CISO Corner: What Cyber Labor Shortage?; SEC Deadlines

CISO Corner: What Cyber Labor Shortage?; SEC Deadlines

Welcome to CISO Corner, Dark Reading’s weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we’ll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We’re committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

In this issue of CISO Corner:

  • CISOs & Their Companies Struggle to Comply with SEC Disclosure Rules

  • Podcast: Dark Reading Confidential: The CISO & the SEC

  • Top 5 Most Dangerous Cyber Threats in 2024

  • DR Global: Singapore Cybersecurity Update Puts Cloud Providers on Notice

  • There Is No Cyber Labor Shortage

  • Is CISA’s Secure by Design Pledge Toothless?

CISOs & Their Companies Struggle to Comply with SEC Disclosure Rules

By Rob Lemos, Contributing Writer, Dark Reading

Most companies still can’t determine whether a breach is material within the four days mandated by the SEC, skewing incident response.

Companies could face millions of dollars in fines if they fail to notify the SEC of a material breach. But, overall, 68% of cybersecurity teams do not believe that their company could comply with the four-day disclosure rule, according to a survey published on May 16 by cloud security firm VikingCloud.

The largest public companies already have disclosure committees to determine whether a variety of events — from severe weather to economic changes and geopolitical unrest — might have a material impact. But while larger companies have focused on the issue for over a year — even before the rule was finalized — smaller companies have had a more difficult road, says Matt Gorham, leader of the Cyber and Privacy Innovation Institute at consultancy PricewaterhouseCoopers. Companies need to focus on creating a documented process and saving contemporaneous evidence as they work through that process for each incident.

“There’s a great disparity from one company to the other … and between incidents,” he says. “Initially, you may have decided that [the breach] may not be material at that point in time, but you’re going to have to continue to assess the damage and see if it’s risen to the level of materiality.”

Read more: CISOs & Their Companies Struggle to Comply with SEC Disclosure Rules

Related: Anatomy of a Data Breach: What to Do If It Happens to You, a free Dark Reading virtual event scheduled for June 20. Verizon’s Alex Pinto will deliver a keynote, “Up Close: Real-World Data Breaches,” that details DBIR findings and more.

Podcast: Dark Reading Confidential: The CISO & the SEC

Hosted by Dark Reading’s Becky Bracken, Sr. Editor, and Kelly Jackson Higgins, Editor-in-Chief

Episode 1 of Dark Reading Confidential brings Frederick “Flee” Lee, CISO of Reddit; Beth Burgin Waller, a practicing cyber attorney who represents many CISOs; and Ben Lee, Chief Legal Officer of Reddit, to the table.

It’s a brand new podcast from the editors of Dark Reading, where we are going to focus on bringing you real-world stories straight from the cyber trenches. The first episode dives into the increasingly complicated relationship between the Securities and Exchange Commission (SEC) and the role of the chief information security officer (CISO) within publicly traded companies.

In the wake of Uber’s Joe Sullivan and the SolarWinds executives being found liable for breaches, CISOs now face a dual challenge of properly interpreting what the SEC means by its new rules for cyber incidents, as well as their own personal liability.

Read more: Dark Reading Confidential: The CISO and the SEC (transcript available)

Related: Ex-Uber CISO Advocates ‘Personal Incident Response Plan’ for Security Execs

Top 5 Most Dangerous Cyber Threats in 2024

By Ericka Chickowski, Contributing Writer, Dark Reading

SANS Institute experts weigh in on the top threat vectors faced by enterprises and the public at large.

Only five months into 2024, and the year has been a busy one for cybersecurity practitioners. But what’s ahead for the rest of year? According to the SANS Technology Institute, there are five top threats flagged by SANS experts that enterprises should be worried about.

1. Security Impact of Technical Debt: The security cracks left behind by technical debt may not sound like a pressing new threat, but according to Dr. Johannes Ullrich, dean of research for SANS Technology Institute, the enterprise software stack is at an inflection point for cascading problems.

2. Synthetic Identity in the AI Age: Fake videos and fake audio are being used to impersonate people, Ullrich said, and they will foil many of the biometric authentication methods that have gained steam over the last decade. “The game changer today is not the quality of these impersonations,” he said. “The game changer is cost. It has become cheap to do this.”

3. Sextortion: According to Heather Mahalik Barnhart, a SANS faculty fellow and senior director of community engagement at Cellebrite, criminals are increasingly extorting online denizens with sexual pictures or videos, threatening that they’ll release them if the victim doesn’t do what they ask. And in the era of highly convincing AI-generated images, those pictures or videos don’t even need to be real to do damage. It’s a problem that’s “running rampant,” she said.

4. GenAI Election Threats: Fake media manipulation and other generative AI-generated election threats will be ever present across all of the major platforms, warned Terrence Williams, a SANS instructor and security engineer for AWS. “You can thank 2024 for giving us the blessing of GenAI plus an election,” he said. “You know how well we handle those things, so we need to understand what we’re coming up against right now.”

5. Offensive AI as Threat Multiplier: According to Stephen Sims, a SANS fellow and longtime offensive security researcher, as GenAI grows more sophisticated, even the most nontechnical cyberattackers now have a more flexible arsenal of tools at their fingertips to quickly get malicious campaigns up and running.

“The speed at which we can now discover vulnerabilities and weaponize them is extremely fast, and it’s getting faster,” Sims said.

Read more: Top 5 Most Dangerous Cyber Threats in 2024

Related: Why Criminals Like AI for Synthetic Identity Fraud

3 Tips for Becoming the Champion of Your Organization’s AI Committee

Commentary by Matan Getz, CEO & Co-Founder, Aim Security

CISOs are now considered part of the organizational executive leadership and have both the responsibility and the opportunity to drive not just security but business success.

As organizations get a handle on how AI can benefit their specific offerings, and while they try to ascertain the risks inherent in AI adoption, many forward-thinking companies have already set up dedicated AI stakeholders within their organization to ensure they are well-prepared for this revolution.

Chief information security officers (CISOs) are the heart of this committee, and those ultimately responsible for implementing its recommendations. Therefore, understanding its priorities, tasks, and potential challenges is pivotal for CISOs who want to be business enablers instead of obstructors.

There are three fundamentals CISOs can use as a guide to being the pivotal asset in the AI committee and ensuring its success:

1. Begin with a comprehensive assessment: You can’t protect what you don’t know.

2. Implement a phased adoption approach: Implementing a phased adoption approach allows for security to escort adoption and assess real-time security implications of adoption. With gradual adoption, CISOs can embrace parallel security controls and measure their success.

3. Be the YES! guy — but with guardrails: To protect against threats, CISOs should set up content-based guardrails to define and then alert on prompts that are risky or malicious, or that violate compliance standards. New AI-focused security solutions may allow customers to also set up and define their own unique parameters of safe prompts.

Read more: 3 Tips for Becoming the Champion of Your Organization’s AI Committee

Related: US AI Experts Targeted in SugarGh0st RAT Campaign

Global: Singapore Cybersecurity Update Puts Cloud Providers on Notice

By Robert Lemos, Contributing Writer, Dark Reading

The nation amends its Cybersecurity Act, giving its primary cybersecurity agency more power to regulate critical infrastructure and third parties, and requiring cyber incidents be reported.

Lawmakers in Singapore updated the nation’s cybersecurity regulations on May 7, to take into account the impact of running critical infrastructure management systems on cloud infrastructure and the use of third-party providers by critical infrastructure operators, as well as a cyber threat landscape in Asia that is growing more dangerous.

Given that so many critical information infrastructure operators have outsourced some facets of their operations to third parties and cloud providers, new rules were needed to hold those service providers accountable, Janil Puthucheary, senior minister of state for the Singapore Ministry of Communications and Information, said in a speech before the country’s parliament.

“The 2018 Act was developed to regulate CII that were physical systems, but new technology and business models have emerged since,” he said. “Hence, we need to update the Act to allow us to better regulate CIIs so that they continue to be secure and resilient against cyber threats, whatever technology or business model they run on.”

Read more: Singapore Cybersecurity Update Puts Cloud Providers on Notice

Related: Singapore Sets High Bar in Cybersecurity Preparedness

There Is No Cyber Labor Shortage

Commentary by Rex Booth, CISO, SailPoint

There are plenty of valuable candidates on the market. Hiring managers are simply looking in the wrong places.

Hiring managers often are hesitant to hire candidates perceived as undercredentialed when they believe there must be a “perfect” candidate out there somewhere. But the truth is, a perfect candidate [a bachelor’s degree in cybersecurity, Security+ (CISSP preferred) training, and $30,000 worth of SANS courses] probably isn’t interested in a third-shift SOC position — which means hiring managers need to reevaluate where they look for new employees and which qualifications matter most.

By narrowing down candidate pools based on a small number of arbitrary qualifications, organizations and recruiters end up self-selecting candidates who are good at acquiring credentials and taking tests — neither of which necessarily correlate to long-term success in the cybersecurity field. Prioritizing this small pool of candidates also means overlooking the many, many candidates with analytical potential, technical promise, and professional dedication who may not have gotten the right degree or attended the right training course.

By tapping into these candidates, organizations will find that the “cyber labor shortage” that has received so much attention isn’t such a hard problem to solve, after all.

Read more: There Is No Cyber Labor Shortage

Related: Cybersecurity Is Becoming More Diverse … Except by Gender

Is CISA’s Secure by Design Pledge Toothless?

By Nate Nelson, Contributing Writer, Dark Reading

CISA’s agreement is voluntary and, frankly, basic. Signatories say that’s a good thing.

At 2024’s RSA Conference last week, brand names like Microsoft, Amazon Web Service (AWS), IBM, Fortinet, and more agreed to take steps toward meeting a set of seven objectives defined by the US’s premier cyber authority.

CISA’s Secure by Design pledge consists of areas of security improvement split into seven primary categories: multifactor authentication (MFA), default passwords, reducing entire classes of vulnerability, security patches, vulnerability disclosure policy, CVEs, and evidence of intrusions.

The pledge contains nothing revolutionary and has no teeth whatsoever (it’s voluntary and not legally binding). But for those involved, that’s all beside the point.

“While they may not have direct authority, I think that there is indirect authority by starting to define what the expectation is,” says Chris Henderson, senior director of threat operations at Huntress, one of the signees.

Read more: Is CISA’s Secure by Design Pledge Toothless?

Related: Patch Tuesday: Microsoft Windows DWM Zero-Day Poised for Mass Exploit

Source link

Intel Discloses Max Severity Bug in Its AI Model Compression Software

Intel Discloses Max Severity Bug in Its AI Model Compression Software

Intel has disclosed a maximum severity vulnerability in some versions of its Intel Neural Compressor software for AI model compression.

The bug, designated as CVE-2024-22476, provides an unauthenticated attacker with a way to execute arbitrary code on Intel systems running affected versions of the software. The vulnerability is the most serious among dozens of flaws the company disclosed in a set of 41 security advisories this week.

Improper Input Validation

Intel identified CVE-2024-22476 as stemming from improper input validation, or a failure to properly sanitize user input. The chip maker has given the vulnerability a maximum score of 10 on the CVSS scale because the flaw is remotely exploitable with low complexity and has a high impact on data confidentiality, integrity, and availability. An attacker does not require any special privileges, and neither is user interaction required for an exploit to work.

The vulnerability affects Intel Neural Compressor versions before 2.5.0. Intel has recommended that organizations using the software upgrade to version 2.5.0 or later. Intel’s advisory indicated that the company learned of the vulnerability from an external security researcher or entity whom the company did not identify.

Intel Neural Compressor is an open source Python library that helps compress and optimize deep learning models for tasks such as computer vision, natural language processing, recommendation systems, and a variety of other use cases. Techniques for compression include neural network pruning — or removing the least important parameters; reducing memory requirements via process call quantization; and distilling a larger model to a smaller one with similar performance. The goal with AI model compression technology is to help enable the deployment of AI applications on diverse hardware devices, including those with limited or constrained computational power, such as mobile devices.

One Among Many

CVE-2024-22476 is actually one of two vulnerabilities in Intel’s Neural Compressor software that it disclosed — and for which it released a fix — this week. The other is CVE-2024-21792, a time-of-check-time-of-use (TOCTOU) flaw that could result in information disclosure. Intel assessed the flaw at presenting only a moderate risk because, among other things, it requires an attacker to already have local, authenticated access to a vulnerable system to exploit it.

In addition to the Neural Compressor flaws, Intel also disclosed five high-severity privilege escalation vulnerabilities in its UEFI firmware for server products. Intel’s advisory listed all the vulnerabilities (CVE-2024-22382; CVE-2024-23487; CVE-2024-24981; CVE-2024-23980; and CVE-2024-22095) as input validation flaws, with severity scores ranging from 7.2 to 7.5 on the CVSS scale.

Emerging AI Vulnerabilities

The Neural Compressor vulnerabilities are examples of what security analysts have recently described as the expanding — but often overlooked — attack surface that AI software and tools are creating at enterprise organizations. A lot of the security concerns around AI software so far have centered on the risks in using large language models and LLM-enabled chatbots like ChatGPT. Over the past year, researchers have released numerous reports on the susceptibility of these tools to model manipulation, jailbreaking, and several other threats.

What has been somewhat less of a focus so far has been the risk to organizations from vulnerabilities in some of the core software components and infrastructure used in building and supporting AI products and platforms. Researchers from Wiz, for instance, recently found weaknesses in the widely used HuggingFace platform that gave attackers a way to tamper with models in the registry or to relatively easily upload weaponized ones to it. A recent study commissioned by the UK’s Department for Science, Innovation and Technology identified numerous potential cyber-risks to AI technology at every life cycle state from the software design phase through development, deployment, and maintenance. The risks include a failure to do adequate threat modeling and not accounting for secure authentication and authorization in the design phase to code vulnerabilities, insecure data handling, inadequate input validation, and a long list of other issues.

Source link

10 Ways a Digital Shield Protects Apps and APIs

10 Ways a Digital Shield Protects Apps and APIs

When network architectures were simpler, so was protecting apps and application programming interfaces (APIs). They were predominantly on-premises, so defense-in-depth practices could be applied to enterprise networks. While far from perfect, this approach provided multilayer security defenses to protect apps and APIs.

As network architectures gradually became more complex, so did protecting apps and APIs. The on-premises enterprise environment gave way to a hybrid mix of on-premises, data center, and multiple cloud environments. These days, hybrid and multicloud environments are more the rule than they are the exception. They introduce complexity and challenges that make it significantly more difficult for organizations to apply defense-in-depth practices to protect apps and APIs.

While the idea of rebuilding the enterprise perimeter doesn’t make much sense in the current state, perhaps there is another way to bring requisite protections to apps and APIs. What if organizations could open an umbrella — a digital shield, if you will — around their hybrid and multicloud environments? This would allow them to add layers of protections that would, at least logically speaking, bring defense-in-depth practices to modern network architectures.

What are some of the essential elements and functionality of a digital shield? I’ll explain 10 of them here.

1. Standardized Communication

The first step in protecting apps and APIs is standardization across different environments. This doesn’t mean that all environments need to be homogeneous, of course. Rather, it means that all environments need a common, central management interface. There also needs to be a straightforward way to understand what environments exist, where they are, how they are connected, and what is running inside of them.

2. Uniform Policy

The ability to uniformly apply and enforce security policy is another important step in protecting apps and APIs. Attackers are always on the lookout for the weakest link. When there is inconsistency in how environments are managed or a large amount of manual labor involved in managing those environments, that opens up holes that attackers can exploit. One of the top benefits of security policy standardization is the ability to reduce the number of weaknesses and points of failure that attackers can leverage.

3. Proper Visibility

Just like when networks were largely on-premises, telemetry and other data requisite for visibility reign supreme — even in modern network architectures. Continuous security monitoring is driven, first and foremost, by visibility. Without the ability to see traffic to and from apps and APIs across all environments, security teams don’t have the ability to monitor their environments for potential security and fraud issues.

4. Reliable Alerting

While visibility is extremely important, it needs to be properly leveraged to create and sustain reliable alerting across hybrid and multicloud environments. This means identifying critical assets and key resources and creating incisive alerting that cues the security team to unusual, suspicious, or malicious activity. For alerting to be considered reliable, it must have low false-positive rates and high true-positive detection rates. This allows an organization to hone its detection and response capabilities — without burying itself in noise.

5. Response Capability

When a security incident is identified, the proper incident response needs to be triggered. This requires not only proper visibility across hybrid and multicloud environments, but also the ability to query, analyze, and interrogate telemetry data from those environments. This is easier said than done, of course, and is an important part of any digital shield.

6. Good Governance

Managing the life cycle of apps and APIs is also an important, yet sometimes neglected, part of securing them. Having apps and APIs inventoried, managed, controlled, versioned, compliant with schema, processing input and output as expected, and adherent to change control procedures makes them less prone to vulnerabilities being introduced during the software development life cycle (SDLC). Proper governance is an all too often overlooked component to protecting apps and APIs, requiring the capabilities that a digital shield provides.

7. Central Controls

Preventive and detective controls work collaboratively to help secure apps and APIs. Preventive controls help secure environments against attacks they face. But because preventive controls are never 100% effective, detective controls augment preventive controls by alerting security teams when security incidents occur. Managing this symbiotic relationship across multiple environments can be extremely complex and difficult without a centralized management capability.

8. Vendor Agnosticism

Getting locked into cloud providers and the array of technologies and solutions they offer is never fun. Part of the appeal of a digital shield is that, in addition to providing an added layer of protection, it acts as a logical overlay to different cloud environments. This allows organizations to leverage available capabilities via one common interface, rather than needing to develop vendor-specific and vendor-dependent capabilities in each and every cloud environment.

9. Defense-in-Depth

Defense in depth and multilayer security are nothing new. They are fundamentally simple in theory yet difficult to implement in practice. The idea of having multiple layers of protection around apps and APIs to avoid single points of failure and weakness makes sense logically. Managing this approach, however, without a digital shield capability is a difficult undertaking due to the complexity of modern network architectures.

10. Simplified Operations

Maximizing the capabilities of defensive technologies is difficult unless operating them is relatively straightforward. Simplified operations require many components. Among them are executive dashboards to convey value to executives and the board; the ability to easily manage, maintain, administer, and secure infrastructure, apps, and APIs; the ability to uniformly and universally apply policy; and the ability to analyze and investigate events and incidents. These and other capabilities allow organizations to maximize the potential of the digital shield as a logical overlay and additional layer of defense.

Raise Your Shield

Protecting apps and APIs is an important undertaking for any organization. While the effort involves many moving parts, leveraging a digital shield as a logical overlay and added layer of defense can greatly simplify app and API security. Reducing complexity and centralizing management into one logical overlay platform can help organizations ensure that they maximize their technology investments and minimize the potential for risk, weakness, and vulnerability introduced by complexity, oversight, and human error.

Source link

SEC Adds New Incident Response Rules for Financial Sector

SEC Adds New Incident Response Rules for Financial Sector

The Securities and Exchange Commission (SEC) announced it will adopt new data-breach reporting regulations for some financial firms.

These new requirements serve to “modernize and enhance the rules that govern the treatment of consumers’ nonpublic personal information by certain financial institutions,” according to the SEC.

These amendments have been updated to require several new standards since the commission first adopted Regulation S-P, more than 24 years ago:

  1. Broker-dealers, investment companies, registered investment advisers, and transfer agents must address the growing use of technology and the risks it imposes.

  2. Institutions must develop, implement, and maintain policies for an incident response program that can respond to and recover from unauthorized access to customer information.

  3. The incident response program must require institutions to notify individuals whose sensitive information was compromised.

  4. Covered institutions must give notice of a breach as soon as possible but no later than 30 days if customer information was accessed by an unauthorized user. This notice must provide details of the incident, the kind of data that was breached, and how affected customers can best protect themselves.

“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” said Gary Gensler, SEC chair. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data.”

The amendments will go into effect 60 days after publication in the Federal Register, the SEC said. Once published, larger entities will have 18 months to comply with the amendments, whereas smaller entities will have 24 months.

Source link

400K Linux Servers Recruited by Resurrected Ebury Botnet

400K Linux Servers Recruited by Resurrected Ebury Botnet

A Linux-based botnet is alive and well, powering cryptocurrency theft and financial scams years after the imprisonment of one the key perpetrators behind it.

The Ebury botnet – which was first discovered 15 years ago – has backdoored nearly 400,000 Linux, FreeBSD, and OpenBSD servers. More than 100,000 servers were still compromised as of late 2023, according to new research from cybersecurity vendor ESET.

Victims include universities, small and large enterprises, Internet service providers, cryptocurrency traders, Tor exit nodes, and many hosting providers worldwide.

Anatomy of a Threat

Ebury is an OpenSSH backdoor that’s used to steal credentials like SSH keys and passwords. It creates a backdoor on the infected server that facilitates the deployment of secondary malware modules such as Cdorked, an HTTP backdoor used to redirect Web traffic and modify DNS settings, and Calfbot, a Perl script used to send spam emails.

Over the years, Ebury has served as a platform for spam distribution, Web traffic redirections, and credential-stealing, among other scams. Most recently, the gang running the botnet has pivoted to credit card and cryptocurrency theft, researchers found.

The attackers use adversary-in-the-middle tactics to intercept the SSH traffic of interesting targets – including Bitcoin and Ethereum nodes – within data centers, and then redirecting traffic to a server under their control. Once a would-be victim types their password into a cryptocurrency wallet hosted on the compromised server, Ebury automatically steals those wallets, according to ESET, which this week released updated research and a white paper on the Ebury botnet.

They also appear to be making attempts to muscle out potential credit card theft competitors. Case in point: Ebury malware attempts to detect and remove the BigBadWolf banking Trojan from compromised systems.

Ebury’s operators employ zero-day vulnerabilities in the server administrator software to hack servers at scale and extract credentials from the victim servers, the researchers found. The attackers also use known passwords and keys to hack into related systems, which allow them to surreptitiously install Ebury on multiple servers rented from any compromised hosting providers.

At one hosting provider, total of 70,000 servers were compromised by Ebury in 2023, the researchers said.

“Whenever a hosting provider was compromised, it led to a vast number of compromised servers in the same data centers,” wrote ESET researcher Marc-Etienne M. Léveillé, who has been investigating Ebury for more than a decade.

In perhaps one of Ebury’s most infamous campaigns, from 2009 to 20011 it successfully hacked, which hosts the source code of the Linux kernel. Half of its’s developer SSH passwords were stolen during that period.

Cops and Robbers

In 2014, ESET revealed that it had teamed up with Dutch police in an investigation of servers in the Netherlands suspected of being compromised with Ebury malware. Then in 2015, one of the Ebury perpetrators, Russian citizen Maxim Senak, was arrested at the Finland-Russia border and extradited to the US. He eventually pled guilty to fraud and computer hacking charges in 2017 and was sentenced to 46 months in prison.  

Since then, Ebury’s remaining masterminds have kept a low profile. They don’t advertise their activities and “we’ve never seen them attempting to sell access” to compromised systems on Dark Net forums, ESET’s Léveillé wrote in his post.

The Dutch National High Tech Crime Unit (NHTCU) in 2021 contacted ESET after finding Ebury on the server of a victim of cryptocurrency theft. That law enforcement investigation into Ebury remains ongoing.

Keeping Linux Safe from Ebury

Ebury malware operators regularly add new features. The latest version 1.8.2, spotted earlier this year, bundles new obfuscation techniques, a new domain-generation algorithm, and a stealthier rootkit functionality.

ESET this week released a set of detection and remediation tools to help system administrators determine whether their systems are compromised by Ebury.

Clean-up operations are non-trivial for an Ebury infection, ESET warns. Robert Lipovsky, principal threat intelligence researcher at ESET, told Dark Reading that even if system admins sanitize their infected servers, the cybercriminals behind Ebury might be able to reinstall the malware if compromised credentials get reused.

While there are tools available for adding multi-factor authentication to SSH servers, deployment is not simple, so systems admins often skip that extra level of security. “The continuing problems posed by Ebury illustrate the lack of visibility on Linux-based server-side threats,” ESET’s Léveillé told Dark Reading.

Source link