Monthly News Roundup for March 2022

by Jessica Jenks

March was a busy month here at CyberGRX! Here is a collection of news and other interesting content we released or were featured in throughout the month.

Dave Stapleton Feature on Threatpost
CyberGRX’s CISO, Dave Stapleton, was featured in Threatpost’s recent article, where he discussed Lapsus$’s recent attack on Okta. Dave states that Lapsus$ is looking to increase its notoriety, all the better to recruit insiders willing to sell remote access to major technology corporations. Yet another far-reaching supply-chain attack could also be in its sights.

Dave Stapleton Feature on Washington Examiner
CyberGRX’s CISO, Dave Stapleton, was featured in Washington Examiner’s article about the recent Lapsus$ attack. Not a lot is known about Lapsus$ and its motivations. Still, by sharing nearly 200GB of Samsung data, they enable other attackers. Dave states that it is at least possible that they have obtained information that would make it possible to develop grievous attacks against Samsung Galaxy smartphones; whether or not that was the intent of the Lapsus$ breach of Samsung remains to be seen.

Dave Stapleton Feature on CSO
CyberGRX’s CISO, Dave Stapleton, was featured in CSO’s article discussing 7 mistakes CISOs make when presenting to their board. CISOs should ensure that threat messaging never strays far from the business impact to the organization. A CISO should understand why a specific code library dependency presents a threat to an internet-facing asset, but that level of detail is likely too far in the weeds for the board of directors.

Establishing Trustworthiness Between Enterprises and Third Parties
Relationships of any kind are usually based on mutual trust, and it is no different when it comes to third parties, especially considering today’s cyber attack surface. Assessments can help define areas where third parties struggle or shine, but who is to say those third parties are answering the assessments accurately, or even understand what they are being asked?

New Threat Profile: Online POS - Card Not Present
Due to the drastic increase in Point of Sale (PoS) and Card Not Present (CNP) transactions as society has shifted to purchasing most of its travel, entertainment, and goods online, cybercriminal groups such as Magecart have capitalized on this opportunity to turn an already lucrative card skimming campaign into a full-blown business model.

New Threat Profile: Russian TTPs/Destructive Malware
Geopolitical unrest often results in significant cyberattacks as well as more traditional warfare techniques. This is most recently evident in Russia’s invasion of Ukraine, which includes a widespread attack campaign leveraging destructive malware that began in mid-January and is aimed at disrupting Ukrainian infrastructure, financial institutions, and government organizations. In addition, Russia has made threats to retaliate with additional cyberattacks against Western countries that try to interfere in its efforts.

CyberGRX Threat Profiles addressing Russian TTPs & Malware
To help companies react quickly to recognized threats, CyberGRX has created two new threat profiles, available in the Framework Mapper Library. The Russian State-Sponsored Techniques and Tactics threat profile covers controls exploited in historical Russian-sponsored attacks such as NotPetya, while the Russian Destructive Malware threat profile focuses on the most recent attacks being executed.

My CyberGRX Journey: Azraphael Zaenir
In this recurring series, we speak with CyberGRX team members about why they joined the company, what their experience has been like, and what they're looking forward to the most. Here we chat with Azraphael Zaenir, assessment coordinator!

On Demand Webinar: Third-Party Cyber Risk Management For Dummies
Join CyberGRX CEO Fred Kneip and Dave Estlick, CISO at Chipotle Mexican Grill, as they kick off this four-part webinar series covering all chapters from the recently released guide, Third-Party Cyber Risk Management For Dummies. Watch Chapter 1 on demand now!

Infographic: Third-Party Cyber Risk in the Technology Sector
Did you know that tech and software companies were more likely to have multiple third-party data breaches than any other industry? Check out this infographic for this and other interesting statistics!

9 Things to Ask a Potential Risk Management Vendor
As Third-Party Cyber Risk Management (TPCRM) evolves, organizations are finding themselves in the precarious position of knowing that their third parties bring with them an increased level of risk, while being unsure whether their current methods of managing third-party cyber risk are sufficient, or even effective. Here are 9 questions to ask any TPCRM solution provider you’re considering!

Vulnerability Triage Best Practices
Each time a new vulnerability or threat emerges, dozens of our members reach out to ask for help analyzing their portfolios using Predictive Intelligence and Portfolio Insights Technologies. Learn more about vulnerability triage best practices with Gary Phipps here!

Why Security Transparency Is Key for Improving Sales
Here's something not many of us think about: we're all third parties. In other words, just by being a business with customers, we're a third party. That means that, as a third party, our security is more crucial than ever. A study from the Ponemon Institute revealed that 73% of organizations are more likely to purchase from vendors that identify, mitigate, and share security vulnerabilities proactively. Nonetheless, according to the same survey, approximately half of the nation’s businesses fail to take these steps.