
The Importance of Whitelisting Scanner IPs in Cybersecurity Assessments


In the realm of cybersecurity, ensuring the safety and integrity of a network is a multifaceted endeavor. One crucial aspect of this process is the regular assessment of potential vulnerabilities within the system. As cybersecurity professionals, our work revolves around identifying these vulnerabilities through automated scans and red team exercises, meticulously recording them in a Bugtrack Excel sheet, and collaborating with human analysts to prioritize and address the most critical issues. However, a recurring challenge in this process is the reluctance of some customers to whitelist the IP addresses of our scanning tools.

The Role of Whitelisting in Accurate Assessments

Whitelisting the scanner IP is essential for obtaining accurate and comprehensive results during security assessments. When the IP address of the scanning tool is whitelisted, it allows the scanner to perform a thorough evaluation of the network without being hindered by security measures such as firewalls or intrusion detection systems. This unrestricted access enables the scanner to identify all potential vulnerabilities, providing a realistic picture of the network's security posture.

The Reluctance to Whitelist

Despite the clear benefits, many customers are hesitant to whitelist the IP addresses of cybersecurity vendors. The primary reason for this reluctance is the perception that it could expose the network to potential threats. Customers fear that by allowing unrestricted access to the scanner, they are inadvertently creating a backdoor that could be exploited by malicious actors.

Moreover, this approach rests on a false premise. By not whitelisting the scanner IP, the results of the security assessments are often incomplete or misleading. The scanners may miss critical vulnerabilities that are hidden behind security measures, resulting in a report that underestimates the actual risks. Consequently, the management and auditors, relying on these reports, task the IT team with addressing only the identified issues, leaving the undetected vulnerabilities unaddressed.

The Illusion of Security

This approach creates an illusion of security. The customer, management, and auditors may feel satisfied with the apparent low number of vulnerabilities, believing that their network is secure. However, this false sense of security can be detrimental. Hackers are relentless and innovative, constantly seeking new ways to infiltrate networks. They are not deterred by the same security measures that hinder our scanners. By not whitelisting the scanner IP, customers are effectively blinding themselves to potential threats that hackers could exploit.

The Hacker's Advantage

Hackers employ manual methods and conduct long-term reconnaissance to find vulnerabilities within a network. They utilize a combination of sophisticated techniques and persistent efforts to bypass security measures. The tools and strategies that block scanner IPs are not effective against a determined hacker's methods. Hackers can slowly and methodically map out the network, identify weaknesses, and exfiltrate data without triggering the same alarms that automated scanners might. This means that even if a scanner is blocked, a hacker can still find and exploit vulnerabilities, leading to potentially catastrophic breaches.

The Need for Continuous and Accurate Scanning

Security scanners need to perform regular assessments—daily or weekly—to keep up with the evolving threat landscape. For these scans to be effective, the scanner IP must be whitelisted to ensure consistent and accurate results. This repetitive scanning is crucial for maintaining a robust security posture, as it allows for the timely identification and remediation of new vulnerabilities.

The Conference Conundrum

Adding to this challenging landscape is the current trend in cybersecurity conferences. Instead of inviting actual security researchers, security engineers, or architects who write defensive software, many conferences are being hosted by OEM vendors or consulting organizations. These vendors often showcase the users of their security products rather than the experts who develop and understand the intricate details of cybersecurity defense mechanisms. This practice can lead to a superficial understanding of security products and their effectiveness, as the focus shifts from in-depth technical knowledge to user experiences and testimonials.

Conclusion

In conclusion, the reluctance to whitelist scanner IPs stems from a misunderstanding of the importance of comprehensive and accurate security assessments. While it may seem counterintuitive, whitelisting these IP addresses is a necessary step in identifying and addressing all potential vulnerabilities within a network. 

By embracing this practice, customers can move beyond the illusion of security and take proactive measures to protect their networks from the ever-evolving threats posed by cybercriminals. The ultimate goal is to ensure that both the customer and their management are genuinely secure, rather than merely appearing to be so. Security measures that block scanner IPs won't thwart a dedicated hacker who uses manual methods and long-term reconnaissance. Thus, comprehensive vulnerability assessments are essential to safeguarding against real-world threats. Additionally, there needs to be a shift in how cybersecurity conferences are organized, prioritizing the inclusion of true security experts to enhance the industry's collective knowledge and capabilities.

--

Suriya Prakash and Sabari Selvan

CySecurity Corp 

Why Every Business is Scrambling to Hire Cybersecurity Experts



The cybersecurity arena is developing at a breakneck pace, creating a significant talent shortage across the industry. This challenge was highlighted by Saugat Sindhu, Senior Partner and Global Head of Advisory Services at Wipro Ltd. He emphasised the pressing need for skilled cybersecurity professionals, noting that the rapid advancements in technology make it difficult for the industry to keep up.


Cybersecurity: A Business Enabler

Over the past decade, cybersecurity has transformed from a corporate function to a crucial business enabler. Sindhu pointed out that cybersecurity is now essential for all companies, not just as a compliance measure but as a strategic asset. Businesses, clients, and industries understand that neglecting cybersecurity can give competitors an advantage, making robust cybersecurity practices indispensable.

The role of the Chief Information Security Officer (CISO) has also evolved. Today, CISOs are responsible for ensuring that businesses have the necessary tools and technologies to grow securely. This includes minimising outages and reputational damage from cyber incidents. According to Sindhu, modern CISOs are more about enabling business operations rather than restricting them.

Generative AI is one of the latest disruptors in the cybersecurity field, much like the cloud was a decade ago. Sindhu explained that different sectors face varying levels of risk with AI adoption. For instance, healthcare, manufacturing, and financial services are particularly vulnerable to attacks like data poisoning, model inversions, and supply chain vulnerabilities. Ensuring the security of AI models is crucial, as vulnerabilities can lead to severe backdoor attacks.

At Wipro, cybersecurity is a top priority, involving multiple departments including the audit office, risk office, core security office, and IT office. Sindhu stated that cybersecurity considerations are now integrated into the onset of any technology transformation project, rather than being an afterthought. This proactive approach ensures that adequate controls are in place from the beginning.

Wipro is heavily investing in cybersecurity training for its employees and practitioners. The company collaborates with major universities in India to support training courses, making it easier to attract new talent. Sindhu emphasised the importance of continuous education and certification to keep up with the fast-paced changes in the field.

Wipro's commitment to cybersecurity is evident in its robust infrastructure. The company boasts over 9,000 cybersecurity specialists and operates 12 global cyber defence centres across more than 60 countries. This extensive network underscores Wipro's dedication to maintaining high security standards and addressing cyber risks proactively.

The rapid evolution of cybersecurity presents pivotal challenges, but also underscores the importance of viewing it as a business enabler. With the right training, proactive measures, and integrated approaches, companies like Wipro are striving to stay ahead of threats and ensure robust protection for their clients. As the demand for cybersecurity talent continues to grow, ongoing education and collaboration will be key to bridging the skills gap.



The Indispensable Role of the CISO in Navigating Cybersecurity Regulations


With evolving cyber threats and stringent regulatory requirements, CISOs are tasked with ensuring the confidentiality, integrity, and availability of an organization’s digital systems and data. This article examines the regulatory landscape surrounding cybersecurity and explores effective strategies for CISOs to navigate these requirements. CISOs must stay updated on regulations and implement robust security practices to protect their organizations from legal consequences. 

The SEC has introduced rules to standardize cybersecurity risk management, strategy, governance, and incident disclosures. These rules apply to public companies under the Securities Exchange Act of 1934 and include both domestic and foreign private issuers. Companies are required to promptly disclose material cybersecurity incidents, detailing the cause, scope, impact, and materiality. Public companies must quickly disclose cybersecurity incidents to investors, regulators, and the public to prevent further damage and allow stakeholders to take necessary actions. 

Detailed disclosures must explain the incident's root cause, the affected systems or data, and the impact, whether it resulted in a data breach, financial loss, operational disruption, or reputational harm. Organizations need to assess whether the incident is substantial enough to influence investors’ decisions. Failure to meet SEC disclosure requirements can lead to investigations and penalties. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCA) mandates that companies report significant cyber incidents to the Department of Homeland Security (DHS) within 24 hours of discovery. 

CISOs must ensure their teams can effectively identify, evaluate, validate, prioritize, and mitigate vulnerabilities and exposures, and that security breaches are promptly reported. Reducing the organization’s exposure to cybersecurity and compliance risks is essential to avoid legal implications from inadequate or misleading disclosures. Several strategies can strengthen an organization's security posture and compliance. Regular security tests and assessments proactively identify and address vulnerabilities, ensuring a strong defense against potential threats. Effective risk mitigation strategies and consistent governance practices enhance compliance and reduce legal risks. Employing a combination of skilled personnel, efficient processes, and advanced technologies bolsters an organization's security. Multi-layered technology solutions such as endpoint detection and response (EDR), continuous threat exposure management (CTEM), and security information and event management (SIEM) can be particularly effective. 

Consulting with legal experts specializing in cybersecurity regulations can guide compliance and risk mitigation efforts. Maintaining open and transparent communication with stakeholders, including investors, regulators, and the board, is critical. Clearly articulating cybersecurity efforts and challenges fosters trust and demonstrates a proactive approach to security. CISOs and their security teams lead the battle against cyber threats and must prepare their organizations for greater security transparency. The goal is to ensure effective risk management and incident response, not to evade requirements. 

By prioritizing risk management, governance, and technology adoption while maintaining regulatory compliance, CISOs can protect their organizations from legal consequences. Steadfast adherence to regulations, fostering transparency, and fortifying defenses with robust security tools and best practices are essential for navigating the complexities of cybersecurity compliance. By diligently upholding security standards and regulatory compliance, CISOs can steer their organizations toward a future where cybersecurity resilience and legal compliance go hand in hand, providing protection and peace of mind for all stakeholders.

Ticketmaster and Santander Breaches Expose Cloud Security Flaws


Recent data breaches at Ticketmaster and Santander Bank have exposed major security vulnerabilities in the use of third-party cloud storage services. These breaches highlight the urgent need for robust security measures as more organisations move their data to the cloud.

On May 20, Ticketmaster experienced a data breach involving a third-party cloud storage provider. The breach, disclosed in a regulatory filing by its parent company Live Nation Entertainment, compromised the data of approximately 550 million customers. This stolen data, including sensitive personal information, was reportedly put up for sale on a Dark Web forum by a group known as "ShinyHunters."

Just a week earlier, on May 14, Santander Bank revealed a similar breach. Unauthorised access to a cloud-hosted database exposed data belonging to customers and employees, primarily affecting those in Spain, Chile, and Uruguay. ShinyHunters also claimed responsibility for this breach, offering the stolen data—which includes 30 million customer records, 28 million credit card numbers, and other sensitive information—for sale at $2 million.

Both breaches have been linked to Snowflake, a renowned cloud storage provider serving numerous high-profile clients like MasterCard, Disney, and JetBlue. Although Snowflake acknowledged recent malicious activities targeting its customers, an investigation by Mandiant and CrowdStrike found no evidence of a vulnerability or breach within Snowflake’s own platform. The attackers apparently exploited single-factor authentication credentials obtained through infostealer malware, highlighting the importance of robust authentication measures.

David Bradbury, Chief Security Officer at Okta, stressed the importance of implementing multi-factor authentication (MFA) and network IP restrictions for securing SaaS applications. However, he pointed out that attackers are increasingly bypassing MFA by targeting post-authentication processes, such as stealing session tokens. This highlights the need for additional security mechanisms like session token binding.

Michael Lyborg, CISO at Swimlane, emphasised the shared responsibility model in cloud security. While cloud providers like Snowflake offer best practices and security guidelines, it is ultimately up to customers to follow these protocols to protect their data. Lyborg suggested that enforcing MFA and adopting a zero-trust security model by default could markedly enhance data protection.


Challenges in Enforcing Security Standards

Patrick Tiquet, VP of Security and Architecture at Keeper Security, argued that while uniform security measures might enhance protection, they could also limit the flexibility and customization that customers seek from cloud services. He noted that some organizations might have their own robust security protocols tailored to their specific needs. However, the recent breaches at Ticketmaster and Santander highlight the dangers of relying solely on internal security measures without adhering to industry best practices.

The breaches at Ticketmaster and Santander serve as critical reminders of the risks associated with inadequate cloud security measures. As organisations increasingly transition to cloud-based operations, both cloud providers and their customers must prioritise robust security strategies. This includes implementing strong authentication protocols, adhering to best practices, and fostering a culture of security awareness. Ensuring comprehensive protection against cyber threats is essential to safeguarding sensitive data in the digital age.


Strengthening Healthcare Cybersecurity: A Collaborative Imperative


In recent years, cyberattacks have surged, putting every segment of the nation's healthcare system—from hospitals and physician practices to payment processing companies and biomedical facilities—under stress. These attacks disrupt patient care and cost the industry billions. Erik Decker, Vice President and Chief Information Security Officer (CISO) at Intermountain Health, emphasized the need for an "adversarial mindset" to counter these sophisticated threats during a recent U.S. News and World Report virtual event. 

Decker, who also chairs the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council, highlighted that cybercriminals aim to maximize profits swiftly, targeting vulnerable points within the healthcare sector. Marc Maiffret, Chief Technology Officer of BeyondTrust, explained that attackers typically infiltrate through three primary avenues: social engineering, misconfigured devices, and risky third-party connections. Social engineering often involves phishing emails or impersonation calls to service desks, where attackers request the enrollment of new devices using compromised credentials. 

Misconfigured devices exposed to the internet also provide easy entry points for attackers. The third method involves exploiting unattended remote access systems. Once inside, cybercriminals often target active directory and administrator workstations to gain critical credentials. To bolster defenses, Decker highlighted that the Department of Health and Human Services offers resources and voluntary cybersecurity performance goals developed with the HSCC’s Joint Cybersecurity Working Group. 

Zeynalov described Cleveland Clinic's approach of understanding the business thoroughly and aligning cybersecurity measures with healthcare needs. His team visited various locations to map the patient journey from admission to discharge, ensuring that protections are seamless and do not hinder patient care. Incident response planning is crucial. Maiffret advised against overly imaginative scenarios, favoring practical preparedness. Decker recommended establishing clear command structures and regularly simulating attack responses to build effective "muscle memory." “Your event that happens will never happen according to the way you planned it.”

For smaller, financially constrained hospitals, Zeynalov advocated for shared defense strategies. The Biden Administration’s 2025 fiscal year budget proposal allocates $1.3 billion through HHS to support cybersecurity adoption in under-resourced hospitals, reminiscent of the electronic medical records stimulus from the American Recovery and Reinvestment Act. 

Ultimately, the panelists emphasized a collaborative defense approach to withstand sophisticated cyber threats. By pooling resources and strategies, the healthcare sector can enhance its resilience against the ever-evolving landscape of cybercrime. This shared defense strategy is crucial, as Decker concluded, “We cannot do this stuff individually, trying to stop the types of organizations that are coming after us.” By uniting efforts, the healthcare industry can better protect itself and ensure the safety and trust of its patients.

Enhancing Cybersecurity: Automated Vulnerability Detection and Red Team Exercises with Validation Scans



In today's digital age, cybersecurity has become a top priority for organizations of all sizes. The ever-evolving landscape of cyber threats necessitates robust and comprehensive approaches to identifying and mitigating vulnerabilities.

Two effective methods in this domain are automated vulnerability detection and red team exercises. This article explores how these methods work together, the process of recording identified vulnerabilities, and the crucial role of human analysts in prioritizing them.

Automated Vulnerability Detection:

Automated vulnerability detection tools are designed to scan systems, networks, and applications for known vulnerabilities. These tools leverage databases of known threats and employ various scanning techniques to identify potential security weaknesses. The benefits of automated detection include:

1. Speed and Efficiency: Automated tools can quickly scan large volumes of data, significantly reducing the time needed to identify vulnerabilities.

2. Consistency: Automated processes eliminate the risk of human error, ensuring that every scan is thorough and consistent.

3. Continuous Monitoring: Many automated tools offer continuous monitoring capabilities, allowing organizations to detect vulnerabilities in real time.

However, automated tools are not without their limitations. They may not detect new or complex threats, and false positives can lead to wasted resources and effort.


Red Team Exercises:


Red team exercises involve ethical hackers, known as red teams, who simulate real-world cyber attacks on an organization's systems. These exercises aim to uncover vulnerabilities that automated tools might miss and provide a realistic assessment of the organization's security posture. The advantages of red team exercises include:

1. Real-World Scenarios: Red teams use the same tactics, techniques, and procedures as malicious hackers, providing a realistic assessment of the organization's defenses.

2. Human Ingenuity: Human testers can think creatively and adapt to different situations, identifying complex and hidden vulnerabilities.

3. Comprehensive Assessment: Red team exercises often reveal vulnerabilities in processes, people, and technologies that automated tools might overlook.

Recording and Prioritizing Vulnerabilities:

Once vulnerabilities are identified through automated tools or red team exercises, they need to be meticulously recorded and managed. This is typically done using a bugtrack Excel sheet, which includes details such as the vulnerability description, severity, affected systems, and potential impact.

The recorded vulnerabilities are then reviewed by human analysts who prioritize them based on their severity and potential impact on the organization.

This prioritization is crucial for effective vulnerability management, as it ensures that the most critical issues are addressed first. The analysts categorize vulnerabilities into three main levels:

1. High: These vulnerabilities pose a significant risk and require immediate attention. They could lead to severe data breaches or system compromises if exploited.

2. Medium: These vulnerabilities are less critical but still pose a risk that should be addressed promptly.

3. Low: These vulnerabilities are minor and can be addressed as resources allow.

Machine-Readable Vulnerability Reports and Automated Validation:

Once the vulnerabilities are prioritised and added to the bugtrack, it is essential to provide customers with the information in a machine-readable format. This enables seamless integration with their existing systems and allows for automated processing. The steps involved are:

1. Machine-Readable Format: The bugtrack data is converted into formats such as JSON or XML which can be easily read and processed by machines.

2. Customer Integration: Customers can integrate these machine-readable reports into their security information and event management (SIEM) systems or other security tools to streamline vulnerability management and remediation workflows.

3. Automated Remediation and Validation: After addressing the vulnerabilities, customers can use automated methods to validate the fixes. This involves re-scanning the systems with automated tools to ensure that the vulnerabilities have been effectively mitigated. The re-scan is driven by YAML templates written for the vulnerability scanning tool specifically for each recorded finding, and the scan output is then analyzed to determine whether each vulnerability has been fixed.

Network and Application Vulnerability Revalidation:

For network level vulnerabilities, revalidation can be done using the Security Content Automation Protocol (SCAP) or by automating the process using YAML/Nuclei vulnerability scanners.

These tools can efficiently verify that the identified network vulnerabilities have been patched and no longer pose a risk.

For application level vulnerabilities, SCAP is not suitable. Instead, the bugtrack system should have a feature to revalidate vulnerabilities using YAML/Nuclei scanners or validation scripts via tools like the Burp Suite Replicator plugin. These methods are more effective for confirming that application vulnerabilities have been properly addressed.
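As an added example of the pipeline described in the last two sections (this is not DARWIS or CySecurity Corp code), the Python below converts a constructed bugtrack export into a JSON report, parses constructed Nuclei JSONL re-scan output, and marks each finding open, fixed or unverified. The CSV columns and the Nuclei record field names ("template-id", "host", "matched-at", "info"."severity") are assumptions, and a finding whose template never ran in the re-scan is deliberately not reported as fixed.

```python
"""Bugtrack export -> machine-readable report -> Nuclei revalidation.

Added example, not DARWIS or CySecurity Corp code. Assumptions: the bugtrack
sheet is exported as CSV with the columns below, and the re-scan is Nuclei run
with -jsonl, whose records carry "template-id", "host", "matched-at" and
"info"."severity" (field names stated here as an assumption about Nuclei's
output). Every sample value below is constructed.
"""
import csv
import io
import json
from typing import Dict, List, Set, Tuple

# Constructed bugtrack export: one row per finding, as an analyst would record it.
BUGTRACK_CSV = """\
id,description,severity,affected_system,template_id,status
VULN-001,Exposed .git directory,high,https://app.example.test,git-config,open
VULN-002,Missing X-Frame-Options header,low,https://app.example.test,missing-x-frame-options,open
VULN-003,Weak TLS cipher suites,medium,https://api.example.test,weak-cipher-suites,open
"""

# Constructed Nuclei re-scan output (JSON lines). VULN-001 no longer matches,
# VULN-003 still matches, and an untracked finding appears on the app host.
NUCLEI_JSONL = "\n".join([
    json.dumps({"template-id": "weak-cipher-suites", "host": "https://api.example.test",
                "matched-at": "api.example.test:443", "info": {"severity": "medium"}}),
    "not json at all",  # constructed garbage line: the parser must skip it
    json.dumps({"template-id": "exposed-env-file", "host": "https://app.example.test",
                "matched-at": "https://app.example.test/.env", "info": {"severity": "high"}}),
])

# Templates that actually executed in the re-scan (the -t list). Nuclei only
# emits matches, so "absent from output" proves nothing for a template that never ran.
TEMPLATES_RUN = {"git-config", "weak-cipher-suites", "exposed-env-file"}

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def load_bugtrack(csv_text: str) -> List[Dict[str, str]]:
    """Parse the bugtrack sheet export into one dict per finding."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def build_report(findings: List[Dict[str, str]]) -> Dict:
    """Machine-readable report for the customer's SIEM: highest severity first."""
    ordered = sorted(findings, key=lambda f: SEVERITY_RANK.get(f["severity"].lower(), 0),
                     reverse=True)
    return {"schema": "bugtrack-report/1", "findings": ordered}


def parse_nuclei_jsonl(text: str) -> List[Dict]:
    """Parse Nuclei JSONL; skip blank or malformed lines instead of aborting the run."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "template-id" in rec:
            records.append(rec)
    return records


def revalidate(findings: List[Dict[str, str]], records: List[Dict],
               templates_run: Set[str]) -> Tuple[List[Dict[str, str]], List[Dict]]:
    """Set each finding to open / fixed / unverified from the re-scan, and return
    re-scan matches that are not in the bugtrack (regressions for the analyst to triage)."""
    matched = {(r["template-id"], r.get("host")) for r in records}
    tracked = set()
    updated = []
    for f in findings:
        key = (f["template_id"], f["affected_system"])
        tracked.add(key)
        if key in matched:
            status = "open"           # still detected: the fix did not work
        elif f["template_id"] in templates_run:
            status = "fixed"          # template ran and no longer matches
        else:
            status = "unverified"     # template never ran; do not claim it is fixed
        updated.append({**f, "status": status})
    untracked = [r for r in records if (r["template-id"], r.get("host")) not in tracked]
    return updated, untracked


if __name__ == "__main__":
    findings = load_bugtrack(BUGTRACK_CSV)
    print(json.dumps(build_report(findings), indent=2))
    updated, untracked = revalidate(findings, parse_nuclei_jsonl(NUCLEI_JSONL), TEMPLATES_RUN)
    for f in updated:
        print(f["id"], f["status"])
    for r in untracked:
        print("UNTRACKED", r["template-id"], r["matched-at"])
```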

Conclusion:

Combining automated vulnerability detection with red team exercises provides a comprehensive approach to identifying and mitigating security threats. Automated tools offer speed and consistency, while red teams bring creativity and real-world testing scenarios. Recording identified vulnerabilities in a bugtrack Excel sheet, providing machine-readable reports, and validating fixes through automated methods ensure that resources are effectively allocated to address the most pressing security issues.

By leveraging these methods, organizations can enhance their cybersecurity posture, protect sensitive data, and mitigate the risk of cyber attacks. As the threat landscape continues to evolve, staying proactive and vigilant in vulnerability management will remain essential for safeguarding digital assets.

The entire vulnerability monitoring with the automated machine-readable format for validating has been implemented in DARWIS VM module.

-----------
Suriya Prakash & Sabari Selvan
CySecurity Corp 
www.cysecuritycorp.com

Case Study: Implementing an Anti-Phishing Product and Take-Down Strategy


Introduction:

Phishing attacks have become one of the most prevalent cybersecurity threats, targeting individuals and organizations to steal sensitive information such as login credentials, financial data, and personal information. To combat this growing threat, a comprehensive approach involving the deployment of an anti-phishing product and an efficient take-down strategy is essential.

This case study outlines a generic framework for implementing such measures, with a focus on regulatory requirements mandating the use of locally sourced solutions and ensuring proper validation before take-down actions.


Challenge:

Organizations across various sectors, including finance, healthcare, and e-commerce, face persistent phishing threats that compromise data security and lead to financial losses. The primary challenge is to develop and implement a solution that can detect, prevent, and mitigate phishing attacks effectively while complying with regulatory requirements to use locally sourced cybersecurity products and ensuring that take-down actions are only executed when the organization is actually phished or imitated.


Objectives:

1. Develop an advanced anti-phishing product with real-time detection and response capabilities.

2. Establish a rapid and effective take-down process for phishing websites.

3. Ensure the anti-phishing product is sourced from a local provider to meet regulatory requirements.

4. Implement a policy where take-down actions are only taken when the organization is phished.


Solution:

A multi-faceted approach combining technology, processes, and education was adopted to address the phishing threat comprehensively.


1. Anti-Phishing Product Development

An advanced anti-phishing product from a local cybersecurity provider was developed with the following key features:

- Real-time Monitoring and Detection: Utilizing AI and machine learning algorithms to monitor email traffic, websites, and network activity for phishing indicators.

- Threat Intelligence Integration: Incorporating global threat intelligence feeds to stay updated on new phishing tactics and campaigns.

- Automated Detection of Brand Violations: Implementing capabilities to automatically detect the use of logos, brand names, and other identifiers indicative of phishing activities.

- Automated Response Mechanisms: Implementing automated systems to block phishing emails and malicious websites at the network level, while flagging suspicious sites for further review.

- User Alerts and Guidance: Providing immediate alerts to users when suspicious activities are detected, along with guidance on how to respond.


2. Phishing Website Take-Down Strategy

We developed a proactive approach to swiftly take down phishing websites, ensuring a balance between automation and human oversight, and validating the phishing activity before take-down:

- Rapid Detection Systems: Leveraging real-time monitoring tools to quickly identify phishing websites, especially those violating brand identities.

- Collaboration with ISPs and Hosting Providers: Establishing partnerships with internet service providers and hosting companies to expedite the take-down process.

- Human Review Process and Validation of Phishing Activity: Ensuring that no site is taken down without a human review to verify the phishing activity, preventing erroneous take-downs or rejections.

- Legal Measures: Employing legal actions such as cease-and-desist letters to combat persistent phishing sites.

- Dedicated Incident Response Team: Forming a specialized team to handle take-down requests and ensure timely removal of malicious sites, following human verification.


Results:

1. Reduction in Phishing Incidents: Organizations reported a significant decrease in successful phishing attempts due to the enhanced detection and response capabilities of the locally sourced anti-phishing product.

2. Efficient Phishing Site Take-Downs: The majority of reported phishing websites were taken down within 24 hours, following human review and validation of phishing activity, minimizing the potential impact of phishing attacks.


Conclusion:

The implementation of an advanced, locally sourced anti-phishing product, combined with a robust take-down strategy and comprehensive educational initiatives, significantly enhances the cybersecurity posture of organizations. By adopting a multi-faceted approach that leverages technology, collaborative efforts, and user education, while ensuring compliance with regulatory requirements to use local solutions and validating phishing activity before take-down actions, organizations can effectively mitigate the risks posed by phishing attacks. This case study underscores the importance of an integrated strategy, ensuring automated systems are complemented by human oversight, in protecting against the ever-evolving threat of phishing.


By

Suriya Prakash & Sabari Selvan

CySecurity Corp

IBM's Exit from Cybersecurity Software Shakes the Industry



In an unexpected move that has disrupted the cybersecurity equilibrium, IBM has announced its exit from the cybersecurity software market by selling its QRadar SaaS portfolio to Palo Alto Networks. This development has left many Chief Information Security Officers (CISOs) rethinking their procurement strategies and vendor relationships as they work to rebuild their Security Operations Centers (SOCs).

IBM's QRadar Suite: A Brief Overview

The QRadar Suite, rolled out by IBM in 2023, included a comprehensive set of cloud-native security tools such as endpoint detection and response (EDR), extended detection and response (XDR), managed detection and response (MDR), and key components for log management, including security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms. The suite was recently expanded to include on-premises versions based on Red Hat OpenShift, with plans for integrating AI capabilities through IBM's Watsonx AI platform.

The agreement, expected to close by the end of September, also designates IBM Consulting as a "preferred managed security services provider (MSSP)" for Palo Alto Networks customers. This partnership will see the two companies sharing a joint SOC, potentially benefiting customers looking for integrated security solutions.

Palo Alto Networks has assured that feature updates and critical fixes will continue for on-premises QRadar installations. However, the long-term support for these on-premises solutions remains uncertain.

Customer Impact and Reactions

The sudden divestiture has taken the cybersecurity community by surprise, particularly given IBM's significant investment in transforming QRadar into a cloud-native platform. Eric Parizo, managing principal analyst at Omdia, noted the unexpected nature of this move, highlighting the substantial resources IBM had dedicated to QRadar's development.

Customers now face a critical decision: migrate to Palo Alto's Cortex XSIAM platform or explore other alternatives. Omdia's research indicates that IBM's QRadar was the third-largest next-generation SIEM provider, trailing only Microsoft and Splunk (now part of Cisco). The sudden shift has left many customers seeking clarity and solutions.

Market Dynamics

This acquisition comes at a pivotal time in the cybersecurity industry, with SIEM, SOAR, and XDR technologies increasingly converging into unified SOC platforms. Major players like AWS, Microsoft, Google, CrowdStrike, Cisco, and Palo Alto Networks are leading this trend. Just before IBM's announcement, Exabeam and LogRhythm revealed their merger plans, aiming to combine their SIEM and user and entity behaviour analytics (UEBA) capabilities.

Forrester principal analyst Allie Mellen pointed out that IBM's QRadar lacked a fully-fledged XDR offering, focusing more on EDR. This gap might have influenced IBM's decision to divest QRadar.

For Palo Alto Networks, acquiring QRadar represents a significant boost. The company plans to integrate QRadar's capabilities with its Cortex XSIAM platform, known for its automation and MDR features. While Palo Alto Networks has made rapid advancements with Cortex XSIAM, analysts like Parizo believe it still lacks the maturity and robustness of IBM's QRadar.

Palo Alto Networks intends to offer free migration paths to its Cortex XSIAM for existing QRadar SaaS customers, with IBM providing over 1,000 security consultants to assist with the transition. This free migration option will also extend to "qualified" on-premises QRadar customers.

The long-term prospects for QRadar SaaS under Palo Alto Networks remain unclear. Analysts suggest that the acquisition aims to capture QRadar's customer base rather than sustain the product. As contractual obligations expire, customers will likely need to transition to Cortex XSIAM or consider alternative vendors.

A notable aspect of the agreement is the incorporation of IBM's Watsonx AI into Cortex XSIAM, which will enhance its Precision AI tools. Gartner's Avivah Litan highlighted IBM's strong AI capabilities, suggesting that this partnership could benefit both companies.

In conclusion, IBM's exit from the cybersecurity software market marks a paradigm shift, prompting customers to reevaluate their security strategies. As Palo Alto Networks integrates QRadar into its offerings, the industry will closely watch how this transition unfolds and its impact.

AI Enables the Return of Private Cloud

 

Private cloud providers may be among the primary winners of today's generative AI gold rush, as CIOs are reconsidering private clouds, whether on-premises or hosted by a partner, after previously dismissing them in favour of public clouds. 

At the heart of this trend is a growing recognition that in order to handle AI workloads while keeping costs under control, organisations will eventually rely on a hybrid mix of public and private cloud. 

"With how fast things are changing in the data and cloud space, we believe in a hybrid model of cloud and data centre strategy," claims Jim Stathopoulos, SVP and CIO of Sun Country Airlines, who joined the regional airline from United Airlines in early 2023 and acquired a Microsoft Azure cloud infrastructure and Databricks AI platform, but is open to future IT decisions.

Controlling escalating cloud and AI expenses and minimising data leakage are the primary reasons why organisations are considering hybrid infrastructure as their AI solution. Most experts agree that most IT leaders will need to choose a hybrid approach that includes on-premises or co-located private clouds to provide cost control and data integrity in the face of AI's resource requirements and critical business concerns about its deployment. 

According to IDC's top cloud analyst, Dave McCarthy, private cloud platforms such as Dell APEX and HPE GreenLake, which provide generative AI capabilities, as well as co-locating with partners such as Equinix to host workloads in private clouds, could provide a solution to enterprise customers. 

“The excitement and related fears surrounding AI only reinforces the need for private clouds. Enterprises need to ensure that private corporate data does not find itself inside a public AI model,” McCarthy notes. “CIOs are working through how to leverage the most of what LLMs can provide in the public cloud while retaining sensitive data in private clouds that they control.” 

Generative AI changes the cloud calculus 

Somerset Capital Group is one company that has chosen to go private to run its ERP software and pave the path for generative AI. The Milford, Conn.-based financial services corporation moved data to the public cloud over a decade ago and will continue to add workloads, particularly for customer-centric apps. Somerset's EVP and CIO, Andrew Cotter, believes that the company's important data, as well as any future generative AI data, will most likely run on its new hosted private cloud. 

"As we are testing and dipping our toes in the water with AI, we are choosing to keep that as private as possible," he says, noting that while the public cloud provides the horsepower needed for many LLMs today, his firm has the option of adding GPUs if needed via its privately owned Dell equipment. "You don't want to make a mistake and have it ingested or used in another model. We're maintaining tight control and storing it in the private cloud." 

Todd Scott, senior vice president of Kyndryl US, recognises that AI and cost are the main factors driving organisations to private clouds. 

Buying into the private cloud

Analysts believe that private cloud spending is on the rise. According to Forrester's Infrastructure Cloud Survey in 2023, 79% of the almost 1,300 enterprise cloud decision-makers polled said their companies are developing internal private clouds that will include virtualization and private cloud management. Some 31% of respondents are creating internal private clouds using hybrid cloud management technologies such as software-defined storage and API-consistent hardware to make the private cloud behave more like the public cloud, Forrester added.

IDC predicts that global spending on private, dedicated cloud services, which comprise hosted private cloud and dedicated cloud infrastructure as a service, would reach $20.4 billion in 2024 and more than double by 2027. According to IDC, global spending on enterprise private cloud infrastructure, which includes hardware, software, and support services, will reach $51.8 billion in 2024 and $66.4 billion in 2027. 

While those figures pale in comparison to the public cloud's projected $815.7 billion in 2024, IDC's McCarthy views hybrid cloud architecture as the future for most organisations in this space. According to McCarthy, the introduction of turnkey private cloud products from HPE and Dell provides customers with a private cloud that can be run on-premises or in a co-location facility that offers managed services. Private clouds may also help organisations better control their overall cloud costs, but he emphasises that both have benefits as well as drawbacks. 

“Enterprises are in a bit of a pickle with this,” McCarthy added. “Security concerns are what is driving them to private cloud, but the specialised hardware required to do large-scale AI is expensive and requires extensive power and cooling. This is a problem that companies like Equinix believe they can help solve, by allowing enterprises to build a private cloud in Equinix datacenters that are already equipped to handle this type of infrastructure.”

Microsoft Revamps Security Leadership, Empowering Deputy CISOs

Following a series of major security breaches, Microsoft is making changes to its security practices, organizational structure, and executive compensation, as government leaders and major customers increasingly pressure the company to address the issue.

A portion of the company's senior executive compensation will be tied to progress towards security goals, according to the company. Each product group will be headed by a deputy chief information security officer (CISO), and teams from the company's major platforms and product teams will be brought together in "engineering waves" to revamp security procedures. 

A new team of deputy chief information security officers has been set up by Microsoft in response to blistering criticism from federal officials in April about the lack of security governance. They will be embedded within engineering as part of a sweeping new security governance framework that has been implemented by Microsoft. 

Redmond will tie "part of the compensation of its Senior Leadership Team to our progress toward meeting the security milestones and plans that we set forth for the company," Microsoft security chief Charlie Bell announced on May 2. A spokesperson for Bell, Microsoft's Executive Vice President of Security, has mentioned on LinkedIn that Microsoft's Secure Future Initiative is part of the decision to restructure the company's security leadership. 

The Secure Future Initiative was introduced by Microsoft in November to boost the security of its wide range of software products. Igor Tsyganskiy, who has a long-standing role at the company, will be transitioning from his long-term role of Chief Security Adviser, according to a blog post published on December 5. 

According to Bell, Tsyganskiy is expected to assume the role of CISO in the New Year, becoming the company's new chief information security officer. Microsoft spokespersons said that Ann Johnson, a long-time corporate vice president at the company, will add the title of deputy CISO for customer outreach and regulated industries as a result of the changes. 

Bloomberg first reported the changes regarding Microsoft's security chiefs. Johnson will be responsible for scaling customer engagement and communication about Microsoft's security. A new role for Microsoft CISO Igor Tsyganskiy will be devoted to nation-state actors and threat hunting. 

The changes follow findings reported by the Cyber Safety Review Board in early April, which heavily criticized the company's response to the hack of Microsoft Exchange Online in the summer of 2023 and led to renewed scrutiny of Microsoft. The board pointed out that the attack -- in which 60,000 emails from the State Department were stolen and Gina Raimondo's account was hacked -- was entirely preventable, and criticized the company for prioritizing product development and features over security for its customers. 

The Cybersecurity and Infrastructure Security Agency has issued mitigation guidance to key federal agencies following a separate attack by the Russia-linked threat group Midnight Blizzard, in which credentials and source code were stolen. 

Compared to recent announcements from other organizations that have appointed business information security officers, Jess Burn, principal analyst at Forrester, said the Microsoft announcements were necessary steps. Tsyganskiy previously served as Chief Technology Officer at Bridgewater Associates LP, an investment firm that serves institutional clients such as pension funds, endowments, foundations, foreign governments, and central banks. 

Tsyganskiy has also served as a Senior Vice President of Product Management and Head of SAP SE's Advanced Technology Group, and previously as a Senior Vice President of Product Management at Salesforce Inc., where he led its Advanced Technology Group. With the advent of technologies such as artificial intelligence (AI), which must be developed with a strong focus on cybersecurity, Microsoft is becoming more optimistic about the development of these technologies. 

There is a commitment to reducing vulnerabilities within Microsoft's product ecosystem that sits at the core of the Secure Future Initiative. To minimize the risk of specific bugs that may be exploited by cyber attackers, the company plans to increase the use of memory-safe programming languages, such as Java, C#, and Python. 

Microsoft has also announced that it will use CodeQL, an open-source tool developed by GitHub, for automated code vulnerability scanning, as well as streamlining its threat modeling procedures. Microsoft plans to double the speed at which it fixes security flaws in its cloud services, accelerating the deployment of security patches by incorporating a remediation methodology called dSDL, which is based on continuous integration and continuous delivery software.  

The report called for the CEO and board to be directly and closely in charge of all security initiatives, and noted that all senior leaders should be held accountable for ensuring that the necessary changes are implemented as soon as possible. After the report was released, Senator Ron Wyden of Oregon cited Microsoft's "shambolic cybersecurity practices" as a reason to reduce the U.S. government's reliance on Microsoft software.

Bell wrote that Microsoft has decided to incorporate the CSRB's recommendations, as well as lessons learned from high-profile cyberattacks, into the changes announced Friday. Microsoft also announced on Friday that it would change the compensation of the company's senior leaders, the top executives who report directly to Satya Nadella. 

However, the company did not indicate how much of their compensation would be based on their security credentials. On the company's quarterly earnings call last week, Nadella hinted at these changes, saying the company would "put security before all else, before all other features and investments," and adding that security will be a top priority. On Friday morning, Nadella released an internal memo that elaborated on the themes presented in Bell's public blog post, delivering a directive to employees.

Offensive Security Necessitates a Data-driven Approach for CISOs

 

There remains a significant disparity in the resources allocated to defensive versus offensive cybersecurity technologies. When comparing the return on investment (ROI) of defensive and offensive investments, security experts have found that offensive security routinely outperforms defensive security. For example, penetration testing not only identifies vulnerabilities but also addresses and closes the potential points of entry for attackers. 

This recognition should drive organisations and their security leaders to consider why there is so little investment in offensive security solutions. Many CISOs recognise a clear market gap in offensive security tactics, with acquired tooling fatigue unable to satisfy the changing needs of modern enterprises. CISOs must now look into how a data-driven approach may generate a proven ROI for each offensive security expenditure they make. 

Data science and cybersecurity: A powerful duo

In an era of digital transformation and networked systems, cybersecurity incidents have increased tremendously. Businesses face a slew of dangers, including unauthorised access and malware attacks. To tackle this, data science may give analytics that assist security leaders in making informed decisions about their cyber resiliency plans and tactics. 

Data analytics, whether powered by security providers and in-house technology like AI/ML or threat intelligence feeds, entails identifying patterns and insights from cybersecurity data, generating data-driven models, and developing intelligent security systems. By analysing relevant data sources from security testing across assets, systems, customers, and industries (including network activity, database logs, application behaviour, and user interactions), they may deliver actionable intelligence to secure their assets.

However, the most significant component of data analytics is that it improves data-driven decision-making by giving much-needed context and proof behind user behaviours, whether authorised or unauthorised.

Data-Driven Decision Making in Offensive Security

Data-driven decision-making is the foundation for effective offensive security. Here's how it takes place.

• Threat Intelligence: Data analytics allows organisations to gather, process, and analyse threat intelligence. Defenders obtain real-time insights from monitoring indicators of compromise (IoCs), attack patterns, and vulnerabilities. These findings inform proactive steps like fixing key vulnerabilities and modifying security rules. 

• Behavioural analytics: Understanding user behaviour is critical. Data-driven models detect anomalies and highlight questionable activities. For example, unexpected spikes in data exfiltration or atypical login patterns will prompt an alarm. Behavioural analytics can also help uncover insider threats, which are becoming increasingly prevalent. 
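The two signals named above, egress spikes and atypical login patterns, as a small detection routine. This is an added illustration, not code from the original article: it learns a per-user baseline from constructed key=value log lines and reports why a new event deviates. The log format, the field names (user, country, hour, egress_bytes) and the three-sigma-with-floor spike rule are assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// Event is one parsed line of a constructed key=value log (not a vendor schema).
type Event struct {
	User, Country string
	Hour          int
	Bytes         float64
}

// ParseEvent parses e.g. "user=alice country=US hour=9 egress_bytes=100000".
func ParseEvent(line string) (Event, error) {
	var e Event
	var err error
	for _, kv := range strings.Fields(line) {
		k, v, _ := strings.Cut(kv, "=")
		switch k {
		case "user":
			e.User = v
		case "country":
			e.Country = v
		case "hour":
			e.Hour, err = strconv.Atoi(v)
		case "egress_bytes":
			e.Bytes, err = strconv.ParseFloat(v, 64)
		}
		if err != nil {
			return e, fmt.Errorf("bad field %q: %w", kv, err)
		}
	}
	return e, nil
}

// Baseline is "normal" for one user: egress mean, the spike threshold, and the countries and login hours seen.
type Baseline struct {
	Mean, Threshold float64
	Countries       map[string]bool
	Hours           map[int]bool
}

func BuildBaselines(history []Event) map[string]*Baseline {
	samples := map[string][]float64{}
	out := map[string]*Baseline{}
	for _, e := range history {
		if out[e.User] == nil {
			out[e.User] = &Baseline{Countries: map[string]bool{}, Hours: map[int]bool{}}
		}
		out[e.User].Countries[e.Country] = true
		out[e.User].Hours[e.Hour] = true
		samples[e.User] = append(samples[e.User], e.Bytes)
	}
	for u, xs := range samples {
		var sum, sq float64
		for _, x := range xs {
			sum += x
			sq += x * x
		}
		n := float64(len(xs))
		mean := sum / n
		std := math.Sqrt(math.Max(0, sq/n-mean*mean))
		// Spike threshold: mean + 3 sigma, floored at 10% of the mean so that a
		// near-constant history cannot alert on noise.
		out[u].Mean, out[u].Threshold = mean, mean+3*math.Max(std, mean/10)
	}
	return out
}

// Score returns the reasons an event deviates from its user's baseline; an empty result means nothing anomalous.
func Score(baselines map[string]*Baseline, e Event) []string {
	b := baselines[e.User]
	if b == nil {
		return []string{"no baseline for user " + e.User}
	}
	var reasons []string
	if e.Bytes > b.Threshold {
		reasons = append(reasons, fmt.Sprintf("egress spike: %.0f bytes > %.0f", e.Bytes, b.Threshold))
	}
	if !b.Countries[e.Country] {
		reasons = append(reasons, "login from previously unseen country "+e.Country)
	}
	if !b.Hours[e.Hour] {
		reasons = append(reasons, fmt.Sprintf("atypical login hour %02d", e.Hour))
	}
	return reasons
}

func main() {
	// Constructed sample: alice's recent history, then one event that should alert on all three rules.
	bl := BuildBaselines([]Event{{"alice", "US", 9, 100000}, {"alice", "US", 10, 110000}, {"alice", "US", 9, 95000}, {"alice", "US", 11, 105000}, {"alice", "US", 10, 102000}})
	e, _ := ParseEvent("user=alice country=RO hour=3 egress_bytes=900000")
	fmt.Println(Score(bl, e))
}
```

The floor on the standard deviation matters in practice: a user whose egress is almost constant would otherwise alert on every small fluctuation. Baselines should be rebuilt on a rolling window so that a slowly growing legitimate workload does not turn into a permanent alert, and the reasons returned by Score are what an analyst needs to decide whether the deviation is an incident or a new normal.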

Challenges and future directions 

While data analytics can boost offensive security and decision-making, major challenges persist. Data quality is critical for accurate and actionable intelligence; as the phrase goes, "Garbage in, garbage out." Balancing privacy and ethics can also be difficult, but because security testing data should be free of PII, the primary focus should not be on that but on intelligence that can help make better decisions.

Ultimately, offensive security practitioners must anticipate adversary attacks. However, the future seems promising, as data analytics can propel offensive security as a viable and evidence-based strategy. With analytics, security executives can proactively defend against attacks. As threats develop, so should our data-driven defences.

Enterprise AI Adoption Raises Cybersecurity Concerns

Enterprises are rapidly embracing Artificial Intelligence (AI) and Machine Learning (ML) tools, with transactions skyrocketing by almost 600% in less than a year, according to a recent report by Zscaler. The surge, from 521 million transactions in April 2023 to 3.1 billion monthly by January 2024, underscores a growing reliance on these technologies. However, heightened security concerns have led to a 577% increase in blocked AI/ML transactions, as organisations grapple with emerging cyber threats.

The report highlights the evolving tactics of cyber attackers, who now exploit AI tools such as large language models (LLMs) to infiltrate organisations covertly. Adversarial AI, a form of AI designed to bypass traditional security measures, poses a particularly stealthy threat.

Concerns about data protection and privacy loom large as enterprises integrate AI/ML tools into their operations. Industries such as healthcare, finance, insurance, services, technology, and manufacturing are at risk, with manufacturing leading in AI traffic generation.

To mitigate risks, many Chief Information Security Officers (CISOs) opt to block a record number of AI/ML transactions, although this approach is seen as a short-term solution. The most commonly blocked AI tools include ChatGPT and OpenAI, while domains like Bing.com and Drift.com are among the most frequently blocked.

However, blocking transactions alone may not suffice in the face of evolving cyber threats. Leading cybersecurity vendors are exploring novel approaches to threat detection, leveraging telemetry data and AI capabilities to identify and respond to potential risks more effectively.

CISOs and security teams face a daunting task in defending against AI-driven attacks, necessitating a comprehensive cybersecurity strategy. Balancing productivity and security is crucial, as evidenced by recent incidents like vishing and smishing attacks targeting high-profile executives.

Attackers increasingly leverage AI in ransomware attacks, automating various stages of the attack chain for faster and more targeted strikes. Generative AI, in particular, enables attackers to identify vulnerabilities and exploit them with greater efficiency, posing significant challenges to enterprise security.

Taking into account these advancements, enterprises must prioritise risk management and enhance their cybersecurity posture to combat the dynamic AI threat landscape. Educating board members and implementing robust security measures are essential in safeguarding against AI-driven cyberattacks.

As institutions deal with the complexities of AI adoption, ensuring data privacy, protecting intellectual property, and mitigating the risks associated with AI tools become paramount. By staying vigilant and adopting proactive security measures, enterprises can better defend against the growing threat posed by these cyberattacks.

Here's Why Tracking Everything on the Dark Web Is Vital

 

Today, one of the standard cybersecurity tools is to constantly monitor the Dark Web - the global go-to destination for criminals - for any clues that the trade secrets and other intellectual property belonging to the organisation have been compromised. 

The issue lies in the fact that the majority of chief information security officers (CISOs) and security operations centre (SOC) managers generally assume that any discovery of sensitive company data indicates that their enterprise systems have been successfully compromised. That's what it might very well mean, but it could also mean a hundred different things. The data may have been stolen from a supply chain partner, a corporate cloud site, a shadow cloud site, an employee's home laptop, a corporate backup provider, a corporate disaster recovery firm, a smartphone, or even a thumb drive that was pilfered from a car.

When dealing with everyday intellectual property, such as consumer personally identifiable information (PII), healthcare data, credit card credentials, or designs for a military weapons system, knowing that some version of it has been acquired is useful. However, it is nearly impossible to know what to do unless the location, timing, and manner of the theft are known. 

In some cases, the answer could be "nothing." Consider some of your system's most sensitive files, including API keys, access tokens, passwords, encryption/decryption keys, and access credentials. If everything is carefully recorded and logged, your team may find that the discovered Dark Web secrets have already been systematically deleted. There would be no need for any further move.

Getting the info right

Most CISOs recognise that discovering secrets on the Dark Web indicates that they have been compromised. However, in the absence of correct details, they frequently overreact — or improperly react — and implement costly and disruptive modifications that may be entirely unnecessary. 

This could even include relying on wrong assumptions to make regulatory compliance disclosures, such as the European Union's General Data Protection Regulation (GDPR) and the Securities and Exchange Commission's (SEC) cybersecurity obligations. This has the potential to subject the organisation to stock drops and compliance fines that are avoidable. 

Establishing best practices

You must keep a tightly controlled inventory of all of your secrets, including intricate and meticulous hashing techniques to trace all usage and activity. This is the only way to keep track of all activity involving your machine credentials in real time. If you do this aggressively, you should be able to detect a stolen machine credential before it reaches the Dark Web and is sold to the highest bidder.
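The secret inventory described above, as an added example that is not from the original post: only a keyed fingerprint (HMAC-SHA256) of each machine credential is stored, together with the system and owner that use it and whether it has been rotated. Strings pulled from a leak dump can then be triaged into "active" (a live credential of ours is exposed, and the record says which system leaked it), "revoked" (already rotated, so no further move is needed) or "unknown" (not in the inventory). The record fields, the status names, the HMAC key and the sample tokens are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Record says where a machine credential lives and whether it is still live.
// The credential value itself is never stored.
type Record struct {
	System  string    // system that issued or uses the secret
	Owner   string    // team accountable for rotating it
	Issued  time.Time // when it was minted
	Revoked bool      // true once it has been rotated or deleted everywhere
}

// Inventory maps fingerprint -> Record. Fingerprints are HMAC-SHA256 under a
// key held apart from the inventory, so a leaked inventory cannot be reversed
// offline the way a plain SHA-256 table of short tokens could be.
type Inventory struct {
	key     []byte
	records map[string]Record
}

func NewInventory(hmacKey []byte) *Inventory {
	return &Inventory{key: hmacKey, records: map[string]Record{}}
}

// Fingerprint returns the hex HMAC-SHA256 of a secret under the inventory key.
func (inv *Inventory) Fingerprint(secret string) string {
	mac := hmac.New(sha256.New, inv.key)
	mac.Write([]byte(secret))
	return hex.EncodeToString(mac.Sum(nil))
}

// Add registers a live secret at issuance time; only its fingerprint is kept.
func (inv *Inventory) Add(secret string, r Record) {
	inv.records[inv.Fingerprint(secret)] = r
}

// Revoke marks a secret as rotated; it reports false if the secret is unknown.
func (inv *Inventory) Revoke(secret string) bool {
	fp := inv.Fingerprint(secret)
	r, ok := inv.records[fp]
	if !ok {
		return false
	}
	r.Revoked = true
	inv.records[fp] = r
	return true
}

// Finding is the triage verdict for one string pulled from a leak dump.
type Finding struct {
	Status string // "active", "revoked" or "unknown"
	Record Record // zero value when Status is "unknown"
}

// Triage classifies each leaked value against the inventory. "active" means a
// live credential of ours is exposed and the named system and owner must
// rotate it now; "revoked" means it was already rotated and only the timeline
// needs noting; "unknown" means it is not in the inventory (not ours, or untracked).
func (inv *Inventory) Triage(leaked []string) []Finding {
	out := make([]Finding, 0, len(leaked))
	for _, s := range leaked {
		r, ok := inv.records[inv.Fingerprint(s)]
		switch {
		case !ok:
			out = append(out, Finding{Status: "unknown"})
		case r.Revoked:
			out = append(out, Finding{Status: "revoked", Record: r})
		default:
			out = append(out, Finding{Status: "active", Record: r})
		}
	}
	return out
}

func main() {
	// Constructed sample data: the key, secrets and systems are placeholders.
	inv := NewInventory([]byte("inventory-hmac-key-PLACEHOLDER"))
	issued := time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC)
	inv.Add("svc-token-constructed-001", Record{System: "ci-runner", Owner: "platform", Issued: issued})
	inv.Add("svc-token-constructed-002", Record{System: "backup-agent", Owner: "storage", Issued: issued})
	inv.Revoke("svc-token-constructed-002")
	dump := []string{"svc-token-constructed-001", "svc-token-constructed-002", "not-one-of-ours"}
	for i, f := range inv.Triage(dump) {
		fmt.Printf("item %d: %-8s system=%q owner=%q\n", i, f.Status, f.Record.System, f.Record.Owner)
	}
}
```

A keyed hash rather than a plain SHA-256 is deliberate: short tokens and passwords have little entropy, so a plain-hash inventory that itself leaked would be brute-forceable, whereas the HMAC key can be kept apart from the inventory. Applying the same Fingerprint at the points where credentials are used (proxy logs, CI runners, backup agents) yields the real-time usage trail the text calls for, without those logs ever containing the secret.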

Another good strategy is to regularly attack the Dark Web — and other evil-doers' dens — with false files to add a lot of noise to the mix. Some discriminating bad guys may avoid your data totally if they are unsure if it is genuine or not.

AI's Dark Side: Splunk Report Forecasts Troubled Trends in Privacy and Security

There is no doubt that AI is going to be very beneficial to security professionals, but cybercriminals will be looking for ways to harness the power of AI to their advantage as well. As bad actors push artificial intelligence to new extremes, Splunk's Security Predictions 2024 report predicts that it will certainly expand organisations' attack surfaces. 

As a result of the advancement of artificial intelligence, malicious actors will have a better chance of enhancing their portfolios and strategies. New threats are anticipated to emerge in 2024, with a new wave of attack methods spawning not only from artificial intelligence but also from the robust adoption of 5G in India.

As a result, cybercriminals will have more opportunities to exploit an already wide attack surface, according to Robert Pizzari, Group Vice President, Strategic Advisor, Asia Pacific, Splunk. Among the key trends in security and observability that Splunk has identified for 2024 are the following: 

It is anticipated that, by 2024, CISOs will also have more at stake due to an increasingly stringent, complex, and difficult-to-navigate regulatory environment. According to the State of Security 2023, 79% of line-of-business stakeholders see the security team as either a trusted resource for information or as one of the most critical enablers of the organisation's mission. 

A recent Splunk report found that 86% of security leaders believe that generative AI will help alleviate skill gaps and talent shortages. AI will take on security tasks, becoming more of a virtual assistant that handles the repetitive, mundane, and labour-intensive tasks that need not be performed by hand. 

While the majority of people are excited about AI, they are also nervous, and CIOs and CTOs will feel the pressure to get more from less in this year's budget, making it the year of mindful budgets and massive disruption. With artificial intelligence, users can better understand what's going on in an environment by detecting and identifying anomalies. 

However, it would not replace manual troubleshooting. Many companies are going to use artificial intelligence to detect anomalies first, then move on to investigation and respond automatically. 

Automated remediation is something people can expect to see shortly. It has also become apparent that observability can be a meaningful signal for security operations.

A significant number of vendors sell security products separately from one another, and the lack of interoperability between their products is often a cause of frustration for customers. There's no question that a DevSecOps mindset will lead the organisation, whether it's big or small, towards digital resilience, no matter if the servers are in the cloud or in the back corner of your garage.

The Convergence of CIO and CISO Roles in the Digital Age

As businesses embrace the cloud, software-as-a-service (SaaS), and remote work, a million-dollar question arises: How will these roles evolve? The answer seems as complex as the myriad factors influencing it – company size, industry, culture, existing organizational charts, and future digital transformation plans, to name a few. Some advocate maintaining the status quo, while others propose a more specialized split between a business-oriented executive focused on risk management and compliance, and a technical executive honing in on threat prevention and response.

Regardless of the path chosen, the crux of the matter remains – the imperative need for collaboration and alignment between CIOs and CISOs. In a world where successful digital transformation is contingent upon the delicate balance between innovation and security, these IT leaders find themselves at the forefront, shaping the future of businesses large and small. This article delves into the intricacies of this new development, shedding light on the collaborative journey of CIOs and CISOs as they navigate the ever-changing currents of technology and cybersecurity.

About two decades ago, CIOs primarily focused on managing an organization's IT infrastructure and applications. However, with the rise of digital transformation, cloud computing, and remote work, their role has shifted. Today, CIOs act as brokers of IT services, concentrating on how technology can drive innovation and effectively managing resources.

Concurrently, the profile of CISOs has been on the rise, fueled by compliance mandates, data breaches, and emerging cybersecurity threats. Compliance requirements such as HIPAA, PCI DSS, GDPR, and SOC 2 have played a dual role – increasing the visibility and budgets for cybersecurity teams but often falling short in addressing sophisticated threats like phishing and ransomware.

The growing importance of digital security at the board level has prompted CIOs, traditionally the voice of digital matters, to delve deeper into understanding cybersecurity. This trend blurs the lines between the roles of CIOs and CISOs.

Enter digital transformation, offering an opportunity to enhance cybersecurity. Despite some skepticism about its promises, digital transformation has necessitated closer collaboration between CIOs and CISOs. While CIOs continue to guide the ship, CISOs have become proactive partners, deeply involved in operational decision-making from the outset.

As companies embrace the cloud, software-as-a-service (SaaS), and remote work, the question arises – how will these roles evolve? The answer is not straightforward and depends on various factors like company size, industry, culture, and existing IT setup. Some suggest maintaining the status quo, while others propose splitting the roles into a business-oriented executive focusing on risk management and compliance, and a more technical executive concentrating on threat prevention and response.

Regardless of the direction these roles take, the overarching theme is the critical need for collaboration and alignment between CIOs and CISOs for successful digital transformation. This synergy is essential not only during the transformation process but also for navigating the evolving cybersecurity landscape.

In essence, the traditional boundaries between CIOs and CISOs are fading, giving way to a collaborative approach that acknowledges the intertwined nature of technology and cybersecurity. As companies navigate this evolution, the success of their digital transformation hinges on the ability of these IT leaders to work hand-in-hand, ensuring a secure and innovative future for businesses of all sizes.

This transformative shift emphasises the importance of simplifying and strengthening the relationship between CIOs and CISOs, creating a united front against the ever-growing challenges of the digital age.


Enhancing API Security: CSPF's Contribution to Wallarm's Open-Source Project

 

In the ever-evolving landscape of digital security, the Cyber Security & Privacy Foundation (CSPF) remains a beacon of innovation and support. Our mission extends beyond mere advocacy for cybersecurity; we actively enhance the tools that fortify our digital world. A testament to this commitment is our recent focus on Wallarm's API Firewall, a robust tool designed to protect APIs from emerging cyber threats. 
 
Our journey with Wallarm's API Firewall began with a simple yet powerful intention: to make this tool not just effective but also adaptable to the stringent requirements of B2B and high-security environments. In doing so, we embarked on a path that not only led us to add new functionalities but also to discover and rectify hidden vulnerabilities. 
 
Introducing the AllowedIPList Feature and Addressing the Denylist Bug 
 
The new feature we introduced, the AllowedIPList, restricts API access to a set of pre-approved IP addresses or networks. This is an essential requirement for business-to-business integrations and high-security domains, where the legitimate callers are known in advance. The list ensures that only authorised machines can reach the API at all, adding a network-layer control that complements, rather than replaces, authentication of each request. 
 
While working on this, we encountered a critical bug in the existing Denylist feature. The Denylist is designed to block requests that present compromised API keys, cookies or tokens. Because of an error in its cache implementation, entries shorter than 53 characters failed to be added to the list, so a revoked credential of that length continued to be accepted. This mattered most for short credentials such as HTTP basic authentication values and session cookies.  
 
Our team promptly fixed this issue, ensuring that the Denylist functions as intended regardless of entry length. The resolution of this bug, alongside the implementation of the AllowedIPList, marked a significant enhancement in the API Firewall's security capabilities. 
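The two changes described above, as an added example written for this page in Go (the language the API Firewall is written in) rather than taken from CSPF's fork or Wallarm's code base: an allowlist that accepts single addresses and CIDR ranges, a denylist keyed by the full credential string so entry length plays no role, and a policy function plus handler wrapper that apply both. The names `AllowedIPList`, `Denylist`, `Decide` and `Protect`, the `Bearer` header handling and the sample addresses and token are this example's own assumptions.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
)

// AllowedIPList holds the pre-approved client networks. Single addresses
// are stored as /32 or /128 networks so one code path serves both forms.
type AllowedIPList struct {
	nets []*net.IPNet
}

// NewAllowedIPList parses entries such as "203.0.113.10" or "10.0.0.0/8".
// Hypothetical constructor written for this example, not the project's API.
func NewAllowedIPList(entries []string) (*AllowedIPList, error) {
	l := &AllowedIPList{}
	for _, e := range entries {
		e = strings.TrimSpace(e)
		if e == "" {
			continue
		}
		if !strings.Contains(e, "/") {
			ip := net.ParseIP(e)
			if ip == nil {
				return nil, fmt.Errorf("invalid IP address %q", e)
			}
			bits := 32
			if ip.To4() == nil {
				bits = 128
			}
			e = fmt.Sprintf("%s/%d", ip.String(), bits)
		}
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q: %w", e, err)
		}
		l.nets = append(l.nets, n)
	}
	return l, nil
}

// Allowed reports whether ip falls inside any configured network.
func (l *AllowedIPList) Allowed(ip net.IP) bool {
	for _, n := range l.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Denylist is the set of revoked credential values. Keying a map by the
// full string means a 4-character cookie and a 64-character JWT are looked
// up identically; nothing in the path depends on the entry's length.
type Denylist map[string]struct{}

func (d Denylist) Contains(v string) bool { _, ok := d[v]; return ok }

// Decide applies the policy: the allowlist decides whether the caller may
// talk to the API at all, then the denylist rejects revoked bearer tokens.
// The peer address comes from the TCP connection, not X-Forwarded-For,
// which an unauthenticated caller can set to anything.
func Decide(allow *AllowedIPList, deny Denylist, remoteAddr, authorization string) int {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil || !allow.Allowed(ip) {
		return http.StatusForbidden
	}
	tok := strings.TrimPrefix(authorization, "Bearer ")
	if tok != "" && deny.Contains(tok) {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// Protect adapts Decide to net/http so it can sit in front of any handler.
func Protect(allow *AllowedIPList, deny Denylist, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code := Decide(allow, deny, r.RemoteAddr, r.Header.Get("Authorization"))
		if code != http.StatusOK {
			http.Error(w, http.StatusText(code), code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	allow, err := NewAllowedIPList([]string{"203.0.113.0/24", "2001:db8::/32"}) // constructed sample
	if err != nil {
		log.Fatal(err)
	}
	deny := Denylist{"abcd": {}} // constructed 4-character token, the entry length the fixed bug used to drop
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", Protect(allow, deny, api)))
}
```

If the firewall runs behind a trusted reverse proxy, `r.RemoteAddr` is the proxy's address; in that deployment take the client address from the forwarded header only when the connection comes from the proxy, and reject the request otherwise rather than trusting the header from everyone.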
 
The Broader Impact of Open-Source Contributions 
 
This initiative underscores the importance of not just using open-source software but actively contributing to it. While there is rarely an immediate financial return, such contributions lead to a more secure and robust ecosystem for everyone who relies on the code. It is through diverse collaboration and multiple perspectives that latent vulnerabilities get uncovered and fixed. 

Link: https://github.com/CSPF-Founder/api-firewall/tree/main
 
Founder & TechCore Team
Cyber Security and Privacy Foundation
https://github.com/CSPF-Founder/

Why T-POT Honeypot is the Premier Choice for Organizations

 

In the realm of cybersecurity, the selection of the right tools is crucial. T-POT honeypot distinguishes itself as a premier choice for various reasons. Its multifaceted nature, which encompasses over 20 different honeypots, offers a comprehensive security solution unmatched by other tools. This diversity is pivotal for organizations, as it allows them to simulate a wide range of network services and applications, attracting and capturing a broad spectrum of cyber attacks. 
 
Moreover, the integration with custom code developed by the Cyber Security and Privacy Foundation sets it apart. This code enables T-POT to send collected malware samples to the Foundation's threat intel servers for in-depth analysis. The results are displayed on an intuitive dashboard, giving organizations insight into the nature and behaviour of the threats they face. This not only extends what the honeypot captures but also turns the captures into actionable intelligence for improving defence strategies. 
 
The ability of T-POT to provide real-time, actionable insights is invaluable in today’s cybersecurity landscape. It helps organizations stay one step ahead of cybercriminals by offering a clear understanding of emerging threats and attack patterns. This information is crucial for developing robust security strategies and for training cybersecurity personnel in recognizing and responding to real-world threats. 
 
In essence, T-POT stands out not only as a tool for deception but also as a platform for learning and improving an organization's overall cybersecurity posture. Its versatility, combined with the analysis capabilities provided by the integration with the Cyber Security and Privacy Foundation's code, makes it an indispensable tool for any organization serious about its digital security: captured samples are submitted through the honeypot API for malware analysis, and the results appear on the backend dashboard. 
 
Written by: Founder, Cyber Security and Privacy Foundation.

Security Issue in Banking Applications?

Recently, we tested a mobile application belonging to a BFSI (banking, financial services and insurance) organization, used by its employees to view and act on new customer leads. 

The mobile app used password-based authentication, with the user's mobile number as the username. We identified a major weakness in its password reset. The app lets a user reset the password after proving possession of the phone via an OTP: pressing 'forgot password' leads to a page that prompts for the OTP sent to the registered number, and a wrong OTP makes the server respond with `{"OTP":"Failure"}`. On its own this looked correctly implemented, so we intercepted the traffic with a man-in-the-middle proxy and rewrote the server's response to `{"OTP":"Success"}`. The client accepted the tampered response and took us to the password change screen, where we were prompted to enter a new password. 

Initially, we believed this was only a visual bug and that the password reset itself would fail. However, we soon found that the password reset endpoint does not check the OTP at all, and no server-side session records that an OTP was verified. Any attacker can therefore capture the password change request, replace the phone number with any other user's, and set that user's password. In simple terms, OTP verification and the password reset are two unconnected steps: the reset API call carries no verification or authentication that ties it to the user who proved possession of the phone. 
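The disconnect described above, as an added example written for this page (not the tested app's code, which is not shown here) in Go: a minimal in-memory backend with the vulnerable reset beside a hardened one. The phone numbers, OTP values and passwords are constructed sample data, and `Server`, `VerifyOTP`, `VulnerableReset` and `HardenedReset` are this example's own names. The fix ties the two steps together: a correct OTP is exchanged for a random, single-use, short-lived reset token bound to the phone number, and the reset endpoint acts only on the account recorded in that token, whatever phone number the client sends.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

var (
	ErrBadOTP        = errors.New("OTP failure")
	ErrNoProof       = errors.New("no valid proof of OTP verification")
	ErrPhoneMismatch = errors.New("reset token was not issued for this phone")
)

// resetGrant records that whoever holds a token proved control of phone.
type resetGrant struct {
	phone   string
	expires time.Time
}

// Server is a single-goroutine, in-memory stand-in for the app's backend.
// All data is constructed; passwords are kept in clear only for brevity,
// a real system stores a salted hash and guards the maps with a database.
type Server struct {
	otps      map[string]string     // phone -> OTP that was "sent" and is still unused
	passwords map[string]string     // phone -> current password
	grants    map[string]resetGrant // reset token -> phone it was issued for
	now       func() time.Time      // injectable clock so expiry can be exercised
}

func NewServer() *Server {
	return &Server{
		otps:      map[string]string{},
		passwords: map[string]string{"+919999900001": "victim-pw", "+919999900002": "attacker-pw"},
		grants:    map[string]resetGrant{},
		now:       time.Now,
	}
}

// SeedOTP stands in for the SMS step: the backend picks an OTP for phone
// and remembers it. Hook for this example only.
func (s *Server) SeedOTP(phone, otp string) { s.otps[phone] = otp }

func (s *Server) Password(phone string) string { return s.passwords[phone] }

// VulnerableReset reproduces the flaw in the post: the endpoint trusts the
// phone number in the request and never asks whether an OTP was verified
// for it, so whether the client reached the reset screen legitimately or
// through a tampered "Success" response makes no difference to the server.
func (s *Server) VulnerableReset(phone, newPassword string) error {
	if _, ok := s.passwords[phone]; !ok {
		return errors.New("unknown user")
	}
	s.passwords[phone] = newPassword
	return nil
}

// VerifyOTP is the hardened flow's first step: a correct OTP is consumed
// and exchanged for a random, short-lived reset token bound to that phone.
func (s *Server) VerifyOTP(phone, otp string) (string, error) {
	want, ok := s.otps[phone]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(otp)) != 1 {
		return "", ErrBadOTP
	}
	delete(s.otps, phone) // one OTP, one verification
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s.grants[tok] = resetGrant{phone: phone, expires: s.now().Add(5 * time.Minute)}
	return tok, nil
}

// HardenedReset is the second step: the token decides which account may
// change, a request naming any other phone is refused, and every attempt,
// successful or not, burns the token.
func (s *Server) HardenedReset(token, phone, newPassword string) error {
	g, ok := s.grants[token]
	delete(s.grants, token)
	if !ok || s.now().After(g.expires) {
		return ErrNoProof
	}
	if g.phone != phone {
		return ErrPhoneMismatch
	}
	s.passwords[phone] = newPassword
	return nil
}

func main() {
	s := NewServer()
	_ = s.VulnerableReset("+919999900001", "pwned") // no OTP was ever verified for this phone
	fmt.Println("after vulnerable reset, victim password is:", s.Password("+919999900001"))
	s.SeedOTP("+919999900002", "482913")
	tok, _ := s.VerifyOTP("+919999900002", "482913")
	fmt.Println("hardened reset of another phone:", s.HardenedReset(tok, "+919999900001", "pwned"))
}
```

Tampering with the `{"OTP":"Success"}` response still shows an attacker the reset screen; the difference is that the server no longer cares what the client believes, because the reset is authorised by the token it issued, not by the client's navigation. A production flow would also rate-limit OTP attempts per phone and invalidate existing sessions once the password changes.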

This shows how BFSI developers, when asked to build an app, often implement the requested features without any security architecture behind them. Such apps are usually rushed, and only the happy paths are tested; security testing and architecture are treated as an afterthought. Unless BFSI organizations build security architecture into the development stage itself, vulnerabilities like this will keep emerging.  

By
Suriya Prakash
Head DARWIS 
CySecurity Corp