PRESS RELEASE

SEATTLE – April 3, 2024 – A new survey from the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, and Google Cloud, found that a remarkable 55% of organizations surveyed plan to adopt GenAI solutions within the next year, signaling a substantial surge in GenAI integration. The State of AI and Security Survey Report indicates that the push behind AI’s adoption can be attributed in large part to C-level executives (82% of respondents indicated executive leadership as being behind the push), who recognize the competitive advantage it offers in the modern business environment.

The study also found that AI integration into cybersecurity is not just a concept but also a practical reality for many, with 67% of respondents stating that they have tested AI specifically for security purposes. As for the ability to leverage AI, 48% of professionals expressed confidence in their organization's ability to execute a strategy for leveraging AI in security, with 28% feeling reasonably confident and 20% very confident. Given the nascent stage of GenAI in this field, this level of assurance suggests that many professionals might be optimistic about their preparedness or overlook the intricacies of AI integration.

“The insights shared in this report into how industry experts view and prepare for AI's evolving role in cybersecurity are pivotal in navigating this transition and ensuring a resilient, forward-looking digital infrastructure,” said Hillary Baron, lead author and Senior Technical Director for Research, Cloud Security Alliance.

“AI is transforming cybersecurity, offering both exciting opportunities and complex challenges. However, the disconnect between the C-suite and staff in understanding and implementing AI highlights the need for a strategic, unified approach to successfully integrate this technology," said Caleb Sima, chair of CSA’s AI Safety Initiative.

“Once in a generation, we see a chance for profound cybersecurity transformation, not just incremental gains. With generative AI, we have the potential to turn the tables on attackers by 10x’ing the capabilities of defenders. While we need to counter attacker use of AI, it’s even more important to get going on integrating AI into cyber defenses today. The findings in the report resonate well with Google’s Secure AI Framework,” said Phil Venables, CISO, Google Cloud.

Among the survey’s other key findings:

*   Security professionals are cautiously optimistic about AI. 63% of respondents believe in AI's potential to enhance security measures, especially in improving threat detection and response capabilities. However, 34% see AI as more beneficial for security teams, while 31% view it as equally advantageous for both protectors and attackers, and a notable 25% of respondents expressed concerns that AI could be more advantageous to malicious parties.
    
*   AI will empower, not replace, security professionals. Only a small fraction (12%) of security professionals believe it will completely replace their role. The majority believe it will help enhance their skill set (30%), support their role generally (28%), or replace large parts of their role (24%), freeing them up for other tasks.
    
*   C-suite executives have different perspectives from their staff when it comes to AI. C-levels demonstrate a notably higher self-reported familiarity with AI technologies than their staff. Moreover, C-levels report having a clearer understanding of potential AI use cases, with 51% feeling very clear about them, compared to just 14% of staff.
    
*   2024 will be the year for AI Implementation. Over half (55%) of organizations are planning to implement security solutions and tools with GenAI and are exploring a diverse range of use cases for these technologies, with the top use cases being rule creation (21%), attack simulation (19%), and compliance violation detection (19%).
    

Google Cloud commissioned CSA to develop a survey and report to better understand the industry’s knowledge, attitudes, and opinions regarding AI. Google Cloud financed the project and co-developed the questionnaire with CSA research analysts. The survey was conducted online by CSA in November 2023 and received 2,486 responses from IT and security professionals from organizations of various sizes across the Americas, APAC and EMEA. CSA’s research analysts performed the data analysis for this report.

Download the State of AI and Security Survey Report.

About Cloud Security Alliance  
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

More Than Half of Organizations Plan to Adopt AI Solutions in Coming Year, Reports Cloud Security Alliance and Google Cloud

PRESS RELEASE

Austin, TX – April 3, 2024 – CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has completed an independent test of eleven market leading Cloud Network Firewall vendors. Six products were Recommended, one product received a Neutral rating, and four received a Caution rating.

Cloud network firewalls are considered to be the first line of defense when deployed in public cloud providers such as Amazon Web Services, Google Cloud Platform and Microsoft Azure. But implementing security in the cloud can be complex, with multiple factors influencing effectiveness. 

CyberRatings tested the cloud firewall products to determine how they handled TLS/SSL (authentication) 1.2 and 1.3 cipher suites (algorithms), how they defended against 984 exploits (attacks that take advantage of a software flaw or install malware), and whether any of 1,645 evasions could bypass protection. At all times the devices needed to remain stable under adverse conditions. To provide a more realistic rating based on modern network traffic, both clear text (HTTP) and encrypted traffic (HTTPS) were measured. Amazon Web Services (AWS) was the public cloud service chosen to run the test.

The combination of Security Effectiveness and Value dictated where products landed on the Security Value Map™ (SVM). Six out of the eleven products were Recommended for their Security Effectiveness with scores ranging from 99.70% to 100%. Recommended ratings are based on threat prevention (how many exploits and evasions were blocked?), TLS/SSL functionality, routing and policy enforcement, and stability and reliability to achieve a final Security Effectiveness score. These same products also demonstrated competitive pricing in the Total Cost per Protected Mbps (Value). The product rated Neutral received a 48.44% Security Effectiveness score. Four products rated Caution had Security Effectiveness scores ranging from 5.39% to 48.37%. 

“We have been testing firewalls for years, and more recently cloud network firewalls,” said Vikram Phatak, CEO of CyberRatings.org. “All of the products chosen were market leaders and the range of scores clearly shows that building a product for the cloud is different than building a product on an appliance where you control the environment,” said Phatak. “We recommend that enterprises check with their service providers or IT teams to see which cloud firewall products are currently deployed in their networks.”

As part of the cloud firewall test, CyberRatings also checked to see if products were secure by default. It was discovered that some firewall evasion defenses are not on by default, potentially leaving customers at significant risk. In response, CyberRatings is providing a policy and configuration guide to help enterprises ensure that their firewalls are configured properly.

Encryption matters: roughly 80% of web traffic is encrypted. The top four cipher suites account for over 95% of HTTPS traffic. In some products, decryption was not on by default. Firewalls will not see attacks delivered via HTTPS unless configured to do so. Performance is significantly different when TLS/SSL is turned on. With the exception of one vendor that failed to handle TLS 1.3 despite claiming support, all other vendors supported encryption. 

Enterprises should monitor security and performance capabilities, and update firewalls regularly. With the everchanging cloud platform and agile development, something can go wrong even when the security vendor does not make a change. 

The following products were evaluated:

Cloud Network Firewall

Rating

Security

Effectiveness

Rated Throughput

(Mbps)

Price per Protected Mbps

Amazon Web Services (AWS) Network Firewall

Caution

5.39%

1,000

$601.34

Barracuda CloudGen Firewall

Caution

11.38%

441

$287.86 

Check Point CloudGuard

Recommended

99.80%

1,180

$12.70 

Cisco Secure Firewall Threat Defense Virtual 

Caution

20.86%

373

$76.91 

Forcepoint NGFW

Recommended

99.80%

698

$8.45 

Fortinet FortiGate-VM

Recommended

100%

1,458

$10.56 

Juniper Networks vSRX

Recommended

99.70%

1,228

$5.72 

Palo Alto Networks VM-Series Next-Generation Firewall w/ Advanced Threat Prevention

Recommended

100%

1,036

$5.83 

Sophos Firewall

Caution

48.37%

135

$83.16 

Versa Networks NGFW

Recommended

99.90%

2,553

$7.58 

WatchGuard Firebox Cloud

Neutral

48.44%

291

$27.06 

Additional Resources:

Cloud Network Firewall Comparative Report and Test Reports

2024 Best Practices for Cloud Network Firewall Deployment

Exploring the Landscape of Cloud Network Firewalls Available on AWS

Why Firewalls Should be Secure by Default

About CyberRatings.org 

CyberRatings.org is a 501(c)6 non-profit organization dedicated to providing confidence in cybersecurity products and services through our research and testing programs. We provide enterprises with independent, objective ratings of security product efficacy to make informed decisions. To become a member, visit www.cyberratings.org and follow us on LinkedIn.

CyberRatings.org Announces Test Results for Cloud Network Firewall

PRESS RELEASE

MINNEAPOLIS, April 2, 2024 – Businesses are facing a critical gap when it comes to protecting endpoint data, according to a study released today by TAG Infosphere, Inc., a leading  cybersecurity research and advisory firm. The report, conducted in partnership with CrashPlan, identified the ever-growing potential for ransomware attacks, frequent misuse of cloud collaboration tools as a substitute for backup, and an over-reliance on manual policies as the break in the chain for current enterprise security configurations. 

For the study, TAG surveyed a group of CISOs and security practitioners, and the key findings were clear: The overwhelming majority (93%) of IT and cybersecurity teams aren’t confident in their policies to protect their enterprise data. Furthermore, survey respondents acknowledged the likelihood of a severe data breach through an employee’s endpoint.

“We were surprised to learn that a whopping 71% of those asked responded that they would not be surprised if they had a serious data breach on their PCs and laptops. If the question was extended to include that they might be surprised, the number grew to 86%,” said Dr. Edward Amoroso, Chief Executive Officer and founder of TAG Infosphere. “This is important because it implies that serious risk exists in this area. If that many CISOs would not be surprised if something bad happened, then that’s a problem.”

TAG introduces the MEAD framework (Malware, EDR, Analytics, and Data) for modernizing endpoint security. Central to MEAD is the adoption of endpoint backup solutions as a pivotal measure for enhancing cyber resilience. The report advocates for endpoint backup to reduce risks to data on endpoints, detailing how this strategy safeguards data against hardware malfunctions, user errors, and cyber threats. 

“New cybersecurity technologies are introduced every year, yet data breaches continue to happen,” said Todd Thorsen, Chief Information Security Officer for CrashPlan. “The reality is work habits have changed. Most companies now have a hybrid work model—and this has shined a light on just how ineffective manual policies are when it comes to protecting endpoint data. To improve resiliency, you simply can’t lose sight of the foundation. Despite new tools and technology designed to identify, detect and protect against bad actors and malicious activity, breaches will still happen. Which is why having strong data backup and resilience capabilities are critical for effective response and recovery.”

CrashPlan offers a cloud-native platform designed to address the aggregate risk associated with data stored on endpoints within organizations. It offers a comprehensive backup and data protection system that safeguards valuable business data from loss, theft, or accidental deletion. Businesses of all sizes, across all different business sectors, use CrashPlan today to ensure a more robust data protection and resilience approach.                                          

About CrashPlan  
CrashPlan® enables organizational resilience through secure, scalable, and straightforward endpoint data backup. With automatic backup and customizable file version retention, you can bounce back from any data calamity. What starts as endpoint backup and recovery becomes a solution for ransomware recovery, breaches, migrations, and legal holds. So, you can work fearlessly and grow confidently.

About Tag Infosphere

TAG is a trusted research and advisory company that provides insights and recommendations in cybersecurity, artificial intelligence, and climate science to thousands of commercial solution providers and Fortune 500 enterprises. Founded in 2016 and headquartered in New York City, TAG bucks the trend of pay-for-play research by offering unbiased and in-depth guidance, market analysis, project consulting, and personalized content—all from a practitioner perspective.

About Dr. Edward Amoroso

Dr. Ed Amoroso is currently Chief Executive Officer of TAG Infosphere Inc, a global research and advisory company that supports enterprise cyber security teams and commercial security vendors around the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016.

Ed has served as Research Professor at the Tandon School of Engineering at NYU since 2017. He has also been Adjunct Professor of Computer Science at the Stevens Institute of Technology for the past thirty years, where he has introduced nearly two thousand graduate students to the topic of information security. Ed also serves the Applied Physics Laboratory at Johns Hopkins University as a senior advisor. He is author of six books on cyber security and dozens of major research and technical papers and articles in peer-reviewed and major publications.

TAG Report Reveals Endpoint Backup Is Essential to Improving Data Resiliency

PRESS RELEASE

PALO ALTO, Calif., April 2, 2024/PRNewswire-PRWeb/ -- TruCentive, a leader in incentive automation solutions, announced a significant enhancement to its platform: HIPAA-compliant personal information de-identification (PII) capabilities. This new feature is designed to strengthen privacy protections and ensure the security of sensitive information, marking a significant step forward in TruCentive's commitment to data protection for researchers worldwide.

With the healthcare industry's increasing reliance on digital platforms, the need for stringent data protection measures has never been more critical. TruCentive's latest update addresses this need by providing a robust solution for de-identifying personally identifiable information, ensuring that all data processed through its platform meets the rigorous standards set by the Health Insurance Portability and Accountability Act (HIPAA).

"This enhancement is a testament to TruCentive's dedication to privacy, security, and compliance," said Lori Laub, CEO of TruCentive. "By integrating HIPAA-compliant de-identification, we're safeguarding participants' personal information and providing our clients with the peace of mind that comes from knowing their incentive programs are fully compliant with federal regulations."

The de-identification process removes all identifiers that could potentially link back to an individual, such as email addresses, names, dates, and compensation selections directly related to an individual. This allows TruCentive's clients to utilize the platform for research compensation while ensuring the anonymity and privacy of individuals' data.

"We are excited to expand Shaip's expertise in data privacy to the Incentive Automation marketplace," said Hardik Parikh, co-founder and CRO of Shaip. "This marks a milestone in blending technological innovation with strict compliance to protect sensitive information and build client trust."

TruCentive's HIPAA compliant personal information de-identification feature is immediately available to Enterprise platform users, reaffirming the company's position at the forefront of secure and compliant incentive automation solutions.

Please visit https://trucentive.com/research-compensation/ for more information about TruCentive and its new HIPAA compliant de-identification capabilities.

About TruCentive

TruCentive helps organizations engage with employees, partners, and customers in personalized, innovative ways. By seamlessly integrating the delivery of merchandise, gift cards, and payments, companies increase the effectiveness of their existing incentive programs and improve relationships. With thousands of merchandise options, 3,000+ gift cards worldwide, 85,000+ local merchant options, Visa, AmEx, and MasterCard cards, payment options including Deposit-to-Debit-Card, PayPal, and Venmo, and integrations with popular marketing, sales, and HR tools, TruCentive is essential to successful HR, demand generation, account-based, and customer appreciation and incentive programs.

About Shaip

Headquartered in Louisville, Kentucky, Shaip is a fully managed data platform designed for companies looking to solve their most demanding AI challenges, enabling smarter, faster, and better results. Shaip supports all aspects of AI training data, from data collection to licensing, labeling, transcribing, and de-identifying, by seamlessly scaling our people, platform, and processes to help companies develop their AI and ML models. To learn how to make your data science team and leaders' lives easier, visit us at www.shaip.com.

TruCentive Enhances Privacy With HIPAA Compliant Personal Information De-identification

A China-linked threat actor had access to a router configuration database that could have completely disrupted coverage, a security vendor says.

Source: rarrarorro via Shutterstock

About six months before the 2022 FIFA World Cup soccer tournament in Qatar, a threat actor — later identified as China-linked BlackTech — quietly breached the network of a major communications provider for the games and planted malware on a critical system storing network device configurations.

The breach remained undetected until six months after the games, when researchers at NetWitness spotted it during a routine audit for the service provider. During that period, the cyber-espionage group gathered up an unknown volume of data from targeted customers of the telecommunications provider — including those associated with the World Cup and vendors providing services for it.

**A Near Miss**

But it's the "what else could have happened" that's the really scary part, says Stefano Maccaglia, global practice manager, incident response, at NetWitness, discussing the incident for the first time with Dark Reading recently.

The access that BlackTech had on the telecom provider's system would have allowed the threat actor to completely disrupt key communications — including all streaming services associated with the game. The fallout from such a disruption would have been substantial in terms of geopolitical implications, brand damage, national reputation, and potentially hundreds of millions of dollars in losses from the licensing rights and ads negotiated prior to the World Cup, Maccaglia says.

"We are normally very collected, but in this case, we were terrified," Maccaglia says of NetWitness' discovery. "The threat actor literally had their finger on the button but didn't push it."

NetWitness' involvement in the Qatar World Cup began in 2022, about six months before the event, when several local service providers hired the company to assess the cybersecurity preparedness of some of the supporting IT infrastructure for the games. Like with other security vendors involved in the effort, the telecom provider gave NetWitness access to a substantial portion of its tech stack and environment — but not to all of it.

According to Maccaglia, the NetWitness team detected and remediated several issues on parts of the provider's tech stack to which the company had access. But it wasn't until early 2023 that the service provider finally opened up the rest of the environment to NetWitness for additional auditing. This was when NetWitness unearthed log activity suggesting that someone had gained access to the provider's network.

**A Rootkit and a Backdoor**

The company's subsequent investigation showed the attacker had planted a sophisticated rootkit and a backdoor, dubbed Waterbear, on a critical configuration management database (CMDB) storing device configurations for the provider's customers. NetWitness found the attackers had used PLEAD — a remote access Trojan commonly associated with the BlackTech APT — to target additional systems within the environment.

"The attacker aimed to control this database \[from\] the beginning, because it would allow him/her to swap configurations on the fly and revert them back, once finished, leaving no traces," Maccaglia says.

BlackTech is a threat actor that the US Cybersecurity and Infrastructure Security Agency (CISA) last year identified as a threat to organizations in the telecommunications, technology, media, electronics, and industrial sectors. In an advisory, CISA described the threat actor (aka Radio Panda, Circuit Panda, Temp.Overboard, and Palmerworm) as particularly adept at modifying router malware without detection and the exploiting routers' domain-trust relationships to gain access to victim networks. "BlackTech actors' TTPs include developing customized malware and tailored persistence mechanisms for compromising routers," CISA noted. "These TTPs allow the actors to disable logging and abuse trusted domain relationships to pivot between international subsidiaries and domestic headquarters' networks."

In the attack on the telecom provider in Qatar, BlackTech actors used their access to the CMDB to change configurations on Asus routers associated with various organizations in such a manner as to make systems belonging to these organizations become accessible over the Internet. They then uploaded PLEAD — concealed in legitimate looking software updates from Asus — to these systems by modifying the DNS resolution of asus.com. The threat actor then leveraged PLEAD to steal data from the victim organizations. Among the systems infected in this manner were those associated with the World Cup games. The attackers would change the router config details for a few hours at a time and then revert back to the original rules to minimize the chances of detection, Maccaglia says.

**Worrying Lack of Visibility**

The fact that no one was able to spot the intrusion in the months leading up to the World Cup, during the event, or for months later is worrisome, Maccaglia says. With the countdown for the 2024 Summer Olympics well underway, it is imperative that the entire technology stack supporting the games be vetted for security issues, he says.

The Olympics, like other major sporting events, such as the Super Bowl, have become huge cyberattack targets in recent years. In 2019, for instance, a threat group later identified and linked to Russia's military intelligence also attempted to disrupt the opening of the Winter Olympics in South Korea after Russian athletes were banned from participating over doping concerns.

"As we saw with the World Cup, threats can live in obscure places and keep a very low profile," Maccaglia says, adding, "You can't find what you aren't allowed to look for," in advocating for broader visibility for companies like NetWitness into the entire supporting infrastructure for the game.

"When you behave as if there's always a threat present, you put yourself in a position to mitigate damage and, potentially, get ahead of the threat in the environment," he says. "This will be critical for the 2024 Summer Games."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

How Soccer's 2022 World Cup in Qatar Was Nearly Hacked

Effective Rhadamanthys phishing campaign spoofs nonexistent "Federal Bureau of Transportation" to compromise recipients, analysts discover.

Source: Frode Koppang via Alamy Stock Photo

An updated version of the Rhadamanthys malware-as-a-service (MaaS) is being deployed against oil and gas companies, using an effective new lure with a concerning amount of success.

Cofense has been tracking the campaign, which uses emails and a PDF file disguised as communications from the "Federal Bureau of Transportation," according to a new flash alert from the email security analysts. No such bureau exists, and may be a mashup of the Department of Transportation and the Bureau of Transportation Statistics, an purview.

"It is not clear as to why this specific sector is \[being targeted\], but the campaign in its current form could be relevant in most sectors if threat actors decided to change targets," the Cofense alert explained. "While the campaign was actively sending emails, it was successfully reaching targets at an alarming rate."

The campaign appeared just days after the LockBit takedown in February, the analysts said. The latest version of Rhadamanthys, 5.0, was updated earlier in 2024 with improvements to its evasion and data stealing capabilities, Cofense added.

The phishing emails are also carefully crafted, the researchers pointed out. The phishers crafted multiple, provocative subject lines like, "Notification: Incident Involving Your Vehicle," and "Attention Needed: Your Vehicle's Collision."

"As peculiar as it might seem to use vehicle incidents as a phishing lure, the threat actor(s) here put immense effort to ensure that their emails along with the infection chain target recipient's emotions," Cofense added. "Each email body and subject are both different than the next, but they can be summarized by notifying an employee of a car incident through an employer notification, possible legal actions, or even a notice of contacting law enforcement."

**About the Author(s)**

Oil &amp; Gas Sector Falls for Fake Car Accident Phishing Emails

As part of its Secure by Design initiative, CISA urged companies to redouble efforts to quash SQL injection vulnerabilities. Here's how.

Source: Casimiro PT via Shutterstock

For more than a decade, injection vulnerabilities have literally topped the charts of critically dangerous software flaws, deemed more serious than all other types of vulnerabilities in the 2010, 2013, and 2017 Top 10 lists maintained by the Open Web Application Security Project (OWASP).

Still, the warnings have failed to weed out the issues. Last year, the Cl0p group stole data from companies using a previously unknown SQL injection (SQLi) vulnerability in MOVEit's file-transfer application. In late March, the Cybersecurity and Infrastructure Security Agency (CISA) called for companies to redouble their efforts to eliminate the security issue, which application security experts consider one of 13 different "unforgivable" classes of vulnerabilities that programmers should catch during development.

"Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk," the agency stated in its March 25 advisory. "Vulnerabilities like SQLi have been considered by others an 'unforgivable' vulnerability since at least 2007."

The root of injection vulnerabilities is a lack of input sanitization; when the application receives variable input, there's always the risk of that input being tainted, says Randall Degges, head of developer relations at application security firm Snyk.

"Although this has been an issue since programming existed, the reason it’s still in the top 10 vulnerabilities after all this time is because there are an infinite number of ways to use input, and often time sanitizing input is tricky," he says.

For software developers looking to nix this particular issue, here's how.

**1\. Educate Yourself and Others**

The first step is always education. OWASP offers cheat sheets on SQLi, how to detect the vulnerability, and ways of creating safe code. Some Web application frameworks aim to educate developers while they are programming, using application programming interface (API) names to make the risk of some functions clear, such as React's "dangerouslySetInnerHTML" function, says James Kettle, director of research at PortSwigger, an application security testing firm.

In addition, developers should not necessarily trust the makers of open source software — especially components that have not been well vetted — to use safe code, and online tutorials are often unsafe as well, he says.

"I think the core issue is that there's a lot of unsafe APIs, where anyone using the API is vulnerable by default," Kettle says. "Even when there are more modern secure APIs available, fresh code is written using the unsafe versions, thanks to old unsafe examples in StackOverflow."

**2\. Harden the DevOps Pipeline Using Automated Tools**

Developers should implement unit tests to check code for SQLi flaws — and other common security issues — during development, add static application security testing (SAST) both prior to and after commits, and include scans for SQLi as part of dynamic application security testing (DAST).

Unit tests can be added using frameworks such as tSQLt for testing Microsoft SQL Server, pgTAP for testing applications that use PostgreSQL, and Pytest and SQLAlchemy for unit testing in Python programs. A variety of SQL unit testing best practices should be followed to make the tests more useful, such as isolating the SQL tests from dependencies and avoiding descriptive naming of the tests.

In addition to automated tests in the development pipeline, developers should make sure to use SQL frameworks, such as SQLAlchemy, because many security improvements are already baked in, says Snyk's Degges.

"Pretty much all modern SQL frameworks and tools provide convenience methods to help with this nowadays, so your best bet is to thoroughly read through the relevant framework documentation to ensure you're using it correctly when building queries," he says.

**3\. Play Around With SQLMap**

The open source program SQLMap is a great tool for penetration testers to experiment with SQLi, exploit any potential vulnerabilities, and dump a database to prove that the vulnerability can be exploited. The tool can also educate application developers to the true dangers of SQLi and how vulnerable code can be exploited.

However, the tool is not necessarily the best way to scan for potential vulnerabilities, says PortSwigger's Kettle.

"In my experience, the detection capabilities are slow, heavyweight, and prone to false positives," Kettle says. "Also, it can't explore websites to find the attack surface, which is one of the biggest challenges for finding these vulnerabilities automatically."

**4\. Consider a DAST Service**

Automating SQL injection scanning using DAST as part of the quality assurance stage — and even earlier in the DevOps pipeline, if possible — can help catch any overlooked vulnerabilities. In addition, DAST scanning is a good way to find SQLi in legacy code.

While Web application firewalls (WAFs) can prevent SQLi attacks from reaching an application, they should be used only as part of a defense-in-depth strategy, Kettle says.

"Personally, I've seen runtime protection like WAFs bypassed so many times that I don't have much confidence in them," he says. "I would recommend a bug-bounty program as an effective way to surface undetected vulnerabilities instead, and use WAFs as a last resort for systems that are in such a bad state that known vulnerabilities can't be patched."

**5\. Expand Beyond SQL**

Finally, companies should also look for other types of injection vulnerabilities and make sure their developers recognize risky patterns, since SQLi is only one class of injection vulnerabilities.

OWASP broadened the definition of an injection vulnerability to be any software flaw where user-supplied data is not validated or sanitized by an application and then sent to an interpreter. Cross-site scripting, SQL, operating system scripting, and parsing the Lightweight Directory Access Protocol (LDAP) are all areas that can be vulnerable to injection.

With the advent of artificial intelligence models, for instance, prompt injection is the latest form of an injection attack.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

How to Tame SQL Injection

Guests affected by the companywide disruption vented their frustrations on social media.

Source: Andrew Shurtleff via Alamy Stock Photo

UPDATE

This story was updated at 3:30 ET on April 4 to reflect new information about the cause of the outage.

Omni Hotels & Resorts last week experienced a cyberattack that led to an outage, bringing down the company's IT systems.

In a notice on the Omni Hotel website, the company explained that after learning of the cyberattack, it shut down its systems to protect its data.

This cyberattack impacted operations and hotel functions such as reservations, hotel room door locks, and point-of-sale (POS) systems, but it is unclear what data, if any, was impacted.

The Omni's website went down Friday as well but was back in service by the weekend, with a notification to customers reading, "Dear valued guest, we are currently experiencing technical difficulties, please try back at a later time."

Customers shared their experiences on social media sites like X (formerly known as Twitter) and Reddit.

On a "r/hotels" Reddit thread, a user posted about the hotel outage, alerting that the computer systems were down. Another user responded saying "It's pretty bad. They have it so you have to text them to come let you into your room, and it usually takes 30+ minutes for an employee to get there and unlock it for you," referencing the inoperable digital locks on hotel rooms.

Omni hasn't disclosed what caused this cyberattack, ransomware or otherwise, though Elise Carmichael, CTO of Lakeside Software, said that identifying the causes of these kinds of outage can be "like finding a needle in a haystack" for some companies.

"Organizations will go into a war room either literally or virtually — pulling a dozen people at all hours to find this needle. Unfortunately, today, finding this needle is exceedingly difficult as nearly every organization is reactionary," Carmichael said in an emailed statement to Dark Reading. 

Carmichael recommended that organizations and businesses collect the kind of data they need to solve these kinds of issues prior to an event like an outage or cyber incident actually happening. 

"With this kind of visibility, they can predict problems before they disrupt the business at wide scale, preventing most of these war room situations," Carmichael added.

Omni has launched an ongoing investigation into the attack and is working to restore whatever systems are not yet fully operational. The hotels will remain open and are accepting new guests and reservations on its website.

Omni Hotel IT Outage Disrupts Reservations, Digital Key Systems

Security teams often confuse tool purchasing with program management. They should focus on what a security program means to them, and what they are trying to accomplish.

Source: Panther Media GmbH via Alamy Stock Photo

COMMENTARY

I've had the pleasure of speaking to hundreds of security teams, and the biggest mistake I've seen is that they often mistake tool purchasing with program management, meaning they often think of the tool driving the program, rather the tool being a part of the program. Instead of focusing on the tool, security teams should focus on what a security program means to them, and what they are trying to accomplish. Below, I share insights that can improve your cybersecurity strategy.

**The Misconceptions and Limitations of Cybersecurity Tools**

Not planning a program end to end can lead to failure. Being able to detect something, but doing nothing about it, isn't useful. Too often, security teams fall for the misconception that a security tool is a comprehensive security program. But can we fault them?

Cybersecurity tools are packaged to be appealing: sleek dashboards, integrations, APIs, multiple language support, the promise to find everything. These features give the illusion of a sure bet for security. Security teams buy these tools expecting, then hoping, finally pleading, that their bet will pay off. 

**The Known-Bug Breach**

Organizations routinely need weeks to months to fix a software vulnerability. Even more startling, in a third of security breaches, the pending security fix was known before it was exploited. Why? This often stems from security tickets falling in priority because of the inability to drive a meaningful vulnerability management program and getting stakeholder buy-in. 

**Best Practices for Building Effective Cybersecurity Programs**

The National Institute of Standards and Technology (NIST) defines a security program "as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions." A security program answers: why this, what to do about it, when, how, and who. It simplifies those answers by forming them into policies and instructions for everyone to follow.

"In my org," a former chief information security officer (CISO) told me, "we didn't greenlight any tool purchasing until a remediation plan was established for the tool." This ex-CISO understands that managing security well is managing the security program, which, in turn, is managing, maintaining, and building a security culture. To be effective, you have to embed the security program in every layer of the business.  

My advice: Before you buy a tool like SAST, lay the groundwork for a security program.

There are so many threat models and definitions out there that it can be overwhelming. Instead, keep it simple to start. Use this tried-and-true formula:

program = tool + people + processes + goals

If you do this, you will avoid the misconception that a tool is a program. These best practices bolster more effective cybersecurity programs that are resilient, adaptable, and capable of remediating bugs. 

In the following two sections, I want to call out two important and often overlooked pieces of this equation that might be misunderstood.

**Stakeholder Engagement in Security Programs**

Stakeholder engagement is crucial to a security program. The vast majority of a security team's success is based on the relationships and buy-in they achieve with key stakeholders, like engineering teams. Forgetting stakeholder buy-in and commitment will fail the vast majority of purchases.

Stakeholder engagement ensures that everyone understands the importance of cybersecurity and eliminates ambiguity. The security program helps every individual understand their role in security and importance in fulfilling that role. In the case of implementing a SAST tool, not having buy-in from your engineering team means you're going to rack up a vulnerability count because you can't act on it. 

**Vulnerability Management **

Vulnerability management is a core component of a strong security program, and generally applicable to most security tools. We've found only the largest of enterprises will hire a dedicated vulnerability manager, and often most organizations don't have someone owning and driving those vulnerabilities.

Vulnerability management involves identifying, assessing, prioritizing, and then addressing vulnerabilities in the system. This is a continuous process that requires regular monitoring and updating. 

For example, in fixing code vulnerabilities from a SAST tool, essential to vulnerability management is remediation and, later, prevention. There is plenty of information about proactive efforts. The big addition I can add here is using cutting-edge tools to achieve rapid maturation for your vulnerability management program — namely, auto-remediation. The recent developments in AI have enabled teams to behave like their counterparts. For example, product managers can now do data science tasks. Additionally, AI is enabling teams to automatically fix vulnerable source code. Security teams can't scale their efforts alone. They need to invest in actions and systems that help them drive programs. 

**Conclusion**

Cybersecurity tools are no replacement for a robust security program. No one buys construction tools and starts building willy-nilly. Without a plan, they'd end up with a chaotic assembly of screwed-in screws, hammered nails, and sawed boards. That isn't productivity. It's busywork. Sadly, a tool without a robust plan behind it can go the same way. A security program assures that security tools are effective and deliver value for your organization — and, ultimately, increase the security of your organization.

**About the Author(s)**

Founder & CEO, Corgea

Ahmad Sadeddin is the founder and CEO of Corgea. A three-time startup founder and product leader, he's worked on building and scaling software products for over 15 years. Securing software products was always a challenge, so Corgea was born from his frustration at the manual and inefficient processes to remediate security issues. Corgea automatically fixes insecure code.

The Biggest Mistake Security Teams Make When Buying Tools

A federal review board demanded that the tech giant prioritize its "inadequate" security posture, putting the blame solely on the company for last year's Microsoft 365 breach that allowed China's Storm-0558 to hack the email accounts of key government officials.

Source: Wachirawit Lemlerkchai via Alamy Stock Photo

A federal review board has called on Microsoft to prioritize its approach to cloud security and stop pushing the burden of it onto customers in the wake of a July 2023 cyberattack that let Chinese threat actors breach Microsoft 365 accounts to spy on key US government officials.

A report released on April 2 by the independent Department of Homeland Security (DHS) Cyber Safety Review Board offered an incendiary review of Microsoft's security culture, putting the blame squarely on the company and a "cascade of security failures" for the cyber espionage attack by China-based threat group Storm-0558, which "never should have happened."

The board — which was investigating the breach at the behest of President Joe Biden — demanded that the technology giant put cybersecurity at the top of its agenda. It also should be held to strict account to make significant revisions to its cloud-security position, even prioritizing these changes ahead of new product features and development.

"To drive the rapid cultural change that is needed within Microsoft, the board believes that Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company's security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products," officials said in the report.

**Put Security Before Product Innovation**

As part of its review, the board made a series of recommendations to this end, including that top executives not only develop this plan but also hold leaders at all levels across the company accountable for implementing it.

Microsoft leadership also should consider directing internal Microsoft teams to "deprioritize feature developments across the company's cloud infrastructure and product suite until substantial security improvements have been made," instead assessing and addressing security before deploying any new features, the board concluded.

Given the dependence on the security of Microsoft's cloud-based services and infrastructure, the software giant and other CSPs also need to take more accountability overall for the security outcomes of their customers. An action item at the top of this list is to halt the practice of making customers pay for security-related logging, making it "a core element" of cloud offerings instead of an add-on service for an extra fee.

Microsoft already relented and dropped fees associated with expanded logging access for all levels of 365 license holders shortly after the breach following complaints that it was effectively levying a logging tax on customers.

**This One Is on Microsoft**

The overall finding of the board is that the blame for the breach — which allowed Storm-0558 to gain access to email accounts across 25 government agencies in Western Europe and the US — is solely with Microsoft, and was directly due to a series of security failings on the part of the company.

As the fallout from the breach intensified in the weeks after its initial detection, Microsoft eventually in September 2023 owned up to a series of mistakes that led to Storm-0558 using a Microsoft account (MSA) consumer signing key to forge Azure AD tokens for accessing enterprise email accounts. MSA consumer keys are typically used to cryptographically sign into a Microsoft consumer application or service such as Outlook.com, OneDrive, and Xbox Live.

The company said at the time that a race condition resulted in the signing key being present either in a crash dump or a snapshot of the crashed system. The key eventually ended up with the debugging team on Microsoft's Internet-connected corporate network, where threat actors likely picked it off.

However, government officials held executives feet to the fire over the company's failure to detect the compromise of its "cryptographic crown jewels on its own," as it was a customer — a human rights organization who did not have access to advanced cloud security logging — that first alerted the company to a potential issue.

Moreover, Microsoft has never proven that the key used by attackers ended up in any crash dump or snapshot, and failed to correct statements claiming this as the root cause "in a timely manner." Indeed, Microsoft did not roll back its story on how the key got into the hands of Storm-0558 until last month, when it amended its blog post and acknowledged it never located a crash dump containing the key.

Finally, Microsoft is generally lax in comparison to other cloud service providers (CSPs) when it comes to cloud security, failing to keep security controls to a similar standard, the board found. The company must level up immediately given that its ubiquitously used products "underpin essential services that support national security, the foundations of our economy, and public health and safety," which in turn, requires Microsoft "to demonstrate the highest standards of security, accountability, and transparency," officials concluded.

A Microsoft spokesperson said that the company appreciates the work of the board to investigate the attack, and that in its aftermath the company has recognized a"a need to adopt a new culture of engineering security in our own networks."

To that end, Microsoft unveiled what it's calling a Secure Future Initiative, to mobilize its engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.

"Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries," the spokesperson said, adding that Microsoft will also take into consideration any additional recommendations by the board.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Source

DARKReading