Welcome to CISO Corner, a weekly digest of articles tailored specifically for Dark Reading's Security Operations readers and security leaders. Every week, we bring you articles collected from our News Operations, The Edge, DR Technology, DR Global, and Commentary sections. We are committed to providing diverse perspectives to support the job of operationalizing cybersecurity strategy for leaders of organizations of all shapes and sizes.
In this edition of CISO Corner, we’ll cover:
- Insisting on the need for “rational” cybersecurity
- Faulty AI tools raise fears for private LLMs and chatbots
- SEC's New View on Cybersecurity Risk Management
- BlackSuit Arrests Dozens of Victims for Well-Crafted Ransomware
- 9 Tips to Avoid Burnout in Cybersecurity
- Global: Chinese APTs steal geopolitical secrets from the Middle East, Africa, and Asia
- Preparing your organization for upcoming cybersecurity deadlines
Insisting on the need for “rational” cybersecurity
By Stephen Lawton, Dark Reading Contributing Writer
Proper cybersecurity is highly subjective: organizations must quantify their cyber risks and carefully plan for applying security controls.
For regulators overseeing companies' cybersecurity practices, the standard of proof is “reasonable cybersecurity” – taking measures to protect data based on what a reasonably prudent person would do in similar circumstances.
But “reasonable cybersecurity” is intentionally vague and highly context-dependent. Cyber insurers often use questionnaires asking whether various security controls are in place, and underwriters then decide whether to approve the policy. If a breach occurs at a later date, the insurer may dispute the claim. In 2022, Travelers Insurance filed and won a lawsuit against International Control Services for misrepresenting its security controls.
To largely eliminate this confusion, security frameworks such as the NIST Cybersecurity Framework (CSF) and the Center for Internet Security's Critical Security Controls (CIS Controls) give companies the controls needed to meet the legal standard of reasonableness, although other steps are also important.
Read more: Insisting on the need for “rational” cybersecurity
Related: Analyzing a Data Breach: What to do if it happens to you is a free Dark Reading virtual event scheduled for June 20. Verizon's Alex Pinto will deliver a keynote address, “Up Close: Real-World Data Breaches,” where he will dive deeper into the DBIR findings and more.
Faulty AI tools raise fears for private LLMs and chatbots
Robert Lemos, Dark Reading contributor
Companies are turning to large language models to help employees glean information from unstructured data, but vulnerabilities could lead to the spread of misinformation and, in some cases, data leaks.
This week, Synopsys disclosed a cross-site request forgery (CSRF) vulnerability affecting applications based on the EmbedAI component created by AI provider SamurAI. The vulnerability could allow attackers to trick users into uploading tainted data to language models, potentially affecting private LLM instances and even chatbots.
The findings underscore the risks of integrating a generative AI chatbot into business processes, especially for companies that allow LLMs and other generative AI applications access to large data repositories.
“You can't just give LLM access to a ton of data and say, 'OK, anyone can access this,' because that's like giving everyone access to a database with all that data in it,” says Dan McInerney, a threat researcher at Protect AI. “So you need to clean up the data.”
Read more: Faulty AI tools raise fears for private LLMs and chatbots
Related: Hugging Face AI platform loaded with 100 malicious code execution models
SEC's New View on Cybersecurity Risk Management
Commentary by Dr. Sean Costigan, Managing Director of Resilience Strategies at Redshift
Insights from three companies that recently reported violations under the new disclosure regulations.
Under the SEC's new disclosure rules, registrants must report within four days any cybersecurity incident that they determine to be of “material impact,” meaning an incident that could have a significant effect on the company's operations or finances.
Given the short deadline, many companies are struggling to meet the requirements, but fortunately the experience of some major companies that have already reported incidents and made disclosures is providing important insights.
Clorox, Prudential Financial, UnitedHealth and others all provide early lessons on enterprise risk management. Companies need to detail breaches and maintain continuous visibility into all digital assets. Being transparent and getting the basics right is key. Information sharing has proven its value across all sectors.
Read more: SEC's New View on Cybersecurity Risk Management
Related: Worried about SEC rule changes? Don't miss the first episode of our new podcast, Dark Reading Confidential. “CISO and SEC” will feature voices from the field, with Reddit CISO Frederick “Flee” Lee, attorney Beth Burgin Waller, and Reddit's Chief Legal Officer Ben Lee joining DR staff for a candid discussion.
BlackSuit Arrests Dozens of Victims for Well-Crafted Ransomware
By Elizabeth Montalbano, Dark Reading Contributor
The researchers took an in-depth look at attacks by this threat group, which primarily targets US companies in the education and industrial products sectors to maximize financial gain.
The BlackSuit ransomware group has leaked data stolen in attacks against 53 organizations, and the group has been active since May 2023.
BlackSuit, reportedly an offshoot of the Royal ransomware group, primarily targets U.S. companies in critical sectors such as education and industrial products, carefully selecting its targets to maximize financial gain.
According to a post by the ReliaQuest threat research team, “This targeting pattern strongly suggests a financial motivation with a focus on critical sectors with smaller cybersecurity budgets or lower tolerance for downtime, increasing the likelihood of a successful attack and/or a quick ransom payment.”
Read more: BlackSuit Arrests Dozens of Victims for Well-Crafted Ransomware
Related: Attackers Target Check Point VPNs to Access Corporate Networks
9 Tips to Avoid Burnout in Cybersecurity
Joan Goodchild, Dark Reading Contributing Writer
When security professionals feel mentally and physically exhausted and at their limit, burnout is often the culprit. Here's what you can do about it.
Cybersecurity is known for its high-stress environment, near-constant work cycle and demanding nature, which can have a negative impact on mental health, especially in the form of burnout.
The evidence is not hard to find: burnout is widespread among security professionals. A recent Gartner Peer Community survey found that 62% of IT and security leaders experience burnout and that many CISOs plan to leave their jobs or careers due to what Gartner calls “unique stressors,” while a Mimecast survey found that 56% of cybersecurity workers experience increased job stress each year.
So what can you do? This slideshow offers nine tips to help you manage stress and prevent burnout.
Read more: 9 Tips to Avoid Burnout in Cybersecurity
Related: Persistent burnout remains a cybersecurity crisis
Global: Chinese APTs steal geopolitical secrets from the Middle East, Africa, and Asia
By Nate Nelson, Dark Reading Contributing Writer
One of China's biggest espionage operations was successful thanks to long-standing bugs in Microsoft Exchange, open source tools, and old malware.
Chinese government-affiliated threat groups have been stealing emails and files from senior government and military officials across the Middle East, Africa and Southeast Asia every day since late 2022.
Operation Diplomatic Specter, an audacious espionage operation described in a new report by Palo Alto Networks' Unit 42, targets foreign ministries, military organizations, embassies, and other entities in at least seven countries across three continents. Its objective is to obtain classified and other sensitive information about geopolitical conflicts, diplomatic and economic missions, military operations, political conferences and summits, high-ranking politicians and military personnel, and above all, embassies and foreign ministries.
The campaign is still ongoing, and the attackers have already shown a willingness to continue their espionage even after being exposed and evicted from a compromised network.
Read more: Chinese APTs steal geopolitical secrets from the Middle East, Africa, and Asia
Related: China-backed APT uses ProxyLogon to take control of building automation systems
Preparing your organization for upcoming cybersecurity deadlines
Commentary by Karl Mattson, Field CISO, Noname Security
Federal and state regulators have introduced new rules and regulations aimed at holding organizations accountable when it comes to cybersecurity. Here's how to prepare.
The threat landscape is evolving rapidly, with company data and critical infrastructure at risk. Adding to the challenge, federal and state regulators in the U.S. are introducing new rules and mandates aimed at holding organizations accountable for cybersecurity, with compliance deadlines fast approaching.
For example, smaller reporting companies will need to comply with the SEC’s new breach disclosure rules (deadline: June 15th), namely “companies with publicly traded equity of less than $250 million and registered companies with annual revenues of less than $100 million for the prior fiscal year and either no publicly traded equity or less than $700 million in publicly traded equity.”
Federal agencies also have a deadline to meet their Zero Trust goals: September 30. Each agency must complete 19 specific tasks that align with the five pillars of the Cybersecurity and Infrastructure Security Agency's Zero Trust Maturity Model: identity, devices, networks, applications and workloads, and data.
These new requirements will have a significant impact and are a step in the right direction, but to be truly effective they require a major shift in how we think about security.
Read more: Preparing your organization for upcoming cybersecurity deadlines
Related: OMB Announces Zero Trust Strategy for Federal Agencies