Researchers warn that many electric vehicle (EV) charging management systems are affected by vulnerabilities that could allow hackers to cause disruption, steal energy, or obtain driver information.
The vulnerabilities were discovered by researchers working for SaiFlow, an Israel-based company that specializes in protecting EV charging infrastructure and distributed energy resources.
The security holes are related to the communications between the charging system management service (CSMS) and the EV charge point (CP), specifically the use of the Open Charge Point Protocol (OCPP). The flaws have been confirmed to impact the CSMS offered by multiple vendors.
The problem lies in OCPP’s use of WebSocket communications and how multiple connections are handled. The protocol does not define how to handle more than one CP connection for the same charger at a time, and attackers can abuse this by opening a new connection to the CSMS. Another issue is related to what SaiFlow describes as “weak OCPP authentication and chargers identities policy”.
By opening a new connection to the CSMS on behalf of a charge point, the attacker causes the original connection to be closed or to become nonfunctional.
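The displacement behaviour described above, modelled as an added example; this is not SaiFlow’s code or any vendor’s CSMS implementation. It contrasts a “last connection wins” policy, which reproduces the problem, with a “first connection wins” policy that keeps the established session, refuses the newcomer and records a detection event for the operator. Charger identities, peer addresses and the event field names are constructed assumptions.

```python
"""Per-charge-point connection policy for a CSMS WebSocket endpoint (added example).

policy="last_wins"  -> a second connection presenting an already-connected charger
                       identity silently displaces the first (the weakness described).
policy="first_wins" -> the established session is kept, the newcomer is rejected, and
                       an alert carrying both peers is emitted (the mitigation).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import time


@dataclass
class Session:
    charge_point_id: str
    peer: str          # remote address of the WebSocket peer (constructed values below)
    opened_at: float


@dataclass
class ConnectionRegistry:
    policy: str = "first_wins"
    sessions: Dict[str, Session] = field(default_factory=dict)
    events: List[dict] = field(default_factory=list)   # detection events for the SOC

    def connect(self, charge_point_id: str, peer: str, now: Optional[float] = None) -> bool:
        """Return True if the new connection is accepted into the registry."""
        now = time.time() if now is None else now
        existing = self.sessions.get(charge_point_id)
        if existing is None:
            self.sessions[charge_point_id] = Session(charge_point_id, peer, now)
            return True
        if self.policy == "last_wins":
            # Weak behaviour: the original session is dropped without any record.
            self.sessions[charge_point_id] = Session(charge_point_id, peer, now)
            return True
        # Hardened behaviour: keep the established session, refuse the newcomer,
        # and log both peers so the collision can be investigated.
        self.events.append({
            "type": "duplicate_charge_point_connection",   # assumed event name
            "charge_point_id": charge_point_id,
            "established_peer": existing.peer,
            "rejected_peer": peer,
            "ts": now,
        })
        return False

    def disconnect(self, charge_point_id: str, peer: str) -> None:
        """Only the peer that owns a session may close it."""
        s = self.sessions.get(charge_point_id)
        if s is not None and s.peer == peer:
            del self.sessions[charge_point_id]

    def active_peer(self, charge_point_id: str) -> Optional[str]:
        s = self.sessions.get(charge_point_id)
        return None if s is None else s.peer


def simulate(policy: str) -> Tuple[Optional[str], int]:
    """Constructed scenario: the real charger connects, then a second connection
    claims the same identity from another address. Returns (active peer, alerts)."""
    reg = ConnectionRegistry(policy=policy)
    reg.connect("CP-000123", "203.0.113.10", now=1.0)   # legitimate charger (constructed)
    reg.connect("CP-000123", "198.51.100.7", now=2.0)   # colliding connection (constructed)
    return reg.active_peer("CP-000123"), len(reg.events)


if __name__ == "__main__":
    print("last_wins :", simulate("last_wins"))
    print("first_wins:", simulate("first_wins"))
```

Keeping the first session is only half the mitigation: a CSMS should also bind each charger identity to a per-charger credential (for example a client certificate or a per-charger password) so that presenting a guessable identity alone is not enough to open a session at all.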
According to SaiFlow, an attacker can exploit the weaknesses to launch a distributed denial-of-service (DDoS) attack that disrupts the electric vehicle supply equipment (EVSE) network. In addition, if an attacker can connect to the CSMS, they may be able to obtain drivers’ personal information, including payment card data, as well as other sensitive data, such as server credentials.
In certain configurations, if the charger approves unknown driver identities, an attacker may be able to charge their vehicle without paying for it, the security firm said.
“Since the CSMS platforms are publicly accessible, it is possible for an attacker to hijack the connection remotely, without needing to gain credentials, access, or perform MITM attacks,” Ron Tiberg-Shachar, co-founder and CEO of SaiFlow, told SecurityWeek.
Tiberg-Shachar believes it may be possible for a somewhat inexperienced hacker to carry out an attack, even with limited resources.
In order to conduct an attack, the hacker first needs to obtain a charger’s identity. This identity typically has a standard structure, making it easier for threat actors to enumerate the values of valid identifiers.
In the next phase, they need to obtain information on which CSMS platform the charger is connected to. The expert noted that the CSMS URL can be discovered using services such as Shodan or SecurityTrails.
It doesn’t seem like the vulnerabilities can be easily patched by vendors.
“We’ve approached many key players in the industry (and keep on doing so) to make them aware of our findings and how they can approach a solution,” Tiberg-Shachar said. “Additionally, we’ve made our solutions team available to support any specific technical questions, in an effort to reinforce vulnerabilities as quickly as possible. Our key goal is to support partners in scaling their charging infrastructure as quickly and safely as possible.”
The digital supply chain is probably more extensive and more complicated than you realize. Upward of 98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years – and these figures are almost certainly no exaggeration.
The figures come from a report by SecurityScorecard. More than 230,000 organizations were examined to discover their relationships with third parties. Third parties were investigated to examine fourth parties (on which the third parties depend before delivering services to the first party). The expansion of relationships grows so rapidly that it makes six degrees of separation likely to be a conservative estimation.
From the figures: 98% of organizations have a relationship with a third party that has been breached, while more than 50% have an indirect relationship with more than 200 fourth parties that have been breached. These figures do not suggest that the first parties have been breached, but they do indicate the extent of risk exposure via the supply chain.
The escalating nature of third and fourth-party relationships
It is worth reflecting on the term ‘breach’. Some commentators include data exposure within the term – so an organization with an unsecured cloud database is described as breached. This is not how SecurityScorecard uses the term in this report.
“We define a breach as any incident where parties gain unauthorized access to computer data, applications, networks, or devices,” Mike Woodward, VP data quality and trust at SecurityScorecard, told SecurityWeek. “The parties could be intruding threat actors who bypass or penetrate security mechanisms from the internet, or they could be organization insiders who abuse their privileged access to data and resources.”
Knowledge of a breach comes from public knowledge: from government disclosures and press reports. “Every day, we scan multiple sources, including government websites and press reports, for reports of breaches. We’re careful about the sources we will accept, and we point back to our source so our users can check for themselves,” he continued.
Of course, not all organizations disclose that they have been breached, and not all organizations even know they have been breached. So, the effect of this methodology means SecurityScorecard’s statement that ‘98% of organizations have a relationship with a third (or fourth) party that has been breached’ can only be the most conservative of estimates.
“SecurityScorecard’s data demonstrates why managing cyber risk across the digital supply chain is absolutely critical as threat actors work to exploit any vulnerabilities an organization may have. Identifying and continuously monitoring all partners and customers within the digital supply chain is key to staying ahead of any potential risk,” comments Wade Baker, partner and co-founder at The Cyentia Institute (a data-driven cybersecurity research group).
“By having full visibility into the security posture of their third and fourth parties, organizations can work with their vendors to address any cybersecurity gaps they may have in their infrastructure and, in turn, reduce their own level of cyber risk.”
The report highlights which sectors have the highest number of third party relationships, notes that more secure first parties still have relationships with the less secure third parties, points out that third parties are 5x more likely to exhibit poor security, and even enumerates the number of companies that have relationships with foreign organizations.
“Seven percent of firms have relationships with vendors in only their home country (no foreign ties),” states the report. “About 59% of organizations have connections to five or fewer countries, and roughly 14% have vendors spanning 10 or more countries.” This doesn’t necessarily increase or decrease cyber risk, but it highlights a potentially overlooked complication: compliance with international laws, security requirements, and other geopolitical issues.
The overriding conclusion of the report is that no firm can afford to be insular about its cybersecurity. It must have visibility into its own digital ecosystem, but also similar visibility into the security of its suppliers – including, perhaps, the fourth party suppliers. And if that visibility is unavailable, maybe the risk of a relationship is too great.
About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.
SecurityWeek Cyber Insights 2023 | ICS and Operational Technology – Recognition of the cyber threat to industrial control systems (ICS) and operational technology (OT) systems has grown over the last decade. Until recently, this has been largely a theoretical threat founded on the danger of what could happen rather than what is happening. This is changing, and the threat to ICS/OT is now real and ongoing. The bigger danger is that this is likely to increase in 2023 and onward.
There are several reasons, including geopolitical fallout and escalation of tensions from the Russia/Ukraine war, and a growing willingness of criminals to target the ICS of critical industries. At the same time, ICS/OT is facing an expanding attack surface caused by continuing business digitization, an explosion of IoT and IIoT devices, the coming together of IT and OT networks, and the use of potentially insecure open source software libraries to bind it all together.
Background to the ICS/OT Threatscape
The IT/OT overlap
One of the biggest threats to OT comes from its convergence with IT. When the networks were separate, OT could be isolated from the internet and kept relatively secure. This is no longer reality.
“As IT and OT systems continue to converge,” comments Simon Chassar, CRO at Claroty, “nation-state actors and cybercriminal groups such as Berserk Bear, Conti, Lazarus and Mythic Leopard, will shift their focus from IT to OT and cyber-physical systems; from stealing sensitive data to disrupting mission-critical operations.”
For all its benefits, IT/OT convergence without proper security means threat actors can take down operations by exploiting an IT access point or a cloud vector. “This yields maximum financial or political gain for the attacker,” continued Chassar, “because businesses have more incentive to pay a ransom when their means of production are at stake, which can have a long-term impact on revenue and the supply chain.”
Ramsey Hajj, Deloitte’s US and global cyber OT leader, expands on this theme. “Cyber attackers are increasingly weaponizing OT environments to attack hardware and software that control industrial processes and secure OT networks. Skilled workforce shortages and overlapping IT and OT environments can make cyber incident containment difficult.”
Supply chain attacks cannot be ignored, either on the IT side or directly against OT. “Supply chain attacks continue to evolve for both ICS hardware and software,” comments Pascal Ackerman, senior security consultant for operational technology at GuidePoint Security. “Think implants for controls and automation equipment, attack chains that involve suppliers and service providers to ICS owners as an initial foothold or pivot point, and compromises on controls and automation vendors’ file repositories with the purpose of adding implants in the provided software.”
Learn More at SecurityWeek’s ICS Cyber Security Conference: the leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS, PLC and field controller cybersecurity. October 23-26, 2023 | Atlanta www.icscybersecurityconference.com
Geopolitics and the Russia/Ukraine war
“One of the biggest concerns around the potential for large-scale attacks in the wake of the war in Ukraine is around ICS/OT,” says Christopher Budd, senior manager of threat research at Sophos. “While we haven’t yet seen attacks on a scale as feared, there have been documented attacks like this in Ukraine as part of the ongoing hostilities.”
He suspects this will focus both government and industry on strengthening the security of ICS/OT systems, even if it’s done quietly. This may already be evident in the new Cross-Sector Cybersecurity Performance Goals (CPGs) issued by CISA in late October 2022. Claroty describes them as, “a foundational set of IT and OT practices and recommendations that can help smaller, lesser-resourced organizations better prioritize cybersecurity efforts and reduce risk.”
Claroty highlights four OT recommendations in the CPGs. There should be a single leader responsible for OT asset cybersecurity; there should be specialized OT-focused cybersecurity training for OT engineers; there should be compensating controls such as network segmentation and access controls used as mitigations until software patches and firmware updates can be applied; and there should be unique credentials for assets, use of MFA, and the removal of default passwords.
We can expect that government agencies will, and private industry should, work on conforming to CISA’s CPGs during and from 2023.
Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, expects further assistance from CISA in 2023. “2023 will usher in the fruits of new CISA programs further building mechanisms for enhanced trust and verification – CyberSentry and RedEye for example – which will broaden the aperture for understanding OT and ICS incidents.”
One less-obvious effect of global geopolitical tensions will be a deterioration in international law enforcement cooperation. “Besides the growth of hacktivist activity ‘working’ to internal and external political agendas,” suggests Kaspersky, “we might also see more ransomware attacks on critical infrastructure due to the fact that it will become harder to prosecute such attacks.”
Chassar is more direct. “There is going to be an increase in the number of threats from nation-state actors, as well as groups that are associated with nation-states in 2023,” he says. “Their activity targeting the critical infrastructure industry, from manufacturing to water and energy, will continue to grow, fueled by ongoing global geopolitical conflicts such as the Russia/Ukraine war, as well as the current economic climate.”
The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while cybercriminals have had their restraints reduced.
Specifically…
IoT/IIoT
“There are now more known vulnerabilities impacting IoT devices than IT devices,” says Bud Broomhead, CEO at Viakoo, “and IoT devices are often the easiest for cybercriminals to access.” IoT and IIoT is a massive and expanding part of the ICS/OT attack surface, providing an entry point, and enabling lateral movement.
“Breached IoT devices are having devastating impacts,” he continued, “such as ransomware, data loss, changing the chemical balance in a municipal water supply, replacing real camera footage with deepfakes, or disrupting transportation systems.”
The scale (sometimes up to 20x more than IT devices) and the physical location (widely distributed rather than focused within data centers), together with the growing use of vulnerable open source software libraries, make vulnerability remediation difficult.
Broomhead believes the shift to open source software presents the most immediate threat. “The dangers open source vulnerabilities present is that they require multiple vendors to provide patches, they are often found in OT and IoT devices that are hard to remediate, and they can be exploited many years after they were discovered.”
Wendy Frank, Deloitte’s US cyber IoT leader, believes part of the threat comes from a lack of adequate security governance covering the implementation of IoT, IIoT, OT and ICS devices. As their number grows, so the expanded attack surface creates more security, data, and privacy risks.
“Leading organizations,” she says, “will focus in the year ahead on connected-device cyber practices by establishing or updating related policies and procedures, updating inventories of their IoT-connected devices, monitoring and patching devices, honing both device procurement and disposal practices with security in mind, correlating IoT and IT networks, and monitoring connected devices more closely to further secure those endpoints, manage vulnerabilities, and respond to incidents.”
Ransomware and other malware
“Ransomware remains the most likely threat to cause disruption in industrial infrastructure environments in 2023,” states Thomas Winston, director of intelligence content at Dragos. “Based on our visibility of ransomware events, manufacturing organizations remain the most frequent target with 70% of observed ransomware events, year-to-date [ie, 2022], continuing to target primarily manufacturing.”
Ackerman sees ransomware beginning to target OT specifically. He expects to see: “Ransomware targeting the industrial environment – in contrast to ransomware on the IT side accidentally compromising the OT space – with attacks on virtualization stacks (VMware), data repositories (Historian), controls equipment like PLCs, and controls project repositories (file shares).”
Partly, this will be exacerbated by native code execution on PLCs, with the attacker adding arbitrary code to the PLC’s OS, and paving the way for ransomware and rootkits running on the PLC.
Winston is particularly concerned for those organizations without adequate segmentation between IT and OT, but notes that “Ransomware rarely uses novel methods – making the application of key elements of a defensible ICS/OT architecture particularly effective.”
He recommends the five critical controls outlined by SANS in October 2022: implementation of an ICS-specific incident response plan; development of a defensible architecture [perhaps in conjunction with an attack surface management plan]; ICS network visibility and monitoring; secure remote access; and a risk-based vulnerability management program.
Beyond ransomware, Winston is concerned about the evolution of Pipedream (also known as Incontroller). “Pipedream is an existential threat to the ICS community. This toolset is likely being actively developed and financed,” he said.
“It is already capable of disruption across industries, including CrashOverride-style disruption, pipeline disruption, and servo manipulation. We’ve confirmed that Pipedream, with little development effort, can target devices speaking the ubiquitous CODESYSv3 and OPC UA protocols. It can manipulate servos in the 1S-Series of Omron Servo drives.” While it cannot target Omron Safety Controllers, he believes this is undoubtedly the next step in its development.
Hijacking remote access sessions
Ian Pratt, global head of security for personal systems at HP Inc, sees an increase in session hijacking in 2023. “Increased use of features like Windows Defender Credential Guard are forcing attackers to pivot – either capturing users’ passwords to enable lateral movement, or hijacking the remote session itself to access sensitive data and systems. The latter is particularly powerful.”
By targeting users with elevated rights, the attacks are more potent, harder to detect, and more difficult to remove. “The user is typically unaware that anything has happened. It takes just milliseconds to inject key sequences and issue commands that create a backdoor for persistent access. And it works even if privileged access management (PAM) systems are being used to employ MFA, such as smart cards.”
Session hijacking does not involve exploiting a fixable vulnerability – it is about abusing the legitimate functionality of remote session protocols, such as RDP, ICA and SSH. “If such an attack connects to OT and ICS running factories and industrial plants, there could also be a physical impact on operational availability and safety – potentially cutting off access to energy or water for entire areas.”
APTs targeting CNI through OT
“Attacks targeting critical national infrastructure tend to be the work of APT groups working on behalf of nation states with specific goals,” comments Joseph Carson, chief security scientist and advisory CISO at Delinea. Those goals are governed by the current state of geopolitics, and the global tension caused by the Russia/Ukraine conflict means the stakes are high.
“These high-level adversaries are hard to defend against as they have the time and resources required to repeatedly test security measures and find gaps, whereas more opportunist criminals in search of profits will select soft targets,” he continued.
Although OT and IT networks are converging, there remains a fundamental design difference between the two. “OT systems have often been designed with a lifespan of decades in mind, and are a poor fit with the fast-moving world of modern IT networks. Gaining centralized visibility and management of such a complex environment can be extremely challenging,” he added.
This results in gaps between the two networks that APT actors can find, infiltrating the IT network and moving across to the OT network. “These issues elevate the potential threat of a nation state actor infiltrating the system and causing serious disruption,” he continued.
According to Kaspersky’s experts, there will likely be a shift in APT activity against industrial organizations in new industries and locations. “Real economy sectors such as agriculture, logistics and transport, the alternative energy sector, and the energy sector as a whole, high-tech, pharmaceuticals and medical equipment producers are likely to see more attacks next year,” they say. “Moreover, traditional targets such as the military industrial complex and the government sector will also remain a focus.”
Kaspersky also warns that there will likely be an increased level of cooperation between criminals and APTs. “Other risks to watch out for are the heightened criminal activity with a goal to harvest user credentials as well as more volunteer ideological and politically motivated insiders working with criminal groups, usually extortionists and APTs,” it says. “These insiders may be active in production facilities as well as technology developers, product vendors and service providers.”
Human costs
Attacks on the OT of critical industries have real world implications, which may worsen in 2023. “Whether it’s contaminated water supplies or minimal access to fuel, we’ve seen the costs these cyberattacks have firsthand,” comments Edward Liebig, global director of cyber-ecosystem at Hexagon Asset Lifecycle Intelligence. “While hackers’ activities will likely still be money-driven, we can expect to see human cost become more of a play in the following year.”
He is concerned that IT and OT security convergence is still not effective. “Attacks that have been close calls in the past (such as the poisoning of the water supply from a Florida plant in 2021) will eventually have human costs.”
Catastrophic attack on the energy grid
Liebig is also concerned about attacks on the energy grid. “As Ukraine stands its ground in its conflict with Russia, we’re likely to not only see more attacks on Ukrainian energy infrastructure, but the US’s infrastructure as well,” he warns. “At the beginning of 2022, Homeland Security warned that domestic extremists had been developing plans to attack the US electric power infrastructure for years.”
As a result, he continued, “The combination of aforementioned factors makes the US’s power grid more vulnerable to cyberattacks than it has been in a long time.”
The way forward
Sam Curry, CSO at Cybereason, believes there needs to be a fundamental change of approach from the ICS/OT system providers. “Many of the security basics are simply not present, such as leveraging roots of trust and trusted execution environment, strong cryptographic options, hardening, secure update and shipping with strong identity options and no default access, to name a few,” he says. “Most devices don’t ship with hardening options or advice, have poor documentation and no understanding of ultimate use cases.”
This results in customers setting up devices, but rarely coming back to manage the ongoing device lifecycle, let alone maintaining security aggressively as they should. “There are missed business opportunities for security services and secure management services as a service that are being left behind. Done correctly, there’s not only lower risk for business, but there’s money to be made and real value to provide.”
He adds, “2023 needs to be the year to reset ICS and OT standards for security.”
Ronnie Fabela, CTO and co-founder at SynSaber, also sees scope for improvement in standards. “From the practitioner side of ICS cybersecurity, 2023 will continue to see an overwhelming message of guidance, regulation, media, and FUD about topics such as ransomware, threat actors, and nation-states,” he says.
“My prediction for 2023 is that while this will continue, the industry’s response will be loud and focused: ‘Enough guidance and FUD. Help us execute.’” His position is that industrial operators and asset owners know their systems better than anyone. Now they are on board with cyber, empowering the operating community is the only true way to move the needle.
“A shift from ‘We know better’ to ‘You know better’ will be tough for a cybersecurity industry that is used to being the hero,” he adds. “The faster all of us can change this mindset; the more successful 2023 will be for defending critical infrastructure.” There will consequently be continued movement from guidance to regulation.
But Jablanski offers a word of warning, more to do with party politics than geopolitics: “New direction and bolstered industry involvement will produce greater situational awareness, trust, and resolve across the critical infrastructure security community. As a warning, policymakers should avoid a partisan future for reducing cybersecurity risks to critical infrastructure.”
A researcher has discovered two potentially serious vulnerabilities affecting Econolite traffic controllers. Exploitation of the security flaws can have serious real-world impact, but they remain unpatched.
Cyber offensive researcher Rustam Amin informed the US Cybersecurity and Infrastructure Security Agency (CISA) that he had identified critical and high-severity vulnerabilities in Econolite EOS, a traffic controller software developed for the Econolite Cobalt and other advanced transportation controllers (ATC).
The California-based vendor’s website says it has deployed more than 360 systems, 150,000 traffic cabinets, 120,000 traffic controllers, and over 160,000 sensors. In December 2022, the company reported reaching more than 10,000 installations of its EOS software.
Amin discovered two types of vulnerabilities. One, rated ‘critical severity’ and tracked as CVE-2023-0452, has been described by CISA as an issue related to the use of a weak algorithm for hashing privileged user credentials.
“A configuration file that is accessible without authentication uses MD5 hashes for encrypting credentials, including those of administrators and technicians,” CISA said in its advisory.
The second issue, tracked as CVE-2023-0452 and rated ‘high severity’, is an improper access control issue. An attacker can view log, database and configuration files that can contain username and password hashes for users, including administrators and technicians.
These vulnerabilities can allow a remote, unauthenticated attacker to gain full control of traffic control functions.
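The credential-at-rest weakness described in the advisory, shown as an added example that is not Econolite’s code and not taken from CISA: the weak scheme (an unsalted MD5 digest stored in a file that is readable without authentication) beside a hardened one (per-user random salt and PBKDF2-HMAC-SHA256 from the Python standard library), plus a small audit function that flags bare MD5 records in a configuration. Usernames, passwords, the record format and the iteration count are constructed assumptions.

```python
"""Weak versus hardened storage of privileged credentials (added example)."""
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

ITERATIONS = 100_000           # assumed work factor for this example
_MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def store_weak(password: str) -> str:
    """Unsalted MD5: the same password yields the same digest on every device,
    so a digest read out of an exposed config file can be matched against
    precomputed tables without ever touching the controller again."""
    return hashlib.md5(password.encode()).hexdigest()


def store_hardened(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256.
    Record format (assumed): pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hardened(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_config(records: Dict[str, str]) -> Dict[str, str]:
    """Classify each stored credential record: 'weak:md5', 'ok:pbkdf2_sha256'
    or 'unknown'. Input maps username -> stored record."""
    verdicts = {}
    for user, rec in records.items():
        if _MD5_HEX.match(rec):
            verdicts[user] = "weak:md5"
        elif rec.startswith("pbkdf2_sha256$"):
            verdicts[user] = "ok:pbkdf2_sha256"
        else:
            verdicts[user] = "unknown"
    return verdicts


if __name__ == "__main__":
    # Constructed sample config: one legacy record, one migrated record.
    sample = {"admin": store_weak("password"), "technician": store_hardened("s3rvice-2023")}
    for user, verdict in audit_config(sample).items():
        print(f"{user:12s} {verdict}")
```

The hardened record still has to be protected from unauthenticated reads: a strong hash raises the cost of recovering the password from a leaked file, but it does not make the file safe to expose, and the improper access control finding would remain even after the hashing scheme was fixed.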
Amin conducted an internet search to see how many EOS systems are exposed to attacks from the web. He told SecurityWeek that he identified roughly 50 exposed controllers that are running older firmware. These systems are not affected by the flaws he discovered, but they are still not secure.
In addition, he discovered approximately 30 controllers running 2018-2020 versions of the EOS software and these systems are vulnerable to remote attacks.
He also found roughly 500 instances of associated devices that can be found in the affected controllers’ proximity, including routers and cameras, which have their own security issues.
The researcher explained in a post on LinkedIn that the vulnerable devices are typically located on toll roads and in small cities and counties. While the exposed devices are not in major cities, they do appear to be near international airports, border crossings, shopping centers, universities and hospitals.
A hacker who successfully exploits these vulnerabilities can control traffic lights, but the researcher pointed out that they cannot turn all the lights green, which would have a serious safety impact.
“Still, an attacker can make it very hard to pass the controlled crossroad, making green very short, and red very long, or just green very long in one direction,” the researcher explained. “An attacker can create VIP routes for runaway vehicles [and] slow down some targeted vehicles, like ones with valuable things. And much more. People will lose time, money and hopefully not their life.”
He added that once they have access to the controller, an attacker can also hack related equipment, such as sensors and cameras.
The vendor has not responded to SecurityWeek’s request for comment.
CISA initially said in its advisory that Econolite had not responded to the agency’s attempts to coordinate disclosure of the vulnerabilities. However, after Amin described the impact of his findings on LinkedIn, CISA updated its advisory to say that the company is working on patches.
Until patches are released, Amin recommends disconnecting affected controllers from the internet, ensuring that controller cabinets are secure against physical attacks (an attacker with physical access to a controller can take complete control of the system), isolating the networks housing controllers, installing firmware updates when available, and changing passwords and WLAN access codes.
Amin told SecurityWeek that the Econolite EOS vulnerabilities were discovered as part of a bigger research project whose results will be made public in the upcoming period.
The Google Fi telecommunications service has informed customers about a data breach that appears to be related to the recently disclosed T-Mobile cyberattack.
T-Mobile is Google Fi’s primary network provider, which means the incident is likely related to the hacker attack disclosed by the wireless carrier in mid-January.
Google Fi said there had been unauthorized access to a third-party customer support system containing a “limited amount” of customer data. This data includes phone number, account activation date, mobile service plan, SIM card serial number, and account status.
The company says names, dates of birth, email addresses, payment card details, social security numbers, financial account information, passwords or PINs were not exposed. Hackers also did not gain access to the content of calls or SMS messages.
“There was no access to Google’s systems or any systems overseen by Google,” customers were told.
Most of the impacted customers do not need to take any action — except be on the lookout for phishing attempts. However, one Google Fi user reported on Reddit that their notification also informed them that their mobile phone service had been transferred from their SIM card to another SIM card for nearly two hours on January 1.
The notification from Google Fi, according to the impacted customer, read, “During the time of this temporary transfer, the unauthorized access could have involved the use of your phone number to send and receive phone calls and text messages. Despite the SIM transfer, your voicemail could not have been accessed. We have restored Google Fi service to your SIM card.”
The customer confirmed that their SIM card had been targeted in a SIM swapping attack on January 1, and claimed that the hacker used it to access three online accounts, including email, financial account, and the Authy authenticator app.
“I tried reporting this repeatedly to Google Fi, including with detailed evidence, and their customer support reps didn’t believe me and didn’t follow up,” the customer said. “They thought this was a standard password compromise or something, even though I could clearly see from activity logs that the hacker reset my passwords rather than logging in and then changing them, and I could see in the Google Fi activity logs the SMSes I didn’t receive that they used to compromise my accounts.”
As for T-Mobile, the company said it detected a data breach on January 5. The threat actor, which has not been identified, apparently abused an API to access customer account data such as name, billing address, phone number, email, date of birth, and service information. Roughly 37 million current postpaid and prepaid customer accounts are impacted.
About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.
SecurityWeek Cyber Insights 2023 | Cyberinsurance – Cyberinsurance emerged into the mainstream in 2020. In 2021 it found its sums were wrong over ransomware and it had to increase premiums dramatically. In 2022, Russia invaded Ukraine with the potential for more serious and more costly global nation state cyberattacks – and Lloyd’s of London announced a stronger and clearer war exclusions clause.
Higher premiums and wider exclusions are the primary methods for insurance to balance its books – and it is already having to use both. The question for 2023 and beyond is whether the cyberinsurance industry can make a profit without destroying its market. But one thing is certain: a mainstream, funds-rich business like insurance will not easily relinquish a market from which it can profit.
It has a third tool, which has not yet been fully unleashed: prerequisites for cover.
The Lloyd’s war exclusion clause and other difficulties
The Lloyd’s exclusion clause dates to the NotPetya incident of 2017. In some cases, insurers refused to pay out on related claims. Josephine Wolff, an associate professor of cybersecurity policy at Fletcher, Tufts, has written a history of cyberinsurance titled Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks.
“Merck and Mondelez sued their insurers for denying claims related to the attack on the grounds that it was excluded from coverage as a hostile or warlike action because it was perpetrated by a national government,” she explains. However, an initial ruling in late 2021, unsealed in January 2022, indicated that if insurers wanted to exclude state-sponsored attacks from their coverage they must write exclusions stating that explicitly, rather than relying on boilerplate war exclusions. Merck was granted summary judgment on its claim for $1.4 billion.
The Russia/Ukraine kinetic war has caused a massively increased expectation of nation state-inspired cyberattacks against Europe, the US, NATO, and other west-leaning nations. Lloyd’s rapidly responded with an expanded, but cyberinsurance-centric, war exclusion clause excluding state-sponsored cyberattacks that will kick in from March 2023.
But “who gets to decide whether an attack is state-sponsored?” asks Wolff. “And what does it even mean for the attack to be state sponsored: that it was perpetrated by government employees? Or paid for by a government? Or even just tacitly permitted by a government? And state-sponsored cyberattacks are not rare occurrences – an exclusion for them is very different from a war exclusion that deals with a fairly well-specified and infrequent event.”
She is not alone with such concerns. “The issue here lies in the murky waters of attribution,” explains Chris Denbigh-White, cybersecurity strategist at Next DLP. “Was the attack ‘state-conducted?’ Was it ‘state sponsored?’ Was it ‘state inspired?’ or was it simply a criminal organization piggybacking an existing conflict for financial gain?”
“Looking ahead,” continued Wolff, “I think insurers and their policyholders are going to find themselves mired in a lot of fights about attribution and how to define what makes a cyberattack state-sponsored or catastrophic or uninsurable.” Two things are certain: security defenders will have increased questions over the cost/return value of cyberinsurance, while insurers will be seeking new ways to ensure their market doesn’t disappear.
The insurers have one major advantage: insurance has been a staple part of business for centuries, and business leaders don’t seem inclined to exclude it from security. Joseph Carson, chief security scientist and advisory CISO at Delinea, notes that his own firm’s survey reveals 33% of IT decision makers applied for cyberinsurance due to a requirement from their board and executive management.
He also notes that 80% had subsequently called upon that insurance with more than half doing so more than once. “As a result of more cyber insurance policies being introduced, and ultimately many businesses needing to use them,” he comments, “the cost of cyber insurance is continuing to rise at alarming rates. I expect to see this continue in 2023.”
The insured’s concern over a falling return on investment is not the only worry for the insurers – whether we are in a defined recession or not, the world is certainly suffering an economic downturn. This is already affecting security budgets. “Companies spent massively during the pandemic, and now that the economy has cooled, spending will go back to 2019/2020 levels,” explains Jerry Caponera, GM at ThreatConnect.
“A very likely outcome of this,” he continued, “is that more companies will fall below the cybersecurity poverty line (CPL). With inflation currently [at the time of writing] over 8% – measuring 4x higher than the central bank’s target rate of 2% – companies who hadn’t planned for increased costs will find themselves with less money to spend on cyber, thus falling further below the CPL and finding themselves facing the hard decision on where to spend their next investment dollar.”
Firms will increasingly need to choose between cybersecurity mitigations or cyberinsurance – and neither of these options on their own will benefit the insurance industry.
Insurers’ response
2023 is a watershed moment for cyberinsurance. It will not abandon what promises to be a massive market – but clearly it cannot continue with its makeshift approach of simply increasing both premiums and exclusions to balance the books indefinitely.
One option would be to become more granular in the cover it offers. Instead of a single cybersecurity policy with a long list of exclusions, it could offer coverage in specific areas only. This would allow coverage to be more tightly defined with fewer, if any, exclusions. Further, suggests Chris Gray, AVP of security strategy at Deepwatch, it would “allow basic risk management into services while providing the ability to charge increased premiums for more upscale/impactful attacks.”
This approach is not without precedent in other industries. The Food Liability Insurance Program (FLIP) provides insurance designed for small food businesses with gross annual receipts under $500,000. The Forward Contract Insurance Protection (FCIP) plan is a supplemental insurance that provides an indemnity for farmers unable to deliver contracted volumes.
“Government intervention in the form of sanction insurance programs – a la TRIP, FLIP, FCIP, etcetera – is likely to evolve, with a significant discussion regarding coverage areas and their impact on national security,” suggests Gray.
One of the strongest likelihoods over the coming years, however, is the growth of imposed cybersecurity requirements; that is, insurers will decline coverage unless the insured conforms to a specified security posture. This is the final option – when you can no longer increase premiums and exclusions, you have to reduce claims. And this is best achieved by helping industry prevent cyber incidents.
It may still not be enough. Chris Denbigh-White, cybersecurity strategist at Next DLP, argues, “The notion of ‘insuring away cyber risk’ will become (and arguably always was) somewhat unrealistic. Insurance premiums, prerequisites and policy exclusions will no doubt continue to increase in 2023 which will have the effect of narrowing the actual scope of what is really covered as well as increasing the overall cost.”
Nevertheless, the expansion of ‘prerequisites’ would be a major – and probably inevitable – evolution in the development of cyberinsurance. Cyberinsurance began as a relatively simple gap-filler. The industry recognized that standard business insurance didn’t explicitly cover against cyber risks, and cyberinsurance evolved to fill that gap. In the beginning, there was no intention to impose cybersecurity conditions on the insured, beyond perhaps a few non-specific basics such as having MFA installed.
But now, comments Scott Sutherland, VP of research at NetSPI, “Insurance company security testing standards will evolve.” It’s been done before, and PCI DSS is the classic example. The payment card industry, explains Sutherland, “observed the personal/business risk associated with insufficient security controls and the key stakeholders combined forces to build policies, standards, and testing procedures that could help reduce that risk in a manageable way for their respective industries.”
He continued, “My guess and hope for 2023, is that the major cyber insurance companies start talking about developing a unified standard for qualifying for cyber insurance. Hopefully, that will bring more qualified security testers into that market which can help drive down the price of assessments and reduce the guesswork/risk being taken on by the cyber insurance companies. While there are undoubtedly more cyber insurance companies than card brands, I think it would work in the best interest of the major players to start serious discussions around the issue and potential solutions.”
Bob Ackerman, MD and founder of AllegisCyber, agrees with Sutherland about the way forward for cyberinsurance, but is damning about its progress so far. “Unfortunately, insurers have struggled to take advantage of the opportunity, writing policies with numerous exclusions, high deductibles, and low coverage caps, and showing massive losses in the process. The market opportunity will require insurers to become proactive in defining performance thresholds in order to be ‘insurable’.”
He believes a PCI DSS-style model could be the solution. “By setting standards and measuring related performance, insurers can help define ‘cyber secure’ and build a profitable book of business in the process.”
Mark Lance, VP of DFIR and threat intelligence at GuidePoint Security, even suggests what it might look like. “We’ll continue to see an expansion from traditional questionnaires to actual validation, which will not only include a baseline of standard security solutions (EDR, PAM, MFA), their associated and current configurations (ASM) but also the presence of standard policies (IR Plans, Playbooks), and execution capabilities (Proof of User Awareness Training and Tabletop validation).”
Mike McLellan, director of intelligence at Secureworks, adds, “The requirements on organizations wishing to obtain cyber insurance will become more and more stringent, and organizations that are unable or unwilling to comply will find coverage is declined.”
Whether a PCI DSS-style cyberinsurance standard can work is a separate question. While PCI DSS is a well-respected security standard, it has not eliminated the criminal theft of payment card details. GDPR has not eliminated the theft of PII. Put simply, successful cyberattacks cannot be eliminated by cybersecurity tools.
But to even reach the stage of a defined cyberinsurance standard, the insurance industry will either have to get into bed with existing security vendors or become a cybersecurity company itself. The former is worrying – depending on the closeness of the relationship and the degree to which the vendor seeks to satisfy the insurance industry rather than its own customers – while the latter is doomed to failure. The more mature security vendors have been working for more than two decades on eliminating cyber threats with varying but ultimately little success.
Whether or not a full cyberinsurance security standard emerges, there will be increasing cooperation if not collaboration between insurers and security vendors in 2023. “The borderless nature of networks, coupled with a threat landscape that is less predictable, necessitates the need for true risk quantification of companies’ security controls now more than ever. With that, I expect to see more investment into quantifying cyber risk. This will drive better collaboration and data sharing between security companies,” explains Jason Rebholz, CISO at Corvus Insurance. “Cyber insurance carriers will lean into partnerships with technology companies to fuse security data with insurance and risk modeling insights. The net result is more accurate risk quantification, which will in turn help keep policyholders safer.”
There is no silver bullet for cybersecurity. Breaches will continue and will continue to rise in cost and severity – and the insurance industry will continue to balance its books through increasing premiums, exclusions, and insurance refusals. The best that can be hoped for from insurers increasing security requirements is that, as Norman Kromberg, MD at NetSPI suggests, “Cyber Insurance will become a leading driver for investment in security and IT controls.”
An interesting comment comes from Jennifer Mulvihill, business development head of cyberinsurance and legal at BlueVoyant: “The underwriting process and the completion of an underwriting application are excellent ways to self-assess and consider the protection of assets from a cyber perspective. The information gleaned from these exercises is valuable information, not only for the CISO, but for the Board and CFO, and augments financial investments and regulatory compliance.” Insurers could charge for the right to apply for insurance, but if a prospective customer must pay, that customer could simply pay a cybersecurity consultant for the same service and ignore insurance altogether.
Summary
It is unlikely that the insurance industry will be able to balance its books through raising premiums and reducing payouts through increasing exclusions, nor yet eliminate claims through a required cybersecurity standard. The threats are too varied and too extreme.
“Obtaining or maintaining a policy is a challenge at scale,” comments Corey O’Connor, director of products at DoControl. “The bigger your business grows, the more challenging it will be to meet these requirements. More and more organizations were being dropped by providers throughout the last year, and going into 2023 there will likely be a trend of organizations being unable to receive coverage.”
It may be that government will be dragged into the equation. “I think there’s going to be pressure on governments to clarify under what circumstances they’ll provide some sort of backstop for coverage of catastrophic cyberattacks, pressure on insurers to not exclude too many types of attacks, and pressure on policyholders to challenge these exclusions in court if their claims are denied,” suggests Josephine Wolff. “Rising premiums don’t seem to have deterred businesses from buying cyberinsurance, so I don’t know that these new types of exclusions will either, but I wonder how well they’ll hold up in the face of a major cyberattack.”
“Will Cyber insurance become an expensive ‘tick in a box’ or will it deliver real value?” asks Denbigh-White. “Will it even remain a viable offering from insurance companies in 2023? While carrying cyber insurance is rapidly becoming a ‘security prerequisite’ for many organizations, its benefit in relation to cost and cover remain uncertain as we move into 2023.”
But “Rule no. 1,” warns Mark Warren, product specialist at Osirium, “insurance always wins!” Insurance will get more expensive, more difficult to get, and less likely to pay out. “As a result, more organizations may decide not to take out insurance at all, instead focusing on ploughing resources into protection. If this happens, we can expect to see insurance companies partnering with big consulting firms to offer joined up services.”
He fears that buying cyberinsurance may simply become a cost of doing business. “Pointless it may be, if insurers are never going to pay out… but buying cyber insurance may simply become a necessary cost of doing business – a box that must be ticked to demonstrate to shareholders that all steps are being taken to protect the business and ensure resilience and continuity.”
Chainguard on Tuesday published a draft OpenVEX specification to help software vendors and maintainers communicate precise metadata about the vulnerability status of products directly to end users.
The Chainguard specification is an implementation of the NTIA’s VEX (Vulnerability Exploitability eXchange) concept that aims to provide additional information on whether a product is impacted by a specific vulnerability in an included component and, if affected, whether there are actions recommended to remediate.
In an interview with SecurityWeek, Chainguard chief executive Dan Lorenc said OpenVEX is designed to meet the minimum requirements defined by the U.S. government’s CISA cybersecurity agency and will help reduce false positives and improve the quality of SBOMs (software bills of materials).
Lorenc said OpenVEX, which was designed in collaboration with CISA’s VEX working group, will allow software suppliers to communicate precise, actionable metadata to improve the signal to noise ratio and add important context to vulnerability warnings.
“OpenVEX makes it easy for software producers to accurately describe their artifacts’ exploitability [and] makes it easier for software consumers to filter out false positives from vulnerability scanners. This means security professionals spend more time investigating worthwhile security concerns, and less time wading through erroneous findings,” Chainguard said in a note announcing the draft specification.
“OpenVEX encodes learnings of false positives and enables consumers to prioritize vulnerability reports much more effectively,” the company added.
Chainguard’s Lorenc said OpenVEX is complementary to SBOMs and is the first format to meet the VEX Minimum Requirements. To prove functionality end-to-end, the company has also put OpenVEX into production in its Wolfi Linux distro and its own Chainguard Images product.
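How a consumer would actually apply such statements, as an added example that is not Chainguard’s or the OpenVEX project’s code: a small Python filter that reads a VEX-style JSON document, validates each statement, and uses it to separate scanner findings that still need triage from those a supplier has declared not affected or fixed. The document layout follows the shape of an OpenVEX statement list (a vulnerability, the products it applies to, a status), but the exact field names are an assumption of this example, and the context URL, package identifiers and CVE identifiers are constructed placeholders.

```python
"""Constructed VEX consumer example: filter scanner findings with VEX statements.

The document layout follows the OpenVEX draft's shape (a "statements" list
naming a vulnerability, the products it applies to and a status); the field
names are an assumption of this example, and every identifier below is a
constructed placeholder, not a real package or CVE.
"""
import json

# Status values from the VEX minimum requirements.
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

# Machine-readable justifications a not_affected statement may carry.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Only these statuses allow a consumer to drop a scanner finding.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}

# Constructed sample document: placeholder context URL, purls and CVE ids.
SAMPLE_VEX = json.dumps({
    "@context": "https://example.invalid/openvex-context",
    "@id": "https://example.invalid/vex/sample-1",
    "author": "Example Vendor Product Security",
    "timestamp": "2023-01-01T00:00:00Z",
    "version": "1",
    "statements": [
        {"vulnerability": "CVE-YYYY-EXAMPLE1",
         "products": ["pkg:apk/example/libfoo@1.2.3"],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": "CVE-YYYY-EXAMPLE2",
         "products": ["pkg:apk/example/libbar@2.0.0"],
         "status": "fixed"},
        {"vulnerability": "CVE-YYYY-EXAMPLE3",
         "products": ["pkg:apk/example/libbaz@0.9.1"],
         "status": "under_investigation"},
    ],
})

# Constructed malformed document: not_affected without a justification.
MALFORMED_VEX = json.dumps({"statements": [
    {"vulnerability": "CVE-YYYY-EXAMPLE1",
     "products": ["pkg:apk/example/libfoo@1.2.3"],
     "status": "not_affected"},
]})

# Constructed scanner output: one finding per (vulnerability, product) pair.
SAMPLE_FINDINGS = [
    {"vulnerability": "CVE-YYYY-EXAMPLE1", "product": "pkg:apk/example/libfoo@1.2.3"},
    {"vulnerability": "CVE-YYYY-EXAMPLE1", "product": "pkg:apk/example/libfoo@1.2.4"},
    {"vulnerability": "CVE-YYYY-EXAMPLE2", "product": "pkg:apk/example/libbar@2.0.0"},
    {"vulnerability": "CVE-YYYY-EXAMPLE3", "product": "pkg:apk/example/libbaz@0.9.1"},
    {"vulnerability": "CVE-YYYY-EXAMPLE4", "product": "pkg:apk/example/libqux@3.1.0"},
]


def load_vex(doc_json):
    """Parse and validate a VEX-style document into {(vuln, product): statement}.

    A bad status, or a not_affected statement with no recognised justification,
    raises ValueError: a document that cannot be validated must not suppress
    any finding.
    """
    index = {}
    for stmt in json.loads(doc_json).get("statements", []):
        status = stmt.get("status")
        if status not in VEX_STATUSES:
            raise ValueError(f"unknown VEX status: {status!r}")
        if status == "not_affected" and \
                stmt.get("justification") not in NOT_AFFECTED_JUSTIFICATIONS:
            raise ValueError("not_affected statement lacks a justification")
        for product in stmt.get("products", []):
            index[(stmt["vulnerability"], product)] = stmt
    return index


def vex_is_valid(doc_json):
    """True if the document parses and every statement passes validation."""
    try:
        load_vex(doc_json)
    except (ValueError, KeyError):  # json.JSONDecodeError is a ValueError
        return False
    return True


def filter_findings(findings, vex_index):
    """Split findings into (keep, suppressed).

    A finding is suppressed only when a statement matches exactly that
    vulnerability and product identifier and its status is not_affected or
    fixed. A statement for another version, an affected or under_investigation
    status, or no statement at all leaves the finding in the triage queue.
    """
    keep, suppressed = [], []
    for finding in findings:
        stmt = vex_index.get((finding["vulnerability"], finding["product"]))
        if stmt is not None and stmt["status"] in SUPPRESSING_STATUSES:
            suppressed.append({**finding, "vex_status": stmt["status"],
                               "justification": stmt.get("justification", "")})
        else:
            keep.append(finding)
    return keep, suppressed


if __name__ == "__main__":
    keep, suppressed = filter_findings(SAMPLE_FINDINGS, load_vex(SAMPLE_VEX))
    print(f"{len(suppressed)} suppressed by VEX, {len(keep)} still to triage")
    for f in keep:
        print("  triage:", f["vulnerability"], f["product"])
```

Two design choices matter for a consumer: matching is on the exact product identifier, so a statement about one version never silences a finding against another, and a document that fails validation suppresses nothing rather than being partially honoured. In practice the statements would also be checked for an authentic author (for example a signature over the document) before they are allowed to hide findings.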
The spec, designed with support from Google, HPE, VMware, and the Linux Foundation, is being positioned as an important piece of the industry-wide push to improve the security of software supply chains.
“As an end-user responsible for implementing solutions that secure our software supply chain, I often look to community efforts that show collaborative support because I know they can be trusted to deliver the best outcomes. OpenVEX is one of those projects that gives me hope we are getting to a better place both for vulnerability management but also solving some of the biggest challenges facing the production of quality SBOMs,” said Tim Pletcher, a research engineer at Hewlett Packard Enterprise.
On Friday, January 20, 2023, Google announced it would lay off 12,000 employees. Amazon and Microsoft have laid off a combined 28,000 people; Twitter has reportedly lost 5,200 people; Meta (Facebook, etcetera) is laying off 11,000… This is just the tech giants, and almost all the staff looking for new positions are, by definition, tech-savvy – and some will be cybersecurity professionals.
Layoffs are not limited to the tech giants. Smaller cybersecurity vendor firms are also affected. OneTrust has laid off 950 staff (25% of employees); Sophos has laid off 450 (10%); Lacework (300, 20%); Cybereason (200, 17%); OwnBackup (170, 17%), and the list goes on.
SecurityWeek examined how this layoff-induced influx of experienced professionals into the job seeker market is affecting, or might affect, the skills gap and recruitment in cybersecurity.
The skills gap
The skills gap is a mismatch between the skills available in the workforce, and the skills required by employers. Required skills are continuously evolving with new technology and business transformation. People can learn how to use computers, and many staff currently being laid off will already have done so. But it is far easier to learn how to use computers than it is to learn how computers work. It is in the latter area that the skills gap becomes a talent gap for cybersecurity.
So, the first observation is that current large-scale layoffs may slightly reduce the skills gap at the computer usage level but will likely have little effect on the cybersecurity-specific talent gap where employment requires a knowledge of how computers work. The talent gap is simply too large, and layoffs in these areas are likely to be readily absorbed by new security startups and expanding companies. Many of the companies involved in cybersecurity reductions will almost certainly need to rehire next year or soon after.
Mark Sasson, managing partner and executive recruiter with the Pinpoint Search Group, agrees with this. “Maybe it’s going to be a little easier for organizations to recruit, because you’re getting an influx of experience into the market. However, I don’t think that’s a fix for the talent gap – it’s not going to have a mid to long term discernible impact. There are too few people that have the skills that organizations need today. And so, people are going to get scooped up and we’re still going to have the same situation with the talent gap.”
Cyber threats are still increasing and the demand for cyber defenders is still growing. Criminals are recruiting, not contracting.
Reducing the talent gap in cybersecurity will more likely depend on changing attitudes with employers than adding numbers from those that have been laid off. You could almost say that the cybersecurity talent gap is a self-inflicted wound: employers want experience plus certifications plus new university degrees – which rarely exists in the real world.
Michael Piacente, managing partner and co-founder at Hitch Partners recruitment firm, takes a similar view. “The internal definition on scope and goals often varies greatly resulting in shifts, time delays, and often rendering the position ‘unfillable’,” he told SecurityWeek. “Perhaps it is time to stop focusing so much on resumes and job descriptions. We see these tools as outdated and too often used as a crutch resulting in bad habits, and inconsistent behavior – and they are horribly unfair for under-experienced or diversity candidates.”
He takes this to the extreme and has never supplied resumes with his candidates. “Instead, we build a storyboard about the candidate created as a result of multiple meetings, interactions, and back channels in order to focus on the candidate’s journey, the human character elements as well as their matching and gaps for the particular role.” In short, the talent gap will more likely be reduced by redefining the gap than by seeking to match unrealistic demands to the existing work pool.
Dave Gerry, CEO of Bugcrowd, has a specific recommendation based on diversity candidates. He believes organizations need to be more open to the diversity pool – including neurodiversity (see Harnessing Neurodiversity Within Cybersecurity Teams). “Organizations,” he said, “need to continue to expand their recruiting pool, account for the bias that can currently exist in cyber-recruiting, and provide in-depth training via apprenticeships, internships and on-the-job training, to help create the next generation of cyber-talent.”
However, even if the influx of laid-off experience will have little overall or lasting effect on the macrocosm of the skills gap, it will almost certainly have an immediate effect on recruitment in the microcosm of the cybersecurity talent gap.
Recruitment in cybersecurity
Cybersecurity is not immune to the current round of staff trimming – and it includes security leaders as well as security engineers. Ultimately, it’s a cost cutting exercise; and organizations can save as much money by cutting one leader’s position as they can by cutting two engineers. “Organizations are asking themselves if they can survive letting one person go but still get the job done with the remaining team,” explains Sasson. “If the answer is yes or even maybe, they’re tending to let go of the more highly paid and highly skilled people because they think maybe they can do more with less.”
That’s a top-down approach to staff reductions, but the same argument is used in a bottom-up approach. Joseph Thomssen is senior cybersecurity recruiter at NinjaJobs (a community-run job platform developed by information security professionals). “A company that is not security focused may feel like they can rely on their senior employees to pick up lower-level responsibilities,” he said, “and this can be detrimental to a security team.”
The overall result is that we now have laid off cybersecurity engineers looking for new employment, and we have employed cybersecurity leaders looking for alternative and safer positions. “Many of these layoffs in cybersecurity seem to be short-term attempts to save money,” adds Thomssen – but he fears it may backfire on companies reducing their security workforce. Expecting fewer staff to take on more responsibility will likely have a detrimental effect – it may cause burnout. “I call it the layoff/quit combination,” he said.
Piacente also notes the cuts are not simply targeted at weeding out underperforming employees. “There are great candidates impacted due to them being in the wrong place at the wrong time; and we are seeing this industry wide.”
Of course, there are many cybersecurity experts who believe this is a false and dangerous approach, and that cybersecurity is a necessity that should be expanded rather than cut. But that is an argument put forward by every business department in times of economic stress.
One effect of the cybersecurity layoffs and the accompanying increase in the number of experienced people seeking employment is that the recruitment market is moving from a candidate market toward a hirer market – just like home buying fluctuates between a buyer and a seller market depending on supply (properties available) and demand (money to buy). For many years, experienced cybersecurity engineers have been able to pick and choose their employer, and demand somewhat inflated salaries and conditions; but that is no longer the case.
This is beginning to be apparent in the salaries offered. “They’re leveling off,” says Sasson, “maybe even going down. But this needs to be taken in the context of pretty dramatic increases from just a few quarters ago, during the candidate-driven market.” Sasson thought at the time that these were unsustainable. But now, “Folks that are looking for those massive compensation packages from just a year ago are going to have to adjust their expectations.”
Sam Del Toro, senior cybersecurity recruiter at Optomi, has seen a similar growing misalignment between compensation expectation and realization – especially in the more senior positions. Because of the layoffs, there are now more mid to senior level candidates looking for new opportunities.
“On the other hand,” he said, “over the past couple of years we have seen cybersecurity compensation rise significantly. Now, as organizations are tightening their budgets and being more fiscally aware, it is making it tough to align candidate and client compensation.”
Thomssen sees another and different effect of the evolving hirer’s market. “I have seen security staff recruitment switch from direct hires to roles based on shorter term project contracts. In the past you would not see security professionals entertain such contracts, but the security staff recruitment landscape has seen a shift that way.”
It’s not clear whether this will develop into a common long term approach to cybersecurity recruitment or will just be a short-term solution to economic uncertainty. Is the gig economy coming to cybersecurity? It’s been growing in many other segments of employment, and perhaps the current economic climate will boost an existing trend just as Covid-19 boosted remote working.
One visible sign might come with an increase in the employment of virtual CISOs (vCISOs). This would retain access to high level expertise while reducing costs. Another might be an increased use of managed security service providers (MSSPs). “We’re seeing more and more security operations outsourced to consultants and contractors, or to vCISOs and Global CISOs, or whatever you’d like to call it,” comments Mika Aalto, co-founder and CEO at Hoxhunt. But he adds, “This can work with smaller companies, but it’s risky. Security should be looked at as a competitive advantage and a growth strategy, not a luxury.”
Piacente’s firm has seen a 20% increase in the new candidate flow. While the primary cause is the economy, the detailed cause is difficult to isolate. Cybersecurity has always experienced rapid churn with staff from all levels regularly moving to a new company for promotion or improved remuneration. This churn continues, but is complicated by employed people just looking around – not because they are being laid off, but just in case they will be laid off.
At the same time, some people who might normally be on the lookout for better opportunities are choosing to keep what they have until more stable conditions return. “One other observation in these cycles,” adds Piacente, “is that candidates who fall into the diversity category tend to be more resistant to making a change. Since there are already significantly less candidates in this category it makes it more difficult for companies to achieve their goals of creating a more diverse organization or program. This is when companies really need to place care, attention, and a dose of reality into their change initiatives.”
Bugcrowd is a firm that has actively sought to recruit from the ‘diversity’ pool. “Employers need to take a more active approach to recruiting from non-traditional backgrounds, which, in turn, significantly expands the candidate pool from just those with formal degrees to individuals, who, with the right training, have incredibly high-potential,” comments Gerry.
It could be expected that with some companies laying off experienced staff and others simply not hiring new staff, breaking into cybersecurity for new, inexperienced or diverse people will become even more difficult. After all, companies reducing staff levels to save money are not likely to spend money on in-house training for new inexperienced staff.
Del Toro doesn’t see it quite like that – it has always been almost impossible. “I do not think that the influx of [experienced] candidates on the market has much of an impact on newcomers finding opportunities because there are simply not enough entry level cybersecurity roles in general,” he said. “Organizations are almost always looking for mid-level candidates and above rather than bringing on competent and excited newbies, because the latter takes much more than fiscal resources.”
Recruitment going forward
It’s difficult to determine the actual number of experienced cybersecurity professionals being laid off among the overall staff reductions, but it is likely to be substantial. Although boards have become more open to the idea that security is a business enabler, there is nevertheless no discernible line between security and profit. There is, however, a direct line between security and cost. It is almost a no-brainer for security to be heavily featured among staff reductions. But this may be bad thinking.
For all layoffs, companies should proceed with caution. When large numbers of staff need to be cut for economic reasons, those same economic reasons may cause it to be done swiftly and perhaps brutally. These suddenly unemployed people will have inside knowledge of the company and its systems, and some will have thoughts of retaliation. At the same time, the company may have reduced the effectiveness of its cybersecurity team just as it faces a new threat from recently departed, potentially malicious insiders. The practical consequence is that offboarding cannot be allowed to lag behind the announcement: accounts, remote access, API tokens and any shared credentials known to departing staff need to be revoked or rotated on the day of departure, not in the weeks that follow.
“Layoffs are affecting much of the tech industry and cybersecurity isn’t immune,” comments Mike Parkin, senior technical engineer at Vulcan Cyber. “While no department should really be immune when companies have to tighten their belts, the threat from losing skilled personnel in security operations can have a disproportionate effect.”
Overall, we’ve had a candidate market in cybersecurity recruitment but we’re shifting toward an employer market. Del Toro offers this advice for security people laid off and looking for a new position: “I would tell job seekers to be prepared for longer interview processes and longer time before offers are extended. Hiring managers are under more pressure to be diligent so candidates will need to be more cognizant of interview etiquette. Most importantly make sure you are keeping your skills sharp – use your time off to find passion projects and get better at your craft, not only to stay relevant in the security space but to renew your love for what you do!”
Authorities in the United States and Europe have announced the results of a major law enforcement operation targeting the Hive ransomware.
Agencies from around the world worked together to take down Hive’s leak website and servers. In addition, agents hacked into Hive systems in July 2022, allowing them to identify targets and obtain decryption keys that allowed victims to recover encrypted files without paying a ransom.
Authorities continue to investigate Hive in an effort to identify the cybercriminals involved in the operation, including developers, administrators and affiliates. The US announced that it’s offering rewards of up to $10 million for information on these and other hackers.
Several industry professionals have commented on various aspects of the Hive takedown, many noting that while Hive may have fallen, the threat actors behind the operation will likely continue their malicious activities.
And the feedback begins…
Kimberly Goody, Senior Manager, Mandiant Intelligence, Google Cloud:
“We’ve seen multiple actors using Hive ransomware since it emerged, but the most prolific actor over the past year, based on our visibility, was UNC2727. Their operations are notable because they have commonly impacted the healthcare sector. Hive also hasn’t been the only ransomware in their toolkit; in the past we’ve seen them employ Conti and MountLocker among others. This shows that some actors already have relationships within the broad ecosystem that could enable them to easily shift to using another brand as part of their operations.”
Crane Hassold, former FBI cyber psychological operations analyst, Head of Research, Abnormal Security:
“Unlike some other cyber threats, like business email compromise (BEC), the ransomware landscape is very centralized, meaning a relatively small number of groups are responsible for a majority of all the attacks. The silver lining to this top-heavy ecosystem is that disruptive actions against one of these primary groups, such as law enforcement takedowns, can have a significant impact on the overall landscape. Since Hive has been one of the biggest players in the ransomware space over the past year, I would expect this takedown to have a noticeable impact on ransomware volume, at least in the short-term.
Because of the increased pressure from global law enforcement and the likely regulatory controls of cryptocurrency, one of the biggest drivers of today’s ransomware landscape, it’s very possible that we’ll start to see ransomware actors pivot to other types of cyber attacks, like BEC. BEC is the most financially-impactful cyber threat today and, instead of using their initial access malware to gain a foothold on a company’s network, they could simply reconfigure the malware to establish access to employee mailboxes, which could lead to more scaled and sophisticated vendor email compromise attacks.”
Satnam Narang, Senior Research Engineer, Tenable:
“The actions undertaken by U.S. agencies to disrupt the Hive ransomware group operation from within is an unprecedented step in the fight against ransomware, which has steadily remained the biggest threat facing most organizations today. While this may signal the end of the Hive ransomware group, its members and affiliates remain a threat. If there’s anything we’ve learned after past disruptive actions against ransomware groups, it’s that other groups will rise to fill the void left behind. Affiliates, which are typically responsible for conducting most of these attacks, can easily pivot to other affiliate programs of groups that remain operational and ransomware group members can also take their knowledge to these groups. One of the key ways ransomware groups gain attention and notoriety is by publishing their successful attacks on data leak sites on the dark web. It wouldn’t surprise me if ransomware groups see the threat posed by maintaining these sites and stop publicly listing these attacks in an attempt to stay under the radar.”
Kurt Baumgartner, Principal Researcher, Kaspersky:
“The frequency of ransomware attacks has been up, while victim payments have reportedly gone down. This is a great trend, and this coordinated effort is what we need to see more of from law enforcement around the world. Some of this effort in letting the activity progress may seem somewhat controversial, but generating decryption keys for victims over time helps to exhaust the group’s resources.
Yes, in all likelihood, another gang is going to fill the void. It takes time and effort, but the incentives are in the hundreds of millions of dollars.
It’s somewhat surprising that the group housed their server resources in-country in Los Angeles. Apparently they thought everything was secured and hidden by the Tor network. Law enforcement put on display some impressive capabilities in infiltrating, seizing, and disrupting some of the gang’s resources. The actors behind this group have shown a reckless disregard for human life in their efforts to victimize schools and hospitals.”
Austin Berglas, Global Head of Professional Services, BlueVoyant:
“True dismantlement comes only when law enforcement can “put hands on” or arrest the individuals responsible. However, identifying the actual human beings behind the keyboard is a very difficult task. Many of these cyber criminals are adept at anonymizing their online communications, locations, and infrastructure – often operating in global locations where international law enforcement cooperation is non-existent and utilizing bullet-proof hosting providers, which are unresponsive to legal process.
There may be a temporary decline in ransomware activity in the wake of the website seizure as groups scramble to harden defenses and tighten their inner circles, but this will not make an overall, noticeable impact on global ransomware attacks. History has shown that ransomware gangs that disband either due to law enforcement actions, internal strife, or geo-political reasons will sometimes regroup under a different name. Conti, one of the most active ransomware gangs in recent history, shuttered operations soon after one of their members leaked internal Conti communications. Former members of the group are suspected of spinning off into newer groups such as BlackBasta and BlackByte.”
Jan Lovmand, CTO, BullWall:
“What is a significant win for law enforcement could in reality be a road bump for the Hive ransomware group. Whenever law enforcement starts paying too significant attention and effort to a particular group, they often scatter or reorganize under a different name. We have seen these seizures before, only for the gang to surface with new extortion sites and ransomware names, or sometimes as several smaller groups. In the past they have seen these interruptions as temporary setbacks to a very lucrative business – similar to when a drug cartel has a shipment seized. They lose some income, get disrupted, but rarely stop their criminal activity to become honest working individuals. Law enforcement in several regions have in the past recovered ransoms paid from other gangs or seized decryption keys, but what is different this time is how many victims the FBI have been able to help and for how long.”
Eric O’Neill, National Security Strategist, VMware:
“The disruption of the notorious Hive ransomware group demonstrates that the FBI has increased its ability to investigate and track threat actors across the Dark Web. This supports the commendable work the FBI’s IC3 is doing to track cybercrime attacks and coordinate efforts to repatriate stolen funds from cybercriminals, further reinforcing the importance of notifying the IC3 when a ransomware attack occurs.
It’s also worth noting how large the Dark Web has grown and how well-resourced new cyber crime syndicates, such as Hive, have become. The Dark Web is currently the third largest economy on Earth measured by GDP, which is larger than Japan or Germany. By 2025, this will grow larger than both countries combined. The FBI’s work to shut down Hive servers and repatriate encryption keys is a great step in the right direction, but it is only a step along a distant marathon to stop Dark Web-resourced cyber crime.”
Julia O’Toole, CEO, MyCena Security Solutions:
“When CISOs are reading the news about Hive’s takedown, it would be wise for them to also focus on the data being revealed about the gang’s victims and the financial losses they inflicted. The alarming numbers may be about Hive, but other ransomware gangs that have even more victims under their belt are still in operation and still pose a very real and credible threat today.
Organizations should use this takedown as a warning that ransomware is a damaging threat that is far from over. As the number one route to a ransomware attack is by gaining initial network access, network infrastructure access must be the number one priority.
When it comes to defense tools, access segmentation and encryption provide the greatest protection. These solutions stop data breaches from propagating through networks and morphing into ransomware attacks, while they also help prevent phishing attacks on employees, since they don’t know the passwords they use.”
Alfredo Hickman, Head of Information Security, Obsidian Security:
“Today’s news sends a very loud message to all cybercrime groups that if you are on this administration’s radar, they are going to be proactive – and if you get within reach of the American legal and justice system, they will hold you accountable. Some experts believe this approach still lacks teeth due to the risk/reward calculus that heavily favors cybercrime organizations operating outside the reach of the US justice system.
However, this more aggressive and proactive approach to disrupting cybercrime operations should cause pause and recalculation within some organizations. As these announcements continue to roll out and as related cybercrime operations continue to be disrupted and pressure is applied to host nations, I believe there will be fewer attacks on at least the most sensitive establishments, such as hospitals or critical infrastructures due to the near-universal condemnation and political blowback.”
Dozens of cybersecurity companies have announced staff cuts over the past year as part of reorganization strategies, in many cases triggered by the global economic slowdown.
One of the most recent announcements was made by Sophos, which in mid-January confirmed reports that it is laying off 10% of its global workforce. Roughly 450 people have reportedly lost their jobs as the company shifts focus to cybersecurity services, including managed detection and response.
At around the same time, identity verification company Jumio also confirmed laying off roughly 100 people.
In May 2022, cloud security company Lacework announced terminating 300 jobs, representing roughly 20% of its workforce.
Another company that laid off a significant portion of its workforce last year is OneTrust, which provides privacy, security, and data governance technology. Nearly 1,000 employees were let go, roughly a quarter of the firm’s workforce.
IronNet, the cybersecurity firm founded by former NSA director Keith Alexander, cut 17% of its staff in June and another 35% in September amid significant financial difficulties.
In the fall, Cybereason announced plans to reduce its staff by 17%, just months after cutting 10% of its workforce. In total, the company fired approximately 300 employees.
Cloud security firm Aqua Security has laid off 10% of its workforce, and Malwarebytes terminated 14% of its staff (around 125 people). Gen Digital, created through the merger of antivirus companies Avast and NortonLifeLock, let go of a quarter of employees, in some cases due to their activities overlapping with the other company’s workers.
In October, developer security company Snyk — recently valued at $7.4 billion — announced that it had started restructuring and reducing its global workforce, impacting 198 employees, or 14% of its total workforce.
The same month, security and application delivery solutions provider F5 announced cutting approximately 100 roles, representing 1% of its global workforce.
Enterprise security solutions provider Forescout Technologies has reportedly laid off 100 of 170 employees at its R&D center in Israel, after firing 100 other employees in October.
The companies that cut staff cited market conditions, strategic reorganization and shifting priorities when explaining their decisions.
Data from Layoffs.fyi shows that dozens of cybersecurity firms terminated staff over the past year. The list includes Tripwire, Deep Instinct, Pipl, Transmit Security, Tufin, Checkmarx, Varonis, Perimeter 81, and Armis.
On the other hand, many of those who have been terminated may not have any difficulties securing a job at a different company.
According to a study conducted by the nonprofit (ISC)², the global cybersecurity workforce is at an all-time high, with an estimated 4.7 million professionals. However, the study found that an additional 3.4 million cybersecurity workers are needed, with 70% of the 11,000 cybersecurity professionals who took part in a survey conducted by the nonprofit saying that their organization does not have enough cybersecurity employees.
Google Analytics is a web analytics service provided by Google Ireland Limited (“Google”). Google uses the personal data collected to track and examine the use of this website, compile reports on its activity and share them with other services developed by Google. Google may use your personal data to contextualize and personalize the ads of its own advertising network. This integration of Google Analytics anonymizes your IP address. The data sent is collected for the purposes of personalizing the experience and statistical tracking. More information is available on the page "Further information on how Google processes personal information".
Cloudflare Web Analytics is an anonymized statistics service provided by Cloudflare Inc. that allows the Data Controller to obtain information on the use of this website.
Google Maps is a map display service operated by Google Ireland Limited. This service is used to embed such content within the site's own pages.
Gravatar is an image display service operated by Automattic Inc. that allows Automattic Inc. to embed such content within its own pages.