Briefly Briefed: Newsletter #9 (02/11/23)
Do you like scary movies?
This is week #9 of the extra-spooky Halloween edition of ‘Briefly Briefed:’ A hearty welcome to new subscribers, and many thanks to those who continue to read. I’ve been unwell this week, so please forgive any errata caused by much of this week’s edition being written in the wee hours of this morning.
My ‘if you only read two’ recommendations of the week are:
The Solarwinds vs. SEC saga! If you’re a US-based CISO, this will be especially sobering.
FIRST’s finalised publication of CVSS 4.0. It’s a timely opportunity to review what you use for vulnerability scoring and prioritisation, if you haven’t recently.
Until next time, Sidney.
Lawrence
Cyber Quote || Meme of the Week:
The Bletchley Declaration by Countries Attending the AI Safety Summit, 1-2 November 2023
Leaders from around the world met at the AI Safety Summit and issued the Bletchley Declaration. The declaration emphasises the transformative potential of Artificial Intelligence (AI), calling for its safe, human-centric, and responsible use. It acknowledges both the immense opportunities AI offers in areas like healthcare, education, and sustainable development, as well as the significant risks it poses, including in cybersecurity and biotechnology. A major focus is on 'frontier AI', which encompasses advanced general-purpose AI models that could potentially cause harm. The declaration calls for international cooperation to mitigate these risks and affirms that all stakeholders, including governments and private sectors, have roles to play in ensuring AI safety. The countries resolved to work inclusively, share scientific research, and meet again in 2024.
So What?
It’s great to see collaboration at an international level on AI. As we’ve seen with software security more generally, creators and vendors will rarely consider security without appropriate legislative intervention. In the case of AI, I’m hopeful, but still sceptical, as to whether safety and security will catch-up with functional innovation. International collaboration is especially important for new technology like AI, as the globalised economy means vastly different regulatory controls can stifle adoption and innovation. Let’s see where this goes.
SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures
The U.S. Securities and Exchange Commission (SEC) has charged Austin-based software firm SolarWinds and its CISO, Timothy G. Brown, with fraud and internal control failures. The charges relate to misleading investors about the company's cybersecurity measures from its 2018 IPO to its 2020 announcement of a cyberattack named "SUNBURST." Internal documents suggest that SolarWinds and Brown were aware of significant cybersecurity risks but failed to disclose these to investors, leading to accusations of fraud. Following the disclosure of the SUNBURST attack, SolarWinds’ stock price dropped significantly. The SEC seeks various penalties, including civil fines and an officer and director bar against Tim Brown. This case serves as a stern reminder for companies to be transparent about their cybersecurity risks and practices.
So What?
Yikes. As a CISO myself, this certainly makes me nervous (and happy to be based outside the U.S.) This is a clear message on personal accountability from the SEC for CISOs. This approach gives parity, in terms of accountability, to CISOs for information security in the same way that CFOs or CEOs are accountable for corporate finance. While that may be appropriate in terms of the CISO being the most senior ‘Cyber person’ in the business, in most organisations seniority and remuneration are not geared for this level of accountability. In a similar situation to Joseph Sullivan (the Uber CISO who served during the 2014 and 2016 breaches) there was proven wrongdoing. Both concealed issues where there should have been transparency. This was obviously caused by serious misjudgement by both individuals, although I don’t suppose to know the pressures (or potential coercions) that they were under in both instances. It does provide a few lessons though:
Never compromise your ethics.
Go on record when you feel the wrong course of action is being taken.
We need to work together to de-stigmatise CISOs who’re on watch during a breach (as we all know it’s inevitable during your career).
CISOs need a seat at the ‘big table’ if they’re subject to this level of personal risk and accountability.
Don’t accept or pursue cringey Cyber awards. It’s embarrassing enough to nominate yourself then campaign your friends and colleagues for votes, without something like this happening after being named CISO of the year.
Four dozen countries declare they won’t pay ransomware ransoms by AJ Vicens
A significant gathering of the International Counter Ransomware Initiative is on the horizon. Convened first by U.S. President Joe Biden in 2021, this year's focus is on information sharing, artificial intelligence, and blockchain analysis to combat ransomware. Most notably, member nations, including 48 countries, the European Union, and Interpol, are committing to a joint policy statement declaring they will no longer pay ransoms. This move has stirred controversy, yet aims to strike at the financial core of ransomware operations. The initiative will also share a blacklist of cryptocurrency wallets related to ransomware. While ransomware attacks are on the rise, the collective move aims to set a norm against paying ransoms and to intensify international actions against ransomware groups.
So What?
Another challenge for security teams! However, I believe this is likely the right course of action. There will be significant short-to-medium term pain for organisations hit by ransomware attacks, and what this means for Cyber insurance will be interesting. There will certainly need to be greater support for medium-sized businesses and small enterprises from Governments, as they’re currently a sweet spot for cyber criminals. Support will need to be offered at both the preventative and recovery side of the incident, in order to be effective. I foresee this being a protracted battle, as this is an ‘easy buck’ for threat actors, and there is a risk of organisations being tempted to conceal payments.
FIRST Officially Publishes Common Vulnerability Scoring System (CVSS v4.0)
FIRST has officially released CVSS version 4.0, a significant update to the Common Vulnerability Scoring System. The tool assesses the severity of security vulnerabilities, offering a numerical score and qualitative severity rating. The new version aims to provide higher fidelity in vulnerability assessment and introduces additional metrics, such as Automatable, Recovery, and Value Density. Notably, CVSS v4.0 is more applicable to OT/ICS/IoT environments. With refined base metrics and enhanced effectiveness in assessing specific security requirements, CVSS 4.0 is hoped [by FIRST] to be a 'game-changer'. It also introduces new nomenclature like CVSS-B (Base Score), CVSS-BT (Base + Threat Score), and others.
Additional links:
Specification: https://www.first.org/cvss/v4.0/specification-document
User Guide: https://www.first.org/cvss/v4.0/user-guide
Examples: https://www.first.org/cvss/v4.0/examples
FAQ: https://www.first.org/cvss/v4.0/faq
Calculator: https://www.first.org/cvss/calculator/4.0So What?
Vulnerability risk scoring and remediation prioritisation are hot areas right now. There are quite a few options emerging, which aim to supersede the incumbent and ubiquitous, CVSS. These include the likes of EPSS and SSVC.
Anecdotally, there seem to be two camps when it comes to CVSS. The ‘early rejectors’ and ‘the faithful’. I sit firmly in the first camp, and although there have been some great changes in 4.0, I think the standard is getting overly complex, to the point where you need to spend more time modelling than remediating. One of the key reasons CVSS became hated by those responsible for making prioritisation decisions, is that only the base score is automatable. This meant that there was a lack of context and large amounts of manual toil. Moreover, there’s a lack of context around exploitation likelihood through CTI, something that’s addressed by EPSS and initiatives like CISA’s KEV. Ultimately, organisations prioritised the wrong things. Notwithstanding these points, some organisations will find utility in the new standard and it’s horses for courses.
Confirmed: Palo Alto Networks buys Dig Security for $400M by Ingrid Lunden
Palo Alto Networks, a prominent U.S. security firm, has confirmed the acquisition of Dig Security, an Israel-based company. Although the official financial terms remain undisclosed, sources indicate a deal worth around $400 million. There's ongoing speculation about Palo Alto's second acquisition, Talon, which when combined with Dig, could sum up to a $1 billion investment for the firm. This acquisition is significant for Israel's tech landscape, especially given the prevailing political tensions and events. Amidst these, the tech sector, especially cybersecurity, plays a pivotal role in the country's economy. Dig Security specialises in data security posture management, assisting organisations in understanding their assets across various cloud environments. This acquisition will see Dig's offerings integrated into Palo Alto's Prisma business, focusing on cloud security. The partnership aims to enhance cloud security, especially with the rise of AI-enabled applications and the surge in data transfers to the cloud.
So What?
I wrote a longer article on what I think is playing out through some of these bigger acquisitions back in September. Suffice to say, this is another big swing from Palo Alto and probably a smart play. xSPM-as-a-service is the new
EDR MDR XDRmXDR, I’m calling it now!
State of the CISO: A global report on priorities, pain points, and security gaps by Salt Security
This survey and report investigates the transformation of the Chief Information Security Officer (CISO) role due to the digital-first economy. It covers how digitalisation has not only impacted security frameworks but also generated personal challenges for CISOs such as increased stress and litigation risks. The paper flags a critical issue: the security vulnerabilities around APIs (who would have guessed an API security company would reach this conclusion!), now deemed by Gartner as potential mega risks. With cybercriminals weaponising AI, CISOs find themselves in a race to adopt AI for good, to counterbalance these threats. The report also stresses that enhancing security is not solely the duty of the CISO; it requires attention from all C-level executives. The study is based on a sample of 300 CISOs from varied sectors and countries, collected in April 2023.
Key findings:
1. The Healthcare and Financial Services industries face the biggest security impact due to the rapid pace of digital transformation initiatives.
2. Almost half of CISOs worldwide have concerns that a security breach in their organisation may result in personal litigation and liability.
3. 78% of CISOs are prioritising API security more highly than two years ago, and 95% of CISOs say API security is a planned priority over the next two years.
4. The speed of AI adoption is the global development most impacting the CISO’s role.
5. 91% of CISOs say hiring of qualified cybersecurity talent remains a significant issue to deliver digital transformation initiatives.So What?
There’s nothing surprising in an API security company creating a report that shows API security is super important. However, there are some useful nuggets in this report and definitely some presentation and business case stats worth caching.
How To Build A Security Strategy in 13 Easy Steps by Jesper Johansson
The article outlines a 13-step approach to constructing an effective security strategy. Starting with the identification of business objectives, the article emphasises aligning security goals with the company's vision. From there, it navigates the complexities of risk assessment, emphasising its significance in prioritising threats. The author suggests regular updates to the strategy, ensuring it remains relevant in a dynamic threat landscape. By following these steps, businesses can fortify their defences, making them resilient to emerging challenges.
Unmanaged Or Non-Centralised Assets
Weak User Authentication
Over Privileged Users
Vendor And Other External Access
Unpatched Assets
Secrets Storage And Rotation
Non-ephemeral Infrastructure
Lack Of Outbound Traffic Restrictions
Improper Security Dependencies
Software Dependencies
Unnecessary Services Or Foot Print
First Party Software Security Controls
Lack Of Visibility
So What?
Not exactly a risk-based approach, but a good list of things to think about, with some sensible recommendations as to how they can be achieved.
Understanding Malicious Cyber Activity in the United Kingdom by GreyNoise Labs
The post investigates the nature of malicious cyber activity targeting and originating from the United Kingdom. Utilising their “planetary-scale sensor network”, the researchers observed nearly 600,000 malicious exploitation attempts against U.K. IPs, alongside 8,293 attacks coming from the U.K. The most malicious traffic originates from ISP networks, and alarmingly, mobile networks are the third most common source. The Mirai botnet tops the list for malicious activity, being a constant threat to unsecured systems. The report concludes with a nod to the U.K.'s cybersecurity measures, as only 3.4% of inbound malicious attempts were U.K.-specific, suggesting effective national cyber defence mechanisms.
So What?
Some useful high-level numbers for UK-based cyber folks. GreyNoise produce similar reports for other countries, which can be found here.
How to Banish Heroes from Your SOC? by Anton Chuvakin
The blog addresses the pitfalls of relying on 'heroism' in a Security Operations Centre (SOC). Heroism, defined here as individuals compensating for systemic issues, often leads to unsustainable and inefficient operations. Examples include analysts working extended hours and ad-hoc solutions to systemic problems. The author argues for moving from an 'artisanal' approach, dependent on individual heroics, to an 'industrial' system that prioritises automation, consistent processes, and a systematic approach. The key takeaway is that it's better to let a flawed process break to reveal systemic issues, rather than depending on individuals to constantly patch holes. A call to action is made for SOCs to 'de-heroise' and adopt more scalable, sustainable methods.
So What?
I don’t believe this is new thinking, as there are analogues to various other fields, and (IMO) this is standard feature of human systems when left unchecked. Hero-driven development is likely the architype of this in the tech world. However, Anton does make a great point in identifying this in SOCs. There is a broader scaling issue that creates these sorts of dynamics, and this is often compounded with businesses pushing to ‘do more with less’ and failing to invest in automation.
Detecting and annoying Burp users by Julien Voisin
An older post that’s been trending again recently, but is still relevant. The post outlines techniques for disrupting the use of BurpSuite, a popular application security (and hacking) tool that works by intercepting and modifying HTTP requests.
So What?
This sort of active defence has been discussed for some time, I think it’s really useful and I’m glad this particular post is doing the rounds again. This has largely evolved into ‘deception tech’, although it’s fallen out of favour somewhat of late. My favourite talk on this topic is Chris John-Riley’s at DEFCON back in 2013, it’s still relevant and contains some solid logic.
The 2023 OWASP Global Board election has been finalised
Although it will not be publicly announced until next week, an email was sent to the OWASP mailing list, confirming that the following people have been elected to the Global Board:
Steve Springett
Sam Stepanyan
Kevin Johnson
Avi Douglen
So What?
Congratulations to those elected!
For those who haven’t been following the this year’s OWASP drama, it started with an open letter, signed by a number of prominent members calling for significant change. OWASP responded, but it wasn’t emphatic enough, causing Mark Curphey (one of the founders) to step down and subsequently Glenn Cate to be removed from the board. This triggered a migration of a number of members to join the newly formed Software Security Project under the Linux Foundation. Shortly after, one of the flagship project (OWASP ZAP) announced they were moving over to the SSP also. Let’s see how this pans out, and whether there is room for an OWASP competitor.