Cyber security predictions for 2024

The year 2023 saw heightened cybersecurity activity, with security professionals and adversaries locked in a constant cat-and-mouse game. The cybersecurity predictions for 2024 collected below are meant to help security professionals anticipate the key themes likely to dominate the field in the year ahead.

Cybersecurity is an ever-evolving process that is never ‘complete’ in any strict sense. The field changes constantly as technology advances, global events create uncertainty, and threat actors refine their tactics. 2024 is expected to again emphasize the need to balance cybersecurity with cyber resilience: safeguarding mission-critical assets and building the capacity to anticipate, withstand, recover from, and adapt to cyberattacks remain central to organizational security strategies. While preparedness is one of the most important facets of effective organizational cybersecurity, planning for the year ahead is difficult with so many unknowns.

Five Cybersecurity Predictions for 2024
https://www.securityweek.com/five-cybersecurity-predictions-for-2024/
A Never-Ending Story: Compromised Credentials
Ransomware Attacks Continue to Wreak Havoc
Global Conflicts and Elections Lead to a Rise in Hacktivism
White House Cybersecurity Strategy Triggers Revival of Vulnerability Management
The Emergence of Next-Gen Security Awareness Programs

10 Global Cybersecurity Predictions for 2024
https://www.fticonsulting.com/insights/articles/10-global-cybersecurity-predictions-2024
Election Security Making Headlines
A Two-Sided Approach to Artificial Intelligence
Widespread Adoption of Zero-Trust Architecture
Cities Integrating IoT into Critical Infrastructure
Increasing Cybersecurity Supply Chain Risks
Third Party Scrutiny Taking Priority for Compliance Officers
The Start of Significant Fines From Australian Regulators
Corporate Responsibility Shifting to Individuals
Organizational Transparency Surrounding Cybersecurity
Emergence of Incentivized Cybersecurity

Experts Talk: Predicting the Cybersecurity Landscape in 2024
Spiceworks News & Insights brings you expert insights on what to expect in cybersecurity in 2024.
https://www.spiceworks.com/it-security/security-general/articles/cybersecurity-predictions-2024/
By investing in AI governance tools and developing complementary guardrails, companies can avoid what may end up being the biggest misconception in 2024: the assumption that you can control the adoption of AI.
“In 2024, we can expect a surge in malicious AI-generated content.”
“Organizations’ inability to identify the lineage of AI will lead to an increase in software supply chain attacks in 2024,”
The integration of AI into the development process, particularly in the CI/CD pipeline, is crucial.
“Cyberattacks overall are expected to increase; ransomware groups are targeting vendors, government agencies, and critical infrastructure in the United States.”
How can AI help threat actors: “With the assistance of AI, particularly generative AI (GenAI) technology, attackers will be able to refine their techniques, increasing their speed and effectiveness. GenAI will allow criminal cyber groups to quickly fabricate convincing phishing emails and messages to gain initial access into an organization.”
“If cyber leaders want to take on this responsibility (and burden), they will have to be reasonably informed of cyber risks faced by the organization and able to communicate those risks to investors,”
“Third-party risk management is no longer an experiment; it’s an expectation,”
“We will see breaches related to Kubernetes in high-profile companies,”

API Security Trends and Projections for 2024
https://www.spiceworks.com/it-security/application-security/guest-article/api-security-trends-and-projections/
1. The pervasiveness of API vulnerabilities – These vulnerabilities in AAA, if exploited, can lead to major security breaches.
2. Limitations of standard frameworks – While foundational, traditional frameworks like the OWASP API Security Top-10 have limitations in addressing the dynamic nature of API threats.
3. Leak protection – The report highlighted the critical need for enhanced API leak protection, especially considering significant breaches at companies like Netflix and VMware.
4. Rising threats and strategic recommendations – The Wallarm report identified injections as the most pressing API threat, underscoring their likelihood of significant damage.

Gartner’s 8 Cybersecurity Predictions for 2023-2025
https://krontech.com/gartners-8-cybersecurity-predictions-for-2023-2025
By 2025, 60% of organizations will use cybersecurity risk as the primary determinant in conducting third-party transactions and business relationships. Investors, especially venture capitalists, use cybersecurity risk as an important factor in evaluating opportunities.
1. By the end of 2023, modern data privacy laws will cover the personal information of 75% of the world’s population.
2. By 2024, organizations that adopt a cybersecurity network architecture will be able to reduce the financial costs of security incidents by an average of 90%.
3. By 2024, 30% of enterprises will deploy cloud-based Secure Web Gateway (SWG), Cloud Access Security Brokers (CASB), Zero Trust Network Access (ZTNA), and Firewall as a Service (FWaaS), sourced from the same vendor.
4. By 2025, 60% of organizations will use cybersecurity risk as the primary determinant in conducting third-party transactions and business relationships.
5. The percentage of states that enact laws regulating ransomware payments, fines and negotiations will increase from less than 1% in 2021 to 30% by the end of 2025.
6. By 2025, 40% of boards will have a dedicated cybersecurity committee overseen by a qualified board member.
7. By 2025, 70% of CEOs will build a culture of corporate resilience to protect themselves from threats from cybercrime, severe weather events, social events, and political instability.
8. By 2025, cyber-attackers will be able to use operational technology environments as weapons successfully enough to cause human casualties.

Top 10 Cyber Security Trends And Predictions For 2024
https://www.splashtop.com/blog/cybersecurity-trends-and-predictions-2024
Trend 1: Increased Focus on AI and Machine Learning in Cybersecurity
Trend 2: Growing Importance of IoT Security
Trend 3: Expansion of Remote Work and Cybersecurity Implications
Trend 4: The Rise of Quantum Computing and Its Impact on Cybersecurity
Trend 5: Evolution of Phishing Attacks
Trend 6: Enhanced Focus on Mobile Security
Trend 7: Zero Trust Security
Trend 8: Cybersecurity Skills Gap and Education
Trend 9: Blockchain and Cybersecurity
Trend 10: Cybersecurity Insurance Becoming Mainstream

6 Predictions About Cybersecurity Challenges In 2024
https://www.forbes.com/sites/edwardsegal/2023/12/09/6-predictions-about-cybersecurity-challenges-in-2024/?sh=172726819433
‘Uptick in Disruptive Hacktivism’
Election Interference
More Targeted Attacks
Fooling Users
Leveraging AI Tools
‘New Avenues For Cybercrime’

5 cybersecurity predictions for 2024
https://www.fastcompany.com/90997838/5-cybersecurity-predictions-for-2024
1. Advanced phishing
2. AI-powered scams
3. Increase in supply chain attacks
4. Deployment of malicious browser extensions
5. Changing demographics brings more threats

Top cybersecurity predictions of 2024
https://www.securitymagazine.com/articles/100271-top-cybersecurity-predictions-of-2024
Adoption of passwordless authentication
Multi-Factor Authentication (MFA) will become a standard requirement for most online services and applications. Traditional methods like SMS-based MFA will decline in favor of more secure options, such as time-based one-time passwords (TOTP) generated by authenticator apps.
Both enterprises and consumers are increasingly adopting passwordless solutions across various sectors. Transitioning to a passwordless mindset may appear unconventional, as it requires users to change their habits. However, the enhanced security and the seamless experience it offers reduce the learning curve, making the transition more user-friendly.
Cybersecurity will be a higher priority for law firms
For nearly any law firm, part of the ‘big picture’ approach to cybersecurity includes an ability to scale detection and response capabilities.
Artificial intelligence and large language models
Phishing and BEC attacks are becoming more sophisticated because attackers are using personal information pulled from the Dark Web (stolen financial information, social security numbers, addresses, etc.), LinkedIn and other internet sources to create targeted personal profiles that are highly detailed and convincing. They also use trusted services such as Outlook.com or Gmail for greater credibility and legitimacy.
We should also expect the rise of 3D attacks, meaning not just text but also voice and video. This will be the new frontier of phishing. We are already seeing highly realistic deep fakes or video impersonations of celebrities and executive leadership.
I expect to see a major breach of an AI company’s training data exposing the dark side of large language models (LLM) and the personal data they hold that were scraped from open sources.
One of the big trends we expect to see in 2024 is a surge in use of generative AI to make phishing lures much harder to detect, leading to more endpoint compromise. Attackers will be able to automate the drafting of emails in minority languages, scrape information from public sites — such as LinkedIn — to pull information on targets and create highly-personalized social engineering attacks en masse.
Simultaneously, we will see a rise in ‘AI PCs’, which will revolutionize how people interact with their endpoint devices. With advanced compute power, AI PCs will enable the use of “local Large Language Models (LLMs)”.
With the increase in regulatory and security requirements, GRC data volumes continue to grow at what will eventually be an unmanageable rate. Because of this, AI and ML will increasingly be used to identify real-time trends, automate compliance processes, and predict risks.
Prioritize training
Insider threats are a leading problem for IT/security teams — many attacks stem from internal stakeholders stealing and/or exploiting sensitive data, which succeed because they use accepted services to do so. In 2024, IT leaders will need to help teams understand their responsibilities and how they can prevent credential and data exploitation.
On the developer side, management will need to assess their identity management strategies to secure credentials from theft, either from a code repository hosted publicly or within internal applications and systems that have those credentials coded in. On the other hand, end users need to understand how to protect themselves from common targeted methods of attack, such as business email compromise, social engineering and phishing attacks.
Security teams need to prioritize collaboration with other departments within their organization to make internal security training more effective and impactful.

Humans Are Notoriously Bad at Assessing Risk
https://www.epanorama.net/newepa/2022/12/31/cyber-trends-for-2023/
We as humans, with our emotions, can sometimes be irrational and subjective. When too much subjectivity is mixed into risk assessment, it can produce a risk picture that is not an accurate representation of reality.

Threat Intel: To Share or Not to Share is Not the Question
https://www.securityweek.com/threat-intel-to-share-or-not-to-share-is-not-the-question/
To share or not to share isn’t the question. It’s how to share, what to share, where and with whom. The sooner we arrive at answers, the safer we’ll be collectively and individually.

Addressing the State of AI’s Impact on Cyber Disinformation/Misinformation
https://www.securityweek.com/addressing-the-state-of-ais-impact-on-cyber-disinformation-misinformation/
The recent rapid rise of artificial intelligence continues to be a game-changer in many positive ways. Yet, within this revolution, a shadow looms. By embracing a strategy that combines technological advancements with critical thinking skills, collaboration, and a culture of continuous learning, organizations can safeguard against AI’s disruptive effects.

108 Comments

  1. Tomi Engdahl says:

    The Imperative for Modern Security: Risk-Based Vulnerability Management
    https://www.securityweek.com/the-imperative-for-modern-security-risk-based-vulnerability-management/

    By prioritizing vulnerabilities based on risk and aligning security efforts with business objectives, organizations can enhance their resilience to cyberattacks, optimize resource allocation, and maintain a proactive security posture.

    In recent months, the news has been filled with reports of vulnerabilities being exploited, such as the Apple Shortcuts Vulnerability, SlashandGrab ScreenConnect Vulnerability, ESET Privilege Escalation Vulnerability, Zoom Vulnerability, Roundcube Webmail Vulnerability, and Ivanti VPN Vulnerability. These incidents underscore the urgent need for organizations to modernize their vulnerability management practices. According to the Cybersecurity and Infrastructure Security Agency (CISA), adversaries exploit vulnerabilities within just 15 days of their discovery, while organizations typically take several months to patch them. This raises concerns about how organizations can close this gap and minimize their risk exposure effectively.

    Since computer software became the backbone of modern commerce, communications, and entertainment, it has been a prime target for hacktivists, organized cybercriminals, rogue nation-states, and terrorist organizations. Their primary method of attack is exploiting design flaws and weaknesses in applications to steal data, commit fraud, and disclose sensitive information.

    The State of Vulnerability Management

    In today’s ever-evolving digital landscape, safeguarding sensitive information and critical systems against cyber threats is more challenging than ever. The volume and complexity of vulnerabilities continue to rise due to factors like rapid technological innovation, open source library adoption, an expanding attack surface that now includes the cloud, the proliferation of software applications, and the increasing sophistication of cyber threats.

    Many organizations face resource constraints, including limited budgets, personnel shortages, and competing priorities, making it difficult to keep pace with the constant stream of vulnerabilities and effectively allocate resources to mitigate them. Patch management, while essential, presents its own challenges. Timely patching without disrupting critical systems and operations requires careful coordination and testing, straining organizational resources and introducing potential risks.

  2. Tomi Engdahl says:

    From Open Source to Enterprise Ready: 4 Pillars to Meet Your Security Requirements
    https://www.securityweek.com/from-open-source-to-enterprise-ready-4-pillars-to-meet-your-security-requirements/

    Open source is a great way to test the waters and define requirements. But when looking at putting a platform into production, an enterprise-ready solution will ensure you can keep up with business demands.

    For organizations building a security operations practice, open-source tools are a great place to start. The software is often free to use so it’s a low-risk way for teams to dig into practice areas and associated technologies in order to better understand their requirements and needs. But when it’s time to put that capability into production, they quickly find the total cost of ownership (TCO) can far exceed the TCO of an enterprise-ready solution. This is especially true if it is a platform and core aspect of the security architecture versus just a tool. I gained experience in this realm during my time at Sourcefire, a company founded by my friend (and, full disclosure, ThreatQuotient Board member) Marty Roesch to take open-source Snort, one of the seminal tools of the security industry, and package it for the enterprise.

    One of the aha moments with open-source security software, is when you determine you need the functionality and want to expand its utilization beyond an initial, small group of users, but realize deploying it for detection, investigation and response across your infrastructure is a bridge too far. It turns out that open-source software is good up to a point, but it really isn’t “free.” It takes significant resources, and thus cost, to uplevel it for the enterprise with the scalability, performance, manageability and support we’ve come to expect from a core platform in our arsenal of security solutions. To explore this further, let’s use threat intelligence platforms as an example.

    There are several options for open-source threat intelligence platforms that allow the storing and sharing of indicators of compromise (IoCs) with other users. Each has its own utility as a tool. However, when you look at the full gamut of threats your organization faces and the different teams, workflows and tools required to detect and respond to threats, you can start to run into limitations as you try to use it more broadly as a platform.

    1. Scalability: Data is a huge challenge when it comes to threat intelligence which consists of the internal telemetry, content and data created by each layer in our security architecture, and the millions of external threat datapoints analysts are bombarded with every day.

    2. Performance: It’s great to aggregate all that data within a central platform. But if it takes five or more minutes for a query, then that data isn’t very useful. When you’re hunting for threats or investigating an incident, speed and responsiveness are paramount. Now extrapolate the usage of threat intel to your workflows; if there are five steps and each step takes five minutes to complete, the queue becomes untenable. If the infrastructure can’t ingest, query, translate and act on intelligence at an appropriate rate, it isn’t really going to help streamline workflows and improve your security.

    3. Management: Stepping back and looking at the platform as the hub of your security operations, it becomes abundantly clear that enterprise-ready management capabilities are also important. In addition to industry-standard interfaces for integration, the platform should include an extensive ecosystem of pre-built integrations along with easy-to-use APIs to add others.

    A software development kit (SDK) and low-code/no-code interfaces provide flexibility so teams with varying skill sets can customize dashboards, visualizations and configuration capabilities to align with their workflows and processes. An enterprise-ready threat intel platform manages and enriches threat intelligence for users so that they can operationalize data seamlessly and derive value quickly.

    4. Supportability: Finally, if you’re going to put a platform in your production environment you need someone you can call when things go wrong. Any glitch can impact more than that solution because security infrastructure is now highly integrated. Threat hunts, investigations and incident response playbooks can come to a standstill when you have trouble getting the right data at the right time to the right teams and tools. Having someone to call, backed by SLAs, gives you peace of mind to put the system into production.

    Training and certifications are also important. Getting users up to speed quickly, simplifying onboarding when there is turnover or as your team grows, and encouraging utilization of more advanced capabilities pave the way for success.

    When it comes to cybersecurity offerings, it’s not a matter of open source or enterprise ready. It’s both. Open source is a great way to test the waters and define your requirements. But when looking at putting a platform into production, an enterprise-ready solution will ensure you can keep up with the demands of the business, today and in the future, and at a lower TCO.

  3. Tomi Engdahl says:

    Shadow AI – Should I be Worried?

    Overzealous policies and blanket bans on AI tools risk forcing users underground to use unknown tools with unknown consequences.

    https://www.securityweek.com/shadow-ai-should-i-be-worried/

  4. Tomi Engdahl says:

    Artificial Intelligence
    Preparing Society for AI-Driven Disinformation in the 2024 Election Cycle

    The rapid evolution of AI and analytics engines will put campaign-year disinformation into hyperspeed in terms of false content creation, dissemination and impact.

    https://www.securityweek.com/preparing-society-for-ai-driven-disinformation-in-the-2024-election-cycle/

  5. Tomi Engdahl says:

    ICS/OT
    1 in 4 Organizations Shut Down OT Operations Due to Cyberattacks: Survey
    A Palo Alto Networks survey shows many industrial organizations experience cyberattacks and 1 out of 4 has shut down OT operations
    https://www.securityweek.com/1-in-4-organizations-shut-down-ot-operations-due-to-cyberattacks-survey/

  6. Tomi Engdahl says:

    Seeing is Believing… and Securing

    Because you can’t secure what you can’t see, having real-time asset visibility across the network is vital to maximizing security, minimizing risk, and protecting the enterprise.

    https://www.securityweek.com/seeing-is-believing-and-securing/

  7. Tomi Engdahl says:

    Frederic Lardinois / TechCrunch:
    GitHub releases code scanning autofix, powered by Copilot and CodeQL, in public beta for GitHub Advanced Security customers, to help them fix vulnerabilities — It’s a bad day for bugs. Earlier today, Sentry announced its AI Autofix feature for debugging production code and now …

    GitHub’s latest AI tool can automatically fix code vulnerabilities
    https://techcrunch.com/2024/03/20/githubs-latest-ai-tool-that-can-automatically-fix-code-vulnerabilities/

    It’s a bad day for bugs. Earlier today, Sentry announced its AI Autofix feature for debugging production code and now, a few hours later, GitHub is launching the first beta of its code-scanning autofix feature for finding and fixing security vulnerabilities during the coding process. This new feature combines the real-time capabilities of GitHub’s Copilot with CodeQL, the company’s semantic code analysis engine. The company first previewed this capability last November.

    GitHub promises that this new system can remediate more than two-thirds of the vulnerabilities it finds — often without the developers having to edit any code themselves. The company also promises that code scanning autofix will cover more than 90% of alert types in the languages it supports, which are currently JavaScript, TypeScript, Java, and Python.

    This new feature is now available for all GitHub Advanced Security (GHAS) customers.

  8. Tomi Engdahl says:

    https://cybersecuritynews.com/darkgpt-ai-osint-tool/

    DarkGPT – AI OSINT Tool to Detect Leaked Databases

  9. Tomi Engdahl says:

    Wikipedia No Longer Considers CNET a “Generally Reliable” Source After AI Scandal
    “It’s infuriating that Red Ventures’ decisions have undermined the quality work done by CNET’s writers, editors and producers.”
    https://futurism.com/wikipedia-cnet-unreliable-ai

    Remember last year, when we reported that the Red Ventures-owned CNET had been quietly publishing dozens of AI-generated articles that turned out to be filled with errors and plagiarism?

    The revelation kicked off a fiery debate about the future of the media in the era of AI — as well as an equally passionate discussion among editors of Wikipedia, who needed to figure out how to treat CNET content going forward.

    “CNET, usually regarded as an ordinary tech [reliable source], has started experimentally running AI-generated articles, which are riddled with errors,” a Wikipedia editor named David Gerard wrote to kick off a January 2023 discussion thread in Wikipedia’s Reliable Sources forum, where editors convene to decide whether a given source is trustworthy enough for editors to cite.

    “So far the experiment is not going down well, as it shouldn’t,” Gerard continued, warning that “any of these articles that make it into a Wikipedia article need to be removed.”

  10. Tomi Engdahl says:

    Microsoft announces deprecation of 1024-bit RSA keys in Windows
    https://www.bleepingcomputer.com/news/microsoft/microsoft-announces-deprecation-of-1024-bit-rsa-keys-in-windows/

    Microsoft has announced that RSA keys shorter than 2048 bits will soon be deprecated in Windows Transport Layer Security (TLS) to provide increased security.

    Rivest–Shamir–Adleman (RSA) is an asymmetric cryptography system that uses pairs of public and private keys to encrypt data, with the strength directly related to the length of the key. The longer these keys, the harder they are to crack.

    1024-bit RSA keys have approximately 80 bits of strength, while the 2048-bit key has approximately 112 bits, making the latter four billion times longer to factor. Experts in the field consider 2048-bit keys safe until at least 2030.

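Once Windows TLS enforces the 2048-bit floor, any certificate still carrying a shorter RSA key will fail handshakes, so the practical step is to inventory key lengths beforehand. As an added example (not from the article or from Microsoft), the stdlib-only Python below reads the modulus length out of a DER-encoded SubjectPublicKeyInfo, the structure that carries the public key inside an X.509 certificate, and flags RSA keys below the floor; the moduli it builds are constructed bit patterns of the right length, not real RSA keys.

```python
"""Audit DER-encoded public keys (X.509 SubjectPublicKeyInfo) against a minimum
RSA modulus length. Standard library only; the sample keys are synthetic."""

# id-rsaEncryption 1.2.840.113549.1.1.1 and id-ecPublicKey 1.2.840.10045.2.1, DER-encoded.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")
EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")
MIN_RSA_BITS = 2048  # the floor Windows TLS is moving to

SEQUENCE, INTEGER, BIT_STRING, OID, NULL = 0x30, 0x02, 0x03, 0x06, 0x05


def _der_len(n: int) -> bytes:
    """DER definite-form length: one byte below 128, else 0x80|k followed by k bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_uint(value: int) -> bytes:
    """DER INTEGER for a non-negative value (a leading 0x00 keeps the sign bit clear)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(INTEGER, body)


def build_rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo { AlgorithmIdentifier {rsaEncryption, NULL}, BIT STRING {RSAPublicKey} }."""
    rsa_public_key = _tlv(SEQUENCE, _der_uint(modulus) + _der_uint(exponent))
    alg_id = _tlv(SEQUENCE, _tlv(OID, RSA_ENCRYPTION_OID) + _tlv(NULL, b""))
    return _tlv(SEQUENCE, alg_id + _tlv(BIT_STRING, b"\x00" + rsa_public_key))


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER element at pos; return (tag, body, position after the element)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes):
    """Return the RSA modulus length in bits, or None if the key is not RSA."""
    tag, spki_body, _ = _read_tlv(spki, 0)
    if tag != SEQUENCE:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg_body, pos = _read_tlv(spki_body, 0)
    oid_tag, oid, _ = _read_tlv(alg_body, 0)
    if oid_tag != OID or oid != RSA_ENCRYPTION_OID:
        return None  # ECDSA, Ed25519, ...: not subject to the RSA floor
    tag, bit_string, _ = _read_tlv(spki_body, pos)
    if tag != BIT_STRING or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_key, _ = _read_tlv(bit_string, 1)  # skip the unused-bits byte
    tag, modulus, _ = _read_tlv(rsa_key, 0)   # RSAPublicKey: INTEGER n first
    if tag != INTEGER:
        raise ValueError("RSAPublicKey must start with the INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def audit_keys(named_spkis, min_bits: int = MIN_RSA_BITS):
    """Return [(name, bits_or_None, compliant)] for a list of (name, spki_der) pairs."""
    report = []
    for name, spki in named_spkis:
        bits = rsa_modulus_bits(spki)
        report.append((name, bits, bits is None or bits >= min_bits))
    return report


# Constructed sample inventory: the moduli are bit patterns of the right length,
# not products of two primes, so they exercise the parser without being usable keys.
SAMPLE_KEYS = [
    ("legacy-intranet-cert", build_rsa_spki((1 << 1023) | 1)),
    ("web-frontend-cert", build_rsa_spki((1 << 2047) | 1)),
    ("hsm-signing-cert", build_rsa_spki((1 << 4095) | 1)),
    ("ecdsa-p256-cert", _tlv(SEQUENCE, _tlv(SEQUENCE, _tlv(OID, EC_PUBLIC_KEY_OID)
                             + _tlv(OID, bytes.fromhex("2a8648ce3d030107")))
                             + _tlv(BIT_STRING, b"\x00\x04" + b"\x11" * 64))),
]

if __name__ == "__main__":
    for name, bits, ok in audit_keys(SAMPLE_KEYS):
        print(f"{name:22} {bits or 'non-RSA':>8}  {'ok' if ok else 'BELOW 2048-BIT FLOOR'}")
```

Feed it the DER bytes of each certificate's public key (for example, the `SubjectPublicKeyInfo` a PEM parser hands back) and the `False` entries are the certificates to reissue before the deprecation lands.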
  11. Tomi Engdahl says:

    C++ creator rebuts White House warning
    Biden administration seems oblivious of the strengths of contemporary C++ and the efforts to provide strong safety guarantees, Bjarne Stroustrup said.
    https://www.infoworld.com/article/3714401/c-plus-plus-creator-rebuts-white-house-warning.html

  12. Tomi Engdahl says:

    Why Are Large AI Models Being Red Teamed? Intelligent systems demand more than just repurposed cybersecurity tools
    https://spectrum.ieee.org/red-team-ai-llms

  13. Tomi Engdahl says:

    Adapting to new cybersecurity regulations
    The world of cybersecurity is constantly evolving, with regulations rapidly adapting to keep up with emerging threats and technological advancements. As sophisticated and approachable experts in the field, we understand the importance of legal compliance in safeguarding businesses and individuals from cyber risks. In this article, we will provide valuable insights on implementing compliance to new cybersecurity regulations affecting products and entities, empowering you to navigate the regulatory landscape effectively.
    https://www.etteplan.com/about-us/insights/adapting-to-new-cybersecurity-regulations/

  14. Tomi Engdahl says:

    The EU cybersecurity directive NIS2.0 – What is it and how should you act?
    https://sulava.com/tietoturva/eun-kyberturvallisuusdirektiivi-nis2-0-mika-se-on-ja-miten-sinun-tulisi-toimia/?utm_term=nis2&utm_campaign=Tietoturva:+NIS2-direktiivi+%7C+Haku&utm_source=google&utm_medium=cpc&hsa_acc=9506622127&hsa_cam=20784896864&hsa_grp=151007717690&hsa_ad=681274549124&hsa_src=g&hsa_tgt=kwd-302582436608&hsa_kw=nis2&hsa_mt=p&hsa_net=adwords&hsa_ver=3&gad_source=1&gclid=EAIaIQobChMIlOGX2v6hhQMVfwWiAx3wlABCEAAYAiAAEgLizPD_BwE

    NIS2.0, uusi EU:n laajuinen kyberturvallisuusdirektiivi, on tulossa vuonna 2024. Tässä blogikirjoituksessa kerromme mikä se on, miksi ja miten sinun tulisi toimia ja mitkä ovat Microsoftin ratkaisut NIS2-vaatimusten noudattamiseen. Määräaika tulee vastaan 17. lokakuuta 2024.

    Mitä NIS2 tarkoittaa minulle?

    Kaksi pääaluetta, joilla NIS2 vaikuttaa, ovat:

    Kyberturvallisuusriskien hallintatoimenpiteet
    Vaaratilanteista ilmoittamista koskevat velvoitteet

    Yhteenveto C-tason johdolle

    NIS2.0 on EU:n uusi verkko- ja tietoturvadirektiivi, jonka tavoitteena on parantaa kriittisten toimialojen ja keskeisten palveluiden häiriönsietokykyä ja valmiutta kyberuhkia vastaan. Se tulee voimaan lokakuussa 2024 ja koskee organisaatioita, joissa on yli 250 henkilöä. Siinä edellytetään, että organisaatiot noudattavat tiettyjä standardeja ja velvoitteita, kuten poikkeamista ilmoittamista, riskinarviointien tekemistä, turvatoimien toteuttamista ja yhteistyötä kansallisten viranomaisten kanssa.

    Jos työskentelet C-tason johdossa, sinun on oltava tietoinen NIS2.0:n vaikutuksista organisaatioosi ja asiakkaisiisi. Sinun on varmistettava, että IT-järjestelmäsi, prosessisi ja henkilöstösi turvamenettelyt ovat uusien vaatimusten mukaisia ja että sinulla on selkeä strategia ja toimintasuunnitelma vaatimustenmukaisuuden saavuttamiseksi. Sinun on myös kommunikoitava asiakkaidesi kanssa NIS2.0:n eduista ja siitä, miten se parantaa heidän turvallisuuttaan ja luottamustaan palveluihisi.

    NIS2:lla on merkittävä vaikutus liiketoimintaan, maineeseen ja kilpailukykyyn. NIS2 edellyttää, että yritykset investoivat enemmän kyberturvallisuuteen, noudattavat uusia sääntöjä ja standardeja ja tekevät yhteistyötä kansallisten viranomaisten ja muiden sidosryhmien kanssa.

    Jos näin ei tehdä, seurauksena voi olla sakkoja, jotka voivat olla jopa 10 prosenttia vuotuisesta liikevaihdosta, maineen vahingoittumista ja asiakkaiden luottamuksen menettämistä. Toisaalta NIS2:n noudattaminen voi myös tuoda etuja, kuten parempaa resilienssiä, innovaatioita ja markkinamahdollisuuksia.

    NIS2 ei ole vain haaste, vaan myös mahdollisuus johdolle osoittaa johtajuutensa ja sitoutumisensa kyberturvallisuuteen.

    Sukelletaan syvemmälle: Mikä NIS2.0 on ja mitkä ovat tärkeimmät muutokset?

    Lähdetään sitten tutustumaan aiheeseen pintaa syvemmälle. NIS2 on uusi eurooppalainen kyberturvallisuusdirektiivi, joka korvaa nykyisen verkko- ja tietoturvadirektiivin (NIS1-direktiivin) lokakuussa 2024. NIS2 laajentaa aiemman NIS1-direktiivin soveltamisalaa.

    NIS2 on tähän mennessä kattavin EU:n kyberturvallisuuslainsäädäntö, joka kattaa 15 alaa, mukaan lukien uudet alat, kuten valmistusteollisuus ja tutkimus. Direktiivi sisältää keskikokoisia yrityksiä, jotka on määritelty kuuluvaksi kriittiseen infrastruktuuriin.

    Tärkeimmät muutokset NIS1-direktiivistä NIS2-direktiiviin

    • NIS2 asettaa vähimmäistoimenpiteiden vertailupisteen:
    Yritysten on ryhdyttävä toimiin kyberturvallisuuden tilan parantamiseksi. Näitä ovat riskinarviointien tekeminen, monivaiheisen todennuksen toteuttaminen sekä suunnitelmat tapahtumiin reagoimiseksi ja toimitusketjun turvaamiseksi.

    • NIS2 tiukentaa täytäntöönpanoa:
    Tehostetaan toimenpiteitä ja seuraamuksia direktiivin noudattamatta jättämisestä sekä tiukennetaan kansallisten viranomaisten valvontatoimenpiteitä.

    • NIS2 luo puitteet haavoittuvuuksien koordinoidulle julkistamiselle ja perustetaan EU:n haavoittuvuusrekisteri, jota ylläpitää Euroopan unionin kyberturvallisuusvirasto ENISA.

    • NIS2 tehostaa myös yhteistyötä ja tiedon jakamista jäsenvaltioiden ja niiden viranomaisten välillä, myös kyberkriisinhallinnan osalta.

    NIS2:n noudattamiseksi sinun on suoritettava seuraavat vaiheet:

    1. Tunnista NIS2-direktiivin mukainen roolisi ja velvollisuutesi. Roolistasi riippuen sinulla on erilaisia vastuita ja vaatimuksia.

    2. Arvioi kyberturvallisuutesi nykyinen taso ja tunnista mahdolliset aukot tai heikkoudet. Sinun on noudatettava turvallisuutta ja resilienssiä koskevia yhteisiä standardeja ja suuntaviivoja, jotka ENISA ja Euroopan komissio laativat.

    3. Ota käyttöön asianmukaiset turvatoimet ja käytännöt järjestelmien ja tietojen suojaamiseksi kyberuhilta. Sinun on omaksuttava riskiperusteinen lähestymistapa ja varmistettava, että turvatoimet ovat oikeassa suhteessa kohtaamaasi riskitasoon nähden.

    4. Raportoi huomattavista tai merkittävistä poikkeamista kansallisille viranomaisille ja ENISAlle. Sinun on noudatettava vaaratilanteista ilmoittamista koskevaa yhdenmukaistettua kehystä, jossa määritetään raportoinnin kynnysarvot, muodot ja menettelyt.

    5. Tee yhteistyötä kansallisten viranomaisten ja muiden sidosryhmien kanssa. Sinun on osallistuttava kansallisten viranomaisten säännöllisiin auditointeihin ja tarkastuksiin sekä jaettava tietoja ja parhaita käytäntöjä muiden alan toimijoiden kanssa tai eri alojen kesken.

    Cybersecurity risk management measures

    NIS 2 applies a risk-based, outcome-oriented approach to measures that address:

    risk analysis and information system security policies;
    incident handling;
    business continuity and crisis management;
    supply chain security;
    security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure;
    policies and procedures to assess the effectiveness of cybersecurity risk management measures;
    basic cyber hygiene practices and cybersecurity training;
    policies and procedures on the use of cryptography and encryption;
    human resources security, including access control policies and asset management; and
    the use of MFA (Zero Trust security model) and other technical controls.

    Incident notification obligations

    Entities must report "incidents having a significant impact on the provision of services", i.e. incidents that cause severe operational disruption of the service or financial loss, or that affect other persons by causing considerable material or non-material damage.

    an early warning must be given to the competent authority within 24 hours.
    information on mitigation and prevention must be provided without undue delay.
    an incident notification must be submitted within 72 hours (assessment, severity, indicators of compromise).
    intermediate reports must be provided at the request of the regulator.
    within one month of the initial notification, either a final report or a progress report must be submitted. A new progress report must be sent every month until the final report has been delivered.

    Reply
  15. Tomi Engdahl says:

    NIS2 to ISO27001 & ISO27002 Mapping Tool
    https://www.huntandhackett.com/blog/iso-mapping-tool

    The transition to NIS2 compliance carries substantial implications for most entities falling under the Directive’s scope, often necessitating a transitional period of 1-3 years. Therefore, it is imperative to initiate the requisite measures well in advance. To facilitate this, we have developed an assessment tool, aligning NIS2 requirements with the ISO/IEC 27001:2022 and ISO/IEC 27002:2022 standards. Although the exact requirements are not yet known, these standards are a valid place to start in order to gain an idea how far the company or organisation in question is in their cybersecurity processes.

    ISO 27001 is intended to give a framework of best practice policies, procedures and controls for information security to reduce the risk of information security breaches. ISO 27002 is about the implementation of controls and guidelines. When mapping NIS2 measures to the ISO 27001:2022 standard, most of the relevant controls come from Annex A, as they provide the best clues from a control perspective.

    Is ISO 27001 enough for NIS2 compliance?
    https://www.ceeyu.io/resources/blog/is-iso-27001-enough-for-nis-2-compliance

    The scope of the ISO certificate

    NIS2 emphasizes cybersecurity from a societal perspective. The scope is the activities that are important for the continuity of the proper functioning of a country. So first and foremost, you must ensure that the scope of activities that are ISO 27001 certified in your company are all activities that are important or essential to society.

    ISO 27001:2013 is a good start, but ISO 27001:2022 is a better basis given its enhancements, which are in line with NIS2 requirements. In addition, ISO:2013 certifications are valid only until one year after the effective date of the NIS2 legislation. If you have ISO 27001:2013 and have not yet started upgrading the certificate, now is a good time to start doing so.

    The importance of ISO 27002

    The ISO 27002 standard is a detailed supplementary guide to the security controls in the ISO 27001 framework. ISO 27002 provides best-practices guidance on selecting and implementing the controls listed in ISO 27001, however ISO 27002 controls (94 controls in the 2022 standard) aren’t compulsory to become 27001 certified. They are, at best, a reference set of information security controls that organizations can use. Also, companies can only certify for ISO 27001, not for ISO 27002.

    As shown in the above table, many ISO 27002 controls map to NIS 2 requirements. As such, while not required for obtaining the ISO 27001 certificate, (most of) ISO 27002 is mandatory for NIS2 compliance.

    Business continuity management is where ISO 22301 may help, but it’s not a must.

    Under NIS2, critical and important entities must ensure continuity of operations in the event of a major incident, which may be an incident other than a cyberattack, and which may not be an internal incident, but also an incident at a critical supplier. Organizations must therefore implement a comprehensive resilience framework – which includes business continuity, disaster recovery and crisis management – to minimize disruptions.

    If organizations have carefully implemented the above ISO27001 and ISO27002 controls related to business continuity and disaster recovery (5.29 and 5.30 as core), they should comply with NIS2 in this area. However, organizations covered by NIS2 could consider adding ISO 22301 for business continuity management (BCM). ISO 22301 is designed to help implement, maintain, and continuously improve a company’s business continuity approach. While some aspects of ISO 27001 include business continuity management, it does not define a process for implementing BCM. That’s where the complementary standard ISO 22301 comes in. Certification to this standard will further demonstrate compliance with NIS 2, but it’s not an absolute must.

    Supply chain risk management is not just about information security

    In the context of NIS2, attention should not only be paid to information security throughout the supply chain. Any business continuity threat that could potentially spread through the entire supply chain should be identified and mitigated. Therefore, the content of risk assessments can be revised to place more emphasis on business continuity measures implemented at the supplier. The list of suppliers covered by the third-party risk management may also be revised because while the focus of ISO 27001 is more on the ICT supply chain, the focus of NIS2 on general business continuity may require you to expand the list of assessed suppliers. Obviously, the security of potential IT integrations (eg. APIs) with these non-ICT suppliers must also be considered.

    ISO 27036 for supply chain risk management is a bit like ISO 22301 for business continuity. ISO 27001 does not define a process for implementing third-party risk. That’s where ISO 27036 can help companies that have no experience/expertise in this area or want to use the standard to structure the activity. But also here, ISO 27036 is in se not mandatory for NIS2 compliance.

    In the area of incident notification, there is certainly work to be done. The directive describes the prescribed lead times for such reports:

    First notification within 24 hours
    First report within 72 hours
    Full report within a month after notification

    This requirement has far-reaching implications and is only marginally covered by the ISO 27001/27002 standards. For organizations subject to the GDPR, the implementation of Annex A 5.24 (Information Security Incident Management Planning and Preparation) requires notification procedures to be in place to report data breaches to authorities within 72 hours. However, NIS2 aims to report any security incident that poses a threat to business continuity within 24 hours. To report properly, companies must first have adequate detection, including initial analysis and forensics, and incident response. Also, “military-style” internal reporting and decision-making processes must be in place to meet the 24-hour deadline. These processes must not only be defined, but they must also be tested to ensure they work as they should.

    Reply
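    The notification timeline spelled out in the two comments above (early warning within 24 hours, incident notification within 72 hours, then a final or progress report within a month and a new progress report every month until the final report) is easy to lose track of during a live incident. The following tracker is an added example, not code from any of the cited articles: it models those deadlines relative to the moment the entity became aware of the incident and tells a responder which reports are filed, pending, late or overdue. The report names, the 30-day approximation of "one month" and the sample timestamps are constructed assumptions; check the national transposition for exact deadlines.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Deadlines counted from the moment the entity became aware of the incident.
EARLY_WARNING = timedelta(hours=24)          # early warning to the competent authority
INCIDENT_NOTIFICATION = timedelta(hours=72)  # notification with assessment, severity, IoCs
FOLLOW_UP = timedelta(days=30)               # "one month" modelled as 30 days (assumption)


@dataclass
class SignificantIncident:
    aware_at: datetime                          # moment the entity became aware
    early_warning_at: datetime | None = None    # when each report was actually filed
    notification_at: datetime | None = None
    progress_reports_at: list[datetime] = field(default_factory=list)
    final_report_at: datetime | None = None


def _status(filed_at: datetime | None, due: datetime, now: datetime) -> str:
    """submitted / late (filed after the deadline) / pending / overdue."""
    if filed_at is not None:
        return "late" if filed_at > due else "submitted"
    return "overdue" if now > due else "pending"


def obligations(inc: SignificantIncident, now: datetime) -> list[tuple[str, datetime, str]]:
    """Return (report name, deadline, status) for every report owed at `now`."""
    rows = []
    due = inc.aware_at + EARLY_WARNING
    rows.append(("early_warning", due, _status(inc.early_warning_at, due, now)))
    due = inc.aware_at + INCIDENT_NOTIFICATION
    rows.append(("incident_notification", due, _status(inc.notification_at, due, now)))
    # The monthly cycle counts from the initial notification. If the early warning was
    # never filed, count from its deadline so the clock cannot be stopped by not filing.
    base = inc.early_warning_at or (inc.aware_at + EARLY_WARNING)
    for i, filed in enumerate(inc.progress_reports_at, start=1):
        due = base + i * FOLLOW_UP
        rows.append((f"progress_report_{i}", due, _status(filed, due, now)))
    n = len(inc.progress_reports_at) + 1
    due = base + n * FOLLOW_UP
    if inc.final_report_at is not None:
        rows.append(("final_report", due, _status(inc.final_report_at, due, now)))
    else:
        # Either a final report or another progress report is due at this point.
        rows.append((f"final_or_progress_report_{n}", due, _status(None, due, now)))
    return rows


def overdue(inc: SignificantIncident, now: datetime) -> list[str]:
    """Names of reports whose deadline has passed without a filing."""
    return [name for name, _, status in obligations(inc, now) if status == "overdue"]


def sample_open_incident() -> tuple[SignificantIncident, datetime]:
    """Constructed scenario: aware at 09:00 UTC on 1 March 2024, early warning filed
    20 h later, nothing else filed; status is checked 80 h after becoming aware."""
    aware = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    inc = SignificantIncident(aware_at=aware, early_warning_at=aware + timedelta(hours=20))
    return inc, aware + timedelta(hours=80)


def sample_closed_incident() -> tuple[SignificantIncident, datetime]:
    """Constructed scenario: every report filed on time, one progress report before the
    final report; status is checked 70 days after the early warning."""
    aware = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    ew = aware + timedelta(hours=20)
    inc = SignificantIncident(
        aware_at=aware,
        early_warning_at=ew,
        notification_at=aware + timedelta(hours=70),
        progress_reports_at=[ew + timedelta(days=25)],
        final_report_at=ew + timedelta(days=55),
    )
    return inc, ew + timedelta(days=70)


if __name__ == "__main__":
    for inc, now in (sample_open_incident(), sample_closed_incident()):
        print(f"status at {now.isoformat()}")
        for name, due, status in obligations(inc, now):
            print(f"  {name:28} due {due.isoformat()}  {status}")
        print("  overdue:", overdue(inc, now) or "none")
```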
  16. Tomi Engdahl says:

    NIS2: Boosting OT Security in a New Regulatory Landscape
    https://www.orangecyberdefense.com/global/blog/cybersecurity/default-title-2

    It is already highly likely that the number of affected organizations will increase significantly – experts agree that there are over 100,000 organizations in Europe that will fall under these new rules.

    In the future, organizations will be legally required to maintain a high level of network and information security, ensuring ongoing quality. This applies to all systems and components vital for delivering critical services, including IT, OT, embedded systems, data centers, and others. Organizations must consider several key aspects:

    Information Security Guidelines & Organizational Structure: This involves setting up a structured process organization to manage information security.
    Risk Analysis: Adopting a proactive approach to identify, classify, and assess risks, using a standardized process.
    Active Provider Management: Managing risks associated with third-party ICT providers and supply chains.
    Technical Measures: Implementing physical security, conducting penetration tests, network segmentation, and ensuring robust authentication, authorization, and logging to detect security-relevant events.
    Organizational Measures: Handling security-relevant events effectively, continuously improving processes, and conducting regular security checks and audits.

    All measures under the NIS2 directive must be verifiable by the state supervisory authorities of the respective EU member states. This legal requirement extends not only to directly affected organizations but also to those in their supply chain. As a result, NIS2 mandates a clear audit mechanism and audit procedures for outsourced services. It’s crucial for every organization to assess whether they are directly or indirectly impacted by the NIS2 directive at this stage.

    Implementation of the NIS2 requirements

    Implementing the NIS2 directive’s network and information security standards in Operational Technology (OT) environments presents significant challenges. These environments are complex, often composed of diverse legacy systems, proprietary technologies, and a web of interconnected devices. Adding to the complexity is the varying levels of security maturity across many industrial systems. Identifying these levels is a critical first step in developing or upgrading to a security architecture that allows for consistent security monitoring.

    Strategic Approaches to Network Design and Integration

    Under the NIS2 directive and other security standards, safeguarding networks and assets, particularly for critical infrastructure, is a vital security mandate.

    Reply
  17. Tomi Engdahl says:

    Towards less vulnerable embedded electronics – New regulation for cybersecurity
    https://www.etteplan.com/about-us/insights/towards-less-vulnerable-embedded-electronics-new-regulation-cybersecurity/

    Electronics manufacturers will soon be under new regulation that demands cybersecurity from their products, and even from their development process. Why is this happening, where does it apply, and what must be done?

    “It is expected that a lot of new cybersecurity legislation will come into force around 2023. By and large, this will affect all manufacturers of electronic and electrical devices, because the EU will also start classifying these companies as critical infrastructure according to the upcoming NIS2 directive. Concurrently, the EU is revising general safety and liability regulation of consumer products, and it just published the Artificial Intelligence Act proposal. Overall, it seems that the EU is planning to regulate security of devices and software if their use involves safety, environmental, property or fundamental right risks,” says Etteplan’s Antti Tolvanen, Sales Director for Software & Embedded.

    For many years, the EU along with industry and standardization organizations have been developing voluntary cybersecurity standards and guidelines both for critical infrastructure operators and manufacturers of operational technology. Now both the operators and manufacturers need to start preparing for the regulatory change.

    “The proposed NIS2 directive will expand the definition of critical infrastructure significantly. Many more industries will be classified among essential and important entities compared with the effective NIS directive. Purchasing, development and maintenance of information systems will be regulated from a security perspective in much more detail than before. Also, the likely adoption of the security related delegated acts in the Radio Equipment Directive is expected to demand a technical security baseline from any devices with radios,” says Tolvanen.

    Reply
  18. Tomi Engdahl says:

    Navigating cybersecurity services in the era of NIS 2
    https://sii.pl/en/news-feed/navigating-cybersecurity-services-in-the-era-of-nis-2/?category=company-growth,offering&tag=banking,cybersecurity-en,retail,utilities

    How does the NIS2 Directive differ from previous regulations?

    The answer is the Network and Information Systems Directive 2 (NIS 2), introduced in 2023 and published by ENISA, the European Union Agency for Cybersecurity. It’s an updated version of the NIS 1 Directive, setting minimum security standards and requiring reporting of serious incidents to the Computer Security Incident Response Team (CSIRT) or national authorities.

    What are the changes introduced in NIS 2?

    Rigorous standards for risk analysis, audit and incident handling, and cyber education.
    Applicable to all EU countries.
    Ensuring supply chain and business continuity.
    Improve reporting obligations.
    Strengthen the legal consequences for violating regulations.
    Covering more sectors with regulation.

    One of the significant differences between NIS 1 and NIS 2 is the expansion of its scope. Until now, the existing directive covered two entities: operators of essential services (OES) and relevant digital service providers (RDSPs). NIS 2’s coverage now extends to more sectors, including transport, health, energy, finance, and public administration, and introduces a size criterion – medium and large companies must comply with the regulation. NIS 2 also applies to all companies, regardless of size, that have key value for specific sectors, the economy, or society.

    Reply
  19. Tomi Engdahl says:

    SPDL (Secure Product Development Lifecycle) comes into play. SPDL is a comprehensive framework that provides guidance and structure for developing and maintaining secure products. According to the widely adopted IEC 62443-4-1 standard, it consists of eight essential practices that cover every stage of the product lifecycle.
    https://www.etteplan.com/about-us/insights/secure-product-development-lifecycle-essential-tool-for-product-development/

    Reply
  20. Tomi Engdahl says:

    Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (Text with EEA relevance)
    https://eur-lex.europa.eu/eli/dir/2022/2555/oj

    Reply
  21. Tomi Engdahl says:

    Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)
    https://www.europeansources.info/record/proposal-for-a-directive-on-measures-for-a-high-common-level-of-cybersecurity-across-the-union/

    Reply
  22. Tomi Engdahl says:

    Which companies must comply with NIS 2? Essential vs. important entities
    https://advisera.com/articles/who-does-nis2-apply-to/

    Mid-size and large companies from the following sectors must comply with NIS2: energy; transport; banking; financial market infrastructures; health; drinking water; wastewater; digital infrastructure; ICT service management (business-to-business); public administration; space; postal and courier services; waste management; manufacture, production, and distribution of chemicals; production, processing, and distribution of food; manufacturing; digital providers; and research.

    Reply
  23. Tomi Engdahl says:

    ChatGPT says
    Certainly! Here are some iOS and Android mobile apps related to cybersecurity training or awareness:

    1. **Cybrary** (iOS, Android): Offers a wide range of cybersecurity courses, including ethical hacking, incident response, network security, and more.

    2. **Udemy** (iOS, Android): Provides courses on cybersecurity topics such as penetration testing, cryptography, and cybersecurity fundamentals.

    3. **Kali NetHunter** (Android): A penetration testing platform that includes various tools and resources for ethical hacking and security testing.

    4. **Duo Mobile** (iOS, Android): A two-factor authentication (2FA) app that enhances security by requiring a second form of verification for accessing accounts.

    5. **Norton Mobile Security** (iOS, Android): Offers mobile security features like malware scanning, Wi-Fi security, and device protection against threats.

    6. **LastPass** (iOS, Android): A password manager app that securely stores passwords and sensitive information, promoting good password hygiene and security practices.

    7. **OWASP Mobile Security Project** (iOS, Android): Provides resources, tools, and best practices for securing mobile applications against common security vulnerabilities.

    8. **Hacker101** (iOS, Android): Offers interactive challenges and tutorials for learning ethical hacking and web application security.

    9. **IBM Security Verify** (iOS, Android): Provides insights into cybersecurity threats, best practices, and security awareness training for individuals and organizations.

    10. **StaySafeOnline** (iOS, Android): Offers tips, guides, and resources for staying safe online, covering topics like password security, phishing prevention, and social media safety.

    These apps cover a range of cybersecurity topics, from training and education to practical tools and security awareness. Encourage your friend to explore these apps based on their specific interests and learning goals.

    Reply
  24. Tomi Engdahl says:

    We don't talk about them because most admins prefer shit practices for themselves unless they are compelled by policy. Just like users ..

    In the other corner, we have a guy who clicked a link in a comment on CNBC thinking he was going to see a video

    Ignorant people keep me employed

    Reply
  25. Tomi Engdahl says:

    So for example you need to know the basics of networking, protocols, the OSI model, Windows and Linux, threat actors, the basics of security systems, the CIA triad, etc. as a first step, as you have to start from the beginning and gain concrete knowledge. Don't jump to hacking without knowing how everything works underneath.

    Experience is what it takes to make you an expert

    Training will be the best start. Only experience will make you a master. Cybersecurity is a broad field, you must figure out what you want to pursue.

    Red Team, Research, Forensics, Security Analysis: select your field first.

    Cyber Security Expert
    Step by step guide to becoming a Cyber Security Expert in 2024
    https://roadmap.sh/cyber-security

    Reply
  26. Tomi Engdahl says:

    Chilling greetings from Mikko Hyppönen: ”We have not seen this yet, but soon we will”
    https://www.is.fi/digitoday/tietoturva/art-2000010344740.html

    Mikko Hyppönen listed the most significant threats that artificial intelligence will bring in the near future. At the same time, he says he has changed his mind on an important question of openness.

    Security guru and WithSecure research director Mikko Hyppönen has described the threats that the rapid spread of artificial intelligence brings with it. Lecturing at University College London in England, Hyppönen considered the dangers associated with the technical revolution now under way.

    Hyppönen named deepfakes, serial scams (deepscams), self-improving malware and AI that hunts for security holes as the biggest security threats posed by artificial intelligence.

    Hyppönen first explained artificial intelligence in very tangible terms: it is a technology that ”knows” things in the sense that it can string words together based on how they usually follow one another in language.

    AI-enabled Crime
    https://www.youtube.com/watch?v=Wc1yCYgwjfg

    Reply
  27. Tomi Engdahl says:

    The OODA Loop: The Military Model That Speeds Up Cybersecurity Response
    https://www.securityweek.com/the-ooda-loop-the-military-model-that-speeds-up-cybersecurity-response/

    The OODA Loop can be used both by defenders and incident responders for a variety of use cases such as threat assessment, threat monitoring, and threat hunting.

    Time is a precious commodity especially in cybersecurity. Cybercriminals can be in and out of victim environments in less than 24 hours of initial access. Professional cybercriminals and advanced persistent threats (APTs) leverage zero-day vulnerabilities, easily rendering software developers clueless.

    When a cyberattack strikes, defenders have only minutes to detect and respond. The faster the detection, the sooner a virus can be arrested from spreading. The faster the response time, the sooner the enemy can be outmaneuvered. To win this race against time, defenders need two things: 1) a robust decision-making model that aids in swift but accurate decision-making; and 2) real-time status checks on the entire infrastructure, allowing security teams the chance of making informed decisions.

    Enter the OODA Loop Military Model and its Security Application

    The OODA loop is a military mental model developed in the mid-20th century by Air Force strategist Col. John Boyd to boost decision-making skills for fighter pilots during aerial combats.

    The OODA loop consists of four iterative phases: Observe, Orient, Decide and Act. “Observe” refers to building a comprehensive picture of the situation. “Orient” means connecting with reality, avoiding cognitive biases, and developing a deep awareness of the situation and its context. “Decide” translates to making decisions based on observations, but not jumping to conclusions. “Act” is about implementing or acting on the decision made.

    The OODA loop is a versatile model which can obviously be applied to cybersecurity. It can be used both by defenders (and incident responders) for a variety of use cases such as threat assessment, threat monitoring, and threat hunting. The success of the OODA loop is highly dependent on the quality of security signals and data used for decision making. In other words, poor quality data equals poor decisions and vice versa.

    Using SASE to Harness the OODA Loop

    Security complexity is one of the biggest roadblocks to effective and timely threat detection. It’s common practice to deploy many disparate security tools (anywhere from 45 to 75 on average) to address a host of threat vectors and security use cases. As a result, security tools are unable to “connect the dots,” failing to produce timely, accurate, and contextual security data for effective decision-making. Because data and applications have moved to the cloud together with users who are working remotely, blind spots come into the picture over which security teams have no data insight or control.

    SASE is a single-pass, cloud-native architecture that tackles the complexity problem by converging multiple security controls (such as data leakage prevention, secure web gateway, zero trust network access, cloud access security broker and other controls) into a single service. Consolidated security tools and native integrations result in real-time visibility over network traffic spanning endpoints, multi-cloud, applications, identities, devices, and Internet of Things. Real-time data is then enriched with contextual details like location and identity, empowering security teams with finer security control and more informed decision-making. The SASE backbone also enables immediate threat response against zero-day exploits via virtual patching. In other words, SASE significantly enhances the OODA loop process because it sees all network flows (‘Observe’), contextualizes all the data it receives (‘Orient’), invokes the policy that needs to be applied (‘Decide’), and enforces policies across the entire infrastructure end-to-end (‘Act’).

    Reply
  28. Tomi Engdahl says:

    Cybersecurity Mesh: Overcoming Data Security Overload
    https://www.securityweek.com/cybersecurity-mesh-overcoming-data-security-overload/

    A significant cybersecurity challenge arises from managing the immense volume of data generated by numerous IT security tools, leading organizations into a reactive rather than proactive approach.

    Gartner projects that organizations worldwide will invest $208.7 billion in IT security and risk management tools this year alone. However, despite this significant investment, Accenture reports that 74 percent of CEOs lack confidence in their organization’s cybersecurity posture. Contrary to the longstanding belief that deploying more security solutions will inevitably enhance protection against threats, the reality can often be quite different. In fact, a significant cybersecurity challenge arises from managing the immense volume of data generated by numerous IT security tools, leading organizations into a reactive rather than proactive approach.

    The expanding attack surface and mushrooming regulations (e.g., PCI DSS 4.0, NIST, FISMA, etc.) necessitate more frequent security posture assessments, resulting in the deployment of a myriad of security tools, each focused on individual attack surfaces and vectors. However, these solutions are often siloed, making it difficult for security practitioners to report on exploitability posture, identify critical business areas, and demonstrate the effectiveness of security initiatives and controls. Breaking down these silos frequently requires manual efforts to aggregate and correlate data, leading to critical issues not being addressed in a timely fashion. According to IBM’s 2023 Cost of a Data Breach Report, 67% of breaches were discovered by third parties rather than internal resources. Ultimately, the goal is to shorten the window attackers have to exploit software or network configuration flaws. While big data sets can assist in putting specific behavior into context, there are significant technological challenges to overcome.

    Reply
  29. Tomi Engdahl says:

    Know Your Audience When Speaking to Security Practitioners
    https://www.securityweek.com/know-your-audience-when-speaking-to-security-practitioners/

    How can security practitioners make sense of the vendor landscape and separate those who talk a good game from those who can execute, perform, and solve real problems for enterprises?

    Every now and again, I feel that the voice of the security practitioner – those in the trenches day-in and day-out defending their enterprises – needs to be heard. I’m not sure why exactly, but as I write this piece, today just seems like one of those days. Lately, a few things going on around the industry have caused me to believe that the time is right for me to put on my cranky security analyst hat and put a few things down on paper.

    It is not news that the security vendor landscape is crowded – perhaps even overcrowded. With this comes quite a bit of confusion – everyone seems to market the same way, use the same words, make the same claims, and purport to solve the same problems. As you can imagine, all of this messaging is coming at security practitioners on a regular basis. With all of that noise, how can security practitioners make sense of the vendor landscape and separate those who talk a good game from those who can execute, perform, and solve real problems for enterprises?

    This is an interesting question that I believe deserves some attention. Having spent quite a bit of time in the trenches myself before moving over to the vendor side, there are a few discussion topics that cross my mind. I’d like to devote the remainder of this piece to discussing what resonates and what doesn’t when vendors seek to communicate their value to security practitioners.

    Lay off the marketing slogans: Marketing slogans may serve their purpose when it comes to raising brand awareness, capturing people’s attention, and explaining your focus in just a few words. It turns out that marketing slogans are not so helpful when it comes to conveying to security practitioners how you can solve operational security problems and how you can help them achieve their goals. In fact, using buzzy slogans can backfire in some cases. They may actually cause security practitioners to roll their eyes, take you less seriously, and engage more hostilely with you. Instead of speaking slogans, try asking questions, understanding challenges, and listening.

    Beware of inducing an AI allergy: Artificial Intelligence is a popular topic these days. Of course, AI is an important technology that has some very real and useful applications. Unfortunately, AI also creates a lot of hype and buzz. You can talk about AI, but make it meaningful. AI generally produces the best results when applied to specific problems that it is well-suited for.

    The proof is in the pudding: Perhaps it is not surprising that every vendor presents themselves as the most effective on the market and the best solution in the industry. While no one polices what goes on PowerPoint slides, numbers don’t lie. If you want security practitioners, who hear the same claims from every vendor, to take your claims seriously, you’ll need to prove it with data. Even better if you can prove it using their own data (obtained via Proof of Concept, for example). Claims backed by real data speak volumes when compared with unbacked claims. Sales pitches that are data-driven are so much more powerful than those that are not.

    Speak to business needs: Resist the temptation to begin enumerating the features of your product or products. Security practitioners aren’t interested, at least initially, in seeing a suitcase full of features. It is more likely that they want to understand which of their goals you can help them achieve and how. In other words, they want to understand which of their real world problems you’ll be able to help them solve.

    Quit ambulance chasing: The older I get, the more amazed I am at how many vendors think that ambulance chasing is going to get them wins with security practitioners. When a security practitioner is dealing with a significant breach, a major vulnerability, or the “item du jour” that has the attention of management, the last thing they want to hear is that if they only had your product, they wouldn’t be in this situation. Simply put, ambulance chasing doesn’t work. On the contrary, it often reduces the credibility of a vendor and spurs animosity amongst potential buyers. Don’t do it. Instead, develop trusted relationships with security practitioners. Understand their pain points, their objectives, and what challenges they are looking to address in the coming years. Then explain to them how you can help them achieve that.

    Although security practitioners have a bit of a reputation for being allergic to vendors, they are really not. Rather, they are tired of hearing the same old rhetoric, promises, and hype again and again.

    Reply
  30. Tomi Engdahl says:

    NIS2 brings companies more responsibilities: a guide for companies
    https://etn.fi/index.php/13-news/16081-nis2-tuo-yrityksille-lisaeae-vastuita-taeaellae-opas-yrityksille

    The EU's new NIS2 directive strengthens cybersecurity on many levels, but it also brings companies many new responsibilities. Finnish Information Security Cluster (FISC) – Kyberala ry has published a national application guide for the EU's network and information security directive NIS2. The goal is to support the cybersecurity work of companies operating in Finland in meeting the changing legislative obligations.

    The NIS2 directive strengthens cybersecurity at the organizational and societal level: the EU's network and information security directive is a central part of the European Union's efforts to improve the cybersecurity of its member states. The directive promotes the continuity and profitability of companies' operations and sets obligations for the management of digital risks.

    Companies can gain a competitive advantage by adapting quickly to the directive's requirements or by exceeding them. The directive supports society's cyber resilience and creates a manageable operating environment. Although complying with the directive incurs costs, those costs are predictable and support the quality, responsibility, and delivery reliability of operations.

    The guide prepared by Kyberala ry can be read here. The organization represents the cybersecurity industry operating in Finland and is committed to supporting organizations in improving their cybersecurity. The association operates as part of Teknologiateollisuus ry.

    https://www.fisc.fi/sites/fisc/files/inline-files/KYBERALA_NIS2_OPAS_0.9_BETA.pdf

    Reply
  31. Tomi Engdahl says:

    The State of Software Security 2023
    Current state report
    https://www.kyberturvallisuuskeskus.fi/sites/default/files/media/publication/Ohjelmistoturvallisuuden%20tila%202023.pdf

    In Finland there is awareness of the importance of software security. The software industry is in constant and rapid change. The level of security in software work has risen, but not at the same pace as changes in technology and working practices. Organizations that produce, procure, and use software do not have a common, shared view of who is responsible for information security in software work. The need for security is understood at a general level, but at the implementation level, responsibilities and security requirements do not materialize in practice. Some organizations have a high level of competence and implementation capability, while others have considerable challenges even in implementing basic-level security.

    Awareness of the problem and methods for practical solutions are needed.

    As a solution, the report proposes that understanding of the requirements and goals of secure software development should be increased broadly across organizations. Information security is a central part of organizations' risk management. For this reason, awareness of the security requirements of software development must be provided at every level, from business management to software developers. Organizations should invest in sharing new and good practices and in maintaining and developing the competence of experts working in different roles.

    Reply
  32. Tomi Engdahl says:

    Ransomware now hits industry
    https://etn.fi/index.php/13-news/16092-kiristyshaittaohjelmat-osuvat-nyt-teollisuuteen

    Security company Check Point Software has presented early-year trends in cyberattacks. The growth in cyberattacks continues to be strong. As a new phenomenon, ransomware is now increasingly used to attack manufacturing companies and media houses.

    In the first quarter of 2024, the number of cyberattacks grew 28 percent from the last quarter of the previous year and was 5 percent higher than a year earlier.

    The education and research sector has faced the most attacks, on average 2454 attacks per organization per week. In the hardware vendor sector, attacks grew 37% compared to a year earlier, which highlights a strategic shift in target selection.

    In Europe, the number of attacks grew moderately, by 0.4%. In Finland, cyberattacks even decreased by 12% from a year earlier.

    Reply
  33. Tomi Engdahl says:

    You Against the World: The Offenders Dilemma

    Foreign attackers have many more toolsets at their disposal, so we need to make sure we’re selective about our modeling, preparation and how we assess and fortify ourselves.

    https://www.securityweek.com/you-against-the-world-the-offenders-dilemma/

    Reply
  34. Tomi Engdahl says:

    Cyber Security Expert
    Step by step guide to becoming a Cyber Security Expert in 2024
    https://roadmap.sh/cyber-security

    Reply
  35. Tomi Engdahl says:

    In cybersecurity, a decision not to make necessary investments becomes a decision to consciously accept the risks, writes DNA's Juho Saarinen. He urges everyone to consider what the bare minimum gets you in a changing world.

    Why is corporate-level quiet quitting a bigger threat to cybersecurity than quantum computing?
    https://www.dna.fi/yrityksille/blogi/-/blogs/miksi-konsernitason-quiet-quitting-on-kvanttilaskentaa-suurempi-uhka-kyberturvalle?utm_source=facebook&utm_medium=linkad&utm_content=ILTE-artikkeli-miksi-konsernitason-quiet-quitting-on-kvanttilaskentaa-suurempi-uhka-kyberturvalle&utm_campaign=H_ILTE_MES_24-14-18_artikkelikampanja&fbclid=IwAR2HVFKDzEvTJH-Y1o5iixIPVDmtuWMw9nDsHAb238D7d5DGwPeBRZ4WCVg_aem_ASVFHEHdnzicivKZsfwA_Uf-h14-Lt8zQct2vvaLdxs0n94ldmxONUvHI6ZOkB03PwAqbYr-gZSS2QbzJ3AQkond

    One of the most talked-about topics of recent years has been quiet quitting, a working-life phenomenon that arrived from the United States, in which work is approached more casually. The employee performs only the tasks assigned to them, and not an inch more. Now there are signs of corporate-level quiet quitting: only the absolute minimum is done, budgeted, and invested. This trend forces us to consider what it is possible to get with the minimum in a rapidly changing world.

    Capital currently has a higher cost, so investment decisions are approached with greater deliberation. Using money prudently, carefully weighed investments, and a policy of savings are not negative things in themselves, but is it worth saving on everything? Especially in cybersecurity, a decision not to make necessary investments becomes a decision to consciously accept the risks.

    In the same way that the execution of a well-started, growing business plan can be suffocated by insufficient budgeting, the required level of cybersecurity can also be left irreparably behind.

    Reply
  36. Tomi Engdahl says:

    Last study showed the deficit was so large that if we could stop death, end growth, end retirements and maintained current academic output, it would take 30 years to meet demand. Seeing as the industry is growing, people are leaving cyber by choice or fate. The odds of you seeing saturation are near zero. The “chance” is directly coordinated with artificial intelligence development. Which is nowhere close.

    Reply
  37. Tomi Engdahl says:

    Government
    US Government Releases Guidance on Securing Election Infrastructure
    https://www.securityweek.com/us-government-releases-guidance-on-securing-election-infrastructure/

    New US guidance details foreign malign influence operations to help election infrastructure stakeholders increase resilience.

    Reply
