Raytheon Intelligence & Space's Jon Check joins Dark Reading's Terry Sweeney at Dark Reading News Desk at RSA Conference to talk about how hiring must change.

It was tough to find good, experienced security professionals already — then along the came the Great Resignation to make hiring even tougher, notes Jon Check, executive director of cyber protection solutions for Raytheon Intelligence and Space. Check explains how hiring practices must change, as well as new ways to attract new talent and how to encourage a better work-life balance among SOC personnel.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

A Few Simple Ways to Transform Your Cybersecurity Hiring

Next-generation AI products learn proactively and identify changes in the networks, users, and databases using "data drift" to adapt to specific threats as they evolve.

In March 2019, Norsk Hydro, a Norwegian renewable energy and aluminum manufacturing company, faced a ransomware attack. Rather than paying the ransom, a cybersecurity team used artificial intelligence to identify the corruption in the computer system and rebuild the operations in an uncorrupted parallel system. LockerGoga ransomware was eventually identified as the culprit, which spread via Windows-based systems. While Norsk avoided paying the ransom, the attack still forced it to operate without computer systems for an extended period of time (weeks to months), while the security team isolated and scanned thousands of employee accounts for malicious activity.

Signature-based detection is an approach in which a unique identifier is established about a known threat so that it can be identified in the future. However, signature-based approaches require continuous updates that take time and effort to maintain. Next-generation artificial intelligence (AI) products learn proactively and identify changes in the networks, users, and databases through what is called data drift to adapt to specific threats as they evolve.

AI products are the linchpin of a multifaceted defense system that can be utilized in the background prophylactically, especially against unknown threats. Cyberattacks that make the evening news are usually the ones that end in disaster; it is hardly ever reported how AI could have prevented those attacks in the first place. In addition, cyberattacks that are contained or thwarted on a daily basis, while AI is ubiquitously at work, are almost never reported in the news because they happen so frequently.

Unfortunately, as a result of the lack of coverage on these "non-events" in public forums, most people don't understand how AI makes an effective cyber defense achievable and not just theoretical. Here is what you should know.

**Deep-Learning Next-Generation AI Tools**

Data drift is a term used to measure changes in underlying data patterns. A typical example would be if an e-commerce business launched a new payment gateway to sell furniture. In this instance, BECS direct deposit might be a new financial term introduced in the business workflow. BECS, or Bulk Electronic Clearing System, governs how direct debits, automatic payments, bill payments, and direct credits work and how a range of bulk electronic transaction types are made between its participants.

Deep-learning AI models can detect the term and, with minimal human assistance, classify it as a financial transaction. Next-generation AI then can monitor financial transaction data flows and correlate the data accordingly, associating it with financial context and sensitivity.

The financial data monitoring can involve, for example, an application programming interface while the user checks out via online shopping cart or even general business flow. The advantage of the auto-detection approach is that a security team doesn't need to be on the lookout for new vulnerability patches for these terms. Instead, the security team can rely on AI to recommend new data patterns and self-patch accordingly.

A successful effort to thwart phishing attacks that endangered Stanford University can be used as an illustration. WannaCry ransomware threatened campus systems, but the university's self-patching AI software, in addition to its firewall protections and email security solutions, prevented the threats from successfully escalating.

Data transformers are one of the AI tools used to auto-discover and classify data patterns. A transformer model memorizes and tracks relationships between changes in data attributes to create contextual insights. It is similar in many ways to how a human brain works when reading a book. Although you often do not understand a character's role in the story or their relationships with the other characters when they first appear, you gain that knowledge as the story develops.

Data transformers use attention-based mechanisms constantly learning in the same way to gain a greater understanding of networks, files, emails, etc., and how the content of data relate to and interact with each other to identify and classify malicious changes. The text is represented by mathematical datasets, which derive data representations that can be later used to quantify the changes in data as it is being processed by a transformer.

Deep-learning models can also be used for behavioral purpose classification, which assist security teams with efficiently identifying sensitive or harmful content. An AI transformer model uses its understanding of natural language to analyze email data it has never been exposed to, such as credit offers, lottery ticket promotions, employment offers, or COVID test results, in order to classify and identify malicious content. Similar mechanisms can be used to identify malicious content in documents containing employee health information even though the AI model had never analyzed any kind of healthcare data before. The transfer model proactively alerted security teams regarding the sharing of sensitive data before a breach occurred.

**What This Means for Your Business**

Not only is it important to ensure that cybersecurity systems are in place to defend against and prevent threats, but it's also important to have the right one that synthesizes with your business's needs. Manual document classification for documents, emails, and text messages is complex and requires technical expertise. Deep-learning transformers simplify those tasks, and if done right, can be leveraged efficiently to save costs and effort.

However, an AI model with incorrect settings can result in false positives, and in turn, generate too many alerts, creating headaches for security teams. As a result, one should always seek expert advice when selecting products with AI components. The next-gen AI tools will be able to automate your business processes with minimal setup, human intervention, rules, and policies.

Artificial Intelligence and Security: What You Should Know

In 1985, a group of klezmer musicians from the US rendezvoused with underground dissidents in Tbilisi, Georgia. This is the story of how they pulled it off with homebrew cryptography.

RSA CONFERENCE 2022 — Not all activists carry a picket sign. Some carry a soprano saxophone and a music notebook.

"1985 was a really rough go of it for people who were human-rights activists," said Dr. Merryl Goldberg, music professor at California State University San Marcos, at a keynote at RSA Conference 2022 on Wednesday. "Dissidents, human rights activists, refuseniks, Helsinki Monitors had formed — in Tbilisi, Georgia, of all places — a group, a musical group, to band together, literally." This was the Phantom Orchestra, which she would travel across the world to meet.

Her own band was Klezmer Conservatory Band. Goldberg and bandmates Hankus Netsky, Rosalie Gerut, and Jeff Warschauer traveled together to the USSR, according to a 1986 article. Activist groups in the United States, particularly Action for Soviet Jewry, conceived their mission as a way to bring international notice to a group of dissidents who otherwise could be disposed of namelessly. If the world knows these people exist and are facing persecution, the thinking went, the Soviet government would not have as free a hand.

"That's when some people in Boston had the idea, 'Maybe we should go in and support them — but also find out if there was information that should come out as well,'" Goldberg said. So this group of four young musicians volunteered to take a trip to the Soviet Union, during the Cold War.

    

Dr. Merryl Goldberg (Source: RSA Conference screengrab)

Despite the cloak-and-dagger feel, this wasn't a spy mission. The information they were seeking to smuggle out was simple personal information like names, family relationships, and birth dates. The information simple but essential if a Soviet citizen wanted to get an invitation to travel outside the USSR — and from there defect.

"There were a couple of people who wanted to be invited, and so we coded all of their information in order to bring that out so they could receive an invitation," Goldberg said. "Most of the folks ended up emigrating, which is really good, but what they had to put up with in order to emigrate was really something."

Don't worry. This ties into cryptography.

**What Music Can Mean, Literally**

Because of the precarious position of the people Goldberg and her bandmates were hoping to meet, the Americans had to encode the contact information for the Georgian dissidents.

"We couldn't write down the names of people or their addresses or things like that because it would put them in jeopardy if at customs they saw that," she said. "And it would put us in jeopardy as well."

So she found a way to write things down without making them explicit: using musical notation as an alphabet, essentially. Goldberg didn't go into the details of her code, though she did lead the audience through the directions to a dissident's apartment, shown in the image above.

Britta Glade, senior director of content and curation for RSA Conference, interviewed Goldberg. "Let's jump into some of your coding," she said.

The first Phantom Orchestra members they were to meet were the Goldsteins, brothers Isai and Grigory. 

"You're seeing directions to get to one of the apartments. So we knew we had to go on the Orange line \[subway\], stop at the end, Cross Street — that's the name of the street," Goldberg explained. "On the bottom line, I couldn't figure out a way to write it out, so I actually drew where the apartment was in the building. That's what that is. There's a little tiny square in the top square, and that was where the apartment was."

For the more complex information, like names and other personal information, Goldberg had to come up with a flexible alphabet that couldn't be read at a glance. "What I did — without giving away the story of the whole code — is I just assigned certain notes to certain letters, and then I played around with some decoy stuff in terms of the clefs," she said.

Glade is also a musician — she played one of Goldberg's encoded songs on a keyboard set up on the stage. "There's a scientific, predictable way music is gonna sound," Glade said. "It's just like programming, right?" And this programming sounded ... kinda bad.

"If you study music, like modern music, you would hear music like this, perhaps," Goldberg said, laughing. "One of the cool things about music and coding is people invent notation anyway. And they write crazy things." That made it difficult for anyone to look at even that awkward sheet music and see any real grounds for suspicion.

**What Music Can Mean, Metaphorically**

As technologist Bruce Schneier said during his RSA keynote, any system can be a code. Goldberg used her system — music — to encode directions that helped her and her bandmates connect with musicians in the USSR and to bring home information that would allow some of those dissidents to emigrate. So for those refuseniks, music meant freedom.

"Before I met the people in the Phantom Orchestra, I understood the power of music – I'm a musician. I play, and when I play, I get into this other space," Goldberg said. "When we played with the Phantom Orchestra, the power of our playing together and the freedom in our brains was something that I'll never forget. It has become a part of me."

She had to choke back some emotion to say, "But while we're playing, I understood: You can be imprisoned, you can be put wherever, and ultimately we were interrogated many more times and put under arrest, \[but\] in your brain you can still feel free. And I hadn't understood that power of music until then."

Glade brought it back to cybersecurity. "We're constantly getting pounded, pounded, pounded – you're under attack from this, this is happening here – we need to be taken, transformed, put in a \[new\] place," she said. "What does music offer us?"

Goldberg answered.

"Music is used as a way to center and ground yourself. The act and the discipline to practicing music enables you to listen better," she said. "A lot of what you do, from my understanding, is really dealing with people and understanding people and how they make decisions. They do problem-solving, right? The arts, music, but also visual arts, teach you how to solve problems, how to work well with each other."

**'Long Shadows of the Cold War'**

The invasion of Ukraine is casting "some long shadows of the Cold War that are maybe bringing up some emotions," Glade said. "What's in your heart and your head?"

"I really admire the musicians and the activists who are in Ukraine, who stay — Denys \[Karachevtsev\], who's the cellist you've seen," she answered.

Glade added, "The little girl singing in the subway."

"Yes," Goldberg said. "I also think about Brittney Griner. And I think, 'I hope she can ... keep her brain free, even though she's not.' Because that makes such a difference."

"I really think about what's going on and how people are coping," she added.

Glade and Goldberg closed out with one good way to cope: a klezmer song called "Broyges Tantz" — Yiddish for "angry dance."

How 4 Young Musicians Hacked Sheet Music to Help Fight the Cold War

Cloud migration, DevSecOps, cyber insurance, and more have emerged as important motivators for cybersecurity investment and focus.

RSA CONFERENCE — San Francisco — Security hygiene and software supply-chain/vendor risk have emerged as the top two security priorities for chief information security officers (CISOs) at medium-sized organizations, new research has revealed.

That's according to Forgepoint Capital, which surveyed CISOs across a spectrum of industries and sizes. For organizations with 50 to 1,000 employees, security hygiene is seen as particularly critical, according to the data.

"Most breaches are due to unpatched systems, misconfigurations, poor passwords, and other easily avoidable issues," the report, shared with Dark Reading at the 2022 RSA Conference this week, pointed out. "Typically, organizations of this size don’t have the budget to build multiple backups and failovers, with real scenarios where a security incident can put the company out of business."

That said, there was notable variance across industry segments. For instance, zero percent of respondents in the healthcare vertical cited security hygiene as a priority.

"It's not that they think that nurses don't need to worry about passwords," says Will Lin, managing director of Forgepoint. "It's that security responsibility is much more distributed than in other industries. If I'm, say, BlueCross BlueShield, I can't control the password requirements and security hygiene of all the subsidiaries I have. It's each one's own responsibility to do it. I have to prioritize what I can actually solve."

There's a different narrative for professional services firms, where more than 80% said security hygiene is a top focus.

"They're exactly the opposite from healthcare," Lin says. "They're responsible for the security of all their consultants. These are all my employees, I need to do it. So that's why it becomes the highest priority for this group."

**Cybersecurity Workforce Shortage**

Meanwhile, CISOs at organizations with less than 50 employees cited talent development and social-engineering awareness as their top two priorities, with the ongoing cybersecurity workforce shortage of particular concern.

"Talent departure and social-engineering attacks can have major ramifications," according to the report. "Due to the small size of their employee base, these companies can realistically affect more change by focusing on human capital than a large organization can. As companies grow larger, no matter how much access control is established, threat vectors will remain. Thus, the focus shifts from personnel to security automation and incident response."

When examining CISOs' views of security prioritization by industry, the survey found that all security professionals prioritize areas with the highest return on investment (ROI). For example, 50% of professional services companies marked security hygiene as an essential focus, but healthcare professionals are focused more on the software supply chain and third-party vendor risk, such as the security of connected medical devices, given its bigger tie to ROI in their field.

**Cloud Migration and Digital Transformation**

Forgepoint also found that cloud migration is driving security prioritization for medium-sized businesses in particular, with 73% of survey respondents noting that it's a factor in 75% or more of their efforts. In contrast, just 13% of very large businesses (more than 10,000 employees) and 43% of large businesses (1,000 to 10,000 employees) said the same. For businesses with fewer than 50 employees, half of them said the move to the cloud is driving 75% of their security choices.

"Very large companies, surprisingly enough, are actually the furthest behind cloud migration," Lin tells Dark Reading. "And the smaller companies are further along in cloud migration. The big companies have a lot of legacy infrastructure, so it's going to take them a much longer time to move to the cloud, while smaller companies are more cloud native, and they're trying to cut costs, which the cloud helps with."

Digital transformation also emerged as a top security motivator for CISOs in every industry except for professional services — likely due to the ongoing reality of remote working forcing businesses to embrace software-as-a-service and other corporate working apps.

This is driving a new security focus on securing application programming interfaces (APIs, cited by 62% of all respondents) and DevSecOps for embedding security into application development (cited by 54%).

**Areas of Control and Cyber Insurance**

Survey respondents said traditional access control areas like data security (40%) and identity (41%) are still top priorities for organizations. But more than a quarter (28%) of CISOs highlighted an emerging area, cyber insurance, as a top control area of interest.

With ransomware, malware, APTs, and other cyberattacks at all-time highs, organizations of all sizes are considering investing in cyber insurance — however, it's a painful process, Lin says, especially as many insurance firms don't cover ransomware incidents, and the application process can be onerous and dictate where precious security dollars are invested.

"The cost of cyber insurance is going up, and the coverage is going down," Lin says. "And perhaps most of all, the questionnaires that cyber insurance companies give companies to fill out in order to determine how expensive coverage will be don't provide a representational picture of how good of a bet insuring a company is."

For instance, many require companies to have multifactor authentication (MFA) on all accounts in order to qualify for affordable coverage — but its across-the-board implementation at the expense of other efforts (patching, for instance) may not be the best approach for defending the business.

"Companies themselves often don't know how effective their controls are, so how could a cyber insurance underwriter be predictive?" Lin says. "If the question is, do you have an MFA on everything, companies can never check yes to that. Because there are some places where you can't have MFA. It's just not physically possible. Or, in some cases the app that's doing all the authentication might not have an MFA feature enabled. So they have to click no, and when they do, they immediately see a premium increase."

Meanwhile, just 24% of all respondents cited monitoring threat intelligence as a priority — which is a function of it being perceived as difficult to operationalize, Lin says.

"The key issue is, even like organizations like Google have no idea what to do with all of the telemetry and data," Lin said. "Companies simply have a tough time figuring out what to do with their threat intel — it's just the actionability of it."

Overall, the survey also found that three-quarters (76%) of CISO survey respondents say they expect security budgets to increase this year.

"As cybersecurity budgets increase, it’s expected that budgets will become more flexible to accommodate new and emerging products that defy the limitations of the currently identified categories," Forgepoint concluded.

In a Quickly Evolving Landscape, CISOs Shift Their 2022 Priorities

The proof-of-concept attack from MIT CSAIL researchers undermines the pointer authentication feature used to defend the Apple chip's OS kernel.

Security researchers today released details about a new attack they designed against Apple's M1 processor chip that can undermine a key security feature that protects the operating system (OS) kernel from memory corruption attacks. Dubbed PACMAN, the proof-of-concept attack targets ARM Pointer Authentication, a processor hardware feature that's used as a last line of defense against software bugs that can be leveraged to corrupt the content of a memory location, hijack the execution flow of a running program, and ultimately gain complete control of the system.

"The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system," says MIT CSAIL Ph.D. student Joseph Ravichandran, co-lead author of a new paper about PACMAN. "We've shown that pointer authentication as a last line of defense isn't as absolute as we once thought it was."

Lauded as the most powerful chips Apple has ever built, the M1 Pro and M1 Max were rolled out last fall to accolades not only for their power efficiency and performance, but also for the security afforded by the M1 system-on-chip (SoC) architecture.

Among those defenses is pointer authentication, an ARM feature that defends pointer integrity in memory by protecting pointers with a cryptographic hash that verifies they haven't been modified. That hash is called a Pointer Authentication Code (PAC), which the system uses to validate the use of a protected pointer by a program. When the wrong PAC is used, a program will crash. PAC sizes are relatively small, but a straight brute-forcing attack would cause enough crashes to detect malicious behavior — not to mention that a program restart causes the PAC to be refreshed.

The MIT CSAIL team shows that it is possible to use a hardware side-channel attack to brute-force a PAC value and suppress crashes, kicking off a chained attack to ultimately build out a control-flow hijacking attack.

"The key insight of the PACMAN attack is to use speculative execution attacks to leak PAC verification results stealthily via micro-architectural side channels without causing crashes," the paper explains.

Since the attack uses the speculative execution space, it doesn't leave behind traces — and being a hardware attack, it also can't be patched. The work offers a tangible example of how the one-two punch of hardware vulnerabilities and low-level software flaws can provide ample opportunities for attackers to run rampant in the kernel.

**New Tools for Vulnerability Research**

According to MIT professor and paper co-author Mengjia Yan, her team's work offers insight into why software vulnerabilities at the kernel level should still be of concern to developers.

"It's a new way to look at this very long-lasting security threat model. Many other mitigation mechanisms exist that are not well studied under this new compounding threat model, so we consider the PACMAN attack as a starting point," she says. "We hope PACMAN can inspire more work in this research direction in the community."

To encourage researchers to build off of their work, the MIT CSAIL team is releasing two sets of tools that are a product of their work analyzing Apple chips, which are closed source and undocumented.

"We expect these tools to unblock the community from conducting research on existing and future Apple Silicon devices," the paper states, announcing availability of the tools at pacmanattack.com.

Design Weakness Discovered in Apple M1 Kernel Protections

Sysdig's Omer Azaria joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to talk about cloud security.

Cloud security can challenge security pros like nothing else, including workload security issues arising from app design patterns or DevOps practices, says Sysdig's Omer Azaria. He also dives into whether cloud services and containers be should treated like endpoints similar to hosts or employee workstations, as well as how cloud-based threats can impact an organization's environments on-premises.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Sysdig Takes a Deeper Cut at Cloud Security

Noname Security's Shay Levi joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to talk about making code more secure.

Software code has come under attack in innovative and deeply troubling ways, says Noname Security CTO and co-founder Shay Levi. These attacks have altered the security landscape for both developers and their organizations, not to mention their suppliers, partners, and customers. API security testing has emerged as one solution, as has a more proactive approach to application security, without impeding development speed and efficiency, Levi says.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Noname: Proactiveness Is the Name of the Game in App Security

Lacework's Mark Nunnikhoven joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to talk about AI and cloud security.

Artificial intelligence is essential for endowing multicloud environments with greater visibility, insights and actions, according to Mark Nunnikhoven, distinguished cloud strategist for Lacework. And AI is key to automating security tasks, he adds. AI, in turn, can help enable faster innovation with security built in from the first line of code, as well as gain meaningful security insights to build apps quickly and confidently by highlighting any potential issues well before they reach production, according to Nunnikhoven.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Lacework Blends Artificial Intelligence and Automation to Bolster Cloud Security

Darktrace's Mike Beck joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to talk about risk management.

Pressure to reduce and manage risk — internally and externally — is more urgent than ever, according to Mike Beck, global CISO for Darktrace. That's why organizations require more sophistication and integration in their security management platforms. Beck discusses some of the features of Darktrace's new Prevent platform as well as some of the common use cases Prevent can address.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Prevent Breaches and Malware With Proactive Defenses

The certificate management company plans to integrate DNS services throughout its portfolio.

DigiCert has acquired DNS Made Easy, a provider of managed Domain Name System (DNS) services for enterprises, as well as affiliated brands, including Constellix.

The addition of DNS Made Easy enhances the company's certificate validation and lifecycle management portfolio, it said in a company statement on the acquisition. Specifically, DigiCert will integrate domain control validation into its certificate offering and pave the way for simplified DNS configuration, it said.

“The integration of DigiCert and DNS Made Easy adds value to customers,” said Greg Clark, managing partner at Crosspoint Capital Partners and chairman of DigiCert’s Board of Directors, in the statement. “In addition to providing excellent DNS services, this combination enhances the security of certificate validation and enables the automation of future validations, paving the way for automated certificate lifecycle management."

Terms of the deal were not disclosed.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading