CISO Corner: Ivanti's Mea Culpa; World Cup Hack; CISOs & Cyber Awareness
Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: Dealing with a Ramadan cyber spike; funding Internet security; and Microsoft's Azure AI changes.
April 5, 2024
Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.
In this issue of CISO Corner:
How CISOs Can Make Cybersecurity Awareness a Long-Term Priority for Boards
Global: Cybersecurity Threats Intensify in the Middle East During Ramadan
Funding the Organizations That Secure the Internet
How Soccer's 2022 World Cup in Qatar Was Nearly Hacked
Microsoft Beefs Up Defenses in Azure AI
Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed
Why Cybersecurity Is a Whole-of-Society Issue
How CISOs Can Make Cybersecurity Awareness a Long-Term Priority for Boards
Commentary by Shaun McAlmont, CEO, NINJIO Cybersecurity Awareness Training
Cybersecurity is far more than a check-the-box exercise. To create companywide buy-in, CISOs need to secure board support, up their communication game, and offer awareness-training programs to fight social engineering and help employees apply what they've learned.
CISOs play a vital role in building stakeholder support for cybersecurity across the company — including when it comes to earning long-term support for awareness training from their boards. Winning strategies include communicating cybersecurity concepts in an engaging and non-technical way, and showing board members that cybersecurity programs offer significant ROI.
This column lays out five ways that CISOs can show boards that it's time to prioritize cybersecurity:
Know how to communicate with non-technical audiences. Cybersecurity is an intimidating subject for non-technical audiences, but it doesn't have to be. CISOs can make a comprehensible and convincing case for cybersecurity by pointing to the devastating real-world consequences of successful cyberattacks, for instance.
Focus on the entire cyber-impact chain. Cyberattacks can lead to severe reputational damage, disrupted operations, legal and regulatory consequences, and crippling effects on the health of the company's workforce.
Stress the human element. CISOs stress that 74% of all breaches involve a human element — an alarming reminder that social engineering remains one of the most powerful weapons in the cybercriminal arsenal.
Outline how awareness-training programs can be measured. CISOs need to make accountability a central pillar of their case for awareness training. When board members see that cybersecurity spending is paying off, CISOs will be able to maintain support.
Secure long-term support. Because the cyber threat landscape is always shifting, companies have to keep employees updated on the latest cybercriminal tactics — such as the use of AI to craft convincing and targeted phishing messages at scale.
Read more: How CISOs Can Make Cybersecurity a Long-Term Priority for Boards
Related: CISOs Struggle for C-Suite Status Even as Expectations Skyrocket
Cybersecurity Threats Intensify in the Middle East During Ramadan
By Alicia Buller, Contributing Writer, Dark Reading
How security teams in the region fortify their defenses amid short-staffing — and increased DDoS, phishing, and ransomware campaigns — during the Muslim holy month.
The ninth month of the Muslim calendar is observed around the world, as followers take the time to reflect and practice fasting, and cybersecurity teams often operate with skeletal staffing. Ramadan is also a period where Muslim shoppers tend to up their spending on specialty foods, gifts, and special offers.
All of this also creates a perfect storm for bad actors to conduct fraudulent activities and scams. Endpoint-protection firm Resecurity has observed a significant increase in cyber malevolence during Ramadan, which began on March 10. The company estimates the total financial impact from these cyberattacks and cyberscams against the Middle East has reached up to $100 million so far during this year's Ramadan.
Middle East-based companies can step up cybersecurity with extra vigilance and outsourced support amid shortened working hours and increased ecommerce activity.
"Many organizations proactively enhance their outsourced contracts during this period, particularly focusing on bolstering 24/7 security operations," says Shilpi Handa, associate research director of security, Middle East, Turkey, and Africa (META) at IDC, adding that deploying a remote and diverse workforce is particularly advantageous during Ramadan as around-the-clock security shifts can be fully covered by a mix of Muslim fasters and non-Muslim staff.
Read more: Cybersecurity Threats Intensify in the Middle East During Ramadan
Related: Middle East Leads in Deployment of DMARC Email Security
Funding the Organizations That Secure the Internet
By Jennifer Lawinski, Contributing Writer, Dark Reading
Common Good Cyber is a global consortium connecting nonprofit, private sector, and government organizations to fund organizations focused on securing Internet infrastructure.
There's no single entity responsible for maintaining and securing the Internet. Instead, that task falls upon a diverse group of organizations and individuals that preserve this public utility with little funding, or by subsisting on tight budgets. The stakes are incredibly high, but the amount of resources available for keeping this infrastructure secure falls short.
"Key components of the Internet are maintained by volunteers, nonprofits, and NGOs, and others who work with razor-thin budgets and resources," said Kemba Walden, president of Paladin Global Institute and former US acting national cyber director. "Consider this: The underpinnings of our digital infrastructure, the infrastructure that enables civil society to thrive in our economy today and to grow, rest on a network of volunteers, nonprofits, NGOs and others."
An initiative called Common Good Cyber is finding new ways to build adequate funding into law and policy, business policies and government, and other funding vehicles sufficient to meet the common need for cybersecurity. Ideas include creating joint funding organizations; federated fundraising for nonprofits; inventorying who is doing what to support the Internet's infrastructure; and a hub or accelerator to provide resources to the groups securing the Internet.
Read more: Funding the Organizations That Secure the Internet
Related: Neglecting Open Source Developers Puts the Internet at Risk
How Soccer's 2022 World Cup in Qatar Was Nearly Hacked
By Jai Vijayan, Contributing Writer, Dark Reading
A China-linked threat actor had access to a router configuration database that could have completely disrupted coverage, a security vendor says.
About six months before the 2022 FIFA World Cup soccer tournament in Qatar, a threat actor — later identified as China-linked BlackTech — quietly breached the network of a major communications provider for the games and planted malware on a critical system storing network device configurations.
The breach remained undetected until six months after the games, during which time the cyber-espionage group gathered up an unknown volume of data from targeted customers of the telecommunications provider — including those associated with the World Cup and vendors providing services for it.
But it's the "what else could have happened" that's the really scary part: The access that BlackTech had on the telecom provider's system would have allowed the threat actor to completely disrupt key communications — including all streaming services associated with the game. The fallout from such a disruption would have been substantial in terms of geopolitical implications, brand damage, national reputation, and potentially hundreds of millions of dollars in losses from the licensing rights and ads negotiated prior to the World Cup.
Read more: How Soccer's 2022 World Cup in Qatar Was Nearly Hacked
Related: NFL, CISA Look to Intercept Cyber Threats to Super Bowl LVIII
Microsoft Beefs Up Defenses in Azure AI
By Jai Vijayan, Contributing Writer, Dark Reading
Microsoft adds tools to protect Azure AI from threats such as prompt injection, as well as to give developers the capabilities to ensure generative AI apps are more resilient to model and content manipulation attacks.
Amid growing concerns about threat actors using prompt injection attacks to get generative AI (GenAI) systems to behave in dangerous and unexpected ways, Microsoft's AI Studio is rolling out resources for developers to build GenAI apps that are more resilient to those threats.
Azure AI Studio is a hosted platform that organizations can use to build custom AI assistants, copilots, bots, search tools, and other applications, grounded in their own data.
The five new capabilities that Microsoft has added — or will soon add — are Prompt Shields, groundedness detection, safety system messages, safety evaluations, and risk and safety monitoring. The features are designed to address some significant challenges that researchers have uncovered recently — and continue to uncover on a routine basis — with regard to the use of large language models (LLMs) and GenAI tools.
"Generative AI can be a force multiplier for every department, company, and industry," said Microsoft's chief product officer of responsible AI, Sarah Bird. "At the same time, foundation models introduce new challenges for security and safety that require novel mitigations and continuous learning."
Read more: Microsoft Beefs Up Defenses in Azure AI
Related: Forget Deepfakes or Phishing: Prompt Injection is GenAI's Biggest Problem
Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed
By Jai Vijayan, Contributing Writer, Dark Reading
So far this year, Ivanti has disclosed a total of 10 flaws — many of them critical — in its remote access products, and one in its ITSM product.
Ivanti CEO Jeff Abbott this week said his company will completely revamp its security practices even as the vendor disclosed another fresh set of bugs in its vulnerability-riddled Ivanti Connect Secure and Policy Secure remote access products.
In an open letter to customers, Abbott committed to a series of changes the company will make in the coming months to transform its security operating model following a relentless barrage of bug disclosures since January. The promised fixes include a complete do-over of Ivanti's engineering, security, and vulnerability management processes and implementation of a new secure-by-design initiative for product development.
How much these commitments will help stem growing customer disenchantment with Ivanti remains unclear given the company's recent security track record. In fact, Abbott's comments came one day after Ivanti disclosed four new bugs in its Connect Secure and Policy Secure gateway technologies and issued patches for each of them.
Read more: Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed
Related: Feds to Microsoft: Clean Up Your Cloud Security Act Now
Why Cybersecurity Is a Whole-of-Society Issue
Commentary by Adam Maruyama, Field CTO, Garrison Technology
Working together and integrating cybersecurity as part of our corporate and individual thinking can make life harder for hackers and safer for ourselves.
We are drowning in vulnerabilities: Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), at a recent Congressional hearing on Chinese cyber operations, said simply that "we've made it easy on" attackers through poor software design. But it will take a whole-of-society effort to reshape the market for cybersecurity to create technologies that are both high-performing and secure.
As CISA articulated in its Secure by Design initiative, secure coding by vendors is the first step to creating technologies that are both secure and usable. But businesses must realize, as Easterly put it, that "cyber-risk is business risk" by incorporating cybersecurity into all their business practices. In particular, by increasing the stature of CISOs and giving them holistic cybersecurity oversight of the entire business, particularly procurement decisions, companies can incorporate cybersecurity as an organic step in business processes.
Meanwhile, cybersecurity and IT professionals — two closely related but often clashing groups — must come together to build networks that are both secure and functional for their users. And, the final piece of a whole-of-society approach to cybersecurity is both the most difficult and the most critical: integrating cybersecurity into the day-to-day lives of citizens through things like multifactor authentication.