The security principle of zero trust is the cornerstone of robust cloud security.

In an era where data breaches and cyberattacks continue to dominate headlines, the importance of robust security measures has never been more evident. As organizations increasingly migrate their data and operations to the cloud, a paradigm shift in security strategy is essential. Enter zero trust, a security concept that has emerged as the cornerstone of cloud security. This article will explore why zero trust is crucial for safeguarding cloud environments.

**The Cloud Security Challenge**

Adopting cloud computing has brought unprecedented flexibility, scalability, and cost efficiency for businesses; however, migration to the cloud has also opened new avenues for cyber threats. The traditional security perimeter model — protecting the network perimeter — must change. Security must adapt to the challenges of this dynamic landscape with data residing in remote data centers and users accessing resources from anywhere.

**What Is Zero Trust?**

Zero trust is not just a technology but a holistic security approach that fundamentally shifts the security paradigm. The core tenet of zero trust is simple: "Never trust, always verify." In essence, zero trust means security teams should not inherently trust anyone or anything, regardless of whether they are inside or outside the network.

The fundamental principles of zero trust include:

1.  **Continuous verification:** Every access request is verified, regardless of the user's location or device. This principle includes strong multifactor authentication (MFA) and device health checks.
2.  **Least privilege access:** Security teams grant users and systems only the minimum access required to perform their tasks, reducing the attack surface and potential damage in case of a breach.
3.  **Micro-segmentation:** Networks are divided into small, isolated segments with access controls enforced between them, preventing lateral movement by attackers.
4.  **Data-centric security:** Zero trust prioritizes data protection, ensuring data is encrypted, classified, and rigorously access-controlled.

**Why Zero Trust for Cloud Security?**

Reasons zero trust is important for securing cloud environments include:

1.  **Perimeterless environments:** Cloud environments are inherently perimeterless. Traditional security models that rely on securing the network perimeter are ineffective when data and applications are dispersed across multiple cloud providers and accessed from anywhere. Zero trust, which focuses on continuous verification, addresses this challenge by securing access at the individual request level.
2.  **Evolving threat landscape:** Cyber threats are constantly evolving, becoming more sophisticated and persistent. Zero trust's continuous monitoring and verification principle helps organizations stay one step ahead of these threats by detecting and responding to anomalies and breaches in real time.
3.  **Remote workforce:** The rise of remote work has blurred the lines between corporate networks and the public Internet. With employees accessing cloud resources from various locations and devices, zero trust ensures access is granted based on user identity and device trustworthiness, not just network location.
4.  **Data protection:** In cloud environments, data is the crown jewel. Zero trust places data protection at its core, ensuring that even if a breach occurs, sensitive data remains encrypted and inaccessible to unauthorized parties.
5.  **Compliance and regulations:** Many industries are subject to strict data protection regulations. Zero trust helps organizations meet these compliance requirements by enforcing stringent access controls, monitoring activities, and maintaining an audit trail.

**Implementing Zero Trust in Cloud Environments**

To implement zero trust in cloud security, organizations should consider:

1.  **Identity and access management (IAM):** Implement strong authentication methods and access controls based on user identity.
2.  **Continuous monitoring:** Utilize threat detection and response tools to monitor activities and identify anomalies.
3.  **Least privilege access:** Grant minimal access permissions to users and systems based on their roles and responsibilities.
4.  **Data encryption:** Encrypt data at rest and in transit and classify data based on sensitivity.
5.  **Micro-segmentation:** Implement network segmentation to control lateral movement within cloud environments.

**Zero Trust Is Not Optional**

As organizations continue their digital transformation journey by embracing cloud technologies, zero trust emerges as the bedrock of cloud security. The principles of continuous verification, least privilege access, and data-centric security align perfectly with cloud environments' dynamic and distributed nature. Embracing zero trust is not merely an option; it's necessary to protect sensitive data, mitigate risks, and ensure the security of cloud-based operations in an ever-evolving threat landscape. Zero trust isn't just a buzzword; it's the future of cloud security. To learn more about zero trust, AI, and other topics in the ever-evolving threat landscape, log into the #AskCyderes webcast.

**About the Author**

    

Patrick Carter has 15 years of industry experience across security architecture, cloud security, security program management, and strategic consulting. He has a strong understanding of multicloud security architecture, working with both commercial and enterprise-level clients in Azure, AWS, and GCP. He has extensive experience in practice development and service optimization utilizing multiple disciplines. Having consulted enterprises of multiple industries, Patrick is passionate about developing cloud security programs that meet clients' specific needs and building strong relationships that enable them to secure their cloud journey.

Why Zero Trust Is the Cloud Security Imperative

Progress Software plans to collect millions in cyber insurance policy payouts after the MOVEit breaches, which will make getting coverage more expensive and harder to get for everyone else, experts say.

In its recent Security and Exchange Commission (SEC) filing, Progress Software, the company behind the MOVEit file transfer software that's been used to breach dozens of major organizations, says it plans to try and fully collect on its $15 million cyber insurance policy. But how is that fat $15 million payout likely to effect how insurers approach their own businesses?

Faced with class action lawsuits, fines, and a battered business brand, there's little question the company will need millions to cover its losses. And to boot, Progress Software was already collecting on a claim related to a previous incident in November 2022, unrelated to the MOVEit ransomware campaign, according to its most recent 10-Q filing with the SEC.

"As of August 31, 2023, we have recorded approximately $4.9 million in insurance recoveries, of which $3 million was related to the November 2022 cyber incident and $1.9 million was related to the MOVEit vulnerability, providing us with $10.1 million of additional cybersecurity insurance coverage (which is subject to a $0.5 million retention per claim). We will pursue recoveries to the maximum extent available under our insurance policies."

**Higher Premiums, Less Coverage**

Cyber insurers don't have the historical data or developed risk models that others do, like car or home insurers, which means they are constantly adjusting their "risk appetite," according to Mark Millender, senior advisor for global executive engagement at Tanium. He thinks payouts like the one Progress Software is seeking will both drive up premiums and ratchet up requirements for coverage across the cyber insurance ecosystem.

"As loss ratios increase and drive down profitability, risk tolerance recedes and the need to drive up revenues is reflected in premium charges," Millender says.

And, getting policies renewed in the wake of this Progress Software claim, and others, is going to get trickier, he predicts.

"At the same time, the insured submitting the claim will be under increased scrutiny at the time of renewal," according to Millender. "The insured's ability to renew with the same or another carrier will depend on many factors, including this claim experience, but also general cybersecurity defense posture and how the incident was addressed."

Cyber insurance policies are undoubtedly already getting more expensive and providing less coverage than before: Two-thirds of companies surveyed for a report from Delinea on the current state of the cyber insurance industry said they saw a 50% increase in cyber insurance premiums, with more narrow coverage over the past year. And, a full 80% of companies reported they submitted at least one claim in the past year.

"Three key factors are driving the growth of the cyber insurance market," Bud Broomhead, CEO at Viakoo says. "This includes the expanding liabilities from cyber breaches, boards and senior management holding more responsibility for breaches, and the 'forcing function' that cyber insurance provides to maintain their cyber security posture."

Broomhead adds that as the cyber insurance market matures, these factors will change, but the bottom-line result is likely to be a continuing trend towards more expensive policies with less coverage. But as cyber insurers refine their risk evaluations, premiums should stabilize, he adds.

**Cyber Insurers Communicating With Security Teams**

Cyber insurers are taking a closer look at the risk profiles of their clients, a trend that will be driven to new heights by the Progress situation. One of the outcomes of this increased scrutiny has been greater cooperation between cyber insurers and their policy holders, Dara Gibson, cyber insurance services leader with Optiv, explains.

"Cyber insurers are now communicating with cybersecurity teams," Gibson says. "It's going to become more of a collaborative effort between the insurers, cybersecurity and the insured because a greater understanding of what 'good' looks like is taking shape."

It's up to enterprise teams to do the same kinds of assessments, Broomhead advises.

"Risk assessment and cyber insurance will always be evolving in the same way that threat vectors themselves evolve," Broomhead says. "The most important thing is for an organization to do its own risk assessment and ensure that their internal policies address their entire attack surface."

How MOVEit Is Likely to Shift Cyber Insurance Calculus

CISA and FBI warn the RaaS provider's affiliates are striking critical industries, with more attacks expected to come from additional ransomware groups in the months ahead.

US authorities issued a warning this week about potential cyberattacks against critical infrastructure from ransomware-as-a-service (RaaS) operation AvosLocker.

In a joint security advisory, the Cybersecurity Infrastructure and Security Agency (CISA) and FBI warned that AvosLocker has targeted multiple critical industries across the US as recently as May, using a wide variety of tactics, techniques, and procedures (TTPs), including double extortion and the use of trusted native and open source software.

The AvosLocker advisory was issued against a backdrop of increasing ransomware attacks across multiple sectors. In a report published Oct. 13, cyber-insurance company Corvus found a nearly 80% increase in ransomware attacks over last year, as well as a more than 5% increase in activity month-over-month in September.

**What You Need to Know About AvosLocker Ransomware Group**

AvosLocker does not discriminate between operating systems. It has thus far compromised Windows, Linux, and VMWare ESXi environments in targeted organizations.

It's perhaps most notable for how many legitimate and open source tools it uses to compromise victims. These include RMMs like AnyDesk for remote access, Chisel for network tunneling, Cobalt Strike for command-and-control (C2), Mimikatz for stealing credentials, and the file archiver 7zip, among many more.

The group also likes to use living-off-the-land (LotL) tactics, making use of native Windows tools and functions such as Notepad++, PsExec, and Nltest for performing actions on remote hosts.

The FBI has also observed AvosLocker affiliates using custom Web shells to enable network access, and running PowerShell and bash scripts for lateral movement, privilege escalation, and disabling antivirus software. And just a few weeks ago, the agency warned that hackers have been double-dipping: using AvosLocker and other ransomware strains in tandem to stupefy their victims.

Post-compromise, AvosLocker both locks up and exfiltrates files in order to enable follow-on extortion, should its victim be less than cooperative.

"It's all kind of the same, to be honest, as what we've been seeing for the past year or so," Ryan Bell, threat intelligence manager at Corvus, says of AvosLocker and other RaaS groups' TTPs. "But they're becoming more deadly efficient. Through time they're getting better, quicker, faster."

**What Companies Can Do to Protect Against Ransomware**

To protect against AvosLocker and its ilk, CISA provided a long list of ways critical infrastructure providers can protect themselves, including implementing standard cybersecurity best practices — like network segmentation, multifactor authentication, and recovery plans. CISA added more specific restrictions, such as limiting or disabling remote desktop services, file and printer sharing services, and command-line and scripting activities and permissions.

Organizations would be smart to take action now, as ransomware groups will only grow more prolific in the months to come.

"Typically, ransomware groups take a little bit of a summer vacation. We forget that they are people, too," Bell says, citing lower-than-average ransomware numbers in recent months. September's 5.12% bump in ransomware cyberattacks, he says, is the canary in the coal mine.

"They will increase attacks through the fourth quarter. That's usually the highest we see throughout the year, as in both 2022 and 2021, and we're seeing that holds true even now," he warns. "Things are definitely climbing up all across the board."

Feds: Beware AvosLocker Ransomware Attacks on Critical Infrastructure

The Cyber Resilience Act's requirement to disclose vulnerabilities within 24 hours could expose organizations to attacks — or government surveillance.

The European Union (EU) may soon require software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of an exploitation. But many IT security professionals want this new rule, set out in Article 11 of the EU's Cyber Resilience Act (CRA), to be reconsidered.

The rule requires vendors to disclose that they know about a vulnerability actively being exploited within one day of learning about it, regardless of patch status. Some security professionals see the potential of governments abusing the vulnerability disclosure requirements for intelligence or surveillance purposes.

In an open letter signed by 50 prominent cybersecurity professionals across industry and academia, among them representatives from Arm, Google, and Trend Micro, the signatories argue that the 24-hour window is not enough time — and would also open doors to adversaries jumping on the vulnerabilities without allowing organizations enough time to fix the issues.

"While we appreciate the CRA's aim to enhance cybersecurity in Europe and beyond, we believe that the current provisions on vulnerability disclosure are counterproductive and will create new threats that undermine the security of digital products and the individuals who use them," the letter states.

Gopi Ramamoorthy, senior director of security and GRC at Symmetry Systems, says there is no disagreement about the urgency of patching the vulnerabilities. The concerns center on publicizing the vulnerabilities before updates are available, which leaves organizations at risk of attack and unable to do anything to prevent it.

"Publishing the vulnerability information before patching has raised concerns that it may enable further exploitation of the unpatched systems or devices and put private companies, and citizens, at further risk," Ramamoorthy says.

**Prioritize Patching Over Surveillance**

Callie Guenther, senior manager of cyber threat research at Critical Start, says the intent behind the CTA is commendable, but it's vital to consider the broader implications and potential unintended consequences of governments having access to vulnerability information before updates are available.

"Governments have a legitimate interest in ensuring national security," she says. "However, using vulnerabilities for intelligence or offensive capabilities can leave citizens and infrastructure exposed to threats."

A balance must be struck wherein governments prioritize patching and protecting systems over exploiting vulnerabilities, Guenther says, proposing some alternative approaches for vulnerability disclosure, starting with tiered disclosure.

"Depending on the severity and impact of a vulnerability, varying time frames for disclosure can be set," she says. "Critical vulnerabilities may have a shorter window, while less severe issues could be given more time."

A second alternative Guenther describes concerns preliminary notification, where vendors can be given a preliminary notification with a brief grace period before the detailed vulnerability is disclosed to a wider audience.

A third way focuses on coordinated vulnerability disclosure, which encourages a system where researchers, vendors, and governments work together to assess, patch, and disclose vulnerabilities responsibly.

Any rule must include explicit clauses to prohibit the misuse of disclosed vulnerabilities for surveillance or offensive purposes, she adds.

"Additionally, only select personnel with adequate clearance and training should have access to the database, reducing the risk of leaks or misuse," Guenther says. "Even with explicit clauses and restrictions, there are numerous challenges and risks that can arise."

**When, How, and How Much to Disclose**

Responsible disclosure of vulnerabilities is a process that has, traditionally, included a thoughtful approach that enabled organizations and security researchers to understand the risks and develop patches before exposing the vulnerability to potential threat actors, notes John A. Smith, CEO at Conversant Group.

"While the CRA may not require deep details about the vulnerability, the fact that one is now known to be present is enough to get threat actors probing, testing, and working to find an active exploit," he cautions.

From Smith's perspective, the vulnerability should also not be reported to any individual government or the EU; that requirement will reduce consumer confidence and damage commerce due to nation-state spying risks.

"Disclosure is important — absolutely. But we must weigh the pros and cons of when, how, and how much detail is provided during research and discovery to mitigate risk," he says.

An alternative to this "arguably knee-jerk approach," Smith says, is to require software companies to acknowledge reported vulnerabilities within a specified but expedited time frame, and then require them to report back on progress to the discovering entity regularly, ultimately providing a public fix within a maximum of 90 days.

Guidelines on how to receive and disclose vulnerability information, as well as techniques and policy considerations for reporting, are already outlined in ISO/IEC 29147.

**Impacts Beyond EU**

The US has an opportunity to observe, learn, and subsequently develop well-informed cybersecurity policies, as well as proactively prepare for any potential ramifications if Europe moves forward too quickly, Guenther adds.

"For US companies, this development is of paramount importance," she says. "Many American corporations operate on a global scale, and regulatory shifts in the EU could influence their global operations."

The ripple effect of the EU's regulatory decisions, as evidenced by the General Data Protection Regulation's influence on the California Consumer Privacy Act and other US privacy laws, suggests that European decisions could presage similar regulatory considerations in the US, she points out.

"Any vulnerability disclosed in haste due to EU regulations doesn't confine its risks to Europe," Guenther cautions. "US systems employing the same software would also be exposed."

Security Pros Warn That EU's Vulnerability Disclosure Rule Is Risky

The botnet — built for DDoS, backdooring, and dropping malware — is evading standard URL signature detections with a novel approach involving Hex IP addresses.

Cyberattackers are targeting Linux SSH servers with the ShellBot malware, and they have a new method for hiding their activity: using hexadecimal IP (Hex IP) addresses to evade behavior-based detection.

According to researchers at the AhnLab Security Emergency Response Center (ASEC), the threat actors are translating the familiar "dot-decimal" command-and-control URL formation (i.e., hxxp://39.99.218\[.\]78,) into a Hex IP address format (such as hxxp://0x2763da4e/), which most URL-based detection signatures won't parse or flag.

"IP addresses can be expressed in formats other than the dot-decimal notation, including decimal and hexadecimal notations, and are generally compatible with widely used Web browsers," according to the ASEC advisory on the Hex IP attacks. "Due to the usage of curl for the download and its ability to support hexadecimal just like Web browsers, ShellBot can be downloaded successfully on a Linux system environment and executed through Perl."

ShellBot, aka PerlBot, is a well-known botnet that uses dictionary attacks to compromise servers that have weak SSH credentials. From there, the server endpoint is marshalled into action to deliver distributed denial-of-service (DDoS) attacks or drop payloads like cryptominers on infected machines.

"If ShellBot is installed, Linux servers can be used ... for DDoS attacks against specific targets after receiving a command from the threat actor," ASEC explained. "Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server."

To protect their organizations from ShellBot attacks, administrators should simply up their password hygiene game, using strong passwords and making sure to rotate their hardened credentials on a regular basis.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

ShellBot Cracks Linux SSH Servers, Debuts New Evasion Tactic

The goal of the program is to uncover critical or important vulnerabilities within the AI-powered Bing program.

Microsoft has announced its AI bug-bounty program to encourage researchers worldwide to discover vulnerabilities within the Bing generative AI chatbot and AI integrations. Bounty rewards will range from $2,000 to $15,000 for qualified submissions.

Eligible participants must be at least 14 years old, with permission from a legal guardian if they are a minor, and an individual researcher. Should a participant be a public sector employee, the bounty award must go to the public sector organization and be signed by an attorney or executive responsible for its ethics policies. 

The scope of the bounty program extends to AI-powered Bing on bing.com, AI-powered Bing integration in Microsoft Edge, AI-powered Bing integration in the Microsoft Start app, and AI-powered Bing integration in the Skype Mobile app. Any vulnerabilities found in these integrations are qualified for submission and are eligible to win a reward.

Microsoft stated that the goal of the program is to uncover vulnerabilities that have a significant impact on the security of its customers within the AI-powered "Bing experience." When submitting a vulnerability, researchers must ensure that it has not been previously reported, is of critical or important severity as per the Microsoft Vulnerability Severity Classification for AI Systems, and is reproducible on the latest version of the product with clear steps as to how to reproduce the vulnerability. 

Further directions as to how to get started and enter a submission; specific information on different types of vulnerabilities and the winnings they have the potential to earn; research rules of engagement; and terms and conditions, are listed on Microsoft’s website.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Debuts AI Bug-Bounty Program, Offers $15K

Mandiant's John Hultquist says to expect anti-Israel influence and espionage campaigns to ramp up as the war grinds on.

Researchers are on the lookout for state-sponsored information operations springing from the Israel-Hamas conflict, but so far, no major initiatives have cropped up. Yet that could quickly change as more hacktivists and espionage actors enter the fray.

On a press call held this week, John Hultquist, chief analyst for Mandiant Intelligence at Google Cloud, said that so far, no "coordinated cyber activity" has been identified, but attacks are expected to increase over time as the situation continues. He called out distributed denial-of-service (DDoS) activity as a possible precursor to other types of political activity, naming Anonymous Sudan in particular as being active.

And meanwhile, he noted, expect disruptive threats begin to ramp up — or at least claims of critical infrastructure hacks.

**The Beginning of Influence Operations**

Information operations have twin definitions: They can refer to the collection of tactical information about an adversary, and/or the spread of propaganda in pursuit of a competitive advantage over an opponent.

On the latter front, Hultquist said two notable information operations campaigns have been identified so far. The first is related to Iran, which he said is "promoting narratives related to the crisis." In particular, this has involved Iranian posing as Egyptians to stir up historical hostilities in influence campaigns. In previous influence instances, groups have leveraged networks of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests, including anti-Israeli and pro-Palestinian themes.

The messages claim that Israel was humiliated by a small force, and that this exposed the weakness of one of the most advanced military superpowers, and that Israeli soldiers are now afraid of Hamas. Hultquist said these claims have not been validated, and merit "extreme skepticism."

Another information operation campaign being monitored is related to the Dragon Bridge campaign, which was identified last year as supporting the political interests of China. Hultquist said that it was seeing activity from multiple accounts associated with the Dragon Bridge campaign and that this is consistent with how the group follows news cycles and ongoing crises to portray the United States and its allies in a negative light.

In this instance, the accounts are amplifying the stance that the initial attack on Oct. 7 was a failing by the Israeli government, which didn't seem to be aware of the incoming attacks.

Hultquist said: "The silver lining is we haven't had any indication that it's getting major pickup or authentic traction, which is consistent with previous Dragon Bridge campaigns. It's one thing to broadcast these messages and create this content. It's quite another to actually penetrate the consciousness of everyday citizens."

**Beyond Influence Campaigns: Next Phase of Attacks**

Hultquist said that going forward, more espionage activity is expected, especially from actors related to Iran and Lebanon-based Hezbollah. He also said that he expects to see activity designed to look like financially motivated cybercrime, including extortion-based ransomware deployments where no money is collected, just a threat is made around data exfiltration and leaking.

"We have definitely seen Iranian actors do exactly that in Israel, and that's something that we're sort of anticipating," he said.

Meanwhile, threats and posturing against critical infrastructure will ramp up. Just this week, threat groups declared their intention to launch disruptive attacks against Israel, Palestine, and their supporters, while Anonymous Sudan claimed it attacked the Jerusalem Post. However, Hultquist did call out the amount of "dubious information" about the severity of such attacks, and noted that many claims to successfully hit major targets are just another form of influence activity.

"We're seeing threat actors take advantage of a tremendously confusing environment by lying about what they can do and what they've accomplished, or 'almost' accomplished because they recognize that these things are hard to validate by experts," he said. “By making these dubious claims that linger in the open without being validated or invalidated, they can still have the intended effect. We anticipate we'll see a lot of that in the coming days, and it could potentially have adverse psychological effects."

Gaza Conflict Paves Way for Pro-Hamas Information Operations

Apple, Google, and Microsoft are promoting passkeys as a solution for accounts recovery, but enterprises are slow-walking their adoption.

The growing support for passkeys means consumers and small businesses finally have an easy-to-use technology for passwordless access to websites and cloud applications, but enterprises will likely not see a usable form of the technology for some time yet.

The passwordless authentication approach, based on the FIDO Alliance's WebAuthn standard, allows developers to leverage the user device's authentication technology — such as FaceID and fingerprint sensors — to log into cloud services and Web applications. While WebAuthn resulted in many implementations, which added significant complexity for consumers, passkeys are supported by major Internet firms — including Apple, Google, and Microsoft — which dramatically simplifies their use for consumers.

Yet that usability, which could extend to cloud-native small businesses, does not allow for the control and attestation necessary for passkeys in large corporations, says Jasson Casey, CEO of Beyond Identity. Instead, passkeys will likely develop into a optional factor in their current public key infrastructure (PKI) or credential-based system.

"I honestly think it's going to be a love child of passkeys and PKI that ultimately businesses need," Casey says. "The really cool thing about passkeys is the idea that there's a well-defined interface between a browser or user agent and an actual authenticator that manages credentials and keys."

Major companies have pushed passkeys as a more secure way to sign into online accounts. In June, Google began allowing companies to switch their Workspace users over to passkeys rather than using passwords. On Oct. 10, the company began giving users the ability to make passkeys the default option across their personal accounts, prompting them to make the switch when they sign in.

Apple and Microsoft have both added support for passkeys in their hardware and software, with iOS, Mac OS, and Windows 11 all supporting the technology.

For companies, passkeys could eliminate some of the cost of improving managing identity and improving authentication, says Steve Won, chief product officer at 1Password, an identity and password management firm.

"I'm really optimistic that enterprise adoption will be totally tenable within the next decade," Won says. "I've talked to so many businesses that are like, holy crap, \[passkeys are\] basically usable certificates or ... usable Yubikeys. Certificates are such a nightmare to be able to handle, and on the Yubikey side, nobody wants to be in the business of managing hardware."

**The End of Phishing?**

Done right, passkeys could eliminate phishing attacks aimed at harvesting credentials because there are no passwords to steal. The specification, which aims for interoperability among the largest identify providers, allow a user's device to attest to their identity, using private and public keys to then log the user into a service.

A major sticking point was the issue of recovering the keys when a device is lost, says Beyond Identity's Casey.

"A passkey is actually anchored in an enclave on my device, so if I throw that device in the ocean because — I don't even need a reason — and I go buy a new device, how do I log back in? That was viewed as a major stumbling block for the B2C \[business-to-consumer\] community," he says.

Apple, Google, and Microsoft fix this problem by tying the keys to their services. A user who logs back into one of the services can then recover by being issued a new set of keys.

Despite the promise of phishing resistance and doing away with shared secrets, businesses are still hesitant to commit to passkeys, says Andras Cser, vice president and principal analyst at Forrester Research.

"We still see zero to minimal adoption in the market," he says. "Service providers — \[such as\] retailers, healthcare orgs, \[and financial services\] companies — are concerned about device attestation and presence of the person authenticating."

**Companies Need More Than Passkeys**

The problems faced by enterprises are different. For companies, passkeys hold the promise of providing a standardized PKI as a way of interacting with online resources, as long as four requirements are met, says Casey. The system has to guarantee that keys cannot move; it solves the recovery problem for lost devices; it works across all sorts of devices, browsers, and online services; and it provides companies with centralized policy management for devices.

"An effective passkey system is going to have a distributed, automated PKI system under the hood that is providing similar security guarantees but without requiring you to actively manage the service ... regardless of whether the device is managed or BYOD devices," Casey says. "Classical PKI systems don't do any of that for you, not without a huge administrative burden."

While some small businesses may mandate the use of passkey, companies will more likely offer the technology as an authentication option for their customers.

**Another Zero-Trust Possibility**

If passkey providers and identity and access management (IAM) companies solve the enterprise-use problems of passkeys, they could take off in business. While consumers need easy-to-use services, companies can mandate that their employees use a specific technology, even if that technology has a learning curve or adds some steps to daily workflows, says Ian Hassard, senior director of product management at Okta, a single sign-on provider.

"If you look at customer identity being focused around balancing security and friction, because if you have too much friction, people don't buy your products," he says. "But in workforce identity, if you're managing your workforce, you have a bit more of a captive audience in the sense of, you can apply more friction to ensure a higher level of assurance and security."

Okta, for example, focuses on the management of identities, access privileges, and ensuring the user's device has the proper security controls in place and does not show signs of compromise, says Hassard. These are all foundational for a zero-trust approach to security.

"You want that assurance that the device is not compromised," he says. "Because obviously a lot of this technology is great until the client device is completely owned, and that's not a good thing."

Passkeys Are Cool, but They Aren't Enterprise-Ready

The writers' strike shows that balancing artificial intelligence and human ingenuity is the best possible outcome for creative as well as cybersecurity professionals.

In the wake of the Writers Guild of America's (WGA) momentous five-month strike, one thing is abundantly clear: The creative industry stands at a crossroads where technology and human creativity must learn to coexist harmoniously. The strike, one of Hollywood's longest labor disputes, has finally drawn to a close, and its implications extend far beyond the glitzy confines of Tinseltown. At its core, this dispute revolved around the role of artificial intelligence (AI) in creative processes, a topic that demands thoughtful consideration as we navigate the uncharted territory of AI's vast potential in many sectors, including cybersecurity.

The crux of the matter lay in writers' concerns that studios could leverage AI to diminish writers' role in the creative process, and thus, their earnings and artistic recognition. The approved agreement, which bans the independent or exclusive use of AI for writing, rewriting, or crafting source material for scripts, marks a significant victory for writers' rights. It ensures that writers will be duly credited for their creative contributions, irrespective of whether they choose to leverage AI for the creative process. This provision sets a vital precedent for industries worldwide, reinforcing the principle that AI should be a tool that enhances, rather than replaces, human creativity.

**Putting AI's Power to Work, From Art to Cybersecurity**

It is important to acknowledge the undeniable power of AI across a wide variety of domains, especially as it relates to its unparalleled ability to automate routine tasks and increase efficiency. While the WGA and Screen Actors Guild — American Federation of Television and Radio Artists (SAG-AFTRA) strikes are among the first formal, organized forms of backlash against AI's potential for disruption, the possibility for rapid and transformational change is by no means limited to Hollywood.

Take, for instance, the realm of cybersecurity — and more specifically, phishing detection and remediation — where AI algorithms are already being used to swiftly and effectively identify malicious activities and intercept potential threats. These AI-driven systems analyze vast datasets and identify patterns that are often too complex for human operators to process alone. Armed with this information, the AI-driven systems are then able to reliably and efficiently prevent attacks that may otherwise have slipped through traditional defenses unnoticed.

This technology has undoubtedly elevated our ability to combat cyber threats efficiently. However, just as the WGA argued in its collective bargaining efforts, we must also acknowledge AI's inherent limitations. While AI can excel in pattern recognition and automation of repetitive tasks, it lacks the nuanced understanding, intuition, and emotional intelligence that human beings possess. AI's greatest value in the fight against cybercrime will be its ability to automate away routine tasks, making existing security professionals more efficient, and assist humans in the fight against cybercrime. It will also help make those who aren't security professionals become assets, rather than liabilities.

However, it lacks the higher-level executive capabilities required to judge things like context, intent, and significance. And, as a result, AI tools can be prone to false positives and negatives, which can have serious consequences, particularly in fields where human lives, creativity, or reputation are at stake. This is precisely why human backup is essential whenever AI is in use.

**Striking a Balance Between AI and Human Ingenuity**

The Hollywood writers' strike exemplifies the delicate balance that must be struck between AI and human creativity. The new contract wisely allows writers to use AI tools, provided they are agreeable and informed, without forcing them into AI's embrace. It mandates transparency, ensuring that writers are aware when AI-generated materials are used in their projects. This approach respects the capabilities of AI while safeguarding the irreplaceable essence of human creativity and judgment.

In essence, AI should be viewed as a powerful ally, augmenting our abilities and amplifying our potential. But it should never be allowed to undermine the spirit of human creativity and the irreplaceable role it plays in our cultural, artistic, and business landscapes. The Hollywood Writers Guild has set an important precedent that other unions and industries should heed, securing the rights of workers and preventing them from being supplanted by AI.

The future undoubtedly belongs, in part, to AI, but it also belongs to those who recognize the irreplaceable value of human ingenuity. The most powerful stories, the most profound works of art, and the most impactful technological innovations will always emerge from the singular minds of human beings. While AI represents a very powerful, very exciting addition to humanity's ever-expanding arsenal of creative enablers, it should never be confused for a replacement for the primary source, human ingenuity. With this understanding, we can create a brighter future for all.

Artificial intelligence has the awesome potential for augmenting human creativity and decision making, but never replacing it. Its greatest potential lies in empowering humanity and democratizing our ability to express ourselves in new and unimagined ways. The sooner we, as a society, embrace this role for AI, the sooner we can get over our fears and begin reaping the immense opportunities it has to offer.

What the Hollywood Writers Strike Resolution Means for Cybersecurity

Finding the right post-quantum cryptographic (PQC) algorithms is necessary, but not sufficient, to future-proof cybersecurity.

The quantum threat to cybersecurity is easy enough to state. A quantum computer of sufficient size can efficiently factor integers and compute discrete logarithms by Shor's algorithm, breaking much of the public-key cryptography in use today, including Rivest–Shamir–Adleman (RSA) and elliptic curve cryptography (ECC). Vulnerable public-key cryptography permeates all layers of the stack, creating a pressing need for post-quantum cryptography (PQC) — public-key algorithms that can protect against quantum computing threats.

Security analysis of the National Institute for Standards and Technology (NIST) candidate algorithms for PQC standardization suggests the need for cryptographic agility, meaning the ability to easily change the underlying cryptographic algorithms or implementations. For example, in the third and fourth rounds of the NIST algorithm evaluation process, experts developed novel attacks against the GeMSS and Rainbow digital signature schemes and the KEM candidate SIKE, causing their elimination from consideration. And recent research demonstrated a side-channel attack on Crystals-Kyber — one of the four algorithms NIST selected for standardization.

In a few years' time, it is unlikely that PQC algorithms and implementations will look exactly as they do now. However, organizations cannot afford to wait to begin the migration to PQC. A breakthrough in quantum computing research could mean that a quantum computer with enough power to break current public-key cryptography gets deployed before organizations have fully inventoried and upgraded all instances of vulnerable cryptography in all internal and third-party applications. Cryptographic orchestration — the ability to centrally view and manage the use of cryptography throughout an enterprise — needs to be a near-term strategy to address security and compliance at scale.

**The Importance of Agility**

The typical deployment model for cryptography is highly decentralized and fragmented, with cryptography coupled directly to end applications and provided by a mix of platform- or language-specific libraries. This model, in turn, leads to reduced visibility and agility. As a result, it is no wonder that a recent memo from the NSA sets a target date of 2035 for the migration to PQC — over 10 years from now.

To balance the need to begin migration now with the realities of an immature ecosystem, organizations should pursue PQC solutions that are agile. Fundamentally, cryptographic agility for a library, protocol, or application means the ability to swap out the cryptographic algorithms or implementations in use with minimal disruption. A cryptographically agile system can rapidly respond to novel cryptanalysis or implementation bugs by easily swapping out or upgrading vulnerable cryptography. Cryptographic agility also allows systems to take advantage of new implementations that are faster or use less memory.

Cryptographic agility, however, should not be the end of the story. Just as with previous transitions — from DES to AES, MD5 to SHA-1, and SHA-1 to SHA-2 — cryptographic algorithms have a life cycle that includes improved iterations and occasionally a phase-out stage. To future-proof their security, organizations should look to develop or integrate solutions with cryptographic orchestration — a single system interface to track and manage the cryptography in use by applications and devices throughout the entire algorithm life cycle.

**Why Orchestration Matters**

The idea of cryptographic orchestration mirrors software-defined networking (SDN) in computer networking. Managing a traditional IP network is a time-intensive, error-prone process that involves manually configuring switches, routers, and middleboxes using vendor-specific tools or command-line interfaces.

The innovation of SDN is a layer of middleware that abstracts away the low-level details of the switches and routers responsible for forwarding packets and exposes an abstract interface at the network policy level. The middleware ensures that the low-level elements implement a given policy. With SDN, implementing dynamic routing policies at scale becomes a tractable problem.

Cryptographic orchestration applies a similar level of abstraction and automation on top of the low-level entities executing cryptographic protocols or algorithms to expose an interface for cryptographic policy. By working at the level of policy, orchestration can also ease the burden for organizations to meet current and future regulatory and compliance requirements at scale.

In the migration to PQC, consider that any compliance target, such as FIPS 140-2, that references vulnerable public-key cryptography will have to change with the quantum threat. Cryptographic orchestration makes such tasks much easier by providing visibility into which algorithms, key sizes, key rotation policies, or entropy sources any instance of cryptography is using, in addition to providing the means to easily swap out vulnerable or noncompliant instances. Orchestration will become even more important as the number of devices and applications in an organization increases due to computing trends such as "bring your own device" (BYOD) and the Internet of Things (IoT).

**PQC Lessons for Enterprise**

Overall, the migration to PQC brings a couple of key considerations for enterprise security to the forefront. First, the PQC standardization process is still ongoing. Experts continue to attack and probe the candidates, while submission teams look to patch deficiencies and optimize implementations in software and hardware. In the short term, the shifting PQC landscape requires cryptographic agility in libraries, protocols, and applications to securely navigate the migration away from vulnerable public-key algorithms.

Second, the PQC process more broadly reminds us that cryptographic algorithms have a life cycle. Classical public-key algorithms are nearing the end of their life cycle, whereas most of the PQC algorithms are still at the beginning. No one can foresee if a new classical or quantum attack will make a particular algorithm obsolete and require yet another migration — or if another technology as disruptive as quantum computing is on the horizon. Consequently, it is critical that we engineer systems that can adequately respond to new developments. Orchestrated and agile cryptography is a vision to achieve this lofty goal and empower organizations to meet security, regulatory, and compliance goals at scale.

Though the PQC migration represents a major challenge for organizations across government and industry, it also represents a fantastic opportunity to shift the enterprise cryptography paradigm toward one of agility and orchestration.

Source

DARKReading