InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
The ever-changing topography of cyberspace keeps surfacing new security flaws. One of them, now tracked as CVE-2023-34000 with a CVSS score of 7.5, has been found in the WooCommerce Stripe Gateway plugin, prompting an urgent call to action for site administrators and security teams alike. Built by WooCommerce and active on more than 900,000 sites, the plugin is widely used for taking payments directly on web and mobile storefronts: customers complete their purchase without ever leaving the shop, so no externally hosted checkout page is needed.
Beneath that surface functionality, however, sits an unauthenticated Insecure Direct Object Reference (IDOR) vulnerability. Unpatched, it lets a visitor who has not logged in at all retrieve highly sensitive Personally Identifiable Information (PII) tied to any WooCommerce order: the buyer's full name, email address and postal address.
The trail leads to the plugin's "javascript_params" function. Its code reads an "order_id" value from the request's query parameters, loads the corresponding order object, and extracts customer details and addresses from it. Nowhere in that path does it check that the requester actually owns the order, so the order is loaded and its details returned for whatever "order_id" is supplied. Researchers found that the "payment_scripts" function can be made to call "javascript_params", and that the result is handed to the front end as a JavaScript object through "wp_localize_script". The net effect is that a request for the site's homepage carrying an "order_id" parameter causes that order's PII to be emitted into the page source, where anyone can read it.
Further examination turned up a second instance of the same flaw in the "payment_fields" method. Like the "javascript_params" case, it performs no order ownership verification, and the outcome is the same: the order's billing email address and the buyer's full name are exposed to the front end.
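To make the missing ownership check concrete, here is an added Python model of the order-lookup pattern described above. It is not the plugin's PHP and calls no WooCommerce API; the order store, the customer IDs and the `key` parameter (standing in for the per-order key WooCommerce hands a buyer in the order-received URL) are constructed for this illustration. The vulnerable function returns PII for any `order_id`; the hardened one releases it only to the order's logged-in customer or, for a guest order, to a caller presenting the matching order key.

```python
"""Order-lookup pattern behind the IDOR described above, modelled in Python.

Added example: this is not the plugin's PHP and calls no WooCommerce API. The order
store, the customer IDs and the 'key' parameter are constructed for illustration.
"""
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int   # 0 marks a guest checkout with no account, as WooCommerce does
    order_key: str     # per-order secret the buyer receives, e.g. in the order-received URL
    full_name: str
    email: str
    address: str


# Constructed sample orders: one placed by a registered customer (ID 7), one by a guest.
ORDERS = {
    101: Order(101, 7, "wc_order_a1b2c3", "Alice Example", "alice@example.test", "1 Main St"),
    102: Order(102, 0, "wc_order_d4e5f6", "Bob Guest", "bob@example.test", "2 Side Rd"),
}


def _load_order(query: dict):
    """Shared prefix: read order_id from the query string and look the order up."""
    try:
        order_id = int(query.get("order_id", 0))
    except (TypeError, ValueError):
        return None
    return ORDERS.get(order_id)


def _order_pii(order: Order) -> dict:
    return {"full_name": order.full_name, "email": order.email, "address": order.address}


def javascript_params_vulnerable(query: dict, current_user_id: int) -> dict:
    """The flaw: whatever order_id arrives, the order is loaded and its details returned.
    current_user_id is accepted but never consulted, so an anonymous visitor (ID 0) gets
    exactly the same data as the buyer."""
    order = _load_order(query)
    if order is None:
        return {}
    return _order_pii(order)


def javascript_params_fixed(query: dict, current_user_id: int) -> dict:
    """Hardened form: an order placed by a registered customer is shown only to that
    logged-in customer; a guest order is shown only to a caller presenting the order key,
    compared in constant time. Everything else gets an empty payload."""
    order = _load_order(query)
    if order is None:
        return {}
    if order.customer_id != 0:
        if current_user_id != order.customer_id:
            return {}
    else:
        supplied_key = str(query.get("key", ""))
        if not hmac.compare_digest(supplied_key.encode(), order.order_key.encode()):
            return {}
    return _order_pii(order)
```

The vulnerable and fixed versions share the same lookup; the only difference is the ownership gate, which is exactly what the patched plugin had to add. Note that the fixed version also returns an empty payload for unknown or malformed order IDs rather than an error, so an attacker cannot enumerate valid order numbers from the response.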
Research recently published by Vulcan Cyber shows that attackers can use ChatGPT to push harmful packages into development environments with little effort.
In a blog post, the Vulcan Cyber researchers describe a novel propagation method they dubbed "AI package hallucination." The idea grew out of the observation that ChatGPT and other generative AI systems sometimes answer with fabricated sources, links, blog posts and data. Large language models (LLMs) like ChatGPT produce "hallucinations": URLs, references, and even whole code libraries and functions that do not exist. According to the researchers, ChatGPT will even produce dubious patches for CVEs and, in this case, point to code libraries that were never published.
If ChatGPT recommends packages that do not exist, attackers can exploit those hallucinations to distribute malicious packages without resorting to the usual tactics such as typosquatting or masquerading, the Vulcan Cyber researchers note. "Those techniques are suspicious and already detectable," they write. If, however, an attacker publishes a package under the "fake" name ChatGPT keeps suggesting, the next developer who follows the suggestion will download and install the attacker's code.
This attack approach shows how easy it has become for threat actors to use ChatGPT as a tool in an attack. Expect more risks of this kind from generative AI, and expect similar techniques to be used in the wild; the technology is still in its infancy, so this is only the beginning, and research will likely surface many more findings in the months and years to come. Organizations should never download and run code they do not understand and have not evaluated. That applies to code from open-source GitHub repositories and, now, to ChatGPT suggestions: every dependency or snippet destined for execution should get a security review, and teams should keep vetted, private copies of the code they rely on rather than pulling it fresh from a public registry.
ChatGPT is merely the delivery channel here; compromising a supply chain through shared or imported third-party libraries is not new. The defence is the same as it has always been: secure coding practices, plus thorough testing and review of any code bound for production.
According to experts, "the ideal scenario is that security researchers and software publishers can also make use of generative AI to make software distribution more secure". The industry is in the early phases of using generative AI for both attack and defence.
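As an added example (not Vulcan Cyber's code, nor any tooling the post describes), the Python below runs the kind of pre-install check the previous paragraph calls for over a constructed requirements file: every name an assistant suggested is normalized, then compared against a vetted allowlist and a snapshot of registry metadata. A name that is published nowhere is a hallucination and must never be installed (nor created, since that is exactly the hole an attacker fills); a real package that appeared days ago with a single release matches the profile of a squatted hallucination and is flagged suspicious; an established package outside the allowlist simply goes to review. The package names, dates, snapshot date and allowlist are all constructed; a real implementation would pull the metadata from the registry API.

```python
"""Pre-install triage of assistant-suggested dependencies (added example, constructed data)."""
import datetime as dt
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PackageMeta:
    first_upload: dt.date   # date of the earliest release on the registry
    release_count: int      # number of releases ever published


# Constructed registry snapshot. A real check would pull this from the registry, for
# example the per-release upload times in https://pypi.org/pypi/<name>/json.
REGISTRY = {
    "requests": PackageMeta(dt.date(2011, 2, 14), 150),
    "cryptography": PackageMeta(dt.date(2014, 1, 1), 100),
    # Hypothetical package registered days before the snapshot with one release: the
    # profile an attacker squatting a hallucinated name would have.
    "fastjsonutils": PackageMeta(dt.date(2023, 6, 15), 1),
}
SNAPSHOT_DATE = dt.date(2023, 6, 20)   # constructed "today" for the snapshot above

# Hypothetical vetted allowlist: packages the team has already reviewed and mirrored.
ALLOWLIST = {"requests", "cryptography"}

# Constructed requirements file as an assistant might emit it.
SAMPLE_REQUIREMENTS = """\
# generated by an assistant
requests==2.31.0
fastjsonutils>=0.1
helperlib-ai ; python_version >= "3.8"
"""

# A project name ends at the first version operator, extra marker, env marker or space.
_SPEC_BOUNDARY = re.compile(r"[<>=!~\[;\s]")


def normalize_name(raw: str) -> str:
    """Canonical project name as PyPI compares it: lowercase, runs of -_. collapsed to '-'."""
    return re.sub(r"[-_.]+", "-", raw.strip().lower())


def parse_requirements(text: str) -> list[str]:
    """Extract normalized project names, ignoring comments, blanks, version specs and markers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(normalize_name(_SPEC_BOUNDARY.split(line, 1)[0]))
    return names


def triage(name: str, registry: dict, allowlist: set, today: dt.date,
           young_days: int = 90, thin_releases: int = 2) -> str:
    """Verdict for one suggested package: approved, hallucinated, suspicious or review."""
    if name in allowlist:
        return "approved"
    meta = registry.get(name)
    if meta is None:
        return "hallucinated"   # published nowhere: do not install, and do not create it either
    age_days = (today - meta.first_upload).days
    if age_days < young_days or meta.release_count <= thin_releases:
        return "suspicious"     # real, but young or thin enough to be a squatted hallucination
    return "review"             # real and established, just not vetted yet


def triage_requirements(text: str, registry: dict = REGISTRY, allowlist: set = ALLOWLIST,
                        today: dt.date = SNAPSHOT_DATE) -> dict[str, str]:
    """Map every project name in a requirements file to its verdict."""
    return {name: triage(name, registry, allowlist, today) for name in parse_requirements(text)}


def run_sample() -> dict[str, str]:
    """Triage of the constructed requirements file against the constructed snapshot."""
    return triage_requirements(SAMPLE_REQUIREMENTS)
```

Wire a check like this into the step that installs dependencies in CI, and fail the build on any "hallucinated" or "suspicious" verdict; the thresholds (90 days, two releases) are starting points to tune against the registries you actually use.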
In today's rapidly evolving digital landscape, organizations face constant cyber threats that can compromise sensitive data, disrupt operations, and damage their reputation. Staying informed about current attacks and effective protection methods is crucial.
This list of free cybersecurity whitepapers, none of which requires registration, covers a range of common cyber risks (ransomware, DDoS attacks, social network account hijacking) as well as the risks emerging from new technologies such as generative AI (GenAI) and large language models (LLMs).
MS-ISAC guide to DDoS attacks
The Multi-State Information Sharing and Analysis Center (MS-ISAC) has published a guide to denial of service (DoS) and distributed denial of service (DDoS) attacks. A DoS attack aims to overwhelm a system so that its intended users cannot reach it; a DDoS attack pursues the same goal from many sources at once.
These attacks deplete network, application, or system resources, leading to issues such as network slowdowns, application crashes, and server failures. The MS-ISAC guide examines various techniques employed by cyber threat actors (CTAs) to execute successful DDoS attacks. The guide also provides recommendations for defending against these types of attacks.
Ransomware has become one of the most concerning types of attacks. To be able to effectively tackle these attacks, IT professionals and managed services providers need to be prepared to respond quickly and appropriately.
The first step towards readiness lies in acquiring a comprehensive understanding of the primary issues and possible pitfalls that can significantly impact the outcome.
This whitepaper from N-able offers insight into one of the most common and most damaging types of attack and the mistakes organizations frequently make when trying to limit its effects.
To establish a robust and successful security program for industrial control systems (ICS) or operational technology (OT), a combination of five cybersecurity controls can be employed.
This SANS whitepaper points out these controls, empowering organizations to customize and implement them according to their specific environment and risk factors.
Rather than being overly prescriptive, these controls prioritize outcomes, ensuring flexibility and adaptability. Moreover, they are informed by intelligence-driven insights derived from the analysis of recent breaches and cyberattacks in industrial companies worldwide.
How to identify the cybersecurity skills needed in the technical teams in your organization
To keep an organization safe from information security threats, it is essential to understand the cybersecurity skills gaps within its IT and InfoSec teams. Pinpointing these deficiencies, and prioritizing skills according to specific job roles, is crucial to improving the company's protection.
This whitepaper from Offensive Security concentrates on optimal methods for nurturing internal cybersecurity talent within your technical teams, such as IT, information security, DevOps, or engineering.
The increasing use of GenAI and LLMs in enterprises has prompted CISOs to assess the associated risks. While GenAI offers numerous benefits in improving various daily tasks, it also introduces security risks that organizations need to address.
This whitepaper from Team8 aims to provide information on these risks and recommended best practices for security teams and CISOs, as well as encourage community involvement and awareness on the subject.
Traditional methods of data security and threat protection are inadequate in the face of evolving applications, users, and devices that extend beyond the corporate perimeter.
Legacy security approaches struggle to adapt to the hybrid work model, leading to visibility issues, conflicting configurations, and increased risks. To address these challenges, organizations need to update their risk mitigation strategies.
Remote browser isolation (RBI) technology offers a promising solution by separating internet browsing from local browsers and devices. However, traditional RBI approaches have limitations such as high costs, performance issues, and security vulnerabilities caused by deployment gaps.
This Cloudflare whitepaper examines the causes and consequences of these challenges, and shows how to approach browser isolation to tackle these common issues.
S1 deload stealer: Exploring the economics of social network account hijacking
Social networks have become an essential part of our lives, but they have also been exploited by criminals. Threat actors have been using legitimate social media accounts to engage in illegal activities, such as extortion and manipulating public opinion for influencing elections.
Financially motivated groups have also employed malvertising and spam campaigns, as well as operated automated content-sharing platforms, to increase revenue or sell compromised accounts to other malicious individuals.
This whitepaper from Bitdefender highlights an ongoing malware distribution campaign that abuses social media by hijacking users' Facebook and YouTube accounts.
Building a budget for an insider threat program
To gain support from top-level executives when planning to implement a purpose-built insider threat solution, the value of the solution needs to be linked not just to reducing risks but also to providing additional business benefits.
The business case should show how an insider threat program can result in immediate cost savings, allow security resources to be allocated to other important projects in the future, and ultimately promote collaboration, productivity, and innovation.
This Code42 whitepaper provides a strategy for security teams to create a convincing business case.
The case for threat intelligence to defend against advanced persistent threats
Organizations are encountering an increasingly serious challenge posed by advanced persistent threats (APTs). Those responsible for managing business risk recognize that it is impossible to completely prevent such threats. Instead, the focus is on implementing defensive measures and utilizing threat intelligence to improve the chances of detecting attacks and reducing risk to an acceptable level.
Rather than fixating on the inevitability of being hacked, the emphasis is placed on minimizing the occurrence of attacks and efficiently identifying and responding to them, to mitigate their impact on the business.
This Cyberstash whitepaper examines the effectiveness and cost of threat intelligence in strengthening the security industry's defensive capabilities against APTs.
An essential aspect of organizational operations is responding to and recovering from a disruptive event, commonly called disaster recovery (DR).
The primary objective of DR is to restore critical systems and IT infrastructure to service after a disaster. To prepare for such scenarios, organizations assess their systems and write a formal document that serves as a guiding framework in a crisis: the disaster recovery plan.
In this Help Net Security video, Chris Groot, General Manager of Cove Data Protection at N-able, discusses the challenges enterprise CISOs face with disaster recovery.
Vulnerability scanners are among the essential tools of an IT department: new vulnerabilities appear every day, and each one left unaddressed is a loophole an attacker can use.
Vulnerability scanning tools detect security weaknesses in applications, operating systems, hardware, and network systems.
Attackers are actively looking for these weaknesses. Vulnerabilities in a network need to be identified and fixed promptly to keep attackers at bay.
What do Vulnerability Scanner Tools do?
Vulnerability scanners are one sound way to do this. Through continuous, automated scanning they sweep the network for potential weaknesses.
Whether the asset is internet-facing or an internal device, they help IT departments identify the vulnerability and fix it, manually or automatically.
Vulnerability scanning tools take two different approaches: authenticated and unauthenticated scans.
An unauthenticated scan probes the target the way an outside attacker would, without credentials or trusted access to the corporate network; it helps organizations find the loopholes that would let an attacker penetrate the system without trusted permissions. An authenticated scan logs in with valid credentials and can therefore also see patch levels, configuration, and installed software that are invisible from the outside.
What are the Three types of Vulnerability Scanners?
The following are the types of vulnerability scanners:
Discovery Scanning
Full Scanning
Compliance Scanning
What is an example of a Vulnerability Scanner?
A good web vulnerability scanner should allow you to perform both authenticated and unauthenticated scans so that network vulnerabilities can be found and eliminated.
In this article, we'll take a look at the top 10 vulnerability scanning tools on the market.
Chief Information Security Officers (CISOs) hold a critical and challenging role in today's rapidly evolving cybersecurity landscape. Here are the common security challenges CISOs face.
As organizations increasingly rely on technology to drive their operations, CISOs face complex security challenges that demand their expertise and strategic decision-making.
These challenges arise from the constant emergence of sophisticated cyber threats, the need to protect sensitive data, and the ever-evolving regulatory landscape.
The role of a CISO requires balancing proactive risk mitigation with the ability to respond swiftly to incidents and breaches.
This article will delve into the top challenges CISOs face, including protecting digital assets, managing security incidents, ensuring compliance, dealing with insider threats, and the relentless pursuit of cyber resilience.
By understanding these challenges, CISOs can develop robust cybersecurity strategies and lead their organizations toward a secure and resilient future.
Who is a CISO?
A Chief Information Security Officer (CISO) is a senior executive responsible for overseeing and administering an organization's information security plan.
A CISO's primary responsibility is safeguarding the confidentiality, integrity, and availability of an organization's information assets and systems.
They are accountable for creating and enforcing strategies, policies, and procedures to defend against cyber threats, protect sensitive data, and mitigate security risks.
CISOs play a crucial role in maintaining an organization's security posture by establishing and enforcing security standards, conducting risk assessments, and implementing appropriate security controls.
They collaborate with other executives, IT teams, and stakeholders to align security initiatives with business objectives and ensure that security measures are integrated into the organization's operations.
In addition to their technical expertise, CISOs often engage in risk management, incident response planning, security awareness training, and compliance with regulatory requirements.
They stay updated on the latest cybersecurity trends, threats, and technologies to address emerging risks and implement appropriate security measures effectively.
The role of a CISO has become increasingly important as cyber threats evolve in complexity and frequency.
CISOs are responsible for safeguarding the organization's sensitive information, maintaining the trust of customers and stakeholders, and ensuring business continuity in the face of cybersecurity challenges.
What are the Roles and Responsibilities of a CISO?
Developing and Implementing Information Security Strategy: The CISO is responsible for developing and implementing an overarching information security strategy aligned with the organization's business objectives. This includes setting security goals, defining security policies and procedures, and establishing risk management frameworks.
Leading the Security Team: The CISO manages and provides leadership to the security team, including hiring, training, and supervising security personnel. They ensure the team has the necessary skills, resources, and support to carry out their responsibilities effectively.
Overseeing Security Operations: The CISO oversees day-to-day security operations, including incident response, vulnerability management, threat intelligence, and security monitoring. They ensure appropriate controls, technologies, and processes are in place to protect the organization's assets.
Risk Management: The CISO is responsible for identifying and assessing security risks to the organizationâs information systems and assets. They develop and implement risk management strategies to safeguard critical data and systems, including risk mitigation, transfer, and acceptance.
Compliance and Regulatory Requirements: The CISO ensures that the organization complies with relevant security regulations, industry standards, and legal requirements. They stay updated on emerging regulations and ensure appropriate controls and processes are in place to meet compliance obligations.
Security Incident Response: The CISO leads the organizationâs response to security incidents, including data breaches, malware attacks, and other security breaches. They establish incident response plans, coordinate efforts, and collaborate with relevant stakeholders, such as legal, PR, and law enforcement agencies.
Security Awareness and Training: The CISO promotes a culture of security awareness throughout the organization. They develop and deliver security awareness programs and training initiatives to educate employees on security best practices and minimize human-related security risks.
Vendor and Third-Party Risk Management: The CISO assesses and manages security risks associated with third-party vendors and partners. They establish vendor security requirements, conduct due diligence, and monitor compliance with security standards and contractual obligations.
Security Governance and Reporting: The CISO provides regular reports and updates on the organizationâs security posture to executive management, board members, and other relevant stakeholders. They ensure that security metrics and key performance indicators (KPIs) are established to measure the effectiveness of security programs.
Incident Investigation and Forensics: In the event of security incidents, the CISO oversees the investigation and forensic analysis to identify the root cause, assess the impact, and prevent future occurrences. As required, they collaborate with internal and external resources, such as forensic experts and law enforcement agencies.
Security Challenges CISOs Face
CISOs face a range of common security challenges as they work to protect their organizations' digital assets and information. Some of the key challenges they encounter include:
Sophisticated Cyberattacks: CISOs must defend against increasingly sophisticated cyber threats, including advanced persistent threats (APTs), ransomware attacks, social engineering, and zero-day exploits. These attacks can bypass traditional security measures and require constant vigilance and adaptive security strategies.
Insider Threats: CISOs need to address the risks posed by insiders, including employees, contractors, or partners who have authorized access to systems and data. Insider threats can involve accidental data breaches, negligence, or malicious intent, requiring a balance between enabling productivity and implementing controls to prevent unauthorized access or data leakage.
Compliance and Regulatory Requirements: CISOs must ensure their organizations comply with industry-specific regulations, such as GDPR, HIPAA, PCI DSS, or SOX, and evolving privacy laws. Navigating complex compliance requirements and maintaining a robust security posture to meet these standards can be a significant challenge.
Cloud Security: As organizations increasingly adopt cloud services and infrastructure, CISOs must address the unique security challenges associated with cloud computing. This includes securing data stored in the cloud, managing access controls, and ensuring the security of cloud service providers (CSPs) and their environments.
Security Skills Gap: CISOs often cannot find enough skilled cybersecurity professionals. The industry's rapid growth and the evolving threat landscape have created high demand for cybersecurity talent, making it hard to recruit and retain qualified staff.
Third-Party Risk: Organizations rely on third-party vendors and suppliers, introducing potential security risks. CISOs must assess the security posture of third parties, establish contractual security obligations, and monitor their adherence to security standards to mitigate the risk of breaches through these external connections.
Security Awareness and Training: Human error remains a significant factor in cybersecurity incidents. CISOs must promote a strong security culture, provide regular training and awareness programs, and educate employees about cybersecurity best practices to minimize the risk of social engineering, phishing attacks, and other user-related vulnerabilities.
Incident Response and Recovery: CISOs must develop and test robust incident response plans to manage and recover from security incidents effectively. This involves identifying and containing breaches, conducting forensic investigations, and implementing remediation measures to minimize the impact and prevent future incidents.
Emerging Technologies: Adopting technologies like the Internet of Things (IoT), artificial intelligence (AI), and blockchain introduces new security challenges. CISOs must understand the security implications of these technologies, assess risks, and implement appropriate controls to protect against potential vulnerabilities and attacks.
Budget and Resource Constraints: CISOs often face budget limitations and the need to prioritize security initiatives. Balancing the allocation of resources to address immediate security needs while investing in long-term security capabilities can be a significant challenge.
What Security Compliance Frameworks Should a CISO Follow?
As a Chief Information Security Officer (CISO), there are several security compliance frameworks and regulations that you should consider following, depending on the nature of your organization and its operations. Here are some of the key security compliance frameworks and regulations:
General Data Protection Regulation (GDPR): If your organization deals with the personal data of individuals in the European Union (EU), GDPR sets requirements for the protection, processing, and transfer of personal data. It includes principles for data minimization, consent, data breach notification, and the rights of individuals.
Payment Card Industry Data Security Standard (PCI DSS): PCI DSS applies to organizations that handle credit card information. It sets requirements for securing payment card data, including network security, encryption, access controls, and regular vulnerability assessments.
Health Insurance Portability and Accountability Act (HIPAA): HIPAA applies to organizations in the healthcare industry that handle protected health information (PHI). It establishes requirements for the privacy and security of PHI, including access controls, encryption, risk assessments, and breach notification.
Sarbanes-Oxley Act (SOX): SOX applies to publicly traded companies in the United States. It sets requirements for financial reporting and establishes controls and processes to ensure the accuracy and integrity of financial statements. While not solely focused on security, it includes provisions for protecting financial data.
National Institute of Standards and Technology (NIST) Cybersecurity Framework: The NIST Cybersecurity Framework provides guidelines and best practices for managing cybersecurity risk, organized around the core functions Identify, Protect, Detect, Respond, and Recover. It covers risk assessment, security controls, incident response, and continuous monitoring.
ISO 27001: ISO 27001 is an international standard that provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It covers various aspects of information security, including risk management, access controls, incident management, and security awareness.
Federal Information Security Management Act (FISMA): FISMA applies to U.S. federal agencies and sets requirements for securing federal information and systems. It mandates risk assessments, security controls, incident response planning, and continuous monitoring.
Challenges CISOs Face in Managing the Security Team
Managing a security team as a Chief Information Security Officer (CISO) requires effective leadership, communication, and coordination. Here are some key aspects to consider when managing a security team:
Establish Clear Roles and Responsibilities: Clearly define the roles and responsibilities of each team member to ensure everyone understands their specific duties and areas of expertise. This clarity helps streamline operations and avoid confusion.
Set Goals and Objectives: Define strategic goals and objectives for the security team aligned with the organization's overall security strategy. Communicate these goals to the team and regularly track progress to ensure everyone is working towards the same objectives.
Provide Guidance and Mentorship: Offer team members guidance, mentorship, and professional development opportunities. Encourage skill development, certifications, and staying up-to-date with the latest security trends and technologies. Support team members in their career growth.
Foster Collaboration and Communication: Promote a collaborative and open communication culture within the team. Encourage knowledge sharing, cross-functional collaboration, and effective communication channels. Regular team meetings, brainstorming sessions, and updates are valuable for aligning efforts.
Support Decision-Making: Empower team members to make decisions within their areas of responsibility. Provide guidance and support when needed, but encourage autonomy and ownership in decision-making. Foster an environment where team members feel comfortable taking calculated risks.
Establish Incident Response Procedures: Develop clear incident response procedures and ensure the team is well-prepared to handle security incidents effectively. Conduct regular drills, tabletop exercises, and simulations to test and improve the team's incident response capabilities.
Stay Informed and Adapt: Stay up-to-date with the latest security threats, industry trends, and best practices. Encourage continuous learning and professional development for the team. Adapt security strategies and measures as the threat landscape evolves.
Collaborate with Other Departments: Work closely with other departments, such as IT, legal, HR, and executive management, to ensure security initiatives are aligned with business objectives and integrated into overall organizational operations. Build relationships and foster a culture of security awareness throughout the organization.
Regularly Evaluate and Improve: Regularly evaluate the team's performance, processes, and procedures. Collect feedback from team members and stakeholders to identify areas for improvement. Implement changes and adjustments as necessary to enhance the team's effectiveness and efficiency.
Lead by Example: Demonstrate strong leadership skills, integrity, and a commitment to security best practices. Lead by example in adhering to security policies and procedures. Encourage a positive and supportive work environment.
Final Thoughts
CISOs face many common security challenges as protectors of their organizations' digital assets and information.
From sophisticated cyberattacks and insider threats to compliance requirements and resource constraints, these challenges highlight the complex and evolving nature of the cybersecurity landscape.
CISOs must navigate these challenges by adopting a proactive and strategic approach to security, leveraging advanced technologies, fostering a strong security culture, and collaborating with stakeholders.
To overcome these challenges, CISOs must stay abreast of emerging threats, continuously evaluate and improve their security measures, and prioritize investments in critical security capabilities.
They must also foster strong partnerships with internal teams, third-party vendors, and industry peers to collectively address security challenges and share best practices.
While the security challenges CISOs face may seem daunting, they also present opportunities for innovation and growth.
By effectively addressing these challenges, CISOs can enhance their organizations' security posture, safeguard critical assets, and instill confidence in customers and stakeholders.
Ultimately, the role of a CISO requires a comprehensive and adaptable approach to cybersecurity, where staying one step ahead of threats and continuously improving security measures are paramount.
By embracing these challenges, CISOs can help shape a secure and resilient future for their organizations in an increasingly interconnected and threat-filled digital landscape.
Researchers at Eclypsium, a cybersecurity firm that focuses on firmware, reported today that they have found a hidden backdoor-like mechanism in the firmware of motherboards manufactured by the Taiwanese company Gigabyte, whose components are often used in gaming PCs and other high-performance systems. Eclypsium found that whenever a computer with an affected Gigabyte motherboard restarts, code inside the motherboard's firmware silently launches an updater application, which then downloads and runs another piece of software on the machine. The researchers found that this hidden code was built in an unsafe manner, making it possible for the mechanism to be hijacked and used to install malware rather than Gigabyte's intended software.
Although Eclypsium says the hidden code is intended as a harmless utility to keep the motherboard's firmware updated, the researchers determined that the implementation was vulnerable. And because the updater is launched from the computer's firmware rather than from the operating system, it is difficult for users to delete it or even to detect it on their own. In its blog post, the company lists the 271 Gigabyte motherboard models the researchers believe are affected. Users who want to find out which motherboard their computer uses can do so in Windows by opening "Start" and then "System Information."
Gigabyte's updater alone may worry users who don't trust Gigabyte to silently install code on their machine with a nearly invisible tool. Others may be concerned that the mechanism could be exploited by attackers who compromise the motherboard manufacturer and abuse this hidden access in a software supply chain attack. The update process was also designed and built with obvious flaws that leave it open to exploitation: it downloads code to the user's machine without properly authenticating it, and in certain cases it does so over a plain HTTP connection rather than HTTPS. That makes a man-in-the-middle attack possible for anyone who can intercept the user's internet connection, such as the operator of a malicious Wi-Fi network, who could substitute their own payload for the intended download.
Even if Gigabyte releases a fix for the firmware issue (the problem stems from a Gigabyte tool that was intended to automate firmware updates), experts point out that firmware updates frequently fail silently on users' machines, often because of the complexity of the updates themselves and the difficulty of matching the firmware to the hardware.
In other configurations, the updater installed by the mechanism in Gigabyte's firmware is set to download from a local network-attached storage (NAS) device, a feature that appears designed for business networks that want to administer updates without every machine reaching out to the internet. In that case a malicious actor on the same network could spoof the location of the NAS and covertly install their own malware in its place.
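As an added illustration, written for this page and not taken from Gigabyte's updater or from anything Eclypsium published, the following Python contrasts the weak pattern described above (accept any transport, run whatever arrives) with a hardened fetch path: the transport must be TLS, the host must be one the firmware pins, and the downloaded bytes must match a digest from a manifest before anything is executed. The manifest format and field names, the host name, the payload bytes and the ALLOWED_HOSTS set are all constructed assumptions for the example.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed stand-in for the updater binary the firmware would download.
SAMPLE_PAYLOAD = b"MZ\x90\x00 constructed stand-in for an updater executable"

# Constructed manifest; the field names are an assumption for this example.
# In a real updater the manifest itself must carry a vendor signature that
# is verified before any field in it is trusted.
SAMPLE_MANIFEST = json.dumps({
    "version": "1.2.3",
    "url": "https://updates.example.invalid/updater.exe",
    "sha256": hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(),
}).encode()

# Hosts the firmware is allowed to fetch from (assumption: pinned at build time).
ALLOWED_HOSTS = {"updates.example.invalid"}


def fake_download(url):
    """Stand-in for the network: the genuine payload comes back."""
    return SAMPLE_PAYLOAD


def tampered_download(url):
    """Stand-in for an on-path attacker (rogue Wi-Fi, spoofed NAS) swapping the binary."""
    return SAMPLE_PAYLOAD + b"\x00attacker-appended"


def insecure_fetch(url, download):
    """The weak pattern: accept any URL scheme and run whatever arrives.
    Nothing here distinguishes the vendor's binary from a substituted one."""
    return download(url)


def check_source(url):
    """Refuse cleartext transport and any host that is not pinned."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError(f"refusing non-TLS update source: {url}")
    if parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"refusing unpinned update host: {parsed.hostname}")
    return parsed.hostname


def verify_payload(payload, expected_sha256):
    """Authenticate the bytes against the manifest digest (constant-time compare)."""
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError("update payload digest mismatch; refusing to execute")
    return True


def secure_fetch(manifest_bytes, download):
    """Hardened path: validate the source, fetch, authenticate, then hand back
    the payload. Only after this may the updater execute it."""
    manifest = json.loads(manifest_bytes)
    check_source(manifest["url"])
    payload = download(manifest["url"])
    verify_payload(payload, manifest["sha256"])
    return payload


def _rejects(fn, *args):
    """True if fn raises ValueError for these arguments."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def demo():
    """Run each scenario and report the outcome."""
    return {
        "insecure_accepts_tampered": insecure_fetch(
            "http://updates.example.invalid/updater.exe", tampered_download) != SAMPLE_PAYLOAD,
        "secure_accepts_genuine": secure_fetch(SAMPLE_MANIFEST, fake_download) == SAMPLE_PAYLOAD,
        "secure_rejects_tampered": _rejects(secure_fetch, SAMPLE_MANIFEST, tampered_download),
        "rejects_plain_http": _rejects(check_source, "http://updates.example.invalid/updater.exe"),
        "rejects_unpinned_nas": _rejects(check_source, "https://nas.local/updater.exe"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

A digest in a manifest only moves the trust question to the manifest, so in a real updater the manifest must be signed by the vendor and that signature checked first. The check_source step is what defeats both substitution paths described above: a rogue Wi-Fi operator cannot downgrade the transport to HTTP, and a spoofed NAS is refused because its host is not pinned, whatever transport it offers.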
The company has said that it has been collaborating with Gigabyte in order to report its results to the motherboard maker, and that Gigabyte has indicated that it intends to solve the concerns.
Researchers from Tsinghua University and George Mason University have discovered a significant weakness in the network processing unit (NPU) chipsets used in Wi-Fi access points. By exploiting it, attackers can intercept traffic on 89% of real-world Wi-Fi networks.
Hardware acceleration, such as the use of NPU chipsets in Wi-Fi routers, increases the data transmission rate and decreases latency. However, it also creates security problems, because the NPU forwards wireless frames directly, before the access point (AP) router's software can inspect them.
The researchers found the weakness in the wireless frame forwarding mechanism of the NPU. Attackers can exploit it to launch a man-in-the-middle (MITM) attack on a Wi-Fi network without needing a rogue AP, and to intercept a victim's plaintext communication while bypassing link-layer security such as WPA3. The team's paper has been accepted for presentation at the 2023 IEEE Symposium on Security and Privacy.
The scenario depicted in the paper's figure is one in which an attacker and a victim supplicant are both connected to the same Wi-Fi network in order to access Internet services. Imagine that you have completed the phone authentication process and can now use the Wi-Fi network at Starbucks. The network uses WPA2 or WPA3, and each supplicant's session with the AP router is protected by its own Pairwise Transient Key (PTK).
The researchers found that these security mechanisms can be readily evaded, giving the attacker the ability to read the plaintext of the victim supplicant's traffic. The attacker impersonates the AP by spoofing its source IP address and sends the victim supplicant an ICMP redirect message (an ICMP error message with type value 5).
Because it is built for performance, the NPU in the AP router (for example, the Qualcomm IPQ5018 or the HiSilicon Gigahome Quad-core) immediately forwards the bogus ICMP redirect it has received to the victim supplicant. On receiving it, the victim supplicant is tricked into updating its routing cache, replacing the next hop toward the server with the attacker's IP address. From then on, IP packets that were meant for the server are routed to the attacker at the IP layer, and the attacker can relay them on to their real destination. The MITM attack is thus carried out without any rogue AP, and the attacker can invisibly intercept and modify the victim supplicant's traffic.
Both Qualcomm and HiSilicon have confirmed that their NPUs are affected by the vulnerability, which prevents AP devices from blocking forged ICMP redirect packets. Qualcomm has assigned it the identifier CVE-2022-25667.
The paper proposes two mitigations. First, access points should detect and block maliciously constructed ICMP redirects: if a message carries clearly illegitimate features (for instance, its source IP address is the AP's own address, so only the AP itself could legitimately have generated it), the AP should discard it as soon as it is detected. This depends on a collaborative effort by both the NPU chip makers and the AP vendors. Second, supplicants should check the ICMP messages they receive more carefully: a supplicant can detect forged ICMP redirects and defend against this attack by verifying that the source IP address and source MAC address of the received message are consistent with one another, that is, that the gateway's IP address arrives from the MAC address resolved for the gateway.
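The two checks just described, as an added example written for this page (not code from the paper or from Qualcomm or HiSilicon): it builds Ethernet/IPv4/ICMP Redirect frames with the standard header layouts and applies the AP-side rule (drop a redirect arriving from the client side whose source IP is the AP's own address) and the supplicant-side rule (accept a redirect only if its source IP is the gateway and its source MAC is the MAC resolved for that gateway). The IP and MAC addresses and the victim and attacker roles are constructed.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_ICMP = 1
ICMP_REDIRECT = 5          # ICMP type 5 = Redirect
ICMP_REDIRECT_HOST = 1     # code 1 = redirect datagrams for the host

# Constructed topology: what the supplicant learned from DHCP and ARP.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = bytes.fromhex("02ab00000001")
VICTIM_IP = "192.168.1.50"
VICTIM_MAC = bytes.fromhex("02ab00000050")
ATTACKER_IP = "192.168.1.99"
ATTACKER_MAC = bytes.fromhex("02ab00000099")


def build_redirect_frame(src_mac, dst_mac, src_ip, dst_ip, new_gateway):
    """Ethernet + IPv4 + ICMP Redirect. Checksums are left zero because the
    checks below never consult them; the 28 trailing bytes stand in for the
    original datagram header that a real redirect echoes back."""
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, ICMP_REDIRECT_HOST, 0,
                       ipaddress.ip_address(new_gateway).packed) + b"\x00" * 28
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IPPROTO_ICMP, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return dst_mac + src_mac + ETHERTYPE_IPV4 + ip + icmp


def parse_redirect(frame):
    """Return the fields the checks need, or None if this is not an ICMP Redirect."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    src_mac = frame[6:12]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_ICMP or len(ip) < ihl + 8:
        return None
    icmp = ip[ihl:]
    if icmp[0] != ICMP_REDIRECT:
        return None
    return {
        "src_mac": src_mac,
        "src_ip": str(ipaddress.ip_address(ip[12:16])),
        "dst_ip": str(ipaddress.ip_address(ip[16:20])),
        "new_gateway": str(ipaddress.ip_address(icmp[4:8])),
    }


def supplicant_verdict(frame, gateway_ip, gateway_mac):
    """Client-side check (the paper's second mitigation): accept a redirect only
    when the IP source is our gateway AND the Ethernet source is the MAC we
    resolved for that gateway. Spoofing the IP alone, which is what the attack
    does, fails the MAC comparison."""
    r = parse_redirect(frame)
    if r is None:
        return "not-a-redirect"
    if r["src_ip"] != gateway_ip:
        return "reject-ip-not-gateway"
    if r["src_mac"] != gateway_mac:
        return "reject-mac-mismatch"
    return "accept"


def ap_forwards_from_client(frame, ap_ip):
    """AP-side check (the paper's first mitigation), applied to frames arriving
    from the wireless client side: a redirect that claims the AP's own IP as its
    source can only have been forged, so drop it before the NPU forwards it."""
    r = parse_redirect(frame)
    if r is not None and r["src_ip"] == ap_ip:
        return False
    return True


def demo():
    """The attack frame, a genuine redirect, and a redirect sent under the attacker's own IP."""
    spoofed = build_redirect_frame(ATTACKER_MAC, VICTIM_MAC, GATEWAY_IP, VICTIM_IP, ATTACKER_IP)
    legit = build_redirect_frame(GATEWAY_MAC, VICTIM_MAC, GATEWAY_IP, VICTIM_IP, "192.168.1.2")
    own_ip = build_redirect_frame(ATTACKER_MAC, VICTIM_MAC, ATTACKER_IP, VICTIM_IP, ATTACKER_IP)
    return {
        "spoofed_at_ap": ap_forwards_from_client(spoofed, GATEWAY_IP),
        "spoofed_at_client": supplicant_verdict(spoofed, GATEWAY_IP, GATEWAY_MAC),
        "legit_at_client": supplicant_verdict(legit, GATEWAY_IP, GATEWAY_MAC),
        "own_ip_at_client": supplicant_verdict(own_ip, GATEWAY_IP, GATEWAY_MAC),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The supplicant-side idea has counterparts in mainstream operating systems. Linux, for instance, can be told to ignore ICMP redirects outright (net.ipv4.conf.all.accept_redirects = 0) or to accept them only from its configured gateways (net.ipv4.conf.all.secure_redirects = 1). Note that secure_redirects compares only the IP address, which this attack spoofs, so on a client that joins untrusted Wi-Fi disabling redirect acceptance entirely is the stronger setting.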
The widespread adoption of remote and hybrid working practices in recent years has brought numerous benefits to various industries, but has also introduced new cyber threats, particularly in the critical infrastructure sector.
These threats extend not only to IT networks but also to operational technology (OT) and cyber-physical systems, which can directly influence crucial physical processes.
In response to these risks, the US government reinforced critical infrastructure security by introducing the Cross-Sector Cybersecurity Performance Goals (CPGs) published by the US Cybersecurity and Infrastructure Security Agency (CISA).
Recently, CISA updated the CPGs to align with NIST's Cybersecurity Framework, organizing the goals under its five functions as a prioritized subset of IT and OT cybersecurity practices.
In this article, we will look in more detail at CISA's revamped CPGs and discuss the potential solutions available to help organizations achieve these critical goals.
CPG 1.0 Identify: Scoping out the vulnerabilities in the OT environment
CISA's first CPG is "Identify", which covers identifying vulnerabilities across the IT and OT asset inventory, establishing supply chain incident reporting and a vulnerability disclosure program, validating the effectiveness of third-party security controls across IT and OT networks, establishing OT security leadership, and mitigating known vulnerabilities. Critical infrastructure organizations must address every one of these sub-categories to achieve the first CPG.
Addressing these responsibilities requires a dynamic effort. Firstly, organizations must strengthen their IT and OT relationship by fostering more effective collaboration between the security teams of both departments. But, most importantly, IT and OT teams must come together to understand the potential cyber threats and risks of each environment and how it affects the other. To achieve the first CPG, it is critical that these departments are not kept in isolation but rather collaborate and communicate frequently.
At the same time, organizations must establish OT leadership by clearly identifying a single leader who is responsible and accountable for OT-specific cybersecurity. From there, organizations must create an asset inventory that clearly identifies and tracks all OT and IT assets across the entire ecosystem, and audit those assets regularly under their vulnerability management program. It's also critical to have an open, public, and easily accessible channel through which vendors, third parties, or employees can disclose any potential vulnerability in the OT and IT assets.
CPG 2.0 Protect: Safeguarding privileged access to OT assets
CISA's second CPG is "Protect", which emphasizes the account security aspects of OT assets. To achieve this goal, critical infrastructure organizations are required to strengthen their password policies, change default credentials across OT remote access systems, apply network segmentation to segregate OT and IT networks, and separate general user and privileged accounts.
Addressing all these aspects of account security can be a chore for most organizations, but they can turn to unified secure remote access (SRA) solutions that can extend multiple account-level security controls to OT remote users via enforcement of multi-factor authentication (MFA), least privilege policies, and role-based access. Such solutions can also support advanced credential policies to further reduce the risk of unauthorized access and denial of service attacks.
It's also important that organizations only leverage SRA solutions that are based on zero trust policies. This will help organizations establish effective network segmentation that eliminates direct, unfettered remote connectivity to OT assets, and continuously monitor personnel activity during all remote OT connections.
CPG 3.0 Detect: Awareness of critical threats and potential attack vectors across your OT environment
CISA's third CPG emphasizes the detection of relevant threats and knowledge of the potential attack vectors and TTPs (tactics, techniques, and procedures) that can compromise OT security and potentially disrupt critical services.
Detecting relevant threats and TTPs across OT assets and networks requires a proactive approach that combines advanced monitoring and analysis. Real-time monitoring solutions should be complemented with comprehensive network visibility, allowing for the swift detection of anomalies and unusual patterns.
A critical aspect of threat detection in OT environments, and of meeting the CPG, is the sharing of information and collaboration between the various stakeholders. Threat intelligence platforms play an essential role in gathering and disseminating information about current and emerging threats. By leveraging this data, organizations can stay ahead of potential risks, fine-tune their defenses, and ensure the safety and security of their OT assets. Additionally, conducting regular security assessments, penetration testing, and vulnerability scanning will help uncover weaknesses in the infrastructure, allowing for timely remediation and improved resilience against cyberattacks.
CPG 4.0 and 5.0: Respond and Recover
The final two of CISA's CPGs stress the importance of incident reporting and planning. Regardless of how robust your OT security practices are, cyber threats are almost inevitable in today's interconnected and increasingly remote networking era. So while proactive security solutions are necessary, some attacks will still get through, especially in a highly targeted sector like critical infrastructure.
Therefore, CISA stresses that organizations must have a comprehensive plan and process outlined for reporting security incidents and effectively recovering their affected systems or services upon a breach.
Advanced SRA solutions can help organizations to achieve these goals through automated recording of user activities and asset-related data, as well as creating automated backups of critical data. More specifically, they can log all user sessions, encrypt all user- and asset-related data, and retain logs of OT remote user activity. These measures help to ensure that critical information is stored in accordance with all relevant regulatory requirements and backup and recovery needs.
Conclusion
Overall, the vulnerabilities of ageing OT assets and siloed OT and IT networks have created a significant threat to critical infrastructure entities, which has been further exacerbated by the prevalence of remote access.
CISA's OT-specific goals and actions within the CPGs provide a much-needed set of guidelines for CNI organizations to strengthen their security posture and increase cyber resilience. By following CISA's recommendations and employing innovative security technologies, organizations can minimize the risk of cyberattacks affecting the physical world and public safety.
Integrating proprietary and open-source code, APIs, user interfaces, application behavior, and deployment workflows creates an intricate composition in modern applications. Any vulnerabilities within this software supply chain can jeopardize your and your customers' safety. In this Help Net Security video, Tim Mackey, Head of Software Supply Chain Risk Strategy at Synopsys, discusses supply chain security practices and approaches.
The research that was published in the German daily Handelsblatt said that customers of Tesla Inc. lodged over 2,400 complaints about difficulties with self-acceleration and 1,500 complaints regarding issues with brakes between the years of 2015 and March 2022.
According to reports, a large data dump based on a whistleblower's breach of internal Tesla documents suggests that problems with Tesla's autonomous driving system may be considerably more frequent than regulators and the media have indicated.
According to the information taken from Tesla's IT systems, complaints about these Full Self Driving (FSD) capabilities came from all over the globe, including the United States, Europe, and Asia.
In an article titled "My autopilot almost killed me," Handelsblatt reported receiving 100 terabytes of data and 23,000 files. Among them were 3,000 entries highlighting customers' safety concerns and accounts of more than 1,000 crashes.
The publisher included a note stating that the data includes the phone numbers of customers.
According to the hundreds of clients that Handelsblatt is claimed to have contacted, the fears were quite serious.
According to one man from Michigan, his Tesla "suddenly braked hard, as hard as you can imagine. When I was ordered to fasten my seatbelt, the vehicle was on the verge of coming to a complete halt. I was then struck by a second car."
The files were shown to the Fraunhofer Institute for Secure Information Technology by Handelsblatt. The institute concluded that there is no reason to presume that "the data set does not come from IT systems belonging to or in the environment of Tesla."
Employees are instructed that, unless lawyers are involved, they should not deliver written comments but rather convey them "VERBALLY to the customer."
The post quotes the instructions: "Do not copy and paste the report below into an email, text message, or leave it in a voicemail to the customer."
The report featured a doctor from California who said that her Tesla accelerated on its own in the autumn of 2021 and smashed into two concrete pillars. She noted that the company never sent emails and that everything was communicated verbally.
Tesla's attorneys demanded that the news organization provide a copy of the data to Tesla and destroy all other copies, and threatened legal action "for the theft of confidential and personal data."
According to reports, the alleged papers would undoubtedly be important to current wrongful death lawsuits made against Tesla. These claims assert that the companyâs technology has significant safety faults. Additionally, they may compel local, state, and federal authorities to take action.
The state's data protection officer, Dagmar Hartge, recognized the seriousness of the allegations and pointed out that, should the allegations prove to be accurate, the data breach would have significant repercussions on a worldwide scale. The situation has been sent to privacy advocates in the Netherlands so that additional investigation might be conducted.
"Tesla takes the protection of its proprietary and confidential information, as well as the privacy of its employees and customers, very seriously. We intend to initiate legal proceedings against this individual for his theft of Tesla's confidential information and employees' personal data," Tesla said in a statement reported by the publication.
The Chinese regulatory authorities have already started to take action. Approximately two weeks ago, Tesla was forced to provide an emergency software update for the majority of the automobiles it has sold in China as a direct result of problems with unexpected and sudden acceleration.
Since 2016, Musk has made many claims that his self-driving vehicles would be really autonomous, but he has not delivered on those claims.
The presence of each third-party application increases the potential for attacks, particularly when end users install them without proper oversight or approval. IT security teams face challenges in obtaining comprehensive knowledge about the apps connected to their corporate SaaS platforms, including their permissions and activities.
In this Help Net Security video, Matt Radolec, Senior Director, Incident Response and Cloud Operations at Varonis, offers advice for CISO-level executives to enhance the security of corporate cloud data.
Phishers are using encrypted restricted-permission messages (.rpmsg) attached in phishing emails to steal Microsoft 365 account credentials.
"[The campaigns] are low volume, targeted, and use trusted cloud services to send emails and host content (Microsoft and Adobe)," say Trustwave researchers Phil Hay and Rodel Mendrez. "The initial emails are sent from compromised Microsoft 365 accounts and appear to be targeted towards recipient addresses where the sender might be familiar."
Phishing emails with Microsoft Encrypted Restricted Permission Messages
The phishing emails are sent from a compromised Microsoft 365 account to individuals working in the billing department of the recipient company.
Phishing email with an encrypted restricted-permission message (Source: Trustwave)
The emails contain a .rpmsg (restricted permission message) attachment and a "Read the message" button with a long URL that leads to office365.com for message viewing.
To see the message, the victims are asked to sign in with their Microsoft 365 email account or to request a one-time passcode.
After using the received passcode, the victims are first shown a message with a fake SharePoint theme and are asked to click on a button to continue. They are then redirected to a document that looks like it's hosted on SharePoint but is actually hosted on Adobe's InDesign service.
They are again asked to click on a button to view the document, and are taken to a domain that looks like the one from the original sender (e.g., Talus Pay), featuring a progress bar.
In the background, the open source FingerprintJS library collects the user's system and browser information and, finally, the victim is shown a spoofed Microsoft 365 login page and is asked to sign in with their credentials.
Hiding from security solutions
"The use of encrypted .rpmsg messages means that the phishing content of the message, including the URL links, are hidden from email scanning gateways. The only URL link in the body of the message points to a Microsoft Encryption service," Hay and Mendrez noted.
"The only clue that something might be amiss is that the URL has a specified sender address (chambless-math.com) unrelated to the From: address of the email. The link was likely generated from yet another compromised Microsoft account."
They advise organizations to:
Block, flag or manually inspect .rpmsg attachments
Monitor incoming email streams for emails originating from MicrosoftOffice365@messaging.microsoft.com and having the subject line "Your one-time passcode to view the message"
Educate users about the consequences of decrypting or unlocking content from unsolicited emails
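The detection advice above, as an added example written for this page (not Trustwave's tooling): a gateway-side triage function over a parsed message that flags .rpmsg attachments, records the one-time passcode notification the researchers say to monitor, and compares the domain of any e-mail address embedded in the "Read the message" link against the From: domain. The sample messages are constructed, and the name of the query parameter that carries the "specified sender address" is an assumption (the article names the address, not the parameter), so the check URL-decodes the whole link and looks for any e-mail-shaped token rather than one fixed parameter.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import unquote

# Values named in the article.
OTP_SENDER = "MicrosoftOffice365@messaging.microsoft.com"
OTP_SUBJECT = "Your one-time passcode to view the message"

URL_RE = re.compile(r"https?://[^\s<>\"']+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def build_phish_sample():
    """Constructed message modelled on the campaign: compromised-tenant sender,
    .rpmsg attachment, and a viewing link whose embedded sender address belongs
    to a third, unrelated domain. The URL path and the 'sender=' parameter name
    are assumptions for the example."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <ap@compromised-tenant.example>"
    msg["To"] = "billing@target.example"
    msg["Subject"] = "Remittance advice"
    msg.set_content(
        "You have received a protected message.\n"
        "Read the message: https://office365.com/encryption/view?"
        "sender=finance%40chambless-math.com&msg=constructed\n"
    )
    msg.add_attachment(b"\x00constructed-rpmsg-bytes", maintype="application",
                       subtype="x-microsoft-rpmsg-message", filename="message.rpmsg")
    return msg.as_bytes()


def build_otp_sample():
    """Constructed copy of the passcode notification the article says to monitor for."""
    msg = EmailMessage()
    msg["From"] = OTP_SENDER
    msg["To"] = "billing@target.example"
    msg["Subject"] = OTP_SUBJECT
    msg.set_content("Your one-time passcode is 123456 (constructed).\n")
    return msg.as_bytes()


def parse(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


def from_domain(msg):
    """Domain of the RFC 5322 From: address, lowercased."""
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()


def rpmsg_attachments(msg):
    """File names of attachments carrying a .rpmsg extension."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(".rpmsg")]


def body_text(msg):
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def link_sender_domains(text):
    """Domains of any e-mail addresses embedded in links (URL-decoded first)."""
    found = set()
    for url in URL_RE.findall(text):
        for m in EMAIL_RE.finditer(unquote(url)):
            found.add(m.group(1).lower())
    return found


def is_otp_notification(msg):
    return (parseaddr(str(msg["From"]))[1].lower() == OTP_SENDER.lower()
            and str(msg["Subject"]).strip() == OTP_SUBJECT)


def triage(raw):
    """Apply the three signals and return the flags plus a verdict."""
    msg = parse(raw)
    rpmsg = rpmsg_attachments(msg)
    sender = from_domain(msg)
    mismatched = sorted(d for d in link_sender_domains(body_text(msg)) if d != sender)
    otp = is_otp_notification(msg)
    if rpmsg and mismatched:
        verdict = "hold-for-review"
    elif rpmsg:
        verdict = "flag"
    elif otp:
        verdict = "log-otp-notification"
    else:
        verdict = "pass"
    return {"rpmsg": rpmsg, "mismatched_sender_domains": mismatched,
            "otp_notification": otp, "verdict": verdict}


if __name__ == "__main__":
    print(triage(build_phish_sample()))
    print(triage(build_otp_sample()))
```

The domain mismatch is deliberately a reason to hold and review rather than to block on its own: a legitimate protected-message notification can be relayed by a forwarding tenant, and the passcode e-mail from Microsoft is normal traffic whose value is as a correlation point, which is why the article says to monitor for it rather than drop it.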
Although iSpoof advertised openly for business on a non-darkweb site, reachable with a regular browser via a non-onion domain name, and even though using its services might technically have been legal in your country (if you're a lawyer, we'd love to hear your opinion on that issue once you've seen the historical website screenshots below), a UK court had no doubt that the iSpoof system was implemented with life-ruining, money-draining malfeasance in mind.
The siteâs kingpin, Tejay Fletcher, 35, of London, was given a prison sentence of well over a decade to reflect that fact.
Show any number you like
Until November 2022, when the domain was taken down after a seizure warrant was issued to US law enforcement, the siteâs main page looked something like this:
You can show any number you wish on call display, essentially faking your caller ID.
And an explanatory section further down the page made it pretty clear that the service wasn't merely there to enhance your own privacy, but to help you mislead the people you were calling:
Get the ability to change what someone sees on their caller ID display when they receive a phone call from you. They'll never know it was you! You can pick any number you want before you call. Your opposite will be thinking you're someone else. It's easy and works on every phone worldwide!
In case you were still in any doubt about how you could use iSpoof to help you rip off unsuspecting victims, here's the site's own marketing video, provided courtesy of the Metropolitan Police (better known as "the Met") in London, UK:
As you will see below, and in our previous coverage of this story, iSpoof users weren't actually anonymous at all.
More than 50,000 users of the service have been identified already, with close to 200 people already arrested and under investigation in the UK alone.
Chief Information Security Officers (CISOs) hold a critical and challenging role in today's rapidly evolving cybersecurity landscape. Here are the common security challenges CISOs face.
As organizations increasingly rely on technology to drive their operations, CISOs face complex security challenges that demand their expertise and strategic decision-making.
These challenges arise from the constant emergence of sophisticated cyber threats, the need to protect sensitive data, and the ever-evolving regulatory landscape.
The role of a CISO requires balancing proactive risk mitigation with the ability to respond swiftly to incidents and breaches.
This article will delve into the top challenges CISOs face, including protecting digital assets, managing security incidents, ensuring compliance, dealing with insider threats, and the relentless pursuit of cyber resilience.
By understanding these challenges, CISOs can develop robust cybersecurity strategies and lead their organizations toward a secure and resilient future.
Who is a CISO?
A Chief Information Security Officer (CISO) is a senior executive responsible for overseeing and administering an organization's information security plan.
A CISO's primary responsibility is safeguarding the confidentiality, availability, and integrity of an organization's information assets and systems.
They are accountable for creating and enforcing strategies, policies, and procedures to defend against cyber threats, protect sensitive data, and mitigate security risks.
CISOs play a crucial role in maintaining an organization's security posture by establishing and enforcing security standards, conducting risk assessments, and implementing appropriate security controls.
They collaborate with other executives, IT teams, and stakeholders to align security initiatives with business objectives and ensure that security measures are integrated into the organization's operations.
In addition to their technical expertise, CISOs often engage in risk management, incident response planning, security awareness training, and compliance with regulatory requirements.
They stay updated on the latest cybersecurity trends, threats, and technologies to address emerging risks and implement appropriate security measures effectively.
The role of a CISO has become increasingly important as cyber threats evolve in complexity and frequency.
CISOs are responsible for safeguarding the organization's sensitive information, maintaining the trust of customers and stakeholders, and ensuring business continuity in the face of cybersecurity challenges.
What are the Roles and Responsibilities of a CISO?
Developing and Implementing Information Security Strategy: The CISO is responsible for developing and implementing an overarching information security strategy aligned with the organization's business objectives. This includes setting security goals, defining security policies and procedures, and establishing risk management frameworks.
Leading the Security Team: The CISO manages and provides leadership to the security team, including hiring, training, and supervising security personnel. They ensure the team has the necessary skills, resources, and support to carry out their responsibilities effectively.
Overseeing Security Operations: The CISO oversees day-to-day security operations, including incident response, vulnerability management, threat intelligence, and security monitoring. They ensure appropriate controls, technologies, and processes are in place to protect the organization's assets.
Risk Management: The CISO is responsible for identifying and assessing security risks to the organization's information systems and assets. They develop and implement risk management strategies to safeguard critical data and systems, including risk mitigation, transfer, and acceptance.
Compliance and Regulatory Requirements: The CISO ensures that the organization complies with relevant security regulations, industry standards, and legal requirements. They stay updated on emerging regulations and ensure appropriate controls and processes are in place to meet compliance obligations.
Security Incident Response: The CISO leads the organization's response to security incidents, including data breaches, malware attacks, and other security breaches. They establish incident response plans, coordinate efforts, and collaborate with relevant stakeholders, such as legal, PR, and law enforcement agencies.
Security Awareness and Training: The CISO promotes a culture of security awareness throughout the organization. They develop and deliver security awareness programs and training initiatives to educate employees on security best practices and minimize human-related security risks.
Vendor and Third-Party Risk Management: The CISO assesses and manages security risks associated with third-party vendors and partners. They establish vendor security requirements, conduct due diligence, and monitor compliance with security standards and contractual obligations.
Security Governance and Reporting: The CISO provides regular reports and updates on the organization's security posture to executive management, board members, and other relevant stakeholders. They ensure that security metrics and key performance indicators (KPIs) are established to measure the effectiveness of security programs.
Incident Investigation and Forensics: In the event of security incidents, the CISO oversees the investigation and forensic analysis to identify the root cause, assess the impact, and prevent future occurrences. As required, they collaborate with internal and external resources, such as forensic experts and law enforcement agencies.
Security Challenges CISOs Face
CISOs face various common security challenges as they strive to protect their organizations' digital assets and information. Perimeter 81's guide helps CISOs prevent their network from being at risk. Some of the key challenges they encounter include:
Sophisticated Cyberattacks: CISOs must defend against increasingly sophisticated cyber threats, including advanced persistent threats (APTs), ransomware attacks, social engineering, and zero-day exploits. These attacks can bypass traditional security measures and require constant vigilance and adaptive security strategies.
Insider Threats: CISOs need to address the risks posed by insiders, including employees, contractors, or partners who have authorized access to systems and data. Insider threats can involve accidental data breaches, negligence, or malicious intent, requiring a balance between enabling productivity and implementing controls to prevent unauthorized access or data leakage.
Compliance and Regulatory Requirements: CISOs must ensure their organizations comply with industry-specific regulations, such as GDPR, HIPAA, PCI-DSS, or SOX, and evolving privacy laws. Navigating complex compliance requirements and maintaining a robust security posture to meet these standards can be a significant challenge.
Cloud Security: As organizations increasingly adopt cloud services and infrastructure, CISOs must address the unique security challenges associated with cloud computing. This includes securing data stored in the cloud, managing access controls, and ensuring the security of cloud service providers (CSPs) and their environments.
Security Skills Gap: CISOs often lack enough skilled cybersecurity professionals. The industry's rapid growth and evolving threat landscape have resulted in high demand for cybersecurity talent, making recruiting and retaining qualified professionals challenging.
Third-Party Risk: Organizations rely on third-party vendors and suppliers, introducing potential security risks. CISOs must assess the security posture of third parties, establish contractual security obligations, and monitor their adherence to security standards to mitigate the risk of breaches through these external connections.
Security Awareness and Training: Human error remains a significant factor in cybersecurity incidents. CISOs must promote a strong security culture, provide regular training and awareness programs, and educate employees about cybersecurity best practices to minimize the risk of social engineering, phishing attacks, and other user-related vulnerabilities.
Incident Response and Recovery: CISOs must develop and test robust incident response plans to manage and recover from security incidents effectively. This involves identifying and containing breaches, conducting forensic investigations, and implementing remediation measures to minimize the impact and prevent future incidents.
Emerging Technologies: Adopting technologies like the Internet of Things (IoT), artificial intelligence (AI), and blockchain introduces new security challenges. CISOs must understand the security implications of these technologies, assess risks, and implement appropriate controls to protect against potential vulnerabilities and attacks.
Budget and Resource Constraints: CISOs often face budget limitations and the need to prioritize security initiatives. Balancing the allocation of resources to address immediate security needs while investing in long-term security capabilities can be a significant challenge.
What are the Security Compliance CISO Should Follow
As a Chief Information Security Officer (CISO), there are several security compliance frameworks and regulations that you should consider following, depending on the nature of your organization and its operations. Here are some of the key security compliance frameworks and regulations:
General Data Protection Regulation (GDPR): If your organization deals with the personal data of individuals in the European Union (EU), GDPR sets requirements for the protection, processing, and transfer of personal data. It includes principles for data minimization, consent, data breach notification, and the rights of individuals.
Payment Card Industry Data Security Standard (PCI DSS): PCI DSS applies to organizations that handle credit card information. It sets requirements for securing payment card data, including network security, encryption, access controls, and regular vulnerability assessments.
Health Insurance Portability and Accountability Act (HIPAA): HIPAA applies to organizations in the healthcare industry that handle protected health information (PHI). It establishes requirements for the privacy and security of PHI, including access controls, encryption, risk assessments, and breach notification.
Sarbanes-Oxley Act (SOX): SOX applies to publicly traded companies in the United States. It sets requirements for financial reporting and establishes controls and processes to ensure the accuracy and integrity of financial statements. While not solely focused on security, it includes provisions for protecting financial data.
National Institute of Standards and Technology (NIST) Cybersecurity Framework: The NIST Cybersecurity Framework provides guidelines and best practices for managing cybersecurity risks. It covers risk assessment, security controls, incident response, and continuous monitoring.
ISO 27001: ISO 27001 is an international standard that provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It covers various aspects of information security, including risk management, access controls, incident management, and security awareness.
Federal Information Security Management Act (FISMA): FISMA applies to U.S. federal agencies and sets requirements for securing federal information and systems. It mandates risk assessments, security controls, incident response planning, and continuous monitoring.
Security Challenges CISOs Face to Manage Security Team
Managing a security team as a Chief Information Security Officer (CISO) requires effective leadership, communication, and coordination. Here are some key aspects to consider when managing a security team:
Establish Clear Roles and Responsibilities: Clearly define the roles and responsibilities of each team member to ensure everyone understands their specific duties and areas of expertise. This clarity helps streamline operations and avoid confusion.
Set Goals and Objectives: Define strategic goals and objectives for the security team aligned with the organization's overall security strategy. Communicate these goals to the team and regularly track progress to ensure everyone is working towards the same objectives.
Provide Guidance and Mentorship: Offer team members guidance, mentorship, and professional development opportunities. Encourage skill development, certifications, and staying up-to-date with the latest security trends and technologies, and support team members in their career growth.
Foster Collaboration and Communication: Promote a collaborative and open communication culture within the team. Encourage knowledge sharing, cross-functional collaboration, and effective communication channels. Regular team meetings, brainstorming sessions, and updates are valuable for aligning efforts.
Support Decision-Making: Empower team members to make decisions within their areas of responsibility. Provide guidance and support when needed, but encourage autonomy and ownership in decision-making. Foster an environment where team members feel comfortable taking calculated risks.
Establish Incident Response Procedures: Develop clear incident response procedures and ensure the team is well-prepared to handle security incidents effectively. Conduct regular drills, tabletop exercises, and simulations to test and improve the team's incident response capabilities.
Stay Informed and Adapt: Stay up-to-date with the latest security threats, industry trends, and best practices. Encourage continuous learning and professional development for the team. Adapt security strategies and measures as the threat landscape evolves.
Collaborate with Other Departments: Work closely with other departments, such as IT, legal, HR, and executive management, to ensure security initiatives are aligned with business objectives and integrated into overall organizational operations. Build relationships and foster a culture of security awareness throughout the organization.
Regularly Evaluate and Improve: Regularly evaluate the team's performance, processes, and procedures. Collect feedback from team members and stakeholders to identify areas for improvement. Implement changes and adjustments as necessary to enhance the team's effectiveness and efficiency.
Lead by Example: Demonstrate strong leadership skills, integrity, and a commitment to security best practices. Lead by example in adhering to security policies and procedures. Encourage a positive and supportive work environment.
Final Thoughts
CISOs face many common security challenges as protectors of their organization's digital assets and information.
From sophisticated cyberattacks and insider threats to compliance requirements and resource constraints, these challenges highlight the complex and evolving nature of the cybersecurity landscape.
CISOs must navigate these challenges by adopting a proactive and strategic approach to security, leveraging advanced technologies, fostering a strong security culture, and collaborating with stakeholders.
To overcome these challenges, CISOs must stay abreast of emerging threats, continuously evaluate and improve their security measures, and prioritize investments in critical security capabilities.
They must also foster strong partnerships with internal teams, third-party vendors, and industry peers to collectively address security challenges and share best practices.
While the security challenges CISOs face may seem daunting, they also present opportunities for innovation and growth.
By effectively addressing these challenges, CISOs can enhance their organizations' security posture, safeguard critical assets, and instill confidence in customers and stakeholders.
Ultimately, the role of a CISO requires a comprehensive and adaptable approach to cybersecurity, where staying one step ahead of threats and continuously improving security measures are paramount.
By embracing these challenges, CISOs can help shape a secure and resilient future for their organizations in an increasingly interconnected and threat-filled digital landscape.
In the wake of the ex-Uber CISO verdict, CISOs ask for clearer rules and less uncertainty in managing disclosures, amid jail-time fears.
Getting cybersecurity incident disclosure right can mean the difference between prison and freedom. But the rules remain woefully vague.
Chief information security officers (CISOs) and their teams know there’s a certain amount of risk intrinsically baked into the job. But the recent sentencing of former Uber CISO Joseph Sullivan for his role in covering up a 2016 data breach at the company has significantly upped the ante.
SolarWinds CISO Tim Brown survived one of the most spectacular security breaches in history in 2020, an epic supply chain attack, and emerged on the other side with the business, and his professional reputation, intact. In an interview with Dark Reading, he explained that CISOs are asking for clarity on rules around disclosures. The Federal Trade Commission (FTC) has rules, and beyond that there is a vast and evolving mousetrap of rules, regulations, executive orders, and case law dictating how and when disclosures need to occur, and that's before anyone considers the impact of an incident on the business.
“Liability is something that has CISOs concerned,” Brown says. “It’s a concerning time and creates stress and angst for teams. We want to be covered.”
A court found Uber’s Sullivan guilty of working to cover up the breach from FTC investigators, as well as trying to keep the breach secret from other Uber executives. Brown acknowledges that Sullivan made the mistake, in the view of the court, of trying to make disclosure decisions unilaterally, without legal guidance, which left him open to prosecution.
Sarbanes-Oxley Act for CISOs?
To avoid making such mistakes, CISOs need something in the mold of the 2002 Sarbanes-Oxley Act, which details financial reporting regulations for chief financial officers (CFOs), Brown says.
In the same way Sarbanes-Oxley prescribes steps that CFOs are expected to take to prevent financial fraud, Brown says that he would like to see new federal regulations that outline CISO requirements for preventing and responding to cybercrime on their watch.
The stakes are high: While Sullivan was only sentenced to three years’ probation for his role in attempting to bury Uber’s data breach, Judge William Orrick used Sullivan’s hearing as an opportunity to send a chilling warning to the next CISO unfortunate enough to find themselves in his court.
“If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison,” Judge Orrick said to Sullivan. “When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off.”
Disclosure Maze
The litany of hazy rules and emerging guidelines doesn’t provide CISOs and cybersecurity teams with a clear path to compliance, meaning in-house counsel and outside legal advisers have become essential in helping organizations navigate the disclosure process maze.
“Enterprise security teams do not exist in a vacuum when it comes to evaluating disclosure of data breaches and security incidents,” says Melissa Bischoping, director of endpoint security research at Tanium, on the current disclosure landscape. “Their responses must be coordinated with legal and communications stakeholders to ensure they are meeting regulatory and legal requirements, and providing the appropriate level of information to the right consumers of the information.”
Beth Waller, an attorney and chair of cybersecurity and data privacy at Woods Rogers Vandeventer Black, says oversight bodies as well as consumers are driving cybersecurity incident transparency and shrinking the acceptable disclosure windows.
Waller points to a grab bag of regulations pushing disclosures, such as the Security and Exchange Commission’s demand for immediate data incident disclosure for publicly traded companies, as well as federal regulations on sectors like banking, healthcare, and critical infrastructure demanding disclosures within days of its discovery. Department of Defense contractors must notify the DoD of an incident within 72 hours, she points out.
“For international companies, regulations like the Europe’s General Data Protection Regulation (GDPR) drive similar timelines,” Waller says. “More and more, a company that wants to keep a data incident quiet cannot do so from a regulatory or legal standpoint.”
Disclosure Dangers
As pressure mounts on enterprise cybersecurity teams to disclose quickly, Dave Gerry, CEO of Bugcrowd, acknowledges the value of transparency for trust and the flow of information, but explains he is also concerned that rapid disclosure could rob security teams of priceless time to respond properly to cyberattacks.
“Incident disclosure needs to allow for the opportunity for the security organization to rapidly patch systems, fix code-level vulnerabilities, eject attackers, and generally mitigate their systems prior to publicly disclosing details, to ensure additional security incidents don't come as a result of the disclosure,” Gerry adds. “Identifying the root cause and magnitude of the incident to avoid adding additional fear and confusion to the situation takes time, which is an additional consideration.”
Data ‘Duty of Care’ Defined
Making things more confusing, US state attorneys general are pushing for tougher regulations around cybersecurity incident disclosures, leaving each state with its own unique disclosure landscape riddled with broad, ill-defined requirements like taking “reasonable” actions to protect data.
Veteran CISO and VMware cyber strategist Karen Worstell notes that Colorado AG Philip Weiser took an important step toward clarifying CISO obligations last January, when he offered a definition of “Duty of Care” rules under the Colorado Privacy Act requiring reasonable action be taken to protect personal data.
According to Weiser, the definition was informed by actual cases that have come through his office, meaning it reflected how prosecutors viewed specific data breaches under their jurisdiction.
“First, we will evaluate whether a company has identified the types of data it collects and has established a system for storing and managing that data, including ensuring it regularly disposes of data it no longer needs,” Weiser said in prepared remarks regarding data breach rules. “Second, we will consider whether a company has a written information security policy. For companies that have no such policies or have ones that are outdated or exist only in theory with no attempt to train employees or comply with the policy, we will view more skeptically claims that their conduct is reasonable.”
Waller applauds Weiser’s move to clarify disclosure rules in his state. In Colorado, as well as Virginia, the attorney general has the sole authority to hold someone liable for breaking state privacy laws.
“Colorado Attorney General Weiser's comments provide helpful background on the security considerations state attorneys general will consider in looking at bringing violations under these new data privacy laws,” Waller says.
Despite such strides forward, for now the rules still leave plenty of room for enterprise cybersecurity teams to get it wrong.
“The current emerging cacophony of new state privacy regulations, coupled with a hodgepodge of state data breach laws, means that we can hope a federal privacy law would eventually address the need for uniform guidance for entities experiencing a data breach,” Waller says.
“In the absence of federal guidance, the legal landscape remains simply complex,” Waller adds.
The slow churning of courts, regulatory bodies, and legislatures means it’s going to take time for all parties to get on the same page. But SolarWinds’ Brown expects more standardized rules for CISOs and their organizations to likely emerge over the next five or so years. In the meantime, he suggests keeping legal teams closely involved in all cyber incident responses.
“It will be evolving, and we will get crisper,” Brown says. “I'm hopeful.”
CERT-UA has identified and addressed a cyber attack on the government information systems of Ukrainian governmental state bodies.
The investigation found that the department's email address received messages on April 18, 2023, and April 20, 2023, appearing to originate from the genuine email account of the Embassy of Tajikistan in Ukraine.
Weaponized DOCX File
The embassy account is suspected to have been compromised. The first email carried a document containing a macro as an attachment; the second referred to the same document.
When the document is downloaded and its macro is enabled, it creates and opens a DOCX file called “SvcRestartTaskLogon” with a macro that in turn generates another file carrying the “WsSwapAssessmentTask” macro.
It also drops a “SoftwareProtectionPlatform” file, classified as HATVIBE, which can load and execute additional files.
During the course of technical investigation, it was documented that on April 25, 2023, supplementary programs were generated on the computer, possibly facilitated by HATVIBE, under uncertain circumstances.
The additional programs generated on the computer were:
LOGPIE keylogger
CHERRYSPY backdoor
The files are written in Python and protected with PyArmor, while the “pytransform” module, which provides encryption and code obfuscation, is further protected with Themida.
The STILLARCH malware is employed for searching and exfiltrating files, including data from the LOGPIE keylogger, with file extensions such as:-
.~tmp
.doc
Further analysis of the infrastructure and associated data determined that the group's targets include organizations in various countries; its espionage activity is tracked under the code name UAC-0063 and has been monitored since 2021.
To reduce the attack surface, it is advisable to restrict user accounts from executing “mshta.exe,” Windows Script Host (“wscript.exe,” “cscript.exe”), and the Python interpreter.
The vulnerability (CVE-2023-21492) affects Samsung mobile devices running Android 11, Android 12, and Android 13. It results from the accidental inclusion of sensitive data in log files.
CISA has recently issued a warning on a security flaw that affects Samsung devices and allows attackers to bypass Android's address space layout randomization (ASLR) protection in targeted attacks.
Android's ASLR, a fundamental component of its security architecture, randomizes the memory locations at which key app and operating system components are loaded. The information leaked into log files can be used by local attackers with elevated privileges to bypass ASLR, which in turn makes memory-corruption weaknesses easier to exploit. Samsung addressed the issue in its most recent security updates by adding safeguards that prevent kernel pointers from being written to logs, as part of a broader effort to introduce new security measures.
According to the advice that was included in the May 2023 Security Maintenance Release (SMR), Samsung has admitted that it was notified of an attack that targets this specific flaw that is now active in the wild.
Although Samsung did not provide any specific details about the exploitation of CVE-2023-21492, it is worth keeping in mind that in highly targeted cyberattacks, such vulnerabilities are regularly exploited as one link in a sophisticated exploit chain.
Security researchers at Google's Threat Analysis Group (TAG) and Amnesty International discovered and reported on two separate attack campaigns in March; those attacks used exploit chains targeting such vulnerabilities to deploy commercially driven spyware. Following the recent addition of CVE-2023-21492 to CISA's list of Known Exploited Vulnerabilities, United States Federal Civilian Executive Branch (FCEB) agencies have been given a three-week window, until June 9, to patch their Samsung Android devices against attacks exploiting this flaw.
In accordance with BOD 22-01, federal agencies have until the June 9, 2023 deadline to fix any vulnerabilities added to CISA's KEV list.
Insider attacks often catch organizations by surprise because they're tricky to spot.
Banking on reactive solutions like antivirus software or a patch management solution to avoid such attacks is not wise.
Understanding what contributes to the increasing number of insider threats and addressing these factors is the only way to secure your enterprise against such attacks.
An insider attack is often defined as an exploit by malicious intruders within an organization.
This type of attack usually targets insecure data. Insider threats might lurk within any company; in some industries, they can account for more than 70% of cyberattacks.
More often than not, insider attacks are neglected. Perhaps this is why they have been on a constant rise.
A survey by CA Technologies in 2018 found that about 90% of organizations feel vulnerable to insider attacks.
Organizations also feel that the data most vulnerable to insider attacks is sensitive personal information (49%), intellectual property (32%), employee data (31%), and privileged account information (52%).
Many insider attacks are associated with excessive access privileges. While it might be unpleasant or inconvenient not to trust employees, organizations must be vigilant.
This can be accomplished by monitoring possible sources of cyberattacks. A big problem is that many companies are unaware of how to identify and combat insider threats.
Questions then arise: Where can you find the best network security tools to gain more knowledge on combating insider attacks? What security standards should you follow to stay within your industry's security compliance requirements and protect your digital assets better? How do you differentiate between a malicious insider and a non-malicious one?
Insider Threat Warnings That You Should Look Out For
Here are some tell-tale signs you can monitor to avoid an insider attack. Be on the lookout for anyone who:
Downloads large amounts of data on personal portable devices or attempts to access data they don't normally use for their day-to-day work.
Requests network or data access to resources not required for their job, or searches for and tries to access confidential data.
Emails sensitive information to a personal email account or people outside your organization.
Accesses the network and corporate data outside of regular work hours.
Exhibits negative attitudes or behaviors, for instance a disgruntled employee leaving the organization.
Ignores security awareness best practices, such as locking screens, not using USBs or external drives, not sharing passwords and user accounts, or does not take cyber threats seriously.
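The warning signs listed above are the kind of thing a SOC turns into detection rules. The following is an added illustration (not from the original article): a small Python detector that scores constructed sample events against four of the signs (off-hours access, access outside the user's role, bulk copies to removable media, and email to external addresses). The corporate domain, the role-to-resource map and the 500 MB/day threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

CORP_DOMAIN = "example.com"               # assumed internal mail domain
BULK_COPY_BYTES = 500 * 1024 * 1024       # assumed per-day threshold for removable media
WORK_HOURS = range(8, 19)                 # assumed 08:00-18:59 local time, Mon-Fri

# Hypothetical role-to-resource map: what each role legitimately needs.
ROLE_RESOURCES = {
    "sales": {"crm", "marketing-share"},
    "finance": {"erp", "finance-share"},
    "it-admin": {"erp", "crm", "finance-share", "marketing-share", "ad"},
}

# Constructed sample events (not real logs); a real feed would come from
# EDR, DLP and mail gateway logs. 2023-05-15 is a Monday, 2023-05-13 a Saturday.
MB = 1024 * 1024
EVENTS = [
    {"ts": "2023-05-15 10:12:00", "user": "alice", "role": "sales", "action": "access", "resource": "crm"},
    {"ts": "2023-05-15 23:40:00", "user": "bob", "role": "finance", "action": "access", "resource": "finance-share"},
    {"ts": "2023-05-15 14:05:00", "user": "carol", "role": "sales", "action": "access", "resource": "finance-share"},
    {"ts": "2023-05-15 14:10:00", "user": "carol", "role": "sales", "action": "copy_removable", "bytes": 300 * MB},
    {"ts": "2023-05-15 14:30:00", "user": "carol", "role": "sales", "action": "copy_removable", "bytes": 400 * MB},
    {"ts": "2023-05-15 15:00:00", "user": "carol", "role": "sales", "action": "email", "recipient": "carol.personal@gmail.example"},
    {"ts": "2023-05-15 11:00:00", "user": "dave", "role": "it-admin", "action": "email", "recipient": "helpdesk@example.com"},
    {"ts": "2023-05-13 09:00:00", "user": "alice", "role": "sales", "action": "access", "resource": "crm"},
]


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or outside the assumed working-hours window."""
    return ts.weekday() >= 5 or ts.hour not in WORK_HOURS


def analyze(events):
    """Return a sorted list of (user, signal, detail) findings."""
    findings = set()
    removable_bytes = defaultdict(int)  # (user, date) -> bytes copied to removable media
    for e in events:
        ts = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        user, action = e["user"], e["action"]
        # Sign: accesses the network and corporate data outside regular work hours
        if action in ("access", "copy_removable") and is_off_hours(ts):
            findings.add((user, "off_hours_access", e["ts"]))
        if action == "access":
            # Sign: requests data or resources not required for the job
            if e["resource"] not in ROLE_RESOURCES.get(e["role"], set()):
                findings.add((user, "out_of_role_access", e["resource"]))
        elif action == "copy_removable":
            # Sign: downloads large amounts of data to personal portable devices
            removable_bytes[(user, ts.date().isoformat())] += e["bytes"]
        elif action == "email":
            # Sign: emails sensitive information outside the organization
            domain = e["recipient"].rsplit("@", 1)[-1].lower()
            if domain != CORP_DOMAIN:
                findings.add((user, "external_email", e["recipient"]))
    for (user, day), total in removable_bytes.items():
        if total > BULK_COPY_BYTES:
            findings.add((user, "bulk_removable_copy", f"{day}:{total // MB}MB"))
    return sorted(findings)


def users_by_signal_count(findings):
    """How many distinct warning signs each user triggered; several at once is the strongest cue."""
    signals = defaultdict(set)
    for user, signal, _ in findings:
        signals[user].add(signal)
    return {user: len(s) for user, s in signals.items()}


if __name__ == "__main__":
    found = analyze(EVENTS)
    for user, signal, detail in found:
        print(f"{user:6} {signal:22} {detail}")
    print(users_by_signal_count(found))
```

Any single signal is weak on its own (bob's late-night access may simply be month-end close); the value is in a user such as carol tripping several at once, which is what `users_by_signal_count` surfaces for analyst review.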
Once you have started monitoring, you can implement security measures to prevent attacks from occurring. We've put together a short list of solutions for curbing insider threats.
1. Zero Trust
Zero Trust, a new cybersecurity buzzword, is a holistic approach for tightening network security by identifying and granting access, or “trust”.
No specific tool or software is associated with this approach, but organizations must follow certain principles to stay secure.
Adding more users, applications, and servers, and embracing various IoT devices, expands your network perimeter.
How do you exert control and reduce your overall attack surface in such cases?
How can you ensure that the right access is granted to each user?
IT security at some organizations reflects the age-old castle-and-moat defense mentality that everything inside an organization's perimeter should be trusted while everything outside should not.
This concept focuses on trust too much and tends to forget that we might know little about the intentions of those we deem “insiders.”
The remedy is Zero Trust, which revokes excessive access privileges of users and devices without proper identity authentication.
By implementing Zero Trust, you can:
Understand your organizationâs access needs.
Decrease risk by monitoring device and user traffic.
Lower the potential for a breach.
Profoundly increase your businessâs agility.
2. Privileged access management
Privileged access management (PAM) means extending access rights to trusted individuals within an organization.
A privileged user has administrative access to critical systems and applications.
For example, if an IT admin can copy files from your PC to a memory stick, they are said to be privileged to access sensitive data within your network.
This also applies to accessing data via physical devices, logging in, and using different applications and accounts associated with the organization.
A privileged user with malicious intent might hijack files and demand your organization pay a ransom.
PAM takes some effort, but you can start simple. For instance, you can remove an employee's access to the data associated with their previous role.
Consider an employee moving from finance to sales. In this case, the rights to access critical financial data must be revoked because we do not want to risk the organization's financial security.
By implementing PAM, you can:
Make dealing with third-party devices and users safer and more accessible.
Protect your password and other sensitive credentials from falling into the wrong hands.
Eliminate excess devices and users with access to sensitive data.
Manage emergency access if and when required.
3. Mandatory Security Training for Existing & New Employees
Not all insider attacks are intentional; some happen because of negligence or lack of awareness.
Organizations should make it mandatory for all their employees to undergo basic security and privacy awareness training sessions regularly.
Employees can also be quizzed on these sessions to make the training more effective.
Ensuring employees are acquainted with the cost consequences that negligence can cause the organization can help prevent unintentional insider threats significantly.
With so much to lose, it's a wonder more companies aren't taking steps to reduce their chance of suffering from an insider attack.
As mentioned earlier, no particular software or tool is behind the security approaches mentioned above.
Rather, your organization must address these aspects while developing a homegrown security solution or utilizing a similar service or product from a vendor.
By doing so, you can protect your organization from bad actors within or outside of your organization.
However, to specifically tackle the threat posed by insiders who regularly misuse their access credentials or bring malicious plug-and-play devices to work, we recommend looking into other security protocols, such as identity and access management and user behavior analytics, to prevent internal security mishaps.
Predicting Insider Attacks: Using Machine Learning & Artificial Intelligence Algorithms