Nothing is more difficult than making predictions, especially in the fast-advancing cyber security field. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that many people and publications have predicted for 2023.
HTTPS: These days HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome attempts to “upgrade” to the HTTPS version of a website if you ever accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking whether you would like to continue. As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads over HTTP.
Malvertising: Cyber criminals will keep impersonating brands using search engine advertisement services to defraud users in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals are purchasing ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. However, anyone clicking on the link is instead taken to a lookalike page that may appear identical, but is in fact designed to phish for login credentials and financial details, or even trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.
Encrypted malware: The vast majority of malware arrives over encrypted connections, typically HTTPS web sessions. The vast majority of cyber-attacks over the past year have used TLS/SSL encryption to hide from security teams, traditional firewalls and many other security tools. Over 85% of attacks hide in encrypted channels, and the WatchGuard Threat Lab report finds the top threat arriving exclusively over encrypted connections. If you are not inspecting encrypted traffic when it enters your network, you will not be able to detect most malware at the network level. Hopefully you at least have endpoint protection in place, for a chance to catch it further down the cyber kill chain.
Software vulnerabilities: Weak encryption configurations and missing security headers will still be very common in 2023. In 2022 nearly every application had at least one vulnerability or misconfiguration affecting security, and a quarter of application tests found a high- or critical-severity vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications.
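Missing security headers are one of the misconfigurations that is cheap to check for. The following is an added example, not code from the original post: it audits a set of response headers for the headers a hardened HTTPS site is expected to send and reports each one that is absent or carries a weak value. The response headers it runs on are a constructed sample; in practice you would feed in the headers of a real response from a site you operate.

```python
"""Audit an HTTP response for missing or weak security headers.

Added example, not code from the original post. SAMPLE_RESPONSE_HEADERS is
constructed; feed in real response headers from a site you operate.
"""
from typing import Callable, Dict, List, Optional, Tuple


def _hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS header value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0


# Headers a hardened HTTPS site is expected to send, each with a predicate
# that decides whether the value present is acceptable.
REQUIRED_HEADERS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: _hsts_max_age(v) >= 31536000,  # one year
    "content-security-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "referrer-policy": lambda v: bool(v.strip()),
}


def audit_headers(headers: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (header, problem, value) tuples; problem is 'missing' or 'weak'.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[Tuple[str, str, Optional[str]]] = []
    for name, acceptable in REQUIRED_HEADERS.items():
        if name not in lowered:
            findings.append((name, "missing", None))
        elif not acceptable(lowered[name]):
            findings.append((name, "weak", lowered[name]))
    return findings


# Constructed sample: HSTS present but short-lived, clickjacking protection
# set to a non-standard value, CSP and Referrer-Policy absent.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    for header, problem, value in audit_headers(SAMPLE_RESPONSE_HEADERS):
        print(f"{header}: {problem}" + (f" ({value})" if value else ""))
```

The predicates deliberately check values, not just presence: an HSTS header with a max-age of a few minutes, or an X-Frame-Options value browsers do not recognise, is reported as weak rather than passed.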
Old vulnerabilities: You will see attackers try to use old vulnerabilities again in 2023, because they work. Attackers will take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in trying to revive known vulnerabilities before looking for novel ones. Many companies do not patch their systems in a reasonable time, or at all, so they stay vulnerable. New variants of old vulnerabilities are also developed: approximately 50% of the observed 0-days in the first half of 2022 were variants of previously patched vulnerabilities.
Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments, and individuals alike. Lack of knowledge, failure to maintain employees’ skills, and indifference are the strongest obstacles in the development of many companies’ cyber security. While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far.
Cloud: At a hyperscale cloud provider there can potentially be several thousand people, working around the globe, who could access your data. Security screening and access limiting alone still leave a significant risk of malicious or accidental access to data. Instead, you should expect your cloud provider to take a more layered approach.
MFA: MFA fatigue attacks are putting your organization at risk in 2023. Multi-factor auth fatigue is real. A common threat targeting businesses is the MFA fatigue attack, a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. This attempt can be successful, especially when the target victim is distracted or overwhelmed by the notifications or mistakes them for legitimate authentication requests. It’s a huge threat because it bypasses one of the most effective security measures.
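The bombardment described above leaves a clear trace in authentication logs: a burst of denied or unanswered push prompts for one user, sometimes followed by a single approval. The following is an added detection example, not code from the original post or from any MFA vendor. The log format (ISO-8601 UTC timestamp, username, push result) is hypothetical and the lines are constructed.

```python
"""Detect MFA-fatigue patterns in push-authentication logs.

Added example, not from the original post. The log format is hypothetical
and the lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice is bombarded and finally approves; bob is normal;
# carol has two denials far apart, which is not a burst.
SAMPLE_LOG = """\
2023-01-10T08:01:02Z alice push_denied
2023-01-10T08:01:40Z alice push_denied
2023-01-10T08:02:15Z alice push_timeout
2023-01-10T08:02:50Z alice push_denied
2023-01-10T08:03:30Z alice push_approved
2023-01-10T09:00:00Z bob push_approved
2023-01-10T12:00:00Z carol push_denied
2023-01-10T12:30:00Z carol push_denied
"""

# Prompts the user did not accept: explicit denials and ignored (timed-out) pushes.
REJECTED = {"push_denied", "push_timeout"}


def parse_log(text):
    """Parse lines into (timestamp, user, result) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)


def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Return {user: info} for users with >= threshold rejected prompts in one window.

    info["approved_after_burst"] is True when an approval follows the burst within
    another window: the signature of a worn-down user finally accepting, which is
    the case that should be triaged first.
    """
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))

    alerts = {}
    for user, evs in by_user.items():
        rejected = [ts for ts, r in evs if r in REJECTED]
        for i, start in enumerate(rejected):
            burst = [t for t in rejected[i:] if t - start <= window]
            if len(burst) >= threshold:
                last = burst[-1]
                approved = any(r == "push_approved" and last < ts <= last + window
                               for ts, r in evs)
                alerts[user] = {
                    "rejected_prompts": len(burst),
                    "burst_start": start,
                    "approved_after_burst": approved,
                }
                break  # one alert per user is enough
    return alerts


if __name__ == "__main__":
    for user, info in detect_mfa_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```

The threshold and window are the tuning knobs: a real deployment would calibrate them against the normal rate of accidental denials and pair the alert with an automatic session review for the user in question.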
Passwords: Passwords will not go away completely, even though new solutions to replace them will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character in the password can make it harder for cyber criminals to use if it leaks out for some reason. The reason is that a comma in a password can obfuscate tabular comma-separated values (CSV) files, which are a common way to collect and distribute stolen passwords.
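The following added example (not code from the original post) shows the mechanism the comma tip relies on, and its limit. A dump written by naively joining fields with commas is mangled by a comma in the password, because a parser splitting on every comma no longer gets two fields per row; a dump written with Python's csv module quotes such a field and parses it back intact. The credential pairs are constructed.

```python
"""What a comma in a password does to a credential dump.

Added example, not from the original post. Credentials are constructed.
"""
import csv
import io

CONSTRUCTED_CREDS = [
    ("alice@example.test", "correct,horse,battery"),  # comma inside the password
    ("bob@example.test", "hunter22"),
]


def naive_dump(rows):
    """Join fields with commas and no quoting, as a careless dump script might."""
    return "".join(f"{user},{pw}\n" for user, pw in rows)


def naive_parse(text):
    """Split each line on every comma: a password with a comma breaks the row."""
    return [tuple(line.split(",")) for line in text.splitlines() if line]


def proper_dump(rows):
    """Write with the csv module, which quotes any field containing a comma."""
    buf = io.StringIO(newline="")
    csv.writer(buf).writerows(rows)
    return buf.getvalue()


def proper_parse(text):
    """Read with the csv module: quoted fields survive the round trip."""
    return [tuple(row) for row in csv.reader(io.StringIO(text, newline=""))]


if __name__ == "__main__":
    print(naive_parse(naive_dump(CONSTRUCTED_CREDS))[0])    # four fields, row mangled
    print(proper_parse(proper_dump(CONSTRUCTED_CREDS))[0])  # two fields, intact
```

The takeaway for the defender is the usual one: a comma may break sloppy tooling, but length and uniqueness are what actually make the password resist cracking and reuse.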
EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity; its successor is Network and Information Security 2, also known as NIS2. Rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonise their sanctions were approved by MEPs in late 2022. They will start to affect security decisions in 2023. The new rules will set tighter cybersecurity obligations for risk management, reporting obligations and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would fall under the legislation. The NIS Directive has impacted the cybersecurity budget of operators over the past year, with deep-dives into the Energy and Health sectors. Read more at Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?
USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been regarded by the cybersecurity community as “the floor” and “a baseline” for cybersecurity hygiene and practices. Many organizations overlook OT as part of their cybersecurity strategy, keeping their focus solely on IT systems. Especially in the critical infrastructure sectors, overlooking OT can pose serious risks to all operations. As a result, the CPGs released are explicitly scoped to include OT devices.
Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next release, Android 14. Google Play now lets children send purchase requests to guardians.
Losing the trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products.
Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.
Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.
Privacy and data protection: Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.
Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also the challenge that executives take more cybersecurity risks than office workers: leaders engage in more dangerous behavior and are four times more likely to be victims of phishing compared to office workers.
Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary. Keep in mind that executives take more cybersecurity risks than office workers.
Zero trust: Many people think that Zero Trust is the optimal security practice in 2023. It works well for new systems that its model suits, but Zero Trust also has challenges. Incorporating zero trust into an existing network can be very expensive. The Zero Trust Shouldn’t Be The New Normal article says that the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource-pooled cloud federation, doesn’t coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk. That’s where identity-first networking comes in. For a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. It securely automates the exchange of a user identity between cloud applications, diverse networks, and service providers.
Poor software: There will be a lot of poor software in use in 2023, and it will cost lots of money. Poor software costs the US 2.4 trillion: cyberattacks due to existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.
Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting in early January 2023 to improve security. A future Microsoft Edge update will permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems in February. This means that “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”.
Google Workspace: Google Workspace gets client-side encryption in Gmail. The long-awaited client-side encryption for Gmail is available in beta.
Google is letting businesses try out client-side encryption for Gmail, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many Workspace services.
Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use biometric verification to authenticate users and are meant to replace the use of passwords, which can be easily compromised. Passkeys are usable cross-platform with both applications and websites. Passkeys offer the same experience that password autofill does, but provide the advantage of passwordless authentication. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are only available on websites that provide support for them, via the WebAuthn API.
War risks: Watch for the war between Russia and Ukraine to continue in both the real world and the cyber world in 2023. Cyber is as important as missile defences, says an ex-NATO general. The risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.
Cloud takeover: AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range
Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.
ICS: ICS and SCADA systems remain trending attack targets also in 2023.
Code security: Microsoft-owned code hosting platform GitHub has just announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, secret scanning helped identify 1.7 million potential secrets exposed in public repositories. Now the feature is available for free for all public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts, you can track and act on leaked secrets directly within GitHub.
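To make the idea of secret scanning concrete, here is an added example of a minimal scanner; it is not GitHub's implementation and its patterns are illustrative only (the AWS key id is the placeholder value from AWS's own documentation, and the other patterns are assumptions about common token shapes). The source snippet it scans is constructed. A production scanner carries many provider-specific patterns and verifies candidates with the provider before alerting, which this one does not do.

```python
"""A minimal secret scanner for source text.

Added example; not GitHub's secret-scanning implementation. Patterns are
illustrative and the sample source is constructed.
"""
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # A string literal of 8+ characters assigned to a sensitive-looking name.
    # No leading \b: "db_password" must still match on "password".
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api_key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Constructed sample; none of these values are real credentials.
SAMPLE_SOURCE = """\
# constructed sample; none of these values are real credentials
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "p@ssw0rd-not-real"
token = os.environ["API_TOKEN"]   # read from the environment: fine
-----BEGIN RSA PRIVATE KEY-----
"""


def redact(line, match):
    """Replace the matched secret with a marker so findings can be shared safely.

    Patterns with a capture group redact only the captured value, keeping the
    variable name visible for the developer who has to fix it.
    """
    group = 1 if match.lastindex else 0
    return line[:match.start(group)] + "<REDACTED>" + line[match.end(group):]


def scan(text):
    """Return (line_number, pattern_name, redacted_line) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append((lineno, name, redact(line, match)))
    return findings


if __name__ == "__main__":
    for lineno, name, shown in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}: {shown}")
```

Note what is not flagged: the value read from the environment on line 4 is exactly the pattern secret scanning is meant to push developers towards, so a scanner that alerted on it would train people to ignore its alerts.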
Data destruction: We must develop a cloud-compatible way of doing destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided.
PCI DSS: PCI DSS 4.0 should be on your radar in 2023 if you work in a field that needs to meet it. The latest version of the standard will bring a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. But that’s changing with the release of PCI DSS 4.0. Now, many new requirements focus on client-side security.
SHA-1: NIST retires the SHA-1 cryptographic algorithm; not fully in 2023, but preparations for the phase-out start. The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm using the technique referred to as a ‘collision’ attack. SHA-1, whose initials stand for secure hash algorithm, has been in use since 1995 as part of the Federal Information Processing Standard, and NIST has announced that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms. The US National Institute of Standards and Technology (NIST) recommended that IT professionals start replacing the 27-year-old SHA-1 cryptographic algorithm with newer, more secure ones. Because SHA-1 is used as the foundation of numerous security applications, the phase-out period will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already taken steps to move away from the SHA-1 cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.
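A multi-year phase-out is only manageable if stored digests say which algorithm produced them. The following is an added example, not from NIST or the original post: it tags each integrity digest with its algorithm name, verifies in constant time, and reports when a record still uses SHA-1 (or MD5) so it can be re-hashed with SHA-2 at the next verification. The "algorithm$hex" encoding and the DEPRECATED set are this example's own conventions. It is about integrity digests of data; stored passwords should use a dedicated password hash instead of any plain digest.

```python
"""Algorithm-tagged digests with a deprecation check for SHA-1.

Added example, not from NIST or the original post. The "algo$hex" format
and the DEPRECATED set are conventions chosen for this example.
"""
import hashlib
import hmac

DEPRECATED = {"md5", "sha1"}   # verify still works, but flag for re-hashing
PREFERRED = "sha256"           # any SHA-2 or SHA-3 member works with hashlib


def tagged_digest(data: bytes, algo: str = PREFERRED) -> str:
    """Return '<algo>$<hexdigest>' so the algorithm travels with the digest."""
    return f"{algo}${hashlib.new(algo, data).hexdigest()}"


def verify(data: bytes, stored: str):
    """Return (matches, needs_rehash).

    The comparison is constant-time; needs_rehash is True only when the digest
    matched under an algorithm in DEPRECATED.
    """
    algo, _, hexdigest = stored.partition("$")
    actual = hashlib.new(algo, data).hexdigest()
    matches = hmac.compare_digest(actual, hexdigest)
    return matches, matches and algo in DEPRECATED


def verify_and_upgrade(data: bytes, stored: str):
    """Verify; when the stored digest is deprecated, hand back a SHA-256 replacement.

    Returns (matches, digest_to_store). The caller persists the second value,
    so records migrate off SHA-1 as they are touched.
    """
    matches, needs_rehash = verify(data, stored)
    if not matches:
        return False, stored
    return True, tagged_digest(data) if needs_rehash else stored


if __name__ == "__main__":
    legacy = tagged_digest(b"abc", "sha1")    # constructed legacy record
    print(legacy)
    print(verify_and_upgrade(b"abc", legacy))  # matched, replacement uses sha256
```

Opportunistic re-hashing on verification is the usual migration pattern because it needs no bulk job and never loses data; records that are never touched again can be found by grepping for the "sha1$" prefix.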
Cloud: Is cloud native security good enough? Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers (Amazon Web Services (AWS), Microsoft Azure and Google Cloud) of course offer security features and services designed to address significant threats to cloud-based data. However, in spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.
Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.
Ethical hacking: Ethical hacking has become a highly sought-after career route for emerging tech aspirants. The role of ethical hackers enables countless businesses and individuals to improve their security posture and minimize the potential attack risk for organizations. But several analysts believe that becoming a self-taught ethical hacker in 2023 might not be worth it, because such hackers are at constant risk of failing to perform properly and many companies might not want to hire them.
MFA: Two factor authentication might not be enough in 2023 for applications that need good security. In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. So for some demanding users 2FA is over. Long live 3FA!
Cloud APIs: With cloud come APIs and security headaches, also in 2023. Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots. About 40% of companies are suffering an incident due to misconfiguration and a third are coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but more than three-quarters (77%) are confident that they will catch issues, saying they have the required API tools and solutions.
Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As threat levels remain high, companies and organizations remain on alert, but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.
VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.
AI: Corporations have discovered the power of artificial intelligence (A.I.) to transform what’s possible in their operations.
But with great promise comes great responsibility—and a growing imperative for monitoring and governance. “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.
AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever, and the consequences will be serious. A Wired magazine article expects that in 2023 we may well see our first death by chatbot. Causality will be hard to prove: was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly they felt compelled to take their own life?
Metaverse: Police must prepare for new crimes in the metaverse, says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. Read the Policing in the metaverse: what law enforcement needs to know report for more information.
Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. The year 2022 already showed how many cryptocurrency-related risks were realized. More “crypto travel rules” are being enacted to combat money laundering and terrorism financing.
Insurance: Getting cyber insurance can become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks, and now increasingly name cyber as the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. There is growing concern among industry executives about large-scale strikes. As well as pushing up prices, some insurers have responded by tweaking policies so that clients retain more of the losses. There are already insurance policies written in the market that have an exemption for state-backed attacks, but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Recent attacks have disrupted hospitals, shut down pipelines and targeted government departments. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.
Sources:
Expert advises using a comma in your password – there is a clever logic behind it
Overseeing artificial intelligence: Moving your board from reticence to confidence
Android is adding support for updatable root certificates amidst TrustCor scare
Google Play now lets children send purchase requests to guardians
Diligent’s outlook for 2023: Risk is the trend to watch
Microsoft will turn off Exchange Online basic auth in January
Google is letting businesses try out client-side encryption for Gmail
Google Workspace Gets Client-Side Encryption in Gmail
The risk of escalation from cyberattacks has never been greater
Client-side encryption for Gmail available in beta
AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range
Microsoft: Edge update will disable Internet Explorer in February
Is Cloud Native Security Good Enough?
Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023
Google Chrome preparing an option to block insecure HTTP downloads
Cyber attacks set to become ‘uninsurable’, says Zurich chief
The Dark Risk of Large Language Models
Police Must Prepare For New Crimes In The Metaverse, Says Europol
Policing in the metaverse: what law enforcement needs to know
Cyber as important as missile defences – an ex-NATO general
Misconfigurations, Vulnerabilities Found in 95% of Applications
Personnel security in the cloud
Multi-factor auth fatigue is real – and it’s why you may be in the headlines next
MFA Fatigue attacks are putting your organization at risk
NIS2 approved – stricter cyber security requirements for EU countries
Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?
Poor software costs the US 2.4 trillion
Passkeys Now Fully Supported in Google Chrome
Google Takes Gmail Security to the Next Level with Client-Side Encryption
Executives take more cybersecurity risks than office workers
NIST Retires SHA-1 Cryptographic Algorithm
NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm
WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections
Over 85% of Attacks Hide in Encrypted Channels
GitHub Announces Free Secret Scanning, Mandatory 2FA
Leaked a secret? Check your GitHub alerts…for free
Data Destruction Policies in the Age of Cloud Computing
Why PCI DSS 4.0 Should Be on Your Radar in 2023
Google: With Cloud Comes APIs & Security Headaches
Digesting CISA’s Cross-Sector Cybersecurity Performance Goals
Zero Trust Shouldn’t Be The New Normal
Don’t click too quick! FBI warns of malicious search engine ads
FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads
Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users
There is a desperate shortage of cyber security professionals
Tomi Engdahl says:
Angela Fu / Poynter:
A Las Vegas Review-Journal reporter and her colleagues faced social media attacks when users, including Elon Musk, distorted her coverage of a fatal hit-and-run — The Las Vegas Review-Journal is facing a harassment campaign stoked by Elon Musk, one year after a reporter was killed for his coverage.
A reporter made sure a retired police chief’s death didn’t go uncovered. Then social media attacked her.
https://www.poynter.org/reporting-editing/2023/a-reporter-made-sure-a-retired-police-chiefs-death-didnt-go-uncovered-then-social-media-attacked-her/
The Las Vegas Review-Journal is facing a harassment campaign stoked by Elon Musk, one year after a reporter was killed for his coverage.
When retired police chief Andreas Probst was killed in a hit-and-run last month, Las Vegas Review-Journal crime reporter Sabrina Schnur was the first journalist to arrive on the scene.
Schnur was also the first local reporter to talk to Probst’s family, penning an obituary to ensure that his widow’s and daughter’s voices would be heard.
And she was the reporter who instructed a source with video footage of the killing to go to the police, just nine hours before police announced a murder charge in the case.
But despite her work documenting Probst’s death, Schnur became the target of anti-Semitic attacks and death wishes over the weekend as social media users questioned why the “media” wasn’t properly covering the attack. Screenshots of the month-old obituary’s headline sparked outrage among readers who falsely assumed the Review-Journal was downplaying Probst’s death.
The obituary originally ran on Aug. 18 with the headline “Retired police chief killed in bike crash remembered for laugh, love of coffee.” At that point, police did not yet know that the killing was intentional. Thirteen days later, on Aug. 31, a source approached Schnur with a video showing the driver in the crash intentionally hitting Probst and laughing about it with the passenger. She connected the source with the police, and the Review-Journal covered the subsequent murder charge.
But when that video went viral over the weekend, social media users shared screenshots of the old obituary, taking issue with the phrase “bike crash.” They filled Schnur’s inbox and social media mentions with increasingly personal attacks and accused her of being anti-white. They shared her photo and made anti-Semitic comments. They circulated her office phone number and told her that they hoped she would get cancer, that they hoped she would die. They found her private social media accounts and dug through her Twitter, unearthing posts she’d made as a teenager, going as far back as 2015.
“That’s what started to scare me — if they’re taking the time to go through my Twitter, what else are they taking the time to find on me?” Schnur said. “I started to piece together, OK, if I was going to just cyber stalk someone, what things would they be able to find on me? I started to feel genuinely unsafe at that point.”
On Sunday morning, Elon Musk, the billionaire owner of X, formerly known as Twitter, amplified one of the screenshots, posting “An innocent man was murdered in cold blood while riding his bicycle. The killers joked about it on social media Yet, where is the media outrage? Now you begin to understand the lie.” That post had 68.2 million views as of Monday evening.
A request for comment sent to X generated an automated email response.
The Review-Journal’s social media accounts and other staff also received vicious attacks. When Schnur shared that she’d received 700 notifications on X and an onslaught of angry emails and voicemails, editors jumped in to support her and make sure she was safe.
Executive editor Glenn Cook said that during his 30-plus years in journalism, he’d never seen vitriol of this volume or intensity. “It’s like a fire hose of hatred to the face.”
In an attempt to slow the harassment, editors changed the Aug. 18 obituary’s headline — which Schnur did not write — so that it read “hit-and-run” instead of “bike crash.” The Review-Journal then published a story about the online harassment in an attempt to correct the record. Cook told staff scheduled to work on Sunday not to come into the office as a safety precaution.
“We know firsthand that social media vitriol can turn into something worse,” Cook said. “That’s one of the takeaways from what we dealt with with Jeff German’s murder.”
“I’m not going to stop writing because some people on Twitter are upset.”
Tomi Engdahl says:
OT/IoT and OpenTitan, an Open Source Silicon Root of Trust
A silicon root of trust (S-RoT) is designed to provide security to those parts of a device that can be attacked by a third party. The question remains, however: can the S-RoT itself be attacked?
https://www.securityweek.com/ot-iot-and-opentitan-an-open-source-silicon-root-of-trust/
OpenTitan is a project aimed at bringing the success of open source software to the silicon design space – specifically a silicon-level root of trust. The project achieved RTL Freeze in June 2023, and will be generating engineering sample silicon by the end of this year.
The project is managed by LowRISC, a UK non-profit organization founded in the Cambridge University computer lab in 2014 by Dr Gavin Ferris and Prof Rob Mullins (who also co-founded the Raspberry Pi Foundation with Pi’s creator Eben Upton in 2008).
LowRISC became steward of the OpenTitan project in March 2019, and has been working with partners including Google, Western Digital, Seagate and others.
Tomi Engdahl says:
Nick Huber / Financial Times:
Research: the global cyber workforce reached 4.7M in 2022 while still short by 3.4M; Statista: average salary for cyber professionals was between $120K-$150K
Wanted: another 3mn cyber professionals
Ever greater demand for security staff is increasing wage inflation and skills gaps
https://www.ft.com/content/7c048b07-4e4b-4f54-8aa4-dcde1ee71a13
Governments and companies are still struggling to find cyber security staff after more than a decade in which demand has outstripped supply, and sent wages spiralling higher.
In 2022, the global shortage of cyber security professionals stood at 3.4mn, compared with a total cyber workforce of 4.7mn, according to research by ISC2, an association for cyber security professionals. The gap was particularly wide in the aerospace, government, education, insurance and transportation sectors, it found. To fill all the current vacancies, the workforce must grow by about 70 per cent, says ISC2 chief executive, Clar Rosso.
And the biggest skills shortages were in soft skills — communicating and dealing with other people — and cloud computing, according to separate global research by Isaca, another IT security association.
This inability to acquire and retain cyber security workers is already creating vulnerabilities in the private and public sectors. More than half of the respondents to ISC2 who reported workforce shortages said that staff deficits put their organisations at “moderate” or “extreme” risk of cyber attack.
In response to the heightened threat, fresh recruitment initiatives have been launched. ISC2 is offering an “entry level” certification in cyber security — part of a wider plan by the US government to partner with organisations and fill hundreds of thousands of vacancies. At the same time, smaller schemes — through institutions such as Toronto Metropolitan University — are retraining “mid-career” workers in cyber security and helping them find jobs in the industry.
However, despite these efforts to boost supply, competition to hire cyber security workers is still fierce — keeping salaries high. In 2022, average global salaries for cyber security professionals ranged between about $128,000 and $150,000, according to Statista, a research and data provider.
In this buoyant market, job candidates can dictate their employment terms. “[They] can choose where they work, and when they work, and how they work,” says Karoli Hindriks, chief executive of Jobbatical, an AI-powered platform that helps tech workers relocate.
Tomi Engdahl says:
These skills need not be cyber specific.
Broad skills, such as business acumen and calmness under pressure, can be just as important in cyber security roles as technical skills, which candidates can be taught.
However, despite signs that the pool of candidates for cyber security roles is widening, there is room for improvement. Tes.
She feels this is a mistake. “The adversary [cyber security criminals] is diverse and, if we’re going to keep up, we need diversity of thought, diversity of skills, diversity of background,” Hopkins says.
https://www.ft.com/content/7c048b07-4e4b-4f54-8aa4-dcde1ee71a13
Tomi Engdahl says:
BBC:
After Meta criticized the UK’s potential E2EE rules, the UK says Meta “failed to provide assurances” over keeping its platforms “safe from sickening abusers”
Braverman and Facebook clash over private message plans
https://www.bbc.com/news/technology-66854622
Facebook’s owner Meta has hit back at a government campaign strongly critical of its plans to encrypt messages.
Protecting messages with end-to-end-encryption would mean that they could only be read by sender and recipient.
Home Secretary Suella Braverman said encryption could not come at the cost of children’s safety, amid fears it can be used to conceal child abuse.
Meta argues that encryption protects users from invasion of privacy.
“We don’t think people want us reading their private messages”, the firm said.
“The overwhelming majority of Brits already rely on apps that use encryption to keep them safe from hackers, fraudsters and criminals”, it added.
Ms Braverman set out her concerns to Meta in a letter co-signed by technology experts, law enforcement, survivors and leading child safety charities in July.
Tomi Engdahl says:
NCSC-UK: Building on our history of cryptographic research https://www.ncsc.gov.uk/blog-post/building-on-our-history-cryptographic-research
We’ve just published a paper for the cryptographic community in which we release two new designs for cryptographic algorithms known as block cipher modes of operation, or ‘modes’. We’re also sharing the supporting security analysis and design rationale. We’ve named the new modes GLEVIAN and VIGORNIAN*.
Tomi Engdahl says:
Quantum Resistance and the Signal Protocol https://signal.org/blog/pqxdh/
Today we are happy to announce the first step in advancing quantum resistance for the Signal Protocol: an upgrade to the X3DH specification which we are calling PQXDH. With this upgrade, we are adding a layer of protection against the threat of a quantum computer being built in the future that is powerful enough to break current encryption standards.
Tomi Engdahl says:
CISA’s catalog of must-patch vulnerabilities crosses the 1,000 bug mark after 2 years
https://therecord.media/cisa-known-exploited-vulnerability-catalog-passes-1000
CISA officials explained in a statement this week that the list was created in 2021 primarily because there are too many vulnerabilities for defenders to patch – there were more than 25,000 new bugs released in 2022 alone.
“The purpose of the KEV is simple: while focusing on vulnerabilities that have been exploited isn’t sufficient, it’s absolutely necessary – so let’s start there,” they said. “Every organization should be prioritizing mitigation of KEVs as part of a vulnerability management program that enables prioritization based on organizational attributes such as how a vulnerable product is being used and the exploitability of the relevant system.”
Tomi Engdahl says:
India’s biggest tech centers named as cyber crime hotspots https://www.theregister.com/2023/09/21/india_cybercrime_trends_report/
India is grappling with a three-and-a-half year surge in cyber crime, with analysis suggesting cities like Bengaluru and Gurgaon – centers of India’s tech development – are also hubs of evil activity.
The report – A Deep Dive into Cybercrime Trends Impacting India from the non-profit Future Crime Research Foundation (FCRF) – identified cyber crime hot spots, as well as the most popular types of infosec assaults, from January 2020 until June 2023.
Report at
https://drive.google.com/file/d/192gIh708WWTmXzrBoqqxhe7wa0IAPXXl/view?pli=1
Tomi Engdahl says:
2023 Unit 42 Attack Surface Threat Report Highlights the Need for ASM https://www.paloaltonetworks.com/blog/2023/09/attack-surface-threat-report-highlights-need-for-asm/
Most organizations have an attack surface management problem, and they don’t even know it, because they lack full visibility of the various IT assets and owners. One of the biggest culprits of these unknown risks are remote access service exposures, which made up nearly one out of every five issues we found on the internet. Defenders need to be vigilant, because every configuration change, new cloud instance or newly disclosed vulnerability begins a new race against attackers.
Today’s attackers can scan the entire IPv4 address space for vulnerable targets in minutes. Of the 30 common vulnerabilities and exposures (CVEs) analyzed, three were exploited within hours of public disclosure and 63% were exploited within 12 weeks of the public disclosure. Of the 15 remote code execution (RCE) vulnerabilities analyzed by Unit 42, 20% were targeted by ransomware gangs within hours of disclosure, and 40% of the vulnerabilities were exploited within 8 weeks of publication.
80% of security exposures are present in cloud environments compared to on-premises at 19%. Cloud-based IT infrastructure is always in a state of flux, changing by more than 20% across every industry every month. Nearly 50% of high-risk, cloud-hosted exposures each month were a result of the constant change in cloud-hosted new services going online and/or old ones being replaced. Over 75% of publicly accessible software development infrastructure exposures were found in the cloud, making them attractive targets for attackers.
Over 85% of organizations analyzed had Remote Desktop Protocol (RDP) internet-accessible for at least 25% of the month, leaving them open to ransomware attacks or unauthorized login attempts.
Tomi Engdahl says:
Singapore may split liability for phishing losses between banks and victims https://www.theregister.com/2023/09/20/singapore_phishing_split_fraud/
Singapore officials announced on Monday that next month they will deliver a consultation paper detailing a split liability scheme that will mean both consumers and banks are on the hook for financial losses flowing from scams.
Tomi Engdahl says:
FCC plays whack-a-mole with telcos accused of profiting from robocalls https://arstechnica.com/tech-policy/2023/09/fcc-plays-whac-a-mole-with-telcos-accused-of-profiting-from-robocalls/
One Owl Telecom is a US-based gateway provider that routes phone calls from outside the US to consumer phone companies such as Verizon. “Robocalls on One Owl’s network apparently bombarded consumers without their consent with prerecorded messages about fictitious orders,” the Federal Communications Commission said yesterday.
On August 1, the FCC sent One Owl a Notification of Suspected Illegal Robocall Traffic ordering it to investigate robocall traffic identified by USTelecom’s Industry Traceback Group, block all of the identified traffic within 14 days, and “continue to block the identified gateway traffic as well as substantially similar traffic on an ongoing basis.”
“One Owl faces a simple choice—comply or lose access to US communications networks,” FCC Enforcement Bureau Chief Loyaan Egal said in a press release.
Tomi Engdahl says:
P2PInfect botnet activity surges 600x with stealthier malware variants https://www.bleepingcomputer.com/news/security/p2pinfect-botnet-activity-surges-600x-with-stealthier-malware-variants/
The P2PInfect botnet worm is going through a period of highly elevated activity volumes starting in late August and then picking up again in September 2023.
Cado Security researchers who have been following the botnet since late July 2023, report today seeing global activity, with most breaches impacting systems in China, the United States, Germany, Singapore, Hong Kong, the UK, and Japan.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/15333-mistae-tietaeae-ettae-aelypuhelintasi-vakoillaan
Tomi Engdahl says:
The entire point of the CVE system is to identify the origin of a vulnerability so anyone making or using software downstream from the origin can easily tell if they’re vulnerable. And if the CVEs cover the same underlying vulnerability, the teams involved in its discovery should have coordinated and made that clear.
Incomplete disclosures by Apple and Google create “huge blindspot” for 0-day hunters
No one mentioned that libwebp, a library found in millions of apps, was a 0-day origin.
https://arstechnica.com/security/2023/09/incomplete-disclosures-by-apple-and-google-create-huge-blindspot-for-0-day-hunters/?utm_source=facebook&utm_brand=ars&utm_social-type=owned&utm_medium=social&fbclid=IwAR0adkCktQ_P1gH5jQEurWump7XTHgSFF8JWu3EdY9pipu2zOJW2eOHz4Do
Incomplete information included in recent disclosures by Apple and Google reporting critical zero-day vulnerabilities under active exploitation in their products has created a “huge blindspot” that’s causing a large number of offerings from other developers to go unpatched, researchers said Thursday.
Two weeks ago, Apple reported that threat actors were actively exploiting a critical vulnerability in iOS so they could install espionage spyware known as Pegasus. The attacks used a zero-click method, meaning they required no interaction on the part of targets. Simply receiving a call or text on an iPhone was enough to become infected by the Pegasus, which is among the world’s most advanced pieces of known malware.
Four days later, Google reported a critical vulnerability in its Chrome browser. The company said the vulnerability was what’s known as a heap buffer overflow that was present in WebP. Google went on to warn that an exploit for the vulnerability existed in the wild. Google said that the vulnerability, designated as CVE-2023-4863, was reported by the Apple Security Engineering and Architecture team and Citizen Lab.
On Thursday, researchers from security firm Rezillion published evidence that they said made it “highly likely” both indeed stemmed from the same bug, specifically in libwebp, the code library that apps, operating systems, and other code libraries incorporate to process WebP images.
Rather than Apple, Google, and Citizen Lab coordinating and accurately reporting the common origin of the vulnerability, they chose to use a separate CVE designation, the researchers said. The researchers concluded that “millions of different applications” would remain vulnerable until they, too, incorporated the libwebp fix. That, in turn, they said, was preventing automated systems that developers use to track known vulnerabilities in their offerings from detecting a critical vulnerability that’s under active exploitation.
“Since the vulnerability is scoped under the overarching product containing the vulnerable dependency, the vulnerability will only be flagged by vulnerability scanners for these specific products,” Rezillion researchers Ofri Ouzan and Yotam Perkal wrote. “This creates a HUGE blindspot for organizations blindly relying on the output of their vulnerability scanner.”
Google has further come under criticism for limiting the scope of CVE-2023-4863 to Chrome rather than in libwebp. Further, the official description describes the vulnerability as a heap buffer overflow in WebP in Google Chrome.
In an email, a Google representative wrote: “Many platforms implement WebP differently. We do not have any details about how the bug impacts other products
The representative noted that the WebP image format is mentioned in its disclosure and the official CVE page. The representative didn’t explain why the official CVE and Google’s disclosure did not mention the widely used libwebp library or that other software was also likely to be vulnerable.
The Google representative didn’t answer a question asking if CVE-2023-4863 and CVE-2023-41064 stemmed from the same vulnerability.
The number of apps, frameworks, code libraries, and other packages that incorporate libwebp and have yet to receive a patch is unknown. While Microsoft patched CVE-2023-4863 in its Edge browser, the company confirmed in an email on Thursday that other vulnerable products and code packages had yet to be patched.
Microsoft offerings known to remain vulnerable are Teams, a widely used collaboration platform, and the developer tool Visual Studio Code.
Both products are built on the Electron framework, which was also affected by CVE-2023-4863.
The number of affected software packages is too large to check all of them.
Tomi Engdahl says:
AI-generated books force Amazon to cap e-book publications to 3 per day https://arstechnica.com/information-technology/2023/09/ai-generated-books-force-amazon-to-cap-ebook-publications-to-3-per-day/
On Monday, Amazon introduced a new policy that limits Kindle authors from self-publishing more than three books per day on its platform, reports The Guardian. The rule comes as Amazon works to curb abuses of its publication system from an influx of AI-generated books.
Since the launch of ChatGPT, an AI assistant that can compose text in almost any style, some news outlets have reported a marked increase in AI-authored books, including some that seek to fool others by using established author names. Despite the anecdotal observations, Amazon is keeping its cool about the scale of the AI-generated book issue for now. “While we have not seen a spike in our publishing numbers,” they write, “in order to help protect against abuse, we are lowering the volume limits we have in place on new title creations.”
Tomi Engdahl says:
”Fundamental rights to the scrap heap” – the EU’s intention to spy on all message traffic draws heavy criticism
https://www.kauppalehti.fi/uutiset/perusoikeudet-romukoppaan-eun-aikomus-vakoilla-kaikkea-viestiliikennetta-saa-raskasta-kritiikkia/6c311186-7ac8-4a17-82a9-53277909e719
The Finnish Federation for Communications and Teleinformatics (Ficom) criticises the European Commission’s proposed regulation laying down rules to prevent and combat sexual abuse of children.
”This would lead to a serious restriction of fundamental and human rights and would also restrict the securing of other legitimate objectives, such as information security”, writes Ficom lawyer Asko Metsola.
The European Parliament’s own supplementary impact assessment is along the same lines as Ficom, Ficom says.
Tomi Engdahl says:
A used-car buyer knows to demand the keys, but removing the car’s app from the former owner’s phone may not come to mind
https://yle.fi/a/74-20049325
EU data protection authorities in several countries are handling complaints about car apps. In one case, the old owner still had access in the app to the data of the car they had sold.
With electrification, cars’ own apps have become common at a rapid pace.
A phone is a handy device for managing and monitoring charging.
But apps have also become common for cars with combustion engines. Pekka Pättiniemi, CEO of car dealer Delta, estimates that at present all mid-priced and more expensive new cars already have their own app.
– The most commonly used connectivity feature is turning on the heating remotely. Another is checking that the car is locked. And then there is tracking the car’s location, Pättiniemi says.
All of these features are useful – especially when the app is linked to your own car.
In recent years, internet discussion forums have carried reports of cases where the data of a car sold second-hand has been left behind in the previous owner’s app. In such cases the old owner has been able to track the car’s movements and, if they wished, adjust its settings.
– If the new owner doesn’t know about the feature and doesn’t think to transfer it to their own phone, then this can happen, Pättiniemi says.
Tomi Engdahl says:
Evasive Gelsemium hackers spotted in attack against Asian govt https://www.bleepingcomputer.com/news/security/evasive-gelsemium-hackers-spotted-in-attack-against-asian-govt/
A stealthy advanced persistent threat (APT) tracked as Gelsemium was observed in attacks targeting a Southeast Asian government that spanned six months between 2022 and 2023.
Gelsemium is a cyberespionage group operational since 2014, targeting government, education, and electronic manufacturers in East Asia and the Middle East.
Tomi Engdahl says:
What is DNS Rebinding Attack?
https://hackersonlineclub.com/what-is-dns-rebinding-attack/
What is a DNS Rebinding Attack? How does it work, and how can you protect against it?
DNS rebinding is a form of computer attack, or one could say a domain-name-based computer attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network.
A DNS rebinding attack uses JavaScript in a malicious Web page to gain control of a router.
DNS rebinding attack can be used to breach a private network by causing the victim’s web browser to access machines at private IP addresses and return the results to the attacker. It can also be employed to use the victim machine for spamming, distributed denial-of-service attacks or other malicious activities.
Cybercriminals can also carry out a DNS rebinding attack through malicious advertising, and then access private information on the network.
How does DNS Rebinding work?
The attacker registers a domain (such as anydomain.com) and delegates it to a DNS server under the attacker’s control. The server is configured to respond with a very short time to live (TTL) record, preventing the response from being cached. When the victim browses to the malicious domain, the attacker’s DNS server first responds with the IP address of a server hosting the malicious client-side code.
For instance, they could point the victim’s browser to a website that contains malicious JavaScript or Flash scripts that are intended to execute on the victim’s computer.
The malicious client-side code makes additional accesses to the original domain name (such as attacker.com). These are permitted by the same-origin policy. However, when the victim’s browser runs the script it makes a new DNS request for the domain, and the attacker replies with a new IP address. For instance, they could reply with an internal IP address or the IP address of a target somewhere else on the Internet.
How can we protect ourselves?
The following techniques attempt to prevent DNS rebinding attacks:
1. Always use a strong password for your router.
2. Disable admin console access to your router from any external network.
3. Web browsers can implement DNS pinning: the IP address is locked to the value received in the first DNS response.
4. This technique may block some legitimate uses of Dynamic DNS, and may not work against all attacks. However, it is important to fail safe (stop rendering) if the IP address does change, because using an IP address past the TTL expiration can open the opposite vulnerability when the IP address has legitimately changed and the expired IP address may now be controlled by an attacker.
5. Private IP addresses can be filtered out of DNS responses.
6. Use external public DNS servers that perform this filtering, e.g. OpenDNS.
7. Local sysadmins can configure the organization’s local nameservers to block the resolution of external names into internal IP addresses. This has the downside of allowing an attacker to map the internal address ranges in use.
8. DNS filtering in a firewall or daemon e.g. dnswall.
9. Web servers can reject HTTP requests with an unrecognized Host header.
10. The Firefox NoScript extension provides partial protection (for private networks).
11. It was first discovered in 1996 and affected the Java Virtual Machine.
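Two of the defences listed above, the resolver-side filtering of private addresses (items 5 to 8) and the web server’s Host header check (item 9), written out as an added Python example; this is not code from the linked article, and the record format, hostnames and addresses are constructed for illustration.

```python
"""Added example: two DNS-rebinding defences as small, testable checks.

1. Resolver/firewall-side filtering: drop A/AAAA answers for external names
   that point at private, loopback, link-local or unspecified addresses, so a
   rebinding server's second answer (e.g. 192.168.1.1) never reaches the browser.
2. Web-server-side Host header allowlisting: a service on the internal network
   rejects requests whose Host header is not one of its published names, so a
   rebound request for attacker-controlled-name.example is refused.

All sample records, names and addresses below are constructed for the example.
"""
import ipaddress
from typing import Iterable, List, Tuple

# A DNS answer record is modelled as (owner name, RR type, rdata).
Record = Tuple[str, str, str]

# Address ranges an external name should never legitimately resolve to.
# Listed explicitly (rather than via ipaddress.is_private) so the policy is visible.
_BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private ranges
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this" net
    "::1/128", "fc00::/7", "fe80::/10", "::/128",       # IPv6 equivalents
)]


def is_internal_address(ip_text: str) -> bool:
    """True if rdata is an address a rebinding attack would try to hand the browser."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable rdata is treated as hostile, not passed through
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) is judged by the embedded IPv4 address,
    # otherwise the IPv6 form would slip past an IPv4-only block list.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in _BLOCKED_NETS)


def filter_rebinding_answers(records: Iterable[Record]) -> List[Record]:
    """Keep only A/AAAA records that resolve to routable public addresses.

    Non-address records (CNAME, TXT, ...) pass through untouched; the decision
    is made per record, so a mixed answer loses only its internal addresses.
    """
    kept: List[Record] = []
    for name, rrtype, rdata in records:
        if rrtype in ("A", "AAAA") and is_internal_address(rdata):
            continue  # dropped: this is the rebinding payload
        kept.append((name, rrtype, rdata))
    return kept


def host_header_allowed(host_header: str, allowed_hosts: Iterable[str]) -> bool:
    """Server-side Host header check (item 9 in the list above).

    The browser sends the attacker's domain in Host even after rebinding, so a
    server that only answers for its own published names refuses the request.
    Matching is case-insensitive and ignores an optional :port suffix.
    """
    host = host_header.strip().lower()
    if not host or host.startswith("["):
        return False  # empty, or a bracketed IPv6 literal: never a published name
    host = host.split(":", 1)[0]
    return host in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    # Constructed sample: first answer is a public address, the rebound answer
    # is the victim's router; the filter keeps only the first.
    sample = [
        ("anydomain.example", "A", "203.0.113.7"),
        ("anydomain.example", "A", "192.168.1.1"),
        ("anydomain.example", "AAAA", "::ffff:10.0.0.1"),
    ]
    print(filter_rebinding_answers(sample))
    print(host_header_allowed("anydomain.example", ["router.internal"]))
```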
Tomi Engdahl says:
ZTNA’s untapped potential to both reduce cyber risk and empower businesses to:
• Provide slick experiences to even your riskiest users like contractors, temporary hires, and developers
• Maintain continuity during critical junctures like M&A and cloud migrations
• Roll out phishing-resistant MFA (like hard keys) everywhere to everyone
• Set the groundwork for a whole roadmap of security use cases even after that VPN is (mostly) gone
Tomi Engdahl says:
IPv6 represents 20% of reported malicious IPs, reports recent CrowdSec research. With such rapid high adoption, it was inevitable that IPv6 eventually started registering on cybersecurity radars.
Tomi Engdahl says:
AI Is Now Better Than Humans at Solving Those Annoying “Prove You’re a Human” Tests
https://futurism.com/the-byte/ai-better-solving-captchas-prove-human
Researchers have found that bots are shockingly good at completing CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart), which are those small, annoying puzzles designed — ironically — to verify that you’re really human.
In fact, as the team led by Gene Tsudik at the University of California, Irvine discovered, the bots are actually way better and faster at solving these tests than us, a worrying sign that the already-aging tech is on its way out.
Tomi Engdahl says:
DHS Publishes New Recommendations on Cyber Incident Reporting
https://www.securityweek.com/dhs-publishes-new-recommendations-on-cyber-incident-reporting/
DHS has published a new set of recommendations to help federal agencies better report cyber incidents and protect critical infrastructure.
The US Department of Homeland Security (DHS) on Tuesday published a new document containing recommendations on how federal agencies can streamline cyber incident reporting, to help protect critical infrastructure entities.
Titled Harmonization of Cyber Incident Reporting to the Federal Government (PDF), the document offers a definition of reportable cyber incidents and of reporting timeline, and recommends the adoption of a model reporting form within federal agencies.
Additionally, the document details when incident reporting might be delayed, including situations when this action would pose a risk to “critical infrastructure, national security, public safety, or an ongoing law enforcement investigation”.
https://www.dhs.gov/sites/default/files/2023-09/DHS%20Congressional%20Report%20-%20Harmonization%20of%20Cyber%20Incident%20Reporting%20to%20the%20Federal%20Government.pdf
Tomi Engdahl says:
From Audit to Assurance: Pixelle’s OT Security Triumph with TXOne Security Inspection
https://www.txone.com/case-studies/pixelle-ot-security-triumph-with-txone-security-inspection/?utm_source=SecurityWeek&utm_medium=paid&utm_campaign=SW%20eblast&utm_content=
Paper manufacturer, Pixelle Specialty Solutions, had been requested by their insurance carrier to meet new OT security requirements as part of an audit that would help determine their premiums.
“TXOne was the first solution we found, and frankly, I couldn’t find much competition,” said Mr. Long. “We explained to the insurance company what the portable security devices did and how they worked. And they basically said, ‘Well, that satisfies our requirements,’ and they checked them off.”
Security Inspection
Ensure asset integrity with rapid, installation-free asset and device scans, allowing for defense of air-gapped environments and improved supply chain security.
https://www.txone.com/products/security-inspection/
The OT zero trust-based malware inspection and cleanup tool that prevents insider threat and supply chain attacks
OT zero trust begins the moment a device enters your work site, be it for onboarding or in the hands of trusted personnel. Put a stop to insider threat and prevent supply chain attacks by flexibly securing integrity from the very beginning of the asset life cycle.
Even after onboarding, some endpoints – air-gapped and stand-alone assets – continue to require specialized protection. Many of them are highly sensitive and cannot accept installation or changes to their configurations. Portable Inspector provides all this with no installation required.
To eliminate the shadow OT, asset information will be collected during every scan and sent to the central management console where it’s easily reviewed and archived. All of Portable Inspector’s scans are centrally logged for easy reference, alongside the asset inventory it creates during scans that is, like the rest of its features, specifically designed to ease compliance with regulations.
Portable Inspector’s convenient USB form-factor is easy even for non-experts to use, with LED lights that show the inspection result after scanning either Windows or Linux devices. This installation-free device’s portability and user-friendliness are tailored to the fast-moving needs of ICS environments.
Leaders in Aerospace and Transportation use Portable Inspector to protect stand-alone and mobile assets from malware.
Organizations in the Pharmaceutical, Chemical, and Medical industries use Portable Inspector to scan highly-sensitive mission-critical devices that cannot accept installations.
Semiconductor and Automotive organizations use Portable Inspector to streamline the audits that are necessary to comply with industry regulations.
Tomi Engdahl says:
Intel Launches New Attestation Service as Part of Trust Authority Portfolio
Intel announces general availability of attestation service that is part of Trust Authority, a new portfolio of security software and services.
https://www.securityweek.com/intel-launches-new-attestation-service-as-part-of-trust-authority-portfolio/
Tomi Engdahl says:
Staying on Topic in an Off Topic World
https://www.securityweek.com/staying-on-topic-in-an-off-topic-world/
Learning how to keep discussions on-topic is an important skill for security professionals to learn, and it can allow them to continue to improve their security programs.
Have you ever been in a meeting where someone keeps taking the discussion off topic? Have you ever tried to get answers to straightforward questions when speaking with someone, only to have them constantly going off on what seem to be tangents? Have you ever been part of an email thread or chat group where the discussion just seems to go around in circles?
We might not want to believe it, but this is often a tactic employed by certain personality types. In other words, it is seldom the case that a person cannot focus or is scatter-brained. Rather, it is far more likely that they are deliberately trying to derail what should be a relatively straightforward discussion.
You might ask why a person would do this. Different people have different motivations, but typically people do this for one of the following reasons:
They are looking for control/power (knowledge is power after all)
They are looking to hide information (perhaps because they are embarrassed by something or perhaps because it undermines an ulterior motive they have)
They do not know the answer but do not want to admit to that
They do not want to accept responsibility for a poor decision or a mistake they may have made
They are looking to avoid being exposed for having lied and/or hidden information in the past
Here are five tips for dealing with a person who keeps getting off-topic, in order to keep your security program on track:
Remove emotion: One of the tricks that these types of people employ is to try and tug at your emotions. They may try to make you feel guilty for wanting to stay on-topic.
Do not engage: One of the most successful tactics that off-topic people use is to entice their “opponents” to engage. If you are trying to keep a discussion on-topic and someone tries to derail that discussion, politely but firmly casting that derailment aside and getting back on-topic is highly effective.
Stay on-topic: Even the most upstanding security professionals who have the best intentions can get off-topic from time to time. Set clear goals and desired outcomes at the beginning of each meeting, email thread, chat, and discussion. Resist the temptation to digress and to add in excessive details that don’t add value or don’t help move things along.
Stick to facts: Sticking to facts is critical. All it takes is for an on-topic person to slip up once. If we throw in one point that isn’t fact-based, the off-topic person will seize the opportunity and use it to twist the discussion and accuse us of misleading others (or perhaps something else). Then the discussion becomes about that, rather than the issue at hand. It simply isn’t worth it – it is far better to rely on facts.
Choose your battles: As security professionals, we’re very analytical. While it may be tempting to refute every claim and statement with evidence that counters it, it is not smart to do that. It is best to stick to the important points. Understand which battles are worth fighting and which ones can be let go for the time being. A big part of keeping matters on-topic is knowing when attempting to set the record straight will serve no other purpose other than to play into what the off-topic person wants. Namely, to further derail the discussion. This is a tough one to adhere to, but it is an important one.
Tomi Engdahl says:
OT Cybersecurity Insurance: Present Landscape and Future Outlook
https://www.txone.com/blog/ot-cybersecurity-insurance/?utm_source=SecurityWeek&utm_medium=paid&utm_campaign=SW%20eblast&utm_content=
Cybersecurity insurance is an essential part of OT cybersecurity risk management
From a cybersecurity perspective, there are only two types of companies: those that have been hacked and those that will be hacked. As for corporate risk managers, apprehending and addressing all the threats leveled at targets may pose a challenge. In the worst-case scenario, if all defenses fail, cybersecurity insurance can be used to cover losses, as it also aids organizations in disaster recovery. Cybersecurity insurance is often viewed as a risk transfer strategy, a trend of mitigation that is steadily being adopted in the OT field. Data from the cybersecurity insurance market corroborates our observation that companies are now recognizing the strategic importance of OT cybersecurity insurance.
Traditionally, IT cybersecurity concerns centered around safeguarding third-party data and privacy liabilities. However, the landscape has evolved, with recent cybersecurity incidents indicating a significant shift towards first-party threats such as ransom demands, business disruptions, harm to reputation, and even physical harm. Ransomware has become the weapon of choice for attacking OT environments, and threat actors can now purchase plug-and-play ransomware kits available on the “dark web,” contributing to the proliferation of incidents through what is known as Ransomware-as-a-Service (RaaS). This surge in ransomware could result in more targeted attacks against businesses, particularly vulnerable small and medium-sized enterprises. Should these businesses holding sensitive data be attacked, they would face longer downtime, higher business interruption costs, increased litigation, and regulatory penalties.
According to a report by Guidehouse Insights, electric utilities in 2022 saw a 25-30% increase in premiums for cyber insurance. In contrast, other types of energy companies in the commercial insurance sector experienced more than a doubling of their premiums. Furthermore, Guidehouse predicts that by 2030, the global cyber insurance market for energy will grow from $102 million in 2021 to $442 million, boasting a compound annual growth rate (CAGR) of 17.7%. The firm also warned that power plants might encounter the most significant hikes in premium rates. Beyond utilities, we believe that the surging demand for OT insurance could extend to other industries, including transportation, critical manufacturing, chemicals, aerospace, and more. While the OT cybersecurity insurance market remains relatively small, its rapid growth means many managers are beginning to recognize its value in their OT cybersecurity strategy.
Tomi Engdahl says:
Gartner® Report: Innovation Insight for Cyber-Physical Systems Protection Platforms
“(CPS) asset-centric security is evolving, anchored by a new set of CPS protection platform vendors”
https://xage.com/gartner-report-innovation-insight-for-cyber-physical-systems-protection-platforms/?utm_campaign=FY22%20ZTRA%20Campaign%20-%20Oct%202022&utm_medium=email&_hsmi=243056682&_hsenc=p2ANqtz-_40gnsypBWOp3yiNzVYPM950J_5n6nT8zjeD7ptx8aGroEsIbdHowQtXLbHUFxkioaqHqASkk08CdGu71zQqBFbAjGtZY3SkMyy9ia5zZ_1lASCls&utm_content=243056682&utm_source=hs_automation
Gartner states that security by obscurity mindset is no longer acceptable for operational security as ransomware attacks now bring entire plants or pipelines down. And traditional IT security tools do not work in environments with unique protocols where safety and resilience are paramount.
Key findings highlighted in this report:
“The changing technology and threat landscape is forcing security and risk management leaders to think about security differently when it comes to cyber-physical systems.
Beyond “security by obscurity” and network-centric security based on firewalls and segmentation, an asset-centric view of CPS security is emerging.
This new view is enabled by a new type of security solution that starts with asset discovery and wraps additional security features around these assets. This is all deployed in a platform environment that can feed other enterprise security tools.”
Tomi Engdahl says:
Are your data on the dark web? A new paid tool promises to find them – it also works in Finland https://www.tivi.fi/uutiset/tv/8bc6bfd9-ba76-44c3-aff4-225385754b8d
There are several services that warn their users if their data has leaked as a result of a data breach. For example, the Have I Been Pwned? site founded by Troy Hunt turns ten this year, and Mozilla's Firefox Monitor service, launched in 2018, also relies on it.
In early 2023 a newcomer arrived among these services in the form of Google's own Dark web report. At the end of the summer it also became available to Finns.
As the owner of a Google account you can check at any time whether your own email address has ended up on the dark web. The presence of other data on the dark web can only be examined with a paid Google One subscription.
Tomi Engdahl says:
Navigating the Digital Frontier in Cybersecurity Awareness Month 2023
https://www.securityweek.com/navigating-the-digital-frontier-in-cybersecurity-awareness-month-2023/
ZTNA stands out as a solution that enables organizations to minimize their attack surface while ensuring the productivity and security of their remote workforce.
This October will mark the 20th anniversary of Cybersecurity Awareness Month, a pivotal initiative launched under the guidance of the U.S. Department of Homeland Security and the National Cyber Security Alliance (NCSA). Its primary goal is to empower Americans with knowledge that enables them to stay safe and secure online.
In the spirit of reflection, this year’s campaign theme, “20 Years of Cybersecurity Awareness Month”, takes a critical look at the evolution of security education and awareness, while also examining the path ahead in securing our interconnected world. This year’s NCSA campaign will put a spotlight on crucial cybersecurity practices, including the importance of regularly updating software, recognizing and reporting phishing attempts, enabling multi-factor authentication (MFA), using strong passwords, and employing password managers. While these fundamentals are undeniably vital, organizations must recognize the need to go beyond them to fortify their cyber resilience.
Hackers often choose the path of least resistance, typically targeting the weakest link in the cybersecurity chain—humans. As a result, a significant number of data breaches today stem from credential harvesting campaigns, often followed by credential stuffing attacks. Once attackers infiltrate a network, they can laterally traverse it, seeking privileged accounts and credentials that provide access to an organization’s most sensitive data and critical infrastructure. Consequently, it comes as no surprise that IBM Security’s Cost of Data Breach Report for 2023 identifies stolen or compromised credentials as the most common initial attack vector, accounting for 15% of data breaches.
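The credential harvesting and credential stuffing chain described in the comment above is what a SOC typically has to spot in authentication logs: one source address failing logins against many distinct accounts in a short window, occasionally followed by a success. The following is an added example, not code from the SecurityWeek article; the log line format, the field names and the sample log lines are all constructed for illustration, and the thresholds (five-minute window, four distinct usernames) are assumptions to tune against your own baseline.

```python
"""
Credential-stuffing / password-spray detection over authentication log lines.
Added example, not from the cited article. Log format, field names and the
sample lines below are constructed; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log in a hypothetical "ts login user=.. ip=.. result=.." format
SAMPLE_LOG = """\
2023-10-02T09:00:01Z login user=alice ip=203.0.113.10 result=FAIL
2023-10-02T09:00:02Z login user=bob ip=203.0.113.10 result=FAIL
2023-10-02T09:00:03Z login user=carol ip=203.0.113.10 result=FAIL
2023-10-02T09:00:04Z login user=dave ip=203.0.113.10 result=FAIL
2023-10-02T09:00:05Z login user=erin ip=203.0.113.10 result=FAIL
2023-10-02T09:00:06Z login user=frank ip=203.0.113.10 result=SUCCESS
2023-10-02T09:01:00Z login user=alice ip=198.51.100.7 result=FAIL
2023-10-02T09:01:30Z login user=alice ip=198.51.100.7 result=SUCCESS
2023-10-02T09:05:00Z login user=grace ip=192.0.2.5 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log text into (timestamp, user, ip, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["ip"], m["result"]))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Return {ip: sorted usernames} for source IPs whose failed logins cover
    at least `min_users` distinct accounts within some `window`-long span.
    A single user failing repeatedly (a forgotten password) is not flagged."""
    fails = defaultdict(list)  # ip -> [(ts, user)]
    for ts, user, ip, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, items in fails.items():
        items.sort()
        best = set()
        start = 0
        # sliding window over this IP's time-ordered failures
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            users = {u for _, u in items[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            flagged[ip] = sorted(best)
    return flagged


def compromised_after_spray(events, flagged):
    """Accounts that logged in successfully from a flagged source: the ones to
    reset and investigate first, since the spray evidently found a valid pair."""
    return sorted({user for _, user, ip, result in events
                   if result == "SUCCESS" and ip in flagged})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(ev)
    print("flagged sources:", hits)
    print("successful logins from flagged sources:", compromised_after_spray(ev, hits))
```

The per-source, many-usernames pattern is what separates stuffing and spraying from ordinary failed logins; in a real deployment you would also correlate across sources, because large campaigns distribute attempts over many addresses to stay under exactly this kind of threshold.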
Tomi Engdahl says:
Cyberwarfare
China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
https://www.securityweek.com/chinas-offensive-cyber-operations-in-africa-support-soft-power-efforts/
Chinese state-sponsored threat groups have targeted telecoms, financial and government organizations in Africa as part of soft power efforts.
Chinese state-sponsored threat groups have targeted telecommunications, financial and government organizations in Africa in support of Beijing’s soft power agenda in the region, according to SentinelOne.
Earlier this year, SentinelOne reported seeing a Chinese cyberespionage group targeting telecoms providers in the Middle East as part of an operation dubbed Tainted Love.
The cybersecurity firm revealed on Thursday that the same threat actor, which could be linked to China’s APT41 group, has also been observed targeting a North African telecommunications organization as part of what appears to be an operation supporting China’s soft power efforts.
“The timing of this activity aligned closely with Chinese telecommunication soft power interests in Africa, as the organization was in private negotiations for further regional expansion in areas. Strategic objectives in such intrusions highlight interest from China in internal business knowledge on negotiations, providing competitive advantage, or prepositioning for retained technical access for intelligence collection,” SentinelOne noted.
Tomi Engdahl says:
ICS/OT
Every Network Is Now an OT Network. Can Your Security Keep Up?
https://www.securityweek.com/every-network-is-now-an-ot-network-can-your-security-keep-up/
Many previously isolated OT networks, like manufacturing, processing, distribution, and inventory management, have now been woven into larger IT networks.
Every network today is now an OT network. Or it will be soon. Of course, part of this transformation is due to the ongoing convergence of OT and IT networks. As many of us have experienced, previously isolated OT networks, like manufacturing, processing, distribution, and inventory management, have now been woven into our larger IT networks. This integration enables better controls, more responsiveness, broad interconnectivity for better communication, and seamless resource expansion, distribution, and redistribution. It also introduces new security risks.
But that’s just half the story. Modern enterprise IT networks must now include smart, energy-efficient physical resources. Fortinet’s new carbon-neutral campus, for example, includes integrated OT smart building elements like automated lighting, windows, shades, HVAC systems, and a wide variety of headless IoT devices—and we have had to integrate all of them into our IT network fully. As a result, our network, like many of yours, now faces many of the same challenges that industrial environments have experienced for years. These issues are compounded further in extended environments like smart cities or organizations with multiple smart campus environments.
And as more and more of your business operations are digitized, securing such complex, hybrid network environments will only become increasingly challenging. Add things like mobile workers, cloud-based services and resources, edge computing, and essential business applications like streaming video, and the legacy security solutions and strategies you have in place will inevitably begin to create bottlenecks and gaps in your protection—if they haven’t already.
Securing today’s expanding hybrid networks requires a holistic approach, beginning with rethinking how and where security is implemented. Here are five things your organization needs to consider before you spend another dollar on expanding your legacy security toolset.
Start with a universal, integrated security platform. Most organizations have dozens of point security solutions deployed across their distributed network that struggle to share real-time threat information and coordinate an effective response. Visibility and control are essential to effective security, but as networks expand, they struggle to keep up.
Use security tools designed to operate as a single system. Your security platform must include a portfolio of security technologies designed to serve as a single, integrated solution. A centralized, single-pane-of-glass management system, consistent policy deployment and enforcement, the sharing of real-time threat intelligence, and the ability to operate natively in any cloud environment should be table stakes for designing and implementing a modern network security system. This includes solutions designed specifically for OT environments, including ruggedized systems, OT-specific modules, and deep interoperability with OT systems.
Converge your network and security. Many legacy systems treat networking and security as siloed functions, but it’s critical to build infrastructure and leverage solutions that bring security and networking together, meaning they have critical security functionality woven directly into their operations or, better yet, have been built on a security platform. Networking equipment that can implement security elements natively and in concert with the larger security posture ensures that IoT and OT devices connect to the network with the appropriate security context. For example, Secure SD-WAN converges security and networking functions to ensure optimal user experience without sacrificing security. Additionally, organizations can route traffic from IoT and OT devices for security checks in the cloud via SSE or SASE points of presence. This seamless convergence of networking and security means all devices, even those without an agent, connect securely.
Implement zero trust everywhere. One of the biggest risks of legacy network environments is that they were often built around an implicit trust model. Automatically trusting traffic that has passed through a demarcation point is a recipe for disaster, especially with highly mobile users and devices and widely deployed applications and other resources. Zero trust takes the opposite approach where every user, device, and application must be authenticated per session, are only granted access to the resources needed to do their job, and are monitored end to end to detect any deviations from their sanctioned behavior. Going a step further, universal zero trust network access, which applies the same principles to remote and on-premises users and devices, is the best way to ensure the same access controls are applied to any connection, regardless of location.
Use AI. But you need to understand it before you buy it. AI is the new buzzword in security and networking. It can potentially detect complex threats before they launch, fix misconfigurations, take on manual tasks to free up IT staff to work on higher-order issues, reduce the time to detect and respond to breaches, and much more. But there is remarkably little consistency in what vendors mean when they slap an AI label on their product.
Networks are undergoing the most rapid transformation in their history. And for a long time, we’ve been advising IT leaders that their security must keep up. And now, as nearly every IT network becomes an IT-OT network, the stakes are even higher. This means that if you’ve been putting off redesigning your security systems, now is the time to make it a priority.
Tomi Engdahl says:
Balkan Insight:
Investigation: some stakeholders, like AI firms selling CSAM scanning tech, funded lobbying efforts for EU Commissioner Ylva Johansson’s CSAM scanning proposal — By Giacomo Zandonini, Apostolis Fotiadis and Luděk Stavinoha
‘Who Benefits?’ Inside the EU’s Fight over Scanning for Child Sex Content
Giacomo Zandonini, Apostolis Fotiadis and Luděk Stavinoha
https://balkaninsight.com/2023/09/25/who-benefits-inside-the-eus-fight-over-scanning-for-child-sex-content/
An investigation uncovers a web of influence in the powerful coalition aligned behind the European Commission’s proposal to scan for child sexual abuse material online, a proposal leading experts say puts rights at risk and will introduce new vulnerabilities by undermining encryption.
In early May 2022, days before she launched one of the most contentious legislative proposals Brussels had seen in years, the European Union’s home affairs commissioner, Ylva Johansson, sent a letter to a US organisation co-founded in 2012 by the movie stars Ashton Kutcher and Demi Moore.
The organisation, Thorn, develops artificial intelligence tools to scan for child sexual abuse images online, and Johansson’s proposed regulation is designed to fight the spread of such content on messaging apps.
“We have shared many moments on the journey to this proposal,” the Swedish politician wrote, according to a copy of the letter addressed to Thorn executive director Julie Cordua and which BIRN has seen.
Johansson urged Cordua to continue the campaign to get it passed: “Now I am looking to you to help make sure that this launch is a successful one.”
That campaign faces a major test in October when Johansson’s proposal is put to a vote in the Civil Liberties Committee of the European Parliament. It has already been the subject of heated debate.
The regulation would obligate digital platforms – from Facebook to Telegram, Signal to Snapchat, TikTok to clouds and online gaming websites – to detect and report any trace of child sexual abuse material, CSAM, on their systems and in their users’ private chats.
It would introduce a complex legal architecture reliant on AI tools for detecting images, videos and speech – so-called ‘client-side scanning’ – containing sexual abuse against minors and attempts to groom children.
Welcomed by some child welfare organisations, the regulation has nevertheless been met with alarm from privacy advocates and tech specialists who say it will unleash a massive new surveillance system and threaten the use of end-to-end encryption, currently the ultimate way to secure digital communications from prying eyes.
The EU’s top data protection watchdog, Wojciech Wiewiorowski, warned Johansson about the risks in 2020, when she informed him of her plans.
They amount to “crossing the Rubicon” in terms of the mass surveillance of EU citizens, he said in an interview for this story. It “would fundamentally change the internet and digital communication as we know it.”
Johansson, however, has not blinked. “The privacy advocates sound very loud,” the commissioner said in a speech in November 2021. “But someone must also speak for the children.”
The proposed regulation is excessively “influenced by companies pretending to be NGOs but acting more like tech companies”, said Arda Gerkens, former director of Europe’s oldest hotline for reporting online CSAM.
If the regulation undermines encryption, it risks introducing new vulnerabilities, critics argue. “Who will benefit from the legislation?” Gerkens asked. “Not the children.”
Enter ‘WeProtect Global Alliance’
Among the few traces of Thorn’s activities in the EU’s lobby transparency register is a contribution of 219,000 euros in 2021 to the WeProtect Global Alliance, the organisation that had a video conference with Kutcher and Von der Leyen in late 2020.
WeProtect is the offspring of two governmental initiatives – one co-founded by the Commission and the United States, the other by Britain.
They merged in 2016 and, in April 2020, as momentum built for legislation to CSAM with client-side scanning technology, WeProtect was transformed from a British government-funded entity into a putatively independent ‘foundation’ registered at a residential address in Lisse, on the Dutch North Sea coast.
Minutes after the proposed regulation was unveiled in May last year, Labrador Jimenez emailed his Commission colleagues: “The EU does not accept that children cannot be protected and become casualties of policies that put any other values or rights above their protection, whatever these may be.”
He said he was looking forward to “seeing many of you in Brussels during the WeProtect Global Alliance summit” the following month.
Self-interest
In June 2022, shortly after the roll out of Johansson’s proposal, Thorn representatives sat down with one of the commissioner’s cabinet staff, Monika Maglione. An internal report of the meeting, obtained for this investigation, notes that Thorn was interested to understand how “bottlenecks in the process that goes from risk assessment to detection order” would be dealt with.
Detection orders are a crucial component of the procedure set out within Johansson’s proposed regulation, determining the number of people to be surveilled and how often.
European Parliament sources say that in technical meetings, Zarzalejos, the rapporteur on the proposal, has argued in favour of detection orders that do not necessarily focus on individuals or groups of suspects, but are calibrated to allow scanning for suspicious content.
This, experts say, would unlock the door to the general monitoring of EU citizens, otherwise known as mass surveillance.
Asked to clarify his position, Zarzalejos’ office responded: “The file is currently being discussed closed-doors among the shadow rapporteurs and we are not making any comments so far”.
The EU Centre to Prevent and Combat Child Sexual Abuse, which would be created under Johansson’s proposal, would play a key role in helping member states and companies implement the legislation; it would also vet and approve scanning technologies, as well as purchase and offer them to small and medium companies.
As a producer of such scanning technologies, a role for Thorn in supporting the capacity building of the EU Centre database would be of significant commercial interest to the company.
“The more they frame this as a huge problem in the public discourse and to regulators, the more they incentivise large tech companies to outsource their dealing of the problems to them,” Whittaker said in an interview for this story.
Effectively, such AI firms are offering tech companies a “get out of responsibility free card”, Whittaker said, by telling them, “’You pay us (…) and we will host the hashes, we will maintain the AI system, we will do whatever it is to magically clean up this problem”.
“So it’s very clear that whatever their incorporation status is, that they are self-interested in promoting child exploitation as a problem that happens “online,” and then proposing quick (and profitable) technical solutions as a remedy to what is in reality a deep social and cultural problem. (…) I don’t think governments understand just how expensive and fallible these systems are, that we’re not looking at a one-time cost. We’re looking at hundreds of millions of dollars indefinitely due to the scale that this is being proposed at.”
Lack of scientific input
Johansson has dismissed the idea that the approach she advocates will unleash something new or extreme, telling MEPs last year that it was “totally false to say that with a new regulation there will be new possibilities for detection that don’t exist today”.
But experts question the science behind it.
Matthew Daniel Green, a cryptographer and security technologist at Johns Hopkins University, said there was an evident lack of scientific input into the crafting of her regulation.
“In the first impact assessment of the EU Commission there was almost no outside scientific input and that’s really amazing since Europe has a terrific scientific infrastructure, with the top researchers in cryptography and computer security all over the world,” Green said.
AI-driven scanning technology, he warned, risks exposing digital platforms to malicious attacks and would undermine encryption.
“If you touch upon built-in encryption models, then you introduce vulnerabilities,” he said. “The idea that we are going to be able to have encrypted conversations like ours is totally incompatible with these scanning automated systems, and that’s by design.”
In a blow to the advocates of AI-driven CSAM scanning, US tech giant Apple said in late August that it is impossible to implement CSAM-scanning while preserving the privacy and security of digital communications. The same month, UK officials privately admitted to tech companies that there is no existing technology able to scan end-to-end encrypted messages without undermining users’ privacy.
According to research by Imperial College academics Ana-Maria Cretu and Shubham Jain, published last May, AI driven Client Side Scanning systems could be quietly tweaked to perform facial recognition on user devices without the user’s knowledge. They warned of more vulnerabilities that have yet to be identified.
“Once this technology is rolled out to billions of devices across the world, you can’t take it back”, they said.
Law enforcement agencies are already considering the possibilities it offers.
Europol officials floated the idea of using the proposed EU Centre to scan for more than just CSAM, telling the Commission, “There are other crime areas that would benefit from detection”. According to the minutes, a Commission official “signalled understanding for the additional wishes” but “flagged the need to be realistic in terms of what could be expected, given the many sensitivities around the proposal.”
Ross Anderson, professor of Security Engineering at Cambridge University, said the debate around AI-driven scanning for CSAM has overlooked the potential for manipulation by law enforcement agencies.
“The security and intelligence community have always used issues that scare lawmakers, like children and terrorism, to undermine online privacy,” he said.
“We all know how this works, and come the next terrorist attack, no lawmaker will oppose the extension of scanning from child abuse to serious violent and political crimes.”
Tomi Engdahl says:
Leke Oso Alabi / Financial Times:
Gripped by worker shortages, some security companies are using robots developed by 1X, Knightscope, Ava Robotics, Ascento, and others to augment human labor
Security companies are turning to robots as the labour shortage bites
https://www.ft.com/content/4635f501-f915-4ea4-8235-0017a0137a94
Tomi Engdahl says:
Already 4,000 password attacks per second
https://etn.fi/index.php/13-news/15317-jo-4000-salasanahyoekkaeystae-sekunnissa
Loihde Trust held a cybersecurity-focused event today, going through current network security topics. Microsoft expert Virve Kettunen said that Microsoft's networks are currently hit by 4,000 password attacks per second. – A year ago the figure was 800, at the start of the year a thousand, and now already 4,000. That says something about how insanely explosive the growth is.
Responding to and preparing for cyber attacks is an extremely fast race. – From the click on a phishing message it takes a good hour, over 72 minutes, before the attacker gains access to personal data
Tomi Engdahl says:
Softwares for cybersecurity enthusiasts:
1. Operating systems – Kali Linux
2. Email Security – Dehashed
3. Web Hacking – BurpSuite
4. Port Scan – Nmap
5. Training – HackTheBox
6. Data Modification – CyberChef
7. Intrusion Detection System – Snort
8. Firewall – PfSense
#CyberSec
Tomi Engdahl says:
CISO Strategy
The CISO Carousel and its Effect on Enterprise Cybersecurity
https://www.securityweek.com/the-ciso-carousel-and-its-effect-on-enterprise-cybersecurity/
CISO churn is a hidden cybersecurity threat. Major security initiatives or implementations can take longer than the residency of a single CISO, and constant churn can leave cracks or gaps in security.
The average tenure of a Chief Information Security Officer is said to sit between 18 to 24 months. This is barely enough time to get feet under the table, never mind a meaningful seat at the table. Two questions arise: why is there such volatile churn in this space; and how does it affect enterprise cybersecurity?
Reasons for CISO churn
Cause #1: the scapegoat effect
The potential for CISOs to be used as scapegoats for security incidents is widely accepted and potentially growing.
It can simply be internal: ‘We got breached under your watch, so we’ll blame you and let you go.’ But it can equally be a complex external issue ultimately caused by a lack of legal clarity in the Computer Fraud and Misuse Act (CFAA), a lack of clarity on bounty hunting and security research, and regulatory pressure for security professionals to protect personal information.
Cause #2: lack of board support
Board recognition of the importance of the CISO and cybersecurity is slowly growing, but remains far from optimum. An August 2023 survey by BSS of 150 UK security decision makers found that only 28% felt their role was valued; 22% were actively involved in the wider business strategy; and only 9% said cybersecurity was always in the top three priorities on boardroom agendas.
BSS director Chris Wilkinson commented, “CISOs need a seat at the table. Such a poor level of prioritization for information security is unacceptable in a world of evolving threats that can result in significant financial and reputational penalties.”
Cause #3: stress and burnout
Stress is another cause of CISO churn. It’s not stress on its own, but the cumulative mental and emotional debilitation caused by multiple, different, and continuous stressors: burnout.
Burnout can strike suddenly. A CISO may think he or she is handling stress effectively, but a single, final straw can suddenly and unexpectedly tip the balance. Burnout can cause physical and/or mental collapse. Sufferers may need to take extended time out, move to a less stressful position, or simply leave the industry altogether. “Some CISOs are moving into consultancy,” comments Sarakar, “especially when they have the experience, but they don’t want the operational fatigue.”
“The CISO job can be a stressful one, especially when you have accountability without authority,” explains Yu. “If CISOs are held responsible for security outcomes but aren’t given the tools or power to influence those outcomes, they will feel helpless and frustrated, leading to decreased morale and motivation.”
A recent survey by Salt Security lists six of the top personal stressors experienced by CISOs globally. Noticeably, the threat of personal litigation is #1 (48%). Only 1% of CISOs don’t feel they face any personal challenges.
Cause #4: the next big challenge
Jennifer Pittman-Leeper
Not all CISO churn is caused by the job’s difficulty. There are many CISOs that are simply very good at their job and can confidently ride all the difficulties. Such people thrive on challenge and career progression. The difficulty is that career progression within the same organization is likely to be difficult. The only option is to take on a new challenge in a different organization with potentially a larger budget, a bigger security team, greater responsibility, more authority, and – probably – higher remuneration and benefits. These CISOs have simply outgrown their existing position and need to move on to the next big challenge.
“CISOs are a special breed,” explains Jennifer Pittman-Leeper, whole of state strategist at Tanium. “They want to help, but if their hands are tied, they aren’t willing to stick around assuming the risk for an organization that isn’t willing to put in the hard work and reduce risk. They also love a good challenge. Once they get an organization on a good path, they are ready to tackle the next cyber mountain. A CISO skill set is quite unique – it’s a mix of introvert and extrovert, technical and strategic, communicator and listener. If you have a good one, it is in your best interest to keep them as long as you can.”
Effect of CISO churn
CISO churn is a hidden cybersecurity threat. Major security initiatives or implementations can take longer than the residency of a single CISO, and new CISOs may have different beliefs on how to implement security. Constant churn can leave cracks or gaps in security.
New CISOs will also need to understand the business before being able to secure it – that in itself is a challenge. Sarakar believes that only “about 10-20% [of CISOs] actually understand business context, 10-20% have low experience or are underqualified, and the rest have medium understanding of business context.”
The average tenure for a CISO is often quoted as 18 months. Pittman-Leeper analyzes this: “I think the reason is for the first six months they are trying to figure out their way at the organization. Learn who is who, what the real story is. The next six months are spent trying to effect change and policy. These six months are critical – they will either meet resistance and not be able to improve the security posture or they will be successful in implementing meaningful change. The last six months are spent ensuring compliance and helping the stragglers along the way – or looking for a job where they will be able to help an organization.”
The result of this timeline is just a short period of effective cybersecurity, between settling in and trying to find a way out: there is little time for the CISO to implement seriously effective security controls.
Obviously, the 18-month tenure does not apply to all CISOs and all organizations – more mature and especially larger organizations tend to keep the same CISO for longer periods – but new and smaller organizations are the ones most likely to suffer from rapid churn.
Solution
There is only one real solution to the CISO Carousel: better communication. While boards must learn to love their CISOs (which includes respect, responsiveness, resources, and support); CISOs must better understand business imperatives and better communicate cybersecurity imperatives to business leaders.
Respect and support go beyond simply paying inflated salaries (although adequate compensation is essential). You cannot buy enthusiasm – it must be fostered by respect and support. Above all, the fear of scapegoating should be eliminated by genuine support. CISOs rarely criticize each other. When a breach occurs in another company, the general feeling is ‘there but for the grace of God go I’. Breaches cannot be eliminated. CISOs need to be confident that the expectation is to limit and ameliorate breaches, and that one single success by an elite hacker with a zero day exploit won’t lead to dismissal.
Tomi Engdahl says:
https://www.facebook.com/groups/shahidzafar/permalink/6979365775415823/
Top 10 cybersecurity certifications to enhance your career:
1. eLearnSecurity Junior Penetration Tester (eJPT)
2. (ISC)2 Certified Information Systems Security Professional (CISSP)
3. (ISC)2 Certified Cloud Security Professional (CCSP)
4. ISACA Certified Information Security Manager (CISM)
5. Certified Ethical Hacker (CEH)
6. CompTIA Security+
7. CompTIA PenTest+
8. Offensive Security Certified Professional (OSCP)
9. Cloud Security Alliance (CSA) Certificate of Cloud Security Knowledge (CCSK)
10. Cloud Security Alliance (CSA) Certificate of Cloud Auditing Knowledge (CCAK)
These certifications can significantly boost your cybersecurity career prospects.
-
I prefer this view. You might have to open the link in a real browser, not Facebook.
https://pauljerimy.com/security-certification-roadmap/
Tomi Engdahl says:
A law in preparation would give the police access to all private communications – here is how it is argued for and against https://www.is.fi/digitoday/art-2000009884437.html
The EU Commission's proposal would expand the fight against child pornography by encroaching on fundamental rights. Finland is currently forming its national position on the matter.
THE HANDLING of a bill that would enable breaking the strong encryption of instant messengers has advanced to the committee stage in Finland. It is an EU Commission legislative proposal motivated by the fight against sexual violence against children.
The original proposal for a regulation of the European Parliament and of the Council, and the Government's communication, propose obligations for internet companies, including instant messengers, online storage providers and telecom operators. Under the obligations, the companies would have to identify imagery depicting sexual violence and grooming circulating in their services. In addition, a separate EU centre for combating sexual violence against children would be established.
The full name of the proposal is the European Commission's proposal for a regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse. Colloquially it is called the CSAM law or chat control.
The Transport and Communications Committee took an exceptionally critical view of the proposal. The concern about private communications being endangered is great.
“The Transport and Communications Committee states that it takes a very critical view of the fact that the regulation appears in practice to require restricting the use of strong encryption, which would weaken the level of information security of communications and of communications-related services.”
The parties opposing the proposal considered combating sexual violence against children absolutely important, but breaking encryption the wrong means to that end.
The Defence Command drew attention (pdf) to the fact that breaking the encryption of communications weakens cybersecurity, and the effects would fall on all users.
The position of the Ministry of Transport and Communications opposing the proposal was exceptionally clear:
– According to the ministry's assessment, the proposed regulation would mean – – that service providers would have to either give up effective end-to-end encryption, create so-called backdoors to gain access to encrypted content, or gain access to the content on the user's terminal device before the content is encrypted, the ministry writes in its statement.
The Finnish Transport and Communications Agency Traficom states in its statement (pdf) that in practice the service provider would have access on its server to all text, image and voice message content that the user sends to the service. If the service provider were to become the target of a data breach or internal abuse, the perpetrator could gain access to the message content of all users.
Peter Sund, CEO of KYBERALA ry, considers the language used in the debate problematic. According to him, encryption is either strong or it is not, but the debate tries to blur this. If an authority has a master key to all communications, confidential communications in their current form disappear. The parties supporting the proposal do not make visible that monitoring requires decryption performed by an outside party.
– Those who have an interest in getting at confidential communications are silent about what it means in a technical sense, Sund says.
According to Sund, the backdoors mentioned in the Ministry of Transport and Communications' statement can be exploited by anyone who knows of one or has the will and ability to find the weaknesses – including criminals and spies.
The biggest problem, however, according to Sund, relates to the detection order, which some parties seem to accept as a sufficient precondition for breaking encryption.
– This is not about individual messages. In practice, a large number of people and organizations become subject to monitoring. This concerns not only private individuals but also applications used in business. The communications of a large group of people end up being examined before anyone is suspected of a crime, Sund says.
Tomi Engdahl says:
Government
Government Shutdown Could Bench 80% of CISA Staff
https://www.securityweek.com/80-of-cisa-staff-at-risk-of-furlough-as-government-shutdown-looms/
Roughly 80% of CISA staff will be sent home at the end of the week in case of a government shutdown.
Roughly 80% of the staff at US cybersecurity agency CISA may be sent home at the end of the week as a government shutdown looms.
The US government will partially shut down on Sunday unless lawmakers reach a deal on a funding bill. A shutdown will result in the furlough of hundreds of thousands of non-essential federal employees and the suspension of many services.
The Department of Homeland Security has announced the number of employees that would stay on during a shutdown for each of its agencies. In the case of CISA, which had 3,117 employees as of June 17, only 571 would remain during a lapse in appropriations. This means that more than 80% of its workers would be furloughed.
A government shutdown can have a significant impact on cybersecurity, including increasing criminal activity, failure to renew digital certificates, failure to deploy security patches, and denting the government’s ability to recruit talent.
In CISA’s case, the agency plays an important role in protecting the government and the private sector against cyber threats.
This includes issuing warnings over actively exploited vulnerabilities, helping investigate high-impact cyberattacks, creating guidance, helping critical infrastructure organizations beef up their security, conducting cyber exercises, and assisting with incident response.
“The silver lining for cybersecurity in any government shutdown is that most government personnel involved with cybersecurity operations are likely to be classified as essential and will be exempt from furlough. These would include roles like security monitoring and incident response, but generally not roles like security governance,” commented Jake Williams, veteran cybersecurity expert and faculty at IANS Research.
“The dark cloud is that in many government agencies, large percentages of the tactical security operations work is performed by contractors, who have historically not had the same exemptions to remain in place. In any shutdown scenario, there will be fewer staff available for security monitoring and response,” Williams added.
Tomi Engdahl says:
Risk Management
Moving From Qualitative to Quantitative Cyber Risk Modeling
https://www.securityweek.com/moving-from-qualitative-to-quantitative-cyber-risk-modeling/
Migrating to a quantitative cyber risk model of analysis allows for more accurate data, which leads to more informed decision-making.
Reporting on cyber risk is a table stakes initiative for information security leaders. After speaking with key stakeholders within organizations, recurring questions for CISOs and cybersecurity leaders have been:
What are our top cyber risks?
Are we effectively managing our cyber risks?
Are we investing in the right cyber controls?
How do we evaluate the effectiveness of our information security program?
Are we spending enough or too much?
When dealing with qualitative risk modeling that looks at matrices showing likelihood and impact with loosely defined categories of “high” or “critical”, we come across a number of limitations.
To begin, thresholds aren’t well defined. The ceiling of a “high” isn’t easily distinguishable from the floor of a “critical” without measurements. Thus, there’s no associative, measurable explanation of whether cyber risks have materially increased or decreased.
Secondly, the risk tolerance level isn’t typically found within the risk matrix readout. The absence of an overlay of risk appetite/tolerance is a big miss. Without applying this to risk tolerance, the risk readout is incomplete and the relevance is missing. If an organization’s risk tolerance levels can sustain a higher level of risk in certain areas, then stating higher risks in those areas can be informative, but unworthy of immediate focus.
Thirdly, financial relevance is a cornerstone to making informed business decisions in for-profit and not-for-profit organizations. Without an indicator of dollars of loss associated with the risk readout, how are organizations to know if prioritization of spend is aligned with the greatest potential risk? Akin to this is the knowledge of how much potential financial risk can be mitigated by making investments in cybersecurity related controls. With qualitative risk reporting, this is another gap.
Migrating to a quantitative cyber risk model of analysis and reporting allows for more accurate data, which leads to more informed decision-making. The shift is not an easy one for many.
What is interesting is that measuring cyber risk is a lot like measuring other risks. Yes, it is more of a recent phenomenon because of the innovation of technology’s evolution in housing and transferring data. But, at its core, the elements are quite similar.
There is still a reluctance to measure cyber risk in a more effective manner than the inertia-driven approach of ordinal scales (e.g., the risk is based upon the intersection of likelihood and the impact level). Why is there an allergic reaction to measuring cyber risk using a quantitative method?
One of the main reasons people give is that it is just too complex and/or difficult. It is seen at the same difficulty level as desalinating the ocean. It is a more astute approach, but due to inherent biases and/or ineffectiveness in conveying cyber risk measurements, practitioners have been led to believe the juice is not worth the squeeze. However, according to Hubbard, “Many organizations use these methods right now, even when their backgrounds had nothing to do with quantitative risk analysis.”
Within the context of migrating to quantitative risk analysis, the benefits are pivotal for those practitioners looking to demonstrate cyber risk in a more accurate manner by reducing uncertainty and demonstrating more business-relevant outputs. Whether it is embedding risk tolerance or applying financial relevance or departing from loosely defined terminology of high, medium, or low, the approach of measuring cyber risk quantitatively is directionally much more correct than the alternatives in use today.
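To make the contrast with a likelihood-impact matrix concrete, here is an added example of a quantitative readout. It is not code from the SecurityWeek article or its author: the three scenarios, their probabilities, loss ranges and the tolerance threshold are constructed values, and the conversion of a 90% confidence interval into a lognormal loss distribution is a standard quantitative-risk technique rather than anything the article prescribes. The output answers the questions the article lists: which risks are largest in expected loss, and whether the portfolio sits inside the stated risk appetite.

```python
"""Quantitative cyber risk: Monte Carlo annual loss with a risk-tolerance overlay.

Added example, not from the article or its author. Scenario names, probabilities,
loss ranges and the tolerance values below are constructed for illustration."""
import math
import random
from dataclasses import dataclass

Z90 = 1.645  # z-score of the 95th percentile; a 90% CI spans -Z90..+Z90


@dataclass
class Scenario:
    name: str
    probability: float  # chance the event occurs at least once in a year
    loss_low: float     # 5th percentile of the loss if it occurs (calibrated estimate)
    loss_high: float    # 95th percentile of the loss if it occurs


def lognormal_params(low, high):
    """Turn a 90% confidence interval for a loss into lognormal (mu, sigma)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def analytic_expected_loss(s):
    """Closed-form annual expected loss: P(event) * E[lognormal loss]."""
    mu, sigma = lognormal_params(s.loss_low, s.loss_high)
    return s.probability * math.exp(mu + sigma ** 2 / 2)


def sample_annual_loss(s, rng):
    """One simulated year for one scenario: either nothing happens or a loss is drawn."""
    if rng.random() >= s.probability:
        return 0.0
    mu, sigma = lognormal_params(s.loss_low, s.loss_high)
    return rng.lognormvariate(mu, sigma)


def simulate(scenarios, trials=10000, seed=1):
    """Return per-scenario loss samples and the per-year portfolio totals."""
    rng = random.Random(seed)
    per_scenario = {s.name: [] for s in scenarios}
    totals = []
    for _ in range(trials):
        year_total = 0.0
        for s in scenarios:
            loss = sample_annual_loss(s, rng)
            per_scenario[s.name].append(loss)
            year_total += loss
        totals.append(year_total)
    return per_scenario, totals


def mean(samples):
    return sum(samples) / len(samples)


def exceedance_probability(samples, threshold):
    """Share of simulated years whose total loss exceeds the threshold."""
    return sum(1 for x in samples if x > threshold) / len(samples)


def assess(scenarios, tolerance_loss, tolerance_probability, trials=10000, seed=1):
    """Quantitative readout: expected loss, ranked scenarios and a tolerance verdict.

    tolerance_loss and tolerance_probability encode the risk appetite, for example
    "we accept at most a 10% chance of losing more than 1M in a year"."""
    per_scenario, totals = simulate(scenarios, trials, seed)
    p_exceed = exceedance_probability(totals, tolerance_loss)
    ranking = sorted(per_scenario, key=lambda n: mean(per_scenario[n]), reverse=True)
    return {
        "expected_annual_loss": mean(totals),
        "per_scenario_expected_loss": {n: mean(v) for n, v in per_scenario.items()},
        "ranking": ranking,
        "p_exceed_tolerance": p_exceed,
        "within_tolerance": p_exceed <= tolerance_probability,
    }


# Constructed scenarios: illustrative numbers, not benchmark data.
SCENARIOS = [
    Scenario("ransomware via phishing", 0.25, 200_000, 2_000_000),
    Scenario("cloud storage misconfiguration", 0.40, 50_000, 500_000),
    Scenario("insider data theft", 0.10, 100_000, 5_000_000),
]

if __name__ == "__main__":
    result = assess(SCENARIOS, tolerance_loss=1_000_000, tolerance_probability=0.10)
    for name in result["ranking"]:
        print(f"{name:32s} expected loss {result['per_scenario_expected_loss'][name]:>12,.0f}")
    print(f"portfolio expected annual loss {result['expected_annual_loss']:,.0f}")
    print(f"P(loss > 1,000,000) = {result['p_exceed_tolerance']:.2%}  "
          f"within tolerance: {result['within_tolerance']}")
```

The ranking is by expected annual loss in currency units, so two scenarios that a matrix would both label "high" now have a measurable distance between them, and the exceedance probability against the tolerance threshold is the overlay the article says is missing from matrix readouts. The analytic function exists so the Monte Carlo result can be sanity-checked against the closed form before anyone presents it to a board.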
Tomi Engdahl says:
Identity & Access
Navigating the Digital Frontier in Cybersecurity Awareness Month 2023
https://www.securityweek.com/navigating-the-digital-frontier-in-cybersecurity-awareness-month-2023/
ZTNA stands out as a solution that enables organizations to minimize their attack surface while ensuring the productivity and security of their remote workforce.
In the spirit of reflection, this year’s campaign theme, “20 Years of Cybersecurity Awareness Month”, takes a critical look at the evolution of security education and awareness, while also examining the path ahead in securing our interconnected world. This year’s NCSA campaign will put a spotlight on crucial cybersecurity practices, including the importance of regularly updating software, recognizing and reporting phishing attempts, enabling multi-factor authentication (MFA), using strong passwords, and employing password managers. While these fundamentals are undeniably vital, organizations must recognize the need to go beyond them to fortify their cyber resilience.
Hackers often choose the path of least resistance, typically targeting the weakest link in the cybersecurity chain—humans. As a result, a significant number of data breaches today stem from credential harvesting campaigns, often followed by credential stuffing attacks. Once attackers infiltrate a network, they can laterally traverse it, seeking privileged accounts and credentials that provide access to an organization’s most sensitive data and critical infrastructure. Consequently, it comes as no surprise that IBM Security’s Cost of Data Breach Report for 2023 identifies stolen or compromised credentials as the most common initial attack vector, accounting for 15% of data breaches.
Despite years of advocacy for robust password policies and widespread multi-factor authentication adoption, many users still rely on weak passwords or reuse them across multiple accounts. Attackers can effortlessly exploit these practices, gaining access to numerous accounts tied to the same user. Thus, security practitioners can no longer presume implicit trust among applications, users, devices, services, and networks. This shift in mindset has prompted numerous organizations to embrace a Zero Trust approach, contemplating the augmentation of conventional network access security methods like virtual private networks (VPNs) and demilitarized zones (DMZs) with Zero Trust Network Access (ZTNA) solutions.
ZTNA solutions establish identity- and context-based logical access boundaries around applications or sets of applications. Access is granted to users based on a wide range of factors, such as the device in use, device posture (e.g., the presence and functionality of anti-malware software), access request timestamp, and geolocation. The solution dynamically determines the appropriate access level for each specific access request, recognizing that the risk levels of users, devices, and applications are in constant flux.
When selecting ZTNA solutions, you’ll encounter a plethora of vendors vying for your attention.
To successfully navigate the challenges of today’s digital landscape, organizations must break free from the cycle of password dependency. While numerous approaches can lead to this goal, ZTNA stands out as a solution that enables organizations to minimize their attack surface while ensuring the productivity and security of their remote workforce.
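As an added example of the per-request decision the article describes (not code from the article, its author or any ZTNA vendor), here is a toy policy engine that derives an access level from device identity, device posture, request time and geolocation. The factor names, the "restricted" read-only level, the business-hours window and the country allow-list are assumptions chosen to show that the same user receives different answers as context changes.

```python
"""Context-aware access decisions in the ZTNA style.

Added example, not from the article. A toy policy engine that grants
per-request access levels from device identity, device posture, request
time and geolocation; the thresholds and names are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AccessRequest:
    user: str
    app: str
    device_managed: bool        # device enrolled in the organization's management (assumed signal)
    antimalware_running: bool   # device posture signal
    timestamp: datetime         # timezone-aware
    country: str                # ISO 3166-1 alpha-2 code of the request's geolocation


@dataclass
class Policy:
    allowed_countries: set
    sensitive_apps: set = field(default_factory=set)
    business_hours: tuple = (7, 19)   # UTC hours during which no step-up MFA is needed


@dataclass
class Decision:
    level: str                  # "full", "restricted" (read-only) or "deny"
    mfa_required: bool
    reasons: list = field(default_factory=list)


def evaluate(req: AccessRequest, policy: Policy) -> Decision:
    """Decide one request; nothing is trusted implicitly, every factor is re-checked."""
    # Hard gates first: an unmanaged device or an implausible location ends the request.
    if not req.device_managed:
        return Decision("deny", False, ["device is not managed"])
    if req.country not in policy.allowed_countries:
        return Decision("deny", False, [f"geolocation {req.country} is not allowed"])

    level, mfa, reasons = "full", False, []
    if not req.antimalware_running:
        level = "restricted"
        reasons.append("anti-malware not running: read-only access")

    hour = req.timestamp.astimezone(timezone.utc).hour
    start, end = policy.business_hours
    if not start <= hour < end:
        mfa = True
        reasons.append("outside business hours: step-up MFA required")

    if req.app in policy.sensitive_apps:
        mfa = True
        reasons.append("sensitive application: step-up MFA required")
        if level == "restricted":
            # A failed posture check is not acceptable for the most sensitive data.
            level = "deny"
            reasons.append("sensitive application from a device with failed posture: denied")
    return Decision(level, mfa, reasons)


POLICY = Policy(allowed_countries={"FI", "SE", "DE"}, sensitive_apps={"hr-payroll"})


def sample_requests() -> dict:
    """Constructed requests for one user; not real data."""
    day = datetime(2023, 10, 2, 10, 0, tzinfo=timezone.utc)     # 10:00 UTC
    night = datetime(2023, 10, 2, 23, 30, tzinfo=timezone.utc)  # 23:30 UTC
    return {
        "healthy_daytime": AccessRequest("alice", "wiki", True, True, day, "FI"),
        "no_antimalware": AccessRequest("alice", "wiki", True, False, day, "FI"),
        "night_sensitive": AccessRequest("alice", "hr-payroll", True, True, night, "FI"),
        "unhealthy_sensitive": AccessRequest("alice", "hr-payroll", True, False, day, "FI"),
        "unmanaged_device": AccessRequest("alice", "wiki", False, True, day, "FI"),
        "unexpected_country": AccessRequest("alice", "wiki", True, True, day, "XX"),
    }


def demo() -> dict:
    """Evaluate every constructed request against the policy."""
    return {name: evaluate(req, POLICY) for name, req in sample_requests().items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:20s} -> {d.level:10s} mfa={d.mfa_required!s:5s} {'; '.join(d.reasons)}")
```

The point the example makes is that the credential alone never decides anything: the same valid user is denied from an unmanaged device, gets read-only access when posture fails, and is stepped up to MFA when the time of day or the application raises the risk, which is exactly the break from password dependency the article argues for.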
Tomi Engdahl says:
Do Bounties Hurt FOSS?
https://hackaday.com/2023/09/27/do-bounties-hurt-foss/
Tomi Engdahl says:
Analysis of Time-to-Exploit Trends: 2021-2022
https://www.mandiant.com/resources/blog/time-to-exploit-trends-2021-2022
Mandiant Intelligence analyzed 246 vulnerabilities that were exploited between 2021 and 2022. Sixty-two percent (153) of the vulnerabilities were first exploited as zero-day vulnerabilities. The number of exploited vulnerabilities each year continues to increase, while the overall times-to-exploit (TTEs) we are seeing are decreasing.
Exploitation of a vulnerability is most likely to occur before the end of the first month following the release of a patch. Microsoft, Google, and Apple continue to be the most exploited vendors year-over-year, but the last two years were the first time the top three vendors accounted for less than 50 percent of the overall vulnerabilities exploited.
Tomi Engdahl says:
FBI warns energy sector of likely increase in targeting by Chinese, Russian hackers https://therecord.media/fbi-warning-energy-sector-increased-hacking-china-russia
Global energy supply changes will likely increase Chinese and Russian hackers’ targeting of critical energy infrastructure, according to an FBI notification sent to the energy industry and obtained by Recorded Future News. The alert, issued Thursday, cites factors such as increased U.S. exports of liquefied natural gas (LNG); changes in the global crude oil supply chain favoring the U.S.; ongoing Western pressure on Russia’s energy supply; and China’s reliance on oil imports.
The notification does not refer to any specific advanced persistent threat (APT) hacking groups associated with China or Russia, nor does it point to specific cybersecurity incidents involving critical infrastructure. Instead, it broadly notes the attractiveness of U.S. networks for foreign intrusions and reminds recipients that Chinese and Russian hackers are constantly trying to explore key systems and improve their ability to exploit gaps they discover.
Tomi Engdahl says:
FBI: Dual ransomware attack victims now get hit within 48 hours https://bleepingcomputer.com/news/security/fbi-dual-ransomware-attack-victims-now-get-hit-within-48-hours/
The FBI has warned about a new trend in ransomware attacks where multiple strains are deployed on victims’ networks to encrypt systems in under two days. FBI’s warning comes in the form of a Private Industry Notification prompted by trends observed starting July 2023. The federal law enforcement agency explains that ransomware affiliates and operators have been observed using two distinct variants when targeting victim organizations. Variants used in these dual ransomware attacks include AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal.
“This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments,” the FBI said. “Second ransomware attacks against an already compromised system could significantly harm victim entities.”
Tomi Engdahl says:
Young people fall for online scams more often than their grandparents – the security of online services must not rest on the user alone https://www.tivi.fi/uutiset/tv/2aabf7f2-d9ed-4953-8bd1-8e2ffa540ecd
Members of Generation Z fall for scams and get hacked much more often than their grandparents. This comes from a Deloitte study reported by Vox.com. The study in the article refers to American Gen Z youth, but the results can be applied more broadly.
Domestically, Yle reports in its story that young people's digital skills are considered better than they actually are. Generation Z refers to those born between the late 1990s and the early 2010s. Young people have reported falling victim to phishing, identity theft, romance scams and cyberbullying more often than older generations.
Deloitte's study shows that American Gen Z youth were three times more likely to be targeted by an online scam than their grandparents born between 1946 and 1964. Gen Z was also twice as likely to be hacked on social media as boomer-aged people.