Welcome to CISO Corner. Dark Reading's weekly article digest is tailored specifically for security operations readers and security leaders. Each week we bring you stories from across the News Operations, The Edge, DR Technology, DR Global, and Commentary sections. We are committed to providing diverse perspectives to support the operationalization of cybersecurity strategies for leaders in organizations of all shapes and sizes.
In this issue of CISO Corner:
- Kindervag says: 5 hard truths about the state of cloud security in 2024
- MITRE ATT&CKED: The most trusted name in InfoSec is at Ivanti Bugs
- Lessons for CISOs from OWASP's Top 10 LLMs
- Cyberattack Gold: SBOM provides easy investigation of vulnerable software
- Global: Is Bill Licensed? States Require Certification and Licensing of Cybersecurity Professionals
- Johnson & Johnson spinoff CISO talks maximizing cybersecurity
- SolarWinds 2024: Where does cyber disclosure go from here?
5 hard truths about the state of cloud security in 2024
Ericka Chickowski, Contributing Writer, Dark Reading
Dark Reading talks about cloud security with John Kindervag, the godfather of Zero Trust.
Most organizations have not fully aligned with mature cloud security practices, despite nearly half of breaches originating in the cloud and nearly $4.1 million lost to cloud breaches in the past year.
This is a big problem, according to the godfather of Zero Trust security, John Kindervag, who conceptualized and popularized the Zero Trust security model as an analyst at Forrester. He tells Dark Reading that some hard truths must be faced in order to turn things around.
1. Just moving to the cloud doesn't make it more secure. The cloud is not inherently more secure than most on-premises environments. Hyperscale cloud providers may be great at protecting their infrastructure, but they have very limited control and responsibility over their customers' security posture. And the shared responsibility model doesn't really work.
2. Native security controls are difficult to manage in a hybrid world. Quality is inconsistent when it comes to giving customers more control over workloads, identity, and visibility, and security controls that must be managed across multiple clouds are difficult.
3. Identity won't save the cloud. With so much focus on cloud identity management, and a disproportionate focus on the identity component of zero trust, organizations should understand that identity is just one part of a balanced breakfast for zero trust in the cloud.
4. Too many companies don't understand what they're trying to protect. While each asset, system, and process carries its own risks, organizations lack a clear idea of what is in the cloud and what is connected to it, much less what needs to be protected.
5. Cloud-native development incentives are misaligned. Too many organizations don't have the right incentive structures for developers to build in security, and in fact many have perverse incentives that end up encouraging insecure practices. "I like to say that the DevOps app guy is the Ricky Bobby of the IT world. They just want to go fast," he says.
Read more: 5 hard truths about the state of cloud security in 2024
Related: Zero Trust is taking over: 63% of organizations worldwide have adopted it
MITRE ATT&CKED: The most trusted name in InfoSec is at Ivanti Bugs
By Nate Nelson, Contributing Writer, Dark Reading
The irony will be lost on few: a nation-state threat actor used eight MITRE techniques to compromise MITRE itself, including exploiting a bug in Ivanti that attackers have been flocking to for months.
Foreign state hackers used vulnerable Ivanti edge devices to get 3 months of "deep" access to one of MITRE Corp.'s non-classified networks.
MITRE, the custodian of the ATT&CK glossary of commonly known cyberattack techniques, had not had a major incident in 15 years. Like many other organizations, it saw that streak end in January when its Ivanti gateway devices were exploited.
The breach affected the Network Experimentation Research Virtualization Environment (NERVE), a non-classified collaborative network used by the organization for research, development, and prototyping. The extent of the damage to NERVE (pun intended) is currently being evaluated.
Whatever their goal, the hackers had plenty of time to carry it out. The breach occurred in January, but MITRE was only able to detect it in April, with a four-year gap in between.
Read more: MITRE ATT&CKED: The most trusted name in InfoSec is at Ivanti Bugs
Related: Top MITRE ATT&CK techniques and how to defend against them
Lessons for CISOs from OWASP’s Top 10 LLMs
Comments from Kevin Bocek, Venafi Chief Innovation Officer
The time has come to start regulating LLMs to ensure they are accurately trained and able to handle business transactions that may impact revenue.
OWASP recently released its Top 10 for Large Language Model (LLM) Applications. This gives developers, designers, architects, and managers 10 clear areas of focus when it comes to security concerns.
Almost all of the Top 10 LLM threats center on compromising the authentication of the identities used in the model. The attack methods run the gamut and affect not only the identity of a model's inputs but also the identity of the model itself and of its outputs and actions. This has a ripple effect, requiring code signing and authentication during creation to prevent vulnerabilities at the source.
More than half of the top 10 risks are mitigatable in nature and call for an AI kill switch, so companies should evaluate their options when implementing a new LLM. With the right tools in place to authenticate inputs and models, as well as model actions, enterprises are better equipped to take advantage of the idea of an AI kill switch and prevent further disruption.
Read more: Lessons for CISOs from OWASP's Top 10 LLMs
Related: Bugcrowd Announces LLM Vulnerability Assessment
Cyberattack Gold: SBOM provides easy investigation of vulnerable software
Author: Rob Lemos, Contributor, Dark Reading
Attackers may use software bills of materials (SBOMs) to search for software that is potentially vulnerable to specific software flaws.
Governments and security-sensitive companies are increasingly asking software manufacturers to provide software bills of materials (SBOMs) to address supply chain risks, which creates a new category of concern.
In a nutshell, an attacker can identify the software a targeted company is running, retrieve the associated SBOM, and analyze the application's components for weaknesses without sending a single packet, says Larry Pesce, director of product security research and analysis at software supply chain security company Finite State.
He has been a penetration tester for 20 years and will be warning of the risks in a presentation on "evil SBOM" at the RSA Conference in May. He will show that there is enough information in an SBOM for an attacker to search a database of SBOMs for a specific CVE and find potentially vulnerable applications. Even better for attackers, he says, the SBOM also lists other components and utilities on the device that attackers can use to "live off the land" after a breach.
Read more: Cyberattack Gold: SBOM provides easy investigation of vulnerable software
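As a defender-side illustration of what such a lookup involves (added here; not code from the article, from Larry Pesce, or from Finite State), this Python script parses a constructed CycloneDX SBOM and matches its components against a constructed advisory list with placeholder CVE ids; the same matching can be run over an organization's own SBOMs to see which disclosed components would draw attention.

```python
import json

# Constructed CycloneDX-style SBOM fragment; the component names, versions
# and purls are made up for this example and are not from the article.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample", "version": "1.2.3", "purl": "pkg:generic/libexample@1.2.3"},
    {"type": "library", "name": "netutil", "version": "0.9.0", "purl": "pkg:generic/netutil@0.9.0"},
    {"type": "application", "name": "curl", "version": "7.81.0", "purl": "pkg:generic/curl@7.81.0"}
  ]
}"""

# Constructed advisory list with placeholder CVE ids (CVE-XXXX-nnnn), modelled
# on the "introduced / fixed" version-range style used by vulnerability feeds.
ADVISORIES = [
    {"id": "CVE-XXXX-0001", "name": "libexample", "introduced": "1.0.0", "fixed": "1.2.4"},
    {"id": "CVE-XXXX-0002", "name": "netutil", "introduced": "0.5.0", "fixed": "0.8.0"},
]


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple: '1.2.3' -> (1, 2, 3)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (the fixed release itself is clean)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def find_exposed(sbom_text, advisories):
    """Return (advisory id, component name, version) for every SBOM component
    whose name and version fall inside an advisory's affected range."""
    sbom = json.loads(sbom_text)
    hits = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not name or not version:
            continue  # an SBOM entry without a version cannot be matched to a range
        for adv in advisories:
            if adv["name"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                hits.append((adv["id"], name, version))
    return hits
```

Running `find_exposed(SBOM_JSON, ADVISORIES)` flags only libexample 1.2.3; netutil 0.9.0 is past the fixed version and is left alone.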
Related: Southern Company builds SBOM for substations
Global: Is Bill Licensed? States Require Certification and Licensing of Cybersecurity Professionals
Robert Lemos, Contributing Writer, Dark Reading
Malaysia, Singapore, and Ghana are among the first countries to pass laws mandating that cybersecurity companies, and in some cases individual consultants, obtain a license to do business, but concerns remain.
Malaysia joins at least two other countries, Singapore and Ghana, in passing a law requiring cybersecurity professionals or their companies to be certified and licensed to provide some cybersecurity services in the country.
Although the law's obligations have not yet been determined, “it is likely to apply to service providers who provide services that protect the information and communication technology devices of others. [for example] penetration testing providers and security operations centres,” said Malaysia-based law firm Christopher & Lee Ong.
Neighboring Singapore in Asia-Pacific has already required licensing for cybersecurity service providers (CSPs) for the past two years, and the West African country of Ghana has required licensing and certification for cybersecurity professionals. More broadly, governments such as the European Union are standardizing cybersecurity certifications, while other government agencies, such as the US state of New York, require certification and licensing of cybersecurity capabilities in specific industries.
But some experts see potentially dangerous consequences from these moves.
Read more: Is Bill Licensed? States Require Certification and Licensing of Cybersecurity Professionals
Related: Singapore sets high standards for cybersecurity preparedness
J&J spinoff's CISO works to maximize cybersecurity
Author: Karen D. Schwartz, Contributing Writer, Dark Reading
The CISO at Kenvue, a consumer healthcare company spun out of Johnson & Johnson, explains how he combined tools and new ideas to build his security program.
At Johnson & Johnson, Mike Wagner helped shape the security approach and security stack of a Fortune 100 company. Now, as founding CISO of Kenvue, J&J's year-old consumer healthcare spinoff, he is tasked with building a streamlined, cost-effective architecture with maximum security.
This article details the steps Wagner and his team took.
Define key roles: architects and engineers to implement tools; identity and access management (IAM) experts to enable secure authentication; a risk management leader to align security with business priorities; and security operations staff for incident response. Dedicated staff handle each cyber function.
Incorporate machine learning and AI: tasks include automating IAM, streamlining supplier vetting, behavior analysis, and improving threat detection.
Choose which tools and processes to keep and which to replace: J&J's cybersecurity architecture is a patchwork of systems created through decades of acquisitions. Tasks here include inventorying J&J's tools, mapping them to Kenvue's operating model, and identifying the new functionality needed.
Wagner says there is still work to be done. Next, the team plans to focus on modern security strategies, including adopting zero trust and strengthening technical controls.
Read more: J&J spinoff's CISO works to maximize cybersecurity
Related: A look at Visa's AI tools against fraud
SolarWinds 2024: Where does cyber disclosure go from here?
Comments from Tom Tovar, Appdome CEO and Co-Developer
Get the latest advice on when, where, and how to disclose cybersecurity incidents under the SEC's 4-day rule after SolarWinds, and join the call to revise the rules so that remediation comes first.
In a post-SolarWinds world, companies need a safe harbor for remediating cybersecurity risks and incidents. Specifically, if a company remediates a defect or attack within 4 days, it should either (a) avoid a fraud claim (i.e., have nothing that needs to be talked about), or (b) be able to disclose the incident through the standard 10-Q and 10-K processes, including the management discussion and analysis section.
On October 30, the SEC filed fraud allegations against SolarWinds and its chief information security officer, stating that even though SolarWinds employees and executives knew about the risks, vulnerabilities, and attacks on SolarWinds products, which increased over time, "SolarWinds' cybersecurity risk disclosures did not disclose them at all."
To prevent liability issues in these situations, a remediation safe harbor would give businesses the full four-day period to assess and respond to the incident and then, if it is remedied, the time to properly disclose it. As a result, there would be more emphasis on cyber response and less impact on a company's public equity. The 8-K may continue to be used for unresolved cybersecurity incidents.
Read more: SolarWinds 2024: Where does cyber disclosure go from here?
Related: What SolarWinds means for DevSecOps