The Cyber Defense eMagazine November Edition for 2023

More documents

Recommendations

Info

from basic hygiene concerns like patch maintenance and breach detection to higher order concerns such as managing security policy and direction, all reside entirely with security staff, executives, and system administrators retained by the organization. The ability to prevent attackers from successfully breaching systems, moving laterally, and ultimately gaining access to these "God" accounts is entirely a function of how much the organization prioritizes security, and in some cases, how much legacy baggage to which they are subjected. As Attack Surface Expands, Targets Shift Contrast this with modernized organizations: What does the attack surface look like when many businesscritical assets have now been shifted to the cloud, organizations are increasingly leveraging third parties to handle what were previously core business IT functions (i.e., the adoption of products like Office365 and G Suite), many employees are working remotely, and more development processes have migrated from slow, gated releases to being effectively continuous? Fundamentally, it means that the traditional system administrator accounts likely don't have credentials centralized in quite the same way they were before, and traditional access vectors outside of more unsophisticated approaches like phishing, such as exploitation, are more expensive than they were previously. It becomes much more challenging, for example, to find an unpatched mail server or domain controller to compromise when that entire function has now been effectively outsourced to Microsoft. Additionally, engineering teams now have far more access than they enjoyed previously, with far fewer security controls. Many organizations have no endpoint protection on developer systems or have policy exceptions for build and test directories. Cloud infrastructure is often maintained "as code.” Many modern, business-critical assets are now described by a set of scripts that are read, modified, tested, and deployed through Continuous Integration / Continuous Deployment (CI/CD) solutions. The same is generally true of most modern development processes. Large enterprises now field hundreds or thousands of builds every day. From a security perspective, software developers and CI/CD systems now have access to a tremendous amount of business-critical functionality. In order to operate, developers often have administrative access to cloud infrastructure, credentials for production data, and intellectual property, not to mention systems featuring little-to-no security tooling, almost universal local administrative privileges, and unfettered access to download things from the open internet. What this means is the balance has shifted. In the past, system administrators were the quick, easy targets attackers used to gain broad access and the ability to operate with impunity throughout an organization. Those targets have become harder and much more expensive for attackers to reach, with now substantially-reduced rewards. On the other hand, modern organizations face an absolutely staggering amount of risk in the activities performed by their development workforces and processes, including CI/CD infrastructures, and shockingly few tools exist to help mitigate or even give insight into the challenges faced. On top of this, attackers have taken note - leveraging these open channels to steal credentials, production data, intellectual property, and more. Perhaps the most frightening aspect of most of these incidents is Cyber Defense eMagazine – November 2023 Edition 104 Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.
the fact that many organizations lack even basic visibility into these activities, or try to rely on more traditional controls such as standard endpoint products, which don't at all align with the threat model these types of attacks represent. This means that many more such breaches are likely already underway, albeit undetected. So how do attackers use these channels to gain initial access, and how does this really change the threat model? One of the most active vectors that adversaries are currently leveraging to gain a foothold in organizations is the Open Source Software (OSS) ecosystem. While this may seem a bit unintuitive at first blush, let's consider briefly how OSS development and consumption has evolved, and what that statement really entails. Open Source Software: Rewards and Risks OSS has risen to prominence in the last two decades, despite having a relatively rich history well before. These days, nearly every organization in existence, from governments to regulated industries to advertising agencies, rely on it for business-critical functions. It has led to many great things, including massive cost reductions for development and faster time to field. However, it does come with sharp edges. While many of the more traditional issues, like problematic licenses and unpatched vulnerabilities, are relatively well understood, there is also an entire strata of new issues that have risen to the forefront in the last few years as well - driven by a migration of processes from static to continuous, backed by systems that were fundamentally designed without security in mind. What does the open-source ecosystem as an access vector really mean, and how does this relate to developers? Consider that most modern software projects of any sophistication contain thousands of third-party, open-source software packages. These packages are published, managed, and maintained by tens of thousands of volunteer software developers from all over the globe. While some may have corporate backing from a large enterprise, there is fundamentally no sort of traditional supplier relationship between those who create the OSS, and those who consume it. Everything is effectively supplied as-is. These packages are pulled down and incorporated into business-critical systems in a massive, messy web. For example, a software developer may install a popular package to solve a common business problem. That package may depend on two or three other packages, which will also silently get pulled down and installed. Each of those two or three packages, in turn, will likely depend on more packages, and so on. From a security practitioner's perspective, that single software developer installing that one, innocuous, popular package has now effectively integrated a supply chain of software spanning thousands of possible individual software packages, maintained by tens of thousands of strangers that have no relationship or vetting process of any sort with your organization, into a business-critical piece of software. Worse yet, each one of those thousands of software packages gets the ability to execute code each and every time the software developer or CI/CD runner hits "install" or "update." Cyber Defense eMagazine – November 2023 Edition 105 Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.
Page 1 and 2:
Artificial Deception: The State Of
Page 3 and 4:
OT Cybersecurity: Safeguarding Buil
Page 5 and 6:
The Crumbling Castle --------------
Page 7 and 8:
@CYBERDEFENSEMAG CYBER DEFENSE eMAG
Page 9 and 10:
Cyber Defense eMagazine - November
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Artificial Deception: The State Of
Page 23 and 24:
Human-in-the-Middle In creating AI
Page 25 and 26:
effectiveness of defenses in place
Page 27 and 28:
this information and related activi
Page 29 and 30:
leading to the potential exploit of
Page 31 and 32:
An Age-by-Age Guide to Online Safet
Page 33 and 34:
Educate: It’s never too early to
Page 35 and 36:
About the Author Chelsea Hopkins is
Page 37 and 38:
Securing Infrastructure Against Bre
Page 39 and 40:
AI And Ad Fraud: Growing Risks for
Page 41 and 42:
enable organisations to make better
Page 43 and 44:
Bolster an Organizational Cybersecu
Page 45 and 46:
in EDP in addition to regular cyber
Page 47 and 48:
prioritize a Secure Software Develo
Page 49 and 50:
6. Deployment: Once the software ha
Page 51 and 52:
Beyond Passwords: AI-Enhanced Authe
Page 53 and 54: 3. Improving the Defensive Cybersec
Page 55 and 56: 7 Steps to Build a Defense in Depth
Page 57 and 58: The same risks associated with USB
Page 59 and 60: About the Author Mr. Spears has ove
Page 61 and 62: As Zombie APIs are essentially forg
Page 63 and 64: How To Combat the Mounting ‘Hackt
Page 65 and 66: y pro-Russia hacktivists. These hav
Page 67 and 68: Unlike IT cybersecurity attacks, wh
Page 69 and 70: The Cyber Risk Nightmare and Financ
Page 71 and 72: fell -11.3%, and underperformed the
Page 73 and 74: DevOps’ Big Challenge: Limiting R
Page 75 and 76: By making this single alteration to
Page 77 and 78: ChatGPT For Enterprises Is Here - B
Page 79 and 80: usiness email communication, data s
Page 81 and 82: Chromecast End-of-Life Announcement
Page 83 and 84: Going beyond awareness and fosterin
Page 85 and 86: But the most crucial innovations ha
Page 87 and 88: About the Author Vinaya is a highly
Page 89 and 90: card transactions often comprise a
Page 91 and 92: About the author Stefan Auerbach, C
Page 93 and 94: Consider the following data and rea
Page 95 and 96: 4. Create a digital estate plan. Th
Page 97 and 98: do untold damage to a company’s r
Page 99 and 100: About the Author Sean Newman is the
Page 101 and 102: eing monitored to protect against m
Page 103: Developers Hold the New Crown Jewel
Page 107 and 108: Expect to Fail: How Organizations C
Page 109 and 110: The more personnel that you train t
Page 111 and 112: How to Create a Threat Hunting Prog
Page 113 and 114: 5. Decide Whether to Automate Altho
Page 115 and 116: How To Improve Security Capacities
Page 117 and 118: eing noticed in a practice and some
Page 119 and 120: In Pursuit of a Passwordless Future
Page 121 and 122: than to guess their password, but i
Page 123 and 124: configurable data privacy. These bu
Page 125 and 126: It’s Time to Tear Down the Barrie
Page 127 and 128: Is it Time to Re-evaluate Your Thre
Page 129 and 130: Building For a More Secure Future:
Page 131 and 132: OAuth 1.0 to OAuth 2.0, or increasi
Page 133 and 134: About the Author Jeremy Butteriss a
Page 135 and 136: which helped feed the development o
Page 137 and 138: Protecting Your Business and Person
Page 139 and 140: Mitigating Phishing with Domain Nam
Page 141 and 142: About the Author Brian Lonergan, VP
Page 143 and 144: adoption is more than just an IT tr
Page 145 and 146: North Korea-Russia Summit A new all
Page 147 and 148: factors on both sides of the confli
Page 149 and 150: That being said, the Russian regime
Page 151 and 152: Protecting Critical Infrastructure
Page 153 and 154: spared from the wrath of Russian ha
Page 155 and 156:
About the Author Richard Staynings
Page 157 and 158:
The Illusion of Ruthless Prioritiza
Page 159 and 160:
Ditch the Worry - Switch to Secure
Page 161 and 162:
others are continuing to increase a
Page 163 and 164:
Shifting Left Means Shifting Smart:
Page 165 and 166:
triggers to allow for a more standa
Page 167 and 168:
• The Rise of Remote Work: The CO
Page 169 and 170:
About the Author Jaye Tillson is a
Page 171 and 172:
In terms of prioritization, out of
Page 173 and 174:
Three Things to Know About the New
Page 175 and 176:
For example, if a security leader n
Page 177 and 178:
Cloud adoption has witnessed a sign
Page 179 and 180:
The Tech Jobs That AI Will Not Disr
Page 181 and 182:
Examples of tech jobs that will sur
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Free Monthly Cyber Defense eMagazin
Page 193 and 194:
Page 195 and 196:
show all

The Cyber Defense eMagazine November Edition for 2023

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?