AWS zero trust: A CISO’s path to improved cloud visibility & control – CyberTalk

EXECUTIVE SUMMARY:

It’s undisputed — the cloud has transformed how organizations operate. The cloud provides increased scalability, agility, and cost savings. However, the distributed nature of cloud environments has also introduced security challenges that traditional perimeter-based security models struggle to address.

As cyber threats continue to evolve, CISOs need to adopt a proactive and comprehensive approach to securing AWS environments. AWS plays an incredibly important role in organizational operations and has serious implications for security.

This is where AWS zero trust comes in. AWS zero trust is a robust security approach that empowers CISOs to gain critical visibility and control over cloud resources. Here’s what CISOs should know about its potential:

Benefits of AWS zero trust

Implementing an AWS zero trust strategy offers several benefits. These include:

  • Improved visibility and control. By gaining comprehensive visibility into an AWS environment and enforcing least privilege access, security staff can significantly improve the overall security posture and attain greater control over cloud resources.
  • Reduced risk of data breaches. The zero trust model reduces the risk of data breaches by limiting the potential attack surface and enforcing strict access controls.
  • Compliance with industry standards and regulations. Many industry standards and regulations, such as PCI DSS, HIPAA, and GDPR require organizations to implement security controls that align with zero trust principles.
  • Scalability and agility. The AWS zero trust model is designed to be scalable and agile, allowing organizations to rapidly adapt to changing business requirements and security threats.

In short, by implementing an AWS zero trust strategy, CISOs can significantly reduce the risk of data breaches, maintain compliance with industry regulations, and foster a more secure, resilient cloud infrastructure.

Adopting an AWS zero trust strategy involves several steps, as outlined below:

1. Gaining comprehensive visibility. The first step in implementing AWS zero trust is to gain comprehensive visibility into your AWS environment. This includes identifying all resources, users, and access patterns. AWS offers several tools to help with this, including AWS Config, AWS CloudTrail, and AWS Security Hub.

2. Implementing least privilege access. With a clear understanding of the AWS environment, you can implement least privilege access controls. This means granting users and services the minimum permissions required to perform their tasks. AWS Identity and Access Management (IAM) is a powerful tool for managing access permissions.

3. Enforcing multi-factor authentication (MFA). MFA should be enforced for all AWS user accounts and privileged access to critical resources. AWS supports various MFA options, including virtual MFA devices, hardware tokens, and SMS-based authentication.

4. Implementing micro-segmentation. Micro-segmentation involves dividing your AWS environment into smaller, isolated segments based on workloads, applications, or security zones. This limits the potential blast radius of a security incident and helps enforce least privilege access. AWS Security Groups, Network Access Control Lists (NACLs), and VPC Peering are useful tools for micro-segmentation.

5. Automating security and compliance. Automating security and compliance processes is crucial in the dynamic AWS environment. AWS Config Rules, AWS Lambda, and AWS CloudFormation can be used to automatically enforce security policies, respond to security events, and maintain compliance with industry standards and regulations.

6. Continuous monitoring and auditing. Continuous monitoring and auditing are essential for maintaining visibility and control in the AWS zero trust model. AWS CloudTrail, AWS Config, and AWS Security Hub can be used to monitor and audit AWS resources, user activities, and security events.

7. Integrating with third-party security solutions. While AWS provides a robust set of security services, many organizations choose to integrate with third-party security solutions for additional visibility, control, and advanced security features. AWS Security Hub and AWS Security Partners can help you identify and integrate with trusted security solutions.

Further thoughts

CISOs must prioritize robust cloud security strategies, AWS zero trust among them, to effectively secure their cloud infrastructures.

While not a silver bullet, AWS zero trust empowers organizations to maintain a strong cloud security posture without sacrificing the agility and scalability benefits of AWS.

Want to prevent a 7-figure disaster? Read these 8 AI books – CyberTalk

EXECUTIVE SUMMARY:

As artificial intelligence (AI) continues to rapidly advance, the risks posed by malicious exploitation or the misuse of AI systems loom large. For cyber security leaders, getting ahead of AI-based risks has become mission-critical. No one wants to contend with a potentially disastrous situation involving AI.

Whether it’s preventing the misuse of generative AI models, like ChatGPT, defending against adversarial machine learning attacks or understanding how to leverage AI-based cyber security tools, cyber security professionals should make AI literacy a top priority.

One of the best ways to build knowledge? Read AI books written by top experts in the field. In this article, discover eight essential AI books that should be on the reading list of any cyber security professional who aims to prevent a 7-figure AI disaster.

8 must-read AI books

1. The Alignment Problem, by Brian Christian. In this award-winning, captivating and clear treatise, the author unpacks the immense challenge that is ensuring alignment between advanced AI systems and human ethics. Mike Krieger, cofounder of Instagram, says “This is the book on artificial intelligence we need right now.”

2. You Look Like a Thing and I Love You, by Janelle Shane. This book came out in 2019, before the release of now ubiquitous chatbots. However, it’s a smart and funny introduction to how AI works and how to get the most out of AI. If you’re looking for an easy on-ramp into the subject, this is it.

The author also maintains a blog on AI Weirdness, which may be of interest to the time-constrained.

3. Top Questions That CISOs Should be Asking About AI (and Answers), by CyberTalk.org. Although this is an eBook, we found it worth including, as it provides evidence-backed strategies and tactics for elevating your organization’s use of AI (and ensuring its security).

4. Artificial Intelligence for Cybersecurity, as edited by Mark Stamp, Corrado Aaron Visaggio, Francesco Mercaldo and Fabio Di Troia. This technical manual describes how AI techniques can be applied to enhance anomaly detection, threat intelligence and adversarial machine learning capabilities.

5. Hands-on Artificial Intelligence for Cybersecurity, by Alessandro Parisi. In this handbook, you’ll see how you can infuse AI capabilities into smart cyber security mechanisms. After reading, you will be able to establish a strong cyber security posture, using AI.

6. AI for Defense and Intelligence, by Dr. Patrick T. Biltgen. This book tackles scaling AI in the cloud, customizing AI for unique mission applications and the issues endemic to the defense and intelligence sector. Given the government agency focus, the piece is perfect for those who support national security.

7. Life 3.0: Being Human in the Age of Artificial Intelligence, by Swedish-American physicist Max Tegmark. This book prompts readers to immerse themselves in the most important conversations of our times. Readers tend to find this piece both engaging and empowering.

8. AI, Machine Learning and Deep Learning, edited by Fei Hu and Xiali Hei. Since the aforementioned concepts are all somewhat new to those in the cyber security field, this book aims to provide a comprehensive picture of challenges and solutions that professionals face today. Explore how to overcome AI attacks with AI-based tools.

Further thoughts

Build policies and programs to mitigate AI-based threats before they potentially cause a 7-figure – or even larger – disaster.

In cyber security, knowledge is a powerful line of defense. Equip yourself with new knowledge (via these essential AI books) as you work to protect your organization from AI risks.

Cyberbiosecurity 101: protecting life sciences in the digital age – CyberTalk

EXECUTIVE SUMMARY:

In May of 2017, the life sciences industry contended with the WannaCry campaign, one of the most widespread and destructive cyber attacks in history. It rapidly propagated across networks, encrypting data and systems, leaving organizations crippled and desperate.

Some life sciences groups permanently lost intellectual property or data. Others were forced to halt production of certain drugs and vaccines. The combination of costly system downtime and ransom demands left a few enterprises financially insolvent.

Why life sciences?

Cyber criminals perceive life sciences as an attractive target due to the intellectual property available on computer systems. Ninety-five percent of all cyber attacks in the life sciences sector center around intellectual property (IP).

For the life science sector, WannaCry served as a cyber security wake-up call. However, not every organization took adequate action and the threat landscape has grown more perilous in the years since.

Here’s what to know about preventing and defending against cyberbiosecurity threats:

Addressing the challenge

First, know where the problems are. Conduct a thorough risk assessment – one that’s specific to your organization’s unique network environment. Identify critical assets, including intellectual property, research data and other proprietary information. Implement layered defenses to mitigate risks. These include firewalls, intrusion detection systems and endpoint detection systems.

But that alone isn’t enough. Be sure to train your employees effectively. Provide education around cyber threats, including social engineering. Develop a cyber security-conscious culture, where everyone understands the importance of safeguarding information. Provide regular supplemental training to address evolving threats.

Beyond that, ensure that your organization’s software developers use secure coding practices. Regularly patch and update software to address vulnerabilities.

Develop and test incident response (IR) plans that are specific to cyberbiosecurity incidents in the life sciences sector. As with any IR plan, establish communication channels, delegate roles and clarify responsibilities, all of which will hasten the response in the event of a breach. Practice tabletop exercises to simulate real-world scenarios.

Leverage threat intelligence and information sharing efforts. Participate in Information Sharing and Analysis Centers (ISACs) or working groups that are focused on cyberbiosecurity. This will enable your organization to learn from peers and to exchange tactics. Your organization may also wish to collaborate on joint prevention and defense initiatives.

Cyber and physical system integration

Another aspect of the cyberbiosecurity situation to consider is reliance on cyber-physical systems. These types of systems integrate cyber-based control mechanisms into physical infrastructure. Examples include building automation systems and certain types of data collection and analysis instruments.

To protect these systems, ensure that your organization limits physical access to critical infrastructure and the toggles that control infrastructure functions. In addition, consider installing surveillance cameras and monitoring access points.

Further, ahead of acquiring new cyber-physical technology, assess the security practices of the vendors who are providing the equipment. Ensure that vendors follow cyber security best practices.

More recommendations for CISOs

Have you completed all of the aforementioned recommendations? Great work! Take the next step: thoroughly test for vulnerabilities. Based on the results of the testing, devise and implement a remediation strategy. This will significantly minimize cyber risk.

Closing thoughts

The life sciences community has an opportunity (and perhaps, an obligation) to lead when it comes to securing digital resources. Investing in cyberbiosecurity ensures the secure future of scientific research, life-saving vaccines, and life-changing pharmaceutical treatments.

7 cyber assets expanding your attack surface and how to find them

EXECUTIVE SUMMARY:

You’ve invested in cyber prevention and defense tools: next-gen firewalls, endpoint detection and response, SIEM, and more. However, despite this, breaches continue to occur. Perhaps your organization has contended with more breaches than it would care to admit.

And at this point, maybe you’re ready to just about toss in the towel. But before you’re bought out by burnout, consider the following:

One reason for consistent breaches pertains to obscure cyber assets. Yes, your enterprise might have a trove of cyber assets that are unknown to your team, flying under the radar and secretly expanding your attack surface.

These marauding and elusive assets create unseen vulnerabilities that cyber attackers are eager to exploit. From rogue cloud instances to server misconfigurations, any untracked cyber resource or failure represents a potential entry point into your networks.

In this article, discover seven frequently overlooked cyber assets that could accidentally increase your cyber risk exposure. We also provide guidance on how to identify these hidden threats within your environment. Keep reading to learn more.

1. Orphaned cloud resources. As cloud adoption accelerates, it becomes easier for cloud resources like storage buckets, databases, and compute instances to go untracked and unprotected. Orphaned from active monitoring, these ghost assets provide attackers with a backdoor into your cloud environment.

2. Rogue internet-exposed assets. From authenticated web apps to database servers, any internet-exposed asset represents risk if not properly secured. Rogue assets that slip through the cracks give hackers a direct path into your internal networks.

3. Forgotten personal/BYOD devices. With hybrid workforces now the norm, personal and BYOD devices have multiplied. Many go unaccounted for and lack security controls. They serve as unmonitored entry points to corporate data.

4. Sprawling internet of things (IoT). Business optimization efforts built on IoT have flooded networks with countless smart devices. However, IoT security is frequently an afterthought, leaving deployments of smart cameras, sensors, HVAC controllers and more as low-hanging fruit for hackers.

5. Misconfigured network infrastructure. Oversights like open ports, unsecured protocols, and improper access controls on routers, switches and other network equipment can enable lateral movement within your infrastructure.

6. Outdated software/hardware. From OS vulnerabilities to end-of-life appliances, outdated and unpatched systems inevitably creep into complex environments, creating exploitable weaknesses.

7. Acquired company/asset blind spots. Mergers and acquisitions often introduce inherited risks in the form of untracked assets, technical debt, and risky integrations from the acquired entity.

Attack surface monitoring

How can you identify and mitigate the risks that derive from these unknown, but extant, cyber resources? The answer is continuous attack surface monitoring.

Advanced attack surface management solutions provide real-time discovery of all cyber assets across on-prem, cloud, home, and IoT environments. With a high level of visibility, as presented through a unified platform, you can accurately assess security posture and prioritize previously unknown risks.

Leaving any asset untracked is akin to leaving your doorway wide open to attackers. Illuminate your entire attack surface, and eliminate your hidden cyber risks.

Is your outdated WAN putting the brakes on your business? What to watch for – CyberTalk

Peter Elmer, Check Point Office of the CTO and Mor Ahuvia, Check Point Office of the CTO.

By 2026, 70% of enterprises will have adopted SD-WAN. The shift towards cloud-based services and infrastructure is driving organizations to rethink their networking infrastructure. At present, your organization may be experiencing some of the following challenges:

Core WAN limitations

1. Latency issues. Latency refers to the time it takes for a data packet to travel from its source to its destination. Traditional WAN infrastructure often leads to extremely high latency, as all traffic, including internet-bound traffic, is routed through the headquarters or data center for security inspection. This can result in sluggish application performance, slow file transfers and reduced responsiveness, ultimately hindering business efficiency.

2. High MPLS costs. While MPLS offers security and reliability, it comes with a substantial price tag. These costs can become a financial burden, especially for organizations with multiple branches or remote locations. Nowadays, there are much more cost-effective alternatives to MPLS, such as broadband and 5G wireless internet connections.

3. Challenges with adding new branches. Traditional WAN architectures often lack the flexibility and speed needed to keep up with the addition of new branches. Adding new sites typically requires the physical installation of new private lines by the service provider, a time-consuming and complex process.

Further, integrating new sites into the existing WAN infrastructure can be challenging. This can make it difficult to accommodate expanded global operations and/or to execute mergers and acquisitions. Typically, adding new branches with WAN requires specialized hardware and manual configurations at each branch. This increases overhead for already burdened admin teams.

4. WAN as a single point of failure. Traditional WANs can easily become a single point of failure. If your Internet Service Provider (ISP) experiences an outage for any reason, your branch, office or remote site loses internet connectivity. This affects your ability to support customers, employees or automated operations. By enabling failover to a secondary or even tertiary link connecting to different service providers, you can ensure greater business resilience, regardless of circumstances.

Leveraging your current investment

Some security gateways enable you to implement SD-WAN easily, via a simple software update. This prevents you from having to install yet another point product. As a result, there’s no need for you to ‘rip-and-replace’ your current investment. This saves time, money and spares everyone from potential disruptions. For example, see Check Point’s SD-WAN solutions.

Improving WAN resilience

Here are a series of items to consider when evaluating your current security gateways for improved WAN resilience.

1. Preventing vs. detecting advanced threats. Ensure that your network is protected against the latest cyber threats, including zero-days, ransomware and DNS attacks. Check your solution’s catch rate to assess how well it can protect your business from known and unknown attacks, ideally using AI and machine learning technology.

2. Shorten the learning curve. Transitioning to new technology can be intimidating. By utilizing a familiar user interface, IT teams can quickly adapt to the new infrastructure, requiring fewer staff hours to learn and operate the network. Also, with an all-in-one solution, your team doesn’t have to operate and maintain a separate SD-WAN appliance.

3. Support for different types of connections. Shifting from traditional MPLS to broadband internet and 5G cellular connections can significantly reduce costs without compromising network performance. Check on which types of links your organization would need to stay connected, such as 5G wireless for rural, remote and even maritime sites. Consider embedded Wi-Fi if you’re looking for an all-in-one branch solution.

Anticipating the future of malicious open-source packages: next gen insights

Ori Abramovsky is the Head of Data Science of the Developer-First group at Check Point, where he leads the development and application of machine learning models to the source code domain. With extensive experience in various machine learning types, Ori specializes in bringing AI applications to life. He is committed to bridging the gap between theory and real-world application and is passionate about harnessing the power of AI to solve complex business challenges.

In this thoughtful and incisive interview, Check Point’s Developer-First Head of Data Science, Ori Abramovsky, discusses malicious open-source packages. While malicious open-source packages aren’t new, their popularity among hackers is increasing. Discover attack vectors, how malicious packages conceal their intent, and risk mitigation measures. The best prevention measure is…Read the interview to find out.

What kinds of trends are you seeing in relation to malicious open-source packages?

The main trend we’re seeing relates to the increasing sophistication and prevalence of malicious open-source packages. While registries are implementing stricter measures, such as PyPI’s recent mandate for users to adopt two-factor authentication, the advances of Large Language Models (LLMs) pose significant challenges to safeguarding against such threats. Previously, hackers needed substantial expertise in order to create malicious packages. Now, all they need is access to LLMs and to find the right prompts for them. The barriers to entry have significantly decreased.

While LLMs democratise knowledge, they also make it much easier to distribute malicious techniques. As a result, it’s fair to assume that we should anticipate an increasing volume of sophisticated attacks. Moreover, we’re already in the middle of that shift, seeing these attacks extending beyond traditional domains like NPM and PyPI, manifesting in various forms such as malicious VSCode extensions and compromised Hugging Face models. To sum it up, the accessibility of LLMs empowers malicious actors, indicating a need for heightened vigilance across all open-source domains. Exciting yet challenging times lie ahead, necessitating preparedness.

Are there specific attack types that are most popular among hackers, and if so, what are they?

Malicious open-source packages can be applied based on the stage of infection: install (as part of the install process), first use (once the package has been imported), and runtime (infection is hidden as part of some functionality and will be activated once the user uses that functionality). Install and first use attacks typically employ simpler techniques, prioritizing volume over complexity, aiming to remain undetected long enough to infect users (assuming that some users will mistakenly install them). In contrast, runtime attacks are typically more sophisticated, with hackers investing efforts in concealing their malicious intent. As a result, the attacks are harder to detect, but come with a pricier tag. They last longer and therefore have higher chances of becoming a zero-day affecting more users.

Malicious packages employ diverse methods to conceal their intent, ranging from manipulating package structures (the simpler ones will commonly include only the malicious code, the more sophisticated ones can even be an exact copy of a legit package), to employing various obfuscation techniques (from classic methods such as base64 encoding, to more advanced techniques, such as steganography). The downside is that using such concealment methods can make them susceptible to detection, as many Yara detection rules specifically target these signs of obfuscation. Given the emergence of Large Language Models (LLMs), hackers have greater access to advanced techniques for hiding malicious intent and we should expect to see more sophisticated and innovative concealment methods in the future.

Hackers tend to exploit opportunities where hacking is easier or more likely, with studies indicating a preference for targeting dynamic installation flows in registries like PyPI and NPM due to their simplicity in generating attacks. While research suggests a higher prevalence of such attacks in source code languages with dynamic installation flows, the accessibility of LLMs facilitates the adaptation of these attacks to new platforms, potentially leading hackers to explore less visible domains for their malicious activities.

How can organisations mitigate the risk associated with malicious open-source packages? How can CISOs ensure protection/prevention?

The foremost strategy for organisations to mitigate the risk posed by malicious open-source packages is through education. One should not use open-source code without properly knowing its origins. Ignorance in this realm does not lead to bliss. Therefore, implementing practices such as double-checking the authenticity of packages before installation is crucial. Looking into aspects like the accuracy of package descriptions, their reputation, community engagement (such as stars and user feedback), the quality of documentation in the associated GitHub repository, and its track record of reliability is also critical. By paying attention to these details, organisations can significantly reduce the likelihood of falling victim to malicious packages.

The fundamental challenge lies in addressing the ignorance regarding the risks associated with open-source software. Many users fail to recognize the potential threats and consequently, are prone to exploring and installing new packages without adequate scrutiny. Therefore, it is incumbent upon Chief Information Security Officers (CISOs) to actively participate in the decision-making process regarding the selection and usage of open-source packages within their organisations.

Despite best efforts, mistakes can still occur. To bolster defences, organisations should implement complementary protection services designed to monitor and verify the integrity of packages being installed. These measures serve as an additional layer of defence, helping to detect and mitigate potential threats in real-time.

What role does threat intelligence play in identifying and mitigating risks related to open-source packages?

Traditionally, threat intelligence has played a crucial role in identifying and mitigating risks associated with open-source packages. Dark web forums and other underground channels were primary sources for discussing and sharing malicious code snippets. This allowed security professionals to monitor and defend against these snippets using straightforward Yara rules. Additionally, threat intelligence facilitated the identification of suspicious package owners and related GitHub repositories, aiding in the early detection of potential threats. While effective for simpler cases of malicious code, this approach may struggle to keep pace with the evolving sophistication of attacks, particularly in light of advancements like Large Language Models (LLMs).

These days, with the rise of LLMs, it’s reasonable to expect hackers to innovate new methods through which to conduct malicious activity, prioritizing novel techniques over rehashing old samples that are easily identifiable by Yara rules. Consequently, while threat intelligence remains valuable, it should be supplemented with more advanced analysis techniques to thoroughly assess the integrity of open-source packages. This combined approach ensures a comprehensive defence against emerging threats, especially within less-monitored ecosystems, where traditional threat intelligence may be less effective.

What to anticipate in the future?

The emergence of Large Language Models (LLMs) is revolutionising every aspect of the software world, including the malicious domain. From the perspective of hackers, this development’s immediate implication equates to more complicated malicious attacks, more diverse attacks and more attacks, in general (leveraging LLMs to optimise strategies). Looking forward, we should anticipate hackers trying to target the LLMs themselves, using techniques like prompt injection or by trying to attack the LLM agents. New types and domains of malicious attacks are probably about to emerge.

Looking at the malicious open-source packages domain in general, a place we should probably start watching is GitHub. Historically, malicious campaigns have targeted open-source registries such as PyPI and NPM, with auxiliary support from platforms like GitHub, Dropbox, and Pastebin for hosting malicious components or publishing exploited data pieces. However, as these registries adopt more stringent security measures and become increasingly monitored, hackers are likely to seek out new “dark spots” such as extensions, marketplaces, and GitHub itself. Consequently, malicious code has the potential to infiltrate EVERY open-source component we utilise, necessitating vigilance and proactive measures to safeguard against such threats.
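The three infection stages named in the interview (install, first use, runtime) and the base64 sign of obfuscation can be looked for statically before a package is installed. The following is an added example, not code from the interview or from Check Point: a Python scanner that parses package sources without executing them and labels each indicator with its stage. The indicator list, the `scan_package` name and the sample package are all constructed for illustration.

```python
import ast
import re

# Calls that deserve review when they appear in package install or import paths.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "__import__",
    "os.system", "os.popen",
    "subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output",
    "base64.b64decode",
    "urllib.request.urlopen", "requests.get", "requests.post",
}
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")  # long unbroken base64 alphabet


def dotted_name(node):
    """Turn Name/Attribute chains such as os.system into 'os.system'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class Scanner(ast.NodeVisitor):
    def __init__(self, filename):
        self.filename = filename
        self.depth = 0      # > 0 while inside a function body
        self.aliases = {}   # local name -> real dotted name, from import statements
        self.findings = []

    def stage(self):
        # Anything in setup.py runs during installation; module-level code runs
        # on first import; code inside functions runs only when it is called.
        if self.filename.rsplit("/", 1)[-1] == "setup.py":
            return "install"
        return "runtime" if self.depth else "first use"

    def report(self, node, issue):
        self.findings.append((self.filename, node.lineno, self.stage(), issue))

    def visit_Import(self, node):
        for alias in node.names:
            if alias.asname:
                self.aliases[alias.asname] = alias.name

    def visit_ImportFrom(self, node):
        if node.module:
            for alias in node.names:
                self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    def enter_function(self, node):
        self.depth += 1
        self.generic_visit(node)
        self.depth -= 1

    visit_FunctionDef = visit_AsyncFunctionDef = visit_Lambda = enter_function

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name:
            head, _, rest = name.partition(".")
            if head in self.aliases:  # resolve "from base64 import b64decode as _d"
                name = self.aliases[head] + ("." + rest if rest else "")
            if name in SUSPICIOUS_CALLS:
                self.report(node, f"call {name}")
        self.generic_visit(node)

    def visit_Constant(self, node):
        if isinstance(node.value, str) and BASE64_BLOB.match(node.value):
            self.report(node, "base64-like literal")


def scan_package(files):
    """files maps path -> source text; returns (path, line, stage, issue) tuples."""
    findings = []
    for filename, source in files.items():
        try:
            tree = ast.parse(source, filename=filename)
        except SyntaxError:
            findings.append((filename, 0, "unknown", "unparseable source"))
            continue
        scanner = Scanner(filename)
        scanner.visit(tree)
        findings.extend(scanner.findings)
    return findings


# Constructed sample package; the sources are only parsed, never executed.
SAMPLE_PACKAGE = {
    "setup.py": '''\
from setuptools import setup
from setuptools.command.install import install
import os

class PostInstall(install):
    def run(self):
        install.run(self)
        os.system("echo constructed-sample")
''',
    "examplepkg/__init__.py": '''\
from base64 import b64decode as _d
_BLOB = "QUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJD"
exec(_d(_BLOB))

def helper(url):
    import urllib.request
    return urllib.request.urlopen(url)
''',
}

if __name__ == "__main__":
    for finding in scan_package(SAMPLE_PACKAGE):
        print(*finding, sep="  ")
```

Matches are review prompts rather than verdicts: legitimate packages also call these functions, which is why the stage label matters when triaging.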

Victim of cyber crime? 7 crucial steps your business should take – CyberTalk

EXECUTIVE SUMMARY:

For a business, falling victim to cyber crime is a disquieting and stressful experience. In the immediate aftermath, there are a number of hurdles to clear and obstacles to overcome. Failure to act fast can worsen an already degraded cyber security situation, exacerbate financial or reputational damage, and even lead to legal consequences.

So, where should businesses begin? After falling victim to cyber crime, how can your enterprise respond in a way that will yield the most optimal outcomes and greater business resilience? Chase down those hackers (just kidding, don’t do that). Aim to regain control of the situation quickly. Here’s how:

1. Identify and contain the incident. The first step is to identify the nature and scope of the cyber attack. Engage your cyber security team or bring in external experts to conduct a thorough investigation. Once the type of incident is determined, take immediate action to contain the situation and prevent further damage or data loss.

2. Preserve evidence. Preserving evidence is critical, not only for your internal investigation but also for potential legal action and regulatory compliance purposes. Ensure that all relevant logs, data, and system artifacts are securely collected and stored in a forensically sound manner.

3. Notify authorities and regulatory bodies. Depending on the nature and severity of the cyber incident, you may be legally required to notify relevant authorities, such as law enforcement agencies or regulatory bodies. Consult with your legal team to understand the obligations. Ensure compliance with applicable laws and regulations.

4. Communicate effectively. Transparency and clear communication are key during a cyber crisis. Develop a comprehensive communication plan. Keep stakeholders, customers, and employees informed about the issue, especially if it becomes persistent. Provide regular updates. Be truthful about the impact and the steps being taken to remediate the situation.

5. Conduct a vulnerability assessment. Once the immediate threat has been addressed, it’s crucial to identify and remediate any vulnerabilities that enabled the cyber attack in the first place. Engage cyber security professionals to conduct a thorough vulnerability assessment and implement the necessary security controls and patches.

6. Develop an Incident Response Plan (IRP). If your organization doesn’t already have an incident response plan in place, now is the time to develop one. A well-crafted plan will outline the roles, responsibilities, and procedures to follow in the event of a cyber incident, ensuring a coordinated and efficient response.

7. Review and enhance cyber security measures. A cyber attack should serve as a wake-up call to review and enhance your organization’s overall cyber security posture. Evaluate your existing security measures, policies, and employee training programs. Make necessary improvements to better protect your business against future threats.

The best time to stop a cyber attack is before it happens. Ensure that you have a comprehensive cyber security strategy and a unified cyber security solution in place.

Malicious open-source packages: Insights from Check Point’s Head of Data Science

Anticipating the future of malicious open-source packages: next gen insights

Ori Abramovsky is the Head of Data Science of the Developer-First group at Check Point, where he leads the development and application of machine learning models to the source code domain. With extensive experience in various machine learning types, Ori specializes in bringing AI applications to life. He is committed to bridging the gap between theory and real-world application and is passionate about harnessing the power of AI to solve complex business challenges.

In this thoughtful and incisive interview, Check Point’s Developer-First Head of Data Science, Ori Abramovsky discusses malicious open-source packages. While malicious open-source packages aren’t new, their popularity among hackers is increasing. Discover attack vectors, how malicious packages conceal their intent, and risk mitigation measures. The best prevention measure is…Read the interview to find out.

What kinds of trends are you seeing in relation to malicious open-source packages?

The main trend we’re seeing relates to the increasing sophistication and prevalence of malicious open-source packages. While registries are implementing stricter measures, such as PyPI’s recent mandate for users to adopt two-factor authentication, the advances of Large Language Models (LLMs) pose significant challenges to safeguarding against such threats. Previously, hackers needed substantial expertise in order to create malicious packages. Now, all they need is access to LLMs and to find the right prompts for them. The barriers to entry have significantly decreased.

While LLMs democratise knowledge, they also make it much easier to distribute malicious techniques. As a result, it’s fair to assume that we should anticipate an increasing volume of sophisticated attacks. Moreover, we’re already in the middle of that shift, seeing these attacks extending beyond traditional domains like NPM and PyPI, manifesting in various forms such as malicious VSCode extensions and compromised Hugging Face models. To sum it up, the accessibility of LLMs empowers malicious actors, indicating a need for heightened vigilance across all open-source domains. Exciting yet challenging times lie ahead, necessitating preparedness.

Are there specific attack types that are most popular among hackers, and if so, what are they?

Malicious open-source packages can be applied based on the stage of infection: install (as part of the install process), first use (once the package has been imported), and runtime (infection is hidden as part of some functionality and will be activated once the user uses that functionality). Install and first use attacks typically employ simpler techniques, prioritizing volume over complexity, aiming to remain undetected long enough to infect users (assuming that some users will mistakenly install them). In contrast, runtime attacks are typically more sophisticated, with hackers investing efforts in concealing their malicious intent. As a result, the attacks are harder to detect, but come with a pricier tag. They last longer and therefore have higher chances of becoming a zero-day affecting more users.

Malicious packages employ diverse methods to conceal their intent, ranging from manipulating package structures (the simpler ones will commonly include only the malicious code, the more sophisticated ones can even be an exact copy of a legit package), to employing various obfuscation techniques (from classic methods such as base64 encoding, to more advanced techniques, such as steganography). The downside is that using such concealment methods can make them susceptible to detection, as many Yara detection rules specifically target these signs of obfuscation. Given the emergence of Large Language Models (LLMs), hackers have greater access to advanced techniques for hiding malicious intent and we should expect to see more sophisticated and innovative concealment methods in the future.

Hackers tend to exploit opportunities where hacking is easier or more likely, with studies indicating a preference for targeting dynamic installation flows in registries like PyPI and NPM due to their simplicity in generating attacks. While research suggests a higher prevalence of such attacks in source code languages with dynamic installation flows, the accessibility of LLMs facilitates the adaptation of these attacks to new platforms, potentially leading hackers to explore less visible domains for their malicious activities.

How can organisations mitigate the risk associated with malicious open-source packages? How can CISOs ensure protection/prevention?

The foremost strategy for organisations to mitigate the risk posed by malicious open-source packages is through education. One should not use open-source code without properly knowing its origins. Ignorance in this realm does not lead to bliss. Therefore, implementing practices such as double-checking the authenticity of packages before installation is crucial. Looking into aspects like the accuracy of package descriptions, their reputation, community engagement (such as stars and user feedback), the quality of documentation in the associated GitHub repository, and its track record of reliability is also critical. By paying attention to these details, organisations can significantly reduce the likelihood of falling victim to malicious packages.

The fundamental challenge lies in addressing the ignorance regarding the risks associated with open-source software. Many users fail to recognize the potential threats and consequently, are prone to exploring and installing new packages without adequate scrutiny. Therefore, it is incumbent upon Chief Information Security Officers (CISOs) to actively participate in the decision-making process regarding the selection and usage of open-source packages within their organisations.

Despite best efforts, mistakes can still occur. To bolster defences, organisations should implement complementary protection services designed to monitor and verify the integrity of packages being installed. These measures serve as an additional layer of defence, helping to detect and mitigate potential threats in real-time.

What role does threat intelligence play in identifying and mitigating risks related to open-source packages?

Traditionally, threat intelligence has played a crucial role in identifying and mitigating risks associated with open-source packages. Dark web forums and other underground channels were primary sources for discussing and sharing malicious code snippets. This allowed security professionals to monitor and defend against these snippets using straightforward Yara rules. Additionally, threat intelligence facilitated the identification of suspicious package owners and related GitHub repositories, aiding in the early detection of potential threats. While effective for simpler cases of malicious code, this approach may struggle to keep pace with the evolving sophistication of attacks, particularly in light of advancements like Large Language Models (LLMs).

These days, with the rise of LLMs, it’s reasonable to expect hackers to innovate new methods through which to conduct malicious activity, prioritizing novel techniques over rehashing old samples that are easily identifiable by Yara rules. Consequently, while threat intelligence remains valuable, it should be supplemented with more advanced analysis techniques to thoroughly assess the integrity of open-source packages. This combined approach ensures a comprehensive defence against emerging threats, especially within less-monitored ecosystems, where traditional threat intelligence may be less effective.

What to anticipate in the future?

The emergence of Large Language Models (LLMs) is revolutionising every aspect of the software world, including the malicious domain. From the perspective of hackers, this development’s immediate implication equates to more complicated malicious attacks, more diverse attacks and more attacks, in general (leveraging LLMs to optimise strategies). Looking forward, we should anticipate hackers trying to target the LLMs themselves, using techniques like prompt injection or by trying to attack the LLM agents. New types and domains of malicious attacks are probably about to emerge.

Looking at the malicious open-source packages domain in general, a place we should probably start watching is GitHub. Historically, malicious campaigns have targeted open-source registries such as PyPI and NPM, with auxiliary support from platforms like GitHub, Dropbox, and Pastebin for hosting malicious components or publishing exploited data pieces. However, as these registries adopt more stringent security measures and become increasingly monitored, hackers are likely to seek out new “dark spots” such as extensions, marketplaces, and GitHub itself. Consequently, malicious code has the potential to infiltrate EVERY open-source component we utilise, necessitating vigilance and proactive measures to safeguard against such threats.
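The install, first-use and runtime stages and the obfuscation signs described in the interview above can be turned into a simple static check. The following is an added example, not code from the interview or from Check Point; the `SUSPICIOUS` name list, the `scan` function and the sample package are assumptions made for illustration.

```python
import ast
from pathlib import PurePosixPath

# Call names treated as signs of concealment or dynamic execution.
# The list is an assumption for this example, not a complete rule set.
SUSPICIOUS = {"exec", "eval", "b64decode", "system", "Popen"}

class StageFinder(ast.NodeVisitor):
    """Collect suspicious calls and the infection stage at which they would run."""

    def __init__(self, filename):
        self.filename = filename
        self.is_setup = PurePosixPath(filename).name == "setup.py"
        self.depth = 0          # > 0 while inside a function or lambda
        self.findings = []

    def _stage(self):
        if self.is_setup:
            return "install"    # setup.py runs when a source distribution is installed
        return "runtime" if self.depth else "first use"

    def visit_FunctionDef(self, node):
        self.depth += 1
        self.generic_visit(node)
        self.depth -= 1

    visit_AsyncFunctionDef = visit_Lambda = visit_FunctionDef

    def visit_Call(self, node):
        func = node.func
        name = getattr(func, "id", None) or getattr(func, "attr", None)
        if name in SUSPICIOUS:
            self.findings.append((self.filename, self._stage(), name, node.lineno))
        self.generic_visit(node)

def scan(files):
    """files maps a path inside the package to its source text."""
    findings = []
    for path, source in files.items():
        finder = StageFinder(path)
        finder.visit(ast.parse(source))
        findings.extend(finder.findings)
    return findings

# Constructed sample package; the encoded string is a harmless print().
SAMPLE = {
    "setup.py": "import base64\nfrom setuptools import setup\n"
                "exec(base64.b64decode('cHJpbnQoImhpIik='))\nsetup(name='demo')\n",
    "demo/__init__.py": "import os\nos.system('echo imported')\n"
                        "def helper(x):\n    return eval(x)\n",
}
```

A finding is a lead for manual review rather than a verdict, since legitimate packages also call these functions.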

Securing Kubernetes: mitigating the RCE flaw for Windows nodes – CyberTalk

EXECUTIVE SUMMARY:

As the backbone of modern container orchestration, Kubernetes plays a pivotal role in managing workloads across clusters. However, recent research has shed light on a critical vulnerability that demands attention from security practitioners. In this article, we delve into the specifics of the flaw and provide practical steps that can help you safeguard your Kubernetes environment.

The vulnerability

The flaw, tracked as CVE-2023-5528, allows attackers to remotely execute code with system privileges on Windows endpoints within a Kubernetes cluster. The severity score of 7.2 underscores the urgency around addressing this issue.

Exploitation mechanism

The vulnerability exploits Kubernetes volumes, a feature designed for data sharing between pods or persistent storage. By manipulating these volumes, attackers can escalate their privileges to admin level on Windows nodes.

“It is very easy to exploit this vulnerability because an attacker would only need to modify a parameter and apply 3 YAML files to gain remote control execution (RCE) over the Windows endpoints,” says cyber security analyst Tomer Peled. The Kubernetes framework leverages YAML files for “basically everything,” Peled noted.

Risk assessment and impact

Why should you be concerned?

1. Full takeover potential. Successful exploitation enables hackers to control all Windows nodes within the cluster.

2. Ease of exploitation. Modifying a single parameter and applying three YAML files is all it takes to achieve RCE.

3. Widespread impact. Default Kubernetes installations (versions earlier than 1.28.4) running on-premises or in Azure Kubernetes Service are vulnerable. Even if your cluster lacks Windows nodes, patching remains critical.

Mitigation strategies

Patch the cluster

  • Immediate action: The flaw resides in the source code, making it an ongoing threat. Apply the available patch promptly, regardless of your cluster’s Windows node configuration.

YAML hygiene

  • Audit YAML files. Regularly review YAML files used for pod creation and volume management. Ensure proper sanitization and input validation to prevent malicious injections.

Limit in-tree storage plugins

  • While Kubernetes supports various volume types, consider minimizing reliance on in-tree storage plugins for Windows. Explore alternatives to reduce the attack surface.
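For the patch step above, the node inventory can be checked against the version threshold the article gives. This is an added example, not part of the original article or of Kubernetes itself; it reads the JSON that `kubectl get nodes -o json` produces, and the node names and versions in the sample are constructed.

```python
import json
import re

# Threshold taken from the article: versions earlier than 1.28.4 are vulnerable.
# Fixed patch releases of older minor lines are not listed in the article;
# confirm them against the official advisory for CVE-2023-5528.
FIXED = (1, 28, 4)

def parse_version(text):
    """Turn 'v1.27.3' or 'v1.28.5+vendor' into (1, 27, 3) or (1, 28, 5)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def audit_nodes(node_list_json):
    """Return one finding per node whose kubelet is older than FIXED."""
    findings = []
    for item in json.loads(node_list_json)["items"]:
        info = item["status"]["nodeInfo"]
        if parse_version(info["kubeletVersion"]) >= FIXED:
            continue
        windows = info["operatingSystem"] == "windows"
        findings.append({
            "node": item["metadata"]["name"],
            "kubelet": info["kubeletVersion"],
            # Windows nodes are where the RCE lands, so they are listed first.
            "priority": "urgent" if windows else "patch",
        })
    return sorted(findings, key=lambda f: f["priority"] != "urgent")

def _node(name, os_name, version):
    """Build one entry of the constructed sample inventory."""
    return {"metadata": {"name": name},
            "status": {"nodeInfo": {"operatingSystem": os_name,
                                    "kubeletVersion": version}}}

# Constructed sample standing in for `kubectl get nodes -o json` output.
SAMPLE = json.dumps({"items": [
    _node("linux-a", "linux", "v1.28.3"),
    _node("win-a", "windows", "v1.27.3"),
    _node("linux-b", "linux", "v1.28.4"),
]})

if __name__ == "__main__":
    for finding in audit_nodes(SAMPLE):
        print(finding)
```

Linux nodes below the threshold are still reported, in line with the article's point that patching matters even without Windows nodes.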

Further thoughts

Address the Kubernetes RCE flaw head-on to maintain the integrity of clusters and to protect your organization from potential breaches. Remember: Secure Kubernetes is resilient Kubernetes.
