Nothing is more difficult than making predictions, especially in the fast-advancing cyber security field. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that many people and publications have predicted for 2023.
HTTPS: These days HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome now attempts to “upgrade” to the HTTPS version of a website if you accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking whether you would like to continue. As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads made over HTTP.
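As an added example (not code from the original post or from the Chrome project), the following Python script shows the check a site owner can run before the browser does it for them: it parses a page served over HTTPS and flags any download link that would be fetched over plain HTTP. The list of download extensions, the sample page and all domain names are constructed for this example; Chrome maintains its own, longer list internally.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed shortlist of file types a browser treats as downloads; Chrome's
# own list is longer and maintained inside the browser (assumption for this example).
DOWNLOAD_EXTENSIONS = {".exe", ".msi", ".zip", ".dmg", ".pkg", ".apk", ".pdf", ".iso"}


class _LinkCollector(HTMLParser):
    """Collect href targets of <a> tags from an HTML document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_insecure_downloads(page_url, html):
    """Return absolute URLs of download links that would be fetched over plain
    HTTP from a page that was itself served over HTTPS (the mixed-content
    downloads a browser blocks). Relative links inherit the page's scheme,
    so only explicit http:// links can end up flagged."""
    if urlsplit(page_url).scheme != "https":
        return []
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)  # resolves relative and //host links
        parts = urlsplit(absolute)
        _, ext = posixpath.splitext(parts.path)
        if parts.scheme == "http" and ext.lower() in DOWNLOAD_EXTENSIONS:
            flagged.append(absolute)
    return flagged


# Constructed sample page, as if served from https://www.example.com/downloads/
SAMPLE_PAGE_URL = "https://www.example.com/downloads/"
SAMPLE_HTML = """
<a href="setup.exe">Installer (relative link, stays on HTTPS)</a>
<a href="http://cdn.example.net/tools/setup.exe">Installer fetched over HTTP</a>
<a href="http://www.example.com/about.html">About page (HTTP, but not a download)</a>
<a href="//mirror.example.org/release.zip">Protocol-relative link (inherits HTTPS)</a>
<a href="https://www.example.com/manual.pdf">Manual over HTTPS</a>
"""

if __name__ == "__main__":
    for url in find_insecure_downloads(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("insecure download link:", url)
```

Only the second link is reported: the relative and protocol-relative links resolve to HTTPS, and the HTTP link to an HTML page is not a download. Fixing the flagged links (or serving them from the same HTTPS origin) is the cheapest way to avoid the browser warning the text describes.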
Malvertising: Cyber criminals impersonating brands using search engine advertisement services to defraud users will continue in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals are purchasing ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. However, anyone clicking on the link is instead taken to a lookalike page that may appear identical, but is in fact designed to phish for login credentials and financial details, or even trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.
Encrypted malware: The vast majority of malware arrives over encrypted connections, typically HTTPS web sessions. The vast majority of cyber-attacks over the past year have used TLS/SSL encryption to hide from security teams’ traditional firewalls and many other security tools: over 85% of attacks hide in encrypted channels, and the WatchGuard Threat Lab report finds the top threat arriving exclusively over encrypted connections. If you are not inspecting encrypted traffic when it enters your network, you will not be able to detect most malware at the network level. Hopefully you at least have endpoint protection implemented, for a chance to catch it further down the cyber kill chain.
Software vulnerabilities: Weak encryption configurations and missing security headers will still be very common in 2023. In 2022 nearly every application had at least one vulnerability or misconfiguration that affects security, and a quarter of application tests found a highly or critically severe vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications.
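Missing security headers are the kind of misconfiguration that is trivial to check for, so here is an added Python example (not from the original post or the report it cites) that audits a set of HTTP response headers for the common ones and for weak values such as a short HSTS max-age. The header list and thresholds are this example's own choices, and the two sample responses are constructed, not captured from any real site.

```python
import urllib.request

# Headers this audit expects on an HTTPS site, with the weakness each one addresses
SECURITY_HEADERS = {
    "strict-transport-security": "browser keeps using HTTPS for later visits (HSTS)",
    "content-security-policy": "restricts where scripts and other resources may load from",
    "x-content-type-options": "stops MIME sniffing of responses; should be 'nosniff'",
    "x-frame-options": "mitigates clickjacking by forbidding framing",
    "referrer-policy": "limits what the Referer header leaks to other origins",
}

ONE_YEAR = 31536000  # seconds; a commonly recommended minimum HSTS max-age


def _hsts_max_age(value):
    """Return the max-age integer from an HSTS header value, or None if absent."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.isdigit():
            return int(number)
    return None


def audit_security_headers(headers):
    """Return {header-name: finding} for headers that are missing or weakly set.
    Header names are matched case-insensitively, as HTTP requires."""
    present = {name.lower(): value for name, value in headers.items()}
    findings = {}
    for name, purpose in SECURITY_HEADERS.items():
        if name not in present:
            findings[name] = "missing: " + purpose
    hsts = present.get("strict-transport-security")
    if hsts is not None:
        max_age = _hsts_max_age(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings["strict-transport-security"] = (
                f"weak: max-age={max_age}, recommend at least {ONE_YEAR}")
    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings["x-content-type-options"] = f"weak: value {xcto!r}, expected 'nosniff'"
    csp = present.get("content-security-policy")
    if csp is not None and "'unsafe-inline'" in csp:
        findings["content-security-policy"] = "weak: policy allows 'unsafe-inline'"
    return findings


def fetch_headers(url):
    """Fetch the response headers of a live URL with a HEAD request (needs network)."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=10) as response:
        return dict(response.headers)


# Constructed sample responses (not captured from any real site)
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "sniff",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, finding in audit_security_headers(WEAK_RESPONSE).items():
        print(f"{name}: {finding}")
```

Run against a live site with `audit_security_headers(fetch_headers("https://your-site.example"))`. The audit deliberately reports a present-but-weak header separately from a missing one, because the fixes differ: a missing header is a server configuration gap, while a weak value usually means someone set it without knowing the recommended range.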
Old vulnerabilities: You will see attackers try to use old vulnerabilities again in 2023, because they work. Attackers take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in trying to revive known vulnerabilities before looking for novel ones. Many companies do not patch their systems in reasonable time, or at all, so they stay vulnerable. New variations of old vulnerabilities are also developed: approximately 50% of the observed 0-days in the first half of 2022 were variants of previously patched vulnerabilities.
Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments, and individuals alike. Lack of knowledge, poor upkeep of employees’ skills and indifference are the strongest obstacles to the development of many companies’ cyber security. While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far.
Cloud: At a hyperscale cloud provider there can be several thousand people, working around the globe, who could potentially access your data. Security screening and access limiting alone still leave a significant risk of malicious or accidental access to data. Instead, you should expect your cloud provider to take a more layered approach.
MFA: MFA fatigue attacks are putting your organization at risk in 2023. Multi-factor auth fatigue is real. A common threat targeting businesses is the MFA fatigue attack, a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. The attempt can succeed, especially when the target is distracted or overwhelmed by the notifications, or mistakes them for legitimate authentication requests. It’s a huge threat because it bypasses one of the most effective security measures.
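The pattern described above is easy to spot in authentication logs: a burst of denied or expired push prompts for one user, followed (in the worst case) by an approval. As an added example that is not part of the original post, the Python below runs that detection over a constructed push-MFA log; the log format, user names, window and threshold are assumptions for this example rather than any vendor's format or recommendation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed push-MFA audit log (fake users, not from any real product):
# "<UTC timestamp> <user> <result>", where result is approved, denied or timeout
SAMPLE_EVENTS = """\
2023-01-09T07:58:02Z alice approved
2023-01-09T22:14:05Z bob denied
2023-01-09T22:14:41Z bob denied
2023-01-09T22:15:20Z bob timeout
2023-01-09T22:16:03Z bob denied
2023-01-09T22:16:55Z bob denied
2023-01-09T22:17:30Z bob approved
2023-01-09T23:40:00Z carol denied
2023-01-10T09:05:10Z carol approved
"""


def parse_events(text):
    """Parse log lines into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, result = line.split()
        events.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag users who received `threshold` or more unaccepted prompts (denied or
    timed out) within `window`. Also report whether an approval followed the
    burst inside the window: that is the signature of a fatigue attack that
    succeeded and should be handled as a probable account compromise."""
    by_user = defaultdict(list)
    for stamp, user, result in sorted(events):
        by_user[user].append((stamp, result))
    alerts = {}
    for user, prompts in by_user.items():
        for i, (start, _) in enumerate(prompts):
            # sliding window that opens at prompt i
            in_window = [(t, r) for t, r in prompts[i:] if t - start <= window]
            rejected = 0
            approved_after_burst = False
            for _, result in in_window:
                if result != "approved":
                    rejected += 1
                elif rejected >= threshold:
                    approved_after_burst = True
            if rejected >= threshold:
                alerts[user] = {
                    "window_start": start.isoformat(),
                    "prompts": len(in_window),
                    "rejected": rejected,
                    "approved_after_burst": approved_after_burst,
                }
                break  # one alert per user is enough for this example
    return alerts


if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(parse_events(SAMPLE_EVENTS)).items():
        print(user, alert)
```

In the sample only bob trips the rule: five rejected prompts in under four minutes and then an approval, which is exactly the sequence to page on. carol's single late-night denial followed by a normal approval the next morning stays below the threshold. Number matching in the MFA app (showing a code the user must type) removes the "just tap approve" path this detection watches for.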
Passwords: Passwords will not go away completely, even though new solutions to replace them will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character in the password can make it harder for cyber criminals to use if it leaks out for some reason. The reason is that a comma in a password can break the column structure of tabular comma separated values (CSV) files, which are a common way to collect and distribute stolen passwords.
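To show what the comma actually does, and where the trick stops working, here is an added Python example (not from the original post or the article it cites). It writes a small constructed credential list two ways, with a careless comma-join and with a quoting-aware CSV writer, and parses each back naively and properly. The accounts and passwords are made up for the example.

```python
import csv
import io

# Constructed credential list in the style of leaked "user,password,email" dumps
# (fake accounts). The second data row's password contains commas.
ROWS = [
    ["user", "password", "email"],
    ["alice", "correct horse battery", "alice@example.com"],
    ["bob", "open,sesame,42", "bob@example.com"],
]


def write_naive(rows):
    """Join fields with commas and no quoting, as a careless export script does."""
    return "\n".join(",".join(row) for row in rows) + "\n"


def write_quoted(rows):
    """Write the same rows with the csv module, which quotes fields containing commas."""
    buffer = io.StringIO()
    csv.writer(buffer).writerows(rows)
    return buffer.getvalue()


def parse_naive(text):
    """Split every line on every comma; fields beyond the header are silently dropped."""
    lines = [line for line in text.splitlines() if line]
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def parse_quoted(text):
    """Parse with a quoting-aware reader, which honours the quotes around bob's password."""
    return list(csv.DictReader(io.StringIO(text)))


def misaligned_rows(text, expected_fields=3):
    """Count data rows whose naive comma split does not give the expected field count."""
    lines = [line for line in text.splitlines() if line]
    return sum(1 for line in lines[1:] if len(line.split(",")) != expected_fields)


if __name__ == "__main__":
    print("naive parse of naive file :", parse_naive(write_naive(ROWS))[1])
    print("csv parse of quoted file  :", parse_quoted(write_quoted(ROWS))[1])
```

With the naive file, bob's password is truncated to "open" and his e-mail column now holds "sesame", so a quick script walks away with the wrong credential. A dump written and read with a real CSV library is unaffected, which is why the comma is a small nuisance for sloppy tooling rather than a substitute for length and uniqueness.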
EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity; its successor, Network and Information Security 2, is known as NIS2. Rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonise their sanctions were approved by MEPs in late 2022. They will start to affect security decisions in 2023. The new rules set tighter cybersecurity obligations for risk management, reporting and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in the selected sectors fall under the legislation. The NIS Directive has impacted the cybersecurity budgets of operators over the past year, with deep-dives into the energy and health sectors. Read more at Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?
USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been regarded by the cybersecurity community as “the floor” and “a baseline” for cybersecurity hygiene and practices. Many organizations overlook OT as part of their cybersecurity strategy, keeping their focus solely on IT systems. Especially in the critical infrastructure sectors, overlooking OT can pose serious risks to all operations. As a result, the released CPGs are explicitly scoped to include OT devices.
Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next Android 14 release. Google Play now lets children send purchase requests to guardians.
Losing trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products.
Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.
Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.
Privacy and data protection: Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.
Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also the challenge that executives take more cybersecurity risks than office workers: leaders engage in more dangerous behavior and are four times more likely to be victims of phishing compared to office workers.
Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary. Keep in mind that executives take more cybersecurity risks than office workers.
Zero trust: Many people think that Zero Trust is close to an optimal security practice in 2023. It is good for new systems that its model suits, but Zero Trust also has challenges. Incorporating zero trust into an existing network can be very expensive. The Zero Trust Shouldnt Be The New Normal article says that the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource-pooled cloud federation, doesn’t coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk. That’s where identity-first networking comes in. For a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. It securely automates the exchange of user identities between cloud applications, diverse networks, and service providers.
Poor software: There will be a lot of poor software in use in 2023, and it will cost lots of money. Poor software costs the US 2.4 trillion: cyberattacks exploiting existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.
Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting in early January 2023 to improve security. A future Microsoft Edge update will permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems in February. This means that “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”.
Google Workspace: Google Workspace gets client-side encryption in Gmail; the long-awaited client-side encryption for Gmail is available in beta. Google is letting businesses try out client-side encryption for Gmail, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many Workspace services.
Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use biometric verification to authenticate users and are meant to replace the use of passwords, which can be easily compromised. Passkeys are usable cross-platform with both applications and websites. Passkeys offer the same experience that password autofill does, but provide the advantage of passwordless authentication. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are only available for websites that provide support for them, via the WebAuthn API.
War risks: Watch for the war between Russia and Ukraine to continue in 2023, in both the real world and cyberspace. Cyber is as important as missile defences, says an ex-NATO general. The risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.
Cloud takeover: AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range. Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.
ICS: ICS and SCADA systems remain trending attack targets in 2023.
Code security: Microsoft-owned code hosting platform GitHub has announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. The secret scanning program helps developers and organizations identify exposed secrets and credentials in their code. In 2022, code scanning helped identify 1.7 million potential secrets exposed in public repositories. Now the feature is available free for all public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts, you can track and act on leaked secrets directly within GitHub.
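GitHub's scanner works from partner-supplied credential formats; a team can apply the same idea locally before code is pushed. The Python below is an added example, not GitHub's implementation or any published rule set: it scans source text for a few documented token shapes (the AWS access key ID prefix and the GitHub `ghp_` token prefix are real formats; the generic "password = '...'" rule is this example's own heuristic) and redacts what it finds so the alert itself does not re-leak the secret. The sample file is constructed; the AWS key in it is the placeholder from AWS's own documentation, not a live credential.

```python
import re
from pathlib import Path

# Detection rules. The AWS access key ID format (AKIA + 16 characters) and the
# GitHub token prefix ghp_ are documented formats; the generic assignment rule is
# an assumption for this example and will produce false positives on real code.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key)\s*[=:]\s*['"]([^'"]{8,})['"]"""),
}


def redact(value):
    """Keep only the ends of a matched value so alerts do not re-leak the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-4:]


def scan_text(text, path="<inline>"):
    """Return one finding per pattern match, with line number and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                # use the captured value when the rule has one, else the whole match
                secret = match.group(match.lastindex or 0)
                findings.append({"path": path, "line": lineno,
                                 "type": kind, "match": redact(secret)})
    return findings


def scan_tree(root, suffixes=(".py", ".js", ".env", ".yml", ".yaml", ".json", ".txt")):
    """Scan every file with one of the given suffixes under a directory tree."""
    findings = []
    for file in Path(root).rglob("*"):
        if file.is_file() and file.suffix in suffixes:
            findings.extend(scan_text(file.read_text(errors="replace"), str(file)))
    return findings


# Constructed source file with fake values; the AWS key is the example key from
# AWS's documentation and is not a live credential.
SAMPLE_SOURCE = '''\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_KEY = "ghp_" + "x" * 36              # assembled at runtime, not a literal: not matched
password = "hunter2"                     # shorter than 8 characters: not matched
db_password = "correct-horse-battery"    # matched by the generic rule
url = "https://example.com/api?key=abc"
'''

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE, "app.py"):
        print(finding)
```

Wire `scan_tree(".")` into a pre-commit hook and fail the commit on any finding; the redacted output is safe to post in CI logs. Expect to tune the generic rule per code base, since it is the one that produces noise.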
Data destruction: We must develop a cloud-compatible way of doing destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided.
PCI DSS: PCI DSS 4.0 should be on your radar in 2023 if you work in a field that needs to meet it. The latest version of the standard will bring a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. But that’s changing with the release of PCI DSS 4.0. Now, many new requirements focus on client-side security.
SHA-1: NIST retires the SHA-1 cryptographic algorithm: not fully in 2023, but it starts preparations for the phase-out. The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm using a technique referred to as a ‘collision’ attack. SHA-1, whose initials stand for secure hash algorithm, has been in use since 1995 as part of the Federal Information Processing Standard, and NIST has announced that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms. The US National Institute of Standards and Technology (NIST) recommends that IT professionals start replacing the 27-year-old SHA-1 cryptographic algorithm with newer, more secure ones. Because SHA-1 is used as the foundation of numerous security applications, the phase-out period will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already taken steps to move away from the SHA-1 cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.
Cloud: Is cloud native security good enough? Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers, Amazon Web Services (AWS), Microsoft Azure and Google Cloud, of course offer security features and services designed to address significant threats to cloud-based data. However, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.
Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.
Ethical hacking: Ethical hacking has become a highly sought-after career route for emerging tech aspirants. The work of ethical hackers enables countless businesses and individuals to improve their security posture and minimize the potential attack risk for organizations. But several analysts believe that becoming a self-taught ethical hacker in 2023 might not be worth it, because such hackers are at constant risk of failing to perform properly and many companies might not want to hire them.
MFA: Two-factor authentication might not be enough in 2023 for applications that need strong security. In the past few months we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. So for some demanding users 2FA is over. Long live 3FA!
Cloud APIs: With cloud comes APIs and security headaches, also in 2023. Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots. About 40% of companies have suffered an incident due to misconfiguration and a third are coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but more than three-quarters (77%) are confident that they will catch issues, saying they have the required API tools and solutions.
Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As threat levels remain high, companies and organizations remain on alert, but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.
VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.
AI: Corporations have discovered the power of artificial intelligence (A.I.) to transform what’s possible in their operations. But with great promise comes great responsibility, and a growing imperative for monitoring and governance. “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.”
AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever, and the consequences will be serious. A Wired magazine article expects that in 2023 we may well see our first death by chatbot. Causality will be hard to prove: was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly they felt compelled to take their own life?
Metaverse: Police must prepare for new crimes in the metaverse, says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. Read the Policing in the metaverse: what law enforcement needs to know report for more information.
Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. Year 2022 already showed how many cryptocurrency-related risks materialized. More “crypto travel rules” are being enacted to combat money laundering and terrorism financing.
Insurance: Getting cyber insurance can become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks, and now cyber is increasingly the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. There is growing concern among industry executives about large-scale strikes. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. Some insurance policies already written in the market have an exemption for state-backed attacks, but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Recent attacks have disrupted hospitals, shut down pipelines and targeted government departments. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.
Sources:
An expert advises using a comma in your password – there is a clever logic behind it
Overseeing artificial intelligence: Moving your board from reticence to confidence
Android is adding support for updatable root certificates amidst TrustCor scare
Google Play now lets children send purchase requests to guardians
Diligent’s outlook for 2023: Risk is the trend to watch
Microsoft will turn off Exchange Online basic auth in January
Google is letting businesses try out client-side encryption for Gmail
Google Workspace Gets Client-Side Encryption in Gmail
The risk of escalation from cyberattacks has never been greater
Client-side encryption for Gmail available in beta
AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range
Microsoft: Edge update will disable Internet Explorer in February
Is Cloud Native Security Good Enough?
Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023
Google Chrome preparing an option to block insecure HTTP downloads
Cyber attacks set to become ‘uninsurable’, says Zurich chief
The Dark Risk of Large Language Models
Police Must Prepare For New Crimes In The Metaverse, Says Europol
Policing in the metaverse: what law enforcement needs to know
Cyber as important as missile defences – an ex-NATO general
Misconfigurations, Vulnerabilities Found in 95% of Applications
Personnel security in the cloud
Multi-factor auth fatigue is real – and it’s why you may be in the headlines next
MFA Fatigue attacks are putting your organization at risk
NIS2 approved – stricter cybersecurity requirements for EU countries
Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?
Poor software costs the US 2.4 trillion
Passkeys Now Fully Supported in Google Chrome
Google Takes Gmail Security to the Next Level with Client-Side Encryption
Executives take more cybersecurity risks than office workers
NIST Retires SHA-1 Cryptographic Algorithm
NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm
WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections
Over 85% of Attacks Hide in Encrypted Channels
GitHub Announces Free Secret Scanning, Mandatory 2FA
Leaked a secret? Check your GitHub alerts…for free
Data Destruction Policies in the Age of Cloud Computing
Why PCI DSS 4.0 Should Be on Your Radar in 2023
Google: With Cloud Comes APIs & Security Headaches
Digesting CISA’s Cross-Sector Cybersecurity Performance Goals
Zero Trust Shouldnt Be The New Normal
Don’t click too quick! FBI warns of malicious search engine ads
FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads
Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users
There is an acute shortage of cybersecurity professionals
Tomi Engdahl says:
Winter Vivern | Uncovering a Wave of Global Espionage https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/
The Winter Vivern Advanced Persistent Threat (APT) is a noteworthy yet relatively underreported group that operates with pro-Russian objectives. DomainTools initially publicized the group in early 2021, naming it based on an initial command-and-control beacon URL string wintervivern, which is no longer in use. Subsequently, Lab52 shared additional analysis several months later, identifying new activity associated with Winter Vivern. The group has avoided public disclosure since then, until recent attacks targeting Ukraine. A part of a Winter Vivern campaign was reported in recent weeks by the Polish CBZC, and then the Ukraine CERT as UAC-0114. In this activity, CERT-UA and the CBZC collaborated on the release of private technical details which assisted in our research to identify a wider set of activity on the threat actor, in addition to new victims and previously unknown specific technical details.
Tomi Engdahl says:
https://www.uusiteknologia.fi/2023/03/15/tekoaly-tulee-voimalla-kybersuojauksiin-ja-hyokkayksiin/
Tomi Engdahl says:
https://etn.fi/index.php/13-news/14713-kyberkatasrofi-kohtaa-useimpia-yrityksiae-kahden-vuoden-kuluessa
Tomi Engdahl says:
NSA Shares Guidance on Maturing ICAM Capabilities for Zero Trust
https://www.securityweek.com/nsa-shares-guidance-on-maturing-icam-capabilities-for-zero-trust/
NSA publishes recommendations on maturing identity, credential, and access management capabilities to improve cyberthreat protections.
The National Security Agency (NSA) this week published guidance to help system operators mature identity, credential, and access management (ICAM) capabilities to improve their cyberthreat protections.
Immature ICAM capabilities pose a risk to critical infrastructure, national security, and defense industrial base (DIB) systems, but improvements can be made by integrating zero trust principles and designs into enterprise networks.
Part of the national cybersecurity strategy, the adoption of zero trust is mandated by the president’s executive order on improving the nation’s cybersecurity (EO 14028) and National Security Memorandum 8 (NSM-8), which applies to federal civilian executive branch (FCEB) agencies and national security system (NSS) owners and operators.
According to the NSA, a mature zero trust framework requires the adoption of capabilities from seven different pillars, namely application/workload, automation and orchestration, device, data, network/environment, user, and visibility and analytics.
Following the 2021 guidance on the adoption of a zero trust security model, the NSA is now providing recommendations on the capability and maturity levels for the user pillar. Primarily intended for NSS owners and operators, the guidance may be useful for other system operators as well, the NSA notes.
The user pillar of zero trust, which refers to the management of user access in a dynamic risk environment, refines capabilities associated with the Federal Identity, Credential, and Access Management (FICAM) framework, which was established in 2009 to provide a common ICAM segment architecture for federal agencies to use.
Maturing identity management, the NSA says, includes creating an inventory of users with access to critical resources, using standardized inventories that are centrally accessible, performing identity vetting, defining enterprise attribute standards, and defining risk-based attributes.
For all established identities, secure credentials should be issued – some identities may be associated with multiple credentials, depending on their roles within the organization – and the NSA recommends strong multi-factor authentication for person users and hardware-based protections for non-person entity authenticators.
Strictly managed credential lifecycles, the use of enterprise-approved, highly assured authenticators, updating user credentials to ensure compliance with NSS standards, and implementing effective procedures to quickly revoke and replace credentials when needed are steps to be taken towards a mature zero trust implementation.
https://media.defense.gov/2023/Mar/14/2003178390/-1/-1/0/CSI_ZERO%20TRUST%20USER%20PILLAR.PDF
https://www.securityweek.com/nsa-publishes-guidance-adoption-zero-trust-security/
Tomi Engdahl says:
https://www.securityweek.com/webinar-today-how-to-build-resilience-against-emerging-cyber-threats/
Tomi Engdahl says:
Are Encryption and Zero Trust Breaking Key Protections?
https://www.securityweek.com/are-encryption-and-zero-trust-breaking-key-protections/
Compliance and ZTNA are driving encryption into every aspect of an organization’s network and enterprise and, in turn, forcing us to change how we think about protecting our environments.
According to Gartner, 75% of the global population will have its personal data covered under privacy regulations by the end of 2024. And in their latest information security and risk management study, Gartner identifies Zero Trust Network Access (ZTNA) as the fastest-growing segment in network security, forecast to grow 31% in 2023 and propelled by the rise in remote workers. Hybrid work is a fact of life and expected to be served predominantly by ZTNA versus VPN services.
Compliance and ZTNA are driving encryption into every aspect of an organization’s network and enterprise and, in turn, forcing us to change how we think about protecting our environments.
Unintended consequences
ZTNA is great for security in one aspect, providing greater control over movement and access as the Atomized Network continues to grow and applications and people are everywhere. Instead of authenticating once and then getting relatively open access to resources and devices on a network, zero trust is about authenticating and receiving a set of permissions and authorization for explicit access. However, ZTNA’s use of encryption to secure all connections, regardless of where they reside in the infrastructure, is creating massive issues in another aspect of security. As I’ve discussed before, encryption is blinding many of the network visibility and security tools we have traditionally used for enterprise protection.
Organizations that decide to use secure access service edge (SASE) platforms to manage ZTNA, also sacrifice a degree of visibility for the sake of authentication and encryption.
Tomi Engdahl says:
How the Atomized Network Changed Enterprise Protection
https://www.securityweek.com/how-the-atomized-network-changed-enterprise-protection/
Cyberattacks rose at a rate of 42% in the first half of 2022 and the average cost of a data breach has hit a record high of $4.35 million with costs in the U.S. peaking at $9.44 million. Unfortunately, this shouldn’t come as a surprise. Enterprise networks have changed dramatically, particularly over the last few years, and yet we continue to try to defend them with the same conventional approaches. As an industry, we’ve hit an inflection point. It’s time to fundamentally rethink the problem set and our approach to solving it.
Networks are dispersed, ephemeral, encrypted, and diverse
Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud, and edge. The capabilities, the nomenclature, and the available data for each type of infrastructure are also dispersed.
The cloud has changed the game quite a bit, making today’s networks very ephemeral. Everybody is remote and IP addresses come and go. We’re no longer just talking about dynamic host configuration protocol (DHCP). In the cloud, every time we reboot a cloud instance that instance can get a new IP address. Conventions like Canonical Name (CNAME) do that mapping behind the scenes for us. However, it’s incredibly difficult to stay on top of what we have, what it’s doing, and what’s happening to it, when what something is today may not necessarily be what it was yesterday, and teams have limited visibility and understanding of these changes.
Tomi Engdahl says:
CISA Seeks Public Opinion on Cloud Application Security Guidance
https://www.securityweek.com/cisa-seeks-public-opinion-on-cloud-application-security-guidance/
CISA this week announced it is seeking public input on draft guidance for securing cloud business applications.
The US Cybersecurity and Infrastructure Security Agency (CISA) is seeking public comment on guidance for securing cloud business applications.
Titled Secure Cloud Business Applications (SCuBA) Hybrid Identity Solutions Architecture, the document is meant to help federal agencies securely integrate cloud-based solutions with existing on-premises infrastructure.
The SCuBA project includes two CISA-developed guidance documents providing agencies with recommendations on adopting the best security and resilience practices required for utilizing cloud services.
“SCuBA will help secure federal civilian executive branch (FCEB) information assets stored within cloud environments through consistent, effective, modern, and manageable security configurations,” CISA notes.
While they are primarily intended for federal agencies, these documents can be used by any organization.
The first document, (SCuBA) Technical Reference Architecture (TRA), is meant to provide context, standard views, and terminology that align with SCuBA.
Tomi Engdahl says:
Meta Develops New Kill Chain Thesis
https://www.securityweek.com/meta-develops-new-kill-chain-thesis/
Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of models.
Facebook parent Meta has officially unveiled a ten-phase kill chain model that it believes will be more inclusive and more effective than the existing range of kill chain models.
Over the years, there have been many attempts to define better or more efficient kill chains. But they tend to be ultimately unsatisfactory. The problem is the asynchronous relationship between attackers and kill chains: there are many different attackers using many different approaches to attack many different targets, that sometimes have many and often siloed response teams – while there is just one kill chain.
As a result, whichever kill chain is adopted by defenders, it tends not to be a full reflection of all attacks, all the time, everywhere. It is difficult for the right person to find the right link in the chain to disrupt.
The Online Operations Kill Chain
The Meta approach starts from the assumption that despite the asynchronous nature of attacks, there are still meaningful commonalities, especially where those commonalities can be abstracted from the platform or hardware being attacked. For Meta, it is the human element of the attack that is key.
Six guiding principles were used in its development: ‘observation-based’ (not designed to track hypotheses, such as assumed strategic goals); ‘tactical’ (designed for tactical analysis, not for organic social movements); ‘platform agnostic’ (suitable for everything from social media to smaller websites and email providers); ‘optimized for human-on-human operations’ (can be applied to machine-on-machine attacks, but is not primarily designed for them); ‘applicable to one or many platforms’ (both single-platform and multi-platform operations); and ‘modular’ (not every attacker will go through every phase of the chain).
The Meta kill chain, says the white paper, provides “an analytic framework that is designed to be applied to a wide range of online operations – especially those in which the targets are human. These include, but are not limited to, cyberattacks, influence operations, online fraud, human trafficking, and terrorist recruitment.”
As a result, the Meta kill chain contains more phases (ten) than the original Intrusion Kill Chain (seven). Two new phases, for example, are included before Lockheed Martin’s reconnaissance phase: acquiring assets, and disguising assets. These phases are more likely to be detected by independent researchers, law enforcement agencies and dark web monitoring firms than by corporate security teams – but are nevertheless part of the overall attack chain.
The full list of the ten phases of the kill chain comprises:
Acquiring assets
Disguising assets
Gathering information
Coordinating and planning
Testing platform defenses
Evading detection
Indiscriminate engagement
Targeted engagement
Compromising assets
Enabling longevity
Tomi Engdahl says:
GPT-4 Can't Stop Helping Hackers Make Cybercriminal Tools https://www.forbes.com/sites/thomasbrewster/2023/03/16/gpt-4-could-help-stupid-hackers-become-good-cybercriminals/
OpenAI released the latest version of its machine learning software, GPT-4, to great fanfare this week. One of the features the company highlighted about the new version was that it was supposed to have rules protecting it from cybercriminal use. Within a matter of days, though, researchers say they have tricked it into making malware and helping them craft phishing emails, just as they had done for the previous iteration of OpenAI's software, ChatGPT. On the bright side, they also were able to use the software to patch holes in cyber defenses, too. Researchers from cybersecurity firm Check Point showed Forbes how they got around OpenAI's blocks on malware development by simply removing the word "malware" from a request.
Tomi Engdahl says:
What Does a Network Security Engineer Do?
https://securityintelligence.com/articles/what-does-a-network-security-engineer-do/
In a nutshell, the network security engineer is the person who is responsible for the design and implementation of the organization's security system, ensuring there are no gaps or vulnerabilities for threat actors to exploit. They aren't just responsible for protecting the infrastructure from potential cyberattacks but also for safeguarding the network's physical security from all types of intrusion or natural disasters. This is the position that creates and enforces an organization's security policy. A network security engineer maintains the hardware and software that act as the first line of defense during an attack. While the titles sound similar and people sometimes use them interchangeably, network security engineers are different from network security architects. The architects are usually higher level: they analyze and test a system and decide what tools are needed. However, the engineers are the ones who put it all together and keep it running properly. In smaller companies, the network security engineer may be asked to take on the tasks of an architect, but they are generally separate roles.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/14726-verkkorikollinen-voi-jo-kaeyttaeae-chatgpt4-sta-usealla-tavalla
Tomi Engdahl says:
Microsoft seemingly enabling VBS by default in Windows 10 too, leading to performance loss
https://www.neowin.net/news/microsoft-seemingly-enabling-vbs-by-default-in-windows-10-too-leading-to-performance-loss/
Tomi Engdahl says:
How to make your smart TV a little dumb (and why you should)
Your smart TV is spying on you. Here’s how to stop it.
https://mashable.com/article/how-to-stop-smart-tv-from-spying-on-me-disable-automatic-content-recognition
Tomi Engdahl says:
THE FUTURE OF CYBER IS AUTOMATED MOVING TARGET DEFENSE https://blog.morphisec.com/automated-moving-target-defense-gartner
Moving Target Defense (MTD) technology is the next evolution in cybersecurity, and unlike the technologies that came before it, rather than focusing on detection and reaction, it is preventive. MTD is based on a basic premise taken from military strategy, that a moving target is harder to attack than a stationary one. MTD uses strategies that orchestrate movement or changes in IT environments across the attack surface to increase uncertainty and complexity for attackers.
Tomi Engdahl says:
Germany clocks that ripping out Huawei, ZTE network kit won’t be cheap or easy https://www.theregister.com/2023/03/18/germany_huawei_mobile/
Ripping and replacing Huawei and ZTE equipment from German carrier networks is going to be a painful process, according to the country's economy ministry. The letter to the Bundestag lower house of parliament's economic committee, obtained by Reuters, warns that "there is likely to be significant impact on the operation of mobile networks and the fulfillment of coverage requirements," if the country removes Chinese telecommunications technologies from its network.
Tomi Engdahl says:
A cybercriminal can already use ChatGPT-4 in several ways
https://etn.fi/index.php?option=com_content&view=article&id=14726&via=n&datum=2023-03-17_14:49:32&mottagare=30929
ChatGPT is the hottest technology of the moment, and it can be used both for good and for harm. Security company Check Point's research department has already found five possible scenarios in which the AI bot can be used to write malicious code faster and more efficiently.
Of course, AI can also be used effectively for very good purposes. For example, one coder described on Twitter, with examples, how he had asked a professional developer for a quote to code five microkernels. The quote was five thousand pounds and the work would have taken two weeks. ChatGPT did the same in three hours, and the user estimated the cost at 11 cents.
Tomi Engdahl says:
Matt Burgess / Wired:
How open source intelligence, or OSINT, researchers are using public data to untangle the mystery of the Nord Stream pipeline sabotage, helping debunk claims — Open source intelligence researchers are verifying and debunking opaque claims about who ruptured the gas pipelines in the Baltic Sea.
Tomi Engdahl says:
Online Sleuths Untangle the Mystery of the Nord Stream Sabotage
Open source intelligence researchers are verifying and debunking opaque claims about who ruptured the gas pipelines in the Baltic Sea.
https://www.wired.com/story/nord-steam-explosions-mystery-osint/
Tomi Engdahl says:
Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace
https://www.mandiant.com/resources/blog/zero-days-exploited-2022
Mandiant tracked 55 zero-day vulnerabilities that we judge were exploited in 2022. Although this count is lower than the record-breaking 81 zero-days exploited in 2021, it still represents almost triple the number from 2020. Chinese state-sponsored cyber espionage groups exploited more zero-days than other cyber espionage actors in 2022, which is consistent with previous years. We identified four zero-day vulnerabilities exploited by financially motivated threat actors. 75% of these instances appear to be linked to ransomware operations.
Tomi Engdahl says:
A Look at The 2023 Global Automotive Cybersecurity Report https://www.tripwire.com/state-of-security/global-automotive-cybersecurity-report
Recently, Upstream published their 2023 Global Automotive Cybersecurity Report. In it, they explored the cybersecurity threats that plague the automotive industry, as well as the things the sector can do to protect itself as these threats continue to evolve. Here’s a closer look at five important findings in this comprehensive document
Tomi Engdahl says:
Why You Should Opt Out of Sharing Data With Your Mobile Provider https://krebsonsecurity.com/2023/03/why-you-should-opt-out-of-sharing-data-with-your-mobile-provider/
A new breach involving data from nine million AT&T customers is a fresh reminder that your mobile provider likely collects and shares a great deal of information about where you go and what you do with your mobile device – unless and until you affirmatively opt out of this data collection. Here’s a primer on why you might want to do that, and how.
Tomi Engdahl says:
Tailoring Sandbox Techniques to Hidden Threats https://unit42.paloaltonetworks.com/tailoring-sandbox-techniques/
Malware authors often throw curve balls that are meant to confound automated detection systems. We’ve adapted to these techniques by tailoring our analysis platform in a couple of notable ways that we’ll discuss, particularly to address malware that engages in sandbox evasion.
Tomi Engdahl says:
TikTok cannot be considered a private company, says Australian report https://www.theregister.com/2023/03/19/asia_tech_news_roundup/
ByteDance, the Chinese developer of TikTok, “can no longer be accurately described as a private enterprise” and is instead intertwined with China’s government, according to a report [PDF] submitted to Australia’s Select Committee on Foreign Interference through Social Media.
Tomi Engdahl says:
BBC to staff: Uninstall TikTok from our corporate kit unless you can ‘justify’ having it https://www.theregister.com/2023/03/20/british_broadcasting_corporation_softbans_tiktok/
The world’s oldest national broadcaster, the venerable British Broadcasting Corporation, has told staff they shouldn’t keep the TikTok app on a BBC corporate device unless there is a “justified business reason.”
Tomi Engdahl says:
The AI Risk Landscape: How ChatGPT Is Shaping the Way Threat Actors Work https://flashpoint.io/blog/ai-risk-chatgpt/
The sophistication of current and near-future artificial intelligence (AI) generated attacks, however, is low. The code we've observed tends to be very basic or bug ridden: we've yet to observe any attacks leveraging advanced, or previously-unseen code generated from the AI tool. Despite this, the promise of the AI models, specifically ChatGPT, still poses a major risk to organizations and individuals, and will challenge security and intelligence teams for years to come.
Tomi Engdahl says:
ShellBot Malware Being Distributed to Linux SSH Servers https://asec.ahnlab.com/en/49769/ AhnLab Security Emergency response Center (ASEC) has recently discovered the ShellBot malware being installed on poorly managed Linux SSH servers. ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server. ShellBot is an old malware that has been in steady use and is still being used today to launch attacks against Linux systems.
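The "poorly managed SSH server" that ShellBot lands on is, in practice, one that accepts password logins and is being brute-forced. The following is an added example, not code from the ASEC write-up: a small detector that parses sshd authentication lines and flags a password login that follows a burst of failures from the same source, which is the footprint such an installation leaves. The log lines are constructed for the demonstration, not captured; the thresholds are assumptions.

```python
"""Flag SSH password logins that follow a brute-force burst from the same source.

Added example, not from the ASEC report. Log lines below are constructed
(RFC 5737 documentation addresses), not real captures.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Mar 20 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 20 03:14:02 host sshd[2103]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 20 03:14:03 host sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51126 ssh2
Mar 20 03:14:05 host sshd[2107]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 20 03:14:06 host sshd[2109]: Failed password for root from 203.0.113.7 port 51133 ssh2
Mar 20 03:14:08 host sshd[2111]: Accepted password for root from 203.0.113.7 port 51140 ssh2
Mar 20 03:20:00 host sshd[2200]: Accepted publickey for deploy from 198.51.100.4 port 40010 ssh2
Mar 20 03:21:00 host sshd[2210]: Failed password for alice from 198.51.100.9 port 40020 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd_log(log: str, year: int = 2023) -> list[tuple]:
    """Turn syslog-style sshd lines into (timestamp, result, method, user, ip) tuples.

    Syslog timestamps carry no year, so the caller supplies one (assumption: 2023).
    """
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                           # unrelated sshd message, ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def find_bruteforce_logins(events: list[tuple], threshold: int = 5, window_s: int = 60) -> list[tuple]:
    """Return (ip, user, iso_time) for each *password* login preceded by >= threshold
    failures from the same source within window_s seconds. Key-based logins are
    not flagged: the ShellBot pattern is a guessed password, not a stolen key.
    """
    failures = defaultdict(list)
    hits = []
    for ts, result, method, user, ip in sorted(events):
        if result == "Failed":
            failures[ip].append(ts)
        elif method == "password":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                hits.append((ip, user, ts.isoformat()))
    return hits


if __name__ == "__main__":
    for ip, user, when in find_bruteforce_logins(parse_sshd_log(SAMPLE_LOG)):
        print(f"brute-forced password login: {user}@{ip} at {when}")
```

On a real host, feed it `journalctl -u ssh` or `/var/log/auth.log`. The fix the finding points at is configuration, not detection: `PasswordAuthentication no` and `PermitRootLogin no` in `sshd_config` remove the entry point ShellBot relies on, and the detector then serves mainly to confirm that nothing still accepts passwords.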
Tomi Engdahl says:
The Scorched-Earth Tactics of Iran's Cyber Army https://www.wired.com/story/iran-cyber-army-protests-disinformation/
Within its borders, the Iranian regime controls its population through one of the world's toughest internet filtering systems, physical crackdowns, and mass arrests carried out with impunity. With the ongoing political unrest in Iran, old cyber tactics have been ramped up, and new tricks that aim to distract, discredit, distort, and sow distrust have come to the fore as the regime finds itself in a critical moment.
Tomi Engdahl says:
Unit 42 Ransomware and Extortion Report Highlights: Multi-Extortion Tactics Continue to Rise https://unit42.paloaltonetworks.com/multi-extortion-rise-ransomware-report/
Our 2023 Unit 42 Ransomware Threat Report explores recent incident response cases, as well as our threat intelligence analysts' assessment of the larger threat landscape. It also offers predictions for how we believe threat actors will use ransomware and extortion tactics going forward.
Tomi Engdahl says:
Understanding Cyber Threats in Transport https://www.enisa.europa.eu/news/understanding-cyber-threats-in-transport
The European Union Agency for Cybersecurity (ENISA) publishes its first cyber threat landscape report dedicated to the transport sector
Tomi Engdahl says:
Norway recommends removing TikTok from its government employees' work devices https://www.is.fi/digitoday/art-2000009468465.html
According to the Ministry of Justice, government employees can still use Telegram and TikTok for work purposes when needed, on devices that are not connected to the government's digital systems.
Tomi Engdahl says:
Stories from the Cyber Trenches: Walking Right Into a Password Manager's Master Vault https://www.secureworks.com/blog/walking-right-into-a-password-managers-master-vault
We're kicking off a new series with the story of a recent Secureworks® penetration testing engagement.
Tomi Engdahl says:
Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
https://www.securityweek.com/exploitation-of-55-zero-day-vulnerabilities-came-to-light-in-2022-mandiant/
Mandiant has conducted an analysis of the zero-day vulnerabilities disclosed in 2022 and over a dozen were linked to cyberespionage groups.
Tomi Engdahl says:
Zoom Paid Out $3.9 Million in Bug Bounties in 2022
https://www.securityweek.com/zoom-paid-out-3-9-million-in-bug-bounties-in-2022/
Zoom says it paid out $3.9 million in bug bounty rewards in 2022, with a total of over $7 million awarded to researchers since 2019.
Tomi Engdahl says:
Malware Trends: What’s Old Is Still New
https://www.securityweek.com/malware-trends-whats-old-is-still-new/
Many of the most successful cybercriminals are shrewd; they want good ROI, but they don’t want to have to reinvent the wheel to get it.
It’s clear that cybercrime is one of the world’s most lucrative illicit industries – possibly taking the top spot. Threat actors are getting more meticulous and inventive in their ploys, even reviving outdated and long-forgotten techniques, thanks to their own brand of Key Performance Indicators linked to return on investment. After all, if a successful remake of an old classic can generate new revenue, producers will embrace it.
Many of the most successful cybercriminals are shrewd; they want good ROI, but they don’t want to have to reinvent the wheel to get it. That’s one reason they are leveraging existing infrastructure and older threats to maximize opportunity. As a security professional, you need to know what attackers are up to so you can focus your resources appropriately.
Remaking the classics
When the FortiGuard Labs research team looked at the second half of 2022, code reuse (old code being retrofitted into new versions) and the re-emergence of well-known names in the botnet, malware and wiper space – such as Emotet and GandCrab, among others – served as a reminder that threats and malware never truly go away. They merely retreat underground and wait for another opportunity. And they are available wholesale any time to anyone who wants to buy them.
Tomi Engdahl says:
Ransomware Will Likely Target OT Systems in EU Transport Sector: ENISA
https://www.securityweek.com/ransomware-will-likely-target-ot-systems-in-eu-transport-sector-enisa/
Ransomware and data related attacks are the top cybersecurity threats to the transport sector in the EU, ENISA says.
Ransomware has become the top threat to the transport sector in the EU, and the European Union Agency for Cybersecurity (ENISA) expects ransomware groups to disrupt operational technology (OT) systems.
The overall number of cyberattacks targeting aviation, maritime, railway and road transport organizations has increased between January 2021 and October 2022, with cybercriminals responsible for most of the incidents (54%), according to a new report from ENISA.
Ransomware emerged as the primary threat, being used in 38% of the observed incidents, with data related attacks taking the second position, at 30%.
Malware (17%), DoS and DDoS (16%), phishing (10%) and supply chain attacks (10%) were also observed, along with breaches, fraud, and vulnerability exploitation.
As part of a ransomware attack, threat actors compromise a target’s systems, deploy file-encrypting malware, and demand a ransom payment in exchange for decryption keys. Representing a significant portion of the identified incidents, including several high-profile attacks, ransomware is presented separately from malware.
https://www.enisa.europa.eu/publications/enisa-transport-threat-landscape
Tomi Engdahl says:
Spain Needs More Transparency Over Pegasus: EU Lawmakers
https://www.securityweek.com/spain-needs-more-transparency-over-pegasus-eu-lawmakers/
Spain needs more transparency over the Pegasus spyware hacking scandal, a European Parliament committee said.
Tomi Engdahl says:
CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
https://www.securityweek.com/cisa-adds-experts-to-cybersecurity-committee-updates-baseline-security-goals/
CISA announces adding more experts to its Cybersecurity Advisory Committee and updating the Cybersecurity Performance Goals.
The US Cybersecurity and Infrastructure Security Agency (CISA) this week announced adding more experts to its Cybersecurity Advisory Committee (CSAC) and updating the baseline cybersecurity goals introduced last year.
CISA on Monday announced over a dozen new members of the CSAC, whose role is to advise the agency’s director on policies and programs.
Members of the advisory committee include cybersecurity, tech, privacy, risk management and resilience experts from public and private sector organizations.
New members from the private sector include Dave DeWalt, CEO and founder of NightDragon; Brian Gragnolati, president and CEO of Atlantic Health System; Royal Hansen, VP of privacy, safety and security engineering at Google; Rahul Jalali, SVP and CIO at Union Pacific; Cathy Lanier, SVP and CSO at the NFL; Doug Levin, co-founder and national director at K12 Security Information eXchange; Kevin Tierney, VP and CSO at General Motors; and Alex Tosheff, SVP and CSO at VMware.
Tomi Engdahl says:
BreachForums Shut Down Over Law Enforcement Takeover Concerns
https://www.securityweek.com/breachforums-shut-down-over-law-enforcement-takeover-concerns/
The popular cybercrime forum BreachForums is being shut down following the arrest of Conor Brian Fitzpatrick, who is accused of running the website.
Tomi Engdahl says:
Burnout in Cybersecurity – Can it be Prevented?
https://www.securityweek.com/burnout-in-cybersecurity-can-it-be-prevented/
Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.
Burnout is a growing problem that damages people and threatens effective security.
Burnout is likely to worsen in the coming months as the economy forces teams to do more with less at the same time as cybercrime and nation-state attacks are increasing.
But what is burnout? How does it affect you; can you prevent it; and can you recover from it? Any profession, especially a stressful one, suffers from burnout; but here we are primarily discussing cybersecurity.
The World Health Organization (WHO) describes burnout as an occupational syndrome: “Burn-out is a syndrome conceptualized as resulting from chronic workplace stress that has not been successfully managed.”
The symptoms are exhaustion and mental distancing from the occupation – and the effect is reduced efficacy at work. The question we ask here is whether better stress management could prevent burnout, recognize its early stages, halt its progression, and recover from its effect.
It’s worth mentioning – it’s not just the CISO. Any member of the security team can succumb to burnout.
The view from the coalface
“Our industry is facing unprecedented levels of burnout,” comments Melissa Bischoping, director of endpoint security research at Tanium.
“We face the exceptionally high risk of burnout due to the nature of our work in security,” adds Sounil Yu, CISO at JupiterOne. “Burnout is more common than most realize. Recognizing burnout risks is an important way to be supportive and to let team members know that they are not alone.”
“Cybersecurity professionals are dealing with environments that are ‘active’ 8 by 5 but are under threat 24 by 7,” says Mike Parkin, senior technical engineer at Vulcan Cyber. “Finding the resources to keep the SOC operating after hours can be a challenge.”
Bischoping recognizes the same problem. “It’s not uncommon to hear those in the industry say that holidays and weekends are the most likely time to get a call for a major event, so ensuring that you’ve got the right on-call coverage where needed and you’re balancing that with providing time to recover and prevent burnout is essential.”
Security professionals know about burnout and understand some of the underlying causes. It is usually described as a mental health issue. ‘#burnout’ has more than 12,000 followers on LinkedIn. But still it exists and – if anything – is increasing. It’s time for a closer look at causes and remedies.
Cause and effect
Peter Coroneos is founder of Cybermindz.org, a not-for-profit organization dedicated to supporting mental wellbeing within the cyber community. Coroneos accepts that burnout isn’t limited to the cybersecurity profession. “Burnout can ultimately affect anyone in any sector,” he told SecurityWeek. But he added that Cybermindz has identified at least 15 factors which, in combination, make the stresses on cyber teams stand apart from just about every other professional group.
“The combination is both quantitatively and qualitatively unique, which is why we are seeing burnout rates in cyber exceeding those of other professional groups.” He gives two specific examples. “The attack environment is relentless, with no psychological downtime as security teams are never sure when an attack will occur;” and “cyber teams are acutely aware that the downstream effects of a single failure can affect potentially millions of people.”
CISOs are also aware they are the potential scapegoat for security failures. It is rarely the board that is punished for failing to provide the necessary resources, but the CISO is always responsible for failing to achieve the impossible.
The result is a constant demand on adrenaline that is completely out of sync with the biological and psychological purpose of adrenaline. This is a naturally produced hormone that is designed to improve physical and mental performance at the point of stress – immediate and short-term fight or flight. It is not designed for constant use – and consistently high levels of adrenaline, or insufficient time to recover from adrenaline surges, is positively harmful.
“The warning signs of impending burnout are threefold,” says Coroneos: “increasing cynicism or depersonalization (the so called ‘quiet quitting’ phenomenon); emotional depletion; and a loss of sense of professional efficacy (or how well you think you are doing your job).”
She cites the Yerkes-Dodson law of performance. It relates performance quality to stress level, and presents as an inverted 'U' curve. Boredom can lead to apathy and poor performance, or rust-out – the little-known converse relation of burnout. Surprisingly, rust-out can also affect certain members of a security team – some routine functions simply need to be repeated over and over again.
Peak performance comes with medium (or manageable) levels of stress. But in times of high anxiety, performance falls. The problem for security teams is they are required to operate at high performance levels for extended periods of high anxiety; and this can only be achieved with high and continuously high levels of adrenaline. The physiological purpose of adrenaline to fuel short term fight or flight is replaced by a continuing requirement to fuel psychological stress and anxiety that never stops.
This is unsustainable, and the result is burnout. The primary route is constant stress causing continuous reliance on adrenaline with little opportunity to recover from the normal adrenaline surge, resulting in burnout. “It’s that continual pressure from one direction or another, that leads to burnout,” says McKeown. “It’s not just one incident. One incident might be the straw that broke the camel’s back, but for cybersecurity I think it’s a constant – being under fire, under pressure.”
Remedies
The key questions for CISOs and their teams are: ‘can burnout be prevented?’, and ‘can burnout be cured?’ Prevention is always a better option than cure – and it is usually the easiest solution. ‘Cure’ is often too late for the current employment – the victim has burned out and left. The cure is usually a complete rest followed by a different occupation. “It’s more effective to prevent burnout in the first place by building personal resilience than it is to try and mop it up after the event,” says McKeown.
Prevention comes from building resilience. Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.
McKeown believes security professionals can help themselves with the Robertson Cooper model of resilience. There are four primary components to this model: confidence in one’s own ability to handle difficult situations; adaptability to changing situations; purposefulness in having a clear sense of purpose, values, drive, and direction; and social support.
For security teams, the last one is key, upon which the others are founded. “It means building trust and relationships,” she explained. “When that is successful, you know the support of your team around you. And that is a big component of building resilience against any sort of bad things that can happen – because you know you’re not on your own. You’ve got a team that will support you. They’ve got your back, and you’ve got their back. And that is quite a strong measure of how resilient a team is.”
Coroneos also stresses the term resilience. “At a personal level, when you are emotionally depleted, you’ve got nothing to give even yourself, much less the people around you that may be suffering. If we can rebuild the emotional resources within the individual and make them feel better and stronger about themselves, they obviously have more to give to those around them. This is the power of building resilience, psychological resilience in teams and wellbeing. It can have a huge morale boosting effect.”
“By showing the individual where the foundation is within themselves, that they can always return to and that is unbreakable,”
Who is responsible for preventing burnout?
Building personal resilience is key to countering burnout – but it’s a complex process (especially within cybersecurity teams), and everyone is responsible for it. One important factor is ensuring that everybody gets adequate downtime to recover from the most recent surge of adrenaline. That’s not just being away from the desk but being away from the stress.
“It’s important that everyone in my team can take off, and decompress, and come back to work energized and charged,” comments Billy Spears, CISO at Teradata. “For me as a CISO, I’m overly cautious of that. I think that if they’re not saying anything and I’m not seeing people take time off, then burnout and fatigue will be a concern. So, I talk to them a lot about boundaries and making sure they’re taking their time off, and plan in advance and make sure that they get whatever time away that they need. That means away from their computers and their work devices, and they don’t respond to emails or exchanges at night and things like that.”
He also makes sure that he has time off for himself, and he makes sure his team sees him having time off.
Tomi Engdahl says:
We (Did!) Start the Fire: Hacktivists Increasingly Claim Targeting of OT Systems https://www.mandiant.com/resources/blog/hacktivists-targeting-ot-systems
In this blog post, Mandiant offers a comprehensive analysis of recent hacktivist activity targeting OT systems. Mandiant was able to leverage information from previously undisclosed and known incidents to discuss the potential implications for OT defenders. Awareness about emerging hacktivism trends helps OT defenders to prioritize countermeasures and differentiate state-sponsored fronts leveraging the hacktivism cloak.
Tomi Engdahl says:
The Unintentional Leak: A glimpse into the attack vectors of APT37
https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
At Zscaler ThreatLabz, we have been closely monitoring the tools, techniques and procedures (TTPs) of APT37 (also known as ScarCruft or Temp.Reaper) – a North Korea-based advanced persistent threat actor.
This threat actor has been very active in February and March 2023 targeting individuals in various South Korean organizations. In this blog, we will provide a high-level technical analysis of the infection chain, the new loaders we identified and a detailed analysis of the themes used by this APT group, discovered while reviewing the GitHub commit history. Even though the threat actor routinely deletes the files from the repository, we were able to retrieve all the deleted files and do an analysis of them.
Tomi Engdahl says:
NAPLISTENER: more bad dreams from developers of SIESTAGRAPH https://www.elastic.co/security-labs/naplistener-more-bad-dreams-from-the-developers-of-siestagraph
While continuing to monitor the REF2924 activity group, Elastic Security Labs observed that the attacker shifted priorities from data theft to persistent access using several mechanisms. Wmdtc.exe is an HTTP listener written in C#, which we refer to as NAPLISTENER.
Consistent with SIESTAGRAPH and other malware families developed or used by this threat, NAPLISTENER appears designed to evade network-based forms of detection. Notably, network- and log-based detection methods are common in the regions where this threat is primarily active (southern and southeastern Asia).
Tomi Engdahl says:
India’s absurd infosec reporting rules get just 15 followers https://www.theregister.com/2023/03/22/cert_in_cyber_reporting_ignored/
India’s rules requiring local organizations to report infosec incidents within six hours of detection have been observed by a mere 15 entities.
Tomi Engdahl says:
Researchers Spot Silicon-Level Hardware Trojans in Chips, Release Their Algorithm for All to Try
https://www.hackster.io/news/researchers-spot-silicon-level-hardware-trojans-in-chips-release-their-algorithm-for-all-to-try-ba00bbd56248
Using thousands of electron microscope images and the original chip layout, 37 of 40 deliberate modifications were spotted. Researchers at the Ruhr University Bochum and the Max Planck Institute for Security and Privacy (MPI-SP) have come up with an approach to analyzing die photos of real-world microchips to reveal hardware Trojan attacks and are releasing their imagery and algorithm for all to try.
Tomi Engdahl says:
The Age of AI has begun
https://www.gatesnotes.com/The-Age-of-AI-Has-Begun
Artificial intelligence is as revolutionary as mobile phones and the Internet
Tomi Engdahl says:
Developing an incident response playbook https://securelist.com/developing-an-incident-response-playbook/109145/
An incident response playbook is a predefined set of actions to address a specific security incident such as malware infection, violation of security policies, DDoS attack, etc. Its main goal is to enable a large enterprise security team to respond to cyberattacks in a timely and effective manner. Such playbooks help optimize the SOC processes, and are a major step forward to SOC maturity, but can be challenging for a company to develop. In this article, I want to share some insights on how to create the (almost) perfect playbook.
Tomi Engdahl says:
The Latest Intel on Wipers
https://www.fortinet.com/blog/threat-research/intel-on-wiper-malware
The mass distribution of wiper malware continues to showcase the destructive evolution of cyberattacks. Does the evidence corroborate the theory that the ongoing conflict in Europe is to blame for the rise in wipers? Indeed. Furthermore, given that Russia is the main source of wiper activity, one can anticipate an increase in the use of wipers against countries and organizations that provide aid, weapons, or other logistical support to Ukraine. While both ransomware and wipers increased in the second half of 2022, FortiGuard Labs research found it was wipers that really took off. And this trend shows no sign of slowing, which means defenders must take action and prepare now as if they will be targeted.
Tomi Engdahl says:
Malicious JavaScript Injection Campaign Infects 51k Websites https://unit42.paloaltonetworks.com/malicious-javascript-injection/
Unit 42 researchers have been tracking a widespread malicious JavaScript (JS) injection campaign that redirects victims to malicious content such as adware and scam pages. This threat was active throughout 2022 and continues to infect websites in 2023.