
LATEST CYBERTHREATS AND ADVISORIES - FEBRUARY 10, 2023

10 February 2023 at 10:43

Cyberattacks wreak havoc on the U.K., LockBit brings big business to its knees and a massive VMware ransomware campaign. Here are the latest threats and advisories for the week of February 10, 2023.

Threat Advisories and Alerts 

Massive Ransomware Campaign Targets VMware ESXi Servers 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a script for recovering VMware ESXi servers encrypted by the massive ESXiArgs ransomware campaign. The campaign began last week. At the time of writing, 2,800 servers are known to have been encrypted. As for the script, the U.S. cybersecurity organization has said, "CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac." To avoid complications, CISA has warned users to understand how the script affects their systems before using it.

Source: https://www.bleepingcomputer.com/news/security/cisa-releases-recovery-script-for-esxiargs-ransomware-victims/  

Atlassian Releases Patches for Critical Vulnerability in Jira Software 

Australian software company Atlassian has released security patches to fix a critical vulnerability (CVE-2023-22501) in its Jira Service Management Server and Data Centre. If successfully exploited, the vulnerability could allow cybercriminals to impersonate other users and obtain remote access to affected systems. The affected Jira versions include 5.3.0 to 5.3.1 and 5.4.0 to 5.5.0. Users and admins are advised to apply the appropriate patches immediately.  

Source: https://www.csa.gov.sg/en/singcert/Alerts/al-2023-016  

Emerging Threats and Research 

IT Professionals Fear ChatGPT Could Be Beginning of AI-Driven Cyberattacks 

When audiences were introduced to Skynet’s nefarious artificial intelligence in the 1984 movie Terminator, the idea of AI-powered attacks probably seemed far-fetched. Tech professionals may be beginning to think differently. According to a BlackBerry survey of 1,500 IT decision makers, 51% of IT workers believe a cyberattack credited to ChatGPT is less than a year away. The report reveals respondents' biggest fears are ChatGPT’s ability to help bad actors craft legitimate-sounding phishing emails (53%), improve their technical know-how (49%) and spread misinformation (49%).

Source: https://www.helpnetsecurity.com/2023/02/07/chatgpt-security-risks/  

U.K. Metal Engineering Firm Suffers Cyberattack 

Vesuvius, a U.K. metal flow engineering company, was recently hit with a cyberattack that led to unauthorized access to its systems. In a statement released earlier this week, the company said, “We are working with leading cybersecurity experts to support our investigations and identify the extent of the issue, including the impact on production and contract fulfillment.” Information on the type of attack, systems affected and other details have yet to be revealed.  

Source: https://www.infosecurity-magazine.com/news/uk-metalg-firm-vesuvius-cyberattack/  

LockBit Claims Royal Mail Cyberattack 

The notorious LockBit ransomware gang has publicly claimed responsibility for the cyberattack on the U.K.’s Royal Mail. The attack was first reported on January 10 and caused severe disruption to the postal operator’s international shipping services. LockBit claims to have stolen Royal Mail’s data and threatened to publish it if their ransom isn’t paid. Royal Mail has yet to officially acknowledge that its “cyber incident” is a ransomware attack, but has resumed outbound international mail operations.  

Source: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-royal-mail-cyberattack/  

ION Trading Pays LockBit’s Ransom after Global Disruption to Its Business 

U.K. software company ION Trading has reportedly paid a ransom to LockBit for an attack it suffered on January 31. ION has been removed from LockBit’s data leak site and a spokesperson for the criminal group said the ransom was paid the day before its due date by a “very rich unknown philanthropist." While paying ransoms to cybercriminals is typically discouraged, the incident was impacting ION’s clients on a global scale. Ian McShane, vice president of Arctic Wolf, said, “The cyber attack on the ION Group demonstrates how attackers can use the supply chain to cripple entire industries.”  

Source: https://www.itpro.co.uk/security/ransomware/370007/ion-trading-reportedly-pays-lockbit-ransom-demands  

Canada’s Indigo Suffers Web Outage After “Cybersecurity Incident” 

Canadian books and music retailer Indigo has, like Royal Mail, suffered a “cybersecurity incident” that has affected customer orders in-store and online. The company remains quiet about the details of the incident, but David Masson, director of enterprise security at cybersecurity firm Darktrace, was reported by CBC News to have suggested that the sheer length of the outage indicates it wasn't an internal error, but rather an instance of ransomware. At the time of writing, the website remains down, with an English/French static page apologizing for the inconvenience while the company tries to get its systems back online.

Source: https://www.cbc.ca/news/business/indigo-cybersecurity-1.6742230 

To stay updated on the latest cybersecurity threats and advisories, look for weekly updates on the (ISC)² blog. Please share other alerts and threat discoveries you’ve encountered and join the conversation on the (ISC)² Community Industry News board.   

(ISC)² Puts Members at the Center of Our Cybersecurity Content in 2023

10 February 2023 at 04:00

(ISC)² has adopted a new approach to creating and publishing editorial content such as our news, features, opinions and other educational journalism. Helping our members navigate the cybersecurity landscape is an essential part of what we do. Creating topical, engaging and useful editorial articles is one way that we do this. It is also a popular way our members earn CPE credits as part of their continuing education journey.

Based on member feedback and changes in how members prefer to access our content, we have relaunched our editorial program, based around a new home for our educational journalism at isc2.org/News.

We will be providing more and new types of content and publishing much more frequently than before. We are also putting even more emphasis on content coming directly from our members, whether that is authoring articles on key issues or new cybersecurity approaches, participating in head-to-head debates, sharing an opinion or even providing members’ views of major incidents or events. Ensuring that members are part of creating that content is of the utmost importance. Our new editorial team wants to hear from YOU and have you involved in shaping and creating (ISC)² articles going forward. Please contact communications@isc2.org with your suggestions and article proposals, or let us know what cybersecurity topics interest you or that you feel deserve more exploration.

With the arrival of our new editorial program comes some changes to the things we have published previously. The November/December 2022 edition of InfoSecurity Professional was the last edition in the bi-monthly magazine. Past issues and articles will still be available. For many years, InfoSecurity Professional explored new practices and shared the voice of our members. As we move into this exciting new phase, we carry many lessons forward and will continue to provide a platform for members to learn, engage one another and share the unique voice of the professionals working every day to create a safe and secure cyber world.  

We look forward to delivering fresh new insights and working even more closely with members in the years to come.  

We have created a short FAQ to answer some of the most common questions:

FAQs 

Why has (ISC)² made a change to the magazine? 

The way that (ISC)² members and the wider cybersecurity industry consume our content has changed significantly over the years. Demand for magazine-formatted material such as the InfoSecurity Professional PDF edition has declined, while use of our web-based version, as well as other content that is more easily accessed and shared on an article-by-article basis, has grown. Equally, members are keen to get more content, more often, rather than receiving it on a periodical basis, which has prompted us to update and change what content we produce and how often we publish it.

What will happen to the legacy issues of InfoSecurity Professional? 

The existing issues of InfoSecurity Professional are not going away. They are accessible at https://www.isc2.org/InfoSecurity-Professional.  

What about the CPE credits for reading? Will I still be able to get them?

Yes, you can. The CPE quiz is not going away and the number of CPEs you can earn is not changing, but the quiz format is changing slightly. A new quiz will be published every two months (the same frequency as it was with InfoSecurity Professional magazine) but will be based only on features and longer-read content we have published in the two months prior to the quiz being posted. Each quiz will be available for 12 months, after which each quiz will be retired. We are also applying the same policy to the legacy quizzes associated with issues of InfoSecurity Professional. As of today, only the last six issues (12 months) of InfoSecurity Professional have a quiz attached to them, and we will be withdrawing those quizzes gradually on a bi-monthly basis as the 12-month time limit is reached. At the same time, we will be publishing new quizzes based on our new long read content, so you will always have 12 months of quizzes available to earn CPEs. The CPE quiz will still be the same format of 10 multiple-choice questions and new quizzes will be announced via email newsletter and on the News and Insights homepage. 

When will the new content be available? 

Our first pieces of new content are available now at www.isc2.org/news. We are working with a wide variety of professional content producers, including award-winning journalists and industry subject matter experts, alongside continuing to work closely with (ISC)² members, (ISC)² Chapters and new colleagues within (ISC)² to produce content and to engage with all our readers on a regular basis. But MOST IMPORTANTLY, we want to hear from you and encourage your contributions. Contact us at communications@isc2.org to learn more.  

How do I find out when new content is available? 

The best thing is to make sure you are subscribed to our newsletters. Go to https://www.isc2.org/Dashboard/Preferences and make sure you are subscribed to our news and resources newsletter and our continuing education and professional development newsletters. These will ensure you receive all our updates about our relevant editorial content and our dedicated editorial emails. 

How can I get involved with writing for (ISC)²? 

Members have always played a leading role in the content we publish, be that as part of the story or as the author. That will not change as we move to our new content program; in fact, we will have more opportunities for members to contribute to the content we create and to write pieces themselves. If you would like to discuss ideas for an article or have content you would like us to consider for publication, please contact communications@isc2.org. Remember, you can also earn CPE credits if your work is published.

What types of content will (ISC)² be publishing? 

We have a wide range of content planned and in production, including but not limited to: 

  • Industry and (ISC)² news 
  • Longer-read features on topical issues to support members and cybersecurity professionals in their roles 
  • Opinion and debate articles to generate healthy discussion of technology, operational, ethical, policy and regulation issues 
  • Insights from members, Chapters, (ISC)² leaders and other industry stakeholders 
  • Columns from subject matter experts 
  • Event and webinar coverage 
  • Guides, eBooks and Executive Briefing papers
  • Audio and video podcasts and interviews 

Will this new content be behind a registration or pay wall? 

No, we believe that it is more beneficial to both members and the wider cybersecurity community that our content be freely accessible to all. As a member, you will not need to log in to access any of the content we publish to the site and there will be no additional charges for it. All other users, including (ISC)² Candidates, Associates and the wider community will also be able to access our content for free, without having to register.  

Will (ISC)² still produce newsletters and emails to highlight new content? 

Yes, newsletters will continue to be a part of our content plans. The existing Insights and Cloud Security Insights newsletters will be continuing, while the existing InfoSecurity Professional new issue newsletter will evolve to highlight the new content published to the site instead. Please make sure you are opted into our existing newsletters via your contact preferences to be the first to know about new articles and new email alerts. 

 

PREDICTIONS 2023, PART 2: WHAT WILL THE NEW YEAR BRING FOR THE INFOSEC COMMUNITY?

9 February 2023 at 10:57

By Diana-Lynn Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP

In part one of this series, we discussed what lies ahead in 2023, including a rise in wiperware and ransomware attacks plus challenges with OT infrastructure and staffing shortages.  

In part two of this series, we will explore issues relating to cybersecurity insurance, data privacy, supply chain and artificial intelligence (AI) technology.

Cybersecurity Insurance  

The global cybersecurity insurance market is projected to grow to U.S. $30 billion by 2027, nearly tripling over five years. In 2023, we can expect demand for cybersecurity insurance to continue to expand; however, it is going to be harder to obtain. Premiums will rise, especially as more organizations become aware of the potential financial and reputational consequences of cyber incidents. Insurance carriers will also enforce stricter requirements to obtain cyber insurance, such as requiring two-factor authentication or the adoption of particular technologies, and many insurance firms will charge higher premiums for less coverage.

Data Privacy 

Since GDPR was enacted in 2018, it has affected how many organizations use and protect consumer data. Recently, massive fines have been levied against organizations (e.g., Marriott, WhatsApp-Ireland, British Airways and Google). It is expected that this trend will continue over the next several years.   

We also anticipate that in 2023, many EU residents will begin implementing the EU Whistleblowing Directive into their laws.    

California passed the California Consumer Privacy Act (CCPA) in 2018, and to date, we have only seen one fine levied, which required Sephora to pay $1.2 million. We anticipate that there will be additional cases brought by the Office of the Attorney General (OAG) in California. The California Privacy Rights Act (CPRA) became effective on January 1, 2023 and will be enforced from July 1, 2023. What does this mean? For the first time, the CCPA will also apply to employees in addition to consumers. We anticipate that other U.S. states will begin developing their own privacy laws.

China implemented the Personal Information Protection Law (PIPL) in 2021, but in 2023, we expect many companies that conduct business in China will need to become compliant with the rules governing cross-border data transfers. 

We suspect that in 2023, we will see many countries establish or revise legislation, including Saudi Arabia, Nigeria, Vietnam and Australia, and we will see the implementation of new and revised laws which are pending in Canada and Israel. 

With more than 100 countries having their own laws and regulations around data and its protection, we foresee a more challenging landscape for security personnel. 

Supply Chain 

During the pandemic, we saw supply chain issues ranging from toilet paper shortages to not being able to buy new cars due to chip shortages. In 2021, the SolarWinds cyberattack compromised data from 18,000 organizations.  

We believe that these challenges impacting the global supply chain -- order backlogs, personnel shortages and labor issues, equipment shortages along with companies shuttering plants -- will continue in 2023. We hope executive boards will implement a strategy that includes cybersecurity, risk detection and response. 

Google OpenAI ChatGPT Chatbot 

Google recently released its OpenAI ChatGPT Chatbot, which had one million users in less than five days. ChatGPT provides a very human-like conversation by gathering information from numerous websites.

Much like other AI that has been developed, this technology has already been used to spread racist, antisemitic and false information. For those implementing this technology, comprehensive testing needs to be conducted, as it could land Google, or other organizations, in hot water. As more AI technology is deployed, we may see governments around the world bring in artificial intelligence legislation to protect their respective nations.

With previous AI technology, users have been able to block unsafe or illegal information from being passed. This brings up many questions:

  • Who is correcting it before it releases its output? 
  • Whose ethics are being applied?  

IBM recently developed governance principles for trustworthy AI technology. So, this is one technology that we will watch closely in 2023, and yes, it will become a headache for cybersecurity professionals: it offers the ability to generate the necessary attacks against a given target regardless of the operator's skill level, which will undermine current thinking, and to adapt and self-program those attacks to be successful.

Is there something not covered here you expect to be top of mind for cybersecurity professionals this year? Join the conversation over on the (ISC)² Community. 

Calling All CISSP-ISSMP and CISSP Certification Holders

8 February 2023 at 16:51

With the ever-changing landscape of the cybersecurity industry, it is important to keep certifications current, accurate and relevant, and we need help from you, the cybersecurity professionals who hold certifications in the field.

(ISC)² is exploring a new security management credential that is in better alignment with global standards for recognized roles and specialisms. The current CISSP-ISSMP credential is earned after obtaining a CISSP. This new certification could be obtained by a practitioner before seeking the CISSP credential.   

The first step of the process is to conduct a JTA workshop, tentatively scheduled for March 13-15, 2023. We are asking anyone who currently holds the CISSP-ISSMP or CISSP to review the current CISSP-ISSMP Exam Outline and consider the following questions:

  1. Which topics from the CISSP-ISSMP exam outline are appropriate to retain for a less-experienced security management professional?
  2. What content, currently on the CISSP-ISSMP exam outline, is not appropriate for a less-experienced security management professional?  
  3. Are there topics or content that should be added to address emerging cybersecurity techniques and threats that security management professionals are facing in their jobs today? 

Please send your feedback and answers to these questions to ISSMPJTA@isc2.org no later than February 27, 2023. Please include your member ID number in your email. Your comments will be compiled and presented to the JTA committee for further review.  

For your participation in this essential activity to keep our certification up to date, you may submit this exercise for CPE credit in the portal. Thank you for your help and for providing insight!

Analysis: CircleCI attackers stole session cookie to bypass MFA

8 February 2023 at 13:34

By John E. Dunn

The industry is taking a fresh look at the security around multi-factor authentication (MFA) in the face of recent bypass attacks.

Multi-factor authentication (MFA) is coming under sustained pressure from attackers, with a striking example being a breach that unfolded at DevOps platform CircleCI back in December.

According to a recent incident update, the attack was traced back to a single malware infection on an engineer’s laptop on December 16, which wasn’t detected by AV. This, it transpired, was a good target for compromise – the engineer had the privileges to generate production access tokens.  

Attackers first hijacked a corporate SSO session which had passed 2FA, allowing them less than a week later to elevate their access sufficiently to steal data from a subset of databases and stores, including “customer environment variables, tokens, and keys.” 

In short, grabbing the authenticated session cookie allowed the attackers to bypass the 2FA layer, impersonating the engineer to exfiltrate customer data. 

“Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data,” the update noted. 

On December 29, a CircleCI customer alerted the company to suspicious GitHub OAuth activity, prompting it to change all tokens. On January 4, it issued a wider warning advising customers to do the same for all secrets stored on the platform.

How did CircleCI respond?

In addition to adding a heuristic to its AV system to detect the behaviors used in this attack, CircleCI implemented a range of changes DevOps admins everywhere can learn from:

  • Limited the number of engineers who can access the production environment
  • Added extra 2FA controls for remaining engineer access
  • Implemented monitoring for the types of behavior that might indicate a compromise “via a variety of third-party vendors.”

Pass-the-cookie 

That still leaves the issue of how a malware compromise of a single device could lead to attackers bypassing 2FA controls on an otherwise well-secured platform. 

The answer is that while 2FA and MFA are powerful controls, they are not without their vulnerabilities. These can, for example, come down to the policies that govern the fine detail of when and how MFA is required. In practice, this might mean MFA being asked for in some contexts but not others, or only for the first access.

This approach is sensible and necessary – too much MFA can quickly bog teams down with additional authentication requests. But limiting MFA also comes with higher risk. 

The specific weakness in this attack was the SSO authentication token. This, usefully for attackers, is created after MFA has happened. All the attacker needs to do is compromise the local environment to grab the session cookie at the right moment. 

An example of this approach is the pass-the-cookie attack, which CISA warned about in 2021 in relation to wider cloud services not unlike CircleCI’s. Stolen cookies are even reportedly being traded on the dark web. Pass-the-cookie is not the only way attackers are trying to beat MFA, but it might be the one defenders should no longer discount. In any case, this is a learning opportunity and a good excuse for any organization using MFA to examine its deployment and assess potential weak points.
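As an added example, not CircleCI's code and not part of the original article, the following Python sketches the detection a defender can layer on top of an SSO: record the client fingerprint of a session at the moment MFA was satisfied, then force a step-up (and revoke the cookie) when the same session identifier later arrives from a different network or client, which is exactly where a stolen session cookie surfaces. The event format, field names and sample log lines are constructed for the example; the addresses are RFC 5737 documentation ranges.

```python
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed sample events (JSON lines), not real CircleCI or IdP logs. The
# login event records that MFA was satisfied; later events present only the
# session cookie, so the cookie alone is what the attacker needs to replay.
SAMPLE_EVENTS = """\
{"ts": 1671177600, "type": "login",  "session_id": "s-7f3a", "user": "eng01", "ip": "10.20.30.5",     "user_agent": "Mozilla/5.0 (Macintosh) Chrome/108", "mfa": true}
{"ts": 1671177900, "type": "access", "session_id": "s-7f3a", "user": "eng01", "ip": "10.20.30.5",     "user_agent": "Mozilla/5.0 (Macintosh) Chrome/108", "path": "/api/tokens"}
{"ts": 1671264000, "type": "access", "session_id": "s-7f3a", "user": "eng01", "ip": "198.51.100.23", "user_agent": "python-requests/2.28", "path": "/api/tokens"}
{"ts": 1671264060, "type": "access", "session_id": "s-7f3a", "user": "eng01", "ip": "198.51.100.23", "user_agent": "python-requests/2.28", "path": "/api/secrets"}
{"ts": 1671264120, "type": "access", "session_id": "s-0000", "user": "eng01", "ip": "198.51.100.23", "user_agent": "python-requests/2.28", "path": "/api/secrets"}
"""


@dataclass
class SessionContext:
    """Client fingerprint captured when the SSO session passed MFA."""
    user: str
    network: str
    user_agent: str
    established: int


def network_of(ip: str) -> str:
    """Coarsen the address to /24 (IPv4) or /64 (IPv6) so ordinary DHCP churn
    inside one office or VPN pool does not trip the check."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


@dataclass
class SessionMonitor:
    sessions: dict = field(default_factory=dict)   # session_id -> SessionContext
    revoked: set = field(default_factory=set)      # cookies we have invalidated
    alerts: list = field(default_factory=list)     # what the SOC should see

    def _flag(self, event: dict, reason: str, mismatches=()) -> None:
        self.alerts.append({"ts": event["ts"], "session_id": event["session_id"],
                            "user": event["user"], "reason": reason,
                            "mismatches": list(mismatches)})
        # Revoke immediately: a replayed cookie must not keep working while an
        # analyst triages the alert.
        self.revoked.add(event["session_id"])

    def handle(self, event: dict) -> str:
        """Policy decision for one event: 'allow', 'step_up' or 'deny'."""
        sid = event["session_id"]
        if sid in self.revoked:
            return "deny"
        if event["type"] == "login":
            if not event.get("mfa"):
                return "step_up"        # never mint a privileged session without MFA
            self.sessions[sid] = SessionContext(
                event["user"], network_of(event["ip"]), event["user_agent"], event["ts"])
            return "allow"
        ctx = self.sessions.get(sid)
        if ctx is None:
            # Cookie never observed at login: replayed from elsewhere or forged.
            self._flag(event, "unknown_session")
            return "step_up"
        mismatches = [name for name, same in (
            ("network", network_of(event["ip"]) == ctx.network),
            ("user_agent", event["user_agent"] == ctx.user_agent),
        ) if not same]
        if mismatches:
            # Same cookie, different client: the pass-the-cookie signature.
            self._flag(event, "fingerprint_mismatch", mismatches)
            return "step_up"
        return "allow"


def run_demo(raw: str = SAMPLE_EVENTS):
    """Replay the constructed events and return (decisions, monitor)."""
    monitor = SessionMonitor()
    decisions = [monitor.handle(json.loads(line))
                 for line in raw.splitlines() if line.strip()]
    return decisions, monitor


if __name__ == "__main__":
    decisions, monitor = run_demo()
    for decision, line in zip(decisions, SAMPLE_EVENTS.splitlines()):
        print(f"{decision:8s} {line}")
    for alert in monitor.alerts:
        print("ALERT", alert)
```

Fingerprint checks produce false positives for roaming users, so in production they are paired with short session lifetimes and fresh re-authentication for the privileged actions the article singles out, such as minting production access tokens.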

Analysis: Could NIST’s Cybersecurity Framework 2.0 be the beginning of international best practice?

8 February 2023 at 04:05

By John E. Dunn

It’s been nearly seven years since the 1.1 revision of NIST’s Cybersecurity Framework. What might be coming in version 2.0?  

Since its release in 2014, NIST’s Cybersecurity Framework (CSF) has grown into one of the world’s most influential cybersecurity references for best practice and planning.

In January, the world finally caught sight of the draft CSF Concept Paper that will form the basis of the next version 2.0 overhaul due for release around mid-2023.   

From this draft, it is clear that the CSF is developing fast, taking on new and much wider ambitions since the version 1.1 refresh in 2016. The first and perhaps most significant of these is what NIST calls “increased international collaboration engagement.” If this sounds a bit earnest, there appears to be more to it than that if you read between the lines. 

“Since the launch of the CSF’s development in 2013, many organizations have made it clear that international use of the CSF would improve the efficiency and effectiveness of their cybersecurity efforts,” the paper notes.

NIST said it plans to have the Framework translated into multiple languages and to use the CSF to integrate with and influence global standards bodies such as the ISO.  

While the CSF is by nature a framework rather than a set of formal standards, it’s clear that NIST sees its success as heralding a wider global influence. There is a need for something of the kind. If the CSF quickly becomes the de facto guide to best practice, this has implications for CISOs far beyond its home territory of the U.S.

Zero Trust 

NIST also wants version 2.0 to map the advice it offers to other developments in cybersecurity, particularly zero trust architecture (ZTA), 5G cybersecurity and post-quantum cryptography (PQC) migration.

One issue with the CSF has been relating best practice to implementation. Version 2.0, NIST promises, will expand the list of ‘success stories’ that offer an example of how the Framework was used by different organizations. 

Supply Chains  

The 2016 version 1.1 update added supply chain management as a category and NIST is looking for industry input as to how version 2.0 might expand on this as directed to by the U.S. Government in 2021. As it notes: 

“Given the increasing globalization, outsourcing, and expansion of the use of technology services, CSF 2.0 should make clear the importance of organizations identifying, assessing, and managing both first- and third-party risks.” 

In other words, how organizations assess not only their own risk through a framework but that of their partners, something that might become a big theme in future updates.  

SMB Cybersecurity 

Since the initial version 1.0 focus on critical infrastructure there has been a growing focus on other sectors, for instance SMBs and the education sector. The Concept Paper is slightly vague on how this might affect the CSF but the fact that NIST has been encouraged to look at it by the current U.S. administration seems to have given things an extra push.  

Version 2.0 is far from set. NIST is still looking for comment and feedback from industry parties by March 3, 2023, by emailing cyberframework@nist.gov.

Cybersecurity Industry News Review: February 7, 2023

7 February 2023 at 16:21

By Joe Fay

Derivatives traders, trainer retailers and finger lickers all hit by ransomware. Russian hackers lash out after Ukraine tanks deal announced. Apple patches decade-old devices.

ION Markets Hit by “Cyber Security Event” 

Dublin-based data and software firm ION Markets has been hit by a “cyber event” which has had a knock-on effect on financial futures and derivatives markets worldwide. The attack is thought to have been ransomware related. ION Markets said the attack on its ION Cleared Derivatives division was “contained to a specific environment”, all the affected servers are disconnected, and remediation of services is ongoing. Traders were left having to complete business manually.

https://iongroup.com/press-release/markets/cleared-derivatives-cyber-event/ 

Hackers target trainers, fast food giants 

Sportswear retailer JD Sports said a “security incident” had affected historic orders at its JD, Size?, Millets, Blacks, Scotts and MilletSports brands. Details of around 10 million customers may have been affected. Meanwhile, KFC owner Yum! Brands is recovering from a ransomware attack that led to 300 of its UK restaurants being shuttered for a day. The restaurant group, which also owns Pizza Hut and Taco Bell, confirmed data was taken from its network but said there was no evidence that customer databases were stolen. 

https://otp.tools.investis.com/clients/uk/jdplc1/rns/regulatory-story.aspx?newsid=1664679&cid=222 

Russian hackers blast back after Western tanks deal 

The war in Ukraine continues to spill out into cyberspace. It has emerged that Ukraine’s Computer Emergency Response Team discovered five different data wipers had been used in an attack on the country’s official news agency. Meanwhile, Western agreements to supply tanks to Ukraine are likely to have provoked another wave of Russian attacks on the country’s allies. Canada’s Communications Security Establishment said it was aware of “Russian state-aligned hacktivist groups” targeting Ukraine’s allies and called for heightened vigilance. 

https://www.infosecurity-magazine.com/news/five-data-wipers-attack-ukrainian/ 

Microsoft Defender to put Linux devices into isolation 

Microsoft has had a volatile relationship with Linux over the years. However, it is giving the open source operating system equal billing in one sense. Microsoft has launched a public preview of device isolation in Microsoft Defender for Endpoint for Linux. This disconnects the compromised device from the network but retains connectivity to Defender for Endpoint. This can be done through the Microsoft 365 Defender Portal or using an API.   

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-device-isolation-support-for-linux/ba-p/3676400   

Apple runs up patches for aging, fraying devices 

Apple released an iOS update to fix a flaw that left aging iPhones and iPads exposed. iOS 12.5.7 addresses CVE-2022-42856, a type confusion flaw uncovered by Clément Lecigne of Google's Threat Analysis Group; affected devices include the iPhone 5s, 6 and 6 Plus, along with the iPad Air, mini 2, mini 3 and iPod touch (6th generation). This means devices up to 11 years old are being patched. While tech professionals aren’t necessarily using such devices anymore, plenty of their family members could be.

https://support.apple.com/en-gb/HT213597   

EU could extend patching requirements for IoT kit 

The EU’s Cyber Resilience Act is continuing to work its way through the Union’s legislative machine. Euractiv reports that a new compromise text was due to be discussed which included proposals that could extend the period over which vendors should provide security patches for IoT products. The original draft proposed a maximum of five years. The new text also proposes changes to how manufacturers should report vulnerabilities, shifting initial responsibility from ENISA to the national CSIRTs.

https://www.euractiv.com/section/cybersecurity/news/eu-council-moves-to-adjust-product-lifecycle-reporting-in-new-cybersecurity-law/ 

Juggling the Demands of a Multicloud Environment

7 February 2023 at 08:00

Digitization has evolved to include cloud computing in the delivery of computing services, reduction of costs, improvement of agility, and cloud security. The emergence of various cloud solutions has led organizations to migrate assets from on-prem to the cloud, further diversifying by using multicloud and hybrid solutions to satisfy customers' needs.

Multicloud is on the rise, and organizations are rapidly turning to the idea of multicloud strategies, with some even dedicating a cloud to run single applications. COVID-19 has sped up migration to cloud computing, and organizations choosing to work with multiple cloud service providers for diverse reasons create room for individuals with the proper certifications.

The top reasons businesses implement multicloud solutions are better security, flexibility and customer experience. According to Flexera's State of the Cloud report, 92 percent of enterprises have a multicloud strategy, and the major cloud providers have seen rapid growth since the pandemic. The rise of multicloud can be linked to the simplicity and flexibility cloud solutions give organizations in scaling their business according to demand.

How Do Multicloud Environments Impact Cybersecurity?

Multicloud environments offer several advantages, ranging from flexibility and scalability to the ability to mix and match services from different cloud providers to fit specific workloads. A multicloud environment can combine, for example, Infrastructure as a Service (IaaS) from one Cloud Service Provider (CSP) with Software as a Service (SaaS) from another vendor, allowing for high performance, scalability and cost savings.

Irrespective of those advantages, the heterogeneity of these cloud platforms adds to existing security challenges; a deep understanding of each environment and its peculiarities is therefore essential.

These are some of the key effects of multicloud environments on cybersecurity:

Lack of Visibility: Multicloud environments create a larger attack surface. Workloads are distributed across different cloud services, so resources and instances that were spun up can be forgotten or left unmanaged. Organizations can lack visibility, and their security becomes dependent on each CSP and on the tools that can be integrated with that CSP's own tooling.

Operational Complexity: Successfully managing resources hosted in a multicloud environment raises concerns about operational complexity. The more cloud environments you use, the more complex they become to manage. Each cloud environment has its own proprietary tools for security, analytics and APIs, and its own processes for managing the environment. Having to learn each of these tool sets independently can leave security gaps if not handled appropriately.

Cloud Security: To achieve operational efficiency and effectiveness, consistency should be maintained across all cloud environments. This is challenging when data and resources are spread across multiple platforms. In a multicloud environment where each CSP takes its own approach to security infrastructure, a stable security posture requires an approach that covers the overall computing environment rather than one vendor's environment at a time.

Responsibility in the Cloud: The shared responsibility model holds that CSPs are responsible for the security of the cloud while you are responsible for security in the cloud. The provider secures the physical infrastructure and the virtualization hardware and software; the customer secures the data, identities, configurations and resources it places in the cloud, and remains accountable for their governance and compliance. Where the line sits depends on the service model: with IaaS the customer still owns the operating system and everything above it, whereas with SaaS the customer's share is largely limited to data, access control and configuration. In a multicloud environment that line has to be mapped for each provider and each service separately.
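The Lack of Visibility and Cloud Security points above come down to one practical task: get every provider's inventory into a single schema, then evaluate one policy against it instead of a different policy per console. The following is an added example written for this page, not code from (ISC)² or from any CSP's SDK. The two providers, their export field names and every record are constructed; a real implementation would replace the two export lists with calls to each provider's inventory API and keep the rest unchanged.

```python
"""Added example (not from the article or any CSP SDK): pull inventory exports
from two hypothetical providers into one schema, then apply one policy to all
of it. Provider field names and every record below are constructed."""
from datetime import datetime, timedelta

# Constructed export from hypothetical provider "A": one record per instance.
PROVIDER_A_EXPORT = [
    {"id": "i-0a1", "tags": {"owner": "payments"}, "public_ip": None,
     "last_seen": "2023-02-01T10:00:00Z"},
    {"id": "i-0b2", "tags": {}, "public_ip": "203.0.113.7",
     "last_seen": "2022-10-05T09:30:00Z"},
]

# Constructed export from hypothetical provider "B": different keys, labels as pairs.
PROVIDER_B_EXPORT = [
    {"name": "vm-web-01", "labels": [("owner", "web")],
     "publicAddress": "198.51.100.4", "lastActivity": "2023-02-02T08:00:00Z"},
    {"name": "vm-tmp-99", "labels": [],
     "publicAddress": "", "lastActivity": "2022-09-01T00:00:00Z"},
]


def parse_ts(s):
    """ISO-8601 with a trailing Z -> timezone-aware datetime (Python 3.7+)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize_a(rec):
    return {"provider": "A", "id": rec["id"],
            "owner": rec["tags"].get("owner"),
            "public": rec["public_ip"] is not None,
            "last_seen": parse_ts(rec["last_seen"])}


def normalize_b(rec):
    labels = dict(rec["labels"])
    return {"provider": "B", "id": rec["name"],
            "owner": labels.get("owner"),
            "public": bool(rec["publicAddress"]),
            "last_seen": parse_ts(rec["lastActivity"])}


def inventory():
    """The single, provider-agnostic asset list a policy can be written against."""
    return ([normalize_a(r) for r in PROVIDER_A_EXPORT]
            + [normalize_b(r) for r in PROVIDER_B_EXPORT])


def findings(assets, now, stale_after=timedelta(days=90)):
    """One policy, evaluated identically for every provider.
    Returns (provider, asset id, finding) tuples in inventory order."""
    out = []
    for a in assets:
        if a["owner"] is None:
            out.append((a["provider"], a["id"], "no-owner"))
            if a["public"]:
                # Internet-reachable and nobody claims it: the classic forgotten instance.
                out.append((a["provider"], a["id"], "public-and-unowned"))
        if now - a["last_seen"] > stale_after:
            out.append((a["provider"], a["id"], "stale"))
    return out


def audit(now_iso):
    """Run the policy over the combined inventory as of the given instant."""
    return findings(inventory(), parse_ts(now_iso))


if __name__ == "__main__":
    for f in audit("2023-02-10T00:00:00Z"):
        print(f)
```

The only provider-specific code is the two small `normalize_*` functions; the policy in `findings` never needs to know which console an asset came from, which is what keeps the posture consistent as providers are added.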

What Does Multicloud Mean for a Cybersecurity Professional?

Organizations looking to push their businesses forward are adopting multiple cloud computing solutions. Security professionals must therefore take up new roles and gain the skills and knowledge needed to deploy appropriate controls and security measures. Cloud providers use different security models and have varying responsibilities and compliance obligations; hence a solid, vendor-neutral understanding of cloud environments is required.

Cloud service providers run their own certification programs to equip security professionals with platform-specific skills such as configuration, auditing, and identity and access management. These certifications, however, cover only the vendor's own environment, focusing on configuring and operating that specific platform, which limits the scope and applicability of the knowledge gained.

How Can CCSP Help?

It is in the interest of organizations using multiple cloud environments that the training and certification of their security teams go beyond the technical management of individual platforms. The Certified Cloud Security Professional (CCSP) certification from (ISC)² equips you with the technical skills and knowledge to design, manage and secure data, applications and infrastructure across various CSPs, using best practices, policies and procedures established by experts.

The CCSP is a vendor-neutral certification that equips you with a robust knowledge of all aspects of cloud security and demonstrates you are a Subject Matter Expert (SME) in aligning security objectives with business goals. It positions you as an authority in cloud security, highly proficient in staying on top of the latest technologies, developments, and threats.

CCSP builds the solid knowledge required for effective cloud security, and for professionals who already hold vendor-specific certifications it expands their skill set across multiple cloud environments. The knowledge and skills gained through CCSP training and certification benefit professionals early in their careers and are an essential building block for senior roles. 

Download the whitepaper to learn more about accelerating your career in a multicloud world.

Latest Cyberthreats and Advisories - February 3, 2023

3 February 2023 at 10:00

Cybercriminals for hire, Hive ransomware is busted and the JD Sports breach impacts millions of sportswear buyers. Here are the latest threats and advisories for the week of February 3, 2023.  

Threat Advisories and Alerts 

U.S. Security Agencies Warn of Malicious Use of RMM Software 

A joint cybersecurity advisory issued by the U.S. National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC) warns that legitimate remote monitoring and management (RMM) software is being used for malicious purposes. After cybercriminals gain access to target networks, they use the software as a “backdoor for persistence and/or command and control (C2),” warned the agencies. Network defenders are encouraged to view the full advisory for information on indicators of compromise and mitigations.   

Source: https://www.cisa.gov/uscert/ncas/alerts/aa23-025a  
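The advisory's point is that the RMM binary itself is legitimate, so a detection has to key on context rather than on the file: where the executable ran from and what launched it. The following is an added example written for this page, not code or indicators from the CISA/NSA/MS-ISAC advisory. The RMM watchlist, the list of "phishing" parent processes, the user-writable path markers, the CSV log format and every log line are constructed assumptions; in production the watchlist would be driven by the organization's own sanctioned-tools list.

```python
"""Added example, not from the CISA/NSA/MS-ISAC advisory: flag process-creation
events where a remote monitoring and management (RMM) executable runs from a
user-writable location or is spawned by a mail client or browser. The watchlist,
the parent list, the log format and every log line are constructed assumptions."""
import csv
import io
import ntpath

# Assumed watchlist: lowercase file names of RMM agents the organization either
# does not sanction at all, or sanctions only as a managed install. Name matching
# misses renamed copies; a production rule would also match on signer or hash.
RMM_EXECUTABLES = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}

# Assumed: parents that indicate a user just opened something they received.
PHISH_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Directories a non-admin user can write to; a managed install would live
# under Program Files instead.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\",
                         "\\programdata\\", "\\public\\")

# Constructed process-creation log (Sysmon-like fields, CSV for brevity).
SAMPLE_LOG = r"""time,host,user,image,parent_image
2023-01-25T09:12:03Z,WS01,jdoe,C:\Program Files\TeamViewer\TeamViewer.exe,C:\Windows\explorer.exe
2023-01-25T09:15:44Z,WS07,asmith,C:\Users\asmith\Downloads\AnyDesk.exe,C:\Program Files\Google\Chrome\Application\chrome.exe
2023-01-25T10:02:11Z,WS03,bking,C:\Windows\System32\notepad.exe,C:\Windows\explorer.exe
2023-01-25T11:40:00Z,SRV02,svc_backup,C:\Windows\Temp\tv\TeamViewer.exe,C:\Windows\System32\cmd.exe
"""


def is_user_writable(path):
    """Heuristic: does the image path sit under a directory ordinary users can write to?"""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def rmm_alerts(log_text):
    """Return (host, executable, reasons) for each suspicious RMM launch.
    A sanctioned install under Program Files started by explorer.exe is silent."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        exe = ntpath.basename(row["image"]).lower()
        if exe not in RMM_EXECUTABLES:
            continue
        reasons = []
        if is_user_writable(row["image"]):
            reasons.append("user-writable-path")
        if ntpath.basename(row["parent_image"]).lower() in PHISH_PARENTS:
            reasons.append("launched-from-mail-or-browser")
        if reasons:
            alerts.append((row["host"], exe, reasons))
    return alerts


if __name__ == "__main__":
    for alert in rmm_alerts(SAMPLE_LOG):
        print(alert)
```

The same two signals (portable copy in a user directory, parent that is a mail client or browser) are also the cheapest mitigation levers: application control that only allows RMM agents from their managed install path removes the first, and blocking unsanctioned RMM domains at the egress proxy removes most of the rest.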

Microsoft Issues Urgent Plea to Update Exchange Servers 

Microsoft is urging enterprises to patch their Exchange servers, as the mail server platform remains a valuable target for cybercriminals. "Attackers looking to exploit unpatched Exchange servers are not going to go away," wrote the Exchange Team in a blog post last Thursday. While protecting the Exchange environment is a never-ending chore for many administrators, the Exchange Team noted that "Exchange Server CUs and SUs are cumulative, so you only need to install the latest available one," where a CU is a Cumulative Update and an SU is a Security Update released for a given CU. 

Source: https://www.theregister.com/2023/01/28/microsoft_patch_exchange_servers/  

Emerging Threats and Research 

Bad Actors Wanted: Cybercriminals Offer Competitive Packages to Lure New Hires 

As employers around the world seek to fill open roles, cybercriminals are getting in on the action. Between January 2020 and June 2022, cybercrime groups posted over 200,000 job ads on the dark web. While 61% of the ads sought to fill developer roles, threat actors also looked to hire admins, designers, network testers and more. Some positions offered compensation packages that oddly mirrored those of legitimate companies, with benefits that included holiday pay, paid sick leave and salaries as high as seven figures. As to why job seekers would be attracted to such roles, researchers wrote, “Many are drawn by expectations of easy money and large financial gain.”  

Source: https://www.itpro.co.uk/security/cyber-crime/369970/cyber-criminal-groups-wooing-hackers-with-seven-figure-salaries-and-holiday  

Hive Ransomware Group’s Servers Seized in Global Cyber-Stakeout 

Law enforcement's war on ransomware experienced a major win this week as a global operation seized the websites and servers of the notorious Hive Ransomware group. After gaining access to the gang’s computer networks, the U.S. Federal Bureau of Investigation (FBI) was able to capture Hive’s decryption keys and distribute them to over 300 victims—saving them a reported $130 million in ransom payments to unlock infected systems. The takedown was a global effort that began in July 2022 and consisted of law enforcement agencies from thirteen countries, including Canada, the U.K., Germany, Spain, France and Sweden. 

Source: https://www.infosecurity-magazine.com/news/global-dismantles-hive-ransomware/ 

JD Sports Breach Affects 10 million Customers 

The personal details of around 10 million customers were stolen in a breach at U.K. sportswear retailer JD Sports. The attack exposed customer billing details, phone numbers, delivery addresses and other personal information from orders placed between November 2018 and October 2020. The stolen information could be used in social engineering or phishing attacks. JD Sports is notifying affected customers.  

Source: https://www.bleepingcomputer.com/news/security/jd-sports-says-hackers-stole-data-of-10-million-customers/  

Signing Certificates Stolen in GitHub Cyberattack 

This past Monday, GitHub confirmed that a cyberattack in December resulted in the theft of three code-signing certificates used for its Atom and Desktop applications. The company found no risk to its services and no unauthorized changes to projects. GitHub’s vice president of security operations, Alexis Wales, addressed the issue, writing, “As a preventative measure, we will revoke the exposed certificates used for the GitHub Desktop and Atom applications. Revoking these certificates will invalidate some versions of GitHub Desktop for Mac and Atom.” To continue using the software, GitHub recommends updating GitHub Desktop or downgrading Atom to a version signed with a certificate that is not being revoked.  

Source: https://www.infosecurity-magazine.com/news/github-revokes-certificates-stolen/  

To stay updated on the latest cybersecurity threats and advisories, look for weekly updates on the (ISC)² blog. Please share other alerts and threat discoveries you’ve encountered and join the conversation on the (ISC)² Community Industry News board.  

Essential Team Building for Strong Cloud Security

2 February 2023 at 13:37

Dependence on the cloud in the modern era is no secret. The growth in cloud applications for both professional and personal use has proved unrelenting as critical applications and services are made solely available through cloud access.

In a press release, Gartner predicted a 20.4% increase in end-user spend on cloud applications in 2022, and forecasts another 20% growth in 2023. As spend increases, so does availability, creating an ongoing chicken-and-egg dynamic that will only strengthen the need for robust security measures.

The Importance of Cloud Security

Despite its ubiquity, cloud adoption remains a point of concern for many organizations. Moving from on prem to cloud-based applications often brings a sense of fear or lack of control, generating anxiety particularly for highly risk-averse individuals. While these concerns are not unfounded, they should be leveraged for clarity and planning rather than resistance.

As the implementation of SaaS and other cloud products grows, so too does the ingenuity of cybercriminals. Opportunistic hackers are developing new means of breaching security and stealing data, and organizations need to invest in a strategy to stay ahead of these attempts.

The Role of Teamwork

A strategy is only as strong as the team in charge of it. After all, you can devise the most airtight security measures, but your organization will never be truly secure without experts to implement, manage and maintain your approach.

A reported 95% of security professionals polled are concerned about cloud security. That means organizations should have little issue getting IT and security team members on board. Security teams are challenged not with understanding the value of cloud security, but with understanding what needs to be protected, and then devising a framework to address security issues.

Rather than letting these responsibilities rest on the shoulders of one or a small few, teamwork will enable greater coverage and reliability in cloud security. As John J. Murphy, author of Pulling Together: 10 Rules for High-Performance Teamwork states: “Each individual has unique gifts, and talents and skills. When we bring them to the table and share them for a common purpose, it can give companies a competitive advantage.” Not only will a team support one another, but as individuals bring their unique perspectives they will be able to devise a more comprehensive cybersecurity strategy.

Other benefits to teamwork include:

Productivity

Cohesive teams are more productive, and that affects more than a company’s bottom line. Productive teams are more connected to their work and motivated, increasing emotional well-being and engagement. Happy employees are up to 20% more productive, creating a positive cycle for all involved.

Creativity

Harmonious teamwork depends on great communication. By focusing on teamwork, individuals meet to share ideas, suggestions, analysis, and more, fostering an environment of brainstorming and innovation. When many different perspectives come together, new and creative ideas are born.

Opportunity

There are more opportunities available than those for productivity and creativity. Working together as a team helps each individual level up, building on their skillsets and opening doors for professional development.

Key Players

The structure of cybersecurity teams will vary by organization. Rather than giving you a map to follow for building your team, we’ll instead highlight the objectives and skills required, to help find the key players in a successful security unit.

Some of the key responsibilities include:

  • Storing and protecting business data
  • Optimizing cloud architectures to run applications
  • Designing high-availability workloads
  • Managing and optimizing utilization and costs of cloud products
  • Establishing policies and procedures to configure and secure cloud applications

This is not an exhaustive list, of course, but gives some indication of the breadth of team responsibilities.

Team Building Challenges

With the importance of building the “right” team for the job, it’s no wonder many organizations find creating a security team to be a difficult task. More than a matter of the alchemy of personality types, there are fundamental challenges in the modern era.

As the Covid-19 pandemic drastically changed the workforce landscape, many organizations are finding employees with disparate needs and expectations. Remote and hybrid models are a big shift in mindset and approach for most businesses, and mindsets around collaboration are still catching up.

More than that, there is a widespread lack of candidates in the cybersecurity arena. Candidates are difficult to find, and many security managers struggle to find candidates that match their qualification requirements.

Strong Security Requires a Strong Team

If cybersecurity is not front of mind for your organization in the modern era, it should be. Organizations should not wait until their data or networks are compromised and then scramble in an attempt to make up for lost time in executing a security strategy.

Truly security-minded organizations see the value not only in tools and processes, but in leveraging teamwork and a strong department to spearhead these initiatives.

Cloud security and teamwork go hand-in-hand, and there is a lot more you should know in order to approach your security strategy with success. In our white paper, we go into more detail on building a team and strong qualities to look for in your team members. If you have a cloud security team that isn’t working as cohesively as you would like, all is not lost. We also put together some tips to foster better teamwork in your existing structure so that both your organization and its employees can thrive.

No experience, No Problem – (ISC)² Recruits 140,000 Individuals Interested in a Cybersecurity Career

25 January 2023 at 08:00

(ISC)² launched a new initiative for individuals pursuing or considering a career in cybersecurity. The goal? To create new pathways to cybersecurity career success and to decrease the global workforce gap.

Within three months of launching this initiative, we had more than 110,000 individuals sign up to become (ISC)² Candidates. The offering provides education courses, study materials and resources to help prepare those looking to enter cybersecurity. Additionally, the aim is to encourage (ISC)² Candidates to pursue the recently launched entry-level certification (ISC)² Certified in Cybersecurity (CC).

The immediate success of (ISC)² Candidates showed us there was no shortage of interest in cybersecurity; the challenge is creating new pathways for those with no experience or background to enter the field.

In fact, in December, at SECURE Washington, DC, we heard first-hand the impact of (ISC)² Candidates. Christopher Shaw, a first-time attendee of (ISC)² events, recently passed the Certified in Cybersecurity exam. Christopher is seeking a career transition into cybersecurity – and is working on completing relevant training through (ISC)², and practical applications, to kickstart his cybersecurity career. 

What have we learned? There is no single pathway into cybersecurity, which rings true in our 2022 (ISC)² Workforce Study. We are seeing a shift in how people enter the field, with fewer individuals under 30 years of age moving into cybersecurity from a career outside of IT. The evolution showcases the importance of helping those enter the profession through non-traditional methods.

We are thrilled with the early success of (ISC)² Candidates as it showcases a steady interest in cyber education and training for individuals looking to enter the field. At (ISC)², we are preparing these individuals by providing a new entry path into the profession through this initiative.

It's not too late to sign up to become an (ISC)² Candidate! To sign up:

  1. Register for free at isc2.org/candidate. You will be prompted to create an account with (ISC)² and answer a few questions about your cybersecurity career goals.
  2. After completing the (ISC)² Candidate registration, you will be redirected to the benefits page. From there, you can enroll in the Online Self-Paced Training and get instructions for redeeming your free exam when you're ready to take the test.

Your first year as an (ISC)² Candidate is free, so don’t miss out. Questions? Talk to us at candidate@isc2.org - we hope you'll join us!

How to Earn Your (ISC)² Certification

23 January 2023 at 09:19

We are excited to have had more than 130,000 individuals become (ISC)² Candidates since launching in September 2022. Many of them will go on to earn their Certified in Cybersecurity (CC) as part of our One Million Certified in Cybersecurity pledge.

For those new to (ISC)², or those who’ve had their sights set on their CISSP for years now, you may not be sure exactly how you become (ISC)²-certified. Your certification is more than a single exam. There are three steps to earn your (ISC)² certification:

Step 1: Pass your exam

Step 2: Submit your certification application

Step 3: Pay your first Annual Maintenance Fee (AMF)

Let’s dive in …

Step 1: Pass your exam

Which exam to take depends on your goals, and where you personally are in your cybersecurity career. You can use our Qualification Pathfinder to help chart your course: https://www.isc2.org/Certifications/Qualification-Pathfinder

Once you select the certification you want to earn, you will sit for your exam at a Pearson VUE test center. Register for your exam with Pearson VUE with the same email address as your isc2.org account. If you pass, you will receive a letter informing you of your provisional results and inviting you to the next step …

Step 2: Submit your certification application

If you’ve passed the CC exam, your certification application is quite simple. You will agree to the (ISC)² privacy policy and then affirm your commitment to abide by the (ISC)² Code of Ethics. This code is a cornerstone of our association, and all members, as well as (ISC)² Candidates, must agree to uphold its canons themselves and to report anyone who violates the code.

If your certification has an experience requirement – for example, the CISSP requires five years of paid relevant work experience in two of the eight domains of the certification – then you will also provide evidence of this in your certification application. This is the step where another (ISC)²-certified member endorses your experience and affirms your good standing in the industry. If you don’t know another (ISC)²-certified member who can do this, you can provide your work experience (with proof via tax returns, letters from supervisors, letterhead documentation, etc.); (ISC)² will review it and the association itself will serve as your endorser. If you do not have the experience required for full certification status, you will become an Associate of (ISC)² and will be able to pursue your paid experience.

Step 3: Pay your first Annual Maintenance Fee (AMF)

As soon as your certification application has been approved, you will be notified via email and invited to pay your first Annual Maintenance Fee, known as your AMF. AMFs are used by (ISC)² to support the costs of maintaining the certifications and their related support systems.

If you earn the CC, or if you become an Associate of (ISC)², your AMF is U.S. $50 each year. If you earn the CISSP, CCSP, SSCP, CSSLP, CGRC or HCISPP, your AMF is U.S. $125 each year. If you are earning an additional certification (which includes the CISSP concentrations: CISSP-ISSAP, CISSP-ISSEP or CISSP-ISSMP) you will not have to pay additional AMFs beyond the one $125 payment each year.

What’s next?

Once you’re certified, you’ll get an invitation to claim your badge from Credly. This digital badge is a signifier of your accomplishment and is an easy way for you to display your credential online. You can use your badge on social media, in an email signature or on a website. When viewers click on it, they will see the knowledge, skills and abilities required to earn that credential, as well as the date that it was earned. Beyond your digital badge, you’ll receive a digital certificate to print or share online.

You’ll also have access to a variety of benefits, including discounts on industry events, free online on-demand courses to support your professional development, access to a global network of professionals (such as in our online Community) to support your career growth, and much more. Stay in the know by following us on LinkedIn, Twitter and Facebook. Update your communication preferences and subscribe to our newsletters to receive important announcements.

LATEST CYBERTHREATS AND ADVISORIES - JANUARY 20, 2023

20 January 2023 at 11:30

TikTok is fined for a privacy violation, major corporations suffer breaches and Vice Society attacks another school. Here are the latest threats and advisories for the week of January 20, 2023.

Threat Advisories and Alerts

U.K. School Survey Reveals Surprising Findings

A new survey by London Grid for Learning (LGfL) and the National Cyber Security Centre (NCSC) revealed that the uptick in cyberattacks on the U.K. school system may not be as bad as first thought. The survey, of more than 800 schools, revealed that 78% of them had suffered at least one cybersecurity incident. Other interesting findings showed that 99% of schools use an antivirus solution, 100% use firewall protection and 74% enable two-step verification for their most critical accounts.

Source: https://www.ncsc.gov.uk/blog-post/uk-schools-build-cyber-resilience

Critical Vulnerability Found in Zoho ManageEngine Products

Cybersecurity company Horizon3.ai is urging users of Zoho ManageEngine to patch their software against critical vulnerability CVE-2022-47966 before it releases proof-of-concept (PoC) exploit code. Any Zoho ManageEngine product in which SAML single sign-on (SSO) has ever been enabled is affected, and successful exploitation lets an attacker execute arbitrary code and take control of the system.

Source: https://thehackernews.com/2023/01/zoho-manageengine-poc-exploit-to-be.html

Emerging Threats and Research

Vice Society Behind Ransomware Attack on German University

Vice Society has struck the education sector again, hot on the heels of its suspected involvement in last week’s U.K. data leak. This time Germany’s University of Duisburg-Essen is the victim. As is common for Vice Society, the ransomware group has published some of the stolen data on the web due to its demands being unmet. The University said, “If the breach affects people or institutions, they will be informed as soon as possible."

Source: https://www.infosecurity-magazine.com/news/vice-society-attack-university-of/

Nearly 18,000 Customers Affected in Nissan Data Breach

Car maker Nissan North America reported a security incident earlier this week to the Office of the Maine Attorney General. The event originally occurred on June 21, 2022, when one of Nissan’s third party vendors was breached, exposing the information of 17,998 customers. The exposed data included NMAC account numbers, full names and birth dates.

Source: https://www.bleepingcomputer.com/news/security/nissan-north-america-data-breach-caused-by-vendor-exposed-database/

Customer Data Stolen in Norton LifeLock Credential Stuffing Attack

Cybersecurity company Norton LifeLock has been hit with a credential stuffing attack that began on December 1, 2022. While the number of accounts impacted is not known, cybercriminals who got in may have accessed customer names, mailing addresses and phone numbers, as well as the passwords stored in Norton’s Password Manager application. Credential stuffing only works where users reuse a password that has leaked elsewhere, which makes password-manager accounts an unusually high-value target: one reused password unlocks every other one.

Source: https://www.darkreading.com/remote-workforce/norton-lifelock-warns-on-password-manager-account-compromises
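A credential stuffing run looks different from a brute-force attempt or a forgetful user: one source tries many different usernames once each, most of them fail, and the few that succeed are the accounts that are now compromised. The following is an added example written for this page, not code or data from Norton LifeLock's disclosure. The log format, the thresholds and every log line are constructed assumptions.

```python
"""Added example, not from Norton LifeLock's disclosure: spot credential stuffing
in an authentication log by looking, per source address, for many distinct
usernames with a high failure rate inside a short window. The log format, the
thresholds and every line below are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed log. 198.51.100.10 walks a leaked list and gets one hit;
# 203.0.113.5 is one person fumbling their own password;
# 192.0.2.77 is too small to call; the first line is outside the window.
SAMPLE_LOG = """\
2022-11-30T22:00:00Z src=198.51.100.10 user=zed result=fail
2022-12-01T03:00:01Z src=198.51.100.10 user=alice result=fail
2022-12-01T03:00:02Z src=198.51.100.10 user=bob result=fail
2022-12-01T03:00:02Z src=198.51.100.10 user=carol result=fail
2022-12-01T03:00:03Z src=198.51.100.10 user=dave result=ok
2022-12-01T03:00:04Z src=198.51.100.10 user=erin result=fail
2022-12-01T03:00:05Z src=198.51.100.10 user=frank result=fail
2022-12-01T03:01:10Z src=203.0.113.5 user=bob result=fail
2022-12-01T03:01:30Z src=203.0.113.5 user=bob result=fail
2022-12-01T03:01:50Z src=203.0.113.5 user=bob result=fail
2022-12-01T03:02:10Z src=203.0.113.5 user=bob result=ok
2022-12-01T03:05:00Z src=192.0.2.77 user=gina result=fail
2022-12-01T03:05:01Z src=192.0.2.77 user=hal result=fail
"""


def parse(log_text):
    """Yield (timestamp, source, username, succeeded); unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
               m["src"], m["user"], m["result"] == "ok")


def detect(log_text, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Return [(src, distinct_users, failures, successes)] for sources that look
    like credential stuffing within the window ending at the newest event."""
    events = list(parse(log_text))
    if not events:
        return []
    cutoff = max(e[0] for e in events) - window
    users = defaultdict(set)
    fails = defaultdict(int)
    oks = defaultdict(int)
    for ts, src, user, ok in events:
        if ts < cutoff:
            continue
        users[src].add(user)
        if ok:
            oks[src] += 1
        else:
            fails[src] += 1
    hits = []
    for src in users:
        total = fails[src] + oks[src]
        # Many different usernames from one place, nearly all failing: a list being replayed.
        if len(users[src]) >= min_users and fails[src] / total >= min_fail_ratio:
            hits.append((src, len(users[src]), fails[src], oks[src]))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

The response action lives in the successes, not the failures: every `result=ok` from a flagged source is an account whose password is known to the attacker and needs a forced reset and session revocation. The per-source rule also has a known blind spot: attackers who spread a run across a proxy pool keep each address under `min_users`, so a production detector adds a global signal such as the share of failed logins for usernames not seen in the previous day.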

TikTok Fined €5 Million for Cookie Law Violation

France's Commission nationale de l'informatique et des libertés (CNIL), the country’s data protection watchdog, has fined TikTok €5 million for breaking cookie consent rules. According to the regulator, the social media giant gave users no easy way to refuse all cookies, yet accepting them could be done in a single click. "Making the opt-out mechanism more complex is in fact discouraging users from refusing cookies and encouraging them to prefer the ease of the 'Accept All' button," said a CNIL representative. TikTok has since corrected the issue.

Source: https://thehackernews.com/2023/01/tiktok-fined-54-million-by-french.html

Credit Cards Stolen in Cyberattack on Canada’s Largest Alcohol Retailer

The website of the Liquor Control Board of Ontario (LCBO), Canada’s largest alcoholic beverage retailer, was breached earlier this month. The attack occurred between January 5 and January 10 when malicious code designed to steal credit card and other customer info was injected into the site. Customers making purchases on the site during this period may have had their personal information stolen, including their email and mailing addresses, credit card details and account passwords.

Source: https://www.bleepingcomputer.com/news/security/canadas-largest-alcohol-retailers-site-hacked-to-steal-credit-cards/

To stay updated on the latest cybersecurity threats and advisories, look for weekly updates on the (ISC)² blog. Please share other alerts and threat discoveries you’ve encountered and join the conversation on the (ISC)² Community Industry News board.

Real Talk with CCSPs An interview with Vanessa Leite, CCSP, CISSP

17 January 2023 at 08:00

We often hear that cybersecurity certifications have a global reach. When we spoke with Vanessa Leite we learned how true that actually is. Vanessa holds several certifications, including vendor-specific ones, along with the CISSP and CCSP credentials from (ISC)². She exemplifies the idea of “stepping out of one’s comfort zone”. Vanessa’s joy in sharing her knowledge, as well as her thirst for continual learning, is deeply motivating.

Q: What job do you do today, Vanessa?
A: I am a principal in cyber strategy and consulting with a global cyber security company. What that means is basically that it is an executive-level role, with a focus on delivering complex cyber security projects. A large part of my job has to do with cloud security. I currently work at CyberCX, which is a pure-play cyber company, but before that I mostly worked with financial service organizations.

I am based in New Zealand / Oceania right now, but I have also worked in countries around America and Europe. At the moment, I am leading an engagement with a client based out of Switzerland, which is requiring significant travel.

I'm originally from Brazil and the main reason I moved to New Zealand was because I thought that I needed an overseas experience. My English was pretty bad and I wanted to feel more confident with the language in general - but it ended up becoming something more than just that.

Q: Were you offered a job specifically in New Zealand, or did you seek that out as a destination?
A: I was back in Brazil, working in a contractor cyber role with British American Tobacco, when I was offered a position with Ernst & Young (EY) in New Zealand. EY is one of the big four global consulting firms. They offered me a position in Wellington (New Zealand’s capital), and they facilitated everything for me to move here. That was my first work experience in New Zealand. Since then, my husband and I have gotten a house, two dogs and lots of good friends.

After EY I had a few other roles with a few other companies (mainly financial service organizations) and about a year ago I joined CyberCX. CyberCX is a relatively new company, but they are growing fast. They seek to offer end-to-end cyber security services to organizations that are working to mature their security practices. This end-to-end service approach (being able to assist organizations from strategy and board-level reporting to penetration testing and tooling implementation) is a gap in the current market.

Q: Why did you first decide to get into cybersecurity?
A: Back in Brazil, when I was around 16, I decided to pursue a general computer and network technician course, which allowed me to get my first job opportunity in technology. It was then that I met Nina, a technology manager and my boss at the time; she later became my close friend. She was extremely knowledgeable and competent and soon became a role model for me. Nina was at the time doing a cyber security degree at university, which was very unique as not many universities were offering a cyber security related course. I remember her excitement about the number of different things she was learning, such as forensics, penetration testing and all the topics that would be required for cyber security jobs, as well as certifications. Nina’s enthusiasm inspired me to pursue a cyber security degree. By the way, she not only motivated me to enter university, but she also supported me in many different ways during the first years of my cyber career journey. If I am where I am today, it is also because of her.

After a little while I managed to get a job with a startup as a cyber threat intel analyst (my first role in cyber security) and soon after my career started taking off.

Q: What was your route towards your certifications?
A: Certification, such as CISSP and CCSP, provides you with the foundation knowledge and skills required to work with cyber security. Obtaining these certifications was essential for my development as a security professional and gaining the expertise I needed for performing my role.

Additionally, certification from widely recognized bodies such as (ISC)² clarifies what is factual information versus what is just opinion. I stress this a lot with my teams: the importance of distinguishing between fact and opinion and providing recommendations based on facts, which must be supported by data. The (ISC)² Common Body of Knowledge is a great source of information in that respect; I often refer to it for definitions and best practices. It is excellent for proving subject matter knowledge without taking a vendor-specific standpoint, which may be too limited. On top of my (ISC)² certifications I also hold some vendor-specific ones such as the AWS Cloud Practitioner. Combining both is a good strategy for obtaining a more comprehensive knowledge.

Q: How long did it take to achieve the CCSP designation, and what resources did you use?
A: I've done many certifications and I know what works best for me in terms of absorbing and assimilating the knowledge I need for the exam. Self-learning is something I am used to and this was pretty much what I did for both certifications (CCSP and CISSP). I started with reading the (ISC)² material, which included the official Study Guide and Practice Tests books. This worked very well for me as I like studying on my own time, at my own pace.

Self-learning has worked especially well for me as I had a significant foundation of cyber security knowledge due to my years at university, and from already working in the field. Some people might need more than six months to prepare for the exam. This will depend on their existing knowledge and experience. I would recommend, however, that a newer professional with limited experience perhaps enroll in the official training offered by (ISC)². That way, you have the opportunity to ask questions and gain a better understanding of the material, and how to apply it.

Q: Did anything surprise you about the CCSP exam?
A: I had only positive surprises. In recent years, (ISC)² has made the exam process much more time efficient, in addition to providing more insights on the real challenges professionals would face in their day-to-day jobs. In particular, I like that the questions focus on close-to-real-life problems which need to be solved in a cost-efficient and pragmatic way.

Q: As you were learning the cloud security content, did it have an impact on things that you were doing at work?
A: Yes - 100%! I am a strong believer that certifications, combined with day-to-day experience, are the best way of learning. They provide you with a baseline knowledge and the tools you need to articulate your thoughts and ideas. For me, the learning I got from CCSP was especially important to understand critical components of efficient cloud security architecture such as the shared responsibility and accountability model between the organization and the cloud service provider, in addition to the security related risks.

Certifications assist you with validating and demonstrating your knowledge in a given subject or area. They also demonstrate that you are committed to mastering your skills and knowledge and may give you a competitive edge when applying for jobs. This is especially important when applying for opportunities outside of your local market (an overseas job, for example) and there is a need to demonstrate expertise. Widely recognized certifications such as CCSP play a massive role in those situations. Certification also plays a significant role for organizations willing to demonstrate to clients that they have what it takes to do the job or project.

Q: What would you say is one of the biggest challenges you've faced in your career?
A: I have been lucky to have had support and so many good people and opportunities in my life. Challenge-wise, if I had had more clarity about where I was going (what the pathways into cyber security were), and what kind of training and learning I should have been focusing my time on, perhaps I wouldn't have encountered some of the struggles that I had in terms of progressing in my career.

Unfortunately, I see exactly these same issues still today when I talk to young professionals. Technology and cyber career pathways are still not clear enough, which makes it so difficult for people entering the field.

Q: As you look into the future, what ambitions do you have for your career ahead?
A: That is always a difficult question. I'm not someone who plans much, because I believe that planning leads to expectations, and expectations to frustrations. I do however have a vision of what and where I want to be in the future. Cyber security is something that I truly love doing, so basically, I want to do my job with excellence and be recognized for my efforts so I can keep providing for my family. I want to do challenging and interesting projects, but I also want to make sure that I have a good balance and sufficient time to recharge here and there - this is critical for performance and creativity. Ultimately, I also want to give back to the cyber and technology community and help other young and new professionals to succeed in their careers.

Q: It sounds like you really are enjoying what you do. What is it about your current job that you love?
A: I love what I do and the organizations and type of projects I work with - it's interesting and challenging. I also like the fact that what I do may have a significant impact on people’s lives, including their safety. Having the opportunity to learn new things and be creative is essential for me. I also enjoy the fact that I work for a good company with good people, and that I have the support I need.

Q: How do you ensure your skills continue to grow?
A: That is another reason I like certifications in general. They challenge me to constantly learn. Certifications, reading a lot, and exchanging knowledge and bouncing ideas with fellow colleagues are the best ways of continuing to grow your skills and knowledge.

Q: Are there any other resources that you like to use to increase your knowledge?
A: I find that networking with other professionals is super important, because there is no way that I can know everything, so having a support network of people you trust to bounce ideas off and/or seek support from on topics and subjects that are not your area of expertise is essential to succeed in this field.

Q: Can you tell us about an achievement or contribution that you've made that you're really proud of?
A: I can’t remember a specific example right now, but I think that often we get disconnected from the end goal (i.e., why we do what we do). Cyber security is a super important job and it is very likely that the work you do is having a good impact on someone. Think about what your organization does, who their customers are, and I am sure you can think of a few examples of how the work you do is important for them.

I am particularly proud of a few projects I did with health care organizations as I could see how much what I was doing (helping them to mature their cyber security practices) would have a direct impact on patient care and safety. Working with financial organisations is another good example; by improving their security capabilities we are directly helping people from, for example, being scammed by criminals.

Q: What do you think is the biggest challenge for cloud security right now?
A: There are so many new technologies and so many different options and vendors that it can be confusing for organizations. The shared responsibility model between organizations and cloud providers is also not well understood. There is a danger in not properly understanding that relationship. If organizations are not clear about which controls they are responsible for, in contrast with the controls their cloud provider is responsible for, they might end up significantly increasing their risk profile and the likelihood and impact of cyber security compromises and breaches.

Q: Would you say that the main solution is getting more people into the industry? Are there other solutions that you think are important?
A: There is only so much we can do in terms of getting more people into technology and security. We need to think about alternative ways of solving the problem as the shortage of and demand for cyber security professionals will keep on rising. Cloud technologies and automation have the potential of assisting with solving this problem, in addition to freeing professionals from working on repetitive tasks so they can focus on more meaningful work.

Q: Who inspires you in the world of cyber security?
A: There are so many people out there, but I am mostly inspired by the people that work closely with me or people who have the courage to change their career paths and decide to pursue new journeys in completely different fields. Everyone else that has been there in my career, especially previous managers, and people that have guided and helped me have also deeply inspired me.

Q: What advice would you give to people who are considering a career in cloud security?
A: Continuous learning is essential. You will have to spend a considerable amount of time reading news and checking what's out there in terms of new technology, threat landscape, and others. Without it, professionals fall behind and can be less effective when performing their jobs. Ongoing learning is also essential to career success.

Additionally, we need technical people who are able to implement technologies, but we also need people with good non-tech skills such as communication, for example, so problems can be clearly articulated to Senior Executives and Boards. We also need people with different skills from different backgrounds to address cloud security problems. Therefore, don’t underestimate the knowledge that you have, and the value that you can bring to those initiatives or environments. There is a space for everyone, and organisations need this difference in knowledge and perspective.

Q: Can you tell us more about the mentoring that you provide?
A: I’ve been mentoring a young woman who wants to make a career change and enter cyber security. She has extensive business and accounting experience and is seeking to develop her technology skills. It is not a formal mentoring program, but I’ve been assisting her with the journey by sharing my knowledge and connecting her to other people who may also help. It's about leveraging my network, and sharing previous experiences and mistakes, to guide her towards reaching her goal.

Q: Is there anything else that you would like to share?
A: I am a firm believer that certifications are such an important qualifier. Certifications can help people to stand out in the job market and obtain the knowledge and skills they need to succeed in their careers. Part of that comes from the trust that the industry has in organisations such as (ISC)². Certifications such as CISSP and CCSP give professionals credibility, in addition to a cost and time-effective option for qualification. Certifications are becoming key in most organisations; in many cases, they are as valued as a formal degree.

Vanessa is a perfect example of someone who has taken an unorthodox approach to continuous knowledge. Whatever your learning style, (ISC)² has an approach that can suit your individual goals and ambitions. Learn more about our training courses here.

LATEST CYBERTHREATS AND ADVISORIES - JANUARY 13, 2023

13 January 2023 at 12:31

Cybercriminals attack schools, the FCC looks to change data breach rules and artificial intelligence alters the cybersecurity landscape. Here are the latest threats and advisories for the week of January 13, 2023.

Threat Advisories and Alerts

How Businesses Can Securely Use MSP Services

Managed Service Providers (MSPs) offer a popular and effective way for businesses to outsource their IT. While an MSP’s service can bring productivity gains and cost savings, they can also pose an added security risk. After all, an MSP customer will typically provide the MSP with administrative access to their data, increasing their attack surface. To stay protected when hiring an MSP, the U.K. National Cyber Security Centre (NCSC) has advised that organizations should only allow enough privileges for the service provider to do their job, evaluate their security standards and require them to provide notice of any breaches.

Source: https://www.ncsc.gov.uk/blog-post/using-msps-to-administer-your-cloud-services

CISA Orders Federal Agencies to Patch Two Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added Microsoft security vulnerabilities CVE-2022-41080 and CVE-2023-21674 to its list of exploited bugs. The former can enable remote code execution and the latter is a zero-day vulnerability that can allow elevation of privileges. Though U.S. federal agencies are required to patch the security flaws by January 31st, all organizations are urged to fix the bugs.

Source: https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-exchange-bug-abused-by-ransomware-gang/

Emerging Threats and Research

Bad Actors Use ChatGPT to Write Malicious Code

The AI-powered ChatGPT has become a hot topic in the business world. The tool can be used for everything from writing to coding to understanding complex subjects. However, it can also be used for malicious purposes. Researchers from Check Point Research have reported at least three instances of bad actors using ChatGPT's AI capabilities to write malicious code. How is this possible? The tool enables cybercriminals with no coding experience to write malware, as noted by Check Point’s threat intelligence group manager, Sergey Shykevich.

Source: https://www.darkreading.com/attacks-breaches/attackers-are-already-exploiting-chatgpt-to-write-malicious-code

FCC Looks to Speed Up Breach Reporting for Telcos

The U.S. Federal Communications Commission (FCC) is looking to overhaul its breach notification rules for telecom firms. The current laws, which have been in place for 15 years, require telcos to wait a mandatory seven business days before reporting a breach to customers. FCC Chairwoman, Jessica Rosenworcel, said, “Given the increase in frequency, sophistication and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements.”

Source: https://www.infosecurity-magazine.com/news/fcc-accelerate-breach-reporting/

CISA and Homeland Security Build AI Cybersecurity Training Ground

The U.S. Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA) are developing a machine learning-based analytics environment to combat evolving cyber threats. The goal is to create a multicloud collaborative sandbox that will train government experts to test machine learning techniques and artificial intelligence technologies. Data collected from the experiments will be shared across the government, private sector and academic institutions, with a focus on ensuring the platform's security and protection of privacy.

Source: https://www.theregister.com/2023/01/10/dhs_cisa_cybersecurity_sandbox/

Iowa’s Largest School District Hit by Cyberattack

Des Moines Public Schools, Iowa’s largest school district with more than 31,000 students, was hit by a cyberattack earlier this week, causing the cancellation of classes. In response to the incident, all networked systems were taken offline and the school district launched an investigation. While the nature of the attack is yet to be confirmed, it is suspected to be a ransomware attack.

Source: https://www.bleepingcomputer.com/news/security/iowa-s-largest-school-district-cancels-classes-after-cyberattack/

Vice Society Suspected to Be Involved in U.K. Schools’ Data Leak

As cyberattacks on the education system increase, the U.K. has not been spared from attacks. Fourteen schools in the U.K. have now had their confidential data leaked, which includes staff pay scales and contract details, children’s SEN information and pupil passport scans. Vice Society is believed to be behind the leak.

Source: https://www.infosecurity-magazine.com/news/uk-schools-leak-confidential-data/

Royal Mail ‘cyber incident’ may be linked to Russia

In another U.K.-based cyberattack, the Royal Mail, the U.K. postal service, suffered what it called a ‘cyber incident’ on Wednesday, affecting systems responsible for handling international mail items. As a result, all outbound international mail has been suspended and consumers and retailers have been asked not to mail anything destined for a location outside the U.K. The BBC is reporting that the attack is based on the LockBit ransomware and is linked to Russia.

Source: https://www.bbc.com/news/business-64244121

To stay updated on the latest cybersecurity threats and advisories, look for weekly updates on the (ISC)² blog. Please share other alerts and threat discoveries you’ve encountered and join the conversation on the (ISC)² Community Industry News board.

Predictions 2023, Part 1: What will the new year bring for the InfoSec Community?

11 January 2023 at 09:33

By Diana-Lynn Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP

In recent years, we have seen the threat landscape become increasingly complex as threat actors use sophisticated techniques to exploit vulnerabilities of weak passwords, missing patches and antiquated software, thus gaining access to corporate networks.

With attacks rising within industrial control systems (ICS), operational technology (OT) and the internet of things (IoT), we are seeing new terminology emerge (e.g., patch lag or security resilience), and the list goes on.

In 2023, we can expect to see the following:

  • Staffing shortages because of the increased need to thwart cyberattacks and, as a result, burnout will continue to plague the industry.
  • An increase in attacks, including ransomware, bot attacks, expanded attacks on IoT, ICS and OT, and upward growth in attacks on cloud services and cloud infrastructure.
  • A rise of deepfakes through e-mail, video and messaging platforms, with a particular spike in deepfake phishing and wiperware.
  • More challenges associated with cyber insurance as more awareness of cyber incidents' reputational and financial risks comes to light.
  • New data privacy regulations and legislation will be implemented worldwide to protect consumers’ information.

Cybersecurity Staff Shortages

Staff shortages have affected the industry for several years, and the 2022 (ISC)² Workforce Study reveals a global cybersecurity workforce gap of 3.4 million professionals. We estimate that the workforce gap will likely increase in 2023.

As cyber threats continue to increase and technologies become more complex, skills will need to evolve to handle the onslaught. This continued need for staff training can impact or leave gaps in resources. Additionally, as the complexity changes, burnout related to long hours and stress will affect staff. Additional stress will be caused by the lack of training, overtime work, the frequency of cyber incidents and the potential for job insecurity.

Cybersecurity professionals continue to be challenged by a never-ending onslaught of attacks and are constantly trying to mitigate cybersecurity risks. As economic conditions worsen, we estimate that training budgets will be amongst the first to be cut, thereby impacting the skills gap.

We are seeing many new training and education opportunities come to market to offset the staffing shortages, but they are insufficient to meet the needs of the cybersecurity workforce. IBM is aiming to train 500,000 individuals from India in cybersecurity skills over the next five years. In August, (ISC)² pledged to provide one million free Certified in Cybersecurity courses and exams for those looking to enter the profession.

In 2023, unfortunately, we will see an increase in those who state they have the necessary skillset but may not have the cybersecurity experience needed for a role. Entry-level certifications, like the Certified in Cybersecurity, provide individuals with foundational knowledge and expertise, which will be even more critical for finding a cybersecurity job.

OT Infrastructure

Open-source systems (software) will continue to be a target of cyberattacks, as many of these systems are built on legacy software which is outdated and seldom patched. Even when these systems are updated, ICS or OT will continue to be susceptible to attacks as there are challenges associated with patch management and insufficient security training.

It is anticipated that, like in previous years, these systems will not be well protected, and little will be done to secure them. As tensions rise with the Russian/Ukrainian war or in China, the threat to these systems increases dramatically.

To protect these systems, we recommend (but are not limited to) the following:

  • Increasing the visibility of these assets (have an inventory).
  • Implementing (where possible) mitigating controls (think firewalls between networks).
  • Building resiliency plans.

Ransomware

In the last several years, ransomware attacks have made headlines, and we can only anticipate that this trend will continue into 2023. In fact, in 2022, more than 200 U.S. institutions were affected by ransomware. Specifically, the “State of Ransomware in the U.S.” report revealed 105 local governments; 44 universities and colleges; 45 school districts; and 25 healthcare providers operating 290 hospitals navigated ransomware attacks in 2022.

As ransomware gangs have shifted tactics and operations in the past year, we anticipate that in 2023 we will see a continued shift in the types of attacks and in those targeted, including new markets and regions.

To better protect organizations from ransomware attacks in 2023, we recommend the following to enhance security:

  • Create backups and secure them offsite.
  • Test backups regularly (and your ability to restore from the backups).
  • Provide security awareness education and information to staff regarding the risks. Educate staff on the many methods used to steal data.
  • Ensure that security software is current and the latest security patches have been applied.
  • Implement multi-factor authentication.
  • When possible, encrypt confidential or sensitive data.

Fake Ransomware (Wiperware)

In late 2022, we began seeing attacks that purport to be ransomware; they present a ransom request by creating a README.txt file that includes a bitcoin wallet address, a contact e-mail address and an ID. Unfortunately, it is not ransomware but wiperware. Wiperware (a Trojan) typically does not attack or affect system files (.exe, .dll, .lnk, .sys or .msi files, or files in the C:\Windows directory); instead, the attack is focused on databases or user documents. Once the malware modifies a file, it cannot be recovered (ever), as the data has been overwritten or corrupted, so paying the ransom buys nothing. Typically, the intent of this Trojan is not financially motivated; it is used to destroy data. These attacks can be politically motivated, as seen in the Ukrainian/Russian conflict.
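An incident responder's first question with this pattern is whether the "encrypted" files are actually encrypted (potentially recoverable with a key) or simply overwritten. The following added triage heuristic, which is not code from the original post, runs over a constructed list of file-change records: it looks for the README.txt note fields named above (wallet address, contact e-mail, ID), checks that system files were untouched while documents and databases were modified, and uses byte entropy to separate zero-filled (wiped) content from encryption-like content. The sample note, paths, wallet string and ID are all constructed placeholders.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# System file types and directory the post says wiperware leaves alone.
SYSTEM_EXTS = {".exe", ".dll", ".lnk", ".sys", ".msi"}
SYSTEM_DIR = "c:\\windows\\"
# File types the post says are targeted (databases and user documents).
DATA_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".db", ".sqlite", ".mdf", ".bak", ".csv"}

# The three ransom-note fields named in the post. The wallet pattern only checks
# the shape of legacy (1.../3...) and bech32 (bc1...) bitcoin addresses.
NOTE_FIELDS = {
    "wallet": re.compile(r"\b(?:bc1[0-9a-z]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "id": re.compile(r"\bID\s*[:=]\s*([\w-]+)", re.IGNORECASE),
}
# Shannon entropy thresholds (bits per byte): near 0 means zero-filled or
# constant-filled (destroyed); near 8 is consistent with encryption.
LOW_ENTROPY = 1.0
HIGH_ENTROPY = 7.0


@dataclass
class FileChange:
    path: str
    action: str          # "created" or "modified" (constructed event model)
    content: bytes = b""  # content of the file after the change


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or constant-filled data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_system_file(path: str) -> bool:
    p = path.lower()
    return p.startswith(SYSTEM_DIR) or any(p.endswith(e) for e in SYSTEM_EXTS)


def is_data_file(path: str) -> bool:
    return any(path.lower().endswith(e) for e in DATA_EXTS)


def parse_ransom_note(text: str) -> dict:
    """Return the note fields (wallet, email, id) that are present."""
    found = {}
    for name, rx in NOTE_FIELDS.items():
        m = rx.search(text)
        if m:
            found[name] = m.group(1) if m.groups() else m.group(0)
    return found


def triage(changes: list[FileChange]) -> dict:
    """Classify a change set as wiperware-like, ransomware-like or inconclusive."""
    note, data_mod, sys_mod, wiped, enc = {}, 0, 0, 0, 0
    for ch in changes:
        name = ch.path.rsplit("\\", 1)[-1].lower()
        if ch.action == "created" and name == "readme.txt":
            fields = parse_ransom_note(ch.content.decode("utf-8", "replace"))
            if len(fields) >= 2:      # at least two of the three note fields
                note = fields
            continue
        if ch.action != "modified":
            continue
        if is_system_file(ch.path):
            sys_mod += 1
        elif is_data_file(ch.path):
            data_mod += 1
            h = shannon_entropy(ch.content)
            if h <= LOW_ENTROPY:
                wiped += 1
            elif h >= HIGH_ENTROPY:
                enc += 1
    if note and data_mod and not sys_mod and wiped > enc:
        verdict = "wiperware-like"      # ransom note, but data is destroyed
    elif note and data_mod and enc > wiped:
        verdict = "ransomware-like"     # ransom note and encryption-like content
    else:
        verdict = "inconclusive"
    return {"note": note, "data_modified": data_mod, "system_modified": sys_mod,
            "wiped": wiped, "encrypted_like": enc, "verdict": verdict}


# Constructed sample note; the wallet string and ID are placeholders, not real values.
SAMPLE_NOTE = ("Your files are encrypted. Send 0.5 BTC to bc1q000000000000000000000000000000\n"
               "Contact: restore@example.invalid\nID: 7F3A-CONSTRUCTED\n")


def build_sample(wiped: bool) -> list[FileChange]:
    """Constructed change set: zero-filled documents if wiped, else 8-bit-entropy bytes."""
    body = b"\x00" * 512 if wiped else bytes(range(256)) * 2
    return [
        FileChange("C:\\Users\\alice\\README.txt", "created", SAMPLE_NOTE.encode()),
        FileChange("C:\\Users\\alice\\Documents\\report.docx", "modified", body),
        FileChange("C:\\Data\\customers.db", "modified", body),
        FileChange("C:\\Users\\alice\\notes.ini", "modified", b"[x]\n"),  # ignored type
    ]


if __name__ == "__main__":
    print(triage(build_sample(wiped=True))["verdict"])    # wiperware-like
    print(triage(build_sample(wiped=False))["verdict"])   # ransomware-like
```

Real encryptors also produce high-entropy output, so the entropy split only says whether paying could possibly help; it does not identify a family.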

In 2023, there will also be an increase in phishing attempts as these attacks are used to distribute both wiperware and ransomware.

We’ll continue to discuss data privacy, supply chain, cybersecurity insurance, as well as other 2023 predictions in the next blog post.

Help Shape the CGRC Exam – Formerly Known As CAP

9 January 2023 at 08:15

As practitioners know all too well, it is paramount to remain up to date with the changing landscape of cybersecurity. We regularly conduct Job Task Analysis (JTA) studies to review exam content and outlines to ensure the accuracy, relevance and excellence of all (ISC)² exams.

The Certified in Governance, Risk and Compliance (CGRC), formerly known as the Certified Authorization Professional (CAP) exam, was last refreshed in 2021. The certification is undergoing a name change to more accurately reflect the knowledge, skills and abilities required to earn and maintain this certification. As part of our regular updates to exams, it is now time to refresh the (ISC)² CGRC exam to better align with best governance, risk and compliance professional practices.

We will begin the CGRC revision process with a JTA Study Workshop tentatively scheduled for February 13-15, 2023. We are asking that anyone who currently holds the CGRC (aka CAP) review the CGRC Exam Outline and consider the following questions:  

  1. Do you believe that the current CGRC exam outline adequately covers the existing and emerging cybersecurity techniques and threats CGRC practitioners are facing in their jobs today?
  2. If not, what sort of topics/content should be added to the CGRC exam outline?
  3. What content currently on the CGRC exam outline is no longer relevant to today’s professionals?

Please send your answers to these questions to CGRCJTA@isc2.org no later than January 30, 2023. Please include your ID # in your email. Your comments will be compiled and presented to the JTA Committee for further review.  

Be sure to submit this exercise via the CPE portal so that you can earn credit for participating in this essential activity. Thank you for your invaluable insights and help!  

Latest Cyberthreats and Advisories - January 6, 2023

6 January 2023 at 13:00

The LockBit ransomware gang apologizes, Google settles privacy lawsuits and cybercriminals impersonate brands and the U.K. government. Here are the latest threats and advisories for the week of January 6, 2023.

Threat Advisories and Alerts

Cybercriminals Impersonate Brands with Search Ads And Fake Sites

The U.S. Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are directing internet users to malicious sites via search ads. How does the scam work? Bad actors build a fake website that impersonates a legitimate brand and then advertise it so that it appears at the top of search results. Once users click the ad, the malicious site prompts them to enter login credentials or financial information, or to download ransomware that’s disguised as a legitimate program.

Source: https://www.ic3.gov/Media/Y2022/PSA221221

Top Six U.K. Government Impersonation Scams of 2022

As 2023 kicks into gear, the U.K.’s National Cyber Security Centre (NCSC) has looked back at the past 12 months to reveal the top six government email impersonation scams that were taken down. The imitated organizations include the National Health Service (NHS), HM Revenue & Customs (HMRC), TV Licensing, gov.uk (the primary domain for many U.K. government services and web pages), Ofgem and the DVLA (the U.K. vehicle and driver licensing body). The NCSC received more than 6.4 million reports of potential scams in 2022 and took down 67,300 fraudulent URLs. To protect against these cyberthreats, the NCSC urges consumers to implement two-step verification, shop at trusted retailers and use secure payment methods like a major credit card or PayPal.

Source: https://www.ncsc.gov.uk/news/ncsc-reveals-top-government-email-impersonation-scams-taken-down-in-2022

Emerging Threats and Research

LockBit Ransomware Gang Apologizes for Attack on Children’s Hospital

The notorious LockBit ransomware group has offered an apology and a free decryption key to undo a ransomware attack that hit Toronto’s Hospital for Sick Children on December 18, 2022. The gang said the attack was by one of its affiliates who violated LockBit’s policy on targeting medical institutions where ransomware encryption could lead to death. LockBit released a statement addressing the issue, saying, “We formally apologize for the attack on sickkids.ca and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program.”

Source: https://www.infosecurity-magazine.com/news/lockbit-ransomware-decryptor-kids/

Linux Trojan Attacks Outdated WordPress Sites

Vulnerabilities in 30 WordPress (WP) themes and plug-ins are being exploited by a Linux backdoor Trojan. If WP sites use one of the outdated add-ons, they could be infected with rogue JavaScript that redirects visitors to malicious websites. While the malware is newly identified, the researchers who discovered it believe it may have been in existence for over three years.

Source: https://www.darkreading.com/attacks-breaches/wordpress-under-attack-from-new-linux-backdoor-malware

Google Settles Location Tracking Lawsuits for $29.5 Million

Google has settled two U.S. location tracking lawsuits filed in Washington, D.C. and Indiana for a total of $29.5 million. Karl Racine, the former attorney general of D.C. whose office filed suit, said Google’s behavior "made it nearly impossible for users to stop their location from being tracked." The two lawsuits assert that Google used dark patterns, which they describe as employing "deceptive and unfair practices that makes it difficult for consumers to decline location tracking or to evaluate the data collection and processing to which they are purportedly consenting."

Source: https://www.theregister.com/2023/01/03/google_tracking_settlements/

Royal Ransomware Group Attacks Prominent Australian University

Queensland University of Technology (QUT), one of Australia’s largest universities, has suffered a cyberattack at the hands of the Royal ransomware gang – a criminal group who gained recent notoriety for targeting the U.S. healthcare industry. The university has experienced significant disruption from the attack, with some exams and courses being rescheduled to early February. While QUT says there’s no evidence of stolen data, Royal Ransomware has published ID cards, email communications and HR files that they claim were from the attack.

Source: https://www.bleepingcomputer.com/news/security/royal-ransomware-claims-attack-on-queensland-university-of-technology/

Guardian Newspaper Still Struggling After Ransomware Attack

The U.K.-based Guardian newspaper is continuing to struggle to recover from a ransomware attack reported at the end of 2022. Guardian Media Group chief executive Anna Bateson sent a note on January 2, saying that all staff must continue to work from home until at least Monday 23rd January in the U.K., U.S. and Australia to give IT staff time to recover the affected systems. Production of the newspaper and its website have continued despite the issue.

Source: https://pressgazette.co.uk/publishers/guardian-ransomware-attack

To stay updated on the latest cybersecurity threats and advisories, look for weekly updates on the (ISC)² blog. Please share other alerts and threat discoveries you’ve encountered and join the conversation on the (ISC)² Community Industry News board.

(ISC)² New Jersey Chapter Hosts International Event with 500 Attendees

4 January 2023 at 08:00

The (ISC)² New Jersey Chapter held their first virtual international event, which hosted more than 20 thought leaders and 500 registered chapter member attendees. The International (ISC)² Chapter Conference, SECON International, took place virtually, on December 1, 2022, and delivered intriguing content on various cybersecurity topics.

The conference featured TED Talk-style presentations across three tracks during a three-hour event.

The New Jersey Chapter hopes that by sharing their successes, they can help other chapters to either replicate their event or encourage them to join this conference in the future. This event was a collaboration between several (ISC)² chapters on a global scale which produced tangible, value-added benefits for attendees. The New Jersey Chapter’s leadership considered their event’s biggest success to be that they reached such a large global audience.

When asked to describe their biggest challenges, leaders explained that providing thought-provoking content and attracting high-caliber speakers for a global audience was an ambitious goal. Attracting a worldwide audience and standing apart from other events meant the chapter needed to use top technology applications to reach attendees. The group used the metaverse-style platform Gather.Town to offer a unique conferencing experience for attendees and speakers.

Another challenge proved to be the time zones of a global audience – speakers spanned 20 time zones and conference participants attended from 50 different countries and states around the world.

The planning committee met together more than 20 times to execute the conference within a six-month time frame. The success of using a new platform was due to a group of volunteers who assisted with the attendees’ user experience.

Lessons learned include planning for emergencies. This event had backup speakers on deck and presentations pre-recorded in case of technical difficulties or cancellations, and, in this case, the contingencies were necessary.

Finally, the group recommends promoting the event to a wide audience utilizing all social media channels, connecting with local chapter groups and working with the Chapter team at (ISC)² Headquarters to promote to all global chapter leaders. The team is already planning for next year’s conference.

To find an (ISC)² Chapter in your area, visit https://www.isc2.org/Chapters/Chapter-Directory
