25 years of cybersecurity evolution: Insights from an industry veteran – CyberTalk

Eric has been working in technology for over 40 years with a focus on cybersecurity since the 90’s. Now serving primarily as Chief Cybersecurity Evangelist and part of the Executive Leadership Team, Eric has been with Atlantic Data Security starting from its inception, filling various roles across the company. He leverages this broad perspective along with his passion, collective experience, creative thinking, and empathetic understanding of client issues to solve and advocate for effective cybersecurity.

In this highly informative interview, Atlantic Data Security Evangelist Eric Anderson reflects on the past 25 years in cybersecurity, discusses important observations, and provides valuable recommendations for businesses worldwide.

In looking back across the past 25 years, what has “wowed” you the most in the field of cybersecurity? Why?

Eric: It’s often taken for granted now, but I used to be absolutely amazed at the pace of things. Not that it’s not still impressive, but I think we’ve all gotten a bit used to the speed at which technology evolves. It’s even more pronounced in our specific field. Cybersecurity may have a somewhat unique driver of innovation, since it’s largely pushed by illicit actors that are constantly searching for new threat vectors. Defenders are forced to invest in developing responses to keep up.

While all areas of tech evolve with amazing speed, most are driven by the constant gradual pressure of consumer desire. Meanwhile cybersecurity has a daily requirement for advancement due to the actions of external forces. We often have to take big leaps into entirely new product categories to respond to new risks.

Can you share insights into the early days of cybersecurity and how Atlantic Data Security was involved with the first firewall installations?

Eric: My personal journey with Check Point started in the mid 90’s with one of Check Point’s early reseller partners. By 1998 or 1999, our business transitioned from being a network integrator/VAR to a dedicated security shop — primarily selling, installing, and supporting Check Point firewall and VPN solutions. Shortly after that, I became our second certified Check Point instructor to help handle the massive demand for training. I have continued to get more involved with all aspects of Check Point ever since (from the partner side), including taking the helm of the Check Point User Group back in 2014.

One of my favorite aspects of our current company is how many of us have known each other for decades, whether working at the same company, as partners, or as competitors, and how much of that history shares Check Point as a common thread.

My favorite example is with Kevin Haley, one of the owners of ADS. When I first met him in 2001, he had long since been running the security reseller division of a company called Netegrity. He had been focused primarily on selling and supporting Check Point products from back when their name was Internet Security Corporation — which had the distinction of being Check Point’s first partner in the U.S.

What are some of the key lessons learned via efforts around the first firewall installations and how do they inform cybersecurity strategies today?

Eric: Back then, we were all learning a lot about security. Many of us had some comprehensive networking experience, but the extent of our “security” exposure was often just a handful of passwords. Our footprint was typically contained within a few buildings and maybe a small group of remote users.

It was amazing to see how rapidly the internet changed our security exposure from local to global. Almost overnight we had to start contending with an entirely new class of threats. Forward-thinking companies like Check Point were there to give us the tools we needed, but we had to quickly grow from network engineers to cybersecurity experts. This rapid reshaping of the landscape has never really stopped. Every time things seem to settle down a bit, a new trend or technology, like cloud adoption or the shift to remote work, comes along to shake it up.

Ultimately, we need to remain agile and flexible. We can’t reliably predict the next big change, so we need to have buffers in our planning. I think it goes beyond incident planning and is more something like “paradigm shift planning.” What resources do we have available for the next big thing? Having a good handle on current projects and priorities can allow for better optimization of resources.

We saw this with the adoption of VPN almost 30 years ago. Organizations were using either modems and phone lines or slow, expensive direct connections, like frame relay and T1’s. While VPN wasn’t a required shift, it was vastly better, reducing costs, improving speed, and enhancing security. Clients who were flexible enough to adopt VPN early reaped significant advantages. Others took much longer to adapt, having to deal with higher costs and more cumbersome operations throughout. While this wasn’t an essential shift to deal with an imminent threat, it clearly illustrated the advantages that organizations can gain by being flexible and the role of cybersecurity in enabling the business to function more broadly.

The CISO role is known for its evolution. Given all of the demands placed on modern CISOs (technology, people management, board-level commitments), does it still make sense to have a single CISO role? How do you foresee the role continuing to evolve? How would you like to see it evolve?

Eric: I recently spoke to a room full of CISOs and others serving similar roles. I asked them two questions: “Who among you will not be held responsible in the event of a breach?” No one raised their hand. “Who among you has all of the necessary power and resources to keep it from happening?” A few hands did go up; all from people working at smaller organizations with relatively flat hierarchies, allowing them more latitude and purview than we see in most mid-sized organizations or larger. But they all agreed that while CISOs bear the massive burden of cyber defense, they aren’t given the budget, staff, authority, or support to keep from buckling under it.

While I’d love to see the role of the CISO change, I fear that the broad interpretation of the title/term is unlikely to shift significantly.

What I really want to see is for security to become part of every department’s structure and culture. It would be great to have security officers within each department: from infrastructure, to desktops, to finance, especially in DevOps, and everywhere else. Those officers could be more in tune with their group’s specific drivers and needs, working closely with them to reach goals, with security as an overarching priority and mandate. A CISO’s role in that environment would be to globalize and unify security efforts across an organization.

I have seen things like this being done in some forward-thinking organizations. Making security a part of all aspects of an organization will only make it stronger.

Given the current pace of technological advancement, how do you anticipate that cybersecurity technology will evolve across the next decade? What are your thoughts about the role of artificial intelligence?

Eric: That’s a loaded one! There are some clear areas that are already starting to show improvement. Tool consolidation and orchestration solutions have helped manage complexity more effectively than ever. As a field, we’re getting better at cultivating security-conscious cultures in our organizations.

One major trend that I hope will continue is progress towards greater accountability. While GRC can feel overreaching and burdensome, when implemented properly, it grants us the freedom to share and use data. Our industry developed so quickly that it was impossible to put guardrails on it. If we look at a more mature industry like transportation or finance, they have rules and regulations that have evolved over a much longer time. While speed limits and safety inspections can seem restrictive, we largely accept them. It’s similar to how rules and regulations allow drivers to share roads with some degree of confidence that their safety isn’t in immediate jeopardy. Companies have repeatedly demonstrated that responsibility and accountability won’t be adopted voluntarily. Painful as they may seem, regulations and standards like PCI, HIPAA, and GDPR have shown some positive movement in this direction.

AI is proving to be an area where this type of governance is essential and welcomed by most. Not to be too flippant, but if science-fiction is any indicator of our potential non-fiction future, as it often is, unchecked, unregulated, unleashed AI could eventually be our downfall.

While it’s a very hot topic right now, and it will continue to reshape the world around us, I don’t subscribe to the idea that it will be a tool used primarily for either good or evil. Experience has shown me that every technological advancement has ultimately provided benefits to both the well-meaning and ill-intended. I may be overly optimistic, but I feel like both sides eventually find ways to leverage the same tools to effectively cancel each other out. One concern is the gap created as each side leverages new tech at a different rate. The time it takes to develop a response is nail-biting.

Another interesting yet frightening advancement may show up in the area of computational power; either true quantum computing or something close to it. As has always been the case, as stronger computing becomes available, it can be used both for data protection and compromise. While both keep pace with each other, a significant leap in computational power may lead to a downside that’s hard to counter: Data captured today, no matter how securely encrypted by today’s standards, would be trivial to crack tomorrow. It’s a major concern, and if I had the answer, I’d be off working up a business plan.

Are there specific threat vectors, such as supply chain vulnerabilities, that you expect to become more prevalent in the near future?

Eric: I think the most prevalent vector will usually be closely tied to whatever our biggest weakness is. In an odd way, I hope that it continues to change — because that moving target means we’re successfully dealing with our biggest weaknesses, forcing threat actors to change tactics.

Specifically, I think DevOps is an area that needs major improvement — or at least more focus on security. This was recently underscored by a joint CISA/FBI alert urging executives at all levels to work harder to eliminate SQL injection related vulnerabilities.

Identity management and authentication is another area that needs more scrutiny. Weak credentials and unnecessarily elevated access continue to be leading factors in security breaches. While MFA and stronger rights management can be inconvenient and challenging, they need to be embraced and adopted comprehensively. It’s that one, old, forgotten “test” account that will be exploited.

Back to my hopeful redefining of the CISO role, parts of an organization that don’t recognize security as an essential, integral priority will continue to expose us. Security as an afterthought, applied with duct tape and followed by prayers, isn’t working.

If you were to select 1-2 meaningful highlights of your career, what would they be and what corresponding lessons can be shared with other cybersecurity professionals?

Eric: It’s a tough question because I’ve been fortunate enough to have quite a few. I think the seminal moment, however, came as a teenager, before I was able to drive. While my summer job was not technical in nature, I spent a lot of time with our hardware technician. He happened to be out sick one day and I was asked if I could help a customer in need. Thus began a career in IT — once someone agreed to drive me to the customer’s office.

One broad highlight for me has been meeting new people. I’ve had the good fortune to get to know some amazing folks from all over the world, whether I was the one traveling or they were. Interactions with each and every one of them have shaped me into who I am, for better or worse. My advice in that area is not to pass up an opportunity to engage, and when given that chance, to check your ego at the door. My younger self always wanted to be the smartest person in the room. I’ve learned that, while maybe once or twice I was (or was allowed to believe I was), that gets boring and stressful. While I’m still often called on to share my knowledge, experience, opinions, and creative/wacky ideas, I revel in being able to listen and learn from others. I’m happy to be proven wrong as well, because once I have been, I’m more knowledgeable than I was before.

Do you have recommendations for CISOs regarding how to prioritize cybersecurity investments in their organizations? New factors to consider?

Eric: I find myself repeatedly advising CISOs not to get sucked into a knee-jerk replacement of technology. It’s easy to point fingers at products or solutions that aren’t “working.” Often, however, the failure is in the planning, execution, administration, or even buy-in. I cry a little on the inside when I learn about aggressive rip-and-replace initiatives that could have been salvaged or fixed for far less money and with much less grief. If the core problems aren’t addressed, the replacement could ultimately suffer the same fate.

I’ve also seen successfully aggressive marketing campaigns lead to impulse purchases of products that are either unnecessary or redundant because an existing solution had that unrealized, untapped capability.

The bottom line is to take comprehensive stock of what you have and to investigate alternatives to all-out replacement. Don’t level the house in favor of a complete re-build just because of a leaky pipe. Of course, if the foundation is collapsing…

Would you like to share a bit about your partnership with Check Point? What does that mean to your organization?

Eric: Check Point is how I personally cut my teeth in cybersecurity, and therefore will always have a special place in my heart. But at Atlantic Data Security, I’m far from the only one with that long-standing connection. It’s almost like Check Point is in our DNA.

Starting with the invention of the modern firewall, continuing for over 30 years of constant innovation, Check Point has been the most consistent vendor in the industry. Many players have come and gone, but Check Point has never wavered from their mission to provide the best security products. I’ve learned to trust their vision and foresight.

As a similarly laser-focused advisor and provider of security solutions and services to our clients, we have complete confidence that properly deployed and maintained Check Point solutions won’t let us, or the client, down.

We work with a variety of vendors, providing us with the flexibility to solve client challenges in the most effective and efficient way possible. We always evaluate each need and recommend the optimal solution — based on many factors. Far more often than not, Check Point’s offerings, backed by their focus, research, and vision, prove to be the best choice.

Our commitment to and confidence in this has allowed us to amass an outstanding, experienced, technical team. Our unmatched ability to scope, plan, deploy, support, maintain, and train our clients on Check Point’s portfolio is leveraged by organizations of all types and sizes.

I’m confident that between ADS and Check Point, we’re making the cyber world a safer place.

Is there anything else that you would like to share with Check Point’s executive-level audience?

Cybersecurity is not one department’s responsibility. For every employee, every manager, every executive, and yes, even the entire C-suite, cybersecurity is everyone’s responsibility.

Strategic patch management & proof of concept insights for CISOs – CyberTalk

Augusto Morales is a Technology Lead (Threat Solutions) at Check Point Software Technologies. He is based in Dallas, Texas, and has been working in cyber security since 2006. He got his PhD/MSc in Telematics System Engineering from the Technical University of Madrid, Spain, and he is also a Senior Member of the IEEE. Further, he is the author of more than 15 research papers focused on mobile services. He holds professional certifications such as CISSP and CCSP, among others.

One of the burdens of CISO leadership is ensuring compliance with endpoint security measures that ultimately minimize risk to an acceptable business level. This task is complex due to the unique nature of each organization’s IT infrastructure. In regulated environments, there is added pressure to implement diligent patching practices to meet compliance standards.

As with any IT process, patch management requires planning, verification, and testing, among other actions. The IT staff must methodically define how to find the right solution, based on the system’s internal telemetry, processes, and external requirements. A Proof of Concept (PoC) is a key element in achieving this goal. It demonstrates and verifies the feasibility and effectiveness of a particular solution.

In other words, it involves creating a prototype to show how the proposed measure addresses the specific needs. In the context of patch management, this “prototype” must provide evidence that the whole patching strategy works as expected — before it is fully implemented across the organization. The strategy must also ensure that computer resources are optimized, and software vulnerabilities are mitigated effectively.

Several cyber security vendors provide patch management, but there is no single one-size-fits-all approach, in the same way that there is for other security capabilities. This makes PoCs essential in determining the effectiveness of a patching strategy. The PoC helps in defining the effectiveness of a patching strategy by 1) discovering and patching software assets, 2) identifying vulnerabilities and evaluating their impact, and 3) generating reports for compliance and auditing.

This article aims to provide insights into developing a strategic patch management methodology by outlining criteria for PoCs.

But first, a brief overview of why I am talking about patch management…

Why patch management

Patch management is a critical process for maintaining the security of computer systems. It involves the application of functional updates and security fixes provided by software manufacturers to remedy identified vulnerabilities in their products. These vulnerabilities can be exploited by cyber criminals to infiltrate systems, steal data, or take systems hostage.

Therefore, patch management is essential to prevent attacks and protect the integrity and confidentiality of all users’ information. The data speaks for itself:

  • There are an average of 1900 new CVEs (Common Vulnerabilities and Exposures) each month.
  • 4 out of 5 cyber attacks are caused by software quality issues.
  • 50% of vulnerabilities are exploited within 3 weeks after the corresponding patch has been released.
  • On average, it takes an organization 120 days to remediate a vulnerability.

Outdated systems are easy targets for cyber attacks, as criminals can easily exploit known vulnerabilities due to extensive technical literature and even Proof-of-Concept exploits. Furthermore, successful attacks can have repercussions beyond the compromised system, affecting entire networks and even spreading to other business units, users and third parties.

Practical challenges with PoC patch management

When implementing patch management, organizations face challenges such as lack of visibility into devices, operating systems, and versions, along with difficulty in correctly identifying the level of risk associated with a given vulnerability in the specific context of the organization.
I’ll address some relevant challenges in terms of PoCs below:

1) Active monitoring: PoCs must establish criteria for quickly identifying vulnerabilities based on standardized CVEs and report those prone to easy exploitation based on up-to-date cyber intelligence.

2) Prioritization: Depending on the scope of the IT system (e.g. remote workers’ laptops or stationary PCs), the attack surface created by the vulnerability may be hard to recognize due to the complexity of internal software deployed on servers, end-user computers, and systems exposed to the internet. Also, sometimes it is not practical to patch a wide range of applications with an equivalent sense of urgency, since it will cause bandwidth consumption spikes. And in case of errors, it will trigger alert fatigue for cyber security personnel. Therefore, other criteria are needed to identify and to quickly and correctly patch key business applications. This key detail has been overlooked by some companies in the past, with catastrophic consequences.

3) Time: To effectively apply a patch, it must be identified, verified, and checked for quality. This is why the average patch time of 120 days often extends, as organizations must balance business continuity against the risk of a cyber attack. The PoC process must have ways to collect consistent and accurate telemetry, and to apply compensating security controls in case the patch process fails or cannot be completely rolled out because of software/OS incompatibility, a drop in performance, or conflicts with existing endpoint controls (e.g. EDR/anti-malware). Examples of these compensating controls include full or partial system isolation, process/socket termination, and applying or suggesting security exclusions.

4) Vendor coordination: PoCs must ensure that software updates will not introduce new vulnerabilities. This situation has happened in the past. As an example, CVE-2021-30551 occurred in the Chrome Browser, where the fix inadvertently opened up another zero-day vulnerability (CVE-2021-30554) that was exploited in the wild.

Another similar example is Apple iOS devices with CVE-2021-1835, where this vulnerability re-introduced previously fixed vulnerabilities by allowing unauthorized user access to sensitive data, without the need for any sophisticated software interaction. In this context, a PoC process must verify the ability to enforce a defense in depth approach by, for example, applying automatic anti-exploitation controls.

Improving ROI via consolidation – The proof is in the pudding?

In the process of consolidating security solutions, security posture and patch management are under continuous analysis by internal experts. Consolidation aims to increase the return on investment (ROI).

That said, there are technical and organizational challenges that limit the implementation of a patch and vulnerability management strategy under this framework, especially for remote workers. This is because implementing different solutions on laptops, such as antimalware, EDR, and vulnerability scanners, requires additional memory and CPU resources that are not always available. The same premise applies to servers, where workloads can vary, and any unexpected increase or latency in service can cause an impact on business operations. The final challenge is software incompatibility that, together with legacy system usage, can firmly limit any consolidation efforts.

Based on the arguments above, consolidation is feasible once it has been demonstrated by means of a comprehensive PoC. The PoC process should validate consolidation via a single software component (an endpoint agent) and a single management platform. It should help cyber security practitioners quickly answer common questions, such as the following:

  • How many critical vulnerabilities exist in the environment? What’s the breakdown?
  • Which CVEs are the most common and what are their details?
  • What is the status of a specific critical CVE?
  • What’s the system performance? What can be improved, and how?
  • How does threat prevention work in tandem with other security controls? Is containment possible?
  • What happens if patching fails?
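The PoC questions above, together with the monitoring, prioritization, time and patch-failure criteria listed earlier, can be exercised against a small data set before any agent is rolled out. The following Python script is an added example, not code from the article or from any Check Point product. Everything in it is constructed for illustration: the host inventory (with assumed `exposure` and `critical_app` attributes), the advisory feed (the `CVE-0000-…` identifiers are placeholders, not real CVEs), the priority weights, and the per-severity remediation deadlines; the article’s 120-day figure is an observed average, not a target, so the deadlines here are assumptions.

```python
"""Patch-management PoC reporting over a constructed inventory and advisory feed.

Answers the PoC questions from the article: how many critical vulnerabilities,
the breakdown, the most common CVEs, the status of one CVE, which hosts are
overdue, and which compensating control applies where a patch has failed.
"""
from collections import Counter
from datetime import date

# Constructed inventory: one record per installed product per host.
# 'exposure' (internet/remote/internal) and 'critical_app' are assumed fields.
INVENTORY = [
    {"host": "web-01",  "exposure": "internet", "critical_app": True,  "product": "ExampleHTTPd",  "version": "2.4.1", "patch_state": "pending"},
    {"host": "web-02",  "exposure": "internet", "critical_app": True,  "product": "ExampleHTTPd",  "version": "2.4.9", "patch_state": "patched"},
    {"host": "fin-db",  "exposure": "internal", "critical_app": True,  "product": "ExampleDB",     "version": "11.2",  "patch_state": "failed"},
    {"host": "lt-0042", "exposure": "remote",   "critical_app": False, "product": "ExampleViewer", "version": "7.0",   "patch_state": "pending"},
    {"host": "lt-0043", "exposure": "remote",   "critical_app": False, "product": "ExampleViewer", "version": "7.0",   "patch_state": "pending"},
    {"host": "lt-0044", "exposure": "remote",   "critical_app": False, "product": "ExampleViewer", "version": "7.3",   "patch_state": "patched"},
]

# Constructed advisory feed. CVE ids are placeholders, not real identifiers.
# 'exploited' stands in for the "up-to-date cyber intelligence" the article asks for.
ADVISORIES = [
    {"cve": "CVE-0000-1001", "product": "ExampleHTTPd",  "fixed_in": "2.4.9", "severity": "critical", "exploited": True,  "released": date(2024, 5, 1)},
    {"cve": "CVE-0000-1002", "product": "ExampleDB",     "fixed_in": "11.3",  "severity": "high",     "exploited": False, "released": date(2024, 4, 10)},
    {"cve": "CVE-0000-1003", "product": "ExampleViewer", "fixed_in": "7.3",   "severity": "medium",   "exploited": True,  "released": date(2024, 5, 20)},
]

SEVERITY_WEIGHT = {"critical": 40, "high": 30, "medium": 20, "low": 10}
EXPOSURE_WEIGHT = {"internet": 20, "remote": 10, "internal": 0}
# Assumed remediation deadlines (days after the fix is released), per severity.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}


def version_tuple(v):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def find_findings(inventory=INVENTORY, advisories=ADVISORIES):
    """Active monitoring: every (host, CVE) pair where the installed version predates the fix."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if item["product"] == adv["product"] and version_tuple(item["version"]) < version_tuple(adv["fixed_in"]):
                findings.append({**item, **adv})
    return findings


def priority_score(finding):
    """Prioritization: severity, exploitation in the wild, exposure and business criticality."""
    score = SEVERITY_WEIGHT[finding["severity"]] + EXPOSURE_WEIGHT[finding["exposure"]]
    score += 30 if finding["exploited"] else 0
    score += 10 if finding["critical_app"] else 0
    return score


def sla_status(finding, today):
    """Time: overdue once the fix has been available longer than the assumed deadline."""
    age_days = (today - finding["released"]).days
    return "overdue" if age_days > SLA_DAYS[finding["severity"]] else "within_sla"


def compensating_control(finding):
    """What happens if patching fails: pick an isolation level from the article's list."""
    if finding["patch_state"] != "failed":
        return None
    return "full isolation" if finding["exposure"] == "internet" else "partial isolation"


def cve_status(cve, inventory=INVENTORY, advisories=ADVISORIES):
    """Status of one CVE: which hosts still run a vulnerable build and which are already fixed."""
    adv = next(a for a in advisories if a["cve"] == cve)
    affected = [i["host"] for i in inventory if i["product"] == adv["product"] and version_tuple(i["version"]) < version_tuple(adv["fixed_in"])]
    remediated = [i["host"] for i in inventory if i["product"] == adv["product"] and version_tuple(i["version"]) >= version_tuple(adv["fixed_in"])]
    return {"affected": affected, "remediated": remediated}


def build_report(today, inventory=INVENTORY, advisories=ADVISORIES):
    """Compliance/audit view: counts, breakdown, ranking and failed-patch mitigations."""
    findings = find_findings(inventory, advisories)
    by_severity = Counter(f["severity"] for f in findings)
    ranked = sorted(findings, key=priority_score, reverse=True)
    return {
        "total": len(findings),
        "critical": by_severity.get("critical", 0),
        "breakdown": dict(by_severity),
        "most_common": Counter(f["cve"] for f in findings).most_common(),
        "ranked": [(f["host"], f["cve"], priority_score(f), sla_status(f, today)) for f in ranked],
        "failed": {f["host"]: compensating_control(f) for f in findings if f["patch_state"] == "failed"},
    }


if __name__ == "__main__":
    for key, value in build_report(date(2024, 6, 1)).items():
        print(f"{key}: {value}")
    print("CVE-0000-1001:", cve_status("CVE-0000-1001"))
```

Run against the constructed data as of 2024-06-01, the internet-facing host with the exploited critical issue ranks first and is already past its deadline, the two laptops share the most common CVE, and the one host whose patch failed is flagged for partial isolation rather than left in the backlog; swapping in a real inventory export and advisory feed is the point at which this becomes a PoC measurement rather than a toy.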

Failure in patch management can be catastrophic, even if just a small percentage fail. The PoC process must demonstrate emergency mitigation strategies in case a patch cannot be rolled out or assets are already compromised.

Managing this “mitigation” could limit the ROI, since extra incident response resources could be needed, which may involve more time, personnel and downtime. So, the PoC should demonstrate that the whole patch management will maintain a cyber-tolerance level that could be acceptable in conjunction with the internal business processes, the corresponding applicable regulations, and economic variables that keep the organization afloat.

Check Point Software Technologies offers Harmony Endpoint, a single agent that strengthens patch management capabilities and hence minimizes risks to acceptable levels. It also provides endpoint protection with advanced EPP, DLP, and XDR capabilities in a single software component, ensuring that organizations are comprehensively protected from cyber attacks while simplifying security operations and reducing both costs and effort.

CISA employees impersonated by phone scammers – CyberTalk

EXECUTIVE SUMMARY:

Earlier today, the Cybersecurity and Infrastructure Security Agency (CISA) reported that cyber criminals are impersonating its employees. In CISA’s own words, the agency is aware of “recent impersonation scammers claiming to represent the agency.”

What happened

Scammers placed phone calls to unsuspecting professionals, claiming to represent CISA and to be relaying an urgent message pertaining to a security vulnerability. The scammers ultimately intended for victims to transfer financial resources to external accounts.

This cyber sliminess reflects a broader trend. Cyber criminals are now trying to cover for their scams by weaponizing government employees’ names and titles.

CISA’s response

For its part, CISA notes that staff will never contact anyone in order to request money – whether that’s wired, cash, cryptocurrency or use of gift cards. It will also never instruct people to keep phone-based discussions secret.

Impersonation scams

In 2023, Americans reported more than $1.4 billion in financial losses due to impersonation scams, according to the Federal Trade Commission. That’s a 3X increase over the reported estimate from 2020.

Some scammers are now impersonating more than one organization in a single scam. In theory, a scammer might impersonate CISA, and then offer to transfer you to a fake FBI or Federal Trade Commission employee, for fake assistance.

Best practices

Even the pros can fall victim to scams, especially those that involve impersonation of CISA contacts. In the event that you find yourself on the receiving end of a CISA scam call, write down the phone number through which the call came in and follow standard procedure – immediately hang up.

Afterwards, call CISA to have the agency validate the phone number (844-729-2472) or report the scam attempt to law enforcement.

Protect your organization

  • To safeguard your organization from cyber scams, provide employees with training around phishing attempts, which can occur via phone, text or email.
  • Also, since scammers are commonly after valuable assets or the money itself, establish clear protocols for verifying any requests for sensitive information or financial transfers.
  • Beyond that, ensure that your organization leverages the latest email security solutions and advanced threat prevention technologies.


Elevate your cyber security with Check Point Infinity – CyberTalk

EXECUTIVE SUMMARY:

In the absence of the right precautions, cyber attacks can prove devastating. Like an unexpected and intense tropical hurricane, a cyber attack can upend the foundations of everything that an organization has built, displacing the valuable, requisite components that served as the lifeblood of organizational endeavors.

As with natural disaster preparedness, cyber disaster preparedness can keep what matters secure (and operational), despite severe threats. In this article, discover how Check Point Infinity can reduce risk exposure and elevate an organization’s cyber security posture.

To learn more, keep reading…

Centralized visibility across environments

Traditional security solutions commonly provide partial views of what’s happening across an environment, forcing security admins to shuffle between screens and to cross-check information.

Advanced security solutions, like Check Point Infinity, present a centralized, consolidated view of all environment components — networks, endpoints and clouds.

Easy-to-understand, single-pane-of-glass visibility enables cyber security teams to get to the heart of an issue quickly. As a result, teams can tackle the issue in a timely manner, and potentially prevent the issue from escalating.

AI-driven threat detection & automated response

The Check Point Infinity platform is powered by advanced analytics, machine learning and artificial intelligence. To that effect, the solution can identify and respond to threats in real-time. This not only reduces the impact of attacks on an organization, but also lowers the corresponding costs.

Streamlined security policy management & integration

Check Point Infinity’s automated policy management ensures that organizations maintain consistent, up-to-date security policies across environments. This eliminates potential errors associated with manual configurations, optimizing operational efficiency while improving cyber security.

Further, Check Point Infinity’s seamless integration with third-party solutions allows teams to continue to make use of existing security investments while simultaneously deploying (and benefiting from) advanced capabilities.

Robust compliance & reporting

Organizations across industries need to keep up with compliance mandates. The Check Point Infinity solution offers extensive reporting and compliance-friendly features. In turn, organizations can easily demonstrate compliance to relevant authorities.

Ahead of evolving threats

Because of Check Point’s commitment to providing cutting-edge technologies, organizations that use Check Point Infinity will consistently find themselves at the forefront of cyber security innovation.

Dedicated support & training resources

Check Point recognizes that successful cyber security goes beyond just deploying advanced technology solutions — that’s why Check Point Infinity is supported by a team of highly skilled professionals who can provide comprehensive assistance and training materials.

From initial deployment and configuration to ongoing maintenance and optimization, Check Point’s experts are available to ensure that organizations can fully leverage the capabilities of Check Point Infinity, maximizing the return on the investment.


5 ways generative AI will impact CISOs & cyber security teams – CyberTalk

EXECUTIVE SUMMARY:

Enterprises and individuals have adopted generative AI at an extremely impressive rate. In 2024, generative AI is projected to reach 77.8 million users worldwide — an adoption rate of more than double that of smartphones and tablets across a comparable time frame.

While the integration of generative AI into work environments offers coveted agility and productivity gains, such benefits remain tenuous without the right workforce (and societal) structures in-place to support AI-driven growth.

It nearly goes without saying — Generative AI introduces a new layer of complexity into organizational systems. Effective corresponding workplace transformation — one that enables people to use generative AI for efficiency and productivity gains —  depends on our abilities to secure it, secure our people, and secure our processes.

In the second half of 2024, CISOs and cyber security teams can facilitate the best possible generative AI-based business outcomes by framing discussions and focal points around the following:

5 ways generative AI will impact CISOs and security teams

1. Expanded responsibilities. It should have been written on a neon sign…Generative AI will add new ‘to-dos’ to CISOs’ (already extensive) list of responsibilities. Only 9% of CISOs say that they are currently prepared to manage the risks associated with generative AI.

New generative AI-related responsibilities will involve dealing with data security and privacy, access control, model integrity and security, and user training, among other things.

2. AI governance. As generative AI’s footprint expands within enterprises, cyber security leaders must develop comprehensive governance frameworks to mitigate corresponding risks.

This includes addressing the potential for “shadow generative AI,” referring to the unsanctioned use of generative AI tooling. Shadow generative AI poses challenges that parallel those associated with shadow IT.

To build a strategic AI governance plan for your organization, start with an assessment of your organization’s unique needs and generative AI use-cases.

3. User training. Successful AI governance hinges on effective user awareness and training initiatives. Currently, only 17% of organizations have fully trained their teams on the risks around generative AI.

Prioritize generative AI awareness programs so as to communicate acceptable and unacceptable use-cases. This ultimately minimizes the potential for painful cyber security stumbles.

4. The dual-use dilemma. This concept refers to the notion that generative AI technologies can be applied for both beneficial and malicious gain.

The overwhelming majority of CISOs (70%) believe that generative AI will lead to an imbalance in “firepower,” enabling the cyber criminals to wreak havoc on organizations at an unprecedented rate.

Will AI-generated phishing emails achieve higher click-through rates and perpetuate a high volume of attacks? No one knows. In the interim, CISOs are advised to proactively update and upgrade cyber security technologies.

5. AI in security tooling. Just over a third of CISOs currently use AI — either extensively, or peripherally — within cyber security functions. However, within the next 12 months, 61% of CISOs intend to explore opportunities for generative AI implementation in security processes and protocols.

If your organization is currently assessing AI-based cyber security threat prevention technologies, see how Check Point’s Infinity AI Copilot can advance your initiatives. Learn more here.

Also, be sure to check out this CISO’s Guide to AI. Lastly, to receive cyber security thought leadership articles, groundbreaking research and emerging threat analyses each week, subscribe to the CyberTalk.org newsletter.

Who moved my firewall? Security in the SASE age – CyberTalk

Six Degrees has been a staple of the security industry since the ‘90s, working with a wide range of companies and government entities to advise on and design solutions for information security. We have partnered with Check Point for many years, working with some of the company’s largest customers on extensive and complex projects. A central challenge is maintaining the confidentiality, integrity, and availability of information over time. For those of us who focus on this aspect of the industry, the definition of SASE by the industry in 2019 should have been a wake-up call. But it took a worldwide pandemic to get our attention.

The past few years have brought dramatic alterations to how and where users access company resources. These alterations have significantly impacted the ability to enforce security controls. The traditional data center firewall found itself with fewer people and assets behind it. That led to a new question. How do we offer remote users the same protections as a data center firewall when remote users are increasingly accessing applications that aren’t hosted within the data center?

Timing is everything

In 2019, Check Point created the Harmony product pillar and moved to Infinity Portal. (Harmony was designed to provide unified security for the end user and Infinity Portal provided cloud-based rather than on-prem security management). With the pandemic in full swing, Six Degrees focused on helping customers provide access for their newly remote users via the existing firewalls. At the same time, Six Degrees built a team focused on addressing email security using Harmony Email & Collaboration (HEC). HEC leveraged a patented technology formerly known as Avanan and incorporated Check Point ThreatCloud (AI-based analysis technologies) for even greater protection.

The initial results of the new Six Degrees email team were impressive. In 2023, the team brought on more Check Point customers than in any previous year in Six Degrees’ history. The key to this success was the pace at which the proof of value for HEC could be realized. With a 15-minute setup and 14-day trial led by a Six Degrees email specialist, customers were easily able to see the risk mitigation and automation benefits of the HEC solution. Six Degrees and Check Point recognized the success, and both added additional solutions team members to the effort.

Near the halfway point of 2024, we are seeing a true shift to the new edge with the pace of adoption already exceeding that of 2023. Conversations are expanding from email to many other aspects of the new edge. Customers that were new to Check Point last year are now fans of HEC, and they are more open to trying additional Harmony solutions. There is a sort of muscle memory that comes from successful HEC trials that makes it easy for a customer to imagine extra value from an application that is just a click away in the Infinity Portal. We are seeing remarkable success with SASE, SaaS, Endpoint, MDR, Browse, and of course, HEC. Success compounds as we build on previous successes. All of Check Point’s solutions supply AI-powered, cloud-delivered security, making deployment rapid without the need for additional headcount.

Protecting against what you don’t know

The newly launched Harmony SaaS service complements HEC deployment through an ecosystem approach to SaaS security. Organizations, on average, use 130 SaaS applications, yet there is research showing that there are often more than 700 additional SaaS applications in use without the knowledge of IT. Most SaaS data leakage and supply chain attacks are a result of these connections. With Harmony SaaS, SaaS security isn’t left to chance. App-to-app connections are monitored and mitigated, including potential integrations with shadow SaaS tools, APIs, and plugins.

Essentials of the SaaS Security offering:

  • Installs in minutes
  • Discovers your SaaS applications, plugins and APIs
  • Analyzes security posture gaps
  • Provides single-click remediation
  • Automatically stops SaaS attacks in their tracks

Additionally, and possibly best of all, Harmony SaaS doesn’t require prior expertise, making it easy for anyone on the team to manage SaaS security.

The combination of Check Point Infinity Portal and Harmony Email & Collaboration gives CIOs the best possible protection for their organizations. The products are solutions for responding to and staying ahead of increasingly sophisticated threats. Get more information or schedule a trial by contacting Six Degrees, either through a call or the link below.

Learn more here. For additional cyber resilience insights, please see CyberTalk.org’s past coverage or explore this eBook.

Data breach litigation, the new cyber battleground. Are you prepared? – CyberTalk

By Deryck Mitchelson, EMEA Field Chief Information Security Officer, Check Point Software Technologies.

Nearly everyone trusts Google to keep information secure. You trust Google with your email. I use Google for my personal email. Yet, for three years – from 2015 to 2018 – a single vulnerability in the Google Plus platform resulted in the third-party exposure of millions of pieces of consumer data.

Google paid a settlement of $350M in a corresponding shareholder lawsuit, but most organizations cannot afford millions in settlements. For most organizations, this level of expenditure due to a breach is unthinkable. And even for larger organizations with financial means, constant cycles of breach-related lawsuits are unsustainable.

Yet, across the next few years, especially as organizations continue to place data into the cloud, organizations are likely to see a significant uptick in post-breach litigation, including litigation against CISOs, unless they adopt stronger cyber security protocols.

Litigation looms large

Organizations that have experienced data breaches are battling a disturbing number of lawsuits. In particular, privacy-related class actions against healthcare providers are taking off.

Globally, there were 2X the number of data breach victims in 2023 as compared to 2022.

In 2023 alone, breach related class actions and government enforcement suits resulted in over $50 billion in settlement expenditures.

The Irish Health Service Executive, HSE, was severely impacted by a large cyber attack in 2021 with 80% of its IT services encrypted and 700 GB of unencrypted data exfiltrated, including protected health information. The HSE subsequently wrote to 90,936 affected individuals. It has been reported that the HSE is facing 473 data-protection lawsuits, and this number is expected to continue rising.

I recently spoke with a lawyer who specializes in data breach litigation. Anecdotally, she mentioned that breach-related lawsuits have grown by around 10X in the last year. This is becoming the new normal after a breach.

While organizations do win some of these lawsuits, courts have become increasingly sympathetic to plaintiffs, as data breaches can result in human suffering and hardship in the forms of psychological distress, identity theft, financial fraud and extortion. They can also result in loss of human life, but more about that later.

In courts of justice, an organization can no longer plead ‘we made an error or were unaware’, assuming that such a line will suffice. The World Economic Forum has found that 95% of cyber security threats can, in some capacity, be traced to human error. These cases are not complex. But the level of litigation shows that businesses are still making avoidable missteps.

To that effect, businesses need to not only start thinking about data protection differently, but also need to start operating differently.

Personal (and criminal) liability for CISOs

CISOs can be held personally liable, should they be found to have failed in adequately safeguarding systems and data that should be protected. At the moment, we’re not seeing much in the way of criminal liability for CISOs. However, if CISOs appear to have obfuscated the timeline of events, or if there isn’t full transparency with boards on levels of cyber risk, courts will indeed pursue a detailed investigation of a CISO’s actions.

The patch that would have fixed a “known critical vulnerability” should have been applied immediately. If the organization hadn’t delayed, would it still have been breached?

Therefore, it is in CISOs’ best interest to record everything – every interaction, every time that they meet with the board, and every time that they’re writing a document (who said what information, what the feedback was, who has read it, what the asks are), as a proactive breach preparedness measure.

If a CISO ends up in litigation, he or she needs to be able to say ‘this risk was fully understood by the board’. CISOs will not be able to argue “well, the board didn’t understand the level of risk” or “this was too complex to convey to the board”; it is the CISO’s job to ensure that cyber risk is fully understood.

We’re starting to see a trend where CISOs are leaving organizations on the back of large breaches, which may mean that they knew their charter, but failed to take full responsibility and accountability for the organization’s entire cyber security program.

The consumer perspective

As a consumer, I would expect CISOs to know what their job is – to understand the attack surface and to map out where they have weaknesses and vulnerabilities. And to have a program in-place in order to mitigate against as much.

But even if CISOs have a program in place to mitigate breaches, consumers can still come after them for a class action. Consumers can still argue that cyber security staff should have and could have moved faster. That they should have attempted to obtain additional investment funding from the board in order to remediate problems efficiently or to increase their operational capacity and capability to prevent the data breach.

The challenge that CISOs have got is that they’re trying to balance funding acquisition, the pace of change, innovation, and competitive advantage against actually ensuring that all security endeavors are done correctly.

A current case-study in liability

In Scotland, the National Health System of Dumfries and Galloway recently experienced a serious data breach. The attack led to the exposure of a huge volume of Personally Identifiable Information (PII). Reports indicate that three TB of sensitive data may have been stolen. As a means of proof, the cyber criminals sent screenshots of stolen medical records to the healthcare service.

As expected, a ransom demand was not paid. The criminals have now leaked a large volume of data online. Having previously worked in NHS Scotland, I find such criminal activity, targeting sensitive healthcare information, deplorable. Will we now, similar to HSE, see already constrained taxpayers’ money being used to defend lawsuits?

Liability leverage with proper tooling

CISOs cannot simply put in tooling if it can’t stand up to scrutiny. If CISOs are looking at tooling, but less so at the effectiveness/efficacy of that tooling, then they should recognize that the probability of facing litigation is, arguably, fairly high. Just because tooling functions doesn’t mean that it’s fit for purpose.

With regard to tooling, CISOs should ask themselves ‘is this tool doing what it was advertised as capable of?’ and ‘Is this delivering the right level of preventative security for the organization?’

Boards should also demand a certain level of security. They should be asking of CISOs, ‘Is the efficacy of what you’ve implemented delivering at the expected level, or is it not?’ and ‘Would our security have prevented a similar attack?’ We don’t see enough senior conversation around that. A lot of organizations fail to think in terms of, ‘We’ve got a solution in-place, but is it actually performing?’

CISOs need to approach data the same way that banks approach financial value. Banks place the absolute best safeguards around bank accounts, investments, stocks and money. CISOs need to do the same with all data.

Third-party risk

One of the areas in which I often see organizations struggle is supply chain and third-party risk. As you’ll recall, in August of 2023, over 2,600 organizations that deployed the MOVEit app contended with a data breach.

What lessons around due diligence can be learned here? What more could organizations have done? Certainly, CISOs shouldn’t just be giving information to third parties to process. CISOs need to be sure that data is being safeguarded to the right levels. If it’s not, organizational leaders should hold CISOs accountable.

If the third party hasn’t done full risk assessments, completed adequate due diligence and understood the information that they’ve got, then consider severing the business connection or stipulate that in order to do business, certain security requirements must be met.

The best litigation defense

In my view, the best means of avoiding litigation consists of improving preventative security by leveraging a unified platform that offers end-to-end visibility across your entire security estate. Select a platform with integrated AI capabilities, as these will help prevent and detect a breach that may be in-progress.

If an organization can demonstrate that they have deployed a security platform that adheres to industry best practices, that’s something that would enable an organization to effectively demonstrate compliance, even in the event of a data breach.

With cyber security systems that leverage AI-based mitigation, remediation and automation, the chances of a class-action will be massively reduced, as the organization will have taken significant and meaningful steps to mitigate the potentiality of a breach.

Reduce your organization’s breach probability, and moreover, limit the potential for lawsuits, criminal charges against your CISO and overwhelming legal expenditures. For more information about top-tier unified cyber security platforms, click here.

7 advanced persistent threats (APTs) to know about right now – CyberTalk

EXECUTIVE SUMMARY:

An unseen adversary could stealthily lurk within your networks for months or even years. Methodically reconnoitering, establishing footholds, mapping out critical assets – this is the modus operandi of Advanced Persistent Threats (APTs).

These sophisticated, well-resourced actors don’t just strike and disappear. Rather, they entrench themselves within systems while obfuscating their presence as they move towards their ultimate objective: a devastating cyber attack. By the time that a given organization detects an APT, the damage might have already been done.

Believe it or not, 80% of organizations have contended with downtime due to APT incidents.

Develop a stronger understanding of the APT landscape and the adversaries that are targeting your industry. Beyond that, learn about mitigation techniques that can strengthen your security and fortify your resilience capabilities. Get the details below.

7 advanced persistent threats to know about right now

1. The US-CERT has released a technical alert regarding two malware strains, Joanap and Brambul, deployed by the North Korean APT group known as Hidden Cobra.

The alert, issued in collaboration with the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), explains that Hidden Cobra has been using these malware variants since at least 2009. Targets have included organizations in the media, aerospace, finance and critical infrastructure space.

Joanap is a remote access trojan (RAT) that allows Hidden Cobra operatives to remotely issue commands to infected systems via a command and control server. It usually infiltrates systems as a payload dropped by other Hidden Cobra malware, which people inadvertently download through compromised ads or attachments.

In contrast, Brambul is a brute-force authentication worm that propagates through SMB shares by using a list of hard-coded login credentials to perform password attacks, thereby gaining access to victims’ networks.

To mitigate the risks associated with these threats, US-CERT advises organizations to keep systems updated with the latest patches and antivirus software, to enforce the principle of least privilege for user permissions and to deploy effective email security software that can scan and block suspicious attachments.

In addition, disabling Microsoft’s File and Printer Sharing connection requests can prevent this type of malware from spreading within networks.
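The spreading behaviour described for Brambul, one host trying a short, fixed list of credentials against SMB shares on many neighbours and eventually succeeding, leaves a recognizable pattern in Windows logon events. The following detector is an added example written for this page; it is not part of the US-CERT alert or any Check Point tooling. The log lines are constructed in a simplified, space-separated form (timestamp, event id, logon type, source IP, target host, account) and are not real Windows Security events, although the event ids and logon type are the real ones (4625 failed logon, 4624 successful logon, logon type 3 network). The alert thresholds are assumptions to be tuned per environment.

```python
"""Spot worm-style SMB credential spraying in Windows logon events.

Added example, not the alert's or the page's own tooling. It models the
Brambul behaviour described above: one host trying a short, fixed list of
credentials against SMB shares on many neighbours, then succeeding somewhere.
Signals used:
  * many failed network logons (4625, logon type 3) from one source
  * those failures spread over several distinct target hosts and accounts
  * a network logon success (4624) from the same source after the failures
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample (not real telemetry): 10.0.0.23 sprays three accounts
# across four hosts and finally succeeds on WS-34; 10.0.0.50 is a user who
# mistypes a password twice on one file server; 10.0.0.60 is a console logon.
SAMPLE_LOG = """\
2024-06-01T09:00:01 4625 3 10.0.0.23 WS-31 administrator
2024-06-01T09:00:01 4625 3 10.0.0.23 WS-31 admin
2024-06-01T09:00:02 4625 3 10.0.0.23 WS-32 administrator
2024-06-01T09:00:02 4625 3 10.0.0.23 WS-32 admin
2024-06-01T09:00:03 4625 3 10.0.0.23 WS-33 administrator
2024-06-01T09:00:03 4625 3 10.0.0.23 WS-33 guest
2024-06-01T09:00:04 4625 3 10.0.0.23 WS-34 administrator
2024-06-01T09:00:05 4624 3 10.0.0.23 WS-34 administrator
2024-06-01T09:01:10 4625 3 10.0.0.50 FS-01 jdoe
2024-06-01T09:01:20 4625 3 10.0.0.50 FS-01 jdoe
2024-06-01T09:01:30 4624 3 10.0.0.50 FS-01 jdoe
2024-06-01T09:02:00 4624 2 10.0.0.60 WS-60 asmith
""".splitlines()


@dataclass
class SourceStats:
    """Per-source counters accumulated while scanning the log."""
    failures: int = 0
    targets: set = field(default_factory=set)
    accounts: set = field(default_factory=set)
    success_after_failures: bool = False


def parse_event(line):
    """Parse one constructed log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, event_id, logon_type, src, host, account = parts
    return {
        "ts": ts,
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "src": src,
        "host": host,
        "account": account.lower(),
    }


def analyze(lines, min_failures=5, min_targets=3):
    """Return {source_ip: summary} for sources that look like a spreading worm.

    Only network logons (type 3) are considered, since that is the logon type
    SMB share access produces; interactive logons (type 2) are ignored.
    The thresholds are assumptions for this example.
    """
    stats = defaultdict(SourceStats)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != 3:
            continue
        s = stats[ev["src"]]
        if ev["event_id"] == 4625:
            s.failures += 1
            s.targets.add(ev["host"])
            s.accounts.add(ev["account"])
        elif ev["event_id"] == 4624 and s.failures > 0:
            # A success from a source that has already failed elsewhere is
            # the moment the worm gains a new foothold.
            s.success_after_failures = True

    alerts = {}
    for src, s in stats.items():
        if s.failures >= min_failures and len(s.targets) >= min_targets:
            alerts[src] = {
                "failed_logons": s.failures,
                "distinct_targets": len(s.targets),
                "distinct_accounts": len(s.accounts),
                "success_after_failures": s.success_after_failures,
            }
    return alerts


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(src, info)
```

The distinguishing signal is breadth rather than volume: a user who fat-fingers a password produces failures against one host and one account, while a worm with a hard-coded credential list fans out across many hosts with the same few accounts. That is also why the page's advice to disable File and Printer Sharing where it is not needed is effective: it removes the logon type 3 path the worm depends on.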

2. A new advanced persistent threat group, dubbed LilacSquid, engages in data exfiltration attacks across various industry sectors in both the U.S. and the E.U. The tactics employed by the threat group are similar to those of the North Korean threat group known as Andariel, a sub-cluster of the Lazarus group.

LilacSquid’s initial compromise methods include exploitation of known vulnerabilities in internet-facing application servers and use of stolen RDP credentials. After infiltrating a system, LilacSquid leverages a series of open-source tools, including MeshAgent, which allows for remote management, and InkLoader, which allows for decrypting and loading malicious content.

To mitigate the threat posed by LilacSquid, organizations are advised to focus on ensuring that software systems are up-to-date with the latest security patches. It is also suggested that organizations implement strong password policies and multi-factor authentication. Further, organizations should monitor network traffic and deploy advanced threat detection tools.

3. In Southeast Asia, a trio of state-aligned threat actors are executing Operation Crimson Palace, which is currently impacting a high-profile government group. Attackers have exfiltrated sensitive military and political secrets, including strategic documents related to the contested South China Sea.

The operation weaponizes advanced malware tools, involves over 15 DLL sideloading efforts, and employs innovative evasion techniques.

The operation’s first phase, in March of 2022, involved the deployment of the “Nupakage” data exfiltration tool by Mustang Panda. This was followed by covert backdoor deployments in December of that year. In early 2023, the main campaign began.

To mitigate this type of threat, organizations may wish to implement comprehensive cyber security measures. These include robust network segmentation, regular system updates and advanced threat protection systems that can identify novel malware and backdoor techniques. Also, consider investing in security solutions that use AI.

4. To infiltrate European diplomatic agencies, nation-state backed hackers (attribution unclear) have recently leveraged two new backdoors, known as LunarWeb and LunarMail. The hackers breached the Ministry of Foreign Affairs belonging to an undisclosed European country – one with diplomatic missions in the Middle East.

The attack chain initiates with spear-phishing emails that contain Word documents embedded with malicious macros, which deploy the LunarMail backdoor. This backdoor establishes persistence by creating an Outlook add-in, which activates anytime that the email client is launched.

The attack also exploits misconfigured Zabbix network monitoring tools to deliver the LunarWeb payload. LunarWeb persists by masquerading as legitimate traffic, utilizing techniques such as the creation of Group Policy extensions, replacing system DLLs, and embedding in legitimate software. Both backdoors are decrypted and activated by a component named ‘LunarLoader’ using RC4 and AES-256 ciphers, ensuring that they run exclusively within the targeted environment.

To prevent these types of threats, organizations should install robust email security protocols. Using advanced threat prevention and detection systems is also a must when it comes to enhancing APT resilience.

5. State-backed hacking group APT42 has recently employed advanced social engineering approaches to disrupt networks and to access cloud data across a variety of sectors. The group targets Western and Middle Eastern NGOs, media organizations, academia, legal services and activists.

The group’s tactics involve posing as journalists and event organizers. This strategy enables APT42 to harvest credentials and gain initial access to cloud environments, from which the group can exfiltrate attractive data.

To counteract these types of threats, take the time to learn about the latest social engineering tactics. Threat intelligence can also enhance an organization’s abilities to contend with such sophisticated campaigns.

6. The advanced persistent threat (APT) operation known as HellHounds has been deploying the Windows version of Decoy Dog malware against telecommunications, IT, government and space industry entities across Russia. At least 48 different organizations have been affected thus far.

To maintain a presence within Russian organizations and to evade malware defenses, the HellHounds group has modified open-source tools. The HellHounds toolkit, though primarily based on open-source projects, has been optimized to ensure prolonged covert operations within compromised environments.

To mitigate this threat, organizations are advised to implement robust multi-factor authentication, regularly update and patch systems, and to employ advanced threat prevention and defense solutions.

7. APT28 is targeting European networks using HeadLace malware and credential harvesting techniques. Operating with stealth, APT28 employs legitimate internet services (LIS) and living-off-the-land binaries (LOLBins) to hide its malicious activities within the stream of regular network traffic, significantly complicating detection efforts.

To mitigate the threat, cyber security professionals are advised to block spear phishing attempts, implement comprehensive email security services, and apply multi-factor authentication.

For more insights into the latest malware threats, please see CyberTalk.org’s past coverage. Lastly, to receive cyber security thought leadership articles, groundbreaking research and emerging threat analyses each week, subscribe to the CyberTalk.org newsletter.

How CISOs can master the art of cyber security storytelling – CyberTalk

EXECUTIVE SUMMARY:

Powerful stories can mean the difference between stagnant security that incites adverse outcomes and 10X better security that fully protects the environment.

Bridging the divide

Due to the volume of cyber threats and the impact that they can have, Chief Information Security Officers are now regularly invited to corporate board meetings. More than 90% of CISOs report attending such meetings – a trend that’s expected to continue as new cyber security rules take effect.

However, when asked to lead boardroom cyber security discussions, CISOs’ points or requests are commonly dismissed, as board members lack the context for and interest in the material at-hand.

This disconnect with and diminishment of cyber security widens a chasm that can potentially lead to egregious cyber security gaps and gaffes. If the board does not understand the need for email threat prevention tools, for example, a stealthy attack could undermine the organization.

Chief Storytelling Officer

In turn, the CISO needs to become the Chief Storytelling Officer – someone who can clearly convey cyber security concepts in a way that builds favorable sentiment and consensus around solutions.

As CISO Tom August adroitly notes, “…a confused mind always says no.” It is incumbent upon CISOs to help board members connect the dots in the language of business, not just the language of security.

Storytelling transforms the abstract into the tangible and comprehensible. Yet, the real feat is to ensure that cyber security storytelling not only informs and expands viewpoints, but that it inspires action.

Cyber security storytelling best practices

So, how can a CISO develop storytelling capabilities and transcend communication gaps?

The key lies in starting with the ‘why’. As many an expert has observed before, change of any kind is a participation sport. For people to participate, they must buy into it via the story that’s told about it. A story provides the opportunity to facilitate an emotional connection with the ‘why’.

CISO stories should also have a ‘throughline’ or a connecting thread that brings various ideas and examples together. The throughline is a core message that stakeholders should be able to easily convey to other stakeholders. It should be memorable and repeatable.

In telling a story, CISOs need to humanize cyber risks. CISOs need to show the impact of failing to take certain actions vs. moving forward with certain actions. Claims should be supported with data and metrics, although not with so many metrics that the audience loses interest.

The final messaging in a CISO’s story should point the board in the direction of the response that is required.

Nailing the narrative approach

Think of the narrative approach as savvy and strategic, rather than a watered-down version of reality for cyber security simpletons. The objective is to create a shared understanding, a shared sense of purpose and a shared interest in solving a business problem.

As cyber security threats and needs change, and as the business itself changes, so too should the narratives that cyber security leaders tell. CISOs should aim to continuously educate the audience and to bring them along on a shared journey.

In conceptualizing the CISO role as that of a Chief Storytelling Officer, at least in the context of board-level discussions, CISOs can reshape dynamics and empower organizations to make informed decisions that ultimately enrich cyber security and ensure resilience.

For more on this topic, click here. Lastly, to receive thought leadership insights, groundbreaking research and emerging threat analyses each week, subscribe to the CyberTalk.org newsletter.


Check Point warns of PDF malware surge – CyberTalk

EXECUTIVE SUMMARY:

In a startling discovery, Check Point Research has found that nearly 70% of all file-based email attacks worldwide now leverage malicious PDFs. This figure represents a 20% increase, year-over-year.

One out of every 246 email attachments is malicious.

Such a sharp year-over-year spike indicates that cyber criminals perceive PDFs as an effective malware delivery mechanism — one which they will continue to employ until relevant threat prevention tools see widespread adoption.

PDF attacks

As Check Point security engineer Rudi van Rooyen explains it, PDF-based attacks exploit vulnerabilities in traditional, signature-based security scanners. Cyber criminals embed hidden content in PDFs and the content effectively bypasses security checks.

The healthcare industry has been particularly hard-hit by PDF-based threats and, given the operational damage that could occur and the lives that could be affected, the need for effective countermeasures is readily apparent.

AI-powered protection

To address this issue, Check Point has launched an AI-powered engine called Deep PDF. It utilizes deep learning algorithms to review all PDF content components.

Deep PDF examines:

  • The internal structure of PDFs
  • Embedded images and their placement
  • Embedded URLs and their context within the document
  • Raw content within the PDF

According to Van Rooyen, Deep PDF technology is a component of Check Point’s ThreatCloud AI. It’s available to all Check Point customers, from small businesses to multi-national companies that leverage the complete security platform.

To analyze malicious PDFs, Check Point’s ThreatCloud AI not only utilizes the Deep PDF tool, but also deploys over 300 machine learning features to conduct a comprehensive analysis of a given email attachment and its payload.
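The first two items in the list above, the internal structure of the PDF and embedded URLs in their context, can be inspected without any machine learning, and doing so shows why signature scanners miss content that is tucked away in compressed streams. The script below is an added example written for this page; it is not Deep PDF and makes no claim about how Check Point's engine works. It walks the object structure with regular expressions, inflates FlateDecode streams, records every /URI together with the object and action type it sits in, and flags automatic-action keys (such as /OpenAction and /JavaScript) that a benign invoice rarely needs. The object and key names are standard PDF syntax; the sample document is constructed and contains only a harmless alert and two placeholder URLs.

```python
"""Structural triage of a PDF: enumerate objects, actions and URLs.

Added example, not Check Point's Deep PDF. It implements the first two items
of the page's list (document structure, URLs with context) in the simplest
possible way so the reader can see what an engine has to look at.
"""
import re
import zlib

# Keys whose presence in a document warrants a closer look (standard PDF names).
SUSPICIOUS_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
                   b"/EmbeddedFile", b"/SubmitForm", b"/RichMedia")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
TYPE_RE = re.compile(rb"/S\s*/(\w+)")  # action subtype, e.g. /S /URI, /S /JavaScript


def _inflate_streams(body):
    """Return the object body with FlateDecode streams replaced by their inflated bytes."""
    def repl(m):
        if b"/FlateDecode" not in body:
            return m.group(0)
        try:
            # decompressobj tolerates the trailing newline before 'endstream'.
            return b"stream\n" + zlib.decompressobj().decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)  # leave undecodable streams as they are
    return STREAM_RE.sub(repl, body)


def triage_pdf(data):
    """Walk every 'N G obj ... endobj' block and collect flags and URLs with context."""
    report = {"objects": 0, "urls": [], "flags": {}}
    for m in OBJ_RE.finditer(data):
        num = int(m.group(1))
        body = _inflate_streams(m.group(3))
        report["objects"] += 1
        for key in SUSPICIOUS_KEYS:
            if key in body:
                report["flags"].setdefault(key.decode(), []).append(num)
        action = TYPE_RE.search(body)
        for u in URI_RE.finditer(body):
            report["urls"].append({
                "object": num,
                "url": u.group(1).decode("latin-1"),
                "action": action.group(1).decode() if action else None,
            })
    return report


def findings(report):
    """Render the triage report as reviewer-facing lines."""
    out = [f"{key} in object(s) {objs}" for key, objs in report["flags"].items()]
    for u in report["urls"]:
        scheme = u["url"].split(":", 1)[0]
        out.append(f"object {u['object']}: {u['action']} action -> {u['url']} ({scheme})")
    return out


def build_sample_pdf():
    """Constructed minimal PDF (not a real-world sample).

    Object 1 opens with a JavaScript action, object 4 is a visible link, and
    object 5 is a compressed stream hiding a second URI from naive scanners.
    """
    hidden = b"<< /S /URI /URI (http://198.51.100.7/doc) >>"  # TEST-NET address, placeholder
    compressed = zlib.compress(hidden)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert\\(1\\)) >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        b"/A << /S /URI /URI (https://example.com/invoice) >> >>",
        b"<< /Length " + str(len(compressed)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + compressed + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for line in findings(triage_pdf(build_sample_pdf())):
        print(line)
```

Run against the constructed document it reports the auto-executing action in the catalog object and both URLs, including the one that only exists after inflating object 5. Real documents add object streams, encryption and other filters on top of this, which is exactly the gap a scanner that matches signatures on the raw bytes cannot close.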

Call to action for security leaders

The sharp spike in PDF-based malware indicates that security leaders need to take action. Flawed email security (signature-based defense) is no longer good enough.

To stay ahead of attachment-focused adversaries, organizations need to proactively embrace AI/ML-driven threat prevention.

Partner with industry leading security providers, like Check Point, to obtain cutting-edge technologies that can effectively detect and prevent the most sophisticated of malware-based attacks.

Key takeaways for security leaders

  • Leverage AI-powered technologies, like Deep PDF, to enhance your organization’s cyber security posture.
  • Implement regular cyber security awareness programs for employees. Discuss PDF-based attacks, how to approach a potentially malicious PDF, and how to proceed if a suspect file is accidentally downloaded or opened.
  • Ensure that your organization maintains a comprehensive incident response plan. Detail procedures for containing and mitigating cyber security incidents. Regularly test and evolve the plan to reflect new threats, like PDF-based malware.
  • Collaborate across your sector and with security providers, as partnerships can provide stabilizing resources and support.

For technical information concerning PDF-based threats, please visit the Check Point Research website. For more malware-related insights, please see CyberTalk.org’s past coverage.

Lastly, to receive thought leadership insights, groundbreaking research and emerging threat analyses each week, subscribe to the CyberTalk.org newsletter.