In three separate incidents, engineers at the Korean electronics giant reportedly shared sensitive corporate data with the AI-powered chatbot.

Recent reports about engineers at Samsung Electronics inadvertently leaking sensitive company information via ChatGPT in three separate incidents highlight why policies governing employee use of AI services in the workplace are quickly becoming a must for enterprise organizations.

The Economist Korea, one of the first to report on the data leaks, described the first incident as involving an engineer who pasted buggy source code from a semiconductor database into ChatGPT, with a prompt to the chatbot to fix the errors. In the second instance, an employee wanting to optimize code for identifying defects in certain Samsung equipment pasted that code into ChatGPT. The third leak resulted when an employee asked ChatGPT to generate the minutes of an internal meeting at Samsung.

The incidents played out exactly the same way that researchers have been warning that they could, since OpenAI made ChatGPT publicly available in November. Security analysts have noted how, in all instances where users share data with ChatGPT, the information ends up as training data for the machine learning/large language model (ML/LLM). They have noted how someone could later retrieve the data using the right prompts. 

ChatGPT creator, OpenAI, itself has warned users on the risk: "We are not able to delete specific prompts from your history. Please don't share any sensitive information in your conversations," OpenAI's user guide notes.

**Samsung Enacts Emergency Anti-ChatGPT Measures**

The situation has apparently prompted a rethink of ChatGPT use at Samsung after the third incident, just barely three weeks after the South Korean electronics giant allowed employees access to the generative AI tool. The company had initially banned the technology over security and privacy concerns before relenting.

The Economist reported Samsung's emergency measures to limit ChatGPT use internally as including restricting employees from asking questions of ChatGPT that were larger than 1,024 bytes and considering disciplinary action against employees who share corporate data with LLMs such as ChatGPT.

Samsung did not respond to a Dark Reading request seeking clarification on the three incidents and the company's response to them. Security researchers, however, have been warning that such leaks could become common as employees begin leveraging ChatGPT for various use cases within the enterprise.

A study that Cyberhaven conducted earlier this year found many workers at client companies pasting source code, client data, regulated information, and other confidential data into ChatGPT. Examples included an executive who pasted his company's 2023 strategy document into the chatbot so it could generate a PowerPoint slide presentation, and a doctor who entered a patient's name and medical diagnosis so ChatGPT could generate a letter to the patient's insurance company.

**AI: A Risk vs. Benefit Gamble for Enterprises**

"From an employee's perspective, ChatGPT-like tools offer the potential to be exponentially more productive, making them hard to ignore," says Krishna Vishnubhotla, vice president of product strategy at Zimperium. However, it's important to consider the risks vs. rewards equation, which will vary depending on specific roles and responsibilities, he notes. For instance, employees working with intellectual property would require more guidance and precautions on how to use tools like ChatGPT he says: "It is crucial for organizations to understand how productivity will look and where it will come from before they embrace this opportunity."

Michael Rinehart, vice president of artificial intelligence at Securiti, says it's important to remember that advanced Generative AI tools such as ChatGPT cannot distinguish between what they should and should not memorize during training. So, organizations that want to harness them for different use cases should consider using tools for classifying, masking, or tokenizing personal and other sensitive data.

Or "a second approach is the use of differential privacy. Differential privacy offers provable protection of individuals in structured data," Rinehart says.

**Differential Privacy**

Rinehart describes differential privacy as a technique for protecting data in a dataset. "It involves adding noise — or error — to real data," he says. The synthetic data will have many of the important characteristics of real-world data without exposing the individuals in the dataset. "If used properly, even if the synthetic dataset were leaked, privacy would still be protected. Enterprise-grade synthetic data generators with differential privacy are now available," he says.

Rinehart perceives attempts by organizations to ban ChatGPT use in the workplace as ill conceived and unlikely to work. "A consistent story in the field of security is that it may be better to offer a secure path to using a tool than to block it," he says. "If a tool offers incredibly high benefits, people may attempt to circumvent blocks to take advantage of it."

Melissa Bischoping, director of endpoint security at Tanium, says the issue with sharing data to ChatGPT lies in the fact that the creators can see the data and use it to understand how the model continues to train and grow. Once a user shares information with ChatGPT, that information becomes part of the next model. 

"As organizations want to enable use of powerful tools like ChatGPT, they should explore options that allow them to leverage a privately trained model so their valuable data is only used by their model and not leveraged by iterations on training for the next publicly available model."

Samsung Engineers Feed Sensitive Data to ChatGPT, Sparking Workplace AI Warnings

Microsoft and others are doubling down on incident response, adding services and integrating programs to make security analysts and incident response engagements more efficient.

Incident response is shifting from a service that organizations hope they never need to a capability that every business aims to have, and a variety of companies — from consulting firms to insurance companies to cloud providers — are preparing to take advantage of the trend.

In late March, Microsoft announced that the company would focus its generative AI offering, Copilot, on helping companies triage and respond to incidents, with an aim toward bolstering organizations' incident-response capabilities. The company also announced that it would start offering incident response services and consulting on cybersecurity posture as a retainer to companies upon request.

The announcement marks a significant change at Microsoft. In 2019, Microsoft labeled its incident response team — known then as the Detection and Response Team (DART) — as the "cybersecurity team we hope you never meet." Now the team hopes to meet clients on a regular basis.

The moves are about offering the right services to improve incident response capabilities across the board, says Ping Look, director of the Microsoft Incident Response Team.

"We intend to build our customer base and give our customers more flexibility," she says. "Really, I think it's a growth inflection point."

**Building IR Relationships**

Microsoft is not alone. Incident response services have taken off, and the companies that offer them are looking to build relationships rather than one-off engagements. Google bought incident response bellwether Mandiant in 2022, adding to its other incident response-focused acquisitions of Siemplify and Chronicle and its security advisory services. Consulting firms Deloitte, Booz Allen, Kroll, and PricewaterhouseCoopers have long offered incident response, while managed service firms such as CrowdStrike and Secureworks have focused expertise. Large business-technology and service firms — such as IBM, AT&T, Verizon, and Palo Alto Networks — have also long been players in the incident response space.

Even with the extensive list of players, however, the demand for services continues to skyrocket, says Jurgen Kutscher, executive vice president for services at Mandiant.

"The demand always seems to outpace the supply, so I do believe there's plenty of work for all of these organizations because the threats keep changing," he says. "The organizations that are being targeted, especially when you look at much more opportunistic attacks, like ransomware and similar types of attacks — anybody could be a target."

**Incidents Extend into the Cloud**

Microsoft and Google are well-positioned because more attacks are impacting assets in the cloud — in an area where both companies have significant expertise — in part because business infrastructure and data have sprawled out into the cloud, or usually multiple clouds.

A few years ago, for example, a quarter of the attacks investigated by Palo Alto Networks, a network security and incident response provider, involved cloud assets; now, approximately half are cloud-related, says Sam Rubin, vice president of Palo Alto Networks' Unit 42 threat intelligence and incident response group. The company collects more than 500 billion security events per day from endpoint agents, network appliances, and cloud telemetry, he says.

Rubin does not expect that trend to slow, which can make incident response a challenge.

"It's very hard for organizations to only live and operate in one cloud environment, and even if most of your workloads are in the cloud, there are still systems at headquarters, there's still users with endpoints," he says. "We believe that having somebody who can cut across the entire environment, the headquarters, the remote users, and the cloud — whatever the case may be — that is going to remain an important strategy for securing the enterprise."

While Microsoft and other companies aim to use generative AI to process incidents faster and present incident responders with analyses in near real time, the efforts are largely aspirational at this point. Handling that data with large language models (LLMs) and other forms of advanced machine learning will require a great deal of development and learning, says Pete Shoard, vice president at business intelligence firm Gartner.

"Automated response for complex security incidents is absolutely a long, long way out," he says. "Where AI will help greatly is in that area of task-based automation, finding the right kind of information quickly, and providing a lot more information for the humans to be able to do their job more efficiently and effectively."

**Insurance and Legal Remain Driving Forces**

Corporate legal requirements and cyber-insurance policies have an outsized impact on incident response. Often, the first call for an engagement comes not from a company executive, but from an outside counsel hired to handle the crisis (often because attorney-client privilege shields a company from legal discovery). In other cases, an insurance company would bring in incident responders to help reduce the cost of recovering from a breach and to assess the security of a policyholder.

Legal counsel and insurance firms will likely continue to push for incident response retainers as a way to make sure that companies are doing a base level of training and preparation every year. That can create a net benefit, says Jess Burn, a security analyst with Forrester Research.

"Insurance firms are asking if you're doing incident readiness and incident preparedness exercises as part of your application or policy," she says. "Those same incident response firms can do assessments and tabletop exercises at the technical and executive level — and all of those things can help them, and you, really understand your environment."

Overall, companies that have incident response team and a tested incident-response plan save an average of 58% of the costs of mitigating a data breach, or about $2.6 million for large companies, compared with companies that have neither a team nor a well-tested plan, according to IBM's "2022 Cost of a Data Breach" report.

In the end, everyone can save when the incident response firm and the clients have an ongoing relationship, says Mandiant's Kutscher.

"Having organizations consulting with business partners and with cyber-insurance companies so that they don't just put out the fire, but then working with the organization to reduce the risk of having a similar event happen again, is very, very critical," he says. "That's something that the cyber-insurance industry is definitely driving toward."

**The Future Is Pre-Crime (Pre-Incident, That Is)**

Another benefit from the ongoing relationship with an incident response vendor is that companies will know what they need to have in place for effective incident response. With ongoing advice and expertise from incident response firms, when an attack happens, the incident response firm will know the company has retained the right data, which helps immeasurably in the investigation.

"When they do need us for incident response, we are not coming in cold and coming up to speed in a live-fire situation," Palo Alto's Rubin says.

Even companies with their own security operations center, which would not have qualified for Microsoft's DART services, will now be able to put the incident response group on a retainer, says Microsoft's Look.

"We want to be able to take care of our customers, even if they're not using our Microsoft security staff," she says. "Because that's where we primarily deliver our investigations from, using telemetry that comes in through that. But we're expanding well beyond that too — not as fast as I would like, but we're getting there."

Renewed Focus on Incident Response Brings New Competitors and Partnerships

The marketplace for malicious Google Play applications and app-takeover tools is thriving, thanks to novel hacking techniques and lax enterprise security.

Cybercriminals are finding ways around the official Google Play app store's security, developing tools for trojanizing existing Android applications and selling their malicious wares for up to $20,000 a piece on cybercrime markets.

In an April 10 blog post, researchers from Kaspersky published the results of a broad study of nine of the most popular Dark Web forums. Tracking activity from 2019 and 2023, they found a thriving marketplace of buyers and sellers trading access to app developer accounts, botnets, and malicious Android applications, sometimes for thousands of dollars at a time.

In some cases, particularly useful wares — like source code that can burrow you into an existing cryptocurrency or dating app on Google Play — are going for multiple thousands of dollars.

"It's an infinite cat and mouse game," Kaspersky researcher Georgy Kucherin says of Google's app security. "The attackers find a way to bypass security scanners. Then the people developing the security scanners deploy patches to ensure that doesn't happen again. Then the attackers find new flaws. And it goes on and on."

A Google spokesperson tells Dark Reading, “Google Play has policies in place to keep users safe that all apps must adhere to. All Android apps undergo security testing before appearing in Google Play. We take security and privacy claims against apps seriously, and if we find that an app has violated our policies, we take appropriate action. Users are also protected by Google Play Protect, which can warn users or block identified malicious apps on Android devices.”

**The Marketplace for Google Play Hacks**

Any software uploaded to Apple's or Google's app stores is subject to rigorous vetting.

"But just like any security solution that exists in the world, it's not 100% effective,” according to the Kaspersky researchers. "Every scanner contains flaws that threat actors exploit to upload malware to Google Play."

Generally speaking, there are two common ways to sneak malware onto an app store.

Method number one involves uploading a perfectly harmless app to the marketplace. Then, after it's approved — or, even better, after it's accrued a substantial-enough audience — hackers push an update containing malicious code.

Alternatively, hackers might compromise legitimate app developers, latching onto their accounts to upload malware to existing apps. App developer accounts can be cracked more easily without strong password policies and two-factor authentication in place. In some cases, credential leaks can do most of the job for the hackers, providing the logins necessary for breaching accounts and sensitive corporate development systems.

Depending on the developer, access to a "GP" (Google Play) account might only cost as little as $60, as seen in the example Dark Web listing below. But other, more useful accounts, tools, and services come with much higher price tags.

For instance, because of the power they afford, loaders — the software necessary to deploy malicious code into an Android app — can go for big money on the cybercrime underground. This listing offered loaders for rent or development for up to $5,000 each.

Source: Kaspersky’s Securelist blog

Well-resourced criminals might shell out for a premium package, like the source code for a loader.

"You can do whatever you want with that — deploy it to as many apps as you want," Kucherin explains. "You can modify the code as much as you want, adapting it to your needs. And the original developer of the code may even provide support, like updates for the code, and maybe new ways to bypass security measures."

This full-service Google Play hacking suite can run you up to $20,000.

**How Businesses Can Protect Against Google Play Threats**

The threats in Google Play are of particular concern to organizations with weak enterprise security. Kucherin points out that many businesses still have lax bring-your-own-device arrangements in place, which extend the security perimeter beyond corporate networks and into the hands of employees, literally.

"Say an employee installs a malicious app on the phone," Kucherin posits. "If this app turns out to be a stealer, cybercriminals can get access to, for example, corporate emails or sensitive corporate data, then they can upload it to their servers and sell it on the Dark Web. Or even worse: An employee might keep their passwords in, for example, their phone's notes app. Then hackers can steal those notes and get access to corporate infrastructure."

There are two simple ways to prevent such an outcome, he adds.

For one "you can teach the employees cyber-hygiene principles, like to not download apps that are not trusted," Kucherin says.

That may not be enough, though, so "another thing you can do — though it's more expensive — is give your employees a separate phone, which they will use only for purposes of work. Those devices will contain a limited number of apps — just the essentials like email, phone, no other apps allowed."

Just as it is for the cybercriminals, you have to pay more to get more, he notes: "Using dedicated work devices is more effective, but more expensive."

Apps for Sale: Cybercriminals Sell Android Hacks for Up to $20K a Pop

Unpatched Macs, iPhones, and iPads open to browser takeover and system kernel-level malicious code execution, Apple warns.

On April 7, Apple released two security updates warning about two zero-day vulnerabilities under active exploit in the wild. By April 10, those were added to the Cybersecurity and Infrastructure Security Agency (CISA) known exploited vulnerabilities (KEV) list.

The impact of the two vulnerabilities is widespread, affecting macOS Ventura 13.3.1 for Apple Macs, in addition to the iOS 16.4.1 and iPadOS 16.4.1 operating systems used to run iPhones and iPads, according to Apple.

The first bug, CVE-2023-28205, is a flaw in Apple iOS, iPad OS, macOS, and Safari WebKit that could lead to code injection while processing malicious Web content, CISA explained. The second, CVE-2023-28206, affects Apple iOS, iPadOS, and macOS IOSurfaceAccelerator that, worryingly, could allow a malicious app to execute code with kernel privileges, CISA said.

Apple has issued updates for iOS 16 and iPad OS 16. Other macOS versions including Big Sur Monterey, and Ventura have patches that need to be installed, and as Sophos pointed out in a separate advisory, it's still unclear whether the bugs will impact iOS 15 users with older devices.

Both issues were reported by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab, giving cybersecurity experts reason to believe the flaws are being exploited by state actors to deploy spyware.

"It is interesting that Amnesty International's Security Lab was one of the organizations involved in finding reporting the issue," Mike Parkin, senior technical engineer with Vulcan Cyber explained in a statement provided to Dark Reading. "While Apple hasn't said much about the exploits, it seems likely, given the reporting and earlier history, that the exploits were deployed by state-level threat actors."

Pair of Apple Zero-Days Under Active Exploit; Patch & Update Accordingly

When ransomware strikes, how much should you gamble on your resources and opponents' intentions? Here's how to deal yourself a rational, informed way to weigh your options after an attack.

When it comes to the ransomware game, it's worth comparing it to another high-stakes activity, poker. It's important for organizations to understand what they're gambling with when they decide whether or not to "negotiate with terrorists."

There's still a certain secrecy or even shame attached if an organization decides to pay the ransom to unlock systems and files — which can cost anywhere from thousands to millions of dollars. However, there shouldn't be, according to Brandon Clark, CEO and founder of cybersecurity consulting firm Triton Tech Consulting. 

He should know, as his security strategy and compliance practice — with expertise in business continuity and disaster recovery — often deals with clients who have to clean up the mess that ransomware attacks leave behind.

"Let's say if you have a hardware failure and a vendor comes in and says, 'We can get you back up and running for a grand total of a million dollars,'" he says, referring to ransomware negotiation services. "It would be unfortunate — and that would be bad press and nobody wants to see that — but there would also be a fair amount of, 'Yeah, that happens.'"

Ransomware also happens, to organizations both large and small. They're then faced with a complex dilemma encompassing not only practical, logistical, and business consequences, but also emotional ones — especially if reputations (or even lives, in healthcare settings) are at stake, when systems go down.

**Ransomware Response: Know When to Fold 'Em

"There is a lot of moral ambiguity," says Clark, who plans to present a session at this month's RSA Conference 2023 that lays out a rational strategy for navigating ransomware response. 

When ransomware actors target hospitals with potentially life-threatening attacks, for example, "what's the moral obligation we have to our customers to get our customers back up and running?" he asks. "If systems are down with ransomware and a patient dies, should they have paid the ransom just to have their systems back?"

    

Triton Tech's Brandon Clark will discuss ransomware response and poker at RSAC 2023.

And while poker and ransomware may not seem to have much in common, they are both activities in which a lot of money can be won or lost, Clark says. Just like each poker player and game is unique, so is every ransomware scenario, which means there is no one-size-fits-all solution for every organization.

Deciding whether or not to pay a ransom, then, must be an informed decision that takes various factors into account without the knee-jerk response of balking at giving attackers what they want purely because it's not seen as the right thing to do, he says.

****Know Who's at the Poker Table & When They Bluff**

When deciding whether or not to pay a ransom, an organization should take a similar approach to a poker player sitting at a table, Clark says. That is, it should have an idea of with whom it is playing, along with a knowledge of the typical aspects of the game, such as how much money is at stake.

"When you're at a poker table, the cards are important, but the person sitting across from you is even more important," he says. "We need to be making an informed decision about who we are playing against."

Thus, threat intelligence is a key aspect of this, he says, because you need to know if your opponent could be bluffing. For instance, if the ransomware attacker involved has a reputation for claiming to have exfiltrated data when it hasn't, or if it is known for not unlocking files even after a ransom is paid, those are things to take into consideration.

"\[Companies ask\], 'if we pay the ransom, how do I know if they're going to lock us out again?'" Clark notes. "The answer is: You don't. That's when the threat intelligence piece is super important."

Organizations also need to know what's at stake — such as knowing what your system resiliencies are, what it's going to cost if something is not available — as well as what resources they have available to recover systems on their own, such as if they have good backups and segmentation tools, he says: "All of that goes in together to help you make an informed business decision."

For example, if a ransomware attacker is asking for $5 million but it's going to cost a company $70 million or $100 million to recover its data on its own, the question becomes, "Why aren't we paying that?" Clark says. "On the flip side, if it's only going to cost us $5,000, why would we pay that $5 million?"

Ultimately, it's up to the organization involved to decide, based on multiple factors, which route to take to recover from a ransomware attack — just as a poker player can go in several directions once a hand is dealt, Clark says.

"You can say, 'do I raise,' that is, are we are going to go this alone — and that's what a lot of companies do," he says. A company can also do the poker equivalent of folding by giving in and deciding that the data kept in some lost systems is not worth the cost to recover them, and thus rebuild them from scratch, Clark says.

**Upping the Ante on Cyber Defense**

In the meantime, there are a number of ways a company can put itself in a more empowering position to negotiate — or not — before a ransomware attack even happens, Clark says. Some of the advice is obvious, such as implementing secure passwords and multifactor authentication (MFA), so systems aren't breached in the first place, he says.

And in many instances, phishing remains the primary way that attackers gain access to user credentials and thus enterprise systems, so "making sure you have strong controls around that" in the form of email filtering and security awareness "is incredibly helpful," Clark says.

One recommendation that he says many organizations don't implement very often yet is to have "some sort of Dark Web scanning or threat intelligence" in place to identify when credentials for an enterprise user have been compromised, he says.

Organizations also should engage in ransomware-impact analysis using a ransomware simulation tool that they can develop alongside security consulting experts, he explains. This can help them understand better how to react if the situation arises, as there is not a lot of time to do a risk assessment in the immediate aftermath of an attack.

Regarding backups, which organizations cite as a surefire way to recover systems on their when they lose data to ransomware, Clark advises that organizations take a cautious approach to betting too much on them, versus paying a ransom or another alternative solution.

"According to some of the research we've seen, most of the attackers are in the environment up to 10 months before they detonate," he says. This means that's there's a good chance there is already malware in an organization's backups, Clark adds.

"You need to make sure you're working with a forensics team when you restore," he advises, "so you don't end up redeploying malware from seven months ago."

High-Stakes Ransomware Response: Know What Cards You Hold

A hacktivist group working with Russia claims it breached DELTA, the Ukrainian battlefield management system (BMS).

The Joker DPR threat group has been around and functioning as an arm of the Russian state since 2019, largely focused on spreading disinformation and leaking sensitive Ukrainian government and military secrets stolen by insiders friendly to Russia. Its goal is undermining people's confidence in the country's institutions, but no one should be fooled into thinking Joker DPR is a sophisticated group of super-hackers — it's not.

In its own words, Joker DPR wants to "destroy the clowns" running Ukraine's government ("DPR" is the English acronym for a separatist group in eastern Ukraine called Donetsk People's Republic). And in November, it made a startling claim that would seem to further that agenda — that it had real-time access to DELTA, the Ukraine military's battlefield management system (BMS). If true, this would have given the group insights into military planning for the Armed Forces of Ukraine (AFU).

However, according to new analysis from Recorded Future, that claim was vastly exaggerated.

**Exaggerated Access to Ukraine's Troop Movement Data**

Recorded Future and other cybersecurity experts were dubious about the hacktivist group's allegations and found after analysis of Joker DPR's "proof" of compromise that instead of gaining full access, the threat group is far more likely to have access to an individual user account.

The distinction hardly mattered to Joker DPR, since Russian media quickly picked up the story and proclaimed that the Russians had a full backdoor into Ukraine's DELTA system.

After the claim of compromise, AFU commanders might choose not to use the sophisticated system on the battlefield — a win for Russia. The Recorded Future researchers said they have sources which show that this tactic was effective.

"Given that the breach was unlikely to have occurred in the manner Joker DPR described, in real terms, the greatest damage Joker DPR could have inflicted was through the assertion of the breach's existence," the Recorded Future researchers added. "Joker DPR was essentially claiming that it had real-time access to the BMS."

The report added that the fact that Russian media was so eager to pick up the story further signals Joker DPR didn't actually have the access to DELTA as claimed. If it had real-time intel into the AFU's movements, Russia would not be so quick to give away their advantage, Recorded Future's research explained.

**Don't Believe the Hacker Hype**

Although the group wants to give the impression of being a band of super hackers, in reality, the group hasn't displayed dazzling hacking abilities, according to Recorded Future's analysis.

"Put simply, the group does not appear to specialize in hacking, and it will 'take what it can get' to support its information agenda," a researcher who prefers to remain anonymous from Recorded Future tells Dark Reading. "Joker DPR first and foremost specializes in information operations, and any cyber activity that occurs within the umbrella of the group is only meant to support those operations."

That makes it tricky to try and predict Joker DPR's next target.

"Joker DPR's activities suggest the group is more opportunistic with its cyber activity, using its platform to amplify news of compromises in an effort to undermine the credibility of the Ukrainian government and military," Recorded Future's researcher says. "This is in contrast to groups like Killnet that display consistency in their tactics, techniques, and procedures (TTP) and targets."

The likelihood of international law enforcement reaching Joker DPR in Russia is small, but Recorded Futures' analysis hopes to raise the group's profile to help protect Ukraine's forces from Russian-aligned groups, as well as push pack against ongoing Russian disinformation campaigns.

Russia's Joker DPR Claims Access to Ukraine Troop Movement Data

Complex multicloud environments present organizations with security challenges, but also opportunities for efficiency.

Many enterprises find themselves with hybrid and multicloud environments. While the days where everything was either on-premises or in private clouds are gone, it is far from the case that enterprises have put all — or even the vast majority of — their applications and infrastructure into the cloud. Further, it is nearly never the case that an enterprise has consolidated everything into a single cloud provider; instead, businesses operate with a complex mix of diverse environments. It appears that this will be the case for quite some time.

What may be less known, or at least less considered, is the amount of complexity and the number of challenges that these environments bring. What this means for most enterprises is that they find themselves struggling to efficiently manage and secure hybrid and multicloud environments. In addition, many enterprises find themselves spinning up and maintaining multiple technology stacks within each environment, often requiring entire teams dedicated to this function. As the popular security mantra so aptly says, complexity is the enemy of security.

How so? For starters, complexity introduces the opportunity for human error and oversight. This often brings with it security holes, which in turn increase the attack surface of business-critical applications and the infrastructure they run on.

To get an idea of how complex of an environment most enterprises are faced with, let's look at a few data points from F5's "2023 State of Application Strategy" report:

*   85% of organizations operate multiple application architectures and locations.
*   90% of organizations that maintain multicloud infrastructures report challenges.
*   42% of organizations leverage four or more cloud providers.
*   37% of applications are deployed on-premises.
*   15% of applications are deployed in the cloud.
*   58% of organizations are using digital services to substantially drive the business, with those services accounting for half or more of the firm's annual revenue.

The data clearly articulates the complexity that most enterprises face, and it also shows that hybrid and multicloud environments — and the challenges they bring — are here to stay.

**Business Challenges of Multicloud Environments**

What are some of these challenges that businesses face? While not an exhaustive list, here are a few of them:

*   Managing and securing multiple complex environments.
*   Applying policy and security consistently across diverse environments.
*   Easily provisioning the required networking and security infrastructure.
*   Deploying applications easily where required across the ecosystem.
*   Ensuring the requisite connectivity and security across applications.
*   Needing a central console to manage multiple complex environments.
*   Gaining visibility into infrastructure and applications to ensure health, compliance, and security.
*   Properly monitoring for and responding to infrastructure and security issues.

Thankfully, enterprises have options when it comes to addressing these points and can leverage distributed cloud and multicloud solutions to help reduce complexity and simplify. Doing so allows enterprises to more efficiently and effectively manage and secure their hybrid and multicloud environments.

**What to Look for in Distributed Cloud**

When looking at distributed cloud solutions, enterprises should take into account a few important points:

*   Workload protection and application security (at layer 7) is a must, particularly for applications that span multiple environments.
*   While many solutions provide network security (layers 3 and 4), fewer seamlessly integrate workload protection and application security on top of network security.
*   The user layer (layer 8) is extremely important when looking to protect against automated attacks and fraud. This is mainly because differentiating between human and automated traffic and between legitimate and fraudulent traffic requires an understanding of intent that can only be gleaned from the user layer.
*   A central console that brings everything together and facilitates the management and security of both applications and infrastructure is imperative.
*   Inclusion in the architecture and design of the enterprise early on, with an ability to flexibly consume different features and grow around, is central.
*   An ability to efficiently address what the market demands — flexibility and fast pace — without introducing complexity and security holes is important.

Although it requires some investment and effort, taking control of the challenges that hybrid and multicloud environments present is essential for enterprises to remain competitive, keep costs under control, reduce complexity, and adequately manage and secure both applications and infrastructure. The sooner an enterprise begins tackling these challenges, the sooner it can efficiently and securely provide its customers the functionality they seek.

How and Why to Put Multicloud to Work

A CISO with a focused role will be better prepared to thrive in an organization and accelerate adoption and understanding of cybersecurity.

Effective cybersecurity operations are as unique as the business models and technology choices of the companies they protect. Their creation and management are constantly complicated by a lack of common terminology and set of expectations, due mainly to the chaotic path our industry has taken since its relatively recent birth.

Cybersecurity leaders are similarly difficult to measure and understand because our language and their capabilities aren't clear, with the lack of a common nomenclature further reflected in the assessment of skill sets and qualifications. The mix of cybersecurity complexity, opaqueness, and urgency creates a vague picture of who can successfully lead and hold responsibility for the operation.

The relative immaturity of the cybersecurity function leaves insufficient organizational precedent for titles and hierarchy. Some organizations default to practicality: Whoever runs IT or the help desk becomes be the security leader. Others are interested in hiring a chief information security officer (CISO) who will manage the details of security that are unfamiliar to all other business leaders. Neither of these approaches are healthy.

The popular narrative around security is dominated by images of fear, uncertainty, and doubt. We're led to believe security is terrible, that breaches are inevitable, or that the right leader can render the organization invulnerable. This kind of absolutism usually comes from those new to the space who aren't yet well-versed in security. It's pervasive, it's incorrect, and it breeds insecurity for both the organization and the individual. 

According to one report, stress (60%) and burnout (53%) were the largest personal risks CISOs face. It doesn't have to be that way. These difficulties start early, with CISO job postings that are poorly constructed, written by someone who doesn't have proficiency in security, and without clear descriptions of desired outcomes. A game-changing shift is a focus on those outcomes and the role that supporting business objectives play in evangelizing, and ultimately delivering, security. The resulting CISO is far better prepared to thrive in the organization and accelerate adoption and understanding of cybersecurity.

How does a CISO do that? Here's the advice I would offer — a guide to creating supporters, champions, and realistic expectations.

**1\. Set Expectations**

The difference between successful leaders and those who burn out is communicating the realities of cybersecurity, from current measures to potential future states. The burnouts accept and even promote the expectation that they will heroically keep an organization from getting breached. History has painfully, and repeatedly, proven that the very best CISO cannot block everything. Successful, more balanced CISOs focus on improvements in protection and in demonstrating progress.

Successful CISOs are specific and transparent about what they will do in their role. They reinforce the reality that security is a team sport. These communications and collaborations are far more important than any technology purchase or deployment. Security budgets may have tripled over the past four years in the face of increasing cyberattacks, but a bigger wallet won't solve every problem. 

When you create a common language and vision within your organization, everyone understands the topics when you evangelize security for a particular outcome. It also means that everyone knows what to do in the event of one of those fires. As a result, the stress levels will lessen, as will the frequency and pain of today's CISO burnouts.

**2\. Be a Business Executive First, Cyber Expert Second**

The ability to solve business problems using security is what turns a security practitioner into a CISO. This is especially difficult for the organization that has asked a non-security IT professional to oversee security. That person may not understand that the role isn't just about being an elevated security expert. Understanding risk, tradeoffs, costs, and enabling business objectives is what creates successful relationships and outcomes

As an example, imagine a company expanding into Europe. That expansion is subject to General Data Protection Regulation (GDPR), and this will influence priorities and investments in areas that may not be as critical to a purely security-focused program. A valuable CISO recognizes the business need and context for the controls they recommend. In this example, fines could easily outpace the financial impact of a minor breach, and communicating those tradeoffs is good for the business and good for the reputation of the CISO.

In general, successful business leaders have an area of personal expertise, but thrive by enabling macro-objectives. As CISO, your security expertise should always make cybersecurity a business accelerator, not a hindrance.

**3\. Align on a Strategy**

Long-lived and successful CISOs are intentional and calculated in their planning and decision making. Without a strategy, you're purely reactive, and you find yourself reacting to fires all day, every day.

Instead, when you design a security program, create a structure that allows you to manage by exception, not rule. This lights a torch to guide others in the organization, empowering them to excel. You'll quickly find that most people want to do the right thing. If you explain what that success looks like rather than point out their failures, you'll start building a security muscle, and security support, across the organization. Peers will know when to put their hand up and ask for help, and it will be easier for you to impact direction because you're not advocating the changes alone.

**Be That CISO**

When you've created this kind of culture, management expectations are rooted in reality, where everyone considers their effect on the organization's security posture, and CISOs aren't faced with surprises, resistance, and friction that make them want to quit. If you advocate with the clarity that most cannot find in cybersecurity, you will achieve the outcomes everyone is striving for.

Rethinking Cybersecurity's Structure & the Role of the Modern CISO

It's not hacking if organizations fail to terminate password access after employees leave.

An alarming number of organizations are not properly offboarding employees when they leave, especially in regard to passwords. In a March PasswordManager.com survey of 1,000 U.S. workers who had access to company passwords at their previous jobs, 47% admitted to using them after leaving the company.

Security teams should be terminating access to all employee accounts, such as email, cloud applications, and internal tools, after employees leave. For accounts or services where multiple employees share passwords, those passwords should be rotated to ensure that the former employees no longer have access.

According to the survey, 58% of respondents indicated they were still able to use their former company's passwords after they left. One in three respondents said they had been using the passwords for upwards of two years, which is a distressingly long time for organizations not to be aware of who is accessing those accounts and services.

“Ideally the company creates standard operating procedures or consistent schedules of updating passwords based on criticality,” says Daniel Farber Huang, head of privacy and cybersecurity at PasswordManager.com.

When asked what they use the passwords for, 64% said to access their former email accounts and 44% to access company data. Though the majority of the respondents, 56%, said they were accessing the accounts for personal use, a concerning 10% said they were trying to disrupt company activities.

A survey from Beyond Identity in 2022 had similar findings: Fifty-three percent of employee respondents admitted to using their access to harm their former employers, and 74% of business leaders reported suffering damages from former employees who exploited their digital access.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Almost Half of Former Employees Say Their Passwords Still Work

The effort aims to disrupt the use of altered Cobalt Strike software by cybercriminals in ransomware and other attacks.

Microsoft's Digital Crimes Unit (DCU), security software vendor Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC), have joined forces to remove cracked legacy copies of Cobalt Strike by way of legal and technical action.

Using dated and maliciously altered versions of the Cobalt Strike software, threat actors have targeted healthcare organizations in nearly 70 ransomware attacks in 19 countries.

Cobalt Strike, sold by Fortra, is a reputable and popular post-exploitation security tool, but its older versions have become a favorite for cybercriminals to employ in nefarious activities. Pulling these legacy copies globally is a new approach for Microsoft's DCU, and it's aimed at cutting off the threat at the source: illegal distribution of compromised, malicious software.

"While this action will impact the criminals' immediate operations, we fully anticipate they will attempt to revive their efforts. Our action is therefore not one and done," Microsoft stated in a blog post. "Through ongoing legal and technical action, Microsoft, Fortra and Health-ISAC, along with our partners, will continue to monitor and take action to disrupt further criminal operations, including the use of cracked copies of Cobalt Strike."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading