Cyber trends for 2023

Nothing is more difficult than making predictions, especially in the fast-advancing cyber security field. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that many people and publications have predicted for 2023.

HTTPS: These days HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome also attempts to “upgrade” to the HTTPS version of a website if you accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking if you would like to continue. As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads over HTTP.

Malvertising: Cyber criminals will keep impersonating brands using search engine advertisement services to defraud users in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals purchase ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. However, anyone clicking on the link is instead taken to a lookalike page that may appear identical, but is in fact designed to phish for login credentials and financial details, or even trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.

Encrypted malware: The vast majority of malware arrives over encrypted connections, typically HTTPS web sessions. Most cyber-attacks over the past year have used TLS/SSL encryption to hide from security teams, traditional firewalls and many other security tools: over 85% of attacks hide in encrypted channels, and the WatchGuard Threat Lab report found the top threat arriving exclusively over encrypted connections. If you are not inspecting encrypted traffic when it enters your network, you will not be able to detect most malware at the network level. Hopefully you at least have endpoint protection in place, for a chance to catch it further down the cyber kill chain.

Software vulnerabilities: Weak encryption configurations and missing security headers will still be very common in 2023. In 2022 nearly every application had at least one vulnerability or misconfiguration affecting security, and a quarter of application tests found a high- or critical-severity vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications.

Old vulnerabilities: You will see attackers try to use old vulnerabilities again in 2023, because they work. Attackers take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in reviving known vulnerabilities before looking for novel ones. Many companies do not patch their systems in reasonable time, or at all, so they stay vulnerable. New variants of old vulnerabilities are also developed: approximately 50% of the 0-days observed in the first half of 2022 were variants of previously patched vulnerabilities.

Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments, and individuals alike. Lack of knowledge, neglected maintenance of employees’ skills and indifference are the strongest obstacles to improving many companies’ cyber security. While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far.

Cloud: At a hyperscale cloud provider there can be several thousand people, working around the globe, who could potentially access your data. Screening and access limiting alone still leave a significant risk of malicious or accidental access to data. Instead, you should expect your cloud provider to take a more layered approach.

MFA: MFA fatigue attacks are putting your organization at risk in 2023. Multi-factor auth fatigue is real. A common threat targeting businesses is the MFA fatigue attack, a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. The attempt can succeed especially when the target is distracted or overwhelmed by the notifications, or mistakes them for legitimate authentication requests. It’s a huge threat because it bypasses one of the most effective security measures.
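The defender's view of the pattern described above: a burst of unapproved push prompts followed by an approval. This is an added example, not code from the original post; the log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the page). Assumed format:
# <ISO timestamp> user=<id> event=mfa_push result=<approved|denied|timeout>
SAMPLE_LOG = """\
2023-01-10T08:00:02Z user=alice event=mfa_push result=approved
2023-01-10T22:14:01Z user=bob event=mfa_push result=denied
2023-01-10T22:14:09Z user=bob event=mfa_push result=denied
2023-01-10T22:14:20Z user=bob event=mfa_push result=timeout
2023-01-10T22:14:31Z user=bob event=mfa_push result=denied
2023-01-10T22:14:45Z user=bob event=mfa_push result=denied
2023-01-10T22:15:02Z user=bob event=mfa_push result=approved
2023-01-10T09:30:00Z user=carol event=mfa_push result=denied
2023-01-10T11:45:00Z user=carol event=mfa_push result=approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\w+)$"
)


def parse_events(text):
    """Yield (timestamp, user, result) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["result"]


def detect_mfa_fatigue(text, threshold=3, window=timedelta(minutes=5)):
    """
    Flag users who received at least `threshold` unapproved push prompts
    (denied or timed out) within `window`. If the burst ends with an approval,
    the user likely gave in: that is the signature of a successful attack and
    should trigger session revocation and a password reset, not just an alert.

    Returns {user: {"burst_size": n, "approved_after_burst": bool}}.
    """
    findings = {}
    recent = defaultdict(deque)  # user -> timestamps of recent unapproved prompts
    for ts, user, result in sorted(parse_events(text)):
        q = recent[user]
        if result == "approved":
            if len(q) >= threshold:
                findings[user] = {"burst_size": len(q), "approved_after_burst": True}
            q.clear()  # an approval ends the current burst either way
            continue
        q.append(ts)
        while q and ts - q[0] > window:  # drop prompts outside the window
            q.popleft()
        if len(q) >= threshold and user not in findings:
            findings[user] = {"burst_size": len(q), "approved_after_burst": False}
        elif user in findings and not findings[user]["approved_after_burst"]:
            findings[user]["burst_size"] = len(q)
    return findings


if __name__ == "__main__":
    for user, info in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(user, info)
```

Carol's two prompts hours apart are normal use and are not flagged; only the sustained burst counts.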

Passwords: Passwords will not go away completely, even though new solutions to replace them will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character in the password can make it harder for cyber criminals to use if it leaks out for some reason. The reason is that a comma in a password can break up tabular comma-separated values (CSV) files, which are a common way to collect and distribute stolen passwords.
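What the comma trick does and does not buy you, as an added example that is not part of the original post: a naive comma split mangles the row, while a dump written with proper CSV quoting survives intact. The credential rows are constructed for illustration.

```python
import csv
import io

# Constructed sample rows (not real credentials): (email, password)
ROWS = [
    ("alice@example.com", "correct-horse-battery"),
    ("bob@example.com", "winter,2023,ok"),  # password contains commas
]


def naive_dump(rows):
    """Join fields with commas and no quoting, as sloppy dump tooling often does."""
    return "\n".join(f"{email},{password}" for email, password in rows)


def naive_parse(text):
    """Split each line on commas and take the first two fields.

    Returns (email, password, field_count) so the damage is visible:
    a comma inside the password shifts the columns and truncates the value.
    """
    parsed = []
    for line in text.splitlines():
        fields = line.split(",")
        parsed.append((fields[0], fields[1], len(fields)))
    return parsed


def rfc4180_dump(rows):
    """Write the same rows with the csv module, which quotes fields that contain the delimiter."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def rfc4180_parse(text):
    """A quoting-aware reader recovers the comma-bearing password unchanged."""
    return [tuple(row) for row in csv.reader(io.StringIO(text))]


if __name__ == "__main__":
    print(naive_parse(naive_dump(ROWS)))          # bob's password truncated to "winter"
    print(rfc4180_parse(rfc4180_dump(ROWS)))      # both rows intact
```

The comma only defeats tooling that splits on commas blindly; it is no substitute for length and uniqueness, which is why the text above asks for both.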

EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity; its successor is Network and Information Security 2, also known as NIS2. Rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonise their sanctions were approved by MEPs in late 2022. They will start to affect security decisions in 2023. The new rules set tighter cybersecurity obligations for risk management, reporting and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in the selected sectors would fall under the legislation. The NIS Directive has impacted the cybersecurity budgets of operators over the past year, with deep-dives into the Energy and Health sectors; see Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been regarded by the cybersecurity community as “the floor” and “a baseline” for cybersecurity hygiene and practices. Many organizations overlook OT as part of their cybersecurity strategy, keeping their focus solely on IT systems. Especially in the critical infrastructure sectors, overlooking OT can pose serious risks to all operations. As a result, the released CPGs are explicitly scoped to include OT devices.

Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next Android 14 release. Google Play now lets children send purchase requests to guardians.

Losing trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products.

Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.

Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.

Governance: For boards and management, heightened pressure around climate action dovetails with the SEC’s proposed rules about cybersecurity oversight, which may soon become law. When they do, companies will need to prepare for more disclosures about their cybersecurity policies and procedures. With fresh scrutiny on directors’ cybersecurity expertise, or lack thereof, boards will need to take their cyber savviness to the next level as well.

Privacy and data protection: Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.

Auditing: Audit’s role in corporate governance and risk management has been evolving. Once strictly focused on finance and compliance, internal audit teams are now increasingly expected to help boards and executive management identify, prioritize, manage and mitigate interconnected risks across the organization.

Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also the challenge that executives take more cybersecurity risks than office workers: leaders engage in more dangerous behavior and are four times more likely to be victims of phishing compared to office workers.

Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary. Keep in mind that executives take more cybersecurity risks than office workers.

Zero trust: Many people think that Zero Trust is the optimal security practice in 2023. It is good for new systems that its model suits, but Zero Trust also has challenges. Incorporating zero trust into an existing network can be very expensive. The article Zero Trust Shouldn’t Be The New Normal says that the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource-pooled cloud federation, doesn’t coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk. That’s where identity-first networking comes in. For a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. It securely automates the exchange of a user identity between cloud applications, diverse networks, and service providers.

Poor software: There will be a lot of poor software in use in 2023 and it will cost lots of money. Poor software costs the US 2.4 trillion: cyberattacks due to existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.

Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting in early January 2023 to improve security. A future Microsoft Edge update will permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems in February. This means that “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”.

Google Workspace: Google Workspace gets client-side encryption in Gmail. The long-awaited client-side encryption for Gmail is available in beta. Google is letting businesses try out client-side encryption for Gmail, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many Workspace services.

Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use biometric verification to authenticate users and are meant to replace the use of passwords, which can be easily compromised. Passkeys are usable cross-platform with both applications and websites. Passkeys offer the same experience that password autofill does, but provide the advantage of passwordless authentication. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are only available for websites that provide support for them, via the WebAuthn API.

War risks: Watch for the war between Russia and Ukraine to continue in 2023, in both the real world and the cyber world. Cyber is as important as missile defences, says an ex-NATO general. The risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.

Cloud takeover: AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range
Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.

ICS: ICS and SCADA systems remain trending attack targets in 2023.

Code security: Microsoft-owned code hosting platform GitHub has just announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, secret scanning helped identify 1.7 million potential secrets exposed in public repositories. Now the feature is available for free for all public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts, you can track and act on leaked secrets directly within GitHub.
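A minimal version of the kind of check such a scanner runs, as an added example that is not GitHub's code: known key-shaped patterns plus a Shannon entropy filter on quoted values assigned to secret-looking names. The source lines are constructed, and "AKIAIOSFODNN7EXAMPLE" is AWS's documented example key ID, not a live credential; GitHub's own partner patterns are not reproduced here.

```python
import math
import re

# Constructed sample source text (not real credentials, not from the page).
SAMPLE_SOURCE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = os.environ["DB_PASSWORD"]
api_token = "f3a9c1e7b2d4486f9a0e5c7d1b3f2a6e"
password = "passwordpasswordpassword"
"""

# Illustrative provider-specific patterns (shape of AWS access key IDs and
# GitHub personal access tokens); a real scanner carries many more.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic fallback: a quoted literal of 16+ chars assigned to a secret-like name.
ASSIGNMENT_RE = re.compile(
    r"""(?i)(secret|token|password|api_?key)\w*\s*[:=]\s*["']([^"']{16,})["']"""
)


def shannon_entropy(s):
    """Bits of entropy per character; random hex is about 4, prose about 2-3."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan(text, entropy_threshold=3.5):
    """Return [(line_number, finding_type, matched_value), ...].

    Values caught by a named pattern are not reported a second time by the
    entropy heuristic, and low-entropy placeholders (e.g. repeated words)
    are suppressed to keep the alert list actionable.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((lineno, name, m.group(0)))
                seen.add(m.group(0))
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group(2)
            if value in seen:
                continue
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high_entropy_assignment", value))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {value}")
```

Line 2 reads the secret from the environment and line 4 is a low-entropy placeholder, so neither is reported; the value of a scanner like this is measured in the false positives it avoids as much as the leaks it catches.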

Data destruction: We must develop a cloud-compatible way of doing destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided.

PCI DSS: PCI DSS 4.0 should be on your radar in 2023 if you work in a field that must comply with it. The latest version of the standard brings a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. That changes with the release of PCI DSS 4.0: many new requirements focus on client-side security.

SHA-1: NIST retires the SHA-1 cryptographic algorithm; not fully in 2023, but preparations for the phase-out start. The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm using a technique referred to as a ‘collision’ attack. SHA-1, whose initials stand for Secure Hash Algorithm, has been in use since 1995 as part of the Federal Information Processing Standard, and NIST has announced that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms. The US National Institute of Standards and Technology (NIST) recommended that IT professionals start replacing the 27-year-old SHA-1 algorithm with newer, more secure ones. Because SHA-1 is used as the foundation of numerous security applications, the phase-out period will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already taken steps to move away from SHA-1. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.

Cloud: Is Cloud Native Security Good Enough? Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers (Amazon Web Services (AWS), Microsoft Azure and Google Cloud) of course offer security features and services designed to address significant threats to cloud-based data. In spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.

Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.

Ethical hacking: Ethical hacking has become a highly sought-after career route for emerging tech aspirants. The work of ethical hackers enables countless businesses and individuals to improve their security posture and minimize the potential attack risk for organizations. But several analysts believe that becoming a self-taught ethical hacker in 2023 might not be worth it, because self-taught hackers are at constant risk of failing to perform properly and many companies might not want to hire them.

MFA: Two factor authentication might not be enough in 2023 for applications that need good security. In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. So for some demanding users 2FA is over. Long live 3FA!

Cloud APIs: With cloud comes APIs and security headaches, also in 2023. Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots. About 40% of companies have suffered an incident due to misconfiguration and a third are coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but more than three-quarters (77%) are confident that they will catch issues, saying they have the required API tools and solutions.

Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As Threat Levels remain high, companies and organizations remain on alert – but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.

VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.

AI: Corporations have discovered the power of artificial intelligence (A.I.) to transform what’s possible in their operations. But with great promise comes great responsibility—and a growing imperative for monitoring and governance. “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.”

AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever, and the consequences will be serious. A Wired magazine article expects that in 2023 we may well see our first death by chatbot. Causality will be hard to prove: was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly they felt compelled to take their own life?

Metaverse: Police Must Prepare For New Crimes In The Metaverse, Says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. Read the Policing in the metaverse: what law enforcement needs to know report for more information.

Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. The year 2022 already showed how many cryptocurrency-related risks materialized. More “crypto travel rules” are being enacted to combat money laundering and terrorism financing.

Insurance: Getting cyber insurance can become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks, and now increasingly name cyber as the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. There is growing concern among industry executives about large-scale strikes. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. Some insurance policies already written in the market have an exemption for state-backed attacks, but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Recent attacks have disrupted hospitals, shut down pipelines and targeted government departments. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.

Sources:

Expert advises using a comma in your password – there is a clever logic behind it

Overseeing artificial intelligence: Moving your board from reticence to confidence

Android is adding support for updatable root certificates amidst TrustCor scare

Google Play now lets children send purchase requests to guardians

Diligent’s outlook for 2023: Risk is the trend to watch

Microsoft will turn off Exchange Online basic auth in January

Google is letting businesses try out client-side encryption for Gmail

Google Workspace Gets Client-Side Encryption in Gmail

The risk of escalation from cyberattacks has never been greater

Client-side encryption for Gmail available in beta

AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

Microsoft: Edge update will disable Internet Explorer in February

Is Cloud Native Security Good Enough?

The Privacy War Is Coming

Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023

Google Chrome preparing an option to block insecure HTTP downloads

Cyber attacks set to become ‘uninsurable’, says Zurich chief

The Dark Risk of Large Language Models

Police Must Prepare For New Crimes In The Metaverse, Says Europol

Policing in the metaverse: what law enforcement needs to know

Cyber as important as missile defences – an ex-NATO general

Misconfigurations, Vulnerabilities Found in 95% of Applications

Mind the Gap

Big gaps remain in companies’ cyber security – expert: it is even a question of national security

Personnel security in the cloud

Multi-factor auth fatigue is real – and it’s why you may be in the headlines next

MFA Fatigue attacks are putting your organization at risk

Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience | News | European Parliament

NIS2 approved – stricter cyber security requirements for EU countries

Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

Poor software costs the US 2.4 trillion

Passkeys Now Fully Supported in Google Chrome

Google Takes Gmail Security to the Next Level with Client-Side Encryption

Executives take more cybersecurity risks than office workers

NIST Retires SHA-1 Cryptographic Algorithm

NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Over 85% of Attacks Hide in Encrypted Channels

GitHub Announces Free Secret Scanning, Mandatory 2FA

Leaked a secret? Check your GitHub alerts…for free

Data Destruction Policies in the Age of Cloud Computing

Why PCI DSS 4.0 Should Be on Your Radar in 2023

2FA is over. Long live 3FA!

Google: With Cloud Comes APIs & Security Headaches

Digesting CISA’s Cross-Sector Cybersecurity Performance Goals

Zero Trust Shouldn’t Be The New Normal

Don’t click too quick! FBI warns of malicious search engine ads

FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads

Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users

There is an acute shortage of cyber security professionals

Is Enterprise VPN on Life Support or Ripe for Reinvention?

1,768 Comments

  1. Tomi Engdahl says:

    First in space: SpaceX and NASA launch satellite that hackers will attempt to infiltrate during DEF CON
    For the first time ever, researchers will be able to test the security of a satellite on-orbit at this year’s Hack-A-Sat contest at DEF CON.
    https://cyberscoop.com/moonlighter-hack-a-sat-defcon/

  2. Tomi Engdahl says:

    A PoC feature for NanoDump (https://github.com/helpsystems/nanodump) to exfiltrate the dump bytes over named pipes

  3. Tomi Engdahl says:

    Rusty Bootkit – #Windows UEFI Bootkit in Rust https://github.com/memN0ps/bootkit-rs

  4. Tomi Engdahl says:

    AI and Cybersecurity: How Mandiant Consultants and Analysts are Leveraging AI Today https://www.mandiant.com/resources/blog/mandiant-leveraging-ai

    With the increasing focus on the potential for generative AI, there are many use cases envisioned in how this technology will impact enterprises. The impact to cybersecurity—to the benefit of both defenders and adversaries—will likely reshape the landscape for organizations.
    This blog post highlights just a few of the recent examples across Mandiant’s consulting and analysis teams that have used Bard within their workflow.

  5. Tomi Engdahl says:

    A new kind of scam is coming – a warning from the USA: “We need to stay alert”
    https://www.is.fi/digitoday/art-2000009633713.html

    The chair of the US Federal Trade Commission is worried about crimes committed with the help of AI.

  6. Tomi Engdahl says:

    DOS Attacks Dominate, but System Intrusions Cause Most Pain https://www.darkreading.com/attacks-breaches/dos-attacks-dominate-but-system-intrusions-cause-most-pain

    In the latest Verizon “Data Breach Investigations Report,” denial-of-service attacks are the most common type of security incident, but when it comes to breaches, nearly four-in-ten attackers compromise systems.

  7. Tomi Engdahl says:

    Hackers are hitting healthcare more often than before – Some devices are so outdated in their security that updating them is not possible [FOR SUBSCRIBERS]
    https://www.tivi.fi/uutiset/tv/23d3d577-9dbc-418b-ab6e-094554a104a7

    The ongoing transition to the wellbeing services counties is an information security risk.
    “Times of change are a great moment for phishing,” says security expert Jarno Ahlström from Check Point.

  8. Tomi Engdahl says:

    “I regret nothing” – Whistleblower Edward Snowden has been in exile for 10 years already
    https://www.talouselama.fi/uutiset/en-kadu-mitaan-tietovuotaja-edward-snowden-on-ollut-maanpaossa-jo-10-vuotta/1d7e6047-95a4-461d-9dde-dbb9b7dda145

    Ten years ago Edward Snowden revealed to journalists how the US and UK intelligence services surveil citizens on a broad scale. Compared to the current situation, however, the spying of 2013 was child’s play.
    “Technology has become enormously influential. If you think about what was seen in 2013 and the capabilities of today’s governments, 2013 looks like child’s play,” Snowden says in a fresh interview with The Guardian.

  9. Tomi Engdahl says:

    Consolidate Vendors and Products for Better Security
    https://www.securityweek.com/consolidate-vendors-and-products-for-better-security/

    Instead of deploying new point products, CISOs should consider sourcing technologies from vendors that develop products designed to work together as part of a platform.

    Organizations everywhere are evolving in new ways, whether it’s embracing remote work or developing new digital business initiatives. Although these changes can be crucial to business growth and employee retention, they often expand the attack surface, which leads to greater day-to-day operational complexity for Security Operations Center (SOC) teams.

    At the same time the attack surface is increasing, threats are also on the upswing. Cyberattacks are becoming more sophisticated and organizations of all sizes across all industries are a target. The growth of Crime-as-a-Service (CaaS), which has made it possible for non-technical criminals to purchase cyber tools and service has contributed to the increased volume of attacks. Now even the most skilled, well-staffed security teams are feeling the strain as they work to protect organizations against a wide variety of threats.

  10. Tomi Engdahl says:

    Google Introduces SAIF, a Framework for Secure AI Development and Use
    https://www.securityweek.com/google-introduces-saif-a-framework-for-secure-ai-development-and-use/

    The Google SAIF (Secure AI Framework) is designed to provide a security framework or ecosystem for the development, use and protection of AI systems.

    All new technologies bring new opportunities, threats, and risks. As business concentrates on harnessing opportunities, threats and risks can be overlooked. With AI, this could be disastrous for business, business customers, and people in general. SAIF offers six core elements to ensure maximum security in AI.

    Expand strong security foundations to the AI ecosystem
    Many existing security controls can be expanded and/or focused on AI risks. A simple example is protection against injection techniques, such as SQL injection. “Organizations can adapt mitigations, such as input sanitization and limiting, to help better defend against prompt injection style attacks,” suggests SAIF.

    Traditional security controls will often be relevant to AI defense but may need to be strengthened or expanded. Data governance and protection becomes critical to protect the integrity of the learning data used by AI systems. The old concept of ‘rubbish in, rubbish out’ is magnified manyfold by AI, but made critical where business and people decisions are based on that rubbish. If a data pool is poisoned without knowledge of that poisoning, AI outputs will be adversely and possibly invisibly affected.

    It will be necessary to monitor AI output to detect algorithmic errors and adversarial input. “Organizations that use AI systems must have a plan for detecting and responding to security incidents and mitigate the risks of AI systems making harmful or biased decisions,” says Google.

    Automate defenses to keep pace with existing and new threats
    This is the most common advice used in the face of AI-based attacks – automate defenses with AI to counter the increasing speed and magnitude of adversarial AI-based attacks. But Google warns that humans must be kept in the loop for important decisions, such as determining what constitutes a threat and how to respond to it.

    AI-based automation goes beyond the automated detection of threats and can also be used to decrease the workload and increase the efficiency of the security team.

    Reduce overlapping frameworks for security and compliance controls to help reduce fragmentation. Fragmentation increases complexity, costs, and inefficiencies. Reducing fragmentation will, suggests Google, “provide a ‘right fit’ approach to controls to mitigate risk.”

    Adapt controls to adjust mitigations and create faster feedback loops for AI deployment

    Contextualize AI system risks in surrounding business processes
    This involves a thorough understanding of how AI will be used within business processes, and requires a complete inventory of AI models in use. Assess their risk profile based on the specific use cases, data sensitivity, and shared responsibility when leveraging third-party solutions and services.

    Google has based its SAIF framework on 10 years of experience in the development and use of AI in its own products. The company hopes that making public its own experience in AI will lay the groundwork for secure AI – just as its BeyondCorp access model led to the zero trust principles which are industry standard today.

    Introducing Google’s Secure AI Framework
    https://blog.google/technology/safety-security/introducing-googles-secure-ai-framework/

    Reply
  11. Tomi Engdahl says:

    CSC’s recommendations on securing US critical infrastructure

    In a new report, the Cyberspace Solarium Commission (CSC) deems the system currently used to designate critical sectors as inadequate. CSC evaluates the state of the public-private sector relationship, underlines flaws in policy implementation, and provides recommendations on how to change it to improve national security.

    CSC 2.0 Reports
    Revising Public-Private Collaboration to Protect U.S. Critical Infrastructure
    https://cybersolarium.org/csc-2-0-reports/revising-public-private-collaboration-to-protect-u-s-critical-infrastructure/

    The current systems for designating sectors as critical and for mitigating cross-sector risks are inadequate.

    Few things more directly impact Americans’ security and well-being than the reliability, availability, and safety of critical infrastructure. The security of this critical infrastructure relies, in turn, on the strength of the relationship between the government and the private sector, which owns and operates the majority of the infrastructure. Thus, the federal government has endeavored for decades to build a strong relationship with the private sector.

    Nevertheless, the policy underpinning this public-private sector relationship has become outdated and incapable of meeting today’s demands. Similarly, the implementation of this policy — and the organization, funding, and focus of the federal agencies that execute it — is inadequate. This report will evaluate the state of the public-private sector relationship and offer recommendations to reshape it to improve national security going forward.

    Reply
  12. Tomi Engdahl says:

    OWASP Top 10 for Large Language Model applications

    OWASP has published a Top 10 list of security risks associated with large language model (LLM) applications. Vulnerabilities include prompt injections, data leakage, inadequate sandboxing, and unauthorized code execution.

    https://owasp.org/www-project-top-10-for-large-language-model-applications/

    Reply
  13. Tomi Engdahl says:

    Microsoft guide for finding vulnerabilities with Yara

    Microsoft has published a guide on how Yara can be used to create rules for finding different types of software vulnerabilities. Examples include deserialization vulnerabilities that can lead to arbitrary code execution, command injection vulnerabilities, and loose regular expressions that can be bypassed and could lead to SSRF.

    https://msrc.microsoft.com/blog/2023/06/hey-yara-find-some-vulnerabilities/

    Reply
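To illustrate the kind of source-scanning rules the Microsoft guide describes, here is an added example (not code from the MSRC post) of three YARA rules that flag Python code for reviewer triage: code-executing deserializers in a file that also reads external input, shell commands assembled from strings, and URL allow-list regexes checked with `search()`/`match()` rather than `fullmatch()`. The pattern choices, severity labels and the list of input sources are this example's own assumptions.

```yara
// Added example, not from Microsoft's guide. Run over a source tree with:
//   yara -r vuln_patterns.yar src/
// Matches are candidates for manual review, not confirmed vulnerabilities.

rule py_untrusted_deserialization
{
    meta:
        description = "Code-executing deserializer in a file that also reads external input"
        severity    = "high"
    strings:
        // pickle and marshal execute arbitrary code when given crafted input
        $pickle      = /\bpickle\.loads?\s*\(/
        $marshal     = /\bmarshal\.loads?\s*\(/
        // yaml.load / load_all / unsafe_load can instantiate arbitrary objects
        // unless SafeLoader is supplied; yaml.safe_load does not match this regex
        $yaml_load   = /\byaml\.(load|load_all|unsafe_load)\s*\(/
        $safe_loader = "SafeLoader"
        // assumed entry points for attacker-controlled bytes; extend per codebase
        $input       = /(request\.(data|body|args|form|files|get_json)|\.recv\(|urlopen\(|sys\.stdin)/
    condition:
        ($pickle or $marshal or ($yaml_load and not $safe_loader)) and $input
}

rule py_shell_command_from_string
{
    meta:
        description = "shell=True or os.system with a command built from variables"
        severity    = "high"
    strings:
        // [^)]* also spans newlines, so a multi-line call still matches
        $shell_true = /subprocess\.(run|call|check_call|check_output|Popen)\s*\([^)]*shell\s*=\s*True/
        $os_system  = /\bos\.(system|popen)\s*\(/
        // string building right at the call site: f-string, concatenation or .format()
        $built      = /(system|popen|run|call|check_call|check_output|Popen)\s*\(\s*(f["']|["'][^"']*["']\s*(\+|\.format\())/
    condition:
        ($shell_true or $os_system) and $built
}

rule py_loose_url_regex
{
    meta:
        description = "URL allow-list regex checked without fullmatch(); review for bypass"
        severity    = "medium"
    strings:
        // re.match anchors only at the start and re.search not at all, so text
        // after the allowed prefix still passes; a regex literal starting with
        // http(s):// passed to either call is worth a second look
        $partial  = /re\.(search|match)\s*\(\s*r?["']\^?https?:\/\/[^"']+["']/
        $anchored = /re\.fullmatch\s*\(/
    condition:
        $partial and not $anchored
}
```

These rules are deliberately broad: the cost of a false positive is a short code review, while a missed pattern is not caught at all.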
  14. Tomi Engdahl says:

    These cyber threats face Finland: “Social hacking hits Finns in the wallet”
    https://www.iltalehti.fi/tietoturva/a/9b1e6062-f937-4a0e-8558-06eb16d536c8

    Artificial intelligence will make scams even more believable. Security trainer Sami Laiho described the cyber threats facing Finns and how to protect against them.

    Romance and financial scams cause the biggest blows to Finns’ finances.
    There are two kinds of extortion scams: either the computer is locked, or the victim’s reputation is threatened in exchange for a ransom.
    Two-factor authentication and keeping systems updated are the best ways to protect yourself.
    Artificial intelligence will make scams more believable.
    Online crime is highly organized.

    Finns lose the most money to online romance and financial scams. Finns are also plagued by phishing attempts. Unpatched systems also pose a risk of data breaches.

    Long-time cybersecurity trainer Sami Laiho says that the amount of money Finns lose to romance scams alone approaches 10 million euros.

    – Social hacking that works on traditional soft values hits people’s wallets the hardest, Laiho says.

    In addition to romance scams, various financial scams also milk money from people. In financial scams, people are urged to invest in certain specific stocks on the promise of big profits. The person giving the tips tries to appear convincing so that the scam succeeds.

    – It is a bit of a different world, and financial scams come second on the list. These appeal to people’s longing for success.

    Two-factor authentication protects

    Data breaches have been attempted by means of phishing, but with two-factor authentication criminals have had to look for other means. According to Laiho, data breaches are nowadays attempted through a hole in the system.

    – The hole in the system is caused by a forgotten security software update, an outdated router, security cameras and generally anything that is connected to the internet.

    Two kinds of extortion message scams

    There are two kinds of extortion message scams. In these, the criminal tries either to lock the contents of the computer or threatens to spread sensitive information about the target. From these, criminals seek either many small sums or one big pot.

    Organized activity

    The activity of online criminals and scammers is usually highly organized. Laiho says that scams are usually orchestrated from call centers, where a large number of people may work.

    – When AI enters the scams, it could replace human labor and give the scams much greater volume, Laiho speculates.

    Laiho says that, for example, in the case of the Lockbit ransomware that once attacked Finland’s government as well, the attacker was found to be using an old version of it. From the code it used, it was noticed that the malware does not activate if the user has a Russian-language keyboard.

    – This would not have come to light if the attacker had paid the update fee.

    Screen Swap Experiment
    https://www.youtube.com/watch?v=_jtfazvwysM

    This video displays the technology used to effortlessly blend a target body into a deepfake without swapping heads or faces.

    Reply
  15. Tomi Engdahl says:

    Linux is being attacked more and more
    https://etn.fi/index.php/13-news/15081-linuxiin-hyoekaetaeaen-yhae-enemmaen

    It used to be held as a truth that there is no malware for Linux. This is of course not the case. Although the number of Linux malware is still small compared to other platforms, it is growing. This is shown by the latest threat report from Palo Alto Networks’ security unit Unit 42.

    The report notes that cybercriminals are looking for new opportunities in cloud workloads and IoT devices running Unix-like operating systems. This explains why some attackers are turning their gaze toward Linux systems.

    Linux systems are most commonly attacked with botnets, which account for over 47 percent of Linux malware. The most common such malware are Mirai (14.3% of Linux malware) and Gafgyt (4.7%).

    Reply
  16. Tomi Engdahl says:

    Dell Cameron / Wired:
    A declassified ODNI report from 2022: the US has amassed troves of “sensitive and intimate information” about Americans purchased from commercial data brokers — A newly declassified report from the Office of the Director of National Intelligence reveals the federal government is buying troves of data about Americans.

    The US Is Openly Stockpiling Dirt on All Its Citizens
    https://www.wired.com/story/odni-commercially-available-information-report/

    A newly declassified report from the Office of the Director of National Intelligence reveals that the federal government is buying troves of data about Americans.

    Reply
  17. Tomi Engdahl says:

    US Government Provides Guidance on Software Security Guarantee Requirements
    https://www.securityweek.com/us-government-provides-guidance-on-software-security-guarantee-requirements/

    OMB has published new guidance on federal agencies obtaining security guarantees from software vendors.

    The US Office of Management and Budget (OMB) has issued new guidance on when and how federal agencies should collect security guarantees from software vendors.

    Building on the cybersecurity executive order that President Joe Biden signed in May 2021, the OMB last year published a memorandum (M-22-18) requiring federal agencies to obtain from software vendors guarantees that the software they provide is secure.

    Per M-22-18, federal agencies are required to obtain attestation for all software developed after September 14, 2022, but also for software released prior to that date, if it receives a major update or if it is used as a service and receives constant updates.

    At a minimum level, such guarantees should be provided as a self-attestation form, but agencies may also require a software bill of materials (SBOM) and other artifacts, or may require the vendor to run a vulnerability disclosure program.

    Reply
  18. Tomi Engdahl says:

    Software Supply Chain: The Golden Container Ship
    https://www.securityweek.com/software-supply-chain-the-golden-container-ship/

    By having a golden image you will put a process in place that allows you to quickly take action when a vulnerability is found within your organization.

    Today we find ourselves using cloud native technologies to increase flexibility, scaling and cost savings in many respects. The modern cloud stack using IaaS, abstracts the hardware maintenance component away and you are left with everything above such as the operating system and software.

    Golden images have been a simple concept used in practice for a long time. It reminds me a bit of the AOL marketing campaign that everyone saw and knew. The concept was that each year a new CD appeared in the mail with a version number, and people installed the software from the CD onto their PC. (Amazing to imagine how far we have come) The idea was that we know there is a known good version that has been approved and tested, pre-bundled, so no downloads were needed from external sources, especially over slow dial-up internet connections.

    There is a lot of debate around the best way to create golden images and how to maintain them, as well as the software involved such as AWS image builder, Terraform or Packer. One idea is to keep them as simple as possible such that they have broad compatibility and can be configured by downstream systems.

    Reply
  19. Tomi Engdahl says:

    US Government Provides Guidance on Software Security Guarantee Requirements
    https://www.securityweek.com/us-government-provides-guidance-on-software-security-guarantee-requirements/

    OMB has published new guidance on federal agencies obtaining security guarantees from software vendors.

    The US Office of Management and Budget (OMB) has issued new guidance on when and how federal agencies should collect security guarantees from software vendors.

    Building on the cybersecurity executive order that President Joe Biden signed in May 2021, the OMB last year published a memorandum (M-22-18) requiring federal agencies to obtain from software vendors guarantees that the software they provide is secure.

    Reply
  20. Tomi Engdahl says:

    https://www.securityweek.com/in-other-news-ai-regulation-layoffs-us-aerospace-attacks-post-quantum-encryption/

    Dragos and SentinelOne announce layoffs

    Industrial cybersecurity firm Dragos is laying off 50 employees, or roughly 9% of its workforce, after missing its Q1 targets. Impacted individuals have been offered severance packages and other benefits.

    SentinelOne shares took a nosedive recently after the company announced poor financial results and layoffs that impacted 100 employees, representing 5% of its workforce.

    OWASP Top 10 for Large Language Model applications

    OWASP has published a Top 10 list of security risks associated with large language model (LLM) applications. Vulnerabilities include prompt injections, data leakage, inadequate sandboxing, and unauthorized code execution.

    https://owasp.org/www-project-top-10-for-large-language-model-applications/

    Reply
  21. Tomi Engdahl says:

    China’s cyber now aimed at infrastructure, warns CISA boss
    https://www.theregister.com/2023/06/13/china_cyber_threat_infrastructure/

    China’s cyber-ops against the US have shifted from espionage activities to targeting infrastructure and societal disruption, the director of the Cybersecurity and Infrastructure Security Agency (CISA) Jen Easterly told an Aspen Institute event on Monday.
    “PRC actors have been in the spotlight for years and years, the key difference here was for PRC actors the focus has been espionage,” said Easterly.
    Easterly’s definition of espionage includes intellectual property theft and “the greatest transfer of intellectual wealth in history.”
    “But what we are starting to see – and this was captured in the IC’s annual threat assessment – was targeting that was less about espionage and more about disruption and destruction,” she added.

    Reply
  22. Tomi Engdahl says:

    The municipality of Säkylä, hit by a cyberattack, demands damages – IT partner’s blunder enabled the attack [SUBSCRIBERS ONLY]
    https://www.tivi.fi/uutiset/tv/bfa689a7-86c0-4d9c-b7de-47e2691e7102

    The municipality of Säkylä, which was the target of a cyberattack in December, is investigating its IT partner’s liability for compensation in the case. Municipal board documents show that municipal manager Teijo Mäenpää has held negotiations with the company providing the IT services, and the talks are described as having gone favorably.
    The intrusion into the municipality’s systems was caused by a serious error by the external service provider, the details of which have not been made public. The municipality of Säkylä has also remained silent about the name of the company providing the services.

    Reply
  23. Tomi Engdahl says:

    Inside Win32k Exploitation: Background on Implementations of Win32k and Exploitation Methodologies
    https://unit42.paloaltonetworks.com/win32k-analysis-part-1/

    This is part one of a series that will cover Win32k internals and exploitation in general using these two vulnerabilities and their related proof-of-concept (PoC) exploits as examples.

    Reply
  24. Tomi Engdahl says:

    Q&A: Healthcare, the social and health care reform and information security – Cybersecurity is patient safety
    https://www.epressi.com/tiedotteet/tietotekniikka/qampa-terveydenhuolto-sote-uudistus-ja-tietoturva-kyberturvallisuus-on-potilasturvallisuutta.html

    In April, healthcare was the second most popular target of hackers in the Nordic countries and globally. With Finland’s reform of social and health care and rescue services, the wellbeing services counties are now combining several different information systems. Check Point Software Technologies’ chief information security officer Deryck Mitchelson explains what this, among other things, means for cybersecurity.

    Reply
  25. Tomi Engdahl says:

    Analysis: The EU is trying to reproduce the Brussels effect with its AI regulation, but the rest of the world will not necessarily follow this time
    https://yle.fi/a/74-20036826

    The European Union’s goal is to create global standards by regulating its own internal market. That is what happened with the data protection regulation, but with AI the situation is different, writes Yle technology journalist Teemu Hallamaa.

    Reply
  26. Tomi Engdahl says:

    How Cyprus became the EU launchpad of Israel’s spyware companies
    https://www.euractiv.com/section/cybersecurity/news/how-cyprus-became-the-eu-launchpad-of-israels-spyware-companies/

    Cyprus has become the privileged entry point for Israeli cybersecurity companies, including those operating in the shady world of surveillance software.

    Reply
  27. Tomi Engdahl says:

    To Fight Cyber Extortion and Ransomware, Shift Left
    https://www.trendmicro.com/en_us/research/23/f/fight-cyber-extortion.html

    How can organizations defend themselves more effectively against ransomware and other forms of cyber extortion? By “shifting left” and adopting proactive cybersecurity strategies to detect attacks sooner, mitigating breaches before they cause harm.

    Reply
  28. Tomi Engdahl says:

    CISA Order Highlights Persistent Risk at Network Edge
    https://krebsonsecurity.com/2023/06/cisa-order-highlights-persistent-risk-at-network-edge/

    The U.S. government agency in charge of improving the nation’s cybersecurity posture is ordering all federal civilian agencies to take new measures to restrict access to Internet-exposed networking equipment. The directive comes amid a surge in attacks targeting previously unknown vulnerabilities in widely used security and networking appliances.

    Reply
  29. Tomi Engdahl says:

    How a Shady Chinese Firm’s Encryption Chips Got Inside the US Navy, NATO, and NASA
    https://www.wired.com/story/hualan-encryption-chips-entity-list-china/

    The US government warns encryption chipmaker Hualan has suspicious ties to China’s military. Yet US agencies still use one of its subsidiary’s chips, raising fears of a backdoor.

    Reply
  30. Tomi Engdahl says:

    Darth Vidar: The Aesir Strike Back
    https://www.team-cymru.com/post/darth-vidar-the-aesir-strike-back

    At the beginning of this year, we released a detailed publication on Vidar infrastructure, encompassing both the primary administrative aspects, and the underlying backend.

    Over the past four months, several changes have occurred within this infrastructure configuration. Therefore, the intention of this blog post is to provide a comprehensive update on how Vidar is administered / operated today.

    Reply
  31. Tomi Engdahl says:

    Cryptocurrency Mining Pools and Money Laundering: Two Real World Examples
    https://blog.chainalysis.com/reports/cryptocurrency-mining-pools-money-laundering/

    Cryptocurrency mining is a crucial part of our industry, but it also holds special appeal to bad actors, as it provides a means to acquire money with a totally clean on-chain original source.

    Below, we’ll look at examples of ransomware actors and crypto scammers who appear to be using mining pools for money laundering, and estimate this activity at scale.

    Reply
  32. Tomi Engdahl says:

    Understanding Malware-as-a-Service
    https://securelist.com/malware-as-a-service-market/109980/

    Money is the root of all evil, including cybercrime. Thus, it was inevitable that malware creators would one day begin not only to distribute malicious programs themselves, but also to sell them to less technically proficient attackers, thereby lowering the threshold for entering the cybercriminal community. The Malware-as-a-Service (MaaS) business model emerged as a result of this, allowing malware developers to share the spoils of affiliate attacks and lowering the bar even further. We have analyzed how MaaS is organized, which malware is most often distributed through this model, and how the MaaS market depends on external events.

    Reply
  33. Tomi Engdahl says:

    Authority worried about “really nasty” AI scams – they get going fast
    https://yle.fi/a/74-20036445

    One in five Finns has been the target of fraud or another crime on the internet. However, nearly half of them have not reported the crime to the police.

    According to the Digital and Population Data Services Agency’s recent Digiturvabarometri survey, within the past year nearly 80 percent of Finns have received a scam or phishing message by email and over 60 percent by text message.

    About a third of the survey respondents said they had received scam or phishing messages in instant messaging apps such as WhatsApp.
    In addition, one in ten respondents had lost money because of extortion or a scam.

    Reply
  34. Tomi Engdahl says:

    Kyberturvallisuuskeskus (the Finnish National Cyber Security Centre) becomes a CNA that assigns CVE identifiers
    https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/kyberturvallisuuskeskus-cve-tunnisteita-jakavaksi-cna-toimijaksi

    Kyberturvallisuuskeskus has been approved as a CNA (CVE Numbering Authority) that assigns CVE (Common Vulnerabilities and Exposures) identifiers for vulnerabilities.

    Reply
  35. Tomi Engdahl says:

    Threat Report
    2023 Human Factor
    https://www.proofpoint.com/uk/resources/threat-reports/human-factor?utm_medium=email01&utm_campaign=2023-thf&utm_source=marketo&mkt_tok=MzA5LVJIVi02MTkAAAGMXSiXF22hDSTPPpyBrlD5ylLvjze5Jx-MSf_5TatYPrlh2e2psaYeLdpxv3eEHtCqgZ3moT06TAkq93ObOBCBkl1xBKdh_6xq5h3iMbAo81evFQ8pDQ

    Analyzing the cyber attack chain

    Cyber attackers target people. They exploit people. Ultimately, they are people. That’s why people—not technology—are the most critical variable in today’s cyber threats. This year, the 2023 Human Factor report takes an even closer look at new developments in the threat landscape, focusing on the combination of technology and psychology that makes the modern cyber attack chain so dangerous. Here are just a few highlights from this year’s report:

    Emotet came back in a big way, topping the attack campaign charts again with more than 25 million messages
    Novel distribution pushed SocGholish into the top-five malware by message volume
    At peak, MFA-bypass accounted for more than a million messages per month
    Telephone-oriented attack delivery (TOAD) messages peaked at more than 13 million per month
    Conversational attacks via mobile devices grew twelvefold
    Office macro use collapsed after Microsoft rolled out controls to block them
    94% of cloud tenants are targeted every month

    Reply
  36. Tomi Engdahl says:

    CISA, NSA Share Guidance on Hardening Baseboard Management Controllers
    https://www.securityweek.com/cisa-nsa-share-guidance-on-hardening-baseboard-management-controllers/

    CISA and the NSA have published new guidance to help organizations harden baseboard management controllers (BMCs).

    The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have published new guidance to help organizations harden baseboard management controllers (BMCs).

    Typically part of a motherboard, a BMC is a specialized service processor used for monitoring the physical state of a system, server, or other device, collecting information such as temperature, voltage, humidity, and fan speeds.

    Operating separately from the operating system and the system’s firmware (such as BIOS and UEFI), a BMC enables remote management and control, even on systems that are shut down (as long as the system is connected to a power outlet).

    The BMC firmware, CISA and the NSA point out in the new guidance (PDF), is highly privileged, having access to all resources of the system it resides on. Using BMC management solutions allows organizations to manage multiple systems without physical access.

    Harden Baseboard Management Controllers
    https://media.defense.gov/2023/Jun/14/2003241405/-1/-1/0/CSI_HARDEN_BMCS.PDF

    Reply
  37. Tomi Engdahl says:

    CISA Instructs Federal Agencies to Secure Internet-Exposed Devices
    https://www.securityweek.com/cisa-instructs-federal-agencies-to-secure-internet-exposed-devices/

    CISA’s Binding Operational Directive 23-02 requires federal agencies to secure the network management interfaces of certain classes of devices.

    The US Cybersecurity and Infrastructure Security Agency (CISA) is requiring federal agencies to secure the network management interfaces of certain classes of devices.

    CISA’s ‘Binding Operational Directive 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces’ provides federal agencies with guidelines on securing device interfaces that are accessible remotely, and which are often targeted by threat actors.

    “A Binding Operational Directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems,” CISA notes.

    Binding Operational Directive 23-02 Implementation Guidance
    https://www.securityweek.com/cisa-instructs-federal-agencies-to-secure-internet-exposed-devices/

    Reply
  38. Tomi Engdahl says:

    Software Supply Chain: The Golden Container Ship
    https://www.securityweek.com/software-supply-chain-the-golden-container-ship/

    By having a golden image you will put a process in place that allows you to quickly take action when a vulnerability is found within your organization.

    Today we find ourselves using cloud native technologies to increase flexibility, scaling and cost savings in many respects. The modern cloud stack using IaaS, abstracts the hardware maintenance component away and you are left with everything above such as the operating system and software.

    Golden images have been a simple concept used in practice for a long time. It reminds me a bit of the AOL marketing campaign that everyone saw and knew. The concept was that each year a new CD appeared in the mail with a version number, and people installed the software from the CD onto their PC. (Amazing to imagine how far we have come) The idea was that we know there is a known good version that has been approved and tested, pre-bundled, so no downloads were needed from external sources, especially over slow dial-up internet connections.

    There is a lot of debate around the best way to create golden images and how to maintain them, as well as the software involved such as AWS image builder, Terraform or Packer. One idea is to keep them as simple as possible such that they have broad compatibility and can be configured by downstream systems. The other side is to configure them as much as possible beforehand to speed up builds and remove downloaded dependencies. Here is a typical workflow you might have in your image building and deployment process.

    Reply
  39. Tomi Engdahl says:

    Stanford CRFM:
    An assessment finds it is currently feasible for major foundation model providers to comply with the draft EU AI Act and doing so would improve transparency

    Do Foundation Model Providers Comply with the EU AI Act?
    https://crfm.stanford.edu/2023/06/15/eu-ai-act.html

    Foundation models like ChatGPT are transforming society with their remarkable capabilities, serious risks, rapid deployment, unprecedented adoption, and unending controversy. Simultaneously, the European Union (EU) is finalizing its AI Act as the world’s first comprehensive regulation to govern AI, and just yesterday the European Parliament adopted a draft of the Act by a vote of 499 in favor, 28 against, and 93 abstentions. The Act includes explicit obligations for foundation model providers like OpenAI and Google.

    Reply
  40. Tomi Engdahl says:

    Police cracks down on DDoS-for-hire service active since 2013
    https://www.bleepingcomputer.com/news/security/police-cracks-down-on-ddos-for-hire-service-active-since-2013/

    Polish police officers of the country’s Central Bureau for Combating Cybercrime detained two suspects believed to have been involved in operating a DDoS-for-hire service (aka booter or stresser) active since at least 2013.

    Reply
  41. Tomi Engdahl says:

    EU states told to restrict Huawei and ZTE from 5G networks ‘without delay’
    https://therecord.media/eu-states-told-to-restrict-huawei-and-zte

    The European Commission told member states on Thursday to restrict “without delay” high-risk equipment suppliers from their 5G networks, with the Chinese vendors Huawei and ZTE being specifically highlighted as representing “materially higher” risk.

    Reply
  42. Tomi Engdahl says:

    How Do Some Companies Get Compromised Again and Again?
    https://securityintelligence.com/articles/how-do-some-companies-get-compromised-again-and-again/

    Here’s an under-appreciated fact about what happens after a cyberattack:
    Malicious actors learn what’s possible. Once that knowledge was out there, it gave cyber crooks an incentive and a target.

    Reply
  43. Tomi Engdahl says:

    US govt offers $10 million bounty for info on Clop ransomware
    https://www.bleepingcomputer.com/news/security/us-govt-offers-10-million-bounty-for-info-on-clop-ransomware/

    The U.S. State Department’s Rewards for Justice program announced up to a $10 million bounty yesterday for information linking the Clop ransomware attacks to a foreign government.

    Reply
  44. Tomi Engdahl says:

    Four Things to Consider as You Mature Your Threat Intel Program
    https://www.securityweek.com/four-things-to-consider-as-you-mature-your-threat-intel-program/

    If you want to begin, or improve, sharing customized intelligence with key users, consider these four aspects as you develop your process.

    When ESG recently asked security professionals to identify the attributes of a mature threat intelligence program, the top response was “information dissemination with reports customized for consumption by specific individuals and groups”. However, many organizations don’t have mature threat intelligence programs and have yet to achieve this. ESG’s Jon Oltsik cites the 80/20 rule, where “80% of organizations have basic threat intelligence programs while only 20% are more advanced.”

    Sharing customized threat intelligence with key users is not just a sign that your threat intel program is maturing, it’s a great way to build deeper understanding, demonstrate value, and garner broader support for the program. If you want to begin, or improve, sharing customized intelligence with key users, consider these four aspects as you develop your process.

    1. Function. The threat intelligence team’s role is to provide products or services to many different internal customers, and each has different threat intel requirements to support their specific use cases.

    2. Form. There is no “one way” to communicate. Different teams speak different languages and will apply threat intelligence in different ways, so it’s important to take the time to learn what type of communication will be most effective. For many technical teams actual feeds and dashboards work well, directly delivering the threat intel they need to do their specific jobs. Meanwhile, for executives and boards, a customized dashboard may work well for some and a PDF may be better for others. Either way, the content itself could be easily digestible and relevant to business leaders.

    3. Frequency. Each team also has very different expectations and requirements when it comes to how often they need to receive threat intelligence. In security, the more time that passes, the more damage can be done. Additionally, many security teams are focused on being proactive, so speed is of the essence. But sharing data that hasn’t been vetted and contextualized for relevance to the organization ends up wasting valuable time. Threat intel teams can use automation to augment and enrich data with context, so teams get the right data faster and can easily prioritize it for analysis and action.

    Executives and board members have different requirements. Establishing a regular schedule for more formal communications, at a minimum quarterly, is a good start.

    4. Feedback. Finally, it’s important to ask your different customers for feedback to make sure they are getting what they need, how and when they need it. Advancing your threat intelligence program is a two-way street. You need to hear how your service is being used and if it isn’t you need to understand why and adjust accordingly. Tweak the format, further customize the threat intel, change the frequency – do whatever it takes to ensure the program is delivering value and considered a crucial tool for each of your organization’s security teams and leadership.

    We’re halfway through 2023 and for many teams this is a good time to step back and measure progress against goals set at the beginning of the year.

    Reply
  45. Tomi Engdahl says:

    Endpoint Security
    CISA, NSA Share Guidance on Hardening Baseboard Management Controllers
    https://www.securityweek.com/cisa-nsa-share-guidance-on-hardening-baseboard-management-controllers/

    CISA and the NSA have published new guidance to help organizations harden baseboard management controllers (BMC

    Reply
  46. Tomi Engdahl says:

    https://www.securityweek.com/in-other-news-linux-kernel-exploits-update-on-bec-losses-cybersecurity-awareness-act/

    FBI says BEC scam losses surpassed $50 billion

    The FBI has updated its report (PDF) on business email compromise and email account compromise (BEC) scams, rounding up estimated losses above the $50 billion mark. In the US, the total number of victims has surpassed 200,000, with reported losses of over $30 billion.

    https://www.ic3.gov/Media/Y2023/PSA230609

    Reply
  47. Tomi Engdahl says:

    Cybersecurity Awareness Act

    Newly introduced bipartisan legislation requires the Department of Homeland Security (DHS) to provide public and private sectors with regular guidance on best practices related to cybersecurity, while ensuring that the Cybersecurity and Infrastructure Security Agency (CISA) increases outreach to entities frequently targeted with ransomware, such as small businesses and underserved communities.

    Cassidy, Peters Introduce Bipartisan Bill to Increase Cybersecurity Awareness
    https://www.cassidy.senate.gov/newsroom/press-releases/cassidy-peters-introduce-bipartisan-bill-to-increase-cybersecurity-awareness

    WASHINGTON – U.S. Senators Bill Cassidy, M.D. (R-LA) and Gary Peters (D-MI) introduced bipartisan legislation to increase the Department of Homeland Security’s (DHS) outreach to communities on how they can protect themselves from disruptive cyber-attacks. The bill would direct Cybersecurity and Infrastructure Security Agency (CISA) to provide regular guidance and resources to the public and private sectors on best practices related to cybersecurity – such as enabling multifactor authentication and utilizing unique, strong passwords for each account. The legislation would also ensure that CISA increases its outreach to the most frequent targets of ransomware – including small businesses – as well as underserved communities that often lack access to a cybersecurity education.

    Reply
  48. Tomi Engdahl says:

    https://www.securityweek.com/in-other-news-linux-kernel-exploits-update-on-bec-losses-cybersecurity-awareness-act/

    Google paid $1.8 million for Linux kernel exploits

    Google says it has paid a total of $1.8 million for Linux kernel exploit reports received as part of the kCTF Vulnerability Rewards Program (VRP), which kicked off in 2020. More than 60% of submissions targeted vulnerabilities in the ‘io_uring’ component and Google has disabled the component on its servers and in Chrome OS, and is limiting its usage on Android and GKE AutoPilot.

    Kernel exploit submissions are now handled under the name kernelCTF, as the internet giant is shifting focus from Google Kubernetes Engine (GKE) and kCTF to the latest stable kernel and the included mitigations. The maximum total payout for valid reports remains $133,337.

    Learnings from kCTF VRP’s 42 Linux kernel exploits submissions
    https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html?m=1

    Reply
