CISO Corner: DoD Regs, Neurodiverse Talent & Tel Aviv's Light Rail
Also in this issue: How the SEC's reporting rules are being weaponized, quishing attacks plaguing execs, and tabletop exercises making a comeback.
February 9, 2024
Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Tech, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.
In this issue:
How the SEC's Rules on Cybersecurity Incident Disclosure Are Exploited
Managed Everything? Vendors Shift Focus to Services
DR Global: Q&A: Tel Aviv Railway Project Bakes in Cyber Defenses
World Govs, Tech Giants Sign Spyware Responsibility Pledge
The DoD's CMMC Is the Starting Line, Not the Finish
Why Demand for Tabletop Exercises Is Growing
How Neurodiversity Can Help Fill the Cybersecurity Workforce Shortage
QR Code 'Quishing' Attacks on Execs Surge, Evading Email Security
How the SEC's Rules on Cybersecurity Incident Disclosure Are Exploited
Commentary by Ken Dunham, Cyber Threat Director, Qualys Threat Research Unit
Cyber hygiene is no longer a nice-to-have but necessary for organizations that want to survive the relentless barrage of cyberattacks being unleashed daily.
The Securities and Exchange Commission (SEC) recently adopted new rules that require publicly traded companies to report cyberattacks with a material impact. Failure to do so likely will result in financial penalties and reputational damage.
While that's a boon for company stakeholders in theory, threat actors are seeing an extortion opportunity. For instance, the ALPHV ransomware gang allegedly breached MeridianLink's network in November, exfiltrating data without encrypting systems. When MeridianLink failed to pay a ransom to protect its data, ALPHV sent a complaint directly to the SEC outing the breach.
It's a glimpse of how things could go moving forward in the fast-evolving world of extortion tactics, particularly given the sheer volume of opportunity for compromising companies these days. There were 26,447 vulnerabilities disclosed in 2023 according to Qualys analysts, and of those categorized as high-risk or critical, hackers pounced upon a quarter of them and published "n-day" exploits on the same day that they were disclosed.
Thankfully, there are some steps companies can take to thwart this kind of pressure.
Read on: How the SEC's Rules on Cybersecurity Incident Disclosure Are Exploited
Related: A Cyber Insurer's Perspective on How to Avoid Ransomware
Managed Everything? Vendors Shift Focus to Services
By Robert Lemos, Contributing Writer, Dark Reading
More companies are opting for managing complex security capabilities, such as data detection and response.
Threat management firm Rapid7 and data security firm Varonis announced new managed services this week, becoming the latest security companies to bundle complex security capabilities together in managed offerings.
In many ways, managed detection and response (MDR) covers a lot of ground and, so far, has done well for vendors and their customers. Vendors have happy clients, exceptionally rapid growth rate, and a very high margin for the service. Meanwhile, businesses can focus on the threats themselves, leading to faster detection and response. Focusing on the data could improve the response time, but that is far from certain.
Offering a managed version of an emerging security service will be an increasingly common approach, as the creation of an in-house cybersecurity capability is expensive, according to analyst firm Frost & Sullivan.
"In light of the shortage of cybersecurity professionals, organizations are looking for ways to automate the process of threat detection and response," the report stated. "The new generation of solutions and services promises to deploy machine learning and artificial intelligence, automating decision-making to improve the overall performance of the security stack."
Find out more about the move to managed: Managed Everything? Vendors Shift Focus to Services
Related: Tips for Monetizing SecOps Teams
Q&A: Tel Aviv Railway Project Bakes in Cyber Defenses
From DR Global
How a light railway in Israel is fortifying its cybersecurity architecture amid an increase in OT network threats.
Railway networks are suffering an increase in cyberattacks, most notably an August incident in which hackers infiltrated the radio frequency communications of Poland's railway network and temporarily disrupted train traffic.
Looking to avoid the same fate, Tel Aviv's Purple Line light rail transport (LRT), a line currently under construction and due to be open and running by the end of this decade, is baking cybersecurity directly into its build.
Dark Reading spoke with Eran Ner Gaon, CISO of Tel Aviv Purple Line LRT, and Shaked Kafzan, co-founder and CTO of rail cybersecurity provider Cervello, about the railway's comprehensive OT security strategy, which includes measures such as threat intelligence, technological measures, incident response plans, and training of employees related to the regulation of the Israel National Cyber Directorate.
Read more on this case study: Q&A: Tel Aviv Railway Project Bakes in Cyber Defenses
Related: Rail Cybersecurity Is a Complex Environment
World Govs, Tech Giants Sign Spyware Responsibility Pledge
By Tara Seals, Managing Editor, Dark Reading
France, the UK, the US, and others will work on a framework for the responsible use of tools like NSO Group's Pegasus, and Shadowserver Foundation gains £1 million investment.
Commercial spyware, such as NSO Group's Pegasus, is usually installed on iPhones or Android devices and can eavesdrop on phone calls; intercept messaging; take pictures with the cameras; exfiltrate app data, photos, and files; and take voice and video recordings. The tools usually make use of zero-day exploits for initial access and sell for millions of dollars, meaning that their target market tends to consist of global government clients and large commercial interests.
This week, a coalition of dozens of countries including France, the UK, and the US, along with tech giants such as Google, Meta, Microsoft, and the NCC Group, have signed a joint agreement to combat the use of commercial spyware in ways that violate human rights.
UK Deputy Prime Minister Oliver Dowden announced the kickoff for the spyware initiative, dubbed the "Pall Mall Process," which will be a "multi-stakeholder initiative … to tackle the proliferation and irresponsible use of commercially available cyber-intrusion capabilities," he explained.
More specifically, the coalition will establish guidelines for developing, selling, facilitating, purchasing, and using these types of tools and services, including defining irresponsible behavior and creating a framework for their transparent and accountable use.
Find out how why commercial spyware pledge matters: World Govs, Tech Giants Sign Spyware Responsibility Pledge
Related: Pegasus Spyware Targets Jordanian Civil Society in Wide-Ranging Attacks
The DoD's CMMC Is the Starting Line, Not the Finish
Commentary by Chris Petersen, Co-Founder & CEO, RADICL
Cybersecurity Maturity Model Certification (CMMC) and a harden, detect, and respond mindset are key to protecting defense and critical infrastructure companies.
As threat actors like Volt Typhoon continue to target critical infrastructure, the US Department of Defense's Cybersecurity Maturity Model Certification (CMMC) may soon will become a strictly enforced mandate.
Companies that achieve adherence to CMMC (which has been aligned to NIST 800-171 at the "Advanced" certification level) will become a harder target, but true cyber threat protection and resilience means going beyond "check-the-box" CMMC / NIST 800-171 compliance. That means moving to "harden-detect-respond (HDR)" operations.
Proactively identifying, fixing, and returning IT and operational weaknesses to a hardened state.
Immediately detecting and investigating possible intrusions into the IT environment, 24x7.
Hunting and rooting out embedded threats within the IT environment.
Quickly containing, mitigating, and fully responding to incidents.
CMMC/NIST 800-171 mandate most HDR capabilities. However, a company's rigor and depth in realizing them can make the difference between remaining vulnerable to the advances of a nation-state cyber threat or remaining protected.
Here are the 7 critical HDR practices: CMMC Is the Starting Line, Not the Finish
Related: How 'Big 4' Nations' Cyber Capabilities Threaten the West
Why Demand for Tabletop Exercises Is Growing
By Grant Gross, Contributing Writer, Dark Reading
Tabletop exercises can be an effective and affordable way to test an organization's defense and response capabilities against cyberattack.
Cybersecurity drills come in many forms, but one of the least expensive and most effective is the tabletop exercise. These drills typically run for two to four hours and can cost less than $50,000 (sometimes much less), with much of the expense related to planning and facilitating the event.
The common approach to tabletop exercises is old-school and low-tech, but proponents say a well-run scenario can expose holes in organizations' response and mitigation plans. And demand for tabletop exercises has grown exponentially in the past two years, driven by compliance issues, board directives, and cyber-insurance mandates.
In fact, the nonprofit Center for Internet Security calls tabletops "a must," stressing that they help organizations better coordinate separate business units in response to an attack and identify the employees who will play critical roles during and after an attack.
Read more on getting the most from tabletop exercises: Why Demand for Tabletop Exercises Is Growing
Related: Top 6 Mistakes in Incident Response Tabletop Exercises
How Neurodiversity Can Help Fill the Cybersecurity Workforce Shortage
Commentary by Dr. Jodi Asbell-Clarke, Senior Research Leader, TERC
Many people with ADHD, autism, dyslexia, and other neurodiverse conditions bring new perspectives that can help organizations solve cybersecurity challenges.
The ISC2, which says the global workforce gap is 3.4 million, advocates for companies to recruit a more diverse population, which many interpret as meaning inclusion efforts around race and gender. While that's crucial, there's another area to expand into: Neurodiversity.
Many top STEM companies, including Microsoft, SAP, and EY, have neurodiversity workforce initiatives. While most neurodiversity hiring programs originally focused on autism, many employers are expanding to include individuals with attention-deficit/hyperactivity disorder (ADHD), dyslexia, and other (sometimes nonlabeled) differences.
Neurodiversity is a competitive advantage: Some people with autism for instance excel in detailed pattern recognition and systematic thinking — perfect for jobs involving monitoring and detecting security breaches. ADHD and dyslexia meanwhile are associated with increased idea generation and the ability to see connections between new ideas — valuable for approaching problems in new and different ways.
One problem these companies face is not finding enough neurodivergent talent. Fortunately, there are strategies to overcome difficulties in uncovering these individuals.
How to recruit neurodiverse talent: How Neurodiversity Can Help Fill the Cybersecurity Workforce Shortage
Related: Cyber Employment 2024: Sky-High Expectations Fail Businesses & Job Seekers
QR Code 'Quishing' Attacks on Execs Surge, Evading Email Security
By Robert Lemos, Contributing Writer, Dark Reading
The use of QR codes to deliver malicious payloads jumped in Q4 2023, especially against executives, who saw 42 times more QR code phishing than the average employee.
Cyberattackers are embracing QR codes as a way to specifically target executives: In the fourth quarter of 2023, the average top executive in the C-suite saw 42 times more phishing attacks using QR codes compared to the average employee.
Other managerial roles suffered an increase in attacks as well, although significantly smaller, with these non-C-suite executives encountering five times more QR-code-based phishing attacks, according to the company's report.
The focus on the upper tiers of an organization could be because of the effectiveness of "quishing" in getting past endpoint defenses, which may be more stringent on higher-ups' machines. Because attackers hide their phishing link in an image, QR code phishing bypasses user suspicions and some email security products.
More than a quarter of QR code attacks (27%) in Q4 were fake notices about turning on MFA, while about one-in-five attacks (21%) were fake notifications about a shared document.
How security teams can tackle quishing: QR Code 'Quishing' Attacks on Execs Surge, Evading Email Security
Related: QR Code Phishing Campaign Targets Top US Energy Company
About the Author
You May Also Like