Machine learning offers great opportunities, but it still can't replace human experts.

Machine intelligence has captured the human imagination since the invention of the first modern computer in the mid-20th century. And the latest milestone in artificial intelligence, ChatGPT, has reinvigorated our pervasive interest in AI's ability to simplify the way we work.

ChatGPT's advancements in machine learning are impressive: Its high-quality outputs feel close to human. The strides it represents for AI systems signal that even more remarkable achievements are close to reality. But while ChatGPT suggests that the full potential of AI is drawing nearer, the reality is it still isn't quite here. Right now, there are great opportunities for machine learning to augment human intelligence, but it still cannot replace human experts.

**The Obstacles Between ChatGPT and the Future It Promises**

A complete reliance on AI can only happen if any given AI technology is proven more effective than all the other tools used to serve the same purpose. And AI hasn't yet developed to run entirely autonomously. Narrow AI (ANI) often describes the AI we see today: AI designed for a single task, such as a chatbot or image generator. ANI still requires human supervision and some manual configuration to function and is not always run and trained upon the latest data and intelligence. In this case, Reinforcement Learning from Human Feedback (RLHF), which allows the model to learn from correct and incorrect responses to requests, helped train ChatGPT.

Our human inputs into AI systems pose a significant challenge as well. Machine learning models can be colored by our personal views, culture, upbringing, and world perspectives, limiting our ability to create models that entirely remove bias. If improperly used and trained, ANI can further ingrain our biases into our work, systems, and culture. We've even seen bug bounties dedicated to removing AI bias, underscoring these challenges. Complete dependence would be problematic unless we can identify how to build more robust AI systems that mitigate human bias.

**It's Foolish to Rely Fully on AI for Cybersecurity**

The growing threat landscape, diversification of attack vectors, and highly resourced cybercriminal groups necessitate a multipronged approach that leverages the strengths of both human and machine intelligence. A survey conducted in 2020 found 90% of cybersecurity professionals believed cybersecurity technology is not as effective as it should be and is partially responsible for the continued success of attackers. Fully trusting AI will only exacerbate many organizations' already significant overreliance on these ineffective automation and scanning tools, and vulnerability reports generated by AI with "confidently wrong" false positives can even add friction to remediation efforts.

Technology has its place, but nothing will compare to what a skilled human with a hacker mindset can produce. The type of high-severity vulnerabilities found by many hackers requires creativity and a contextual understanding of the affected system. A vulnerability report written by ChatGPT compared with one developed end to end by a hacker demonstrates this gap in proficiency. When tested, the former's report was repetitive, lacked specificity, and failed to provide accurate information, while the latter offered full context and detailed mitigation guidance.

**AI Can Supercharge Your Security Team**

There is a middle ground. Artificial intelligence _can_ accomplish tasks faster and more efficiently than any one person. That means AI can make work much easier for cybersecurity professionals.

Ethical hackers already use existing AI tools to help write vulnerability reports, generate code samples, and identify trends in large data sets. The diverse skill set of the hacker community fills the capability gaps of AI. Where AI really helps is providing hackers and security teams with the most critical component for vulnerability management: speed.

With nearly half of organizations lacking the confidence to close their security gaps, AI can play an instrumental role in vulnerability intelligence. AI's ability to reduce time to remediation by helping teams process large data sets faster could supercharge how quickly internal teams analyze and categorize vast swaths of their unknown attack surface.

**Narrow AI Could Help Address Major Industry Challenges**

We're already seeing governments recognize the potential of narrow AI: The Cybersecurity and Infrastructure Security Agency (CISA) lists AI as one possible vulnerability intelligence solution for software supply chain security. When the daily minutiae of important cybersecurity work is eliminated, the humans behind the technology are freed to pay closer attention to their attack surface, remediate vulnerabilities better, and build stronger strategies to defend against cyberattacks.

Soon, ANI could unlock even more potential from the hackers and cybersecurity professionals that use it. Instead of worrying about AI taking their jobs, security professionals should cultivate a diverse skill set that complements AI tooling while also maintaining a keen awareness of its current limitations. AI is far from replacing human thought, but that doesn't mean it cannot help create a better future. For an industry with a significant skills gap, AI could make all the difference in building a safer Internet.

Chat Cybersecurity: AI Promises a Lot, But Can It Deliver?

Use threat intelligence to reduce chance of success for malicious insider and Dark Web threats.

Insider threats are a serious and growing problem. According to recent research, malicious employees contribute to 20% of incidents and the attacks that insiders are involved in are, on average, 10 times larger than those conducted by external actors. Further data (PDF) has shown an increase in insider threat attacks over the past two years, as the risk has been exacerbated by the remote working through the pandemic.

To minimize insider threats, all organizations should monitor marketplaces, forums, and social media channels for chatter about their company. This helps them to spot the early warning signs of an imminent attack, such as cybercriminals looking for insider knowledge, or disgruntled employees making unsavory comments. This monitoring must also extend to the Dark Web, as this is a gold mine for cybercriminal reconnaissance on organizations, because threat actors believe that they're out of the reach of law enforcement and cybersecurity teams.

**Types of Insider Threat**

When we talk about insider threats it is important to understand that there is more than one type of malicious insider. Broadly, you can categorize them in three groups:

**Insiders motivated by financial gains****:** In the current economic climate, employees can be nudged into malicious activity by threat groups. For example, the threat group Lapsus$ infamously posted a recruitment call for help from employees in telecom companies, software and gaming corporations, and call centers — offering money in exchange for information.

    

Ad that Lapsus$ ran.

**Loners and opportunistic threat actors:** These are hard-to-spot insiders who use their privileged position in the network to harm the company. While they're statistically less common, they can have a severe impact on an organization when they do strike. For example, the New York Post employee who took an ax to the company's reputation recently by posting offensive messages on its corporate Twitter account. Dark Web analysis can help to spot these malicious actors if and when they publish an inquiry or ask for help on specific issues they face when navigating around the corporate environment. They can also be spotted offering to sell insider information on the Dark Web.

**Innocent insiders:** These can also unwittingly harm the company by being involved in threat activity without their consent or knowledge. According to research, employees are more than twice as likely to make an error and click malicious links, rather than to maliciously misuse their access.

That's who you're up against, but it's also important to understand what malicious actors could be looking for, inquiring about, or selling.

**Threat Modeling for Insider Threat**

Companies threat modeling for malicious insiders need to identify where their infrastructure is the most insecure, what assets they have that are the highest value, and which tactics are most regularly used by threat actors. Insight into the Dark Web can help the organization establish how criminals go about their reconnaissance and use malicious insiders, which can help inform their defenses.

The most popular method used to gain access to a company's environment is obtaining and utilizing leaked credentials. But apart from basic "password and username" sales, businesses also need to look out for cookie-session leaks for apps such as Slack and Teams, which threat actors can use to socially engineer their way into the company and abuse the trust of an employee.

Another aspect that companies need to be conscious of are trigger events that increase the likelihood of a company being targeted for attack. For example, if an oil company is set to announce its annual revenue during a cost-of-living crisis, the organization must assess the animosity level from employees, ex-employees, and outsiders reacting to the announcement. The revenue reveal, in this example, is a potential trigger event, requiring the business to be particularly diligent in monitoring the Dark Web for any chatter around the company before, during, and after the event. In cases like these, companies must ask themselves whether they should implement extra defenses or apportion additional resources.

During trigger events, companies could potentially spot malicious insiders by monitoring an uptick in alerts or irregular online activity. Connections between a company device and the Tor network are a very reliable data point for discovering an insider threat, because there is virtually no good reason why an employee would be connecting to the Dark Web in most organizations.

**Shifting Left in the Cyber Kill Chain**

As with any incident, time is always of the essence. Where possible, organizations need to pinpoint insider threat activity during reconnaissance, the first stage of the cyber kill chain, to successfully mitigate against a malicious actor. Logic dictates that the earlier, or further to the left in the kill chain, that threat actors can be identified, then the less likely they are to be successful in their attack.

Organizations understand the need for preparedness, shielding their borders, and educating their employees. However, these are simply a solid foundation of security infrastructure that requires augmenting with intelligence to stop threats earlier. Dark Web threat intelligence should be considered as an integral component to enhancing an organizations' security posture. As most cybercriminals rely on Dark Web infrastructure to conduct their operations, cutting off this channel can vastly reduce the chance of insider threats taking hold and disrupting business operations.

Hunting Insider Threats on the Dark Web

Categories: News
Tags: Google

Tags:  Rust

Tags:  Chromium

Tags:  Mailchimp

Tags:  SweepWizard

Tags:  bossware

Tags:  TikTok

Tags:  surveillance firm

Tags:  Voyager Labs

Tags:  TracketPacer

Tags:  Facebook

Tags:  Instagram

Tags:  Vice Society

Tags:  Liquor Control Board of Ontario

Tags:  Zoho ManageEngine

Tags:  GitHub

Tags:  LastPass

Tags:  Git flaw

Tags:  ransomware

Tags:  credit card fraud

The most interesting security related news from the week of January 16-22.



(Read more...)




The post A week in security (January 16—22) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (January 16—22)

Categories: Podcast
This week on Lock and Code, we speak with Lexie Cooper, the owner behind the TikTok account TrackerPacer, about the vitriol she faced online after talking about the gender gap in technology. 



(Read more...)




The post Fighting technology's gender gap with TracketPacer: Lock and Code S04E02 appeared first on Malwarebytes Labs.

Posted: January 16, 2023 by

Last month, the TikTok user TracketPacer posted a video online called “Network Engineering Facts to Impress No One at Zero Parties.”  TracketPacer regularly posts fun, educational content about how the Internet operates. The account is run by a network engineer named Lexie Cooper, who has worked in a network operations center, or NOC, and who’s earned her Cisco Certified Network Associate certificate, or CCNA. 

In the video, Cooper told listeners about the first spam email being sent over Arpanet, about how an IP address doesn't reveal _that much_ about you, and about how Ethernet isn't really a cable—it's a protocol. But amidst Cooper's bite-sized factoids, a pair of comments she made about something else—the gender gap in the technology industry—set off a torrent of anger. 

As Cooper said in her video:   

> “There are very few women in tech because there’s a pervasive cultural idea that men are more logical than women and therefor better at technical, 'computery' things.”

This, the Internet decided, would not stand. 

The IT industry is “not dominated by men, well actually, the women it self just few of them WANT to be engineer. So it’s not man fault," said one commenter. 

“No one thinks it’s because women can’t be logical. They’re finally figuring out those liberal arts degrees are worthless," said another. 

“The women not in computers fact is BS cuz the field was considered nerdy and uncool until shows like Big Bang Theory made it cool!” said yet another. 

The unfortunate reality facing many women in tech today is that, when they publicly address the gender gap in their field, they receive dozens of comments online that not only deny the reasons _for_ the gender gap, but also, together, likely contribute _to_ the gender gap. Nobody wants to work in a field where they aren't taken seriously, but that's what is happening. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with Cooper about the gender gap in technology, what she did with the negative comments she received, and what, if anything, could help make technology a more welcoming space for women. One easy lesson, she said:

> "Guys... just don't hit on people at work. Just don't." 

Tune in today.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

**RELATED ARTICLES**

Fighting technology's gender gap with TracketPacer: Lock and Code S04E02

Catchpoint’s Internet Performance Monitoring Platform helps IT teams identify and mitigate BGP incidents, including hijack attempts and routing issues, with the industry’s broadest network of vantage points in the world drawing on real-time BGP monitoring.

**January 11, 2023 --** Catchpoint, The Internet Resilience Company, releases major enhancements to its industry-leading Network Experience solution. These enhancements include network reachability, engineering & traffic routing improvements, as well as comprehensive monitoring for SASE, VPN, and the entire Internet stack. This makes it even easier for IT professionals to catch issues before they impact the business.

The latest release includes a wide range of enhancements to Catchpoint’s Network Experience solution including:

*   **The world’s largest observability network** with over two thousand vantage points around the world. This includes **the world’s most extensive global BGP coverage** with over a thousand vantage points around the globe from more than 400 ASNs and support for both IPv6 and IPv4 real-time global data:

*   143 Catchpoint peers
*   388 University of Oregon Route Views Project peers
*   744 RIPE NCC RIS peers

*   **An improved BGP Smartboard** to identify incidents and root cause faster and with fewer clicks for improved MTTR. The new Smartboard lets IT teams investigate BGP peer event data across selected timeframes, view announcements and withdrawals, then drill down to the details of each event. The result is faster and more effective troubleshooting.
*   **An enhanced BGP Dashboard & Score Metrics** to see the health of the networks you rely upon at a glance. Information presented includes visibility for reachability, hijacks, peer visibility, mass withdrawals, RPKI status, and BGP data by region.
*   **Route Hijack Detection** via the updated control center library, which stores a list of customer ASNs. The BGP Overview Dashboard flags any prefix announced from unexpected ASNs, so IT is immediately alerted to potential hijacks.
*   **Network Mesh/Node-to-Node General Availability testing** to continuously monitor the availability & performance of the network, including jitter, latency and packet loss. This ensures an always-on, high-quality network experience. 
*   **Traceroute enhancements**, including Path MTU and TCP MSS features for more effective network path visualization and troubleshooting.
*   **A DNSSEC Custom Monitor** that authenticates the resolution of IP addresses with a cryptographic signature and ensures that answers provided by the DNS server are valid and authentic. 

To learn more about these updated features, please join us on January 18, 2023 for our upcoming webinar “Catchpoint Launches New Capabilities to Power Internet Performance Monitoring.”

**View and Pinpoint All BGP Issues from One Dashboard  **

All these capabilities are available via the Catchpoint Platform. The market leader in Internet Performance Monitoring (IPM), Catchpoint provides deep visibility into every aspect of the Internet stack that impacts your business. Only Catchpoint offers the breadth and depth of IPM solutions to help make IT, Network Operations, and SREs jobs easier and ensure Internet Resilience with fewer resources. 

“With this release, Catchpoint helps our customers uncover BGP issues with more confidence and in less time. We now deliver more detailed real-time information from three distinct BGP peer sources that we are able to collect from over 1000 BGP peers worldwide. By comparison, our nearest competitor monitors less than 100 peers and provides data that is at least 15 minutes old. That 15-minute delay is a lifetime when you’re dealing with an issue like a BGP hijack, and you don’t know where your data is going!” said Catchpoint’s EVP of Product, Matt Izzo. 

Catchpoint’s customers agree. “We were never able to monitor reachability in this detail before using the Catchpoint solution. Now we can figure out whether an issue is related to a BGP announcement, routing, or something else instead of blindly trusting our partners that everything is working as it should,” said Andreas Lunz, Chief Technology Officer, Team Internet.

“The top websites in the world rely on Catchpoint as their main platform to monitor, detect, and mitigate BGP incidents, as well as any other incidents in their Internet stack,” said Dritan Suljoti, CTO and co-founder of Catchpoint. “Today, all businesses rely on the Internet to survive, and there is really no other platform that comes close to what we have developed over fourteen years of dedication to Internet Performance Monitoring.” 

**Learn More**

*   Read more about Catchpoint’s Network Experience Solution at catchpoint.com/network-experience.
*   Dive into our Comprehensive Guide to BGP.
*   Join us at our upcoming webinar, “Catchpoint Launches New Capabilities to Power Internet Performance Monitoring” on January 18, 2023. 
*   Watch a brief but helpful demo on BGP. 
*   Request an evaluation of the Catchpoint platform.

**About Catchpoint**

Catchpoint is the Internet Resilience Company™. The top online retailers, Global2000, CDNs, cloud service providers, and xSPs in the world rely on Catchpoint to increase their resilience by catching any issues in the Internet stack before they impact their business. The Catchpoint platform offers synthetics, RUM, performance optimization, high fidelity data and flexible visualizations with advanced analytics. It leverages thousands of global vantage points (including inside wireless networks, BGP, backbone, last mile, endpoint, enterprise, ISPs and more) to provide unparalleled observability into anything that impacts your customers, workforce, networks, website performance, applications, and APIs. Learn more at www.catchpoint.com.

Catchpoint Announces Solution to Monitor and Protect Companies From BGP Incidents

CISOs' top cloud challenge is harmonizing standards, policies, and procedures across blended environments.

In Coalfire's "2023 State of CISO Influence" report, developed in partnership with Dark Reading — security executives in major industries and companies of all sizes called out _lack of good governance strategy_ as one of the top challenges they face in managing cloud migration.

With any move to the cloud, corporate leaders focus intently on leveraging capabilities and harnessing myriad services, with IT often juggling the management of multiple assets in a hybrid environment. CISOs want to take the existing security program and wrap it around newly migrated systems to keep people, processes, and policies as consistent as possible and avoid the need to invent anything new. Updating and unifying standards and procedures usually lands last on the list.

While no single governance model is the right answer for all organizations, governance in the cloud age must, at a minimum, establish oversight, strategy, and enforcement of standards to ensure alignment of operational practices to the objectives and risk tolerance of the organization.

Security governance bridges business priorities with technical implementation like architecture, standards, and policy.

For smaller companies especially, the governance function is sometimes overlooked until it's too late. C-level security executives at firms with 500 or fewer employees ranked governance problems 10 points ahead of their midsize and larger enterprise counterparts.

**Optimizing Governance to Bolster Brand Confidence**

The report confirmed what I believe to be the essence of business resilience today: setting priorities, communicating effective incident response strategy, preplanning continuity of systems, and assuring continuous compliance.

Business goals and risk management are the best security program guideposts, ensuring that efforts are optimized to focus on the organization's top areas of concern. So naturally, it's becoming mission-critical to optimize governance processes to work effectively in today's hybrid server environments. Increasing infrastructure complexity drives hard questions, such as:

*   _How do we absorb the operational risk introduced by third parties within our cloud-based ecosystem?_
*   _How do we configure and uniformly apply access policies for employees, customers, vendors, remote workers, IoT, etc.?_
*   _Can we achieve zero trust, and can it be retrofitted to effectively fit into a hybrid environment?_
*   _What's our strategy and execution plan to enable operational resilience with pervasive incident detection and response?_
*   _How do we assure customers and stakeholders of our business's ability to continue operations after a disruption or during a mitigation?_

Addressing these questions facilitates a rational, cost-efficient approach instead of the outdated "sky is falling/spend more" mentality that has proven to be unsustainable. With the ever-expanding attack surface of the hyperscale cloud, CISOs can't eliminate risk, nor can they justify impulsive spending on endless identification of threats and scanning for vulnerabilities. Instead, they must respond and remediate problems, reduce costs, and enhance secure product life cycles to bolster brand reputation and customer confidence.

**Align Governance Responsibilities to Avoid Conflict**

Our research reflects that service delivery across industries is moving further into the cloud every year. Though all on-premises systems are eventually considered candidates for transition, legacy systems aren't going away tomorrow, so we need a pragmatic management style to keep the cloud momentum going while dealing with an expanding attack surface — the other "top two" concern of CISOs in the survey along with lack of good governance.

When developing governance strategies for hybrid cloud operations, it's critical that CISOs understand what services are provided by cloud and SaaS vendors, and that they have clarity on where the responsibilities and liabilities fall. While security professionals are more effectively closing known gaps, security teams still feel most of the heat when there are problems. Cloud vs. on-premises staff may fall into an adversarial pattern that results in attempts to deflect responsibility or engage in finger-pointing.

A well-planned governance model that assigns roles and responsibilities through a RACI responsibility alignment matrix is one of the best ways to avoid these situations. Failure to develop those plans up front can exacerbate the impact of even minor conflicts. Forward-thinking security leaders road map what needs to be done and who's going to do what, well ahead of time. At the onset of any migration or lift-and-shift, savvy CISOs need to start with a clear understanding of "who's on first." Prioritize that forethought by shifting core governance functions to the far-left side of the project management planning matrix.

Great CISOs don't just implement security measures, they build trust by working with business leadership to apply essential governance disciplines that align business strategy, risk management, asset protection, and innovation security while providing guidance to drive execution of security best practices and controls.

Across the board, CISOs in every sector and company size say governance is too often an afterthought. Lack of strategy produces hazards such as potential breach, disruption, and policy failures, as well as interdepartmental friction between cloud and on-prem teams. Whether it's a risk steering committee or a Cloud Advisory Board, good governance keeps the business moving and the supply chain flowing. It's a core competency for all security leaders.

**About the Author**

    

Michael Eisenberg is a seasoned information security professional with more than 31 years of experience working across public and private sectors, including two global Fortune 250 organizations (Aon and McDonald's Corporation), the government sector and the U.S. military. As vice president of Strategy, Privacy, and Risk at Coalfire, Michael leverages his experience through a range of security consultative services that help C-level officers build and improve security strategies and deliver cybersecurity programs. He received a master's degree in computer science from Illinois Institute of Technology. Michael holds CISSP, CISA, CISM, and CRISC security certifications.

Governance in the Cloud Shifts Left

Shift your mindset from risk to resilience.

As the lyrics of "Auld Lang Syne" so eloquently say, "Should old acquaintance be forgot and never brought to mind?" As security leaders look forward to what the new year brings, they're taking stock of everything — their teams, their technologies, their budgets — and trying to plan for what looks to be another challenging year.

While I don't have a Magic 8 Ball, 2023 looks like more of the same — the same budget constraints, the same supply chain problems, and the same cybersecurity challenges. There is also a lot of pressure currently on security leaders to do more with less while also facing more scrutiny and more accountability for the effectiveness of their cybersecurity programs. Sophisticated and frequent cyberattacks, shrinking budgets, and a scattered workforce have only exacerbated preexisting security challenges to the point that it's hard to know what to address first. So, if you're a security leader still working on your New Year's resolutions, cyber resilience should be No. 1 on your list.

**Shifting Your Mindset****

Most security leaders today have adopted "it's not if, but when" mindset in relation to cybersecurity incidents. Additionally, risk management — constantly identifying risk and implementing the appropriate mitigating controls — continues to be a key component of overall cybersecurity program management. But what if you're unable to implement the necessary controls or if you fail to identify a critical risk? The real question is, what is your plan for readiness when you're faced with a risk that has been realized due to having no mitigating controls, inadequate mitigating controls, or blind spots?

Recently, I met with a potential customer, and security staffers outlined their current cybersecurity challenges, program/technology wants and needs, and talent shortages. As they described their top cybersecurity concerns, I asked if they were thinking about their problems correctly; instead of focusing on problem X, perhaps they should focus on problem Y instead. But then I realized that the security leader at that company sees the same problems day in and day out, and they're specific to the organization. In contrast, however, being in a role similar to that of a security solutions consultant, I see many different types of problems being approached and solved in multiple ways.

I wondered how much this difference in perspective affects our ability as an industry to align on cybersecurity baselines, metrics, prioritization approaches, etc. It's difficult to solve problems within our cybersecurity programs when the problems, the organizations we protect, and our priorities change every day. If we agree that "it's not if, but when," we also agree that we must accept a degree of uncertainty when managing our security. We cannot, however, allow those blind spots to result in business disruption. Instead, there must be a mindset shift in the way cybersecurity programs are managed, from a traditional risk management model to cyber resilience.

****Understanding the Security Game****

The good news is we're starting to see a shift in organizations prioritizing resilienc and not just risk, even though effective risk management is an important component of cyber resilience. According to a recent Forrester report, there has been a significant increase in chief risk officers (CROs) reporting directly to the CEO. This is one example of a much-needed pivot in the enterprise mindset, with security evolving from a compliance checkbox to an investment in a strategy for cyber resilience. For companies with inadequate protections in place, CISOs will need to focus their budgets on having a resourced team, proper tools, and robust training.

Part of this mindset shift is also understanding the security game you need to play and then being able to explain that strategy to your leadership team and board of directors. When all you think about is the risk — we're risky here, so we'll plug this hole with this solution, then we're risky over here, so we'll plug that hole over there with this other solution — it's like playing a game of whack-a-mole. Try taking that approach to your board as a well-defined strategy.

Instead, the message needs to be something along the lines of: According to industry research in our vertical, here are the top threats that attackers can leverage in our type of environment, and here's how we can improve our environment. Our strategy is to be more resilient.

Now you have something measurable and can build a reasonable cybersecurity program road map.

****Why Cyber Resilience Should Be No. 1 on Your To-Do List****

The CISOs who will be most effective in 2023 will not look to answer the question "Are we safe?" Because the answer is always no — there will always be risk. The right question is "How ready are we?" You want to think about what you learned from that cyber incident — which is more than just reactively identifying the risk, assessing costs, and then implementing controls accordingly. Guess what? Attackers also have those controls. And by the time you go through your procurement process, proof of value, vendor selection, and solution implementation, attackers are several steps ahead of you.

There will always be gaps in what you know about your environment, so focusing on the continuous improvement of your security program through the lens of being ready to anticipate, withstand, recover, and adapt is how you should approach 2023.

Now is the time for security leaders to create a cyber resilience-focused program. Companies can't eliminate all risk, but we will see organizations putting in place full-scale plans and spending where they need to so they are prepared to measure progress and improvement in their cybersecurity program. Those organizations that go with the "good enough" approach will most likely pay the price (and more) later.

**

The Resolution Every CSO/CISO Should Make This Year

It's imperative we collaborate and partner to improve software security. This may require developing tools and standards that can enrich SBOMs and provide deeper analysis.

Many in our industry are weighing the benefits that software bills of materials (SBOMs) could possibly bring to software quality and security. I think SBOMs are needed to understand and assess risk in software because they should provide visibility into the software construction process for a given software system. At some level, SBOMs already exist for certain products and software systems; however, their application for evaluating quality and security as stipulated in Executive Order 14028, Improving the Nation's Cybersecurity and recent federal guidance by the US Office of Management and Budget, the National Institute of Standards and Technology, and the Cybersecurity Infrastructure and Security Agency is fairly new and unproven at scale.

**The Royce Bill That Never Passed****

Around 2013, SBOM legislation H.R.5793 – Cyber Supply Chain Management and Transparency Act (known as the Royce Bill) was introduced but never gained the momentum it needed to pass as a mandate, bill, or requirement. The industry did not then have the appetite for transparency to manage software supply chain risk.

The issues this legislation would have addressed are outlined in the Congressional Record – Extensions of Remarks. These issues have now been exacerbated given the overwhelming amount of complexity and growing size in modern software development, and the increasing rate of attacks against open source software. With the increasing consumption rate of open source software in modern software development, consumers must be aware of the technical debt in open source software projects that has accumulated over time to better manage software risk. The idea of more software complexity, larger software systems, and mounting technical debt does not bode well for the federal government's desire for software integrity and trustworthiness through the software supply chain.

The fact that the Royce Bill didn't pass can be seen as a missed opportunity to address the growing threats and risk in software security at the time. Almost a decade later, the industry is still struggling to figure out how to implement SBOMs and strike the right balance to make them useful and not a target for adversaries to exploit. This raises major concern in industry about whether SBOMs are ready for prime time given the skepticism regarding the current requirements outlined in federal guidance.

****SBOM Must Inform About Unknown Risk****

One of the challenges for SBOMs is advancing and understanding how risky software is determined. I use the term "risky" because all software has vulnerabilities, and the SBOM must be able to differentiate or provide context to the level of risk associated with a software component, whether in isolation or once it has been implemented and integrated into a software system. To simply say you can't use this software component because it has CVEs (common vulnerabilities and exposures) associated with it becomes moot because all software can have vulnerabilities. SBOMs must be able to succinctly qualify which CVEs are the most dangerous and exploitable given the context the software will be implemented and used — the component function (logging, encryption, access control, authorization), the environment, and whether it can be hardened to reduce a given attack surface. The way in which software components are integrated into a system matters because software components can be implemented poorly or incorrectly, exposing vulnerabilities in software systems.

Using CVEs to establish a security baseline for open source software consumption make sense; however, tallying a bunch of CVEs to determine what software is less risky or riskier only focuses on the "known knowns" (as shown in the figure below) and does very little to help organizations understand what weaknesses are lurking that may expose vulnerabilities and impact the overall hygiene of that software component (over a period of time). Furthermore, the current state of practice regarding SBOMs doesn't encourage software supply chainers to understand the defect proneness or attack proneness rates associated with software. This is important because some software components are highly targeted and require significant patching due to inherent technical debt, low code quality, and security issues that expose vulnerabilities. More patching means developers and engineering teams are spending less time on creating and delivering new features and functionality to customers.

Defect proneness refers to the likelihood that a software component will be defective after a software product is released. There are various socio-technical factors that contribute to defect proneness such as low code quality and design flaws. Attack proneness refers to the rate at which software components can be successfully exploited, or the likelihood that software components will contain exploitable weaknesses — bug, defect, or flaw — or vulnerabilities.

    

Source: Kevin Greene

SBOM solutions must give organizations visibility into potential risk for a given software component as shown in the figure above, helping organizations make informed decisions about which software components to use and which software components to avoid. For instance, advice in the National Security Agency (NSA) Cybersecurity Information Sheet encourages developers to avoid using software developed in C and C++ because those programming languages were not intended to enforce good memory management checks. It will be interesting to see how this advice will affect the software supply chain, mainly for embedded safety critical systems, and whether suppliers will turn to programming languages that are memory safe, such as Rust and Go.

****Go Deeper to Guide SBOM****

SBOMs are not going away, so it's imperative we all collaborate and partner to improve software security. This may require developing tools and standards that can enrich SBOMs and provide deeper analysis and insight about the characteristics of software that help inform about software risk. This will help organizations effectively evaluate and attest to software integrity, as well as other software assurance properties. Ultimately, it's important for software supply chainers to understand not just the risk associated with a given software component but the potential maintenance associated with using that software component over a period of time, given the challenges in industry to remediate vulnerabilities in software in a timely fashion. The use of defect and attack proneness rates could provide actionable intelligence that helps lower the consumption of risky software with poor hygiene, and guide software supply chainers in building software systems that are more resilient to cyberattacks. 

In theory, software components with high defect and attack proneness rates should be avoided to help stimulate and encourage the use of alternatives with better hygiene. In my opinion, SBOMs don't improve code quality and security directly, but they can make software supply chainers more aware of risk in their software construction process. Improving code quality and security for open source software requires a culture shift given that having many eyes does not make all bugs shallow.

**

Don't Be Blindsided by Software Bills of Materials

Job applicants could face a raft of follow-on attacks after cyber intruders accessed their data in an opportunistic attack.

The Five Guys burger empire has been hit with what appears to be a "smash-and-grab" operation: Cyberattackers busted into a file server and made off with the personally identifiable information (PII) of people who applied to work at the chain.

Details are scant, but in a form letter to the impacted sent out on Dec. 29, Five Guys chief operating officer Sam Chamberlain noted that an "unauthorized access to files" was discovered on Sept. 17 and was blocked the same day.

He added, "We conducted a careful review of those files and, on December 8, 2022, determined that the files contained information submitted to us in connection with the employment process, including your name and \[variable data\]."

What was that "variable data," one might ask? Turke & Strauss LLP, a law firm that's investigating the matter on behalf of the victims, identifies the information as including Social Security numbers and drivers' license data.

Five Guys did not immediately respond to a request for verification or comment from Dark Reading.

Five Guys employs about 5,000 people worldwide, according to Forbes, and presumably the turnover and number of applications for open positions is similar to other food-service jobs. But while that means that a large number of people could potentially be affected by the breach, the company has so far left it unclear how many people were actually caught up in the incident.

Five Guys also hasn't announced what, if any, shoring up of security it plans to do in the wake of the incident, only noting that it engaged law enforcement and a cybersecurity firm, and that it would provide credit monitoring. Brad Hong, customer success manager at Horizon3ai, notes that improvements to defense should be an important part of the incident response.

"An unfortunate precedent has been set \[by the infamous Equifax breach\] to simply provide credit monitoring, shifting the onus of action back to the consumer instead of the organization announcing the technological steps taken to prevent breaches in the future," he says.

**A Whole Menu of Follow-on Attacks**

Researchers note that the unfolding situation could prove difficult for both the individual victims and the burger purveyor itself. This isn't Five Guys' first time being flamed on the cybercrime grill, as BullWall executive vice president Steve Hahn notes — and a prior incident illustrates just what could be at stake for both.

"In a past breach of Five Guys, the threat actor used the stolen data to make fraudulent charges on bank debit and credit cards, and one such bank, Trustco, was hit with $100,000 in fraudulent charges from customers of theirs that have been part of this data breach," he tells Dark Reading. "If the bad guys got that much out of Trustco, imagine how much they've bilked from Chase or Bank of America.”

As for the impact to the company, Trustco went on to file a lawsuit against Five Guys in New York for damages related to issuing new cards and reimbursing victims for fraudulent charges.

In this more recent case, John Bambenek, principal threat hunter at Netenrich, notes that there are any number of follow-on attacks that threat actors could mount using the data, even if it doesn't include payment-card information.

"The most immediate use of this data is to realize there are a handful of people on the lower end of the economic scale who are looking for jobs," he says. "I imagine there will be scams and mule recruitment lures sent to those people in the near future."

Hahn meanwhile mentions that the craftier cybercriminal types will often also try to take advantage of the fear and reaction in the market when such an incident is publicized, in the form of ultra-believable phishing efforts.

"Victims may get an email: 'We apologize but as you may have heard your data was part of our data breach,'" he explains. "'Please click here to reset your password.' These emails can look identical to emails from Five Guys and they can even spoof the Five Guys domain. Once the user puts in their credentials, they threat actor now has access to all the other sites they use that password on, like PayPal, Amazon, or Venmo."

Jim Morris, chief security adviser at Tanium, also tells Dark Reading that the potential for a cybercrime ripple effect could also include extortion, affecting applicants and organizations alike.

"Any victimized organization could receive double extortion threats — i.e., ask for money to not leak or sell the data," he says. "Individuals whose information is contained in the breach could be victims of triple extortion, whereby the attackers demand money from them to in turn not sell or use their data."

**A Smash (& Grab) Burger of Data Theft**

Since the data breach notice indicates that the bad guys accessed a single file server, with no lateral movement, this is likely a case of financially motivated attackers looking for low-hanging fruit, researchers say — and finding it.

Restaurants and food-service outlets have a unique set of financial challenges (like razor-thin margins) that can often lead to them deprioritizing security, even as they collect reams of data via online ordering, reservations systems, HR systems, and more, on an order of magnitude that far outstrips other sectors, says Andrew Barratt, vice president at Coalfire.

"The challenge is real — we have adaptive threat actors who will chase down any point of access versus defenders with limited budgets and a whole raft of macro-economic stresses to focus in on too," he says. "Really, we need to keep visibility of these kind of compromises high so that executives don't discount them as 'won’t happen to me.'"

Others are less charitable. Horizon3ai's Hong adds, "Unless the attack vector in this incident was a novel one, all signs point to this incident being another example of a company that chose returns over security. With Five Guys pulling in close to $2 billion in revenue, I’d be interested to see what their cybersecurity spend was."

Meanwhile, Web-facing systems could exacerbate the risk, Casey Ellis, founder and CTO at Bugcrowd, says.

"This sounds a lot like a recruiting system where candidates upload their resumes," he tells Dark Reading. "Having these sorts of systems available to the Internet makes sense when you consider the recruiting and job application process, but if something is more available to a public user, it's also more available to a potential attacker."

He adds, "Common Web coding flaws like Indirect Object References (IDOR), authentication flaws, and even injection flaws can enable this type of attacker outcome without the need for lateral movement."

Indeed, Tanium's Morris notes that the most common break-in approaches by threat actors looking for easy pickings tend to be the exploitation of known vulnerabilities, and phishing and stolen credentials. As such, there are simple steps that could make bottom-feeding data thieves simply move on to an easier target.

"Organizations can combat these attacks by having robust life-cycle management of all computer hardware and software. This requires identifying critical assets and data and protecting them accordingly," he says. "Asset life-cycle management must also include sustainable and efficient vulnerability and patching programs. Additionally, strong authentication and authorization processes that includes multifactor authentication need to be employed."

Five Guys Data Breach Puts HR Data Under a Heat Lamp

Linux suffers from two seccomp bugs with a PT_SUSPEND_SECCOMP permission bypass and ptracer death race condition.

Tag

#acer