The semiconductor manufacturing giant's security team describes how hardware hackathons, such as Hack@DAC, have helped chip security by finding and sharing hardware vulnerabilities.

Source: kawin ounprasertsuk via Alamy Stock Photo

Ever since the first Hack@DAC hacking competition in 2017, thousands of security engineers have helped discover hardware-based vulnerabilities, develop mitigation methods, and perform root cause analysis of issues found.

Intel initially decided to organize the competition, which draws security professionals from academia and industry partners around the world, to raise awareness about hardware-based vulnerabilities and to promote the need for more detection tools, says Arun Kanuparthi, a principal engineer and offensive security researcher at Intel. Another goal behind Hack@DAC, capture-the-flag competitions, and other hackathonsis to draw the attention of chip designers, to motivate them to design silicon more securely, he says.

"There is very little awareness of hardware security weaknesses in general," says Kanuparthi, who spoke about lessons Intel learned from years running Hack@DAC at the recent Black Hat Asia conference in Singapore. "And we thought, really, how can we get this awareness amongst the security research community?"

"If you look at software, there are lots of tools for security, with software or firmware, but when you look at hardware, there are really only a handful of EDA or electronic design automation tools," Kanuparthi says.

These kinds of events are effective for bringing people together to find vulnerabilities and share their knowledge. CTFs are established methods for teaching and learning new skills and best practices. Intel also believes it is important to give students "an experience of what it feels like to be a security researcher at a design company," says Kanuparthi.

Intel is now accepting entries for the 2024 Hack@DAC, which will take place in June in San Francisco.

**Tackling Hard Problems**

When Intel first organized Hack@DAC, there was no standard design or open-source platform for discovering or sharing information on hardware vulnerabilities, says Hareesh Khattri, a principal engineer for offensive security research at Intel. That has changed with Intel’s collaboration with Texas A&M University and Technical University of Darmstadt in Germany. The professors and students took open-source projects and inserted existing hardware vulnerabilities to create a common framework for detecting them and new ones.

"And now a lot of hardware security research papers have also started citing this work," Khattri says.

In 2020, Intel joined other semiconductor manufacturers in aligning with MITRE’s Common Weakness Enumeration (CWE) team, which lists and classifies potential vulnerabilities in software, hardware and firmware to bring more focus to hardware.  It was an attempt to address a gap, since MITRE only maintained software weakness types, and CWE fell short of addressing root cause analyses of hardware vulnerabilities, Kanuparthi recalls.

"If a hardware issue was identified, \[the CWE\] would be tagged with some generic catch-all kind of \[alert that said\] there’s a problem or the system does not work as expected," Kanuparthi says. "But now there is a design view for hardware which you can root cause that this is specifically the problem. And that has largely been the output of some of the work that we have been doing that led to hack attack and the creation of the hybrid CWE."

As semiconductor manufacturers accelerate their focus on adding designs that can support new AI capabilities, security researchers are looking to identify weaknesses even closer to hardware design, Khattri adds. That has accelerated interest in new efforts like the Google-contributed OpenTitan Project, an open-source reference design and integration guidelines for securing root of trust RoT chips.

The efforts behind Hack@DAC and Intel’s work with MITRE on CWE have led to improved tooling, Khattri says. For example, hardware vulnerability assessment tool provider Cycuity (which uses OpenTitan as a benchmark for how its tool measures CWEs) claims its Radix can now identify 80% of known hardware weaknesses in the CWE database.

"We’ve seen a lot of progression in this space compared to when we started it," Khattri says. "Now, a lot of security research communities’ focus has gone towards trying to identify weaknesses that are closer to the hardware design."

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Intel Harnesses Hackathons to Tackle Hardware Vulnerabilities

You can't thinking about inclusion in the workplace without first understanding what kinds of exclusive behaviors prevent people from advancing in their careers.

Source: Jose Luis Stephens via Alamy

Most of us do not want to be excluded at work – especially if we are trying to innovate, collaborate, and make a meaningful impact in our role. Making connections with colleagues, ensuring you are invited to key meetings, and getting face time with important executives in the company are all essential elements to learning and growing in an organization. But systemic exclusion is a troubling reality for many in the cybersecurity industry.

Olivia Rose, at IANS Research faculty member and CISO/founder of Rose CISO Group, is a 17-year CISO and industry veteran. She has experienced exclusionary practices based on her gender throughout her career.

"I believe the interference is rooted in making assumptions about women," Rose says. "When I got married years ago and was in cybersecurity consulting, a leader told my manager to keep my workload light for a few months as I would surely be planning my wedding. I've not been invited to happy hours and to company trips as I have kids and who would watch them? Whether it's intentional or not, making assumptions about women and the various roles we play puts us into a box where it's just another hurdle we need to overcome to be regarded equally."

Women are five times more likely to report exclusion from direct managers and peers, according to Women in CyberSecurity's (WiCyS) "2023 State of Inclusion Benchmark in Cybersecurity Report." But exclusion is not just limited to gender. Individuals with disabilities and intersectional identities experience levels of workplace exclusion comparable to, or even exceeding, those related to gender, emphasizing the compounded impact of multiple differing identity traits.

**Microaggressions Are Subtle**

It’s not just about being left out of the room. Being on the receiving end of disrespectful behaviors, sexually inappropriate advances, and a lack of appreciation for skills and experience can also make it hard to advance in the workplace. These kinds of microaggressions are difficult to pin down, Rose says.

"I don't personally believe research can help much when it comes to understanding microaggressions and how they are the silent killer for women's careers," she says. "I speak from experience when I say that these microaggressions are so slight and menial that women can't go to HR to report them."

Rose recalls a corporate leader at one point in her career who would attempt to undermine her regularly during meetings by sharply blowing air out of his nostrils whenever she spoke.

"By itself, this doesn't mean anything," Rose says. "\[But\] add it to the multiple instances where I had seen this individual trying to cut me out of the picture, by sending emails 'forgetting' to copy me, and not providing requested information to my team, and the puzzle starts to come together. How do you even start to explain this, though, to your manager or HR?"

Rose advises managers she works with to take what employees say seriously and write down every instance of reported discrimination and exclusion to form a larger picture of a pattern of problematic behavior.

**Pressure in the Room Where It Happens**

Umaimah Khan, founder and CEO of identity security company Opal Security, says cybersecurity is more asymmetrical than other tech sectors, largely due to the emphasis on product development processes and sales-driven culture, which often targets executives. This high-risk and high-pressure environment amplifies biases and is resistant to change, says Khan, whose background is in academia and research labs before founding Opal.

Women are also pressured to be both business-savvy and technically adept in their roles, and assertiveness can be misconstrued as aggressiveness. This dichotomy can deter many from entering or remaining in the cybersecurity field, Khan says, noting that "they are not willing to go through pain and frustration and having to be second-guessed."

For her part, Khan strives to build a diverse team at Opal. But even under the best circumstances, she thinks resilience is an essential attribute for women to thrive. Women often need to prove themselves repeatedly and must develop a thick skin, she says.

"I think there is truth to having to be twice as good," Khan adds. "I found myself in my early days having to prove myself in those rooms. You have this feeling that \[you\] have to be right 100% of the time."

**Steps to Change and Improve Inclusion**

Exclusion is intricately intertwined with career issues, such as inadequate compensation and being passed over for promotions. Combating these issues requires communicating clearly with both peers and management, says Larci Robertson, a senior sales engineer at Obsidian Security. Document accomplishments and have metrics to demonstrate success, she suggests.

"Talk about pay with your peers," Robertson says. "Have a clear path to promotions and raises for people from management. Expectations and a pathway clearly communicated will take care of the, 'Why didn’t I get promoted over someone else?'"

Finally, find an internal mentor who can help shepherd you along the right path and get the kudos you deserve.

"It's very hard to learn and grow without an advocate," Robertson says.

**About the Author(s)**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Held Back: What Exclusion Looks Like in Cybersecurity

Though PAN originally described the attacks exploiting the vulnerability as being limited, they are increasingly growing in volume, with more exploits disclosed by outside parties.

Source: SOPA Images Limited via Alamy Stock Photo

Palo Alto Networks (PAN) is sharing updated remediation information regarding a max-critical vulnerability that is actively being exploited in the wild.

The vulnerability, tracked as CVE-2024-3400, has a CVSS vulnerability-severity score of 10 out of 10, and can allow an unauthenticated threat actor to execute arbitrary code with root privileges on the firewall device, according to the update.

Present in PAN-OS 10.2, 11.0, and 11.1, the flaw was originally disclosed on April 12 after being discovered by researchers at Volexity.

PAN said that the number of attacks exploiting this vulnerability continue to grow and that "proof of concepts for this vulnerability have been publicly disclosed by third parties."

The company is recommending that customers upgrade to a fixed version of PAN-OS, such as PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later PAN-OS versions, as this will fully protect their devices. PAN has also released additional hotfixes for other deployed maintenance releases.

PAN recommends that in order to mitigate the issue fully, customers should take actions based on suspected activity. For instance, if there has been probing or testing activity, users should update to the latest PAN-OS hotfix, and secure running-configs, create a master key and elect AES-256-GCM. This is defined as there being either no indication of a compromise, or evidence that the vulnerability being tested for on the device (i.e., a 0-byte file has been created and is resident on the firewall, but there's no indication of any known unauthorized command execution).

"PAN-OS hotfixes sufficiently fix the vulnerability," according to the update. "Private data reset or factory reset is not suggested as there is no indication of any known unauthorized command execution or exfiltration of files."

However, if a file on the device has been copied to a location accessible via a Web request (in most cases, the file being copied is running\_config.xml, according to PAN), users should perform a private data reset, which eliminates risks of potential misuse of device data. And if there's evidence of interactive command execution (i.e., the presence of shell-based back doors, introduction of code, pulling files, running commands), PAN suggested doing a full factory reset.

Palo Alto Updates Remediation for Max-Critical Firewall Bug

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: security license mandates; a move to four-day remediation requirements; lessons on OWASP for LLMs.

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In this issue of CISO Corner:**

*   Kindervag Says: 5 Hard Truths About the State of Cloud Security 2024
    
*   MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs
    
*   Lessons for CISOs From OWASP's LLM Top 10
    
*   Cyberattack Gold: SBOMs Offer an Easy Census of Vulnerable Software
    
*   Global: Licensed to Bill? Nations Mandate Certification & Licensure of Cybersecurity Pros
    
*   Johnson & Johnson Spin-Off CISO on Maximizing Cybersecurity
    
*   SolarWinds 2024: Where Do Cyber Disclosures Go From Here?
    

**5 Hard Truths About the State of Cloud Security 2024**

By Ericka Chickowski, Contributing Writer, Dark Reading

Dark Reading talks cloud security with John Kindervag, the godfather of zero trust.

Most organizations aren't working with fully mature cloud security practices, despite almost half of the breaches originating in the cloud and almost $4.1 million lost to cloud breaches in the past year.

That's a big problem, according to the godfather of zero trust security, John Kindervag, who conceptualized and popularized the zero-trust security model as an analyst at Forrester. He tells Dark Reading that there are some hard truths to face in order to turn things around.

1\. You don't become more secure just by going to the cloud: The cloud is not innately more secure than most on-premises environments: hyperscale cloud providers may be very good at protecting infrastructure, but the control and responsibility they have over their customers' security posture is very limited. And the shared responsibility model doesn't really work.

2\. Native security controls are hard to manage in a hybrid world: Quality is inconsistent when it comes to offering customers more control over their workloads, identities, and visibility, but security controls that can be managed across all the multiple clouds are elusive.

3\. Identity won't save your cloud: With so much emphasis placed on cloud identity management and disproportionate attention on the identity component in zero trust, it's important for organizations to understand that identity is only part of a well-balanced breakfast for zero trust in the cloud.

4\. Too many firms don't know what they're trying to protect: Each asset or system or process will carry its own unique risk, but organizations lack a clear idea of what is in the cloud or what connects to the cloud, let alone what needs protecting.

5\. Cloud-native development incentives are out of whack: Too many organizations simply do not have the right incentive structures for developers to bake in security as they go — and, in fact, many have perverse incentives that end up encouraging insecure practice. "I like to say that the DevOps app people are the Ricky Bobbys of IT. They just want to go fast," Kindervag says.

Read more: 5 Hard Truths About the State of Cloud Security 2024

Related: Zero Trust Takes Over: 63% of Orgs Implementing Globally

**MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs**

By Nate Nelson, Contributing Writer, Dark Reading

The irony is lost on few, as a nation-state threat actor used eight MITRE techniques to breach MITRE itself — including exploiting the Ivanti bugs that attackers have been swarming on for months.

Foreign nation-state hackers have used vulnerable Ivanti edge devices to gain three months' worth of "deep" access to one of MITRE Corp.'s unclassified networks.

MITRE, steward of the ubiquitous ATT&CK glossary of commonly known cyberattack techniques, previously went 15 years without a major incident. The streak snapped in January when, like so many other organizations, its Ivanti gateway devices were exploited.

The breach affected the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified, collaborative network the organization uses for research, development, and prototyping. The extent of the NERVE damage (pun intended) is currently being assessed.

Whatever their goals were, the hackers had ample time to carry them out. Though the compromise occurred in January, MITRE was only able to detect it in April, leaving a quarter-year gap in between.

Read more: MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs

Related: Top MITRE ATT&CK Techniques & How to Defend Against Them

**Lessons for CISOs From OWASP's LLM Top 10**

Commentary by Kevin Bocek, Chief Innovation Officer, Venafi

It's time to start regulating LLMs to ensure they're accurately trained and ready to handle business deals that could affect the bottom line.

OWASP recently released its top 10 list for large language model (LLM) applications, so developers, designers, architects, and managers now have 10 areas to clearly focus on when it comes to security concerns.

Almost all of the top 10 LLM threats center around a compromise of authentication for the identities used in the models. The different attack methods run the gamut, affecting not only the identities of model inputs but also the identities of the models themselves, as well as their outputs and actions. This has a knock-on effect and calls for authentication in the code-signing and creating processes to halt the vulnerability at the source.

While more than half of the top 10 risks are ones that are essentially mitigated and calling for the kill switch for AI, companies will need to evaluate their options when deploying new LLMs. If the right tools are in place to authenticate the inputs and models, as well as the models' actions, companies will be better equipped to leverage the AI kill-switch idea and prevent further destruction.

Read more: Lessons for CISOs From OWASP's LLM Top 10

Related: Bugcrowd Announces Vulnerability Ratings for LLMs

**Cyberattack Gold: SBOMs Offer an Easy Census of Vulnerable Software**

By Rob Lemos, Contributing Writer, Dark Reading

Attackers will likely use software bills-of-material (SBOMs) for searching for software potentially vulnerable to specific software flaws.

Government and security-sensitive companies are increasingly requiring software makers to provide them with software bills of material (SBOMs) to address supply-chain risk — but this is creating a new category of worry.

In a nutshell: An attacker who determines what software a targeted company is running, can retrieve the associated SBOM and analyze the application's components for weaknesses, all without sending a single packet, says Larry Pesce, a director for product security research and analysis at software supply-chain security firm Finite State.

He's a former penetration tester of 20 years who plans to warn about the risk in a presentation on "Evil SBOMs" at the RSA Conference in May. He will show that SBOMs have enough information to allow attackers to search for specific CVEs in a database of SBOMs and find an application that is likely vulnerable. Even better for attackers, SBOMs will also list other components and utilities on the device that the attacker could use for "living off the land" post-compromise, he says.

Read more: Cyberattack Gold: SBOMs Offer an Easy Census of Vulnerable Software

Related: Southern Company Builds SBOM for Electric Power Substation

**Global: Licensed to Bill? Nations Mandate Certification & Licensure of Cybersecurity Pros**

By Robert Lemos, Contributing Writer, Dark Reading

Malaysia, Singapore, and Ghana are among the first countries to pass laws that require cybersecurity firms — and in some cases, individual consultants — to obtain licenses to do business, but concerns remain.

Malaysia has joined at least two other nations — Singapore and Ghana — in passing laws that require cybersecurity professionals or their firms to be certified and licensed to provide some cybersecurity services in their country.

While the legislation's mandates have yet to be determined, "this will likely apply to service providers that provide services to safeguard information and communications technology device of another person — \[for example\] penetration testing providers and security operation centers," according to Malaysia-based law firm Christopher & Lee Ong.

Asia-Pacific neighbor Singapore has already required the licensing of cybersecurity service providers (CSPs) for the past two years, and the West African nation of Ghana, which requires the licensing and the accreditation of cybersecurity professionals. More widely, governments such as the European Union have normalized cybersecurity certifications, while other agencies — such as the US state of New York — require certification and licenses for cybersecurity capabilities in specific industries.

However, some experts see potentially dangerous consequences from these moves.

Read more: Licensed to Bill? Nations Mandate Certification & Licensure of Cybersecurity Pros

Related: Singapore Sets High Bar in Cybersecurity Preparedness

**J&J Spin-Off CISO on Maximizing Cybersecurity**

By Karen D. Schwartz, Contributing Writer, Dark Reading

How the CISO of Kenvue, a consumer healthcare company spun out from Johnson & Johnson, combined tools and new ideas to build out the security program.

Johnson & Johnson's Mike Wagner helped shape the Fortune 100 company's security approach and security stack; now, he's the first CISO of J&J's year-old consumer healthcare spinoff, Kenvue, tasked with creating a streamlined and cost-effective architecture with maximum security.

This article breaks down the steps that Wagner and his team worked through, which include:

Define key roles: Architects and engineers to implement tools; identity and access management (IAM) experts to enable secure authentication; risk management leaders to align security with business priorities; security operations staff for incident response; and dedicated staff for each cyber function.

Embed machine learning and AI: Tasks include automating IAM; streamlining supplier vetting; behavioral analysis; and improving threat detection.

Choose which tools and processes to retain, and which to replace: While J&J's cybersecurity architecture is a patchwork of systems created by decades of acquisitions; tasks here included inventorying J&J's tools; mapping them to Kenvue's operating model; and identifying new needed capabilities.

Wagner says there is more to do. Next, he plans to lean into modern security strategies, including adoption of zero trust and enhancement of technical controls.

Read more: J&J Spin-Off CISO on Maximizing Cybersecurity

Related: A Peek into Visa's AI Tools Against Fraud

**SolarWinds 2024: Where Do Cyber Disclosures Go From Here?**

Commentary by Tom Tovar, CEO & Co-Creator, Appdome

Get updated advice on how, when, and where we should disclose cybersecurity incidents under the SEC's four-day rule after SolarWinds, and join the call to revamp the rule to remediate first.

In a post-SolarWinds world, we should move to a remediation safe harbor for cybersecurity risks and incidents. Specifically, if any company remediates the deficiencies or attack within the four-day time frame, it should be able to (a) avoid a fraud claim (i.e., nothing to talk about) or (b) use the standard 10Q and 10K process, including the Management Discussion and Analysis section, to disclose the incident.

On Oct. 30, the SEC filed a fraud complaint against SolarWinds and its chief information security officer, alleging that even though SolarWinds employees and executives knew about the increasing risks, vulnerabilities, and attacks against SolarWinds' products over time, "SolarWinds' cybersecurity risk disclosures did not disclose them in any way."

To help prevent liability issues in these situations, a remediation safe harbor would allow companies a full four-day time frame to evaluate and respond to an incident. Then, if remediated, take the time to disclose the incident properly. The result is more emphasis on cyber response and less impact to a company’s public stock. 8Ks could still be used for unresolved cybersecurity incidents.

Read more: SolarWinds 2024: Where Do Cyber Disclosures Go From Here?

Related: What SolarWinds Means for DevSecOps

CISO Corner: Evil SBOMs; Zero-Trust Pioneer Slams Cloud Security; MITRE's Ivanti Issue

Attackers will likely use software bills-of-material (SBOMs) for searching for software potentially vulnerable to specific software flaws.

Source: ArtemisDiana via Shutterstock

Government and security-sensitive companies are increasingly requiring software makers to provide them with software bills-of-material (SBOMs), but in attackers' hands, the list of components making up an application could provide a blueprint for exploiting the code.

An attacker who determines what software a targeted company is running, can retrieve the associated SBOM, and analyze the application's components for weaknesses, all without sending a single packet, says Larry Pesce, a director for product security research and analysis at software supply-chain security firm Finite State.

Today, attackers will often have to do technical analysis, reverse engineer source code, and look to see if specific known-vulnerable components exist in an exposed software application in order to find vulnerable code. Yet, if the targeted company maintains SBOMs that are publicly accessible, then a lot of that information is already available, says Pesce, a former penetration tester of 20 years who plans to warn about the risk in a  
presentation on "Evil SBOMs" at the RSA Conference in May.

"As an adversary, you're having to do a lot of that work upfront, but if companies are required to provide SBOMs, either publicly or to customers, and that ... leaks out into other repositories, you don't have to do any work, it's already been done for you," he says. "So it's kind of like — but not exactly — pressing the Easy button."

SBOMs are quickly proliferating, with more than half of companies currently requiring that any application be accompanied by a list of components — a number that will reach 60% by next year, according to Gartner. Efforts to make SBOMs a standard practice see transparency and visibility as the first steps to help the software industry better secure their products. The concept has even spread to the critical infrastructure sector, where energy giant Southern Company embarked on a project to  
create a bill of materials for all the hardware, software, and firmware in one of its substations in Mississippi.

**Using SBOMs for Evil Cyberattack Purposes**

Producing a detailed list of software components in an application can have offensive implications, Pesce argues. In his presentation, he will show that SBOMs have enough information to allow attackers to search for specific CVEs in a database of SBOMs and find an application that is likely vulnerable. Even better for attackers, SBOMs will also list other components and utilities on the device that the attacker could use for "living off the land" post-compromise, he says.

"Once I've compromised a device ... an SBOM can tell me what the device manufacturer left behind on that device that I could potentially use as tools to start probing other networks," he says.

The minimum baseline for SBOM data fields include the supplier, the component name and version, dependency relationships, and a timestamp of when the information was last updated,  
according to the US Department of Commerce guidelines.

In fact, a comprehensive database of SBOMs could be used in a manner similar to the Shodan census of the Internet: Defenders could use it to see their exposure, but attackers could use it to determine what applications might be vulnerable to a particular vulnerability, Pesce says.

"That would be a really cool project, and honestly, I think we're probably going to something see like that — whether it is a company that does a giant database or it is something that the government mandates," he says.

**Red Team Early & Often**

When Pesce mentioned the talk to one SBOM advocate, they argued that his conclusions would make the struggle to get companies to adopt SBOMs more difficult. Yet, Pesce argues that those concerns miss the point. Instead, application-security teams should take to heart the adage that, "Red informs Blue."

"If you're an organization that is consuming or generating SBOMs, know that there are going to be people like me — or worse — that are going use SBOMs for evil," he says. "So use them for evil yourself: Bring them in as part of your overall vulnerability management program; bring them in as part of your pen test program; bring them in as part of your secure development lifecycle — bring them in as part of all of your internal security programs."

While software-makers could argue that SBOMs should only be shared with customers, limiting SBOMs will likely be a Herculean task. SBOMs will likely leak to the public, and the widespread availability of tools to generate SBOMs from binaries and from source code will make limiting their publication a moot point.

"After being in this industry long enough, we know that when something is private, it will eventually become public," he says. "So there will always be someone that leaks the information \[or\] someone will spend money on a commercial tool to go generate SBOMs on their own."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Cyberattack Gold: SBOMs Offer an Easy Census of Vulnerable Software

Understand what security measures you have in place, what you need to keep secure, and what rules you have to show compliance with.

Source: Emre Akkoyun via Alamy Stock Photo

In the IT security space, we have to care about everything. Any issue, no matter how small, can become the vehicle for remote code execution or, at the very least, a landing point for threat actors to live off the land and turn our own tools against us. It's not surprising that IT security staff face burnout and stress. According to research by Enterprise Strategy Group and ISSA, around half of IT security professionals think they will leave their current job in the next 12 months.

Security teams are professionally responsible — and now, for chief information security officers (CISOs), personally liable — for the security of their organizations. Yet in other areas of IT and technology, there is a completely different mindset. From Mark Zuckerberg's mantra of "move fast and break things" through to Eric Ries' Lean Startup and the minimum viable product (MVP) model, the thought in these areas is to move quickly but also to deliver just enough so the organization can move forward and improve.

Now, IT security teams can't embrace this model. There are too many regulations to consider. But what can we learn from a mental exercise around minimum viable compliance (MVC), and how can we use that information to help us in our approach?

**What Would MVC Involve?**

MVC involves covering off what's needed in order to be effectively secure. To achieve this, you have to understand what you have in place and what is critical to keep secure, and what rules or regulations you have to demonstrate that you are compliant with.

For asset management, ideally you have to know all of the assets that you have installed. Without that level of oversight, how can you call yourself secure? For a MVC approach, would you need 100% insight into what you have?

In reality, asset management projects like configuration management databases (CMDBs) aim to provide full visibility into IT assets, but they are never 100% accurate. In the past, asset accuracy hovered around the 70% to 80% mark, and even the best deployments today are not able to achieve full visibility and keep it there. So, should we spend our MVC budget on this area? Yes, but not quite in the way that we might traditionally think.

One deputy CISO told me that he understands the ideal of full coverage, but that it was not possible; instead, he cares about full and continuous visibility for the organization's critical infrastructure — about 2.5% of the total assets — while the other workloads were tracked as frequently as possible. So, while visibility is still a necessary element for IT security programs, the effort should go into protecting the highest-risk assets first. However, this is a short-term goal, as you are only a single vulnerability disclosure away from a low-risk asset becoming a high risk one. While going through this process, do not mix up compliance with security — they are not the same thing. A compliant business may not be a secure one.

**Regulation Planning**

As part of MVC, we have to think about regulations and how to comply with them. The challenge for security teams is how to think ahead around these rules. The typical approach is to get the legislation in, then see where it applies to our applications, and then make changes to the systems as needed. However, this can be a very stop-start approach that involves change — and therefore expense — each and every time a new regulation is brought in or a significant change takes place.

How can we make this process easier for our teams? Rather than looking at each regulation separately, can we look at what is common to the applicable regulations, and then use that to reduce the amount of work required in compliance with them all? Rather than putting the team through huge exercises to bring systems into compliance, what can we either take out of scope or use as a service to provide the infrastructure in a secure way instead? Similarly, can we use common best practices like cloud controls to remove whole sets of problems, rather than looking at each issue individually?

At the heart of this approach, we have to reduce the overhead around security and concentrate on what represents the biggest risks to our businesses. Rather than thinking about specific technologies, we can examine these problems as processes and people issues, because regulations will always evolve and change as the market goes on. Taking this mindset makes security planning easier, because it does not get bogged down in some of the details that can plague our teams when processes have been built to look at CVEs and threat data rather than in practical risk terms around what is really an issue.

The idea of doing the minimum required to meet market demands or pass a set of rules might be appealing at face value. But the mindset of MVP is not just about getting to a specific level and then settling there. Instead, it is about getting to that minimum standard and then iterating as fast as possible to improve the situation further. For security teams, this mindset of continuous improvement and looking out for ways to reduce risk can be a useful alternative to the traditional IT security model. By focusing on what improvements would have the most risk impact in the shortest timeframe, you can increase your effectiveness and reduce risk in general.

**About the Author(s)**

Managing Director for EMEA North, Qualys

Matt Middleton-Leal is Managing Director for EMEA North at Qualys, a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions designed to streamline and consolidate customer’s security and compliance solutions in a single platform. Qualys helps organizations build security into digital transformation initiatives for greater agility, better business outcomes, and substantial cost savings. Matt has over 20 years' experience in the cybersecurity industry with a deep understanding of both customers' and suppliers' needs. Matt is also a Certified Information Systems Security Professional (CISSP®).

Minimum Viable Compliance: What You Should Care About and Why

The targeted operation utilized CVE-2017-8570 as the initial vector and employed a notable custom loader for Cobalt Strike, yet attribution to any known threat actor remains elusive.

Source: Yuriy Tuchkov via Alamy Stock Photo

An unknown threat actor targeted government entities in Ukraine toward the end of 2023 using an old Microsoft Office remote code execution (RCE) exploit from 2017 (CVE-2017-8570) as the initial vector and military vehicles as the lure.

The threat actor initiated the attack using a malicious PowerPoint file (.PPSX) sent as an attachment through a message on secure messaging platform Signal. This file, which masqueraded as an old instruction manual by the US Army for mine-clearing blades for tanks, had in fact a remote relationship to an external script hosted on a Russian virtual private server (VPS) provider domain protected by Cloudflare.

The script executed the CVE-2017-8570 exploit to achieve RCE, according to a Deep Instinct blog post on the attack this week, in an effort to steal information.

**Underneath the Hood of a Tricky Cyberattack**

In terms of the technical nitty-gritty, the obfuscated script masqueraded as Cisco AnyConnect APN configuration and was responsible for setting persistency, decoding, and saving the embedded payload to disk, which happened in several stages to evade detection.

The payload includes a loader/packer dynamic link library (DLL) named "vpn.sessings" that loads a Cobalt Strike Beacon into memory and awaits instructions from the command-and-control (C2)  server of the attacker.

Mark Vaitzman, threat lab team leader at Deep Instinct, notes that the penetration testing tool Cobalt Strike is very commonly used among threat actors, but this particular beacon makes use of a custom loader that relies on several techniques that slow down analysis.

"It is continuously updated to provide attackers with a simple way to move laterally once the initial footprint is set," he says. "\[And\] it was implemented in several anti-analysis and unique evasion techniques."

Vaitzman notes that in 2022, a severe CVE allowing RCE was found in Cobalt Strike — and many researchers predicted that threat actors would alter the tool to create open source alternatives.

"Several cracked versions can be found on underground hacking forums," he says.

Beyond the tweaked version of Cobalt Strike, he says, the campaign is also notable for the lengths to which the threat actors continuously attempt to masquerade their files and activity as a legitimate, routine OS and common applications operations, to remain hidden and maintain the control of infected machines as long as possible. In this campaign, he says, the attackers took this "living off the land" strategy further.

"This attack campaign shows several masquerading techniques and a smart way of persistence that has not been documented yet," he explains, without divulging details.

**Cyberthreat Group Has Unknown Make & Model**

Ukraine has been targeted by multiple threat actors on multiple occasions during its war with Russia, with the Sandworm Group serving as the aggressor's primary cyberattack unit.

But unlike in most attack campaigns during the war, the threat lab team couldn’t link this effort to any known threat group, which may indicate that this is the work of a new group or representative of a fully upgraded tool set of a known threat actor.

Mayuresh Dani, manager of security research at Qualys Threat Research Unit, points out the use of geographically disparate sources to help the threat actors dispel attribution also make it difficult for security teams to provide targeted protection based on geographical locations.

"The sample was uploaded from Ukraine, the second stage was hosted and registered under a Russian VPS provider, and the Cobalt beacon \[C2\] was registered in Warsaw, Poland," he explains.

He says that what he found most interesting about the chain of attack was that the initial compromise was accomplished via the secure Signal app.

"The Signal messenger has been largely used by security-focused personnel or those who are involved in sharing clandestine information, such as journalists," he notes.

**Beef Up Cyber Armor With Security Awareness, Patch Management**

Vaitzman says that because most of cyberattacks start with phishing or link-luring via emails or messages, broader employee cyber awareness plays an important role in mitigating such attack attempts.

And for security teams, "We also recommend scanning for the provided IoCs in the network, as well as making sure that Office is patched to the latest version," Vaitzman says.

Callie Guenther, senior manager of cyber threat research at Critical Start, says that from a defense perspective, the reliance on older exploits also stresses the importance of robust patch management systems.

"Additionally, the sophistication of the attack underscores the need for advanced detection mechanisms that go beyond signature-based cyber-defense approaches," she says, "incorporating behavior and anomaly detection to identify modified malicious software."

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Military Tank Manual, 2017 Zero-Day Anchor Latest Ukraine Cyberattack

The payment card industry pushes for more security in financial transactions to help combat increasing fraud in the region.

Source: Brian Jackson via Alamy Stock Photo

The Payment Card Industry (PCI) Security Standards Council plans to extend its role to the Middle East, as the volume of card-based payments continues to climb in the region and, along with it, payment-card fraud.

In April, the PCI SSC assigned a regional director to the Middle East to work with regulators, banking and financial institutions, and service providers on initiatives to improve the security of card transactions. The move comes as the volume of global card fraud is expected to hit $36 billion in 2024, up from $28 billion in 2020, although the share of fraud compared to transaction volume will shrink slightly, to 6.5 cents per $100, according to the annual "Nilson Report" released in December.

The PCI SSC plans to work closely with any organization that handles payments within the Middle East payment ecosystem, with a focus on security, says Nitin Bhatnagar, PCI Security Standards Council regional director for India and South Asia, who will now also oversee efforts in the Middle East.

"Cyberattacks and data breaches on payment infrastructure are a global problem," he says. "Threats such as malware, ransomware, and phishing attempts continue to increase the risk of security breaches. Overall, there is a need for a mindset change."

The push comes as the payment industry itself faces significant changes, with alternatives to traditional payment cards taking off, and as financial fraud has grown in the Middle East. 

Through 2027, the payments industry will likely grow at an annual rate of 6.2% — a healthy pace, albeit lower than the 8.3% growth rate of the past five years, according to a September 2023 report published by the Boston Consulting Group. While card-based financial transactions continue to dominate, accounting for more than $30 trillion in point-of-sale and e-commerce transactions in 2023, alternate payment methods are taking off, totaling more than $11 trillion in 2023 and growing at twice the rate of card-based payments, according to BCG's Global Payments Model.

Currently, there are more than 5,000 fintechs globally that account for $100 billion in revenue, a number set to grow to $520 billion by 2030, according to BCG.

**Digital Wallets, Not Plastic Cards**

The Middle East is one region where the changes are most pronounced. Middle East consumers prefer digital wallets to cards, 60% to 27%, as their most preferred method of payment, while consumers in the Asia-Pacific region slightly prefer cards, 43% to 38%, according to an August 2021 report by consultancy McKinsey & Company.

Cybercriminals follow these shifts as well, and that worries businesses in the region. Seven out of every 10 businesses executives in the United Arab Emirates, for example, believe financial crimes risks will worsen in the next 12 months, essentially the same as US executives, according to the "2023 Fraud and Financial Crime Report" published by consultancy Kroll.

The PCI Security Standards Council plans to adapt to the digital landscape, and in November 2022 introduced a mobile payments standard, PCI Mobile Payments on COTS (MPoC), which provides a standard for development of mobile-app-based payments.

"Emerging technologies and innovation are reshaping our industry, along with the rise in popularity of mobile payments and contactless transactions," Bhatnagar says. "Organizations need to become aware of security risks and take them seriously, because the criminals take it seriously — their sole objective is to break into an organization and steal data and monetize it."

**Cybersecurity Education & Technology**

Preventing payments fraud has become a priority in the Middle East and Africa (MEA) region, as efforts to improve financial inclusion have led to more mobile payment and digital bank accounts.

The open source Tazama Project, for example, is building an antifraud platform for banks and governments to allow them to use data on account holders and transactions to detect likely fraud. Meanwhile, Network International, a digital commerce platform in the Middle East and Africa, adopted Mastercard's AI-powered fraud-prevention solution to reduce fraud in digital transactions.

"Organizations should start prioritizing data security as an important element in their day-to-day business activities," Bhatnagar says. "Investing in cybersecurity is equally important. Getting employees trained and improving on cyber hygiene will help organizations take steps in the right direction."

Technologies like generative AI could both help and hurt payment security. While cybercriminals are increasingly using the technology to part consumers from their cash, businesses are able to use the technology to catch more fraud schemes. Currently, two-thirds of executives (64%) plan to invest in antifraud technology and more than half (56%) plan to increase their cybersecurity budget to deal with the risk, according to consultancy Kroll.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

PCI Launches Payment Card Cybersecurity Effort in the Middle East

Eight out of nine apps that people use to input Chinese characters into mobile devices have weakness that allow a passive eavesdropper to collect keystroke data.

Source: badboydt7 via Shutterstock

Nearly all keyboard apps that allow users to enter Chinese characters into their Android, iOS, or other mobile devices are vulnerable to attacks that allow an adversary to capture the entirety of their keystrokes.

This includes data such as login credentials, financial information, and messages that would otherwise be end-to-end encrypted, a new study by Toronto University's Citizen Lab has uncovered.

**Ubiquitous Problem**

For the study, researchers at the lab considered cloud-based Pinyin apps (which render Chinese characters into words spelled with roman letters) from nine vendors selling to users in China: Baidu, Samsung, Huawei, Tencent, Xiaomi, Vivo, OPPO, iFlytek, and Honor. Their investigation showed all but the app from Huawei to be transmitting keystroke data to the cloud in a manner that enabled a passive eavesdropper to read the contents in clear text and with little difficulty. Citizen Lab researchers, who have earned a reputation over the years for exposing multiple cyber espionage, surveillance, and other threats targeted at mobile users and civil society, said each of them contain at least one exploitable vulnerability in how they handle transmissions of user keystrokes to the cloud.

The scope of vulnerabilities should not be underestimated, Citizen Lab researchers Jeffrey Knockel, Mona Wang and Zoe Reichert wrote in a report summarizing their findings this week: The researchers from Citizen Lab found that 76% of keyboard app users in mainland China, in fact, use a Pinyin keyboard to input Chinese characters.

"All of the vulnerabilities that we covered in this report can be exploited entirely passively without sending any additional network traffic," the researchers said. And to boot, the vulnerabilities were easy to discover and do not require any technological sophistication to exploit, they noted.  "As such, we might wonder, are these vulnerabilities actively under mass exploitation?"

Each of the vulnerable Pinyin keyboard apps that Citizen Lab examined had both a local, on-device component and a cloud-based prediction service for handling long strings of syllables and particularly complex characters. Of the nine apps they looked at, three were from mobile software developers — Tencent, Baidu, and iFlytek. The remaining five were apps that Samsung, Xiaomi, OPPO, Vivo, and Honor — all mobile device manufacturers — had either developed on their own or had integrated into their devices from a third-party developer.

**Exploitable via Active & Passive Methods**

Methods of exploitation differ for each app. Tencent's QQ Pinyin app for Android and Windows for instance had a vulnerability that allowed the researchers to create a working exploit for decrypting keystrokes via active eavesdropping methods. Baidu's IME for Windows contained a similar vulnerability, for which Citizen Lab created a working exploit for decrypting keystroke data via both active and passive eavesdropping methods.

The researchers found other encrypted related privacy and security weaknesses in the Baidu's iOS and Android versions but did not develop exploits for them. iFlytek's app for Android had a vulnerability that allowed a passive eavesdropper to recover in plaintext keyboard transmissions because of insufficient mobile encryption.

On the hardware vendor side, Samsung's homegrown keyboard app offered no encryption at all and instead sent keystroke transmissions in the clear. Samsung also offers users the option of either using Tencent's Sogou app or an app from Baidu on their devices. Of the two apps, Citizen Lab identified Baidu's keyboard app as being vulnerable to attack.

The researchers were unable to identify any issue with Vivo's internally developed Pinyin keyboard app but had a working exploit for a vulnerability they discovered in a Tencent app that is also available on Vivo's devices.

The third-party Pinyin apps (from Baidu, Tencent, and iFlytek) that are available with devices from the other mobile device makers all had exploitable vulnerabilities as well.

These are not uncommon issues, it turns out. Last year, Citizen Labs had conducted a separate investigation in Tencent's Sogou — used by some 450 million people in China — and found vulnerabilities that exposed keystrokes to eavesdropping attacks.

"Combining the vulnerabilities discovered in this and our previous report analyzing Sogou's keyboard apps, we estimate that up to one billion users are affected by these vulnerabilities," Citizen Lab said.

The vulnerabilities could enable mass surveillance of Chinese mobile device users — including by signals intelligence services belonging to the so-called Five Eyes nations — US, UK, Canada, Australia, and New Zealand — Citizen Lab said; the vulnerabilities in the keyboard apps that Citizen Lab discovered in its new research are very similar to vulnerabilities in the China-developed UC browser that intelligence agencies from these countries exploited for surveillance purposes, the report noted.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Chinese Keyboard Apps Open 1B People to Eavesdropping

The refunds will be made to individual affected customers through thousands of PayPal payments, available to be redeemed for a limited time.

Source: Len Holsborg via Alamy Stock Photo

The Federal Trade Commission (FTC) is refunding over $5.6 million to Ring customers after a 2023 privacy settlement.

Last year the FTC filed complaints against Ring, the home security company owned by Amazon, after accusations arose that employees were spying on female customers in bedrooms and bathrooms. Not only this, but the company failed to notify and obtain consent from customers regarding use of security video footage for training purposes until 2018.

The FTC asserted that Ring had failed to restrict access to its videos, failed to gain user consent, and failed to implement security safeguards leading to "egregious violations of users' privacy."

The FTC will be making the refunds through 117,044 PayPal payments to customers, depending on the type of Ring device used during the period when unauthorized users could have accessed Ring video footage.

**About the Author(s)**

Source

DARKReading