"Zero trust" doesn't mean "zero testing."

Source: Alexander Yakimov via Alamy Stock Photo

COMMENTARY

Despite never-ending data breaches and ransomware attacks, too many companies still rely on the outdated "trust but verify" cybersecurity strategy. This approach assumes that any user or device inside a company's network can be trusted once it has been verified. The approach has clear weaknesses: Many businesses are putting themselves at additional risk by verifying once, then trusting forever.

There was a time when trust but verify made sense, namely when networks were self-contained and well-defined. But at some point, perhaps due to the overwhelming volume of devices on a network, the number of patches needing to be applied, user demands, and resource constraints in the cybersecurity team, things began to slip. Initial verification meant the asset was trusted, but no additional verification ever took place.

**The User Example of Trust Without Ongoing Verification**

It's easy to see how this happens with users. A user typically goes through a background check when they join the company, but once onboarded, despite any number of changes in their lives that could affect their trustworthiness, we allow them to access our systems and data without further verification. 

In the majority of cases, the absence of further verification does not cause damage. However, if the user decides to act against the best interest of their employer, the results can be catastrophic. The more sensitive the information the individual has access to, the greater the risk. This is why individuals with security clearances are regularly re-vetted, and security personnel may conduct regular finance checks to identify any issues early and intervene to mitigate possible damage.

In organizations that follow a trust-but-verify approach, two personas stand out: those that have considered the risk of one-time asset verification acceptable; and — the minority — those that try to manage the risk with a re-verification program. A shift in persona from the former to the latter usually only occurs after a breach, a crisis in availability, or another "career limiting disaster."

The reality is that there are simply not enough hours in the day for security practitioners to do all of the things that must be done. Have security patches been correctly applied to all vulnerable devices? Are all third-party security assessments properly analyzed? Do all Internet of Things (IoT) devices really belong on the network? Are managed security services performing as expected? 

Compromising one of these trusted devices means being granted trust to move laterally across the network, accessing sensitive data and critical systems. Organizations likely will not know the extent of their exposure until something goes wrong. 

**The Costly Consequences of Insufficient Verification**

When these breaches are eventually discovered, the costs begin to mount. Companies face not only the direct costs of incident response, but potentially also regulatory fines, class-action lawsuits, lost customers, and lasting damage to their brand reputation. Relatively small incidents can cost millions of dollars, while large incidents regularly cost billions.

In addition to these direct costs, insufficient verification also leads to more frequent and expensive compliance audits. Regulators and industry bodies are increasingly demanding that companies demonstrate robust identity and access management controls, for example under the European Union's upcoming Digital Operational Resilience Act (DORA), as well as continuous monitoring and validation of user and device activity. Certifications and accreditations can no longer be accepted at face value. 

**The Path Forward: Adopt a Zero-Trust Approach**

Instead of trusting after verification, businesses should instead allow only what the business needs, for as long as it needs it. Never trust, always verify. This is how a zero-trust architecture operates.

Every user, device, and application that attempts to make a connection, regardless of its location, is scrutinized and validated, dramatically limiting the potential damage from a successful compromise. A zero-trust architecture replaces firewalls and VPNs, so there are fewer devices to maintain, and a reduced attack surface means fewer opportunities for attackers to gain a foothold.

Zero trust doesn't mean zero testing; testing should form an integral part of any IT and cybersecurity strategy. However, it does mean the likelihood of a major failure stemming from trust being extended to users, devices, or applications that do not deserve it, is a thing of the past. 

**About the Authors**

Vice President, Cybersecurity Advocacy, Zscaler

Rob Sloan is vice president, cybersecurity advocacy, for Zscalera. He is a cybersecurity, risk, and technology expert with broad business skills and management responsibility. Prior to joining Zscaler, he served as research director at Dow Jones and The Wall Street Journal, where he led a research team focused on cybersecurity, AI, and sustainability issues, and wrote a weekly column to help board directors navigate cyber-risk. Before the WSJ, Rob worked as response director for a specialist IT security consultancy in London and built a team focused on detecting, investigating, and protecting against cyber intrusions and responding to incidents, especially state-sponsored attacks. Rob began his career working for the UK government in defense and foreign affairs, looking at some of the earliest state sponsored cyberattacks against the government, military, and critical national infrastructure networks.

VP & CISO in Residence, Zscaler

Sam Curry is VP and chief information security officer (CISO) in residence at Zscaler. He began his career in signals and cryptanalysis and was the first employee at Signal 9 Solutions, a small start-up that invented the personal firewall, executed the first commercial implementation of Blowfish, and devised early symmetric key VPN technology. Sam served as chief security architect there and as head of product for McAfee before holding several positions at RSA (the Security Division of EMC), including head of RSA labs at MIT and chief technology officer (CTO) and Distinguished Engineer for EMC. After seven years with RSA, Curry acted as SVP and CISO at Microstrategy, CSO and CTO for Arbor Networks, and as chief security officer (CSO) for Cyberreason. Sam holds 17 active patents in cybersecurity and a master’s degree in counterterrorism, and sits on two boards of directors. In addition, he teaches courses at Harvard (online), Wentworth Technology Institute, and Nichols College. He is also a Fellow at the National Security Institute at George Mason University.

Too Much 'Trust,' Not Enough 'Verify'

Changes at CISA and promises of more public-private partnerships and deregulation are just a few ways the incoming administration could upend the feds' role in cybersecurity.

Abaca Press via Alamy Stock Photo

Before it was subsumed by political commentary, the Cybersecurity and Infrastructure Security Agency (CISA) was a Trump accomplishment — signed into existence in 2018 during his first administration. But that was before accusations of dirty politics and free speech shenanigans turned CISA into a conservative pariah.

Now, CISA is facing an existential political clash with the incoming Trump administration, threatening to take much of the US federal government's involvement in cybersecurity along with it. The result could potentially increase cyber-risk, but also open up business, investment, and innovation opportunities. A lot of things can be true at once.

CISA's original mandate couldn't have seemed more apolitical: coordinate defending US infrastructure against cyberattacks, and then help share critical information among US enterprises to increase the nation's overall posture in the bargain. But then came the 2020 election, CISA's efforts to combat what the agency deemed "misinformation," and the subsequent conservative backlash.

**Trump and the Politics of CISA**

Chis Krebs, then the agency's director, was very publicly fired just weeks after the 2020 election for rejecting claims of fraud from the Trump administration, and has remained a high-profile political player ever since. Krebs is a regular on the cable news circuit, and in July 2023, he confirmed to CNN that he was interviewed by special counsel Jack Smith in the investigation into Trump and the 2020 election. In the runup to the 2024 election, Krebs appeared on outlets including Face the Nation to once again push back on Trump campaign claims of election fraud.

His replacement, Jen Easterly, took a more low-key approach. Her accessibility, deep military ties, and cybersecurity expertise — sprinkled with a dash of aspirational cool-girl charm — made her a hit among the cyber rank-and-file. She also mostly stayed away from politics, leading the fledgling agency through a crucial four years. But that effort, however disciplined and well intentioned, hardly spared Easterly or CISA from widespread conservative ire. In January 2024, Easterly was even targeted at home in a swatting incident.

"I think Jen Easterly had a tremendous challenge solidifying the role of a very young agency, and one mired in allegations from Republican politicians," cybersecurity expert Jake Williams tells Dark Reading. "Given those very real challenges, she did an outstanding job. I can only imagine what could have been with bipartisan support for CISA's many missions."

Following the 2024 election, Easterly said she will resign on Inauguration Day. But the agency is still at work, publishing a draft of an updated National Cyber Incident Response Plan for federal agencies and industry to work together during major cyber events, which is open for comments until January 2025.

That kind of coordination between CISA and the private sector was exactly what the agency was built to become under the Biden administration. It took a proactive role in developing cybersecurity standards, and offering cybersecurity grants to states to invest in their own cyber operations, led largely by the efforts of Easterly. During his administration, President Biden allocated billions to strengthen the US cybersecurity infrastructure, and signed a flurry of executive orders on everything from AI to zero trust in an effort to raise the country's level of cyber preparedness.

Some of the agency's notable accomplishments during the past four years included establishment of the joint cyber defense collaborative (JCDC) and the Known Exploited Vulnerabilities (KEV) program, according to Casey Ellis, Bugcrowd founder. Ellis also worked with CISA on the federal CEB vulnerability disclosure program, where CISA serves as a repository for researchers who discover flaws in government systems so they can be reported and mitigated more quickly.

There have been setbacks as well. While the KEV list has been credited with speeding up remediation, it can take months to make the list. Much of that new cyber infrastructure and rulemaking also came with regulation and compliance headaches that some criticized as a barrier to innovation, particularly by Congress. Others defended the agency's moves as necessary to drive security investment.

"Under Jen Easterly, CISA's proactive initiatives such as Secure by Design and faster reporting of attacks by companies were positive for both the sell and buy side of the cybersecurity industry," says Jason Soroko, senior fellow at Sectigo. "What could be seen as regulatory burden was actually a positive call to arms to do the right thing."

Accomplishments and accolades aside, Easterly and CISA haven't been able to convince key conservatives like Sen. Rand Paul, who is about to chair the Senate Homeland Security and Governmental Affairs Committee, which oversees CISA, that the agency is doing any good. After acknowledging he probably won't be able to eliminate CISA altogether, last month Paul vowed to inflict strict limits for actions he said the agency took to target conservative voices as part of its work in combatting foreign influence operations. At a minimum, CISA will likely be stripped of its mandate to investigate misinformation.

Williams also expects the agency will have a diminished role in overseeing election security, the very issue that catapulted the cyber agency into the national headlines in 2020.

**Cybersecurity Opportunities Under Trump 2.0**

A shrinking CISA footprint and the Trump administration's expressed distaste for regulation and interest in opening government operations to more public-private partnerships mean there are going to be potential opportunities in the next few months for the private sector that hadn't existed before.

"I expect we'll see a more direct set of conversations around cyber offense and deterrence, especially as it relates to countering Russia, Iran, and in particular, China," Ellis predicts. "This could include changes to the structure of \[the National Security Agency\] and Cyber Command, and the inclusion of the private sector in defend-forward and disruption operations."

Beyond new opportunities to work with government, Ellis adds cybersecurity deregulation is on the way.

"In general, I think we can expect a more overt and domestically deregulated approach to cyberspace, reflecting the general policy approach of the Trump administration and a more open acknowledgement that Cold War 2 is already underway."

The new administration also likely signals a change in federal enforcement of Securities and Exchange Commission (SEC) regulations against chief information security officers (CISOs), like what security executives from SolarWinds and Uber experienced, according to expert John Bambenek.

"Regulatory enforcement on companies will lessen, for instance, \[and\] it is doubtful CISOs will see any government attempts to make them liable for breaches," Bambenek says. "I'm not sure any more antitrust action will commence against large tech companies either, which will fuel further consolidation of technology and security companies."

There is cautious optimism this more hands-off approach from the Trump administration will include maintaining a basic role for the federal government in cybersecurity. It's particularly necessary in terms of resources, according to Roselle Safran, the director of the White Office of the President security operations center under Barack Obama, and currently president of cybersecurity company KeyCaliber.

"While there are certainly plenty of other issues that appear to be top priorities for the next administration, it is my hope that cybersecurity will not be relegated to the back burner," Safran says. "It's important that there is recognition that cybersecurity needs significant and sustained resources."

Trump takes office against the backdrop of unprecedented numbers of cyberattacks, the rise of artificial intelligence, and cyber-military conflicts across the globe. Keeping politics out of the conversation is the best way for CISA to continue its work beyond the next election, experts advise. However, that might be an impossible challenge.

"I'm concerned about some of the negative sentiment around CISA impacting progress that has been made since 2018," Ellis adds. "However, I am cautiously optimistic that the priorities Trump had in mind when he formed the agency will see its overall defensive mission carry forward."

Trump 2.0 Portends Big Shift in Cybersecurity Policies

The security extensions for the Domain Name System aimed to make the Internet more reliable, but instead the technology has exchanged one set of problems for another.

Source: Artistdesign.13 via Shutterstock

A pair of attacks revealed by researchers this year underscored the fragility of the Domain Name System (DNS) and the security extensions (DNSSEC) that were adopted to help secure the world's internet infrastructure.

For the past year, Internet infrastructure firms and software makers have worked to patch DNS servers for a critical set of flaws in DNSSEC. Originally discovered more than a year ago by four researchers at Goethe-Universität Frankfurt and Technische Universität Darmstadt, the so-called KeyTrap denial-of-service (DoS) attack could trick DNS servers into spending hours attempting to validate signatures on specially created DNSSEC packets, according to their presentation at the Black Hat Europe 2024 conference earlier this month.

The researchers notified major Internet providers of the issues late last year and worked with them to produce patches earlier this year, but the flaws in DNSSEC are systematic, says Haya Schulmann, a professor of computer science at Goethe-Universität Frankfurt and one of the researchers involved in the work.

"I would not say that the core of the problem has been resolved," she says. "There are patches which mitigate the most severe problems, but the core issue is yet to be addressed."

The KeyTrap security weaknesses were not the only DNS attacks to surface in 2024. In May, a team of Chinese researchers revealed that they had discovered three logic vulnerabilities in DNS that allowed three types of attacks: DNS cache poisoning, DoS, and resource consumption. Dubbed TuDoor, the attack affected some 24 different DNS software codebases, the researchers stated in a summary of their work.

Related:Millions of Pen Tests Show Companies' Security Postures Are Getting Worse

The discovery of the two classes of DNS and DNSSEC flaws highlight that security and availability are often at odds with each other, and that the Internet as a whole still has areas of fragility.

"The Internet was an experimental research project which gradually evolved, and it started with very few networks and gradually evolved to support this huge commercial platform — of course, it's fragile," Schulmann says. "It's a wonder that it works."

**'Accept Liberally, Send Conservatively' Falls Down**

The design philosophy of much of the Internet boils down to a principle espoused by computer scientist Jonathan Postel, which the German researchers paraphrased as: "Be liberal in what you accept and conservative in what you send." The principle aims to improve robustness by calling for software to be "written to deal with every conceivable error, no matter how unlikely; sooner or later a packet will come in with that particular combination of errors and attributes, and unless the software is prepared, chaos can ensue," according to RFC 1122, "Requirements for Internet Hosts -- Communications Layers."

Related:Time to Get Strict With DMARC

However, other critiques have found that tolerating the unexpected often leads to harmful consequences. Rigorous standards can slowly decay and suffer feature creep when software is too liberally accepting, especially when the protocols are not adequately maintained, software engineers Martin Thomson and David Schninazi argue in RFC 9413.

"Careless implementations, lax interpretations of specifications, and uncoordinated extrapolation of requirements to cover gaps in specification can result in security problems," they wrote. "Hiding the consequences of protocol variations encourages the hiding of issues, which can conceal bugs and make them difficult to discover."

The German university researchers exploited the expansion of DNSSEC's acceptance of various cryptographic algorithms to developed an attack vector that allowed them to create an off-path attack — in other words, they did not need to control a router or DNS server that processed a DNSSEC transaction. By sending DNSEC packets containing hundreds of cryptographic signatures and hundreds of keys, they forced DNS servers to try to validate all the combinations — all because the servers supported a wide variety of cryptographic methods.

"When you have cryptography, there are challenges and complexity that start when you need to deploy multiple algorithms," Schulmann says. "You have to sign using all these algorithms, and every resolver has to validate the algorithms and identify which ones were sent ... and validate the signature, and that is the problem."

**DNSSEC Pushes Its Limits**

Fixing the DNSSEC weakness required the digital equivalent of chewing gum and baling wire. Cloudflare, for example, placed limits on the maximum numbers of keys its servers will accept when requests cross zones, such as .com delegating a response to cloudflare.com, the firm stated.

Yet, there is no simple fix, so Internet infrastructure companies have had to be agile as well.

"Even with this limit already in place and various other protections built for our platform, we realized that it would still be computationally costly to process a malicious DNS answer from an authoritative DNS server," Cloudflare stated in its analysis and response memo on the issue. "We added metrics which will allow us to detect attacks attempting to exploit this vulnerability." The company also placed additional limits on requests.

There are currently more than 30 RFCs related to DNSSEC, underscoring the need for defenders to repeatedly patch the standard to adapt to attackers' tactics. Developers have to be closely involved with the infrastructure operators and researchers in the community to make sure that they are building their software to the highest standard.

"In our research, we see that the more functionality you have, the more features you add, then the more bugs and the more problems you have — and all of those can be exploited to launch attacks," she says. "Routing networks, DNS, and other systems — they are no different."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

DNSSEC Denial-of-Service Attacks Show Technology's Fragility

The number of Non-Human Identities (NHIs) in many organizations has exploded. Key trends, drivers, and market landscape in this fast-developing area are explored.

Don Tait, Senior Analyst, Omdia

December 23, 2024

4 Min Read

COMMENTARY

The growth in systems communicating over the internet without human involvement has been dramatic in recent years. The Internet of Things (IoT) is driving more machine-to-machine (M2M) communications without human intervention. There is also an explosion in application development underpinning the need for digital transformation, which is turbocharged by remote working and the ever-increasing adoption of e-commerce. This means that pieces of software code are interacting autonomously across networks as never before.   

There is a need to manage system identities in the sense of what they are and what they can and cannot do when they are online. For example, can they both send and receive data? Where can they send it? In what volumes and formats? Can they access data that resides elsewhere, make copies, and forward it on, even to recipients outside the organization? Just as importantly, has their identity changed since the last time they were online, e.g., with extra access rights or new software on board that was not there before? Non-human identities (NHI) are already estimated to outnumber human identities by a ratio of 50 to one (50:1). With more and more business processes being automated by artificial intelligence (AI)/generative AI (GenAI) and accessed by AI-enabled services, NHI growth is likely to accelerate even further, bringing yet more expansion in the threat landscape.

Related:Identity Orchestration Is Gaining Traction

**Why NHI Management is Required**

NHIs can be defined as digital identities tied to entities like applications, services, and machines within an enterprise technology stack. These include bots, API keys, service accounts, OAuth tokens, cloud services, and other credentials that allow machines or software to authenticate, access resources, and communicate within a system.

The need for effective NHI management (NHIM) arises from several key factors:

*   IT infrastructures are becoming more complex: Modern IT infrastructures are characterized by their complexity, featuring a myriad of interconnected systems, cloud services, and devices, including, in many cases, a host of IoT devices that operate autonomously. Managing the identities of non-human entities within such environments is essential for ensuring accountability, traceability, and security.
    
*   An increase in automation: Organizations are increasingly adopting automation to streamline processes, improve efficiency, and reduce manual intervention, with agentic AI only intensifying the trend. Non-human entities, including bots, scripts, and automated workflows, execute tasks autonomously, necessitating proper identity management to prevent unauthorized access and misuse.
    
*   An increase in cybersecurity threats: Cybercriminals often target NHIs, particularly those in the IoT area that operate without human intervention, seeking to exploit vulnerabilities for malicious purposes. Weak authentication mechanisms, misconfigured permissions, and inadequate monitoring can leave non-human entities susceptible to attacks, leading to data breaches, system compromises, and service disruptions.
    

Related:How CISOs Can Communicate With Their Boards Effectively

**A Nascent Market, Ripe for Acquisitions**

The NHI market is still developing, as demonstrated by the fact that most players are startups. This includes companies like: 

*   Aembit; Andromeda Security; Astrix; AxisNow; Clarity Security; Clutch Security; Corsha; Entro Security; Natoma; Oasis; P0 Security; SlashID; TrustFour; Unosecur; Veza; Whiteswan Security
    

Some of these vendors are focused more specifically on NHI security while others provide broader NHIM capabilities, often described as NHI governance. We plan to deliver a report comparing and contrasting the leading players in this space in 2025.

Omdia believes that since most of the players in the NHI market are startups, they are ripe for acquisition by the larger identity security platform vendors. Indeed, one or two startups have already been acquired, such as Authomize, which privileged access management (PAM) vendor Delinea purchased in January this year. Whilst in May 2024, CyberArk (the market leader in PAM) acquired Venafi for $1.5bn. Venafi was an exception amongst the NHI specialists, because it had been around much longer, thanks to its certificate lifecycle management (CLM) and key management background.

Related:Managing Threats When Most of the Security Team Is Out of the Office

**Conclusions**

The growth in devices communicating over the internet with no humans involved in the process has raised awareness of the need to manage these system’s identities. Omdia believes that over the coming years, NHI growth is likely to accelerate and further increase the threat landscape. Enterprises must be aware that trends such as the adoption of cloud, microservices, and DevOps have fueled the growth of NHIs in enterprise environments. Omdia also believes that opportunities for vendors in the identity security market are still huge, as machine identities already outnumber human identities by a ratio of 50:1. That figure is only likely to increase going forward.

Non-Human Identities Gain Momentum, Requires Both Management, Security

With the increased frequency of board reporting, CISOs need to ensure their interactions are brief, productive, and valuable.

Source: Stephen Barnes via Alamy Stock Photo

COMMENTARY

The role of the chief information security officer (CISO) today is not the CISO's role of the past. The ever-evolving threat landscape, adoption of new technologies like generative AI (GenAI), increased regulatory pace, ongoing employee education and training programs, and maintaining operational resilience have found CISOs under increased pressure and stress. On top of this, 49% of CISOs now report to their board on at least a weekly basis, presenting them with a new skill they need to master: the art of communication.

Historically, board support increased only after a cyberattack, putting CISOs in a reactive rather than proactive role. But with today's increased visibility of breaches, product failures, and the legal ramifications amplified by the media, there's a microscope on cybersecurity practices within every organization. Boards are now interested in understanding the security status of their organization and the security decisions being made at the highest level. This increased desire requires extended engagement with the board, which has also elevated the CISO's position and visibility within the company.

Today's CISOs report to the board on topics covering cybersecurity risk management, assessment and mitigation plans, high-level strategic overviews, planning and alignment, and regulatory compliance and audit results. This information helps boards understand the organization's overall preparedness and standing relating to the latest regulatory guidance and threats, as well as future planning and alignment with the overall business strategy.

While CISOs agree board engagement is helping to drive positive changes in their cybersecurity strategies, communication and knowledge barriers still exist. Speaking the business language is a skill many CISOs still need to develop to align with their board and succeed in securing additional budgets and resources for their programs. 

Here are a few tips for CISOs to keep in mind when reporting to their board, and ones I've found success with: 

**1\. Preparation Is Key**

Go into these meetings with a high degree of preparation and understanding, with clarity on the numbers. Collaborate with your C-suite ahead of time and ensure alignment on specific strategies — this will help position your initiatives alongside innovation. 

**2\. Find an Ally**

Try to find a sympathetic ear on the board beforehand — someone who wants to lean in and understand cybersecurity a little better. Run your presentation by them in advance to ensure you're delivering the right level of content. 

**3\. Less Is More**

The deck should start with a high-level overview. Understand there is a lot more you want to say, but there's only so much the board will receive. Summarize anything less important so you can call their attention to the items that really matter. Stick all the items that aren't essential in the appendix. 

**4\. Stay on Topic**

Pass out copies of your presentation to each board member before you present — and avoid reading your slides. The slides ultimately become an addendum to the discussion that happens in the room — but it's important you move each discussion along succinctly to ensure there's enough time to cover the most important topics. 

**5\. Align Your Cybersecurity Objectives With Business Goals**

Align your initiatives with business goals and frame them in terms of business value — enabling growth, protecting brand reputation, and preventing financial losses. Many, if not all, board members don't have the cybersecurity expertise or technical background you do, and they won't understand the technology jargon. Up-level your messaging and align it with the key business goals. It's not about what you need to run the department; it's about what they need to run the business. 

**6\. Communicate in Terms of Risk**

Aligning with business goals and communicating risks in financial terms will help you bridge the knowledge gap and further position you as a valuable seat at the table. People understand numbers — focus on the ones that have an impact. Your program is an investment — so what are the results? Are there any areas that need more investment — or less?

**7\. Include Industry Insights**

Include insights into something currently or recently happening at another company in your industry and what it could mean for you. If the same thing happens to you, would the impact be material? That's the question you need to have an answer to. Focus on business and operational resilience, as well as crisis communications preparedness.

With the increased frequency of board reporting, CISOs need to ensure their interactions are brief, productive, and valuable. The CISOs who will succeed in this expanded role are those who can evolve beyond technical acumen to adopt a more business-focused lens and master the art of storytelling.

**About the Author**

As chief information security officer (CISO), Harold Rivas leads Trellix's global security and compliance initiatives, enabling the company to best protect against threats, manage compliance needs and third-party risks, and implement industry-wide best practices. Harold brings more than two decades of cybersecurity experience to Trellix. Prior to joining Trellix, he was CISO at loanDepot and held previous CISO roles at multiple companies, including Santander Consumer and Fujitsu America. He also led global cybersecurity programs at Citigroup.

  
Harold holds a bachelor of science in business administration, master of business administration, and maintains multiple industry certifications, including a certified information systems security professional (CISSP). Additionally, he is an active public speaker and Federal Bureau of Investigations (FBI) InfraGard member.

How CISOs Can Communicate With Their Boards Effectively

Since October 2023, cyberattacks among countries in the Middle East have persisted, fueled by the conflict between Israel and Hamas, reeling in others on a global scale.

Source: Skorzewiak via Alamy Stock Photo

It's been more than a year since the conflict between Hamas and Israel began, and the cyber battle between the two entities rages on, involving a variety of perpetrators and using playbooks of other global conflicts.

Here are some of the top developments over the duration of this cyberwar and what we can expect to see in 2025.

**Beginning Stages**

Soon after Hamas launched its strikes against Israel, more than a dozen threat groups declared their intent to begin cyberattacks against Palestine, Israel, and their respective supporters. Some of these groups include Killnet, Anonymous Sudan, Team insane, Mysterious Team Bangladesh, and Indian Cyber Force.

In the initial days, the first cyberattack victims were the Jerusalem Post at the hands of Anonymous Sudan, and the Tel Aviv Sourasky Medical Center, which was attacked by Sylhet Gang, ultimately leading to operational disruption.

As the cyberattacks continued, Krypton network offered to sell its distributed denial-of-service (DDoS) capabilities to hacktivists interested in targeting Israeli organizations. But attacks flew from the other side as well when ThreatSec reportedly attacked AlfaNet, a Palestinian Internet service provider, causing the company's servers to shut down and gaining control of more than 5,000 servers in Gaza in the process.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

Then, in its first post on X, Predatory Sparrow, a pro-Israeli hacktivist group, reappeared on the scene. 

The group said to its followers, "You think this is scary? We're back. We hope you're following the events in Gaza" — and included a link to a report on the US sending fighter planes and warships to support Israel.

**Cyberwar on a Global Scale**

Roughly a month after the conflict began, FBI Director Christopher Wray warned that the war in the Middle East raised the threat of cyberattacks against the US, citing an increase in attacks on US military bases overseas, anticipating both physical and cyberattacks.

The FBI once more issued warnings, this time regarding cybercriminals masquerading as fundraisers and charities, reaching out to individuals via email, social media, phone calls, and crowdfunding websites, all to convince victims that their cryptocurrency funds would go to Israeli or Palestinian victims. A Netcraft report traced $1.6 million of crypto to these fake accounts, a grand show of their influence.

By the end of 2023, Israeli company CyTaka hired a network of cyber hackers from around the world to counter anti-Israel online activity, while cyberattackers known as Gaza Cybergang used a variation of the Pierogi++ backdoor malware against both Palestinian and Israeli targets.

Related:Governments, Telcos Ward Off China's Hacking Typhoons

**A Year in Review**

This past year began with Turkish hacktivists projecting political, violent messages about the conflict between Israel and Gaza at a highly frequented movie theater in Tel Aviv. 

In July, an Israeli army chief reported thwarting some 3 billion cyberattacks since the conflict began. Cyberattacks against the Israeli Defense Forces (IDF) included targeting operation systems necessary for the military's functioning, though details were not provided on the nature of the attacks.

Then in October, security firm ESET reported a "security incident" affecting its partner company in Israel. It cited a malicious email campaign that was blocked and ultimately denied any true compromise over its systems. 

Just last month, "Wirte," an advanced persistent threat (APT) supporting Hamas and its agenda, was reported to be conducting espionage against governments in the Middle East and wiper attacks against Israel. The APT uses phishing attacks containing documents, legitimate resources, and malware, sometimes using the IronWind loader, which employs a multistage infection chain to drop its malicious payload.

**Next on the Horizon**

Observers and industry experts expect more of the same in 2025. The conflict has intensified cyber threats, with state-sponsored actors and hacktivist groups continuing to exploit global tensions.

Related:African Law Enforcement Nabs 1,000+ Cybercrime Suspects

"We can expect an escalation in sophisticated phishing campaigns, disinformation efforts, and attacks on critical infrastructure," said Stephen Kowski, field CTO at SlashNext Email Security+, in an emailed statement to Dark Reading. "Organizations should prioritize real-time threat intelligence and advanced AI-powered detection systems to stay ahead of evolving tactics."

In addition, he recommended that organizations prepare themselves with robust employee training and implement multilayered security measures to mitigate against future attacks.

"\[This\] will be crucial in defending against the anticipated surge in social engineering and targeted malware attacks," Kowski added.

John Bambenek, president of Bambenek Consulting, offered a different take. "At this point, with the loses endured by Hamas, they are more focused on survival and have significantly reduced capabilities even in the cyber realm," Bambenek said in an emailed statement to Dark Reading.

In 2025, he believes attention should be focused on Iran, a country that has been a major power player in this conflict.

"If recent reports are true and Israel is considering military strikes in the short term against Iran, that likely could easily escalate into a 'weapons-free' mindset with cyberattacks," he said. "Recent research by Team82 indicates the Iranian government has already decided to field test and preplace capability to launch ICS/OT attacks broadly, should such an escalation occur and those attacks likely will include the US and Europe."

Middle East Cyberwar Rages On, With No End in Sight

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 gift card.

Every person in this scene is just so joyful that we can't help by wonder, what are they so happy about? Send us a cybersecurity-related caption to describe the above scene and our favorite entry will win its wordsmith a $25 gift card.

Here are four convenient ways to submit your ideas before the Jan. 17 deadline:

*   Via social media: X, Bluesky, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Shout out — and a $25 gift card — to Dr. Dana Hackley for sending us the winning caption for last month's "Meeting of Minds" cartoon. Some noteworthy contenders included "'Welcome to BYOD: Bring Your Own Duvet,'" "SOCs in bed, yes, or no? Inquiring CISOs want to know!" and "Next on todays meeting, retiring EoL tech…" A big thank you to all who participated.

**About the Author**

Cartoonist

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Toon: Sneaking Around

This Tech Tip outlines what enterprise defenders need to do to protect their enterprise environment from the new NTLM vulnerability.

Roy Akerman, VP of Identity Security Strategy, Silverfort

December 20, 2024

4 Min Read

Source: Supapixx via Alamy Stock Photo

A new zero-day vulnerability in NTLM discovered by researchers at 0patch allows attackers to steal NTLM credentials by having a user view a specially crafted malicious file in Windows Explorer — no need for the user to open the file. These password hashes can be used for authentication relay attacks or for dictionary attacks on the password, both for identity takeover.

NTLM refers to a suite of old authentication protocols from Microsoft that provide authentication, integrity, and confidentiality to users. While NTLM was officially deprecated as of June, our research shows that 64% of Active Directory user accounts regularly authenticate with NTLM — evidence that NTLM is still widely used despite its known weaknesses.

The flaw is exploitable even in environments using NTLM v2, making it a significant risk to enterprises that have not yet moved to Kerberos and are still relying on NTLM. Considering Microsoft may not patch this issue for a while, enterprise defenders should take steps to mitigate the vulnerability in their environments. This Tech Tip outlines how dynamic access policies, a few hardening steps, and multifactor authentication (MFA) can help limit attempts to exploit this vulnerability. Upgrading the protocol, where possible, could eliminate the issue completely.

**What Is the NTLM Vulnerability?**

When a user views a malicious file in Windows Explorer — whether by navigating to a shared folder, inserting a USB drive containing the malicious file, or just viewing a file in the Downloads folder that was automatically downloaded from a malicious Web page — an outbound NTLM connection is triggered. This causes Windows to automatically send NTLM hashes of the currently logged-in user to a remote attacker-controlled share.

These NTLM hashes can then be intercepted and used for authentication relay attacks or even dictionary attacks, granting attackers unauthorized access to sensitive systems. Attackers can also potentially use the exposed passwords to access the organization's software-as-a-service (SaaS) environment due to the high rates of synced users.

The issue impacts all Windows versions from Windows 7 and Server 2008 R2 up to the latest Windows 11 24H2 and Server 2022.

The fundamental problem with NTLM lies in its outdated protocol design. NTLM transmits password hashes instead of verifying plaintext passwords, making it vulnerable to interception and exploitation. Even with NTLM v2, which uses stronger encryption, the hashes can still be captured and relayed by attackers. NTLM's reliance on weak cryptographic practices and lack of protection against relay attacks are key weaknesses that make it highly exploitable. Moreover, NTLM authentication does not support modern security features, such as MFA, leaving systems open to a variety of credential theft techniques, such as pass-the-hash and hash relaying.

**What Defenders Need to Do**

To mitigate this vulnerability, Microsoft has updated previous guidance on how to enable Extended Protection for Authentication (EPA) on LDAP, Active Directory Certificate Services (AD CS), and Exchange Server. On Windows Server 2022 and 2019, administrators can manually enable EPA for AD CS and channel binding for LDAP. There are scripts provided by Microsoft to activate EPA manually on Exchange Server 2016. Where possible, update to the latest Windows Server 2025 as it ships with EPA and channel binding enabled by default for both AD CS and LDAP.

Some organizations may still be dependent on NTLM due to legacy systems. Those teams should consider additional authentication layers, such as dynamic risk-based policies, for protecting existing NTLM legacy systems against exploitations.

Harden LDAP configurations. Configure LDAP to enforce channel binding and monitor for legacy clients that may not support these settings.

Check impact on SaaS. If you are unsure whether there are applications or clients in your environment that rely on NTLMv2, you can use Group Policy to enable the Network Security: Restrict NTLM: Audit incoming NTLM traffic policy setting. This will not block NTLMv2 traffic but will log all attempts to authenticate using NTLMv2 in the Operations Log. By analyzing these logs, you can identify which client applications, servers, or services still rely on NTLMv2, so you can make targeted adjustments or updates.

Using Group Policy to limit or disable NTLM authentication via the Network Security: Restrict NTLM setting will reduce the risk of fallback scenarios where NTLM is unintentionally used.

Monitor SMB traffic. Enabling SMB signing and encryption can help prevent attackers from impersonating legitimate servers and triggering NTLM authentication. Blocking outbound SMB traffic to untrusted networks will also reduce the risk of NTLM credential leakage to rogue servers. Implement network monitoring and alerting for unusual SMB traffic patterns, particularly outbound requests to unknown or untrusted IP addresses.

Leave NTLM behind. NTLM has been deprecated. Administrators should audit NTLM usage to identify which systems still rely on NTLM. Organizations should prioritize transitioning those systems away from NTLM to more modern authentication protocols, such as Kerberos. Once a more modern protocol is in place, implement MFA to add an additional layer of protection.

Taking these steps will help organizations address the fundamental flaws in NTLM and improve their security posture.

**About the Author**

VP of Identity Security Strategy, Silverfort, Silverfort

Roy Akerman is the VP of Identity Security Strategy at Silverfort and former co-founder and CEO of Rezonate. Prior to Rezonate, Roy served as VP of Product and Innovation at Cybereason, responsible for growing 3 new business lines on cloud security, mobile defense, and XDR. Roy is leading product incubations and new business initiatives, fusing the practices of advanced Technology, Psychology, and Business in forming new disruptive products and anti-disciplinary innovation teams. Akerman is blending business and innovation practices acquired in his MIT and business journey with problem-solving and tech approaches based on his Government and Military experience. Roy has 20 years of experience in Cybersecurity, as one of the senior leaders and founders of NISA - the Israeli Equivalent to the NSA/Cyber Command, retired as the chief of global cyber operations. In this role, Roy and his teams ran global counter-cyber defense operations for Israel’s Cyber Defense, built cutting-edge cyber security tech. They established partnerships and alliances with numerous states and business partners.

How to Protect Your Environment From the NTLM Vulnerability

Dual Russian-Israeli national Rostislav Panev was arrested last August and is facing extradition to the US for playing a critical role in LockBit's RaaS activities, dating back to the ransomware gang's origins.

Source: Peter Werner via Alamy Stock Photo

NEWS BRIEF

A newly unsealed criminal complaint by US law enforcement shows they have been working to dismantle the LockBit ransomware-as-a-service group for several years, including a previously undisclosed arrest of one of the operation's lead developers in Israel last August.

Rostislav Panev, a 51-year-old with dual Russian-Israeli citizenship, is facing extradition to the US to face charges along with two others accused of similarly working for LockBit, not just to develop the ransomware itself but also tools used by affiliates. For his part, Panev is accused of working on LockBit ransomware from its beginnings in 2019, eventually creating one of the most prolific ransomware operations in the world, according to the Justice Department's statement about the arrest.

Panev, according to the Justice Department, at the time of his arrest had admin credentials for LockBit's Dark Web online repository with the ransomware's source code, as well as the source code for an affiliate tool called "StealBit" used to exfiltrate stolen data. His laptop also had he access credentials for the LockBit control panel used by affiliates. The Justice Department's statement adds that Panev confessed to his role in the LockBit ransomware operation.

"The Justice Department’s work going after the world’s most dangerous ransomware schemes includes not only dismantling networks, but also finding and bringing to justice the individuals responsible for building and running them," Attorney General Merrick Garland said in a statement about the arrests. "Three of the individuals who we allege are responsible for LockBit’s cyberattacks against thousands of victims are now in custody, and we will continue to work alongside our partners to hold accountable all those who lead and enable ransomware attacks."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

LockBit Ransomware Developer Arrested in Israel

While a number of threat groups have used TP-Link bugs to infiltrate networks, a proposed ban of the company's popular routers is more about geopolitics than actual cybersecurity — and that may not be a bad thing.

Source: metamorworks via Shutterstock

With US government agencies and lawmakers reportedly considering a ban on TP-Link's products in the United States, one might think the company would rank high on the list of networking vendors with the most vulnerabilities currently being exploited by cyberattackers.

Not by a long shot.

The Chinese firm, whose products are popular among consumers and small businesses, currently has two security issues gracing the Known Exploited Vulnerabilities (KEV) list curated by the Cybersecurity and Infrastructure Security Agency (CISA), compared with 74 for Cisco Systems, 23 for Ivanti, and 20 for D-Link.

Yet US government officials' concern is less about known vulnerabilities, and more about unknown risks, including its routers' popularity in the United States — where it accounts for about two-thirds of the market — and the degree to which the company is beholden to China's government.

While no researcher has called out a specific backdoor or zero-day vulnerability in TP-Link routers, restricting products from a country that is a political and economic rival is not unreasonable, says Thomas Pace, CEO of extended Internet of Things (IoT) security firm NetRise and a former head of cybersecurity for the US Department of Energy.

"The value to me \[of a ban\] is almost more around economic policy value than pure technical cybersecurity value," he says. "To me, there is value in saying you shouldn't buy these things because of X, Y, and Z reasons \[and to make it\] more difficult for small businesses, or whoever, to get their hands on devices from these companies."

Related:BlackBerry to Sell Cylance to Arctic Wolf

**TP-Link — Not a Vulnerability Stand-Out**

In April 2024, one of two TP-Link vulnerabilities attracted the most vulnerability scanning by threat actors, according to an analysis by cloud and application-security firm F5. The issue, a command injection vulnerability for TP-Link's Archer AX21 router (CVE-2023-1389), allows an unauthenticated attacker to easily compromise a device via a simple POST request.

TP-Link ranks low on the list of networking vendors with known exploited vulnerabilities. Source: Author from CISA data

In another incident, security firm Check Point Software Technologies discovered that TP-Link devices were also compromised with an implant known as Camaro Dragon. The implanted components were discovered in modified TP-Link firmware images, and not the original software shipped by the company, says Itay Cohen, research lead at Check Point Research.

Yet Cohen stresses that the implants were written in a firmware-agnostic manner and not specific to any particular product or vendor.

"It is worth noting that this kind of attack is not aimed specifically at sensitive networks, but rather at regular residential and home networks," he says. "Therefore, infecting a home router does not necessarily mean that the homeowner was a specific target, but rather that their device was merely a means to an end for the attackers."

Related:Versa Introduces Integrated Endpoint Data Loss Prevention in SASE Solution

The threat posed by such vulnerabilities and implants are real, but the data from the KEV catalog shows that other manufacturers are just as likely to have their vulnerabilities exploited — and there are more of them. The lesson is that vulnerabilities in embedded devices are not unique to any one manufacturer or country of origin, says Sonu Shankar, chief product officer at Phosphorus Cybersecurity, an extended IoT cybersecurity provider.

"Nation-state actors frequently exploit weaknesses in devices from companies worldwide, including those sold by American manufacturers," he says. "Devices lacking basic security hygiene — such as the use of strong passwords, timely firmware patching, or proper configurations — can become easy targets for cyberattacks."

TP-Link stressed this fact in a statement sent to Dark Reading.

"Many brands of consumer electronics are targeted by hackers, and we support government efforts to hold all producers to the same standard," a company spokesperson said. "We welcome opportunities to engage with the federal government to demonstrate that our security practices are fully in line with industry security standards, and to demonstrate our ongoing commitment to the American market, American consumers, and addressing US national security risks."

Related:Test Your Cyber Skills With the SANS Holiday Hack Challenge

**China's Government Oversight Is Pervasive**

But those assertions may be minimizing the influence of the Chinese government on the company's operations: Most Western companies do not understand the degree to which Chinese officials monitor China's business sectors — and cybersecurity firms — as a component of government policy and national strategy, NetRise's Pace says.

"It's a totally different business culture," he says. "There is a member of the PRC in every company — that's not even like an opinion, it's just how it is. And if you think they're not there to exert their influence, then you're just an unbelievably naive person, because that's exactly what they do, \[including\] for the purposes of intelligence gathering."

Threat intelligence analysts have flagged the Chinese government national strategy documents and evidence showing their increasing efforts to compromise rival nations' infrastructure — such as the attacks by Volt Typhoon and Salt Typhoon.

"In recent years we see Chinese threat actors’ increasing interest in compromising edge devices, aiming to both build resilient and more anonymous C2 infrastructures, and to gain a foothold in certain targeted networks," Check Point stated in its analysis, but added that the "discovery of the firmware-agnostic nature of the implanted components indicates that a wide range of devices and vendors may be at risk."

China's networking products are not alone in being targeted by the US government, which also banned the products of antivirus firm Kaspersky because of national security concerns, given that it's a Russian company.

**The Global Cyber Reality of Home Routers: Buyer Beware**

Companies and consumers should do their due diligence, keep their devices up to date with the latest security patches, and consider whether the manufacturer of their critical hardware may have secondary motives, says Phosphorus Cybersecurity's Shankar.

"The vast majority of successful attacks on IoT are enabled by preventable issues like static, unchanged default passwords, or unpatched firmware, leaving systems exposed," he says. "For business operators and consumer end-users, the key takeaway is clear: adopting basic security hygiene is a critical defense against both opportunistic and sophisticated attacks. Don’t leave the front door open."

For companies worried about the origin of their networking devices or the security their supply chain, finding a trusted third party to manage the devices is a reasonable option. In reality, though, almost every device should be monitored and not trusted, says NetRise's Pace.

"It's a crazy world that exists when it comes to device security," he says. "You're accepting this device that you know nothing about — and that you really can't know anything about — unlike Windows \[or another operating system\] ... where you can also install three agents and a firewall in front of it to mitigate the risk of the software."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Source

DARKReading