Enterprise security goes beyond tech leadership, and beyond the CISO's office. Achieving cybersecurity and resilience is a team effort, and requires building a culture of security awareness.

Source: Image Source via Alamy Stock Photo

A chain is only as strong as its weakest link. When it comes to cybersecurity and resilience, the entire organization should be involved. Good security hygiene needs to be a fundamental part of company culture, and the organization's executive leadership should make it clear that abiding by security practices is part of achieving business objectives.

Infusing security and operational resilience throughout the organization requires understanding the needs and workflows of all departments, how different teams use technology, where sensitive assets are stored, and who has access to them. To align security and business goals, company leaders must plan ahead, encourage proactive communication across departments, and foster and reward a collaborative culture.

**Everyone Has a Role to Play**

We believe cybersecurity risk should be viewed through the lens of overall business risk. A security breach can be devastating for an organization, with long-lasting impacts that reverberate across many facets of its operations. A data breach can significantly damage a company's reputation, erode customer trust, and make it challenging to attract and retain talent. With that in mind, cybersecurity hygiene is as much about business strategy as it is about technological tools.

With so much at stake, the responsibility for cybersecurity and resilience extends far beyond the office of the chief information security officer (CISO). Successful organizations understand the multifaceted nature of security, and recognize that successful CISOs closely partner with their peers to define and implement the organization's security strategy. In this article, we take a closer look at effective collaboration amongst these stakeholders, as further described below.

The CEO establishes the business strategy and is accountable for the operational risks that could impact the business, partnering closely with the chief operating officer (COO) who is responsible for the implementation of that strategy. It’s important that the CISO develop, communicate, and implement a security program that’s aligned to the business strategy, risk appetite, and strategic organizational goals, while simultaneously mitigating the organization's risk. This is an area where the CEO, COO, and CISO can provide executive leadership and speak with one voice to ensure a security-oriented mindset is considered when developing policies and deploying technical and operational controls.

Likewise, the CISO and the chief technology officer (CTO) should collaborate to articulate a cybersecurity strategy that closely aligns with the organization's technology plans, jointly assessing the risks inherent in existing and planned technology initiatives, and defining the controls posture needed to achieve compliance with relevant policies, rules and regulations.

We’ve observed that in many organizations, the roles of the CISO and the chief information officer (CIO) often overlap to some extent, with the CIO typically focusing on the features and functionality of information systems, while the CISO is more oriented toward security and compliance. Working together, these leaders can develop a highly functional system that aligns to the needs of the organization and helps deliver on business goals whilst enabling security, privacy, and compliance.

In addition to working closely with the stakeholders noted above, the CISO would benefit from forming ties with the organization’s chief risk officer (CRO) as well, with whom there are opportunities for collaboration to align on the overall scope of operational risk faced by the organization and identify opportunities to mitigate that risk through a strategy that appropriately balances people, process, and technology in a manner commensurate with its overall risk appetite.

Similarly, the CISO would be wise in also partnering with the chief compliance officer (CCO) to ensure that the development of the organization’s cybersecurity posture is informed by and aligned with relevant regulatory requirements which may span multiple regulatory jurisdictions and geographies.

A comprehensive understanding of the respective spheres of influence and requirements from the various stakeholders noted above can inform corporate policies and procedures, and serve as the basis for building a culture of cybersecurity awareness that's reinforced with regularly recurring training and communication throughout the organization.

**Organizational Principles **

Putting this approach into practice, organizations often turn to cybersecurity frameworks, such as those developed by NIST or the Cloud Security Alliance, which can be instrumental in holistically and programmatically assessing security risks. For instance, the NIST framework sets out its core elements as belonging to one of the functions noted below:

*   Identify: Assess the organization, including how work actually gets done in different business units and where potential vulnerabilities can be found.
    
*   Protect: Put safeguards in place for sensitive data and critical services.
    
*   Detect: Define how cybersecurity incidents will be detected.
    
*   Respond: Document plans for responding to a cybersecurity incident and make sure impacted stakeholders are scoped into the response.
    
*   Recover: Plan for how the company will recover from a cybersecurity incident, both in the short term and over time.
    

However, these frameworks are just tools, and should not be conflated with serving as a security strategy. Building and maintaining a resilient and secure company means cultivating a culture of security awareness throughout. Effective collaboration between leaders and departments is crucial for the successful execution of an organization's cyber strategy and its ability to provide a holistic picture of the state of cybersecurity in the organization, as well as individual team members' understanding of their roles in supporting and executing the overall strategy.

Ongoing professional development and building cross-functional security teams are crucial elements of developing this culture of security aimed at identifying and preventing incidents from occurring. However, it's equally important to consider how learnings can be gleaned from incidents in the unfortunate event that they do occur. That's where practices like blameless postmortems come in. A sense of teamwork and a "we're all in this together" approach are vital for building a cybersecurity culture that takes root throughout your organization. 

Read more Partner Perspectives from Google Cloud

**About the Author(s)**

AMERS Financial Services Executive Trust Lead, Google Cloud Office of the CISO

Marina supports Google Cloud’s financial services customers in the Americas on Trust topics throughout their cloud journey, focusing on regulatory compliance, risk management, governance and oversight, cybersecurity and privacy.

Prior to joining Google, Marina held Legal and Compliance roles on Wall Street, overseeing the broker dealer compliance program at Thomson Reuters (now Refinitiv), leading US Compliance for the Technology, Human Capital Management and Corporate Services divisions at Goldman Sachs, and most recently, running the Digital Compliance team at BNP Paribas where she specialized in advising on emerging technologies including AI/ML and digital assets, and oversaw programs related to cybersecurity, data privacy, and cloud digital transformation initiatives.

Office of the CISO, Financial Services, Google Cloud

David is in the Office of the CISO at Google Cloud where he shapes cloud security and risk management practices for the Financial Services Sector.  He has over 15 years of experience implementing security policies and strategies, protecting information assets, preparing and testing incident response plans, and developing security protocols.

David helps customers reduce operational risk by ensuring organizations have the people, technologies, and processes in place to enable business operations while preventing, detecting, and responding to threats. He also specializes in advising on compliance to laws, regulations, and standards that govern information security, including ISO, NIST, and FISMA frameworks.

Before Google, David worked in both the U.S. government at DoD and DHS and the financial services sector at JP Morgan Chase and Credit Suisse.

Cybersecurity is a Team Sport

Sanctions on Kimsuky/APT43 focuses the world on disrupting DPRK regime's sprawling cybercrime operations, expert says.

Source: Stuart Miles via Alamy Stock Photo

The US Department of the Treasury Office of Foreign Assets Control (OFAC) has announced it has sanctioned cyberespionage group Kimsuky (aka APT43) for collecting intelligence on behalf of the Democratic People's Republic of Korea (DPRK).

The OFAC said the sanctions are technically in retaliation for a North Korean military reconnaissance satellite launch on Nov. 21, but, more broadly, they are designed to block the DPRK from revenue, materials, and intelligence necessary to perpetuate its weapons of mass destruction development program the Treasury's sanctions announcement added.

Kimsuky is a well-known advanced persistent threat (APT) group active since 2013 that works on behalf of the Kim Jong Un regime.

The move to file the sanctions is an important step forward in stymying the DPRK's malicious cyber activities, according to a statement from Michael Barnhart, Mandiant principal analyst, Google Cloud.

"Recent actions, including the OFAC sanctions of today and increased global awareness of these cyber threats, are forcing North Korea to adapt its strategies," Barnhart explained via email. "While these measures have undoubtedly disrupted the regime's cyber activities, it is crucial to recognize that North Korea remains a formidable threat."

**Can the DPRK Cybercrime Machine Be Stopped?**

In October, Kimsuky waged a campaign abusing Remote Desk Protocols (RDP) and other tools to to take over targeted systems. The previous March, the group had already emerged as what researchers characterized "unusually aggressive" APT, becoming adept at achieving the dueling goals of using social engineering to gather intelligence, as well as operating a massive cryptomining operation to raise funds for the North Korean regime.

The wider strategy to shut down cyberattacks from the DPRK must include a combination of greater public awareness of their activities, robust cybersecurity measures, as well as additional targeted sanctions and other measures that help disrupt the regime's cyber threat, according to Barnhart.

"Despite the exposure of their operations, APT43 has demonstrated remarkable resilience, continuing to employ sophisticated social engineering tactics to target unsuspecting individuals and organizations," he added. "This highlights the need for heightened vigilance and a comprehensive approach to combating North Korea's cyber threats."

The US is joined in sanctioning the cyber-threat group with allied nations Australia, Japan, and the Republic of Korea, according to the OFAC announcement.

"As an intelligence gathering apparatus for the Reconnaissance General Bureau (RGB), APT43 operates with the full backing of the North Korean regime, tasked with gathering sensitive information on a wide range of topics, including nuclear technology, sanctions evasion, and unification efforts," Barnhart said. "APT43 and DPRK-aligned cyber threats pose a significant and evolving challenge to the global community."

North Korea APT Slapped With Cyber Sanctions After Satellite Launch

Hundreds of consumer and enterprise-grade x86 and ARM models from various vendors, including Intel, Acer, and Lenovo, are potentially vulnerable to bootkits and takeover.

Source: Tetra Images via Alamy Stock Photo

Researchers have uncovered "LogoFAIL," a set of critical vulnerabilities present in the Unified Extensible Firmware Interface (UEFI) ecosystem for PCs.

Exploitation of the vulnerabilities nullify essential endpoint security measures and provide attackers with deep control over affected systems.

The flaws originate in image-parsing libraries within the boot process, impacting all major device manufacturers on both x86 and ARM-based devices, according to a Binarly Research report that will be officially released at Black Hat Europe in London next week.

The severity of LogoFAIL is exacerbated by its widespread reach, researchers warn, noting that it affects the entire ecosystem, not just individual vendors here and there. The findings were reported via the CERT/CC VINCE system, with anticipated vendor patches scheduled for December 6, in tandem with the Black Hat talk, which is entitled, "LogoFAIL: Security Implications of Image Parsing During System."

**Hijacking the Boot Process With LogoFAIL**

Binarly researchers found that by embedding compromised images in the EFI System Partition (ESP) or unsigned firmware update sections, threat actors can execute malicious code during boot-up, enabling them to hijack the boot process.

This exploitation bypasses crucial security measures like Secure Boot and Intel Boot Guard, facilitating the insertion of a persistent firmware bootkit operating beneath the OS level.

"Because the attacker is getting the privileged code execution into the firmware, it's bypassing the security boundaries by design, like a Secure Boot," explains Alex Matrosov, CEO and founder of Binarly. "The Intel Boot Guard and other trusted boot technologies are not extended in runtime, and after the firmware is verified, it just boots further in the system boot flow."

He says the Binarly Research team originally was experimenting with logo modification on one of the Lenovo devices they have in the lab.

"One day, it suddenly started to reboot after showing the boot logo," he says. "We realized that the root cause of the issue was the change of the original logo, which led to a deeper investigation."

He adds, "In this case, we are dealing with continued exploitation with a modified boot logo image, triggering the payload delivery in runtime, where all the integrity and security measurements happen before the firmware components are loaded.”

This is not the first Secure Boot bypass ever discovered; in November 2022, a firmware flaw was found in five Acer laptop models that could be used to disable Secure Boot and allow malicious actors to load malware; and the BlackLotus or BootHole threats have opened the door to boot process hijacking before. However, Matrosov says that LogoFAIL differs from prior threats because it doesn't break runtime integrity by modifying the bootloader or firmware component.

In fact, he says LogoFAIL is a data-only attack, occurring when malicious input comes from the firmware image or the logo is read from the ESP partition during the system boot process — and thus, it's hard to detect.

"Such an approach with the ESP attack vector leaves zero evidence of the firmware attack inside the firmware itself, since the logo comes from an outside source," he explains.

**Majority of the PC Ecosystem Is Vulnerable**

Devices equipped with firmware from the three major independent BIOS vendors (IBVs), Insyde, AMI, and Phoenix, are susceptible, indicating a potential impact across diverse hardware types and architectures. Between them, the three cover 95% of the BIOS ecosystem, Matrosov says.

In fact, Matrosov says LogoFAIL affects "most devices worldwide," including consumer and enterprise-grade PCs from various vendors —Acer, Gigabyte, HP, Intel, Lenovo, MSI, Samsung, Supermicro, Fujitsu, and "many others."

"The exact list of affected devices is still being determined, but it's crucial to note that all three major IBVs — AMI, Insyde, and Phoenix — are impacted due to multiple security issues related to image parsers they are shipping as a part of their firmware," the Binarly report warned. "We estimate LogoFAIL impacts almost any device powered by these vendors in one way or another."

For its part, Phoenix Technologies published an early security notification this week (now taken down but available as a cache until it goes back up Dec. 6) detailing that the bug (CVE-2023-5058) is present in all versions lower than 1.0.5 of its Phoenix SecureCore Technology 4, which is a BIOS firmware that provides advanced security features for various devices.

"The flaw exists in the processing of user-supplied splash screen during system boot, which can be exploited by an attacker who has physical access to the device," according to the notification, which noted that an updated version is available. "By supplying a malicious splash screen, the attacker can cause a denial-of-service attack or execute arbitrary code in the UEFI DXE phase, bypassing the Secure Boot mechanism and compromising the system integrity."

LogoFAIL is also tracked by Insyde as CVE-2023-40238, and by AMI as CVE-2023-39539 and CVE-2023-39538.

Matrosov says the company is actively collaborating with multiple device vendors to coordinate disclosure and mitigation efforts across the spectrum.

**Firmware Updates Key to Minimizing Risk**

To minimize firmware risk in general, users should stay updated with manufacturer advisories and promptly apply firmware updates, as they often address critical security flaws.

Also, vetting suppliers is a must. "Be picky about the device vendors you rely on daily as personal device or devices across your enterprise infrastructure," Matrosov adds. "Don't blindly trust the vendors, but rather validate the vendor's security promises and identify the gaps across your device inventory and beyond."

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Critical 'LogoFAIL' Bugs Offer Secure Boot Bypass for Millions of PCs

The agency, known as JAXA, has shut down parts of its network as it conducts an investigation to discover the scope and impact of the breach.

Source: Tofino via Alamy Stock Photo

Japan's Space Exploration Agency (JAXA) reported this week that it experienced a cyber incident this past summer stemming from a breach of Microsoft Active Directory (AD) — raising concerns that nation-state actors might be after the country's space program data.

Chief cabinet secretary Hirokazu Matsuno raised the topic of the incident in a morning briefing on Nov. 29, mentioning that the agency investigated and preliminarily found that illegal access had indeed taken place. The agency was allegedly unaware of the attack until it was contacted by the authorities.

As mentioned, the breach was located in the organization's AD environment, the central server that manages access control for JAXA's network, including admin passwords for corporate applications. According to The Japan News, an official related to JAXA reportedly stated that "as long as the AD server was hacked, it was very likely that most of the information was visible. This is a very serious situation," though there is much that has not yet been confirmed.

This is not the first time that this Microsoft component has led to a compromise of information. Just earlier this year, US Sen. Ron Wyden (D-Ore.) wrote to the heads of CISA, the Justice Department, and the FTC asking them to hold Microsoft responsible after a Microsoft 365 breach due to three vulnerabilities in its Exchange Online email service and the Azure Active Directory. And just prior to that, it was discovered that a stolen Microsoft account key could allow threat actors to create access tokens for a variety of different types of Azure Active Directory applications.

**State-Sponsored Hackers After Japan's Space Program Secrets?**

The breach raises concerns that Japan's space program has been exposed, according to Ted Miracco, CEO of mobile security company Approov, who noted that JAXA has been a target before; in 2016 and 2017, JAXA was among 200 Japanese companies and research institutes allegedly targeted by Chinese military hackers.

"The cyberattack on Japan's aerospace exploration agency bears all the characteristics reminiscent of past incidents, raising questions about the involvement of state-sponsored actors," Miracco said via email. "In the historical context, previous attacks were linked to Chinese military hackers, and the reported exploitation of a vulnerability disclosed by a network equipment manufacturer in June adds a layer of sophistication to the attack, indicating a state-sponsored attack.

He added, "The motivation behind the cyber intrusion, given the nature of JAXA's operations in satellite development and advanced missions, points towards an interest in strategic intelligence and technological advancements. Understanding the identity, methods, and motivations of the perpetrators becomes crucial in fortifying cybersecurity measures to mitigate future risks, as these attacks are unlikely to stop anytime soon."

Meanwhile, JAXA has shut down part of its network and launched a full investigation to determine the scope of the breach and its impact. The agency is working with the central government, as well as police, on the matter.

Japan's Space Program at Risk After Microsoft Active Directory Breach

UAE security leaders warn that people, tech, and process gaps are exposing their organizations to cybercrime.

Source: Chroma Craft Media Group via Alamy Stock Photo

A vast majority of security chiefs in the United Arab Emirates believe their organization must improve how their teams, processes, and tech function in order to mitigate future cyberattacks.

Research by Trellix recently found that 96% of CISOs — who have experienced security incidents — feel improvements are needed, while 52% of respondents say their organization doesn't possess the technical knowledge to handle complex security incidents.

**Reliance on Manual Processes**

Forty-eight percent of security leaders believe that their organization is too reliant on manual processes, which hampers the mean time to detect and repair cyber incidents.

In addition to this, 44% blame the failure to fight cybercrime on poorly documented and implemented processes, with another 44% warning that disconnected security controls caused a lack of context.

Jake Moore, global cybersecurity adviser at ESET, says continual investment in protection is crucial for companies as cyber threats are increasingly sophisticated and common.

"Furthermore, now with the introduction of AI threats we are seeing cyberattacks become even more relentless and powerful," he says. "Companies need to bear in mind that the cost of recovery from an attack usually outweighs the cost of preventive security measures."

**Mind the Gaps**

While gaps in technical resources make it difficult for organizations to spot and respond to cybersecurity incidents, stretched or ill-equipped security teams also make this difficult. More than half of respondents (52%) cited gaps in their security capabilities as contributors to a security incidents experienced by their organization. 

Meanwhile, 44% admitted that they hadn’t properly configured their IT stacks or enabled their detection policies. A further 40% said their IT and security tools don't offer “adequate visibility” of incidents. 

Moore says: "Neglecting cybersecurity in terms of the people and process can leave a business dangerously exposed to preventable or mitigable attacks with potentially severe consequences."

**About the Author(s)**

Technology Journalist

Nicholas Fearn is a freelance tech journalist from the Welsh valleys. He's written for major outlets like Forbes, Financial Times, The Guardian, The Independent, The Telegraph, HuffPost and Business Insider, as well as tech publications like Gizmodo, TechRadar, Laptop Mag, Computer Weekly, ITPro and many more. When Nicholas isn't geeking over the latest gadgets and tech trends, he's probably listening to Mariah Carey on repeat.

Emirates CISOs Flag Rampant Cybersecurity Gaps

Saudi companies are seeking extra help in droves, because of a lack of tools and personnel.

Source: Hakan Gider via Alamy Stock Photo

More than half of Saudi Arabian companies plan to outsource their cybersecurity measures in the next year, as a lack of resources continues to plague the region.

Up to 58% of respondents plan to invest in different forms of outsourcing cybersecurity in the next 12 to 18 months as a measure to strengthen their posture, according to research from Kaspersky. Reasons given include a lack of necessary tools for threat detection (22%), and a shortage of internal IT security staff (34%).

Also, 42% plan to outsource their cybersecurity to managed service providers (MSPs), while 10% want the help of external consulting specialists.

The push for outsourcing comes as 71% of Saudi companies reported a cyber incident over the last two years, and 74% said the incidents were "serious."

**About the Author(s)**

Saudi Companies Outsource Cybersecurity Amid 'Serious' Incidents

A more proactive approach to fighting cyberattacks for US companies and agencies is shaping up under the CISA's proposal to emphasize real-time attack detection and response.

Source: Wavebreakmedia Ltd IFE-210813 via Alamy Stock Photo

COMMENTARY

The United States faces an ever-growing threat of cyberattacks on its critical infrastructure, government agencies, and private sector companies.

These attacks can have severe consequences, from the theft of sensitive information to the disruption of essential services. To effectively combat these threats, the US needs to adopt a comprehensive and proactive approach to cybersecurity, similar to the one taken by Germany with its IT-SiG 2.0 mandate.

Where are we now, and are we on the right track to adopt a similar mandate on this side of the Atlantic?

**The IT-SiG Approach Compared With the US's Current Capabilities**

One of the key features of the IT-SiG 2.0 mandate is its emphasis on real-time attack detection and response. This approach recognizes that preventing all cyberattacks is impossible and focuses on quickly identifying and mitigating the effects of successful attacks. This mitigation is achieved through advanced security technologies, such as intrusion-detection systems, security information and event management (SIEM) systems, and security orchestration, automation, and response (SOAR) systems, which can detect and respond to potential threats in near real time.

In contrast, the US has traditionally relied on patching vulnerabilities and responding to attacks after they have occurred and, ideally, been resolved. While this approach can effectively mitigate the effects of individual attacks, more is needed to keep pace with the rapidly evolving cyber-threat landscape. The US has needed a more proactive approach, like the IT-SiG 2.0 mandate, emphasizing real-time attack detection and response to stay ahead of potential threats.

**With This Strategy, Visibility Is Key**

Another critical aspect of the IT-SiG 2.0 mandate is its focus on improving visibility into the cybersecurity posture of organizations. Visibility is achieved through regular security assessments and penetration testing, which help identify vulnerabilities and weaknesses in an organization's systems and networks. By comprehensively understanding an organization's cybersecurity posture, the IT-SiG 2.0 mandate encourages organizations to identify issues and take steps to remediate them, improving overall security.

The United States has taken steps toward improving visibility into the cybersecurity posture of federal agencies with the Cybersecurity & Infrastructure Security Agency's Binding Operational Directive 23-01 in October 2022. However, this directive only applies to federal agencies and not to private-sector companies; many organizations may not have the same level of visibility into their cybersecurity posture as federal agencies.

According to Statista's Research Department, in the fiscal year 2020 the number of cybersecurity incident reports by federal agencies in the United States was over 30,000, around an 8% increase from the previous year.

To effectively combat cyber threats, it's essential that all organizations, not just federal agencies, have the necessary visibility into their cybersecurity posture. Therefore, the US should consider expanding the reach of Directive 23-01, like the IT-SiG 2.0 mandate, to include private-sector companies. This expansion would ensure that all organizations have visibility into their cybersecurity protection.

**Recent US Steps**

In brighter news, we might be beginning on the path toward a more effective national cybersecurity strategy akin to IT-SiG 2.0. In March, the Biden administration announced its National Cybersecurity Strategy. Among the plan's emphases are defending critical infrastructure; disrupting the ability for cybercriminals to attack agencies, organizations, and individuals; encouraging market forces to lead the way to broader security and resilience; and fostering international collaboration between private and public sectors to stay ahead of bad actors.

It appears the plan emphasizes less the cybersecurity tools that will be used and more the means of making sure they're being adopted and used correctly, shoring up weak links in complex business and government affairs. While the White House laid out this plan, a significant amount of the burden will fall on the shoulders of those most capable of fighting back against waves of cyberthreats — namely, the business world alongside the government. A redefinition of the "social contract" of cybersecurity seems to be what they're after here, with smaller businesses and individuals able to benefit from the processes put in place by larger organizations.

Taking up this plan and running with it, in August the Cybersecurity & Infrastructure Security Agency (CISA) released its Cybersecurity Strategic Plan for the fiscal years 2024 through 2026. "It's up to all of us, government and private sector, domestic and international, to execute \[the cybersecurity plan\]," Eric Goldstein, Executive Assistant Director for Cybersecurity wrote on the CISA website.

How does CISA's plan compare with IT-SiG 2.0? If we're going by real-time attack detection and visibility as the main driving points, then CISA's plan directly lines up, at least in concept. CISA's plan outlines three major goals: address immediate threats, harden the terrain, and drive security at scale.

So, visibility into vulnerabilities, quick real-time responses, and proactive mitigation of weaknesses that could be exploited are the primary focus. While this is still in plan form, it does seem like CISA has homed in on the same key points the IT-SiG 2.0 is going after.

**Looking Toward a More Secure Future**

Statista's Research Department found that in the first half of 2022, the number of data compromises in the US came in at 817 cases. Over 53 million individuals were affected by those data compromises, which included data breaches, data leakage, and data exposure.

The US faces an ever-growing threat of cyberattacks on its critical infrastructure, government agencies, and private sector companies. To effectively combat these threats, the United States needs to adopt a comprehensive and mandated approach to cybersecurity, similar to the one taken by Germany with its IT-SiG 2.0 mandate. This approach forces real-time attack detection and response, improves visibility into organizations' cybersecurity approach, and offers a solid beginning to a more secure digital world.

There's work to be done — by both government agencies and businesses, as the shift in the social contract implores everyone to do what they can — but by taking these first steps, the United States can improve its overall cybersecurity posture for all companies and better protect digital assets against potential threats.

**About the Author(s)**

CTO & Co-Founder, SecurityBridge

Ivan Mans is a long time SAP technology consultant, having worked in the SAP space since 1997 — the early days of R/3. In 2012, Ivan co-founded SecurityBridge, and in his current role as CTO, he is a motivated driver, inspires people, and pushes technology that contributes to the continuous innovation of the SecurityBridge Platform. In recent years, Ivan has been a regular speaker at SAP events, evangelizing SAP security.

The US Needs to Follow Germany's Attack-Detection Mandate

Apparently all it takes to get a chatbot to start spilling its secrets is prompting it to repeat certain words like "poem" forever.

Source: Ascannio via Shutterstock

Can getting ChatGPT to repeat the same word over and over again cause it to regurgitate large amounts of its training data, including personally identifiable information and other data scraped from the Web?

The answer is an emphatic yes, according to a team of researchers at Google DeepMind, Cornell University, and four other universities who tested the hugely popular generative AI chatbot's susceptibility to leaking data when prompted in a specific way.

**'Poem' as a Trigger Word**

In a report this week, the researchers described how they got ChatGPT to spew out memorized portions of its training data merely by prompting it to repeat words like "poem," "company," "send," "make," and "part" forever.

For example, when the researchers prompted ChatGPT to repeat the word "poem" forever, the chatbot initially responded by repeating the word as instructed. But after a few hundred times, ChatGPT began generating "often nonsensical" output, a small fraction of which included memorized training data such as an individual's email signature and personal contact information.

The researchers discovered that some words were better at getting the generative AI model to spill memorized data than others. For instance, prompting the chatbot to repeat the word "company" caused it to emit training data 164 times more often than other words, such as "know."

Data that the researchers were able to extract from ChatGPT in this manner included personally identifiable information on dozens of individuals; explicit content (when the researchers used an NSFW word as a prompt); verbatim paragraphs from books and poems (when the prompts contained the word "book" or "poem"); and URLs, unique user identifiers, bitcoin addresses, and programming code.

**A Potentially Big Privacy Issue?**

"Using only $200 USD worth of queries to ChatGPT (gpt-3.5-turbo), we are able to extract over 10,000 unique verbatim memorized training examples," the researchers wrote in their paper titled "Scalable Extraction of Training Data from (Production) Language Models."

"Our extrapolation to larger budgets suggests that dedicated adversaries could extract far more data," they wrote. The researchers estimated an adversary could extract 10 times more data with more queries.

Dark Reading's attempts to use some of the prompts in the study did not generate the output the researchers mentioned in their report. It's unclear if that's because ChatGPT creator OpenAI has addressed the underlying issues after the researchers disclosed their findings to the company in late August. OpenAI did not immediately respond to a Dark Reading request for comment.

The new research is the latest attempt to understand the privacy implications of developers using massive datasets scraped from different — and often not fully disclosed — sources to train their AI models.

Previous research has shown that large language models (LLMs) such as ChatGPT often can inadvertently memorize verbatim patterns and phrases in their training datasets. The tendency for such memorization increases with the size of the training data.

Researchers have shown how such memorized data is often discoverable in a model's output. Other researchers have shown how adversaries can use so-called divergence attacks to extract training data from an LLM. A divergence attack is one in which an adversary uses intentionally crafted prompts or inputs to get an LLM to generate outputs that diverge significantly from what it would typically produce.

In many of these studies, researchers have used open source models — where the training datasets and algorithms are known — to test the susceptibility of LLM to data memorization and leaks. The studies have also typically involved base AI models that have not been aligned to operate in a manner like an AI chatbot such as ChatGPT.

**A Divergence Attack on ChatGPT**

The latest study is an attempt to show how a divergence attack can work on a sophisticated closed, generative AI chatbot whose training data and algorithms remain mostly unknown. The study involved the researchers developing a way to get ChatGPT "to 'escape' out of its alignment training" and getting it to "behave like a base language model, outputting text in a typical Internet-text style." The prompting strategy they discovered (of getting ChatGPT to repeat the same word incessantly) caused precisely such an outcome, resulting in the model spewing out memorized data.

To verify that the data the model was generating was indeed training data, the researchers first built an auxiliary dataset containing some 9 terabytes of data from four of the largest LLM pre-training datasets — The Pile, RefinedWeb, RedPajama, and Dolma. They then compared the output data from ChatGPT against the auxiliary dataset and found numerous matches.

The researchers figured they were likely underestimating the extent of data memorization in ChatGPT because they were comparing the outputs of their prompting only against the 9-terabyte auxiliary dataset. So they took some 494 of ChatGPT's outputs from their prompts and manually searched for verbatim matches on Google. The exercise yielded 150 exact matches, compared to just 70 against the auxiliary dataset.

"We detect nearly twice as many model outputs are memorized in our manual search analysis than were detected in our (comparatively small)" auxiliary dataset, the researchers noted. "Our paper suggests that training data can easily be extracted from the best language models of the past few years through simple techniques."

The attack that the researchers described in their report is specific to ChatGPT and does not work against other LLMs. But the paper should help "warn practitioners that they should not train and deploy LLMs for any privacy-sensitive applications without extreme safeguards," they noted.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Simple Hacking Technique Can Extract ChatGPT Training Data

Early disclosures related to September compromise insisted less than 1% of Okta customers were impacted; now, the company says it was all of them.

Source: Ilnur Khisamutdinov via Alamy Stock Photo

Identity access management vendor Okta has released an update following an investigation into a hack this fall on its systems, revising the number of impacted customers up from less than 1% to a staggering 100%.

A blog post dated Nov. 29 from Okta chief security officer David Bradbury explained that an analysis of a breach from September revealed that an unauthorized user was able to run a report on Sept. 28 containing data on every user of Okta's customer support system, which leaked the following data: company name, contact information, user name, role description, and a "collection of other data." This type of information could be useful to threat actors in launching social engineering attacks, like the ones that leveraged Okta to breach MGM Resorts and Caesars Entertainment.

Thus, Okta is warning all of its customers to be prepared for similar phishing and social engineering cyber-scams.

"Given that names and email addresses were downloaded, we assess that there is an increased risk of phishing and social engineering attacks directed at these users," Bradbury wrote. "While 94% of Okta customers already require MFA \[multifactor authentication\] for their administrators, we recommend all Okta customers employ MFA and consider the use of phishing-resistant authenticators to further enhance their security."

The company added that it does not have any evidence the compromised Okta customer data is being actively exploited yet, however. Even so, cybersecurity experts advise Okta customers to focus on cybersecurity best practices, including user training.

"What is needed to secure Okta customers is a focus on best practices; for example, 6% of their users do not have multifactor authentication enabled," says Viakoo CEO Bud Broomhead. "Likewise, setting session timeouts or requiring reauthentication for sessions from a new IP address should be done across all Okta users."

**Okta Breach Brand & Financials Ramifications**

That bit of bad news for Okta customers was tempered by another piece of data out of Okta on Nov. 29. According to its latest quarterly financial report, the company announced that it has seen a more than 20% increase in revenues. The bottom-line growth increase is marked for the quarter ending Oct. 31, the same quarter Okta's systems were used in high-profile breaches of MGM and Caesars.

"Our Q3 performance was highlighted by solid top-line growth, record non-GAAP operating profit, and record free cash flow," Todd McKinnon, CEO and co-founder of Okta, said in a statement about the company's earnings. "We are particularly enthusiastic about the adoption of Okta Identity Governance and the general availability of Okta Privileged Access, which uniquely positions us as the only unified modern identity platform. Over 18,800 leading organizations around the world put their trust in Okta and we are thankful for their continued partnership."

The news of the leaked customer data did drive down Okta stock prices when it happened, but the investor fallout appears to be hovering in the single digits.

That said, the time lag for sales revenues to be impacted by major cyber incidents like the ones Okta has experienced should be taken into account when analyzing whether the breach impacted the brand, according to Jasson Casey, CEO of Beyond Identity.

"The sales cycle for midmarket customers is typically three to four months, while the enterprise sales cycle can be six-plus months," Casey tells Dark Reading. "Revenue numbers being reported today don't reflect the market's processing and intake of the latest news."

However, Casey tells Dark Reading that personally, he's seeing a market shift away from Okta.

"Anecdotally, we're seeing a large number of companies actively search for migration pathways from Okta to other SSO \[single sign-on\] platforms due to the continued string of news related to Okta security practices," he adds. "Okta has a hard road in front of them to convince the mid/enterprise market that security is a foundational principle given their continued missteps over the last two years."

Okta declined to comment on customer reactions to the compromise.

Okta Breach Widens to Affect 100% of Customer Base

Cybercriminals use legal search terms to ensnare unwitting victims, then launch ransomware or business email compromise attacks.

Source: The Lightwriter via Adobe Stock

Cyberattackers are doubling down on their attacks against law firms and corporate legal departments, moving beyond their historical activity of hacking and leaking secrets to targeting the sector with financial attacks, such as ransomware and business email compromise (BEC).

On Nov. 24, managed service provider CTS, which provides IT services to law firms, acknowledged that the firm had suffered a breach, but did not give details about the source of the attack. The incident has reportedly affected services to dozens of law firms, particularly in the real estate sector. The attack follows claims by the LockBit group that it compromised London-based law firm Allen & Overy, listing the firm among the victims on its data-leak site and demanding a ransom. The firm confirmed a breach, but did not acknowledge the ransomware attack.

The attacks are only the latest to target law firms and legal departments. At least one attack group has targeted law firms specifically, seeding compromised sites with legal jargon to make the sites rise in search rankings and then deliver a ransomware attack chain to visitors, says Keegan Keplinger, a senior security researcher with managed detection and response firm eSentire.

"When \[the targeting\] hasn't been a legal organization, it's often been the legal department or a legal user — a paralegal or the legal consultant — in an organization," he says. "We saw a hospital get hit once, but it was the legal user in that hospital that downloaded \[the malware\]."

GootLoader, which leads to Blackcat ransomware, has focused heavily on law firms. Source: eSentire

Hackers have long favored law firms as a way to steal secrets, absconding with Uber drivers' personal information from law firm Genova Burns LLC in January; hijacking data on the contracts and personal emails from 200 high-profile celebrities — including Lady Gaga, Madonna, and Rod Stewart — from New York law firm Grubman Shire Meiselas & Sacks in 2020; and allegedly leaking the "Panama Papers" — 11.5 million documents on wealthy tax evaders — from Panama-based law firm Mossack Fonseca.

Traditionally, the attraction for online attackers has not been money, says Ilia Kolochenko, chief architect at application security firm ImmuniWeb.

"Law firms are pretty far from being attractive victims for cybercriminals," he says. "However, their clients — namely, secrets of their clients — make law firms a magnet for all kind of cybercriminals."

**Clickbait Turns to SEO Poisoning**

That has changed, as cybercriminals increasingly focus on law firms as a way to cash in with ransomware and BEC attacks. More than a quarter of law firms (27%) suffered a security breach in 2022, up from 25% in 2021, according to the American Bar Association's annual cybersecurity report, which stresses that a security breach is not as severe a classification as a data breach. The legal sector is the fourth most targeted sector by cybercriminals — behind services, manufacturing, and financial firms, according to eSentire's data.

The most significant threat to law firms may be GootLoader, a browser-based threat that is delivered through search engine optimization (SEO) poisoning. The group behind GootLoader has seeded malicious content and malvertising linked to 3.5 million search terms, a high percentage of which are legal terms. As a result, a lawyer or paralegal who searches for specific content may find the top search result leading to a GootLoader-infected file. Downloading and opening the file will execute the program, which almost always leads to BlackCat ransomware, says Joe Stewart, a principal security researcher at eSentire.

"This \[is\] what I call a landmine approach," he says. "They're just mining the entire Web with these search keywords and just waiting for somebody in the legal profession, or somebody who needs this legal document, to just stumble on it and open it up, say, 'What's this? Oh, I will click on this JavaScript. No problem.'"

Ransomware is not the only worry for law firms. A number of threat groups are also targeting law firms with BEC scams. Law firms are the perfect victims for such schemes, says Dan Caplin, director of cybersecurity and incident response at S-RM, a cybersecurity consultancy.

"Firstly, they do a lot of business over and in emails, and secondly, law firms often occupy a privileged position in situations where payment instructions and details are exchanged — this, again, is mostly done over email," he says. "This makes email account takeover, intercepting a thread about a legitimate payment, and diverting funds to a fraudulent bank account a really effective approach."

**Will Get Worse Before It Gets Better**

Because law firms tend to be smaller, often just one or two people, cybersecurity knowledge is often lacking, says ImmuniWeb's Kolochenko.

"Solo practitioners and small law firms are usually poorly protected, having very modest budgets for cybersecurity," he says. "Large law firms, however, increasingly spend more on cybersecurity and cyber defense, \[but most firms\] have similar problems as all other industries including shadow IT, working from home, \[and\] underprotected third parties."

Unfortunately, law firms are often tasked as the custodian of extremely sensitive information, making any breach a problem and making the firm more likely to pay a ransom. It's little wonder that GootLoader has targeted the industry, says eSentire's Keplinger.

"For a variety of reasons, law firms are behind the curve a little bit on security," he says. "With ransomware — especially the double whammy (both stealing and encrypting the data) — legal firms are an obvious organization that would be vulnerable to that — especially, that would care about publishing their data."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Source

DARKReading