Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Top Stories

 

GUEST ESSAY: These advanced phishing tactics should put all businesses on high alert

By Zac Amos

Phishing attacks are nothing new, but scammers are getting savvier with their tactics.

Related: The threat of ‘business logic’ hacks

The Iranian hacker group TA453 has recently been using a technique that creates multiple personas to trick victims, deploying “social proof” to scam people into engaging in a thread. One example comes from Proofpoint, where a researcher began corresponding with an attacker posing as another researcher.

Other Iranian-based cyberattacks have included hackers targeting Albanian government systems and spear phishing scams. According to a new study, phishing attacks rose 61 percent in 2022, with cryptocurrency fraud increasing 257 percent year-over-year.

Companies and consumers must be more cautious than ever when using their devices. Here are four new phishing trends keeping businesses on their toes.

Spear phishing

Spear phishing attacks have taken the dangers of traditional phishing to another level, mainly because it’s highly targeted and precise.

Nowadays, small businesses are more susceptible to spear phishing since they lack the IT security infrastructure in larger organizations. As more people work remotely, companies must be vigilant when sending and filling out online forms, such as login pages — a newly-preferred mode of enticing potential victims.

FIRESIDE CHAT: Why ‘digital resiliency’ has arisen as the Holy Grail of IT infrastructure

By Byron V. Acohido

Digital resiliency has arisen as something of a Holy Grail in the current environment.

Related: The big lesson of Log4j

Enterprises are racing to push their digital services out to the far edge of a highly interconnected, cloud-centric operating environment. This has triggered a seismic transition of company networks, one that has put IT teams and security teams under enormous pressure.

It’s at the digital edge where all the innovation is happening – and that’s also where threat actors are taking full advantage of a rapidly expanding attack surface. In this milieu, IT teams and security teams must somehow strike a balance between dialing in a necessary level of security — without unduly hindering agility.

Digital resiliency – in terms of business continuity, and especially when it comes to data security — has become a must have. I had the chance to visit with Paul Nicholson, senior director of product at A10 Networks, a San Jose, Calif.-based supplier of security, cloud and application services.

Guest expert: Paul Nicholson, Senior Director of Product, A10 Networks

We discussed how and why true digital resiliency, at the moment, eludes the vast majority of organizations. That said, advanced security tools and new best practices are gaining traction.

There is every reason to anticipate that emerging security tools and practices will help organizations achieve digital resiliency in terms of supporting work-from-home scenarios, protecting their supply chains and mitigating attack surface expansion. As part of this dynamic, Zero Trust protocols appear to be rapidly taking shape as something of a linchpin.

“When you say Zero Trust, people’s ears perk up and they understand that you’re basically talking about making sure only the right people can get to the digital assets which are required,” Nicholson told me.

For more context on these encouraging developments, please give the accompanying podcast a listen. Meanwhile, I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is … more

GUEST ESSAY: The case for an identity-first approach ‘Zero Trust’ privileged access management

By Raj Dodhiawala

Today’s enterprises are facing more complexities and challenges than ever before.

Related: Replacing VPNs with ZTNA

Thanks to the emergence of today’s hybrid and multi-cloud environments and factors like remote work, ransomware attacks continue to permeate each industry. In fact, the 2022 Verizon Data Breach Investigation Report revealed an alarming 13 percent increase in ransomware attacks overall – greater than past five years combined – and the inability to properly manage identities and privileges across the enterprise is often the root cause.

As enterprises continue to fall victim to increasingly complex attacks, there’s one topic that cybersecurity professionals and vendors can agree on: the importance of Zero Trust. Still, ways to properly identify and tackle this strategy often remains one of the biggest challenges to overcome.

A ‘Zero Trust’ core

The Zero Trust buzzword has exploded in use over the last few years. Through endless redefinitions, it’s difficult to find a reliable one. While this continuous pivot can be tough to track, it does not diminish the need for a real, executable strategy for tackling its core tenants.  One helpful perspective is to view Zero Trust as a three-legged tripod:

•The first leg of this tripod is the network – protecting the perimeter and ensuring organizations are safeguarded from the outside in, as well as inside out.

•The second is the endpoint – protecting the workstations, servers, laptops, cloud instances, network devices, etc. – the crown jewels are on

GUEST ESSAY: The rise of ‘PhaaS’ — and a roadmap to mitigate ‘Phishing-as-a-Service’

By Zac Amos

Cybersecurity is a top concern for individuals and businesses in the increasingly digital world. Billion-dollar corporations, small mom-and-pop shops and average consumers could fall victim to a cyberattack.

Related: Utilizing humans as security sensors

Phishing is one of the most common social engineering tactics cybercriminals use to target their victims. Cybersecurity experts are discussing a new trend in the cybercrime community called phishing-as-a-service.

Why should companies be aware of this trend, and what can they do to protect themselves?

Phishing-as-a-Service (PhaaS)

Countless organizations have adopted the “as-a-service (-aaS)” business model. It describes companies that present customers with an offering, as its name suggests, to purchase and use “as a service.” Popular examples include artificial intelligence-as-a-service (AIaaS), software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS).

Phishing-as-a-service, also called PhaaS, is the same as the SaaS business model, except the product for sale is designed to help users launch a phishing attack. In a PhaaS transaction, cybercriminals or cybercrime gangs are called vendors, and they sell access to various attack tools and technical knowledge to help customers carry out their crimes.

SHARED INTEL: Poll highlights the urgency to balance digital resiliency, cybersecurity

By Paul Nicholson

The pace and extent of digital transformation that global enterprise organizations have undergone cannot be overstated.

Related: The criticality of ‘attack surface management’

Massive global macro-economic shifts have fundamentally changed the way companies operate. Remote work already had an impact on IT strategy and the shift to cloud, including hybrid cloud, well before the onset of Covid 19.

Over the past two years, this trend has greatly accelerated, and working practices have been transformed for many workers and organizations.

Yet, with all these changes, the specter of security breaches remains high. This explains the rise and popularity of Zero Trust as a framework for securing networks in these new realities as an effective tool to drive cybersecurity initiatives within the entire enterprise.

Fundamentally, Zero Trust is based on not trusting anyone or anything on your network by default and using least required privilege concepts. Every access attempt by any entity must be validated throughout the network to ensure no unauthorized entity is moving vertically into or laterally within the network undetected.

SHARED INTEL: The cybersecurity sea change coming with the implementation of ‘CMMC’

By Byron V. Acohido

Finally, Uncle Sam is compelling companies to take cybersecurity seriously.

Related: How the Middle East paved the way to CMMC

Cybersecurity Maturity Model Certification version 2.0 could  take effect as early as May 2023 mandating detailed audits of the cybersecurity practices of any company that hopes to do business with the Department of Defense.

Make no mistake, CMMC 2.0, which has been under development since 2017, represents a sea change. The DoD is going to require contractors up and down its supply chain to meet the cybersecurity best practices called out in the National Institute of Standards and Technology’s SP 800-171 framework.

I sat down with Elizabeth Jimenez, executive director of market development at NeoSystems, a Washington D.C.-based supplier of back-office management services, to discuss the prominent role managed security services providers (MSSPs) are sure to play as CMMC 2.0 rolls out. For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:

GUEST ESSAY: The drivers behind persistent ransomware — and defense tactics to deploy

By Eric George

The internet has drawn comparisons to the Wild West, making ransomware the digital incarnation of a hold-up.

Related: It’s all about ‘attack surface management

However, today’s perpetrator isn’t standing in front of you brandishing a weapon. They could be on the other side of the globe, part of a cybercrime regime that will never be discovered, much less brought to justice.

But the situation isn’t hopeless. The technology industry has met the dramatic rise in ransomware and other cyber attacks with an impressive set of tools to help companies mitigate the risks. From sharing emerging threat intelligence to developing new solutions and best practices to prevent and overcome attacks, it’s possible to reduce the impact of ransomware when it happens.

Prevalence

The FBI’s Internet Crime Complaint Center (IC3) received 3,729 ransomware complaints in 2021, representing $49.2 million in adjusted losses. Healthcare and public health, financial services, and IT organizations are frequent targets, although businesses of all sizes can fall victim to these schemes.