Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The concept of ratings has been the accepted standard for making investment decisions. The first commercial credit reporting agency, the Mercantile Agency, was founded in 1841. While this relied on largely subjective methods of evaluation, it wasn’t until the 1960s, when credit reporting became computerized, that the industry consolidated and took off. Since then, credit and financial ratings models have progressed to become objective and trustworthy data points that inform lending decisions.

It’s been reported that 2.6 million user records sourced from the Duolingo app are for sale. The attacker apparently obtained them from an open API provided by the company. There’s a more technical explanation available here. While we talk a lot about the vulnerabilities in the OWASP API Top-10 and the exploits associated with those vulnerabilities, this incident provides a good reminder that not all vulnerabilities are flaws in code. In fact, this API was working as designed.

If you’re not particular techy these acronyms may not mean much, but you can easily make checks, even if you can’t implement the fix! Read on….. One of KEEPs consultants recently assessed a client (CNI) where only 55% of their domains had the necessary SPF and DMARC configurations in place correctly. This mis-configuration allows attackers (at minimum) to easily email spoof and target your users. If you do nothing else this week, check the basics!

There’s a sentiment that has, unfortunately, taken hold in the field of cybersecurity: Users are the weakest part of your environment. You can see why some may try to paint that picture. The statistics would seem to back it up: However, there’s a deeper truth hiding behind these statistics: It’s not the employees who are the weakest part of your security environment, it’s the training they receive.

In today's interconnected and digital world, businesses face increasing risks, particularly in the realm of cybersecurity. To address these risks and ensure the operational resilience of financial institutions, industries and governments push for regulatory frameworks. Two prominent examples are the EU's Digital Operational Resilience Act (“DORA”) and the UK's Prudential Standard PS21/3 (“PS21/3”).

Adversaries are doubling down on identity-based attacks. According to Nowhere to Hide: CrowdStrike 2023 Threat Hunting Report, we’ve seen an alarming 583% year-over-year increase in Kerberoasting attacks — a form of identity-based threat — and a 147% increase in access broker advertisements on the dark web. Adversaries are evolving their tradecraft, building custom tooling and leveraging more than usernames and passwords to breach your environments.

Business Email Compromise (BEC) remains a lucrative threat vector for attackers. The FBI’s IC3 reported that in 2022, they received 21,832 complaints with adjusted losses of over $2.7 billion. When it comes to targeted attacks, threat actor sophistication is evident in their ever-evolving tactics, even as detection capabilities and preventative measures improve. Let’s take a look at the current BEC landscape for the first half of 2023.