by Mike Holcomb
Checkout previous OSINT posts here
Nov 27 2024
Why Security Leaders Should Prioritize the MITRE ATT&CK Evaluation
The article emphasizes the importance of the MITRE Engenuity ATT&CK Evaluations for security leaders in navigating the complex cybersecurity landscape. These evaluations simulate real-world threats to test how vendorsā solutions detect, respond to, and report adversary tactics, techniques, and procedures (TTPs). The evaluations leverage the globally recognized MITRE ATT&CK framework, which categorizes TTPs into a structured model, helping organizations assess and address security gaps effectively.
Key factors that set MITRE ATT&CK Evaluations apart include their focus on real-world conditions, transparent results, and alignment with the ATT&CK framework. Unlike traditional assessments, these evaluations emulate attack scenarios, enabling vendors to demonstrate their capabilities under realistic conditions. The transparency of the results allows organizations to evaluate performance metrics directly, helping security leaders choose solutions tailored to their unique threat environments.
The 2023 MITRE ATT&CK Evaluation highlighted notable advancements, with Cynet achieving 100% visibility and analytic coverage without configuration changesāa first in the evaluation’s history. For 2024, MITRE plans to introduce more targeted evaluations, testing vendor solutions against adaptable ransomware-as-a-service variants and North Korean state-sponsored tactics, expanding coverage to Linux, Windows, and macOS platforms.
Cybersecurity leaders are encouraged to closely monitor the upcoming results, which will offer valuable insights into the strengths and weaknesses of vendor solutions. By leveraging these findings, organizations can refine their defenses, mitigate risks, and strengthen resilience against evolving threats. The Cynet-hosted webinar provides an opportunity to understand and act on these evaluations, making them a critical resource for informed decision-making.
For further details, access the full article here
Previous articles on Mitre Att&ck Framework
InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat botĀ |Ā Comprehensive vCISO ServicesĀ |Ā ISMS ServicesĀ |Ā Security Risk Assessment Services
Nov 27 2024
Penetration Testing and ISO 27001 – Securing ISMS
The document highlights the integration of penetration testing within ISO 27001’s framework, emphasizing its critical role in identifying system vulnerabilities and maintaining security posture. It links pen testing to the standard’s risk management and continuous improvement principles, focusing on Annex A controls, such as Operations Security and Compliance.
It details the importance of scoping, balancing business needs with potential risks. The guide underscores embedding pen testing into broader risk assessment efforts to enhance resilience.
How does penetration testing fit into my ISO 27001 ISMS project?
There are three stages in your ISMS project when penetration testing can make a
significant contribution:
- As part of the risk assessment process, to uncover vulnerabilities in any
Internet-facing IP addresses, web applications or internal devices and
applications, and link them to identifiable threats. - As part of the risk treatment plan, to ensure that security controls work
as designed. - As part of the ongoing performance evaluation and improvement
processes, to ensure that controls continue to work as required and that
new and emerging vulnerabilities are identified and dealt with.
ISO 27001 says that you must identify information security risks within the scope of
the ISMS (Clause 6.1.2.c). This involves identifying all assets and information systems
within scope of the ISMS, and then identifying the risks and vulnerabilities those
assets and systems are subject to.
A penetration test can help identify these risks and vulnerabilities. The results will
highlight detected issues and guide remedial action, and are a key input for your risk
assessment and treatment process. Once you understand the threats you face, you
can make an informed decision when selecting controls.
For further details, access the full document here.
Contact usĀ to explore how we can turn security challenges into strategic advantages.
Penetration Testing : Step-By-Step GuideĀ
Secure Your Digital Transformation with ISO 27001
Significance of ISO 27017 and ISO 27018 for Cloud Services
The Risk Assessment Process and the tool that supports it
What is the significance of ISO 27001 certification for your business?
Pragmatic ISO 27001 Risk Assessments
ISO/IEC 27001:2022 ā Mastering Risk Assessment and the Statement of Applicability
ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k
How to Address AI Security Risks With ISO 27001
How to Conduct an ISO 27001 Internal Audit
4 Benefits of ISO 27001 Certification
How to Check If a Company Is ISO 27001 Certified
How to Implement ISO 27001: A 9-Step Guide
ISO 27001 Standard, Risk Assessment and Gap Assessment
ISO 27001 standards and training
Securing Cloud Services: A pragmatic guide
InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat botĀ |Ā Comprehensive vCISO ServicesĀ |Ā ISMS ServicesĀ |Ā Security Risk Assessment Services
Nov 26 2024
Secure Your Digital Transformation with ISO 27001
Secure Your Digital Transformation in Cloud with ISO 27001
In todayās fast-paced digital transformation era, cloud computing drives innovation, scalability, and global competitiveness. But with these opportunities come critical responsibilitiesāespecially in protecting sensitive data.
Enter ISO 27001: the globally recognized standard for information security management. For organizations adopting cloud solutions, ISO 27001 provides a structured roadmap to safeguard data, build trust, and ensure compliance.
Why ISO 27001 is Essential in the Cloud Era
While cloud computing offers flexibility, it also introduces risks. ISO 27001 addresses these challenges by:
- Adopting a Risk-Based Approach: Identifying and mitigating cloud-specific risks like breaches and misconfigurations. ISO 27001 Risk Management
- Establishing Clear Policies: Developing tailored security controls for cloud environments.
- Enhancing Vendor Management: Ensuring third-party agreements align with security objectives.
- Strengthening Incident Response: Promoting readiness for potential cloud threats or breaches.
ISO 27001 + Digital Transformation = Success
When integrated into your digital strategy, ISO 27001 helps you:
- Build Trust: Demonstrate commitment to security to customers, partners, and regulators.
- Simplify Compliance: Align with GDPR, HIPAA, and other regulations.
- Enable Secure Scalability: Grow your operations without compromising security or agility.
Elevate Your Cloud Security Strategy
Embracing ISO 27001 ensures you not only mitigate cloud risks but also gain a competitive edge. Certification showcases your dedication to safeguarding client data, fostering trust and long-term partnerships.
How secure is your cloud strategy? Letās discuss how ISO 27001 can help you enhance your security while accelerating your digital transformation goals.
Contact us to explore how we can turn security challenges into strategic advantages.
In the 2022 update, ISO 27001 introduces specific Cloud controls (Annex A, clause 5.23 – the control that specifies the processes for acquiring, using, managing, and exiting cloud services), highlighting key areas where organizations can tighten security:
- Defining security requirements using the CIA Triad
- Establishing supplier selection criteria based on your risk profile and needs
- Assigning and tracking roles and responsibilities (Governance) for Cloud security
- Ensuring data protection and privacy throughout operations
- Implementing procurement lifecycle policies for Cloud services, from acquisition to termination
Given todayās reliance on Cloud servicesāand the risks posed by issues like faulty vendor updatesāitās critical to go deeper into Cloud security controls.
ANNEX A CLAUSE 8.26 APPLICATION SECURITY REQUIREMENTS
Significance of ISO 27017 and ISO 27018 for Cloud Services
The Risk Assessment Process and the tool that supports it
What is the significance of ISO 27001 certification for your business?
Pragmatic ISO 27001 Risk Assessments
ISO/IEC 27001:2022 ā Mastering Risk Assessment and the Statement of Applicability
ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k
How to Address AI Security Risks With ISO 27001
How to Conduct an ISO 27001 Internal Audit
4 Benefits of ISO 27001 Certification
How to Check If a Company Is ISO 27001 Certified
How to Implement ISO 27001: A 9-Step Guide
ISO 27001 Standard, Risk Assessment and Gap Assessment
ISO 27001 standards and training
Securing Cloud Services: A pragmatic guide
InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat botĀ |Ā Comprehensive vCISO ServicesĀ |Ā ISMS ServicesĀ |Ā Security Risk Assessment Services
Nov 25 2024
Adding Value with Adding Value with Risk-Based Information Security
The article emphasizes the importance of integrating risk management and information security management systems (ISMS) for effective IT security. It recommends a risk-based approach, leveraging frameworks like ISO/IEC 27001 and NIST Cybersecurity Framework (CSF) 2.0, to guide decisions that counteract risks while aligning with business objectives. Combining these methodologies enhances control accuracy and ensures that organizational assets critical to business goals are appropriately classified and protected.
An enterprise risk management system (ERMS) bridges IT operations and business processes by defining the business value of organizational assets. This alignment enables ISMS to identify and safeguard IT assets vital to achieving organizational objectives. Developing a registry of assets through ERMS avoids redundancies and ensures ISMS efforts are business-driven, not purely technological.
The NIST CSF 2.0 introduces a “govern” function, improving governance, priority-setting, and alignment with security objectives. It integrates with frameworks like ISO 27001 using a maturity model to evaluate controls’ effectiveness and compliance. This approach ensures clarity, reduces redundancies, and provides actionable insights into improving cybersecurity risk profiles and resilience across the supply chain.
Operationally, integrating frameworks involves a centralized tool for managing controls, aligning them with risk treatment plans (RTP), and avoiding overlaps. By sharing metrics across frameworks and using maturity models, organizations can efficiently evaluate security measures and align with business goals. The article underscores the value of combining ISO 27001’s holistic ISMS with NIST CSF’s risk-focused profile to foster continual improvement in an evolving digital ecosystem.
For example, let’s consider an elementary task such as updating the risk policy. This is part of control 5.1 of ISO27001 on information security policies. It is part of the subcategory GV.PO-01 of the NIST CSF on policies for managing cybersecurity risks, but it is also present in the RTP with regard to the generic risk of failure to update company policies. The elementary control tasks are evaluated individually. Then, the results of multiple similar tasks are aggregated to obtain a control of one of the various standards, frameworks or plans that we are considering.
Best method for evaluating the effectiveness of control activities may be to adopt theĀ Capability Maturity Model Integration (CMMI). It is a simple model for finding the level of maturity of implementation of an action with respect to the objectives set for that action. Furthermore, it is sufficiently generic to be adaptable to all evaluation environments and is perfectly linked with gap analysis. The latter is precisely the technique suitable for our evaluations ā that is, by measuring the current state of maturity of implementation of the control and comparing it with the pre-established level of effectiveness, we are able to determine how much still needs to be done.
In short, the advantage of evaluating control tasks instead of the controls proposed by the frameworks is twofold.
- The first advantage is in the very nature of the control task that corresponds to a concrete action, required by some business process, and therefore well identified in terms of role and responsibility. In other words, something is used that the company has built for its own needs and therefore knows well. This is an indicator of quality in the evaluation.
- The second advantage is in the method of treatment of the various frameworks. Instead of building specific controls with new costs to be sustained for their management, it is preferable to identify each control of the framework for which control tasks are relevant and automatically aggregate the relative evaluations. The only burden is to define the relationship between the companys control tasks and the controls of the chosen framework, but just once.
More details and considerations on pros and cons are described in recentĀ ISACA JournalĀ article,Ā āAdding Value With Risk-Based Information Security.ā
Information Security Risk Management for ISO 27001/ISO 27002
Information Security Risk Assessment Workshop
InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat botĀ |Ā Comprehensive vCISO ServicesĀ |Ā ISMS ServicesĀ |Ā Security Risk Assessment Services
Nov 22 2024
Explore the new Atomic Red Team website
The redesigned Atomic Red Team website features a new browser interface, improved search capabilities, and easier test execution
Red Canary’s Atomic Red Team is an open-source framework designed to help security teams test their detection capabilities against adversary tactics defined in the MITRE ATT&CK framework. It provides small, portable tests, enabling organizations to simulate specific attacker techniques in a controlled environment. This framework empowers defenders to validate their security controls, identify gaps in detection, and better understand malicious behaviors. Atomic Red Team offers a highly flexible approach, supporting manual execution via command-line scripts or automated tools like Invoke-Atomic, a PowerShell module that simplifies running testsā
The platform focuses on making security testing accessible to teams of all sizes by offering easy-to-follow documentation and a community-driven approach. Tests are mapped to MITRE ATT&CK tactics, allowing users to tailor simulations to their environment while ensuring compliance with security protocols. By leveraging these tests, organizations can proactively enhance their detection capabilities, address visibility gaps, and prepare for real-world threats effectively
TheĀ new siteĀ provides several long-requested feature additions such as an easier method to execute the sometimes complex command lines in your environment, more detailed searching and filtering capabilities, and a generally more streamlined interface. This convenient interface ensures that even a casual user can learn about and launch tests in their own environment to help improve their security posture.
Previous posts on Att&ck Matrix
InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat botĀ |Ā Comprehensive vCISO ServicesĀ |Ā ISMS ServicesĀ |Ā Security Risk Assessment Services
Nov 22 2024
Significance of ISO 27017 and ISO 27018 for Cloud Services
ISO 27017 and ISO 27018 are critical standards for enhancing information security, specifically in cloud environments.
- ISO 27017: This standard provides guidelines for information security controls in cloud services. It extends the general ISO 27001 framework to address cloud-specific risks, such as shared resources, multi-tenancy, and data location. It offers recommendations for both cloud service providers (CSPs) and customers to ensure the security of cloud infrastructure, operations, and data. Key areas include responsibilities of CSPs, customer monitoring, and cloud-specific risk management.
- ISO 27018: This standard focuses on protecting Personally Identifiable Information (PII) in cloud computing environments. It ensures CSPs comply with privacy laws and practices by offering controls specifically tailored for PII processing. These include requirements for data access, consent management, incident notification, and restricting data usage for marketing without explicit approval. It promotes trust by addressing privacy in a structured and transparent way.
Together, these standards build confidence in cloud adoption by mitigating risks associated with data security and privacy in shared digital ecosystems. They are particularly valuable for organizations handling sensitive data, such as financial institutions and healthcare providers.
- ISO27017 – Cloud services management
- ISO27018 – Service management system
- ISO27701 – Privacy information management system
- Cloud Security Toolkit – Start the journey to ISO 27017 and ISO 27018 compliance for Cloud services security with customizable templates, documents, policies and records.
- Designed to integrate with our ISO 27001 DocumentKits toolkit to ensure you have complete control over the security of your Cloud services.
- Get professional guidance and become an expert in securing your Cloud services, putting you fully in control of managing your information security.
- Guarantee full coverage of ISO 27017 and ISO 27018 with comprehensive documentation covering topics including backup and restoration, compliance checking, information security planning and risk assessments.
- ReduceāÆyour implementation costs and time spent generating your documentation.
- Get compliant and stay compliant with more than 500 free annual updates.
- Benefit from using the worldās only fully Cloud-based toolkit platform, making collaboration and accessibility easier than ever.
- This is an annual subscription product, however, you can cancel at any time. (T&Cs apply)
Previous posts on cloud computing
3 ISO 27001:2022 Controls That Help Secure Your Cloud Services
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services
Nov 22 2024
Researchers crack RSA and AES data encryption
For the first time ever researchers crack RSA and AES data encryption
Chinese scientists reveal D-Waveās quantum computers can break RSA encryption, signaling an urgent need for new cryptography solutions.
A group of Chinese researchers has successfully cracked RSA and AES encryption using D-Wave quantum computers. This breakthrough marks the first time such widely used encryption methods have been defeated. RSA, used in digital security protocols like HTTPS, relies on the difficulty of factoring large prime numbers. AES, on the other hand, protects sensitive data by converting it into unintelligible code. Both encryption methods are foundational to modern cybersecurity and global data protection systems.
The researchers employed a combination of advanced quantum computing and innovative algorithms to break the encryption. Quantum computers, unlike classical systems, process information using quantum bits (qubits), enabling parallel computations at an unprecedented scale. This capability makes them uniquely suited to solving problems like factoring large numbers or solving complex mathematical challengesāprocesses essential for breaking RSA and AES.
This achievement signals an urgent need for post-quantum cryptography, which can withstand quantum attacks. Governments and technology organizations worldwide are now accelerating the development of cryptographic systems designed for this new era. This breakthrough emphasizes the importance of adopting quantum-resistant encryption to ensure long-term security for sensitive information in areas like banking, healthcare, and national defense.
The implications of this research extend beyond encryption. Quantum computing’s power could revolutionize fields such as medicine, artificial intelligence, and materials science. However, it also presents significant challenges to current cybersecurity practices. Researchers and policymakers must urgently address these dualities to harness quantum computing’s potential while mitigating its risks.
You can access the details here
The value of quantum-resistant cryptography, post-quantum cryptography, and decentralized technologies just skyrocketed.
Inside Cyber: How AI, 5G, IoT, and Quantum Computing Will Transform Privacy and Our Security
Advancing Cyber Security Through Quantum Cryptography
InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat botĀ |Ā Comprehensive vCISO ServicesĀ |Ā ISMS ServicesĀ |Ā Security Risk Assessment Services
Nov 21 2024
How to Create a Strong Security Culture
Building a robust cybersecurity culture within the workplace requires a comprehensive approach that integrates technical measures, employee training, and leadership commitment. Organizations must prioritize educating their workforce on cybersecurity risks and best practices, emphasizing their role in safeguarding sensitive data. Practical measures include implementing regular staff awareness training and fostering a proactive attitude toward identifying and reporting threatsā
A successful cybersecurity culture hinges on leadership involvement. Executives should model the importance of cybersecurity by prioritizing it in organizational strategies and communications. This leadership sets the tone for employees, demonstrating that security is not just an IT issue but a company-wide priority. Encouraging cross-departmental collaboration helps embed cybersecurity in every aspect of the businessā
Technology and policy also play vital roles. Organizations should maintain updated cybersecurity policies tailored to their specific risks, covering areas like secure password practices, remote access controls, and patch management. Regular reviews of these policies ensure they evolve with emerging threats and business changes, reinforcing their relevance and effectivenessā
Lastly, fostering a culture of accountability and openness is critical. Employees should feel encouraged to report mistakes or incidents without fear of blame, as honest communication allows for quick and effective responses. Investing in ongoing training, including simulated phishing exercises, can reinforce vigilance and adaptability against evolving threats
For more details on the topic here
But to ensure that all staff truly take note of security and apply the knowledge gained from anyĀ staff awareness training, security should be embedded in your organization’s culture.
āAs cyber security leaders, we have to create our message of influence because security is a culture and you need the business to take place and be part of that security culture.ā
– Britney Hommertzheim
Previous security awareness posts
InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services
Nov 20 2024
3 ISO 27001:2022 Controls That Help Secure Your Cloud Services
The article highlights three critical controls from ISO 27001:2022 to enhance cloud security, providing organizations with guidance on how to protect sensitive data stored in the cloud effectively:
- Contractual Assurance: Control 5.10 emphasizes acceptable use and handling of information, particularly third-party assets like cloud services. It stresses the importance of establishing contractual agreements with cloud providers to ensure data security. Organizations should verify providers’ compliance with standards like ISO 27001 or other independent certifications, check for business continuity guarantees, and ensure compliance with regulations like GDPR or PCI DSS where applicable.
- Cloud-Specific Policies: Control 5.23 introduces the need for processes and policies tailored to cloud services. These should cover the acquisition, use, management, and exit strategies for cloud services. Organizations are advised to define security requirements and clarify roles, responsibilities, and controls between the organization and the provider. Policies should also include handling incidents and outlining exit procedures to maintain security throughout the service lifecycle.
- Extending ISMS: While ISO 27001:2022 offers foundational controls, organizations can enhance their information security management system by adopting supplementary standards like ISO 27017 (focused on cloud-specific controls) and ISO 27018 (privacy in cloud services). However, these extensions currently align with the older ISO 27001:2013 Annex A, necessitating careful integration with updated frameworks.
These controls underscore the importance of robust policies, contractual due diligence, and clear delineation of responsibilities to secure cloud environments effectively. More details can be found here.
The Risk Assessment Process and the tool that supports it
What is the significance of ISO 27001 certification for your business?
Pragmatic ISO 27001 Risk Assessments
ISO/IEC 27001:2022 ā Mastering Risk Assessment and the Statement of Applicability
ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k
How to Address AI Security Risks With ISO 27001
How to Conduct an ISO 27001 Internal Audit
4 Benefits of ISO 27001 Certification
How to Check If a Company Is ISO 27001 Certified
How to Implement ISO 27001: A 9-Step Guide
ISO 27001 Standard, Risk Assessment and Gap Assessment
ISO 27001 standards and training
InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat bot
Nov 19 2024
Choosing the Right ISO 27001 Certification Body
A Strategic Guide
This guide emphasizes the importance of choosing the right certification body for ISO 27001 certification. Key points include:
Why the Choice Matters:
- Credibility: A recognized certification body adds legitimacy.
- Expertise: Industry-specific knowledge ensures relevant audits.
- Global Recognition: Important for organizations with international reach.
- Rigorous Audits: Ensures compliance and resilience.
Factors to Consider:
- Accreditation: Look for reputable accreditations (e.g., ANAB, UKAS, IAF).
- Industry Expertise: Ensure familiarity with your sector’s needs.
- Global Reach: Necessary for multinational operations.
- Reputation: Verify through reviews and recommendations.
- Cost vs. Quality: Prioritize quality to avoid re-certification issues.
Recommended Certification Bodies:
- TĆV SĆD
- Bureau Veritas
- DNV GL
- BSI
- UL
Practical Tips:
- Request multiple proposals for comparison.
- Interview representatives to gauge fit.
- Check references and past client experiences.
- Align the choice with your business needs.
The guide stresses that selecting the right body ensures long-term success and strengthens your ISMSās value. You can access the full guide here
Selecting the right certification body for ISO 27001 can turn your certification into a strategic advantage, enhancing your security framework and boosting your brand’s reputation. A thoughtful decision ensures long-term success and resilience.
Feel free to contact us to explore ISO 27001 strategies tailored to your organizationās needs!
What will the certification auditor ask regarding risk assessment and treatment?
During the audit, an auditor might ask for the following evidence regarding ISO 27001 clause 6.1 Actions to address risks and opportunities:
1. The risk assessment methodology.
2. The report about the performed risk assessment and treatment, together with the list of all the risks.
3. If each risk has impact, likelihood, level of risk, and risk owner listed, and whether it is considered acceptable.
4. If each unacceptable risk has been treated with at least one option; if the option is decreasing the risk, then the risk needs to have appropriate controls selected.
5. If the selected controls are marked as applicable in the Statement of Applicability.
6. If you have planned the implementation of your controls through the Risk Treatment Plan.
7. If the risk owners have accepted the Risk Treatment Plan and the residual risks.
The Risk Assessment Process and the tool that supports it
What is the significance of ISO 27001 certification for your business?
Pragmatic ISO 27001 Risk Assessments
ISO/IEC 27001:2022 ā Mastering Risk Assessment and the Statement of Applicability
ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k
How to Address AI Security Risks With ISO 27001
How to Conduct an ISO 27001 Internal Audit
4 Benefits of ISO 27001 Certification
How to Check If a Company Is ISO 27001 Certified
How to Implement ISO 27001: A 9-Step Guide
ISO 27001 Standard, Risk Assessment and Gap Assessment
ISO 27001 standards and training
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot
Nov 19 2024
Threat modeling your generative AI workload to evaluate security risk
AWS emphasizes the importance of threat modeling for securing generative AI workloads, focusing on balancing risk management and business outcomes. A robust threat model is essential across the AI lifecycle stages, including design, deployment, and operations. Risks specific to generative AI, such as model poisoning and data leakage, need proactive mitigation, with organizations tailoring risk tolerance to business needs. Regular testing for vulnerabilities, like malicious prompts, ensures resilience against evolving threats.
Generative AI applications follow a structured lifecycle, from identifying business objectives to monitoring deployed models. Security considerations should be integral from the start, with measures like synthetic threat simulations during testing. For applications on AWS, leveraging its security tools, such as Amazon Bedrock and OpenSearch, helps enforce role-based access controls and prevent unauthorized data exposure.
AWS promotes building secure AI solutions on its cloud, which offers over 300 security services. Customers can utilize AWS infrastructure’s compliance and privacy frameworks while tailoring controls to organizational needs. For instance, techniques like Retrieval-Augmented Generation ensure sensitive data is redacted before interaction with foundational models, minimizing risks.
Threat modeling is described as a collaborative process involving diverse rolesābusiness stakeholders, developers, security experts, and adversarial thinkers. Consistency in approach and alignment with development workflows (e.g., Agile) ensures scalability and integration. Using existing tools for collaboration and issue tracking reduces friction, making threat modeling a standard step akin to unit testing.
Organizations are urged to align security practices with business priorities while maintaining flexibility. Regular audits and updates to models and controls help adapt to the dynamic AI threat landscape. AWS provides reference architectures and security matrices to guide organizations in implementing these best practices efficiently.
You can write and document these possible threats to your application in the form of threat statements. Threat statements are a way to maintain consistency and conciseness when you document your threat. At AWS, we adhere to a threat grammar which follows the syntax:
A [threat source] with [prerequisites] can [threat action] which leads to [threat impact], negatively impacting [impacted assets].
This threat grammar structure helps you to maintain consistency and allows you to iteratively write useful threat statements. As shown in Figure 2, Threat Composer provides you with this structure for new threat statements and includes examples to assist you.
You can read the full article here
Proactive governance is a continuous process of risk and threat identification, analysis and remediation. In addition, it also includes proactively updating policies, standards and procedures in response to emerging threats or regulatory changes.
How CISOs Can Drive the Adoption of Responsible AI Practices
The CISOās Guide to Securing Artificial Intelligence
AI in Cyber Insurance: Risk Assessments and Coverage Decisions
Hackers will use machine learning to launch attacks
To fight AI-generated malware, focus on cybersecurity fundamentals
4 ways AI is transforming audit, risk and compliance
AI security bubble already springing leaks
Could APIs be the undoing of AI?
The Rise of AI Bots: Understanding Their Impact on Internet Security
How to Address AI Security Risks With ISO 27001
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot
Nov 18 2024
WinRAR and ZIP File Exploits: This ZIP File Hack Could Let Malware Bypass Your Antivirus
A new vulnerability affecting WinRAR and ZIP file extraction tools has been identified, which can allow malware to bypass antivirus programs. Attackers exploit this by embedding malicious scripts within specially crafted ZIP or RAR files, which can evade detection and execute upon extraction. The flaw takes advantage of how some extraction tools handle paths and permissions, potentially leading to unauthorized access and execution. Users are advised to update their software and exercise caution with untrusted compressed files to mitigate the risk of such attacks.
You can read the full article here
Cyber Resilience ā Defence-in-depth principles. Winner of Best Cyber Book of the Year at the Real Cyber Awards 2023.
Understand how information security standards can improve your organization’s security and set it apart from competitors with this introduction to the 2022 updates of ISO 27001 and ISO 27002.
Previous posts on malwares
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot |
Nov 15 2024
Law Enforcement Deanonymizes Tor Users
The German police haveĀ successfully deanonymizedĀ at least four Tor users. It appears they watch known Tor relays and known suspects, and use timing analysis to figure out who is using what relay.
Tor: From the Dark Web to the Future of Privacy
Nov 15 2024
What does it mean to live in a world where IoT devices can be weaponized
The blog post discusses Israel’s sabotage of Hezbollahās communication devices, including pagers and walkie-talkies. This operation aimed to disrupt Hezbollahās capabilities by modifying these devices to malfunction or reveal information, impacting their command structure and operational security. The post highlights the technical and intelligence challenges in carrying out such operations, emphasizing the complex interplay of cyber and electronic warfare. It also underlines the broader implications for national security, showcasing how these tactics reflect evolving methods in modern conflict, blending physical and cyber tactics.
The piece warns that while technological innovation can push boundaries, not every potential application should be realized. The ethics of technology hinge on its use; what can be a safety patch might easily become an exploit. The advent of weaponized everyday items, like modified batteries, raises significant concerns. While spy agencies may have conceived such tactics, their widespread adoption could enable lesser actors, from gangs to rogue manufacturers, to replicate and deploy them. Immediate global condemnation is essential to prevent the normalization of such dangerous practices in civilian life.
Per statement:I fear that if we do not universally and swiftly condemn the practice of turning everyday gadgets into bombs, we risk legitimizing a military technology that can literally bring the front line of every conflict into your pocket, purse or home.
James Bond used to utilize similar technologies in popular movie where innocent things were turned into deadly weapon.
And no doubt āit is too easy for weaker adversaries to copy the idea and justify its re-deployment in an asymmetric and devastating retaliation.ā
Changes in warfare driven by IoT weapons, logistics, and systems – IoT for Defense and National Security
Previous posts on IoT security
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot
Nov 13 2024
How CISOs Can Drive the Adoption of Responsible AI Practices
Amid the rush to adopt AI, leaders face significant risks if they lack an understanding of the technology’s potential cyber threats. A PwC survey revealed that 40% of global leaders are unaware of generative AI’s risks, posing potential vulnerabilities. CISOs should take a leading role in assessing, implementing, and overseeing AI, as their expertise in risk management can ensure safer integration and focus on AIās benefits. While some advocate for a chief AI officer, security remains integral, emphasizing the CISOās/ vCISO’S strategic role in guiding responsible AI adoption.
CISOs are crucial in managing the security and compliance of AI adoption within organizations, especially with evolving regulations. Their role involves implementing a security-first approach and risk management strategies, which includes aligning AI goals through an AI consortium, collaborating with cybersecurity teams, and creating protective guardrails.
They guide acceptable risk tolerance, manage governance, and set controls for AI use. Whether securing AI consumption or developing solutions, CISOs must stay updated on AI risks and deploy relevant resources.
A strong security foundation is essential, involving comprehensive encryption, data protection, and adherence to regulations like the EU AI Act. CISOs enable informed cross-functional collaboration, ensuring robust monitoring and swift responses to potential threats.
As AI becomes mainstream, organizations must integrate security throughout the AI lifecycle to guard against GenAI-driven cyber threats, such as social engineering and exploitation of vulnerabilities. This requires proactive measures and ongoing workforce awareness to counter these challenges effectively.
āAI will touch every business function, even in ways that have yet to be predicted. As the bridge between security efforts and business goals, CISOs serve as gatekeepers for quality control and responsible AI use across the business. They can articulate the necessary ground for security integrations that avoid missteps in AI adoption and enable businesses to unlock AI’s full potential to drive better, more informed business outcomes.āÆā
You can read the full article here
CISOs play a pivotal role in guiding responsible AI adoption to balance innovation with security and compliance. They need to implement security-first strategies and align AI goals with organizational risk tolerance through stakeholder collaboration and robust risk management frameworks. By integrating security throughout the AI lifecycle, CISOs/vCISOs help protect critical assets, adhere to regulations, and mitigate threats posed by GenAI. Vigilance against AI-driven attacks and fostering cross-functional cooperation ensures that organizations are prepared to address emerging risks and foster safe, strategic AI use.
Need expert guidance? Book a free 30-minute consultation with a vCISO.
The CISO’s Guide to Securing Artificial Intelligence
Hackers will use machine learning to launch attacks
To fight AI-generated malware, focus on cybersecurity fundamentals
4 ways AI is transforming audit, risk and compliance
AI security bubble already springing leaks
Could APIs be the undoing of AI?
The Rise of AI Bots: Understanding Their Impact on Internet Security
How to Address AI Security Risks With ISO 27001
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot
Nov 09 2024
Veeam Backup & Replication exploit reused in new Frag ransomware attack
A critical vulnerability (CVE-2023-27532) in Veeam Backup & Replication software is being actively exploited by a new ransomware group known as FRAG. This flaw allows unauthorized attackers to access backup infrastructure and steal sensitive data, which can lead to double extortion tactics. The FRAG ransomware gang has been observed leveraging this flaw to gain initial access to networks before encrypting data and demanding ransom payments.
Key points include:
- The vulnerability enables access by exposing credential information in plaintext.
- Attackers use this as a foothold to compromise the broader infrastructure.
- Users are strongly urged to patch Veeam installations to prevent exploitation.
The post highlights the importance of updating security measures to defend against such targeted ransomware campaigns.
Would you like more technical details on the vulnerability or defensive steps?
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot
Nov 08 2024
Multiple Vulnerabilities in the Mazda In-Vehicle Infotainment (IVI) System
The Zero Day Initiative (ZDI) blog discusses a series of critical vulnerabilities found in the Mazda in-vehicle infotainment (IVI) system. These vulnerabilities were identified by researcher Daan Keuper of Computest and were presented at the Pwn2Own 2023 Toronto contest. The IVI system in question, the Mazda Connect, is used in various models of Mazda vehicles and includes components such as a digital dashboard, navigation tools, and multimedia controls.
The vulnerabilities, categorized as command injection flaws, can be exploited to gain unauthorized access to the IVI system’s operating environment. This type of attack could allow an attacker to execute arbitrary commands, potentially leading to the compromise of vehicle control features and the personal data stored within the system. The issues stem from insufficient input validation within the system’s software components, allowing for external manipulation through crafted network packets or other entry points.
Mazda was notified of these findings as part of the responsible disclosure process. The company has since taken steps to release updates and patches to mitigate the identified vulnerabilities. However, as with many vehicle security flaws, there is concern about how quickly end-users and dealerships will apply these updates, highlighting the importance of prompt and widespread adoption of security patches.
The blog emphasizes the need for automotive manufacturers to integrate stronger security protocols within their software development life cycle. It also advocates for the broader automotive industry to prioritize cybersecurity measures as cars become more connected and software-reliant. The post closes with a call to action for car owners to remain vigilant about software updates and for manufacturers to enhance the robustness of their systems against potential threats.
For more detail on these evolving threats,Ā you can read full article
InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat bot
Nov 06 2024
Hackers will use machine learning to launch attacks
The article on CSO Online covers how hackers may leverage machine learning for cyber attacks, including methods like automating social engineering, enhancing malware evasion, launching advanced spear-phishing, and creating adaptable attack strategies that evolve with new data. Machine learning could also help attackers mimic human behavior to bypass security protocols and tailor attacks based on behavioral analysis. This evolving threat landscape underscores the importance of proactive, ML-driven security defenses.
The article covers key ways hackers could leverage machine learning to enhance their cyberattacks:
- Sophisticated Phishing: Machine learning enables attackers to tailor phishing emails that feel authentic and personally relevant, making phishing even more deceptive.
- Exploit Development: AI-driven tools assist in uncovering zero-day vulnerabilities by automating and refining traditional techniques like fuzzing, which involves bombarding software with random inputs to expose weaknesses.
- Malware Creation: Machine learning algorithms can make malware more evasive by adapting to the targetās security measures in real time, allowing it to slip through defenses.
- Automated Reconnaissance: Hackers use AI to analyze massive data sets, such as social media profiles or organizational networks, to find weak points and personalize attacks.
- Credential Stuffing and Brute Force: AI speeds up credential-stuffing attacks by automating the testing of large sets of stolen credentials against a variety of online platforms.
- Deepfake Phishing: AI-generated audio and video deepfakes can impersonate trusted individuals, making social engineering attacks more convincing and difficult to detect.
For more detail on these evolving threats, you can read the full article on CSO Online.
InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat bot
Nov 06 2024
Cybersecurity: Key Information You Need to Know
Cybersecurity involves technologies, processes, and measures aimed at safeguarding systems, networks, and data from cyber threats. A strong cybersecurity strategy minimizes the risk of attacks and prevents unauthorized access to systems, networks, and technologies.
Cybersecurity focuses on protecting computer systems from unauthorized access, damage, or events that would make them inaccessible.
People:
It is important that all staff are informed about how to identify and avoid common cyber threats, and for those responsible for the technical aspects of cybersecurity to keep up to date with the latest skills and qualifications.
Processes:
Processes are crucial in defining how the organizationās activities, roles, and documentation are used to mitigate the risks to the organizationās information. Cyber threats change quickly, so processes need to be continually reviewed to ensure you stay ahead.
Technology:
To mitigate cyber risks, you must first identify what risks your organization faces. From there, you can implement technological controls. Technology can be used to prevent or reduce the impact of cyber risks, depending on your risk assessment and the level of risk you consider acceptable.
Why is cybersecurity important?
- The cost of cybersecurity breaches is risingEmerging privacy laws can mean significant fines for organizations. There are also non-financial costs to consider, like reputational damage.
- Cyber attacks are increasingly sophisticated Cyber attacks continue to grow in sophistication. Attackers use an ever-expanding variety of tactics, including social engineering, malware, and ransomware.
Types of cybersecurity threats
Phishing
Phishing is a method of social engineering used to trick people into divulging sensitive or confidential information, often via email. These scams are not always easy to distinguish from genuine messages, and can inflict enormous damage on organizations.
Train your staff how to spot and avoid phishing attacks
Social engineering
Social engineering is used to deceive and manipulate victims into providing information or access to their computer. This is achieved by tricking users into clicking malicious links or opening malicious files, or by the attacker physically gaining access to a computer through deception.
Malware
Malware is short for āmalicious software.ā It can take the form of viruses, worms, Trojans, and other types of malicious code. Malware can be used to steal personal information, destroy data, and take control of computers.
Ransomware attacks
Ransomware is a form of malware that encrypts victimsā information and demands payment in return for the decryption key. Paying a ransom does not necessarily guarantee that you will be able to recover the encrypted data.
cyber secure today!
What is Cybersecurity ? : FAST/FOR BEGINNERS
InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat bot
« Previous Page — Next Page »
