Cyber trends for 2023

Nothing is more difficult than making predictions, especially in the fast-advancing cyber security field. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that many people and publications have predicted for 2023.

HTTPS: These days HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome also attempts to “upgrade” to the HTTPS version of a website if you accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking if you would like to continue. As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads over HTTP.

Malvertising: Cybercriminals will keep impersonating brands using search engine advertisement services to defraud users in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals are purchasing ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. However, anyone clicking on the link is instead taken to a lookalike page that may appear identical, but is in fact designed to phish for login credentials and financial details, or even trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.

Encrypted malware: The vast majority of malware arrives over encrypted connections, typically HTTPS web sessions. The vast majority of cyber-attacks over the past year have used TLS/SSL encryption to hide from security teams, traditional firewalls and many other security tools. Over 85% of Attacks Hide in Encrypted Channels. WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections. If you are not inspecting encrypted traffic when it enters your network, you will not be able to detect most malware at the network level. Hopefully, you at least have endpoint protection implemented for a chance to catch it further down the cyber kill chain.

Software vulnerabilities: Weak configurations for encryption and missing security headers will still be very common in 2023. In 2022, nearly every application had at least one vulnerability or misconfiguration that affects security, and a quarter of application tests found a high- or critical-severity vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications.

Old vulnerabilities: You will see attackers try to use old vulnerabilities again in 2023 because they work. Attackers will take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in trying to revive known vulnerabilities before looking for novel ones. Many companies do not patch their systems within a reasonable time, or at all, so they stay vulnerable. New variations of old vulnerabilities are also developed: approximately 50% of the observed 0-days in the first half of 2022 were variants of previously patched vulnerabilities.

Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments, and individuals alike. Lack of knowledge, poor maintenance of employees’ skills and indifference are the biggest obstacles to the development of many companies’ cyber security. While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far.

Cloud: In a hyperscale cloud provider, there can be several thousand people working around the globe who could potentially access your data. Security screening and access limiting alone still leave a significant risk of malicious or accidental access to data. Instead, you should expect your cloud provider to take a more layered approach.

MFA: MFA Fatigue attacks are putting your organization at risk in 2023. Multi-factor auth fatigue is real. A common threat targeting businesses is the MFA fatigue attack, a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. The attempt can succeed especially when the target is distracted or overwhelmed by the notifications, or mistakes them for legitimate authentication requests. It’s a huge threat because it bypasses one of the most effective security measures.
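As an added illustration (not part of the original post), here is detection logic for the prompt-bombing pattern described above, run over a constructed push-MFA log. The log format, the field names and the thresholds are assumptions; real identity providers log this differently.

```python
"""Detect an MFA-fatigue burst in push-authentication logs.

Added example, not from the original post. The log format is a
constructed, hypothetical one: each line is
    <ISO-8601 timestamp> <user> <event>
where event is PUSH_SENT, PUSH_DENIED or PUSH_APPROVED. An alert of
severity "high" is raised when one user receives PROMPT_THRESHOLD or
more push prompts inside the sliding WINDOW; it is escalated to
"critical" if one of those prompts is then approved, which is the moment
a fatigue attack succeeds.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PROMPT_THRESHOLD = 5            # prompts inside WINDOW that count as a burst
WINDOW = timedelta(minutes=10)  # sliding window per user

# Constructed sample log: alice is bombarded and finally approves a prompt,
# bob shows normal behaviour (one prompt, one approval).
SAMPLE_LOG = """\
2023-01-10T08:00:02 alice PUSH_SENT
2023-01-10T08:00:05 alice PUSH_DENIED
2023-01-10T08:00:31 alice PUSH_SENT
2023-01-10T08:00:33 alice PUSH_DENIED
2023-01-10T08:01:02 alice PUSH_SENT
2023-01-10T08:01:40 alice PUSH_SENT
2023-01-10T08:02:11 alice PUSH_SENT
2023-01-10T08:02:50 alice PUSH_SENT
2023-01-10T08:03:05 alice PUSH_APPROVED
2023-01-10T08:15:00 bob PUSH_SENT
2023-01-10T08:15:09 bob PUSH_APPROVED
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return datetime.fromisoformat(ts), user, event


def detect_mfa_fatigue(log_text, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Return alerts as (user, prompts_in_window, severity, timestamp) tuples."""
    recent = defaultdict(deque)   # user -> timestamps of prompts still in window
    burst_active = set()          # users whose current burst was already alerted
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        prompts = recent[user]
        # Slide the window: forget prompts older than `window`.
        while prompts and ts - prompts[0] > window:
            prompts.popleft()
        if event == "PUSH_SENT":
            prompts.append(ts)
            if len(prompts) >= threshold and user not in burst_active:
                burst_active.add(user)
                alerts.append((user, len(prompts), "high", ts))
        elif event == "PUSH_APPROVED":
            if user in burst_active:
                # Approval inside a burst is the success condition of the attack.
                alerts.append((user, len(prompts), "critical", ts))
            burst_active.discard(user)
            prompts.clear()
        # PUSH_DENIED needs no action: the user is resisting, keep counting.
    return alerts


if __name__ == "__main__":
    for user, count, severity, ts in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{ts.isoformat()} {severity.upper():8} {user}: {count} prompts in window")
```

On the sample log this yields a "high" alert on alice’s fifth prompt and a "critical" one when she approves, and nothing for bob.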

Passwords: Passwords will not go away completely even though new solutions to replace them will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character in the password can make it harder for cybercriminals to use it if it leaks out for some reason. The reason is that a comma in a password can mess up tabular comma-separated values (CSV) files, which are a common way to collect and distribute stolen passwords.

EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity; it is now followed by Network and Information Security 2, also known as NIS2. Rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonise their sanctions were approved by MEPs in late 2022. They will start to affect security decisions in 2023. The new rules will set tighter cybersecurity obligations for risk management, reporting obligations and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would fall under the legislation. The NIS Directive has impacted the cybersecurity budget of operators over the past year, with deep-dives into the Energy and Health sectors. See Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been regarded by the cybersecurity community as “the floor” and “a baseline” for cybersecurity hygiene and practices. Many organizations overlook OT as part of their cybersecurity strategy, keeping their focus solely on IT systems. Especially in the critical infrastructure sectors, overlooking OT can pose serious risks to all operations. As a result, the released CPGs are explicitly scoped to include OT devices.

Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next Android 14 release. Google Play now lets children send purchase requests to guardians.

Losing trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products.

Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.

Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.

Governance: For boards and management, heightened pressure around climate action dovetails with the SEC’s proposed rules about cybersecurity oversight, which may soon become law. When they do, companies will need to prepare for more disclosures about their cybersecurity policies and procedures. With fresh scrutiny on directors’ cybersecurity expertise, or lack thereof, boards will need to take their cyber savviness to the next level as well.

Privacy and data protection: Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.

Auditing: Audit’s role in corporate governance and risk management has been evolving. Once strictly focused on finance and compliance, internal audit teams are now increasingly expected to help boards and executive management identify, prioritize, manage and mitigate interconnected risks across the organization.

Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also the challenge that executives take more cybersecurity risks than office workers: leaders engage in more dangerous behavior and are four times more likely to be victims of phishing than office workers.

Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary. Keep in mind that executives take more cybersecurity risks than office workers.

Zero trust: Many people think that Zero Trust is close to an optimal security practice in 2023. It is good for new systems that its model suits, but Zero Trust also has challenges. Incorporating zero trust into an existing network can be very expensive. The Zero Trust Shouldn’t Be The New Normal article says that the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource-pooled cloud federation, doesn’t coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk. That’s where identity-first networking comes in. In order for a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. It securely automates the exchange of a user identity between cloud applications, diverse networks, and service providers.

Poor software: There will be a lot of poor software in use in 2023 and it will cost lots of money. Poor software costs the US 2.4 trillion: cyberattacks due to existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.

Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting early January 2023 to improve security. A future Microsoft Edge update would permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems in February. This means that “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”

Google Workspace: Google Workspace Gets Client-Side Encryption in Gmail. The long-awaited client-side encryption for Gmail is available in beta. Google is letting businesses try out client-side encryption for Gmail, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many Workspace services.

Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use biometric verification to authenticate users and are meant to replace the use of passwords, which can be easily compromised. Passkeys are usable cross-platform with both applications and websites. Passkeys offer the same experience that password autofill does, but provide the advantage of passwordless authentication. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are only available for websites that provide support for them, via the WebAuthn API.

War risks: Watch for the war between Russia and Ukraine to continue in both the real world and the cyber world in 2023. Cyber as important as missile defences – an ex-NATO general. The risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.

Cloud takeover: AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range. Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.

ICS: ICS and SCADA systems remain trending attack targets also in 2023.

Code security: Microsoft-owned code hosting platform GitHub has just announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, code scanning helped identify 1.7 million potential secrets exposed in public repositories. Now the feature is available for free for all public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts, you can track and act on leaked secrets directly within GitHub.
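To show what a scanner of the kind described above actually looks for, here is an added example (not GitHub’s code) that checks a constructed file for known credential formats and for high-entropy values assigned to secret-looking variable names. The regular expressions are simplified assumptions and every credential value in the sample is constructed.

```python
"""Minimal secret scanner in the spirit of the GitHub feature described above.

Added example, not GitHub's code. Two detector families are combined:
  1. known credential formats matched by regular expression (the AKIA and
     ghp_ prefixes are public format conventions; the PEM header catches
     committed private keys);
  2. a generic detector for high-entropy values assigned to variables whose
     names look secret-related.
The sample file and every credential value in it are constructed.
"""
import math
import re
from collections import Counter

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# <secret-looking name> = "<at least 16 characters>"
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:secret|password|passwd|token|api_?key)\w*)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; English words score well below this

SAMPLE_FILE = """\
# constructed sample; none of these values are real credentials
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
DB_PASSWORD = "changeme_changeme_changeme"
API_KEY = "q8Zr2vT0mLp9Xc4NwB7dK1fH6sJ3yG5a"
-----BEGIN RSA PRIVATE KEY-----
timeout = "30"
"""


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep only a short prefix so an alert never re-leaks the secret it found."""
    return value[:4] + "..."


def scan(text):
    """Return findings as (line_no, detector, redacted_match) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        known_hit = False
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((line_no, name, redact(m.group(0))))
                known_hit = True
        if known_hit:
            continue  # a format match is more precise than the entropy heuristic
        for m in ASSIGNMENT.finditer(line):
            var, value = m.group(1), m.group(2)
            # Low-entropy secrets such as DB_PASSWORD above slip past this
            # heuristic, which is why format-specific patterns are still needed.
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high_entropy_" + var.lower(), redact(value)))
    return findings


if __name__ == "__main__":
    for line_no, detector, snippet in scan(SAMPLE_FILE):
        print(f"line {line_no}: {detector} -> {snippet}")
```

The sample produces four findings and deliberately misses the dictionary-word password, illustrating why real scanners pair format signatures with entropy heuristics rather than relying on either alone.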

Data destruction: We must develop a cloud-compatible way of doing destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided.

PCI DSS: PCI DSS 4.0 Should Be on Your Radar in 2023 if you work in a field that needs to comply with it. The latest version of the standard will bring a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. But that’s changing with the release of PCI DSS 4.0. Now, many new requirements focus on client-side security.

SHA-1: NIST Retires SHA-1 Cryptographic Algorithm, not fully in 2023, but preparations for the phase-out start now. The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm using the technique referred to as a ‘collision’ attack. SHA-1, whose initials stand for secure hash algorithm, has been in use since 1995 as part of the Federal Information Processing Standard, and NIST has announced that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms. The US National Institute of Standards and Technology (NIST) recommended that IT professionals start replacing the 27-year-old SHA-1 cryptographic algorithm with newer, more secure ones. Because SHA-1 is used as the foundation of numerous security applications, the phase-out period will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already taken steps to move away from the SHA-1 cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.

Cloud: Is Cloud Native Security Good Enough? Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers, Amazon Web Services (AWS), Microsoft Azure and Google Cloud, of course offer security features and services which are designed to address significant threats to cloud-based data. However, in spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.

Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.

Ethical hacking: Ethical hacking has become a highly sought-after career route for emerging tech aspirants. The role of ethical hackers enables countless businesses and individuals to improve their security posture and minimize the potential attack risk for organizations. But several analysts believe that becoming a self-taught ethical hacker in 2023 might not be worth it, because such hackers are at constant risk of failing to perform properly and many companies might not want to hire them.

MFA: Two factor authentication might not be enough in 2023 for applications that need good security. In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. So for some demanding users 2FA is over. Long live 3FA!

Cloud APIs: With Cloud Comes APIs & Security Headaches also in 2023. Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots. About 40% of companies have suffered an incident due to misconfiguration, and a third are coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but more than three-quarters (77%) are confident that they will catch issues, saying they have the required API tools and solutions.

Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As threat levels remain high, companies and organizations remain on alert – but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.

VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.

AI: Corporations have discovered the power of artificial intelligence (A.I.) to transform what’s possible in their operations. But with great promise comes great responsibility—and a growing imperative for monitoring and governance. “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.”

AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever—and the consequences will be serious. A Wired magazine article expects that in 2023 we may well see our first death by chatbot. Causality will be hard to prove: was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly that they felt compelled to take their own life?

Metaverse: Police Must Prepare For New Crimes In The Metaverse, Says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. Read the Policing in the metaverse: what law enforcement needs to know report for more information.

Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. The year 2022 already showed how many cryptocurrency-related risks were realized. More “crypto travel rules” are being enacted to combat money laundering and terrorism financing.

Insurance: Getting cyber insurance may become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks, and now increasingly name cyber as the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. There is growing concern among industry executives about large-scale strikes. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. Some insurance policies written in the market already have an exemption for state-backed attacks, but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Recent attacks have disrupted hospitals, shut down pipelines and targeted government departments. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.


Expert advises using a comma in your password – there is a clever logic behind it

Overseeing artificial intelligence: Moving your board from reticence to confidence

Android is adding support for updatable root certificates amidst TrustCor scare

Google Play now lets children send purchase requests to guardians

Diligent’s outlook for 2023: Risk is the trend to watch

Microsoft will turn off Exchange Online basic auth in January

Google is letting businesses try out client-side encryption for Gmail

Google Workspace Gets Client-Side Encryption in Gmail

The risk of escalation from cyberattacks has never been greater

Client-side encryption for Gmail available in beta

AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

Microsoft: Edge update will disable Internet Explorer in February

Is Cloud Native Security Good Enough?

The Privacy War Is Coming

Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023

Google Chrome preparing an option to block insecure HTTP downloads

Cyber attacks set to become ‘uninsurable’, says Zurich chief

The Dark Risk of Large Language Models

Police Must Prepare For New Crimes In The Metaverse, Says Europol

Policing in the metaverse: what law enforcement needs to know

Cyber as important as missile defences – an ex-NATO general

Misconfigurations, Vulnerabilities Found in 95% of Applications

Mind the Gap

Companies’ cyber security still has big gaps. Expert: It is even a question of national security

Personnel security in the cloud

Multi-factor auth fatigue is real – and it’s why you may be in the headlines next

MFA Fatigue attacks are putting your organization at risk

Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience – European Parliament

NIS2 approved – stricter cyber security requirements for EU countries

Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

Poor software costs the US 2.4 trillion

Passkeys Now Fully Supported in Google Chrome

Google Takes Gmail Security to the Next Level with Client-Side Encryption

Executives take more cybersecurity risks than office workers

NIST Retires SHA-1 Cryptographic Algorithm

NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Over 85% of Attacks Hide in Encrypted Channels

GitHub Announces Free Secret Scanning, Mandatory 2FA

Leaked a secret? Check your GitHub alerts…for free

Data Destruction Policies in the Age of Cloud Computing

Why PCI DSS 4.0 Should Be on Your Radar in 2023

2FA is over. Long live 3FA!

Google: With Cloud Comes APIs & Security Headaches

Digesting CISA’s Cross-Sector Cybersecurity Performance Goals

Zero Trust Shouldn’t Be The New Normal

Don’t click too quick! FBI warns of malicious search engine ads

FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads

Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users

There is an acute shortage of cyber security professionals

Is Enterprise VPN on Life Support or Ripe for Reinvention?


  1. Tomi Engdahl says:

    Air-Gapped Networks (Part 1): Air-Gapped Madness
    April 11, 2023
    It’s not enough to have an air-gapped network—that network must be located in a secure facility, too.

  2. Tomi Engdahl says:

    Report: Finland’s cyber security must be developed purposefully; cooperation and processes between authorities must be further improved
    Cyber security threats have both diversified and increased in recent years. This requires continuous and purposeful development of cyber security. A recent report identifies several development measures that can improve the authorities’ capabilities to protect national cyber security, combat serious cybercrime and develop cyber defence.
    On 15.2.2022, the Ministry of the Interior and the Ministry of Defence set up a broad-based study project to examine the authorities’ operating conditions and to draw up development proposals for ensuring national cyber security, combating cybercrime and cyber defence. The study is a preliminary study, on the basis of which the launch of measures is proposed.

  3. Tomi Engdahl says:

    DDoS threat report for 2023 Q1
    Welcome to the first DDoS threat report of 2023. DDoS attacks, or distributed denial-of-service attacks, are a type of cyber attack that aim to overwhelm Internet services such as websites with more traffic than they can handle, in order to disrupt them and make them unavailable to legitimate users. In this report, we cover the latest insights and trends about the DDoS attack landscape as we observed across our global network. Threat actors kicked off 2023 with a bang.
    The start of the year was characterized by a series of hacktivist campaigns against Western targets including banking, airports, healthcare and universities, mainly by the pro-Russian Telegram-organized group Killnet and more recently by AnonymousSudan.

  4. Tomi Engdahl says:

    Four Ways to Harden Your Network Perimeter
    With the threat of cyberattacks on the rise worldwide, hardening your organization’s network perimeter has never been more critical. Many organizations have begun to focus more on actively securing and monitoring their externally facing assets to fend off cyberattacks from enemy nation-state actors and cyber criminals. By implementing the four best practices listed below, you can protect against attacks that could seriously impact your organization’s mission.

  5. Tomi Engdahl says:

    Majority of US IT Pros Told to Keep Quiet About Data Breaches
    In a survey released last week, 42% of the more than 400 IT and security professionals surveyed, and 71% of those in the United States, maintain that they have been instructed to keep a data breach confidential when they knew the incident should be reported. Three in 10 of those surveyed have acquiesced and not reported the breach, according to the “2023 Cybersecurity Assessment Report,” published by cybersecurity firm Bitdefender.

  6. Tomi Engdahl says:

    U.S. and International Partners Publish Secure-by-Design and -Default Principles and Approaches
    The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand (CERT NZ, NCSC-NZ) published today “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.” This joint guidance urges software manufacturers to take urgent steps necessary to ship products that are secure-by-design and -default. To create a future where technology and associated products are safe for customers, the authoring agencies urge manufacturers to revamp their design and development programs to permit only secure-by-design and -default products to be shipped to customers.

  7. Tomi Engdahl says:

    Google Proposes More Transparent Vulnerability Management Practices

    New Google paper calls for increased transparency from vendors regarding their vulnerability management practices.

    Google today published a white paper calling on vendors to provide more transparency into their vulnerability management practices.

    A longtime supporter of collaboration on bug disclosure and patching, the internet giant believes that the endless ‘doom loop’ of vulnerability patching is exhausting defenders and users. In addition, the tools created in response to novel attack trends do not seem to help in improving the situation.

    Breaking this loop, Google says, requires a focus on the fundamentals of secure software development, on adopting best practices for patching, and on ensuring that patching is easy and secure from the start. For that, vendors need to understand the root cause of vulnerabilities and to apply complete fixes.

    “Prioritizing root cause analysis will enable industry, government, and end users to start rising above the exhausting hamster wheel of vulnerability responses,” the company says.

    Vulnerabilities, Google says, pose great risks not only as zero-days, but also if they remain unpatched, weakening both enterprise and end-user security posture. Frequency of patching, automated patching, and how fixes are delivered (as standalone patches or part of system updates) should be a focus for all vendors, the company suggests.

    “While the notoriety of zero-day vulnerabilities typically makes headlines, risks remain even after they’re known and fixed, which is the real story. Those risks span everything from lag time in OEM adoption, patch testing pain points, end user update issues and more,” Google says.

    New initiatives to reduce the risk of vulnerabilities and protect researchers

    In a white paper we’re releasing today, we propose initiatives in response to these risks, including:

    Greater transparency from vendors and governments in vulnerability exploitation and patch adoption to help the community diagnose whether current approaches are working.
    More attention on friction points throughout the vulnerability lifecycle to ensure risks to users are being comprehensively addressed.
    Address the root cause of vulnerabilities and prioritize modern secure software development practices with the potential to close off entire avenues of attack.
    Protect good-faith security researchers who make significant contributions to security through their efforts to find vulnerabilities before attackers can exploit them. Unfortunately, these researchers can still face legal threats when their contributions are unwelcome or misunderstood, which creates a chilling effect on beneficial research and vulnerability disclosure.

  8. Tomi Engdahl says:

    CISA Introduces Secure-by-design and Secure-by-default Development Principles

    CISA has described and published a set of principles for the development of security-by-design and security-by-default cybersecurity products.

    Pillar Three of the National Cybersecurity Strategy published on March 1, 2023 is titled ‘Shape market forces to drive security and resilience’. Within this section the Administration makes two points very clear. Firstly, security liability must be shifted away from the use of security products to the development of security products; and secondly, federal procurement power will be used to encourage this shift.

    Both points were previewed in a speech given by CISA director Jen Easterly at Carnegie Mellon days earlier (February 27, 2023). She noted that insecurity has become normalized, and that the onus is currently on the user to make use of products less risky. She said this must change, so that the user is forced into making usage more rather than less risky.

  9. Tomi Engdahl says:

    Why Your Tech Stack Isn’t Enough To Ensure Cyber Resilience
    With the final ruling from the US Securities and Exchange Commission’s (SEC) proposed amendments to its security incident disclosure requirements set to be announced this month, many organizations are reevaluating their tech stack to ensure they have the right solutions in place. But in today’s growing threat landscape, is technology enough? As leaders invest in their defensive capabilities, they must also invest in their people’s preparedness for cyber attacks. Throwing money at tech stacks alone will not be enough to ensure resilience.

  10. Tomi Engdahl says:

    The Security and Productivity Implications of Low Code/No Code Development

    The low code/no code movement provides simplified app generation – but it needs to be understood to be safe.

    We are struggling to satisfy the demand for new software – the laborious effort of writing code has become a bottleneck to innovation in general, and being first to market in particular.

    In other areas of business, such problems are being solved through automation. Automation applied to code generation leads to the concept of ‘low code/no code’; that is, the automatic generation of software requiring little or even no direct human coding. The question is whether this concept will be a genuine boon to secure app development, or just a promise full of hidden landmines and booby traps – like open source software has proved to be.


    “The concept of low-code/no-code isn’t new,” explains Steve Wilson, CPO at Contrast Security; “but the definition isn’t very specific either. For decades, most computer programs have been written with text-based programming languages – aka code. The resulting ‘source code’ is then ‘compiled’ into the code a computer can execute. This is true for most apps that run on back-end servers, desktops, and even mobile phones today.”

    Low code/no code environments are introducing a higher level of abstraction, often using concepts like drag-and-drop icons and data flow diagrams. “In other words, visual programming rather than textual. Alternatively, low-code environments may mix visual programming with small bits of textual code, often referred to as ‘scripts’ or ‘functions’ to allow the developer or user to mix the benefits of visual and textual concepts.”

    Ryan Cunningham, VP of Power Apps at Microsoft described the Microsoft product. “Low code/no code platforms like the Microsoft Power Platform,” he said, “use AI, automation, and ‘what you see is what you get’ tooling to make it easier to create applications, data visualizations, workflows, chatbots, and websites more efficiently than traditional ‘code-first’ software development.”

    The application of low code/no code is expanding, and there is no single sentence nor use case that can categorize its potential. Broadly speaking, it falls into apps or workflows, or apps with workflows.

    Eoin Hinchy, CEO and co-founder at Tines, has a low code/no code platform designed for security personnel. “Security teams face a major problem: there’s too much work and not enough staff,” he says. “More specifically, overworked staff are doing repetitive and mundane tasks, which not only leads to burnout [more likely, ‘rust out’, see Burnout in Cybersecurity – Can It Be Prevented?] but to human error that could cost a company millions.”

    This can be solved by allowing the teams to develop their own scripts to automate workflows. But “Security analysts don’t necessarily have coding skills,” continued Hinchy, “so, they’re forced to call in developers, which can take weeks or months to create integrations and deploy automations. Then, if an update or addition is needed, the analyst needs to get developers involved all over again.”

    His argument is that no-code automation allows frontline security analysts to independently automate time-consuming, mission-critical workflows: “like phishing attack responses, suspicious logins, and even employee onboarding and offboarding. Using a drag-and-drop interface, users place actions into a workflow, connect them together, enter parameters, test it, and set it loose.”

    Automating workflows is just one of the uses for low code/no code concepts. Richard Rabins, CEO and co-founder of Alpha Software, sees the core technology of his platform frequently being used to develop mobile and web apps that combine with data collection workflows.

    Advantages and disadvantages

    “The top two benefits of low code/no code are speed of delivery and opening it up for ‘business users’ to self-service and develop workflows that meet their needs without needing to engage with IT. However, this is also the biggest potential pitfall,” comments Mark Lambert, VP of products at ArmorCode.

    Reed Loden, VP of security at Teleport agrees. “I’m personally a big fan of low code/no code,” he says. “These types of products have made code integrations really easy, making certain actions possible that would have taken a typical developer a lot of time to complete.”

    But there are both pros and cons, he continued. “The pros are that developers can quickly make integrations that are super useful for cybersecurity. For example, it can create an interaction that detects an alert and automatically remediates a problem, without any human intervention required. The con is that these types of tools require a lot of access, so if they are compromised, it can be really bad for the customer.”

    Cunningham describes the movement as a democratic force: “This technology changes the traditional development landscape by making existing professionals more productive and at the same time democratizing software development for a wider range of users.”

    Allowing professionals in a professional environment to be more productive is good. “It decreases the risks associated with either one-off software projects or the ‘shadow IT’ alternatives that many business users will turn to without any other viable solution,” he adds.

    But the same democratizing process could increase shadow IT. In one area it could help a small business develop personal apps to improve internal operations and workflow. This could be good or bad depending on the security of the app’s usage.

    But it could also persuade an employee in a large organization to by-pass the IT department and produce his or her own personal automation tools. “Giving the power of development to non-developers,” comments Nick Rago, Field CTO at Salt Security, “also presents another security risk in regard to shadow IT, even if the endpoints are intended to be ‘internal only’. We have seen far too many breaches where attackers gain inside or privileged access to internal applications and APIs.”

    Lambert adds, “Simply put, we need a defined process for deploying low-code, no-code into production environments; and have guardrails to ensure that, if any issues are present, the potential damage is limited.”

    In fairness to Cunningham, extensive guardrails are present in the Microsoft product. “The Power Platform is built upon all the security and governance capabilities Microsoft is known for,” he comments, “and makes it possible for IT departments to require standard guardrails around app development and data access. Administrators can build guardrails around data, applications, and environments.”

    The problem is that once a new technology is in process, it cannot be contained.

    Just as the web created the citizen journalist, so is low code/no code creating the citizen developer — with similar concerns. The output and the connection between subject and output both increase, but the accuracy and quality of the output needs scrutiny. It may be that the democratization of app development — at least for corporations — should be considered more as a potentially worrying side-effect than an advantage of low code/no code.

    “One of the advantages of low code is that it allows non-developers to build their own applications,” says Jeff Williams, CTO and co-founder at Contrast Security. But he adds, “There is also a con in this as citizen developers are more likely to make inadvertent mistakes that could lead to security issues. I would expect citizen developers will make a lot of the basic mistakes such as hardcoded and exposed credentials, missing authentication and authorization checks, disclosure of PII, and exposure of implementation details.”

    “If the platform is well designed and is generating code that’s secure, that’s a Good Thing,” says Mike Parkin, senior technical engineer at Vulcan Cyber, “but it may also potentially introduce idiosyncrasies or vulnerabilities that a threat actor could leverage. Overall, though, the low/no code platforms offer more advantages than not.”

    Security implications

    “Low code solutions are often considered more of a black box where developers may not have full control over how the underlying system is used, making it difficult to ensure the security of the application,” warns Jason Davis, VP of product and applications at Sauce Labs. “This can have implications as engineers don’t have control over network security, server configurations, security policies, and use of third-party services.”

    Cunningham is a firm believer in the potential security of low code/no code. “A well-managed low code practice significantly decreases security concerns by standardizing application delivery on a robust platform with secure best practices built in… Companies can set granular data loss prevention policies to apply across low code environments.”

    But Davis adds, “Vulnerabilities such as those achieved through inadequate input validation, insecure user input handling, or backdoors allowing unauthenticated access are always a concern.”

    Rabins believes the security concerns are more in the use of the finished app, than the building blocks of its generator. Firstly, the generator is developed by experts with a security first approach. Secondly, it is under constant overview of security experts. And thirdly, since it is a cloud-based platform, any concerns can be immediately addressed and corrected for all future customers.

    But he adds, “Any software that gets written has massive security implications. An app could be sending nurses to take care of patients in their own homes, and it collects sensitive medical information.” Here, it is not so much the security of the app’s code, but the security of the app’s usage that needs to be considered.

    This is the primary security issue: the democratization of app production puts the ability into the hands of individuals who may have little understanding of cybersecurity and compliance regulations.

    To complicate matters, those individuals or sole traders could be a component of your supply chain. Williams, however, doesn’t feel we should over-stress security concerns. “The risks are essentially the same [for all software]. Authentication, authorization, injection, encryption, logging, libraries, etc. There are slight differences with every application framework. And low/no code is no different.”

    Wilson points out, “As with many things in IT, security is a shared responsibility model. What is the user/developer responsible for and what is the development environment responsible for? In a low-code environment, classic ‘vulnerabilities’ such as SQL Injection may not be a worry, and many user-authentication issues may be automatically handled. However, the user/developer may still make logic errors where they pass inappropriate data back to users or store data in insecure manners. In essence, the problems are all still there, but they move around in terms of who is responsible for what. At a minimum, you should thoroughly investigate the security characteristics, tools and practices that are recommended by the provider of your low-code tooling.”

    He believes this is just the beginning. “I expect to see the proliferation of low code/no code solutions grow in the next 12-18 months. With the skills in short supply, and the absolute complexity and large failure rates in large scale automation programs, companies are going to need a flexible, less risky way to build efficiencies.”

    Like all new technologies, there are concerns in the early days. Cloud-based platforms reduce some of the concerns of low code/no code. Greater understanding of the governance and guardrails necessary to manage the results will come. The advantages without the disadvantages will increase over time.

  11. Tomi Engdahl says:

    Oldsmar Errata

    Remember the scary hack of the water treatment plant at Oldsmar? Someone attempted to raise the Sodium Hydroxide levels from a sane 100 ppm up to an unpleasant 11,000 ppm. We even had a bit of fun with the idea that it could have been a watering hole attack on a real watering hole. A few of our more skeptical readers pointed out that the new value felt a bit like a forgotten decimal point, or a fat fingered attempt at a legitimate change.

    Well surprise, it’s beginning to look like the null hypothesis was right. “[T]hrough the course of the investigation the FBI was not able to confirm that this incident was initiated by a targeted cyber intrusion of Oldsmar.” The city manager made a statement that it may have even been the reporting employee, accidentally banging on the keyboard. So, that’s awkward. Though it suggests a new hobby, similar to trainspotting: looking for debunked attacks in presentations. This particular non-incident seems to be one of the favorites for government officials to mention when asking for money or pushing for new regulations.

    Did someone really hack into the Oldsmar, Florida, water treatment plant? New details suggest maybe not.

    Statements from the FBI and former Oldsmar city manager indicate what happened at the plant may not have been the work of an outside hacker.

    It was the kind of doomsday scenario cybersecurity experts had been warning about for years: hackers infiltrate a small water utility and try to poison the local population. And that’s exactly what appeared to happen in February 2021 in Oldsmar, Florida.

    News of hackers remotely tampering with levels of lye at the local water treatment facility alarmed officials, shocked the public and has served as a siren call for the need to safeguard the most sensitive U.S. networks from malicious hackers attempting to cause serious physical harm and even death. In the years since Oldsmar authorities first announced the incident, officials in Washington also have regularly pointed to the case as exhibit No. 1 for more cyber investments — and regulations — for U.S. critical infrastructure.

    But two years later, there’s still little evidence pointing to exactly what happened inside the plant, how a hacker could have gained access to internal systems or who may have even carried out the alleged attack. Now, new details suggest that the incident may not have been the work of an outside hacker at all. In a statement to CyberScoop, the FBI said that “through the course of the investigation the FBI was not able to confirm that this incident was initiated by a targeted cyber intrusion of Oldsmar.”

  12. Tomi Engdahl says:

    The dystopian future you’ve been expecting is here now, at least if you live in New York City, which unveiled a trio of technology solutions to the city’s crime woes this week. Surprisingly, the least terrifying one is “DigiDog,” which seems to be more or less an off-the-shelf Spot robot from Boston Dynamics. DigiDog’s job is to de-escalate hostage negotiation situations, and unarmed though it may be, we suspect that the mission will fail spectacularly if either the hostage or hostage-taker has seen Black Mirror. Also likely to terrify the public is the totally-not-a-Dalek-looking K5 Autonomous Security Robot, which is apparently already wandering around Times Square using AI and other buzzwords to snitch on people. And finally, there’s StarChase, which is based on an AR-15 lower receiver and shoots GPS trackers that stick to cars so they can be tracked remotely. We’re not sure about that last one either; besides the fact that it looks like a grenade launcher, the GPS tracker isn’t exactly covert. Plus it’s only attached with adhesive, so it seems easy enough to pop it off the target vehicle and throw it in a sewer, or even attach it to another car.

  13. Tomi Engdahl says:

    Beyond CVEs: The Key to Mitigating High-Risk Security Exposures
    In 2022, the National Institute of Standards and Technology reported more than 23,000 new vulnerabilities, the largest spike ever recorded within one calendar year. Alarmingly, this upward trend is anticipated to continue, with recent research suggesting that we may see more than 1,900 new common vulnerabilities and exposures (CVEs) per month on average this year, including 270 rated high-severity and 155 rated critical-severity. As CISOs and security teams grapple with reduced security budgets and the perpetual scarcity of cyber talent, patching this veritable tidal wave of new vulnerabilities every year is simply an unattainable and ludicrous task.

  14. Tomi Engdahl says:

    Mandiant 2023 M-Trends Report Provides Factual Analysis of Emerging Threat Trends

    In a year dominated by kinetic/cyber war in Ukraine, North Korea doubles down on cryptocurrency thefts, China and Iran continue to take advantage, and a new form of personal intimidation of company personnel emerges.

  15. Tomi Engdahl says:

    The Security and Productivity Implications of Low Code/No Code Development

    The low code/no code movement provides simplified app generation – but it needs to be understood to be safe.

  16. Tomi Engdahl says:

    Cyberinsurance Backstop: Can the Industry Survive Without One?

    The purpose of a backstop would be to make cyberinsurance more widely available and affordable to the whole market – but it isn’t yet clear whether this can be achieved.

    The cyberinsurance industry is lobbying for a government backstop. The government is not averse in principle. But what is an insurance backstop, and is one necessary?

    In conversation with SecurityWeek at the end of January 2023, Chris Storer, head of the cyber center of excellence at reinsurance giant Munich Re, confirmed that the cyberinsurance industry is talking to governments, seeking a cyberinsurance backstop.

    On March 1, 2023, the US government published its National Cybersecurity Strategy. Section 3.6 of the Strategy (Explore a Federal Cyberinsurance Backstop) states, “The Administration will assess the need for and possible structures of a Federal insurance response to catastrophic cyber events that would support the existing cyberinsurance market.”

    A federal cyberinsurance backstop has been requested by the industry and is being considered by government. Whether the industry needs one, whether it will get one, and whether it can survive without one, is what we will discuss here.

    What is a backstop?

    “A governmental backstop,” explained Storer, “is essentially a guarantee by governments that they would step in as the capacity of last resort in the case of a truly catastrophic unmanageable systemic risk.”

    In simple terms, a government backstop would be a federal guarantee that it would step in if the industry is confronted by a widespread, devastating cyber event that could threaten the industry’s ability to meet the claims and remain in business.

    Andrew Moss, insurance recovery litigation partner at Reed Smith, added, “The government becomes a last resort insurer of the policyholder – it is not intended to add funds to the insurance industry, but to protect the industry from systemic risk and to protect the policyholder in the event of systemic risk.”

  17. Tomi Engdahl says:

    Sources: some US tech companies push to narrow the scope of a Senate bill aimed at a TikTok ban, worried it exposes them to future national security reviews

    TikTok Could Get a Lifeline From Big Tech as a US Ban Looms

    US companies fear they’d be swept up by bill’s broad language
    Conservatives join progressives warning of security overreach

  18. Tomi Engdahl says:

    EU seeks to bridge cyber-skills gap with new academy
    The European Commission launched the Cybersecurity Skills Academy on Tuesday (18 April) to close the cybersecurity sector’s ongoing skills shortage and develop the EU’s cyber resilience. The Cybersecurity Skills Academy is part of the 2023 European Year of Skills, an initiative to promote the upskilling and reskilling of the workforce with the view of helping workers and companies keep up with the green and digital transitions.

  19. Tomi Engdahl says:

    The EU’s Cyber Solidarity Act: Security Operations Centers to the rescue!
    The European Union (EU) is transforming itself into a digitally aware, secure, and productive collective, with the aim of entering the 2030s as a relevant player within the digital sector. One of the base ideas of this transformation is the Digital Decade program, which has multiple targets and guidance for relevant objectives for the digital sphere. Among these are ideas to essentially transform the entire digital infrastructure of the EU, with business prospects, governmental security, effectiveness, individual data privacy, and other safeguards in mind.

  20. Tomi Engdahl says:

    Microsoft Will Name Threat Actors After Weather Events

    Microsoft plans to use weather-themed naming of APT actors as part of a move to simplify the way threat actors are documented.

  21. Tomi Engdahl says:

    Phylum Adds Open Policy Agent to Open Source Analysis Engine

    The software supply chain security firm adds the Open Policy Agent to its risk analysis engine, increasing flexibility for the creation and enforcement of custom policies on the use of open source software.

    Software supply chain security firm Phylum has added the Open Policy Agent (OPA) to its risk analysis engine, increasing flexibility for the creation and enforcement of custom policies on the use of open source software.

    Phylum’s policy engine provides security and risk teams greater visibility into the development lifecycle. “Our product analyzes every bit of information we can find about open source packages,” co-founder and CSO Pete Morgan told SecurityWeek. “That includes the code, the authors, OSINT and metadata, and we analyze it for software supply chain risk.”

    The result is a risk analysis rather than vulnerability scan of the open source software code. “We can advise our users on how to consume and use open source packages effectively and safely based on the threat model that they have for their software and their company,” Morgan added.

    The advantage in automating risk analysis in open source software is that it can go deeper into dependencies with greater efficiency and speed than could be achieved manually. Morgan uses React as an example. “If you browse 100 websites in a day, you’ll almost certainly see React 100 times. It is ubiquitous. When developers consider React, they just install it.”
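    As an added illustration of the kind of custom policy that OPA makes possible in this setting (example written for this page, not Phylum’s own policy or schema; the `input.package` fields are a hypothetical document shape constructed for the example):

```rego
# Added example: a Rego policy that gates open source package use with OPA.
# The input.package document shape is hypothetical and constructed for this
# example; it is not Phylum's schema. A real deployment would map the analysis
# engine's findings into whatever shape the policy expects.
package supplychain.packages

import rego.v1

default allow := false

# Licenses this (hypothetical) organization permits in shipped products.
allowed_licenses := {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}

# Versions published less than this many days ago are held back, which narrows
# the window in which a freshly hijacked or typosquatted release reaches a build.
min_version_age_days := 14

# Rule 1: the license must be on the allow list (an absent license also fails).
deny contains msg if {
    not input.package.license in allowed_licenses
    msg := sprintf("%s@%s: license %q is not on the allow list",
        [input.package.name, input.package.version, input.package.license])
}

# Rule 2: the version must have been public for a minimum number of days.
deny contains msg if {
    published_ns := time.parse_rfc3339_ns(input.package.published_at)
    age_days := floor((time.now_ns() - published_ns) / (24 * 60 * 60 * 1000000000))
    age_days < min_version_age_days
    msg := sprintf("%s@%s: published %v days ago, below the %v-day minimum",
        [input.package.name, input.package.version, age_days, min_version_age_days])
}

# Rule 3: any finding the analysis engine labelled "malicious" blocks unconditionally.
deny contains msg if {
    some finding in input.package.findings
    finding.category == "malicious"
    msg := sprintf("%s@%s: malicious finding: %s",
        [input.package.name, input.package.version, finding.title])
}

# Rule 4: packages that run install-time scripts need an explicit review record,
# because those scripts execute on every developer workstation and CI runner.
deny contains msg if {
    input.package.has_install_scripts
    not input.package.install_scripts_reviewed
    msg := sprintf("%s@%s: install scripts present but not reviewed",
        [input.package.name, input.package.version])
}

# A package is allowed only when no rule produced a denial.
allow if count(deny) == 0

# Constructed sample input for a dry run (pass it with `opa eval -i`):
# {"package": {"name": "left-pad", "version": "9.9.9", "license": "GPL-3.0",
#              "published_at": "2023-04-25T00:00:00Z", "has_install_scripts": true,
#              "findings": [{"category": "malicious", "title": "obfuscated postinstall"}]}}
# With that input, deny yields three messages (license, malicious finding,
# unreviewed install scripts) and allow is false.
```

    Evaluate with `opa eval -i input.json -d policy.rego 'data.supplychain.packages.deny'`; the `allow` decision is what a CI gate or pre-install hook would consult.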

  22. Tomi Engdahl says:

    The Cyber Resilience Act Threatens Open Source

    Society and governments are struggling to adapt to a world full of cybersecurity threats. Case in point: the EU CRA — Cyber Resilience Act — is a proposal by the European Commission to enact legislation with a noble goal: protect consumers from cybercrime by having security baked in during design. Even if you don’t live in the EU, today’s global market ensures that if the European Parliament adopts this legislation, it will affect the products you buy and, possibly, the products you create. In a recent podcast, our own [Jonathan Bennett] and [Doc Searles] interview [Mike Milinkovich] from the Eclipse Foundation about the proposal and what they fear would be almost a death blow to open source software development.

    Here’s the concern in a nutshell. Suppose you write up a cool little C++ program for your own use. You aren’t a company, and you didn’t do it for profit. Wanting to share your work, you post your program on GitHub with an open source license. This happens all the time.

    Meanwhile, another developer of a large open source program — let’s say the fictitious open source GRID database server decides to incorporate your code. That’s allowed. In fact, it is even encouraged. That’s how open source works.

    The problem is when the GRID database has a problem that causes a data breach. The problem turns out to be a vulnerability in your code. Under the proposed law, it is possible you’d be left holding the bag for a large sum of money thanks to your generous hobby project that didn’t earn you a cent. The situation is even more complex if your code has multiple contributors. Was it your code that caused the breach or the other developer’s code? Who “owns” the project? Are all contributors liable? Faced with this, most people would probably stop contributing or levy a license making it illegal to use their code in jurisdictions where laws like this apply.

    [Milinkovich] points out that hobbyists will likely be expressly exempted, so the above scenario isn’t probable. But, he asserts that hobby programmers do not make most open source software that matters (his wording). Important software is often created by paid developers working as part of a foundation or a sponsor organization. The EU mentions “commercial activity,” and the fear is that major software like Apache, Linux, and other important open source projects would fall under this umbrella.

    The consensus is that the EU doesn’t want to cripple or kill open source. But there is still time for the act to have changes that will make the law more palatable.

    What is the Cyber Resilience Act and why it’s dangerous for Open Source

    The Cyber Resilience Act (CRA) is an interesting and important proposal for a European law that aims to drive the safety and integrity of software of all kinds by extending the “CE” self-attestation mark to software. And it may harm Open Source. The proposal includes a requirement for self-certification by suppliers of software to attest conformity with the requirements of the CRA including security, privacy and the absence of Critical Vulnerability Events (CVEs).

  23. Tomi Engdahl says:

    Potential Outcomes of the US National Cybersecurity Strategy

    The national strategy outlined by the Federal Government on March 1, 2023, is a monumental attempt to weave a consistent approach to cybersecurity for the whole nation.

  24. Tomi Engdahl says:

    Daily maps of GPS interference

    There were strange doings this week as Dallas-Fort Worth Airport in Texas experienced two consecutive days of GPS outages. The problem first cropped up on the 17th, as the Federal Aviation Administration sent out an automated notice that GPS reception was “unreliable” within 40 nautical miles of DFW, an area that includes at least ten other airports. One runway at DFW, runway 35R, was actually closed for a while because of the anomaly. According to — because of course someone built a global mapping app to track GPS coverage — the outage only got worse the next day, both spreading geographically and worsening in some areas. Some have noted that the area of the outage abuts Fort Hood, one of the largest military installations in the country, but there doesn’t appear to be any connection to military operations. The outage ended abruptly at around 11:00 PM local time on the 19th, and there’s still no word about what caused it. Loss of GPS isn’t exactly a “game over” problem for modern aviation, but it certainly is a problem, and at the very least it points out how easy the system is to break, either accidentally or intentionally.

  25. Tomi Engdahl says:

    Publication: October 28, 2022
    Cybersecurity and Infrastructure Security Agency
    Understanding and Responding to Distributed Denial-of-Service

  26. Tomi Engdahl says:

    The future starts now: 10 major challenges facing cybersecurity
    To mark Antimalware Day, we’ve rounded up some of the most pressing issues for cybersecurity now and in the future

  27. Tomi Engdahl says:

    Could a ‘digital Red Cross emblem’ protect hospitals from cyber warfare?

    The International Committee of the Red Cross (ICRC) is proposing applying a “digital Red Cross” marker to certain websites and systems used for medical and humanitarian purposes to protect them from attack, similar to the physical emblems worn by ICRC volunteers and facilities during armed conflicts.

    Described in a new report released on Thursday, such an emblem wouldn’t be a substitute for cyberdefense tools – ICRC medics of course still wear protective equipment when in a conflict zone – but is intended to minimize the harms caused during warfare. In an age in which war is likely to have a significant cyber dimension, the proposals in the report attempt to apply a voluntary international system to the online realm.

  28. Tomi Engdahl says:


  29. Tomi Engdahl says:

    The Cryptography Handbook
    May 3, 2021
    This series, which is designed to be a quick study guide for product development engineers, takes an engineering rather than theoretical approach.

  30. Tomi Engdahl says:

    Misconfigurations, Vulnerabilities Found in 95% of Applications
    Weak configurations for encryption and missing security headers topped the list of software issues found during a variety of penetration and application security tests.

  31. Tomi Engdahl says:

    Tim Keary / VentureBeat:
    Google announces Google Cloud Security AI Workbench, powered by the Sec-PaLM LLM, to rival tools like Microsoft’s GPT-4-based Security Copilot — Today in the Moscone Center, San Francisco, at RSA Conference 2023 (RSAC), Google Cloud announced Google Cloud Security AI Workbench …

    Google releases security LLM at RSAC to rival Microsoft’s GPT-4-based copilot

    Today in the Moscone Center, San Francisco, at RSA Conference 2023 (RSAC), Google Cloud announced Google Cloud Security AI Workbench, a security platform powered by Sec-PaLM, a large language model (LLM) designed specifically for cybersecurity use cases.

    Sec-PaLM modifies the organization’s existing PaLM model and processes Google’s proprietary threat intelligence data alongside Mandiant’s frontline intelligence to help identify and contain malicious activity, and coordinate response actions.

    “Imagine a world where you know, as you’re generating your infrastructure, there’s an auto-generated security policy, security control, or security config that goes along with that,” Eric Doerr, VP of Engineering at Google Cloud, said in an interview with VentureBeat. “That’s one example that we’re working on that we think will be transformative in the world of security operations and security administration.”

    One of the tools included as part of Google Cloud Security AI Workbench is VirusTotal Code Insight, released today in preview, which allows a user to import a script and analyze it for malicious behavior.

    Another, Mandiant Breach Analytics for Chronicle, entering preview in summer 2023, uses Google Cloud and Mandiant threat intelligence to automatically notify users about breaches, while using Sec-PaLM to find, summarize and respond to threats discovered within the environment.

    Kickstarting the defensive generative AI war

    The announcement comes as more organizations are beginning to experiment with defensive use cases for generative AI, as part of a market that MarketsandMarkets estimates will reach a value of $51.8 billion by 2028.

    One such vendor, SentinelOne, also unveiled a LLM security solution today at RSAC that uses algorithms like GPT-4 to accelerate human-led threat-hunting investigations and orchestrate automated responses.

    Another key competitor experimenting with defensive generative AI use cases is Microsoft with Security Copilot, an AI assistant that combines GPT-4 with Microsoft’s proprietary data to process threat signals and create a written summary of potential breach activity.

    Other vendors, like cloud security provider Orca Security and Kubernetes security company ARMO, have also begun experimenting with integrations that leverage generative AI to automate SOC operations.

  32. Tomi Engdahl says:

    External Signs of Narcissism – Raising Awareness to Avoid Collateral Damage

    Learning how to spot the signs of narcissism and identify narcissists will help us ensure that we do not bring these people into our security and fraud teams, or our enterprises.

    Narcissism and narcissistic employees can be a big problem for enterprises as a whole, security and fraud teams in part, our careers, and in fact, even our lives in general. In a previous column that I wrote, I shared some tactics that narcissists often use and discussed how to protect your career if you become the target of a narcissist.

    If you read that piece, or if you are familiar with narcissism, you know that while you can survive being the target of a narcissist, it is not a pleasant experience. Worse yet, it is difficult to find support and help when a narcissist has turned their ire on you. Most people simply aren’t aware of the signs of narcissism or don’t have experience with narcissists and thus don’t know how to differentiate between the public persona and the devil that operates in secret behind closed doors.

    While, unfortunately, many signs of narcissism occur behind closed doors, there are some that can sometimes be observed in public. If we can raise awareness about these public-facing tells, we can help people understand the risk that narcissists present, along with how to identify them relatively quickly. We can use that knowledge to help us avoid narcissists in our personal and professional lives and to mitigate, minimize, and/or avoid collateral damage from narcissists if we cannot avoid engaging with them.

    Experts estimate that up to 5% of people have Narcissistic Personality Disorder (NPD).

    Yet, despite narcissists being relatively common, so many people are unfamiliar with this personality disorder. Why is that? Well, for starters, narcissists are experts at deceiving their friends, family, neighbors, medical providers, mental health professionals, community leaders, co-workers, managers, and others. This generally means that narcissists can operate “undetected” for extended periods of time and most often do not get the mental health treatment that they need.

    Unfortunately, this also means that the targets of narcissists and narcissistic rage often suffer in silence – no one believes them. Quite the contrary – victims of narcissists are often blamed and attacked if they attempt to shed light on what they are being subjected to. It is an extremely sad and difficult predicament.

    While there are many tells of narcissism, here are a few that might be helpful:

    Social media posts: It is fairly easy to tell who has narcissistic tendencies or perhaps NPD from their social media posts (or even other writings as well, such as emails) – they tend to make everything about themselves.

    Lack of transparency: Perhaps we know someone who provides few details and holds onto information tightly – many narcissists believe that knowledge is power and that knowledge can and should be weaponized. For example, perhaps we have a co-worker or manager who is taking a business trip, yet provides little to no information on the exact travel dates, the itinerary, their whereabouts during the trip, and/or with whom they will be meeting.

    Always the victim: Narcissists are always the victims in their stories. It is never the case that they bear any responsibility for the situations they find themselves in. It can’t be that their actions, decisions, poor treatment of, and/or abuse of another person caused that person to react negatively to them or to seek distance from them. Simply put, it is always someone else’s fault and someone else is always the villain.

    Changing the story: Narcissists use lies, lies of omission, half-truths, and other tricks to paint the narrative that they need to in order to accomplish their goals. When information or evidence comes to light that counters their narrative, they either change and adjust their story, distract off-topic, and/or vilify the people attempting to expose the narcissistic behavior.

    Deflection: When someone approaches or confronts a narcissist about something, the narcissist will often use a variety of evasive tactics to distract and avoid talking about the issue at hand. Narcissists do this with remarkable success – even bright, well-educated people are often oblivious to the game they have been dragged into and will follow the narcissist on a round and round journey off-topic. Narcissists will also sometimes attack the person confronting them, and that person may even become a target of the narcissist.

    These are just a few of the signs of narcissism that an astute observer can pick up on. Many narcissists, particularly covert narcissists, are masters of presenting themselves to be good people externally, while ensuring there are no witnesses to the way they treat their targets behind closed doors.

  33. Tomi Engdahl says:

    US Cyberwarriors Thwarted 2020 Iran Election Hacking Attempt

    Iranian hackers broke into a system used by a local government to support its election night operations but were kicked out before any attack could be launched, according to U.S. military and cybersecurity officials.

    Iranian hackers broke into a system used by a U.S. municipal government to publish election results in 2020 but were discovered by cyber soldiers operating abroad and kicked out before an attack could be launched, according to U.S. military and cybersecurity officials.

    The system involved in the previously undisclosed breach was not for casting or counting ballots, but rather was used to report unofficial election results on a public website. The breach was revealed during a presentation this week at the RSA Conference in San Francisco, which is focused on cybersecurity. Officials did not identify the local government that was targeted.

    “This was not a system used in the conduct of the election, but we are of course also concerned with systems that could weigh on the perception of a potential compromise,” said Eric Goldstein, who leads the cybersecurity division at the U.S. Cybersecurity and Infrastructure Security Agency.

  34. Tomi Engdahl says:

    New Data Sharing Platform Serves as Early Warning System for OT Security Threats

    Several OT cybersecurity firms have teamed up to create an information sharing platform designed to serve as an early warning system for critical infrastructure.

    Several cybersecurity companies specializing in industrial control systems (ICS) and other operational technology (OT) have teamed up to create an open source information sharing platform that is designed to serve as an early warning system for critical infrastructure.

    The new project, named ETHOS (Emerging THreat Open Sharing), is a vendor-agnostic technology platform for sharing threat information anonymously and in real time across various industries.

  35. Tomi Engdahl says:

    Apiiro Launches Application Attack Surface Exploration Tool

    Apiiro’s Risk Graph Explorer helps security teams to understand their application attack surface.

    RSAC 2023: Tel Aviv and New York based Apiiro announced an application attack surface exploration tool to sit on top of its application security Risk Graph.

    Apiiro provides a cloud application security platform. It finds vulnerabilities within applications that are being developed or continuously updated and relates those vulnerabilities into any associated business risks. It enables the developer or security team to understand the risks that matter in a business context.

    Apiiro builds a Risk Graph of the application as a whole. This is continuous – as the application evolves, so does the Risk Graph. It provides a risk view in the context of the application concerned. So, for example, the app may incorporate OSS code with a known vulnerability that can only be exploited from the internet – but the code here is only deployed in an environment that is not internet connected. In this instance, the vulnerability exists, but is not a risk.

    The Apiiro Risk Graph applies this approach throughout the application, including in-house code, OSS, APIs, legacy code, repositories, etcetera. It surfaces the actual business risk contained in the application.

    Say Hello to Apiiro’s New Risk Graph™ Explorer

    Modern applications are more complex, interconnected, and ephemeral than ever. They’re made up of countless code modules, dependencies, APIs, data models, and technologies developed across numerous languages, frameworks, and contributors, maintained, built, and deployed across multiple repositories, SCMs, CI/CD pipelines, and cloud environments. And they’re all constantly changing.

    At Apiiro, we always believed that effective modern application security requires complete visibility into those complex application components, their interconnections, associated business context, risks, and changes over time. For many AppSec teams, this is way easier said than done.

    That’s where our Risk Graph™ comes in. Developed over the past three years, our patented Risk Graph is the engine of Apiiro’s platform, enabling our customers to map their application attack surfaces, contextualize security alerts, correlate and prioritize risks, and remediate faster.

    With a simple and comprehensive query experience, Apiiro customers can discover, query, and understand the multidimensional relationships across the different application layers, enriched with business context and overlaid with insights.

    Putting the Explorer in the hands of early users impressed us with the types of questions that emerged from this. Here are few examples:

    Show me all my internet-facing APIs in a high business impact application that are part of a code module with an exploitable OSS vulnerability with a CVSS score of 7.0 or higher.
    Where do I have APIs in Java version 19 in production code that are about to be deployed to an internet-facing environment and also use an OSS package with a critical exploitable vulnerability?
    Where are all my vuln OSS dependencies in production code (i.e., not in test) with high or critical active risks that are in an application with internet-facing sensitive APIs that writes sensitive data to logs?
    Find me all the instances of a specific secret appearing across public repositories or repositories that store PII in a storage bucket.

  36. Tomi Engdahl says:

    Cloud Security
    Millions of Exposed Artifacts Found in Misconfigured Cloud Software Registries

    Aqua Security found over 250 million artifacts and more than 65,000 container images in misconfigured registries.

    Cloud security firm Aqua Security has identified thousands of exposed cloud software registries and repositories containing more than 250 million artifacts and over 65,000 container images.

    As part of research focused on identifying software supply chain weaknesses that could allow threat actors to exploit registries, Aqua discovered that even large companies inadvertently exposed secrets, used default passwords, and provided users with unnecessary high privileges.

    “In some of these cases, anonymous user access allowed a potential attacker to gain sensitive information, such as secrets, keys, and passwords, which could lead to a severe software supply chain attack and poisoning of the software development life cycle (SDLC),” Aqua says.

    Aqua identified 1,400 distinct internet-exposed registries containing at least one sensitive key and 156 hosts that contained private sensitive addresses of end points.

    Moreover, 57 of the identified registries had critical vulnerabilities, such as a default admin password, and more than 2,100 artifact registries were configured with upload permissions.

  37. Tomi Engdahl says:

    NetRise Adds $8 Million in Funding to Grow XIoT Security Platform

    XIoT security firm NetRise announced $8 million in additional funding, bringing the total raised by the company to $14 million.

  38. Tomi Engdahl says:

    The EU is now tackling an impossible equation: the outcome affects every citizen's phone
    The handling of the legislative initiative known as chat control, which stirs strong feelings and may change the nature of how the internet works in the EU, takes a step forward in the EU today, when the European Parliament gives its response to the bill. The purpose of the law is to advance the fight against child sexual abuse and terrorism on the internet. At the same time, it is feared that it will dismantle the encryption of instant messengers and other online messaging services and hand authorities, and possible automated mass surveillance, a master key to internet traffic

  39. Tomi Engdahl says:

    A password like this cannot be cracked

    Every year, World Password Day is observed on the first Thursday of May. Ahead of next week's observance, security company Check Point Software Technologies reminds us of the importance of secure passwords. More and more is demanded of passwords. By increasing the password length to 18 characters, a completely uncrackable key can be built.

    Check Point stresses that so-called brute-force attacks, i.e. attempts to obtain passwords using raw computing power, have moved from CPUs to GPUs. This has increased computing power so much that criminals are able to check over a million keys per second.

    This means that passwords must meet new requirements to be truly secure. A secure password should have at least 12 characters, upper- and lower-case letters, numbers and special characters.

    The problem is big and global. In 2019 the UK's National Cyber Security Centre revealed that 23 million people around the world still use insecure passwords such as “123456”. This shows that many users still do not understand the potential dangers.

    The arrival of new graphics cards equipped with virtual memory (VRAM) has opened up the possibility for this hardware to process data at high speed in the same way as in cryptocurrency mining. However, they can also be used in brute-force cyberattacks to obtain passwords, as the latest GPU cards can perform over a million checks in just one second. This means that if we have a password of fewer than 12 characters based solely on letters and numbers, it can be cracked in a few days.

    The password needs to be longer and more varied. It should be at least 14-16 characters long and consist of different characters, combining upper- and lower-case letters, symbols and numbers. It has been found that by increasing the password length to 18 characters, a completely uncrackable key can be built.
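The Check Point reminder quoted above gives a policy (at least 12 characters drawn from upper-case, lower-case, digits and special characters) and a guessing rate (over a million checks per second). The following is an added example, not code from the article or from Check Point, that turns both into something a defender can run against a candidate password policy: it checks a password against the quoted minimum and computes the worst-case time to exhaust its keyspace at the quoted rate. The alphabet sizes (26/26/10 and the 32 ASCII punctuation characters) and the sample passwords are assumptions of this example, and the keyspace estimate assumes a uniformly random password, which is an upper bound rather than what a real cracker faces.

```python
import math
import string

# Policy thresholds as stated in the quoted reminder: at least 12 characters,
# using upper- and lower-case letters, digits and special characters.
MIN_LENGTH = 12
# The "over a million checks per second" rate from the article.
GUESSES_PER_SECOND = 1_000_000

# Alphabet sizes are an assumption of this example (ASCII letters, digits and
# the 32 ASCII punctuation characters), not figures from the article.
ALPHABETS = {
    "lowercase": 26,
    "uppercase": 26,
    "digits": 10,
    "special": len(string.punctuation),  # 32
}


def character_classes(password: str) -> set:
    """Names of the character classes the password actually draws from."""
    classes = set()
    for c in password:
        if c in string.ascii_lowercase:
            classes.add("lowercase")
        elif c in string.ascii_uppercase:
            classes.add("uppercase")
        elif c in string.digits:
            classes.add("digits")
        elif c in string.punctuation:
            classes.add("special")
    return classes


def alphabet_size(password: str) -> int:
    """Size of the smallest alphabet an attacker would have to search for this password."""
    return sum(ALPHABETS[name] for name in character_classes(password))


def meets_policy(password: str) -> bool:
    """True when the password satisfies the quoted minimum: 12+ chars and all four classes."""
    return len(password) >= MIN_LENGTH and character_classes(password) == set(ALPHABETS)


def seconds_to_exhaust(length: int, alphabet: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string of this length over this alphabet."""
    return alphabet ** length / rate


def years_to_exhaust(length: int, alphabet: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Same estimate expressed in years (Julian year of 365.25 days)."""
    return seconds_to_exhaust(length, alphabet, rate) / (365.25 * 24 * 3600)


def assess(password: str, rate: float = GUESSES_PER_SECOND) -> dict:
    """Policy verdict plus a worst-case brute-force estimate for one password."""
    alphabet = alphabet_size(password)
    length = len(password)
    return {
        "length": length,
        "classes": sorted(character_classes(password)),
        "alphabet": alphabet,
        "meets_policy": meets_policy(password),
        # Entropy of a uniformly random password over that alphabet, in bits.
        "bits": math.log2(alphabet ** length) if alphabet else 0.0,
        "years_to_exhaust": years_to_exhaust(length, alphabet, rate) if alphabet else 0.0,
    }


if __name__ == "__main__":
    # Constructed sample passwords for illustration, not taken from any real breach list.
    for pw in ["123456", "summer2023", "Tr0ub4dor&3xample!"]:
        r = assess(pw)
        print(f"{pw!r:22} len={r['length']:2} alphabet={r['alphabet']:3} "
              f"bits={r['bits']:6.1f} policy={'ok' if r['meets_policy'] else 'FAIL'} "
              f"years={r['years_to_exhaust']:.3g}")
```

Running the block prints one line per sample password. The point worth noticing is that length dominates: each extra character multiplies the keyspace by the alphabet size, while adding a fourth character class to an already mixed password only changes the base. A guessing rate is an input rather than a constant here, because the right figure depends on the hash in use; feed in the rate measured for your own password store rather than a headline number.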

  40. Tomi Engdahl says:

    Cybersecurity Futurism for Beginners

    How will Artificial Intelligence develop in the near term, and how will this impact us as security planners and practitioners?

    A frequent topic I am asked about is what the future of the SOC looks like. At first glance, this seems like a simple question – but scratch beneath the surface and it’s actually really complex. Cybersecurity does not exist in its own little pocket universe. Instead, what happens in security operations is driven mainly by external factors – the economy and macro-economics, internal, external and geopolitics, social and cultural trends, fashions, and of course, natural disasters like pandemics. There is no future of the SOC independent of the Future. So if you want to talk about the future of security operations, you really have to make a whole series of predictions and assumptions about the world in general. That’s what makes futurism and trend analysis so difficult. Good futurology synthesises trends from all and any relevant domains and fields into a coherent whole.

    Case in point, how will Artificial Intelligence develop in the near term, and how will this impact us as security planners and practitioners?

    As I write this, Microsoft just announced their Cybersecurity Copilot, a personal AI assistant for security analysts, with industry analysts cautiously declaring that “AI Finally Does More Than Enhance Detection”.

    The FT put out an article (paywall) saying that generative AI will affect over 300M jobs in developing economies. A collection of over 1,100 scientists, tech experts, and business leaders including Elon Musk, are publicly calling for a global 6-month pause to consider the “profound risks of AI to society and humanity”.

    Other commentators like Cory Doctorow, the blogger, journalist, and science fiction author, are already calling generative AI the new “crypto-bubble”.

    And by the time you read this, I am sure further developments will have occurred, to drive the conversation forward.

    Biases and Black Swans

    The examples above represent just a small sample of the viewpoints currently being expressed in the public debate around generative AI. What is remarkable is how widely they diverge in their assumptions and conclusions. We can roughly group them into three vastly different predictions for the future of generative AI.

    Prediction #1: Microsoft and Forrester – Generative AI is production-ready and the impact will be evolutionary rather than revolutionary, at least when applying ChatGPT to incident response.

    Prediction #2: Financial Times, Elon Musk, and Co – Generative AI progress is on the slope of massive acceleration that will disrupt work and life for millions of people.

    Prediction #3: Cory Doctorow – Generative AI is overhyped and will only have marginal impact, if any.

    Futures, not Future

    However hard it is to try and predict the future, we still have to try, or we can’t plan. But plan we must, whether you’re leading a country, a company, a charity or a commune. That’s the real reason why futurism exists as a field of study and practice. To make planning for the future less guesswork, futurists and other strategic planners have developed a set of tools to help model future developments, and more importantly, to derive something actionable from them. We’re going to be working with two of these in particular:

    Horizon Scanning

    Horizon scanning is a systematic process used to identify and analyze emerging trends, opportunities, threats, and potential disruptions that could affect an organization, industry, or society in the future. The main goal of horizon scanning is to supply early warning signs of change and to inform strategic planning and decision-making, allowing organizations to prepare for and adapt to future developments proactively.

    Scenario Analysis

    Scenario planning or scenario method is a strategic planning technique used to explore and prepare for possible future events and uncertainties. It involves developing multiple plausible future scenarios based on key driving forces and trends, and then analysing the potential impacts of these scenarios on an organization, industry, or system. The main goal of the scenario method is to help decision-makers better understand the risks and opportunities associated with different future outcomes and make more informed strategic choices.

    AI on the Horizon

    We’re going to imagine a variety of different futures throughout this series, but all of them will be extrapolated from current trends, with different uncertain assumptions defining the scenarios.

    With all of the hype and hustle on the topic of generative AI, we’re going to look at some future AI scenarios first.

    We can now go back to our original three predictions on how generative AI will impact society in the near term, and also infer a few further ones:

    Dead End AI

    AI ends up another hype like crypto, NFT’s and the Metaverse.
    AI is overhyped and the resulting disappointment leads to defunding and a new AI winter.

    Slow AI

    AI plateaus and stays on our current level
    AI iteratively improves on an evolutionary, not revolutionary path

    Controlled AI

    AI progresses rapidly, but is globally rigidly controlled and regulated
    AI progresses rapidly, but is only available to a few great powers

    Runaway AI

    A new AI revolution, as disruptive as the agricultural or industrial revolution
    Endgame, Imminent Artificial General Intelligence and the Technological Singularity

  41. Tomi Engdahl says:

    Millions of Exposed Artifacts Found in Misconfigured Cloud Software Registries

    Aqua Security found over 250 million artifacts and more than 65,000 container images in misconfigured registries.

  42. Tomi Engdahl says:

    Kaspersky Analyzes Links Between Russian State-Sponsored APTs

    Kaspersky believes that Russia-linked threat actors Tomiris and Turla are cooperating at least at a minimum level.

  43. Tomi Engdahl says:

    Create a winning tactic for information security
    Is your information security run by individual stars? Stars who only come onto the field once security is compromised. But what if individual stars weren't needed? What if the organization had such a strong security culture that risk situations are handled as a whole team, or even avoided entirely? The tactic for building a security culture has already been worked out for you in the information security standards.

