Welcome to CISO Corner. Dark Reading's weekly article digest is tailored specifically for security operations readers and security leaders. Each week, we bring you stories from across our news operations, The Edge, DR Technology, DR Global, and commentary sections. We are committed to providing diverse perspectives to support the operationalization of cybersecurity strategies for leaders in organizations of all shapes and sizes.
In this issue of CISO Corner:
- Companies that adopt cyber governance create nearly 4x more value
- Even cyber pros get fooled: Inside real vishing attacks
- Mitigating third-party risk requires a collaborative and thorough approach
- Global: Australian government doubles down on cybersecurity after major attack
- CISO Materiality and Risk Determination Guide
- Zero-day bonanza drives more exploits against enterprises
- Put security remediation on the board meeting agenda
Companies that adopt cyber governance create nearly 4x more value
David Strom, Contributing Writer, Dark Reading
Boards that create special committees that include cyber experts, rather than relying on the entire board, are more likely to improve security and financial performance.
Companies that made an effort to follow guidelines to improve cybersecurity governance created nearly four times more shareholder value than those that did not.
That's the conclusion of a new study jointly conducted by Bitsight and Diligent Institute. The survey measured cybersecurity performance across 23 different risk factors, including the presence of botnet infections, servers hosting malware, outdated encryption certificates for web and email communications, and open network ports on public servers.
The report also found that creating separate board committees focused on risk and audit compliance produces the best results. "Boards that conduct cyber oversight through specialized committees with cyber expert members, rather than relying on the entire board, are more likely to improve their overall security posture and financial performance." Ladi Adefala, consultant and CEO of Omega315, agrees.
Read more: Companies that adopt cyber governance create nearly 4x more value
Related: With TikTok banned, now is the time for operational governance
Even cyber pros get fooled: Inside real vishing attacks
By Elizabeth Montalbano, Contributing Writer, Dark Reading
Successful attackers focus on psychologically manipulating human emotions, so anyone can become a victim, even cyber professionals and tech-savvy individuals.
It all started around 10:30 a.m. on Tuesday when I received a call from an unknown mobile number. I work from home on my computer and usually don't answer calls from people I don't know. For some reason, I decided to quit what I was doing and answer that call.
That was the first of a series of mistakes I made over the next four hours as the victim of a vishing, or voice phishing, campaign. By the end of the ordeal, I had transferred nearly 5,000 euros in Bitcoin from my bank account to the scammer. My bank was able to cancel most transfers. However, I lost 1,000 euros that I sent to the attacker's Bitcoin wallet.
Experts say it doesn't matter how much expertise a target has in knowing the tactics attackers use, or how much experience they have in detecting fraud. The key to attackers' success is older than technology and lies in manipulating what makes us human: our emotions.
Read more: Don't Answer the Phone: Inside a Real Malicious Attack
Related: North Korean hackers target security researchers again
Mitigating third-party risk requires a collaborative and thorough approach
Commentary by Matt Mettenheimer, Associate Director, Cybersecurity Practice, Cyber Advisory, S-RM
While this issue may seem daunting, most organizations have more ownership and flexibility than they realize in dealing with third-party risk.
Third-party risks pose unique challenges for organizations. On the surface, third parties may appear trustworthy. But without complete transparency into the inner workings of third-party vendors, how can organizations ensure the safety of entrusted data?
Organizations often downplay this pressing issue due to long-standing relationships with third-party vendors. However, the emergence of fourth-party and even fifth-party vendors should incentivize organizations to protect their external data. Going forward, appropriate security due diligence on third-party vendors should include investigating whether those third parties are outsourcing their clients' private data to further downstream parties. Thanks to the proliferation of SaaS services, third parties are more likely to outsource.
Fortunately, there are five easy steps you can take right away to provide your organization with a starting roadmap to successfully mitigate third-party risk.
Read more: Mitigating third-party risk requires a collaborative and thorough approach
Related: Cl0p claims MOVEit attack. This is how the gang works
Australian government doubles down on cybersecurity after major attack
John Leyden, Contributor, Dark Reading Global
The government is proposing more modern and comprehensive cybersecurity regulations for businesses, governments and critical infrastructure providers.
Weaknesses in Australia's cyber incident response capabilities were exposed by the September 2022 cyberattack on telecommunications provider Optus, followed in October by a ransomware-based attack on health insurance provider Medibank.
As a result, the Australian government is planning to update its cybersecurity laws and regulations with a strategy to position the country as a world leader in cybersecurity by 2030.
As well as addressing gaps in existing cybercrime laws, Australian lawmakers hope to amend the Security of Critical Infrastructure (SOCI) Act 2018 to focus on threat prevention, information sharing and cyber incident response.
Read more: Australian government strengthens cybersecurity after major attack
Related: Australian ports resume operations after devastating cyber disruption
CISO Materiality and Risk Determination Guide
Commentary by Peter Dyson, Kovrr Head of Data Analysis
For many CISOs, “materiality” remains an ambiguous term. Even so, you need to be able to discuss materiality and risks with your board.
The SEC currently requires publicly traded companies to assess whether a cyber incident is "material" as the threshold for reporting it. However, for many CISOs, materiality remains a nebulous term, open to interpretation based on an organization's unique cybersecurity environment.
At the heart of the confusion surrounding materiality is determining what constitutes a "material loss." Some hold that materiality begins at a loss of 0.01% of the previous year's revenue, which is equivalent to about 1 basis point of revenue (corresponding to roughly one hour's revenue for a Fortune 1000 company).
By testing various thresholds against industry benchmarks, organizations can gain a clearer understanding of their vulnerability to serious cyberattacks.
Read more: CISO Materiality and Risk Determination Guide
Related: Prudential files voluntary notice of violation with SEC
Zero-day bonanza drives more exploits against enterprises
Written by Becky Bracken, Dark Reading Senior Editor
According to Google, sophisticated attackers are increasingly turning their attention to enterprise technologies and their vendors, while end-user platforms are successfully thwarting zero-day exploits by investing in cybersecurity.
The number of zero-day vulnerabilities exploited in the wild in 2023 was 50% higher than in 2022. Businesses have been particularly hard hit.
According to research from Mandiant and the Google Threat Analysis Group (TAG), sophisticated state-sponsored attackers are exploiting a vast corporate attack surface: a footprint of software from multiple vendors, third-party components, and sprawling libraries provides a rich hunting ground for those with the ability to develop zero-day exploits.
Cybercriminal groups have a particular focus on security software such as Barracuda Email Security Gateway, Cisco Adaptive Security Appliance, Ivanti Endpoint Manager Mobile and Sentry, and Trend Micro Apex One, the study added.
Read more: Zero-day bonanza drives more exploits against enterprises
Related: Attackers exploit Microsoft security to avoid zero-day bugs
Put security remediation on the board meeting agenda
Commentary by Matt Middleton-Leal, Managing Director, Qualys EMEA North
IT teams can withstand scrutiny by helping the board understand the risks and how to resolve them, and by explaining the long-term vision for risk management.
CEOs of the past may have lost sleep over how their security teams approached specific CVEs; with the CVE for a dangerous bug such as Apache Log4j still unpatched at many organizations, security remediation has become a broader challenge. This means more security leaders will be asked for insight into how well they are managing risk from a business perspective.
This leads to difficult questions, especially regarding budgets and how to use them.
Most CISOs want to report on basic IT security metrics (number of outages, updates deployed, number of critical issues fixed), but these must be set against other business risks and issues, and it can be difficult to keep the board's focus and demonstrate that the CISO is delivering results.
To overcome these issues, you need to use comparative and contextual data to tell your risk story. Providing basic numbers about the number of patches deployed does not account for the enormous effort expended to fix critical issues that put revenue-generating applications at risk, nor does it show how your team performs compared with other teams. Fundamentally, you need to demonstrate what good looks like for your board and how you can continue to deliver results over time.
Read more: Put security remediation on the board meeting agenda
Related: What your board is missing: a CISO