CISO Corner: Red Sox CloudSec; Deepfake Biz Risk; Ticketmaster Takeaways
Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: Proactive playbooks, a US-Kenya partnership, and the trouble with shadow engineering.
June 7, 2024
Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.
In this issue of CISO Corner:
Inside Baseball: The Red Sox Cloud Security Game
Technology, Regulations Can't Save Orgs From Deepfake Harm
Cybersecurity Job Hunting May Come Down to Certifications
Global: As Allies, Kenya & US Aim to Bolster Digital Security in Africa
Ticketmaster Breach Showcases SaaS Data Security Risks
Understanding Security's New Blind Spot: Shadow Engineering
Inside Baseball: The Red Sox Cloud Security Game
By Tara Seals, Managing Editor, News, Dark Reading
Inside the baseball team's strategy for building next-gen security operations through zero trust and initiatives aiming to safeguard team data, fan info, and the iconic Fenway Park — which, by the way, is now a smart stadium.
In response to the 2013-2014 hack of the Houston Astros by a former Saint Louis Cardinals exec, Major League Baseball set out to build a core cybersecurity competency that all 30 teams could make use of — and the Boston Red Sox were an early adopter. They were the first team to hire a full-time cybersecurity person on staff, and one of the first three teams to actually sign up for the formal MLB cyber program.
"Our ownership group in particular has been very supportive of everything that we've wanted to do," says Randy George, vice president of technology operations and information security for the Sox. "In fact, I've never got the answer of no when it comes to a security investment."
And those investments have been myriad, lately revolving around a migration to the cloud and upgrading Fenway to a smart stadium powered by IoT. AI is next: "We have this venue, Fenway Park, with 30,000 people running all over the place. We want to leverage AI to identify threats to the venue, track children while they're traversing the stadium, and to help secure and improve the fan experience. There are so many opportunities, but we need to have a policy framework for those AI tools."
Read more: Inside Baseball: The Red Sox Cloud Security Game
Related: Paris Olympics Cybersecurity at Risk via Attack Surface Gaps
Technology, Regulations Can't Save Orgs From Deepfake Harm
By Robert Lemos, Contributing Writer, Dark Reading
Monetary losses, reputational damage, share price declines — it's hard to counter, much less try to stay ahead of, AI-based attacks.
Currently, deepfakes top the list of concerning cyber threats, with a third of companies considering deepfakes to be a critical or major threat, according to a report from Deep Instinct. But it could get much, much worse.
In the short term, the impact of a deepfake campaign aiming to undermine the reputation of a company could be so great that it affects the firm's general creditworthiness, according to Moody’s Ratings.
Longer term, experts expect deepfakes to improve upon current fraud strategies, using generative AI to create attacks against financial institutions' know-your-customer (KYC) measures, manipulate stock markets with reputational attacks against specific publicly traded firms, and blackmail executives and board members with fake — but still embarrassing — content.
In short, "deepfakes have potential for substantial and broad-based harm to corporations," according to one Moody's analyst.
Read more: Technology, Regulations Can't Save Orgs From Deepfake Harm
Related: Deepfake-Generating Apps Explode, Allowing Multimillion-Dollar Corporate Heists
Cybersecurity Job Hunting May Come Down to Certifications
By Edge Editors
If current cybersecurity workers only fill 85% of the need in the US, why are so many people still looking for positions? The data from the private-public NIST partnership CyberSeek offers some insight.
In the United States, current cybersecurity professionals can meet only 85% of the employer demand — leaving almost half a million (469,930) positions open. That's according to CyberSeek, a joint project between tech certification organization CompTIA, labor market analyst Lightcast, and NICE, a US federal program focused on cybersecurity.
The cyber-workforce gap is real, in other words. Of course, geography matters: if you were job-hunting in California, you would be better off checking San Diego, where only 87% of the job demand is met, than Fresno, where the ratio tips the other way, at 120% of job demand met.
CyberSeek's interactive map provides an interesting clue as to why experienced professionals may feel overlooked by hiring managers.
Access the map: Cybersecurity Job Hunting May Come Down to Certifications
Related: Solving the Cybersecurity Skills Gap with Racial Inclusivity
Perfecting the Proactive Security Playbook
Commentary by Nabil Hannan, Field CISO, NetSPI
It's more important than ever for organizations to prepare themselves and their cybersecurity postures against known and unknown threats.
Any good sports coach will tell you a playbook is a critical tool in ensuring a team's continued success — and the same applies to cybersecurity. Without an effective security playbook, organizations expose themselves to vulnerabilities by not preparing for potential outcomes, ramifications, and remediations.
A key first step in creating any playbook is planning. Just as coaches have to make customized playbooks for each new opponent, security leaders must have plans in place for various crises and situations so that all involved parties — from employees to customers to contractors — know what's expected of them in the event of a breach.
In the world of sports, wins are determined by the score on game day. A team's "win" is a bit more ambiguous in cybersecurity. No matter what success looks like, teams must hold practices to assess strategy, pinpoint weak links, and identify hurdles to success. Tabletop exercises continue to be an effective strategy for this.
The threat landscape continues to evolve and become more complex, largely due to skyrocketing AI adoption. And while not everyone is an AI expert — and nor should they be — security leaders need to understand where their team is at in the AI journey. To address any skill gaps and ensure AI-based threats are detected, leaders should ask themselves, "How do we deliver the best value to our internal team, given their technical capabilities?"
Read more: Perfecting the Proactive Security Playbook
Related: Ivanti Gets Poor Marks for Cyber Incident Response
Global: As Allies, Kenya & US Aim to Bolster Digital Security in Africa
By Robert Lemos, Contributing Writer, Dark Reading
Amid surging attacks, Kenya aims to expand its technology sector and improve cybersecurity to protect the country's fast-growing digital economy.
With a visit to the United States and his country's designation by the US as a major non-NATO ally, Kenyan President William S. Ruto committed to the Framework for Responsible State Behavior in Cyberspace — an existing agreement between European, North American, and Asian countries — to follow specific norms in cyberspace.
The US and Kenya's leaders also agreed to share threat information between partners in the East Africa region and highlighted private industry collaborations, including a joint effort between the Kenyan government and Google to establish a cyber-operations platform along with an e-government pilot project. The US also committed to providing policy and regulatory advisory services.
Read more: As Allies, Kenya & US Aim to Bolster Digital Security in Africa
Related: Africa Ranks Low on Phishing Cyber Resilience
Ticketmaster Breach Showcases SaaS Data Security Risks
By Jai Vijayan, Contributing Writer, Dark Reading
MFA and other mechanisms are critical to protecting against unauthorized access to data in cloud application environments, but businesses still fall down on the job.
A massive data breach at Ticketmaster and another one at Santander Bank last month both stem from a failure to secure a third-party cloud database, which analysts have identified as Snowflake.
The incidents, affecting more than half a billion people, are the latest reminders of why organizations storing sensitive data in the cloud need to implement multifactor authentication (MFA), IP restrictions, and other mechanisms to protect access to it.
This might seem like low-hanging fruit, but it's clear that even IT-mature companies continue to overlook cloud security in the rush toward digital transformation, calling into question the effectiveness of the shared-responsibility model for cloud security.
Read more: Ticketmaster Breach Showcases SaaS Data Security Risks
Related: Shouldering the Increasingly Heavy Cloud Shared-Responsibility Model
Understanding Security's New Blind Spot: Shadow Engineering
Commentary by Yair Finzi, Co-Founder & CEO, Nokod Security
In the rush to digital transformation, many organizations are exposed to security risks associated with citizen developer applications without even knowing it.
Low-code/no-code (LCNC) technology that allows individuals without formal coding or software development training to easily build applications has spawned a new problem for businesses: "shadow engineering."
By providing intuitive, drag-and-drop, and generative AI (GenAI) interfaces, LCNC platforms enable employees to independently create and deploy apps outside the purview of the security team — thus unknowingly exposing organizations to security risks associated with citizen developer applications.
These apps also bypass the usual code tests designed to flag software vulnerabilities and misconfigurations, which could lead to a breach. For example, a low-code automation created by the sales team to process credit card payments could leak sensitive data and violate PCI DSS requirements while being invisible to the security operations team.
Fortunately, companies can address the risks associated with shadow engineering by applying traditional application security principles to LCNC apps.
Read more for how to address shadow-engineering risk: Understanding Security's New Blind Spot: Shadow Engineering
Related: Rogue Azure AD Guests Can Steal Data via Power Apps