Despite warnings from Health-ISAC and the NCC Group, the remote access software maker says defense-in-depth kept customers' data safe from Midnight Blizzard.

Source: Tuta via Alamy Stock Photo

This week, TeamViewer said that while the Russian group APT29, aka Midnight Blizzard, managed to access its corporate network, the threat actors were limited to the company's internal IT network because of "strong segmentation" between its environments. Thus, no customers were affected.

In public statements on June 27 (reiterated today), the German maker of remote desktop software said, "\[W\]e keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our 'defense in-depth' approach."

Defense-in-depth is a set of basic techniques, including network segmentation, that the US government consistently urges people to implement. Others include network monitoring, multifactor authentication, and access control lists.

Even so, because of the potential mischief a bad actor with desktop access can wreak, TeamViewer users should up their security game, according to industry groups. The NCC Group, which originally issued a warning under an amber/limited classification but then changed it to green/public, advised its customers that, while awaiting final confirmation of the extent of compromise, they remove TeamViewer from their systems if possible and closely monitor hosts that had the application installed if not.

The Health Information Sharing and Analysis Center (H-ISAC) meanwhile issued similar advice to the healthcare sector, adding that organizations should implement two-factor authentication (2FA) and allowlists/blocklists to control who gets to access systems via TeamViewer.

Stakes are particularly high for remote access application security because of the legitimate access to users' systems such software provides. In January, Huntress reported that two hacking attempts started with TeamViewer instances, and there is a long history of attackers using remote desktop software to implant malware. The apparently limited impact of the latest incident shows the value of defense-in-depth techniques to limit the effect of intrusions.

**About the Author(s)**

TeamViewer Credits Network Segmentation for Rebuffing APT29 Attack

PRESS RELEASE

SAN FRANCISCO, June 26, 2024 /PRNewswire/ -- Ballistic Ventures, the venture capital firm dedicated exclusively to funding and incubating entrepreneurs and innovations in cybersecurity, is pleased to announce that co-founder Kevin Mandia is now General Partner.

Mandia is one of the world's most recognized experts in cybersecurity, known for his relentless efforts to fight cyber threats for more than 30 years. In 2004, he founded renowned cybersecurity firm Mandiant, serving as CEO from 2004 to 2013, when Mandiant Corporation was acquired by FireEye. Mandia took the helm as CEO of FireEye in 2016, guiding the company through a divestiture and corporate name change to Mandiant, Inc. in 2021, and through a successful acquisition by Google in 2022. Mandia recently transitioned to an advisory role within Google Cloud, and he continues to sit on the Google Public Sector board.

In 2023, Mandia was appointed by President Biden to serve as a member of the National Security Telecommunications Advisory Committee (NSTAC). He is also a member of the Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Advisory Committee. Previously, he held senior positions in the security consulting divisions of Sytex, acquired by Lockheed Martin, and Foundstone, acquired by McAfee. He also served in the United States Air Force as a computer security officer at the Pentagon, and later as a special agent in the Air Force Office of Special Investigations.

"I am very excited to dedicate more of my energy to Ballistic Ventures, and I especially look forward to working with the entrepreneurs who are shaping the future of cybersecurity," said Mandia.

Ballistic Ventures was co-founded in 2021 by Mandia and General Partners Barmak Meftah, Ted Schlein, Jake Seid and Roger Thornton. While CEO of Mandiant (now part of Google Cloud), Mandia jointly served as Co-founder and Strategic Partner at Ballistic, leading the firm's investment in SpecterOps, the Attack Path Management company, where he is an Observer to the company's Board of Directors. Mandia also served as the second investing partner for five of the VC firm's 18 investments to date, and is a Board Observer to portfolio company Alethea, the disinformation detection and mitigation company.

"We're excited to have Kevin as a General Partner at Ballistic," said Schlein. "Kevin's expertise in the cybersecurity industry is unparalleled, and his knowledge of the market and customer set is unmatched."

As General Partner, Mandia will draw from his extensive knowledge of the threat landscape and expertise as a successful founder and CEO to expand his investments within the firm and continue to mentor entrepreneurs and scale companies across the Ballistic portfolio.

Mandia's move to General Partner comes on the heels of Ballistic Ventures announcing the close of its $360 million oversubscribed second fund. The firm is actively looking to deploy the new capital in novel innovations led by passionate cybersecurity entrepreneurs.

About Ballistic Ventures  
Ballistic Ventures is a venture capital firm solely dedicated to early-stage cybersecurity and cyber-related companies. The partners have spent their entire careers defending against every cyber threat conceivable. Members of the firm have founded, operated, and funded over 100 successful cybersecurity firms – including Abnormal Security, AlienVault, ArcSight, Fortify, Mandiant, and Shape Security – led over 10,000 security professionals globally, and have 40+ years of experience in venture capital. The Ballistic portfolio includes Aembit, Alethea, ArmorCode, AuthMind, Codezero, Concentric AI, Mimic, Nudge Security, Oligo, Pangea, Perygee, Reach Security, SpecterOps, Talon (PANW), Veza and WitnessAI. Our experience provides entrepreneurs impactful support from people focused on the same mission. Our networks and relationships open doors for our founders. Learn more at ballisticventures.com.

Cybersecurity Veteran Kevin Mandia Named General Partner of Ballistic Ventures

The company is urging users running vulnerable versions to patch CVE-2024-5655 immediately, to avoid CI/CD malfeasance.

Source: Bill Crump via Alamy Stock Photo

A critical GitLab vulnerability could allow an attacker to run a pipeline as another user.

GitLab is a popular Git repository, second only to GitHub, with millions of active users. This week, it released new versions of its Community (open source) and Enterprise Editions.

The updates include fixes for 14 different security issues, including cross site request forgery (CSRF), cross site scripting (XSS), denial of service (DoS), and more. One of the issues is deemed of low severity according to the Common Vulnerability Scoring System (CVSS), nine are of medium severity, and three are high — but there's also one critical bug with a CVSS score of 9.6 out of 10.

**CVE-2024-5655 Offers Critical Threat to Code Development**

That critical one, CVE-2024-5655, affects GitLab versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, according to the company. It enables an attacker to trigger a pipeline as another user, but only under circumstances which GitLab did not elaborate on (nor did it provide any other information about the vulnerability).

A pipeline automates the process of building, testing, and deploying code in GitLab. Theoretically, an attacker with the ability to run pipelines as other users can access their private repositories, and manipulate, steal, or exfiltrate sensitive code and data contained therein.

Unlike with CVE-2023-7028 — a 10 out of 10 account takeover bug known to have been exploited earlier this Spring — GitLab has thus far found no evidence of CVE-2024-5655 exploits in the wild. Though, that could quickly change.

**A Compliance Issue, Not Just Security**

 Issues rooted deep in the development process like CVE-2024-5655 can sometimes cause headaches beyond the simple risk they pose on paper.

"In a worst-case scenario, this vulnerability doesn't even have to be exploited to cost companies money in lost revenue," says Jamie Boote, associate principal consultant at Synopsys Software Integrity Group. The mere fact that a software or software-driven product was built using a vulnerable version of GitLab could itself be cause for concern.

"Pipeline vulnerabilities like this can not only pose a security risk but a regulatory and compliance risk as well. As US companies are working towards compliance with the Self-Attestation Form requirements that they need to meet to sell software and products to the US Government, not addressing this vulnerability could lead to a compliance gap which could put sales and contracts at risk," he explains. In particular, he points to line item 1c in Section III of the US Department of Commerce's Secure Software Development Attestation Form Instructions, which requires "Enforcing multi-factor authentication and conditional access across the environments relevant to developing and building software in a manner that minimizes security risk."

"Compliance with item 1c is in jeopardy for companies who don't address this vulnerability as an exploit would allow attackers to bypass those conditional access controls that companies are relying on for compliance," he concludes.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Critical GitLab Bug Threatens Software Development Pipelines

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps.

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**Your Phone's 5G Connection Is Vulnerable to Bypass, DoS Attacks**

By Nate Nelson, Contributing Writer, Dark Reading

Wireless service providers prioritize uptime and lag time, occasionally at the cost of security, allowing attackers to take advantage, steal data, and worse.

At the upcoming Black Hat 2024 in Las Vegas, a team of seven Penn State University researchers will describe how hackers can go beyond sniffing your Internet traffic by literally providing your Internet connection to you (over 5G). From there, spying, phishing, and plenty more are all on the table.

The Penn State researchers have reported all the vulnerabilities they discovered to the respective 5G mobile vendors, which have all since deployed patches.

A more permanent solution, however, would have to begin with securing 5G authentication. As Hussain says, "If you want to ensure the authenticity of these broadcast messages, you need to use public key infrastructure (PKI). And deploying PKI is expensive — you need to update all of the cell towers. And there are some non-technical challenges. For example, who will be the root certificate authority of the public keys?"

Read more: Your Phone's 5G Connection Is Vulnerable to Bypass, DoS Attacks

Related: Black Hat USA 2024 Sessions Agenda

**Dark Reading Confidential: Meet the Ransomware Negotiators**

Episode 2: Incident response experts-turned-ransomware negotiators Ed Dubrovsky, COO and managing partner of CYPFER, and Joe Tarraf, chief delivery officer of Surefire Cyber, explain how they interact with cyber threat actors who hold victim organizations' systems and data for ransom. Among their fascinating stories: how they negotiated with cybercriminals to restore operations in a hospital NICU where lives were at stake, and how they helped a church, where the attackers themselves "got a little religion."

Listen now: Meet the Ransomware Negotiators

Visit the podcast archive, available here.

**DR Global: China-Linked Cyber-Espionage Teams Target Asian Telecoms**

By Robert Lemos, Contributing Writer, Dark Reading

In the latest breaches, threat groups compromised telecommunications firms in at least two Asian nations, installing backdoors and possibly eavesdropping or pre-positioning for a future attack.

Tools from a trio of China-linked groups — Fireant, Neeedleminer, and Firefly — were used to compromise telecommunications companies in at least two Asian nations, according to an analysis published by technology giant Broadcom's Symantec cybersecurity division. The groups — also known as Mustang Panda, Nomad Panda, and Naikon, respectively — previously have been associated with widespread attacks against a variety of countries in the Asia-Pacific region.

Attackers see telecommunications companies as a strong launchpad from which to compromise other systems, eavesdrop on communications, or cybercrime

"There's the potential for eavesdropping and surveillance but also, because telecoms is critical infrastructure, you could create significant disruption in your target country," says Dick O'Brien, principal threat intelligence analyst for Symantec's threat hunter team. "We think that there is a distinct possibility that the motive for these attacks was similar to what the US government has been repeatedly warning about."

Read more: China-Linked Cyber-Espionage Teams Target Asian Telecoms

Related: Japan, Philippines & US Forge Cyber Threat Intel-Sharing Alliance

**Key Takeaways From the British Library Cyberattack**

Commentary by Steve Durbin, CEO, Information Security Forum

Knowledge institutions with legacy infrastructure, limited resources, and digitized intellectual property must protect themselves from sophisticated and destructive cyberattacks.

In October 2023, the British Library underwent a crippling cyberattack that cost the library £7 million (US$8.9 million) in recovery costs, or about 40% of its reserve budget. Although the online catalogue was restored in January, full recovery is not expected before the end of the year.

The British Library ransomware attack is a wake-up call for all knowledge institutions, libraries, and government-funded organizations that have similar risks in terms of legacy infrastructure, limited resources, and a significant portion of their intellectual property and research existing in a digital format. Such organizations should follow best practices to help protect themselves from sophisticated and destructive cyberattacks.

The institution issued a report outlining details of the attack and sharing valuable lessons, which include:

1.  Assess your technical debt;
    
2.  Maintain a holistic view of cyber-risk;
    
3.  Practice good information governance;
    
4.  And, adopt a defense-in-depth approach.
    

Read more on the lessons learned: Key Takeaways From the British Library Cyberattack

Related: Enhancing Incident Response Playbooks With Machine Learning

**The NYSE's $10M Wake-up Call**

Commentary by Jeffrey Wells, Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

The settlement between the SEC and the owner of the New York Stock Exchange is a critical reminder of the vulnerabilities within financial institutions' cybersecurity frameworks as well as the importance of regulatory oversight.

In 2018, a severe cyberattack on a subsidiary of Intercontinental Exchange Inc. (ICE), the owner of the New York Stock Exchange (NYSE), exposed highly sensitive information. The SEC's subsequent investigation revealed that ICE failed to implement adequate cybersecurity measures, compromising its systems.

As a result, ICE was required to pay a $10 million settlement. This incident is a stark reminder of the critical need for robust cybersecurity practices, particularly for entities handling such vital financial data.

The primary accountability lies with ICE, which neglected to enforce stringent cybersecurity protocols. The SEC's findings indicate that ICE's subsidiary had multiple vulnerabilities that must be addressed adequately. This lack of preparedness is a significant breach of fiduciary duty to protect sensitive financial information.

However, the $10 million fine, while significant, raises questions about whether it is enough to deter future negligence by major financial institutions.

Read more: The NYSE's $10M Wake-up Call

Related:  Don't Forget to Report a Breach: A Cautionary Tale

**CISA Releases Guidance on Network Access, VPNs**

By DR Techology Staff

CISA outlines how modern cybersecurity relies on network visibility to defend against threats and scams.

The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and similar entities in New Zealand, has issued guidance on modern approaches to network access security.

With the growing number of breaches and data incidents, organizations need to be thinking about, and planning to adopt, modern firewall and network access management technologies to gain visibility over the network.

CISA lays out three specific approaches its guidance: zero trust, secure service edge (SSE), and secure access service edge (SASE).

Read more: CISA Releases Guidance on Network Access, VPNs

Related: Attackers Target Check Point VPNs to Access Corporate Networks

CISO Corner: The NYSE &amp; the SEC; Ransomware Negotiation Tips

Despite more than 50% of all open source code being written in memory-unsafe languages like C++, we are unlikely to see a massive overhaul to code bases anytime soon.

A comprehensive new study has unearthed fresh details on the extensive and troubling use of memory-unsafe code in major open source software (OSS) projects.

However, the chances that fresh insight on a long known issue will spur any immediate changes to the software landscape remain bleak, given just how enormous, costly, and complex the task is of rewriting codebases entirely in memory-safe code.

Memory-unsafe programming languages such as C and C++ allow programmers to have more direct control over memory-related functions in code, which can often lead to very common application security issues like buffer overflows and use-after-free errors. Such flaws represent a large proportion of all vulnerabilities in modern application software. In contrast, memory-safe languages — the most common examples of which include Rust, Python, Java, and Go —offer guardrails such as built-in runtime and compile time checks to mitigate against common memory related errors.

**Most OSS Projects Contain Memory-Unsafe Code**

The US Cybersecurity and Infrastructure Security Agency (CISA) along with the FBI and counterparts at the Australian Cyber Security Centre and the Canadian Centre for Cyber Security this week released a report summarizing the results of their investigation into the use of memory-unsafe code in OSS.

The findings, while troubling, are not entirely unexpected given past data on the extensive use of memory-unsafe languages in almost all modern codebases. Fifty-two percent of the 172 major open source projects that the research authors looked at contained code written in a memory-unsafe language. More than half (55%) of the total lines of code in all the projects combined were written in a memory-unsafe language, with the larger projects being the worst culprits.

Some 95% of the total lines of code in Linux for instance are memory-unsafe. For MySQL Server, that number was 84%; for TensorFlow it was 64%; for Zephyr 84%; and for Chromium 51%. On average, 26% of the total lines of code in the 10 largest open source projects consisted of memory-unsafe code. Even projects written in memory-safe languages were at risk from dependencies on unsafe components.

"Most critical open source projects analyzed, even those written in memory-safe languages, potentially contain memory safety vulnerabilities," the report noted. "This can be caused by direct use of memory-unsafe languages or external dependency on projects that use memory-unsafe languages."

In addition, the tendency — and often the need — to disable memory-safety features to accommodate functional requirements in applications can often neutralize the benefits of using otherwise memory-safe languages.  

"These limitations highlight the need for continued diligent use of memory safe programming languages, secure coding practices, and security testing," the report authors noted.

**CISA Consistent With Previous OSS Data**

The findings are consistent with numerous previous studies that have examined the extensive problems tied to the use of memory-unsafe languages.  

And indeed, concerns over the ubiquity of the problem have prompted calls for change over the years. The most recent is a February 2024 technical report from the White House that urged industry stakeholders to go back to the building blocks and start over with using memory safe code in all software. In 2022, the US National Security Agency (NSA) urged software makers and all organizations developing software to consider adopting memory-safe languages to reduce risk from memory management related software issues in modern code bases. The continued pounding away at the topic over the years has spurred some change, but most expect it will take years — if not even decades — for a whole scale shift to memory-safe languages to happen.

"Adopting memory-safe code is challenging, primarily because changing a programming language often requires a complete rewrite of existing code," says Neatsun Ziv, CEO and Co-Founder of OX Security. The cost and effort required to undertake such a massive overhaul without significant economic incentives will likely make any change, a slow process.

**Making the World Memory-Safe: A Huge & Complex Challenge**

Omkhar Arasaratnam, general manager at OpenSSF says memory safety issues aren't specifically a problem for either open or closed-source software. It's a problem in general for all modern software.

"There are many memory-safe languages available today like JavaScript, Python, and Java, but software engineers often use memory-unsafe older languages like C/C++ for performance or low-level hardware access," he says.

Also, while Rust has emerged as a viable alternative to C/C++ for low level systems programming in recent years, there are many embedded systems and safety-critical applications for which Rust is not appropriate, he adds.

"While it is certainly possible to write memory-safe code in a memory-unsafe language, 25 years of CVEs tells us it is highly unlikely," Arasaratnam says. "It is not that people are bad programmers, but defensively writing code that is memory-safe in a memory-unsafe language is very difficult," he notes. As newer projects adopt memory-safe languages, expect the use of memory-unsafe languages to decrease over time, in all but niche applications.

Tim Mackey, head of software supply chain risk strategy at Synopsys Software Integrity Group, says the new report does a good job showing how some major open source software projects such as Kubernetes and WordPress are authored in a memory-safe language. However, there are other issues that remain unexplored, he says. For example, it would be interesting to know if memory-safe languages are being used in new projects on GitHub, and whether memory-safe libraries are being used as dependencies in larger projects.

"We can safely say that awareness of memory safe languages is growing, but is it growing at a rate that would displace older languages? For example, are the creators of new embedded software solutions using C++ or Rust, and to what degree?"

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CISA's Flags Memory-Unsafe Code in Major Open Source Projects

Though the Chicago-area hospital did not pay a ransom, a host of sensitive medical information is now at risk.

Source: Helen Sessions via Alamy Stock Photo

A full 791,000 of patients have had their personal information compromised in a cyberattack that resulted in Lurie Children's Hospital in Chicago taking its systems offline.

Cybercriminals accessed the children's hospital's systems, disrupting its patient portal, communications, and ability to access medical records.

In a data breach notification this week, the hospital cited the investigation as ongoing and said that the threat actors accessed the systems between Jan. 26 and 31, 2024.

Once the hospital went offline, it implemented standard response procedures, including its downtime procedures, though it has remained open throughout the duration of the investigation thus far.

While still determining the nature and scope of the attack, the hospital said, information "relating to certain individuals, such as name, address, date of birth, dates of service, driver's license number, email address, health claims information, health plan, health plan beneficiary number, medical condition or diagnosis, medical record number, medical treatment, prescription information, Social Security number, and telephone number, was impacted," though it varies depending on the individual.

The hospital's notice did not specifically say that it was the victim of a ransomware attack, but it noted that the hospital did not pay a ransom of any kind.

"Experts have advised that making a payment to cybercriminals does not guarantee the deletion or retrieval of data that has been taken," according to the hospital.

The cybercriminals in question are in the Rhysida ransomware gang, which has claimed responsibility of the attack, listing the hospital on its website and the apparent 600GB it claims to have stolen as "sold."

The hospital is in the process of informing affected individuals and is providing 24 months to Experian Identity Works. A call center is available to address questions and concerns about the information released on the cyberattack as well.

Hundreds of Thousands Impacted in Children's Hospital Cyberattack

The ransomware group claimed it had breached the Federal Reserve, but the target now appears to have been an Arkansas-based bank, Evolve.

Source: Anthony Pierce via Alamy Stock Photo

Evolve Bank, a financial institution headquartered in Arkansas, was the victim of an attack by the LockBit ransomware group which resulted in a data leak onto the Dark Web this week.

LockBit had drawn attention to itself earlier this week after claiming to have hacked the US Federal Reserve.

The announcement was seen by some within the IT security community as a bold — some used the word "desperate"­ — comeback attempt following the recent, high-profile law enforcement takedown of the ransomware giant. 

After publishing a post on its data leak site threatening to release "33 terabytes of juicy banking information containing Americans' banking secrets" if a ransom was not paid, LockBit then released some of the data, which was actually stolen from Evolve.

"It appears these bad actors have released illegally obtained data, including personal identification information (PII), on the Dark Web," according to an Evolve statement. "The data varies by individual, but may include your name, Social Security number, date of birth, account information and/or other personal information."

The statement noted the company had contacted law enforcement authorities as part of the bank's investigation and response efforts.

"Based on what our investigation has found and what we know at this time, we are confident this incident has been contained and there is no ongoing threat," the statement said.

The company added that retail banking customers’ debit cards, online, and digital banking credentials did not seem to be affected by the breach.

"Those credentials appear to be secure," a statement said.

**Evolve Already Target of Fed Action**

Earlier this month, the Federal Reserve Board issued an enforcement action against Evolve Bancorp and Evolve Bank & Trust, accusing the company of deficiencies in their anti-money laundering, risk management, and consumer compliance programs.

"Examinations conducted in 2023 found Evolve did not maintain an effective risk-management program or controls sufficient to comply with anti-money laundering laws and laws protecting consumers," the Fed statement read.

Stephen Gates, principal security SME for Horizon3.ai, said in an emailed statement that once an organization experiences a breach, and the smoke begins to clear, the biggest decision is what to do next.

"Everything in the networking environment is now suspect, possibly riddled with other exploitable vulnerabilities and weaknesses that likely remain hidden," he said.

That means that teams must find the attack path that allowed the breach to happen, and they need to uncover other attack paths that could enable it to happen again.

"Now is the time to thoroughly assess the entire networking environment, both on-premises and cloud, but that could take months if not longer," Gates said.

**Financial Sector Defenses Must Evolve**

Piyush Pandey, CEO at Pathlock, says the recent enforcement action against Evolve Bancorp underscores the critical importance of robust sensitive data and application access controls within financial institutions.

"As traditional banking continues to intersect with innovative fintech solutions, maintaining stringent identity and access controls is a must," he says.

He also points out that the interconnectedness and complexity of supply chains in the financial sector increases the difficulty of managing and securing third-party access.

"Given how highly regulated the financial sector is with regards to data protection and privacy, ensuring that third-party vendors comply with these regulations is crucial, yet challenging," Pandey explains.

He adds that by focusing on rigorous controls testing and enforcement, including stringent management of third-party identities and access, financial institutions can significantly strengthen their security posture, protect sensitive data, and ensure compliance with regulatory requirements.

"This proactive approach not only safeguards customer data — and trust — but also enhances the institution's overall resilience against these types of attacks," Pandey says.

Narayana Pappu, CEO at Zendata, notes that financial and medical institutions store significant amount highly sensitive data with significant monetary impact for exposed organizations.

"Therefore, it makes sense that organizations like LockBit are going after this information," he says.

From his perspective, data minimization — not capturing or storing data that is not needed — would help these institutions significantly.

"The trend to date has been to capture, store and make multiple copies of information that is not really needed to run the business," Pappu says. "Just 5% of data collected is properly labeled and governed, for example."

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

LockBit Attack Targets Evolve Bank, Not Federal Reserve

There is an extreme lack of evidence of AI-related danger, and proposing or implementing limits on technological advancement isn't the answer.

Aaron Rosenmund, Senior Director of Content Strategy and Curriculum, Pluralsight

June 28, 2024

4 Min Read

Source: Mopic via Alamy Stock Photo

COMMENTARY

Skynet becoming self-aware was the stuff of fiction. Despite this, reports that stoke apocalyptic fears about artificial intelligence (AI) appear to be on the uptick. Published insights on AI need to be handled and reported responsibly. It is a disservice to us all to showcase survey findings in a way that invokes the doomsday endgame brought on by the non-human antagonists of the Terminator films. 

Earlier this year, a governmentwide action plan and report was released based on an analysis that AI may bring with it catastrophic risks, stating AI poses "an extinction-level threat to the human species." The report also finds that the national security threat AI poses likely will grow if tech companies fail to self-regulate and/or work with the government to reign in the power of AI. 

Considering these findings, it's important to note that survey results are not grounded in scientific analysis, and published reports are not always backed by a thorough comprehension of AI's underlying technology. Reports focusing on AI that lack tangible evidence to back up AI-related concerns can be viewed as inflammatory rather than informative. Furthermore, such reporting can be particularly damaging when it's provided to governmental organizations that are responsible for AI regulation.

Beyond conjecture, there is an extreme lack of evidence of AI-related danger, and proposing or implementing limits on technological advancement is not the answer. 

In that report, comments like "80% of people feel AI could be dangerous if unregulated" prey upon our country's cultural bias of fearing what we don't understand to stoke flames of concern. This kind of doom-speak may gain attention and garner headlines, but in the absence of supporting evidence, it serves no positive goal.

Currently, there's nothing to point to that tells us future AI models will develop autonomous capabilities that may or may not be paired with human-aimed catastrophic intent. While it's no secret that AI will continue to be a highly disruptive technology, this does not necessarily mean it will be destructive to humanity. Furthermore, AI as an assistive tool to develop advanced biology, chemistry, and/or cyber weaponry is not something that the implementation of new US policies or laws will solve. If anything, such steps are more likely to guarantee that we'd end up on the losing side of an AI arms race.

**The AI That Generates a Threat Is the Same AI That Defends Against It**

Other countries or independent entities who intend harm can develop destructive AI-based capabilities outside of the reach of the US. If forces beyond our borders plan to use AI against us, it's important to remember that the AI that can, for example, create bioweapons, is the same AI that would provide our best defense against that threat. Additionally, the development of treatments for diseases, cures to toxins, and the advancement of our own cyber industry capabilities are equal outcomes of advancing AI technology and will be a prerequisite to combating malicious use of AI tools in the future.

Business leaders and organizations need to proactively monitor the implementation of regulations related to both the development and use of AI. It's also critical to focus on the ethical application of AI across the industries where it's prevalent and not just how models are advancing. For example, in the EU, there are restrictions on using AI tools for home underwriting to address concerns over inherent biases in datasets that could allow for inequitable decision-making. In other fields, "human in the loop" requirements are employed to create safeguards related to how AI analysis and decision-making are applied to job recruitment and hiring.

**No Way to Predict What Level of Computing Generates Unsafe AI**

As reported by Time, the aforementioned report — Gladstone's study — recommended that Congress should make it illegal "to train AI models using more than a certain level of computing power" and that the threshold "should be set by a federal AI agency." As an example, the report suggested that the agency could set the threshold "just above the levels of computing power used to train current cutting-edge models like OpenAI's GPT-4 and Google's Gemini."

However, while it is clear that the US needs to create a road map for how AI should be regulated, there is no way to predict what level of computing would be required to generate potentially unsafe AI models. Setting any computing limit to put a threshold on AI advancement would be both arbitrary and based on limited knowledge of the tech industry. 

More importantly, a drastic step to stifle change in the absence of evidence to support such a step is harmful. Industries shift and transform throughout time, and as AI continues to evolve, we are simply witnessing this transformation in real-time. That being the case, for now, Terminator's Sarah and John Connor can stand down. 

**About the Author(s)**

Senior Director of Content Strategy and Curriculum, Pluralsight

Aaron Rosenmund is a cybersecurity operations expert, with a background in federal and business defensive and offensive cyber operations and system automation. Leveraging his administration and automation experience, Aaron actively contributes to multiple open and closed source security operation platform projects and continues to create tools and content to benefit the community. As an educator and cybersecurity researcher at Pluralsight, he is focused on advancing cybersecurity workforce and technologies for business and national enterprises alike. In support of the Air National Guard, he contributes those skills part time in various initiatives to defend the nation in cyberspace.

Unfounded Fears: AI Extinction-Level Threats &amp; the AI Arms Race

Just because mainframes are old doesn't mean they're not in use. Mainframe Security Posture Management brings continuous monitoring and vigilance to the platform.

1touch.io has announced the launch of its mainframe security posture management (MSPM) product, which relies on contextual artificial intelligence (AI) to provide visibility and accuracy in data discovery and classification across mainframe environments.

With new technologies proliferating and attention focused on modern architectures, it's easy to forget that mainframes continue to run much of the world. They handle 68% of the world's production IT workloads and are used by 71% of Fortune 500 companies, according to 1touch.io. Use is particularly heavy in industries such as banking, insurance, healthcare, and the government, where organizations rely on mainframes for their reliability, security, and massive processing capabilities.

Even so, mainframe security — which includes data security, compliance, and governance — is particularly challenging when integrating mainframes into hybrid cloud environments. Keeping these challenges in mind, 1touch.io added comprehensive visibility across hybrid environment and fast database scanning.

1touch.io MSPM integrates with all mainframe data sources to continuously monitor and analyze sensitive data, which it integrates with other enterprise data — regardless of whether it is structured, unstructured, stored locally, or stored in the cloud — to provide a single, accurate record for each mainframe data asset.

MSPM supports various mainframe data sources, including Virtual Storage Access Method files and IBM Z's Db2. There are plans to extend to IBM Information Management System and flat files, the company said.

**About the Author(s)**

1Touch.io Integrates AI Into Mainframe Security

Responding to an incident quickly is important, but it shouldn't come at the expense of reporting it to the appropriate regulatory bodies.

Source: Nico El Nino via Alamy Stock Photo

When the Intercontinental Exchange (ICE) identified a breach in its virtual private network (VPN), the organization immediately launched investigation and remediation efforts. However, it was not until four days later that the company reported the breach to regulators, violating not only the Security and Exchange Commission's (SEC) compliance requirements but also the company's own internal cyber incident reporting procedures. This is according to the SEC in its May announcement of a $10 million fine. The question of why ICE delayed reporting the incident was never answered publicly.

The SEC stated: "The SEC's order finds that ICE personnel did not notify the legal and compliance officials at ICE's subsidiaries of the intrusion for several days in violation of ICE’s own internal cyber incident reporting procedures. As a result of ICE's failures, those subsidiaries did not properly assess the intrusion to fulfill their independent regulatory disclosure obligations under Regulation SCI (Regulation Systems Compliance and Integrity), which required them to immediately contact SEC staff about the intrusion and provide an update within 24 hours unless they immediately concluded or reasonably estimated that the intrusion had or would have no or a de minimis impact on their operations or on market participants."

Both ICE and the SEC declined to answer Dark Reading's inquiries, but there are some possible explanations. It is also a cautionary tale for other critical infrastructure organizations that consider bypassing compliance for quicker incident response.

A popular misconception is that enterprises have a cavalier attitude about compliance and think that it is easier to pay the fine and chance the consequences of bad press and lawsuits, rather than file the necessary compliance documents and deal with the outcome of suffering a breach.

"I've never been in a situation or a meeting where someone has seriously said, 'Well, we'll just pay the fine,'" says Fred Rica, a partner at certified public accounting firm BPM Associates. "I think most boards and management committees strive to do the right thing and abide by the rules and regulations that they're bound to."

The challenge remains that nontechnical board members often do not understand cybersecurity implications, while CISOs may struggle to explain threats in business terms. Rica emphasizes the need for boards to ask better questions and be more engaged with cybersecurity issues. 

"The first thing that has to change is, boards need to start asking better questions," he says, adding that the time where boards could pass off cyber threats to the technical team has passed.

"What was sufficient even three years ago probably is not sufficient anymore," Rica says.

In the case of ICE, the VPN attack turned out to have “de minimis impact on their operations or on market participants," the SEC said. While that alone does not change the need to report attacks against critical infrastructure within 24 hours, it could indicate that the company focused on fixing a problem as quickly as possible. Or it simply might mean that the company dropped the ball on what should have been a task that should have been done within 24 hours.

A company that doesn't report a data breach could face greater scrutiny of its cyber insurance policy. Companies with adequate security controls get better rates and terms on their cyber policies, while those with shortcomings face higher rates and less favorable terms, notes Bridget Quinn Choi, an attorney at Woodruff-Sawyer & Co.

In this case, she says, ICE was on top of the incident almost immediately.

"They had a criticality matrix. They had reporting controls, they were looking at the severity, and they fairly quickly went in and found the vulnerability. They found that there was a minor intrusion, and they remediated so quickly," she says. "It wasn't a big deal. So it was a pretty good result from an incident response perspective. The thing that was missing is that in their incident response plan, they had to report within 24 hours if there was a reasonable suspicion of an intrusion. They didn't do it."

Choi notes that while the response was fast, the company had procedural issues.

"Even the SEC came back and said this was de minimis. But it's their second violation," she says. (The company previously violated the SEC's Regulation SCI for failing to have appropriate backup and backup procedures.)

"I think that there's a common misconception that cyber is an infosec issue," she says.

Rather, cybersecurity is a business process that can have a wide-ranging effect on the company, its reputation, and revenue.

"The impact to the company can be wide-ranging," she says. There can be cascading costs, there's regulatory issues, \[and\] there's a plaintiff's bar that is hungry to get into this game. So it's not just doing things, right? It's doing things right."

**About the Author(s)**

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC. You can reach him at \[email protected\].

Source

DARKReading