CSO Online https://www.csoonline.com (Copyright (c) 2025 IDG Communications, Inc.)
Software flaw at KigaRoo: millions of daycare records exposed online Fri, 10 Jan 2025 14:02:03 +0000

The data held by the daycare-management software KigaRoo was temporarily accessible on the open internet, including records about children.


Security researcher Florian Hantke recently uncovered a vulnerability at daycare-software vendor KigaRoo. As the news site Netzpolitik.org reports, around two million records of adults and children were temporarily accessible on the open internet as a result.

KigaRoo's software is used, among other things, for staff administration and for managing waiting lists for daycare places. In a separate area, parents with their own login credentials can view details about their children and, for example, record absences.

The vendor says it places great importance on data security. "Nobody except you, your staff and approved caregivers can see the data of your facility that you have individually released," KigaRoo states.

Faulty authorization check

Hantke's report, however, paints a different picture. The security expert found that, with a free trial account, calling certain URLs could potentially be used to extract data en masse. "The vulnerabilities primarily concerned missing or faulty authorization checks," Hantke explains. In other words, anyone who knew or guessed the URL format only had to change the user ID to gain access to the corresponding record.

According to the researcher, such requests could be made with arbitrary IDs consisting of a seven-digit number. "Since all of the IDs involved were numeric and could therefore simply be incremented, it was presumably possible to harvest the data of all users," Hantke says.

The security expert estimates that about 1,290,000 records of adults and 846,000 records of children were affected, "which included the link to the facility plus contact details, addresses, bank details, refugee status and the like". It is conceivable, however, that test accounts were among them.

The researcher immediately informed KigaRoo of the vulnerability, and the vendor has since closed it. KigaRoo is also said to have replaced the numeric IDs with UUIDs (Universally Unique Identifiers), which makes them harder to guess.
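The pattern described above, as an added illustration rather than KigaRoo's code: a record lookup keyed on a sequential seven-digit ID with no ownership check sits beside the same lookup with an object-level authorization check, together with the enumeration loop that makes sequential IDs so cheap to harvest. The records, sessions, facility names and IDs are constructed sample data. The UUID migration is included because it is the mitigation the article reports, but note that random identifiers only raise the cost of guessing; the actual fix is the server-side ownership check.

```python
"""
Added illustration of an IDOR on sequential record IDs (not KigaRoo's code).
All records, sessions and identifiers below are constructed sample data.
"""
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int
    facility_id: str   # the daycare facility this login belongs to


class Forbidden(Exception):
    """Request without a valid session."""


class NotFound(Exception):
    """Record missing, or not visible to this session."""


# Constructed data: each child record belongs to exactly one facility.
CHILD_RECORDS = {
    1000001: {"facility_id": "kita-A", "name": "Child A1"},
    1000002: {"facility_id": "kita-A", "name": "Child A2"},
    1000003: {"facility_id": "kita-B", "name": "Child B1"},
}
# A free trial account tied to a facility that owns only one of the records.
SESSIONS = {"trial-token": Session(user_id=42, facility_id="kita-B")}


def get_child_vulnerable(token, child_id):
    """Authentication only: any logged-in user can read any record by ID."""
    if token not in SESSIONS:
        raise Forbidden("not logged in")
    record = CHILD_RECORDS.get(child_id)
    if record is None:
        raise NotFound(child_id)
    return record


def get_child_fixed(token, child_id):
    """Authentication plus object-level authorization: the record must belong
    to the caller's facility. Missing and foreign records raise the same
    error so the endpoint does not reveal which IDs exist."""
    session = SESSIONS.get(token)
    if session is None:
        raise Forbidden("not logged in")
    record = CHILD_RECORDS.get(child_id)
    if record is None or record["facility_id"] != session.facility_id:
        raise NotFound(child_id)
    return record


def enumerate_records(lookup, token, start, stop):
    """Walk an ID range the way an attacker would and return what leaks."""
    leaked = {}
    for child_id in range(start, stop):
        try:
            leaked[child_id] = lookup(token, child_id)
        except (Forbidden, NotFound):
            continue
    return leaked


def migrate_to_uuids(records):
    """Re-key records with random UUIDv4 identifiers. This removes cheap
    enumeration, but without the ownership check in get_child_fixed a leaked
    or shared UUID still grants access; it is defence in depth, not the fix."""
    return {str(uuid.uuid4()): rec for rec in records.values()}
```

Running `enumerate_records` against the vulnerable lookup with the trial token returns every record in the range; against the fixed lookup it returns only the one record belonging to the caller's facility, and the caller cannot tell whether the other IDs exist.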

KigaRoo also reported the case to the responsible data protection authority. It was a classic IDOR (Insecure Direct Object Reference) vulnerability, the authority told Netzpolitik.org. The authority also confirmed that, apart from the access by the security researcher, there had been no other access to the data.

The software vendor is likewise giving the all-clear. KigaRoo told Netzpolitik.org that it can "definitely rule out" any unauthorized access to the data. The company also stresses that "no data whatsoever was openly exposed", because a test account was required (KigaRoo calls these accounts "admin accounts"). "The reported vulnerability would potentially have allowed access to excerpts of individual personal records stored in KigaRoo, but only by way of an additional admin account."


https://www.csoonline.com/article/3800780/software-lucke-bei-kigaroo-millionen-kita-daten-offen-im-netz.html (category: Artificial Intelligence)
Malware targets Mac users by using Apple’s security tool Fri, 10 Jan 2025 11:24:32 +0000

A variant of the Banshee macOS infostealer was seen duping detection systems with new string encryption copied from Apple’s in-house algorithm.

Check Point Research, which caught the variant after two months of successful evasion, said threat actors distributed Banshee through phishing websites and fake GitHub repositories, often impersonating popular software such as Google Chrome, Telegram, and TradingView.

Ngoc Bui, a cybersecurity expert at Menlo Security, said the new variant highlights a significant gap in Mac security. “While companies are increasingly adopting Apple ecosystems, the security tools haven’t kept pace,” he said. “Even leading EDR solutions have limitations on Macs, leaving organizations with significant blind spots. We need a multi-layered approach to security, including more trained hunters on Mac environments.”

The malware is known for stealing browser credentials, cryptocurrency wallets, and other sensitive data.

Turning Apple’s own tech against it

Check Point researchers found the new Banshee variant using a string encryption algorithm “stolen” from Apple’s XProtect engine, which probably gave it the ability to evade detection for over two months.

Where the original version stored its strings in plaintext, the new variant copies Apple’s string encryption and uses it to encrypt URLs, commands, and other sensitive strings so that they are neither readable nor matchable by the static analysis that antivirus engines rely on to find known malicious signatures.
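An added illustration of the point above, not Check Point's analysis and not Banshee or XProtect code: the same indicator strings are stored once in the clear and once in an encrypted table, and a byte-signature scan plus a `strings`-style sweep are run over both. The two "binaries" are constructed byte blobs with a made-up header, the indicator strings are invented, and the repeating-key XOR stands in for whatever routine the malware actually copied; the last function shows what a check that runs after the strings are decoded (in memory, or in an emulator) can still see.

```python
"""
Added illustration of why encrypted embedded strings defeat static string
signatures. Header, key, indicator strings and the XOR scheme are all
constructed stand-ins, not the real malware's or Apple's algorithm.
"""
import re

INDICATORS = [
    b"/Library/Keychains/login.keychain-db",
    b"wallet.dat",
    b"https://c2.invalid/upload",
]
HEADER = b"\xcf\xfa\xed\xfe" + b"\x00" * 12   # constructed stand-in for a binary header
DEFAULT_KEY = b"\x5a\xa5\x3c"                 # constructed key


def xor_bytes(data, key):
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_plaintext_sample():
    """Original-style binary: indicator strings stored in the clear."""
    return HEADER + b"\x00".join(INDICATORS) + b"\x00"


def build_encrypted_sample(key=DEFAULT_KEY):
    """New-variant style: a length-prefixed table of encrypted strings plus
    the key, decoded only at run time."""
    table = b"".join(bytes([len(s)]) + xor_bytes(s, key) for s in INDICATORS)
    return HEADER + key + table


def static_scan(blob, indicators=INDICATORS):
    """What a byte-signature rule sees: indicators present verbatim in the file."""
    return [s.decode() for s in indicators if s in blob]


def printable_strings(blob, min_len=8):
    """Equivalent of the `strings` utility: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, blob)]


def decode_string_table(blob, key):
    """Undo the constructed scheme by walking the length-prefixed table."""
    pos = len(HEADER) + len(key)
    out = []
    while pos < len(blob):
        n = blob[pos]
        out.append(xor_bytes(blob[pos + 1:pos + 1 + n], key))
        pos += 1 + n
    return out


def scan_after_decryption(blob, key, indicators=INDICATORS):
    """What a memory or behavioural check can see once strings are decoded."""
    return static_scan(b"\x00".join(decode_string_table(blob, key)), indicators)
```

`static_scan` and `printable_strings` find every indicator in the plaintext blob and none in the encrypted one; only `scan_after_decryption`, which needs the key the binary carries and the decoding logic, recovers them. That is the gap the quoted experts describe: a signature written against the old plaintext strings stops matching the moment the strings are encrypted, while the behaviour of the code is unchanged.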

“As attackers refine their techniques, including leveraging encryption methods inspired by native security tools, it’s evident that businesses can no longer rely on legacy assumptions about platform security,” said James Scobey, chief information security officer at Keeper Security. “Sophisticated malware like Banshee Stealer can bypass traditional defenses, capitalizing on stolen credentials and user errors.”

Banshee 2.0

Another key difference Check Point Research noticed is that the new variant has removed a Russian-language check, hinting at possible new ownership and expanded operations.

“Previous malware versions terminated operations if they detected the Russian language, likely to avoid targeting specific regions,” the researchers said in a blog post. “Removing this feature indicates an expansion in the malware’s potential targets.”

Banshee macOS Stealer gained attention in mid-2024, promoted as a “stealer-as-a-service” on forums like XSS, Exploit, and Telegram. Threat actors could buy it for $3,000 to target macOS users.

In November 2024, however, Banshee’s operations took a wild turn after its source code leaked on the XSS forum, leading to its public shutdown. The leak improved antivirus detection but sparked worries about new variants being developed by other actors.

https://www.csoonline.com/article/3785322/malware-targets-mac-users-by-using-apples-security-tool.html (categories: Encryption, Malware, Phishing)
SEC rule confusion continues to put CISOs in a bind a year after a major revision Fri, 10 Jan 2025 06:00:00 +0000

Confusion around when and how to report cybersecurity breaches continues to plague companies a year after revised US Securities and Exchange Commission (SEC) cybersecurity breach reporting rules came into effect, experts say.

As the agency that regulates and enforces federal US securities laws continues to flex its enforcement muscles against organizations that violate the rules, which impose a tight deadline for disclosing cybersecurity incidents, CISOs and other senior executives are under growing pressure to quickly assess and report breaches judged to be material, a challenging determination given the complexity of most incidents.

Companies get into problems with the SEC when disclosures are either not forthcoming or not timely enough, according to Joe Shusko, a partner with global accountancy firm Baker Tilly’s cybersecurity practice. Consequently, they are finding it necessary to develop new strategies to maintain compliance with the rules, the interpretation and application of which aren’t always clear and vary according to specific situations.

“Determination of materiality isn’t straightforward and shouldn’t be made in isolation — senior security staff should work with their business operations colleagues, legal counsel, external forensics as part of a disclosure committee,” Shusko told CSO.

The SEC’s enforcement isn’t slowing down

The SEC has taken more than 200 enforcement actions since it gained the power to do so in 2015, with a quarter of those involving cybersecurity incidents. A growing list of charges has been filed against companies it deems to have misled investors about incidents that it considers to be material to stakeholders.

In December 2024, the SEC filed settled charges against Flagstar “for making materially misleading statements regarding a cybersecurity attack on Flagstar’s network in late 2021”, with the bank agreeing to pay $3.55 million. The SEC found that while the company did report the breach, it failed to disclose that sensitive customer data of about 1.5 million people had been exposed.

A few months earlier, the SEC fined four companies $7 million for “misleading cyber disclosures” related to the SolarWinds hack. The quartet — Avaya, Check Point, Mimecast, and Unisys — were faulted for misleading disclosures about the impact of the 2020 software breach on their individual businesses that left investors and other stakeholders in the dark.

The four tech firms each agreed to settle the dispute over its disclosures by paying a fine but without making any admission of wrongdoing. Unisys, which was also charged with security controls violations, agreed to pay a $4-million fine while the other vendors each stumped up around $1 million.

CISOs still grappling with fears over a lack of clarity

Former Uber CSO Joe Sullivan, who was convicted of obstruction over the handling of Uber’s 2016 data breach, contends that despite the growing number of enforcement examples there are still many uncertainties over exactly how companies can achieve compliance.

“There is so much fear out there right now because there is a lack of clarity,” Sullivan told CSO. “The government is regulating through enforcement actions, and we get incomplete information about each case, which leads to rampant speculation.”

Based on its history, the SEC may issue clearer and more detailed guidance on the disclosure rules in the future, Shusko says. However, it is unlikely to make allowances for organizations that fall afoul of the rules even pending future clarification.

The SEC did not immediately respond to inquiries by CSO as to whether any supplementary guidance about its revised reporting rules was in the pipeline. Although the incoming Trump administration has promised to slash business regulations in general, whether cyber incident disclosure rules might be modified — much less when — remains unclear.

Companies should err on the side of transparency

As things stand, CISOs and their colleagues must chart a tricky course in meeting reporting requirements in the event of a cybersecurity incident or breach, Shusko says, which means anticipating those requirements by making compliance preparation part of any incident response plan.

If they must make a cyber incident disclosure, companies should attempt to be compliant and forthcoming while seeking to avoid releasing information that could inadvertently point towards unresolved security shortcomings that future attackers might be able to exploit.

“Organisations should err on the side of transparency,” Shusko says.

Given that clarity around disclosure isn’t always straightforward, there is no real substitute for preparedness, which makes it essential to practise situations that would require disclosure through tabletops and other exercises, according to Simon Edwards, chief executive of security testing firm SE Labs. “Speaking as someone who is invested heavily in the security of my company, I’d say that the most obvious and valuable thing a CISO can do is roleplay through an incident.”

Edwards continued: “Get the processes in place, including knowing where to find the form to submit to the SEC and maybe even pre-populate it with as much information as possible. Then, when the unthinkable happens, there’s less chance to panic and make mistakes.”

Recent fines have also laid the groundwork for further SEC enforcement actions against non-compliant organizations. Although the disclosure rules are aimed primarily at publicly traded companies, a far greater range of organisations might feel their effects.

Company supply chains can also impact breach reporting

“The disclosure rules are targeted towards publicly traded organizations, but that doesn’t necessarily mean non-publicly traded organizations are excluded,” Shusko says. “Public companies will likely expect their business partners to disclose and communicate any cyberattacks that might impact their organizations and as a result their customers. Organisations need to understand their supply chains.”


Disclosure rules that are open to interpretation mean that some companies will feel obliged to disclose less-serious security incidents. For example, Shusko says, even though a recent cyberattack against American Water had no material impact on the utility, it still disclosed the attack in order to keep its stakeholders informed.

“There is a lack of clarity about where enforcement actions might start,” Sullivan says.

Senior security professionals and their colleagues face a particular challenge in determining if a security incident is material, and therefore something they are obliged to disclose, or something less serious that can be handled in-house.

“[There’s] confusion about what meets the threshold of ‘material’ — companies are all over the place on their disclosures, and the guidance from the SEC has been confusing at best,” Sullivan says.

https://www.csoonline.com/article/3725463/sec-rule-confusion-continues-to-put-cisos-in-a-bind-a-year-after-a-major-revision.html (categories: Business IT Alignment, Compliance, CSO and CISO, IT Leadership, Regulation)
6 risk-assessment frameworks compared Fri, 10 Jan 2025 04:30:00 +0000
With the right framework, risks can be examined more thoroughly.


Technology has become indispensable to many business processes, which makes it one of a company's most valuable assets. Unfortunately, it is also one of the greatest sources of risk, which is where risk-assessment frameworks come in.

Formally assessing IT risk lets organizations gauge more accurately how exposed their systems, devices and data are to harmful events such as cyber threats, compliance failures or outages. Such frameworks also help IT and security decision-makers estimate the consequences of those events. The ultimate goal is to minimize every identified risk and its impact.

This article briefly introduces six popular risk-assessment frameworks, each tuned to a specific area of risk.

1. COBIT

What it is: COBIT (Control Objectives for Information and Related Technology) comes from ISACA, the international IT professional association focused on IT governance. This very comprehensive and broadly scoped framework was developed to help organizations:

  • understand,
  • design,
  • implement,
  • manage and
  • govern enterprise IT.

What it does: According to ISACA, COBIT defines the components and design factors needed to build and maintain an optimal governance system. The current version, COBIT 2019, rests on six governance principles:

  1. provide stakeholder value
  2. take a holistic approach
  3. keep the governance system dynamic
  4. separate governance from management
  5. tailor it to the enterprise's needs
  6. implement an end-to-end governance system

How it works: COBIT is designed with a business focus and defines a set of generic processes for managing IT components. It also specifies inputs and outputs, key activities, objectives, performance metrics and a basic maturity model.

Good to know: According to ISACA, COBIT can be implemented flexibly and lets companies adapt their governance strategy.

2. FAIR

What it is: FAIR (Factor Analysis of Information Risk) is a methodology for quantifying and managing business risk. Behind it stands the FAIR Institute, a research-oriented non-profit dedicated to the management of operational and security risk. According to its creators, FAIR is the only international standard quantitative model for this type of risk.

What it does: FAIR provides a model for understanding, analyzing and quantifying these risks in financial terms. According to the FAIR Institute, it differs from other risk-assessment frameworks in that it does not rely on qualitative color charts or numerically weighted scales. Instead, FAIR aims to provide a foundation for building a robust risk-management approach.

How it works: FAIR primarily estimates probabilities for the frequency and magnitude of loss events. It is not a methodology for carrying out individual risk assessments; rather, the framework aims to enable companies to understand, analyze and measure IT risk.

The components of the FAIR framework include:

  • a taxonomy for IT risk,
  • a standardized nomenclature for risk,
  • a method for defining data-collection criteria,
  • measurement scales for risk factors,
  • an engine for risk calculations, and
  • a model for analyzing complex risk scenarios.

Good to know: FAIR's quantitative risk-assessment approach is applicable across industries.
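A worked example of the quantification FAIR describes, added here and not the FAIR Institute's own tooling: annualized loss is simulated from Loss Event Frequency (LEF) and Loss Magnitude (LM), where LEF is Threat Event Frequency (TEF) multiplied by Vulnerability (the probability that a threat event becomes a loss event) and LM is primary plus secondary loss per event. The calibrated ranges, the scenario and the use of a triangular distribution are assumptions for a fictional case; FAIR tooling commonly uses PERT, and the simulation structure is the same.

```python
"""
Added Monte Carlo example of the FAIR risk decomposition
(LEF = TEF x Vulnerability, LM = primary + secondary loss).
Not the FAIR Institute's tooling; all ranges are constructed inputs.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """Min / most likely / max calibrated estimate, sampled from a
    triangular distribution (a dependency-free stand-in for PERT)."""
    low: float
    mode: float
    high: float

    def sample(self, rng):
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # probability a threat event becomes a loss event
    primary_loss: Estimate    # direct cost per loss event (response, replacement)
    secondary_loss: Estimate  # follow-on cost per loss event (fines, churn)


def poisson(lam, rng):
    """Knuth's sampler; adequate for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_year(scn, rng):
    """One simulated year: derive LEF, draw the event count, sum magnitudes."""
    lef = scn.tef.sample(rng) * scn.vulnerability.sample(rng)
    events = poisson(lef, rng)
    return sum(scn.primary_loss.sample(rng) + scn.secondary_loss.sample(rng)
               for _ in range(events))


def simulate(scn, years=10_000, seed=1):
    """Monte Carlo over many years; returns the figures a FAIR report quotes."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(scn, rng) for _ in range(years))
    return {
        "ale": mean(losses),                       # annualized loss expectancy
        "p50": losses[len(losses) // 2],
        "p90": losses[int(0.9 * len(losses))],
        "max": losses[-1],
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


# Constructed scenario: credential phishing against a finance mailbox.
EXAMPLE = Scenario(
    tef=Estimate(2, 6, 15),
    vulnerability=Estimate(0.05, 0.15, 0.40),
    primary_loss=Estimate(20_000, 80_000, 300_000),
    secondary_loss=Estimate(0, 50_000, 1_000_000),
)

if __name__ == "__main__":
    for name, value in simulate(EXAMPLE).items():
        print(f"{name:>10}: {value:,.2f}")
```

The output is a loss distribution rather than a single score: the ALE is what a finance audience asks for, the 90th percentile is what drives control decisions, and the probability of any loss in a year shows how much of the ALE comes from rare, large events. Changing only the `vulnerability` range is how a proposed control (say, phishing-resistant MFA) is priced in this model.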

3. ISO/IEC 27001

What it is: ISO/IEC 27001 is an international standard that provides guidance on information-security management. It was first published in 2005 jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and has been revised successively since.

What it does: According to its authors, ISO/IEC 27001 is a guide for companies of any size and from any industry on establishing, implementing, maintaining and continually improving an information security management system (ISMS).

How it works: ISO/IEC 27001 promotes a holistic approach to cybersecurity that scrutinizes people, policies and technology. An ISMS built on it is, according to ISO, a tool for risk management, cyber resilience and operational excellence.

Good to know: Being ISO/IEC 27001 compliant means meeting a globally used standard and actively managing data-security risks.

4. NIST Risk Management Framework

What it is: The Risk Management Framework (RMF) was developed by the US National Institute of Standards and Technology (NIST). It centers on a comprehensive, repeatable and measurable seven-step process for managing IT and privacy risk, drawing on a whole series of NIST standards and guidelines to support the implementation of risk-management initiatives.

What it does: According to NIST, the RMF provides a process that integrates security, privacy and supply-chain risk-management activities into the system development life cycle, taking into account effectiveness, efficiency and the constraints imposed by applicable laws, directives, executive orders, policies, standards and regulations.

How it works: The seven steps of the NIST RMF are:

  1. Prepare: essential activities to ready the organization to manage security and privacy risk.
  2. Categorize: classify the system and the data it processes, stores and transmits on the basis of an impact analysis.
  3. Select: choose a set of controls to protect the system on the basis of a risk assessment.
  4. Implement: deploy the controls and document how they are deployed.
  5. Assess: determine whether the controls are in place and working as intended.
  6. Authorize: make a risk-based decision to authorize the system to operate.
  7. Monitor: continuously monitor control implementation and the risks to the system.

Good to know: The RMF offers a procedural, ordered process that helps organizations embed security into their overall risk-management processes.

5. OCTAVE

What it is: OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a framework for identifying and managing cybersecurity risk. It was developed by the CERT team at Carnegie Mellon University in the US.

What it does: This framework defines a comprehensive evaluation method that lets companies identify not only mission-critical IT assets but also the threats to those assets and the vulnerabilities that make those threats possible.

How it works: According to its maintainers, compiling IT assets, threats and vulnerabilities lets companies understand which data is genuinely at risk. Armed with that understanding, users can develop and implement a protection strategy to safeguard it over the long term.

Good to know: OCTAVE is available in two variants.

  • OCTAVE-S offers a simplified methodology aimed at smaller companies with flat hierarchies.
  • OCTAVE Allegro, by contrast, is a more comprehensive framework suited primarily to large companies or those with complex structures.

6. TARA

What it is: TARA (Threat Assessment and Remediation Analysis) is an engineering methodology for identifying, assessing and remediating security weaknesses. It was developed by the non-profit MITRE.

What it does: The framework is part of MITRE's systems-engineering portfolio, which aims to address cybersecurity hygiene and the resilience of IT systems as early as possible, within the acquisition process.

How it works: TARA uses a data catalog to identify attack vectors that could be used to exploit system vulnerabilities and to select potential countermeasures.

Good to know: TARA was originally developed in 2010 and has been used in more than 30 cyber-risk assessments. It is particularly well suited to risk studies that focus on security threats. (fm)


https://www.csoonline.com/article/3552765/6-risk-assessment-frameworks-im-vergleich.html (category: Risk Management)
Legitimate PoC exploited to spread information stealer Fri, 10 Jan 2025 00:17:40 +0000

The recent copying and trojanizing of an open-source proof-of-concept (PoC) exploit, published by a reputable security company to help threat researchers, is the latest example of the novel tactics attackers use to spread malware.

PoCs for known vulnerabilities are created to be shared by students, researchers, and IT pros to improve software and toughen defenses. The danger is that anything posted on the internet can be abused.

CSO Online reported on Jan. 3 on the original, and safe, PoC exploit, LDAPNightmare, created by SafeBreach for a vulnerability in Windows Lightweight Directory Access Protocol (LDAP). Today, however, Trend Micro said it has found a malicious version of that PoC sitting on GitHub.

In an interview, Tomer Bar, SafeBreach’s vice-president of security research, stressed that the company’s PoC wasn’t compromised, but was copied and manipulated. The original proof of concept exploit was published on SafeBreach’s official GitHub site.

“We always publish full open-source” code, he added, “so people can verify that it’s valid and not malicious.”

“The malicious repository containing the PoC appears to be a fork from the original creator,” Trend Micro said in its report. “In this case, the original Python files were replaced with the executable poc[dot]exe that was packed using UPX.”

Fortunately, the presence of an executable file in a Python-based project was a clue for experienced infosec pros that something was awry.

A ‘classic Trojan horse’

The malicious repository has since been taken down. But its discovery is another example of why anyone in IT should be careful about downloading code from anywhere, including an open-source repository, said David Shipley, CEO of Canadian awareness training firm Beauceron Security.

“Trojan’s gonna Trojan,” he said in an interview, describing the attempt to lure the unprepared as a “classic social engineering strategy.”

“This is the classic Trojan Horse: You go looking for a legitimate, research-based PoC and you get one that looks like the PoC, but you get one with an executable.”

Threat actors are increasingly using this tactic, he said, because it works. Among the defences: test the proof of concept in an isolated environment.

“Any code from the web should be treated as massively unhygienic until you know it’s safe,” Shipley added.

Not a new tactic

The tactic of using a PoC to hide malware or a backdoor isn’t new. In 2023, for example, Uptycs reported on a widely shared malicious proof of concept on GitHub purporting to address the critical Linux kernel vulnerability CVE-2023-35829. And according to a 2022 academic study of GitHub-hosted PoCs, posted on the arXiv preprint server, almost 2% of the 47,285 repositories it examined had indicators of malicious intent. “This figure shows a worrying prevalence of dangerous malicious PoCs among the exploit code distributed on GitHub,” the study concluded, and that was over two years ago.

Last fall, SonicWall released another report on the rise of malicious PoCs. “While security researchers are often very well equipped to handle and detect this situation,” it concluded, “it is easy to become overconfident, leading to compromise.”

Only use trusted repositories

Cybersecurity professionals, including blue and red teams, should only download content from trusted open source repositories that have a lot of stars, SafeBreach’s Bar said, and never download executables from untrusted sources.

In addition, Trend Micro advised IT workers to:

  • always download code, libraries, and dependencies from official and trusted repositories;
  • be cautious of repositories with suspicious content that may seem out of place for the tool or application it is supposedly hosting;
  • if possible, confirm the identity of the repository owner or organization; 
  • review the repository’s commit history and recent changes for anomalies or signs of malicious activity; 
  • be cautious of repositories with very few stars, forks, or contributors, especially if they claim to be widely used; 
  • look for reviews, issues, or discussions about the repository to identify potential red flags. 
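The second item in that list, "content that seems out of place for the tool", is the check that exposed this fork: an executable in a Python-only project. The example below is added here and is not Trend Micro's or SafeBreach's tooling. It walks a checkout, flags files that carry a Windows executable extension or start with the PE `MZ` magic (including a PE hidden behind a `.py` name), and notes UPX packing via the `UPX!` marker and `UPX0`/`UPX1` section names. The sample repository is constructed in a temporary directory; the file names and bytes in it are invented.

```python
"""
Added pre-download triage for a cloned PoC repository: find native executables
and UPX-packed files in a project that should contain only scripts.
Not the tooling of any vendor named in the article; the sample repo is constructed.
"""
import pathlib
import tempfile

EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd"}
PE_MAGIC = b"MZ"
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")


def inspect_file(path):
    """Return a finding dict for files that look like native executables, else None."""
    data = path.read_bytes()          # PoC repos are small; reading whole files is fine
    suffix = path.suffix.lower()
    reasons = []
    if suffix in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {suffix}")
    if data.startswith(PE_MAGIC):
        reasons.append("PE (MZ) header")
        if suffix not in EXEC_EXTENSIONS:
            reasons.append("PE header hidden behind non-executable extension")
    if not reasons:
        return None
    return {
        "path": path.name,
        "reasons": reasons,
        "upx_packed": any(marker in data for marker in UPX_MARKERS),
    }


def scan_repo(root):
    """Walk a checkout (skipping .git) and collect findings, sorted by path."""
    findings = []
    for p in sorted(pathlib.Path(root).rglob("*")):
        if p.is_file() and ".git" not in p.parts:
            finding = inspect_file(p)
            if finding:
                findings.append(finding)
    return findings


def make_sample_repo():
    """Constructed stand-in for a forked PoC checkout: a README, one Python
    script, a UPX-packed .exe, and a PE blob renamed to look like a module."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="poc-repo-"))
    (root / "README.md").write_text("# LDAP PoC fork (constructed sample)\n")
    (root / "main.py").write_text("print('harmless')\n")
    fake_packed_pe = (PE_MAGIC + b"\x90" * 60 + b"UPX0\x00UPX1\x00"
                      + b"\x00" * 32 + b"UPX!" + b"\x00" * 16)
    (root / "poc.exe").write_bytes(fake_packed_pe)
    (root / "helper.py").write_bytes(PE_MAGIC + b"\x00" * 64)
    return root


if __name__ == "__main__":
    for finding in scan_repo(make_sample_repo()):
        print(finding)
```

Run it on a fresh clone before anything in the repository is executed. An empty result is not a clean bill of health (a malicious `setup.py` or a dependency pin would pass), but any hit in a project that advertises itself as pure Python is the kind of out-of-place content the advice above tells you to stop on.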

https://www.csoonline.com/article/3729065/legitimate-poc-exploited-to-spread-information-stealer.html (categories: Cyberattacks, Malware)
Ivanti zero-day exploited by APT group that previously targeted Connect Secure appliances Thu, 09 Jan 2025 23:43:52 +0000

Researchers from Google’s Mandiant division believe the critical remote code execution vulnerability patched on Wednesday by software vendor Ivanti has been exploited since mid-December by a Chinese cyberespionage group. It is the same group that exploited zero-day vulnerabilities in Ivanti Connect Secure appliances in January 2024 and throughout the year.

The latest attacks, exploiting the new CVE-2025-0282 flaw, involved the deployment of multiple malware components from a toolkit dubbed SPAWN that Mandiant attributes to a cluster of activity tracked as UNC5337, which the company suspects is related to another group tracked as UNC5221.

“UNC5221 is a suspected China-nexus espionage actor that exploited vulnerabilities CVE-2023-46805 and CVE-2024-21887, which impacted Ivanti Connect Secure VPN and Ivanti Policy Secure appliances as early as December 2023,” the Mandiant researchers said in a report. “Additionally, Mandiant previously observed UNC5221 leveraging a likely ORB network of compromised Cyberoam appliances to enable intrusion operations.”

The SPAWN family of custom malware tools, some of which are specifically designed to interact with Connect Secure features and code, includes the SPAWNANT installer, the SPAWNMOLE tunneler, the SPAWNSNAIL SSH backdoor and the SPAWNSLOTH log-tampering utility. In addition to these known tools, which have been used in past Ivanti compromises, the latest attacks also involved never-before-seen components: a credential harvester dubbed DRYHOOK and a malware dropper called PHASEJAM.

Malware prevents legitimate upgrades

In its security advisory, Ivanti directed customers to perform a factory reset on appliances before deploying the patched 22.7R2.5 version. The company did not explain why, but based on Mandiant’s analysis the reason is the PHASEJAM dropper, which modifies multiple legitimate Connect Secure components, including the one responsible for system upgrades. It does this in order to block upgrades and then simulate them in a visually convincing way, even displaying the new version number at the end of the process.

“The first technique, utilized by PHASEJAM, prevents legitimate ICS [Ivanti Connect Secure] system upgrade attempts by administrators via rendering a fake HTML upgrade progress bar while silently blocking the legitimate upgrade process,” the Mandiant researchers explain. “Due to the blocked upgrade attempt, the technique would allow any installed backdoors or tools left by the threat actor to persist on the current running version of the VPN while giving the appearance of a successful upgrade.”

PHASEJAM also modifies legitimate files from the ICS web interface in order to inject a web shell that gives attackers remote access to the device, the ability to execute additional malicious code and to exfiltrate data from the device.

PHASEJAM comes in the form of a bash script and is deployed as a payload following the initial exploit for CVE-2025-0282 after some preparation steps that involve disabling the SELinux protections of the OS, blocking system log collection and remounting the root partition as writable so its files can be modified.

Following the exploitation, the attackers perform several steps to remove evidence of the attack including clearing kernel messages and removing entries from debug logs, deleting troubleshoot information packages and any memory core dumps generated by crashes that could be used in forensics analysis, removing application event log entries related to various failures, crashes and certificate handling errors, and clearing the SELinux audit log of executed commands.

Persistence across upgrades

In addition to blocking and simulating upgrades, the attackers deploy a mechanism to survive legitimate upgrades if they do happen. Normally the root partition is wiped during an upgrade as it’s supposed to be read-only, so the attackers hijack the execution flow of dspkginstall, a legitimate utility used during the upgrade process, in order to copy several malicious components to the temporary upgrade partition that’s mounted on /tmp/data/.

“SPAWNANT establishes an additional method of backdoor access by writing a web shell into compcheckresult.cgi on the upgrade partition,” the researchers explained. “The web shell uses system() to execute the value passed to a hard-coded query parameter.”

SPAWNANT has three components: the SPAWNMOLE tunneler (libsocks5.so), the SPAWNSNAIL SSH backdoor (libsshd.so) and the SPAWNSLOTH log tampering utility (.liblogblock.so). It also tricks the Ivanti Integrity Checker Tool (ICT) by recalculating the SHA256 hash for any files it has modified and generates a new RSA key pair to sign the modified manifest that the ICT uses for integrity checking.

Mandiant notes that there is still a way to tell successful and correct ICT reports from tampered ones due to the number of steps listed. Screenshots with the differences are provided in their analysis.
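The manifest re-signing described above, as an added example that is not Mandiant’s or Ivanti’s code: a toy integrity checker showing why a checker that trusts the public key shipped next to its manifest accepts a re-hashed, re-signed manifest, while a checker that pins the vendor’s public key out of band rejects it. Assumptions: textbook RSA over a SHA-256 digest stands in for the real signature scheme, and all paths, file contents and function names are constructed for the demo.

```python
# Added example (not Mandiant's or Ivanti's code). Textbook RSA over a SHA-256
# digest stands in for the real signature scheme; file contents are constructed.
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test, adequate for a demo key."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)). 512 bits is a demo size, not a production one."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def build_manifest(files: dict) -> str:
    """Canonical, sorted 'path sha256' lines, like an integrity manifest."""
    return "\n".join(f"{p} {hashlib.sha256(b).hexdigest()}" for p, b in sorted(files.items()))


def _digest_int(manifest: str) -> int:
    return int.from_bytes(hashlib.sha256(manifest.encode()).digest(), "big")


def make_bundle(files: dict, pubkey, privkey) -> dict:
    """Manifest, its signature and the signing public key, as a build step would ship them."""
    manifest = build_manifest(files)
    n, d = privkey
    return {"manifest": manifest, "sig": pow(_digest_int(manifest), d, n), "pubkey": pubkey}


def _verify(bundle: dict, pubkey, files: dict) -> bool:
    n, e = pubkey
    if pow(bundle["sig"], e, n) != _digest_int(bundle["manifest"]):
        return False  # signature does not match the manifest under this key
    return bundle["manifest"] == build_manifest(files)  # files must match the manifest


def check_trusting_bundled_key(bundle: dict, files: dict) -> bool:
    """Weak design: trusts whatever public key arrived next to the manifest."""
    return _verify(bundle, bundle["pubkey"], files)


def check_with_pinned_key(bundle: dict, pinned_pubkey, files: dict) -> bool:
    """Hardened design: the trust anchor is a key the checker already holds."""
    return _verify(bundle, pinned_pubkey, files)


def demo() -> dict:
    vendor_pub, vendor_priv = generate_keypair()
    clean = {  # constructed stand-ins for files covered by the manifest
        "compcheckresult.cgi": b"#!/usr/bin/perl\n# constructed legitimate CGI\n",
        "dspkginstall": b"constructed legitimate installer stub",
    }
    vendor_bundle = make_bundle(clean, vendor_pub, vendor_priv)
    # The technique the article describes: change a file, recompute every hash,
    # and re-sign the manifest with a freshly generated key pair.
    modified = dict(clean)
    modified["compcheckresult.cgi"] += b"# constructed extra line\n"
    forged_bundle = make_bundle(modified, *generate_keypair())
    return {
        "bundled_key_check_accepts_forged": check_trusting_bundled_key(forged_bundle, modified),
        "pinned_key_check_accepts_forged": check_with_pinned_key(forged_bundle, vendor_pub, modified),
        "pinned_key_check_accepts_vendor": check_with_pinned_key(vendor_bundle, vendor_pub, clean),
    }
```

The pinned check also rejects the case where the original vendor-signed manifest is kept but a listed file is changed, because the recomputed hashes no longer match.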

Lateral movement and credential theft

The APT group uses built-in command line tools such as nmap and dig to perform network reconnaissance, and it attempts LDAP queries using the LDAP service account as well as access to Active Directory servers over SMB and RDP.

A Python script dubbed DRYHOOK modifies a system component called DSAuth.pm to intercept legitimate authentications on the appliance and log credentials. Separately, the attackers attempt to exfiltrate the appliance database which contains VPN session cookies, API keys, certificates and credential material.

“Mandiant assesses that defenders should be prepared for widespread, opportunistic exploitation, likely targeting credentials and the deployment of web shells to provide future access,” the researchers said. “Additionally, if proof-of-concept exploits for CVE-2025-0282 are created and released, Mandiant assesses it is likely additional threat actors may attempt targeting Ivanti Connect Secure appliances.”

https://www.csoonline.com/article/3732107/ivanti-zero-day-exploited-by-apt-group-that-previously-targeted-connect-secure-appliances.html Categories: Malware, Vulnerabilities, Zero-day vulnerability
New Mirai botnet targets industrial routers (Thu, 09 Jan 2025 18:27:40 +0000)

According to security analysis, the Gayfemboy botnet, based on the notorious Mirai malware, is currently spreading around the world. Researchers from Chainxin X Lab found that cybercriminals have been using the botnet since November 2024 to attack previously unknown vulnerabilities. The botnet’s preferred targets include Four-Faith and Neterbit routers or smart home devices.

Experts from VulnCheck reported at the end of December that a vulnerability in Four-Faith industrial routers (CVE-2024-12856) had been exploited in the wild. The attackers exploited the router’s default credentials to launch a remote command injection.

In addition, the botnet was used for targeted attacks on unknown vulnerabilities in Neterbit routers and Vimar smart home devices. According to Chainxin X Lab, Gayfemboy has exploited over 20 vulnerabilities and weak Telnet credentials to access the devices. It includes a brute-force module for insecure Telnet passwords, uses custom UPX packing with unique signatures, and implements Mirai-based command structures. This allows the attackers to update clients, scan networks, and carry out DDoS attacks.

According to researchers, the botnet has been attacking hundreds of targets every day since its discovery in February 2024. The number of daily active bot IPs is 15,000, most of which are located in China, the US, Russia, Turkey, and Iran. Targets are spread across the world and affect various industries, with the main targets being located in China, the US, Germany, the UK, and Singapore.

According to Chainxin X Lab, the botnet’s DDoS attacks are short-lived (between 10 and 30 seconds), but are high in intensity, with data rates exceeding 100Gbps and capable of disrupting even robust infrastructures.

Vulnerable devices

According to the analysis, the botnet’s attacks target the following devices:

  • ASUS routers (via N-day exploits)
  • Huawei routers (via CVE-2017-17215)
  • Neterbit router (custom exploit)
  • LB-Link router (via CVE-2023-26801)
  • Four-Faith Industrial Routers (via the zero-day now tracked as CVE-2024-12856)
  • PZT cameras (via CVE-2024-8956 and CVE-2024-8957)
  • Kguard DVR
  • Lilin DVR (via remote code execution exploits)
  • Generic DVRs (using exploits like TVT editBlackAndWhiteList RCE)
  • Vimar smart home devices (presumably exploiting an unknown vulnerability)
  • Various 5G/LTE devices (likely due to misconfigurations or weak credentials)

https://www.csoonline.com/article/3716843/new-mirai-botnet-targets-industrial-routers.html Categories: Botnets, DDoS
SonicWall firewall hit with critical authentication bypass vulnerability (Thu, 09 Jan 2025 17:36:52 +0000)

SonicWall is warning customers of a severe vulnerability in its SonicOS SSLVPN with high exploitability that remote attackers could use to bypass authentication.

The bug is an improper authentication vulnerability in the SSL VPN authentication mechanism, according to emails sent to customers and published on SonicWall’s official subreddit.

“We have identified a high (severity) firewall vulnerability that is susceptible to actual exploitation for customers with SSL VPN or SSH management enabled and that should be mitigated immediately by upgrading to the latest firmware,” SonicWall wrote.

The bug, tracked as CVE-2024-53704, has been patched in a firmware upgrade available since Jan. 7, which also sealed other, less-critical vulnerabilities.

Remote unauthorized access

SonicWall’s network security appliances use the SonicOS SSLVPN to enable secure remote access to internal network resources over the internet.

With a CVSS score of 8.2/10, the vulnerability impacts a number of Gen6 and Gen7 firewalls. The fixed versions include SonicOS 6.5.5.1-6n or newer for hardware firewalls, SonicOS 6.5.4.v-21s-RC2457 or newer for NSv firewalls, and SonicOS 7.0.1-5165 or newer for Gen 7 firewalls.

“To minimize the potential impact of SSLVPN vulnerabilities, please ensure that access is limited to trusted sources, or disable SSLVPN access from the Internet,” SonicWall said in a security advisory.

It encouraged customers to download the latest firmware versions from mysonicwall.com.

Upgrade patched other non-critical bugs

SonicWall disclosed patching a set of other bugs in the upgrade targeted at CVE-2024-53704. These include CVE-2024-40762, CVE-2024-53705, and CVE-2024-53706.

CVE-2024-40762 (CVSS 7.1/10) stems from the use of a cryptographically weak pseudo-random number generator (PRNG) in the SonicOS SSLVPN authentication token generator, which can allow attackers to predict tokens, resulting in authentication bypass.

Another vulnerability (CVE-2024-53706) in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only) can allow “root” level privilege escalation for remote attackers leading to arbitrary code execution. The bug has received a CVSS rating of 7.8/10.

CVE-2024-53705 (CVSS 6.5/10) is a server-side request forgery vulnerability in the SonicOS SSH management interface allowing remote attackers to establish malicious TCP connections.

None of these vulnerabilities are known to have had exploits in the wild yet. SonicWall credited their discovery to Daan Keuper, Thijs Alkemade and Khaled Nassar of Computest Security through Trend Micro.

https://www.csoonline.com/article/3706518/sonicwall-firewall-hit-with-critical-authentication-bypass-vulnerability.html Categories: Network Security, Vulnerabilities
New clues about the alleged ransomware attack on Atos (Thu, 09 Jan 2025 14:26:19 +0000)

Tobias Arhelger – Shutterstock.com

At the end of December 2024, the Space Bears ransomware gang published a notice about data stolen from Atos. The French IT service provider, however, subsequently stated that there had been no ransomware attack on its systems.

The company does concede that the data came from a compromised third-party infrastructure. Which provider and which data are involved is still unclear. A recently published statement from Atos says only: “This infrastructure contained data that mentioned the Atos company name, but it is neither managed nor secured by Atos.”

The deadline for paying the ransom has since expired. Apparently the demanded sum was paid; indications of this can be found in a LinkedIn post by a journalist from the Süddeutsche Zeitung. Who made the payment, however, is still unknown.

By its own account, Atos, with 95,000 employees, is one of Europe’s largest IT service providers and supports numerous critical infrastructures. A successful cyberattack could therefore have far-reaching consequences.

https://www.csoonline.com/article/3700807/neue-hinweise-zur-angeblichen-ransomware-attacke-auf-atos.html Categories: Data Breach, Ransomware
China-linked hackers target Japan’s national security and high-tech industries (Thu, 09 Jan 2025 11:55:12 +0000)

Japan’s National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) have exposed a long-running cyber espionage campaign, “MirrorFace” (also known as Earth Kasha), allegedly linked to China.

The campaign, operational since 2019, has targeted Japanese organizations, businesses, and individuals, primarily to exfiltrate sensitive data related to national security and advanced technologies.

“It has been determined that the MirrorFace attack campaign is an organized cyberattack suspected to be linked to China, with the primary objective of stealing information related to Japan’s security and advanced technology,” the agencies said in a statement.

The agencies said this was confirmed based on an “analysis of the targets, methods, and attack infrastructure of the attacks.”

Japanese industries including aerospace, semiconductor, manufacturing, information and communications, and academics were the victims of this attack.

Other agencies involved in the probe include the Kanto Regional Police Bureau Cyber Special Investigation Unit, the Tokyo Metropolitan Police Department, and other prefectural police departments.

This revelation sends a strong warning to enterprises operating in high-stakes sectors like technology, manufacturing, and defense to bolster their cybersecurity strategies against increasingly sophisticated and targeted threats.

A widespread campaign with evolving tactics

In a detailed briefing and technical reports, Japanese officials described MirrorFace’s modus operandi, which involved leveraging cutting-edge tools like Microsoft’s Windows Sandbox and Visual Studio Code’s development tunnels.

The attackers deployed malware, including LODEINFO and ANEL variants, to infiltrate systems, evade detection, and exfiltrate data, the agencies said in a document detailing the exploitation methods.

Windows Sandbox was exploited to create a virtualized environment where malware could run undetected. Tasks were triggered via scheduled commands, allowing malware to operate within sandboxed environments. Attack traces, including shared folder configurations and encrypted files, were wiped upon shutdown, making forensic investigations challenging.

Similarly, attackers used Visual Studio Code’s development tunnels to establish covert connections, bypassing network defenses and remotely controlling compromised systems. Event logs and PowerShell commands in targeted systems provided insights into these breaches, the statement added.

The MirrorFace campaign stands out due to its use of spear-phishing, zero-day exploits, and highly covert malware, all meticulously designed to target Japan’s technological and national security assets. Experts believe these techniques reflect a calculated effort to avoid detection while extracting critical data.

“The MirrorFace campaign underscores how state-backed groups employ advanced tactics like spear-phishing, zero-day exploits, and sophisticated malware to infiltrate high-tech and national security targets,” said Arjun Chauhan, Senior Analyst at Everest Group. “The campaign’s focus on Japan’s cutting-edge research and defense sectors highlights the evolving nature of espionage, which is increasingly driven by strategic, economic, and geopolitical interests.”

Israeli cybersecurity firm Cybereason, which tracks MirrorFace’s activities under the name Cuckoo Spear, says the “threat Actor persists stealthily on their victims’ network for years” and links it to “Chinese-state sponsored cyber espionage group APT10.”

“Cuckoo Spear is related to the APT10 Intrusion Set because of the links made between various incidents from Threat Actors Earth Kasha and MirrorFace including both APT10’s old arsenal (LODEINFO) and new arsenal,” Cybereason cited in its threat analysis report.

Enterprise threat landscape

MirrorFace’s modus operandi is characterized by advanced tactics, including spear-phishing, the deployment of malicious payloads like LODEINFO v8.0, and the exploitation of customized localized infrastructure for evasion.

The campaign has honed its ability to compromise high-value assets, such as intellectual property in cutting-edge research and proprietary technologies crucial to Japan’s strategic industries.

With Japan being a global hub for innovation, enterprises face heightened risks. Attackers are leveraging sophisticated social engineering techniques to infiltrate corporate networks, potentially threatening intellectual property and the financial bottom line. For multinational enterprises, these incidents are a stark reminder of the need to assess and reinforce cross-border cybersecurity postures.

Broader Implications for the business sector

The MirrorFace campaign poses significant challenges to enterprises dependent on secure supply chains, particularly in sectors like aerospace, automotive, healthcare, and telecommunications. According to an analysis provided in an NPA report, compromised supply chains can introduce hidden vulnerabilities, impacting operations far beyond national borders.

Small and medium enterprises (SMEs), often subcontractors in critical supply chains, are particularly vulnerable due to limited resources to invest in advanced cybersecurity frameworks. This highlights the importance of larger enterprises incorporating supply chain risk management as part of their broader security initiatives.

Experts highlight the importance of proactive cybersecurity measures in safeguarding sensitive organizational assets against threats like MirrorFace.

“Japanese organizations are probably already doing what they must or can,” said Yugal Joshi, Partner at Everest Group. “Some of these are basics like regular vulnerability assessment, penetration testing, hacker days, etc.”

Joshi emphasized that adopting advanced technologies is equally crucial. “For them to do cyber defense more diligently, they need well-staffed CISO functions and use AI and automation in their operations. In addition, leveraging learning from other parts of the world, which Chinese hackers have targeted, will also help them,” he noted.

He added that employee readiness must remain a top priority, particularly given the sophistication of phishing and social engineering tactics often employed by attackers. “Employees are the weakest link in cyber defense, and they need to be coached, educated, and constantly trained,” Joshi said.

Japan’s coordinated response

Japanese authorities have intensified their collaboration with private and public sector entities to prevent the recurrence of such breaches.

“By publicizing MirrorFace’s tactics, our goal is to arm enterprises and individuals with the knowledge to thwart similar attacks in the future,” the NPA said in its advisory.

Businesses are urged to implement robust incident response strategies, focusing on endpoint protection, advanced threat detection, and rigorous employee training to counter social engineering tactics. Large enterprises must prioritize collaboration with government cybersecurity bodies to gain actionable threat intelligence and enhance real-time defenses, the advisory added.

https://www.csoonline.com/article/3691710/china-linked-hackers-target-japans-national-security-and-high-tech-industries.html Categories: Cyberattacks, Security, Vulnerabilities
New Mirai botnet targets industrial routers (Thu, 09 Jan 2025 10:36:17 +0000)

The Gayfemboy botnet is based on the Mirai malware and targets industrial routers around the world.

Jaiz Anuar – Shutterstock.com

According to security analyses, the Gayfemboy botnet, based on the notorious Mirai malware, is currently spreading around the world. Researchers at Chainxin X Lab found that cybercriminals have been using the botnet since November 2024 to attack previously unknown vulnerabilities. The botnet’s preferred targets include Four-Faith and Neterbit routers and smart home devices.

In this context, experts from VulnCheck reported at the end of December on a vulnerability in Four-Faith industrial routers (CVE-2024-12856) that was being exploited in the wild. The attackers reportedly used the router’s default credentials to launch a remote command injection.

In addition, the botnet was used for targeted attacks on unknown vulnerabilities in Neterbit routers and Vimar smart home devices. According to Chainxin X Lab, Gayfemboy is used against a total of 20 vulnerabilities and weak Telnet passwords. It has a brute-force module for insecure Telnet passwords, uses custom UPX packing with unique signatures and implements Mirai-based command structures. This reportedly enables the attackers to update clients, scan networks and carry out DDoS attacks.

Attack targets

According to the researchers, hundreds of targets have been attacked daily via the botnet since its discovery in February 2024. The number of daily active bot IPs is reportedly 15,000, most of them located in China, the US, Russia, Turkey and Iran. The attack targets are distributed around the world and affect various industries. The main targets are located in China, the United States, Germany, the United Kingdom and Singapore.

According to Chainxin X Lab, the botnet’s DDoS attacks are short-lived (between 10 and 30 seconds) but highly intense, with data rates exceeding 100 Gbit/s that can cause disruption even to robust infrastructures.

Vulnerable devices

According to the analysis, the botnet’s attacks target the following devices:

  • ASUS routers (via N-day exploits)
  • Huawei routers (via CVE-2017-17215)
  • Neterbit routers (custom exploit)
  • LB-Link routers (via CVE-2023-26801)
  • Four-Faith industrial routers (via the zero-day now tracked as CVE-2024-12856)
  • PZT cameras (via CVE-2024-8956 and CVE-2024-8957)
  • Kguard DVR
  • Lilin DVR (via remote code execution exploits)
  • Generic DVRs (using exploits such as TVT editBlackAndWhiteList RCE)
  • Vimar smart home devices (presumably exploiting an unknown vulnerability)
  • Various 5G/LTE devices (likely due to misconfigurations or weak credentials)

https://www.csoonline.com/article/3682107/neues-mirai-botnet-zielt-auf-industrierouter.html Categories: Artificial Intelligence
SOAR buyer’s guide: 11 security orchestration, automation, and response products — and how to choose (Thu, 09 Jan 2025 06:00:00 +0000)

Security orchestration, automation, and response (SOAR) has undergone a major transformation in the past few years. Features in each of the words in its description that were once exclusive to SOAR have bled into other tools. For example, responses can be found now in endpoint detection and response (EDR) tools. Orchestration is now a joint effort with security information and event management (SIEM) tools.

Many of these features are now found in managed security products that go by other names, such as threat and incident response or cloud security posture management (CSPM). And many of the SOAR tools are no longer just focused on security but have expanded to cover the wider context of how an enterprise infrastructure operates.


In this buyer’s guide

  • SOAR defined
  • Why you might need SOAR
  • Trends in the SOAR market
  • Key SOAR features to look for
  • The major SOAR providers and their offerings
  • What about the price of SOAR?
  • Questions to ask your team and your SOAR vendor
  • Essential reading

What is SOAR

The SOAR category originated back in 2015 — the term created by Gartner — when virtualization and containers were first coming into enterprise networks and applications, greatly expanding the threat and attack surface areas.

SOAR helps to orchestrate and integrate a wide tool collection, using automation to perform repetitive and simple tasks and to produce predefined playbooks that IT staff can use to reduce their risk profiles and respond to attacks by bad actors. The category has seen major changes, with numerous acquisitions as the major vendors such as Check Point, Cisco, Google, IBM, Microsoft, and Palo Alto Networks have bulked up their platforms with SOAR-like features.

Some analysts have soured on SOAR as it has undergone this transformation and as its features can now be found in other products. Ironically, Gartner has said that SOAR tools have not kept pace with changing requirements, putting them at the very bottom of their “hype cycle” — meaning that the innovation portion of SOAR is mostly a thing of the past. But even they admit that SOAR functionality has staying power and can be found in numerous other security tools.

Forrester Research partitions SOAR products into several categories: platforms, products that focus on threat intelligence, and those that are more centered around automation tasks. GigaOm divides the space into its own three categories of SOAR-only pure plays, full security platforms that integrate with other tool collections, and crossover products that originate from IT service management and automation segments. However you slice it, the SOAR market segment has more than 30 vendors.

Why you might need SOAR

The core reason for SOAR originally was it would be a major kingpin in an organization’s defensive posture. They were the first tools to not just discover a potential threat but automate a way to remove it and improve overall security. The goal was — and still is — to reduce the amount of time before a threat is found and resolved.

As security alerts have proliferated, the need to quickly classify and resolve them has gotten greater. “Day-to-day tactical activities take up too much time,” said Forrester’s Allie Mellen in the SOAR report. “SOAR technology provides security teams a way to automate some of these repetitive tasks and coordinate across tools from a single technology.”

However, in recent years, as malware has gotten sneakier and attackers more adept, SOAR has become just one weapon against these threats. Security has become more nuanced and integrated with case management and collaboration tools to become more effective. Some SOAR vendors have added machine learning techniques so that past events can help improve detection and eliminate false-positive annoyances. Machine learning is of course not unique to SOAR and further blurs the lines between SOAR and other security tools that tout more autonomous operations and threat responses.

These are all great reasons, but one factor weighing against SOAR is that these are expensive products, with prices around $300,000 per year or more. While there could be savings in not hiring additional SOC analysts or in finding malware quickly with the right SOAR, it could also mean hiring other analysts who are experienced in creating automated workflows to operate these products.

Large security vendors have widened their integrations with other vendors’ SOAR products, with some offering hundreds of third-party integrations. This means they can ingest security signals from sources such as SIEM tools, log analyzers, and endpoint detectors. This means “that SOAR tools can start running independently of SIEM tools to strengthen an organization’s security posture and automate nonsecurity processes as well,” said GigaOm’s Andrew Green in his October 2024 report linked above.

One example of this trend is the recently announced Security Incident Response service from AWS. This brings together a collection of various signals from across the entire AWS collection, tying together its GuardDuty and Security Hub monitoring services along with a human incident response team.

Many vendors have tied their SOAR and SIEM tools together, such as Palo Alto Networks’ Cortex, Microsoft’s Sentinel, and Netwitness’ Orchestrator. Swimlane and D3Security offer only a SOAR product, and both have wide third-party integrations.

Another trend stems from the growing threat of API-based attacks and their increasing sophistication. Kong has found in its latest survey that half of respondents have experienced these threats in the past year. This means that better detection and response automation is needed, with a broader scope to figure out what is going on across an enterprise network.

One way to do this is to leverage AI and machine learning. For example, according to AIM Research, “vendors are broadening their offerings with genAI-powered AI agents, copilots, context-aware AI assistants, automation and analytics security platforms, and attack training simulators. We are now noticing a rise in the integration of generative AI-specific capabilities into cybersecurity tools.” Swimlane Turbine SOAR and BlinkOps both have their AI copilots and AI-infused low-code playbook generators. Fortinet has its FortiAI and Google has its Gemini AI SecLM module that can provide more contextual guidance and execute commands.

Anomali has taken another approach. It doesn’t sell a separate standalone SOAR product, but adds its functionality with its AI-based copilot to its SIEM Security Analytics and ThreatStream intelligence tools. OpenText does something similar with its Enterprise Security Manager, essentially tossing in SOAR and AI functionality as part of the overall package.

But AI by itself means a staff needs to coordinate what is being automated and when. Forrester’s Mellen recommended in 2022 that security teams should “coordinate with other automation talent in other parts of the business,” such as with staff of a “center of excellence” to help build better SOC automation processes. “Often, companies have a lone analyst who maintains their SOAR tool,” and this collaboration could have big payoffs.

Finally, the best SOAR products come in a variety of packages: for on-premises installations as either a dedicated hardware appliance or standalone software, and in one of three virtual configurations, as a virtual machine image, a public cloud service, or a full SaaS/managed service. This gives these tools flexibility in where they are placed across an enterprise infrastructure and what they are protecting. No SOAR vendor offers all these options. Fortinet, Rapid7, and ServiceNow offer hardware options (but not all of the others), while Palo Alto Networks, Swimlane, and Tines offer all other options except the hardware package.

Key features to look for

SOAR products span a wide range of features and protective measures. Here are a few of the key features that can differentiate them:

  • How wide is the third-party integration envelope? Each SOAR vendor claims to have hundreds of integrations to others’ products, which is part of the product category’s secret sauce. But that means the SOAR experience can vary widely from installation to installation. Just citing the raw number of integrations is meaningless: for example, a vendor can integrate with dozens or more AWS services, or just S3, so it pays to get the specifics. We have linked to the online catalogs where available.
  • How many prebuilt workflows come included? BlinkOps claims thousands of automated workflows, but just as important is the process to create custom ones. Some vendors offer visual low-code editors or AI-enhanced creation tools.
  • How does the product avoid alert fatigue and false positives? The best tools cross-reference their signals to filter out false positives, such as leveraging multiple threat intelligence sources. Tines has a rather innovative way to use a Notion database combined with Elastic Security. D3Security claims its product can eliminate at least 90% of alerts automatically and has a free ROI calculator that possibly can quantify their benefit. Microsoft claims its tool eliminates up to 84% of false positives.
  • What about finding zero-day threats? Again, combining signals and feeds with automation processes can help to more quickly identify and neutralize zero-days.
  • Does the product serve nonsecurity or general orchestration purposes? As mentioned in the individual specifics of each product, some of the SOAR tools have branched out into nonsecurity areas, such as tracking file access and network traffic, or tracking employee life cycle and asset management or synchronizing with trouble ticketing systems and general application development alerts. Many vendors, with the notable exceptions of Google’s SOAR and Microsoft’s Sentinel, are already moving in this direction.

The major SOAR providers and their offerings

BlinkOps from Blink has hundreds of integrations listed here that span a wide variety of third-party software tools. It has thousands of prebuilt automated workflows (for example, Google Cloud Platform has 360 such automations) that span those that can run on preset schedules or with particular web hook triggers. It comes with two different AI copilots, one for building new workflows and one for automated case management. It also supports non-security automation and orchestration uses. Pricing starts at $17,500 per year.

D3Security Smart SOAR has more than 600 connectors to a variety of tools. The company says it will build anything that isn’t in this list for free. It has automations that handle incidents, search for false positives, and trigger mitigation responses. D3 also handles nonsecurity cases, such as employee onboarding and offboarding. The minimum annual price is $100,000. It plans to add a series of AI-based tools in early 2025 to help make customization more productive and effective.

Fortinet FortiSOAR has more than 600 connectors to a variety of other tools as well as tight integrations with other Fortinet products such as its SIEM, firewall, and XDR. Data is enriched with hundreds of threat intelligence sources, and the companion FortAI tool provides more analysis, creates playbooks, and executes simple commands. It can also be used for nonsecurity tasks such as employee onboarding or offboarding and equipment provisioning. It is available in SaaS, on-premises software, and cloud versions. Pricing comes in two tiers: starter and enterprise.

Google Security Operations SOAR is just one module of many components that have their roles in its Chronicle observability service. It supports more than 250 third-party integrations across all major security categories, including gathering data from various Google security and cloud services. It requires a SIEM connection (Google’s or others) to collect data. It works with Mandiant’s threat intelligence and alerts are sent in near real-time to the SOAR dashboard. It has a three-tier pricing structure.

IBM QRadar SOAR on-premises. In early 2024, IBM sold its QRadar SaaS version to Palo Alto Networks, keeping the OpenShift and virtual machine versions. It supports more than 300 third-party integrations listed in its marketplace, along with connectors to its Guardium and Verify product lines. QRadar also integrates with its Watson AI-based app dev studio, which when coupled with its Playbook Designer can be used to develop custom playbooks and workflows. It has been extended to nonsecurity use cases, such as employee onboarding and management. Unlike most of its competitors, it has a very transparent pricing estimator, based on the number of authorized users, that starts around $10,000 per year.

Microsoft Sentinel is a cloud-native dual SIEM and SOAR service that uses Azure analytic services. It can collect data from multiple cloud and on-premises sources with a variety of connectors, including prebuilt ones for its own Defender products as well as third-party tools such as AWS S3, various Google Cloud services, Jira Audit, and Okta that can be found on the Azure Marketplace. Microsoft has also written extensive migration plans from Splunk and QRadar SOAR tools and has AI-enhanced automation of workbooks with its Azure Logic Apps tool. It is available as a preview version with various usage-based pricing tiers but without the need for a 365/E5 Defender license, and is free to try for the first month with certain usage limits.

Palo Alto Networks Cortex XSOAR has more than 1,000 third-party integrations that can be reviewed on its marketplace covering both security and nonsecurity tools. The product has integrations with other security, network, and cloud tools from the vendor. It uses AI-enhancements to group and filter duplicate alerts, eliminate false positives, and create playbooks as well as learning from manual analyst interactions. XSOAR also works with a variety of large language models, including ChatGPT, Anything LLM, and Ollama, to analyze and interact with incident data.

ServiceNow Security Incident Response supports hundreds of third-party integrations across a wide variety of security products to enrich its data collection of incidents. This includes connecting with many ServiceNow modules for security, network, compliance, asset collection, and other IT-related issues. It works with three AI-based tools: Flow Designer, a visual drag-and-drop workflow creator; Predictive AIOps, for analyzing event logs; and Now Assist, for case management.

Splunk SOAR. Cisco completed its acquisition of Splunk early in 2024 and it now integrates with more than 300 third-party tools and Splunk’s Enterprise Security and Attack Analyzer products. It comes with more than 2,800 prebuilt automated workflows that can be easily tied to playbooks that can be constructed with a visual editor. A future integration is promised with Cisco’s Talos Intelligence threat feed. Splunk has an AI assistant for its Search Processing Language, enabling natural language prompting of queries. Splunk can also be applied to nonsecurity cases such as IT operations.

Swimlane Turbine has a wide catalog of hundreds of third-party integrations to a variety of security tools. This is enabled thanks to support for a variety of connections, including general REST APIs, webhooks, various telemetry sensors, and business logic tools. Swimlane claims to be the largest independent SOAR provider, meaning that it doesn’t offer any of its own SIEM or XDR companion products. It does have Turbine Canvas, an AI-based low-code automator, and Hero AI, used to automate playbooks for case management. Pricing starts at $72,000 per year for basic monitoring that includes 500 events. Usage charges for larger networks can add up quickly and could escalate this fee tenfold.

Tines has an extensive ecosystem of dozens of prebuilt third-party integrations with vulnerability management, the three major cloud platforms, and various EDR and SIEM vendors. Users can quickly build workflows to automate processes, including using its AI-powered Workbench. It can also automate various nonsecurity tasks such as employee onboarding or offboarding and asset management. There are both always-free and for-fee versions that start at $170,000 per year and can easily be double that amount for more complex installations.

Other SOAR providers include Exabeam, NetWitness, and SentinelOne; these providers declined to provide any specifics on their SOAR products.

What about the price of SOAR?

Unlike IBM and Microsoft, few of the SOAR vendors offer full public and transparent pricing. Three counterexamples are Tines’s pricing page, Splunk’s pricing page, and Google’s pricing page. All of these are long on details about how their prices are calculated without providing any actual dollar amounts. The others just ignore pricing altogether.

We obtained pricing from cloud providers’ managed service offerings, which may or may not be representative of other packaging options. The range is quite large, starting at about $20,000 per year. The top cost award is likely to go to Swimlane, which could reach an annual fee of $720,000 or more, depending on usage surcharges. Clearly, SOAR isn’t just an acronym, and the lack of pricing transparency means the sky is the limit. Potential customers will have to negotiate with vendor sales teams to obtain meaningful pricing.

Questions to ask your team and your SOAR vendor

  • Does the product offer more protection and automation features than using either an XDR or SIEM tool?
  • How wide and agnostic is your support for multiple third-party security vendors?
  • What integrations (to other security tools offered by the same vendor) are available? How is this data enriched and combined within the SOAR?
  • How is your workflow automation enabled?
  • What large language models and AI tools are used to enhance its features?

https://www.csoonline.com/article/3622920/soar-buyers-guide-11-security-orchestration-automation-and-response-products-and-how-to-choose.html (Enterprise Buyer’s Guides, Incident Response, Unified Threat Management)
Ivanti warns critical RCE flaw in Connect Secure exploited as zero-day Wed, 08 Jan 2025 23:52:52 +0000

IT software provider Ivanti released patches Wednesday for its Connect Secure SSL VPN appliances to address two memory corruption vulnerabilities, one of which has already been exploited in the wild as a zero-day to compromise devices.

The exploited vulnerability, tracked as CVE-2025-0282, is a stack-based buffer overflow rated as critical with a CVSS score of 9.0. The flaw can be exploited without authentication to achieve remote code execution and impacts Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways.

The second vulnerability, CVE-2025-0283, is also a stack-based buffer overflow impacting the same products but requires authentication to exploit and can only lead to privilege escalation. It’s rated as high severity with a CVSS score of 7.0.

According to Ivanti’s advisory, CVE-2025-0282 was exploited in “a limited number of customers’ Ivanti Connect Secure appliances” but the company is not aware of in-the-wild exploitation against Ivanti Policy Secure and Ivanti Neurons for ZTA gateways yet.

As for CVE-2025-0283, that vulnerability was discovered internally while investigating CVE-2025-0282, and there’s no evidence that it has been exploited. The flaws do not need to be chained for a successful attack.

For now, patches are available only for Ivanti Connect Secure, with patches for Policy Secure and Neurons planned for Jan. 21. That’s more than enough time for the patches to be reverse engineered and for proof-of-concept exploits to be developed and adopted by attackers.

However, Ivanti points out that Policy Secure is not supposed to be exposed to the internet, lowering the risk. It advises all customers to make sure the appliance is configured according to official recommendations.

Meanwhile, Neurons ZTA gateways cannot be exploited in production when connected to a ZTA controller. Only gateways generated and left unconnected are at risk of exploitation.

For Connect Secure the company advises customers to upgrade to version 22.7R2.5 and to perform scans with the internal and the external Integrity Checker Tool (ICT), which should detect signs of compromise.

“Factory reset on appliances with a clean ICT scan is recommended before putting 22.7R2.5 in production out of an abundance of caution,” the company said.

The CVE-2025-0283 vulnerability impacts both the 22.x and 9.x versions of Connect Secure, although the 9.x branch, which reached end-of-life on Dec. 31, will not receive a patch. The CVE-2025-0282 flaw impacts only the 22.x branch.
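One way to turn the guidance above (upgrade Connect Secure to 22.7R2.5, run both ICT scans, factory reset before production, treat 9.x as end-of-life, wait for the Jan. 21 patches on the other products) into an inventory triage is shown below. This is an added example, not Ivanti's tooling. Version strings are parsed in the 22.7R2.5 / 9.1R18.9 shape. Two assumptions are baked in and labelled in the code: every Connect Secure 22.x build older than 22.7R2.5 is treated as needing the upgrade, since the article does not list the exact affected builds, and for Policy Secure and ZTA gateways, for which no fixed build is named, any 22.x build is flagged as awaiting the vendor patch. The inventory itself is constructed.

```python
"""Triage an Ivanti appliance inventory against the published guidance.

Added example, not Ivanti's tooling. Assumptions: any Connect Secure 22.x
build below 22.7R2.5 needs the upgrade; any 9.x build is end-of-life with
no CVE-2025-0283 fix; Policy Secure / ZTA gateways on 22.x await the
patch planned for Jan. 21. The inventory below is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")
FIXED_CONNECT_SECURE = (22, 7, 2, 5)   # build Ivanti says to upgrade to


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """'22.7R2.4' -> (22, 7, 2, 4); '22.7R2' -> (22, 7, 2, 0); None if unrecognised."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def triage(product: str, version: str, ict_clean: Optional[bool]) -> Dict[str, str]:
    """Decide the next action for one appliance.

    ict_clean: True = internal and external ICT scans clean,
               False = ICT flagged the appliance, None = ICT not run yet.
    """
    v = parse_version(version)
    if v is None:
        return {"action": "verify", "reason": f"unrecognised version string {version!r}"}
    if v[0] == 9:
        return {"action": "migrate",
                "reason": "9.x reached end-of-life on Dec. 31 and gets no CVE-2025-0283 fix"}
    if ict_clean is False:
        return {"action": "incident response",
                "reason": "ICT reported compromise: isolate, preserve evidence, request IoCs from Ivanti, rebuild"}
    if ict_clean is None:
        return {"action": "run internal and external ICT",
                "reason": "no compromise check yet; scan before changing anything"}
    if v[0] == 22 and product != "Connect Secure":
        # Assumption: no fixed build named for these products on the page.
        return {"action": "await vendor patch (planned Jan. 21)",
                "reason": f"no fix shipped yet for {product}; keep it off the internet / attached to its ZTA controller"}
    if v[0] == 22 and v < FIXED_CONNECT_SECURE:
        # Assumption: every older 22.x Connect Secure build is in scope.
        return {"action": "factory reset, then upgrade to 22.7R2.5",
                "reason": "CVE-2025-0282 exploited in the wild; Ivanti recommends a reset even after a clean ICT"}
    return {"action": "none", "reason": "patched build with clean ICT scans; keep monitoring ICT"}


# Constructed inventory: (hostname, product, version, ict_clean)
INVENTORY = [
    ("vpn-edge-01", "Connect Secure", "22.7R2.4", True),
    ("vpn-edge-02", "Connect Secure", "22.7R2.5", None),
    ("vpn-legacy", "Connect Secure", "9.1R18.9", True),
    ("nac-core", "Policy Secure", "22.7R1.0", True),   # placeholder version
    ("vpn-dmz", "Connect Secure", "22.7R2.3", False),
]


def triage_inventory(inventory) -> List[Tuple[str, str]]:
    """Map every appliance to its next action."""
    return [(host, triage(product, version, ict)["action"])
            for host, product, version, ict in inventory]


if __name__ == "__main__":
    for host, action in triage_inventory(INVENTORY):
        print(f"{host:12s} -> {action}")
```

The ordering of the checks is deliberate: an appliance with a failed ICT scan goes to incident response before anyone thinks about patching it, and an unscanned appliance gets scanned first, because upgrading over a compromised image only destroys evidence.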

“Threat actor activity was identified by the Integrity Checker Tool (ICT) on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix,” the company said in a blog post. “We continue to work closely with affected customers, external security partners, and law enforcement agencies as we respond to this threat. We strongly advise all customers to closely monitor their internal and external ICT as a part of a robust and layered approach to cybersecurity to ensure the integrity and security of the entire network infrastructure.”

The company credits Google’s Mandiant and Microsoft’s Threat Intelligence Center (MSTIC) for collaborating in the response, so it’s possible more details about the attacks that exploited the vulnerability will be released at a later date by these companies as has happened in the past.

This is just the latest of several vulnerabilities in Ivanti products exploited in the wild as zero days by APT groups over the past year. In February 2024, the US government went so far as to order agencies to take Ivanti VPNs offline.

The company has not publicly released indicators of compromise observed for this latest exploit but said such information will be shared on request with customers that have confirmed impact with the ICT scans.

https://www.csoonline.com/article/3652369/ivanti-warns-critical-rce-flaw-in-connect-secure-exploited-as-zero-day.html (Network Security, Threat and Vulnerability Management, Zero-day vulnerability)
UN agency’s job application database breached, 42,000 records stolen Wed, 08 Jan 2025 23:52:21 +0000

The International Civil Aviation Organization (ICAO) on Tuesday said that it is “actively investigating reports of a potential information security incident allegedly linked to a threat actor known for targeting international organizations,” and has initially concluded that “approximately 42,000 recruitment application data records from April 2016 to July 2024” were stolen.

In its initial statement, the ICAO said, “We can confirm that this incident is limited to the recruitment database and does not affect any systems related to aviation safety or security operations.”

On Wednesday, ICAO officials elaborated on that statement during an email exchange between CSO Online and ICAO communications officer William Raillant-Clark, who said, “ICAO began its probe as soon as the claims were brought to our attention” on January 5, 2025.

But even if the systems impacting security were not directly affected, the information stolen could be used by attackers to impersonate airline officials with access to sensitive areas, according to Johannes Ullrich, the dean of research at the SANS Institute, which provides cybersecurity certifications and research.

“It’s very risky” because “we don’t know how [the attackers] are going to use the data that they now control. They could apply to jobs with that information,” Ullrich said. “If they have the information from a solid job application and they can impersonate them, it could place them in places of trust. It might be in backend systems that exchange flight data and such, potentially disrupting air travel.”

When asked how ICAO can say that this incident won’t affect aviation safety or security, Raillant-Clark said that the systems affected by this incident are not in any way connected or related to ICAO’s aviation safety or security work.

He said, “we are not in a position to validate claims or other statements made by external parties, and nor are we in a position to speculate on their intent.”

The agency said that the data was “claimed to be released by the threat actor known as Natohub.”

Reports have identified Natohub as the alias a data thief uses on BreachForum, a cyberthief forum and marketplace.  

Without getting specific, ICAO said, “we have implemented additional security measures to protect our systems. We are also working to identify and notify affected individuals.”

Extensive data stolen

“The compromised data includes recruitment-related information that applicants entered into our system, such as names, email addresses, dates of birth, and employment history,” the initial ICAO statement said. “The affected data does not include financial information, passwords, passport details, or any documents uploaded by applicants.”

There have been many reports of attacks on job application databases because they tend to have massive amounts of personally identifiable information (PII) and other sensitive information. 

Adding to the cybersecurity problem is the fact that many enterprises tend to outsource these sites to third parties who may not have the most robust protections.

One of the weaknesses in job application systems is the ability for applicants to upload files. “Allowing uploading of files, especially PDFs, is one of the most dangerous things a system can allow,”  Ullrich said, noting it could let attackers upload malware.

“These employment application databases are always targets because they have a lot of information” and many companies “collect more data than they really need,” he said. 

For example, Ullrich pointed to the ICAO statement that dates of birth were stolen. “Do they really need to ask that that early in the process?”

“I hope that they have strong evidence that it was not leaked,” he said, adding that the best tactics to protect such information is to encrypt as much data as possible and implement an automated mechanism to move data off of a public environment into a closed secure environment as quickly as possible. 

Ullrich also questioned the portion of the ICAO statement that detailed what had not been stolen. Given that breach reports are routinely updated and expanded, it’s much safer to say what was definitely stolen and not discuss what initially appears to have not been stolen.

Combatting these issues requires sophisticated, experienced cybersecurity talent, which “you often don’t find in these outsourced vendors” handling job application functions, Ullrich said. 

Given that the data grabbed spanned more than eight years, it seems likely that it was stored for an extensive period. 

He also questioned whether the attacker had actually targeted the UN agency, or whether it was just an attack of opportunity, where the attacker found holes in the third-party job application firm’s platform and was systematically going after all of its customers. 

The attacker might be just “taking out sites created by this vendor,” Ullrich said. “It’s very possible that [ICAO] was not targeted, and was just caught because of someone fishing for sites with a particular vulnerability.”

https://www.csoonline.com/article/3637864/un-agencys-job-application-database-breached-42000-records-stolen.html (Cyberattacks, Data Breach)
DNA sequencer vulnerabilities signal firmware issues across medical device industry Wed, 08 Jan 2025 21:48:01 +0000

In highlighting vulnerabilities in a widely used DNA gene sequencing device, security researchers have brought further attention to the likely poor state of security in the medical device industry, where hardware and firmware development is often outsourced to external equipment manufacturers under questionable support contracts.

The device, Illumina’s iSeq 100 compact DNA sequencer, is used by medical laboratories around the world for a wide range of applications. When investigating the device, researchers from supply chain security firm Eclypsium discovered vulnerabilities at the firmware level, as well as key missing security features designed to prevent malicious firmware implants.

“We found that the Illumina iSeq 100 used a very outdated implementation of BIOS firmware using CSM mode and without Secure Boot or standard firmware write protections,” the researchers wrote in a report. “This would allow an attacker on the system to overwrite the system firmware to either ‘brick’ the device or install a firmware implant for ongoing attacker persistence.”

But the nature of the development process typical for such devices suggests many other medical devices may be at risk of the same or similar issues — problems that often arise in the IoT and embedded device space, medical or otherwise.

A typical x86 computer — with typical legacy tech problems

Aside from its custom case, touchscreen interface, and other custom peripherals used for DNA sequencing, the iSeq 100 isn’t very different from a typical x86 desktop PC. Its base hardware consists of an Intel Celeron J1900 2GHz Quad Core CPU, 8GB RAM, and 240GB SSD running Windows 10 IoT Enterprise.

That’s not surprising given that Illumina, like many medical device vendors, outsourced the hardware design and manufacturing to an original design manufacturer (ODM) — in this case IEI Integration, which develops a wide range of industrial and medical computer products. IEI manufactured the motherboard inside the iSeq 100 and it is the supplier of the Unified Extensible Firmware Interface (UEFI) firmware that powers the device.

UEFI is a standardized specification for firmware in computer systems — the modern equivalent to BIOS — and includes the low-level code responsible for initializing a computer’s hardware before loading the operating system installed on the hard drive.

According to Eclypsium’s researchers, the firmware inside the iSeq 100 (B480AM12 – 04/12/2018) was released in 2018 and has known vulnerabilities. Computer and device manufacturers use UEFI implementations developed by a handful of independent BIOS vendors (IBVs) that they then configure and customize with their own code.

A vulnerability in the base UEFI implementation from an IBV is likely to impact products from all manufacturers that use that IBV’s firmware. For example, one attack dubbed LogoFAIL, discovered in 2023, affected base UEFI implementations from all three major IBVs — Insyde, AMI, and Phoenix — due to multiple vulnerabilities in their image parsing code.

As a result, most PC manufacturers had to release BIOS/UEFI updates, but many older PCs and motherboards have remained vulnerable in perpetuity because PC manufacturers offer software support only for a few years despite those products being used in the real world for much longer.

That problem is even worse in the IoT and embedded device space, where specialized real-time operating systems (RTOSes) are common. Firmware components such as TCP/IP stacks originally developed decades ago by software companies that no longer exist or whose intellectual property changed hands more than once over the years are often found in these devices.

Industrial hardware supply chains are impacted by this issue as well, making firmware security a difficult problem to tackle for end users if no firmware updates are provided. LogoFAIL is one of the vulnerabilities Eclypsium detected in iSeq 100’s outdated firmware, along with other issues such as the absence of firmware write protections, Secure Boot not being enabled, and the OS booting in Compatibility Support Mode (CSM).

The CPU microcode, typically included in UEFI, was also outdated and vulnerable to known side-channel data leak vulnerabilities impacting Intel CPUs such as Spectre v2 (Branch Target Injection) and Fallout and RIDL (Microarchitectural Data Sampling).

“Illumina appreciates Eclypsium Research’s report and our shared commitment to the Coordinated Vulnerability Disclosure principles,” an Illumina spokesperson told CSO via email. “We are following our standard processes and will notify impacted customers if any mitigations are required. Our initial evaluation indicates these issues are not high-risk.”

The spokesperson continued: “Illumina is committed to the security of our products and to privacy of genomic data and we have established oversight and accountability processes, including security best practices for the development and deployment of our products. As part of this commitment, we are always working to improve how we deliver security updates for instruments in the field.”

Firmware protections needed to prevent UEFI implants

Since firmware flashing is not blocked and the firmware is missing write protections for critical regions, attackers with local administrator access on the OS could easily inject malicious code into the firmware or rewrite it entirely, rendering the device inoperable.

“This is not a far-fetched scenario given that the Illumina sequencers were recently found to have a critical RCE (Remote Code Execution) vulnerability (CVE-2023-1968),” the Eclypsium researchers wrote in their report. “The issue affected a variety of Illumina devices, resulting in an FDA Class II recall as well as an ICS Medical Advisory from CISA.”

That 2023 RCE vulnerability has since been patched, but attackers could find another vulnerability or steal credentials for the device and exploit a privilege escalation flaw in Windows, which are common. The Illumina sequencer runs Windows 10 2016 LTSB, Version 1607, for which mainstream support ended in October 2021, but the extended support option will continue until October 2026.

The fact that Secure Boot is not enabled means the code responsible for booting the operating system, both at the UEFI level and the Windows bootloader itself, are not cryptographically verified. As such, malicious code could be injected into the boot process to take control of the OS kernel, a malware attack known as a bootkit (boot rootkit).
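The two findings above, a BIOS region without write protections and a boot chain without Secure Boot, are the kind of thing a firmware posture check reads straight out of the platform. The block below is an added example, not Eclypsium's or Illumina's code: it decodes the register values a tool such as chipsec would collect and the SecureBoot EFI variable as Linux exposes it, and renders a verdict for each. The BIOS_CNTL bit positions and the SPI protected-range register layout are assumed from the common Intel PCH documentation and may differ on the Bay Trail SoC in the iSeq 100; all register values and variable bytes are constructed samples.

```python
"""Firmware write-protection and Secure Boot posture check.

Added example; not Eclypsium's or Illumina's code. Register layout
(BIOS_CNTL bits, SPI PRx registers) is assumed from common Intel PCH
documentation. All sample values are constructed.
"""
from typing import List, Optional, Sequence, Tuple

# BIOS_CNTL bits (assumed Intel PCH layout)
BIOSWE = 1 << 0    # BIOS Write Enable: writes to the BIOS region allowed
BLE = 1 << 1       # BIOS Lock Enable: an attempt to set BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes only while in SMM


def decode_bios_cntl(value: int) -> dict:
    """Extract the three BIOS_CNTL bits that decide write protection."""
    return {"BIOSWE": bool(value & BIOSWE),
            "BLE": bool(value & BLE),
            "SMM_BWP": bool(value & SMM_BWP)}


def lock_bits_protect(value: int) -> bool:
    """Lock bits alone block OS-level writes only when BIOSWE is clear,
    BLE traps any attempt to set it, and SMM_BWP stops writes outside SMM."""
    b = decode_bios_cntl(value)
    return (not b["BIOSWE"]) and b["BLE"] and b["SMM_BWP"]


def decode_protected_range(value: int) -> Tuple[bool, int, int]:
    """PRx register: bit 31 = write-protect enable, bits 28:16 = limit and
    bits 12:0 = base, both in 4 KiB flash units (assumed layout)."""
    wpe = bool((value >> 31) & 1)
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    return wpe, base, limit


def ranges_cover(ranges: Sequence[Tuple[int, int]], start: int, end: int) -> bool:
    """True when the union of inclusive [base, limit] ranges covers [start, end]."""
    pos = start
    for base, limit in sorted(ranges):
        if base > pos:
            return False          # a gap before this range stays writable
        pos = max(pos, limit + 1)
        if pos > end:
            return True
    return pos > end


def bios_write_protected(bios_cntl: int, pr_values: Sequence[int],
                         bios_base: int, bios_limit: int) -> Tuple[bool, str]:
    """The two ways a platform can protect the BIOS region: lock bits, or
    SPI protected ranges that cover the whole region."""
    if lock_bits_protect(bios_cntl):
        return True, "BIOS_CNTL lock bits (BLE + SMM_BWP) block writes from the OS"
    wp_ranges = [(b, l) for wpe, b, l in map(decode_protected_range, pr_values) if wpe]
    if ranges_cover(wp_ranges, bios_base, bios_limit):
        return True, "SPI protected ranges cover the whole BIOS region"
    return False, "BIOS region writable from the OS: firmware can be bricked or implanted"


def secure_boot_enabled(efivar_bytes: bytes) -> Optional[bool]:
    """Parse the SecureBoot variable as efivarfs exposes it: a 4-byte
    little-endian attribute word followed by the 1-byte value (1 = on)."""
    if len(efivar_bytes) < 5:
        return None               # absent or truncated: legacy/CSM boot?
    return efivar_bytes[4] == 1


def assess(bios_cntl, pr_values, bios_base, bios_limit, secureboot_var) -> List[str]:
    """Render OK/FAIL/WARN findings for one platform snapshot."""
    findings = []
    ok, why = bios_write_protected(bios_cntl, pr_values, bios_base, bios_limit)
    findings.append(("OK: " if ok else "FAIL: ") + why)
    sb = secure_boot_enabled(secureboot_var)
    if sb is None:
        findings.append("WARN: SecureBoot variable absent or malformed (CSM boot likely)")
    elif sb:
        findings.append("OK: Secure Boot enabled, boot chain is signature-checked")
    else:
        findings.append("FAIL: Secure Boot disabled, bootloader is not verified (bootkit risk)")
    return findings


# Constructed samples: 16 MiB flash with the BIOS region in its upper half.
BIOS_REGION = (0x800000, 0xFFFFFF)
UNPROTECTED = dict(bios_cntl=0x00, pr_values=[0, 0, 0, 0, 0],
                   bios_base=BIOS_REGION[0], bios_limit=BIOS_REGION[1],
                   secureboot_var=b"\x06\x00\x00\x00\x00")
HARDENED = dict(bios_cntl=BLE | SMM_BWP, pr_values=[0x8FFF0800, 0, 0, 0, 0],
                bios_base=BIOS_REGION[0], bios_limit=BIOS_REGION[1],
                secureboot_var=b"\x06\x00\x00\x00\x01")

if __name__ == "__main__":
    for name, cfg in (("unprotected", UNPROTECTED), ("hardened", HARDENED)):
        print(name)
        for line in assess(**cfg):
            print("  " + line)
```

The "unprotected" sample reproduces the report's description: no lock bits, no protected ranges, Secure Boot off. Note that a protected range covering only part of the BIOS region still yields FAIL, because the uncovered slice is exactly where an implant would be written.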

UEFI bootkits have been used in the wild for over a decade. Examples include LoJax (2018), MosaicRegressor (2020), FinSpy (2021), ESPecter (2021), MoonBounce (2022), CosmicStrand (2022), and BlackLotus (2023).

Sign of a broader issue

While Eclypsium’s research looked only at the Illumina iSeq 100, the researchers believe many medical devices likely suffer from similar firmware security issues inherited from the hardware supply chain. Medical device vendors don’t always manufacture their device hardware themselves, instead focusing on their core area of expertise and outsourcing the rest of the device development process to ODMs and IBVs, for example.

“It is more than likely that the same process is utilized by many other manufacturers,” Alex Bazhaniuk, CTO of Eclypsium, told CSO. “Once a medical device manufacturer enters the R&D phase, they go ‘shopping’ at ODMs and IBVs for hardware and firmware solutions to accelerate their time to market. This process is treated like any other product transaction where the manufacturer gets offered a quote for the [hardware/firmware] and support for X years — sometimes this includes security updates at no cost and sometimes it does not.”

“From what we have seen, ODMs and even IBVs will provide updates up to a certain point, but once the device passes a certain age, it is much harder to issue fixes or even generate code for the fixes to begin with,” he said. “Keep in mind that industrial computer boards are designed to operate for much longer than regular computing boards we are familiar with.”

https://www.csoonline.com/article/3635417/dna-sequencer-vulnerabilities-signal-firmware-issues-across-medical-device-industry.html (Medical Devices, Supply Chain, Vulnerabilities)
Critical Mitel, Oracle flaws find active exploitation, CISA urges patching Wed, 08 Jan 2025 15:56:53 +0000

Attackers are actively exploiting flaws in Mitel MiCollab to gain unauthorized access to sensitive system files, the US Cybersecurity and Infrastructure Security Agency (CISA) has warned.

On Tuesday the agency added two path traversal vulnerabilities in the widely used communication platform to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of exploitation.

“These type of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in an advisory that also mentioned a critical Oracle flaw, first reported in 2022, which likely now has N-day exploits.

Chained for maximum impact

One of the Mitel flaws, tracked as CVE-2024-41713, is a critical (CVSS 9.8/10) path traversal vulnerability in the NuPoint Unified Messaging component of Mitel MiCollab that could allow an unauthenticated attacker to exploit a lack of sufficient input validation to gain unauthorized access and view, corrupt or delete user data and system configurations.

The other flaw, tracked as CVE-2024-55550 and rated moderately severe (CVSS 4.4/10), is another path traversal vulnerability that could allow authenticated attackers to read admin-level files on the local system due to insufficient input sanitization. The flaw, however, does not allow file modification or privilege escalation, Mitel said in an October 2024 disclosure.

While technical details of the exploitation were not disclosed in the CISA update, it is important to note that these vulnerabilities could be chained together to allow remote attackers to read sensitive system files.
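Both Mitel flaws come down to the same root cause the advisories name: a user-supplied path reaching the filesystem without sufficient validation. The block below is an added example, not Mitel's code, and says nothing about how MiCollab itself is built. It shows a file handler that concatenates the request path (the vulnerable pattern) beside a hardened version that decodes once, resolves the path and refuses anything outside the base directory, and a detector that flags traversal attempts, including percent- and double-percent-encoded ones, in ordinary web access logs. The base directory, file names and log lines are constructed.

```python
"""Path traversal: vulnerable handler, hardened handler, and log detection.

Added example; not Mitel's code. Base directory, file names and log lines
are constructed.
"""
import os
import re
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import unquote


def serve_file_vulnerable(base_dir: str, requested: str) -> str:
    """The 'before' pattern: joins the user-supplied name onto base_dir and
    never checks the result, so '../' segments walk out of base_dir.
    Returns the path that would be opened. Do not use."""
    return os.path.normpath(os.path.join(base_dir, requested))


def serve_file_hardened(base_dir: str, requested: str) -> Optional[Path]:
    """Decodes once, rejects NUL bytes, resolves symlinks and '..', then
    insists the result still lies under base_dir. Returns None for any
    escape attempt so the caller can answer 403/404."""
    decoded = unquote(requested).replace("\\", "/")
    if "\x00" in decoded:
        return None
    base = Path(base_dir).resolve()
    # An absolute 'requested' replaces base in the join; relative_to catches it.
    target = (base / decoded).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return None
    return target


def deep_unquote(s: str, rounds: int = 3) -> str:
    """Peel nested percent-encoding (%252e -> %2e -> .) a bounded number of times."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def is_traversal_attempt(url: str) -> bool:
    """True when any path or parameter segment decodes to '..', or when a
    NUL byte was smuggled into the request."""
    decoded = deep_unquote(url).replace("\\", "/")
    if "\x00" in decoded:
        return True
    return any(seg == ".." for seg in re.split(r"[/?&=]", decoded))


# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_traversal_in_logs(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client, url, status) for every request that looks like a
    traversal attempt. A 200 on such a line is the one to escalate."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["url"]):
            hits.append((m["ip"], m["url"], int(m["status"])))
    return hits


# Constructed log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jan/2025:10:15:32 +0000] "GET /app/assets/logo.png HTTP/1.1" 200 5120',
    '203.0.113.7 - - [07/Jan/2025:10:15:40 +0000] "GET /app/download?file=../../../../etc/passwd HTTP/1.1" 200 2048',
    '198.51.100.23 - - [07/Jan/2025:10:16:02 +0000] "GET /app/download?file=%2e%2e%2f%2e%2e%2fconf%2fapp.conf HTTP/1.1" 200 912',
    '198.51.100.23 - - [07/Jan/2025:10:16:10 +0000] "GET /app/download?file=report.pdf HTTP/1.1" 200 30211',
    '192.0.2.44 - - [07/Jan/2025:10:17:01 +0000] "GET /app/download?file=%252e%252e%252fconf%252fapp.conf HTTP/1.1" 404 201',
]

if __name__ == "__main__":
    print(serve_file_vulnerable("/srv/app/files", "../../etc/passwd"))  # escapes base_dir
    print(serve_file_hardened("/srv/app/files", "../../etc/passwd"))    # None
    for hit in flag_traversal_in_logs(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The hardened handler deliberately does not try to strip `..` out of the string; it resolves the path and checks the result, which also covers symlinks inside the base directory that point elsewhere. The detector decodes a bounded number of times so that double-encoded probes are caught without an attacker being able to stall it with deeply nested encoding.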

In October, Mitel had released patches for affected versions along with fixed versions for users to upgrade to.

Active exploitation indicates poor patching of the flaws and calls for immediate user action. CISA has recommended that Federal Civilian Executive Branch (FCEB) agencies patch affected systems as per the BOD 22-01 directive, which requires them to patch actively exploited flaws within 15 days.

Attackers exploit critical Oracle flaw

The CISA advisory also highlighted an old Oracle vulnerability, which the company patched in October 2024 following reports of “attempts to maliciously exploit” it. 

Identified as CVE-2020-2883, the flaw affected Oracle WebLogic Server, allowing unauthenticated attackers with network access to fully take over the server. The vulnerability received a severity score of CVSS 9.8/10.

CISA said BOD 22-01 applies to the Oracle flaw, and that organizations must reduce their exposure to cyberattacks by prioritizing its remediation.

https://www.csoonline.com/article/3634492/critical-mitel-oracle-flaws-find-active-exploitation-cisa-urges-patching.html (Communications Security, Vulnerabilities)
Ransomware gang extorts Weininger Metall System Wed, 08 Jan 2025 11:06:00 +0000
Hacker attack
Weininger Metall System GmbH is being extorted by a ransomware gang using stolen data.

PeopleImages.com – Yuri A/ Shutterstock.com

Industrial companies are a popular target for ransomware attacks because of their important role in the supply chain. Weininger Metall System GmbH, a significant player in the metal industry, was recently listed as a victim by the notorious 8Base ransomware group. In their darknet post, the hackers claim to have captured sensitive company data such as accounts, financial reports, and emails.

Reading tip: These companies have already been hit

Weininger Metall System has not yet issued an official statement on the attack. When asked by CSO, the company, based in Burgsinn, said only that, because of the ongoing investigation, no information may currently be released.

Meanwhile, the attackers are threatening to publish the stolen data. The deadline they have set expires on January 21.

About the 8Base gang

The 8Base ransomware group has been active since March 2022 and describes itself as “simple pen testers”. Like many other ransomware actors, the gang applies additional pressure by not only encrypting critical data but also publicly pillorying its victims. According to security researchers, 8Base has considerable similarities with another group called RansomHouse.

Reading tip: Ransomware trend: hackers with a destructive streak

https://www.csoonline.com/article/3633878/ransomware-bande-erpresst-weininger-metall-system.html (Cyberattacks, Ransomware)
The biggest data breach fines, penalties, and settlements so far Wed, 08 Jan 2025 07:30:00 +0000

Sizable fines assessed for data breaches in recent years suggest that regulators are getting more serious about cracking down on organizations that don’t properly protect consumer data.

Hit with a $1.3 billion fine for unlawfully transferring personal data from the European Union to the US, Meta tops the list of recent big-ticket sanctions, with one other ten-figure fine levied against the Chinese firm Didi Global for violating that nation’s data protection laws. The third largest penalty was the $877 million fine against Amazon in 2021 for running afoul of the General Data Protection Regulation (GDPR) in Europe.

Here are the biggest fines and penalties assessed for data breaches or non-compliance with security and privacy laws.

1. Meta (Facebook): $1.3 billion

In May 2023, Ireland’s Data Protection Commission (DPC) concluded an enquiry into Meta Platforms Ireland Limited (“Meta Ireland”) it had initiated in Aug 2020, billing the social media giant €1.2 billion ($1.3 billion) for violation of the GDPR. With regard to Article 46(1) of the GDPR, the Irish privacy watchdog blamed Meta Ireland for the transfer of personal data from the EU or the European Economic Area (EEA) to the US without adequate data privacy safeguards in connection with the delivery of its Facebook services. Meta’s president of global affairs, Nick Clegg, said, “We intend to appeal both the decision’s substance and its orders including the fine, and will seek a stay through the courts to pause the implementation deadlines.”

2. Didi Global: $1.19 billion

Chinese ride-hailing firm Didi Global was fined 8.026 billion yuan ($1.19 billion) by the Cyberspace Administration of China after it decided that the company violated the nation’s network security law, data security law, and personal information protection law. In a statement, Didi Global said it accepted the cybersecurity regulator’s decision, which came after a year-long investigation into the firm over its security practices and “suspected illegal activities.”

3. Amazon: $877 million

In summer 2021, retail giant Amazon’s financial records revealed that officials in Luxembourg had issued a €746 million (then $877 million) fine for breaches of the GDPR. Amazon was expected to appeal the fine, with a spokesperson stating, “There has been no data breach, and no customer data has been exposed to any third party.” La Quadrature du Net, the French digital rights organization that filed the original data protection complaint against Amazon on behalf of 10,065 individual complainants in May 2018, said that was unsurprising, since its 19-page complaint targeted Amazon’s operation of a behavioral advertising system without adequate consent, and not an intermittent leak of personal data.

4. Equifax: (at least) $575 million

2017 saw Equifax lose the personal and financial information of nearly 150 million people due to an unpatched Apache Struts framework in one of its databases. The company had failed to fix a critical vulnerability months after a patch had been issued and then failed to inform the public of the breach for weeks after it had been discovered.

In July 2019, the credit agency agreed to pay $575 million — potentially rising to $700 million — in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories over the company’s “failure to take reasonable steps to secure its network.”

$300 million of that will go to a fund providing affected consumers with credit monitoring services (another $125 million will be added if the initial payment is not enough to compensate consumers), $175 million will go to 48 states, the District of Columbia and Puerto Rico, and $100 million will go to the CFPB. The settlement also requires the company to obtain third-party assessments of its information security program every two years.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.”

Equifax had already been fined £500,000 (~$625,000) in the UK for the 2017 breach, which was the maximum fine allowed under the pre-GDPR Data Protection Act 1998.

In 2020, Equifax was made to pay further settlements relating to the breach: $7.75 million (plus $2 million in legal fees) to financial institutions in the US plus $18.2 million and $19.5 million to the states of Massachusetts and Indiana respectively.

5. Meta (Facebook, Instagram): $413 million

Concluding two inquiries into Meta’s data processing operations in the European region, which commenced on the day the GDPR came into operation (25 May 2018), the Irish Data Protection Commission (DPC) announced in January 2023 that it had found Meta’s platforms in breach of the GDPR “in connection with the delivery of its Facebook and Instagram services”. Meta Ireland was fined €210 million ($225 million) for Facebook violations and €180 million ($193 million) for Instagram violations.

Meta’s data processing operations with regard to the Facebook and Instagram services were found to be in violation of several articles of the GDPR, including Articles 5(1)(a), 6(1), 12, and 13(1)(c), relating to breaches of transparency and information obligations.

6. Instagram: $403 million

In September 2022, Ireland’s Data Protection Commissioner (DPC) fined Instagram for violating children’s privacy under the terms of the GDPR. The long-running complaint concerned data belonging to minors, particularly phone numbers and email addresses, which was made more public when some young users upgraded their profiles to business accounts to access analytics tools such as profile visits.

Instagram’s owner, Meta, said it planned to appeal against the decision. “This inquiry focused on old settings that we updated over a year ago and we’ve since released many new features to help keep teens safe and their information private,” a Meta official told BBC News. “While we’ve engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it.”

Andy Burrows, child-safety-online policy head at the National Society for the Prevention of Cruelty to Children (NSPCC), said, “This was a major breach that had significant safeguarding implications and the potential to cause real harm to children using Instagram. The ruling demonstrates how effective enforcement can protect children on social media and underlines how regulation is already making children safer online.”

7. TikTok: €345 million ($370 million)

In September 2023, TikTok was handed a €345 million ($370 million) fine by the Irish Data Protection Commission (DPC) for violating children’s data privacy under the GDPR. The DPC found that TikTok had not been transparent enough with children about its privacy settings, and raised questions about how their data was processed.

The inquiry sought to examine the extent to which, during the period between July 31, 2020 and December 31, 2020, TikTok complied with its obligations under the GDPR in relation to its processing of personal data relating to child users of the TikTok platform in the context of:

  1. Certain TikTok platform settings, including public-by-default settings as well as the settings associated with the Family Pairing feature.
  2. Age verification as part of the registration process.

“As part of the inquiry, the DPC also examined certain of TTL’s transparency obligations, including the extent of information provided to child users in relation to default settings,” the DPC said. The DPC’s decision, which was adopted on September 1, 2023, recorded findings of infringement of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), 13(1)(e) and 5(1)(a) GDPR, relating to a range of matters including data security, data protection by design, and data processing.

A spokesperson for the social media firm told media outlets, “We respectfully disagree with the decision, particularly the level of the fine imposed.”

8. T-Mobile: $350 million

In July 2022, mobile communications giant T-Mobile announced the terms of a settlement for a consolidated class action lawsuit following a data breach that occurred in early 2021, impacting an estimated 77 million people. The incident centered on “unauthorized access” to T-Mobile’s systems after a portion of customer data was listed for sale on a known cybercriminal forum. In an SEC filing, it was revealed that T-Mobile would pay an aggregate of $350 million to fund claims submitted by class members, the legal fees of plaintiffs’ counsel, and the costs of administering the settlement. The company would also commit to an aggregate incremental spend of $150 million for data security and related technology in 2022 and 2023.

“The company anticipates that, upon court approval, the settlement will provide a full release of all claims arising out of the cyberattack by class members, who do not opt-out, against all defendants, including the company, its subsidiaries and affiliates, and its directors and officers,” the filing read. “The settlement contains no admission of liability, wrongdoing or responsibility by any of the defendants. Class members consist of all individuals whose personal information was compromised in the breach, subject to certain exceptions set forth in the agreement. The company believes that terms of the proposed settlement are in line with other settlements of similar types of claims,” it added.

9. LinkedIn: €310 million ($335 million)

In October 2024, Ireland’s Data Protection Commission (DPC) fined LinkedIn €310 million ($335 million) for processing user data without proper consent, violating the GDPR. The Microsoft-owned platform used members’ personal information for behavioral analysis and targeted advertising without obtaining transparent, informed, or unambiguous consent. This fine is among the largest levied against a tech company for GDPR violations. LinkedIn plans to revise its ad practices to comply with the DPC’s demands, despite asserting its belief that it has complied with the regulation.

10. Meta (Facebook): $277 million

In November 2022, Ireland’s Data Protection Commission (DPC) fined Meta $277 million (€265 million) for the compromise of 500 million users’ personal information. The DPC started its inquiry on April 14, 2021, following reports of a collated data set of Facebook personal data that had been made available on the internet.

The scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer, and Instagram Contact Importer tools in relation to the processing carried out by Meta Platforms Ireland Limited (“MPIL”) during the period between May 25, 2018, and September 2019.

“The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default,” the DPC wrote. “The DPC examined the implementation of technical and organizational measures pursuant to Article 25 GDPR (which deals with this concept). There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC.”

The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.

11. Meta (Facebook): $263.5 million

In September 2024, Ireland’s Data Protection Commission (DPC) fined Meta €251 million ($263.5 million) for a 2018 Facebook breach that exposed the personal data of 29 million users. The breach, caused by a flaw in the “view as” feature, compromised sensitive information such as names, contact details, and locations.

Despite having fixed the flaw and reported the breach, Meta was still found to have violated the GDPR, adding to a running total of over $3 billion in fines. Meta plans to appeal the fine, citing the steps it has taken to enhance user data protection since the incident.

12. Meta (WhatsApp): $255 million

Facebook-owned messaging service WhatsApp was fined €225 million ($255 million) in August 2021 for a series of GDPR cross-border data protection infringements in Ireland. The fine followed a lengthy investigation and enforcement process which began in 2018 and involved the Data Protection Commission’s proposed decision and sanctions being rejected by its counterpart European data protection regulators, resulting in a referral to and ruling from the European Data Protection Board.

Allegations focused on complaints from users and non-users of WhatsApp’s services, involving alleged breaches of transparency and data subject information obligations under articles 12, 13, and 14 of the GDPR.

13. Home Depot: ~$200 million

In 2014 Home Depot was involved in one of the largest data breaches to date involving a point-of-sale (POS) system, leading to a number of fines and settlements being paid. Stolen credentials from a third party enabled attackers to enter Home Depot’s network, elevate privileges, and eventually compromise the POS system. More than 50 million credit card numbers and 53 million email addresses were stolen over a five-month period between April and September 2014.

Home Depot has reportedly paid out at least $134.5 million to credit card companies and banks as a result of the breach. In addition, in 2016 Home Depot agreed to pay $19.5 million to customers that had been affected by the breach, which included the cost of credit monitoring services to breach victims. In 2017 the firm agreed to pay an additional $25 million to the financial institutions affected by the breach that could be claimed by victims and cover banks’ losses.

Breaches can have a long tail of costs, especially when it comes to fines and settlements. In November 2020, the retailer paid a further $17.5 million settlement to 46 US states and Washington DC for the breach. The agreement also compels Home Depot to employ a highly qualified CISO, provide security training for key personnel, and ensure security controls and policies in areas like identity and access, monitoring, and incident response.

14. Capital One: $190 million

In December 2021, Capital One agreed to pay $190 million to settle a class-action lawsuit filed against it by U.S. customers over a 2019 data breach that affected 100 million people. This settlement comes more than a year after the U.S. Office of the Comptroller of the Currency fined Capital One $80 million for the same breach (see below).

A software engineer at AWS was behind the attack, which exposed information including bank account details. “While Capital One and AWS deny all liability, in the interest of avoiding the time, expense and uncertainty of continued litigation, plaintiffs and Capital One have executed a term sheet containing the essential terms of a class settlement that, if approved by this court, will fully resolve all claims brought by plaintiffs,” a filing with the U.S. District Court for the Eastern District of Virginia read. In an emailed statement, Capital One said that key facts in the case had not changed since it announced the event in coordination with federal authorities more than two years ago, with the hacker arrested and the stolen data recovered before it could be disseminated or used for fraudulent purposes. “We are pleased to have reached an agreement that will resolve the consumer class litigation in the U.S.,” the company added.

15. Uber: $148 million

In 2016 ride-hailing app Uber had 600,000 driver and 57 million user accounts breached. Instead of reporting the incident, the company paid the perpetrator $100,000 to keep the hack under wraps. Those actions, however, cost the company dearly. The company was fined $148 million in 2018 — the biggest data breach fine in history at the time — for violation of state data breach notification laws.

16. Morgan Stanley: $120 million (total)

In January 2022, investment bank and financial services giant Morgan Stanley agreed to pay $60 million to settle a legal claim relating to its data security. The agreement, if approved by a federal judge in Manhattan, will resolve a class-action lawsuit that was filed against the company in July 2020 regarding two security breaches that compromised the personal data of approximately 15 million customers. According to claimants, Morgan Stanley failed to protect the personally identifiable information (PII) of current and former clients. It is alleged that data center equipment decommissioned by the firm in 2016 and 2019 was not properly wiped clean and that a software flaw meant unencrypted, sensitive data was visible to whoever purchased the equipment.

The proposed claim settlement comes more than a year after Morgan Stanley was handed a separate $60 million civil penalty by the Office of the Comptroller of the Currency (OCC) in relation to the same incidents. The OCC stated that Morgan Stanley failed “to exercise proper oversight of the 2016 decommissioning of two Wealth Management business data centers located in the U.S. Among other things, the banks failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices.” In 2019, the banks experienced similar vendor management control deficiencies in connection with decommissioning other network devices that also stored customer data, the OCC added.

In a statement on the recent settlement agreement, Morgan Stanley said: “We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation.”

17. Google Ireland: $102 million

Google Ireland was hit by a €90 million ($102 million) fine by French data protection authority the CNIL on January 6, 2022. The fine related to how Google’s European arm implements cookie consent procedures on YouTube. “The CNIL has received many complaints about the way cookies can be refused on the websites google.fr and youtube.com,” it wrote. “In June 2021, the CNIL carried out an online investigation on these websites and found that, while they offer a button allowing immediate acceptance of cookies, the sites do not implement an equivalent solution (button or other) enabling the user to refuse the deposit of cookies equally easily. Several clicks are required to refuse all cookies, against a single one to accept them.” The restricted committee considered that this process affected the freedom of consent of internet users and constituted an infringement of Article 82 of the French Data Protection Act.

Editor’s note: This article, originally published in July 2019, is frequently updated as new information on incident penalties becomes available.

How CISOs can forge the best relationships for cybersecurity investment Wed, 08 Jan 2025 06:00:00 +0000

When it comes to securing cybersecurity investment, many factors are at play. The key often lies in the CISO’s ability to build relationships with key stakeholders across the organization. However, CISOs are being tasked with protecting their organizations while navigating budget constraints.

Although nearly two-thirds of CISOs report budget increases, funding is only up 8% on average this year. That’s much less than the previous year’s growth, according to the IANS 2024 Security Budget Benchmark Summary report.

With budgets constrained, a CISO’s ability to secure sufficient funding depends on their influence and reputation within the organization. Fostering strong relationships with key business leaders is critical to securing their budget goals.

From developers to the CFO: How to build trust

Erica Antos, CISO at TriNetX, places a premium on building strong cross-functional partnerships that not only advance security initiatives but also align with the business’s overall objectives. She identifies adjacent business functions as important partners for collaboration and alignment.

In her case, this involves understanding the priorities of the CFO, collaborating with legal to ensure data protection requirements are met, and working closely with IT and engineering to align security tools with broader organizational needs. “You want to understand what their goals are and identify some of the tools that security also uses that can help achieve both goals,” Antos says.

For example, a zero-trust solution will also help IT modernize network access and remove the need for a VPN. Privacy requirements can involve the general counsel and security through data protection. For this, she advises talking with legal about what their needs are and whether there are any tools that security can help with to achieve their objectives.

In other cases, it might involve engineering and working with developers and engaging with the CTO on things like code reviews or security alerts. “You can take a solution that security might use as a security event information management system that can also have a deployment that helps engineering teams,” she tells CSO.

Naturally, building a good relationship with finance is crucial. This involves understanding their objectives and showing how security initiatives can help achieve those goals or provide cost savings.

“It might not be aligning with finance to deploy some sort of a tool or get budget for something but showing efficiencies or how deploying certain tools can save X dollars,” Antos says.

Impact of CISO’s reporting line on budget and relationships

The CISO’s proximity to certain stakeholders, based on their reporting line, can also affect their ability to align with key business leaders. Whether a CISO reports to the CFO, CIO, or directly to the CEO can influence how they prioritize and communicate security needs, and ultimately, how quickly they can gain buy-in for additional funding.

“It can guide daily interactions that build the relationship, help them understand the needs of the group they’re a part of and be able to align more quickly,” says Antos.

Antos believes it helps if it forces the CISO to understand the business side of how the organization works. “That’s thinking about efficiencies with a business hat as opposed to thinking with a purely technical hat,” she says.

In turn, applying a business mindset helps CISOs achieve budget goals and greater satisfaction when day-to-day security operations are in sync with the strategic goals and priorities of leadership, including the board. CISOs who lead security programs viewed in the context of business risk are more likely to be satisfied with their budget when this alignment is in place, according to the IANS report.

However, in practice, CISOs can find themselves facing a critical paradox, according to Richard Watson, global and APAC cybersecurity consulting leader at EY. On one hand, the board can express a low appetite for cyber risk, but on the other hand, management might be saying there’s a need to cut a certain percentage from the budget. “These are almost irreconcilable positions, yet I see a number of CISOs struggling with this paradox,” Watson says.

While the CFO is a key stakeholder due to their budget management role, in these kinds of situations, Watson says it’s important for CISOs to highlight these contradictory objectives and look to natural allies to help build support for their budget.

He suggests that CISOs can spend time with the chair of the audit risk committee and explain the paradox because it’s not always visible to the board if management don’t declare they’re operating in a way that is constraining budgets. “If surfaced with the chair of the audit risk committee, it can help the CISO justify further budget increases, or why just staying flat and not cutting funds is a requirement,” he tells CSO.

Maintain a visible profile within the broader organization

CISOs satisfied with their budget typically have visibility and credibility with leadership, engage in risk management discussions, and present program metrics to the board, the IANS report noted. It suggests that CISOs must maintain a visible profile and engage within the broader organization and frame the conversation around business risk more than technical controls.

Watson agrees that to successfully navigate influential, funding-related relationships, CISOs need visibility beyond the cyber and IT functions within the larger organization. “They may have started from technical beginnings, but to branch out beyond the IT department they need to be counted as a business partner and business advisor,” says Watson.

As Chris Peake, CISO at Smartsheet, points out, it’s not just about the CISO’s visibility — it’s about helping the organization understand the scope of cybersecurity threats it faces. The goal is to provide the context for making decisions around priorities and therefore funding and budget.

“If security is going to be a business enabler, it’s visibility not just of the CISO and the security program; the threat landscape needs to be clear to everyone,” Peake says.

The CISO’s role is communicating this information broadly across the organization, including to the C-suite and board, and to align it with the overall business goals. “The rest of the business needs to understand what they’re up against and this helps them have the context for making decisions about what’s going to be prioritized,” Peake says.

While it’s not always been a natural fit for CISOs to be fluent in finance, that’s changing as more conversations consider the financial aspects of the business. “Most of my peers are talking about budget and how we finance and think about bringing new technologies into the organization,” he says.

New technologies like generative AI, which open new threat vectors, are also triggering some budget conversations because they require investment to manage and secure. “They may require resources and that requires new perspectives in terms of how we deploy our existing tools,” he says.

Nonetheless, there will be situations that hinder budget decisions where CISOs face challenges in getting certain projects prioritized.

Not having a relationship with a key stakeholder, or even having a contentious relationship, can create barriers that otherwise wouldn’t be there, Antos says. “It can lead to misunderstandings about what the security team is trying to do or lead to incorrect assumptions, misinterpretations or poor communications,” she says.

These can hinder budget allocation and lead to the solution or initiative falling off the priority list. It reinforces the importance of a shared understanding of the project’s importance. This requires constructive relationships and aligning priorities.

“A lot of the time, what security does is implemented by other teams, like engineering, developers or IT, and so whatever it is you’re looking to implement, you’ll need to get it prioritized into their work queue,” she says.

Financial literacy underpins relationships that impact funding

With organizations facing financial headwinds, it puts more pressure on CISOs to justify their budget to stakeholders including the CFO, CEO, and the board, according to Watson. “In addition, new requirements for SEC disclosures are driving a big focus on cyber risk quantification because materiality has become really important,” he says.

To convincingly answer these challenges, CISOs need to tie cyber risk to budget, which is why cyber risk quantification tools are becoming more important for them in building a robust business case.

“How do you prove if something is material or not? You need to have a mathematical formula to do that. It’s the art and science of cyber risk quantification that is now gathering a lot of momentum in organizations,” he says.

For smaller organizations and those that don’t engage consulting firms, Antos suggests they utilize ISACA or IANS tools and resources to build out their risk analysis and budgeting processes. “These tools provide guidance and materials to help security teams develop the necessary financial literacy and budgeting processes internally,” she says.

ISACA’s Capability Maturity Model Integration (CMMI) framework helps with cost control and risk-based budgeting strategies. Organizations using the framework showed a 47% reduction in cost variance, according to the 2023 CMMI Technical Report.

For Antos, degrees in information systems and accounting have helped to bridge the technical and financial aspects of the CISO role. She emphasizes that understanding the language of finance and communicating the business value of security investments can significantly strengthen a CISO’s position when negotiating budgets.

For CISOs, financial literacy is no longer optional — it’s essential for engaging stakeholders and building the business case for security investments.

Understanding the budgeting process and communicating security’s business value allows CISOs to bridge the gap between technical requirements and organizational priorities, ensuring they get the resources they need.

On a practical level, conversations about the needs of security, especially when it comes to big projects, need to start early and explain how the project will impact the business.

“Having all of that beforehand is a lot easier than trying to do it during the budgeting process,” she says.

Placebo versus nocebo effect: the psychology behind security awareness Wed, 08 Jan 2025 05:16:39 +0000
While the placebo effect describes positive expectations, the nocebo effect stands for negative ones. Both play a major role in how employees respond to a company’s security requirements.


The placebo effect is based on a person’s expectations and psychological interpretation. It reflects the power of the mind to positively influence physical and mental states. Research shows that the brain is actively involved in releasing endorphins and other chemical compounds that have been shown to lead to an improved perception of well-being.

The nocebo effect is the evil twin of the placebo effect. It describes the deterioration of a person’s condition due to negative expectations or beliefs, even when no actually harmful component is present. Like the placebo effect, the nocebo effect can lead to real physical and psychological changes. Negative expectations can expose the body to stressful situations, which can lead to unwanted symptoms.

There is an interesting parallel between the placebo and nocebo effects in the context of information security, particularly when it comes to shaping people’s perception and behavior with regard to information security.

Promoting security-compliant behavior, but how?

To positively influence changes in a person’s behavior in the interest of information security, we first have to understand the individual’s beliefs and attitudes toward the behavior that is to be changed. If people are convinced, for example, that strong passwords are essential to protect their professional and personal information and data, they will be more inclined to create complex passwords, not to share passwords, and to use two-factor authentication (2FA) as often as possible.

One example that helps to understand the importance of the knowledge factor is the introduction of mandatory seat belts in 1976: initially this measure met with considerable resistance, much as some employees may hesitate to follow security policies properly. Yet today almost everyone instinctively fastens their seat belt. Why? Because people can picture very precisely what happens if they are involved in a high-speed accident without a seat belt. This is because the cause, not wearing the seat belt, is not abstract but extremely tangible and easy to imagine.

Similarly, in information security it is crucial that we use knowledge to enable employees to recognize the immediate consequences of their actions. If they understand that clicking on an unsafe link or opening a questionable file can lead to serious consequences, they are more willing to take the necessary security measures. But the doctrine would be incomplete without the ability, or skill, of employees to implement the necessary measures effectively. This includes personal, technical and organizational skills as well as the ability to assess and manage risk.

Further reading: How new employees work securely – 7 tips for your security onboarding

While knowledge and ability represent a rational level, whose understanding and implementation can be strengthened by facts, the factor of willingness proves to be considerably more complex. This is mainly because it is heavily influenced by psychological background and individual characteristics.

Placebo effects in the context of information security awareness

Creating a positive security environment is of central importance for information security. This also means ensuring that employees' efforts in this area are valued and acknowledged. That can be achieved through rewards, recognition and a supportive corporate culture that encourages commitment to information security. The placebo effect shows that a person's expectations and beliefs can influence their perception and even their physical response. Applied to information security, this means that employees' knowledge and skills, combined with their expectations and beliefs about the effectiveness of security measures, have a considerable influence on their actual behaviour.

Overall, the aim is to use the placebo effect as a powerful strategy for promoting security-conscious behaviour. By acknowledging employees as active participants in strengthening information security, organisations can create an environment in which positive beliefs and expectations steer behaviour towards comprehensive security awareness. This approach ensures that employees are seen not merely as weak points but as a driving force for strengthening security.

Reading tip: Criminal OSINT research: how your employees become targets

If employees are convinced that their security knowledge and skills enable them to take effective steps to protect the organisation as a "pillar of information security", they will be more likely to participate actively in security-related activities. As with the placebo effect, positive expectations can increase the willingness to adopt security-relevant behaviour.

Nocebo effects in the context of information security awareness

The nocebo effect, usually regarded as the negative counterpart of the placebo effect, is also relevant in the context of information security. It can occur when employees in an organisation are constantly confronted with negative scenarios, threat reports and fear of security breaches. Overemphasising vulnerabilities, threats and risks without giving due weight to positive security measures can create a discouraging environment in which employees feel powerless against the threats. The effects are manifold:

  • Fear and paralysis: employees may feel overwhelmed by the flood of information about threats and come to believe that they will never be able to manage all potential risks. This can lead to anxiety and a crippling paralysis.

  • Devaluation of efforts: if employees feel that their information security efforts are irrelevant anyway in the face of supposedly insurmountable threats, they may lose interest in behaving securely.

  • Decline in behavioural intention: the nocebo effect can affect behavioural intention, since employees may be less willing to display security-conscious behaviour because of negative expectations.

Strategies for promoting security-conscious behaviour

To mitigate the nocebo effect and foster a positive security culture, it is important to create a balanced security awareness. The following measures can help:

  • Emphasising positive aspects: it is necessary to highlight the positive effects of security-conscious behaviour and to show employees how their efforts protect and strengthen the organisation.

  • Empowerment and training: employees should be enabled to develop their skills in identifying threats and applying security measures. Training, support, simulations and incident response exercises can build confidence and weaken the nocebo effect.

  • Increasing the learning effect through gamification: gamification in information security training has proven to be an effective strategy for increasing employee engagement and promoting security-conscious behaviour. The method uses elements from games to make learning content more attractive, interactive and motivating. Game elements such as points, rewards, competitions and progress indicators increase employee engagement. Employees are motivated to take an active part in the learning process and to engage with the security content.

Gamification also appeals to people's intrinsic drive to take on challenges and achieve goals. Being able to track progress and earn rewards increases the motivation to engage with security topics. Games are also often interactive and visually appealing, presenting information in a way that engages memory. This helps to direct attention to important security concepts and to convey the information more effectively, so employees are more likely to retain what they have learned and apply it in practice.

In addition, games often offer a safe environment in which to make mistakes and learn from them. Employees can recognise and handle security threats in a protected setting before they occur in reality. Regularly refreshing games, challenges and rewards keeps employees' interest alive, which can lead to long-term, sustainable learning effects.

It is important to present capabilities realistically while at the same time emphasising positive progress and perspectives, and to encourage people to shape their outlook and their actions optimistically. By taking the nocebo effect into account and designing communication and training accordingly, organisations can ensure that employees are not driven by fear or resignation but are motivated to make a positive contribution to information security. This promotes a balance between awareness and empowerment and prevents the nocebo effect from undermining security awareness.

Linking the placebo effect with knowledge and skills, behavioural intention and salience underlines the importance of regarding people as pillars of information security. By emphasising the positive aspects of security practices, employees can be motivated to contribute proactively to information security. (bw)

https://www.csoonline.com/article/3494919/placebo-versus-nocebo-effekt-die-psychologie-hinter-der-security-awareness.html
Category: Risk Management