NSA publishes recommendations on maturing identity, credential, and access management capabilities to improve cyberthreat protections.
The post NSA Shares Guidance on Maturing ICAM Capabilities for Zero Trust appeared first on SecurityWeek.
ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.
The post ChatGPT Integrated Into Cybersecurity Products as Industry Tests Its Capabilities appeared first on SecurityWeek.
Microsoft and Mitre release Arsenal plugin to help cybersecurity professionals emulate attacks on machine learning (ML) systems.
The post New Tool Made by Microsoft and Mitre Emulates Attacks on Machine Learning Systems appeared first on SecurityWeek.
In this virtual summit, SecurityWeek brings together expert defenders to share best practices around reducing attack surfaces in modern computing.
The post Register Now: Attack Surface Management Summit – Feb. 22 appeared first on SecurityWeek.
About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.
SecurityWeek Cyber Insights 2023 | Attack Surface Management – Attack surface management (ASM) is an approach for delivering cybersecurity. IBM describes the attack surface as “the sum of vulnerabilities, pathways or methods – sometimes called attack vectors – that hackers can use to gain unauthorized access to the network or sensitive data, or to carry out a cyberattack.”
ASM requires “the continuous discovery, analysis, remediation and monitoring of the cybersecurity vulnerabilities and potential attack vectors that make up an organization’s attack surface. Unlike other cybersecurity disciplines, ASM is conducted entirely from a hacker’s perspective, rather than the perspective of the defender. It identifies targets and assesses risks based on the opportunities they present to a malicious attacker.”
ASM is consequently predicated on total visibility of assets, vulnerabilities, and exploits.
Attack surface management is not a new concept, notes Mark Stamford, founder and CEO at OccamSec. “As long as there has been a thing to attack, there has been an attack surface to manage (for example, the walls of a castle and the people in it).” The castle is a good analogy. If you can see the wall, you can attack it. You can batter it down, you can employ the original Trojan Horse to gain access through the front door, you can find a forgotten and unprotected entrance, or you can persuade an insider to leave a side gate unlocked.
For the defender, relying on the wall and being aware of any weak areas is not enough. People are also part of the attack surface, and the defender needs to have total visibility of the entirety of the attack surface and how it could be exploited. But the wall is a perimeter, and we no longer have perimeters to defend – or at least every single asset held anywhere in the world has its own perimeter.
“The attack surface,” continued Stamford, “is anything tied to an organization that could be a vector to get to a target. What this means in practice is all your applications that face the Internet, all the services (beyond applications) that are reachable, cloud-based systems, SaaS solutions you use (depending on what the bad guys’ target is), third parties/supply chain, mobile devices, IOT, and your employees. All of that and more is your attack surface and all of it needs to somehow be monitored for exposures and dealt with.”
The need for ASM, like other current approaches to cybersecurity (such as zero trust, which itself can be viewed as part of ASM), comes from the demise of a major defensible perimeter. Migration to the cloud, expanding business transformation, and remote working all add complexity to the modern infrastructure. If anything touches the internet, it can be attacked. Even the addition of new security controls that send data to and from the cloud add to the attack surface.
“The adoption of multi-cloud and hybrid cloud will continue to rise in 2023,” comments Aditi Mukherjee, director of product marketing management at Lacework. “As enterprises continue their cloud migration and digital transformation, they will realize that traditional approaches with siloed tools, rules-based policies, and disparate security data actually introduce more security risks, creating an expanded attack surface for bad actors.”
But ASM goes beyond the cloud alone. “The traditional attack surfaces are physical, digital and social,” explains Sam Curry, CSO Cybereason; “but digital really needs to be broken down into subdomains for classical environments and networks, legacy data centers, cloud infrastructure and the aggregate software-as-a-service topography.”
He doesn’t believe ASM will provide a complete answer, but is a solid doctrine for minimizing the exposure in each domain, giving least options and succor to attackers. “There are also key existing and emerging control planes around identity, application governance and data-centrism that need to be strongly protected and managed in a similar manner, even before thinking of the advanced techniques around obfuscation and deception.”
All security strategies, he says, should think about both reducing complexity in each attack surface and control plane, about gaining leverage in each, about reducing vulnerabilities and exposure in each and about how to bring the full security game to bear in each.
Attack surfaces will get more complex and more distributed throughout 2023; and effective ASM will be more complicated.
The complexity of the modern infrastructure makes the complete elimination of threats an impossible task. ASM is not about the elimination of all threats, but the reduction of threat to an acceptable level. It’s a question of risk management.
“The idea behind attack surface management is to ‘reduce’ the ‘area’ available to attackers to exploit. The more you ‘reduce the attack surface’ the more you limit and minimize attackers’ opportunities to cause harm,” says Christopher Budd, senior manager of threat research at Sophos.
He believes that ASM will be more challenging in 2023 because of the attackers’ increasingly aggressive and successful misuse of legitimate files and utilities in their attacks – living off the land – making the detection of a malicious presence challenging. “We can expect this trend to continue to evolve in 2023, making it more important that defenders update their detection and prevention tactics to counter this particularly challenging tactic,” he says.
Part of reducing risk comes from understanding what vulnerabilities exist within the infrastructure, and which of them are exploitable. Omer Gafni, VP surface at Pentera, reminds us that ASM looks at threats from the attacker’s perspective. To effectively reduce risk, you need to understand not only what vulnerabilities exist, but also which are exploitable and serve the hackers’ end goals.
“With the number of annual reported vulnerabilities now exceeding 20,000 per year, companies cannot remediate every alert, and need to become more surgical with their remediation strategies,” he says. “To achieve this, we will start to see a shift from a focus on vulnerability to exploitability. Companies will start to put a major emphasis on understanding which targets are most impactful from the hacker’s perspective, and therefore the most exploitable targets.”
CISA’s Known Exploited Vulnerabilities Catalog (the KEV list) can help here. Focusing remediation on exploited vulnerabilities is a key part of ASM, and the catalog is described by many as ‘CISA’s must patch list’. This list will continue to grow through 2023.
Pentesting and red teaming are also effective ways of locating exploitable vulnerabilities, but in the past, they have not been used effectively. “One of the most frustrating things as a pentester is when you return to organizations a year later and see the same issues as before,” says Ed Williams, director of Trustwave SpiderLabs EMEA. “There is no value to this for the clients. They are not maturing. In fact, they are regressing.”
But he expects an improvement – perhaps encouraged by the growing acceptance of ASM – in 2023. “I expect an unprecedented appreciation for how pentesting effectively exposes gaps in security, and this in turn will help to reinforce the importance of those all-important security basics. In 2023 I implore organizations to work with pentesters for the best, year on year result.”
Chad Peterson, MD at NetSPI, believes the nature and effectiveness of pentesting will evolve over 2023, “The attack surface has become more fluid, so you have to be able to scan for new assets and entry points continuously,” he says. “In 2023, organizations will combine traditional pentesting, which in many cases will still be required for regulatory needs, with the proactive approach of more continuous assessment of their attack surface. The result will be better awareness of the attack surface and more comprehensive traditional pentesting as there is more information about the true attack surface.”
Ben Johnson, CTO and co-founder of Obsidian, chooses SaaS. “2023 will be the year of SSPM [SaaS security posture management] and securing SaaS,” he says. “But for that to happen, we must continue educating organizations on the risks of SaaS. In doing so, organizations must ensure their left-of-boom teams (vulnerability management and GRC) are able to reduce SaaS risk while ensuring their right-of-boom teams (security operations, incident response, threat hunting) have continuous threat management capabilities.”
SaaS security has given organizations the ability to scale applied security, not just awareness. “Now is the time to distribute security hardening and operations to go with the distributed technology and distributed responsibility. As we know, the pandemic sped up the hybrid work model, and organizations that prioritized endpoint or public cloud security over the past couple years are now ready to secure SaaS and the modern workflow.”
Jonathan Lee, senior product manager at Menlo Security, focuses on the browser, which is possibly the biggest single threat surface. This is where users spend most of their time. “Vendors are now looking at ways to add security controls directly inside the browser,” he said. “Traditionally, this was done either as a separate endpoint agent or at the network edge, using a firewall or secure web gateway.”
The big players, Google and Microsoft, are also in on the act, providing built-in controls inside Chrome and Edge to secure at a browser level rather than the network edge, he added. “But browser attacks are increasing, with attackers exploiting new and old vulnerabilities, and developing new attack methods like HTTP smuggling. Remote browser isolation is becoming one of the key principles of zero trust security where no device or user – not even the browser – can be trusted.”
Noticeably, 2022 has already seen investor interest in startups developing secure browsers – such as Red Access and LayerX.
Ed Williams highlights a failure in using and accounting for the user – and uses ransomware as an example. “Cyber threats, including ransomware, will never be prevented by implementing shiny new products and solutions unless the underlying security issues are addressed. Therefore, in 2023,” he added, “I hope organizations shift their mindset away from feeling as though they need the latest tempting tech, and instead focus on consistently achieving the human-centric security basics. These basics include patching, strong passwords, and a detailed security policy.”
If ‘management’ is the key word in ASM, ‘visibility’ is the key enabler. You can only manage what you can see. “In 2023, organizations should embrace the mindset of empowering their teams with visibility into assets and relationships and overcoming data silos between AppSec, infrastructure, and data security teams,” suggests Erkang Zheng, founder and CEO at JupiterOne.
He recalls the words of John Lambert: “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers will win.” Attackers will win, especially if cybersecurity defenders cannot quickly understand graph-based relationships between data, networks, and user accounts in their own networks to limit the blast radius when they are under attack.
“Contextual intelligence is likely necessary to win in a threat vector where organizations face more complex, destructive, and irreversible threats than ever before,” he says. “This visibility and understanding are the primary benefits of attack surface management technologies and practices, along with secondary benefits such as compliance and evidence automation.”
Marcus Fowler, CEO of Darktrace Federal, has no doubt that ASM will be a top priority for organizations in 2023. The problem is the attack surface is never static; it’s constantly evolving with the level of risk changing daily. “Tracking down the full extent of the attack surface is not something that can be left to human resources. It requires real-time data from an AI engine taking a hacker’s approach,” he says. He believes that most organizations currently miss as much as 50% of their true attack surface.
“That’s where seeing AI take on the key ASM functions of discovery, assessment and prioritization, risk prevention and integration can expose the true level of exposed risk,” he added. “Only the automation and scalability of AI can provide the up-to-date, continuous copy of the internet that CISOs need to get a grip on the attack surface. Paired with AI’s unique understanding of an organization’s digital estate, you get an outside-in, inside-out risk management program that will be vital for the CISOs of tomorrow.”
Part of ASM is external attack surface management (EASM). Microsoft defines the external attack surface as “the entire area of an organization or system that is susceptible to an attack from an external source.” We should note that this excludes malicious or naive insiders, who should also be considered as part of a full ASM approach to cybersecurity. Nevertheless, there will be a growing number of EASM support systems released by security vendors during 2023. CrowdStrike, for example, announced in September 2022 that it would be buying EASM company Reposify, with an expectation to close during CrowdStrike’s fiscal third quarter.
“In response to evolving attack tactics and an expanded attack surface,” comments Karin Shopen, VP of cybersecurity solutions and services at Fortinet, “we expect a shift in the tools CISOs consider in 2023. When it comes to attack surface management, CISOs will shift from one-time assessments to constant and continuous early evaluation of their organization’s external attack surface. EASM solutions, which help provide organizations with an adversary’s view of their attack surface, will be at the top of their lists, as will machine learning and the use of seasoned threat hunters that offer takedown services.”
Furthermore, she added, “CISOs and security teams will more closely evaluate EASM solutions based on their ability to not only detect but prioritize and remediate threats using machine learning to help resource-depleted SOC teams.”
Chris Morales, CISO at Netenrich, describes his own approach. “I have one priority for 2023 – to be data driven for risk making decisions,” he says. “My commitment starting fiscal year 2023 is to be data driven with quantitative risk management practices. That means providing the business units with a dashboard and trending metrics to the state of assets, vulnerabilities and threats that comprise their attack surface. From this we can continually score threat likelihood and business impact to make informed decisions on where to best focus resources.”
It isn’t simple, but worth the effort. “Making this happen requires a tightly integrated security stack that shares data into a single aggregated data lake to threat model and answer questions.”
The concept is supported by Shira Shamban, CEO at Solvo. “In 2023, we are going to see a data-centric approach to cybersecurity emerge and grow,” she says. “At its core, cybersecurity is a problem of managing all the data, assets, and sensitive resources an organization has, and determining how to protect it. This sensitive data can often include PII, PHI or IP. This is the top concern for CISOs and security practitioners, so security approaches and products will begin to put data at the center, rather than focusing solely on the environments the data is in.”
Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on those areas of the IT infrastructure that can be attacked. There is no product that can provide ASM, but a growing number of products that can help. It requires complete visibility of all assets, and detailed knowledge of exploits so that assets can be protected. It is, like zero trust, a journey – one that is gaining traction and will gain more traction in 2023.
Mark Stamford describes the problem and offers his own route for the journey. “ASM tools produce a lot of noise that can send a security group down an endless number of rabbit holes. In the rush to simplify the problem everything gets reported on and all kinds of vulnerability data gets included. There’s usually some shoddy logic applied which seems to state if you have a lot of stuff facing the Internet you are more at risk, which piles further pressure on the security group. I’ve seen ASM tools which report on old SSL certs, low level vulnerabilities, all kinds of stuff that really, poses little to no risk.”
The route he proposes is to start by discovering all the assets, organizations, devices, and people that could create a problem. Then assess which could have a harmful impact. “A web server hosting some static pages in AWS, that connect to nothing, may cause a headache, but is probably not going to lead to a breach,” he says. “On the flip side, your Internet accessible financial system is a key component.”
Next assess how everything is connected – could an attacker get from A to B and cause an impact. “Draw a circle around that and start looking at how you protect it.” But importantly, “Accept that you don’t need to protect everything and move from there.”
The real problem, he concludes, is that data is everywhere. “This really does expand the attack surface, so you have to use a logical, risk-based approach which considers the context of your business – how you achieve what you are trying to achieve – and then protect it.”
About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.
Related: The Rise of Continuous Attack Surface Management
Related: Investors Bet on Cyberpion in Attack Surface Management Space
Related: IBM to Acquire Randori for Attack Surface Management Tech
Related: Attack Surface Management Play Censys Scores $35M Investment
The post Cyber Insights 2023: Attack Surface Management appeared first on SecurityWeek.
The world has been taught numerous life lessons over the last couple of years, but it’s clear that millions of people still haven’t learned one of the most basic when it comes to security. A report from NordPass has revealed that millions of people still haven’t broken the habit of using easy-to-remember, but easy-to-hack passwords. Of the 200 most common passwords, ‘password’ took the number one spot, but unfortunately for the more than four million people using it, it can be broken in less than a second. Other popular passwords included ‘guest’ and the ever-so-creative ‘123456’. When it comes to breaches, all roads still lead to identity. Hackers don’t hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the password dependency cycle. But how can this be done?
Typically, hackers seek the path of least resistance and target the weakest link in the cyber defense chain ― humans. Consequently, most of today’s data breaches are front-ended by credential harvesting campaigns, followed by credential stuffing attacks. Once inside, hackers can fan out and move laterally across the network, hunting for privileged accounts and credentials that help them gain access to an organization’s most critical infrastructure and sensitive data. In fact, a study by the Identity Defined Security Alliance (IDSA) reveals credential-based data breaches are both ubiquitous (94% of survey respondents experienced an identity-related attack) and highly preventable (99%).
Today’s economic climate exacerbates these cyber risks, and the impact of the COVID-19 pandemic has led to an acceleration in digital transformation and technical change that will further stress-test organizations’ dependency on passwords. This creates new challenges in minimizing access-related risks across traditional datacenters, cloud, and DevOps environments. As a result, organizations need to look beyond usernames and passwords when it comes to granting access to valuable data and critical systems. While employee education and training can help, what’s needed are additional measures to ensure secure access…which is what Zero Trust Network Access (ZTNA) provides.
ZTNA solutions create an identity- and context-based, logical access boundary around an application or a set of applications. Access is granted to users based on a broad set of factors, for instance, the device being used, as well as other attributes such as the device posture (e.g., if anti-malware is present and functioning), time/date of the access request, and geolocation. Upon assessing the contextual attributes, the solution then dynamically offers the appropriate level of access at that specific time. As there is a constant change in the risk levels of users, devices, and applications, access decisions are made for each individual access request.
Roadmap to Success
When it comes to implementing emerging technologies like ZTNA, it is always important to listen to the early adopters, as they can provide insights into key factors to success and help avoid pitfalls. Organizations that have recently adopted ZTNA report the following key factors were critical to their success:
While there are a variety of paths to break the dependency on passwords, ZTNA allows organizations to minimize their attack surface while ensuring the productivity of their remote workforce.
The post Password Dependency: How to Break the Cycle appeared first on SecurityWeek.
Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December 2022, the US Government Accountability Office (GAO) says in a new report.
Since 1997, the GAO has been regarding information security as a government-wide high-risk area and expanded it twice since: in 2003 to include critical cyber infrastructure and in 2015 to include the protection of personally identifiable information.
During this time, GAO performed assessments of the risks associated with the information technology systems of federal agencies and critical infrastructure (such as communications, energy, financial services, and transportation organizations) and recommended actions to improve their cybersecurity risks.
“Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them,” GAO notes.
GAO has now published the first in a series of four reports that bring into focus cybersecurity areas that need to be urgently addressed, starting with the need for a comprehensive cybersecurity strategy.
The White House and the National Security Council (NSC) issued a National Cyber Strategy and an Implementation Plan in 2018 and 2019, respectively, but GAO reported in 2020 that these do not address all desirable characteristics of national strategies (only three out of six characteristics were included).
While an Office of the National Cyber Director position was established and filled in 2021, a comprehensive national strategy has yet to be fully developed and implemented.
“We recommended that the National Security Council work with relevant federal entities to update cybersecurity strategy documents to include goals, performance measures, and resource information, among other things,” GAO notes.
Another area that the GAO has been looking into is federal agencies’ supply chain risk management practices. In 2020, out of 23 agencies reviewed, none had fully implemented all the seven foundational practices in the area and 14 had implemented none of these practices.
Despite that, agencies heavily rely on information and communications technology (ICT) products and services to conduct operations.
According to GAO, “implementing foundational practices for ICT supply chain risk management is essential to agencies addressing the risks of malicious actors disrupting mission operations, stealing intellectual property, or harming individuals.”
GAO’s new report also underlines the need for the Office of the National Cyber Director to address continuing cybersecurity workforce challenges, for federal agencies to improve the security of internet-connected devices – including Internet of Things (IoT) and operational technology (OT) devices – and for the federal government to address the risks associated with quantum computing and artificial intelligence (AI) technologies.
Related: US Offshore Oil and Gas Infrastructure at Significant Risk of Cyberattacks
Related: Over 12,000 Cyber Incidents at DoD Since 2015, But Incident Management Still Lacking
Related: U.S. Department of State Approves New Cyberspace Security Bureau
The post Majority of GAO’s Cybersecurity Recommendations Not Implemented by Federal Agencies appeared first on SecurityWeek.
The National Security Agency (NSA) has published guidance to help the Department of Defense (DoD) and other system administrators identify and mitigate cyber risks associated with transitioning to Internet Protocol version 6 (IPv6).
Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December 2022, the US Government Accountability Office (GAO) says in a new report.
Software engineers tracking the quality of software bill of materials have stumbled on a startling discovery: Barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.
