Newsletter

open source and cybersecurity news

September 28, 2023

It's 5:05, September 27, 2023. Time for your cybersecurity and open source headlines

In this Episode:

Edwin Kwan:  Attackers have been running a campaign this month using malicious open source packages to steal sensitive data from software developers. The attackers utilized typosquatting to trick developers into downloading the packages.

Katy Craig: In the wake of Russia’s invasion of Ukraine and the subsequent year and a half of conflict, the Pentagon is revising its perspective on the role of cyber operations in war. It’s become clear that cyber alone won’t yield immediate results. The Russia-Ukraine conflict revealed discrepancies between expectations and reality in terms of cyber disruptions and impacts.

Ian Garrett: Web application and API attacks against the financial services sector increased by a staggering 65 percent in Q2 2023 compared with the same period from the previous year. This surge resulted in a total of 9 billion attacks within just 18 months, with banks being the primary target.

Hillary Coover: Addressing employees’ non-compliance with cybersecurity rules is a pressing concern for most organizations. The threat of sanctions often fails to deter rule violations, primarily due to rationalizations that diminish the wrongness of these actions. To combat this, management can employ two key strategies.

Today is Thursday, September 28th, 2023. From Sourced Network Productions in New York City, it’s 5:05. I’m Mark Miller sitting in for Hillary Coover. Today’s episode begins with Ian Garrett presenting highlights from the Akamai report examining the trends in the financial services industry.

 

The Stories Behind the Cybersecurity Headlines

 

Ian Garrett
FinServ Industry Sees A Massive Rise In Attacks

Ian Garrett, Contributing Journalist, It's 5:05 Podcast

There is a new report on the trend of attacks against the global financial services industry. The TL;DR: it’s not good. There’s been an alarming rise in web application and API attacks, and the recent report titled “High Stakes of Innovation: Attack Trends in Financial Services,” from cybersecurity firm Akamai, details the trends of cyber threats in the sector.

Hey folks, this is Ian Garrett in Arlington, Virginia.

Web application and API attacks against the financial services sector increased by a staggering 65 percent in Q2 2023 compared with the same period from the previous year. This surge resulted in a total of 9 billion attacks within just 18 months, with banks being the primary target.

The report highlights two significant factors contributing to this increase.

First, the rise in the power of virtual machine botnets has given attackers more capabilities to launch sophisticated attacks.

Second, pro-Russian hacktivism, motivated by the Russia-Ukraine conflict, has further fueled the surge in attacks.

API security and distributed denial of service (DDoS) attacks continue to pose persistent threats to organizations across various sectors. The increasing use of APIs offers attackers more avenues to exploit vulnerabilities, exfiltrate data, or disrupt operations.

Banks faced a majority of these attacks, accounting for 58 percent of them. Other financial services such as fintech, capital markets, insurance, and payment and lending companies collectively made up 28 percent of the attacks. Insurance companies accounted for the remaining 14 percent of web app and API attack traffic within the financial services sub-verticals.

Local file inclusion (LFI) vulnerabilities emerged as the leading driver of web app and API attacks, accounting for nearly 58 percent of these incidents. LFI vulnerabilities allow attackers to launch directory traversal attacks and gain access to sensitive information. Cross-site scripting and structured query language injection were also prevalent, constituting 24 percent and 11 percent of web app and API attacks, respectively.

To help counteract the attacks, financial service institutions should keep apps and APIs up to date, share threat intelligence, and conduct incident response exercises.

Cyberattacks targeting financial services will continue to grow in quantity and severity, and firms need to remain vigilant.

Resources
– CSO Online: https://www.csoonline.com/article/653719/web-app-api-attacks-surge-as-cybercriminals-target-financial-services.html
– Akamai: https://www.akamai.com/lp/soti/high-stakes-of-innovation
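As an added illustration of the local file inclusion class Ian describes (this is not code from the podcast or from the Akamai report), the following Python shows the decision a file-serving handler has to make before opening a user-supplied path: canonicalize it and confirm it still lies inside the intended directory. The base directory, the allowed suffixes, and the sample request strings are constructed for the example and nothing here reads the disk.

```python
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Constructed base directory for the example: the one directory a template or
# document handler is allowed to read from. Nothing below touches the disk.
BASE_DIR = Path("/srv/app/templates").resolve()

# Only these suffixes may be included; anything else is denied even when the
# path itself stays inside BASE_DIR (an assumed policy for the example).
ALLOWED_SUFFIXES = {".html", ".txt"}


def resolve_include(base_dir: Path, requested: str) -> Optional[Path]:
    """Return the canonical path for `requested` if it lies inside base_dir
    and has an allowed suffix, otherwise None.

    This is the check an include handler must make *before* opening anything
    named by user input; skipping it is what turns a page parameter into a
    directory traversal."""
    # NUL bytes and absolute paths are rejected outright: both defeat naive
    # string checks, and neither has a legitimate use in an include name.
    if "\x00" in requested or requested.startswith(("/", "\\")):
        return None

    # Lexically normalise "..", "." and repeated separators without requiring
    # the file to exist (strict=False), so the check works on any input.
    candidate = (base_dir / requested).resolve(strict=False)

    # Compare path components, not string prefixes: a prefix test would let
    # /srv/app/templates_backup slip past as "inside" /srv/app/templates.
    if candidate != base_dir and base_dir not in candidate.parents:
        return None

    if candidate.suffix not in ALLOWED_SUFFIXES:
        return None
    return candidate


def audit_requests(requests: Iterable[str]) -> List[Tuple[str, str]]:
    """Classify a batch of include parameters exactly as the handler would.
    Useful for replaying values seen in access logs against the policy."""
    return [
        (req, "allow" if resolve_include(BASE_DIR, req) is not None else "deny")
        for req in requests
    ]


if __name__ == "__main__":
    # Constructed sample values, modelled on the kinds of strings that show up
    # in a `?page=` parameter; none are taken from a real incident.
    sample = [
        "pages/home.html",
        "pages/../home.html",
        "../../../../etc/passwd",
        "/etc/passwd",
        "../templates_backup/secret.html",
        "home.html\x00.png",
    ]
    for req, verdict in audit_requests(sample):
        print(f"{verdict:5}  {req!r}")
```

The component-wise containment test is the part most often done wrong: checking that the resolved string starts with the base directory string accepts sibling directories that share the prefix, and checking the raw input for ".." misses encodings and normalisation the framework applies later. Resolving first and then comparing path parents avoids both.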

 

Katy Craig
Rethinking Cyber’s Role in Modern Warfare

Katy Craig, Contributing Journalist, It's 5:05 Podcast

In the wake of Russia’s invasion of Ukraine and the subsequent year and a half of conflict, the Pentagon is revising its perspective on the role of cyber operations in war. It’s become clear that cyber alone won’t yield immediate results.

This is Katy Craig in San Diego, California.

Mieke Eoyang, Deputy Assistant Secretary of Defense for Cyber Policy, emphasized that while cyber has a role in conflicts, it’s not the primary one initially expected. The DoD’s 2023 Cyber Strategy underscores that cyber capabilities alone are unlikely to deter adversaries. Instead, they’re most effective when combined with other national power instruments.

The strategy reflects a significant shift in the DoD’s thinking about cyber’s role in armed conflict, particularly given the lessons learned from the Russia-Ukraine conflict. Eoyang highlighted the importance of planning and precision in utilizing cyber, distinguishing it from Russia’s approach in Ukraine, which was more reactive.

The Russia-Ukraine conflict revealed discrepancies between expectations and reality in terms of cyber disruptions and impacts. Despite Russia’s cyber capabilities, Ukraine demonstrated resilience in the face of cyber disruptions. Additionally, the conflict highlighted the importance of cloud migration for data accessibility, even in challenging circumstances.

As the Pentagon continues to adapt its strategies, it’s clear that the role of cyber in modern warfare is evolving, emphasizing planning, precision, and integration with other military operations.

This is Katy Craig, stay safe out there.

Resources
– DefenseScoop: https://defensescoop.com/2023/09/18/russia-ukraine-conflict-forces-dod-to-revise-assumptions-about-cybers-impact-in-war/

 

Edwin Kwan
Info Stealing Campaign Targeting Developers Through OSS

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

Attackers have been running a campaign this month using malicious open source packages to steal sensitive data from software developers.

This is Edwin Kwan from Sydney, Australia.

The campaign commenced on September 12, 2023 and started with 14 malicious packages on NPM. There was a brief hiatus on September 16 and 17, and the attacks resumed and expanded to the PyPI platform. A total of 45 malicious packages have been detected since the start of the campaign.

The attackers utilized typosquatting to trick developers into downloading the packages. Typosquatting is where malicious packages are given similar names to a legitimate popular package in hopes that developers would pick the malicious packages. They could use underscores instead of dashes in the file name.

The data stolen by these packages included sensitive machine and user information. Some of the sensitive information included SSH private keys and kubeconfig files. That stolen information can be used to provide unauthorized access to systems, servers, or infrastructure.

Users are advised to be cautious of what packages they download.

Resources
– Bleeping Computer: https://www.bleepingcomputer.com/news/security/ssh-keys-stolen-by-stream-of-malicious-pypi-and-npm-packages/

 

Hillary Coover
Navigating Employee Rationalizations for a Secure Future

Hillary Coover, Contributing Journalist, It's 5:05 Podcast

Why do employees keep ignoring cybersecurity rules, and what can you do about it? Explore the secrets behind employee rationalizations, and learn powerful strategies to bolster your organization’s cybersecurity.

Hi, this is Hillary Coover in Washington, DC.

Addressing employees’ non-compliance with cybersecurity rules is a pressing concern for most organizations.

Even the threat of sanctions often fails to deter rule violations, primarily due to the effectiveness of what’s called neutralization techniques. Those are rationalizations that diminish the wrongness of these actions. To combat this, management can employ two key strategies.

First, targeted training courses can confront and explain neutralization techniques directly. These courses shed light on why these techniques are invalid and encourage employees to re-evaluate their beliefs. For example, they can debunk rationalizations like “defense of necessity” for using weak passwords by demonstrating practical methods for creating strong yet usable passwords. Similarly, they can highlight the fallacy of the “denial of injury” technique by illustrating the ease with which hackers exploit weak passwords.

A study showed that such training significantly increased employees’ intention to comply with security policies and decreased their agreement with neutralization techniques.

Second, organizations can tackle neutralization techniques through effective communication and messaging. Messages sent to employees can directly address these techniques and challenge their validity.

Hypothetical scenarios involving rationalizations like “defensive necessity” or “denial of injury” can be presented with accompanying messages explicitly countering these neutralization techniques. These messages emphasize the importance of policy adherence and reject any justifications employees might use.

By implementing these management strategies, organizations can raise awareness of neutralization techniques, prompting employees to reconsider their rationalizations for violating cybersecurity rules and ultimately fostering better compliance with security policies.

Resources
– WSJ: https://www.wsj.com/tech/cybersecurity/cybersecurity-risks-employees-training-c7415183
