remain actively engaged as valued customers and trusted advisors.”
Exostar CEO and president Richard Addi said that the planned transaction “reflects the logical next step in our company’s evolution.”
“Thoma Bravo’s strategic investment positions us to more rapidly expand our community and deliver the digital trust that must exist between an enterprise and its suppliers, customers and partners,” said Addi.
“We can leverage Thoma Bravo’s deep technology and security experience to take full advantage of our unique market position. Together, we plan to accelerate time-to-market for the Exostar suite of solutions that enable global enterprises to execute their mission-critical supply chain and drug development initiatives.”
Carl Press, a principal at Thoma Bravo, said the PE firm was thrilled to partner with Addi and the Exostar team.
“Exostar’s identity access management and secure collaboration software is utilized by some of the most respected and well-known enterprise customers in aerospace and defense, life sciences and healthcare,” said Press.
“The company’s understanding of complex organizations’ procurement and collaboration needs is a key differentiator inherent in its products.”
Thoma Bravo said it was hoping to expand Exostar's capabilities, particularly in the realm of cybersecurity.
The transaction is subject to customary closing conditions and regulatory approvals. Terms of the transaction were not disclosed.
Enterprise mobile phishing encounters increased by 37% in the first quarter of 2020 compared with the fourth quarter of 2019, according to the Lookout 2020 State of Mobile Phishing Spotlight Report. The rate of growth was especially high in North America, at 66.3%, exacerbated by the unprecedented rise in people working from home due to the COVID-19 crisis.
While the authors acknowledged that organizations have sought to combat the threat of phishing by educating employees and deploying email phishing security software, cyber-criminals have increasingly been targeting mobile devices. On mobile, phishing attempts no longer need to hide in email; they can instead reach users through SMS, messaging apps and social media platforms. This is a particular issue at the moment, with many employees working remotely and using personal devices such as smartphones and tablets to be productive.
In addition, Lookout noted that detecting the characteristics of a phishing link on a mobile device is harder than in email because of the smaller form factor and simplified user experience. This results in a higher success rate for cyber-criminals attacking mobile devices compared to desktops.
“Phishing has evolved into a massive problem that expands far beyond the traditional email bait and hook,” explained Phil Hochmuth, program vice-president of enterprise mobility at IDC. “On a small screen and with a limited ability to vet links and attachments before clicking on them, consumers and business users are exposed to more phishing risks than ever before. In a mobile-first world, with remote work becoming the norm, proactive defense against these attacks is critical.”
The report also calculated that unmitigated mobile phishing threats have the potential to cost businesses with 50,000 mobile devices up to $150m per incident.
David Richardson, vice-president of product management at Lookout, commented: “Smartphones and tablets are trusted devices that sit at the intersection of their owner’s personal and professional identity. Cyber-criminals are exploiting the ability to socially engineer victims on their mobile device in order to steal their credentials or sensitive private data.”
The COVID-19 crisis has highlighted how home working makes organizations particularly vulnerable to phishing campaigns.
With the acquisition, Thycotic adds three new products to its PAM portfolio to further protect enterprise cloud apps and ensure remote worker productivity.
Commenting on the deal, James Legg, president and CEO at Thycotic, said that with the sudden growth of remote workforces across the globe, privileged access security controls must account for ordinary business users who are accessing sensitive and privileged corporate data from untrusted devices on untrusted networks.
“With the addition of Onion ID, we are now able to implement fine-tuned role-based access controls across any web-based application, IaaS console and cloud-hosted database, while providing flexible multi-factor authentication that gives security leaders a significantly easier way to ensure secure access paths for remote employees,” Legg added.
Anirban Banerjee, CEO and founder, Onion ID, said: “By joining forces with Thycotic, we are enhancing our commitment to delivering user-friendly authentication, authorization and auditing to cloud servers, databases and applications. We are launching a diverse set of next-generation PAM 2.0 offerings in the market which will enable enterprise customers to elevate their security controls above and beyond current best of breed solutions and reduce costs with secure remote access.”
Financial terms of the acquisition have not been disclosed but, as part of the transaction, Onion ID will operate under the Thycotic brand and leadership.
The fourth year of the government-backed online cybersecurity training program Cyber Discovery will begin earlier than planned.
Capitalizing on the thousands of young people who are currently unable to attend school, Cyber Discovery officially opened registration today to allow students to take part at home.
Aimed at 13-18-year-olds, led by the Department for Digital, Culture, Media and Sport (DCMS) and delivered by global IT security training organization SANS Institute, Cyber Discovery allows participants to take part in their own time and comprises four phases: an initial assessment stage called CyberStart Assess, CyberStart Game and CyberStart Essentials, designed to enhance the skills of those who have made it through the initial assessment stage.
The CyberStart Assess phase will begin during the summer, and those successful participants will qualify for the advanced learning phases of the program beginning in October.
Digital Infrastructure Minister Matt Warman said: “This initiative gives teenagers something fun and educational to do from home and provides a glimpse into the life of a cybersecurity professional.
“We have a world-leading cyber-sector protecting the country and our digital economy and we must continue to inspire the next generation of talent to help maintain this position. As the assessment phase opens I encourage all teens who enjoy a challenge to put their skills to the test.”
James Lyne, CTO at SANS Institute and co-creator of the program, said the third year of the Cyber Discovery program saw many highly talented young people take part, many of whom are now motivated to pursue a career in cybersecurity. “With so many young people spending time away from school as a result of the coronavirus pandemic, we were happy to bring forward the all-new assessment phase of the 2020/21 program.
“This is an ideal opportunity for students to put their problem-solving skills to the test with a range of fun, interactive challenges where they’ll get to try out cracking codes and solving tricky problems. Those that are successful will then go on to enhance their skills in the core stages of Cyber Discovery. The UK needs cyber-defenders and technologists to secure our increasingly digital future. Help us get young people involved and let’s see if they have what it takes!”
Security experts are warning of a potential deluge of mobile SMS-based phishing (smishing) attacks as the UK’s Test and Trace service launches to mitigate a potential second wave of COVID-19 infections.
The government scheme will require contact tracers to proactively reach out via email, text or phone call to anyone they believe has been in contact with someone with the virus, to ask them to self-isolate.
The NHS has said that anyone contacted in this way “will not be asked to provide any passwords, bank account details or PIN numbers” or asked to download anything. However, they may require full name, date of birth, sex, NHS Number, home postcode and house number, telephone number and email address — more than enough to craft highly effective follow-on attacks and identity fraud.
There are therefore fears that older and more vulnerable members of society in particular may still be tricked into handing over their details or unwittingly downloading malware.
In fact, experts are already warning of unsolicited text messages claiming the recipient may have been in contact with a COVID sufferer and urging them to click through on a malicious link to find out more.
Bogus text messages were also sent out during the trial of the UK's contact tracing app on the Isle of Wight.
One UK-based social engineering company, The AntiSocial Engineer, explained in a blog post over the weekend how easy it is to register legitimate-looking but fake domains and spoof Sender IDs to launch a smishing campaign.
“We have closely followed SMS-based scams since our company was founded and sadly many contributing factors seem to be exacerbating text message fraud. One key trend is that email security is getting better and it’s harder for criminals to reach the inboxes and conduct phishing scams,” he explained.
“SMS is the perfect solution to this problem as only the bare minimum is being done in this sector to stop fraudsters. Messages land straight in the target’s inbox all the same. Criminals can reach out to thousands of people at once and if you don’t understand about Sender ID spoofing you are an easy target.”
RSA Security’s district manager UK & Ireland, Ben Tuckwell, argued that UK adults are “sitting ducks” for such scams, which exploit a heightened sense of concern over the virus.
“Consumers can protect themselves by acting smart and pausing to consider each communication they receive, while remembering the three key smishing don’ts: don’t respond to texts from unknown or unusual numbers; don’t click on any links in text messages; and don’t share any banking information, usernames or passwords or other personal details after receiving a text message, unless you can verify who you are speaking with,” he added.
A new survey from iProov out today reveals that a quarter (26%) of Brits feel more vulnerable to hackers as a result of COVID-19.
Law enforcement activity over recent years is eroding trust on the dark web and forcing cyber-criminals to try new tactics, according to new Trend Micro research.
The security vendor’s latest report, Shifts in Underground Markets, charts changes over the past five years, which have seen the takedown of numerous marketplaces including Evolution, AlphaBay and Hansa.
Trend Micro found widespread concern among cyber-criminals frequenting such sites that police may be monitoring them or the administrators themselves may try an exit scam. Others complained of login problems and frequent DDoS attacks, which may also stem from law enforcement efforts.
In the absence of a stable and secure forum to advertise their wares, some cyber-criminals are taking to gaming comms platform Discord and e-commerce platform Shoppy.gg to buy and sell.
Trend Micro principal security strategist, Bharat Mistry, argued that the firm expects to see new tools and techniques flood dark web sites going forward.
“AI will be at the centre of these efforts. Just as it’s being used by Trend Micro and other companies to root out fraud, sophisticated malware and phishing, it could be deployed in bots designed to predict roll patterns on gambling sites. It could also be used in deepfake services developed to help buyers bypass photo ID systems, or launch sextortion campaigns against individuals,” he explained.
“Some emerging trends are less hi-tech but no less damaging. Access to devices, systems and accounts is so common today that we’re already seeing it spun out in ‘as-a-service’ cybercrime offerings. Prices for access to Fortune 500 companies can hit as much as $10,000.”