CISO Corner: Federal Cyber Deadlines Loom; Private Chatbot Danger
Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: fighting cybersecurity burnout; BlackSuit ransomware; the SEC breach rules and risk management.
May 31, 2024
Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.
In this issue of CISO Corner:
Making the Case for 'Reasonable' Cybersecurity
Flawed AI Tools Create Worries for Private LLMs, Chatbots
The SEC's New Take on Cybersecurity Risk Management
BlackSuit Claims Dozens of Victims With Carefully Curated Ransomware
9 Tips to Avoid Burnout in Cybersecurity
Global: China APT Stole Geopolitical Secrets From Middle East, Africa & Asia
Preparing Your Organization for Upcoming Cybersecurity Deadlines
Making the Case for 'Reasonable' Cybersecurity
By Stephen Lawton, Contributing Writer, Dark Reading
Reasonable cybersecurity is highly subjective. Organizations need to plan carefully in order to quantify cyber-risk and apply security controls.
For regulators overseeing enterprise cybersecurity practices, the standard of proof is "reasonable cybersecurity," or taking measures to protect data based on what a reasonably prudent person would do in similar circumstances.
However, "reasonable cybersecurity" is intentionally ambiguous and depends heavily on context. A cyber insurance carrier will often use a questionnaire asking whether various security controls are in place, and underwriters might or might not approve a policy. But if a breach occurs later, the insurer might dispute the claim, as in 2022, when Travelers Insurance won a lawsuit against International Control Services over misrepresented security controls.
To eliminate much of the confusion, security frameworks such as the NIST Cybersecurity Framework (CSF), CIS's own Critical Security Controls (CIS Controls), and others provide enterprises with the controls they need to meet the reasonableness legal requirement. But other steps are important too.
Read more: Making the Case for 'Reasonable' Cybersecurity
Related: Anatomy of a Data Breach: What to Do If It Happens to You, a free Dark Reading virtual event scheduled for June 20. Verizon's Alex Pinto will deliver a keynote, Up Close: Real-World Data Breaches, detailing DBIR findings and more.
Flawed AI Tools Create Worries for Private LLMs, Chatbots
By Robert Lemos, Contributing Writer, Dark Reading
Companies are looking to large language models to help their employees glean information from unstructured data, but vulnerabilities could lead to disinformation and, potentially, data leaks.
This week, Synopsys disclosed a cross-site request forgery (CSRF) flaw that affects applications based on the EmbedAI component created by AI provider SamurAI; it could allow attackers to fool users into uploading poisoned data into their language model, and could let an attacker affect even a private LLM instance or chatbot.
The finding underscores that the rush to integrate generative AI chatbots into business processes does pose risks, especially for companies that are giving LLMs and other generative-AI applications access to large repositories of data.
"You cannot just give the LLM access to a giant dump of data and say, 'OK, everyone has access to this,' because that's the equivalent of giving everyone access to a database with all the data inside of it, right?" says Protect AI threat researcher Dan McInerney. "So you've got to clean the data."
Read more: Flawed AI Tools Create Worries for Private LLMs, Chatbots
Related: Hugging Face AI Platform Riddled With 100 Malicious Code-Execution Models
The SEC's New Take on Cybersecurity Risk Management
Commentary by Dr. Sean Costigan, Managing Director, Resilience Strategy, Red Sift
Insights from three companies that recently reported breaches under the new disclosure regulations.
Under the SEC's new disclosure rules, registrants must report within four days any cybersecurity incident they have determined to have a "material impact," meaning it could significantly affect the company's operations or finances.
The short time frame is leaving many companies grappling with meeting the requirements, but fortunately there are already important insights to be gleaned from the experiences of several major entities that have reported breaches and made disclosures.
These include Clorox, Prudential Financial, and UnitedHealth, all of which offer early lessons for enterprise risk management: Companies must now explain the details of breaches and should have continuous visibility into all their digital assets; It's critical to maintain transparency and do the basics right; and, information sharing has proven its value for all sectors.
Read more: The SEC's New Take on Cybersecurity Risk Management
Related: Concerned about SEC rules changes? Don't miss Episode 1 of our new podcast, Dark Reading Confidential, "The CISO and the SEC," featuring views from the trenches: Frederick “Flee” Lee, CISO of Reddit, attorney-at-law Beth Burgin Waller, and Ben Lee, chief legal officer of Reddit, join DR staff for a frank discussion.
BlackSuit Claims Dozens of Victims With Carefully Curated Ransomware
By Elizabeth Montalbano, Contributing Writer, Dark Reading
Researchers went in-depth on an attack by the threat group, which mainly targets US companies in the education and industrial goods sectors, specifically to maximize financial gain.
The BlackSuit ransomware gang has leaked stolen data from attacks against 53 organizations; the group has been active since May 2023.
BlackSuit — believed to be spun off from the Royal ransomware gang — primarily targets US-based companies in critical sectors such as education and industrial goods, choosing targets carefully to maximize financial gain.
"This targeting pattern strongly suggests a financial motivation with a focus on critical sectors that either have smaller cybersecurity budgets or a low tolerance for downtime, thereby increasing the likelihood of a successful attack or a speedy ransom payment," according to the Reliaquest Threat Research Team post.
Read more: BlackSuit Claims Dozens of Victims With Carefully Curated Ransomware
Related: Attackers Target Check Point VPNs to Access Corporate Networks
9 Tips to Avoid Burnout in Cybersecurity
By Joan Goodchild, Contributing Writer, Dark Reading
When security professionals are at the end of their rope — feeling both mentally and physically exhausted — it's often because of burnout. Here are ways to combat it.
Cybersecurity is known for its high-stress environment, near-nonstop work cycles, and demanding nature. That takes a toll on one's mental health — specifically in the form of burnout.
It's not hard to find evidence of pervasive burnout among security professionals. A recent Gartner Peer Community survey found 62% of IT and security leaders have experienced burnout, and that many CISOs plan to leave their jobs or careers due to what Gartner called "unique stressors." And a survey from Mimecast found 56% of cybersecurity workers experience increased work stress every year.
So what can be done? In this slideshow, we examine nine tips for managing your stress and preventing burnout.
Read more: 9 Tips to Avoid Burnout in Cybersecurity
Related: Persistent Burnout Is Still a Crisis in Cybersecurity
Global: China APT Stole Geopolitical Secrets From Middle East, Africa & Asia
By Nate Nelson, Contributing Writer, Dark Reading
One of China's biggest espionage operations owes its success to longstanding Microsoft Exchange bugs, open source tools, and old malware.
A Chinese state-aligned threat group has been exfiltrating emails and files from high-level government and military targets across the Middle East, Africa, and Southeast Asia on a daily basis since late 2022.
Operation Diplomatic Specter, a brazen espionage campaign described in a new report by Palo Alto Networks' Unit 42, targets ministries of foreign affairs, military entities, embassies, and more, in at least seven countries on three continents. Its goal is to obtain classified and otherwise sensitive information about geopolitical conflicts, diplomatic and economic missions, military operations, political meetings and summits, high-ranking politicians and military personnel, and, most of all, embassies and foreign affairs ministries.
The campaign is ongoing, and the attackers have already demonstrated a willingness to continue spying, even after being exposed and booted from compromised networks.
Read more: China APT Stole Geopolitical Secrets From Middle East, Africa & Asia
Related: China-Backed APT Pwns Building-Automation Systems With ProxyLogon
Preparing Your Organization for Upcoming Cybersecurity Deadlines
Commentary by Karl Mattson, Field CISO, Noname Security
Federal and state regulators have introduced new rules and mandates aimed at holding organizations accountable when it comes to cybersecurity. Here's how to get ready.
The threat landscape is expanding rapidly, and everything from companies' data to critical infrastructure is at risk. Adding to the challenge, both federal and state regulators in the US have introduced new rules and mandates aimed at holding organizations accountable when it comes to cybersecurity, and deadlines to comply are fast approaching.
For instance, smaller reporting companies must comply with the SEC's new breach disclosure rules (deadline: June 15), i.e. those with "a public float of less than $250 million, as well as registrants with annual revenues of less than $100 million for the previous year and either no public float or a public float of less than $700 million."
And, federal agencies must meet zero-trust goals (deadline: Sept. 30). Agencies are required to have completed 19 specific tasks aligned with the five pillars (Identity, Devices, Networks, Applications and Workloads, and Data) of the Cybersecurity and Infrastructure Security Agency's Zero Trust Maturity Model.
These new requirements carry significant ramifications and are a step in the right direction, but to be truly effective, a larger shift in philosophy regarding security must occur.
Read more: Preparing Your Organization for Upcoming Cybersecurity Deadlines
Related: OMB Issues Zero-Trust Strategy for Federal Agencies
About the Author
You May Also Like
Cybersecurity Day: How to Automate Security Analytics with AI and ML
Dec 17, 2024The Dirt on ROT Data
Dec 18, 2024