CISA announces adding more experts to its Cybersecurity Advisory Committee and updating the Cybersecurity Performance Goals.
The post CISA Expands Cybersecurity Committee, Updates Baseline Security Goals appeared first on SecurityWeek.
CISA announces adding more experts to its Cybersecurity Advisory Committee and updating the Cybersecurity Performance Goals.
The post CISA Expands Cybersecurity Committee, Updates Baseline Security Goals appeared first on SecurityWeek.
Join us for this webinar as we walk through three recent use cases where a new threat caught organizations off-guard.
The post Webinar Today: How to Build Resilience Against Emerging Cyber Threats appeared first on SecurityWeek.
The FDIC seized the assets of Silicon Valley Bank on Friday, which could impact cybersecurity firms that use the bank’s services.
The post Silicon Valley Bank Seized by FDIC as Depositors Pull Cash appeared first on SecurityWeek.
In this virtual summit, SecurityWeek brings together expert defenders to share best practices around reducing attack surfaces in modern computing.
The post Register Now: Attack Surface Management Summit – Feb. 22 appeared first on SecurityWeek.
India-based Scrut Automation has raised money to improve its risk observability and compliance automation platform and expand its presence in the US.
The post Scrut Automation Raises $7.5 Million for GRC Platform appeared first on SecurityWeek.
About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.
SecurityWeek Cyber Insights 2023 | Supply Chain Security – The supply chain threat is directly linked to attack surface management (it potentially represents a hidden part of the attack surface) and zero trust (100% effective zero trust would eliminate the threat). But the supply chain must be known and understood before it can be remediated.
In the meantime – and especially throughout 2023 – it will be a focus for adversaries. Why attack a single target when successful manipulation of the supply chain can get access to dozens or even hundreds of targets simultaneously.
The danger and effectiveness of such attacks is amply illustrated by the SolarWinds, log4j, Spring4Shell, Kaseya, and OpenSSL incidents.
Supply chain attacks are not new. The iconic Target breach of late 2013 was a supply chain breach. The attackers got into Target using credentials stolen from its HVAC provider, Fazio Mechanical Services – that is, via Target’s supply chain.
The 2018 breach of Ticketmaster was another supply chain breach. A Ticketmaster software supplier, Inbenta, was breached and Inbenta software was modified and weaponized. This was automatically downloaded to Ticketmaster.
Island hopping is another form of supply chain attack. In 2017, Operation Cloud Hopper was revealed. This disclosed that an advanced group, probably APT10, was compromising managed service providers to gain access to the MSP’s customers.
Despite these incidents, it has only been in the last couple of years, fueled by more extensive incidents such as SolarWinds, that industry has become cognizant of the full threat from increasingly sophisticated and wide-ranging supply chain concerns. But we should not forget that the 2017 NotPetya incident also started as a supply chain attack. Software from the Ukrainian accounting firm M.E.Doc was weaponized and automatically downloaded by the firm’s customers, before spreading around the globe. Both SolarWinds and NotPetya are believed to be the work of nation state actors.
All forms of supply chain attacks will increase in 2023, and beyond. Chad Skipper, global security technologist at VMware, specifically calls out island hopping. “In 2023, cybercriminals will continue to use island hopping, a technique that aims to hijack an organization’s infrastructure to attack its customers,” he warns. “Remote desktop protocol is regularly used by threat actors during an island-hopping campaign to disguise themselves as system administrators. As we head into the new year, it’s a threat that should be top of mind for all organizations.”
That supply chain attacks will increase in 2023 and beyond is the single most extensive prediction for 2023. “Supply chain attacks happen when hackers gain access to a company’s inner workings via a third-party partner, a method that provides them with a much greater amount of privileged information from just one breach,” explains Matt Jackson, senior director security operations at Code42. “This type of attack already rose by more than 300% in 2021, and I anticipate this trend will continue in 2023, with these attacks becoming more complicated and intricate.”
Lucia Milică, global resident CISO at Proofpoint, worries that despite all the wake-up calls so far, “We are still a long way from having adequate tools to protect against those kinds of digital supply chain vulnerabilities. We predict these concerns will mount in 2023, with our trust in third-party partners and suppliers becoming one of the primary attack channels.”
The result, she added, is, “We expect more tension in supply chain relationships overall, as organizations try to escalate their vendors’ due diligence processes for better understanding the risks, while suppliers scramble to manage the overwhelming focus on their processes.”
Jackson added, “Because many third-party partners are now privy to more sensitive data than ever before, companies can no longer rely on their own cybersecurity prowess to keep information safe,” he said.
“Supply chain attacks purposefully target the smaller organizations first because they’re less likely to have a robust cybersecurity setup, and they can use those companies to get to the bigger fish,” he continued. “In the next year, companies will become even more diligent when deciding on an outside organization to work with, creating an increase in compliance verifications to vet the cyber tools used by these prospective partners.”
Anand Raghavan, co-founder and CPO at Armorblox, expands on this theme. “This becomes particularly relevant,” he said, “for the Fortune 500 or Global 2000 companies that have a large ecosystem of suppliers, vendors, and distributors whose security stacks are nowhere as mature as those of large organizations. Large organizations might consider requiring all vendors to follow certain security best practices, including modernizing their email security stack if they want to continue being a vendor in good standing.”
Interestingly, despite all the warnings of an escalating threat, Christopher Budd, senior manager of threat research at Sophos, notes, “Unlike two years ago when the SolarWinds attack put supply chain attacks high on people’s radar, supply chain attacks have faded from prominence.” This may be a misleading premise. The discovery of a vulnerability in a widely used piece of software, such as the log4j vulnerability, will be used by individual cybercriminals and nation state actors alike.
However, targeted attacks such as that against SolarWinds requires resources and skill. These attributes are more usually found only in the more advanced gangs and nation state actors. Such adversaries have another attribute: patience. “Today’s and undoubtedly tomorrow’s threat actors have shown they can play the long game,” warns Pieter Arntz, senior intelligence reporter at Malwarebytes.
Budd also warns that despite their immediate lack of prominence (at the time of writing, but anything could happen tomorrow), “Supply chain may be something that continues to not gather news, similar to 2022. But it will remain a real threat and one that organizations should be prioritizing across the board, in part because effectively countering this threat requires a comprehensive, careful, methodical approach.”
The primary growth area in supply chain attacks will likely be the software supply chain. “Over the past few years,” explains Eilon Elhadad, senior director of supply chain security at Aqua, “increasing pressure to deliver software faster has widened attack surfaces and introduced severe vulnerabilities.”
New tools, languages and frameworks that support rapid development at scale are being targeted by malicious actors, who understand the widespread impact that results from attacks to the software supply chain.
“In 2023,” Elhadad continued, “software supply chain threats will continue to be a significant area of concern. These attacks have a larger potential blast radius to allow hackers to impact entire markets and wreak havoc for organizations.”
Eric Byres, founder and CTO at aDolus, agrees. “Software supply chain attacks will continue to increase exponentially in 2023,” he said; “the ROI on these attacks is just too sweet for professional adversaries to resist.” He notes that supply chain attacks have increased by 742% over the last three years.
Much of the software supply chain threat comes from the growing reliance on open source software libraries as part of the ‘increasing pressure to deliver software faster’. Zack Zornstain, head of supply chain security at Checkmarx, believes the software threat will particularly affect the open source supply.
“We believe that this threat of compromising open source packages will increase as malicious code can endanger the safety of our systems, ranging from ransomware attacks to the exposure of sensitive information, and more. We expect to see this as a general attack vector used both by cyber firms and nation-state actors. SBOM adaptation will help clarify which packages we’re using in applications, but we will need to invest in more controls to ensure the safety of those packages,” he said.
“Organizations should be on high alert for supply chain attacks if they use open-source software,” warns Kevin Kirkwood, deputy CISO at LogRhythm. “Bad actors examine the code and its components to obtain a thorough understanding of its flaws and the most effective ways to exploit them.”
If the source code of an open source software library either has – or can be engineered by bad actors to have – a vulnerability, then every company that downloads and uses that code becomes vulnerable.
“In 2023,” continues Kirkwood, “we’ll see bad actors attack vulnerabilities in low-hanging open-source vendors with the intention of compromising the global supply chain that uses third-party code. Attackers will infect the open-source repositories and chromium stores with malicious code and will wait for developers and other end users to come along and pick up the new sources and plugins.”
Venafi’s Matt Barker, president of cloud native solutions, adds, “We’re seeing many instances of vulnerable code brought inside their firewall by developers trying to go fast using unverified code from GitHub, or copypasta from Stack Overflow.”
He continues, “Thankfully, we’ve reached a collective sense of focus on this area and are seeing tremendous developments in how we tackle it. This is only going to increase through 2023 as we see more start-ups popping up and open source tools like cosign and sigstore designed to help it. Biden’s SBOM initiative has helped bring attention to the requirement, and The OpenSSF is leading in this charge.”
Mark Lambert, VP of products at ArmorCode, expands on this. “As the software supply chain continues to get more complicated, it is vital to know what open source you are indirectly using as part of third-party libraries, services (APIs) or tools. This is where SBOM comes in,” he said. “By requiring a disclosure of all embedded technologies from your vendors, you can perform analysis of those libraries to further assess your risk and react appropriately.”
Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity introduced the concept of a software bill of materials (SBOM), effectively if not actually mandating that software bought (or supplied) by government agencies be accompanied with a bill of materials. It described the SBOM as “a formal record containing the details and supply chain relationships of various components used in building software,” and analogous to a list of ingredients on food packaging.
While the advantages of the SBOM may appear obvious in helping software developers understand precisely what is included in the open source libraries they use, it must be said that not everyone is immediately enthusiastic. In December 2022, it emerged that a lobbying group representing major tech firms such as Amazon, Microsoft, Apple, Intel, AMD, Lenovo, IBM, Cisco, Samsung, TSMC, Qualcomm, Zoom and Palo Alto Networks was urging the OMB to ‘discourage agencies’ from requiring SBOMs. The group argued that the requirement is premature and of limited value — but it didn’t ask for the concept to be abandoned.
It is the complexity and difficulty in both compiling and using an SBOM that is the problem — and it is these concerns that will drive a lot of activity through 2023. The value of the concept outlined in the executive order remains undiminished.
“Incidents such as Log4shell [log4j] and the most recent SpookySSL vulnerabilities [CVE-2022-3602 and CVE-2022-3786] will push the adoption of a software bill of materials as a core component of achieving effective incident response, while efforts will continue in maturing the SBOM ecosystem (adoption across sectors, tooling, standardization around sharing and exchanging of SBOMs and more),” explains Yotam Perkal, director of vulnerability research at Rezilion.
“One of the big challenges I see in the year ahead is that this is more data for the development teams to manage as they deliver software,” notes Lambert. “In 2023, organizations are going to need ways to automate generating, publishing and ingesting SBOMs – they will need ways to bring the remediation of the associated vulnerabilities into their current application security programs without having to adopt whole new workflows.”
As part of this process, Michael Assraf, CEO and co-founder at Vicarius, said, “We predict that a new market will evolve called binary software composition analysis, which will look for software files that are different from what was pre-packaged and shipped. Automated techniques can utilize machine learning that will find this discrepancy, which will be vital in knowing where your risk lies and how large your attack surface can potentially be.”
Thomas Pace, CEO at NetRise, suggests, “SBOM is going to continue to garner mainstream adoption, not just from software/firmware suppliers that are building products they are selling, but also for internal development teams that are building applications and systems for internal use.”
He adds, “The need to be able to rapidly understand the provenance of software components is becoming increasingly critical. Without this visibility, the window for attackers to exploit these vulnerabilities is much too big and puts cyber defenders at a significant disadvantage.” But he also notes, “strong efforts from organizations like Google have moved the ball forward in a positive way. Efforts such as open-source insights provide a lot of visibility for end users and vendors alike to scale out the analysis of these components.”
The problems involved with SBOM generation and use have not yet been solved, but enthusiasm remains. We can expect considerable effort into automating these processes to continue throughout 2023.
Nevertheless, Kurt Baumgartner, principal security researcher at Kaspersky, warns, “Open source projects continue to be polluted with malicious code. Awareness of these issues and challenges increase, but the attacks continue to be effective on a large scale. Despite the best efforts of software bill of materials, complex dependency chains help ensure that malicious code is uncontrolled for a time in some projects.”
Despite all companies’ need to be wary of potential software supply chain attacks via the code they develop for their own use, we should not forget that there is a potentially more catastrophic physical supply chain threat. We need only consider the effect the prevention of grain supplies leaving Ukraine (because of the Russia/Ukraine conflict) had on global food supplies to see the potential. Covid-19 also affected many different global supply chains, causing panic buying and popular distress in its early days.
These were not the result of cyberattacks – but many of those physical supply chains could be disrupted by cyberattacks. The Colonial Pipeline incident, although a financially motivated attack, had an immediate effect on the supply of oil to eastern USA. The longer the Ukraine/Russia conflict continues, and the greater that east/west tensions increase, the possibility of physical supply chain cyber disruption will equally increase through 2023, and possibly beyond.
SecurityWeek discussed one such possibility in May 2022: The Vulnerable Maritime Supply Chain – a Threat to the Global Economy here.
Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant notes that in the utilities and energy sector, “99% of energy companies say they have been negatively impacted by at least one supply chain breach in the past year, representing the highest rate of overall impact in any other industry. Because it remains one of the most frequently attacked verticals, it is especially crucial that it rises to the challenge of supply chain defense in 2023.”
Taylor Gulley, senior application security consultant at nVisium, comments, “The past few years have shown that both the digital supply chain, as well as the physical world supply chain, are very fragile. This fragility is due to a lack of redundancy and resources due to economic constraints or skill gaps. For 2023, this situation will still stand true. Supply chain security is a weak link that needs to be strengthened.”
Sam Curry, CSO at Cybereason, believes the SBOM will be an important part of solving the software supply chain problem. “It would be naive in the extreme to think that with thousands of trusted software and service providers to choose from… that the handful of known supply chain compromises were the sum total of them. No. 2023 will show us more, and we will be lucky to learn of them because the attacker can quietly exploit these without tipping their hands.”
He added, “We need to use 2023 to be innovative and vigilant and to find new answers to the supply chain problem, to build on software bills of material, to innovate with the men and women building our software and to find the solutions to deter, to detect and to remove the vulnerabilities and exposures that enable this most insidious and trust eroding of attacks.”
Sharon Chand, Deloitte US’ cyber risk secure supply chain leader, believes that software supply chain security will require continuous realtime monitoring of third-party risks and vulnerabilities in inbound packaged software and firmware components. “For instance,” she said, “this includes implementing leading practice techniques around ingesting SBOMs and correlating the output to emerging vulnerabilities, identifying risk indicators such as geographical origin of the underlying components, and providing visibility to transitive dependencies.”
Christian Borst, EMEA CTO at Vectra AI, suggests collaboration and cooperation across the software industry will be required. “A holistic approach may help turn the tables on the matter: supply chain means partnership – partnership means collaboration and supporting each other. Only as a ‘mesh’ interconnected structure with consistent resiliency can companies thrive in the digital economy. This includes ensuring that they review the security policies of all those in the chain.”
Sounil Yu, CISO at JupiterOne, makes a fitting summary, referencing a paper written by Richard Danzig in July 2014 (Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America’s Cyber Dependencies). “To borrow Richard Danzig’s analogy,” says Yu, “we are on a diet of poisoned fruit with respect to our software supply chain. This poison is not going to go away, so we will need to learn how to survive and thrive under these conditions. Being aware of the risks, through efforts such as SBOM, and managing the risks through compensating controls such as egress filtering, will be a priority in 2023 and the foreseeable future.”
Related: US Gov Issues Software Supply Chain Security Guidance for Customers
Related: OpenSSF Adopts Microsoft-Built Supply Chain Security Framework
Related: Hundreds Infected With ‘Wasp’ Stealer in Ongoing Supply Chain Attack
Related: US Gov Issues Supply Chain Security Guidance for Software Suppliers
The post Cyber Insights 2023 | Supply Chain Security appeared first on SecurityWeek.
The US Cybersecurity and Infrastructure Security Agency (CISA) this week published a report detailing the cybersecurity risks the K-12 education system faces, along with recommendations on how to secure it.
Over the past four years, there have been thousands of cyber incidents involving K-12 institutions, where threat actors targeted school computer systems to deploy ransomware, disrupt access, render systems unusable, and steal sensitive information on students and employees, including financial and medical information, and employee Social Security numbers.
The K-12 Cybersecurity Act of 2021 instructed CISA to review the cyber risks to elementary and secondary school, evaluate challenges schools and school districts face in securing information systems, to provide recommendations on improving the protection of these systems, and to develop an online training toolkit for school officials.
Discussions with stakeholder groups relevant to the K-12 education community revealed that the majority of them do not have the time or resources to secure information systems and sensitive student and employee records, or to implement cybersecurity protocols.
“Most reported that the breadth of available cybersecurity information—news coverage, conference panels, webinars, and more—only made matters more complicated. Nearly all reported that they needed simplicity, prioritization, and resources targeted to the unique needs and context of K-12 organizations,” CISA’s report reads (PDF).
According to CISA, “with finite resources, K-12 institutions can take a small number of steps to significantly reduce cybersecurity risk,” such as deploying multi-factor authentication (MFA), patching known vulnerabilities, creating backups, and implementing cyber incident response plans and cybersecurity training programs.
The agency’s incursion into the cybersecurity stance of the K-12 education system has revealed that many school districts struggle with insufficient IT resources and cybersecurity capacity, which can be addressed by using free or low-cost services, by asking technology providers for strong security controls at no additional cost, by migrating IT services to more secure cloud versions, and by taking advantage of the State and Local Cybersecurity Grant Program (SLCGP).
CISA also notes that K-12 entities cannot singlehandedly identify and prioritize emerging threats, risks, and vulnerabilities, recommending that they join relevant collaboration groups, work with other information-sharing organizations, and collaborate with CISA and FBI regional cybersecurity personnel.
The agency recommends that all K-12 institutions start by investing in the most impactful security measures, which will allow them to eventually migrate to a mature cybersecurity plan. They should also prioritize investments in line with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).
CISA’s Digital Toolkit contains resources and materials in line with these recommendations, as well as guidance on how stakeholders can implement each recommendation. The toolkit also includes additional resources to help stakeholders build, operate, and maintain a resilient cybersecurity program at their institution.
Related: CISA Updates Infrastructure Resilience Planning Framework
Related: CISA Releases Decision Tree Model to Help Companies Prioritize Vulnerability Patching
Related: CISA Urges Organizations to Implement Phishing-Resistant MFA
The post CISA Provides Resources for Securing K-12 Education System appeared first on SecurityWeek.
As I discussed previously, the past three years created a perfect storm situation with lasting consequences for how we think about cybersecurity:
The impact of this perfect storm on boardroom conversations has been that cybersecurity technologies and teams have shifted from being viewed as a cost center to a business enabler. The shift is so crucial to business outcomes that Gartner expects that by 2025, 70% of CEOs will mandate a culture of resilience and recommends risk leaders recognize resilience as a strategic imperative to survive a confluence of threats. The mission is no longer just to protect, but to build trust that the business can operate even under strenuous conditions and to accelerate innovation within business units. That is very different from how security teams operated for the last two decades.
Businesses that invest in cybersecurity as a competitive advantage are transforming their business models. Every company is or will become a technology company, and those doing it faster are winning. Accenture refers to companies that have doubled down on technology and innovation as “leap froggers”, growing five times faster than laggards in the past three years.
Geopolitics contributes to this storm and need for board change
Geopolitical conflict has raised the stakes even further and is here to stay, whether in its aggressive form of the Ukraine conflict or more subtle, as in the competition between the U.S. and China. That means companies that are a meaningful part of the economy of their countries, or that hold strategic importance because of the sector they operate in, will find themselves increasingly as targets in those conflicts.
In addition to needing to significantly increase their collective understanding of technology innovation risk and objectives, CEOs and board members need to understand how the current geopolitical situation could be affecting the organization’s risk posture, adversaries’ motivations, and how best to dedicate resources.
Many CEOs and board members are finding it exceedingly complex in this current climate to accurately identify, much less reduce risk, which is why shifting the makeup of boards is needed. A vast majority of board members are former CEOs and CFOs, with most new directors still coming from those backgrounds (26% and 23%, respectively). The good news is that 17% of new directors now come from the technology sector which is beginning to fill the hands-on experience gap of navigating technology-led businesses.
CISOs as board members
One natural solution to infuse more technology and security expertise on boards is to recruit CISOs and CIOs for those positions. While just a few years ago that was mostly unthinkable, today an increasing number of boards are seeking out those experts, even if it means attracting board members with no prior board experience. That in itself is helping break another unfortunate aspect of boards: a lack of diversity and infusion of fresh perspectives and experience to handle emerging oversight challenges such as digital transformation and cyber and operational resilience. While we aren’t where we need to be, progress is happening and now 14% of CISOs say they sit on a corporate board or both a board and an advisory committee.
Even as first-timers, successful CISOs make for successful board members. In the last few years, the best CISOs have pushed their organizations outside of their comfort zones, resulting in high-ROI projects that contribute significantly toward the digital transformation of the organization. The spirit of this relentless pursuit to transform is highly impactful at the board level, and the practical knowledge those CISOs bring is very valuable.
Another encouraging trend, Gartner predicts that by 2025, 40% of companies will have a dedicated cybersecurity committee. Who is better suited than a CISO to lead that conversation? Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. CISOs can provide advice on moving forward with digital change initiatives and help companies prepare for the future. They can explain the organization’s risk posture, including exposure related to geopolitical conflict as well as to new business initiatives and emerging threats, and what can be done to mitigate risk.
Lastly, the role of the CISO has evolved from being a risk metrics presenter to a translator of risk to the business. Therefore, the expertise CISOs have developed in recent years in how to explain risk to the board makes them valuable contributors to these conversations. They can elevate the discussion to ensure deep understanding of the tradeoffs between growth and risk, enable more informed decision-making, and serve as guardrails for total business alignment.
The future belongs to the companies who are fastest and boldest in their adoption of technology as a competitive advantage. To best protect this future, we need technology and cybersecurity leaders on boards who understand and can translate the risk side of equations into successful business outcomes.
The post Why CISOs Make Great Board Members appeared first on SecurityWeek.
Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December 2022, the US Government Accountability Office (GAO) says in a new report.
Bad actors find themselves at a constant advantage. They can determine when, where, and how they will attack an enterprise, using time and patience to pick the moment they want to strike.