A machine learning bill of materials (MLBOM) framework can bring transparency, auditability, control, and forensic insight into AI and ML supply chains.

Source: Cagkan Sayin via Alamy Stock Photo

COMMENTARY

The days of large, monolithic apps are withering. Today's applications rely on microservices and code reuse, which makes development easier but creates complexity when it comes to tracking and managing the components they use. 

This is why the software bill of materials (SBOM) has emerged as an indispensable tool for identifying what's in a software app, including the components, versions, and dependencies that reside within systems. SBOMs also deliver deep insights into dependencies, vulnerabilities, and risks that factor into cybersecurity.

An SBOM allows CISOs and other enterprise leaders to focus on what really matters by providing an up-to-date inventory of software components. This makes it easier to establish and enforce strong governance and spot potential problems before they spiral out of control.

Yet in the age of artificial intelligence (AI), the classic SBOM has some limitations. Emerging machine learning (ML) frameworks introduce remarkable opportunities, but they also push the envelope on risk and introduce a new asset to organizations: the machine learning model. Without strong oversight and controls over these models, an array of practical, technical, and legal problems can arise. 

That's where machine learning bills of materials (MLBOMs) enter the picture. The framework tracks names, locations, versions, and licensing for assets that comprise an ML model. It also includes overarching information about the nature of the model, training configurations embedded in metadata, who owns it, various feature sets, hardware requirements, and more.

**Why MLBOMs Matter**

CISOs are realizing that AI and ML require a different security model — and the underlying training data and models that run them are frequently not tracked or governed. An MLBOM can help an organization avoid security risks and failures. It addresses critical factors like model and data provenance, safety ratings, and dynamic changes that extend beyond the scope of SBOM.

Because ML environments are in a constant state of flux and changes can take place with little or no human interaction, issues related to data consistency — including where it originated, how it was cleaned, and how it was labeled — are a constant concern.

For example, if a business analyst or data scientist determines that a data set is poisoned, the MLBOM simplifies the task of finding all the various touch points and models that were trained with that data. 

**MLBOMs Can Elevate Protection**

Transparency, auditability, control, and forensic insight are all hallmarks of an MLBOM. With a comprehensive view of the "ingredients" that go into an ML model, an organization is equipped to manage its ML models safely.

Here are some ways to build a best practice framework around an MLBOM:

*   Recognize the need for an MLBOM: It's no secret that ML fuels business innovation and even disruption. Yet it also introduces significant risks that can extend to reputation, regulatory compliance, and legal issues. Having visibility into ML models is critically important.
    

*   Conduct essential due diligence: An MLBOM should integrate with the CI/CD pipeline and deliver a high level of clarity. Support for standard frameworks like JSON or OWASP's CycloneDX can unify SBOM and MLBOM processes.
    

*   Analyze policies, processes, and governance: It's essential to sync an MLBOM with an organization's workflows and business processes. This increases the odds that ML pipelines will work as intended, while minimizing risks related to cybersecurity, data privacy, compliance, and other risk-associated areas.
    

*   Use an MLBOM with machine learning gates: Rigorous controls and gateways lead to essential AI and ML guardrails. In this way, the business and the CSO can build on successes and harness ML to unlock greater cost savings, performance gains, and business value.
    

Machine learning is radically changing the business and IT landscape. By extending proven SBOM methodologies to ML through MLBOMs, it's possible to take a giant step toward boosting machine learning performance and protecting data and assets.

**About the Author(s)**

CISO, Protect AI

Diana Kelley is CISO for Protect AI. She was Cybersecurity Field CTO for Microsoft, Global Executive Security Advisor at IBM Security, GM at Symantec, VP at Burton Group (now Gartner), a Manager at KPMG, CTO and co-founder of SecurityCurve, and Chief vCISO at SaltCybersecurity.

Why MLBOMs Are Useful for Securing the AI/ML Supply Chain

Phony call center company conducted online fraud and other Internet scams.

Source: JJ Gouin via Alamy Stock Photo

Law enforcement in Zambia this week raided a Chinese company that hired unsuspecting young Zambian citizens purportedly for positions at a call center that instead was a front for cybercrime and money laundering.

The so-called Golden Top Support services company directed the employees "with engaging in deceptive conversations with unsuspecting mobile users across various platforms such as WhatsApp, Telegram, chatrooms and others, using scripted dialogues," Nason Banda, director general of Zambia's Drug Enforcement Commission (DEC) told the BBC, which reported on the case. The DEC, law enforcement, immigration, and anti-terrorism units assisted in the investigation and arrests at the shell company.

A recent rise in bank fraud in Zambia raised alarms and led authorities there to investigate and ultimately raid the company. Banda said the "illicit operations extended beyond Zambia's borders," including victims in Singapore, Peru, the United Arab Emirates (UAE), and other parts of Africa.

Authorities found some 13,000 SIM cards, 11 SIM boxes for disguising the caller's location, and firearms, and 22 Chinese citizens were arrested. Banda said Zambian workers were charged and release in order to cooperate in the investigation.

**About the Author(s)**

Zambia Busts 77 People in China-Backed Cybercrime Operation

Following the Volt Typhoon attacks on critical infrastructure in the region by China, the US reportedly will share cybersecurity threat information with both countries.

Source: Viacheslav Lopatin via Shutterstock

The US, Japan, and the Philippines reportedly will join forces in cybersecurity defense with a strategic cyber threat-sharing arrangement in the wake of rising attacks by China, North Korea, and Russia.

The initiative will launch during high-level trilateral talks between US President Joe Biden, Japanese Prime Minister Fumio Kishida, and Philippine President Ferdinand Marcos Jr. during a trilateral summit in Washington this week, according to the English-language version of the Nihon Keizai Shimbun. The cyber alliance comes on the heels of Volt Typhoon, a group of cyberattackers linked to China's military, targeting critical infrastructure networks in the Philippines and US territories in the region.

Over the past three months, the number of cyberattack attempts against national government agencies in the Philippines has increased 20% week over week, according to data from Trend Micro shared with Dark Reading. 

"Traditional US allies in Asia — Japan, Taiwan, Philippines — are of high interest to Chinese-aligned attackers," says Robert McArdle, director of forward-looking threat research with the cybersecurity firm. "There has been an increase in tensions in the region recently as well as important political events including presidential elections that China maintains interest in."

The cybersecurity concerns come as geopolitical tensions have ratcheted up in the region. China has both expanded its military presence, especially with its claims to large sections of the South China Sea — as far away as 1,000 km from its mainland and encroaching on Philippines territory. The military buildup has been matched by increases in cyberattacks by Chinese state-sponsored actors, such as Mustang Panda, which compromised a Philippines government agency last year. The widespread Volt Typhoon attacks have claimed critical infrastructure networks in the Philippines, US, UK, and Australia.

**Philippines at Risk**

The dispute over the South China Sea comes at a time when the Philippines has seen significant growth in its technology development and business sectors and increased urbanization and Internet access, says Myla Pilao, director for technical marketing for Trend Micro, who works in the company's Manila office.

"This growth path, \[however\], also presents challenges including service reliability, workforce skills shortages, and data/privacy management issues \[that\] make the Philippine ecosystem a more vulnerable target," she says.

With greater reliance on the Internet and technology comes greater cyber threats. Last May, Microsoft warned that Volt Typhoon, an advanced persistent threat (APT) group linked to China's military, had infiltrated critical-infrastructure networks, possibly as a way to pre-position cyber-operations teams in foreign networks prior to an outbreak in hostilities.

Volt Typhoon is a severe threat to critical infrastructure in the region, raising the priority of information sharing, says Lisa J. Young, an APAC intelligence officer with the Financial Services Information Sharing and Analysis Center (FS-ISAC).

"This trilateral agreement specifically calls out cyber threats targeting critical infrastructure," she says. "As the nature of warfare evolves, tactics increasingly incorporate an online element through cyber-attacks and mis- \[or\]disinformation campaigns, with an increasingly fragmented array of actors. Governments are working to adapt by incorporating both defensive and offensive cyber capabilities."

**US "Hunt Forward" Initiative**

The cyber agreement with the Philippines is not a new strategy: The United States and Japan already have entered into trilateral talks with South Korea in July and August, when the three governments agreed to consult on regional threats and share data on foreign information-manipulation. Japan and South Korea also have joined NATO's Cooperative Cyber Defense Center of Excellence (CCDCOE) in 2018 and 2022, respectively, where allies regularly share cyber threat intelligence.

The trilateral agreements with South Korea and the Philippines are aligned with a part of the US strategy known as "Hunt Forward," where the US Cyber Command deploys military cybersecurity specialists to allies to hunt for malicious cyber activity. So far, more than two dozen allies have hosted Hunt Forward teams, and their deployment will likely raise tensions, Jason Bartlett, a research associate in the Atlantic Council's Energy, Economics, and Security for a New American Security group, said in an analysis in August.

"Incorporating 'Hunt Forward' operations within US cyber strategy with allies in the Indo-Pacific will most likely agitate already sensitive ties between Southeast Asia and China, but the United States needs to increase its cyber presence in the region due to its constant exposure to illicit cyber activity," Bartlett said. "Numerous state-sponsored hackers, especially from North Korea, have operated from within Southeast Asia and other regions in the Indo-Pacific for years with little punitive backlash from local and national governments."

The trilateral agreement tackles both cybercrime — especially from North Korea — and nation-state cyberattacks from China, Russia, and North Korea, and works towards isolating bad actors in China, says FS-ISAC's Young.

"This joint framework among the US, Japan, and the Philippines is a step towards strengthening cyber defenses, mitigating potential attacks, and shoring up supply chains to reduce dependence on China," she says. "Information sharing across the public and private sectors remains that best way to ensure collective protection of critical infrastructure sectors against the evolving threat landscape."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Japan, Philippines &amp; US Forge Cyber Threat Intel-Sharing Alliance

Much of the open source code embedded in enterprise software stacks comes from small, under-resourced, volunteer-run projects.

Source: Juliana\_haris via Shutterstock

The recent discovery of a backdoor in the XZ Utils data compression utility — present in nearly all major Linux distributions — is a stark reminder that organizations who consume open source components ultimately own responsibility for securing the software.

XZ Utils, like thousands of other open source projects, is volunteer-run and, in its case, has a single maintainer managing it. Such projects often have little to no resources for handling security issues, meaning organizations use the software at their own risk. That means security and development teams must implement measures for managing open source risk the same way they do with internally developed code, security experts say.

"While it's unlikely an organization can effectively prevent \[all\] exposure to supply chain risks, organizations can absolutely focus on a strategy to reduce the probability that a supply chain attack is successful," says Jamie Scott, founding product manager at Endor Labs.

Open source is not the same as outsourcing: "Open source maintainers of software are volunteers. At an industry level, we need to treat them as such. We own our software; we are responsible for the software we re-use."

**Well-Intentioned, Under-Resourced**

Concerns over open source software security are by no means new. But it often takes discoveries like the Log4Shell vulnerability and the backdoor in XZ Utils to really drive home just how vulnerable organizations are to components in their code. And often, the code comes from well-intentioned yet hopelessly under-resourced open source projects that are minimally maintained.

XZ Utils, for instance, is essentially a one-person project. Another individual managed to sneak the backdoor into the utility over a nearly three-year period, by gradually gaining enough trust from the project maintainer. If a Microsoft developer had not chanced upon it in late March when investigating odd behavior associated with a Debian installation, the backdoor might well have ended up on millions of devices globally — including those belonging to large corporations and government agencies. As it turned out, the backdoor had minimal impact because it affected versions of XZ Utils that were only present in unstable and beta versions of Debian, Fedora, Kali, open SUSE, and Arch Linux.

The next such open source code compromise could be far worse. "The scariest part for enterprise organizations is that their applications are built on top of open source software projects just like XZ Utils," says Donald Fischer, co-founder and CEO of Tidelift. "XZ Utils is one package of tens of thousands that are in use every day by typical enterprise organizations," he says.

Most of these organizations lack sufficient visibility into the security and resilience of this part of their software supply chain to be able to evaluate risk, he notes.

A recent Harvard Business School study estimated the demand-side value of open source software to be an astonishing $8.8 trillion. Maintainers are at the core of this ecosystem and many of them are flying solo, Fischer says. A survey conducted by Tidelift last year found 44% of open source project maintainers describe themselves as the sole maintainers of their projects. Sixty percent identified themselves as unpaid hobbyists, and the same percentage said they have either quit or have considered quitting their roles as project maintainers. Many maintainers described their efforts as stressful, lonely, and financially unrewarding work, Fischer says.

"The XZ utils hack brings into stark relief the risks of under-investing in the health and resilience of the open source software supply chain \[that\] enterprise organizations rely on," Fischer says. "Enterprise organizations need to realize that the majority of the most relied-upon open source packages are maintained by volunteers who describe themselves as unpaid hobbyists. These maintainers are not enterprise suppliers but are expected to work and deliver like them."

**Danger: Transitive Dependencies**

A study that Endor conducted in 2022 found that 95% of open source vulnerabilities are present in so-called transitive dependencies, or secondary open source packages or libraries that a primary open-source package might depend upon. Often, these are packages that developers don't directly select themselves but are automatically employed by an open source package in their development project.

"For example, when you trust one Maven package, on average there are an additional 14 dependencies you implicitly trust as a result," Scott says. "This number is even larger in certain software ecosystems such as NPM where you on average import 77 other software components for every one you trust."

One way to start start mitigating open source risks is to pay attention to these dependencies and be selective about what projects you choose, he says.

Organizations should vet dependencies, especially the smaller, one-off-packages, manned by one- and two-person teams, adds Dimitri Stiliadis, Endor's CTO and co-founder. They should determine if dependencies in their environment have proper security controls or if a single individual commits all code; whether they have binary files in their repositories that no one knows about; or even if someone is actively maintaining the project at all, Stiliadis says.

"Focus your efforts on improving your response effectiveness — foundational controls such as maintaining a mature software inventory remains one of the highest value programs you can have in place to quickly identify, scope, and respond to software risks once they're identified," Scott advises.

Software-composition analysis tools, vulnerability scanners, EDR/XDR systems, and SBOMs can also all help organizations quickly identify vulnerable and compromised open source components.

**Acknowledging the Threat**

"Mitigating exposure starts with shared understanding and acknowledgement in the C-suite and even at the board level that roughly 70% of the ingredients of the average software product are open source software historically created by mostly uncompensated contributors," Tidelift's Fischer says.  

New regulations and guidelines in the financial services industry, the FDA, and NIST will shape how software is developed in the years ahead and organizations need to prepare for them now. "Winners here will quickly adapt from a reactive strategy to a proactive strategy to managing open source-related risk," he says.

Fischer recommends that organizations get their security and engineering teams to identify how new open source components come into their environment. They should also define roles for monitoring these components and proactively remove ones that don't fit the company's risk appetite. "Reacting to late stage problems has become an ineffective way to deal with the scale of the risk to the business over the last several years, and the US Government is signaling that era is coming to an end," he says.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

XZ Utils Scare Exposes Hard Truths About Software Security

PRESS RELEASE

FORT MEADE, Md. – Dave Luber began as the National Security Agency’s (NSA) new Director of Cybersecurity on April 1. As the new Cybersecurity Director, he oversees NSA’s Cybersecurity Directorate (CSD), whose critical mission is to prevent and eradicate cyber threats to the Department of Defense, National Security Systems, and the Defense Industrial Base.

“I am honored to take the helm as the Director of Cybersecurity at NSA,” Luber said. “I look forward to building on the outstanding accomplishments of our team, and continuing to work with partners across the community.”

Luber’s wealth of experience and impressive diversified portfolio made him uniquely qualified to fill this critical role for NSA and the nation. Luber served for over 37 years in myriad roles to include NSA’s Deputy Director of Cybersecurity; Executive Director (EXDIR) for U.S. Cyber Command (USCYBERCOM), the highest-ranking-civilian and third-in-command at USCYBERCOM; Director of NSA Colorado; Program Director within the Office of the Under Secretary of Defense for Intelligence; and Chief of NSA’s Remote Operations Center, Tailored Access Operations, and Computer Network Operations.

Luber succeeds Rob Joyce, who retired after 35 years of service to NSA. Joyce took on the role of director of the NSA’s Cybersecurity Directorate (CSD) in 2021. He led CSD’s mission to prevent and eradicate threats to National Security Systems and critical infrastructure, and oversaw the expansion of strong partnerships across the U.S. Government, Defense Industrial Base, industry, allies, and academia.

Luber’s impressive career history and commitments to keeping cybersecurity transformational, advancing the awareness of new capabilities and capacities, and growing the next generation of critical cybersecurity professionals will elevate NSA’s performance and partnerships.

You May Also Like

National Security Agency Announces Dave Luber As Director of Cybersecurity

PRESS RELEASE

MIAMI, April 8, 2024/PRNewswire/ -- MedSec, a leading medical device security services firm, announced today it is expanding its service offerings to include a hospital cybersecurity service called Hospital Roadmap to Resilience Program SM. The program is designed to support resource-constrained hospitals on their cybersecurity journey. 

Hospitals are experiencing increased pressure to address cybersecurity. To deal with the growing number of hospitals and patients impacted by cybersecurity attacks, the U.S. Department of Health and Human Services (HHS) recently announced voluntary cyber performance goals. HHS is also evaluating how to tie reimbursement to achieving specific cybersecurity capabilities. 

"Patient safety is the top priority for hospitals. One aspect of patient safety involves taking actions to protect against cybersecurity threats," says Debra Bruemmer, senior director of clinical security, MedSec. "Many hospitals lack a meaningful cybersecurity program to protect patients from malicious cybersecurity events. This is primarily due to a lack of qualified people and funding to create and run the program. Our program can help solve that problem."

Core elements of the Hospital Roadmap to Resilience ProgramSM: 

*   Leverage established best practices to build a foundational cybersecurity program based on policy, process, and procedure.
    
*   Assess existing tools for unused functionality that can be leveraged for security purposes. 
    
*   Invest in an appropriate, new tool. 
    

"The Hospital Roadmap to Resilience ProgramSM positions hospitals to make informed risk decisions, know assets and recovery needs, and manage basic network risks," said Michelle Jump, MedSec CEO. "Ultimately helping hospitals create a practical and effective security program they can maintain even without senior security staff."

Bruemmer noted, "Hospitals want to do the right thing and address cybersecurity, but many simply can't. MedSec is approaching the problem differently. The Hospital Roadmap to Resilience ProgramSM provides an actionable set of foundational policies, processes, and procedures aligned to meet industry best practices. The program gives resource-constrained hospitals a roadmap to accelerate their journey toward being more cyber secure and protecting their patients."

About MedSec, LLC

Most cybersecurity companies work in a variety of industries. MedSec is different, focusing exclusively on medical devices and healthcare. We provide healthcare delivery organizations and medical device manufacturers with a holistic knowledge of cybersecurity - including technical expertise, regulatory guidance, implementation, and technical services for medical device manufacturers. To connect with our subject-matter-experts, email \[email protected\] or visit us at www.medsec.com.

You May Also Like

MedSec Launches Cybersecurity Program For Resource-Constrained Hospitals

PRESS RELEASE

NEW YORK, April 10, 2024 – Cloud security leader Wiz has announced the acquisition of New York-based startup Gem Security. With a valuation of $10 billion and $900 million raised to date, Wiz aims to add to its Cloud Native Application Protection Platform (CNAPP) with Gem's technology. The acquisition advances Wiz’s Cloud Detection and Response (CDR) capabilities, and also demonstrates Wiz’s commitment to consolidation: as organizations push to combat tool sprawl, siloes, and visibility gaps, Wiz is building the world’s go-to platform for protecting everything organizations build and run in the cloud.  

Founded in 2022, Gem transforms how organizations approach detection and response in the cloud with a real-time CDR (Cloud Detection and Response) solution that shortens the time to investigate and contain cloud-native threats. In contrast to static industry solutions lacking real-time monitoring capabilities, the company’s technology centralizes real-time visibility into multi-cloud environments and provides automated incident timelines to understand the root causes of cloud breaches. With $34 million raised to date from Team8, Notable Capital (formerly GGV Capital), IBM Ventures, Cisco Investments and Silicon Valley CISO Investments (SVCI) Gem's employees will be joining Wiz, and the company's co-founders (CEO Arie Zilberstein, CTO Ron Konigsberg, and VP Product Ofir Brukner) will join the Wiz executive team. 

This is Wiz's second acquisition since its inception in 2020, after the company acquired Raftt, a cloud-based developer collaboration platform, in December. New York-based Wiz is considered the world's fastest-growing startup, recently announcing that it has reached $350 million in ARR, with over 40% of the Fortune 100 as customers. The company previously expressed interest in pursuing M&A opportunities as part of its mission to build a holistic cloud security platform catering to a wide array of industry needs. Wiz is now targeting $1 billion in revenue, ahead of a potential Wall Street IPO. 

“Consolidation is the future of the security industry. With cloud infrastructure growing at an accelerated pace, not to mention the broad adoption of AI applications, the world’s largest organizations require consolidated, cloud-native security platforms to effectively address a wide and ever-changing range of security needs,” said Assaf Rappaport, Co-Founder and CEO, Wiz. “The acquisition of Gem brings the industry’s leading CDR to Wiz. Coupled with our CNAPP, which customers have ranked number one, we’re creating a powerful real-time solution for SOC and Cyber Defense teams to combat emerging threats and building the world’s leading cloud security platform.” 

"Since our inception two years ago, Gem has been revolutionizing the way organizations approach security operations in the cloud," said Arie Zilberstein, Co-Founder & CEO of Gem Security. "Together with Wiz, we're thrilled to deliver even more value to security operations teams around the world as part of Wiz's industry-leading platform. We look forward to joining the team and embarking on a new chapter of Gem's growth journey with Wiz." 

For more information, visit https://www.wiz.io/blog.

About Wiz

Wiz secures everything organizations build and run in the cloud. Founded in 2020, Wiz is the fastest-growing software company in the world. Wiz enables hundreds of organizations worldwide, including 40 percent of the Fortune 100, to rapidly identify and remove critical risks in cloud environments. Its customers include Salesforce, Slack, Mars, BMW, Avery Dennison, Priceline, Cushman & Wakefield, DocuSign, Plaid, and Agoda, among others. Wiz is backed by Sequoia, Index Ventures, Insight Partners, Salesforce, Blackstone, Advent, Greenoaks, Lightspeed and Aglaé. Visit https://www.wiz.io for more information.

Wiz Acquires Gem Security to Expand Cloud Detection and Response Offering

Prioritizing security and user experience will help you build a robust and reliable authentication system for your business.

Source: Tomasz Zajda via Alamy Stock Photo

Authentication protocols serve as the backbone of online security, enabling users to confirm their identities securely and access protected information and services. They define how claimants (users trying to access a digital service) and verifiers (the entities authenticating them) communicate. The protocols exchange information to verify the validity of the authentication service and confirm that the claimant possesses the appropriate token to authenticate their identity.

With myriad authentication protocols available, however, selecting the appropriate one for your organization can be daunting. Following are the key authentication protocols, along with insights into choosing the right one for your business needs.

Each authentication protocol offers unique features tailored to specific use cases and security requirements. If you're trying to figure out which one is best for your business, consider these four authentication protocols and their potential use cases.

OAuth/OpenID Connect (OIDC): OAuth, primarily designed for authorization, allows users to grant third-party applications limited access to their private resources without revealing their credentials. You might consider using OAuth from providers such as Google and GitHub to prioritize quick user registrations while getting validated information.

OpenID Connect (OIDC) is an open standard that builds on OAuth by providing authentication capabilities using an ID token to verify user identity securely. OIDC suits scenarios in which interoperability and user authentication across multiple systems are crucial, such as in federated identity management systems.

Both OAuth and OpenID Connect are widely adopted, allowing for interoperability between different systems, and they let users authenticate once to use the same credentials across multiple services. OAuth and OpenID Connect are, however, susceptible to phishing attacks and token theft if not implemented securely.

Security Assertion Markup Language (SAML): SAML is an XML-based standard for exchanging identity information between the user, the identity provider (IdP), and the service provider (SP). SAML offloads authentication responsibilities to specialized IdPs, reducing the burden on SPs and enhancing security. SAML works best for single sign-on (SSO) authentication in enterprise environments, where centralized authentication and access control are essential.

SAML supports use cases like identity federation, but SAML configurations can be complex and require careful management. SAML's reliance on XML may also introduce complexity owing to it being an older format than more modern ones, like JSON.

FIDO2/WebAuthn: FIDO2 is an open standard for passwordless authentication that relies on registered devices or hardware security keys to verify user identities. WebAuthn, a component of FIDO2, enables passwordless authentication through possession-based and biometric methods. You may want to consider WebAuthn for consumer-facing applications and mobile-first experiences, leveraging native device capabilities for seamless and secure authentication.

Passkeys, which are cross-device credentials based on the WebAuthn standards, have been implemented in several large organizations like Google, Apple, Shopify, Best Buy, TikTok, and GitHub over the past few years. Success stories from early adopters and increased awareness among end users are sure to continue driving adoption in the years to come.

FIDO2 and WebAuthn provide strong security against phishing and other attacks — because they don't rely on shared secrets like passwords — and a user-friendly experience, because users don't need to remember complex passwords. That said, FIDO2 and WebAuthn aren't compatible with all devices and browsers; current support gaps might make these protocols cumbersome for some users.

Time-Based One-Time Password (TOTP): TOTP generates single-use passcodes based on a shared secret key and the current time, often providing an additional layer of security in multifactor authentication (MFA) setups. TOTP supports both hardware tokens and software-based authenticator applications. You should consider TOTP for various authentication scenarios that require enhanced security.

TOTP provides an additional layer of security beyond a password, as the code changes frequently and is tied to the specific device generating it. TOTP does, however, require the user to have a separate device to generate the codes, and it doesn't protect against phishing if the user is tricked into handing the code over to the attacker.

**Factors in Selecting an Authentication Protocol**

It's easy to generalize which of the above four protocols you should use. Business applications targeting enterprises should use SAML because of its robust SSO capabilities and centralized authentication management. Consumer and mobile applications should pick WebAuthn/passkeys to provide a seamless and secure authentication experience that leverages native device features, like biometrics.

That said, each business has unique requirements, and it's not always best to generalize. Here are some factors to keep in mind when choosing an authentication protocol:

1.  Security levels: Prioritize protocols that offer robust security measures to safeguard user data and prevent unauthorized access.
    
2.  Integration: Choose protocols that seamlessly integrate with your existing infrastructure to streamline implementation and maintenance processes.
    
3.  Scalability: Ensure that the selected protocol can accommodate your organization's growth and an increasing user base without compromising performance or security.
    
4.  Authentication method: Consider the authentication methods your users prefer and select protocols that align with their expectations and UX preferences.
    

Choosing the right authentication protocol is critical for maintaining the security and trust of your users. By understanding the features and use cases of different protocols and considering factors such as security, integration, scalability, and user experience, you can select the most suitable protocol for your organization's needs.

**About the Author(s)**

Meir Wahnon is a co-founder at Descope, a drag-and-drop customer authentication and identity management platform. Before Descope, Meir served as senior director of engineering at Palo Alto Networks after the acquisition of Demisto, where he was part of the founding team. Meir is passionate about open source, no-code / low-code platforms, and ML. In his spare time, Meir likes to try out new Michelin-star restaurants around the world.

Selecting the Right Authentication Protocol for Your Business

Agency encourages broader use of encryption, data-loss prevention, as well as data rights management to safeguard data, networks, and users.

Source: Brain Light via Alamy Stock Photo

The National Security Agency has published its latest guidance for organizations interested in moving toward a zero-trust cybersecurity framework, with a particular focus on stopping unauthorized access to data both in transit and in storage.

NSA recommendations include the use of encryption, tagging, labeling, data-loss prevention strategies, and data rights management tools. The NSA suggestions are intentionally aligned with zero-trust frameworks to help government agencies and enterprises defend against increasingly sophisticated cyberattacks.

"Malicious cyber actors continuously increase their ability to infiltrate networks and gain access to sensitive data," Dave Luber, the NSA's director of cybersecurity, said in a statement about the latest round of NSA zero-trust advisories. "Assuming that breaches will occur, implementing the pillars of the zero-trust framework is how we combat that activity."

This focus on what the NSA in its report calls the "data pillar" is the continuation of the agency's development of zero-trust best practices, begun when it first released "Embracing a Zero Trust Security Model" in February 2021.

Just last month, the NSA updated its guidelines for implementing zero trust, which drew a distinction between macro- and microsegmentation of networks. Macrosegmentation is intended for workgroups and departments; micro-segmentation separates traffic even further so that not all users have the same access rights — a bid to reduce an organization's attack surface.

**About the Author(s)**

NSA Updates Zero-Trust Advice to Reduce Attack Surfaces

It's finally happening: Rather than just for productivity and research, threat actors are using LLMs to write malware. But companies need not worry just yet.

Source: Ole.CNX via Shutterstock

Researchers from Proofpoint recently observed a malicious campaign targeting dozens of organizations across various industries in Germany. One part of the attack chain stood out in particular: an otherwise ordinary malware dropper whose code had clearly been generated by artificial intelligence (AI).

What the researchers discovered: Initial access broker (IAB) TA547 is using the AI-generated dropper in phishing attacks.

Though it may be a harbinger of more to come, it's no cause for panic. Defending against malware is the same no matter who or what writes it, and AI malware isn't likely to take over the world just yet.

"For the next few years, I don't see malware coming out of LLMs being more sophisticated than something a human is going to be able to write," says Daniel Blackford, senior manager of threat research at Proofpoint. After all, AI aside, "We've got very talented software engineers who are adversarially working against us."

TA547 has a long history of financially motivated cyberattacks. It came to prominence trafficking Trickbot, but has cycled through handfuls of other popular cybercrime tools, including Gozi/Ursnif, Lumma stealer, NetSupport RAT, StealC, ZLoader, and more.

"We're seeing — not just with TA547, but with other groups as well — much faster iteration through development cycles, adoption of other malware, trying new techniques to see what will stick," Blackford explains. And TA547's latest evolution seems to have been with AI.

Its attacks began with brief impersonation emails — for example, masquerading as the German retail company Metro AG. The emails contained password-protected ZIP files couching compressed LNK files. The LNK files, when executed, triggered a Powershell script that dropped the Rhadamanthys infostealer.

Sounds simple enough, but the Powershell script that dropped Rhadamanthys had one strange characteristic. Within the code, above each and every component, was a hashtag followed by hyper-specific comments about what the component achieved.

A snippet of the TA547 dropper. Source: Proofpoint

As Proofpoint noted, this is characteristic of LLM-generated code, indicating that the group — or whoever originally wrote the dropper — used some sort of chatbot to write it.

**Is Worse AI Malware to Come?**

Like the rest of us, cyberattackers have been experimenting with how AI chatbots can help them achieve their goals more easily, expeditiously, and effectively.

Some have figured out little ways to use AI to enhance their day-to-day operations, for example by aiding research into targets and emerging vulnerabilities. But aside from proofs-of-concept and the odd novelty tool, there hasn't been much evidence that hackers are writing useful malware with the help of AI.

That, Blackford says, is because humans are still far better than robots at writing malicious code. Plus, AI developers have taken steps to prevent the misuse of their software.

At least for now, he says, "the ways that these groups are going to leverage AI to scale up their operations is more of an interesting problem than the idea that they're going to create some new super malware with it."

And even once they do autogenerate super malware, the job of defending against it will remain the same. As Proofpoint concluded in its post, "In the same way LLM-generated phishing emails to conduct business email compromise (BEC) use the same characteristics of human-generated content and are caught by automated detections, malware or scripts that incorporate machine-generated code will still run the same way in a sandbox (or on a host), triggering the same automated defenses."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading