Cyber trends for 2023

Nothing is more difficult than making predictions, especially in the fast-advancing cyber security field. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that many people and publications have predicted for 2023.

HTTPS: These days HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any plain-HTTP website as “Not Secure” in the address bar. Chrome also attempts to “upgrade” to the HTTPS version of a website if you accidentally navigate to the insecure version; if a secure version isn’t available, an on-screen warning asks whether you want to continue. As HTTPS has become the norm across the web, Google Chrome is preparing a security option that will block “insecure” downloads served over plain HTTP. Note that this check is about the transport, not the file: a malicious download served over HTTPS is still malicious.

Malvertising: Cyber criminals impersonating brands through search engine advertisement services to defraud users will continue in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals purchase ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. Anyone clicking the ad is instead taken to a lookalike page that may appear identical, but is designed to phish for login credentials and financial details, or to trick the unwary into downloading malware. The FBI has advised consumers to use ad blockers to protect themselves from such threats, and to type a known URL or use a bookmark rather than clicking a sponsored result.

Encrypted malware: The vast majority of malware now arrives over encrypted connections, typically HTTPS web sessions. Most cyber attacks over the past year have used TLS/SSL encryption to hide from security teams, traditional firewalls and many other security tools: WatchGuard’s Threat Lab report found that over 85% of attacks hide in encrypted channels and that its top threat arrived exclusively over encrypted connections. If you are not inspecting encrypted traffic when it enters your network, you will not detect most malware at the network level. Even without decryption, the handshake metadata (server name, offered cipher suites, ALPN, certificate details) is still in the clear and worth logging. Hopefully you at least have endpoint protection in place for a chance to catch the malware further down the cyber kill chain.
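
The metadata point above deserves a concrete illustration. The following Python is an added example, not code from the original post or from the WatchGuard report: it parses a TLS ClientHello record and pulls out the server name (SNI), cipher suites and ALPN that stay unencrypted even when the payload cannot be inspected, then applies a few illustrative triage heuristics. The ClientHello is constructed in code so the parser can be exercised offline; the heuristics are the editor's choices, not a vendor's detection rules.

```python
"""Extract TLS handshake metadata that is visible without decrypting the session.

Added example, not from the original post or the WatchGuard report. The ClientHello
below is constructed in code so the parser can be exercised offline; the triage
rules at the end are illustrative heuristics, not a vendor's detection logic.
"""
import ipaddress
import struct

EXT_SERVER_NAME = 0
EXT_ALPN = 16


def build_client_hello(sni, ciphers, alpn=("h2", "http/1.1")):
    """Constructed sample: assemble a minimal TLS 1.2-style ClientHello record."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type = host_name
        ext_body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(ext_body)) + ext_body
    protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    ext_body = struct.pack("!H", len(protos)) + protos
    exts += struct.pack("!HH", EXT_ALPN, len(ext_body)) + ext_body
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    hello = (b"\x03\x03" + bytes(32)                       # client_version, random
             + b"\x00"                                     # empty session_id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00"                                 # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return version, offered cipher suites, SNI and ALPN from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    info = {"version": (body[0], body[1]), "ciphers": [], "sni": None, "alpn": []}
    pos = 2 + 32                                    # skip client_version and random
    pos += 1 + body[pos]                            # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    info["ciphers"] = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                            # compression_methods
    if pos + 2 > len(body):
        return info                                 # legacy client without extensions
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            name_len = struct.unpack("!H", data[3:5])[0]   # list_len(2) name_type(1) name_len(2)
            info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == EXT_ALPN and len(data) >= 2:
            p = 2                                           # skip protocol_name_list length
            while p < len(data):
                n = data[p]
                info["alpn"].append(data[p + 1:p + 1 + n].decode("ascii", "replace"))
                p += 1 + n
    return info


def triage(info):
    """Illustrative heuristics: reasons a session deserves a closer look without decryption."""
    reasons = []
    if info["sni"] is None:
        reasons.append("no SNI: destination cannot be matched against allow/deny lists")
    else:
        try:
            ipaddress.ip_address(info["sni"])
            reasons.append("SNI is a bare IP address")
        except ValueError:
            pass
    if info["version"] < (3, 3):
        reasons.append("client_version below TLS 1.2")
    if "h2" not in info["alpn"] and "http/1.1" not in info["alpn"]:
        reasons.append("no HTTP ALPN: not a browser-like client")
    return reasons
```

This is the kind of signal a network sensor can keep even where TLS interception is not possible or not allowed; it is no substitute for decryption or endpoint visibility, but it is enough to spot a connection that does not look like a browser talking to a named host.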

Software vulnerabilities: Weak encryption configurations and missing security headers will still be very common in 2023. In 2022, nearly every application tested had at least one vulnerability or misconfiguration affecting security, and a quarter of application tests found a high- or critical-severity vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications.
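
The two misconfiguration classes named above are easy to check mechanically. The Python below is an added example, not code from the original post or from the report it cites: it audits a set of response headers for the common security headers and flags weak values, and separately inspects a Python ssl context for the settings that make TLS configurations weak (old protocol versions, verification switched off). The sample response headers and the thresholds are the editor's constructed choices.

```python
"""Audit response headers and a TLS client configuration for common weak settings.

Added example, not from the original post or the report it cites. The response
headers below are a constructed sample; the thresholds are the editor's choices.
"""
import re
import ssl

ONE_YEAR = 31536000


def hsts_ok(value):
    """HSTS needs a max-age of at least a year to be meaningful (preloading requires it too)."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= ONE_YEAR


def csp_ok(value):
    """A CSP without default-src, or with unsafe-inline/unsafe-eval, barely limits XSS."""
    v = value.lower()
    return "default-src" in v and "'unsafe-inline'" not in v and "'unsafe-eval'" not in v


CHECKS = {
    "strict-transport-security": hsts_ok,
    "content-security-policy": csp_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
}


def audit_headers(headers):
    """Return findings as 'missing: <header>', 'weak: <header>' or an info-leak note."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, check in CHECKS.items():
        if name not in lowered:
            findings.append(f"missing: {name}")
        elif not check(lowered[name]):
            findings.append(f"weak: {name}")
    if re.search(r"/\d", lowered.get("server", "")):
        findings.append("info-leak: server version disclosed")
    return findings


def audit_tls_context(ctx):
    """Flag a client SSLContext that accepts old protocol versions or skips verification."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("weak: TLS below 1.2 accepted")
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("weak: certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("weak: hostname check disabled")
    return findings


def hardened_context():
    ctx = ssl.create_default_context()          # verifies certificates and hostnames
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context():
    """The 'it works now' client configuration seen in too many scripts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # some OpenSSL builds refuse this
    except (ssl.SSLError, ValueError):
        pass
    return ctx


# Constructed sample: what a quick scan of an internal web app might return.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx/1.18.0",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS) + audit_tls_context(weak_context()):
        print(finding)
```

Run against a real site, feed `audit_headers` the dictionary from `response.headers`; the header names are compared case-insensitively because proxies and CDNs rewrite them freely.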

Old vulnerabilities: You will see attackers try old vulnerabilities again in 2023 because they work. Attackers take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will remain worth investing time in reviving known vulnerabilities before looking for novel ones. Many companies do not patch their systems in reasonable time, or at all, so they stay vulnerable. New variants of old vulnerabilities also keep appearing: approximately 50% of the 0-days observed in the first half of 2022 were variants of previously patched vulnerabilities, which is exactly the incomplete-fix problem above.

Security gaps: There are still big gaps in companies’ cyber security. The rapid advance of technology in all industries has brought ever-increasing cyberattacks that target businesses, governments and individuals alike. Lack of knowledge, neglected maintenance of employees’ skills and indifference are the strongest obstacles to developing many companies’ cyber security. Personnel security matters too, but while security screening and limiting who has access to your data are both important, they will only get you so far.

Cloud: At a hyperscale cloud provider there can be several thousand people working around the globe who could potentially access your data. Screening and access limitation alone still leave a significant risk of malicious or accidental access. You should instead expect your cloud provider to take a layered approach: encryption of customer data, just-in-time privileged access that has to be requested and approved, and an audit trail of every such access, so that no single insider can read data unnoticed.

MFA: MFA fatigue attacks will keep putting organisations at risk in 2023. Multi-factor auth fatigue is real. In an MFA fatigue attack an attacker who already holds a valid password tries to get into the corporate network by bombarding the user with push-notification MFA prompts until the user finally accepts one. It succeeds especially when the victim is distracted or overwhelmed by the notifications, or mistakes them for legitimate authentication requests. It is a serious threat because it bypasses one of the most effective security measures. Plain push approval is the weak point: number matching (the user must type a code shown on the login screen into the prompt) and phishing-resistant methods such as FIDO2 security keys remove the “just tap approve” path, and a burst of denied or expired prompts for one account should raise an alert on its own.
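
The “burst of denied prompts” signal above is straightforward to turn into a detection. The Python below is an added example, not code from the original post or from either article it cites; the log line format and the sample lines are constructed, so the regular expression will need adapting to your own identity provider's export.

```python
"""Detect MFA fatigue (push bombing) from authentication logs.

Added example, not from the original post or either cited article. The log format
and the sample lines are constructed; adapt the regex to your IdP's export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=push result=(?P<result>\w+) ip=(?P<ip>\S+)$")
REJECTED = {"denied", "timeout"}


def parse(lines):
    """Yield (timestamp, user, result, ip) for push-MFA log lines; ignore everything else."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["result"], m["ip"]


def detect_mfa_fatigue(lines, window=timedelta(minutes=10), threshold=5):
    """Flag users with >= threshold rejected push prompts inside `window`.

    A legitimate user fumbles once or twice; a burst of denials or timeouts means
    someone else holds the password and keeps retrying. An approval after the burst
    is the worst case: the user probably gave in, so that account needs a reset now.
    """
    by_user = defaultdict(list)
    for ev in sorted(parse(lines)):
        by_user[ev[1]].append(ev)
    alerts = {}
    for user, events in by_user.items():
        rejected = [ts for ts, _, result, _ in events if result in REJECTED]
        for i, start in enumerate(rejected):
            burst = [ts for ts in rejected[i:] if ts - start <= window]
            if len(burst) < threshold:
                continue
            approved_after = [ip for ts, _, result, ip in events
                              if result == "approved" and ts > burst[-1]]
            alerts[user] = {
                "rejected_prompts": len(burst),
                "first": burst[0].isoformat(),
                "last": burst[-1].isoformat(),
                "approved_after_burst": bool(approved_after),
                "approval_ips": sorted(set(approved_after)),
            }
            break
    return alerts


# Constructed sample: alice is being push-bombed and finally taps approve; bob just mistyped once.
SAMPLE_LOG = """
2023-01-05T08:00:00 user=alice method=push result=denied ip=198.51.100.7
2023-01-05T08:01:10 user=alice method=push result=timeout ip=198.51.100.7
2023-01-05T08:02:05 user=alice method=push result=denied ip=198.51.100.7
2023-01-05T08:02:40 user=bob method=push result=denied ip=203.0.113.9
2023-01-05T08:03:00 user=alice method=push result=denied ip=198.51.100.7
2023-01-05T08:03:30 user=bob method=push result=approved ip=203.0.113.9
2023-01-05T08:04:15 user=alice method=push result=timeout ip=198.51.100.7
2023-01-05T08:05:00 user=alice method=push result=denied ip=198.51.100.7
2023-01-05T08:06:30 user=alice method=push result=approved ip=198.51.100.7
2023-01-05T08:07:00 user=carol method=totp result=approved ip=192.0.2.4
""".strip().splitlines()

if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(user, alert)
```

The `approval_ips` field is there because the approval in a real incident usually comes from the attacker's address rather than the user's usual one, which is the next pivot for the responder.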

Passwords: Passwords will not go away completely even though new solutions to replace them will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. One Finnish expert’s tip is to include a comma in the password, which can make it harder for criminals to use if it ever leaks: a comma can break tabular comma-separated value (CSV) files, a common format for collecting and distributing stolen passwords. Treat this as a minor nuisance for sloppy tooling only; a properly quoted CSV is not affected, and the comma is no substitute for length and uniqueness.
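
To see exactly what the comma does and does not buy, here is an added Python example, not from the original post or the cited article. The two credential rows are constructed; the naive dump is written by joining fields with commas, the proper one through the csv module, and both are read back the way a credential-stuffing tool would read them.

```python
"""Show what a comma in a leaked password does to a credential dump.

Added example, not from the original post or the cited article. The two rows
below are constructed; the point is which tooling the comma actually defeats.
"""
import csv
import io

ROWS = [["alice@example.com", "pass,word,1"], ["bob@example.com", "hunter2"]]


def dump_naively(rows):
    """The sloppy way dumps are often produced: fields joined with commas, no quoting."""
    return "\n".join(",".join(row) for row in rows)


def dump_properly(rows):
    """RFC 4180 output: a field containing a comma is wrapped in double quotes."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def credentials(text):
    """How a cracking or credential-stuffing tool reads the dump back: one tuple per row."""
    return [tuple(row) for row in csv.reader(io.StringIO(text))]


if __name__ == "__main__":
    print(credentials(dump_naively(ROWS)))   # alice's password is shattered into three fields
    print(credentials(dump_properly(ROWS)))  # intact: the comma bought nothing
```

Only the naive dump misaligns alice’s row; anyone exporting with a real CSV writer, or with a tab or colon separator, gets the password back intact.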

EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity; its successor, NIS2, was approved by MEPs in late 2022 and will start to affect security decisions in 2023. The new rules require EU countries to apply stricter supervisory and enforcement measures and to harmonise their sanctions, and they set tighter cybersecurity obligations for risk management, incident reporting and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The rules also extend to so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers; all medium-sized and large companies in the selected sectors will fall under the legislation. The original NIS Directive has already affected operators’ cybersecurity budgets over the past year, as the deep-dives into the energy and health sectors show in Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then the cybersecurity community has treated the CPGs as “the floor” and “a baseline” for cybersecurity hygiene and practice. Many organisations overlook OT in their cybersecurity strategy, keeping their focus solely on IT systems. Especially in critical infrastructure sectors, overlooking OT poses serious risks to all operations, which is why the CPGs are explicitly scoped to include OT devices.

Android: Android security will advance in 2023 in several ways. Android is adding support for updatable root certificates, reportedly in the upcoming Android 14 release, so that a distrusted certificate authority can be removed from devices without waiting for a full OS update; the TrustCor case below shows why that matters. Google Play now lets children send purchase requests to guardians.

Losing trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla and Google are dropping TrustCor Systems as a root certificate authority in their products, which means certificates chaining to its roots will no longer be trusted by their browsers and operating systems.

Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.

Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.

Governance: For boards and management, heightened pressure around climate action dovetails with the SEC’s proposed rules about cybersecurity oversight, which may soon become law. When they do, companies will need to prepare for more disclosures about their cybersecurity policies and procedures. With fresh scrutiny on directors’ cybersecurity expertise, or lack thereof, boards will need to take their cyber savviness to the next level as well.

Privacy and data protection: Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.

Auditing: Audit’s role in corporate governance and risk management has been evolving. Once strictly focused on finance and compliance, internal audit teams are now increasingly expected to help boards and executive management identify, prioritize, manage and mitigate interconnected risks across the organization.

Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also the problem that executives take more cybersecurity risks than office workers: leaders engage in more dangerous behaviour and are four times more likely to be victims of phishing than office workers.

Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary.

Zero trust: Many people consider Zero Trust the optimal security practice in 2023. It works well for new systems that its model suits, but Zero Trust also has challenges: retrofitting it into an existing network can be very expensive. The article Zero Trust Shouldn’t Be The New Normal argues that the zero trust model starts to erode when the resources of two corporations need to work together; federated activity, from authentication to resource-pooled cloud federation, doesn’t coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, the article proposes flipping the concept on its head and evaluating network interactions in terms of risk, which is where identity-first networking comes in. For a network request to be accepted it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronisation supplies the identity part by securely automating the exchange of user identities between cloud applications, diverse networks and service providers.

Poor software: A lot of poor software will be in use in 2023 and it will cost a lot of money. Poor software costs the US $2.4 trillion: cyberattacks exploiting existing vulnerabilities, complex software supply chain issues and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.

Microsoft: Microsoft will permanently turn off basic authentication in Exchange Online starting in early January 2023 to improve security; legacy clients and scripts that still send a username and password for protocols such as IMAP, POP, EWS and Remote PowerShell will have to move to modern (OAuth 2.0) authentication. A Microsoft Edge update will permanently disable the Internet Explorer 11 desktop browser on some Windows 10 systems in February: “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated.”

Google Workspace: Google Workspace gets client-side encryption in Gmail. The long-awaited client-side encryption for Gmail is available in beta: Google is letting businesses try it out, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many other Workspace services. With client-side encryption the customer holds the keys, so Google’s servers see only ciphertext for the message body and attachments, while headers such as subject and recipients stay in the clear.

Passkeys: Google has made passkey support available in the stable version of Chrome. A passkey is a FIDO/WebAuthn credential: a public/private key pair created per site, unlocked on the device with its screen lock (biometric, PIN or pattern) and meant to replace passwords, which are easily compromised. Passkeys work cross-platform with both apps and websites and offer the same experience as password autofill, with the advantages of passwordless authentication: each passkey is unique to one site, the server stores only the public key so there is nothing useful to steal in a breach, and the browser binds the credential to the site’s origin so it cannot be used on a phishing lookalike. Passkeys are only available on websites that support them via the WebAuthn API.
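
The phishing resistance comes from checks the relying party performs on what the browser and authenticator return. The Python below is an added example, not code from the original post or from Chrome: it implements the server-side binding checks of a WebAuthn assertion (challenge, origin, relying-party id hash, user-presence and user-verification flags). The relying party id and origin are assumed values, and the clientDataJSON and authenticatorData are constructed to mirror what navigator.credentials.get() returns; the signature verification over authenticatorData plus the SHA-256 of clientDataJSON is left out because it needs the credential's stored public key.

```python
"""The relying-party checks that make a passkey login phishing-resistant.

Added example, not from the original post or Chrome's implementation. RP_ID and
EXPECTED_ORIGIN are assumed values; the clientDataJSON/authenticatorData builders
stand in for what a browser and authenticator send. Signature verification over
authenticatorData || SHA-256(clientDataJSON) is omitted (needs the stored public key).
"""
import base64
import hashlib
import json
import secrets

RP_ID = "login.example.com"                    # assumed relying party id
EXPECTED_ORIGIN = "https://login.example.com"  # assumed origin the RP serves

FLAG_UP = 0x01   # user present
FLAG_UV = 0x04   # user verified (biometric / PIN / screen lock)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_challenge():
    """Fresh, single-use challenge stored server-side against the login session."""
    return secrets.token_bytes(32)


def verify_assertion(challenge, client_data_json, auth_data):
    """Return the names of failed checks; an empty list means the binding checks pass."""
    failed = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if cd.get("challenge") != b64url(challenge):
        failed.append("challenge")        # replayed or attacker-chosen challenge
    if cd.get("origin") != EXPECTED_ORIGIN:
        failed.append("origin")           # the browser fills this in; a phishing page cannot spoof it
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failed.append("rpIdHash")         # the authenticator scopes the key to the rpId it saw
    flags = auth_data[32]
    if not flags & FLAG_UP:
        failed.append("user-presence")
    if not flags & FLAG_UV:
        failed.append("user-verification")
    return failed


# Constructed stand-ins for what the browser and authenticator produce.
def make_client_data(challenge, origin, typ="webauthn.get"):
    return json.dumps({"type": typ, "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id, flags=FLAG_UP | FLAG_UV, sign_count=1):
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


if __name__ == "__main__":
    ch = new_challenge()
    print("legit  :", verify_assertion(ch, make_client_data(ch, EXPECTED_ORIGIN),
                                       make_authenticator_data(RP_ID)))
    # A lookalike site relays the real challenge, but origin and rpId are the attacker's.
    print("phished:", verify_assertion(ch, make_client_data(ch, "https://login.example-com.xyz"),
                                       make_authenticator_data("login.example-com.xyz")))
```

The “phished” case is the whole point: a proxy site can relay the challenge, but it cannot make the victim’s browser report the real origin, nor make the authenticator hash a relying-party id it is not on, so the assertion is rejected before any signature is even checked.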

War risks: Expect the war between Russia and Ukraine to continue in 2023, in the real world and in cyberspace. Cyber is as important as missile defences, says an ex-NATO general, and the risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.

Cloud takeover: AWS Elastic IP transfer feature gives cyberattackers free range. The feature lets an Elastic IP address be moved to another AWS account, so an attacker who has gained sufficient EC2 permissions in a victim account can move the victim’s public IP addresses, together with whatever DNS records and reputation point at them, into an account they control. Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control, phishing, denial of service or other attacks. The ec2:EnableAddressTransfer and ec2:AcceptAddressTransfer permissions should be tightly restricted, and their use should be alerted on.
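
Both halves of that advice can be automated. The Python below is an added example, not code from the original post or the Dark Reading article: one function scans CloudTrail records for Elastic IP transfer and release events and grades them by whether the destination account is one of your own, and a service control policy plus a small evaluator shows how to deny the capability outright. The CloudTrail records are constructed; the EC2 action names are real, but the requestParameters field names used here are assumed and must be checked against your own trail before deploying the rule.

```python
"""Detect and block Elastic IP transfers out of an AWS account.

Added example, not from the original post or the Dark Reading article. The
CloudTrail records are constructed; the ec2:EnableAddressTransfer and
ec2:AcceptAddressTransfer action names are real, but the requestParameters
field names used below are assumed and should be checked against your own
trail before deploying the rule.
"""
import fnmatch

EIP_ACTIONS = {"EnableAddressTransfer": "high", "AcceptAddressTransfer": "high",
               "DisassociateAddress": "medium", "ReleaseAddress": "medium"}


def eip_alerts(records, trusted_accounts):
    """Flag CloudTrail events that move or release public IPs; a transfer to an
    account outside `trusted_accounts` is the hijack case."""
    alerts = []
    for r in records:
        if r.get("eventSource") != "ec2.amazonaws.com" or r.get("eventName") not in EIP_ACTIONS:
            continue
        params = r.get("requestParameters") or {}
        target = params.get("transferAccountId")           # assumed field name
        severity = EIP_ACTIONS[r["eventName"]]
        if r["eventName"] == "EnableAddressTransfer" and target in trusted_accounts:
            severity = "low"                                # planned move between own accounts
        alerts.append({
            "time": r.get("eventTime"),
            "action": r["eventName"],
            "actor": (r.get("userIdentity") or {}).get("arn"),
            "source_ip": r.get("sourceIPAddress"),
            "allocation_id": params.get("allocationId"),    # assumed field name
            "target_account": target,
            "severity": severity,
        })
    return alerts


# Service control policy that removes the capability from every account it is attached to.
DENY_EIP_TRANSFER_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyElasticIpTransfer",
        "Effect": "Deny",
        "Action": ["ec2:EnableAddressTransfer", "ec2:AcceptAddressTransfer"],
        "Resource": "*",
    }],
}


def scp_denies(policy, action):
    """True if any Deny statement in the policy matches the action (wildcards allowed)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            return True
    return False


# Constructed sample CloudTrail records.
SAMPLE_RECORDS = [
    {"eventTime": "2023-01-09T02:14:33Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "EnableAddressTransfer", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deploy"},
     "requestParameters": {"allocationId": "eipalloc-0a1b2c3d4e5f67890",
                           "transferAccountId": "999999999999"}},
    {"eventTime": "2023-01-09T02:15:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeAddresses", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deploy"},
     "requestParameters": {}},
    {"eventTime": "2023-01-09T09:00:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "EnableAddressTransfer", "sourceIPAddress": "203.0.113.8",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/NetworkAdmin"},
     "requestParameters": {"allocationId": "eipalloc-0fedcba9876543210",
                           "transferAccountId": "222222222222"}},
]

if __name__ == "__main__":
    for a in eip_alerts(SAMPLE_RECORDS, trusted_accounts={"222222222222"}):
        print(a["severity"], a["action"], a["actor"], "->", a["target_account"])
```

A CI deployment user initiating a transfer to an unknown account at two in the morning is the case the rule exists for; a network admin role moving an address into a sibling account of the organisation is the benign case the trusted list downgrades.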

ICS: ICS and SCADA systems remain trending attack targets in 2023.

Code security: Microsoft-owned code hosting platform GitHub has announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. Secret scanning helps developers and organisations identify exposed secrets and credentials in their code; in 2022 it flagged 1.7 million potential secrets exposed in public repositories. The feature is now free for all public repositories, to help prevent secret exposures and secure the open source ecosystem, and with secret scanning alerts you can track and act on leaked secrets directly within GitHub. Remember that a secret pushed to a public repository must be treated as compromised and rotated; deleting it from the history is not enough.
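
What such a scanner does is not magic, and a local pre-commit version catches the obvious cases before GitHub ever sees them. The Python below is an added example, not GitHub's code: it matches a few well-known token formats, adds a generic rule for assignments of long values to secret-looking names, and uses Shannon entropy to drop placeholders. The sample text is constructed (the AWS values are Amazon's documented placeholder keys, the GitHub token is a made-up string of the right shape).

```python
"""A minimal secret scanner of the kind GitHub now runs for free on public repos.

Added example, not GitHub's code. The patterns cover a few well-known token
formats plus a generic high-entropy assignment; the sample text is constructed
(the AWS values are Amazon's documented placeholder keys, the GitHub token is a
made-up string of the right shape).
"""
import math
import re
from collections import Counter

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # secret-ish name, '=' or ':', then a long token-like value; entropy filters placeholders
    "generic_assignment": re.compile(
        r"(?i)(?:secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"),
}
MIN_ENTROPY = 3.5   # bits per character; random tokens sit well above, words and repeats below


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan(text):
    """Return (line_number, pattern_name, masked_value) for each probable secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if name == "generic_assignment" and shannon_entropy(value) < MIN_ENTROPY:
                    continue
                findings.append((lineno, name, value[:4] + "..." + value[-2:]))  # never echo the secret
    return findings


# Constructed sample: a config file someone almost committed.
SAMPLE_TEXT = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
password = "aaaaaaaaaaaaaaaaaaaa"
-----BEGIN RSA PRIVATE KEY-----
debug_token = "true"
"""

if __name__ == "__main__":
    for lineno, name, masked in scan(SAMPLE_TEXT):
        print(f"line {lineno}: {name}: {masked}")
```

The placeholder password and the `debug_token = "true"` line are correctly ignored, while the AWS secret key, which has no fixed prefix to match on, is still caught by the generic rule because of its entropy. Real scanners also verify tokens against the issuing service and scan the whole Git history, not just the working tree.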

Data destruction: We must develop a cloud-compatible way of doing destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and plenty of companies would certainly be eager to pay for such a service if appropriate certificates of destruction were provided. In practice the cloud-native answer today is crypto-shredding: keep the data encrypted under a key you control and destroy the key, which a key management service can log and attest to.

PCI DSS: PCI DSS 4.0 should be on your radar in 2023 if you work in a field that has to meet it. The latest version of the standard brings new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur in the customer’s browser rather than on the company’s servers or in between the two, were disregarded. That changes with PCI DSS 4.0: several new requirements focus on client-side security, notably an inventory and integrity control for the scripts loaded on payment pages (requirement 6.4.3) and a mechanism to detect unauthorised changes to those pages (requirement 11.6.1).

SHA-1: NIST is retiring the SHA-1 cryptographic algorithm: not fully in 2023, but preparations for the phase-out start now. The venerable cryptographic hash function has weaknesses that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, since the computing power available today makes it practical to mount a ‘collision’ attack, producing two different inputs with the same hash. SHA-1, whose initials stand for Secure Hash Algorithm, has been in use since 1995 as part of the Federal Information Processing Standards, and NIST has announced that it should be phased out by December 31, 2030, in favour of the more secure SHA-2 and SHA-3 families. NIST recommends that IT professionals start replacing the 27-year-old algorithm with newer, more secure ones now. Because SHA-1 underpins numerous security applications, the phase-out will take years; look for it in code signing, in Git and Subversion object hashes, in legacy TLS cipher suites and in HMAC constructions (HMAC-SHA1 is not broken by collision attacks, but should still not be chosen for new designs). Tech giants such as Google, Facebook, Microsoft and Mozilla moved away from SHA-1 years ago: publicly trusted certificate authorities stopped issuing SHA-1 certificates in 2016, and the major browsers stopped trusting them in early 2017.

Cloud: Is cloud native security good enough? Cloud native technologies give organisations the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers (Amazon Web Services, Microsoft Azure and Google Cloud) of course offer security features and services designed to address significant threats to cloud-based data. In spite of this, the providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organisations to consider or reconsider how they are protecting public cloud environments.

Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.

Ethical hacking: Ethical hacking has become a highly sought-after career route for emerging tech aspirants. Ethical hackers enable countless businesses and individuals to improve their security posture and reduce their attack risk. But several analysts believe that becoming a self-taught ethical hacker in 2023 might not be worth it, because such hackers are at constant risk of failing to perform properly and many companies might not want to hire them.

MFA: Two-factor authentication might not be enough in 2023 for applications that need strong security. In the past few months we have seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection. So for some demanding users 2FA is over. Long live 3FA! Bear in mind that the attacks succeeding against 2FA are mostly real-time phishing proxies and the MFA fatigue technique described above, so the useful distinction is phishing-resistant versus phishable factors rather than simply how many factors are stacked.

Cloud APIs: With cloud come APIs and security headaches, also in 2023. Web application programming interfaces (APIs) are the glue that holds cloud applications and infrastructure together, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots. About 40% of companies have suffered an incident due to misconfiguration and a third are coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, and more than three-quarters (77%) are confident that they will catch issues, saying they have the required API tools and solutions.

Lack of cyber security workers: Businesses need to secure their assets and keep their employees ready to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or other malicious actors. There is an acute shortage of cyber security professionals. As threat levels remain high, companies and organisations remain on alert but face ongoing challenges in finding and retaining people with the required skills. There is a significant skills gap and a clear need to hire cyber security experts in organisations across the world.

VPN: Is enterprise VPN on life support or ripe for reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organisations turned to enterprise virtual private networks (VPNs), which connected their remote employees to critical business operations at the corporate site. But as fast as VPNs were deployed, organisations learned their limitations and security risks. So are traditional VPNs really “dead”, as some industry analysts and pundits claim, or do they simply need a refresh? Time will tell; this will be discussed in 2023.

AI: Corporations have discovered the power of artificial intelligence (AI) to transform what’s possible in their operations. But with great promise comes great responsibility, and a growing imperative for monitoring and governance: as algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks that boards need to pay attention to.

AI dangers: Large AI language models carry real dangers. AI is better at fooling humans than ever, and the consequences will be serious. A Wired article expects that in 2023 we may well see our first death by chatbot. Causality will be hard to prove: was it really the words of the chatbot that pushed a murderer over the edge? Or did a chatbot break someone’s heart so badly that they felt compelled to take their own life?

Metaverse: Police must prepare for new crimes in the metaverse, says Europol. It encourages law enforcement agencies to start considering how existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. Read the Policing in the metaverse: what law enforcement needs to know report for more information.

Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. 2022 already showed many cryptocurrency-related risks materialising. More “crypto travel rules” will be enacted to combat money laundering and terrorism financing.

Insurance: Getting cyber insurance may become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks, and now name cyber as the risk to watch. Spiralling cyber losses have prompted emergency measures by the sector’s underwriters to limit their exposure, and there is growing concern among industry executives about large-scale attacks. As well as pushing up prices, some insurers have responded by tweaking policies so that clients retain more of the losses. Policies already written in the market carry exemptions for state-backed attacks, but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow, pointing to recent attacks that have disrupted hospitals, shut down pipelines and targeted government departments: “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September 2022 the US government called for views on whether a federal insurance response to cyber risk was warranted.

Sources:

Expert advises using a comma in your password: there is a clever logic behind it (in Finnish: Asiantuntija neuvoo käyttämään pilkkua salasanassa – taustalla vinha logiikka)

Overseeing artificial intelligence: Moving your board from reticence to confidence

Android is adding support for updatable root certificates amidst TrustCor scare

Google Play now lets children send purchase requests to guardians

Diligent’s outlook for 2023: Risk is the trend to watch

Microsoft will turn off Exchange Online basic auth in January

Google is letting businesses try out client-side encryption for Gmail

Google Workspace Gets Client-Side Encryption in Gmail

The risk of escalation from cyberattacks has never been greater

Client-side encryption for Gmail available in beta

AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

Microsoft: Edge update will disable Internet Explorer in February

Is Cloud Native Security Good Enough?

The Privacy War Is Coming

Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023

Google Chrome preparing an option to block insecure HTTP downloads

Cyber attacks set to become ‘uninsurable’, says Zurich chief

The Dark Risk of Large Language Models

Police Must Prepare For New Crimes In The Metaverse, Says Europol

Policing in the metaverse: what law enforcement needs to know

Cyber as important as missile defences – an ex-NATO general

Misconfigurations, Vulnerabilities Found in 95% of Applications

Mind the Gap

Companies’ cyber security still has big gaps, expert says: it is even a question of national security (in Finnish: Yritysten kyberturvassa edelleen isoja aukkoja – Asiantuntija: Kysymys jopa kansallisesta turvallisuudesta)

Personnel security in the cloud

Multi-factor auth fatigue is real – and it’s why you may be in the headlines next

MFA Fatigue attacks are putting your organization at risk

Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience (European Parliament News)

NIS2 approved: stricter cyber security requirements for EU countries (in Finnish: NIS2 hyväksyttiin – EU-maille tiukemmat kyberturvavaatimukset)

Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

Poor software costs the US 2.4 trillion

Passkeys Now Fully Supported in Google Chrome

Google Takes Gmail Security to the Next Level with Client-Side Encryption

Executives take more cybersecurity risks than office workers

NIST Retires SHA-1 Cryptographic Algorithm

NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Over 85% of Attacks Hide in Encrypted Channels

GitHub Announces Free Secret Scanning, Mandatory 2FA

Leaked a secret? Check your GitHub alerts…for free

Data Destruction Policies in the Age of Cloud Computing

Why PCI DSS 4.0 Should Be on Your Radar in 2023

2FA is over. Long live 3FA!

Google: With Cloud Comes APIs & Security Headaches

Digesting CISA’s Cross-Sector Cybersecurity Performance Goals

Zero Trust Shouldnt Be The New Normal

Don’t click too quick! FBI warns of malicious search engine ads

FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads

Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users

There is an acute shortage of cyber security professionals (in Finnish: Kyberturvan ammattilaisista on huutava pula)

Is Enterprise VPN on Life Support or Ripe for Reinvention?

1,768 Comments

  1. Tomi Engdahl says:

    Application Security Protection for the Masses
    https://www.securityweek.com/application-security-protection-for-the-masses/

    While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in a self-service manner are becoming increasingly popular.

    I’ve always found it entertaining that so many sales pitches are essentially a listing of features for the product or service being sold. The reason I find this entertaining is that for anyone who has worked on the customer side or has ever listened to customers, it is obvious that customers buy solutions, not products. Thus, the notion of showing off how proud you are of your product by rattling off a laundry list of features has always seemed a bit odd to me.

    In other words, customers have a number of different problems, issues, and challenges that they are looking to solve. They are not necessarily interested in all of the different things your product or service can do. Rather, they are interested in learning how your solution can help them address their strategic priorities and move forward on the goals they have set for their security and fraud problems. It is incumbent upon vendors to understand that and to make it easy for potential customers to understand that mapping.

    Along those lines, improving application security is a common goal customers have. As you might imagine, any solution geared towards improving the security of an application is going to be complex, consisting of many different moving parts. Thus, forcing customers to hunt for the components they need within your product data sheets and overviews is not going to be an effective way to convince those customers that you have a solution they might be in the market for.

  2. Tomi Engdahl says:

    https://www.securityweek.com/application-security-protection-for-the-masses/

    Along those lines, what would a bundle around the popular application security protection use case look like?

    While not an exhaustive list, here are some thoughts:

    App Proxy: Putting a proxy in front of applications is perhaps one of the most basic application security requirements, and for good reason. Having an intermediary allows us to inspect and monitor traffic going to and from the application, as well as to block or filter as necessary for security purposes.
    Rate Limiting and Fast Access Control Lists (ACLs): Flooding a site is an old standby of attackers. It is a primitive, yet effective tactic. Rate limiting is a relatively straightforward way to prevent this type of attack. Similarly, fast-performing Access Control Lists (ACLs) are another effective way to keep unwanted traffic at bay.
    Path Discovery: Applying machine learning (ML) to traffic transiting the environment allows us to track the rate of requests, the identity of clients accessing applications, the size of the payloads being sent, and other important telemetry elements. Using ML allows us to identify and block nefarious traffic before it becomes a more serious issue – often in minutes as opposed to hours.
    Web Application Firewall: WAF has become a required technology for application providers and should be included as a part of any application security bundle.
    L3/L4/L7 DDoS: DDoS protection has also become a requirement for application providers and should also be included as part of any application security bundle.
    Bot Defense: Advanced bots that know how to get around the defenses listed above can cause application providers monetary loss and reputation damage. As such, bot defense should also be included as part of an application security bundle.
    Auto-Certificates: Speed of deploying applications is essential for remaining competitive, as is speed of protecting those applications. The ability to auto-issue certificates and to auto-register DNS for resources saves time, allowing application providers to go from no protection to full protection in a matter of minutes.
    Malicious User Detection: Another great application for machine learning (ML) is quickly understanding which users and patterns appear to be behaving maliciously. This is something that often takes application providers hours or days to identify. With ML, this can be done in minutes, allowing those application providers to quickly take action and block/mitigate.
    Client-Side Defense: Visibility into the end-user environment is something many application providers lack. The ability to inspect how JavaScript is being called, where requests are going, and what third party scripts are being called gives important insight that is extremely helpful for application security purposes.
    URI Routing: The ability to quickly and easily control where certain requests are routing gives application providers the ability to block/control specific endpoints (URIs). No application security solution would be complete without this important feature.
    Service Policies: Quick and easy policy deployment is a must for application security. The ability to chain together service policies as needed based on requirements, along with the ability to generate custom rules for steering traffic or allowing/denying traffic beyond the capabilities of the other defensive capabilities is another essential part of the total application security package.
    Synthetic Monitors: How are applications performing externally? What are my customers experiencing? These are important questions that synthetic monitors allow a business to answer, which can quickly identify any issues that might affect the application.
    TLS Fingerprinting and Device Identification: While IP addresses change frequently, TLS fingerprints and device identifiers change much more rarely. Thus, basing policies and rules on them rather than IP address makes a lot of sense when it comes to application security.
    Cross-Site Request Forgery Protection: Scripts that operate cross-site can cause serious problems for application providers. Thus, mitigating the risk they present should be part of any application security bundle as well.

    Reply
  3. Tomi Engdahl says:

    Edge Security in an Insecure World
    https://www.mouser.com/empowering-innovation/more-topics/ai?utm_source=endeavor&utm_medium=display&utm_campaign=ed-personifai-eit-ai-#article2-ai

    As the cost of embedded networked devices falls—consider the Raspberry Pi as one example—they become ubiquitous. But, a hidden cost in this proliferation is that these devices can lack security and therefore be exploited. Without the investment in security, devices can leak private information—such as video, images, or audio—or become part of a botnet that wreaks havoc around the world.
    Edge Computing in a Nutshell

    Edge computing is a paradigm of shifting centralized compute resources closer to the source of data. This produces a number of benefits including:

    Disconnected operation
    Faster response time
    Improved balance of compute needs across the spectrum

    Securing a Device

    To look at a device and understand how it can be exploited, we look at what’s called the attack surface. The attack surface for a device represents all of the points where an attacker can attempt to exploit or extract data from a device. This attack surface could include:

    The network ports that interface to the device
    The serial port
    The firmware update process used to upgrade the device
    The physical device itself

    Attack Vectors

    The attack surface defines the device’s exposure to the world and becomes the focus of defense for security. Securing a device is then a process of understanding the possible attack vectors for a device and protecting them to reduce the surface.

    Common attack vectors typically include:

    Interfaces
    Protocols
    Services

    Reply
  4. Tomi Engdahl says:

    Big setback: the digital identity card is not moving forward
    https://etn.fi/index.php?option=com_content&view=article&id=14637&via=n&datum=2023-02-24_15:19:24&mottagare=31202

    As the end of the government term has turned mainly into an election battle between the parties, many important projects have stalled. One of them is the digital identity card. The Digital and Population Data Services Agency (Digi- ja väestötietovirasto) reports that Parliament will not have time to process the bills that would enable the digital identity reform before the end of the parliamentary session.

    A digital identity card would bring many improvements to people's everyday lives. The reform would improve the management of personal data, make electronic identification available to everyone, and streamline immigration processes.

    Reply
  5. Tomi Engdahl says:

    Nixu is being bought by a Norwegian company for 98 million euros
    https://etn.fi/index.php/13-news/14634-nixua-ostetaan-norjaan-98-miljoonalla-eurolla

    Nixu, a cyber security house of more than 400 professionals, has received a purchase offer from the Norwegian company DNV AS. Under the cash tender offer, Nixu's price would come to 98 million euros. Nixu's board recommends accepting the offer.

    DNV is a company headquartered in Høvik, Norway, with nearly 12,000 employees. In the 2020 financial year its revenue was 20.9 billion Norwegian kroner, i.e. nearly two billion euros.

    Reply
  6. Tomi Engdahl says:

    Defending Against Generative AI Cyber Threats https://www.forbes.com/sites/tonybradley/2023/02/27/defending-against-generative-ai-cyber-threats/
    Generative AI has been getting a lot of attention lately. ChatGPT, Dall-E, Vall-E, and other natural language processing (NLP) AI models have taken the ease of use and accuracy of artificial intelligence to a new level and unleashed it on the general public. While there are a myriad of potential benefits and benign uses for the technology, there are also many concerns, including that it can be used to develop malicious exploits and more effective cyberattacks.

    Reply
  7. Tomi Engdahl says:

    White House: No More TikTok on Gov’t Devices Within 30 Days
    The White House is giving all federal agencies 30 days to wipe TikTok off all government devices.
    https://www.securityweek.com/white-house-no-more-tiktok-on-govt-devices-within-30-days/

    Reply
  8. Tomi Engdahl says:

    Nation-State
    US National Cyber Strategy Pushes Regulation, Aggressive Hack-Back Operations
    https://www.securityweek.com/us-national-cyber-strategy-pushes-regulation-aggressive-hack-back-operations/

    The U.S. government is set to green-light a more aggressive ‘hack-back’ approach to dealing with foreign adversaries and mandatory regulation of critical infrastructure vendors.

    The U.S. government is set to release a cybersecurity strategy document that approves mandatory regulations on critical infrastructure vendors and green-lights a more aggressive ‘hack-back’ approach to dealing with foreign adversaries.

    According to early reporting on the strategy document making the rounds in Washington, the Biden administration is mulling over the final details of a 35-page National Cybersecurity Strategy that will use regulation to “level the playing field” in national security.

    “[While] voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has too often resulted in inconsistent and, in many cases inadequate, outcomes,” the document argues, calling for a dramatic shift of liability “onto those entities that fail to take reasonable precautions to secure their software.”

    The strategy, created by the Office of the National Cyber Director (ONCD), also gives high-level authorization to law enforcement and intelligence agencies to hack into foreign networks to prevent attacks or to retaliate against APT campaigns.

    When It Comes to Cybersecurity, the Biden Administration Is Getting Much More Aggressive
    https://slate.com/news-and-politics/2023/01/biden-cybersecurity-inglis-neuberger.html

    A new policy will empower U.S. agencies to hack into the networks of criminals and foreign governments, among other changes.

    President Biden is about to approve a policy that goes much farther than any previous effort to protect private companies from malicious hackers—and to retaliate against those hackers with our own cyberattacks.

    The 35-page document, titled “National Cybersecurity Strategy,” differs from the dozen or so similar papers signed by presidents over the past quarter-century in two significant ways: First, it imposes mandatory regulations on a wide swath of American industries. Second, it authorizes U.S. defense, intelligence, and law enforcement agencies to go on the offensive, hacking into the computer networks of criminals and foreign governments, in retaliation to—or preempting—their attacks on American networks.

    “Our goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States,” the document states in a five-page section titled “Disrupt and Dismantle Threat Activities,” according to a draft exclusively viewed by Slate. (The document has not yet been publicly released, though it will be after Biden signs it, an event anticipated sometime this month.)

    Reply
  9. Tomi Engdahl says:

    https://slate.com/news-and-politics/2023/01/biden-cybersecurity-inglis-neuberger.html

    Corporate lobbyists successfully resisted mandatory cybersecurity regulations on private companies for years. The new strategy recognizes that didn’t work.

    As recently as a few years ago, many corporate executives perceived cyber threats as theoretical. Now they are obviously anything but.

    It was way back in October 1997 when President Clinton’s Commission on Critical Infrastructure Protection warned of “cyber attacks” that could “paralyze or panic large segments of society” and “limit the freedom of action of our national leadership”—adding, “We must learn to negotiate a new geography, where borders are irrelevant and distances meaningless, where an enemy may be able to harm the vital systems we depend on without confronting our military power.”

    A quarter-century later, Biden’s new strategy goes a long distance toward coming to grips with this new geography. But in many ways, we’re still negotiating.

    Reply
  10. Tomi Engdahl says:

    Vulnerabilities Being Exploited Faster Than Ever: Analysis
    https://www.securityweek.com/vulnerabilities-being-exploited-faster-than-ever-analysis/

    The time from vulnerability disclosure to exploitation is decreasing, according to a new intelligence report from Rapid7.

    In 2022, the widespread exploitation of new vulnerabilities was down 15% over the previous year; zero-day attacks declined 52% from 2021; and there were 33% fewer vulnerabilities known to have been exploited as part of a ransomware attack. On the surface, it might appear that things were easier for security teams last year. That would be wrong.

    The figures are taken from Rapid7’s 2022 Vulnerability Intelligence Report, an annual publication commenced in 2020. The most worrying finding today is the time from vulnerability disclosure to exploitation is decreasing. “A large number of vulnerabilities are being exploited before security teams have any time to implement patches or other mitigations,” Caitlin Condon, senior manager of security research at Rapid7, told SecurityWeek.

    To be precise, 56% of the vulnerabilities in the report were exploited within seven days of public disclosure – a 12% increase over 2021, and an 87% increase over 2020. Resources for triaging and remediating vulnerabilities remain limited, and priorities can be misdirected.

    Reply
  11. Tomi Engdahl says:

    A good example of this was hype emanating from Log4Shell. “Many organizations spent the first weeks (or months) of 2022 working their way down a lengthy list of Log4Shell remediations, taxing IT and security team resources that had already been depleted by shrinking budgets and pandemic exhaustion,” notes the report.
    But after Log4Shell we had Spring4Shell and then Text4Shell. There was, suggests Condon, “a 4Shell cadence given to new vulnerabilities.” This implied they were of the same magnitude as Log4Shell when they were not. But the C-suite saw these reports and asked the security folks, what are we doing? “It’s kind of hard for the security team to reply, ‘yeah, it’s called 4Shell, but it’s stupid and we’re not prioritizing it,’”
    https://www.securityweek.com/vulnerabilities-being-exploited-faster-than-ever-analysis/

    Reply
  12. Tomi Engdahl says:

    Cybercrime
    33 New Adversaries Identified by CrowdStrike in 2022
    https://www.securityweek.com/33-new-adversaries-identified-by-crowdstrike-in-2022/

    CrowdStrike identified 33 new threat actors and campaigns in 2022, including many cybercrime groups and operations.

    Reply
  13. Tomi Engdahl says:

    Why TikTok Is Being Banned on Gov’t Phones in US and Beyond
    https://www.securityweek.com/why-tiktok-is-being-banned-on-govt-phones-in-us-and-beyond/

    So how serious is the threat of using TikTok? Should TikTok users who don’t work for the government be worried about the app, too?

    The United States is ratcheting up national security concerns about TikTok, mandating that all federal employees delete the Chinese-owned social media app from government-issued mobile phones. Other Western governments are pursuing similar bans, citing espionage fears.

    So how serious is the threat? And should TikTok users who don’t work for the government be worried about the app, too?

    The answers depend somewhat on whom you ask, and how concerned you are in general about technology companies gathering and sharing personal data.

    HOW ARE THE U.S. AND OTHER GOVERNMENTS BLOCKING TIKTOK?

    The White House said Monday it is giving U.S. federal agencies 30 days to delete TikTok from all government-issued mobile devices.

    Congress, the White House, U.S. armed forces and more than half of U.S. states had already banned TikTok amid concerns that its parent company, ByteDance, would give user data — such as browsing history and location — to the Chinese government, or push propaganda and misinformation on its behalf.

    The European Union’s executive branch has temporarily banned TikTok from employee phones, and Denmark and Canada have announced efforts to block TikTok on government-issued phones.

    China says the bans reveal the United States’ insecurities and are an abuse of state power. But they come at a time when Western technology companies, including Airbnb, Yahoo and LinkedIn, have been leaving China or downsizing operations there because of Beijing’s strict privacy law that specifies how companies can collect and store data.

    WHAT ARE THE CONCERNS ABOUT TIKTOK?

    Both the FBI and the Federal Communications Commission have warned that ByteDance could share TikTok user data with China’s authoritarian government.

    A law China implemented in 2017 requires companies to give the government any personal data relevant to the country’s national security. There’s no evidence that TikTok has turned over such data, but fears abound due to the vast amount of user data it collects.

    Concerns were heightened in December when ByteDance said it fired four employees who accessed data on two journalists from Buzzfeed News and The Financial Times while attempting to track down the source of a leaked report about the company. TikTok spokesperson Brooke Oberwetter said the breach was an “egregious misuse” of the employees’ authority.

    In Congress, concern about the app has been bipartisan. Congress passed the “No TikTok on Government Devices Act” in December as part of a sweeping government funding package. The legislation does allow for TikTok use in certain cases, including for national security, law enforcement and research purposes.

    The bill has received pushback from civil liberties organizations

    Reply
  14. Tomi Engdahl says:

    https://www.securityweek.com/why-tiktok-is-being-banned-on-govt-phones-in-us-and-beyond/

    WHAT ARE OTHER EXPERTS SAYING?

    While the potential abuse of privacy by the Chinese government is concerning, “it’s equally concerning that the US government, and many other governments, already abuse and exploit the data collected by every other U.S.-based tech company with the same data-harvesting business practices,” said Evan Greer, director of the nonprofit advocacy group Fight for the Future.

    “If policy makers want to protect Americans from surveillance, they should advocate for a basic privacy law that bans all companies from collecting so much sensitive data about us in the first place, rather than engaging in what amounts to xenophobic showboating that does exactly nothing to protect anyone,” Greer said.

    Others say there is legitimate reason for concern.

    WHAT DOES TIKTOK SAY?

    It's unclear how much the government-wide TikTok ban might impact the company. Oberwetter, the TikTok spokesperson, said it has “no way” of knowing whether its users are government employees.

    The company, though, has questioned the bans, saying it has not been given an opportunity to answer questions and that governments were cutting themselves off from a platform beloved by millions.

    “These bans are little more than political theater,” Oberwetter said.

    TikTok CEO Shou Zi Chew is set to testify next month before Congress. The House Energy and Commerce Committee will ask about the company’s privacy and data-security practices, as well as its relationship with the Chinese government.

    Reply
  15. Tomi Engdahl says:

    Privacy
    Internet Access, Privacy ‘Essential for Freedom’: Proton Chief
    https://www.securityweek.com/internet-access-privacy-essential-for-freedom-proton-chief/

    Proton, perhaps best known for its encrypted email service, sees its mission of ensuring privacy and online access as a vital tool in shoring up democracy in the digital age.

    Internet privacy company Proton can spot attacks on democracy in a country before they hit the headlines, simply by watching demand for its services explode, its chief told AFP.

    When Russia blocked access to independent news sites following its invasion of Ukraine a year ago, the small company which provides virtual private networks (VPNs) saw “a 9,000 percent increase in sign-ups over just a period of a few days”, company chief executive Andy Yen said in an interview last week.

    Switzerland-based Proton also saw a huge surge in demand for its VPNs, which are used to skirt online restrictions, in Iran last October as authorities cracked down harder on internet access amid flaring protests following Mahsa Amini’s death in custody.

    “It was a factor of 10 at least,” Yen said.

    Speaking at Proton’s headquarters outside Geneva, the 34-year-old particle physicist, who worked at Europe’s physics lab CERN before founding Proton in 2014, said the company had noticed that spikes in sign-ups “almost match… one-to-one” to places where democracy and freedom are under attack. “If there is a coup happening in Africa, we see it in our data before it makes the news.”

    Severe consequences

    “Privacy is something that is essential for freedom,” said Yen. The Proton chief, who grew up in Taiwan and says the Chinese threat hanging over the democratic island colored his world view, acknowledged the company’s mission had taken on added urgency since Russia’s invasion of its neighbor.

    “We all see in Ukraine how important it is to have digital technologies that protect privacy and give people freedom of information so they can see real news sources,” he said.

    Privacy in focus

    Proton, which began nine years ago with 10,000 users crowd-funding 500,000 euros, today counts more than 70 million users worldwide. The company, Yen said, has pursued a fundamentally different business model than that of big tech companies like Google and Facebook, which offer “free” services in exchange for selling users’ data to advertisers.

    “If you’re a Google user, you’re not Google’s actual customer. What you actually are is a product,” he said.

    Influenced by former US National Security Agency (NSA) contractor Edward Snowden’s disclosures of mass digital spying by US government agencies, Yen said he had been even more concerned about “corporate surveillance, which was much more massive”.

    “If you consider what the NSA might have on you, it’s probably only a drop in the bucket compared to what Google and Facebook have.” Proton does offer free end-to-end encrypted email and VPN services, but instead of compensating by selling user data, it makes its money by selling monthly subscriptions for under $10 for extra features.

    Reply
  16. Tomi Engdahl says:

    CISO Conversations: Code42, BreachQuest Leaders Discuss Combining CISO and CIO Roles
    https://www.securityweek.com/ciso-conversations-code42-breachquest-leaders-discuss-combining-ciso-and-cio-roles/

    The CISO reporting to the CIO remains the most common organizational hierarchy and is a continuing topic of concern. Many CISOs believe there is an unavoidable conflict of interest between smooth running IT and secure IT – but there is a slowly emerging trend that can solve this. Combine both roles under one person.

    This is not the same as the earliest attempts at introducing cybersecurity into a business, where the existing head of IT was told to also look after security. This is the fully emergent head of cybersecurity turning round and being told to also look after IT.

    In this issue of CISO Conversations we talk to two CISOs who have accepted this dual CISO/CIO role: Jadee Hanson at Code42 and Sandy Dunn at BreachQuest (now CISO at Shadowscape).

    Getting the combined role

    There is no current job role defined as CIO/CISO. Dunn believes it is the way of the future, but that it will take another 20 years before it becomes the norm. Her belief is born from a simple conviction: both roles serve the same purpose, which is to help or ensure business profitability. But neither function generates revenue for the business. They are both necessary cost centers, and it makes sense for them to work together as effectively as possible to maximize business efficiency. Combining the roles immediately eliminates any negative effects from a conflict of interest between IT and cybersecurity.

    The biggest drawback to this evolution is that it is only suitable for SMEs – a single person would not be able to handle the complex requirements of both roles in large enterprises.

    Since there is no accepted CISO/CIO role, there is no formal career path that can be followed to achieve it. It is largely a case of being prepared for it and taking the opportunity if and when it arises. Being in the right place at the right time with the right attitude is key.

    For Hanson, who was already CISO, the potential was seen by the CEO because of her approach to cybersecurity. “Sometimes in the CISO role you get very narrowly focused on only protecting the organization,” she explains. “You forget that protecting the organization means taking on enough risk to enable the organization to meet business objectives. Within my security role, one of the things we often talk about and drive within the security program, is how to truly enable the organization to do what it needs to do. Security also means taking on the right risks in the right places.” As a result, she added, the CEO saw her as someone who could seamlessly take on the additional CIO role.

    Dunn has a similar view of the combined value of CISO and CIO, but personally comes from a more tech background.

    She likens the combination of IT and security to a car, where the driver is the business that needs to reach the finish line as quickly and safely as possible. IT provides the engine, but security – whose function is to ensure the vehicle and its driver reach the finish line safely – specifies the air bags, the type of brakes and the standard of tires. These can all affect the performance of the car – and it is this conflict between performance and safety that can lead to disagreements between IT and security.

    The driver, which is the business, doesn’t really care and may not understand the nuances of the different options. The driver’s concern is to get his vehicle to the finish line. Dunn’s view is that this is best achieved when there is harmony between the engine and the brakes and tires, and this is best achieved when they are overseen by one person – a combined CISO/CIO.

    Handling the pressure to improve IT efficiency over IT security

    Sometimes, combining the functions merely displaces the underlying problem of conflicting priorities. The pressure for performance ultimately comes from other business leaders, and the CIO is merely responding to his or her perception of the business requirements. That pressure will still be applied, even if it is now at a combined CISO/CIO rather than the CIO alone.

    There will still be occasions where the CISO has an absolute conviction that an IT solution presents greater security risk than the business allows. This can lead to a new impasse, but now between the CISO/CIO and other business leaders. Both Hanson and Dunn have similar solutions – the business leader or department that wants to accept a risk against the advice of the CISO must sign off on that risk.

    “I require something physical,” said Dunn. “I need the business leader to provide a DocuSign signature, which I can present to the CFO.” Frequently, this requirement is enough to get the business leader to back down. “I can’t think of a single time where I escalated the issue and I wasn’t able to get it turned around,” she added.

    “But a lot of security decisions live in a land of gray,” she continued. “Here, my role is to fully articulate the risk and how it might impact the business so that my peer executive understands.” If the peer accepts the risk and still insists, he or she must document acceptance on a risk ticket. Those risk tickets are regularly reviewed because a company’s risk tolerance changes over time.

    The obvious example is the startup, whose risk tolerance during its growth phase is likely to be higher than an established company. But tolerances can go up or down. “Every year,” said Hanson, “we reevaluate the tickets to see if the risk still makes sense, or if something has changed where we need to go back and add in the mitigation controls.”

    Ethical issues over risk acceptance

    Dunn gives an example of some of the ethical issues that might arise in risk acceptance. In a previous life, when just the CISO, her company had a supply chain where third-party vendors provided goods for resale.

    She had to lay out her concerns for the CEO, which included third-party cybersecurity risk from the supplier over poor security practices, and the potential to harm her own company’s customers through the discounted products. Her case was strong, but it had to be strong enough to deflect the profit motive for the business.

    She raises another ethical issue. What can or should the CISO do if he or she discovers the company is mishandling or wrongfully collecting customer information? Even worse, what should she do if senior management asks her to look the other way, for good business reasons?

    Recruitment

    An interesting area is staff recruitment. Should a CISO/CIO recruit different people for the different roles? IT and cybersecurity, at the engineer level, are completely different functions – but the skills gap applies to both areas. One difference is that IT can be and is taught in schools. This is not so easy for cybersecurity, where the skills are mostly and best learned ‘on the job’. But there is also a difference in psychological skills, which can be described by the statement, ‘IT is a science; cybersecurity is an art’.

    In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

    Reply
  17. Tomi Engdahl says:

    US Officials Make Case for Renewing FISA Surveillance Powers
    https://www.securityweek.com/us-officials-make-case-for-renewing-fisa-surveillance-powers/

    The Biden administration urged Congress to renew the Foreign Intelligence Surveillance Act (FISA) that the government sees as vital in countering overseas terrorism, and cyberattacks.

    Reply
  18. Tomi Engdahl says:

    Ransomware Attacks: Don’t Let Your Guard Down
    https://www.securityweek.com/ransomware-attacks-dont-let-your-guard-down/

    History has shown that when it comes to ransomware, organizations cannot let their guards down.

    A recent report from blockchain data company Chainalysis shows that extortion payments for ransomware declined significantly in 2022. The decrease is attributed to the disruption of major ransomware gangs, a weakening in crypto values, and organizations finally stepping up their cybersecurity practices. According to U.S. Deputy Attorney General Lisa Monaco, the industry has pivoted “to a posture where we’re on our front foot.” Based on her view, companies are more focused on making sure they’re doing everything to prevent attacks in the first place and invest in business continuity and backup software that allow computer systems to restart after they have been infected. Does this mean we can refocus on other attack vectors and tactics?

    Not so fast. A quick Google ransomware search under ‘News’ will reveal plenty of recent high-profile attacks on Dole, the City of Oakland, and Regal Medical Group and illustrate that even if ransomware appears to be slowing down, organizations cannot let their guards down.

    History has shown that cyber adversaries are often adjusting their tactics and techniques to account for evolutions of their victims’ defense strategies before starting a new wave of attacks.

    For instance, threat actors have shifted from just infecting systems with ransomware to multi-faceted extortion where they steal data and threaten to release it to the public or even sell it. In those cases, traditional ransomware defense tools are less effective.

    And while organizations might try to limit their risk exposure to these extortion schemes by taking out cybersecurity insurance policies, going forward this approach might no longer prove efficient. As insurers like Lloyds continue to add restrictions on payouts, including excluding losses related to state-backed cyber-attackers, fewer companies will be able to rely on cybersecurity insurance to mitigate catastrophic risk. Instead, companies need to increase their ransomware preparedness. This is especially true for the recovery of endpoints, which represent an essential tool for remote workers to conduct business in today’s work-from-anywhere environment.

    In this context cyber resiliency plays an important role, allowing businesses to improve their ability to prepare and quickly recover endpoints from ransomware attacks.

    Reply
  19. Tomi Engdahl says:

    Top 10 Security, Operational Risks From Open Source Code
    https://www.securityweek.com/top-10-security-operational-risks-from-open-source-code/

    Endor Labs has introduced an OWASP-style listing of the most important or impactful risks inherent in the use of open source software (OSS).

    Use of OSS is effectively free and readily available – it satisfies the commercial need for speed at low cost in software development. It is not uncommon for more than 80% of modern application code to come from OSS, and it is therefore here to stay (at least until some new technology can provide faster yet still inexpensive software development).

    The problem here is that we know very little about the source of the open source we use. It comes without warranties or SLAs; we are usually unaware of the developers of this development tool; and it can introduce major security risks (just think Log4J) without our awareness.

    Its Station 9 research team has now developed and published a report (PDF) on the Top Ten Open Source Software Risks. The hope is to emulate for OSS what the OWASP Top Ten provides for web application security.

    Unsurprisingly, the current #1 risk is ‘known vulnerabilities’. The Endor description states, “A component version may contain vulnerable code, accidentally introduced by its developers. Vulnerability details are publicly disclosed, for example, through a CVE. Exploits and patches may or may not be available.” Here it is worth noting Rapid7’s research pointing out that 56% of CVE vulnerabilities are exploited within seven days of the public disclosure.

    The remaining nine risks are:

    The compromise of a legitimate package, where attackers may for example inject malicious code to take advantage of a supply chain attack against users of that code
    A name confusion attack, which is like typo-squatting in web-based attacks
    Unmaintained software, where the component may unknowingly no longer be maintained or supported
    Outdated software, where an old version is in use even though a newer version may be available
    Untracked dependencies, perhaps because it is not part of an upstream SBOM
    License and regulatory risk, where – for example – the license may be incompatible with the intended use by a downstream consumer
    Immature software, where the OSS project development may not conform to development best practices
    Unapproved changes, where a component may change without the developers being aware
    Under- or over-sized dependency, where, in the latter case, a component may provide a lot of functionality of which only a fraction may be used

    Reply
  20. Tomi Engdahl says:

    David Shepardson / Reuters:
    The US House Foreign Affairs Committee votes 24 to 16 to advance a bill that would enable President Biden to ban TikTok and other apps considered security risks — The U.S. House Foreign Affairs Committee voted on Wednesday to give President Joe Biden the power to ban Chinese-owned social media app TikTok and other apps.

    U.S. House panel approves bill giving Biden power to ban TikTok
    https://www.reuters.com/technology/us-house-panel-approves-bill-give-biden-power-ban-tiktok-2023-03-01/

    WASHINGTON, March 1 (Reuters) – The U.S. House Foreign Affairs Committee voted on Wednesday along party lines to give President Joe Biden the power to ban Chinese-owned TikTok, in what would be the most far-reaching U.S. restriction on any social media app.

    Lawmakers voted 24 to 16 to approve the measure to grant the administration new powers to ban the ByteDance-owned app – which is used by over 100 million Americans – as well as other apps considered security risks.

    “TikTok is a national security threat … It is time to act,” said Representative Michael McCaul, the Republican chair of the committee who sponsored the bill.

    Democrats opposed the bill, saying it was rushed and required due diligence through debate and consultation with experts. The bill does not precisely specify how the ban would work, but gives Biden power to ban any transactions with TikTok, which in turn could prevent anyone in the United States from accessing or downloading the app on their phones.

    The bill would also require Biden to impose a ban on any entity that “may” transfer sensitive personal data to an entity subject to the influence of China.

    TikTok has come under increasing fire in recent weeks over fears that user data could end up in the hands of the Chinese government, undermining Western security interests.

    Reply
  21. Tomi Engdahl says:

    GitHub Secret Scanning Now Generally Available
    https://www.securityweek.com/github-secret-scanning-now-generally-available/

    GitHub this week made secret scanning generally available and free for all public repositories.

    Code-hosting platform GitHub this week announced that secret scanning is now generally available for all public repositories, for free.

    Initially released in beta in December 2022, the feature is meant to help organizations and developers identify credentials and secrets (such as tokens and private keys) that might be exposed in their code.

    With secret scanning enabled, developers are notified of any potentially exposed secrets, and can enable alerts across all their repositories.

    “You can enable secret scanning alerts across all the repositories you own to notify you of leaked secrets across your full repository history including code, issues, description, and comments,” GitHub says.

    The feature is backed by over 100 service providers in the GitHub Partner Program and delivers notifications and an audit log even for exposed self-hosted keys, for full visibility into potential risks.

    The alerts for partners, GitHub explains, are automatically delivered for all public repositories, to inform service providers when their secrets are leaked. Whenever a repository is made public, GitHub scans it for secrets that match partner patterns.

    Service providers then decide whether the secret should be revoked and a new secret issued instead, or if they should contact the repository administrator or owner directly, depending on the associated risks.

    Reply
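To make the mechanism behind the post above concrete, here is a small pattern-based secret scanner of the kind described. It is an added example written for this page, not GitHub's scanning engine or its partner pattern list. It uses three publicly documented token shapes (AWS access key IDs begin with "AKIA", GitHub personal access tokens with "ghp_", PEM private keys with a BEGIN ... PRIVATE KEY header) plus a generic "password = '...'" fallback, and reports matches redacted so the report itself does not re-leak the value. The sample input is constructed; the AWS key in it is the documented example value.

```python
import re

# Three provider-specific token formats that are publicly documented.
# This is an illustrative set, not GitHub's partner pattern list.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Fallback for "password = '...'"-style assignments; the minimum length
# keeps trivial placeholders such as "changeme" from firing.
GENERIC_ASSIGNMENT = re.compile(
    r"""(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['"]([^'"]{12,})['"]"""
)


def redact(secret):
    """Keep only the first and last four characters so a finding can be
    shared without re-leaking the value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_line(line):
    """Return (kind, redacted_value) hits for one line. Specific patterns
    win; the generic assignment check only runs when none of them matched,
    so a single token is not reported twice."""
    hits = [(kind, redact(m.group(0)))
            for kind, pat in SPECIFIC_PATTERNS.items()
            for m in pat.finditer(line)]
    if not hits:
        hits = [("generic_assignment", redact(m.group(1)))
                for m in GENERIC_ASSIGNMENT.finditer(line)]
    return hits


def scan_text(text):
    """Scan a blob (file contents, issue body, commit message) and return
    (line_number, kind, redacted_value) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, value in scan_line(line):
            findings.append((lineno, kind, value))
    return findings


# Constructed sample input: the AWS key is the documented example value and
# the other strings are made up with the right shape, not real credentials.
SAMPLE = """# constructed config file for the example
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN="ghp_0123456789abcdefghijklmnopqrstuvwxyz"
DB_PASSWORD="correct-horse-battery-staple"
debug_password = "short"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA... (truncated in the sample)
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE):
        print(f"line {lineno}: {kind}: {value}")
```

Running it on the sample reports four findings (lines 2, 3, 4 and 6); the short debug password on line 5 is ignored by the length threshold. A real deployment would add provider-specific validation (checksums, prefix lists) and scan history and issues as the post describes, not just the working tree.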
  22. Tomi Engdahl says:

    New CISA Tool ‘Decider’ Maps Attacker Behavior to ATT&CK Framework
    https://www.securityweek.com/new-cisa-tool-decider-maps-attacker-behavior-to-attck-framework/

    CISA has released a free and open source tool that makes it easier to map an attacker’s TTPs to the Mitre ATT&CK framework.

    The US Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday announced the release of a free and open source tool designed to help defenders map attacker behavior to the Mitre ATT&CK framework.

    The new tool, named Decider, was developed in partnership with the Homeland Security Systems Engineering and Development Institute (HSSEDI) and Mitre. Decider makes the mapping process easier by asking the user a series of questions about the adversary’s activity in their network.

    The tool also provides search and filtering functionality, and allows users to export the results to common formats.

    Decider is available on GitHub, but since it’s a web application it must be hosted somewhere before it can be used. CISA has published a fact sheet and a blog post to help defenders get started with Decider.

    https://github.com/cisagov/Decider/
    https://www.cisa.gov/sites/default/files/2023-03/decider_fact_sheet_508c.pdf
    https://www.cisa.gov/news-events/news/helping-cyber-defenders-decide-use-mitre-attck

    Reply
  23. Tomi Engdahl says:

    White House Releases National Cybersecurity Strategy
    https://www.securityweek.com/white-house-releases-national-cybersecurity-strategy/

    US National Cybersecurity Strategy pushes regulation, aggressive ‘hack-back’ operations.

    Reply
  24. Tomi Engdahl says:

    White House Releases National Cybersecurity Strategy
    https://www.securityweek.com/white-house-releases-national-cybersecurity-strategy/

    The strategy, divided by five pillars, seeks to:

    Defend Critical Infrastructure
    Disrupt and Dismantle Threat Actors
    Shape Market Forces to Drive Security and Resilience
    Invest in a Resilient Future
    Forge International Partnerships to Pursue Shared Goals

    Reply
  25. Tomi Engdahl says:

    Advancing Women in Cybersecurity – One CMO’s Journey
    https://www.securityweek.com/advancing-women-in-cybersecurity-one-cmos-journey/

    Anna Tutt, CMO of Oort, shares her experiences and perspectives on how we can accelerate growth of women in cybersecurity.

    Reply
  26. Tomi Engdahl says:

    https://www.securityweek.com/advancing-women-in-cybersecurity-one-cmos-journey/

    The number of women in cybersecurity is on the rise. Recent research finds women hold 25% of cybersecurity jobs globally in 2022, up from 20% in 2019, and projected to reach 30% by 2025 and 35% by 2031. While the trend is moving in the right direction, women are still underrepresented. As an industry, we are leaving untapped talent on the table which we can ill-afford to do given the ongoing cybersecurity workforce gap.

    Reply
  27. Tomi Engdahl says:

    POLICE SAY THEY USED GENEALOGY DATABASE TO ARREST IDAHO MURDER SUSPECT
    USING GENEALOGY DATABASES TO SOLVE HIGH-PROFILE CRIMES IS BECOMING STANDARD.
    https://futurism.com/neoscope/genealogy-database-idaho-murders-suspect

    While it’s a relatively recent phenomenon, genealogy databases have proven to be a boon to investigators who may otherwise run into dead ends, mostly due to the fact that suspects don’t need to have ever sent their own DNA to an ancestry database. Instead, the databases allow investigators to follow genetic threads, connecting dots between close and distant relatives until they can identify a viable suspect.

    “If you’re white, live in the United States, and a distant relative has uploaded their DNA to a public ancestry database,” Science.org noted back in 2021, “there’s a good chance an internet sleuth can identify you from a DNA sample you left somewhere.”

    In other words, someone with a penchant for doing crime may see the value in keeping their genetic information away from 23andMe, but if their distant Aunt Suzy decides that she wants to map her family tree? They’re in trouble.

    This isn’t the first time that such databases have been used to identify a high-profile murderer.

    Reply
  28. Tomi Engdahl says:

    Industry Experts Analyze US National Cybersecurity Strategy
    https://www.securityweek.com/feedback-friday-industry-reactions-to-us-national-cybersecurity-strategy/

    Feedback Friday: Industry professionals commented on various aspects of the new national cybersecurity strategy, its impact, and implications.

    The White House has released its National Cybersecurity Strategy, seeking to shift the burden for managing cyber risk from individuals and small businesses to tech companies, while taking a more offensive approach to dealing with threat actors.

    The strategy focuses on five pillars: defending critical infrastructure, disrupting and dismantling threat groups, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships to pursue shared goals.

    Industry professionals have commented on various aspects of the new cybersecurity strategy, its impact, and implications.

    “There’s a lot to like here. It just lacks a lot of specifics,” Valeriano commented. “They produce a document that speaks very much to regulation at a time when the United States is very much against regulation.”

    “Even amid the surging cybercrime, shifting the cybersecurity burden to software developers and tech solution providers may seem an unduly harsh move, however, economically speaking it makes perfect sense.”

    Software vendors will certainly argue that they will be required to raise their prices, eventually harming the end users and innocent consumers. This is, however, comparable to carmakers complaining about “unnecessarily expensive” airbag systems and seatbelts, arguing that each manufacturer should have the freedom to build cars as it sees fit.

    Most industries – apart from software – are already comprehensively regulated in most of the developed countries: you cannot just manufacture what you want without a license or without following prescribed safety, quality and reliability standards. Software and SaaS solutions shall be no exception to that.

    That being said, overregulation or bureaucracy will certainly be harmful and rather produce a counterproductive effect. The technical scope, timing of implementation and niche-specific requirements for tech vendors will be paramount for the eventual success or failure of the proposed legislation. Unnecessarily burdensome or, contrariwise, formalistic and lenient security requirements will definitely bring more harm than good.

    “Would you consent to undergoing a surgical procedure performed by a newly graduated individual who possesses exceptional proficiency in performing surgeries on cats? Furthermore, why would you entrust the same individual with the task of developing software for your pacemaker? While the answer to the former question will be negative, as a society, we permit the latter to occur. The IT industry has demonstrated remarkable adeptness in evading warranties on their products and offering them for sale ‘as is.’ This apparent lack of accountability is unprecedented in other industries, such as healthcare and construction.”

    “The newly released National Cyber Strategy is a huge step in the right direction for the world in the fight against cybercrime and state-driven adversaries.”

    David Lindner, CISO, Contrast Security:

    “The current US Federal government administration is really driving the need to beef up the collective defensive and offensive capabilities within both the private and public sectors. It all started with President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity. This EO quickly morphed into many other key initiatives and operational directives such as Operational Directive 22-01 and OMB 22-18. Operational Directive 22-01 and 22-18, along with this new national cybersecurity strategy, have one distinct thing in common; we need to do a much better job of understanding, exposing, and fixing the security issues in our software.

    This new strategy states, “Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance.” Those of us in the technology sector have known this for a very long time. As of today, the average number of new Common Vulnerabilities and Exposures released per day in 2023 sits at 76.9 (per CVE.icu) and that doesn’t include the fact that on average a software application has 25 vulnerabilities in their custom code (data source: Contrast Security).

    Cody Cornell, co-founder, chief strategy officer, Swimlane:

    “The White House is calling for new regulation that is not only for critical infrastructure, but sector-specific regulatory frameworks. While the idea of sector-specific frameworks is a good one, these frameworks are not one size fits all and have specific guidance and controls that can be very beneficial. There is a lot of work to be done on defining the sectors, the frameworks, getting buy-in and providing guidance on not just implementation, but how they will be measured and enforced, because a framework with no enforcement is entirely voluntary and runs contrary to the goal of rebalancing the responsibility of defending cyberspace. As we’ve seen as an industry, getting a standard built, especially a collaborative one, can be extremely time-consuming, and the ability for it to become watered down and lack the teeth to drive change is always a risk in the development and refinement process.

    An interesting element of the first pillar of the strategy is to create and institute incentives that ensure that low-margin sectors or disincentivized sectors might have the economic support to implement or, at a sector level, may become mandatory across every provider in a sector, reducing the often-seen fight between doing what is right from a security perspective, with the concern that a competitor may forgo those same costs and be able to achieve a lower cost for the market or higher margins.

    “The National Cybersecurity Strategy lays out a lot of great high-level ideas with the goal of modernizing the federal government’s cybersecurity strategy with the understanding that it needs help from across the government and the private sector, but does leave some questions unanswered around the speed and ability to execute inside the windows of an Executive administration and its inevitable changes in leadership that come at a longest in eight-year cycle. Like almost everything in cybersecurity, real progress is not just made with strategy, but in detailed hands-on work.”

    “While we applaud the administration’s goal to build out our national cyber workforce under Strategic Objective 4.6 and develop our nation’s next generation of cyber talent, it unfortunately doesn’t move the needle on what needs to be done to strengthen the workforce we have today. In any type of life safety field—and that is exactly what cyber security of critical infrastructure represents—the need for ongoing training and readiness is integral.

    The cyber threat landscape changes daily, with critical infrastructure sectors being the targets of the most advanced, nation-state backed APTs, so we can’t depend on a yearly training certificate to be confident that our infrastructure is being protected.

    “The 2023 National Cybersecurity Strategy acknowledges the benefits of cloud-based services, such as operational resilience for critical infrastructure and enabling scalable, more affordable cybersecurity practices – while acknowledging there are gaps in cloud security at the federal level.

    We encourage all enterprises – including the federal government – to use agile data security tools that allow for automated continuous monitoring of data assets — especially after the shift to the cloud is complete.

    Jim Richberg, public sector field CISO, VP of information security, Fortinet:

    “Part of the focus of the new national strategy is on transferring much of the responsibility for mitigating cyber risk away from end-users such as individuals, small businesses and small critical infrastructure operators like local utilities. Such groups are typically under-resourced and short on cyber expertise compared to organizations like technology providers and large corporations or government agencies, who are better able to deal with cyber risks systemically. As the U.S. government works to implement this strategy, ongoing partnership and collaboration between private and public organizations must be integrated into these efforts.

    Cybersecurity is everyone’s concern. Our national cyber strategy will help define goals and roles for stakeholders ranging from government to individuals. Perfect cybersecurity is unattainable, but the goal we strive for should be focused on building cyber resilience, on maximizing cybersecurity while simultaneously taking steps to minimize the consequences of the inevitable failures that can occur in security. As a nation, we need to plan to succeed, but to be prepared to deal with failure as well.”

    Reply
  29. Tomi Engdahl says:

    2023 Browser Security Report Uncovers Major Browsing Risks and Blind Spots
    https://thehackernews.com/2023/03/2023-browser-security-report-uncovers.html

    Reply
  30. Tomi Engdahl says:

    WithSecure unveiled a new antidote to the harsh tricks of online extortionists
    Janne Heleskoski 23.2.2023 15:51 | updated 23.2.2023 15:51
    WithSecure’s new technology is an ”undo button” for ransomware.
    https://www.tivi.fi/uutiset/withsecure-esitteli-uuden-vastalaakkeen-nettikiristajien-rajuille-tempuille/29639c55-02d3-453a-9690-4ce3ec936377

    Reply
  31. Tomi Engdahl says:

    ChatGPT, Bing, And The Upcoming Security Apocalypse
    https://hackaday.com/2023/03/04/chatgpt-bing-and-the-upcoming-security-apocalypse/

    Most security professionals will tell you that it’s a lot easier to attack code systems than it is to defend them, and that this is especially true for large systems. The white hat’s job is to secure each and every point of contact, while the black hat’s goal is to find just one that’s insecure.

    Whether black hat or white hat, it also helps a lot to know how the system works and exactly what it’s doing. When you’ve got the source code, either because it’s open-source, or because you’re working inside the company that makes the software, you’ve got a huge advantage both in finding bugs and in fixing them. In the case of closed-source software, the white hats arguably have the offsetting advantage that they at least can see the source code, and peek inside the black box, while the attackers cannot.

    Is There An Antidote To The Black Box Problem Of NLP
    https://analyticsindiamag.com/is-there-an-antidote-to-the-black-box-problem-of-nlp/

    The opacity of NLP models, in particular, makes training and deployment of models like T5 and GPT-3 extremely difficult since they are opaque in their knowledge representation and backing claims with provenance.

    Reply
  32. Tomi Engdahl says:

    CrowdStrike 2023 Global Threat Report
    https://www.crowdstrike.com/global-threat-report/
    CrowdStrike looking back to 2022 with a 42-page report. Some key highlights explained by Forbes:
    https://www.forbes.com/sites/tonybradley/2023/03/03/crowdstrike-report-highlights-crucial-shift-in-ransomware-tactics/

    Reply
  33. Tomi Engdahl says:

    Huge lithium discovery could end world shortages … Oh, wait, it’s in Iran https://www.theregister.com/2023/03/04/lithium_iran_china_shortage/
    “The reserve is said to be 8.5 million metric tons, which – if accurate – would be among the largest known deposits yet discovered.
    Iran two years ago signed a 25-year strategic cooperation agreement with China, so its newfound lithium wealth also looks likely to strengthen China’s already extensive control of the supply chain for strategically and economically important minerals.”

    Reply
  34. Tomi Engdahl says:

    SBOMs should be a security staple in the software supply chain https://www.theregister.com/2023/03/05/sboms_supply_chain_security/
    A software bill of materials (SBOM) is an inventory of the components in a piece of software, a crucial tool at a time when applications are a collection of code from multiple sources, many from outside an organization’s development team. Know the ingredients before mixing the code. Oh and pay open source maintainers for goodness’ sake.

    Reply
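The Endor Labs top-ten list quoted earlier in this thread and the SBOM post above describe the same problem from two sides: an SBOM only pays off if something actually checks it against the risks on that list. The script below is an added example written for this page, not Endor Labs' or anyone else's tooling. It loads a constructed CycloneDX-style SBOM fragment and, using constructed registry metadata, an advisory table with a placeholder id, a small allowlist of popular package names and a constructed lock file, flags five of the listed risk classes: known vulnerability, name confusion (look-alike names within Levenshtein distance 2 of a popular package), outdated version, unmaintained component (no release for two years) and untracked dependency (installed but absent from the SBOM). All package names, versions and dates are invented.

```python
import json
from datetime import date

# Constructed CycloneDX-style SBOM fragment. The "components" list and its
# name/version/purl fields follow CycloneDX's layout; the packages are invented.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "requests",  "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
    {"type": "library", "name": "reqeusts",  "version": "0.0.3",  "purl": "pkg:pypi/reqeusts@0.0.3"},
    {"type": "library", "name": "oldparse",  "version": "1.2.0",  "purl": "pkg:pypi/oldparse@1.2.0"},
    {"type": "library", "name": "widgetlib", "version": "3.0.0",  "purl": "pkg:pypi/widgetlib@3.0.0"}
  ]
}"""

# Constructed registry metadata the checks consult (latest release and its date).
REGISTRY = {
    "requests":  {"latest": "2.28.2", "last_release": date(2023, 1, 12)},
    "reqeusts":  {"latest": "0.0.3",  "last_release": date(2022, 11, 3)},
    "oldparse":  {"latest": "1.2.0",  "last_release": date(2017, 5, 20)},
    "widgetlib": {"latest": "3.1.0",  "last_release": date(2023, 2, 1)},
}
# Constructed advisory table keyed by (name, version); the id is a placeholder.
ADVISORIES = {("widgetlib", "3.0.0"): "CVE-0000-0001 (placeholder id)"}
# Widely used package names that a look-alike might imitate (constructed allowlist).
POPULAR = {"requests", "numpy", "flask"}
# What the build actually installed (constructed lock file); anything here but
# missing from the SBOM is an untracked dependency.
LOCKFILE = {"requests": "2.28.1", "reqeusts": "0.0.3", "oldparse": "1.2.0",
            "widgetlib": "3.0.0", "leftpad": "1.0.0"}

UNMAINTAINED_AFTER_DAYS = 2 * 365


def version_tuple(v):
    """Numeric comparison of dotted versions (sufficient for the sample data)."""
    return tuple(int(p) for p in v.split("."))


def edit_distance(a, b):
    """Levenshtein distance; a transposition such as reqeusts/requests scores 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(sbom_json, today=date(2023, 3, 6)):
    """Return (component, risk, detail) findings for the risk classes that can
    be checked from an SBOM plus registry metadata."""
    findings = []
    listed = set()
    for comp in json.loads(sbom_json)["components"]:
        name, ver = comp["name"], comp["version"]
        listed.add(name)
        if (name, ver) in ADVISORIES:
            findings.append((name, "known-vulnerability", ADVISORIES[(name, ver)]))
        if name not in POPULAR:
            for popular in sorted(POPULAR):
                if edit_distance(name, popular) <= 2:
                    findings.append((name, "name-confusion", f"resembles {popular}"))
        meta = REGISTRY.get(name)
        if meta is None:
            findings.append((name, "unknown-provenance", "not found in registry"))
            continue
        if version_tuple(ver) < version_tuple(meta["latest"]):
            findings.append((name, "outdated", f"{ver} < {meta['latest']}"))
        if (today - meta["last_release"]).days > UNMAINTAINED_AFTER_DAYS:
            findings.append((name, "unmaintained", f"last release {meta['last_release']}"))
    for name in LOCKFILE:
        if name not in listed:
            findings.append((name, "untracked-dependency", "installed but absent from SBOM"))
    return findings


if __name__ == "__main__":
    for name, risk, detail in assess(SBOM_JSON):
        print(f"{name:10} {risk:22} {detail}")
```

On the sample it produces six findings: the look-alike "reqeusts" is flagged for name confusion while the genuine "requests" is not, "widgetlib" is both vulnerable and outdated, "oldparse" is unmaintained, and "leftpad" is installed without appearing in the SBOM. The remaining risks on the Endor list (licence, immaturity, unapproved changes, dependency sizing) need data an SBOM does not carry and would be separate checks.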
  35. Tomi Engdahl says:

    2023 Browser Security Report Uncovers Major Browsing Risks and Blind Spots
    https://thehackernews.com/2023/03/2023-browser-security-report-uncovers.html
    The key report findings
    1. Over half of all the browsers in the enterprise environment are misconfigured. While a configured browser is nearly impossible to compromise, stealing data from misconfigured browsers is like taking candy from a baby. The leading misconfigurations are improper use of personal browser profiles on work devices (29%), poor patching routine (50%), and the use of corporate browser profiles on unmanaged devices.
    2. 3 of every 10 SaaS applications are non-corporate shadow SaaS, and no SaaS discovery/security solution can address its risks. Shadow SaaS, and more than that, shadow identities, are the number one source for enterprise data loss. No existing data security tool (whether it is a traditional DLP or a DSPM) has access or control to what employees can do on their own personal applications.
    3. Attackers adopt evasive attack techniques that neither email security nor network security tools can detect. Advanced browser-borne attack techniques, such as the use of SaaS applications to distribute malware or abusing high-reputation sites for phishing, have become a threat commodity.
    4. Traditional security tools miss over half of those attack vectors at zero hour, making targeted browser attacks into a leading cause for enterprise breaches.
    5. Most browser risks may lead to identity theft. Weak passwords, misconfigurations and SaaS security issues all circulate around the digital identity. This depressing finding outlines a main pain point – the digital identities are still the corporate Achilles heel.

    https://go.layerxsecurity.com/2023-browser-security-annual-report?utm_source=THN

    Reply
  36. Tomi Engdahl says:

    CrowdStrike Report Highlights Crucial Shift In Ransomware Tactics
    https://www.forbes.com/sites/tonybradley/2023/03/03/crowdstrike-report-highlights-crucial-shift-in-ransomware-tactics/?sh=498f121a63f1

    CrowdStrike released the 9th annual edition of its Global Threat Report this week. The 42-page report reveals insights on threat actor behavior, tactics, and trends from the past year—tracking activities of more than 200 cyber adversaries. There are a number of interesting findings and notable trends in the 2023 Global Threat Report, but what stands out is the changing dynamics of ransomware attacks.

    Here are some of the key highlights from the report:

    · 71% of attacks detected were malware-free (up from 62% in 2021), and interactive intrusions (hands on keyboard activity) increased 50% in 2022—Outlining how sophisticated human adversaries increasingly look to evade antivirus protection and outsmart machine-only defenses.

    · 112% year-over-year increase in access broker advertisements on the dark web—Illustrating the value of and demand for identity and access credentials in the underground economy.

    · Cloud exploitation grew by 95% and the number of cases involving ‘cloud-conscious’ threat actors nearly tripled year-over-year—More evidence adversaries are increasingly targeting cloud environments.

    · Adversaries are re-weaponizing and re-exploiting vulnerabilities—Spilling over from the end of 2021, Log4Shell continued to ravage the internet, while both known and new vulnerabilities, like ProxyNotShell and Follina—just two of the more than 900 vulnerabilities and 30 zero-days Microsoft issued patches for in 2022—were broadly exploited as nation-nexus and eCrime adversaries circumvented patches and sidestepped mitigations.

    · eCrime actors moving beyond ransom payments for monetization—2022 saw a 20% increase in the number of adversaries conducting data theft and extortion campaigns.

    · China-nexus espionage surged across all 39 global industry sectors and 20 geographic regions tracked by CrowdStrike Intelligence—Rise in China-nexus adversary activity shows that organizations across the world and in every vertical must be vigilant against the threat from Beijing.

    · Average eCrime breakout time is now 84 minutes—This is down from 98 minutes in 2021, demonstrating the extensive speed of today’s threat actors.

    · The cyber impact of Russia-Ukraine war was overhyped but not insignificant—CrowdStrike saw a jump in Russia-nexus adversaries employing intelligence gathering tactics and even fake ransomware, suggesting the Kremlin’s intent to widen targeting sectors and regions where destructive operations are considered politically risky.

    · An uptick in social engineering tactics targeting human interactions—Tactics such as vishing direct victims to download malware and SIM swapping to circumvent multifactor authentication (MFA).

    New Threats Need New Solutions

    Meyers explained that cybersecurity tools have evolved over time as well—from antivirus, to endpoint protection and, more recently, to endpoint detection and response (EDR) solutions. He stressed, though, “I think data weaponization and data extortion is going to continue to escalate, and it necessitates a different solution.”

    He suggested that what organizations need to defend themselves more effectively from these emerging threats is zero trust. “Zero trust is really critical to what organizations need to be thinking about because we used to say ‘Trust, but verify,’ and now it needs to be ‘Verified and trust.’ We need to change the paradigm and flip it on its head—and that requires additional technology and additional practices inside the organization.”

    Report:
    https://www.crowdstrike.com/global-threat-report/

    From relentless adversaries to resilient businesses

    2022 was a year of explosive, adaptive and damaging threats. Adversaries continue to be relentless in their attacks as they become faster and more sophisticated. CrowdStrike’s 2023 Global Threat Report uncovers notable themes, trends and events across the cyber threat landscape, including:

    33 newly named adversaries in 2022

    200+ total adversaries tracked by CrowdStrike

    95% increase in cloud exploitation

    112% increase in access broker ads on the dark web

    84 minutes average eCrime breakout time

    71% of attacks were malware-free

    Reply
  37. Tomi Engdahl says:

    EPA Mandates States Report on Cyber Threats to Water Systems
    https://www.securityweek.com/epa-mandates-states-report-on-cyber-threats-to-water-systems/

    The Biden administration said it would require states to report on cybersecurity threats in their audits of public water systems, a day after it released a broader plan to protect critical infrastructure against cyberattacks.

    Reply
  38. Tomi Engdahl says:

    Cloud-Native Threats in 2023
    https://www.hackmageddon.com/2023/03/06/cloud-native-threats-in-2023/
    The author created visualizations from cyber attacks, whose information is available via OSINT, which exploited the cloud in one or more stages of the attack chain.

    Reply
  39. Tomi Engdahl says:

    2022 Phishing Insights
    https://v4ensics.gr/phishing/
    “In 2022, V4ensics team analyzed more than 400 phishing sites, in most cases along with the associated e-mails. Upon statistics analysis, the results of the research produced noteworthy findings about the way that phishers perform their malicious activities and target specific entities. These findings are presented in the blog article that follows. In general, postal scams [...] appeared to be on the rise, as V4ensics spotted phishing sites also targeting Norwegian, Romanian, Hungarian, Finnish, Canadian, Slovenian and Maltese postal services.”

    Reply
  40. Tomi Engdahl says:

    Experts Reveal Google Cloud Platform’s Blind Spot for Data Exfiltration Attacks https://thehackernews.com/2023/03/experts-reveal-google-cloud-platforms.html
    “Malicious actors can take advantage of “insufficient” forensic visibility into Google Cloud Platform (GCP) to exfiltrate sensitive data, a new research has found.”

    Reply
  41. Tomi Engdahl says:

    557 CVEs Added to CISA’s Known Exploited Vulnerabilities Catalog in 2022
    https://www.securityweek.com/557-cves-added-to-cisas-known-exploited-vulnerabilities-catalog-in-2022/

    There are nearly 900 vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog, including nearly 100 discovered in 2022.

    There are nearly 900 vulnerabilities in the Known Exploited Vulnerabilities (KEV) catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA), including 557 CVEs that were added in 2022, according to vulnerability intelligence company VulnCheck.

    Reply
  42. Tomi Engdahl says:

    The VulnCheck 2022 Exploited Vulnerability Report – A Year Long Review of the CISA KEV Catalog
    https://vulncheck.com/blog/2022-cisa-kev-review

    Reply
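The two posts above count entries in CISA's KEV catalog; the practical use of the catalog is to turn a scanner's list of unpatched CVEs into a prioritised, deadline-driven work list. The script below is an added example for this page, not VulnCheck's or CISA's code. It parses a constructed sample written in the shape of the KEV JSON feed (a "vulnerabilities" list whose entries carry cveID, vendorProject, product, dateAdded, dueDate and requiredAction), counts additions per year the way the VulnCheck figure is derived, and cross-references a constructed set of scanner findings to rank hosts by how far past the KEV due date they are. The CVE ids, vendors, products and host names are placeholders.

```python
import json
from collections import Counter
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. The ids, vendors and
# products are placeholders, not real catalog entries.
KEV_SAMPLE = """{
  "title": "constructed KEV sample",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp", "product": "Gateway",
     "dateAdded": "2022-01-10", "dueDate": "2022-01-24",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp", "product": "Mailer",
     "dateAdded": "2022-06-02", "dueDate": "2022-06-23",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Router OS",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0004", "vendorProject": "OtherVendor", "product": "Router OS",
     "dateAdded": "2023-02-14", "dueDate": "2023-03-07",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}"""

# Constructed scanner output: (host, CVE id) pairs reported as unpatched.
SCANNER_FINDINGS = [
    ("web-01", "CVE-0000-0002"),
    ("edge-fw", "CVE-0000-0004"),
    ("web-01", "CVE-0000-9999"),   # not in KEV: no known exploitation, lower priority
]


def load_kev(text):
    """Index the feed by CVE id for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def additions_by_year(kev):
    """How many entries were added per calendar year (dateAdded is ISO yyyy-mm-dd)."""
    return Counter(v["dateAdded"][:4] for v in kev.values())


def prioritize(kev, findings, today):
    """Keep only scanner findings that are in KEV and rank them by how many days
    the KEV due date has already been missed, most overdue first."""
    ranked = []
    for host, cve in findings:
        entry = kev.get(cve)
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        ranked.append({
            "host": host,
            "cve": cve,
            "product": f"{entry['vendorProject']} {entry['product']}",
            "due": entry["dueDate"],
            "days_overdue": max((today - due).days, 0),
            "action": entry["requiredAction"],
        })
    ranked.sort(key=lambda r: (-r["days_overdue"], r["due"]))
    return ranked


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    print("added per year:", dict(additions_by_year(kev)))
    for row in prioritize(kev, SCANNER_FINDINGS, date(2023, 3, 6)):
        print(f"{row['host']:8} {row['cve']} {row['product']:24} "
              f"due {row['due']} ({row['days_overdue']} days overdue)")
```

With the sample data and 6 March 2023 as "today", the mailer CVE on web-01 comes out first at 256 days past its due date, the router CVE is due the next day, and the CVE absent from KEV drops out of the list entirely. Against the real feed the same code would give the per-year counts the VulnCheck post reports.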
  43. Tomi Engdahl says:

    New Tool Made by Microsoft and Mitre Emulates Attacks on Machine Learning Systems
    https://www.securityweek.com/new-tool-made-by-microsoft-and-mitre-emulates-attacks-on-machine-learning-systems/

    Microsoft and Mitre release Arsenal plugin to help cybersecurity professionals emulate attacks on machine learning (ML) systems.

    Microsoft and Mitre have announced the release of a new tool designed to help cybersecurity professionals emulate attacks on machine learning (ML) systems.

    Called Arsenal, the tool is a plugin for the Mitre ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) framework, a knowledge base of adversarial tactics, techniques, and case studies.

    ATLAS is meant to raise awareness of the threats to ML systems, while Arsenal helps cybersecurity researchers store and create adversarial tactics, techniques, and procedures (TTPs) defined in ATLAS to interface with CALDERA, the cybersecurity platform that automates adversary emulation.

    Arsenal uses Microsoft’s Counterfit automation tool for running artificial intelligence (AI) security risk assessments as an automated adversarial attack library and enables CALDERA to emulate attacks using the Counterfit library.

    https://github.com/mitre-atlas/arsenal

    Reply
  44. Tomi Engdahl says:

    TSA Requires Aviation Sector to Enhance Cybersecurity Resilience
    https://www.securityweek.com/tsa-requires-aviation-sector-to-enhance-cybersecurity-resilience/

    TSA instructs airport and aircraft operators to improve their cybersecurity resilience and prevent infrastructure disruption and degradation.

    The US Transportation Security Administration (TSA) said on Tuesday that airport and aircraft operators will be required to improve their cybersecurity resilience.

    The agency said the new cybersecurity requirements, issued through an emergency amendment, come in response to the persistent threats against the country’s aviation sector and other critical infrastructure.

    Airport and aircraft operators are required to develop a plan for improving their resilience and preventing infrastructure disruption and degradation. In addition, they need to assess the effectiveness of their measures.

    Aviation organizations that are regulated by the TSA are required to develop network segmentation controls and policies to ensure that OT systems are not disrupted by incidents affecting IT systems, and vice versa.

    In addition, they need to create access control mechanisms to prevent unauthorized access to critical systems, implement incident detection and response policies and procedures, and ensure that their systems are not left unpatched.

    Reply
