
CISO Corner: Evil SBOMs; Zero-Trust Pioneer Criticizes Cloud Security


Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

In this issue of CISO Corner:

  • Kindervag Says: 5 Hard Truths About the State of Cloud Security 2024

  • MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs

  • Lessons for CISOs From OWASP's LLM Top 10

  • Cyberattack Gold: SBOMs Offer an Easy Census of Vulnerable Software

  • Global: Licensed to Bill? Nations Mandate Certification & Licensure of Cybersecurity Pros

  • Johnson & Johnson Spin-Off CISO on Maximizing Cybersecurity

  • SolarWinds 2024: Where Do Cyber Disclosures Go From Here?

5 Hard Truths About the State of Cloud Security 2024

By Ericka Chickowski, Contributing Writer, Dark Reading

Dark Reading talks cloud security with John Kindervag, the godfather of zero trust.

Most organizations aren’t working with fully mature cloud security practices, despite almost half of the breaches originating in the cloud and almost $4.1 million lost to cloud breaches in the past year.

That’s a big problem, according to the godfather of zero trust security, John Kindervag, who conceptualized and popularized the zero-trust security model as an analyst at Forrester. He tells Dark Reading that there are some hard truths to face in order to turn things around.

1. You don’t become more secure just by going to the cloud: The cloud is not innately more secure than most on-premises environments: hyperscale cloud providers may be very good at protecting infrastructure, but the control and responsibility they have over their customers’ security posture is very limited. And the shared responsibility model doesn’t really work.

2. Native security controls are hard to manage in a hybrid world: Quality is inconsistent when it comes to offering customers more control over their workloads, identities, and visibility, but security controls that can be managed across all the multiple clouds are elusive.

3. Identity won’t save your cloud: With so much emphasis placed on cloud identity management and disproportionate attention on the identity component in zero trust, it’s important for organizations to understand that identity is only part of a well-balanced breakfast for zero trust in the cloud.

4. Too many firms don’t know what they’re trying to protect: Each asset or system or process will carry its own unique risk, but organizations lack a clear idea of what is in the cloud or what connects to the cloud, let alone what needs protecting.

5. Cloud-native development incentives are out of whack: Too many organizations simply do not have the right incentive structures for developers to bake in security as they go — and, in fact, many have perverse incentives that end up encouraging insecure practice. “I like to say that the DevOps app people are the Ricky Bobbys of IT. They just want to go fast,” Kindervag says.

Read more: 5 Hard Truths About the State of Cloud Security 2024

Related: Zero Trust Takes Over: 63% of Orgs Implementing Globally

MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs

By Nate Nelson, Contributing Writer, Dark Reading

The irony is lost on few, as a nation-state threat actor used eight MITRE techniques to breach MITRE itself — including exploiting the Ivanti bugs that attackers have been swarming on for months.

Foreign nation-state hackers have used vulnerable Ivanti edge devices to gain three months’ worth of “deep” access to one of MITRE Corp.’s unclassified networks.

MITRE, steward of the ubiquitous ATT&CK glossary of commonly known cyberattack techniques, previously went 15 years without a major incident. The streak snapped in January when, like so many other organizations, its Ivanti gateway devices were exploited.

The breach affected the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified, collaborative network that the organization uses for research, development, and prototyping. The extent of the NERVE damage (pun intended) is currently being assessed.

Whatever their goals were, the hackers had ample time to carry them out. Though the compromise occurred in January, MITRE was only able to detect it in April, leaving a quarter-year gap in between.

Read more: MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs

Related: Top MITRE ATT&CK Techniques & How to Defend Against Them

Lessons for CISOs From OWASP's LLM Top 10

Commentary by Kevin Bocek, Chief Innovation Officer, Venafi

It’s time to start regulating LLMs to ensure they’re accurately trained and ready to handle business deals that could affect the bottom line.

OWASP recently released its top 10 list for large language model (LLM) applications, so developers, designers, architects, and managers now have 10 areas to clearly focus on when it comes to security concerns.

Almost all of the top 10 LLM threats center around a compromise of authentication for the identities used in the models. The different attack methods run the gamut, affecting not only the identities of model inputs but also the identities of the models themselves, as well as their outputs and actions. This has a knock-on effect and calls for authentication in the code-signing and creating processes to halt the vulnerability at the source.

While more than half of the top 10 risks are ones that are essentially mitigated and calling for the kill switch for AI, companies will need to evaluate their options when deploying new LLMs. If the right tools are in place to authenticate the inputs and models, as well as the models’ actions, companies will be better equipped to leverage the AI kill-switch idea and prevent further destruction.

Read more: Lessons for CISOs From OWASP's LLM Top 10

Related: Bugcrowd Announces Vulnerability Ratings for LLMs

Cyberattack Gold: SBOMs Offer an Easy Census of Vulnerable Software

By Rob Lemos, Contributing Writer, Dark Reading

Attackers will likely use software bills-of-material (SBOMs) for searching for software potentially vulnerable to specific software flaws.

Government and security-sensitive companies are increasingly requiring software makers to provide them with software bills of material (SBOMs) to address supply-chain risk — but this is creating a new category of worry.

In a nutshell: An attacker who determines what software a targeted company is running can retrieve the associated SBOM and analyze the application's components for weaknesses, all without sending a single packet, says Larry Pesce, a director for product security research and analysis at software supply-chain security firm Finite State.

He's a former penetration tester of 20 years who plans to warn about the risk in a presentation on "Evil SBOMs" at the RSA Conference in May. He will show that SBOMs have enough information to allow attackers to search a database of SBOMs for specific CVEs and find an application that is likely vulnerable. Even better for attackers, he says, SBOMs also list the other components and utilities on the device that an attacker could use to "live off the land" after a compromise.
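The point of the article is that the same census is available to defenders first: whoever holds the SBOM can check every listed component against known-fixed versions before an attacker does. The following is an added example (not code from the article or from Finite State) that runs that check over a constructed CycloneDX-style SBOM; the advisory table, the fixed versions, and the list of general-purpose utilities are all assumptions made up for the demonstration.

```python
import json

# Constructed CycloneDX-style SBOM fragment (assumed, not from the article).
# Real SBOMs carry the same "components" array with name, version and purl.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.15",
     "purl": "pkg:npm/lodash@4.17.15"},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "application", "name": "busybox", "version": "1.35.0",
     "purl": "pkg:generic/busybox@1.35.0"}
  ]
}
"""

# Constructed advisory table: versionless purl -> (first fixed version, id).
# Any listed version strictly below the fixed version is treated as affected.
ADVISORIES = {
    "pkg:npm/lodash": ("4.17.21", "ADVISORY-PLACEHOLDER-1"),
    "pkg:maven/org.apache.logging.log4j/log4j-core": ("2.17.1", "ADVISORY-PLACEHOLDER-2"),
}

# General-purpose utilities whose presence on a device a defender wants to
# know about, because the article notes attackers read them off the SBOM too.
UTILITY_NAMES = {"busybox", "curl", "wget", "netcat", "python"}


def version_key(version):
    """Turn '4.17.15' into (4, 17, 15) so versions compare numerically."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def census(sbom_text):
    """Return (vulnerable, utilities): components below their fixed version,
    and general-purpose tools the SBOM reveals are installed."""
    bom = json.loads(sbom_text)
    vulnerable, utilities = [], []
    for comp in bom.get("components", []):
        base_purl = comp.get("purl", "").split("@", 1)[0]  # drop the version
        if base_purl in ADVISORIES:
            fixed, advisory_id = ADVISORIES[base_purl]
            if version_key(comp["version"]) < version_key(fixed):
                vulnerable.append((comp["name"], comp["version"], advisory_id))
        if comp["name"] in UTILITY_NAMES:
            utilities.append(comp["name"])
    return vulnerable, utilities
```

Running `census(SBOM_JSON)` flags lodash 4.17.15 as below its fixed version, leaves log4j-core alone because 2.17.1 is already the fixed version, and reports busybox as an installed utility.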

Read more: Cyberattack Gold: SBOMs Offer an Easy Census of Vulnerable Software

Related: Southern Company Builds SBOM for Power Substation

Global: Licensed to Bill? Nations Mandate Certification & Licensure of Cybersecurity Pros

By Robert Lemos, Contributing Writer, Dark Reading

Malaysia, Singapore, and Ghana are among the first countries to pass laws that require cybersecurity firms — and in some cases, individual consultants — to obtain licenses to do business, but concerns remain.

Malaysia has joined at least two other nations — Singapore and Ghana — in passing laws that require cybersecurity professionals or their firms to be certified and licensed to provide some cybersecurity services in their country.

While the legislation’s mandates have yet to be determined, “this will likely apply to service providers that provide services to safeguard information and communications technology device of another person — [for example] penetration testing providers and security operation centers,” according to Malaysia-based law firm Christopher & Lee Ong.

Asia-Pacific neighbor Singapore has already required the licensing of cybersecurity service providers (CSPs) for the past two years, and the West African nation of Ghana requires the licensing and accreditation of cybersecurity professionals. More widely, governments such as the European Union have normalized cybersecurity certifications, while other agencies — such as the US state of New York — require certification and licenses for cybersecurity capabilities in specific industries.

However, some experts see potentially dangerous consequences from these moves.

Read more: Licensed to Bill? Nations Mandate Certification & Licensure of Cybersecurity Pros

Related: Singapore Sets High Bar in Cybersecurity Preparedness

J&J Spin-Off CISO on Maximizing Cybersecurity

By Karen D. Schwartz, Contributing Writer, Dark Reading

How the CISO of Kenvue, a consumer healthcare company spun out from Johnson & Johnson, combined tools and new ideas to build out the security program.

Johnson & Johnson’s Mike Wagner helped shape the Fortune 100 company’s security approach and security stack; now, he’s the first CISO of J&J’s year-old consumer healthcare spinoff, Kenvue, tasked with creating a streamlined and cost-effective architecture with maximum security.

This article breaks down the steps that Wagner and his team worked through, which include:

Define key roles: Architects and engineers to implement tools; identity and access management (IAM) experts to enable secure authentication; risk management leaders to align security with business priorities; security operations staff for incident response; and dedicated staff for each cyber function.

Embed machine learning and AI: Tasks include automating IAM; streamlining supplier vetting; behavioral analysis; and improving threat detection.

Choose which tools and processes to retain, and which to replace: Because J&J's cybersecurity architecture is a patchwork of systems created by decades of acquisitions, tasks here included inventorying J&J's tools, mapping them to Kenvue's operating model, and identifying new needed capabilities.

Wagner says there is more to do. Next, he plans to lean into modern security strategies, including adoption of zero trust and enhancement of technical controls.

Read more: J&J Spin-Off CISO on Maximizing Cybersecurity

Related: A Peek into Visa's AI Tools Against Fraud

SolarWinds 2024: Where Do Cyber Disclosures Go From Here?

Commentary by Tom Tovar, CEO & Co-Creator, Appdome

Get updated advice on how, when, and where we should disclose cybersecurity incidents under the SEC’s four-day rule after SolarWinds, and join the call to revamp the rule to remediate first.

In a post-SolarWinds world, we should move to a remediation safe harbor for cybersecurity risks and incidents. Specifically, if any company remediates the deficiencies or attack within the four-day time frame, it should be able to (a) avoid a fraud claim (i.e., nothing to talk about) or (b) use the standard 10Q and 10K process, including the Management Discussion and Analysis section, to disclose the incident.

On Oct. 30, the SEC filed a fraud complaint against SolarWinds and its chief information security officer, alleging that even though SolarWinds employees and executives knew about the increasing risks, vulnerabilities, and attacks against SolarWinds’ products over time, “SolarWinds’ cybersecurity risk disclosures did not disclose them in any way.”

To help prevent liability issues in these situations, a remediation safe harbor would allow companies a full four-day time frame to evaluate and respond to an incident. Then, if remediated, take the time to disclose the incident properly. The result is more emphasis on cyber response and less impact to a company’s public stock. 8Ks could still be used for unresolved cybersecurity incidents.

Read more: SolarWinds 2024: Where Do Cyber Disclosures Go From Here?

Related: What SolarWinds Means for DevSecOps
