Cyber security trends for 2022

Nothing is more difficult than making predictions. Instead of trowing out wild ideas what might be coming, I have collected here some trends other people have predicted or reported.

Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.

Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threatit’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.

Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks; cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats

“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research development and investments. Advanced 5G and wireless networks will benefit higher traffic capacities, lower latency, increased reliability, and enable processing and analytics in real-time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating), enabling machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.

Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).

Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.

Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.

Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has
emerged: employee burnout.

In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product, ” points out constant vigilance is needed to secure all software.

The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development; operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.

Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
we’ve covered five main topics: 1 Malware, 2 Mobile, 3 Machine Learning and AI, 4 Ransomware (because we simply couldn’t not give it a section of its own), and 5 Where next?. PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf

“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
There are some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.

Kännyköiden tietoturva menee uusiksi
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension commands added to the CPU chip. In this solution, TEE type protections are provided by a secure enclave. The use of this type of security enclave needs less code than traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. The difference is significant in the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solution structure will also come in the smart phones. The new Armv9-A architecture last year offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an infinite number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.

Kyberhyökkäykset uhkaavat jo tavarantoimituksiakin
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf

Jarno Limnéll varoittaa “kyberpandemiasta” internetin häiriö voi panna maailman taas sekaisin
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnagl says. So even with technology, the world will not be completed. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”

Kyberhyökkäykset kiihtyvät, mutta yritykset voivat vastata niihin
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
Cyber attacks are accelerating, but companies can respond to them A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack area of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks

Trend Micron raportti: tulevaisuudessa kaikki on vaarassa
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.

3,062 Comments

  1. Tomi Engdahl says:

    The Top 5 Cloud Security Threats To Be Aware of in 2022
    https://www.namecheap.com/blog/the-top-5-cloud-security-threats-to-be-aware-of-in-2022/

    Organizations around the world are experiencing significant changes in the business environment. Remote work, digitalization, and evolving regulations are only a few of the changes companies deal with. The last thing an organization needs is a cyber incident that can have far-reaching impacts, including data loss, loss of reputation, and recovery costs.

    Cloud computing promises improved cybersecurity when compared to most legacy on-premise systems. But many organizational leaders aren’t fully aware of the threats and vulnerabilities that come with cloud computing. However, cyber threats are steadily increasing, targeting unassuming SMBs with little to no additional cybersecurity protocols for their cloud implementations.

    Staying on top of the latest cybersecurity trends is essential to protecting sensitive business and personal data. Let’s talk about the top five cloud security threats that every organization needs to be aware of in 2022.

    Reply
  2. Tomi Engdahl says:

    The Biggest Vulnerabilities that Hackers are Feasting on Right Now
    https://okapitech.co.uk/2022/10/20/the-biggest-vulnerabilities-that-hackers-are-feasting-on-right-now/

    Software vulnerabilities are an unfortunate part of working with technology. A developer puts out a software release with millions of lines of code. Then, hackers look for loopholes that allow them to breach a system through that code.

    The developer issues a patch to fix the vulnerability. But it’s not long before a new feature update causes more. It’s like a game of “whack-a-mole” to keep your systems secure.

    Keeping up with new vulnerabilities is one of the top priorities of IT management firms. It’s important to know which software and operating systems are being attacked.

    Without ongoing patch and update management, company networks are vulnerable. And these attacks are completely avoidable. 82% of U.S. cyberattacks in Q1 of 2022 were due to exploiting patchable vulnerabilities. This is a global problem.

    Reply
  3. Tomi Engdahl says:

    An old satellite was hacked to broadcast signals across North America
    The demonstration reveals the vulnerability of decommissioned, but not dead, satellites.
    https://www.freethink.com/space/decommissioned-satellite-hacking

    Reply
  4. Tomi Engdahl says:

    Internal Documents Show How Close the FBI Came to Deploying Spyware https://www.yahoo.com/now/internal-documents-show-close-fbi-160829343.html
    During a closed-door session with lawmakers in December 2021, Christopher Wray, the director of the FBI, was asked whether the bureau had ever purchased and used Pegasus, the hacking tool that penetrates mobile phones and extracts their contents. Wray acknowledged that the FBI had bought a license for Pegasus, but only for research and development. But dozens of internal FBI documents and court records tell a different story. The documents, produced in response to a Freedom of Information Act lawsuit brought by The New York Times against the bureau, show that FBI officials made a push in late 2020 and the first half of 2021 to deploy the hacking tools made by the Israeli spyware firm NSO in its own criminal investigations.
    The FBI eventually decided not to deploy Pegasus in criminal investigations in July 2021, amid a flurry of stories about how the hacking tool had been abused by governments across the globe. But the documents offer a glimpse at how the U.S. government over two presidential administrations wrestled with the promise and peril of a powerful cyberweapon. And, despite the FBI decision not to use Pegasus, court documents indicate the bureau remains interested in potentially using spyware in future investigations.

    Reply
  5. Tomi Engdahl says:

    New extortion scam threatens to damage sites’ reputation, leak data https://www.bleepingcomputer.com/news/security/new-extortion-scam-threatens-to-damage-sites-reputation-leak-data/
    An active extortion scam is targeting website owners and admins worldwide, claiming to have hacked their servers and demanding $2, 500 not to leak data. The attackers (self-dubbed Team Montesano) are sending emails with “Your website, databases and emails has been hacked” subjects. The emails appear to be non-targeted, with ransom demand recipients from all verticals, including personal bloggers, government agencies, and large corporations. Even though these emails can be scary to those website owners who receive them, it is important to remember that they are just scams.

    Reply
  6. Tomi Engdahl says:

    Security and fraud leaders need to speak the language of the board to translate security and fraud risks into monetary risks to the business
    https://www.securityweek.com/bringing-bots-and-fraud-boardroom

    Reply
  7. Tomi Engdahl says:

    CISA Releases Decision Tree Model to Help Companies Prioritize Vulnerability Patching
    https://www.securityweek.com/cisa-releases-decision-tree-model-help-companies-prioritize-vulnerability-patching

    The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday announced the release of a Stakeholder-Specific Vulnerability Categorization (SSVC) guide that can help organizations prioritize vulnerability patching using a decision tree model.

    The SSVC system was created in 2019 by CISA and Carnegie Mellon University’s Software Engineering Institute (SEI), and a year later CISA developed its own customized SSVC decision tree for security flaws relevant to government and critical infrastructure organizations.

    CISA is now encouraging organizations of all sizes to use its version of the SSVC for vulnerability management.

    The SSVC provides a customized decision tree model that assists companies in prioritizing vulnerability response. CISA’s SSVC helps organizations categorize each vulnerability into one of four categories:

    Track – does not require any action at this time and should be patched within standard update timelines,
    Track* – may require closer monitoring for changes and should be patched within standard update timelines,
    Attend – requires attention from internal supervisory-level individuals and should be addressed sooner than standard update timelines,
    Act – requires attention from supervisory- and leadership-level people and should be addressed as soon as possible.

    The SSVC tree helps users make a decision based on a vulnerability’s exploitation status, technical impact, whether it is automatable, impact on mission-essential functions, and the potential impact of system compromise on humans.

    Reply
  8. Tomi Engdahl says:

    Sigstore announced the general availability of its free and ecosystem-agnostic software signing service two weeks ago, giving developers a way to sign, verify and protect their software projects and the dependencies they rely on. Trail of Bits is absolutely thrilled to be a part of the project, and we spoke about our work at the inaugural SigstoreCon.
    https://blog.trailofbits.com/2022/11/08/sigstore-code-signing-verification-software-supply-chain/

    Reply
  9. Tomi Engdahl says:

    Moving from checkers to chess: Cyber tips for today’s boards
    https://brand-studio.fortune.com/diligent/cyber-tips-for-todays-boards/?prx_t=U7AHAAAAAAovEQA&fbclid=IwAR1wXvaFQP0Qk3Gn4z3Ap9E-8VtW5fSDu6MpvZukLKlRGB6WRv1rUwlwKVE

    Corporate board members have made great strides in cyber literacy in recent years, recognizing cybersecurity’s importance and getting up to speed on topics from patching and zero-day vulnerabilities to the need for cyber insurance.

    Cyber literacy is a journey that is just beginning. Escalating threats, expanding attack surfaces, and intensifying regulatory scrutiny are upping the ante for in-depth knowledge and sophisticated, timely conversations, among both management and stakeholders.

    Fundamental shifts in threats and infrastructure

    According to the panelists, recent geopolitical tensions, specifically cyber as an integral part of warfare, have spurred a considerable shift in the cyber landscape.

    Shevelyov likened cyber defense in today’s environment to “playing poker, when we don’t know all the cards on the table and we’re making probabilistic bets, or facing off against a nation state like playing the game Go,” he said. Cyber aggressors, he explained, “are gradually encircling us. They’re inserting threat actors through contracts or employees. They are attacking you with malware. They have a plan, a grand strategy targeting you.”

    Meanwhile, the infrastructure that organizations must defend is getting more complex as well, changing from internal systems on premises that can be guarded with a moat to ecosystems of third-party vendors that are less straightforward to monitor and protect.

    Defense now requires a broader view. First, organizations must look beyond controls that safeguard individual systems to the systems themselves: How do systems interlock with one another and how can the organization manage the connections across them to achieve resilience? Second, an organization’s cyber risk score must account for both internal security posture and market externalities, such as the geopolitical risks of the war in Ukraine.

    Finally, organizations must move the cyber discussion from prevention to mitigation.

    Kim said that organizations he works with used to ask how to prevent cyberattacks from happening. “We never get those questions anymore,” he said. “Now they assume the attack is happening. How can they best prepare from a technical controls and governance perspective while complying with rules and regulations?”

    Achieving the right level of understanding and involvement

    What does this all mean for board agendas and education? On one hand, directors act as generalists, due to the nature of their oversight role. They practice broader corporate management, mostly operating in a “noses in, fingers out” capacity. On the other hand, the new world of cyber requires directors to approach matters in different ways.

    “The board gets involved in quite a bit of detail around financial data,” Pegueros pointed out. “But how much are we going to put our fingers in around cyber?” Cyber is a very complicated topic, she explained, with a lot of detailed information that demands more detailed questions.

    Effective boards view such questions as more than short-term checklists. They weave them into constant, rich discussions that serve as a “connective tissue” between the board and management, for protecting the organization against potential attacks and shaping overall cybersecurity and risk strategy. What types of issues get escalated? What are the reporting mandates around such escalations? Are attack mitigation techniques integrated with business continuity?

    In Pegueros’ eyes, boards are not yet comfortable having these conservations. “We need to get there,” she said.
    Three steps for deeper cyber discussions:

    Decide on the metrics your board needs from security leaders.
    Determine the best reporting style for your company.
    Talk directly with security leaders, privately and often. One-off conversations are not enough.

    For determining what to focus on in such conversations, Kim advised using the SEC’s proposed rules on cybersecurity risk management, governance and incident disclosure as a guide.

    Such discussions and disclosures start with developing and implementing cybersecurity policies and procedures, risk oversight processes, the frequency of updates and so forth. But they don’t stop there. The SEC also wants to see cyber oversight as part of every new business initiative, Kim said. This includes digital transformation strategies like automation and AI or due diligence for M&A and joint venture activities.

    In short, cyber should no longer be a topic relegated to siloed board conversation but an integral part of strategic discussions and considered a matter of governance.

    What’s next for education, collaboration, and oversight

    In terms of cyber knowledge, “all boats have risen,” in Kim’s words.

    Pegueros talked about a fundamental lack of technical expertise on boards today, of which cyber is a subset. “I think we have a compartmentalization problem where people are only comfortable talking about the things they understand,” she said. “So there needs to be a shift of more education and more curiosity by board members on the new technologies and new things that are evolving that enable them to make better decisions.”

    Conversely, she continued, “as CISOs come onto boards, they need to work to become more well-rounded from a business perspective. They can’t come in and just talk about cyber vulnerabilities. They need to understand all the other elements of the business.”

    Boards and CIOs must learn how to navigate a wide range of externalities and interdependencies. Shevelyov cited the many types of risk an organization might face, from white swan “known knowns” to the black swan “unknown unknowns you can’t do much about” to so-called red swans.

    What processes do you have in place to validate such risks—how frequently and how effectively? How are you achieving an understanding of your risk overall? Shevelyov advised companies to integrate these principles into their business practices and “never really be comfortable in this space.”

    Meanwhile, individual leaders should aim to be what Shevelyov calls “Z-shaped professionals. “You understand the business, you understand the technology, and you understand the risk connected between the two.”

    Be sure to look retrospectively as well. He presented a hypothetical example: “It’s three years from now, our security strategy has failed—how did it fail?”

    “Have that discussion,” he encouraged. “Apply critical thinking skills through the five whys to get to root cause analysis. Begin to evolve that perception of just thinking about controls to thinking about systems that have impact on those cyber risk outcomes. And be curious.”

    Overall, he said, “Keep learning and improving. Security is a continuum. It’s a journey. You don’t get to the destination, you evolve over the course of time.”

    From her perspective as a CISO and board member, Pegueros advised that leaders emphasize consensus and focus. “Once organizations achieve agreement, they can allocate resources and move forward toward protecting that information. And once organizations identify their priority risks, say, their top five, they can discuss these risks and share updates with the necessary frequency.”

    From his perspective on the legal side, Kim emphasized the importance of a holistic approach. “The questions that the really effective senior leadership ask are all about connective tissue. For example, do you think we’re escalating incidents to the right people at the right time? Or, do we have a great instant response plan? Is that integrated with business continuity?”

    For the important step of communication, he talked about the importance of demystifying, simplifying and analogizing information, of distilling complicated and complex cyber issues into bite-size chunks and language that a wide range of people with different talent skills and backgrounds can understand.

    “I think this is absolutely critical if we want to move the lens from cyber literacy to fluency, which is where I think all of us want to get as an overall ecosystem,” he said.

    Reply
  10. Tomi Engdahl says:

    Australia to consider banning ransomware payments https://therecord.media/australia-to-consider-banning-ransomware-payments/
    Australia will consider banning ransomware payments in a bid to undermine the cybercriminal business model, a government minister said on Sunday. Clare O’Neil, the minister for home affairs and cybersecurity, confirmed to Australia’s public broadcaster ABC that the government was looking at criminalizing extortion payments as part of the government’s cyber strategy. The announcement follows several large security incidents affecting the country, including most significantly the data breach of Medibank, one of the country’s largest health insurance providers.https://www.bleepingcomputer.com/news/microsoft/windows-kerberos-authentication-breaks-after-november-updates/.
    Windows Kerberos authentication breaks after November updates.
    Microsoft is investigating a new known issue causing enterprise domain controllers to experience Kerberos sign-in failures and other authentication problems after installing cumulative updates released during this month’s Patch Tuesday. Kerberos has replaced the NTLM protocol as the default authentication protocol for domain-connected devices on all Windows versions above Windows 2000. BleepingComputer readers also reported three days ago that the November updates break Kerberos “in situations where you have set the This account supports Kerberos AES 256 bit encryption’ or This account supports Kerberos AES
    128 bit encryption’ Account Options set (i.e., msDS-SupportedEncryptionTypes attribute) on user accounts in AD.”

    Reply
  11. Tomi Engdahl says:

    GitHub Introduces Private Vulnerability Reporting for Public Repositories
    https://www.securityweek.com/github-introduces-private-vulnerability-reporting-public-repositories

    Microsoft-owned code hosting platform GitHub has announced the introduction of a direct channel for security researchers to report vulnerabilities in public repositories that allow it.

    The new private vulnerability reporting capability enables repository maintainers to allow security researchers to report to them any vulnerabilities identified in their code.

    Some repositories may contain specific instructions on how the maintainers can be contacted for vulnerability reporting, but for those that do not, researchers often report issues publicly.

    Regardless of whether the researcher reports the vulnerability via social media or by creating a public issue, this method could result in vulnerability details inadequately being made public.

    To avoid such situations, GitHub has introduced private reporting, where researchers can directly contact repository maintainers willing to enroll.

    If the functionality is enabled, the reporting security researchers are provided with a simple form they can fill out with details on the identified issue.

    “Anyone with admin permissions to a public repository can enable and disable private vulnerability reporting for the repository,” GitHub says.

    Reply
  12. Tomi Engdahl says:

    40 States Settle Google Location-Tracking Charges for $392M
    https://www.securityweek.com/40-states-settle-google-location-tracking-charges-392m

    Search giant Google has agreed to a $391.5 million settlement with 40 states to resolve an investigation into how the company tracked users’ locations, state attorneys general announced Monday.

    The states’ investigation was sparked by a 2018 Associated Press story, which found that Google continued to track people’s location data even after they opted out of such tracking by disabling a feature the company called “location history.”

    The attorneys general called the settlement a historic win for consumers, and the largest multistate settlement in U.S history dealing with privacy.

    It comes at a time of mounting unease over privacy and surveillance by tech companies that has drawn growing outrage from politicians and scrutiny by regulators. The Supreme Court’s ruling in June ending the constitutional protections for abortion raised potential privacy concerns for women seeking the procedure or related information online.

    Reply
  13. Tomi Engdahl says:

    War ‘Wake-up Call’ Spurs EU to Boost Cyber, Army Mobility
    https://www.securityweek.com/war-wake-call-spurs-eu-boost-cyber-army-mobility

    The European Union on Thursday unveiled new proposals to help its armies move faster in times of conflict and to boost cyber security, saying that Russia’s war on Ukraine is a wake-up call to bolster Europe’s defenses.

    “I think it’s a wake-up call for all of us. We must reinforce our ability to defend ourselves and also to defend our values,” European Commission Executive Vice-President Margrethe Vestager told reporters.

    The proposals aim to identify gaps in European infrastructure — such as roads, bridges, rail lines, ports or airports incapable of handling heavy or large military equipment — for priority upgrades and to ensure guaranteed access to fuel supplies right across the continent.

    They would also cut red tape by developing a joint electronic administration system to reduce the time that armed forces on the move might be caught up by border formalities or customs and tax rules. Currently, armies can face waits of at least five days to move military equipment across borders for war games and other maneuvers.

    The EU and NATO routinely combine forces together for military exercises but also have rapidly deployable combat brigades for use during times of conflict. U.S. military officers have long warned of the administrative and physical barriers to moving forces around Europe.

    To better ward off cyberattacks — civilian facilities ranging from hospitals to shipping companies have been by targeted by hackers in recent months — the EU should ramp up civilian and military cyber cooperation and improve exchanges between national and European level defense experts, the commission said.

    Reply
  14. Tomi Engdahl says:

    NSA Publishes Guidance on Mitigating Software Memory Safety Issues
    https://www.securityweek.com/nsa-publishes-guidance-mitigating-software-memory-safety-issues

    The National Security Agency (NSA) has published guidance on how organizations can implement protections against common software memory safety issues.

    Caused by how programs manage or allocate memory, logic errors, incorrect order of operations, or the use of uninitialized variables, software memory safety issues are often exploited for remote code execution (RCE).

    Representing the most common cause of vulnerabilities in many cases (Microsoft and Google blame memory safety issues for 70% of their bugs), memory safety issues may also lead to incorrect program behavior and performance degradation.

    According to the NSA, the first step towards eliminating memory safety issues is the use of a programming language that is not inherently opening the door to these vulnerabilities.

    C and C++, which offer flexibility regarding the management of memory, rely heavily on the programmer for memory reference checks. As such, even the smallest errors may lead to exploitable vulnerabilities.

    While software analysis tools may detect memory management defects and some protections may exist, using a memory safe software language can prevent or mitigate most of these issues, the NSA says.

    The NSA recommends using a memory safe language when possible. While the use of added protections to non-memory safe languages and the use of memory safe languages do not provide absolute protection against exploitable memory issues, they do provide considerable protection.

    https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/CSI_SOFTWARE_MEMORY_SAFETY.PDF

    Reply
  15. Tomi Engdahl says:

    2022 holiday DDoS protection guide
    https://www.microsoft.com/en-us/security/blog/2022/11/15/2022-holiday-ddos-protection-guide/
    The holiday season is an exciting time for many people as they get to relax, connect with friends and family, and celebrate traditions.
    Organizations also have much to rejoice about during the holidays (for example, more sales for retailers and more players for gaming companies). Unfortunately, cyber attackers also look forward to this time of year to celebrate an emerging holiday traditiondistributed denial-of-service (DDoS) attacks. While DDoS attacks happen all year round, the holidays are one of the most popular times and where some of the most high-profile attacks occur. Last October in India, there was a 30-fold increase in DDoS attacks targeting services frequently used during the festive season, including media streaming, internet phone services, and online gaming. While retail and gaming companies are the most targeted during the holidays, organizations of all sizes and types are vulnerable to DDoS attacks. It’s easier than ever to conduct an attack. For only $500, anyone can pay for a DDoS subscription service to launch a DDoS attack. Every year, DDoS attacks are also becoming harder to protect against as new attack vectors emerge and cybercriminals leverage more advanced techniques, such as AI-based attacks.

    Reply
  16. Tomi Engdahl says:

    MFA Fatigue attacks are putting your organization at risk https://www.bleepingcomputer.com/news/security/mfa-fatigue-attacks-are-putting-your-organization-at-risk/
    The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments, and individuals alike. A common threat targeting businesses is MFA fatigue attacksa technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. This attempt can be successful, especially when the target victim is distracted or overwhelmed by the notifications or misinterprets them with legitimate authentication requests.

    Reply
  17. Tomi Engdahl says:

    Näin varaudut kiristyshaittaohjelmiin “En ikinä luottaisi pelkästään automaattivarmuuskopiointiin”
    https://www.kauppalehti.fi/uutiset/nain-varaudut-kiristyshaittaohjelmiin-en-ikina-luottaisi-pelkastaan-automaattivarmuuskopiointiin/ce08dff3-c2ae-4f46-9a1d-74ff37019efb
    Yritysten tiedoilla voi kiristää monella tavalla. Hyökkääjä voi tietomurrossa salata organisaation kriittiset tiedot tai vuotaa arkaluonteiset tiedot verkkoon. Digian kyberturvallisuusasiantuntijan Teemu Keski-Valkaman mukaan Tietoturvariskeistä suurin ja merkittävin uhka ovat tällä hetkellä kiristyshaittaohjelmat. Hyökkäyksiä on eri tyyppisiä. “On opportunistisia, jotka menevät sinne minne helpolla pääsee, ja on kohdennettuja. Paljon on tilanteita, joissa ei toimita perinteisen kiristyshaittaohjelman tavoin. Naamioidutaan sellaiseksi tai vaaditaan tietojen vuotamisen kiristämisellä rahoja”, Keski-Valkama kertoo. Hyökkääjä pyrkii pääsemään sellaisiin yrityksen tietoihin, joista ollaan valmiita maksamaan tai varmistumaan, ettei tietoa ole vuodettu.

    Reply
  18. Tomi Engdahl says:

    Tällaista on armeijassa kybervarusmiehenä “aloitin koodaamisen 8.
    luokalla”
    https://www.tivi.fi/uutiset/tv/23afe16c-a729-465d-936c-e0c3c13b0af4
    Kolme noin parikymppistä varusmiestä on saanut luvan kertoa muista varusmiehistä poikkeavasta koulutuksestaan Iltalehdelle. Raamit ovat
    tiukat: ei nimiä, ei kasvoja, ei mitään tunnistetietoja jutun tekstiin eikä kuviin. Nuoret ovat ohjeet hyvin sisäistäneet vajaassa neljässä kuukaudessa. Panu, Vesa ja Tiia ovat saaneet luvan kertoa yleispiirteisesti varusmieskoulutuksestaan. Kovin moni ei tiedä, että he ovat kybererikoisjoukoissa.

    Reply
  19. Tomi Engdahl says:

    Swimlane Launches Security Automation Ecosystem for OT
    https://www.securityweek.com/swimlane-launches-security-automation-ecosystem-ot

    Security orchestration, automation and response (SOAR) provider Swimlane on Monday announced the launch of a security automation solution ecosystem for operational technology (OT) environments.

    The company has teamed up with several companies for this OT security automation ecosystem, including industrial cybersecurity firm Nozomi, event monitoring and risk detection firm Dataminr, and technology and security consulting firm 1898 & Co.

    A technology integration with Nozomi combines low-code security automation with OT and IoT security. The Dataminr integration results in a cyber-physical threat response solution that uses automated processes to mitigate risks and quickly warn employees of safety risks.

    As for 1898 & Co., it uses Swimlane as the core automation platform for its managed threat detection services.

    https://swimlane.com/solutions/industries/energy-and-utilities

    Reply
  20. Tomi Engdahl says:

    Risk Mitigation Strategies to Close the XIoT Security Gap
    https://www.securityweek.com/risk-mitigation-strategies-close-xiot-security-gap

    Understanding the vulnerability landscape of the XIoT to properly assess and mitigate risk is critically important to protect livelihoods and lives

    After more than 20 years of connecting devices to the Internet, we’ve reached the point where our physical world is very dependent on its digital components. We now have direct connections to process control systems and smart sensors in industrial environments, medical imaging equipment and patient monitoring systems in healthcare organizations, and other devices used in smart grids and building management systems. Even our most basic needs like food and water depend on cyber-physical systems (CPS) and the connected devices that underpin them, referred to holistically as the Extended Internet of Things (XIoT). But many of these connected devices were not necessarily designed with security in mind. This is par for the course with technology innovation and will take years, if not decades, before a new generation of connected assets emerges with more natively integrated security processes and pathways.

    Understanding the vulnerability landscape of the XIoT to properly assess and mitigate risk is critically important to protect livelihoods and lives. Recent key events have brought this into sharp focus:

    ● Industroyer2, a variant of the 2016 Industroyer malware, was deployed in a foiled attack against a Ukrainian electricity provider.

    ● A suite of attack tools called Incontroller (aka Pipedream) was discovered and found to have components purpose-built to target specific industrial equipment and disrupt service delivery.

    ● Dubbed OT:ICEFALL, 56 vulnerabilities were disclosed affecting devices from 10 XIoT vendors.

    While IT security research communities and vendor vulnerability disclosure programs have been around for decades to accelerate identification of vulnerabilities and corrective action, only recently have we started bringing that expertise and insights to the XIoT. With a growing realization that industrial environments are rapidly changing and more exposed to attack as highly connected CPS become the norm, the level of effort to safeguard users is accelerating.

    New research on XIoT vulnerabilities found that in the first half of 2022, vendor self-disclosures surpassed independent research outfits for the first time. While the number of vulnerabilities impacting smart devices, networking gear, and cameras almost doubled since the prior six months, vendors provided full or partial remediation for 91% of published vulnerabilities, including marked improvement in firmware remediations which presents challenges. This is significant as the vast majority of published XIoT vulnerabilities were either critical or high severity.

    Recommendations

    Mitigation strategies are often the only remediation option open to operational technology (OT) engineers and security teams in industrial environments, where many of the systems being connected to the Internet are legacy and availability or uptime is directly tied to the bottom line. The risk of disruption and downtime to implement a new security control, patch or system upgrade can be a non-starter. Even if you plan to patch during a maintenance window, the following foundational security measures should be put in place to mitigate risk moving forward:

    ● Network segmentation. Physical network segmentation between IT and OT networks reduces the chance of an attack on the IT network spreading to the OT network, but it can be a drawn out and costly endeavor. A cost-effective, efficient alternative is virtual segmentation within the OT environment to establish what “normal” communication looks like and create zone-specific policies, so security teams can be alerted to lateral movement as malicious actors try to establish a presence, jump zones, and move across the environment. This should include micro segmentation for XIoT devices, creating even smaller groups of assets with which these devices can communicate. In certain levels of the network, it isn’t possible to block traffic because doing so also stops the physical process and may create safety issues. However, this type of segmentation can improve network monitoring and access control and greatly accelerate response time, saving cost and reducing downtime in the event an attacker does establish a foothold.

    ● Secure remote access. Hand-in-hand with segmentation, secure remote access involves not only separating critical zones from the rest of the IT and OT networks, but also securing remote sessions through the addition of encryption, authentication, and authorization capabilities. Strict controls over users, devices, and sessions empowers organizations to identify connected devices, control access to devices and processes granularly, and be alerted to non-trusted communications and behavior across the network and terminate sessions if needed. Password vaulting and multi-factor authentication (MFA) provide additional layers of security controls to prevent password reuse and sharing among users.

    ● Cloud risk management. To gain process efficiencies, organizations are connecting XIoT devices and systems to the Internet and managing them from the cloud. However, vulnerabilities impacting cloud-managed OT devices and management consoles in the cloud often escape the attention of asset owners and security teams. Verify cloud support protocols of XIoT devices and use security mechanisms such as encryption and certificates to protect the exchange of data. Authentication and identity management mechanisms such as MFA, strong credentials, and granular user and role-based access control policies help prevent unauthorized access to devices and systems. Additionally, since cloud providers operate with a shared responsibility model, it is critically important to have clarity between the organization’s and its cloud providers’ responsibilities.

    XIoT Vendors Show Progress on Discovering, Fixing Firmware Vulnerabilities
    https://www.securityweek.com/xiot-vendors-show-progress-discovering-fixing-firmware-vulnerabilities

    Reply
  21. Tomi Engdahl says:

    Joka kymmenes ei ole koskaan vaihtanut Wi-Fi-verkkonsa salasanaa
    https://etn.fi/index.php/13-news/14257-joka-kymmenes-ei-ole-koskaan-vaihtanut-wi-fi-verkkonsa-salasanaa

    Wi-Fin suojaaminen salasanalla on ensimmäinen askel verkon turvallisuuden varmistamisessa. Siitä huolimatta AtlasVPN:n esittämien tietojen mukaan lähes joka kymmenes (9 %) Wi-Fi-salasanoja käyttävistä internetin käyttäjistä ei ole koskaan vaihtanut omaansa.

    Lisäksi 9 prosenttia ei tiedä, miten salasana vaihdetaan. Tiedot perustuvat PC Maticin suorittamaan kyselyyn, johon osallistui noin 2 500 henkilöä ympäri Yhdysvaltoja ja joka esiteltiin vuoden 2022 Password Hygiene And Habits -raportissa.

    Reply
  22. Tomi Engdahl says:

    Over 12,000 Cyber Incidents at DoD Since 2015, But Incident Management Still Lacking
    https://www.securityweek.com/over-12000-cyber-incidents-dod-2015-incident-management-still-lacking

    The US Government Accountability Office (GAO) this week has published a report detailing issues identified in the Department of Defense’s (DoD) cyber incident management processes.

    The report represents the conclusion of a year-and-half audit (March 2021 to November 2022) of DoD’s implementation of reporting and notification capabilities related to cyber incidents.

    The audit focused on in-place processes for reporting and notifying leadership, for reporting incidents involving the defense industrial base (DIB), and for notifying individuals when personally identifiable information (PII) has been exposed in a data breach.

    DIB includes entities that are outside the federal government but which deliver goods or services for meeting U.S. military requirements.

    “To conduct this work, GAO reviewed relevant guidance, analyzed samples of cyber incident artifacts and cyber incident reports submitted by the DIB and privacy data breaches reported by DoD, and surveyed 24 DoD cyber security service providers. In addition, GAO interviewed officials from DoD and cyber security service providers and convened two discussion groups with DIB companies,” GAO notes.

    The information systems that DoD and DIB rely on to carry out their operations are susceptible to cyberattacks, with more than 12,000 cyber incidents experienced since 2015. While the DoD did establish two processes for managing cyber incidents (one for all incidents and another for critical incidents), it failed to fully implement either of them, GAO says.

    “Despite the reduction in the number of incidents due to DOD efforts, weaknesses in reporting these incidents remain. For example, DOD’s system for reporting all incidents often contained incomplete information and DOD could not always demonstrate that they had notified appropriate leadership of relevant critical incidents,” GAO’s report reads.

    https://www.gao.gov/assets/gao-23-105084.pdf

    Reply
  23. Tomi Engdahl says:

    Moving from checkers to chess: Cyber tips for today’s boards
    https://brand-studio.fortune.com/diligent/cyber-tips-for-todays-boards/?prx_t=U7AHAAAAAAovEQA

    Corporate board members have made great strides in cyber literacy in recent years, recognizing cybersecurity’s importance and getting up to speed on topics from patching and zero-day vulnerabilities to the need for cyber insurance.

    Cyber literacy is a journey that is just beginning. Escalating threats, expanding attack surfaces, and intensifying regulatory scrutiny are upping the ante for in-depth knowledge and sophisticated, timely conversations, among both management and stakeholders.

    In a recent webinar, Diligent convened an expert panel to weigh in: Anthony (Tony) Kim, partner with Latham & Watkins; Nick Shevelyov, CSO, digital risk management expert, and author; and Vanessa Pegueros, former CISO for Expedia and DocuSign, who now serves on the boards of Forterra and Prisidio. Highlights follow.

    Fundamental shifts in threats and infrastructure

    According to the panelists, recent geopolitical tensions, specifically cyber as an integral part of warfare, have spurred a considerable shift in the cyber landscape.

    Shevelyov likened cyber defense in today’s environment to “playing poker, when we don’t know all the cards on the table and we’re making probabilistic bets, or facing off against a nation state like playing the game Go,” he said. Cyber aggressors, he explained, “are gradually encircling us. They’re inserting threat actors through contracts or employees. They are attacking you with malware. They have a plan, a grand strategy targeting you.”

    Meanwhile, the infrastructure that organizations must defend is getting more complex as well, changing from internal systems on premises that can be guarded with a moat to ecosystems of third-party vendors that are less straightforward to monitor and protect.

    Defense now requires a broader view. First, organizations must look beyond controls that safeguard individual systems to the systems themselves: How do systems interlock with one another and how can the organization manage the connections across them to achieve resilience? Second, an organization’s cyber risk score must account for both internal security posture and market externalities, such as the geopolitical risks of the war in Ukraine.

    Finally, organizations must move the cyber discussion from prevention to mitigation.

    Reply
  24. Tomi Engdahl says:

    https://brand-studio.fortune.com/diligent/cyber-tips-for-todays-boards/?prx_t=U7AHAAAAAAovEQA

    In Pegueros’ eyes, boards are not yet comfortable having these conservations. “We need to get there,” she said.

    Three steps for deeper cyber discussions:

    Decide on the metrics your board needs from security leaders.
    Determine the best reporting style for your company.
    Talk directly with security leaders, privately and often. One-off conversations are not enough.

    Such discussions and disclosures start with developing and implementing cybersecurity policies and procedures, risk oversight processes, the frequency of updates and so forth. But they don’t stop there. The SEC also wants to see cyber oversight as part of every new business initiative, Kim said. This includes digital transformation strategies like automation and AI or due diligence for M&A and joint venture activities.

    In short, cyber should no longer be a topic relegated to siloed board conversation but an integral part of strategic discussions and considered a matter of governance.

    What’s next for education, collaboration, and oversight

    In terms of cyber knowledge, “all boats have risen,” in Kim’s words. Yet the state of the seas ahead—intensifying threats, increased disclosure demands from regulators and investors—requires that leaders step up their navigational skills.

    Pegueros talked about a fundamental lack of technical expertise on boards today, of which cyber is a subset. “I think we have a compartmentalization problem where people are only comfortable talking about the things they understand,” she said. “So there needs to be a shift of more education and more curiosity by board members on the new technologies and new things that are evolving that enable them to make better decisions.”

    Conversely, she continued, “as CISOs come onto boards, they need to work to become more well-rounded from a business perspective. They can’t come in and just talk about cyber vulnerabilities. They need to understand all the other elements of the business.”

    Boards and CIOs must learn how to navigate a wide range of externalities and interdependencies. Shevelyov cited the many types of risk an organization might face, from white swan “known knowns” to the black swan “unknown unknowns you can’t do much about” to so-called red swans.

    Meanwhile, individual leaders should aim to be what Shevelyov calls “Z-shaped professionals. “You understand the business, you understand the technology, and you understand the risk connected between the two.”

    From his perspective on the legal side, Kim emphasized the importance of a holistic approach. “The questions that the really effective senior leadership ask are all about connective tissue. For example, do you think we’re escalating incidents to the right people at the right time? Or, do we have a great instant response plan? Is that integrated with business continuity?”

    Reply
  25. Tomi Engdahl says:

    Apple Sued for Allegedly Deceiving Users With Privacy Settings After Gizmodo Story
    Researchers found that Apple collects iPhone data even when the company’s own iPhone Analytics setting explicitly promises not to.
    https://gizmodo.com/apple-iphone-privacy-analytics-class-action-suit-1849774313

    Reply
  26. Tomi Engdahl says:

    Holiday Cybersecurity Staffing Levels a Difficult Balancing Act for Companies
    https://www.securityweek.com/holiday-cybersecurity-staffing-levels-difficult-balancing-act-companies

    The effect of reduced staffing levels doesn’t just attract more cybercriminals, it makes the outcome of attacks more severe

    It’s difficult to know the extent to which cybercriminals make use of weekends and holidays to launch their attacks; but it is generally accepted that they do. Crime, unlike business, is not a Monday to Friday, 9-to-5 occupation. And business, unlike crime, is understaffed over holiday/weekends.

    Extensive dwell times means an attack may have begun on a holiday, but not become apparent until much later. However, it is much easier to quantify the effect of cyberattacks that were launched and discovered over a weekend – they are generally more severe, harder to redress, and more expensive than weekday attacks.

    Both the Colonial Pipeline and JBS attacks, for example, occurred over holiday weekends.

    A global study of 1,023 cybersecurity professionals, conducted in September 2022 by Cybereason and titled Ransomware Attackers Don’t Take Holidays, highlights the extent of the attacks and the effect of reduced staffing over holiday/weekends. In the US, weekend and holiday staffing levels are on average less than 50% of normal levels. In Germany, this figure encompasses 91% of organizations. France, UAE, Singapore and South Africa firms are all in the 70% to 80% range.

    More dramatically, 21% of the respondents said they cut cybersecurity staffing levels by as much as 90%, while only 7% maintained staffing at 80% or more of normal weekdays.

    The effect of reduced staffing levels doesn’t simply attract more cybercriminals, it makes the outcome of the attack more severe. More than one-third of those companies that admitted to a holiday/weekend ransomware attack said they lost more money as a result. This is a 19% increase over a similar study in 2021. Individual sectors fared worse – a 42% increase in the education sector and a 48% increase in the travel and transportation industry.

    Reply
  27. Tomi Engdahl says:

    Cyber Resilience: The New Strategy to Cope With Increased Threats
    https://www.securityweek.com/cyber-resilience-new-strategy-cope-increased-threats

    As part of last month’s Cybersecurity Awareness Month, I was traveling around the globe to provide organizations actionable tips on how to strengthen their cybersecurity posture and allow for accelerated recovery from cyberattacks. Through my conversations with hundreds of analysts, system integrators, and security professionals one thing became apparent – many of them understand that it’s no longer a matter of ‘if’ but ‘when’ an organization will suffer a data breach. This means that instead of primarily focusing efforts on keeping threat actors out of the network, it’s equally important to develop a strategy to reduce the impact. In turn, many organizations have started adopting a new strategy to cope with today’s increased cyber threats, which is called ‘cyber resilience’.

    But what exactly is cyber resilience and how does it compare to traditional cybersecurity practices?

    According to MITRE, cyber resilience (or cyber resiliency) “is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources.” The need for cyber resilience arises from the growing realization that traditional security measures are no longer enough to protect systems, data, and the network from compromise. The objective of cyber resilience is to ensure that an adverse cyber event (intentional or unintentional, i.e., due to failed software updates) does not negatively impact the confidentiality, integrity, and availability of an organization’s business operation.

    Cybersecurity vs. Cyber Resilience

    Cybersecurity applies technology, processes, and measures that are designed to protect systems (e.g., servers, endpoints), networks, and data from cyberattacks. In contrast, cyber resilience focuses on detective and reactive controls in an organization’s IT environment to assess gaps and drive enhancements to the overall security posture. Most cyber resilience initiatives leverage or enhance a variety of cybersecurity measures. Both are most effective when applied in concert.

    Benefits of Cyber Resilience

    A cyber resilience strategy is vital for business continuity and can provide a range of benefits prior, during, and after a cyberattack, such as:

    • Enhanced Security Posture: Cyber resilience not only helps with responding to and surviving an attack. It can also help an organization develop strategies to improve IT governance, improve security across critical assets, expand data protection efforts, and minimize human error.

    • Reduced Financial Loss: According to the IBM Cost of a Data Breach Report 2022, the average cost of a data breach is now $4.35 million globally. In addition to financial costs, the reputational impact of data breaches is increasing due to the introduction of general data protection laws and stringent data breach notification requirements. Cyber resilience can help minimize recovery costs by accelerating time-to-remediation.

    • Improved Compliance Posture: Many industry standards, government regulations, and data privacy laws nowadays propagate cyber resilience.

    • Enhanced IT Productivity: One of the understated benefits of cyber resilience is its ability to improve the daily IT operations, including threat response and ensuring day-to-day operations run smoothly.

    • Heightened Customer Trust: Implementing a cyber resilience strategy helps improve trust as it enhances the chances of responding to and surviving a cyberattack, minimizing the negative impact on an organization’s customer relationships.

    • Increased Competitive Edge: Cyber resilience provides organizations a competitive advantage over companies without it.

    Both the range of cyber resources within an organization (e.g., networks, data, workloads, devices, and people) and the threats to which they are susceptible will determine what steps are needed to achieve cyber resilience. As a result, cyber resilience measures should be implemented based on an assessment of the tactics, techniques, and procedures (so-called TTPs) that hackers are commonly applying when exploiting their victims.

    For instance, endpoints are often used as an access point for hackers and cybercriminals to launch attacks that could infect an organization’s entire network or function as a beachhead to laterally move within the network. In fact, a Ponemon Institute survey revealed that 68 percent of organizations suffered a successful endpoint attack within the last 12 months.

    Despite widespread attempts to secure endpoints, this finding suggests that security has been rapidly eroding in today’s work-from-anywhere environment and therefore requires Endpoint Resilience, which is just one flavor of cyber resilience. Endpoint Resilience enables organizations to always know where their endpoints are, apply deep security control, and take defensive actions on those devices, which includes repairing protective security applications if they’re disabled, altered, or otherwise compromised.

    Reply
  28. Tomi Engdahl says:

    FBI warning: PC and tech support scams are back. Here’s what to watch out for
    https://www.zdnet.com/article/fbi-warning-pc-and-tech-support-scams-are-back-heres-what-to-watch-out-for/#ftag=RSSbaffb68
    The FBI is warning people to be alert to the threat of technical support scams, in which criminals pose as support staff from computer or software companies and try to trick unsuspecting PC users into giving up access to their bank accounts. The public service announcement by the FBI warns that there have been instances across the US recently of scammers posing as service representatives of software company tech support or computer repair services in attempts to trick victims into following instructions.

    Reply
  29. Tomi Engdahl says:

    Tietoturva on jatkuvaa murrosta
    https://www.tivi.fi/uutiset/tv/c5642265-224b-4c05-85b0-bf010395e68b
    Tietoturvauhkat muuttuvat alituisesti, ja turva-ala on jatkuvaa kilpajuoksua uusia menetelmiä kehittävien rikollisten ja torjuntakeinoja miettivien puolustajien välillä. Hyvä esimerkki nopeasta muutoksesta on kiristyshaittaohjelmien eli ransom­waren suosion nousu. Niillä tehtyjen hyökkäysten määrä kasvoi tietoturvayhtiö Fortinetin mukaan yli kymmenkertaiseksi vuosien 2020 ja 2021 välillä. Identiteettivarkaudet ovat toinen kasvualue.
    Teleyhtiö Verizonin mukaan vuonna 2021 selvästi suurin osa tietomurroista, 48 prosenttia, perustui kirjautumistunnusten väärinkäyttöön. Kasvu on nopeaa: neljä vuotta aiemmin osuus oli 37 prosenttia. Tietojenkalastelu tuli seuraavana vajaan viidenneksen osuudella. Usein toistettu hokema siitä, että ihminen on tietoturvan heikoin lenkki, pitää edelleen paikkansa. Samaisen Verizonin raportin mukaan 82 prosenttia murroista perustui ihmisen toimintaan, kuten varastettuihin tunnuksiin, kalasteluviestien linkkien klikkaamiseen, väärinkäytöksiin tai virheisiin. Väärin konfiguroidut pilvipalvelut vastaavat varsin suuresta osasta inhimillisiä virheitä.

    Reply
  30. Tomi Engdahl says:

    Token tactics: How to prevent, detect, and respond to cloud token theft https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/
    As organizations increase their coverage of multifactor authentication (MFA), threat actors have begun to move to more sophisticated techniques to allow them to compromise corporate resources without needing to satisfy MFA. Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose. By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly. This poses to be a concerning tactic for defenders because the expertise needed to compromise a token is very low, is hard to detect, and few organizations have token theft mitigations in their incident response plan.

    Reply
  31. Tomi Engdahl says:

    NSA Recommends Safe Memory Management
    Nov. 14, 2022
    The U.S. National Security Agency recently published the “Software Memory Safety” Cybersecurity Information Sheet.
    https://www.electronicdesign.com/technologies/embedded-revolution/article/21253089/green-hills-software-whats-the-difference-in-security-between-virtual-machines-and-containers

    What you’ll learn

    What is memory safety?
    Why is it important?
    What does the NSA recommend?

    Poor memory-management practices have been the cause of over 70% of the vulnerabilities found in today’s software. This can lead to a host of problems from programs that fail or degrade to providing attackers with a hook into the systems.

    “Memory-management issues have been exploited for decades and are still entirely too common today,” said Neal Ziring, Cybersecurity Technical Director. “We have to consistently use memory safe languages and other protections when developing software to eliminate these weaknesses from malicious cyber actors.”

    The challenge with embedded programs these days is a vast majority are written in C and C++. C++ can more easily mitigate some memory-management problems but not all. C on the other hand, depends on the watchful eye of the programmer to prevent these kinds of problems. Unfortunately, it’s too easy to include bugs in an application and difficult to identify them especially when looking at someone else’s code.

    NSA’s Software Memory Safety Info Sheet

    To address these issues, the U.S. National Security Agency (NSA) just released the “Software Memory Safety” Cybersecurity Information Sheet, which you can download. The NSA recommends using compiler options that would harden code, but the challenge is what can be done with a particular compiler. This is normally based on the programming language.

    C compilers can check a few things like uninitialized variables. However, it takes a language like Rust or Ada to provide more robust checks. It’s preferable to have the compiler do the checking, since it’s more consistent, will not overlook something that’s programmed to check, and it can force programmers to specify what requirements they have that should be applied regardless of the application.

    According to the NSA, “Examples of memory safe language include C#, Go, Java, Ruby, Rust, and Swift.” I find interesting that Ada and SPARK, a provable version of Ada, were not included in the list, especially given Ada’s government heritage.

    From an embedded perspective, C++, Rust, and Ada tend to be languages that can address embedded application needs because they don’t use garbage collection. Garbage collection can address a number of memory safety issues. That’s why languages like Java and Ruby are often mentioned as improvements over C because of their garbage-collection support, which prevents dangling pointers.

    The paper notes that “Memory safety can be costly in performance and flexibility. Most memory-safe languages require some sort of garbage collection to reclaim memory that has been allocated but is no longer needed by the program. There is also considerable performance overhead associated with checking the bounds on every array access that could potentially be outside of the array.”

    This is an interesting statement and applies to languages like Java that require garbage collection. It’s also not true that memory-safe languages require garbage collection, as Rust and Ada/SPARK don’t have this “feature.”

    Static and Dynamic

    The paper also says that “Several mechanisms can be used to harden non-memory-safe languages to make them more memory safe. Analyzing the software using static and dynamic application security testing (SAST and DAST) can identify memory use issues in software.”

    What’s intriguing is that they’re talking about security, because security and safety are two different although related programming topics. Static- and dynamic-analysis tools are useful in address safe memory use, too. They’ve been the backbone for supporting much of the safety-related standards like ISO 26262, where companies need to “prove” the safety and reliability of the application.

    Such applications have typically been written in C and C++, but they also require significant checking by humans, which isn’t as reliable as software when repeatedly doing many of these checks. Of course, we tend to be better at finding more complex logic errors versus the more straightforward memory manipulation problems being addressed by languages like Rust and Ada/SPARK.

    Carving a Path to High-Quality Software

    We’ve been covering development of high-quality software for some time as well as Ada/SPARK and Rust.

    Part of the challenge with any solution involving more than one programming language is interfacing, as well as finding or developing qualified programmers. Interfacing is the more challenging of the two—the differences are forced by the languages themselves, which change slowly and look at interfacing between systems as a secondary issue.

    The differences in language support also can be significant. For example, Rust uses traits to provide object-oriented-style support. Direct use of C++ objects with Rust can be a challenge for this reason. Even mixing C++ and Ada may be a challenge in this area because of differences in their similar but not identical class/object hierarchy.

    Adding more compilers and tools as well as training programmers in a new language will incur further costs; however, one must look at the cost as well as the payback. Remember, the reason for even discussing memory-safe languages is to reduce errors, prevent attacks due to errors, and deliver software.

    One interesting aspect is that software often can be delivered faster because fewer errors are in the code. That’s because the language and compilers prevent programmers from overlooking these problems.

    If you haven’t considered any of the safer programming alternatives but want to check them out, I have two online recommendations. One is the Rust Playground. This provides a web-based development system to try out simple Rust applications.

    The other is learn.adacore.com, which is a tutorial-based introduction to Ada and SPARK.

    https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/CSI_SOFTWARE_MEMORY_SAFETY.PDF

    Reply
  32. Tomi Engdahl says:

    NSA Recommends Safe Memory Management
    https://www.electronicdesign.com/blogs/altembedded/article/21254694/electronic-design-nsa-recommends-safe-memory-management
    Nov. 14, 2022
    The U.S. National Security Agency recently published the “Software Memory Safety” Cybersecurity Information Sheet.
    What you’ll learn
    What is memory safety?
    Why is it important?
    What does the NSA recommend?
    Poor memory-management practices have been the cause of over 70% of the vulnerabilities found in today’s software. This can lead to a host of problems from programs that fail or degrade to providing attackers with a hook into the systems.
    “Memory-management issues have been exploited for decades and are still entirely too common today,” said Neal Ziring, Cybersecurity Technical Director. “We have to consistently use memory safe languages and other protections when developing software to eliminate these weaknesses from malicious cyber actors.”
    The challenge with embedded programs these days is a vast majority are written in C and C++. C++ can more easily mitigate some memory-management problems but not all. C on the other hand, depends on the watchful eye of the programmer to prevent these kinds of problems. Unfortunately, it’s too easy to include bugs in an application and difficult to identify them especially when looking at someone else’s code.
    NSA’s Software Memory Safety Info Sheet
    To address these issues, the U.S. National Security Agency (NSA) just released the “Software Memory Safety” Cybersecurity Information Sheet, which you can download. The NSA recommends using compiler options that would harden code, but the challenge is what can be done with a particular compiler. This is normally based on the programming language.
    C compilers can check a few things like uninitialized variables. However, it takes a language like Rust or Ada to provide more robust checks. It’s preferable to have the compiler do the checking, since it’s more consistent, will not overlook something that’s programmed to check, and it can force programmers to specify what requirements they have that should be applied regardless of the application.
    According to the NSA, “Examples of memory safe language include C#, Go, Java, Ruby, Rust, and Swift.” I find interesting that Ada and SPARK, a provable version of Ada, were not included in the list, especially given Ada’s government heritage.
    From an embedded perspective, C++, Rust, and Ada tend to be languages that can address embedded application needs because they don’t use garbage collection. Garbage collection can address a number of memory safety issues. That’s why languages like Java and Ruby are often mentioned as improvements over C because of their garbage-collection support, which prevents dangling pointers.
    The paper notes that “Memory safety can be costly in performance and flexibility. Most memory-safe languages require some sort of garbage collection to reclaim memory that has been allocated but is no longer needed by the program. There is also considerable performance overhead associated with checking the bounds on every array access that could potentially be outside of the array.”
    This is an interesting statement and applies to languages like Java that require garbage collection. It’s also not true that memory-safe languages require garbage collection, as Rust and Ada/SPARK don’t have this “feature.”
    Static and Dynamic
    The paper also says that “Several mechanisms can be used to harden non-memory-safe languages to make them more memory safe. Analyzing the software using static and dynamic application security testing (SAST and DAST) can identify memory use issues in software.”
    What’s intriguing is that they’re talking about security, because security and safety are two different although related programming topics. Static- and dynamic-analysis tools are useful in address safe memory use, too. They’ve been the backbone for supporting much of the safety-related standards like ISO 26262, where companies need to “prove” the safety and reliability of the application.
    Such applications have typically been written in C and C++, but they also require significant checking by humans, which isn’t as reliable as software when repeatedly doing many of these checks. Of course, we tend to be better at finding more complex logic errors versus the more straightforward memory manipulation problems being addressed by languages like Rust and Ada/SPARK.
    Carving a Path to High-Quality Software
    We’ve been covering development of high-quality software for some time as well as Ada/SPARK and Rust.
    Part of the challenge with any solution involving more than one programming language is interfacing, as well as finding or developing qualified programmers. Interfacing is the more challenging of the two—the differences are forced by the languages themselves, which change slowly and look at interfacing between systems as a secondary issue.
    The differences in language support also can be significant. For example, Rust uses traits to provide object-oriented-style support. Direct use of C++ objects with Rust can be a challenge for this reason. Even mixing C++ and Ada may be a challenge in this area because of differences in their similar but not identical class/object hierarchy.
    Adding more compilers and tools as well as training programmers in a new language will incur further costs; however, one must look at the cost as well as the payback. Remember, the reason for even discussing memory-safe languages is to reduce errors, prevent attacks due to errors, and deliver software.
    One interesting aspect is that software often can be delivered faster because fewer errors are in the code. That’s because the language and compilers prevent programmers from overlooking these problems.
    If you haven’t considered any of the safer programming alternatives but want to check them out, I have two online recommendations. One is the Rust Playground. This provides a web-based development system to try out simple Rust applications.
    The other is learn.adacore.com, which is a tutorial-based introduction to Ada and SPARK.

    https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/CSI_SOFTWARE_MEMORY_SAFETY.PDF

    Reply
  33. Tomi Engdahl says:

    Personnel security in the cloud
    https://www.ncsc.gov.uk/blog-post/personnel-security-in-the-cloud
    While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far. In a hyperscale cloud provider, this could still be several thousand people, working around the globe. Security screening and limiting alone still leaves a significant risk of malicious or accidental access to data. Instead, you should expect your cloud provider to take a more layered approach.

    Reply
  34. Tomi Engdahl says:

    Yritysten kyberturvassa edelleen isoja aukkoja Asiantuntija: Kysymys jopa kansallisesta turvallisuudesta
    https://www.kauppalehti.fi/uutiset/yritysten-kyberturvassa-edelleen-isoja-aukkoja-asiantuntija-kysymys-jopa-kansallisesta-turvallisuudesta/ff16adc0-fba8-41ba-bea2-f9de093bbda1
    Tiedon puute, työntekijöiden osaamisen ylläpito ja välinpitämättömyys ovat vahvimpia esteitä yritysten kyberturvallisuuden kehittämisessä, selviää Helsingin seudun kauppakamarin ja Avarn Securityn kyberturvallisuusselvityksestä.

    Reply
  35. Tomi Engdahl says:

    US Gov Cybersecurity Apprenticeship Sprint: 190 New Programs, 7,000 People Hired
    https://www.securityweek.com/us-gov-cybersecurity-apprenticeship-sprint-190-new-programs-7000-people-hired

    The US government’s 120-day Cybersecurity Apprenticeship Sprint has come to an end. The initiative has resulted in more than 190 new cybersecurity programs and 7,000 apprentices getting hired.

    The sprint was launched in July by the White House, the Department of Labor and various other government agencies, as well as private sector partners. The goal was to promote the Registered Apprenticeship model for developing and training a skilled and diverse cybersecurity workforce.

    Specifically, as part of this national campaign, the government encouraged employers, labor unions, industry associations, and training providers to consider Registered Apprenticeship as part of their recruitment, training, and retention strategy.

    As a result of the initiative, the White House announced that 194 new Registered Apprenticeship programs have been approved or are in development. In addition, more than 7,000 apprentices, including 1,000 from the private sector, got a job.

    “Of these private sector apprentices, 42% were people of color and 32% female. Prior to this Sprint, 27% of all cybersecurity apprentices were people of color and 28% women, which reflects the impact of this sprint and the power of the public and private sector working together and partnering with community-based organizations to reach diverse populations,” the White House said.

    Reply
  36. Tomi Engdahl says:

    OpenSSF Adopts Microsoft-Built Supply Chain Security Framework
    https://www.securityweek.com/openssf-adopts-microsoft-built-supply-chain-security-framework

    The Open Source Security Foundation (OpenSSF) on Wednesday announced the adoption of Secure Supply Chain Consumption Framework (S2C2F), a Microsoft-built framework for consuming open source software.

    In use within Microsoft since 2019 and made public in August 2022, S2C2F defines real-world threats to open source software (OSS) and includes requirements to mitigate them. The consumption-focused framework takes a threat-based, risk-reduction approach to mitigating supply chain threats against the OSS.

    The framework includes eight different areas of practice, including ingestion, inventory, updates, enforcement, audit, scanning, rebuilding, and fixing (upstream).

    Each of these comprises requirements organized on four levels of maturity, namely basic governance practices (OSS inventory, vulnerability scanning, and dependencies updates), improving mean time to remediate (MTTR) vulnerabilities in OSS, proactive security analysis and controls, and mitigation against sophisticated attacks.

    “Using the S2C2F, teams and organizations can more efficiently prioritize their efforts in accordance with the maturity model. The ability to target a specific level of compliance within the framework means teams can make intentional and incremental progress toward reducing their supply chain risk,” Microsoft explains.

    The framework also includes guidance that helps organizations assess their maturity level, along with an implementation guide with recommendations on industry tools that can help organizations meet the framework’s requirements.

    By design, S2C2F should protect developers from accidentally using malicious and compromised packages, thus mitigating supply chain attacks. The OpenSSF S2C2F special interest group (SIG), led by a team from Microsoft, will update the S2C2F requirements to address emerging threats.

    https://github.com/ossf/s2c2f

    Microsoft contributes S2C2F to OpenSSF to improve supply chain security
    https://www.microsoft.com/en-us/security/blog/2022/11/16/microsoft-contributes-s2c2f-to-openssf-to-improve-supply-chain-security/

    On August 4, 2022, Microsoft publicly shared a framework that it has been using to secure its own development practices since 2019, the Secure Supply Chain Consumption Framework (S2C2F), previously the Open Source Software-Supply Chain Security (OSS-SSC) Framework. As a massive consumer of and contributor to open source, Microsoft understands the importance of a robust strategy around securing how developers consume and manage open source software (OSS) dependencies when building software. We are pleased to announce that the S2C2F has been adopted by the OpenSSF under the Supply Chain Integrity Working Group and formed into its own Special Initiative Group (SIG). Our peers at the OpenSSF and across the globe agree with Microsoft when it comes to how fundamental this work is to improving supply chain security for everyone.
    What is the S2C2F?

    We built the S2C2F as a consumption-focused framework that uses a threat-based, risk-reduction approach to mitigate real-world threats. One of its primary strengths is how well it pairs with any producer-focused framework, such as SLSA.1 The framework enumerates a list of real-world supply chain threats specific to OSS and explains how the framework’s requirements mitigate those threats.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*