InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
The article emphasizes that AI cybersecurity must be multi-layered, like the systems it protects. Cybercriminals increasingly exploit large language models (LLMs) with attacks such as data poisoning, jailbreaks, and model extraction. To counter these threats, organizations must implement security strategies during the design, development, deployment, and operational phases of AI systems. Effective measures include data sanitization, cryptographic checks, adversarial input detection, and continuous testing. A holistic approach is needed to protect against growing AI-related cyber risks.
Benefits and Concerns of AI in Data Security and Privacy
Predictive analytics provides substantial benefits in cybersecurity by helping organizations forecast and mitigate threats before they arise. Using statistical analysis, machine learning, and behavioral insights, it highlights potential risks and vulnerabilities. Despite hurdles such as data quality, model complexity, and the dynamic nature of threats, adopting best practices and tools enhances its efficacy in threat detection and response. As cyber risks evolve, predictive analytics will be essential for proactive risk management and the protection of organizational data assets.
AI raises concerns about data privacy and security, so it is important to ensure that AI tools comply with privacy regulations and protect sensitive information.
AI systems must adhere to privacy laws and regulations, such as GDPR and CPRA, to protect individuals’ information. Compliance ensures ethical data handling practices.
Implementing robust security measures to protect data (data governance) from unauthorized access and breaches is critical. Data protection practices safeguard sensitive information and maintain trust.
1. Predictive Analytics in Cybersecurity
Predictive analytics offers substantial benefits by helping organizations anticipate and prevent cyber threats before they occur. It leverages statistical models, machine learning, and behavioral analysis to identify potential risks. These insights enable proactive measures, such as threat mitigation and vulnerability management, ensuring an organization’s defenses are always one step ahead.
2. AI and Data Privacy
AI systems raise concerns regarding data privacy and security, especially as they process sensitive information. Ensuring compliance with privacy regulations like GDPR and CPRA is crucial. Organizations must prioritize safeguarding personal data while using AI tools to maintain trust and avoid legal ramifications.
3. Security and Data Governance
Robust security measures are essential to protect data from breaches and unauthorized access. Implementing effective data governance ensures that sensitive information is managed, stored, and processed securely, thus maintaining organizational integrity and preventing potential data-related crises.
Recent research shows that Predator spyware, once believed to be inactive due to U.S. sanctions, has resurfaced with improved evasion tactics. Despite efforts to curtail its usage, Predator is still being used in countries like the Democratic Republic of the Congo (DRC) and Angola, where it targets high-profile individuals. Its updated infrastructure makes it more difficult to track victims, underscoring the need for strong cybersecurity defenses. Risk mitigation strategies include regular software updates, enabling lockdown modes, and deploying mobile device management systems. As spyware becomes more sophisticated, international collaboration is crucial to regulating and limiting its spread.
Predator spyware, once linked to Intellexa, has resurfaced after a period of reduced activity, despite sanctions and exposure. The reactivated spyware infrastructure poses renewed threats to privacy and security, as operators have adopted new techniques to obscure their activities, making it harder to track and attribute attacks. With capabilities like remote device infiltration and data exfiltration, governments can secretly monitor citizens and gather sensitive information. Predator’s operators have strengthened their infrastructure by adding another layer of anonymization to their multi-tiered delivery system, making it more difficult to trace the origin and usage of the spyware. Though the attack methods, including “one-click” and “zero-click” exploits, remain similar, the increased complexity of the infrastructure heightens the threat to high-profile individuals such as politicians, executives, journalists, and activists. The expensive licensing of Predator indicates its use is reserved for strategic targets, raising concerns in the European Union, where investigations have uncovered its misuse against opposition figures and journalists in countries like Greece and Poland. To counter the threat of Predator spyware, individuals and organizations should prioritize security measures like regular software updates, device reboots, and lockdown modes. Mobile device management (MDM) systems and security awareness training are also essential in protecting against social engineering and advanced spyware attacks. As the demand for surveillance tools grows, the spyware market continues to expand, with new companies developing increasingly sophisticated tools. While there are ongoing discussions around stricter regulations, particularly following investigations by Insikt Group, the threat of spyware will persist until meaningful international action is taken.
In an era where digital connectivity has become ubiquitous, the line between privacy and surveillance has blurred. Nowhere is this more evident than in the proliferation of spy apps – discreet, powerful tools that grant unprecedented access to the lives of unsuspecting individuals. From tracking location and monitoring communications to covertly capturing audio and video, these applications represent a double-edged sword in the realm of technology.
The rise of artificial intelligence (AI) has introduced new risks in software supply chains, particularly through open-source repositories like Hugging Face and GitHub. Cybercriminals, such as the NullBulge group, have begun targeting these repositories to poison data sets used for AI model training. These poisoned data sets can introduce misinformation or malicious code into AI systems, causing widespread disruption in AI-driven software and forcing companies to retrain models from scratch.
With AI systems relying heavily on vast open-source data sets, attackers have found it easier to infiltrate AI development pipelines. Compromised data sets can result in severe disruptions across AI supply chains, especially for businesses refining open-source models with proprietary data. As AI adoption grows, the challenge of maintaining data integrity, compliance, and security in open-source components becomes crucial for safeguarding AI advancements.
Open-source data sets are vital to AI development, as only large enterprises can afford to train models from scratch. However, these data sets, like LAION 5B, pose risks due to their size, making it difficult to ensure data quality and compliance. Cybercriminals exploit this by poisoning data sets, introducing malicious information that can compromise AI models. This ripple effect forces costly retraining efforts. The popularity of generative AI has further attracted attackers, heightening the risks across the entire AI supply chain.
The article emphasizes the importance of integrating security into all stages of AI development and usage, given the rise of AI-targeted cybercrime. Businesses must ensure traceability and explainability for AI outputs, keeping humans involved in the process. AI shouldn’t be seen solely as a cost-cutting tool, but rather as a technology that needs robust security measures. AI-powered security solutions can help analysts manage threats more effectively but should complement, not replace, human expertise.
The article discusses the increasing financial impact of cybercrime on businesses, with attacks like ransomware and DDoS causing significant losses. Average costs for DDoS attacks have risen to $6,000 per minute, while ransomware payouts have skyrocketed, with a record-breaking $75 million ransom paid in 2024. Third-party vendor breaches and industry-specific vulnerabilities are also contributing to escalating costs.
Companies are facing growing pressure to address these threats, yet many are struggling with cybersecurity talent shortages and burnout. Despite paying ransoms, recovery costs continue to rise, and cyber insurance often doesn’t cover all expenses. Investing in preventive measures and continuous monitoring is critical to mitigate risks.
The article from IBM emphasizes the critical role of data governance in ensuring high-quality, secure, and accessible data, which is vital for organizations aiming to leverage emerging technologies like AI, ML, and automation.
Effective data governance acts like air traffic control, managing the flow of data to ensure integrity and prevent misuse. Without proper governance, organizations risk basing decisions on inaccurate data or suffering breaches that can lead to financial losses and erode trust. Data governance also ensures organizations have access to real-time, high-quality data, enabling them to make better business decisions, optimize operations, and maintain compliance with regulations.
Establishing an effective data governance framework requires a long-term commitment, collaboration across departments, and thoughtful implementation. Organizations should start small, define roles and responsibilities, secure stakeholder buy-in, and select the right tools to manage data. Continuous monitoring, improvement, and alignment with broader business strategies are essential for sustained success. Strong data security practices, adherence to privacy regulations, and the use of maturity models help organizations build a dynamic governance ecosystem that evolves alongside the business, fostering a culture that views data as a strategic asset.
The IBM blog on AI risk management discusses how organizations can identify, mitigate, and address potential risks associated with AI technologies. AI risk management is a subset of AI governance, focusing specifically on preventing and addressing threats to AI systems. The blog outlines various types of risks—such as data, model, operational, and ethical/legal risks—and emphasizes the importance of frameworks like the NIST AI Risk Management Framework to ensure ethical, secure, and reliable AI deployment. Effective AI risk management enhances security, decision-making, regulatory compliance, and trust in AI systems.
AI risk management can help close this gap and empower organizations to harness AI systems’ full potential without compromising AI ethics or security.
Understanding the risks associated with AI systems
Like other types of security risk, AI risk can be understood as a measure of how likely a potential AI-related threat is to affect an organization and how much damage that threat would do.
While each AI model and use case is different, the risks of AI generally fall into four buckets:
Data risks
Model risks
Operational risks
Ethical and legal risks
The NIST AI Risk Management Framework (AI RMF)
In January 2023, the National Institute of Standards and Technology (NIST) published the AI Risk Management Framework (AI RMF) to provide a structured approach to managing AI risks. The NIST AI RMF has since become a benchmark for AI risk management.
The AI RMF’s primary goal is to help organizations design, develop, deploy and use AI systems in a way that effectively manages risks and promotes trustworthy, responsible AI practices.
Developed in collaboration with the public and private sectors, the AI RMF is entirely voluntary and applicable across any company, industry or geography.
The framework is divided into two parts. Part 1 offers an overview of the risks and characteristics of trustworthy AI systems. Part 2, the AI RMF Core, outlines four functions to help organizations address AI system risks:
Govern: Creating an organizational culture of AI risk management
Map: Framing AI risks in specific business contexts
Predictive analytics offers significant benefits in cybersecurity by allowing organizations to foresee and mitigate potential threats before they occur. Using methods such as statistical analysis, machine learning, and behavioral analysis, predictive analytics can identify future risks and vulnerabilities. While challenges like data quality, model complexity, and evolving threats exist, employing best practices and suitable tools can improve its effectiveness in detecting cyber threats and managing risks. As cyber threats evolve, predictive analytics will be vital in proactively managing risks and protecting organizational information assets.
Trust Me: ISO 42001 AI Management System is the first book about the most important global AI management system standard: ISO 42001. The ISO 42001 standard is groundbreaking. It will have more impact than ISO 9001 as autonomous AI decision making becomes more prevalent.
Why Is AI Important?
AI autonomous decision making is all around us. It is in places we take for granted such as Siri or Alexa. AI is transforming how we live and work. It is critical that we understand and trust this prevalent technology:
“Artificial intelligence systems have become increasingly prevalent in everyday life and enterprise settings, and they’re now often being used to support human decision making. These systems have grown increasingly complex and efficient, and AI holds the promise of uncovering valuable insights across a wide range of applications. But broad adoption of AI systems will require humans to trust their output.” (Trustworthy AI, IBM website, 2024)
Narrow AI (Weak AI): AI systems that are designed and trained for a specific task, such as facial recognition, language translation, or playing chess. These systems operate under a limited set of constraints and do not possess general intelligence. Examples include Siri, Alexa, and IBM’s Watson.
General AI (Strong AI): A theoretical form of AI that would have the ability to learn, understand, and apply intelligence across a wide range of tasks, much like a human being. General AI does not yet exist and remains a goal for future development.
Superintelligent AI: A hypothetical AI that surpasses human intelligence across all aspects, including creativity, decision-making, and emotional intelligence. This type is purely speculative at this point and often discussed in the context of ethical considerations and long-term AI safety.
2. Based on Functionality
Reactive Machines: The most basic type of AI that can only react to current situations without any memory or understanding of the past. An example is IBM’s Deep Blue, which played chess without learning from previous games.
Limited Memory: AI systems that can use past experiences or data to make decisions, albeit temporarily. Most modern AI applications, like self-driving cars, fall into this category as they use historical data to make real-time decisions.
Theory of Mind: This type of AI is in the conceptual stage and aims to understand human emotions, beliefs, and thoughts, and interact socially. Theory of Mind AI is not yet realized but is an area of active research.
Self-Aware AI: The most advanced form of AI, which would have its own consciousness, self-awareness, and emotions. This type does not currently exist and is largely a subject of science fiction and philosophical debate.
3. Based on Learning Techniques
AI comes in many forms. And while the general process of automated technology carrying out a series of tasks remains consistent, how and why this happens will vary. Here are some examples of different types of AI which you might come across.
Deep Learning
An evolution of machine learning, this more thorough approach sees AI programmed in such a way that they’re able to identify images, sounds, and text without the need for human input. While with machine learning you may have to physically describe an image to AI, with deep learning they will be able to process and understand it themselves.
Natural Language Processing (NLP)
If you’ve ever spoken to Siri, Alexa, or any other virtual assistant, you will have interacted with NLP. This technology is able to comprehend, manipulate, and generate human language in a way that allows it to have its very own “voice”. NLP can understand questions you give it, then respond accordingly. It can also be used in text form, such as a chatbot on a website.
Computer vision
This futuristic form of tech allows computers to interpret and analyze the human world through the classification of images and objects. In doing so, it allows an AI to see the world through the eyes of a living person. This kind of technology is most commonly associated with driverless cars, where the vehicle needs to be able to process the world around it as a normal driver would.
Machine Learning
This AI approach sees a series of data and algorithms run to formulate a picture of how a human would approach a situation or task. Over time, the program is able to adapt and even learn more about the human thinking process, which helps it to improve its overall accuracy.
Generative AI
A popular online fad in 2023, generative AI is the name given to technology which is able to create images, text, or other media independently. A user simply needs to input what they want created, with the AI able to draw on their input training to produce something that has similar characteristics.
Speech recognition
One of the oldest forms of AI, this tech is able to understand and interpret what you’re saying out loud, then convert it into text or audio format. This kind of technology is often confused with voice recognition – which instead of transcribing what you’re saying, will instead only be able to recognise the voice of the user.
Robotic Process Automation (RPA)
RPA is software that makes it easier to build, deploy, and manage robots that emulate human interactions. The robotic helpers are able to carry out a number of tasks virtually, at speeds which humans would be incapable of replicating.
DISC LLC, located in Sonoma County, CA, is dedicated to offering premier information security services. As a consultant specializing in information security, we pride ourselves on helping businesses across the United States build resilient security programs.
Our Expertise
vCISO Services
When are vCISO services most appropriate? Our expert virtual Chief Information Security Officer (vCISO) services are designed to build a robust security program that effectively detects and mitigates risks. Reach out to us today to develop a security program tailored to today’s challenges.
ISO 27001 and ISMS Implementation
We specialize in implementing ISO 27001 standards and establishing Information Security Management Systems (ISMS) that ensure your organization’s compliance with the highest industry standards. Achieve certification and maintain a strong competitive edge in security compliance.
Our detailed security risk assessment services identify potential threats and vulnerabilities in your systems. By understanding these risks, we develop strategic measures to counteract them, safeguarding your business from data breaches and other security incidents.
Ensuring Security Compliance – GRC Consulting
In the Information Security and Compliance industry, organizations are increasingly seeking services that help them manage the growing complexity of cyber threats and regulatory requirements.
Maintaining security compliance is crucial in today’s digital landscape. DISC LLC helps organizations navigate complex regulatory requirements, ensuring they meet all necessary standards to protect their data and operations.
Overview: As regulations and standards like GDPR, HIPAA, CCPA, and ISO 27001 become stricter, organizations seek expert advice to ensure compliance and reduce risk.
With the rapid adoption of cloud services, securing cloud environments (e.g., AWS, Azure, Google Cloud) is critical. Cloud security solutions focus on protecting data, identities, and workloads in cloud infrastructure.
With regulations like GDPR and CCPA, and with the advent of AI, organizations need to implement measures that protect sensitive data, support data governance, and ensure that personal information is handled according to legal standards.
Protecting sensitive data and complying with privacy regulations is essential. AI systems must be designed to handle data securely and adhere to relevant legal and ethical standards.
Expertise: Our team consists of experienced professionals with extensive knowledge in infosec and compliance.
Customized Solutions: We provide tailored security solutions that align with your unique business needs.
Proactive Approach: Our proactive approach ensures timely detection and mitigation of security risks.
Contact DISC LLC today at info@deurainfosec.com or call us at +17079985164 to learn more about how our services can fortify your organization’s security posture. Build a secure future with DISC LLC.
It’s predicted that more than $1 trillion in IT spending will be directly or indirectly affected by the shift to cloud during the next five years. This is no surprise as the cloud is one of the main digital technologies developing in today’s fast-moving world. It’s encouraging that CEOs recognize that it’s crucial for them to champion the use of digital technologies to keep up with today’s evolving business environment.
However, there are still concerns about using cloud services and determining the best approach for adoption. It’s important to acknowledge that adapting to emerging technologies can be challenging, particularly with the constantly expanding range of products and services. As a business improvement partner, DISC collaborates with clients to identify key drivers and develop best practice standards that enhance resilience.
What Influences Organizations to Store Information on the Cloud?
Organizations should align their business strategy and objectives to determine the most suitable approach to cloud computing. This could involve opting for public cloud services, a private cloud, or a hybrid cloud solution, depending on their resources and priorities.
Security concerns remain the leading barrier to cloud adoption, especially with public cloud solutions. In fact, 91% of organizations are very or moderately worried about the security of public cloud environments. These concerns are not limited to IT departments; 61% of IT professionals believe that cloud data security is also a significant concern for executives.
Despite these challenges, many organizations are influenced by the benefits of managing information on the cloud. These benefits include:
Agility: you can respond more quickly and adapt to business changes
Scalability: cloud platforms are less restrictive on storage, size, and number of users
Cost savings: no physical infrastructure costs or charges for extra storage, exceeding quotas, etc.
Enhanced security: standards and certification can show robust security controls are in place
Adaptability: you can easily adjust cloud services to make sure they best suit your business needs
Continuity: organizations are using cloud services as a backup internal solution
Standards to help you Manage Information on the Cloud
The following standards focus on putting appropriate frameworks and controls in place to manage cloud security.
ISO/IEC 27001 is the international standard for an information security management system (ISMS). It is the foundation of all our cloud security solutions. It describes the requirements for a best practice system to manage information security including understanding the context of an organization, the responsibilities of top management, resource requirements, how to approach risk, and how to monitor and improve the system.
It also provides a generic set of controls required to manage information and ensures you assess your information risks and control them appropriately. It’s relevant to all types of organizations regardless of whether they are involved with cloud services or not, to help with managing information security against recognized best practices.
ISO/IEC 27017 is an international code of practice for cloud security controls. It outlines cloud-specific controls to manage security, building on the generic controls described in ISO/IEC 27002. It’s applicable to both Cloud Service Providers (CSPs) and organizations procuring cloud services.
It provides support by outlining roles and responsibilities for both parties, ensuring all cloud security concerns are addressed and clearly owned. Having ISO/IEC 27017 controls in place is especially important when you procure cloud services that form part of a service you sell to clients.
ISO/IEC 27018 is an international code of practice for Personally Identifiable Information (PII) on public clouds. It builds on the general controls described in ISO/IEC 27002 and is appropriate for any organization that processes PII. This is particularly important considering the changing privacy landscape and focus on protecting sensitive personal data.
All businesses need to continually evolve their cybersecurity management in order to effectively manage the cyber risks associated with cloud use. Request to learn more.
Adopt these standards today to ensure your organization effectively manages data in the cloud.
How to build a world class ISMS:
ISO 27001 serves as the foundation for ISO 27017, ISO 27018, and ISO 27701.
After conducting the risk assessment, it’s essential to compare the controls identified as necessary with those listed in Annex A to ensure no important controls were overlooked in managing the risks. This serves as a quality check for the risk assessment, not as a justification for using or not using any controls from Annex A. This process should be done for each risk identified in the assessment to see if there are opportunities to enhance it.
Any controls that you discover were unintentionally “omitted” from the risk assessment can come from any source (NIST, HIPAA, PCI, or CIS Critical Security Controls) and are not restricted to those in Annex A.
Consider using the CIS Controls to strengthen one of the above frameworks when building your ISMS. The CIS Controls are updated more frequently than the frameworks and are highly effective against the top five attack types found in industry threat data, effectively defending against 86% of the ATT&CK (sub)techniques in the MITRE ATT&CK framework.
Statement of Applicability (SoA) is typically developed after conducting a risk assessment in ISO 27001. The risk assessment identifies the information security risks that the organization faces and determines the appropriate controls needed to mitigate those risks.
In ISO 27001, the Statement of Applicability (SoA) is a key document that outlines which information security controls from Annex A (or from NIST, HIPAA, PCI, or the CIS Critical Security Controls) are applicable to an organization’s Information Security Management System (ISMS). The SoA provides a summary of the controls selected to address identified risks, justifies why each control is included or excluded, and details how each applicable control is implemented. It serves as a reference to demonstrate compliance with ISO 27001 requirements and helps in maintaining transparency and accountability in the ISMS.
The SoA is essential for internal stakeholders and external auditors to understand the rationale behind the organization’s approach to managing information security risks.
Cloud shared responsibilities:
Most companies appear to be operating in the hybrid or public cloud space, often without fully realizing it, and need to gain a better understanding of this environment.
Cloud shared responsibilities refer to the division of security and compliance responsibilities between a cloud service provider (CSP) and the customer. This model outlines who is responsible for specific aspects of cloud security, depending on the type of cloud service being used: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).
The division of responsibilities varies based on the cloud service model:
IaaS: The CSP manages the basic infrastructure, but the customer is responsible for everything else, including operating systems, applications, and data.
PaaS: The CSP manages the infrastructure and platform, while the customer focuses on application development, data management, and user access.
SaaS: The CSP handles most security aspects, including applications and infrastructure, while the customer is primarily responsible for data security and user access management.
Understanding the shared responsibility model is crucial for ensuring that both the CSP and the customer are aware of their respective roles in maintaining cloud security, ensuring compliance, and, last but not least, managing risks in the cloud environment.
In summary, the shift to cloud computing is expected to influence over $1 trillion in IT spending over the next five years as companies increasingly adopt digital technologies to stay competitive. Despite the benefits of cloud computing—such as agility, scalability, cost savings, and enhanced security—many organizations face challenges, particularly around security concerns, which are a major barrier to cloud adoption. To navigate these challenges, businesses need to align their cloud strategies with their objectives, choosing between public, private, or hybrid cloud solutions. Additionally, implementing standards like ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 can help manage cloud security and compliance effectively by providing frameworks for managing information security risks and ensuring data protection. Understanding the shared responsibility model is also crucial for cloud security, as it defines the distinct roles of cloud service providers and customers in maintaining a secure cloud environment.
Welcome to DISC LLC – Your Trusted Computer Security Service Provider
At DISC LLC, we specialize in providing top-notch computer security services to businesses across the United States. Our team of expert consultants is here to help you build a robust security program that effectively detects and mitigates risks. For those looking for comprehensive security solutions, our vCISO services are perfectly tailored to meet today’s challenges.
Why Choose Our vCISO Services?
Our expert virtual Chief Information Security Officers (vCISOs) bring a wealth of experience and knowledge to your organization. We understand the crucial role of information security and offer strategic guidance to establish a solid security foundation. Our services are most appropriate when:
Your business requires an experienced security leader but cannot afford a full-time CISO.
You need to establish or improve your Information Security Management System (ISMS).
Your organization is undergoing a security risk assessment and needs expertise to navigate the process smoothly.
Our Core Services
At DISC LLC, we focus on the most critical aspects of information security.
ISO 27001 Compliance: Achieve and maintain compliance with this international standard for information security management.
Development and implementation of a robust ISMS: We help you build a comprehensive management system to safeguard your information assets.
Comprehensive security risk assessments: Identify, evaluate, and mitigate risks that could potentially impact your organization.
Contact Us
Ready to develop a security program that meets today’s challenges? Reach out to us today.
WordPress admins using the LiteSpeed Cache plugin must update their sites with the latest plugin release to address a critical vulnerability. Exploiting the flaw allows an unauthenticated attacker to take control of target websites.
LiteSpeed Cache Plugin Vulnerability Could Allow Site Takeover
Security researcher John Blackbourn from Patchstack discovered a critical privilege escalation vulnerability in the LiteSpeed Cache plugin. LiteSpeed Cache for WordPress offers an exclusive server-level cache and numerous site optimization features. The plugin has over 5 million active installations, which shows its popularity among WordPress users and also means that any vulnerability in it potentially threatens millions of websites. Specifically, the vulnerability existed in the plugin’s crawler feature, which includes user simulation functionality that performs crawler requests as authenticated users. Due to a weak security hash in this feature, the plugin allowed an unauthenticated adversary to spoof an authenticated user and gain elevated site privileges. The worst exploitation scenarios even allowed the installation of malicious plugins and a complete site takeover. This vulnerability, identified as CVE-2024-28000, received a critical severity rating and a CVSS score of 9.8. It affected all plugin releases until 6.3.0.1. Detailed technical analysis of the vulnerability is available in the recent post from Patchstack.
Vulnerability Patched With Latest Plugin Release
Upon noticing the vulnerability, Blackbourn responsibly disclosed the flaw via Patchstack to the plugin developers. In response, the developers patched the vulnerability with the LiteSpeed Cache plugin version 6.4. The researcher also received a $14,400 bounty under the Patchstack Zero Day program for this bug report. Since the patch has arrived, all WordPress admins must update their sites with the latest plugin release to avoid potential threats. Ideally, users should update to the LiteSpeed Cache plugin version 6.4.1, which appears as the latest release on the plugin’s official page.
Deura Information Security Consulting offers comprehensive vCISO services designed to build robust security programs that effectively detect and mitigate risks. Our seasoned consultants will work with you to develop a security strategy tailored to meet today’s challenges.
Achieve Compliance with ISO 27001
Securing your information assets and achieving compliance is crucial. Our experts specialize in assisting businesses with ISO 27001 implementation. Benefit from our extensive experience in information security management systems (ISMS) to ensure your organization meets the stringent requirements of ISO 27001.
Services Offered
vCISO Services: Enhance your organization’s security posture with our virtual Chief Information Security Officer services.
ISO 27001 Implementation: Guidance on compliance and certification processes to achieve ISO 27001.
Security Risk Assessment:
Information Security Management Systems (ISMS):
Security Compliance Management:
Why Choose Us
At Deura Information Security Consulting, our focus is on creating and implementing security programs that address your specific needs. Contact us at info@deurainfosec.com or call +1 707-998-5164 to schedule a consultation.
Our extensive industry knowledge ensures that your security infrastructure is built to detect and mitigate risks effectively. Choose Deura Information Security Consulting for expert vCISO services and ISO 27001 compliance support.
Google has announced the release of Chrome 128 to the stable channel for Windows, Mac, and Linux.
This update, Chrome 128.0.6613.84 for Linux and 128.0.6613.84/.85 for Windows and Mac, addresses a critical zero-day vulnerability actively exploited in the wild.
The update includes 38 security fixes, with particular attention to those contributed by external researchers.
Details of the Zero-Day Vulnerability
The Chrome team has been working diligently to address a zero-day vulnerability that has been actively exploited.
The vulnerability, CVE-2024-7971, involves type confusion in V8, Chrome’s open-source JavaScript engine.
The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) reported this flaw on August 19, 2024.
While the specific details of the exploit remain restricted to protect users, the fix’s urgency underscores the vulnerability’s potential severity.
The Chrome team has emphasized that access to bug details and links will remain restricted until most users have updated their browsers.
This precaution ensures that users are protected before the vulnerability details are public, preventing further exploitation.
In addition to the zero-day vulnerability, the Chrome 128 update includes a wide range of security fixes.
Below is a table summarizing the key vulnerabilities addressed in this update:
The configuration contained transport layer security (TLS) bootstrap tokens that the attacker could extract and use to perform a TLS bootstrap attack. This would grant the attacker the ability to read all secrets within the cluster.
Notably, the attack did not require the compromised Pod to be running with hostNetwork enabled or as the root user. This significantly expanded the attack surface.
The attack involved accessing the undocumented Azure WireServer component at http://168.63.129.16/machine/?comp=goalstate and the HostGAPlugin endpoint at http://168.63.129.16:32526/vmSettings.
The attacker could retrieve a key from the WireServer to decrypt protected settings values. They could then request the JSON document from HostGAPlugin, parse it, and Base64 decode it to obtain the encrypted provisioning script (protected_settings.bin).
Using the WireServer key, the attacker could decrypt protected_settings.bin to access the cluster’s provisioning script (cse_cmd.sh). This script contained several secrets as environment variables, including:
The Linux Foundation and OpenSSF released a report on the state of education in secure software development.
…many developers lack the essential knowledge and skills to effectively implement secure software development. Survey findings outlined in the report show nearly one-third of all professionals directly involved in development and deployment (system operations, software developers, committers, and maintainers) self-report feeling unfamiliar with secure software development practices. This is of particular concern as they are the ones at the forefront of creating and maintaining the code that runs a company’s applications and systems.
The report analyzes the dynamics among C-suite executives to better understand issues that prevent risk reduction, stall or complicate compliance, and create barriers to cyber resilience.
CISOs pressured with AI, cybersecurity risk tradeoffs, and budget
While CISOs are often responsible for technology implementation, they are not getting the support they need at a strategic level. Researchers found that 73% of CISOs expressed concern over cybersecurity becoming unwieldy, requiring risk-laden tradeoffs, compared to only 58% of both CIOs and CTOs.
Additionally, 73% of CISOs feel more pressure to implement AI strategies versus just 58% of CIOs and CTOs. These pressures pair with the fact that 66% of CISOs believe reactive budgets cause a lack of proactive cybersecurity measures, compared to 55% of CIOs and 53% of CTOs feeling the same way.
C-suite alignment could clarify cybersecurity priorities
Effective cybersecurity strategies require top-down leadership and alignment with the perspectives of non-C-suite professionals directly involved in technology development, security implementation, and operational support.
CISOs expressed more concern about cybersecurity’s operational and strategic challenges. The missing component is alignment among the different interests represented by the other roles: CTOs were concerned with the impact of compliance on innovation and competitiveness, aligning with their focus on technology development. Conversely, CIOs balance broader strategic perspectives, encompassing risk management, compliance, and adopting new technologies.
Based on roles, it is not surprising most CIOs (92%) are more inclined to embrace uncertainty concerning cyber threats, compared to 81% of CTOs and 75% of CISOs. These differences in tolerance are important to discuss when creating a cybersecurity strategy that considers business priorities.
“Understanding the C-suite’s business priorities is critical for shaping effective cybersecurity strategies,” said Theresa Lanowitz, Chief Evangelist of LevelBlue. “Identifying how these essential roles look at the business helps to ensure alignment among CIOs, CTOs, and CISOs, as well as the teams that report into them. It’s a key first step towards bolstering cyber defenses, especially with the CEO and Board support.”
External pressures
CTOs view compliance as an obstacle to innovation. 73% of CTOs (compared to 55% CIOs and 61% CISOs) are concerned about regulations hindering competitiveness and are more likely to perceive compliance as an obstacle to innovation. In contrast, CIOs and CISOs view compliance as an integral component of risk management and operational stability, essential for maintaining a secure and reliable organizational environment.
The supply chain has hidden risks, and the importance of those risks varies. Nearly three in four CIOs (74%) and CISOs (73%) find it challenging to assess the cybersecurity risk from their supply chain, compared to only 64% of CTOs. This suggests that CIOs and CISOs are more involved in evaluating external risks and dependencies, while CTOs focus more on internal technology infrastructure.
C-Suite alignment on cloud computing supports cybersecurity resilience. There was little difference in the perception of cloud computing’s ability to provide cybersecurity resilience among CIOs, CTOs, and CISOs, with 83%, 82%, and 80%, respectively, acknowledging its benefits. This consensus indicates a shared recognition among these executive roles of cloud solutions’ value in enhancing cybersecurity.
A sophisticated threat activity cluster, STAC6451, has been identified targeting Microsoft SQL servers.
This cluster, primarily observed by Sophos Managed Detection and Response (MDR) teams, has compromised organizations by exploiting SQL server vulnerabilities.
The attackers have been using a combination of brute-force attacks, command execution, and lateral movement techniques to infiltrate and compromise networks.
This article delves into the intricate details of the STAC6451 attacks, the techniques employed, and the implications for organizations worldwide.
Overview: Microsoft SmartScreen is a cloud-based anti-phishing and anti-malware component that comes integrated with various Microsoft products like Microsoft Edge, Internet Explorer, and Windows. It is designed to protect users from malicious websites and downloads.
Key Features:
URL Reputation:
SmartScreen checks the URL of websites against a list of known malicious sites stored on Microsoft’s servers. If the URL matches one on the list, the user is warned or blocked from accessing the site.
Application Reputation:
When a user downloads an application, SmartScreen checks its reputation based on data collected from other users who have downloaded and installed the same application. If the app is deemed suspicious, the user is warned before proceeding with the installation.
Phishing Protection:
SmartScreen analyzes web pages for signs of phishing and alerts the user if a site appears to be trying to steal personal information.
Malware Protection:
The system can identify and block potentially malicious software from running on the user’s device.
Integration with Windows Defender:
SmartScreen works in conjunction with Windows Defender to provide a layered security approach, ensuring comprehensive protection against threats.
How it Works:
URL and App Checks:
When a user attempts to visit a website or download an application, SmartScreen sends a request to the SmartScreen service with the URL or app details.
The service checks the details against its database and returns a verdict to the user’s device.
Based on the verdict, the browser or operating system either allows, blocks, or warns the user about potential risks.
Telemetry and Feedback:
SmartScreen collects telemetry data from users’ interactions with websites and applications, which helps improve the accuracy of its threat detection algorithms over time.
Smart App Control (SAC)
Overview: Smart App Control (SAC) is a security feature in Windows designed to prevent malicious or potentially unwanted applications from running on the system. It is an evolution of the earlier Windows Defender Application Control (WDAC) and provides advanced protection by utilizing cloud-based intelligence and machine learning.
Key Features:
Predictive Protection:
SAC uses machine learning models trained on a vast amount of data to predict whether an application is safe to run. It blocks apps that are determined to be risky or have no known good reputation.
Cloud-Based Intelligence:
SAC leverages Microsoft’s cloud infrastructure to continuously update its models and threat intelligence, ensuring that protection is always up-to-date.
Zero Trust Model:
By default, SAC assumes that all applications are untrusted until proven otherwise, aligning with the zero trust security model.
Seamless User Experience:
SAC operates silently in the background, allowing trusted apps to run without interruptions while blocking potentially harmful ones. Users receive clear notifications and guidance when an app is blocked.
Policy Enforcement:
Administrators can define policies to control app execution on enterprise devices, ensuring compliance with organizational security standards.
How it Works:
App Analysis:
When an app attempts to run, SAC sends its metadata to the cloud for analysis.
The cloud service evaluates the app against its machine learning models and threat intelligence to determine its risk level.
Decision Making:
If the app is deemed safe, it is allowed to run.
If the app is determined to be risky or unknown, it is blocked, and the user is notified with an option to override the block if they have sufficient permissions.
Policy Application:
SAC policies can be customized and enforced across an organization to ensure consistent security measures on all managed devices.
Integration with Windows Security:
SAC is integrated with other Windows security features like Microsoft Defender Antivirus, providing a comprehensive defense strategy against a wide range of threats.
Despite the robust protections offered by Microsoft SmartScreen and Smart App Control (SAC), attackers can sometimes bypass these features through several sophisticated techniques.
1. Signed Malware Bypassing Microsoft SmartScreen and SAC
1. Valid Digital Signatures:
Stolen Certificates: Cybercriminals can steal valid digital certificates from legitimate software developers. By signing their malware with these stolen certificates, the malware can appear trustworthy to security features like SmartScreen and SAC.
Bought Certificates: Attackers can purchase certificates from Certificate Authorities (CAs) that might not perform thorough background checks. These certificates can then be used to sign malware.
2. Compromised Certificate Authorities:
If a Certificate Authority (CA) is compromised, attackers can issue valid certificates for their malware. Even if the malware is signed by a seemingly reputable CA, it can still be malicious.
3. Certificate Spoofing:
Advanced attackers may use sophisticated techniques to spoof digital certificates, making their malware appear as if it is signed by a legitimate source. This can deceive security features into trusting the malware.
4. Timing Attacks:
Some malware authors time their attacks to take advantage of the period between when a certificate is issued and when it is revoked or added to a blacklist. During this window, signed malware can bypass security checks.
5. Use of Legitimate Software Components:
Attackers can incorporate legitimate software components into their malware. By embedding malicious code within a signed, legitimate application, the entire package can be trusted by security features.
6. Multi-Stage Attacks:
Initial stages of the malware may appear harmless and thus be signed and trusted. Once the initial stage is executed and trusted by the system, it can download and execute the actual malicious payload.
7. Social Engineering:
Users may be tricked into overriding security warnings. For example, if SmartScreen or SAC blocks an application, an attacker might use social engineering tactics to convince the user to manually bypass the block.
2. How Reputation Hijacking Bypasses Microsoft SmartScreen and SAC
Compromised Legitimate Websites:
Method: Attackers compromise a legitimate website that has a strong reputation and inject malicious content or host malware on it.
Bypass Mechanism: Since SmartScreen relies on the reputation of websites to determine if they are safe, a website with a previously good reputation may not trigger alerts even if it starts serving malicious content. Users are not warned because the site’s reputation was established before the compromise.
Trusted Domains and Certificates:
Method: Attackers use domains with valid SSL certificates issued by trusted Certificate Authorities (CAs) to host malicious content.
Bypass Mechanism: SmartScreen and SAC check for valid certificates as part of their security protocols. A valid certificate from a trusted CA makes the malicious site appear legitimate, thus bypassing the security checks that would flag a site with an invalid or self-signed certificate.
Embedding Malware in Legitimate Software:
Method: Attackers inject malicious code into legitimate software or its updates.
Bypass Mechanism: If the legitimate software has a good reputation and is signed with a valid certificate, SmartScreen and SAC are less likely to flag it. When users update the software, the malicious payload is delivered without triggering security warnings because the update appears to be from a trusted source.
Phishing with Spoofed Emails:
Method: Attackers send phishing emails that appear to come from trusted sources, often using spoofed email addresses.
Bypass Mechanism: Users are more likely to trust and open emails from familiar and reputable sources. SmartScreen may not always catch these emails, especially if they come from legitimate domains that have been spoofed, leading users to malicious websites or downloads.
Domain and Subdomain Takeover:
Method: Attackers take over expired or unused domains and subdomains of reputable sites.
Bypass Mechanism: Since the domain or subdomain was previously associated with a legitimate entity, SmartScreen and SAC may continue to trust it based on its historical reputation. This allows attackers to serve malicious content from these domains without raising security flags.
Social Engineering Attacks:
Method: Attackers trick users into overriding security warnings by posing as legitimate sources or using persuasive tactics.
Bypass Mechanism: Even if SmartScreen or SAC warns users, skilled social engineering can convince them to bypass these warnings. Users might disable security features or proceed despite warnings if they believe the source is trustworthy.
3. How Reputation Seeding Bypasses Microsoft SmartScreen and SAC
Reputation seeding is a tactic where attackers build a positive reputation for malicious domains, software, or email accounts over time before launching an attack. This can effectively bypass security measures like Microsoft SmartScreen and Smart App Control (SAC) because these systems often rely on reputation scores to determine the trustworthiness of an entity. Here’s how reputation seeding works and strategies to mitigate it:
How Reputation Seeding Works
Initial Clean Activity:
Method: Attackers initially use their domains, software, or email accounts for legitimate activities. This involves hosting benign content, sending non-malicious emails, or distributing software that performs as advertised without any harmful behavior.
Bypass Mechanism: During this period, SmartScreen and SAC observe and record these entities as safe and build a positive reputation for them. Users interacting with these entities during the seeding phase do not encounter any security warnings.
Gradual Introduction of Malicious Content:
Method: Over time, attackers start to introduce malicious content slowly. This might involve adding malware to software updates, injecting harmful code into websites, or sending phishing emails from trusted accounts.
Bypass Mechanism: Because the entities have already established a positive reputation, initial malicious activities may not be immediately flagged by SmartScreen or SAC, allowing the attackers to reach their targets.
Leveraging Established Trust:
Method: Once a strong reputation is established, attackers conduct large-scale malicious campaigns. They leverage the trust built over time to bypass security checks and deceive users.
Bypass Mechanism: The established positive reputation causes security systems to consider these entities as low-risk, allowing malware or phishing attempts to bypass filters and reach users without triggering alarms.
Typical Timeframes for Reputation Seeding
Websites:
Short-Term (Weeks): Initial establishment of a website with benign content and basic user interactions.
Medium-Term (Months): Gaining backlinks, increasing traffic, and more extensive content creation.
Long-Term (6+ Months): Strong reputation with significant traffic, positive user interactions, and established trust.
Software:
Short-Term (Weeks): Initial distribution and passing basic security checks.
Medium-Term (Months): Accumulating downloads, positive user reviews, and routine updates.
Long-Term (6+ Months): Strong reputation with widespread usage and consistently positive feedback.
Email Accounts:
Short-Term (Weeks): Initial legitimate emails and normal interactions.
Medium-Term (1-2 Months): Building trust through regular, benign communication.
Long-Term (3+ Months): Established trust with consistent, non-malicious activity.
4. How Reputation Tampering Bypasses Microsoft SmartScreen and SAC
Reputation tampering, particularly in the context of Smart App Control (SAC), can exploit the way SAC assesses and maintains the reputation of files. Given that SAC might use fuzzy hashing, feature-based similarity comparisons, and machine learning models to evaluate file reputation, attackers can manipulate certain segments of a file without changing its perceived reputation. Here’s a deeper dive into how this works and the potential implications:
How Reputation Tampering Works in SAC
Fuzzy Hashing:
Method: Unlike traditional cryptographic hashing, which changes completely with any alteration to the file, fuzzy hashing allows for minor changes without drastically altering the hash value. This means that files with small modifications can still be considered similar to the original.
Attack: Attackers modify segments of the file that do not significantly affect the fuzzy hash value, allowing the file to retain its reputation.
Feature-Based Similarity Comparisons:
Method: SAC may use feature-based similarity comparisons to evaluate files. These features could include metadata, structural attributes, or specific code patterns that are consistent with known good files.
Attack: By understanding which features are used and ensuring that these remain unchanged while modifying other parts of the file, attackers can maintain the file’s good reputation.
Machine Learning Models:
Method: Machine learning models in the cloud may analyze files based on patterns learned from a large dataset of known good and bad files. These models might use a variety of indicators beyond simple hashes.
Attack: Through trial and error, attackers identify which code sections can be altered without changing the overall pattern recognized by the ML model as benign. They can then inject malicious code into these sections.
5. How LNK Stomping Bypasses Microsoft SmartScreen and SAC
LNK stomping is a technique where attackers modify LNK (shortcut) files to execute malicious code while appearing legitimate to users and security systems. By leveraging the flexibility and capabilities of LNK files, attackers can disguise their malicious intentions and bypass security features such as Microsoft SmartScreen and Smart App Control (SAC). Here’s how LNK stomping works and how it can bypass these security features:
How LNK Stomping Works
Creating a Malicious LNK File:
Method: Attackers create an LNK file that points to a legitimate executable or document but includes additional commands or scripts that execute malicious code.
Example: An LNK file might appear to open a PDF document, but in reality, it executes a PowerShell script that downloads and runs malware.
Modifying Existing LNK Files:
Method: Attackers modify existing LNK files on a target system to include malicious commands while retaining their original appearance and functionality.
Example: An LNK file for a commonly used application (e.g., a web browser) is modified to first execute a malicious script before launching the application.
Embedding Malicious Code:
Method: Attackers embed malicious code directly within the LNK file, taking advantage of the file’s structure and features.
Example: An LNK file might contain embedded shell commands that execute when the shortcut is opened.
Understanding the MotW Bypass via LNK File Manipulation
The Mark of the Web (MotW) is a critical security feature used to flag files downloaded from the internet, making them subject to additional scrutiny by antivirus (AV) and endpoint detection and response (EDR) systems, including Microsoft SmartScreen and Smart App Control (SAC). However, certain techniques can bypass this feature, allowing potentially malicious files to evade detection. Here, we’ll explore how manipulating LNK (shortcut) files can bypass MotW checks.
Manually Creating an LNK File with a Non-Standard Target Path
Locate the PowerShell Script:
Ensure you have the path to the PowerShell script, for example, C:\Scripts\MyScript.ps1.
Create the Shortcut:
Right-click on the desktop or in the folder where you want to create the shortcut.
Select New > Shortcut.
Enter the Target Path:
In the “Type the location of the item” field, enter the following command with a non-standard path:
powershell.exe -File "C:\Scripts\MyScript.ps1."
Notice the extra dot at the end of the script path.
Name the Shortcut:
Enter a name for your shortcut (e.g., Run MyScript Non-Standard).
Click Finish.
Verify the Target Path:
Right-click the newly created shortcut and select Properties.
In the Target field, you should see:
powershell.exe -File "C:\Scripts\MyScript.ps1."
Click OK to save the changes.
By following these steps, you can create an LNK file that points to a PowerShell script with a non-standard target path. This can be used for testing how such files interact with security features like SmartScreen and Smart App Control.
Manually Creating an LNK File with a Relative Path
Locate the PowerShell Script:
Ensure you have the relative path to the PowerShell script within its directory structure, for example, .\Scripts\MyScript.ps1.
Create the Shortcut:
Right-click on the desktop or in the folder where you want to create the shortcut.
Select New > Shortcut.
Enter the Target Path:
In the “Type the location of the item” field, enter the following command with a relative path:
powershell.exe -File ".\Scripts\MyScript.ps1"
Click Next.
Name the Shortcut:
Enter a name for your shortcut (e.g., Run MyScript Relative).
Click Finish.
Verify the Target Path:
Right-click the newly created shortcut and select Properties.
In the Target field, you should see:
powershell.exe -File ".\Scripts\MyScript.ps1"
Click OK to save the changes.
Manually Creating an LNK File with a Multi-Level Path
To create an LNK file with a multi-level path in the target path array, we need to manipulate the internal structure of the LNK file to contain a non-standard target path. This involves using a utility or script that can handle the creation and modification of LNK files with detailed control over their internal structure.
Here’s a step-by-step guide to creating such an LNK file using PowerShell and a specialized library for handling LNK files, pylnk3, which is a Python-based library. For this example, you will need to have Python installed along with the pylnk3 library.
Step-by-Step Guide
Prerequisites
Install Python:
If you don’t have Python installed, download and install it from the official website: Python.org.
Install pylnk3 Library:
Open a command prompt or terminal and run the following command to install pylnk3:
pip install pylnk3
Creating a Multi-Level Path LNK File
Create a Python Script to Generate the LNK File:
Create a Python script (e.g., create_lnk.py) with the following content:
import lnk
# Define the path for the new shortcut
shortcut_path = "C:\\Users\\Public\\Desktop\\MyScriptShortcutMultiLevel.lnk"
# Create a new LNK file
lnk_file = lnk.lnk_file()
# Set the target path with multi-level path entries
lnk_file.add_target_path_entry("..\\..\\Scripts\\MyScript.ps1")
# Set the arguments for the target executable
lnk_file.command_line_arguments = "-File .\\Scripts\\MyScript.ps1"
# Save the LNK file
with open(shortcut_path, "wb") as f:
    lnk_file.write(f)
print(f"Shortcut created at: {shortcut_path}")
Run the Python Script:
Open a command prompt or terminal and navigate to the directory where your Python script is located.
Run the script using the following command:
python create_lnk.py
Explanation
lnk.lnk_file(): Creates a new LNK file object.
add_target_path_entry: Adds entries to the target path array. Here, we use a relative path (..\\..\\Scripts\\MyScript.ps1) to simulate a multi-level path.
command_line_arguments: Sets the arguments passed to the target executable. In this case, we pass -File .\Scripts\MyScript.ps1.
write: Saves the LNK file to the specified path.
Additional Notes
Relative Paths: The use of relative paths (..\\..\\) in the target path entries allows us to create a multi-level path structure within the LNK file.
Non-Standard Structures: By manipulating the internal structure of the LNK file, we can craft paths that might bypass certain security checks.
Running the LNK File
After creating the LNK file, you can test its behavior by double-clicking it. The crafted LNK file should follow the relative path and execute the target PowerShell script, demonstrating how non-standard paths can be used within an LNK file.
The article “Dismantling Smart App Control” by Elastic Security Labs explores the vulnerabilities and bypass techniques of Windows Smart App Control (SAC) and SmartScreen. For more details, you can read the full article here.
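A defender-side check for the three shortcut forms shown above (trailing dot, relative path, multi-level path), as an added example that is not from the original article or from Elastic Security Labs: it audits shortcut target and argument strings taken from an inventory export. The record layout, finding names and script-host list are assumptions, and the sample inventory is constructed.

```python
"""Audit shortcut (LNK) target/argument strings for non-standard path forms.

Added example. Record fields, finding names and SAMPLE_INVENTORY are
constructed for illustration; they are not output of any real tool.
"""
import ntpath
import re

# Script hosts that deserve a second look when a shortcut launches them
# (assumed short list, extend to match your environment).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted string or a bare word
_SEP = re.compile(r"[\\/]+")             # Windows accepts both separators


def _tokens(arguments):
    """Split an argument string, keeping a quoted path as one token."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(arguments)
            if quoted or bare]


def _path_findings(path):
    """Return the set of findings for one path string."""
    findings = set()
    parts = [p for p in _SEP.split(path) if p]
    if ".." in parts:
        findings.add("PARENT_TRAVERSAL")
    # Win32 path normalization drops trailing dots and spaces, so a stored
    # component that still ends in one does not name the file that opens.
    if any(p not in (".", "..") and p != p.rstrip(". ") for p in parts):
        findings.add("TRAILING_DOT_OR_SPACE")
    if not ntpath.isabs(path):
        findings.add("RELATIVE_PATH")
    return findings


def audit_shortcut(target, arguments=""):
    """Return a sorted list of findings for one shortcut."""
    target = target.strip('"')
    findings = _path_findings(target)
    if ntpath.basename(target).lower() in SCRIPT_HOSTS:
        findings.add("SCRIPT_INTERPRETER")
    for tok in _tokens(arguments):
        if tok.startswith(("-", "/")):   # command-line switch, not a path
            continue
        if _SEP.search(tok):             # only path-like arguments
            findings |= _path_findings(tok)
    return sorted(findings)


def audit_inventory(records):
    """Map shortcut name -> findings, for shortcuts with at least one."""
    flagged = {}
    for rec in records:
        found = audit_shortcut(rec["target"], rec.get("arguments", ""))
        if found:
            flagged[rec["name"]] = found
    return flagged


_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed inventory: the three forms from the walkthrough plus one
# ordinary shortcut (hypothetical application path) as a negative case.
SAMPLE_INVENTORY = [
    {"name": "Run MyScript Non-Standard.lnk", "target": _PS,
     "arguments": r'-File "C:\Scripts\MyScript.ps1."'},
    {"name": "Run MyScript Relative.lnk", "target": _PS,
     "arguments": r'-File ".\Scripts\MyScript.ps1"'},
    {"name": "MyScriptShortcutMultiLevel.lnk",
     "target": r"..\..\Scripts\MyScript.ps1",
     "arguments": r"-File .\Scripts\MyScript.ps1"},
    {"name": "Example App.lnk",
     "target": r"C:\Program Files\Example\app.exe", "arguments": ""},
]

if __name__ == "__main__":
    for name, found in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(found)}")
```

Findings are triage signals rather than verdicts: a shortcut that launches a script host is common, while a stored path with a trailing dot, trailing space or parent traversal is the part that rarely appears in shortcuts created through normal use.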
What key factors have contributed to increased personal liability risks for CISOs?
The role of the CISO has evolved significantly over the past year. The notable shift toward increased personal liability is largely the result of three factors:
First, organizations are at greater cybersecurity risk than ever. Attackers and their wares are growing more advanced by the day. At the same time, for all their benefits, new technologies, such as AI, often result in increasingly complex digital infrastructures that may hide security vulnerabilities ripe for the picking.
Second, the evolving regulatory landscape. Laws such as the Digital Operations Resiliency Act (DORA) in Europe and various new regulations from the US Securities and Exchange Commission (SEC) legally place personal responsibility for data breaches squarely on the shoulders of the CISO.
Finally, broader public awareness of security lapses. The SEC now requires publicly traded companies to disclose material cybersecurity incidents within four days. This is on top of the Strengthening American Cybersecurity Act that requires entities that own or operate critical infrastructure to report cyber incidents and ransom payments within 24 to 72 hours.
How have high-profile cyber incidents influenced the perception and reality of personal liability for CISOs?
Even if many organizations are now required to disclose cybersecurity incidents in a timely manner—as I just mentioned—that doesn’t mean all of those incidents become common knowledge. In fact, relatively few do. High-profile cybersecurity breaches—the incidents that most affect the general public—are those that drive intensified public scrutiny. As these incidents grab headlines, customers demand change. Unfortunately for the CISO, in these cases, perception is reality, and they often become the sacrificial lamb even if a broader set of executives and board members should share liability.
What proactive steps can CISOs take to mitigate the risk of personal liability?
As the saying goes, “an ounce of prevention is worth a pound of cure.” So, first and foremost, do your core job by strengthening your organization’s cyber resilience. Ensure your team has the resources, skills and guidance to maintain visibility into all of your assets; properly configure perimeter defenses; protect business-critical data and apps with a robust backup and recovery strategy; enforce strong security policies for things like passwords, the principle of least privilege and remote and personal device access; conduct effective employee cybersecurity awareness training; and finally, test and rehearse, test and rehearse, test and rehearse.
It also helps to fight fire with fire. Cybercriminals are using AI to improve their tactics. Implementing AI-powered technology to improve the effectiveness of each of the above cyber resilience steps will help ensure you stay one step ahead of bad actors and avoid the risk of being held personally liable for a successful breach.
Another key is establishing clear lines of communication with other executive leaders and board members. Be completely transparent and avoid the temptation to paper over emerging and potential issues you don’t quite yet understand or have the resources to deal with. It’s much better to be able to say, “I told you so,” than, “should have, could have, would have.”
How effective are directors and officers insurance policies in protecting CISOs from personal liability?
Directors and officers (D&O) liability insurance can offer some protection for the CISO, but its effectiveness in the dynamic realm of cybersecurity is not 100% certain. These policies typically cover legal fees and damages resulting from lawsuits against executives for decisions made in their professional capacities, but regulations that include personal accountability for cybersecurity failures might challenge the scope and limits of traditional D&O coverage. Insurance providers may need to adjust their policies to address the specific risks faced by CISOs. While this will lead to more effective, tailored coverage, it could also potentially lead to higher premiums or so many exclusions that it becomes impractical.
How can organizations better support their CISOs to ensure they are not unfairly held liable for cyber incidents?
Organizations need to develop a culture of welcomed transparency. If the CISO is afraid to bring hard truths to the executive leadership team and board, there’s a problem. On our team, we tend not to really even talk about the things that are going well. Instead, we focus almost exclusively on what we need to improve. Red flags aren’t something we avoid, but embrace, so everyone is aware of risks and potential vulnerabilities.
Just as important, even the best security team will fail if not given necessary resources. This includes not just ongoing budgetary support to execute the above cyber resilience strategies, but also the authority to implement critical security measures. If security recommendations are consistently overridden or ignored by other parts of the organization, the CISO’s efforts become futile.
What advice would you give to current and aspiring CISOs in navigating the complexities of personal liability?
The biggest area of improvement needed for most CISOs is communication skills. As I stated, transparency is just as important as anything else in avoiding cybersecurity breaches and the resulting risk of personal liability, and transparency requires effective communication. Not only that, but negotiating for the resources you need to execute the cyber resilience strategies that will protect both your organization and you also requires effective communication. Lastly, effective communication plays a key role in your ability to get organization-wide buy-in to cybersecurity best practices by positioning cybersecurity as a business enabler rather than hindrance.
Injecting spoofed headers with email relaying involves manipulating the email headers to disguise the true origin of an email, making it appear as if it was sent from a legitimate source. Here’s a detailed explanation of how this process works:
1. Understanding Email Headers
Email headers contain vital information about the sender, recipient, and the path an email takes from the source to the destination. Key headers include:
From: The email address of the sender.
To: The recipient’s email address.
Subject: The subject line of the email.
Received: Information about the mail servers that handled the email as it traveled from sender to recipient.
Return-Path: The email address where bounces and error messages should be sent.
2. Email Relaying
Email relaying is the process of sending an email from one server to another. This is typically done by SMTP (Simple Mail Transfer Protocol) servers. Normally, email servers are configured to relay emails only from authenticated users to prevent abuse by spammers.
3. Spoofing Headers
Spoofing email headers involves altering the email headers to misrepresent the email’s source. This can be done for various malicious purposes, such as phishing, spreading malware, or bypassing spam filters. Here’s how it can be done:
a. Crafting the Spoofed Email
An attacker can use various tools and scripts to create an email with forged headers. They might use a command-line tool like sendmail, mailx, or a programming language with email-sending capabilities (e.g., Python’s smtplib).
b. Setting Up an Open Relay
An open relay is an SMTP server configured to accept and forward email from any sender to any recipient. Attackers look for misconfigured servers on the internet to use as open relays.
c. Injecting Spoofed Headers
The attacker crafts an email with forged headers, such as a fake “From” address, and sends it through an open relay. The open relay server processes the email and forwards it to the recipient’s server without verifying the authenticity of the headers.
d. Delivery to Recipient
The recipient’s email server receives the email and, based on the spoofed headers, believes it to be from a legitimate source. This can trick the recipient into trusting the email’s content.
4. Example of Spoofing Email Headers
Here’s an example using Python’s smtplib to send an email with spoofed headers:
import smtplib
from email.mime.text import MIMEText
# Crafting the email
msg = MIMEText("This is the body of the email")
msg['Subject'] = 'Spoofed Email'
msg['From'] = 'spoofed.sender@example.com'
msg['To'] = 'recipient@example.com'
# Sending the email via an open relay
smtp_server = 'open.relay.server.com'
smtp_port = 25
with smtplib.SMTP(smtp_server, smtp_port) as server:
    server.sendmail(msg['From'], [msg['To']], msg.as_string())
via Frontend Transport
The statement about the term “via Frontend Transport” in header values refers to a specific configuration in Microsoft Exchange Server that could suggest a misconfiguration allowing email relaying without proper verification. Let’s break down the key elements of this explanation:
1. Frontend Transport in Exchange
In Microsoft Exchange Server, the Frontend Transport service is responsible for handling client connections and email traffic from the internet. It acts as a gateway, receiving emails from external sources and forwarding them to the internal network.
2. Email Relaying
Email relaying is the process of forwarding an email from one server to another, eventually delivering it to the final recipient. While this is a standard part of the SMTP protocol, it becomes problematic if a server is configured to relay emails without proper authentication or validation.
3. The Term “via Frontend Transport”
When email headers include the term “via Frontend Transport”, it indicates that the email passed through the Frontend Transport service of an Exchange server. This can be seen in the Received headers of the email, showing the path it took through various servers.
4. Suggestion of Blind Email Relaying
The concern arises when these headers suggest that Exchange is configured to relay emails without altering them or without proper checks. This could imply that:
The Exchange server is not adequately verifying the sender’s authenticity.
The server might be forwarding emails without checking if they come from trusted sources.
Such a configuration can be indicative of an open relay, where the server forwards any email it receives, which is highly vulnerable to abuse.
5. Abuses of Open Relays
Open relays are notorious for being exploited by spammers and malicious actors because they can be used to send large volumes of unsolicited emails while obscuring the true origin of the message. This makes it difficult to trace back to the actual sender and can cause the relay server’s IP address to be blacklisted.
Attackers Use a Genuine Microsoft Office 365 Account
The attackers have managed to send an email from a genuine Microsoft Office 365 account. This could be through compromising an account or using a trial account.
Email Branded as Disney
The email is branded as coming from Disney (disney.com). This branding could involve setting the “From” address to appear as if it’s from a Disney domain, which can trick recipients into believing the email is legitimate.
Gmail’s Handling of Outlook’s Servers
Gmail has robust mechanisms to handle high volumes of emails from trusted servers like Outlook’s (Microsoft’s email service). These servers are built to send millions of emails per hour, so Gmail will not block them due to rate limits.
SPF (Sender Policy Framework)
SPF is a protocol that helps prevent email spoofing by allowing domain owners to specify which mail servers are authorized to send emails on their behalf. The attackers benefit from this because:
The email is sent through Microsoft’s official relay server, protection.outlook.com.
Disney’s SPF record includes spf.protection.outlook.com, which means emails sent through this relay server are authorized by Disney’s domain.
Spoofed Headers
Spoofed headers involve altering the email headers to make the email appear as if it originated from a different source. In this scenario, the attackers have spoofed headers to make the email look like it’s from Disney.
SPF Check Passed
Since the email is sent via a server included in Disney’s SPF record (protection.outlook.com), it will pass the SPF check, making it seem legitimate to the recipient’s email server.
DKIM (DomainKeys Identified Mail)
DKIM is another email authentication method that allows the receiver to check if an email claiming to come from a specific domain was indeed authorized by the owner of that domain. This is done by verifying a digital signature added to the email.
Points of Concern
SPF Check Passed
The email passed the SPF check because it was sent through an authorized server (protection.outlook.com) included in Disney’s SPF record.
Spoofed Headers
The headers were manipulated to make the email appear as if it came from Disney, which can deceive recipients.
Gmail Handling
Gmail will trust and not rate-limit emails from Outlook’s servers, ensuring the email is delivered without being flagged as suspicious due to high sending volumes.
Potential for DKIM
To fully understand if the email can pass DKIM checks, we would need to know if the attackers can sign the email with a valid DKIM key. If they manage to:
DKIM Alignment
Ensure the DKIM signature aligns with the domain in the “From” header (disney.com).
Valid DKIM Signature
Use a valid DKIM signature from an authorized domain (which would be difficult unless they have compromised Disney’s signing keys or a legitimate sending infrastructure).
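For defenders triaging such a message, the header checks discussed in the "via Frontend Transport" and SPF/DKIM sections above can be automated. The following is an added example, not code from the original article: it reads a constructed sample message and reports whether the From domain is backed only by an SPF pass through the shared relay. All hostnames and domains except the protection.outlook.com suffix are placeholders, and alignment is approximated by a suffix match.

```python
import re
from email import message_from_string
from email.utils import parseaddr

SHARED_RELAY = "protection.outlook.com"  # relay suffix named in the article
# Constructed sample, not a real capture; hosts and domains are placeholders.
SAMPLE = (
    "Received: from mail-xx0000.outbound.protection.outlook.com (203.0.113.10)\n"
    "\tby mx.recipient.example with ESMTPS; Mon, 01 Jan 2024 10:00:02 +0000\n"
    "Received: from AA0PR00MB0000.example.prod.outlook.com (2001:db8::1)\n"
    "\tby BB0PR00MB0001.example.prod.outlook.com with Microsoft SMTP Server\n"
    "\tvia Frontend Transport; Mon, 01 Jan 2024 10:00:00 +0000\n"
    "Authentication-Results: mx.recipient.example;\n"
    "\tspf=pass smtp.mailfrom=brand.example; dkim=none\n"
    "From: Brand Support <no-reply@brand.example>\n"
    "To: user@recipient.example\n"
    "Subject: Account notice\n\nbody\n"
)

def domain_of(value):
    return value.rsplit("@", 1)[-1].strip("<>").lower()

def aligned(auth_domain, from_domain):
    # Relaxed alignment approximated by suffix match; real code needs the public suffix list.
    return bool(auth_domain) and (auth_domain == from_domain
        or auth_domain.endswith("." + from_domain)
        or from_domain.endswith("." + auth_domain))

def field(pattern, text):
    m = re.search(pattern, text, re.I)
    return m.group(1).lower() if m else ""

def triage(raw):
    msg = message_from_string(raw)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    # Unfold the header values so the regexes see one line per header.
    ar = " ".join((msg.get("Authentication-Results") or "").split())
    hops = [" ".join(h.split()).lower() for h in msg.get_all("Received", [])]
    spf_ok = (field(r"\bspf=(\w+)", ar) == "pass"
              and aligned(domain_of(field(r"smtp\.mailfrom=([^\s;]+)", ar)), from_domain))
    dkim_ok = (field(r"\bdkim=(\w+)", ar) == "pass"
               and aligned(field(r"header\.d=([^\s;]+)", ar), from_domain))
    findings = []
    if spf_ok and not dkim_ok and any(SHARED_RELAY in h for h in hops):
        findings.append("SPF-only pass via shared relay: proves the relay, not the sender")
    frontend = sum("via frontend transport" in h for h in hops)
    if frontend:
        findings.append(f"{frontend} hop(s) passed through Frontend Transport")
    if not spf_ok and not dkim_ok:
        findings.append("no aligned SPF or DKIM pass for the From domain")
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "findings": findings}
```

Calling `triage(SAMPLE)` returns the SPF-only finding together with the Frontend Transport hop count; a message that also carries an aligned DKIM pass drops the first finding.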
Proofpoint and similar services are email security solutions that offer various features to protect organizations from email-based threats, such as phishing, malware, and spam. They act as intermediaries between the sender and recipient, filtering and relaying emails. However, misconfigurations or overly permissive settings in these services can be exploited by attackers. Here’s an explanation of how these services work, their roles, and how they can be exploited:
Roles and Features of Proofpoint-like Services
Email Filtering and Protection
Spam and Phishing Detection: Filters out spam and phishing emails.
Malware Protection: Scans and blocks emails containing malware or malicious attachments.
Content Filtering: Enforces policies on email content, attachments, and links.
Email Relay and Delivery
Inbound and Outbound Filtering: Manages and filters both incoming and outgoing emails to ensure compliance and security.
Email Routing: Directs emails to the appropriate recipients within an organization.
DKIM Signing: Adds DKIM signatures to outgoing emails to authenticate them.
Authentication and Authorization
IP-Based Authentication: Uses IP addresses to authenticate incoming email servers.
SPF, DKIM, and DMARC Support: Implements these email authentication protocols to prevent spoofing.
How Misconfigurations Allow Exploitation
Permissive IP-Based Authentication
Generic Configuration: Proofpoint is often configured to accept emails from entire IP ranges associated with services like Office365 or Google Workspace without specifying particular accounts.
IP Range Acceptance: Once a service like Office365 is enabled, Proofpoint accepts emails from any IP within the Office365 range, regardless of the specific account.
Exploitation Steps
Step 1: Setting Up the Attack
Attacker’s Office365 Account: The attacker sets up or compromises an Office365 account.
Spoofing Email Headers: The attacker crafts an email with headers that mimic a legitimate sender, such as Disney.
Step 2: Leveraging Proofpoint Configuration
Sending Spoofed Emails: The attacker sends the spoofed email from their Office365 account.
Proofpoint Relay Acceptance: Proofpoint’s permissive configuration accepts the email based on the IP range, without verifying the specific account.
Step 3: Proofpoint Processing
DKIM Signing: Proofpoint processes the email, applying DKIM signatures and ensuring it passes SPF checks because it comes from an authorized IP range.
Email Delivery: The email is then delivered to the target’s inbox, appearing legitimate due to the DKIM signature and SPF alignment.
Example of a Permissive Configuration in Proofpoint
Admin Setup
Adding Hosted Services: Proofpoint allows administrators to add hosted email services (e.g., Office365) with a single-click configuration that relies on IP-based authentication.
No Specific Account Configuration
Generic Acceptance: The setup does not specify which particular accounts are authorized, leading to a scenario where any account within the IP range is accepted.
Exploitation of Misconfiguration
Blind Relay: Due to this broad acceptance, attackers can send emails through Proofpoint’s relay, which then processes and delivers them as if they were legitimate.
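The difference between the permissive setup described above and a pinned one can be modelled in a few lines. This is an added example, not Proofpoint's code or configuration: the `HostedService` and `Connection` types, the `tenant_id` field, the documentation IP range and all tenant and domain names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class HostedService:
    name: str
    ip_ranges: list                                     # CIDR strings for the provider
    allowed_tenants: set = field(default_factory=set)   # tenants this customer controls

@dataclass
class Connection:
    source_ip: str
    tenant_id: str      # hypothetical: tenant identifier attached by the provider
    from_domain: str

def in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)

def relay_permissive(conn, svc):
    """Weak policy from the article: anything inside the provider range is relayed."""
    return in_ranges(conn.source_ip, svc.ip_ranges)

def relay_pinned(conn, svc, owned_domains):
    """Stricter model: provider range AND known tenant AND a domain the customer owns."""
    if not in_ranges(conn.source_ip, svc.ip_ranges):
        return False, "source outside provider range"
    if conn.tenant_id not in svc.allowed_tenants:
        return False, "tenant not on allowlist"
    if conn.from_domain.lower() not in owned_domains:
        return False, "From domain not owned by this customer"
    return True, "accepted"

# Constructed values: documentation IP range, made-up tenant ids and domains.
SERVICE = HostedService("hosted-mail", ["192.0.2.0/24"], {"tenant-brand"})
OWNED = {"brand.example"}
LEGIT = Connection("192.0.2.25", "tenant-brand", "brand.example")
FOREIGN = Connection("192.0.2.77", "tenant-unknown", "brand.example")

def compare():
    """Return (permissive decision, pinned decision) for each sample connection."""
    return {name: (relay_permissive(c, SERVICE), relay_pinned(c, SERVICE, OWNED)[0])
            for name, c in (("legit", LEGIT), ("foreign", FOREIGN))}
```

`compare()` shows both policies accepting the customer's own tenant, while only the permissive one relays the connection from the unknown tenant in the same IP range.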
A recent attack exploited a misconfiguration in Proofpoint’s email routing, allowing millions of spoofed phishing emails to be sent from legitimate domains like Disney and IBM. The attackers used Microsoft 365 tenants to relay emails through Proofpoint, bypassing SPF and DKIM checks, which authenticate emails. This “EchoSpoofing” method capitalized on Proofpoint’s broad IP-based acceptance of Office365 emails. Proofpoint has since implemented stricter configurations to prevent such abuses, emphasizing the need for vigilant security practices.