02.09.2024 Views

The Cyber Defense eMagazine September Edition for 2024

Cyber Defense eMagazine September Edition for 2024 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group as well as Yan Ross, Editor-in-Chief and many more writers, partners and supporters who make this an awesome publication! 347 page September Edition fully packed with some of our best content. Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES

Cyber Defense eMagazine September Edition for 2024 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group as well as Yan Ross, Editor-in-Chief and many more writers, partners and supporters who make this an awesome publication! 347 page September Edition fully packed with some of our best content. Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES

SHOW MORE
SHOW LESS

Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

<strong>The</strong> Importance of Data Anonymization<br />

In Safeguarding Sensitive Legal<br />

In<strong>for</strong>mation<br />

Lessons from the Global IT Outage of<br />

July 19, <strong>2024</strong><br />

Apple & OpenAI’s New Features: A First<br />

Look Through the Eyes of the US’ First<br />

Female CIO<br />

…and much more…<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 1<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


`<br />

CONTENTS<br />

Welcome to CDM’s <strong>September</strong> <strong>2024</strong> Issue ----------------------------------------------------------- 10<br />

<strong>The</strong> Importance of Data Anonymization In Safeguarding Sensitive Legal In<strong>for</strong>mation-------- 22<br />

By Oscar Villanueva, CEO, Nymiz<br />

Lessons from the Global IT Outage of July 19, <strong>2024</strong> --------------------------------------------------- 29<br />

By Andrew Douthwaite, Chief Technology Officer, VirtualArmour<br />

Apple & OpenAI’s New Features: A First Look Through the Eyes of the US’ First Female CIO 33<br />

By <strong>The</strong>resa Payton, Founder, Fortalice Solutions<br />

<strong>The</strong> Initial Engagement Process <strong>for</strong> Contracting with a vCISO -------------------------------------- 37<br />

By Pete Green, vCISO, <strong>Cyber</strong>security Consultant and Reporter <strong>for</strong> <strong>Cyber</strong> <strong>Defense</strong> Magazine<br />

Shifting <strong>The</strong> Focus: From Compliance to Secops In Supply Chain Security---------------------- 42<br />

By Emily Hodges, COO, Risk Ledger<br />

Preparing <strong>for</strong> EU AI Act from a Security Perspective -------------------------------------------------- 45<br />

By Manpreet Dash, Global Marketing and Business Development Lead, AIShield<br />

Steps To Protect Against <strong>Cyber</strong>security Threats During Mergers and Acquisitions ------------ 55<br />

By Saugat Sindhu, Senior Partner and Global Head, Advisory Services, Wipro Limited<br />

BYTE BY BYTE -------------------------------------------------------------------------------------------------- 58<br />

By Thomas Terronez, CEO, Medix Dental IT<br />

Why Manufacturing IT Leaders are Turning to AI-Powered <strong>Cyber</strong>security Training ------------- 62<br />

By Sam Zheng, PhD., CEO & Co-Founder, DeepHow<br />

A CISO’s Guide to Managing Risk as the World Embraces AI ---------------------------------------- 65<br />

By Karthik Swarnam, Chief Security and Trust Officer, ArmorCode<br />

A Cloud Reality Check <strong>for</strong> Federal Agencies ------------------------------------------------------------ 68<br />

By James Langley, Master Solutions Consultant, Hitachi Vantara Federal<br />

<strong>The</strong> Unsolvable Problem: XZ and Modern Infrastructure--------------------------------------------- 71<br />

By Josh Bressers, Vice President of Security, Anchore<br />

Autonomous, Deterministic Security <strong>for</strong> Mission-Critical IOT Systems -------------------------- 74<br />

By Tal Ben-David, VP R&D and Co-Founder, Karamba Security<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 2<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Benefits of Network Monitoring Systems ---------------------------------------------------------------- 81<br />

By Eddy Abou-Nehme, Owner and Director of Operations at RevNet<br />

Beyond Encryption: Advancing Data-in-Use Protection ---------------------------------------------- 84<br />

By David Close, Chief Solutions Architect at Futurex<br />

Big Faces, Big Spend, Low ROI: Why Ad Fraud is Increasingly Damaging Brands --------------- 88<br />

By Chad Kinlay, Chief Marketing Officer, TrafficGuard<br />

Breaking Up with Your Password: Why It’s Time to Move On ---------------------------------------- 91<br />

By Zarik Megerdichian, Founder and CEO, Loop8<br />

<strong>Cyber</strong>security At the Crossroads: <strong>The</strong> Role Of Private Companies In Safeguarding U.S.<br />

Critical Infrastructure --------------------------------------------------------------------------------------- 95<br />

By Chris Storey, Director of Business Development, Qriar <strong>Cyber</strong>security<br />

Ditch <strong>The</strong> Cloud Security Labels to Nail Detection and Response --------------------------------- 98<br />

By Jimmy Mesta, Co-Founder and CTO, RAD Security<br />

Is <strong>The</strong>re a DDoS Attack Ceiling? --------------------------------------------------------------------------102<br />

By Gary Sockrider, Director, Security Solutions, NETSCOUT<br />

Four Ways to Harden Your Code Against Security Vulnerabilities and Weaknesses----------105<br />

By Olga Kundzich, CTO and Co-founder, Moderne<br />

<strong>The</strong> Urgent Need <strong>for</strong> Data Minimization Standards ---------------------------------------------------109<br />

By Kathrin Gardhouse, Privacy Evangelist, Private AI and Patricia Thaine, CEO & Co-Founder, Private<br />

AI<br />

Securing the OT Stage: NIS2, CRA, and IEC62443 Take Center Spotlight ------------------------115<br />

By Vinny Sagar, Solution Architect, swIDch<br />

Best Practices in <strong>Cyber</strong>security With Exhaustive Static Analysis To Secure Software Integrity<br />

-------------------------------------------------------------------------------------------------------------------121<br />

By Gavin Hill, CMO, TrustInSoft<br />

Embracing <strong>The</strong> Intersection of Ethics and Digital Trust----------------------------------------------127<br />

By Pablo Ballarín, ISACA Emerging Trends Working Group, ISACA<br />

Driving Security Forward: How Automakers Can Stay Ahead of <strong>Cyber</strong> Threats and<br />

Compliance Challenge -------------------------------------------------------------------------------------130<br />

By Oron Lavi, Chief Technology Officer and Co-Founder, Argus <strong>Cyber</strong> Security<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 3<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Best Practices <strong>for</strong> Effective Privileged Access Management (PAM) ------------------------------134<br />

By Marcus Scharra, CEO at senhasegura<br />

Is Plat<strong>for</strong>m Engineering a Step Towards Better Governed DevOps? ------------------------------137<br />

By Kapil Tandon, VP of Product Management <strong>for</strong> Per<strong>for</strong>ce<br />

Russia, Apple, And the New Front Line in <strong>The</strong> Fight <strong>for</strong> Internet Freedom -----------------------139<br />

By Sebastian Schaub, CEO, hide.me<br />

<strong>The</strong> Traditional Advocates of the Security Perimeter Don't Want You to Know about Data-<br />

Centric Security ----------------------------------------------------------------------------------------------142<br />

By Luis Ángel del Valle, CEO, SealPath Technologies<br />

Protect SAP Supply Chains by Preventing <strong>Cyber</strong> Attacks -------------------------------------------147<br />

By Christoph Nagy, CEO, SecurityBridge<br />

How To Navigate Certification Authority Distrust: Preventing Critical Incidents by Switching<br />

To A New Vendor ---------------------------------------------------------------------------------------------150<br />

By Debbie Hayes, Director of Product Marketing, GMO GlobalSign<br />

<strong>The</strong> Common Goods and Shared Threats of the Software Supply Chain-------------------------153<br />

By Frank Catucci, CTO and Head of Security Research, Invicti<br />

Fight Fire with Fire: 3 Strategies to Defeat Deepfakes -----------------------------------------------158<br />

By Hal Lonas, Chief Technology Officer, Trulioo<br />

Navigating the Security Risks and Efficiency Gains of GenAI in Healthcare --------------------162<br />

By Lior Yaari, CEO, Grip Security<br />

A Guide <strong>for</strong> SMB <strong>Defense</strong> Contractors to Achieve CMMC Compliance --------------------------166<br />

By Seth Steinman, Vice President, PreVeil<br />

<strong>The</strong> Role of AI in Evolving <strong>Cyber</strong>security Attacks -----------------------------------------------------170<br />

By Will Poole, Head of Incident Response, CYFOR Secure | <strong>Cyber</strong> Security<br />

<strong>The</strong> Fundamental Components to Achieving Shift-Left Success ----------------------------------173<br />

By Scott Gerlach, CSO and Co-Founder at StackHawk<br />

AT&T Breach <strong>2024</strong>: Customer Data Exposed in Massive <strong>Cyber</strong> Attack ---------------------------176<br />

By Elena Thomas, Digital Content Strategist, SafeAeon Inc.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 4<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> Key to AI-Enabled Multi-Coalition Warfare--------------------------------------------------------180<br />

By George Kamis, CTO, Everfox<br />

Four Steps Security Teams Can Take to Unlock Resources In Budget-Constrained<br />

Environments -------------------------------------------------------------------------------------------------183<br />

By Jennifer Leggio, Chief Operating Officer, Tidal <strong>Cyber</strong><br />

Exploring CVSS 4.0’s Impact on Vulnerability and Threat Management -------------------------186<br />

By Alastair Williams, VP of Worldwide Systems Engineering, Skybox Security<br />

Guardians Of the Grid ---------------------------------------------------------------------------------------189<br />

By Rounak Singh, Senior Research Analyst - ICT, Marketsandmarkets Research Private Ltd.<br />

Elevating Security: <strong>The</strong> Crucial Role of Effective API Management in Today's Digital<br />

Landscape ----------------------------------------------------------------------------------------------------194<br />

By Jens-Philipp Jung, CEO, Link11<br />

Phishing in <strong>2024</strong>: Navigating the Persistent Threat and AI’s Double-Edged Sword ------------200<br />

By Joe Loomis, Marketing Director <strong>for</strong> CryptoTrust LLC<br />

<strong>The</strong> <strong>Cyber</strong> <strong>Defense</strong> Emergency Room -------------------------------------------------------------------205<br />

By Steve Carter, CEO, Nucleus Security<br />

Data Decay and <strong>Cyber</strong>security: Understanding <strong>The</strong> Risks And Mitigating <strong>The</strong> Impact On Your<br />

Business -------------------------------------------------------------------------------------------------------208<br />

By JoAnn Fitzpatrick, COO — RealValidation<br />

Protecting Your Organization Against Advanced, Multi-Stage <strong>Cyber</strong> Attacks ------------------211<br />

By Gabrielle Hempel, Customer Solutions Engineer, Exabeam<br />

Air Gap ---------------------------------------------------------------------------------------------------------214<br />

By Christopher H. Baum, MBA PMP, Chief Compliance Officer, VotRite with Alan Pham, Graduate<br />

Student, Rowan University<br />

Exposure Management: A Strategic Approach to <strong>Cyber</strong> Security Resource Constraint ------218<br />

By Katie Inns, Head of Attack Surface Management at WithSecure<br />

<strong>The</strong> Advent of Quantum Cryptography and Zero Trust: A New Era In <strong>The</strong> World Of<br />

<strong>Cyber</strong>security ------------------------------------------------------------------------------------------------222<br />

By Gayatri Mohite, Senior Associate Content Writer @Allied Analytics<br />

SWARM: Pioneering <strong>The</strong> Future of Autonomous Drone Operations and Electronic Warfare 225<br />

By Adam Gazdiev<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 5<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>Cyber</strong>security: How to Involve People in Risk Mitigation--------------------------------------------233<br />

By Enrico Frumento, <strong>Cyber</strong>security Research Lead, Cefriel<br />

Exploring the Vishing Threat Landscape ----------------------------------------------------------------237<br />

By Ozan Ucar, CEO, Keepnet<br />

Fortifying <strong>The</strong> Links ------------------------------------------------------------------------------------------242<br />

By Julio Padilha, CISO, Volkswagen | Audi South America<br />

Growing Enterprise Data is Creating Big <strong>Cyber</strong>security Risk ---------------------------------------245<br />

By Octavian Tanase, Chief Product Officer at Hitachi Vantara<br />

How Government Agencies Can Level the <strong>Cyber</strong>security Playing Field With AI/ML -----------248<br />

By Dr. Sarbari Gupta, Founder and CEO, Electrosoft Services, Inc.<br />

How To Fight Scattered Spider Impersonating Calls to <strong>The</strong> IT Help Desk------------------------251<br />

By Ori Eisen, Founder & CEO, Trusona, Inc.<br />

How To Privacy-Proof the Coming AI Wave ------------------------------------------------------------255<br />

By Benoit Chevallier-Mames, VP Privacy-Preserving Cloud and ML, Zama<br />

How to Use AI in <strong>Cyber</strong> Deception -----------------------------------------------------------------------258<br />

By Zac Amos, Features Editor, ReHack<br />

HTTP 1.1 Vs. HTTP 2: What Are the Differences? ------------------------------------------------------262<br />

By Russell Walter, Freelance writer<br />

7 Steps International Organizations Must Take to Defend Critical National Infrastructure--267<br />

By Chris Gibson, CEO, FIRST<br />

Is Unified Access Control Zero Trust’s Silver Bullet? ------------------------------------------------272<br />

By Denny LeCompte, CEO of Portnox<br />

Managing Sensitive Security Investigations in Remote Settings-----------------------------------277<br />

By Jakub Ficner, Director of Partnership Development at Case IQ<br />

Securing Election Integrity In <strong>2024</strong>: Navigating the Complex Landscape of Modern Threats280<br />

By Karl Sigler, Senior Security Research Manager, SpiderLabs Threat Intelligence and IDS/IPS<br />

Research<br />

Passwords Are Out, Biometrics Are In ------------------------------------------------------------------284<br />

By Ajay Amlani, President and Head of Americas, iProov<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 6<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Operational Security: <strong>The</strong> Backbone of Effective Police Communication-----------------------287<br />

By Nicole Heron, Marketing Manager at Salt Communications<br />

<strong>The</strong> Power of Many: Crowdsourcing as A Game-Changer <strong>for</strong> Modern <strong>Cyber</strong> <strong>Defense</strong> --------292<br />

By Alla Yurchenko, Lead Coordinator of Threat Bounty Program at SOC Prime<br />

Tagged Files as a Road to Insider Threats --------------------------------------------------------------296<br />

By Milica D. Djekic<br />

<strong>The</strong> Age of Unseen Truths And Deceptive Lies ---------------------------------------------------------298<br />

By Julio Padilha, CISO, Volkswagen | Audi South America<br />

<strong>The</strong> <strong>Cyber</strong>security Checklist: Top Methods and Tools <strong>for</strong> Protection And Mitigation ---------300<br />

By Vishwas Pitre, Chief In<strong>for</strong>mation Security Officer & DPO, Zensar<br />

<strong>The</strong> Frontier of Security: Safeguarding Non-Human Identities -------------------------------------305<br />

By Idan Gour, CTO and Co-Founder, Astrix Security<br />

Revolutionizing Investigations: <strong>The</strong> Impact of AI in Digital Forensics ----------------------------308<br />

By Yuri Gubanov, Digital Forensics Expert, Founder and CEO of Belkasoft<br />

<strong>The</strong> Relationship Between Network and Security: Why <strong>The</strong>y're Ditching the "It's Your Fault"<br />

Game -----------------------------------------------------------------------------------------------------------316<br />

By Jaye Tillson, Field CTO, Distinguished Technologist, HPE Aruba Networking<br />

<strong>The</strong> Rise in Phishing Scams--------------------------------------------------------------------------------319<br />

By Marcelo Barros, Global Markets Leader – Hacker Rangers<br />

Three Big Reasons Ransomware Payments Are Up More Than 5X Over Last Year -------------322<br />

By John Gunn, CEO, Token<br />

Why <strong>Cyber</strong>security At <strong>The</strong> Olympics (And All Major Global Events) Shouldn't Take A Backseat<br />

-------------------------------------------------------------------------------------------------------------------327<br />

By Avani Desai, CEO of Schellman<br />

Why <strong>Cyber</strong>security Compliance in Rail Transportation Has Never Been More Important, Or<br />

More Challenging to Keep on Track ----------------------------------------------------------------------331<br />

By Robin Berthier, Co-Founder and CEO, Network Perception<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 7<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


@MILIEFSKY<br />

From the<br />

Publisher…<br />

As Publisher, I am pleased to report that both <strong>Cyber</strong> <strong>Defense</strong> Magazine, and our parent company <strong>Cyber</strong> <strong>Defense</strong> Media Group<br />

(CDMG), are getting a significant response to new and valuable initiatives we offer <strong>for</strong> the benefit of our readers and followers.<br />

For example, our participation in Black Hat USA at the beginning of August. Several of our reporters at Black Hat USA<br />

interviewed many of the top infosec innovator finalists <strong>for</strong> <strong>2024</strong> on the expo floor and in private meetings. <strong>The</strong> current issue of<br />

<strong>Cyber</strong> <strong>Defense</strong> Magazine features articles by and about many of the participants, and our website carries many more<br />

in<strong>for</strong>mational and promotional features.<br />

SPOTLIGHT OPPORTUNITIES! Due to the high volume of contributed articles in the <strong>September</strong> issue of <strong>Cyber</strong> <strong>Defense</strong><br />

Magazine, we have placed dozens of “Spotlight” articles on the magazine’s home page, under the “Spotlight” nav bar:<br />

https://www.cyberdefensemagazine.com/spotlight/ Note they are identified as “Publisher’s Spotlight” and “Innovator’s Spotlight,”<br />

depending on which of our professionals submitted the article.<br />

We would like to remind our readers that <strong>The</strong> Black Unicorn awards program is now part of the Top InfoSec Innovator awards<br />

program. Please see detailed in<strong>for</strong>mation at the Conference and Awards website:<br />

https://cyberdefenseawards.com/top-infosec-innovator-awards-<strong>2024</strong>-apply-today/<br />

<strong>The</strong> virtual red carpet is already set up, with the incredible high traffic website and social media marketing, and much more to<br />

help bolster the good news around our winners during our 2nd half of <strong>2024</strong>, 12th anniversary and 12th annual awards during<br />

<strong>Cyber</strong><strong>Defense</strong>Con <strong>2024</strong>.<br />

REMINDER: World’s First <strong>Cyber</strong> <strong>Defense</strong> Genius<br />

For those readers who have not yet accessed this new facility, we are also pleased to remind you that <strong>Cyber</strong> <strong>Defense</strong> Magazine<br />

has launched the World’s First <strong>Cyber</strong> <strong>Defense</strong> Genius the world’s first AI GPT trained specifically on over 17,000 pages of<br />

infosec expertise and learning more, daily. It is now available on our home page at https://www.cyberdefensemagazine.com/<br />

on the lower right side of the screen. We welcome your comments and feedback as you take advantage of this excellent<br />

professional resource.<br />

Our mission is constant - to share cutting-edge knowledge, real-world stories and awards on the best ideas, products, and<br />

services in the in<strong>for</strong>mation security industry to help you on this journey.<br />

Warmest regards,<br />

Gary S. Miliefsky, fmDHS, CISSP®<br />

CEO/Publisher/Radio/TV Host<br />

P.S. When you share a story or an article or in<strong>for</strong>mation<br />

about CDM, please use #CDM and @<strong>Cyber</strong><strong>Defense</strong>Mag<br />

and @Miliefsky – it helps spread the word about our free<br />

resources even more quickly<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 8<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


@CYBERDEFENSEMAG<br />

G<br />

CYBER DEFENSE eMAGAZINE<br />

Published monthly by the team at <strong>Cyber</strong> <strong>Defense</strong> Media<br />

Group and distributed electronically via opt-in Email, HTML,<br />

PDF and Online Flipbook <strong>for</strong>mats.<br />

EDITOR-IN-CHIEF<br />

Yan Ross, JD<br />

yan.ross@cyberdefensemagazine.com<br />

ADVERTISING<br />

Marketing Team<br />

marketing@cyberdefensemagazine.com<br />

CONTACT US:<br />

<strong>Cyber</strong> <strong>Defense</strong> Magazine<br />

Toll Free: 1-833-844-9468<br />

International: +1-603-280-4451<br />

https://www.cyberdefensemagazine.com<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine, a division of<br />

CYBER DEFENSE MEDIA GROUP<br />

1717 Pennsylvania Avenue NW, Suite 1025<br />

Washington, D.C. 20006 USA<br />

EIN: 454-18-8465, DUNS# 078358935.<br />

All rights reserved worldwide.<br />

PUBLISHER<br />

Gary S. Miliefsky, CISSP®<br />

Learn more about our founder & publisher at:<br />

https://www.cyberdefensemagazine.com/about-our-founder/<br />

12 YEARS OF EXCELLENCE!<br />

Providing free in<strong>for</strong>mation, best practices, tips, and<br />

techniques on cybersecurity since 2012, <strong>Cyber</strong> <strong>Defense</strong><br />

Magazine is your go-to-source <strong>for</strong> In<strong>for</strong>mation Security.<br />

We’re a proud division of <strong>Cyber</strong> <strong>Defense</strong> Media Group:<br />

CYBERDEFENSEMEDIAGROUP.COM<br />

MAGAZINE TV RADIO AWARDS<br />

PROFESSIONALS<br />

WIRE<br />

CYBERDEFENSECONFERENCES<br />

WEBINARS<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 9<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Welcome to CDM’s <strong>September</strong> <strong>2024</strong> Issue<br />

From the Editor-in-Chief<br />

<strong>The</strong> <strong>September</strong> <strong>2024</strong> issue of <strong>Cyber</strong> <strong>Defense</strong> Magazine includes a record number of articles = 80! We<br />

are pleased to provide more quality as well as more quantity, as we continue to broaden our base of<br />

authors and readers. What does that mean?<br />

First, we believe that the scope of the numerous articles address the increasing number and breadth of<br />

cyber attacks (both successfully and unsuccessfully defended) against important sectors of our critical<br />

infrastructure. We cannot emphasize too much that the protection of critical infrastructure is not at all<br />

new. <strong>The</strong> most surprising aspect is that the 16 sectors have been recognized and discussed <strong>for</strong> over 25<br />

years – but the official responses to the obvious vulnerabilities are still reactive, not pro-active.<br />

In reviewing the breadth and depth of our articles, we note that one aspect our authors have in common<br />

is that they write predictively as well as in response to cyber threats already experienced. Not only do<br />

they serve the needs of CISOs and other cyber security professionals, but also a growing cadre of<br />

vendors and suppliers and clientele of the entire range of cyber rick management providers.<br />

As always, we strive to be the best and most actionable set of resources <strong>for</strong> the CISO community in<br />

publishing <strong>Cyber</strong> <strong>Defense</strong> Magazine and broadening the activities of <strong>Cyber</strong> <strong>Defense</strong> Media Group. With<br />

appreciation <strong>for</strong> the support of our contributors and readers, we continue to pursue our role as the premier<br />

provider of news, opinion, and <strong>for</strong>ums in cybersecurity.<br />

Wishing you all success in your cybersecurity endeavors,<br />

Yan Ross<br />

Editor-in-Chief<br />

<strong>Cyber</strong> <strong>Defense</strong> Magazine<br />

About the US Editor-in-Chief<br />

Yan Ross, J.D., is a <strong>Cyber</strong>security Journalist & U.S. Editor-in-Chief of <strong>Cyber</strong><br />

<strong>Defense</strong> Magazine. He is an accredited author and educator and has provided<br />

editorial services <strong>for</strong> award-winning best-selling books on a variety of topics. He<br />

also serves as ICFE's Director of Special Projects, and the author of the Certified<br />

Identity <strong>The</strong>ft Risk Management Specialist ® XV CITRMS® course. As an<br />

accredited educator <strong>for</strong> over 20 years, Yan addresses risk management in the<br />

areas of identity theft, privacy, and cyber security <strong>for</strong> consumers and<br />

organizations holding sensitive personal in<strong>for</strong>mation. You can reach him by e-mail at<br />

yan.ross@cyberdefensemagazine.com<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 10<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 11<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 12<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 13<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


2001 <strong>2024</strong><br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 14<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 15<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 16<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 17<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 18<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 19<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 20<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 21<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 22<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 23<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> Importance of Data Anonymization in Safeguarding<br />

Sensitive Legal In<strong>for</strong>mation<br />

By Oscar Villanueva, CEO, Nymiz<br />

Several high-profile and global law firms have been under the radar of cyber-security data breaches. For<br />

instance, the Mossack Fonseca firm experienced the Panama Papers leak in 2016, exposing sensitive<br />

financial in<strong>for</strong>mation of numerous clients. DLA Piper was hit by a ransomware attack in 2017, disrupting<br />

operations across multiple offices. In 2020, Grubman Shire Meiselas & Sacks faced a ransomware attack<br />

that led to the exposure of confidential in<strong>for</strong>mation of high-profile clients, including celebrities. <strong>The</strong>re have<br />

been operational and financial repercussions to law firms due to the pervasive threat of data breaches,<br />

and cyber-attacks. A U.S. law firm specializing in serving marquee financial institutions faced a cyberbreach<br />

that exposed the personal data of more than 325,000 people.<br />

Big law firms like Orrick, Herrington & Sutcliffe, a U.S. law firm specializing in serving marquee financial<br />

institutions faced a cyber-breach in 2023 that exposed the personal data of more than 600,000 people.<br />

For over two weeks, the attacker accessed a portion of their network, including file sharing and storage<br />

containing in<strong>for</strong>mation related to their clients. It is evident that the legal sector has been under a<br />

continuing threat of loss of client sensitive in<strong>for</strong>mation and personal data.<br />

<strong>The</strong> repercussions of a data breach at a law-firm can be long-lasting and can severely impact the viability<br />

of the organization. First and <strong>for</strong>emost, failure to protect client in<strong>for</strong>mation can impact the reputation of<br />

the organization and lead to loss of business. It bears the risk of losing current and prospective clients<br />

leading to financial losses.<br />

Second, there are several financial losses that an organization has to undertake <strong>for</strong> the purposes of<br />

investigation of the breach, remediation and cyber-security upgrades. This is exemplified in case of a<br />

global law-firm, like DLA Piper which faced a cyber-breach due to which their employees worldwide could<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 24<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


not use their official telecommunication systems while some were unable to access basic documents <strong>for</strong><br />

their work. To remediate the attack, the firm’s IT department worked more than 15,000 hours of paid<br />

overtime. Given the gravity and impact of the breach, the firm had to delete and redevelop its entire<br />

Windows environment.<br />

Third, any exposure of personal data invites regulatory consequences, which can lead to fines, sanctions<br />

and lawsuits. Any firm situated in a country with data privacy legislation needs to ensure that the personal<br />

data of their clients is protected.<br />

Fourth, any attack or data breach requires a proper investigation, and audit into the operations of the<br />

organization, and this consequently results in disruption of normal business operations. This reduces the<br />

productivity of employees, causes unsatisfactory client services, and increases the costs of the business.<br />

How does data anonymization assist in avoiding the a<strong>for</strong>ementioned repercussions <strong>for</strong> your law firm?<br />

<strong>The</strong> demand <strong>for</strong> data anonymization is due to the rise in the data economy. <strong>The</strong>re is an exponential<br />

growth of data in the legal sector, and this big data can be a game changer <strong>for</strong> law-firms. <strong>The</strong> utilization<br />

of volumes of data can be beneficial to the law-firms by analysing trends, patterns and correlations<br />

between these data sets.<br />

A good case <strong>for</strong> analyzing how global law firms utilise big data is Allen & Overy (A&O), due to the firm’s<br />

global status. It has worked on analytics, artificial intelligence, and ‘big data’ integrated solutions <strong>for</strong> its<br />

operations and customers. For example, in one M&A deal, A&O pioneered the use of data analytics to<br />

run through about 1300 contracts and completed the whole due diligence in a shorter span and at a lower<br />

cost to the client.<br />

By using big-data, law firms can predict the outcomes of a trial, understand the legal precedents, and can<br />

prepare case strategies with a better success rate. This data allows law firms to approach situations with<br />

a data-backed analysis which improves their rate of success, and efficiency assisting them in courts, as<br />

well as in negotiations.<br />

One of the pressing issues of the intersection of big data and the legal sector is data privacy and cyber<br />

breaches. <strong>The</strong> priority of law firms analysing big data is to ensure proper privacy compliance. Due to<br />

increased public scrutiny of data privacy regulations, law firms must adopt a strategy <strong>for</strong> privacy<br />

compliance. To protect client sensitive in<strong>for</strong>mation, it is necessary to adopt data anonymization.<br />

It is pivotal to grasp the process of data anonymization and how it can benefit your organization. This<br />

process of data anonymization involves altering or removing personally identifiable in<strong>for</strong>mation (‘PII’) from<br />

a piece of data to preserve the personal data of individuals and comply with privacy regulations.<br />

<strong>The</strong> anonymization process comprises masking and replacing personal data such as credit card details,<br />

resident and office addresses, visa or passport details, or social security numbers. Towards this end,<br />

values are replaced or removed, by using cryptographic techniques, or adding random noise, to protect<br />

the data.<br />

<strong>The</strong> essence of data anonymization is to protect these sensitive documents and encrypt them in a<br />

reversible or non-reversible manner so one can limit the ability of a user to view, share, edit, comment<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 25<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


and download sensitive data with unauthorized access. Any process will ensure that only verified users<br />

can access private data based on internal security policies that verify user access continuously. This is<br />

like a digital camouflage that assists in protecting the privacy of an individual, while still allowing access<br />

to this data to the organization <strong>for</strong> research and analysis.<br />

Let’s show you with an example of how data anonymization works. For this purpose, we will use a tool<br />

called Nymiz, an AI based data anonymization and redaction plat<strong>for</strong>m designed especially <strong>for</strong> legal firms.<br />

Nymiz’s plat<strong>for</strong>m provides various workflows, both reversible and irreversible, including anonymization<br />

and pseudonymization. It also offers substitution methods like tokenization and synthetic data<br />

replacement to anonymize or redact data, tailored to the specific use case and the final goals of your<br />

organization.<br />

Why use AN AI based Data Anonymization plat<strong>for</strong>m vs Traditional Techniques?<br />

Organizations in the past have followed traditional anonymization techniques. <strong>The</strong> issues with these<br />

techniques are multi-fold.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 26<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


1. Operational Delays from Manual Anonymization Processes:<br />

<strong>The</strong> time-intensive nature of manual data anonymization processes can cause significant delays in legal<br />

operations and client service.<br />

2. Manual Data Anonymization Drains Resources:<br />

Extensive hours devoted to manually anonymizing data detract from valuable time that could be better<br />

utilized <strong>for</strong> core legal activities.<br />

3. In<strong>for</strong>mation Bottlenecks Due to Unshakeable Data:<br />

Difficulty in data sharing leads to the accumulation of isolated in<strong>for</strong>mation pools, obstructing effective<br />

knowledge distribution and management within the firm.<br />

<strong>The</strong> current world is heavily dominated by technology and law firms do face the risk of cyber threats<br />

because of which important client data becomes at risk. <strong>The</strong> implications of data leaks go beyond 1 year<br />

incurring short-term costs; they can be calamitous to a firm’s reputation and its clientele.<br />

Due to the rising amounts of data produced in the legal industry, data privacy strategies are fast becoming<br />

crucial. <strong>The</strong>re are different techniques of anonymizing data including pseudonymization and tokenization<br />

which help the firms achieve privacy of the personal data used in developing insights. Apart from adhering<br />

to strict privacy laws, these methods allow firms to examine the patterns and develop better services that<br />

seize their clients’ trust without compromising the latter’s privacy. When it comes to data management,<br />

law firms should develop strong data protection mechanisms, which helps to work through the issues of<br />

the data economy and protect the interests of their clients.<br />

<strong>The</strong>re<strong>for</strong>e, the legal sector must address the issue of increasing volumes of data coupled with the<br />

responsibility to safeguard the clients’ details. Due to increased development of cyber threats law firms<br />

have to implement data anonymization measures that will help them minimise risks and con<strong>for</strong>m to<br />

privacy laws.<br />

Data privacy is not a luxury, but a necessity <strong>for</strong> the sustainability and credibility of legal business<br />

organizations. At this point, tools like Nymiz become crucial since they offer innovative solutions in data<br />

anonymization, empowering law firms to effectively protect sensitive in<strong>for</strong>mation while maximizing the<br />

utility of their data assets.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 27<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


About the Author<br />

Oscar Villanueva, CEO, Nymiz, completed his Industrial Organization<br />

Engineer from UPC, MBA from UB. He also holds Executive Development<br />

Program certificate from IESE and a Disruptive Innovation Program<br />

certificate from MIT. Entrepreneur and co-founder of three startups, as well<br />

as a mentor and investor in startups. He has over 12 years of experience in<br />

technology and innovation working with REPSOL and PETRONOR. He is<br />

currently the CEO and Co-Founder of NYMIZ Software Company. Along with<br />

his co-founder, Oscar decided to launch Nymiz in 2020 to protect the privacy<br />

of peoples’ and companys’ sensitive data using AI.<br />

Oscar can be reached online at https://www.linkedin.com/in/oscar-villanueva-canizares/ and at our<br />

company website https://www.nymiz.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 28<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Lessons from the Global IT Outage of July 19, <strong>2024</strong><br />

By Andrew Douthwaite, Chief Technology Officer, VirtualArmour<br />

On Friday, July 19, <strong>2024</strong>, the world experienced a massive IT outage that disrupted businesses,<br />

governments, and other users across the globe. <strong>The</strong> outage impacted numerous critical services—most<br />

notably medical services, emergency services, and airlines—and highlighted the vulnerabilities in our<br />

increasingly interconnected digital infrastructure. While regulators and industry leaders will rightly focus<br />

extensively in the coming months on what went wrong, it is equally important to focus on the broader<br />

lessons we can learn to mitigate future risks.<br />

Understanding the Outage<br />

Be<strong>for</strong>e delving into the lessons, we’ll first review the context of the outage. <strong>The</strong> incident was a result of a<br />

series of cascading failures that originated from a software update in a widely used security plat<strong>for</strong>m. <strong>The</strong><br />

update, intended to enhance system per<strong>for</strong>mance and security, inadvertently introduced a bug that led<br />

to widespread system failures.<br />

<strong>The</strong> affected systems included cloud services, communication plat<strong>for</strong>ms, and financial transaction<br />

systems. <strong>The</strong> outage underscored how deeply intertwined our digital services are and how a single point<br />

of failure can propagate through the network, causing extensive disruption.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 29<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Key Lessons<br />

1. <strong>The</strong> Importance of Redundancy and Resilience<br />

One of the primary takeaways from the outage is the critical need <strong>for</strong> redundancy and resilience in IT<br />

systems. While the benefits of cloud computing and centralized services are undeniable, they also pose<br />

a significant risk when those services encounter issues.<br />

Actionable Steps:<br />

• Implement Multi-Cloud Strategies: Organizations should consider adopting multi-cloud strategies<br />

to distribute their workloads across multiple cloud service providers. This approach can help<br />

mitigate the risk of a single point of failure.<br />

• Invest in Disaster Recovery: Regularly update and test disaster recovery plans. Ensure that data<br />

backups are not only frequent but also stored in multiple geographically dispersed locations.<br />

• Build Resilient Architectures: Design systems with failover capabilities and ensure that critical<br />

components have redundant systems in place.<br />

2. Robust Testing and Validation Processes<br />

<strong>The</strong> outage was triggered by a software update, highlighting the importance of rigorous testing and<br />

validation processes. Ensuring that updates do not introduce new vulnerabilities or bugs is crucial <strong>for</strong><br />

maintaining system stability. While end users have limited control over these processes, there should be<br />

significant focus among software companies on improving both their standards and the controls to ensure<br />

those standards are consistently en<strong>for</strong>ced.<br />

Actionable Steps:<br />

• Adopt Continuous Testing: Implement continuous integration and continuous deployment (CI/CD)<br />

pipelines with automated testing at every stage. This practice helps identify issues early in the<br />

development process.<br />

• Staging Environments: Use staging environments that closely mirror production systems to test<br />

updates thoroughly be<strong>for</strong>e rolling them out.<br />

• User Acceptance Testing (UAT): Involve end-users in the testing process to catch issues that<br />

automated tests might miss.<br />

3. Enhanced Monitoring and Incident Response<br />

Effective monitoring and rapid incident response can significantly reduce the impact of outages. Early<br />

detection and swift action are critical to containing issues be<strong>for</strong>e they escalate. Companies that had<br />

robust procedures in place to quickly identify and implement remediation steps were—<strong>for</strong> the most part—<br />

able to recover quickly from the outage with relatively minor impacts on the broader business.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 30<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Actionable Steps:<br />

• Comprehensive Monitoring: Deploy comprehensive monitoring tools that provide real-time<br />

visibility into system per<strong>for</strong>mance and potential issues. Use advanced analytics and AI to predict<br />

and preemptively address problems. For many companies, utilizing a partner to assist with 24/7<br />

monitoring and response helps to ensure rapid detection—and subsequent response—even<br />

during off-hours.<br />

• Incident Response Teams: Establish dedicated incident response teams trained to handle various<br />

types of outages. Conduct regular drills to ensure readiness.<br />

• Communication Protocols: Develop clear communication protocols to keep all stakeholders<br />

in<strong>for</strong>med during an outage. Transparency can help manage expectations and reduce panic.<br />

4. Collaboration and In<strong>for</strong>mation Sharing<br />

<strong>The</strong> global nature of the outage underscored the need <strong>for</strong> collaboration and in<strong>for</strong>mation sharing among<br />

industry organizations, governments, and cybersecurity entities. Collective ef<strong>for</strong>ts can enhance our ability<br />

to respond to and recover from such incidents. While these ef<strong>for</strong>ts can be challenging <strong>for</strong> any but the<br />

largest companies to fully participate in, those who partner with a managed security provider can benefit<br />

from the collective experience and industry engagement of those specialized entities.<br />

Actionable Steps:<br />

• Industry Collaboration: Participate in industry <strong>for</strong>ums and in<strong>for</strong>mation-sharing organizations to<br />

stay in<strong>for</strong>med about emerging threats and best practices.<br />

• Public-Private Partnerships: Foster strong public-private partnerships to leverage the strengths<br />

and resources of both sectors in mitigating cybersecurity risks.<br />

• Shared Threat Intelligence: Use shared threat intelligence plat<strong>for</strong>ms to gain insights into potential<br />

vulnerabilities and attack vectors.<br />

5. User Education and Preparedness<br />

End-users play a crucial role in the resilience of IT systems. Educating users about best practices and<br />

preparedness can reduce the impact of outages. While in the case the recent outage user behavior at<br />

affected companies didn’t play a role in causing the issue, inappropriate or faulty user actions are a<br />

significant contributor to most security and network availability incidents.<br />

Actionable Steps:<br />

Regular Training: Conduct regular training sessions on cybersecurity best practices and emergency<br />

procedures. Employees should complete training upon hire and at least annually.<br />

Phishing Simulations: Run phishing simulations to teach users how to recognize and respond to phishing<br />

attempts. Many organizations include this as part of annual penetration testing.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 31<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Clear Guidelines: Provide clear guidelines on what to do in the event of an outage, including how to<br />

access alternative systems or support.<br />

Looking Forward<br />

<strong>The</strong> recent global IT outage was a wake-up call to business, IT, and government leaders. It highlighted<br />

our dependence on interconnected systems and the potential <strong>for</strong> widespread disruption when things go<br />

wrong. However, it also provides valuable lessons that, if heeded, can strengthen our resilience against<br />

future incidents.<br />

By prioritizing redundancy and resilience, adopting robust testing processes, enhancing monitoring and<br />

incident response, fostering collaboration, and educating users, we can build a more secure and stable<br />

digital infrastructure. <strong>The</strong> road ahead will undoubtedly present new challenges, but with these lessons in<br />

mind, we can navigate them more effectively and safeguard the digital services that are integral to our<br />

daily lives.<br />

About the Author<br />

Andrew has over 15 years of experience leading growth in managed<br />

network and cyber security services. He joined VirtualArmour—a managed<br />

network and cyber security company providing services to clients with<br />

operations across the globe—in 2007 as a senior engineer and has been<br />

instrumental in scaling the business to its current size, as well as maturing<br />

its 24/7 Network Operations Center (NOC) and Security Operations Center<br />

(SOC) operations with systems, policies, and processes. Andrew has deep<br />

expertise with multiple network and cyber security plat<strong>for</strong>m ecosystems,<br />

including Palo Alto, Fortinet, Cisco, SentinelOne, CrowdStrike, Stellar<br />

<strong>Cyber</strong>, and others. Andrew can be reached via VirtualArmour’s company<br />

website, www.virtualarmour.com.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 32<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Apple & OpenAI’s New Features: A First Look Through the Eyes<br />

of the US’ First Female CIO<br />

By <strong>The</strong>resa Payton, Founder, Fortalice Solutions<br />

Even be<strong>for</strong>e my time in <strong>The</strong> White House, I was – and continue to be – captivated by the intersection of<br />

technology and policy, which is why Apple’s recent announcement of integration with OpenAI piqued my<br />

interest. While the potential <strong>for</strong> increased productivity and innovation is energizing, it is crucial to address<br />

the significant questions about privacy, security, and responsible use that this integration raises.<br />

As I have delved more deeply into this partnership, three major red flags jump out at me: privacy<br />

concerns, security risks, and the potential misuse of this new technology. While the potential <strong>for</strong> increased<br />

productivity and innovation is energizing, it is crucial to address the significant questions about privacy,<br />

security, and responsible use that this integration raises.<br />

Privacy Concerns<br />

<strong>The</strong> news about this integration has left me with more questions than answers, privacy being my biggest<br />

concern. Apple assures its users that data will be protected but does not mention the exact<br />

implementation. Will our unique device IDs be linked to the queries we pose to OpenAI? Could these<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 33<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


interactions be hacked and leaked? Will data be sold or shared with other entities? <strong>The</strong>se are valid<br />

concerns. Data breaches are a constant threat, and the potential <strong>for</strong> sensitive personal in<strong>for</strong>mation<br />

gleaned from OpenAI interactions to be exposed is chilling. Furthermore, the level of personal context<br />

being accessed and utilized might make some users rightfully uncom<strong>for</strong>table.<br />

Security Risks<br />

Beyond privacy, the security implications of this integration must be addressed. <strong>The</strong> main question is the<br />

thoroughness of testing <strong>for</strong> vulnerabilities within this integration. What safeguards has Apple put in place<br />

to prevent malicious actors from compromising data and algorithms? <strong>The</strong>re exists a real threat of system<br />

"poisoning," where bad actors could manipulate the AI to serve harmful agendas. This heightened<br />

vulnerability to hacking stems from integrating AI with personal data, and it underscores the urgent need<br />

<strong>for</strong> explicit security measures.<br />

Potential Misuse of Technology<br />

<strong>The</strong> capabilities of generative models, a core component of OpenAI's technology, also pose risks of<br />

misuse. <strong>The</strong>se models could generate misleading content or even conduct phishing attacks and AI-driven<br />

spam, creating a potential nightmare scenario <strong>for</strong> internet users. Furthermore, the limitations of AI<br />

technology, such as errors in text generation, can lead to further misunderstandings, once again<br />

highlighting the need <strong>for</strong> a commitment to transparency and reliability in developing and deploying these<br />

tools.<br />

Technical Challenges and Ethical Considerations<br />

From a technical standpoint, compatibility and integration across different apps and devices pose a<br />

challenge. Third-party app developers must ensure their creations meet the security and privacy<br />

frameworks set by Apple Intelligence, which could lead to significant development hurdles.<br />

Additionally, AI's high computational demands can significantly impact device per<strong>for</strong>mance and battery<br />

life. Imagine your phone grinding to a halt or your battery draining in minutes because of an AI-powered<br />

task. Apple must address these concerns to ensure a smooth user experience. Can our devices handle<br />

this integration? It is a simple but central question.<br />

Ultimately, the ethical implications of this integration are another aspect we cannot ignore. AI algorithms<br />

can perpetuate biases, leading to unfair and non-neutral-generated content. If my years of experience<br />

and expertise have taught me anything, it is that the potential <strong>for</strong> bias against marginalized groups is very<br />

real and particularly concerning. Apple and OpenAI must be proactive in mitigating bias in their algorithms<br />

to ensure fair and neutral-generated content.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 34<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Promising Potential, Urgent Need <strong>for</strong> Safeguards<br />

Despite these concerns, I remain cautiously optimistic about the collaboration between Apple and<br />

OpenAI. This technology harbors the potential to revolutionize how we engage with digital environments.<br />

However, the legal and regulatory landscape surrounding data privacy, security, and AI-generated<br />

content is still evolving. Unexpected regulatory challenges could hinder the use of this technology.<br />

Furthermore, the legal implications of AI-generated content must be clearly defined, especially in<br />

professional and official communications.<br />

Given these concerns, it is imperative Apple and OpenAI prioritize addressing these red flags through<br />

transparency, rigorous testing, and proactive mitigation of biases and security risks. As I continue my<br />

journey in the technology and security space, I strongly advocate <strong>for</strong> responsible innovation that<br />

prioritizes ethics, safety, and security. I urge these companies to work closely with policymakers and<br />

stakeholders to ensure this powerful technology is utilized ethically and responsibly.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 35<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


About the Author<br />

<strong>The</strong>resa Payton is the Founder of Fortalice Solutions. She made<br />

history as the first female to serve as White House Chief In<strong>for</strong>mation<br />

Officer and currently helps organizations in both the public and<br />

private sectors protect their most valuable resources. As one of the<br />

nation’s most respected authorities on secured digital<br />

trans<strong>for</strong>mation, <strong>The</strong>resa Payton is frequently requested to advise<br />

Boards of the Fortune 500, CEOs, and Technology Executives.<br />

<strong>The</strong>resa is a visionary in the digital world leading the way as an<br />

inventor of new security designs and has an approved U.S. patent in<br />

security. She provides advice drawing from her experience as a<br />

technologist first and now veteran cybercrime fighter and<br />

entrepreneur, masterfully blending memorable anecdotes with<br />

cutting-edge insights.<br />

As the star of the <strong>for</strong>mer CBS TV series Hunted, Payton identifies emerging trends and techniques to<br />

help combat cyber threats, from the impact of AI, blockchain, cryptocurrency, the Internet of Things to<br />

securing Big Data.<br />

Be<strong>for</strong>e overseeing IT operations as CIO <strong>for</strong> President George W. Bush and his administration, she held<br />

executive roles in banking technology <strong>for</strong> two of the country’s top financial institutions.<br />

She founded Fortalice Solutions in 2009 and is the CEO. Among Payton’s list of awards, she was named<br />

one of the Top 25 Most Influential People in Security by Security Magazine, featured in the book 100<br />

Fascinating Women Fighting <strong>Cyber</strong>crime and honored as the 2019 Woman <strong>Cyber</strong>security Leader of the<br />

Year. Business Insider named her one of the top 50 <strong>Cyber</strong>security Leaders of 2020, CISO Magazine<br />

named her <strong>Cyber</strong>security Crusader of the Year in 2020, and Awards Magazine named her one of the<br />

Top 50 Women in Tech in 2021. She is the author of several publications on IT strategy and cybersecurity,<br />

including Manipulated: Inside the <strong>Cyber</strong>war to Hijack Elections and Distort the Truth, an Amazon #1<br />

hottest new release when it was released in 2020. <strong>Cyber</strong> Security Experts named her one of the 100<br />

Most Influential People in <strong>Cyber</strong> Security in 2021.<br />

Payton is sought out by media news outlets to explain complex security issues and help viewers<br />

understand how to protect their privacy. She has been featured on “Last Week Tonight with John Oliver”<br />

and was on “<strong>The</strong> Daily Show with Jon Stewart”. She has been a frequent guest on <strong>The</strong> Today Show,<br />

Good Morning America, Fox Business, and Fox News and has been featured on CBS News, CNN, NBC<br />

News, and MSNBC, as well as the BBC, and Canadian and Irish news outlets.<br />

<strong>The</strong>resa can be reached online at <strong>for</strong>talice@society22pr.com, https://x.com/FortaliceLLC,<br />

https://www.facebook.com/FortaliceSolutions and at our company website<br />

https://www.<strong>for</strong>talicesolutions.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 36<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> Initial Engagement Process <strong>for</strong> Contracting with a vCISO<br />

A Primer <strong>for</strong> Small to Medium Enterprises (SMEs)<br />

By Pete Green, vCISO, <strong>Cyber</strong>security Consultant and Reporter <strong>for</strong> <strong>Cyber</strong> <strong>Defense</strong> Magazine<br />

Introduction<br />

In today’s fast-paced digital world, organizations face a myriad of cybersecurity challenges that demand<br />

expert guidance and strategic oversight. Enter the Virtual Chief In<strong>for</strong>mation Security Officer (vCISO), a<br />

role that brings top-tier security leadership without the commitment of a full-time, on-site executive. Hiring<br />

a vCISO can be a game-changer, but getting the initial engagement right is crucial. This article takes you<br />

through the process, focusing on crafting a solid Statement of Work (SOW) and addressing the key legal<br />

considerations to ensure a smooth and effective partnership.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 37<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Understanding the Need <strong>for</strong> a vCISO<br />

<strong>The</strong> decision to bring on a vCISO often stems from a few key motivations. For many organizations,<br />

especially small to medium-sized enterprises (SMEs), it’s about balancing the books. Full-time CISOs<br />

command hefty salaries, and not every organization has the budget <strong>for</strong> such an investment. vCISOs offer<br />

a cost-effective solution, providing the same level of expertise on a more flexible basis. Beyond cost, it’s<br />

the breadth of experience that vCISOs bring to the table. <strong>The</strong>y’ve seen it all, having worked across<br />

various industries and tackled a wide range of security challenges. And then there’s the scalability. Need<br />

more hands on deck <strong>for</strong> a major project? Scale up. Tight on budget next quarter? Scale down. It’s this<br />

flexibility that makes vCISOs an attractive option <strong>for</strong> many organizations.<br />

<strong>The</strong> Journey Begins: Discovery Phase<br />

<strong>The</strong> engagement process kicks off with what we call the discovery phase. Picture it as a getting-to-knowyou<br />

session, but with a lot more technical jargon. This is where the organization and the prospective<br />

vCISO sit down (virtually or in-person) and start talking specifics. What are the organization’s pain points?<br />

What’s the current state of their cybersecurity infrastructure? What are their goals? This phase is all about<br />

laying the groundwork.<br />

Once the role is clearly defined, the next step is to review the qualifications and experience of potential<br />

vCISO candidates. A strong candidate should have a robust background in cybersecurity, demonstrated<br />

by relevant certifications such as CISSP, CISM, or CISA, and extensive experience in managing<br />

cybersecurity programs. Reviewing their professional history, case studies, and references provides<br />

insights into their ability to handle complex security challenges and their track record of success.<br />

Additionally, assessing their familiarity with industry-specific regulations and standards is crucial <strong>for</strong><br />

ensuring they can address the unique compliance requirements of your organization.<br />

<strong>The</strong> interview process itself should be comprehensive and multi-faceted, involving several rounds of<br />

discussions with different stakeholders within the organization. Initial interviews typically focus on the<br />

candidate’s technical expertise and experience. <strong>The</strong>se discussions should delve into their approach to<br />

risk management, incident response, and security strategy development. Scenario-based questions can<br />

be particularly effective, allowing candidates to demonstrate their problem-solving skills and strategic<br />

thinking in real-world contexts.<br />

Subsequent interviews should explore the candidate’s soft skills and cultural fit within the organization. A<br />

vCISO must not only possess technical acumen but also the ability to communicate effectively with<br />

various stakeholders, from IT teams to executive leadership. Assessing their communication style,<br />

leadership abilities, and collaborative approach helps ensure they can integrate smoothly into the<br />

organizational structure and effectively advocate <strong>for</strong> cybersecurity initiatives. Not every vCISO is going<br />

to work <strong>for</strong> every organization and finding the right cultural fit – someone who is not too opinionated or<br />

not opinionated enough – will help determine if the vCISO is right <strong>for</strong> your organization.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 38<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Why a vCISO Might Not Be the Right Fit <strong>for</strong> Your Organization<br />

Hiring a Virtual Chief In<strong>for</strong>mation Security Officer (vCISO) can offer numerous advantages, particularly<br />

<strong>for</strong> small to medium-sized enterprises seeking expert cybersecurity leadership without the expense of a<br />

full-time executive. However, there are several reasons why this arrangement might not work <strong>for</strong> every<br />

organization. One significant drawback is the lack of on-site presence. A vCISO typically operates<br />

remotely, which can be a disadvantage <strong>for</strong> organizations requiring frequent in-person interactions and<br />

hands-on management of complex security issues. Additionally, a remote vCISO might struggle to fully<br />

understand the unique culture, dynamics, and internal politics of the organization, which are crucial <strong>for</strong><br />

effectively implementing security policies and fostering a security-conscious environment.<br />

Effective communication is another challenge when working with a vCISO. While modern communication<br />

tools facilitate remote collaboration, they can sometimes lead to miscommunication or delayed<br />

responses. Time zone differences and varying communication styles can further complicate the timely<br />

and clear exchange of in<strong>for</strong>mation.<br />

Integrating a vCISO with existing IT and security teams can also be problematic. <strong>The</strong>re might be<br />

resistance from internal staff accustomed to working with an in-house CISO, leading to potential conflicts<br />

or misunderstandings regarding roles and responsibilities. Additionally, a vCISO might be balancing<br />

multiple clients, resulting in inconsistent availability, which can be problematic <strong>for</strong> organizations requiring<br />

constant, dedicated attention, especially during security incidents that need immediate action.<br />

Specific industry requirements and cost considerations also play a role in determining the suitability of a<br />

vCISO. Certain industries, such as healthcare, finance, and government sectors, have specific regulatory<br />

and compliance needs that necessitate a deep understanding and continuous involvement, which might<br />

be difficult <strong>for</strong> a vCISO to provide remotely.<br />

While vCISOs are often more cost-effective than full-time, in-house CISOs, there can still be significant<br />

costs involved if the organization requires a high level of involvement or frequent on-site visits. This can<br />

quickly negate the financial benefits. Furthermore, building trust and ensuring accountability can be more<br />

challenging with a remote vCISO.<br />

Organizations may have concerns about the level of commitment and the ability to hold the vCISO<br />

accountable compared to an in-house executive who is part of the daily organizational fabric. <strong>The</strong>re<strong>for</strong>e,<br />

while vCISOs offer flexibility and expertise, they may not be suitable <strong>for</strong> all organizations, and companies<br />

need to carefully assess their specific needs, industry requirements, and internal dynamics be<strong>for</strong>e opting<br />

<strong>for</strong> a virtual cybersecurity leader.<br />

Crafting the Blueprint: Statement of Work (SOW)<br />

Now, let’s talk about the Statement of Work (SOW), arguably the most critical document in this process.<br />

Think of it as the blueprint <strong>for</strong> the engagement. It outlines what the vCISO will do, when they’ll do it, and<br />

how success will be measured. If the need <strong>for</strong> a vCISO is realized in the organization and all of the<br />

preliminary qualities of the vCISO “check-out” <strong>for</strong> the organization, it’s time to put the relationship into a<br />

contract.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 39<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Firstly, the service description. This section should clearly spell out the vCISO services. Are we talking<br />

about a one-time security assessment? Ongoing strategic advice? Regular security training <strong>for</strong> staff?<br />

Whatever it is, detail it here. <strong>The</strong>n there’s the matter of deliverables and milestones. <strong>The</strong>se are the<br />

tangible outputs the vCISO will produce, along with deadlines <strong>for</strong> each. It could be anything from a<br />

comprehensive risk assessment report to a fully developed incident response plan. You may also want<br />

to focus the vCISO’s ef<strong>for</strong>ts on specific system requirements and KPIs that will drive the cyber security<br />

organization.<br />

Equally important are the roles and responsibilities. This section clarifies who does what. What authority<br />

does the vCISO have? Who do they report to? What’s expected of the hiring organization in terms of<br />

support and resources? Laying this out clearly can prevent a lot of headaches down the road.<br />

We also need to establish per<strong>for</strong>mance metrics. How will we measure the vCISO’s effectiveness? <strong>The</strong>se<br />

could be quantitative metrics, like the number of vulnerabilities addressed, or qualitative ones, like<br />

improved staff awareness of cybersecurity best practices.<br />

<strong>The</strong> SOW should also cover compensation and payment terms. This includes not just the rates and fees,<br />

but also the payment schedule and any penalties <strong>for</strong> late payments.<br />

Finally, confidentiality and data protection clauses are non-negotiable. <strong>The</strong> vCISO will have access to<br />

sensitive in<strong>for</strong>mation, so robust confidentiality agreements are a must. This topic alone could fill an entire<br />

article, but just be aware this section needs to be water-tight and clearly communicated in terms which<br />

all parties can agree to.<br />

Navigating the Legal Landscape<br />

Crafting the right contract involves more than just the SOW. <strong>The</strong>re are several legal considerations to<br />

ensure both parties are protected.<br />

Confidentiality and non-disclosure agreements (NDAs) are fundamental. <strong>The</strong>se agreements protect<br />

sensitive in<strong>for</strong>mation shared during the engagement. <strong>The</strong>y define what in<strong>for</strong>mation is confidential, how<br />

long the confidentiality lasts, and any exceptions.<br />

Indemnification clauses are another key element. <strong>The</strong>se clauses protect against losses or damages<br />

arising from the vCISO’s actions or negligence. It’s essential to clearly define the scope of indemnification<br />

and any limitations and will be discussed in a follow-up article focused on cybersecurity insurance <strong>for</strong> the<br />

vCISO.<br />

Liability and limitation of liability clauses outline the extent to which each party is responsible <strong>for</strong> breaches<br />

or failures. <strong>The</strong>se clauses help cap the amount of damages one party can claim from the other, protecting<br />

both from excessive financial exposure.<br />

Termination and exit strategy clauses define the conditions under which either party can terminate the<br />

contract. This might include breach of contract, failure to meet per<strong>for</strong>mance metrics, or changes in<br />

organizational needs. An exit strategy ensures a smooth transition and continuity of security operations.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 40<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Intellectual property rights should also be addressed. This includes the ownership of any intellectual<br />

property created during the engagement, such as reports, policies, and other deliverables. It’s important<br />

to clarify whether the organization will own the IP or if it will be licensed <strong>for</strong> its use.<br />

Lastly, compliance with laws and regulations is crucial. <strong>The</strong> contract should require compliance with<br />

applicable laws and regulations, such as data protection laws (GDPR, CCPA) and industry-specific<br />

standards (HIPAA, PCI-DSS). <strong>The</strong> vCISO should be knowledgeable about these requirements and<br />

incorporate them into their services.<br />

Conclusion<br />

Engaging a vCISO can significantly enhance an organization's cybersecurity posture. By providing<br />

strategic leadership and expert guidance, a vCISO can help organizations navigate complex<br />

cybersecurity challenges. However, the initial engagement process is critical to ensuring a successful<br />

partnership. Developing a comprehensive SOW and addressing key legal considerations can help<br />

establish a productive and legally sound relationship with the vCISO. This sets the foundation <strong>for</strong><br />

improved security and resilience, ensuring that the organization is well-protected against evolving cyber<br />

threats.<br />

About the Author<br />

Pete Green, vCISO, <strong>Cyber</strong>security Consultant and Reporter <strong>for</strong> <strong>Cyber</strong><br />

<strong>Defense</strong> Magazine. Pete has over 20 years of experience in In<strong>for</strong>mation<br />

Technology related fields and is an accomplished practitioner of In<strong>for</strong>mation<br />

Security. He has held a variety of security operations positions including LAN<br />

/ WLAN Engineer, Threat Analyst / Engineer, Security Project Manager,<br />

Security Architect, Cloud Security Architect, Principal Security Consultant,<br />

Manager / Director of IT, CTO, CEO, and Virtual CISO. Pete has worked with<br />

clients in a wide variety of industries including federal, state and local<br />

government, financial services, healthcare, food services, manufacturing,<br />

technology, transportation, and hospitality.<br />

Pete holds a Master of Computer In<strong>for</strong>mation Systems in In<strong>for</strong>mation Security from Boston University, an<br />

NSA / DHS National Center of Academic Excellence in In<strong>for</strong>mation Assurance / <strong>Cyber</strong> <strong>Defense</strong> (CAE IA<br />

/ CD), and a Master of Business Administration in In<strong>for</strong>matics.<br />

Pete can be reached online at greenish@gmail.com, @petegreen, https://linkedin.com/in/petegreen and<br />

at our company website www.cyberdefensemagazine.com.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 41<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Shifting <strong>The</strong> Focus: From Compliance to Secops in Supply<br />

Chain Security<br />

To significantly enhance Third-Party Risk Management (TPRM), we must urgently transition it<br />

from a compliance exercise to the realm of security operations.<br />

By Emily Hodges, COO, Risk Ledger<br />

<strong>The</strong>re are two main reasons why supply chain attacks are on the increase. First, there is a general trend<br />

of companies outsourcing more critical business functions to external providers, and doing so often<br />

makes good business sense.<br />

Secondly, while threat actors' focus and methods remain the same, they target the weakest link.<br />

Outsourcing has led to increased suppliers, which is now becoming an organisation's weakest link, and<br />

the threat actors know it.<br />

Most organisations find suppliers challenging because they are outside their direct control. It is much<br />

easier to look at and control when it is inside the perimeter. It's much more challenging to ensure the<br />

safety of any third parties we do business with.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 42<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> problem with Third-Party Risk Management.<br />

<strong>The</strong> challenge with how people run their TPRM program is that it is often treated as a governance and<br />

compliance exercise. <strong>The</strong> overall goal then becomes to demonstrate that we provide adequate assurance<br />

rather than pursuing the fundamental objective of reducing security risks.<br />

It means that people don't see it as constructive and valuable, creating a vicious cycle in which, because<br />

people see it as a necessity <strong>for</strong> compliance, they don't put the required ef<strong>for</strong>t into it, which means the<br />

value depreciates. We need to break free from that vicious cycle and take a different approach to make<br />

it more effective and reduce the challenges.<br />

Embracing a More Robust and Collaborative Approach with Our Suppliers.<br />

We need to start with open and transparent communication channels with our suppliers early in the<br />

relationship. Approaching our conversations with suppliers from the angle of an audit assurance process<br />

incentivises them to be less <strong>for</strong>thcoming with their in<strong>for</strong>mation, especially when discussing security<br />

weaknesses. <strong>The</strong>y often don't want to open up about their weak points because they're trying to win or<br />

retain a contract, and you don't get an accurate view of their security posture.<br />

So, it's creating those communication channels, creating a trusted relationship with your suppliers right<br />

from the beginning, so that when something happens, we have these relationships in place and can<br />

quickly collaborate on threats when they arise and reduce the impact of incidents as much as possible.<br />

<strong>The</strong>se relationships, however, have to be built with the security teams at our suppliers - our natural allies<br />

- and not with customer success teams that traditional TPRM programmes or procurement teams would<br />

mainly be interacting with.<br />

Moving Third-Party Risk Management into SecOps.<br />

Crucially, however, we need to start approaching TPRM as an operational challenge rather than a pure<br />

governance one and involve our Security Operations teams. <strong>The</strong> first point of call is talking to in-house<br />

threat intelligence teams or external providers. Raising and utilising critical threat intelligence data to<br />

appreciate where our suppliers sit and what risks they could face is incredibly useful <strong>for</strong> responding to<br />

attacks in an operational way.<br />

Third-party risk management and incident response are usually split between the Governance and the<br />

SecOps teams, which is not a helpful way to look at the problem of how to reduce the likelihood and<br />

impacts of attacks against our corporate supply chains. It raises the question: What do we do when a<br />

supply chain incident strikes? Do we have to contact our Governance, Risk and Compliance (GRC) teams<br />

since they are supposed to have a relationship with the suppliers in question, or should this be our<br />

SecOps teams responsible <strong>for</strong> handling the incident response?<br />

It can work if TPRM programmes build a comprehensive database of suppliers and establish collaborative<br />

relationships with their security teams. Every supplier assurance review is a real opportunity to gather<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 43<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


threat intelligence data on our suppliers and develop strong relationships, helping us build that<br />

comprehensive database of security data and create alliances.<br />

So, when an incident happens in the future, whether there's an incident at that supplier in particular or a<br />

more industry-wide incident such as the MOVEit Transfer attack, we are in the position to quickly reach<br />

out and collaboratively address any problems in partnership with that supplier. It also allows you to build<br />

a system where you can quickly search and draw insights from our databases to ascertain which suppliers<br />

in your ecosystem could be most vulnerable to a specific attack, or what kind of risks they could pose to<br />

us if affected, which will further increase our ability to respond to attacks when they strike quickly.<br />

Conclusion.<br />

As an industry, we are learning that collaboration between organisations, whether within a sector, across<br />

geographies or industries, and crucially with our suppliers, is not only important but also the key to<br />

success when dealing with a security incident.<br />

We witnessed a sea change when the Solarwinds attack happened a few years ago, and security experts<br />

realised that one organisation could not address this problem alone. If we look at the SolarWinds incident,<br />

numerous organisations in that supply chain ecosystem were affected by the fallout, and it was only<br />

through collating data that they held between them that we could learn the routes the attackers had taken<br />

and what had transpired.<br />

Especially with so much outsourcing happening today in the context of rapid digitalisation of business<br />

processes, we need to find ways to collaborate more effectively and overcome barriers like commercial<br />

competition between our organisations and legal obstacles to realise that we are all in this together and<br />

that we have to Defend-as-One to stand a chance against increasingly sophisticated threat actors and<br />

an ever-growing attack surface.<br />

Finally, we must consider supply chain security not only as a compliance exercise but also as a critical<br />

operational problem. Only by shifting TPRM into the operational space will we have a tangible impact on<br />

our ability to prevent and respond to supply chain incidents when they happen.<br />

About the Author<br />

Emily Hodges is Chief Operating Officer at Risk Ledger, a UK-based startup<br />

working to secure the global supply chain ecosystem. With a background in<br />

mathematics and cryptography, Emily spent a few years in PwC's cyber security<br />

consulting practice be<strong>for</strong>e starting a new consultancy aimed at using human<br />

understanding to make tangible improvements to security. She is now driving a step<br />

change in supply chain security, challenging the status quo with Risk Ledger.<br />

Emily Hodges can be reached online at emily@riskledger.com,<br />

https://www.linkedin.com/in/emhodges/ and at our company website<br />

https://riskledger.com/index.html.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 44<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Preparing <strong>for</strong> EU AI Act from a Security Perspective<br />

What does it mean <strong>for</strong> security teams of organizations innovating, building, and deploying AI?<br />

By Manpreet Dash, Global Marketing and Business Development Lead, AIShield<br />

<strong>The</strong> world’s first artificial intelligence law, the EU AI Act, finally came into effect on 1 Aug <strong>2024</strong>, 4 years<br />

after it was initially proposed by the European Commission. After years of political debates and<br />

negotiations that culminated in this decision, what does this mean <strong>for</strong> us and the broader AI community<br />

in <strong>2024</strong>?<br />

Artificial Intelligence (AI) is trans<strong>for</strong>ming our world in unprecedented ways. From personalized healthcare<br />

to self-driving cars and virtual assistants, AI is becoming ubiquitous in our daily lives. However, this<br />

growing use of AI has raised many concerns about its impact on fundamental rights and freedoms. In<br />

response to this, the European Union (EU) has taken a significant step to regulate AI.<br />

<strong>The</strong> EU AI Act, also known as the Artificial Intelligence Act, is the world's first concrete initiative <strong>for</strong><br />

regulating AI. It aims to turn Europe into a global hub <strong>for</strong> trustworthy AI by laying down harmonized rules<br />

governing the development, marketing, and use of AI in the EU. <strong>The</strong> AI Act aims to ensure that AI systems<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 45<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


in the EU are safe and respect fundamental rights and values. Moreover, its objectives are to foster<br />

investment and innovation in AI, enhance governance and en<strong>for</strong>cement, and encourage a single EU<br />

market <strong>for</strong> AI.<br />

Stakeholders: Who is affected?<br />

<strong>The</strong> AI Act has set out clear definitions <strong>for</strong> the different actors involved in AI: providers, deployers,<br />

importers, distributors, and product manufacturers. This means all parties involved in the development,<br />

usage, import, distribution, or manufacturing of AI models will be held accountable. Moreover, the AI Act<br />

also applies to providers and users of AI systems located outside of the EU, e.g., in Switzerland, if output<br />

produced by the system is intended to be used in the EU.<br />

• AI system providers: Organizations and individuals who develop or create AI systems, including<br />

software developers and technology firms.<br />

• AI system deployers: Organizations who deploy and use AI systems in their operations, irrespective<br />

of the sector or industry.<br />

• Importers and Distributors: Organizations who bring AI systems from outside of EU and<br />

place them in EU markets.<br />

• Product Manufacturers: Organizations who place the AI systems in their offerings and<br />

products.<br />

• Regulators and supervisory bodies: Authorities responsible <strong>for</strong> monitoring and ensuring<br />

compliance with the AI Act, including data protection agencies.<br />

• Consumers and the public: Indirectly affected, as the Act aims to safeguard their rights and<br />

safety in relation to AI use. This new law will apply to non-EU organizations offering AI services<br />

in the EU market or to EU citizens, rein<strong>for</strong>cing global standards.<br />

Figure 1: Stakeholders in the EU AI Act<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 46<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


What is required?<br />

Step 1: Model inventory – understanding the current state.<br />

To understand the implications of the EU AI Act, companies should first assess if they have AI models in<br />

use and in development or are about to procure such models from third-party providers and list the<br />

identified AI models in a model repository. Many financial services organizations can utilize existing<br />

model repositories and the surrounding model governance and add AI as an additional topic.<br />

Organizations which have not needed a model repository so far should start with a status quo assessment<br />

to understand their (potential) exposure. Even if AI is not used at present, it is very likely that this will<br />

change in the coming years. An initial identification can start from an existing software catalogue or, if<br />

this is not available, with surveys sent to the various business units.<br />

Actions to take: From the start of a project, you need a clear understanding of the regulatory compliance<br />

that might be required <strong>for</strong> taking your model into production. This needs to be combined with an<br />

achievable plan on how to fulfill regulatory requirements now and in production. Without sufficient logging<br />

and reporting functionality it might be difficult if not impossible to comply with the regulatory requirements.<br />

Step 2: Risk classification of models<br />

Based on the model repository, the AI models can be classified by risk. <strong>The</strong> act sets out AI governance<br />

requirements based on risk severity categories, with an additional designation <strong>for</strong> systemic risk general<br />

purpose AI (GPAI):<br />

Figure 2: Risk Classifications of AI Models<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 47<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


1. Unacceptable Risk:<br />

<strong>The</strong> Act lays out examples of models posing an unacceptable risk. Models falling into this category<br />

are prohibited. Examples include the use of real-time remote biometric identification in public<br />

spaces or social scoring systems, as well as the use of subliminal influencing techniques which<br />

exploit vulnerabilities of specific groups. Few examples are:<br />

o<br />

o<br />

o<br />

o<br />

o<br />

Prohibited AI Practices: AI systems that manipulate behavior subliminally or exploit vulnerabilities<br />

due to age, disability, or socio-economic status.<br />

Social Scoring Systems: AI systems that evaluate or classify individuals over time based<br />

on their social behavior or personal characteristics, leading to detrimental treatment.<br />

Biometric Misuse: AI systems used <strong>for</strong> untargeted scraping of facial images <strong>for</strong> facial<br />

recognition databases, or biometric systems that infer sensitive data.<br />

Crime Prediction: AI systems used <strong>for</strong> predicting the likelihood of individuals committing<br />

crimes.<br />

Emotion and Biometric Recognition Restrictions: Use of emotion recognition and biometric<br />

categorization in workplaces and schools, except <strong>for</strong> specific reasons like medical<br />

or safety.<br />

2. GPAI Systemic Risks<br />

All providers of GPAI are subject to transparency obligations. <strong>The</strong>y are required to take steps to<br />

maintain public summaries of content of data used to train models, enhance transparency,<br />

accountability, and compliance with EU’s copyright laws, prepare and maintain technical<br />

documentation of the model (including training and testing processes, and the result of model<br />

evaluations) and provide certain model in<strong>for</strong>mation to who use the model.<br />

GPAI models are considered systemic risk when the cumulative amount of compute used <strong>for</strong><br />

training exceeds 1025 FLOPS (Floating Point Operations Per Second, which is a measure of<br />

computing power). It includes AI systems designed <strong>for</strong> broad use case across various functions<br />

such as image and speech recognition, content and response generation, and others. Examples<br />

of General Purpose AI (GPAI) tools that could potentially pose systemic risks include GPT 3, GPT<br />

4, DALL-E, ChatGPT, AI-powered Bing Search and Edge Browser.<br />

Mandatory Compliance: For GPAI models with systemic risk, it is mandatory to conduct<br />

standardized model evaluations and adversarial testing, assess and mitigate potential systemic<br />

risks (read this blog <strong>for</strong> a more detailed understanding of LLM risks), track and report serious<br />

incidents, and ensure adequate cybersecurity protections.<br />

3. High Risk:<br />

High-risk models are permitted but must comply with multiple requirements and undergo a<br />

con<strong>for</strong>mity assessment. This assessment needs to be completed be<strong>for</strong>e the model is released on<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 48<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


the market. Those models are also required to be registered in an EU database which shall be<br />

set up. Operating high-risk AI models requires an appropriate risk management system, logging<br />

capabilities and human oversight respectively ownership. <strong>The</strong>re shall be proper data governance<br />

applied to the data used <strong>for</strong> training, testing and validation as well as controls assuring the cyber<br />

security, robustness, and fairness of the model.<br />

Examples of high-risk systems are models related to the operation of critical infrastructure,<br />

systems used in hiring processes or employee ratings, credit scoring systems, automated<br />

insurance claims processing or setting of risk premiums <strong>for</strong> customers.<br />

o<br />

o<br />

o<br />

o<br />

o<br />

Critical Infrastructure Management: AI systems used in the operation of critical digital<br />

and physical infrastructures.<br />

Employment and Creditworthiness: AI systems involved in recruitment, worker management,<br />

or evaluating creditworthiness <strong>for</strong> essential services.<br />

Election Influence: AI systems used to influence election outcomes or voter behavior.<br />

Safety Components: AI systems that act as safety components in products covered by<br />

EU safety laws (e.g., vehicles, lifts, medical devices).<br />

Mandatory Compliance: <strong>The</strong>se systems require defined governance architecture, including<br />

but not limited to risk management systems, data governance, documentation, record<br />

keeping, testing, and human oversight and register the AI system in an EU database.<br />

4. Limited Risk:<br />

<strong>The</strong> remaining models are considered limited or minimal risk. For those, transparency is required,<br />

i.e., a user must be in<strong>for</strong>med that what they are interacting with is generated by AI. Examples<br />

include chat bots or deep fakes which are not considered high risk but <strong>for</strong> which it is mandatory<br />

that users know about AI being behind it.<br />

o<br />

o<br />

o<br />

Interactive AI: AI systems that directly interact with users, like chatbots.<br />

Content Generation: Systems that generate synthetic content or 'deep fakes'.<br />

Transparency Obligations: Providers and deployers must disclose certain in<strong>for</strong>mation to<br />

users, ensuring transparency in operations. Transparent labeling and a code of conduct<br />

<strong>for</strong> the deployment of AI in interactions with people to ensure end-user awareness and<br />

safety is necessary.<br />

5. Minimal Risk:<br />

<strong>The</strong>se applications are permitted without restrictions. However, <strong>for</strong> all operators of AI models,<br />

the implementation of a Code of Conduct around ethical AI is recommended. For tools and<br />

processes that fall under “minimal risk,” the draft EU AI Act encourages companies to have a<br />

code of conduct ensuring AI is being used ethically.<br />

o<br />

General AI Applications: AI systems with minimal implications, such as AI-enabled video<br />

games or email spam filters.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 49<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


o<br />

Voluntary Compliance: <strong>The</strong>se systems are encouraged to adhere to voluntary codes of<br />

conduct that mirror some high-risk requirements, but compliance is not mandatory.<br />

<strong>The</strong>se categories reflect the EU’s approach to regulate AI based on the potential risk to individuals’ rights<br />

and societal norms.<br />

Step 3: Prepare and get ready.<br />

If you are a provider, user, importer, distributor or affected person of AI systems, you need to ensure that<br />

your AI practices are in line with these new regulations. To start the process of fully complying with the<br />

AI Act, you should initiate the following steps:<br />

• assess the risks associated with your AI systems<br />

• raise awareness<br />

• design ethical systems<br />

• assign responsibility<br />

• stay up-to-date<br />

• establish a <strong>for</strong>mal governance<br />

By taking proactive steps now, you can avoid potential significant sanctions <strong>for</strong> your organization upon<br />

the Act coming into <strong>for</strong>ce. Please note that this article refers to an ongoing legislative process which might<br />

lead to changes of the requirements.<br />

Figure 3: Compliance Steps <strong>for</strong> High-Risk AI Systems<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 50<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Which senior roles are most affected?<br />

• Chief Executive Officer (CEO): Responsible <strong>for</strong> overall compliance and steering the company’s<br />

strategic response to the EU AI Act.<br />

• Chief Technology Officer (CTO) or Chief In<strong>for</strong>mation Officer (CIO): Oversee the development<br />

and deployment of AI technologies, ensuring they align with regulatory requirements.<br />

• Chief Data Officer (CDO): Manage data governance, quality, and ethical use of data in AI<br />

systems.<br />

• Chief Compliance Officer (CCO) or Legal Counsel: Ensure that AI applications and business<br />

practices adhere to the EU AI Act and other relevant laws.<br />

• Chief Financial Officer (CFO): Oversee financial implications, investment in compliance infrastructure<br />

and potential risks associated with non-compliance.<br />

• Human Resources Manager: Address the impact of AI systems on employee management<br />

and training, ensuring AI literacy among staff.<br />

• Chief In<strong>for</strong>mation Security Officer (CISO): Handle cybersecurity and data protection aspects<br />

of AI systems to ensure data integrity and prevent any unauthorized use.<br />

• Chief Privacy Officer (CPO) or Data Protection Officer (DPO): Ensure that AI systems adhere<br />

to the privacy principles, are explainable and transparent, and have safeguards in place<br />

to preserve the fundamental rights and freedoms of individuals.<br />

<strong>The</strong>se roles play a crucial part in adjusting business operations, refining technology strategies, and aligning<br />

organizational policies to comply with the EU AI Act. While some organizations have already appointed<br />

a Chief AI Officer, we <strong>for</strong>esee the emergence of a new senior role: the Chief AI Risk Officer.<br />

Implications <strong>for</strong> non-compliance<br />

<strong>The</strong> EU AI Act imposes fines <strong>for</strong> noncompliance based on percentage of worldwide annual turnover,<br />

underscoring the substantial implications <strong>for</strong> global companies of the EU’s stand on AI safety:<br />

• For prohibited AI systems — fines can reach 7% of worldwide annual turnover or €35 million,<br />

whichever is higher.<br />

• For high-risk AI and GPAI transparency obligations — fines can reach 3% of worldwide annual<br />

turnover or €15 million, whichever is higher.<br />

• For providing incorrect in<strong>for</strong>mation to a notified body or national authority — fines can reach 1%<br />

of worldwide annual turnover or €7.5 million, whichever is higher.<br />

AI Security <strong>for</strong> EU AI Act Compliance<br />

<strong>The</strong> EU AI Act is a new legal framework <strong>for</strong> developing AI that the public can trust. It reflects the EU’s<br />

commitment to driving innovation, securing AI development, national safety, and the fundamental rights<br />

of people and businesses. <strong>The</strong> fast-paced evolution of AI regulation requires organizations to stay in<strong>for</strong>med<br />

and compliant with current and future standards, ensuring AI deployments meet ethical and transparency<br />

criteria.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 51<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


AI Security is a crucial pillar of Responsible AI and Trustworthy AI adoption and is key to governance and<br />

compliance aspects in the context of EU AI Act. In the DevOps context, this means:<br />

• Developers require a straight<strong>for</strong>ward solution that can scan AI/ML models, identify vulnerabilities,<br />

and assess risks, and automatically remediate them during the development phase.<br />

• Deployers and operators, including security teams, need tools such as endpoint detection and<br />

response (EDR) specific to AI workloads. <strong>The</strong>y need to rely on solutions capable of detecting and<br />

responding to emerging AI attacks to prevent incidents and reduce the mean time to detect<br />

(MTTD) and mean time to resolve (MTTR).<br />

• Managers need visibility into the security posture of the AI/ML models they deploy to ensure<br />

better governance, compliance, and model risk management at an organizational level.<br />

Toward this end, the security industry needs a two-tiered approach that encompasses both predictive<br />

and proactive security to create safe and trustworthy AI systems. AI developers & AI Red Teams should<br />

anticipate and preemptively address potential attacks in the initial design phase by vulnerability testing.<br />

Additionally, we recommend incorporating robust defense measures into the AI system itself to shield<br />

against any real-time attacks.<br />

How AI Security Plat<strong>for</strong>m Helps Secure AI Models & Reduce AI Risk<br />

AI security plat<strong>for</strong>ms integrate multiple tools to ensure robust, compliant, and secure AI initiatives. <strong>The</strong>y<br />

typically consist of components that target distinct aspects of AI security, offering comprehensive<br />

coverage from development through operation, to ensure your AI initiatives are robust, compliant, and<br />

secure.<br />

• Early Vulnerability Detection: Focus on early-stage vulnerability detection within your AI code,<br />

leveraging Static Application Security Testing (SAST) to unearth and mitigate potential security<br />

breaches be<strong>for</strong>e they escalate. You may utilize open-source utilities which can auto discover AI<br />

models in repositories and do a comprehensive scan of models and notebooks and categorize<br />

scans into distinct risk levels. <strong>The</strong>re exist tools, such as Watchtower, which offer zero-cost AI/ML<br />

asset discovery and risk identification, coupled with insightful, actionable reporting that enables<br />

developers to rein<strong>for</strong>ce their models against vulnerabilities.<br />

• Dynamic and Interactive Security Testing: Utilize a dynamic and interactive application security<br />

(DAST and IAST) approach, ensuring vulnerabilities and AI security risks are identified and rectified<br />

in real-time. As your AI transitions from development to operation, AISpectra is one such tool<br />

that provides the vigilant defense needed to preempt threats.<br />

• Endpoint <strong>Defense</strong> Systems: Implement real-time endpoint defenses to protect AI models in operation.<br />

<strong>The</strong>se systems are essential <strong>for</strong> supporting security operations and governance teams,<br />

providing continuous oversight of the AI assets' security posture, and enabling prompt detection<br />

and remediation of any breaches. For Generative AI business applications, including tools like<br />

Large Language Models, using guardrails as cybersecurity middleware can help mitigate a wide<br />

range of risks, ensuring operations are safe, secure, and compliant with regulatory standards<br />

such as the EU AI Act. Consider exploring various capabilities in this area, including model validation<br />

and the implementation of guardrails (<strong>for</strong> example, Guardian) to ensure secure usage.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 52<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Summarizing, a comprehensive AI Security Plat<strong>for</strong>m’s ability to provide independent, on-premises<br />

deployment is particularly relevant to your needs:<br />

• Conduct AI security assessment, standardized model evaluations (ML/LLM) and adversarial testing<br />

to assess and mitigate potential risks in Blackbox and Greybox settings, helping preserve<br />

model privacy during security assessments.<br />

• Delve deeper into AI security risk assessments, quantitative insights into model security posture;<br />

utilize sample attack vectors <strong>for</strong> adversarial retraining (<strong>for</strong> model security hardening); defense<br />

model <strong>for</strong> real-time endpoint monitoring.<br />

• Have a real-time defense system that facilitates tracking and reporting serious incidents and to<br />

ensure adequate cybersecurity protections.<br />

• Report security incidents via SIEM connectors to plat<strong>for</strong>ms like Azure Sentinel, IBM QRadar and<br />

Splunk to bolster Security Operations and Governance.<br />

Figure 4: View of AI Security Plat<strong>for</strong>m Capabilities Mapped across the AI/ML Lifecycle<br />

With a comprehensive AI Security Plat<strong>for</strong>m, organizations can:<br />

• Discover personal and sensitive in<strong>for</strong>mation in AI training sets, including secrets and passwords,<br />

customer data, financial data, IP, confidential, and more.<br />

• Adopt AI safely by mitigating security risks be<strong>for</strong>e and after deployment <strong>for</strong> ML models and GenAI<br />

or GPAI systems.<br />

• Manage, protect, and govern AI with robust privacy, compliance, and security protocols, enabling<br />

zero trust and mitigating insider risk.<br />

• Assess AI model security risk, improve security posture and quickly provide reporting to EU regulatory<br />

authorities.<br />

To explore how AIShield can help your organization reduce risk and comply with requirements within<br />

the EU AI Act, please visit https://www.boschaishield.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 53<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


About the Author<br />

Manpreet Dash is the Global Marketing and Business Development Lead<br />

of AIShield, a Bosch startup dedicated to securing artificial intelligence<br />

systems globally (AI Security) and recognized by Gartner, CES Innovation<br />

Awards and IoT industry Solution Awards. His crucial responsibilities span<br />

across marketing, strategy <strong>for</strong>mulation, partnership development, and<br />

sales. Previously, Manpreet worked with Rheonics - an ETH Zurich spinoff<br />

company based in Switzerland, building next-generation process<br />

intelligence. Manpreet holds dual degrees in mechanical and industrial<br />

engineering and management from IIT Kharagpur and received the IIT<br />

Kharagpur Institute Silver Medal <strong>for</strong> graduating top of class. He has<br />

contributed to over 15 publications and talks in journals, webinars, trade<br />

magazines and conferences. Besides his professional and academic<br />

achievements, Manpreet’s commitment to innovation, technology <strong>for</strong><br />

good, and fostering young talent is evident as a co-founder of the IIT KGP Young Innovators’ Program<br />

and as a Global Shaper of the World Economic Forum. Manpreet can be reached at<br />

manpreet.dash@bosch.com and at our company website https://www.boschaishield.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 54<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Steps To Protect Against <strong>Cyber</strong>security Threats During Mergers<br />

and Acquisitions<br />

By Saugat Sindhu, Senior Partner and Global Head, Advisory Services, Wipro Limited<br />

Transactions involving U.S. targets and acquirers continue to represent a substantial percentage of<br />

overall deal volume, with U.S. M&A exceeding $1.26 trillion in 2023, according to research from the<br />

Harvard Law School Forum on Corporate Governance. Stakeholders must consider various factors,<br />

including political agendas and regulation rules, to ensure mergers are approved. While cybersecurity<br />

may not be at the top of the list of hurdles companies must overcome during a merger, it should be.<br />

Frequently, while two companies are working closely to merge, cybercriminals are taking advantage of<br />

security gaps.<br />

Company leaders must take a holistic view of cybersecurity to ensure a successful merger. To understand<br />

a company’s capabilities to identify, protect, detect, respond, and recover from cybersecurity threats,<br />

companies should focus on three core areas:<br />

• Protect against potential data breaches.<br />

• Simplify integration of critical operational and security systems.<br />

• Take a security-by-design approach.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 55<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Protect Against Potential Data Breaches<br />

<strong>The</strong> role of cybersecurity is more important than ever. Hackers are located worldwide, are equipped with<br />

the most advanced technologies, and are always looking <strong>for</strong> system weaknesses and vulnerabilities,<br />

which makes safeguarding corporate systems and data challenging. Companies entering or are currently<br />

engaged in a merger must prioritize cybersecurity measures to minimize security breaches, as these<br />

incidents can greatly reduce company valuation. Strong data security measures include planning on<br />

multiple levels and the implementation of processes, controls, and technology, such as access controls,<br />

network security, operation systems integration, and encryption.<br />

One of the primary areas to focus on is securing systems that integrate personal and business data and<br />

business-critical in<strong>for</strong>mation. <strong>The</strong>se systems contain essential data critical to a company's success, and<br />

exposing sensitive in<strong>for</strong>mation could be disastrous. It’s prudent to first focus on systems related to HR,<br />

benefits, and payroll, as they house sensitive personal in<strong>for</strong>mation. Breaches in these areas can result<br />

in legal actions, substantial financial losses, and erosion of employee and investor trust. Additionally,<br />

cybersecurity issues can lead to public data leaks, damaging the company’s value and market<br />

reputation.<br />

Management must adopt robust cybersecurity strategies to protect employees, customers, partners, and<br />

investors. This strategy should include thorough risk assessment, implementation of advanced security<br />

measures, and ongoing monitoring of newly integrated systems to ensure that all sensitive data is<br />

protected.<br />

Simplify Integration of Critical Operational and Security Systems<br />

Companies should take four steps to overcome security challenges: pre-merger, execution, transition,<br />

and post-merger integration. Addressing these challenges in four distinct phases helps ensure a<br />

smoother transition.<br />

1. Pre-merger: Create an overview of the company's cyber landscape, both currently and what is<br />

expected during the next few years. Examine all systems to determine the starting point and work<br />

closely with experts to follow essential regulations.<br />

2. Execution: After examining all systems, identify potential threats and establish steps to address<br />

them.<br />

3. Transition: Develop an integration strategy that includes addressing system redundancies. Pay<br />

attention to fixing weaknesses in the system.<br />

4. Post-merger: Once the transition has been completed, troubleshoot any new issues and identify<br />

what worked and what surprised the IT team.<br />

Take a Security-by-Design Approach<br />

One of the primary challenges during the M&A process is promoting awareness among all employees<br />

about the importance of cybersecurity. Developing and implementing a thorough merger integration plan,<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 56<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


one that is supported by management and IT, along with input from the corporate compliance team, is<br />

critical to achieving success. Attention to detail, particularly regarding how system integration affects daily<br />

business operations, is crucial.<br />

Collaboration between the two companies is essential. <strong>The</strong> acquiring company must give the target<br />

company the flexibility to adopt the integration and cybersecurity strategy without disrupting existing<br />

business processes. Doing so will benefit everyone, ranging from increasing employee collaboration to<br />

alerting all employees to the importance of adhering to cybersecurity policies.<br />

One option during the M&A process is to consider insurance <strong>for</strong> cyber risks. While the coverage depends<br />

on the potential impact of damages, the focus should be on “cost per record”. If a breach happens and<br />

bad actors demand a ransom, the question is, what is typically the average cost per compromised record?<br />

Understanding the sensitivity of data being managed is the primary issue. <strong>The</strong>re are different types of<br />

insurance coverage <strong>for</strong> this situation, so research options thoroughly be<strong>for</strong>e making any final decisions.<br />

Lastly, include other teams in the integration discussion, including management teams. <strong>The</strong>se teams can<br />

contribute in many ways, from ensuring future operating models to addressing daily business processes.<br />

Planning <strong>for</strong> Today Leads to a Better Tomorrow<br />

M&A is challenging enough <strong>for</strong> both companies, let alone the implications of IT integration and addressing<br />

cybersecurity issues. Identifying and addressing existing cybersecurity threats be<strong>for</strong>e the merger puts<br />

the new company in a stronger position to succeed.<br />

Having a carefully designed integration plan, based on the four steps outlined above, helps ensure that<br />

both companies are better protected. Seamless integration is never easy, yet it is critical to protecting the<br />

integrity, reputation, and profitability of both companies. Shining a light on the importance of cybersecurity<br />

throughout both organizations and building a solid culture around cybersecurity dramatically reduces<br />

risks and sets the new company up <strong>for</strong> success.<br />

About the Author<br />

Saugat Sindhu is the Senior Partner and Global Head, Advisory Services of<br />

Wipro Limited. He leads a diverse group of practitioners globally, providing<br />

management consulting and business advisory services at Wipro focused on<br />

cybersecurity and risk, and related technology integration and trans<strong>for</strong>mation<br />

services <strong>for</strong> commercial and public sector clients. He is responsible <strong>for</strong> leading<br />

strategy development and execution planning, industry motions, solution<br />

innovation, and client service <strong>for</strong> Wipro’s <strong>Cyber</strong> Advisory business. His major<br />

industry expertise includes Media, Technology and Telecom. Saugat can be<br />

reached online at https://www.linkedin.com/in/saugatsindhu/ and at our<br />

company website https://www.wipro.com.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 57<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


BYTE BY BYTE<br />

How Ransomware is Sinking its Teeth into Dental Practices<br />

By Thomas Terronez, CEO, Medix Dental IT<br />

In an era where digital trans<strong>for</strong>mation is reshaping healthcare, dental practices find themselves caught<br />

in a perfect storm of cybersecurity vulnerabilities. As ransomware attacks surge across the healthcare<br />

sector, dental offices have become prime targets, facing risks that threaten not just patient data, but the<br />

very core of their operations. Let's drill down into this pressing issue and extract some actionable insights<br />

<strong>for</strong> dental IT leaders and healthcare CISOs.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 58<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> Root Canal of the Problem: Ransomware's Evolution<br />

Ransomware attacks in healthcare aren't just a cavity in the system - they're a full-blown abscess. <strong>The</strong>se<br />

digital extortionists have evolved from opportunistic script kiddies to sophisticated criminal enterprises,<br />

targeting the healthcare sector with surgical precision. Why? Because health data is the crown jewel of<br />

personal in<strong>for</strong>mation, and dental practices are often the weakest link in the chain.<br />

<strong>The</strong> modus operandi is simple yet devastating: encrypt critical data, demand a ransom, and watch as<br />

practices scramble to maintain operations. But here's the kicker - paying the ransom is like trying to fill a<br />

cavity with cotton candy. It might provide temporary relief, but the underlying issue remains, and you're<br />

likely to face more pain down the road.<br />

X-Ray of Vulnerability: Why Dental Practices are Prime Targets<br />

Now, you might be wondering, "Why are dental practices such juicy targets?" Well, let's take a panoramic<br />

view of the situation:<br />

1. Cloud Adoption Lag: While other industries have migrated to the cloud faster than a tooth<br />

extraction, dental practices are still largely reliant on local servers. This creates an ideal petri dish<br />

<strong>for</strong> ransomware to grow and spread.<br />

2. Software Privileges: Many dental software solutions require elevated system privileges to<br />

function correctly. It's like giving every patient a key to the medicine cabinet - a recipe <strong>for</strong> disaster.<br />

3. IT Support Shortcomings: Most dental practices rely on small IT providers who, bless their<br />

hearts, are about as prepared <strong>for</strong> cybersecurity threats as a toothbrush is <strong>for</strong> a root canal. <strong>The</strong>ir<br />

focus on immediate, visible results often comes at the expense of crucial behind-the-scenes<br />

security measures.<br />

4. Training Gaps and High Turnover: <strong>The</strong> dental industry's lack of consistent cybersecurity<br />

training, combined with high staff turnover, creates a revolving door of vulnerability. It's like<br />

constantly changing the combination to your safe but <strong>for</strong>getting to tell anyone the new code.<br />

5. Underreporting of Incidents: Many ransomware attacks on individual practices go unreported,<br />

creating a false sense of security that's about as reliable as a chocolate toothpaste. This<br />

underreporting stems from a lack of understanding about legal obligations and a desire to avoid<br />

negative publicity.<br />

<strong>The</strong> Painful Bite of Ransomware: Impact on Dental Practices<br />

When ransomware strikes a dental practice, the pain is felt far beyond the initial sting. Let's break down<br />

the broader impacts:<br />

1. Operational Paralysis: Imagine walking into your practice one morning to find all your patient<br />

records, appointment schedules, and billing in<strong>for</strong>mation locked away. It's like showing up to<br />

per<strong>for</strong>m a root canal with your hands tied behind your back.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 59<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


2. Financial Hemorrhage: <strong>The</strong> costs of a ransomware attack extend far beyond any potential<br />

ransom payment. <strong>The</strong>re's the lost revenue from appointment cancellations, the expense of hiring<br />

cybersecurity experts, and potential legal fees. It's enough to make even the most successful<br />

practice feel like it's been put through the financial wringer.<br />

3. Reputational Decay: In an age where patient trust is as fragile as enamel in a soda bath, a data<br />

breach can erode years of carefully built reputation. Patients might start looking <strong>for</strong> a new dental<br />

home faster than you can say "open wide."<br />

4. Regulatory Headaches: HIPAA violations resulting from a data breach can lead to hefty fines<br />

and increased scrutiny. It's like getting a surprise audit from the dental board, but with potentially<br />

more severe consequences.<br />

Filling the Cavities: Best Practices <strong>for</strong> Prevention<br />

So, how can dental practices protect themselves from this digital decay? Here are some best practices<br />

to implement:<br />

1. Embrace the Cloud: It's time to pull that old server like an impacted wisdom tooth. Cloud<br />

solutions offer better security, automatic updates, and off-site backups.<br />

2. Implement Least Privilege Access: Not everyone needs the keys to the kingdom. Restrict<br />

access rights to the minimum necessary <strong>for</strong> each role.<br />

3. Invest in <strong>Cyber</strong>security Training: Regular training sessions <strong>for</strong> all staff members are as crucial<br />

as teaching proper brushing techniques to patients. Make it engaging, make it frequent, and make<br />

it stick.<br />

4. Backup, Backup, Backup: Implement a robust backup strategy that includes off-site and offline<br />

backups. It's your practice's dental insurance against data loss.<br />

5. Partner with <strong>Cyber</strong>security Experts: Your IT provider should be as specialized in security as<br />

you are in dentistry. Don't settle <strong>for</strong> jack-of-all-trades support when it comes to protecting your<br />

practice.<br />

6. Implement Multi-Factor Authentication: This simple step can be as effective in preventing<br />

unauthorized access as flossing is in preventing gum disease.<br />

7. Stay Updated: Keep all software and systems patched and updated. Outdated software is like<br />

an open cavity - a breeding ground <strong>for</strong> problems.<br />

8. Develop an Incident Response Plan: Have a clear, documented plan <strong>for</strong> responding to a<br />

ransomware attack. It's like having an emergency kit ready - you hope you never need it, but you'll<br />

be glad it's there if you do.<br />

Conclusion: A Call to Action<br />

<strong>The</strong> threat of ransomware to dental practices is not a matter of if, but when. As healthcare IT leaders and<br />

CISOs, it's crucial to recognize the unique vulnerabilities of dental practices and take proactive steps to<br />

protect them. By implementing robust cybersecurity measures, we can ensure that dental practices<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 60<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


continue to focus on what they do best - caring <strong>for</strong> patients' oral health - without the looming threat of<br />

digital extortion.<br />

Remember, in the fight against ransomware, an ounce of prevention is worth a pound of cure. Don't wait<br />

<strong>for</strong> a breach to occur be<strong>for</strong>e taking action. Start implementing these best practices today, and help create<br />

a future where dental practices are as secure digitally as they are sterile physically.<br />

After all, we want our patients smiling because of our excellent care, not grimacing at the thought of their<br />

data being held hostage. Let's bite back against ransomware and keep our practices - and our patients -<br />

safe and sound.<br />

About the Author<br />

Thomas Terronez is the CEO and Founder of Medix Dental IT. With over 20<br />

years of experience in dental IT, Thomas is one of the nation's renowned<br />

dental technology leaders. Thomas' mission is to lead dental organizations<br />

through operational and scaling challenges by leveraging technology. He has<br />

a <strong>for</strong>ward-thinking outlook and is solution-focused, which has led him to work<br />

with the top dental vendors on evolving and developing the technology<br />

infrastructure <strong>for</strong> the industry's future. Presently, Thomas consults with dental<br />

groups, software companies and DSOs across the country on technology<br />

strategy. Thomas can be reached online at tom@medixdental.com and at our<br />

company website https://medixdental.com.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 61<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Why Manufacturing IT Leaders are Turning to AI-Powered<br />

<strong>Cyber</strong>security Training<br />

By Sam Zheng, PhD., CEO & Co-Founder, DeepHow<br />

In the rapidly evolving digital landscape, cybersecurity has emerged as a critical concern, particularly <strong>for</strong><br />

the manufacturing sector. Recent data highlights a staggering 165% surge in cyber-attack attempts on<br />

manufacturing facilities, a rate significantly higher than in other industries. This alarming trend<br />

underscores not only the vulnerability of manufacturing operations to cyber threats but also the<br />

paramount importance of robust cybersecurity training.<br />

<strong>Cyber</strong>security training methods must evolve to ensure the highest level of safety <strong>for</strong> both manufacturing<br />

organizations and their respective individual employees. <strong>Cyber</strong> threat actors have often manipulated<br />

individual employees with in<strong>for</strong>mation related to their position or to senior leadership. Effective training<br />

methods to prevent common scams must be employed to ensure that every employee, at every level, is<br />

equipped with the necessary knowledge to identify the signs of an attempted attack.<br />

<strong>The</strong> Rise of <strong>Cyber</strong> Threats in Manufacturing<br />

Manufacturing facilities increasingly integrate digital technologies, making them prime targets <strong>for</strong><br />

cybercriminals. <strong>The</strong>se facilities often deal with sensitive data, proprietary manufacturing processes, and<br />

critical infrastructure systems that, if compromised, could lead to severe operational disruptions, financial<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 62<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


losses, and safety hazards. <strong>The</strong> variety of threats ranges from sophisticated ransomware campaigns to<br />

intricate phishing schemes, each designed to exploit specific vulnerabilities.<br />

In 2023, manufacturing was the third-most targeted industry <strong>for</strong> ransomware and fourth <strong>for</strong> business email<br />

compromise. In addition to frequency, which has continued to rise year after year, the median cost of a<br />

manufacturing ransomware attack is now $500,000 USD. For example, in August 2023, Clorox, a wellknown<br />

manufacturer and marketer of consumer and professional products, fell victim to a cyber-attack.<br />

Hackers infiltrated the company’s systems and deployed ransomware, encrypting critical files and<br />

demanding a ransom.<br />

To contain the spread of the ransomware, Clorox shut down its systems upon detection. Although the<br />

production systems themselves were not directly compromised, the disruption to operational support<br />

systems made it difficult to process orders effectively. This led to a halt in production, causing a supply<br />

shortage and resulting in recovery costs that exceeded $50 million.<br />

<strong>The</strong> Shift to AI-Powered <strong>Cyber</strong>security Training<br />

Given the complexity and frequency of these threats, traditional cybersecurity training methods are no<br />

longer sufficient. Manufacturing IT leaders are turning to AI-powered solutions to enhance their<br />

cybersecurity training programs. Here's why AI is becoming indispensable in this field:<br />

Personalization: AI technologies enable personalized training experiences that cater to the unique<br />

needs and learning paces of individual employees, which is crucial in a field as complex as cybersecurity.<br />

Scalability: AI-powered plat<strong>for</strong>ms can easily scale up to accommodate new users and update training<br />

modules as new threats emerge, ensuring that the cybersecurity training is always current and relevant.<br />

Simulation and Testing: Through realistic simulations, AI-driven training plat<strong>for</strong>ms can create scenarios<br />

that mimic actual cyber threats, providing employees with hands-on experience in identifying and<br />

mitigating risks without the real-world consequences.<br />

Efficiency: AI significantly reduces the time and resources required to train employees, allowing <strong>for</strong> more<br />

frequent training sessions and updates, which are essential in keeping pace with the dynamic nature of<br />

cyber threats.<br />

Benefits of AI-Driven <strong>Cyber</strong>security Training in Manufacturing<br />

<strong>The</strong> implementation of AI-driven training programs has several tangible benefits:<br />

Enhanced Threat Recognition: Employees trained through AI-enhanced programs are quicker and<br />

more accurate in recognizing potential cyber threats, reducing the likelihood of successful breaches.<br />

Faster Response Times: In the event of a cyber-attack, a well-trained work<strong>for</strong>ce can respond more<br />

swiftly and effectively, minimizing damages.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 63<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Cost Savings: By preventing cyber-attacks, companies save on the potential costs of data breaches,<br />

which can include regulatory fines, legal fees, and reputational damage.<br />

Future Outlook<br />

As cyber threats continue to evolve, so too will the technologies designed to combat them. AI in<br />

cybersecurity training will play an increasingly critical role in ensuring that employees across all levels of<br />

an organization are equipped not just to respond to cyber threats, but to anticipate and neutralize them<br />

proactively.<br />

Manufacturing IT leaders are at the <strong>for</strong>efront of adopting AI-driven cybersecurity training solutions,<br />

recognizing that these advanced tools are no longer just advantageous but essential. <strong>The</strong> shift towards<br />

AI-powered training is not just about keeping up with technological trends but about making a strategic<br />

investment in the security and resilience of manufacturing operations.<br />

As the landscape of cyber threats grows more complex, the role of AI in cybersecurity training becomes<br />

more critical. For manufacturing sectors, where the stakes are exceptionally high, it is imperative to<br />

leverage the best tools available. AI-driven cybersecurity training represents a <strong>for</strong>ward-thinking approach<br />

that not only addresses current challenges but also sets a foundation <strong>for</strong> enduring security.<br />

About the Author<br />

Sam Zheng, CEO and Co-Founder of DeepHow, spearheads a rapidly evolving<br />

startup, backed by esteemed investors. DeepHow revolutionizes skilled<br />

work<strong>for</strong>ce training with an innovative, AI-powered, video-centric knowledge<br />

capturing and transfer plat<strong>for</strong>m.<br />

Prior to DeepHow, Sam dedicated over a decade to Siemens, driving digital<br />

innovation across various industries. His noteworthy projects, such as the Cloud<br />

Digital Inspection Jacket, have significantly improved technical knowledge<br />

sharing, efficiency, and user experience, earning his team the prestigious<br />

Siemens Innovation Award.<br />

Simultaneously, Sam serves as an Adjunct Professor of Psychology at Tsinghua University and holds a<br />

Ph.D. in Engineering Psychology and a Master’s in Statistics from the University of Illinois at Urbana-<br />

Champaign.<br />

Sam Zheng can be reached online at sam.zheng@deephow.com.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 64<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


A CISO’s Guide to Managing Risk as the World Embraces AI<br />

Leveraging Ai to Identify, Prioritize, And Remediate Our Highest-Risk Vunerabilities<br />

By Karthik Swarnam, Chief Security and Trust Officer, ArmorCode<br />

As Generative AI becomes more deeply integrated into our digital landscape, organizations face a<br />

growing need to manage application, technology, and cybersecurity risks effectively. <strong>The</strong> rapid evolution<br />

of AI technology amplifies the ease, potential, and complexity of cyberattacks. To better navigate this<br />

dynamic environment, organizations can adopt innovative approaches to prioritize risk management,<br />

optimize security and developer team collaboration, and improve per<strong>for</strong>mance metrics.<br />

Risk Prioritization in the Face of AI<br />

<strong>The</strong> proliferation of AI-driven applications and systems has led to an explosion of new security<br />

vulnerabilities. Common vulnerabilities and exposures (CVEs) have surged 500 percent in the past<br />

decade, making it increasingly challenging <strong>for</strong> organizations to manage and prioritize risks. Traditional<br />

methods of assessing vulnerabilities based solely on technical severity are no longer sufficient. Instead,<br />

taking a comprehensive approach that considers unique business contexts and real-time threat<br />

intelligence is essential.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 65<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Modern risk prioritization tools can provide organizations with a unified view of security findings,<br />

contextualized by their potential business impact. By normalizing the severity of findings across different<br />

security tools and assessing the business implications of affected assets, organizations can generate a<br />

single adaptive risk score. This approach allows security teams to focus on the most critical vulnerabilities<br />

first, optimizing remediation ef<strong>for</strong>ts and improving overall security posture.<br />

To take it a step further, an AI-powered plat<strong>for</strong>m can ingest data from multiple security scanners/sources,<br />

normalize the findings and produce a prioritized list of risks based on business context and active threat<br />

intelligence. This method not only reduces time and resources spent on low-priority issues but also<br />

enhances security effectiveness by targeting the vulnerabilities that pose the greatest risk to the<br />

organization.<br />

Leveraging AI <strong>for</strong> Enhanced Security<br />

AI itself plays a key role in improving cybersecurity risk management. AI-driven plat<strong>for</strong>ms can analyze<br />

vast amounts of data from diverse sources to uncover trends and issues, and provide deeper insights<br />

and more accurate threat detection. Machine learning algorithms and natural language processing can<br />

also enable these plat<strong>for</strong>ms to correlate findings from different security tools, providing a more holistic<br />

view of the security landscape than using a single solution without AI.<br />

One of the other key benefits of AI-powered application security solutions is their ability to reduce<br />

duplicate findings and false positives across various scanners. For example, the same vulnerability might<br />

be reported by both static application security testing (SAST) and dynamic application security testing<br />

(DAST) tools. AI can correlate these findings, eliminate redundancy and streamline the remediation<br />

process. This capability not only reduces the workload <strong>for</strong> security and development teams but also<br />

accelerates the mean time to remediation (MTTR).<br />

Moreover, AI enhances the precision of vulnerability assessments. By integrating pre-production and<br />

runtime analysis, AI-powered plat<strong>for</strong>ms can provide strong signals about the real impact of identified<br />

issues. This enables security teams to address the root causes of vulnerabilities more efficiently,<br />

improving the speed and accuracy of remediation ef<strong>for</strong>ts.<br />

Collaboration Between Security and Development Teams<br />

Effective cybersecurity risk management also requires seamless collaboration between security and<br />

development teams. AI-powered plat<strong>for</strong>ms facilitate this collaboration by providing a unified view of risks<br />

and remediation priorities. This shared perspective helps both teams to align their ef<strong>for</strong>ts and focus on<br />

what matters most.<br />

One of the significant challenges in application security is the disconnect between security findings and<br />

their resolution. Developers often receive numerous security alerts without clear guidance on<br />

prioritization, leading to inefficient remediation processes and delayed software releases. AI-powered<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 66<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


plat<strong>for</strong>ms bridge this gap by correlating security findings with development workflows, ensuring that<br />

appropriate issues are promptly routed to the appropriate teams.<br />

Additionally, remediation workflows should be automated based on risk scores. By automating routine<br />

tasks and providing actionable insights, AI-powered solutions can enhance security team productivity<br />

and enable faster, more secure software releases. This collaborative approach not only improves security<br />

outcomes but also fosters a culture of shared responsibility and continuous improvement.<br />

Holistic Governance Layer Across Risks<br />

To protect against threats, CISOs need a comprehensive governance layer to see across their full scope<br />

of risk, including perspective on all tools and teams from developers to cloud security. As AI continues to<br />

reshape the digital landscape, managing cybersecurity risk will be more complex and critical than ever.<br />

Furthermore, proper governance helps determine the ideal time to change an organization’s scanners or<br />

shift security sources by keeping their efficacy more transparent. When that governance layer is<br />

overseeing a security approach based on risk, it is able to provide the modularity necessary to keep<br />

programs effective.<br />

<strong>The</strong> ability to identify, prioritize, and remediate the highest-risk vulnerabilities efficiently is essential. AIpowered<br />

plat<strong>for</strong>ms offer a new model <strong>for</strong> cybersecurity risk management, empowering organizations to<br />

stay ahead of emerging threats and maximize the ROI of their security investments. Organizations should<br />

prioritize their greatest business risks, use AI to enhance their security, and foster collaboration between<br />

security and development teams. By doing so, they can navigate the challenges of the AI era and improve<br />

their risk and security posture.<br />

About the Author<br />

Karthik Swarnam is Chief Security and Trust Officer at ArmorCode. He is a<br />

<strong>Cyber</strong>security Leader with over 25 years of experience, including <strong>for</strong>mer<br />

CISO roles with Kroger, DIRECTV, and TransUnion. Karthik can be reached<br />

on LinkedIn and more in<strong>for</strong>mation can be found on ArmorCode’s website<br />

https://www.armorcode.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 67<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


A Cloud Reality Check <strong>for</strong> Federal Agencies<br />

By James Langley, Master Solutions Consultant, Hitachi Vantara Federal<br />

<strong>The</strong> move to cloud is not slowing down – spending by Federal civilian agencies on cloud computing could<br />

reach $8.3 billion in Fiscal Year (FY) 2025. But despite years of guidance (from Cloud First to Cloud Smart)<br />

on how agencies should tackle that journey, cloud adoption remains an unfulfilled priority <strong>for</strong> the<br />

government.<br />

In fact, the 17 th Federal IT Acquisition Re<strong>for</strong>m Act (FITARA) scorecard included a new cloud scoring<br />

category – which subsequently caused agency scores to decline. This isn’t necessarily a bad thing – the<br />

low scores highlight clear areas of improvement <strong>for</strong> Federal agencies. Despite guidance and a clear path<br />

<strong>for</strong>ward, agencies are grappling to unlock cloud’s full potential.<br />

<strong>The</strong> Right Road to Cloud<br />

Cloud adoption is not a mere checkbox exercise, it is a strategic initiative that has the potential to offer<br />

scalability and efficiency improvements. To successfully adopt cloud technologies, agencies should start<br />

by conducting thorough cost-benefit analyses to understand the financial implications of different cloud<br />

adoption strategies and make in<strong>for</strong>med decisions that fit their budgets and operational needs.<br />

Unpredictable costs often limit agencies' ability to secure essential funds <strong>for</strong> cloud infrastructure and<br />

services. While it’s inexpensive to move data into the cloud, it costs a lot to get the data out. <strong>The</strong> costs<br />

associated with cloud adoption – like access or egress fees – are difficult to model and while agencies<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 68<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


can leverage the cloud <strong>for</strong> more availability when needed, they can’t always reduce that capacity. This<br />

leaves agencies paying <strong>for</strong> cloud capabilities they aren’t using. Further, traditional government budget<br />

cycles do not match the flexible, on-demand nature of cloud spending, posing expense management and<br />

cost-efficiency challenges.<br />

To alleviate these concerns and manage costs, agencies should regularly review and optimize resource<br />

allocations. By establishing clear governance policies <strong>for</strong> cloud spending, like setting budget limits and<br />

defining approval processes, agencies can promote accountability and ensure smart spending<br />

department-wide.<br />

When it comes to modernization, a phased approach is wise. It allows agencies to migrate workloads<br />

gradually and strategically, minimizing risks and disruptions. Prioritizing applications based on complexity<br />

and impact helps manage the migration smoothly. Hybrid cloud solutions are also beneficial, letting<br />

agencies blend their existing on-premises infrastructure with cloud resources at their own pace. This way,<br />

they maintain control over critical applications and data while embracing modern cloud capabilities<br />

effectively.<br />

Aligning Cloud Adoption with Mission Objectives<br />

It is crucial <strong>for</strong> agencies to take a mission-driven approach when pursuing cloud initiatives. This means<br />

clearly understanding how cloud technologies can directly contribute to achieving their core goals,<br />

improving service delivery, and enhancing overall operational efficiency. By developing a strategic plan<br />

that outlines specific outcomes, key milestones, and per<strong>for</strong>mance metrics, agencies can effectively map<br />

out their cloud journey to align with broader organizational objectives. This should be a dynamic<br />

document, regularly reviewed and updated to adapt to evolving priorities and new opportunities.<br />

Involving stakeholders is equally essential. Engaging IT staff, business leaders, and end-users when<br />

developing the strategy ensures that all perspectives and needs are considered from the outset. This<br />

collaboration not only enhances the quality of decision-making but also fosters a sense of ownership and<br />

commitment to the cloud adoption strategy throughout the organization. By involving stakeholders early<br />

on, agencies can leverage their expertise to identify potential challenges, refine strategies, and maximize<br />

the benefits of cloud technologies in achieving mission success.<br />

Tailored Cloud Adoption <strong>for</strong> Strategic Modernization<br />

For Federal agencies to achieve successful cloud adoption, it requires a holistic approach tailored to their<br />

specific operational needs. Instead of opting <strong>for</strong> generic solutions, agencies should customize their cloud<br />

implementations to maximize the benefits of modern technology. This not only enhances operational<br />

efficiency but also supports mission objectives more effectively.<br />

Prioritizing stringent security protocols is also crucial. Agencies must implement and continuously monitor<br />

these measures to safeguard sensitive data and comply with Federal regulations, reducing cloud<br />

adoption risks. Additionally, modernizing legacy systems requires strategic refactoring rather than a<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 69<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


simple "lift and shift" approach. By refactoring applications to utilize cloud-native features fully, agencies<br />

not only enhance per<strong>for</strong>mance but also prepare <strong>for</strong> long-term scalability and innovation in the cloud.<br />

By embracing these principles – holistic customization, robust security, and strategic modernization—<br />

Federal agencies can navigate the complexities of cloud adoption and realize the full benefits, like greater<br />

operational agility, cost-efficiency, and mission success.<br />

About the Author<br />

James Langley is the Master Solutions Consultant of Hitachi Vantara<br />

Federal, a wholly owned subsidiary of Hitachi Vantara, with more than 20<br />

years of experience in the IT industry and a decade as a trusted adviser<br />

<strong>for</strong> federal civilian, defense and intelligence agencies. James can be<br />

reached at james.langley@hitachivantarafederal.com or at our company<br />

website www.hitachivantarafederal.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 70<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> Unsolvable Problem: XZ and Modern Infrastructure<br />

By Josh Bressers, Vice President of Security, Anchore<br />

<strong>The</strong> ongoing prevalence (and rise) of software supply chain attacks is enough to keep any software<br />

developer or security analyst up at night. <strong>The</strong> recent XZ backdoor attack is finally behind us, and luckily<br />

there was no widespread reach of the backdoored library. If you hadn’t heard, this software supply chain<br />

attack was a malicious ef<strong>for</strong>t that targeted Linux systems, and this attack had been years in the making.<br />

<strong>The</strong>re’s no denying that an event like XZ will happen again, and we may not be so lucky next time. But<br />

what hasn’t been discussed is how what happened with XZ isn’t a problem we can solve with best<br />

practices today. So, if we can’t solve this problem of backdoor supply chain attacks, how do we chart a<br />

safe route <strong>for</strong>ward?<br />

<strong>The</strong> Unsolvable Problem<br />

Sometimes reality can be harsh, but the painful truth about this sort of backdoor attack is that there is no<br />

solution, we simply don’t know how to solve this one. Many projects and organizations are happy to<br />

explain how they keep you safe, or how you can prevent software supply chain attacks, by doing this one<br />

simple thing. However, the industry as it stands today lacks the ability to prevent an attack created by a<br />

motivated and resourced threat actor. In fact, the Anchore 2022 Software Supply Chain Security Report<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 71<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


shows that the security of open source software containers is ranked as the number one challenge by<br />

24% of respondents, so this is not an isolated business concern. <strong>The</strong> same survey also reports that more<br />

than half of respondents say that securing the software supply chain is a top or significant focus. This<br />

indicates that recent, high-profile attacks like the XZ attack have put software supply chain security on<br />

the radar <strong>for</strong> the majority of organizations.<br />

If there is a malicious open source maintainer, we (as an industry) lack the tools and knowledge to prevent<br />

this sort of attack, as you can’t actually stop such behavior until after it happens. When we use open<br />

source software, there is so much of it, we can’t possibly vet it. We rely on the community to help find<br />

and fix problems, which is exactly what happened with the XZ backdoor attack.<br />

However, that doesn’t mean we are helpless. We can take a page out of the playbook of the observability<br />

industry. Sometimes we're able to see problems as they happen or after they happen, then use that<br />

knowledge from the past to improve the future, that is a problem we can solve. And it’s a solution that we<br />

can measure. If you have a solid inventory of your software, past, present, and future, then looking <strong>for</strong><br />

affected versions of XZ becomes simple and effective.<br />

Today and Tomorrow<br />

Looking <strong>for</strong> a vulnerable version of XZ, specifically versions 5.6.0 and 5.6.1, sounds like it should be an<br />

easy task, but trying to solve a problem like this at scale is always a challenge. We don’t know what we<br />

will need to quickly search <strong>for</strong> in the future. Will it be a binary file, a python package, or maybe just a<br />

checksum. Since we don’t know what the next attack will be, an accurate inventory will be important.<br />

<strong>The</strong> industry is currently putting a focus on using a software bill of materials, or SBOM, as the way to<br />

track the contents of software. We see a focus on these inventories in new development standards such<br />

as the secure software development framework, or SSDF. By using an SBOM to track software inventory,<br />

we have a standardized way to not only track our own software, but to also share those inventories with<br />

our customers and partners, and to receive an SBOM from our suppliers. SBOMs aren’t perfect, but they<br />

are the first step to having software inventories we can use in the future.<br />

What Now?<br />

Anyone who has been following industry news is probably wondering what supply chain story will happen<br />

next. <strong>The</strong> size and complexity of open source software is enormous and growing more complex every<br />

day. Open source is so embedded in our products and services now there’s no way we can stop using<br />

it, it’s here to stay, so what responsibilities do we have? If it’s too big to fail, and too big to fix, we have to<br />

figure out how we can use open source in ways that make sense. We have technologies now to help<br />

keep track of your open source software components, but just keeping track is the first step. It’s just as<br />

important to move quickly when the next XZ shows up. If we’re going to use open source, we have to<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 72<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


move at the speed of open source. We can’t solve the problem that brought us to XZ, but we can make<br />

sure when the next one happens, we can start responding in minutes instead of days.<br />

About the Author<br />

Josh Bressers is the Vice President of Security at Anchore, a modern<br />

software composition analysis company that focuses on automated software<br />

compliance to save time and reduce risk.<br />

At Anchore he guides security feature development <strong>for</strong> the company’s<br />

commercial and open source solutions. He is a co-lead of the OpenSSF<br />

SBOM Everywhere project, and is a Co-Founder of the Global Security<br />

Database project at the Cloud Security Alliance.<br />

Bressers can be reached on LinkedIn or by visiting www.anchore.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 73<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Autonomous, Deterministic Security <strong>for</strong> Mission-Critical IOT<br />

Systems<br />

From <strong>Cyber</strong>security Principles to Effective Protection<br />

By Tal Ben-David, VP R&D and Co-Founder, Karamba Security<br />

Mission-Critical Iot Systems: <strong>Cyber</strong>security Principles<br />

In creating an effective cybersecurity strategy <strong>for</strong> IoT systems, software architects examine obstacles that<br />

limit the security options <strong>for</strong> their target systems.<br />

To deliver a proactive cyber defense without risking business continuity, cyber threat protection must<br />

overcome:<br />

• Business continuity interruption due to remediation lag<br />

• Zero-day and day-one attacks<br />

• False positives<br />

• Slowed per<strong>for</strong>mance<br />

<strong>The</strong> obstacles that hinder cybersecurity <strong>for</strong> IoT systems must be addressed to achieve the level of<br />

security and per<strong>for</strong>mance needed in these systems.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 74<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


With this goal in mind, we have identified five primary defense strategies:<br />

• Automatically-generated multi-dimensional allow lists<br />

• Automatically-embedded access control<br />

• Automatically-embedded Control-Flow Integrity<br />

• Enabling vendor-sourced updates<br />

• Eliminating developer disruption<br />

<strong>The</strong> solution involves hardening mission-critical IoT systems to their factory settings, where each layer<br />

of protection seals the device’s software against different types of attacks.<br />

Automatically-generated multi-dimensional allow lists<br />

To overcome multiple challenges, the backbone of cybersecurity should be deterministic (a detailed look<br />

at Deterministic Security can be found later in this article.)<br />

Such solution leverages the deterministic nature of IoT systems. Any change, which was not authorized<br />

by the system’s vendor must imply a hacking attempt. Hardening the binaries against changes and<br />

deterministically preventing any unauthorized attempt to change them means stopping hackers be<strong>for</strong>e<br />

they succeed in exploiting zero-day or day-one attacks.<br />

Allow-list of executables<br />

<strong>The</strong> allow-list en<strong>for</strong>cement component should integrate with the OS program-loading and file-access<br />

services. All executables can be checked against the allow list, including files (operating system and<br />

applications), shared objects, and scripts. Each time any binary is loaded, its unique signature is<br />

calculated based on the content of the file and compared to a database of approved application<br />

signatures.<br />

If the binary is on the allow list, it is permitted to run. If not listed, it is not a legitimate component originating<br />

within the device’s factory settings. As soon as malicious code attempts to be loaded to memory, the<br />

security filter stops the binary from loading.<br />

An additional dimension of protection can allow <strong>for</strong> definition of associative execution, in which only<br />

specified applications are allowed to run each of the executables on the Allow List.<br />

This security policy is signed with a private key to prevent tampering. <strong>The</strong> signed policy and the public<br />

key can then be embedded in the device.<br />

Automatically-embedded access control<br />

A protected application should per<strong>for</strong>m a set of finite operations, as defined in the systems’ production<br />

software.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 75<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


When applying the protection, it should be possible to specify files that will have restricted operations and<br />

access during runtime. Selected applications, identified by their hashes, can be granted access to<br />

restricted operations on the protected files.<br />

For example, it should be possible to block remove, chmod and chown operations, and limit Read and/or<br />

Write access as needed.<br />

Automatically-embedded Control-Flow Integrity (CFI)<br />

CFI is essentially an allow-list at the function graph level <strong>for</strong> the application. It enables per<strong>for</strong>ming realtime<br />

integrity validation of function calls and function returns, to make the system self-defending and<br />

impervious to in-memory attacks such as buffer overflows and heap overflows.<br />

A static analysis engine is used to analyze the binaries (not the source code) of the build. <strong>The</strong> engine<br />

then automatically maps all valid function-call sequences and call locations. With this call graph, the CFI<br />

engine ensures in runtime that only legitimate function calls are executed. It also blocks any attempt to<br />

load malware directly into memory.<br />

<strong>The</strong> resulting system is no longer a potential attack surface. Once a deviation of a function call or a return<br />

pointer from the pre-defined control flow graph is identified, it deterministically infers an attempt to exploit<br />

an in-memory vulnerability within the device’s software. Proactive measures can then be taken to prevent<br />

the attack be<strong>for</strong>e it takes control of the targeted device.<br />

Enabling vendor-sourced updates<br />

<strong>Cyber</strong>security “overkill” needs to be avoided. If a protection mechanism is designed to block all changes<br />

blindly, it would block legitimate software updates made by the vendor. When a feature is added or<br />

enhanced, the security solution must be flexible enough to allow these updates and generate<br />

corresponding policy changes.<br />

<strong>The</strong> update mechanism should be able to incorporate new validation rules seamlessly any time the<br />

software of the IoT device is updated, so that new components are allow-listed in the same secure manner<br />

as they were during the original build.<br />

Eliminating developer disruption<br />

<strong>The</strong>re is an inherent conflict between better security and the need to shorten development life cycles to<br />

increase the competitive position of the product. Any solution must harden the system without developer<br />

intervention, and without adjusting development processes.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 76<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Why Is Autonomous, Deterministic Security Crucial?<br />

Deterministic security is superior to heuristic security: deterministic validation is a distinct outcome of<br />

given circumstances, while heuristic conclusions are based on past statistics and learned behavior<br />

patterns. It is not feasible, however, to aim <strong>for</strong> deterministic protection in all types of systems and<br />

scenarios. Heuristics are there<strong>for</strong>e applied in cases where deterministic security cannot: Where changes<br />

occur frequently, and a safe baseline (“known good”) cannot be established, let alone be identical across<br />

many systems.<br />

Heuristic methods, and related analytics and machine- learning techniques, have become the de-facto<br />

standard in IT/cloud environments, <strong>for</strong> enterprises or data centers. However, this approach fails when it<br />

is applied to environments in which it cannot deliver: namely, constrained environments. In environments<br />

such as connected/IoT devices, routers, gateways, or ECUs in vehicles, heuristics can increase risk<br />

rather than reducing it.<br />

<strong>The</strong> cybersecurity approach must be adapted to the target environment it is protecting. <strong>The</strong><br />

IT/DataCenter/Cloud environment is resource-rich while the IoT device environment has limited CPU<br />

speed, I/O throughput, storage and memory capacities. Newly-deployed applications on data center<br />

servers and endpoints are diverse, while those of IoT systems are limited and pre-defined. In addition,<br />

data centers can rely on continuous internet connectivity and frequent updates, and IoT devices cannot.<br />

While in IT environments there are countless combinations and configurations, with constant updates<br />

and tolerance of a certain degree of error, networking-device and closed environments are resourceconstrained,<br />

cannot rely on internet updates, and run a defined set of functions within limited space.<br />

For a mission-critical IoT system, it is possible to define a “known- good” configuration ("factory settings"),<br />

and define a deterministic security policy, whereas each deviation from this known good can be<br />

deterministically prevented.<br />

By automatically hardening the system at the binary level, Autonomous Security aims to create selfprotecting<br />

devices. This solution reduces the need to urgently patch against newly-discovered attacks,<br />

which are deterministically prevented as changes to the device’s original binaries. <strong>The</strong> need <strong>for</strong> updates<br />

and day-to-day management, which impede both product roll-out and subsequent maintenance, is thus<br />

significantly reduced.<br />

Turning Strategies Into Effective Protection<br />

<strong>The</strong> Autonomous Deterministic Security model puts the conclusions drawn above into practice, effectively<br />

removing security constraints to create self-protecting devices.<br />

Deterministic Security can protect devices against hacking attempts automatically, including zero-day<br />

attacks and exploits of known, unpatched, vulnerabilities. It does not require developers’ intervention, and<br />

does not delay product time to market.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 77<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Deterministic Protection: Embedding Native Security<br />

Unlike laptops and servers, IoT systems are immutable. <strong>The</strong> binary code in a device can thus be sealed<br />

to prevent unauthorized changes; Only the vendor is able to modify the device, when needed. In this<br />

way, cybersecurity remains stable over the life of the device, significantly reducing the need <strong>for</strong><br />

continuous malware signature updates and security patches.<br />

Measuring Per<strong>for</strong>mance<br />

<strong>Cyber</strong>security protection cannot be added to IoT systems at the expense of hampering functionality due<br />

to slow per<strong>for</strong>mance. Any proposed solution must be tested <strong>for</strong> acceptable levels of added processing<br />

associated with validation. <strong>The</strong>re are also additional memory requirements <strong>for</strong> data structures accessed<br />

by validation code.<br />

Impact can be estimated by a set of per<strong>for</strong>mance indicators, an increase in file system size, and/or a<br />

decrease in available system RAM. Final system-per<strong>for</strong>mance tests ensure that measurements remain<br />

within the product per<strong>for</strong>mance specification’s allowed limits after security is added.<br />

Incident Response and Forensic Reporting<br />

<strong>The</strong> Autonomous Deterministic Security mechanism can issue instantaneous threat alerts as soon as an<br />

attack is detected and blocked. <strong>The</strong>se alerts identify which part of a system is being attacked, to in<strong>for</strong>m<br />

the incident response team.<br />

In accordance with best practices, self-protected solutions record any anomalous activity or attempts to<br />

access systems. <strong>The</strong>se incident logs are then sent to <strong>for</strong>ensic experts <strong>for</strong> analysis.<br />

With this goal in mind, the following elements can be logged to create a detailed threat analysis report:<br />

• File system operations<br />

• Network operations<br />

• Process and thread operations<br />

• Debugging attempts<br />

This in<strong>for</strong>mation is used to create analytic reports that include all <strong>for</strong>ensic data collected on the system<br />

around the time of the attack, including:<br />

• <strong>The</strong> exploited process<br />

• External connections involved<br />

• <strong>The</strong> type of attack (e.g., malicious application or code injection)<br />

• <strong>The</strong> malicious binary trails in the file system<br />

This type of data enables software developers to identify and fix the vulnerabilities that leave missioncritical<br />

systems exposed to potential threats.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 78<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Anti-Tampering<br />

Any cybersecurity solution must protect itself against any attempts to modify its own policies, remove<br />

en<strong>for</strong>cement engines, or hide malicious activities.<br />

This type of immutability can be achieved through a combination of software and, when available,<br />

hardware capabilities that verify the integrity of the policies and protection mechanisms.<br />

Ease of Deployment<br />

Another practical aspect of Autonomous Security relates to the time and budget constraints under which<br />

software developers operate. With a cybersecurity tool that automatically develops a customized security<br />

policy, there is no prerequisite training <strong>for</strong> the development team. <strong>The</strong> software build is enhanced<br />

automatically with allow-listing on multiple levels, and optimizations are put in place at the binary level.<br />

Automating Protection <strong>for</strong> <strong>The</strong> Life Of <strong>The</strong> Device<br />

<strong>The</strong> build process that includes an effective security solution must meet these security requirements<br />

without placing a burden on software developers. Developers should not be required to learn how to<br />

deploy, configure, and manage cybersecurity solutions; nor expose the product to coding errors that could<br />

produce new vulnerabilities.<br />

<strong>Cyber</strong>security solutions must be lightweight, since most resource-constrained devices are overloaded.<br />

Any security process that significantly increases the usage of the RAM or significantly degrades CPU<br />

per<strong>for</strong>mance will impact system operation and may result in compromised functionality.<br />

For these reasons, we recommend the described lightweight embedded solution that automatically<br />

generates the security policy during the software build process. Overhead is minimized, so there is<br />

negligible per<strong>for</strong>mance penalty in both original and updated releases.<br />

Conclusions<br />

Manufacturers following Autonomous Deterministic Security guidelines can achieve unparalleled<br />

protection of mission-critical IoT systems, while complying with industry regulations and standards.<br />

Deterministic embedded solutions provide numerous advantages:<br />

• Installed and operated without the need <strong>for</strong> developer resources or ongoing administration<br />

• Harden system binaries against <strong>for</strong>eign code or unallowed changes in runtime<br />

• Reduce the risk of false negatives and false positives<br />

• Provide immunity to zero-day and day-one in-memory and dropper attacks, regardless of<br />

unpatched vulnerabilities.<br />

• Can protect software running in containers and on hypervisor VMs<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 79<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


• Automate the security development process, reducing the time to market<br />

• Operate 24/7 without human intervention or Internet connectivity<br />

• Deliver detailed threat data <strong>for</strong> comprehensive <strong>for</strong>ensic analysis<br />

• Secure embedded systems over the lifetime of the device<br />

About Karamba Security<br />

Karamba Security is the world leader in End-to-End product security <strong>for</strong> Automotive and IoT devices.<br />

Mission-critical IoT product manufacturers such as HP, Samsung SDS, Volvo, Stellantis and Hitachi rely<br />

on Karamba’s products and services to seamlessly protect their IoT devices against cyberattacks.<br />

Karamba’s award-winning software enables IoT device manufacturers to secure their products against<br />

cyberattacks and meet industry regulations without interfering with their R&D teams or delaying their<br />

products’ time to market.<br />

About the Author<br />

Tal Ben-David is the VP R&D and Co-Founder of Karamba<br />

Security. He has over 25 years of experience in software<br />

development <strong>for</strong> high-scale, customer-facing security products. At<br />

Karamba, Tal manages the development, delivery and customer<br />

success of Karamba’s embedded security and posture<br />

management products, which are deployed in millions of devices<br />

globally.<br />

Tal can be reached online at Tal.bendavid@karambasecurity.com<br />

and at our company website https://karambasecurity.com.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 80<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Benefits of Network Monitoring Systems<br />

By Eddy Abou-Nehme, Owner and Director of Operations at RevNet<br />

Maintaining a resilient, secure, and efficient network infrastructure is more important than ever. Network<br />

monitoring systems, which encompass both hardware and software tools, play a pivotal role in achieving<br />

this goal. By providing real-time and historical insights, these systems enable businesses to proactively<br />

detect and resolve potential issues be<strong>for</strong>e they escalate into critical problems. Beyond just problem<br />

detection, network monitoring enhances security, optimizes per<strong>for</strong>mance and efficiency, and offers<br />

significant cost savings by minimizing downtime.<br />

As organizations strive to stay ahead of the curve, investing in a comprehensive network monitoring<br />

solution becomes not just a technical necessity but a strategic imperative <strong>for</strong> long-term success. Here,<br />

we explore the myriad benefits of network monitoring systems and highlight why they are essential <strong>for</strong><br />

future-proofing your business against the ever-evolving challenges of the digital age.<br />

What are Network Monitoring Systems?<br />

A network monitoring system includes both hardware and software tools to track different aspects of a<br />

network’s operation. This may include monitoring traffic, bandwidth use, and uptime, among other<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 81<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


metrics. <strong>The</strong>y allow network administrators to quickly detect device and connection failures that could<br />

cause issues <strong>for</strong> employees or consumers.<br />

Real-time network monitoring can catch issues as they happen, allowing you to react quickly to any<br />

problems that arise, while historical monitoring will give you data on events that have already occurred.<br />

Both types of monitoring are helpful, as they can alert you to repetitive issues that may represent an<br />

underlying problem. This can give you insights into ways to improve or adapt your network.<br />

Proactive Problem Detection and Resolution<br />

Network monitoring systems can help you detect potential issues be<strong>for</strong>e they become critical. By<br />

leveraging real-time, automated alerts, you can be updated about a situation as soon as it’s detected,<br />

allowing you to respond just as quickly. This allows problems to be dealt with more easily be<strong>for</strong>e they<br />

create major interruptions <strong>for</strong> employees and customers.<br />

Enhanced Network Security<br />

Automated alerts on real-time monitoring can help to identify security breaches by in<strong>for</strong>ming you of<br />

anyone attempting to get unauthorized access to secure in<strong>for</strong>mation. This helps to keep sensitive data<br />

safe and can also ensure that you meet regulatory compliance requirements <strong>for</strong> data protection. <strong>The</strong><br />

landscape of regulatory compliance is constantly evolving, but a network monitoring system can help<br />

ensure your operations meet the strictest regulations.<br />

Improved Network Per<strong>for</strong>mance and Efficiency<br />

Both real-time and historical network monitoring can give you a better understanding of how bandwidth<br />

and other resources are allocated throughout your system. By checking these logs, you can see if<br />

resources need to be reallocated or optimized to help manage and improve your networks’ per<strong>for</strong>mance<br />

and efficiency.<br />

Cost Savings<br />

With proactive problem detection and resolution, you can effectively reduce your network downtime and<br />

create a preventative maintenance schedule based on network usage and other requirements.<br />

<strong>The</strong> initial effects of unplanned downtime are twofold as it can have immediate negative financial impacts<br />

on your business, as potential customers may be turned away and never come back and reduced<br />

employee productivity. Similarly, postponing system maintenance until the last moment can lead to<br />

suboptimal network per<strong>for</strong>mance <strong>for</strong> extended periods, thereby decreasing operational efficiency,<br />

consuming valuable employee time, and adversely affecting morale.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 82<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


In<strong>for</strong>med Decision-Making<br />

Network monitoring systems can provide you with valuable in<strong>for</strong>mation <strong>for</strong> data-driven decision-making.<br />

By using both the real-time and historical data that it’s gathered, you can see repetitive patterns and<br />

potential trends <strong>for</strong> the future, allowing you to address resolved issues while also planning ahead.<br />

Identifying data trends can help you with strategic IT planning and development, as it may point to areas<br />

where your team may need additional training or support be<strong>for</strong>e a similar issue arises.<br />

Scalability and Flexibility<br />

Having tools that can fit your business as it is and scale as it grows is vital <strong>for</strong> success. Network monitoring<br />

systems can expand alongside your network, allowing you to take on new partners and more customers<br />

and employees with ease. This sets your operations up with a customizable solution, allowing you to<br />

choose which services will most benefit your business.<br />

Implementing Network Monitoring Systems<br />

Implementing a robust network monitoring system is crucial <strong>for</strong> maintaining a resilient, secure, and<br />

efficient network infrastructure. <strong>The</strong>se systems provide real-time and historical insights that enable<br />

proactive problem detection and resolution, enhance network security, improve per<strong>for</strong>mance and<br />

efficiency, and facilitate cost savings through reduced downtime and optimized resource allocation. By<br />

leveraging the data-driven insights offered by network monitoring systems, businesses can make<br />

in<strong>for</strong>med decisions that support strategic IT planning and development. Additionally, the scalability and<br />

flexibility of these systems ensure they can grow and adapt alongside your business, making them an<br />

invaluable tool <strong>for</strong> sustaining long-term success.<br />

Investing in a comprehensive network monitoring solution is not just a technical necessity but a strategic<br />

move to future-proof your organization against the evolving demands of the digital age.<br />

About the Author<br />

Eddy Abou-Nehme is the Owner and Director of Operations at RevNet. Eddy's<br />

journey into the world of IT began at Carleton University, where he graduated<br />

in 2002 with a Bachelor of Science in Computer Mathematics. As the demand<br />

<strong>for</strong> Ottawa IT services grew, Revolution Networks has increased its service<br />

offerings accordingly to include Managed IT Services, IT Consulting, IT<br />

Assessments, Network Cabling & Wiring, Remote Backups, and much more to<br />

provide the most comprehensive and detail-focused managed IT services and<br />

network support. Eddy can be reached online at sales@revnet.ca and at our<br />

company website https://www.revnet.ca.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 83<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Beyond Encryption: Advancing Data-in-Use Protection<br />

By David Close, Chief Solutions Architect at Futurex<br />

In the ever-evolving landscape of cryptography, traditional encryption methods safeguarding data at rest<br />

and in transit remain foundational to cybersecurity strategies. However, the security of decrypted data<br />

actively used within applications continues to be a pressing concern, exposing vulnerabilities to cyberattacks,<br />

including malicious redirects and malware intrusions. This critical issue has driven the<br />

development of data-in-use protection technologies, which secure data during active processing,<br />

ensuring a <strong>for</strong>tified environment even when data is decrypted and most susceptible to threats.<br />

<strong>The</strong> Rising Challenge of Data Breaches<br />

Data breaches are escalating both in frequency and severity. A significant breach in <strong>2024</strong> compromised<br />

over 26 billion records, underscoring the increasing threat landscape. Decrypted data, being more<br />

accessible during active use, presents an attractive target <strong>for</strong> cybercriminals compared to encrypted data<br />

at rest or in transit. For example, a massive data breach in April 2019 involving a prominent social media<br />

plat<strong>for</strong>m resulted in the leakage of over 540 million user records, including sensitive details such as<br />

account names and phone numbers. This incident highlights the urgent necessity <strong>for</strong> robust measures to<br />

protect data-in-use.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 84<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Understanding Privacy Enhancing Technologies (PETs)<br />

Privacy Enhancing Technologies (PETs) have emerged as vital tools in the encryption domain, aimed at<br />

securing decrypted data. <strong>The</strong>se technologies encompass a range of tools and strategies designed to<br />

prevent unauthorized data access and ensure data privacy and integrity.<br />

Key Components of PETs<br />

1. Hardware Security Modules (HSMs) and Key Management Servers: HSMs provide a secure<br />

enclave <strong>for</strong> storing and managing encryption keys, ensuring that keys remain isolated and<br />

protected from unauthorized access even if the data is compromised. Key management servers<br />

complement HSMs by securely managing the lifecycle of cryptographic keys.<br />

2. Cryptographic Management Plat<strong>for</strong>ms: <strong>The</strong>se plat<strong>for</strong>ms automate and streamline the<br />

management of encryption keys throughout their lifecycle, minimizing risks associated with<br />

human error and unauthorized access. <strong>The</strong>y ensure that keys are generated, distributed, stored,<br />

and destroyed in a secure manner.<br />

3. Public Key Infrastructure (PKI) and Certificate Authorities (CAs): PKI systems establish a<br />

framework <strong>for</strong> secure communications, ensuring that only authorized entities can access sensitive<br />

data. Certificate authorities issue digital certificates that authenticate the identities of entities<br />

involved in electronic transactions.<br />

4. Point-to-Point Encryption (P2PE): P2PE encrypts data directly between communication<br />

devices, protecting it from interception during transit. This technology is crucial <strong>for</strong> securing<br />

sensitive in<strong>for</strong>mation such as payment card data.<br />

5. Vaultless Tokenization: This approach replaces sensitive data with secure tokens that have no<br />

meaningful value without the corresponding decryption keys. Vaultless tokenization ensures data<br />

security even if unauthorized access occurs.<br />

Real-World Applications of PETs<br />

PETs are not merely theoretical constructs; their practical applications span various sectors, offering<br />

significant benefits to businesses, governments, researchers, and the general public.<br />

Healthcare<br />

In the healthcare industry, PETs are employed to securely share patient data among researchers,<br />

enhancing privacy and compliance with regulations such as the Health Insurance Portability and<br />

Accountability Act (HIPAA). By using PETs, healthcare organizations can collaborate on research<br />

initiatives without compromising patient confidentiality.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 85<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Collaborative Innovation<br />

PETs facilitate secure data sharing among companies, fostering innovation while safeguarding sensitive<br />

in<strong>for</strong>mation from competitors. By enabling collaborative ef<strong>for</strong>ts without risking data breaches, PETs help<br />

businesses leverage collective knowledge and drive technological advancements.<br />

Financial Transaction Anonymization<br />

In the financial sector, PETs enable the tokenization of sensitive data, such as credit card numbers,<br />

enhancing transaction security and reducing fraud risks. Tokenization ensures that actual data is never<br />

exposed during transactions, thereby protecting customer in<strong>for</strong>mation.<br />

Advanced Cryptographic Methods <strong>for</strong> Data-in-Use Protection<br />

<strong>The</strong> introduction of data-in-use protection technologies represents a significant shift in cryptographic and<br />

encryption strategies. <strong>The</strong>se advanced technologies employ sophisticated cryptographic methods to<br />

protect data during active processing, allowing secure computations on encrypted data while preserving<br />

privacy and integrity.<br />

Secure Multi-Party Computation (SMPC)<br />

Secure multi-party computation enables multiple parties to collaboratively compute a function over their<br />

inputs while keeping those inputs private. This method is particularly useful <strong>for</strong> collaborative data analysis<br />

and shared research projects, where participants can gain insights from combined data sets without<br />

revealing their individual data.<br />

Balancing Per<strong>for</strong>mance and Security<br />

While the benefits of data-in-use protection technologies are substantial, their deployment is not without<br />

challenges. Key concerns include potential per<strong>for</strong>mance overheads, increased system complexity, and<br />

user experience issues. Achieving a balanced approach that maximizes security without compromising<br />

per<strong>for</strong>mance or usability is critical to the successful adoption of these technologies.<br />

Per<strong>for</strong>mance Overheads<br />

Implementing advanced cryptographic methods such as homomorphic encryption and SMPC can<br />

introduce per<strong>for</strong>mance overheads due to the computational complexity of these processes. Organizations<br />

must carefully evaluate the trade-offs between enhanced security and system per<strong>for</strong>mance to ensure<br />

that their applications remain efficient and responsive.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 86<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


System Complexity<br />

<strong>The</strong> integration of data-in-use protection technologies can increase system complexity, necessitating<br />

additional resources <strong>for</strong> implementation, maintenance, and monitoring. Organizations must invest in<br />

training and infrastructure to manage this complexity effectively and ensure the seamless operation of<br />

their security measures.<br />

User Experience<br />

Ensuring a positive user experience while maintaining robust security is a delicate balance. Organizations<br />

must design their systems to minimize any negative impact on usability, ensuring that security measures<br />

do not hinder productivity or user satisfaction.<br />

<strong>The</strong> Future of Data-in-Use Protection<br />

As digital threats continue to evolve, the role of PETs in the cybersecurity landscape becomes<br />

increasingly crucial. Organizations seeking to enhance their data security measures and ensure<br />

regulatory compliance must consider adopting PETs as part of their overall strategy. By improving their<br />

security posture, companies can protect their data assets, build trust with customers, and maintain a<br />

competitive edge in the market.<br />

<strong>The</strong> evolution of cryptographic methods and the introduction of data-in-use protection technologies mark<br />

a significant advancement in cybersecurity. By employing PETs and advanced cryptographic techniques,<br />

organizations can secure data during active processing, preserving privacy and integrity. While<br />

challenges such as per<strong>for</strong>mance overheads, system complexity, and user experience concerns must be<br />

addressed, the benefits of enhanced security and compliance are undeniable.<br />

For organizations looking to stay ahead in the cybersecurity landscape, adopting data-in-use protection<br />

technologies is becoming indispensable. By leveraging these advanced solutions, companies can<br />

safeguard their data, ensure regulatory compliance, and build a foundation of trust and credibility in the<br />

market.<br />

About the Author<br />

David Close is Futurex’s Chief Solutions Architect and leads the Solutions Architect<br />

team where he uses his industry knowledge and cryptographic expertise to develop<br />

enterprise architectures <strong>for</strong> applications related to PKI, symmetric key management,<br />

cryptographic processing, and payment cryptographic environments. His leadership<br />

has been key in expanding the Solutions Architect team at Futurex and driving client<br />

success globally.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 87<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Big Faces, Big Spend, Low ROI: Why Ad Fraud is Increasingly<br />

Damaging Brands<br />

By Chad Kinlay, Chief Marketing Officer, TrafficGuard<br />

Brands are increasingly seen to be employing familiar and expensive faces to ambassador ad campaigns<br />

and new products. However, with an estimated 26% of ad spend lost to ad fraud, businesses are wasting<br />

big money on big faces instead of targeting pain points.<br />

Simply put, you can’t get the ROI you deserve if you aren’t protecting budgets when investing heavily in<br />

famous faces.<br />

<strong>The</strong> disconnect between big brand campaigns and the realities of digital marketing in the AI-era is growing<br />

unmanageable. Too many companies are spending big on building brands but not seeing that turn into<br />

new users, customers, or ROI.<br />

In a 2023 Statista survey, 26% of respondents said they spend more than 40% of their marketing budget<br />

on influencer marketing. With companies spending such an enormous chunk of their profits on marketing<br />

products through famous faces, they must be implementing rock-solid fraud protections to keep hold of<br />

that hard-earned cash, right? Wrong.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 88<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> Risk in Advertising<br />

A report published by Juniper Research reveals 22% of all digital advertising spend in 2023 was attributed<br />

to fraud, which is a huge $84 billion. If nothing is done to halt fraudsters, the trend will continue and is<br />

projected to reach $172 billion by 2028.<br />

In today's tough economic landscape, businesses must maximize the impact of every click. <strong>The</strong>y can no<br />

longer take <strong>for</strong> granted that all traffic from their pay-per-click (PPC) campaigns or new AI-based ads<br />

comes from genuine leads. <strong>The</strong> increasing prevalence of fraudulent traffic is undermining campaign<br />

effectiveness and causing significant revenue losses. As consumers become more cautious with their<br />

spending, it is crucial <strong>for</strong> advertisers to connect with real potential customers and avoid wasting their<br />

budgets on hefty influencer costs.<br />

Invalid traffic (IVT) and ad fraud can severely affect campaign ROI while creating the illusion of generating<br />

legitimate traffic. This situation is particularly frustrating <strong>for</strong> digital marketers, as they struggle to assess<br />

the quality of the traffic they attract. Meanwhile, fraudsters continue to exploit campaigns and distort traffic<br />

data.<br />

With businesses putting more and more budget into influencer branding, ads are becoming heightened<br />

targets <strong>for</strong> fraudsters. However, instead of cutting budgets, organizations should delve deeper into<br />

analyzing the effectiveness and efficiency of their campaigns.<br />

Unlocking Ad Potential<br />

Be<strong>for</strong>e launching costly ad campaigns, organizations must evaluate their ad fraud protection services.<br />

Invalid traffic (IVT) is non-human traffic or traffic that doesn’t contribute to growth. Fraudsters exploit<br />

campaigns with IVT, often going unnoticed. AI-driven campaigns like Google’s Per<strong>for</strong>mance Max (PMax)<br />

aim to enhance marketing efficiency but struggle to identify fraudulent activity. AI assumes all user<br />

engagement is positive, allowing fraudsters to bypass detection and skew campaign data.<br />

This unfiltered traffic undermines the effectiveness of campaigns like PMax, providing unreliable data<br />

that hampers organizational growth. IVT causes campaigns to optimize <strong>for</strong> fraudulent sources with no<br />

intention of converting, rather than legitimate ones. Consequently, marketers lose potential profit and<br />

misdirect future ef<strong>for</strong>ts, compounding losses over time.<br />

Without proper traffic analysis, advertisers risk depleting their budgets unknowingly, diverting funds from<br />

more effective strategies such as influencer campaigns. By filtering out fraudulent activity, businesses<br />

can unlock the full potential of their digital ad campaigns and achieve increased revenue.<br />

Protecting Campaign Profits<br />

Return on Advertising Spend (ROAS) is crucial <strong>for</strong> assessing the success of paid campaigns, especially<br />

influencer-led ones. To maximize ROAS, it's essential to optimize advertising budgets fully, making fraud<br />

prevention solutions critical.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 89<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Here are some steps to enhance preventative measures and achieve a higher ROI:<br />

• Analyze and Optimize Campaign Traffic: Fraudsters use bots to generate IVT, which AI<br />

plat<strong>for</strong>ms struggle to detect. By leveraging analytics and reporting tools, organizations can spot<br />

irregular patterns caused by fraudulent activity. Exposing and blocking false engagement allows<br />

<strong>for</strong> better optimization of ad spend toward legitimate sources.<br />

• Improve Audience Signals: Targeting the correct audience is vital <strong>for</strong> conversion success.<br />

Audience signals help identify appropriate groups based on behavior and demographics. Refining<br />

these signals by excluding IVT enables AI ad campaigns to tailor ads more effectively to the right<br />

audience.<br />

• Enhance Initial Security Measures: Implementing security measures be<strong>for</strong>e launching costly<br />

ad campaigns ensures that advertising spend is directed towards attracting genuine customers<br />

and legitimate spenders.<br />

Organizations can protect against fraudulent tactics by taking a proactive stance. <strong>The</strong> right solutions can<br />

enable real-time data scanning and identification of fraudulent engagement. This proactive approach<br />

allows organizations to counter fraud effectively and safeguard their investments, providing bigger<br />

budgets <strong>for</strong> bigger stars going <strong>for</strong>ward.<br />

Maximizing Campaign Value<br />

<strong>The</strong> prevalence of influencer campaigns and the success they can achieve make them increasingly<br />

tempting targets <strong>for</strong> fraudsters. Bad actors are constantly evolving their methods to infiltrate systems<br />

undetected, and if it continues, marketing and advertising teams won’t be able to reap the full benefits of<br />

their campaigns.<br />

<strong>The</strong>re is time, however, to stop bad actors and preserve the integrity of campaigns. Taking an active<br />

stance against fraud will allow organizations to stop interference with their data, ultimately protecting their<br />

advertising budgets. This way, they can capture revenue in the long term with their attractive, fame-filled<br />

campaigns.<br />

About the Author<br />

Chad Kinlay, Chief Marketing Officer, TrafficGuard is a driven, open-minded,<br />

creative senior marketer with a strong sense of dedication and commitment. With<br />

over 15 years of progressive international experience in marketing and<br />

communications management, Kinlay has a credible history of commercial<br />

success.<br />

Chad can be reached online at our company website https://www.trafficguard.ai.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 90<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Breaking Up with Your Password: Why It’s Time to Move On<br />

By Zarik Megerdichian, Founder and CEO, Loop8<br />

Data breaches impacted more than 1 billion users in the first half of <strong>2024</strong>, up 409% from this time last<br />

year, emphasizing the importance of maintaining stealth cyber hygiene. <strong>The</strong> truth is, as long as there are<br />

passwords, there will be breaches. Even passkeys offer insufficient data protection, essentially giving<br />

hackers a master key that unlocks all the user’s data.<br />

With advancements in technology and increasing cybersecurity threats, it’s time <strong>for</strong> users to embrace<br />

more secure, efficient alternatives including biometric identity authentication or multi-factor<br />

authentication. <strong>The</strong>se solutions will enhance security, improve user experience and save businesses<br />

money.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 91<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> Problems with Traditional Passwords<br />

Almost every day we read about a new data breach that has affected millions – and sometimes billions<br />

– of people, putting their personal in<strong>for</strong>mation at risk. Bad actors are easily gaining access to millions of<br />

passwords. Yahoo was subject to the largest known data breach in history with names, email addresses,<br />

phone numbers, birth dates and security questions of its three billion users compromised. And this breach<br />

went undetected <strong>for</strong> three years.<br />

Most users choose passwords that are easy to remember and most of the time, those are the weakest<br />

ones. Weak passwords open the door to unwanted access by cybercriminals who can steal in<strong>for</strong>mation,<br />

impersonate the user or disrupt operations. Many users also reuse the same password across all<br />

accounts, increasing the risk of cybercriminals easily gaining access to multiple accounts.<br />

<strong>The</strong> very best passwords are complex, making them hard <strong>for</strong> the user to remember. This leads to frequent<br />

password resets which can be time consuming and frustrating. This daunting and time-consuming task<br />

can create resistance among users that ultimately leads to the creation of less secure or repetitive<br />

passwords. Additionally, managing multiple passwords without a password manager can be a<br />

cumbersome task and the password management plat<strong>for</strong>m will require a password of its own, making it<br />

just as vulnerable.<br />

A solution to manage accounts that is both convenient and secure is necessary as security continues to<br />

evolve.<br />

Alternatives to Passwords<br />

<strong>The</strong> use of biometric authentication can enhance security, provide user convenience and speed up the<br />

time it takes to log in to accounts. Biometric authentication verifies a user's identity using their unique<br />

biological characteristics. Fingerprints and facial recognition are already becoming more widely used to<br />

log in to smartphones, laptops and apps. Voice recognition is an emerging technology that analyzes<br />

various features of a user’s voice such as pitch, tone, frequency and speech patterns.<br />

Another alternative that is even more popular is multi-factor authentication, combining something you<br />

know with something you have or something you are. For example, a user could enter their password to<br />

log in and be prompted to then receive a code from a separate authenticator app on a secondary device,<br />

enter a code that was sent to their mobile device via text or phone call or using hardwire tokens. <strong>The</strong>se<br />

security tokens can provide one-time passwords. <strong>The</strong>y can also be USB or smart cards that interact<br />

directly with the device.<br />

<strong>The</strong> most secure alternative are completely passwordless authentication solutions, like single sign-on<br />

(SSO) which provides one set of credentials to access multiple applications. Users can also incorporate<br />

magic links or email-based one-time login links.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 92<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Benefits of Moving Beyond Passwords<br />

Regular passwords are no longer sufficient to thwart bad actors. Account security must become more<br />

complex to enhance the safeguarding of user in<strong>for</strong>mation. Passwordless solutions reduce the risk of<br />

phishing attacks as it is harder <strong>for</strong> hackers to obtain biometrics or intercept MFA or SSO tokens.<br />

Passwordless solutions can also eliminate brute <strong>for</strong>ce attacks as there would be no password to crack.<br />

Businesses are a prime target <strong>for</strong> this type of attacks as usernames and passwords <strong>for</strong> new employees,<br />

shared plat<strong>for</strong>ms and other administrative attacks are often generic credentials, such as, “admin” or<br />

“123456.” <strong>The</strong>se administrative accounts will often hold employee and client in<strong>for</strong>mation and confidential<br />

company in<strong>for</strong>mation including names, banking in<strong>for</strong>mation and more.<br />

With the adoption of passwordless solutions also comes improved user experience. Authenticating and<br />

logging into accounts becomes seamless without the need to remember complex passwords. Accounts<br />

are safe and the login process is efficient, reducing friction <strong>for</strong> users.<br />

On a global scale, the average cost of a data breach is $4.45 million, which is a 15% increase over the<br />

last year, according to IBM’s 2023 report. IBM also reports that it takes an average of 204 days to identify<br />

a data breach and an additional 73 days to contain. Breaches are resource intensive and without them,<br />

the time and money spent to manage them could be reallocated. On an operational level, businesses will<br />

see cost savings benefits once a passwordless solution is incorporated. Password resets will be<br />

eliminated there<strong>for</strong>e lessening the burden on IT support. Without the interruption of password<br />

management, employees will be able to seamlessly move from task to task, increasing productivity.<br />

Addressing Concerns and Challenges<br />

With any type of stored data, there will always be concerns <strong>for</strong> privacy and security. It is imperative <strong>for</strong><br />

those using biometrics in lieu of passwords to securely store the data to ensure there is as little chance<br />

of misuse as possible. It is best practice to store biometric data on the user’s device, lessening the chance<br />

of a mass data breach where all an organization’s customers become victims of a bad actor. This practice<br />

makes targeting the organization less attractive to bad actors as they will not receive much data and will<br />

look put their ef<strong>for</strong>ts elsewhere.<br />

If an organization does decide to use biometrics as a passwordless solution, they should provide clear<br />

explanations and obtain consent from users. <strong>The</strong> misuse of biometrics can have catastrophic impacts on<br />

a user and an organization. Users must be clear on how and why an organization is asking <strong>for</strong> this data,<br />

how they will be using it and where it will be stored.<br />

Organizations must also address accessibility issues be<strong>for</strong>e implementing biometrics as a passwordless<br />

solution. Users who suffer from impairments like loss of vision, voice tremors or dexterity challenges may<br />

struggle to use biometrics. Organizations should implement alternative passwordless solutions <strong>for</strong> those<br />

who are unable to use biometrics.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 93<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> Future of Data Protection<br />

Just as hackers evolve their tactics, businesses and users have to remain nimble and on the cutting<br />

edge. Investing in research and development in the cybersecurity sector is worthwhile, especially if it<br />

helps you skirt emerging threats and spot new, safer authentication options. Staying up to date on data<br />

regulations and compliance as well as unofficial industry standards will enable you to be the example of<br />

best practices versus the victim.<br />

In tandem with going passwordless, businesses need to redefine what in<strong>for</strong>mation is – and is not –<br />

essential to their business. For example, a streaming service does not need your social security number<br />

to provide its service. Hackers can’t steal data from businesses that they don’t store on their servers.<br />

A Risk Worth Taking<br />

Change is hard but when it comes to data security, you have to choose your hard. Would you rather<br />

report you’ve been breached and have it been one of the first things people see when they search <strong>for</strong><br />

your business? Or go through a transition period where you learn and adopt a new way of signing into<br />

your devices and accounts? It’s a no brainer that the latter is the best approach. One of the first and<br />

easiest steps to test out a passwordless digital footprint is to use readily available features on your<br />

smartphone such as facial identification and the alternate identification options.<br />

By adopting more secure, user-friendly authentication methods, we can enhance security, improve user<br />

experience and streamline processes both <strong>for</strong> individuals and businesses.<br />

About the Author<br />

Zarik Megerdichian is the CEO and Founder of Loop8, a cutting-edge solution that<br />

protects personal data and privacy using advanced biometric technology and strong<br />

encryption protocols to ensure data security without the need <strong>for</strong> conventional<br />

passwords. A self-proclaimed passwordless crusader, Zarik sees Loop8 as a tool<br />

<strong>for</strong> the masses that gives users complete control of their personal in<strong>for</strong>mation while<br />

eliminating human error. Zarik can be reached online on LinkedIn and at our<br />

company website https://l8p8.com.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 94<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>Cyber</strong>security At the Crossroads: <strong>The</strong> Role of Private<br />

Companies in Safeguarding U.S. Critical Infrastructure<br />

By Chris Storey, Director of Business Development, Qriar <strong>Cyber</strong>security<br />

In an era where we are completely reliant on digital connectivity, the security of our critical infrastructure<br />

is paramount. CISA defines 16 sectors of US critical infrastructure; each unique and yet each deeply<br />

interconnected. Most believe that it is safe because, after all, the government controls most of it and thus<br />

it must be well protected. Leaving aside the false assumption that if it were controlled by the government,<br />

that it would be protected, the reality is that a staggering 65% of the U.S. infrastructure is privately owned<br />

while state and local governments own 30%, and the federal government just 5%. This means that the<br />

security of the complex web of goods and services that our country sits atop is almost entirely dependent<br />

on the cybersecurity practices and investments of these private companies.<br />

If we take our national security seriously, we should acknowledge the deep vulnerabilities of this privately<br />

kept infrastructure to our country. We have seen the repercussions of cyberattacks on private companies<br />

like these; the millions of lives that are affected, the panic, the price surges, etc. <strong>The</strong> ransomware attack<br />

on Colonial Pipeline was one of the most prominent examples of this with fuel supply shortages, price<br />

increases, and a significant geographic impact. This was despite the warnings by the Director of National<br />

Intelligence back in 2019 that pipelines were particularly vulnerable to cyberattacks and that they could<br />

cause lengthy shutdowns. In the healthcare sector, the ransomware attack on Change Healthcare not<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 95<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


only exposed the personal health, identity and financial in<strong>for</strong>mation of possibly one-third of all Americans,<br />

but the life-threatening impact prevented healthcare providers from delivering care, filling prescriptions,<br />

and processing insurance claims.<br />

Each of these attacks was on a single sector, but the obvious what-if questions concern the fear that a<br />

similar attack would occur simultaneously across multiple organizations within a sector, across sectors,<br />

or both. We are seeing an increase in coordination among cyber criminal organizations. <strong>The</strong> logical<br />

conclusion is that this cooperation will lead to larger scale attacks. Due to the interconnectedness of our<br />

critical infrastructure and our supply chains, a coordinated, multi-org, cross-sector attack would mean<br />

cascading, widespread detriment across the country. To date, the average person has had little in the<br />

way of personal impact from cyberattacks compared to the very personal impact this type of attack would<br />

cause.<br />

Disrupting multiple sectors is increasingly being done via supply-chain attacks. We saw with the COVID<br />

outbreak how delicate our supply chains are, and how even a small interruption or delay causes large<br />

ripples. We assume that our supply chains are made up of large companies with big budgets <strong>for</strong> security,<br />

but small companies, whether it be a software or a product supply chain, are often involved all along the<br />

way. <strong>The</strong>se small organizations, small municipalities, etc., lack the skills and ability to adequately defend<br />

themselves and lack the resources necessary to outsource it. <strong>The</strong>y usually have one or two IT people,<br />

zero dedicated cybersecurity staff, and subpar tools.<br />

<strong>The</strong> situation is further complicated by geo-political issues. We have nation-state threat actors, funded,<br />

staffed, and in some cases housed within <strong>for</strong>eign military branches, targeting US corporations. Imagine<br />

a <strong>for</strong>eign military landing on the shores of Virginia with the intent of invading the capital and taking control<br />

of the state. It seems so far-fetched. Our military would intercept the threat long be<strong>for</strong>e they were<br />

anywhere near US soil. Now imagine the same threat, but the adversaries make it to the Virginia<br />

shorelines, and when the governor calls <strong>for</strong> help the federal government says, “we are sorry, but we do<br />

not have the resources to defend you, you are on your own.” This is unimaginable, but this is basically<br />

the state of cybersecurity in the US. <strong>The</strong> Director of the FBI, Christopher Wray, recently said that FBI<br />

cyber staff is outnumbered 50 to 1 by just the hackers from China. <strong>The</strong>re is no other scenario in which a<br />

private US organization would be alone in direct conflict with <strong>for</strong>eign attackers. Our companies,<br />

specifically the IT and cybersecurity staff within these companies, are serving on the frontlines. When an<br />

attack happens, these men and women become active combatants in cyber warfare. Most of them fail or<br />

fail to start because they do not know where to begin. <strong>The</strong>y are not trained and are not battle-tested. <strong>The</strong><br />

same can be said <strong>for</strong> many within larger organizations as well. Given the gravity of the situation and the<br />

depth of the vulnerability, increased regulatory intervention along with federal investment seems<br />

unavoidable.<br />

Regulation alone is not a solution, but it does establish baseline security standards and provide muchneeded<br />

funding to support defenses. Standards have come a long way and are relatively mature. Though<br />

there is still a tremendous amount of gray area, and a lack of relevance or attainability <strong>for</strong> certain<br />

industries and smaller organizations. <strong>The</strong> federal government must prioritize injecting funds into<br />

cybersecurity initiatives, ensuring that even the smallest entities managing critical infrastructure can<br />

implement strong security measures. With this funding, we must build a strong defense posture and cyber<br />

resiliency within these private sector organizations. This involves more than deploying advanced tools; it<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 96<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


equires developing skilled personnel capable of responding to incidents and defending against attacks.<br />

Upskilling programs should focus on blue teaming and incident response, ensuring that organizations<br />

have the expertise to manage their security proactively.<br />

A critical component of effective cybersecurity is understanding and applying the standard risk <strong>for</strong>mula:<br />

Risk = Threat x Vulnerability x Consequence. This <strong>for</strong>mula emphasizes that risk is determined by<br />

evaluating the likelihood of an attack (Threat), the weaknesses in defenses (Vulnerability), and the<br />

potential impact of a breach (Consequence). By focusing on this risk assessment approach,<br />

organizations are better positioned to recognize and respond to attacks more quickly.<br />

During this training period and beyond, maintaining a relationship with a battle-tested incident response<br />

team who also aids in the development and management of a strong incident response plan is essential.<br />

Consulting organizations and service providers must enhance the focus on in-depth security automation<br />

and dispense with the profit-driven cafeteria menu of vendors. Managed detection and response (as well<br />

as automation to this end), cyber threat intelligence, attack surface analysis, and risk-driven threat<br />

consulting should be standard operating procedure <strong>for</strong> organizations of all sizes involved in US critical<br />

infrastructure.<br />

While the situation seems dire, hope must remain ever-present. Our national security, from a cyber<br />

perspective, hinges on the cybersecurity capabilities of private sector entities. <strong>The</strong> stakes are high, but<br />

failure is not an option. By honestly recognizing the vulnerabilities, investing in cybersecurity, and uniting<br />

and upskilling our cyber personnel to serve on the frontlines, we can build a resilient defense against the<br />

ever-evolving landscape of threats. All industries and sectors, both private and public, must work in<br />

tandem and become radically open to in<strong>for</strong>mation sharing. This fight can only be won together. <strong>The</strong> time<br />

to act is now, ensuring that our essential services are secure in the face of growing digital dangers.<br />

About the Author<br />

Chris Storey currently serves as the Director of Business Development at<br />

Qriar, a company known <strong>for</strong> its expertise in implementing, integrating, and<br />

customizing cybersecurity products and services, spanning EDR, Attack<br />

Surface Management, Privileged Access Management, Identity<br />

Governance and Administration, SIEM, and Secure API Management. He<br />

brings over eight years of experience in business development, sales, and<br />

account management, with a specialized focus on cybersecurity solutions.<br />

His passion is rooted in delivering exceptional customer service and<br />

cultivating enduring client relationships. Chris possesses a knack <strong>for</strong><br />

unraveling complex issues and fashioning tailored solutions. Certified in Identity and Access<br />

Management, Privileged Access Management, and Threat and Vulnerability Management, he blends<br />

innovation with time-tested approaches. Chris's ultimate aim is to be a dedicated cybersecurity partner<br />

and advocate, helping companies fulfill their security and business objectives.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 97<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Ditch <strong>The</strong> Cloud Security Labels to Nail Detection and<br />

Response<br />

By Jimmy Mesta, Co-Founder and CTO, RAD Security<br />

Today’s cloud security categories don’t do practitioners any favors when it comes to identifying the key<br />

requirements <strong>for</strong> detection and response in the cloud. This is because various detection and response<br />

capabilities cut across other cloud security categories like Kubernetes Security Posture Management<br />

(KSPM), Identity Threat Detection and Response (ITDR), Cloud Workload Protection (CWPP), Cloud<br />

Native Application Protection Plat<strong>for</strong>ms (CNAPP) and more.<br />

But, despite a projected 95% of new application workloads being deployed on cloud-native plat<strong>for</strong>ms by<br />

2025, 90% of organizations running containers and Kubernetes report recent breaches. Meanwhile, 95%<br />

of IT security leaders feel the skills gap is affecting their teams. With the rise of zero-day threats like the<br />

XZ Backdoor, shoring up the ability to detect and respond to cloud attacks has never been more<br />

important.<br />

So how can you navigate the evolving threat landscape? <strong>The</strong> first step is to look beyond the traditional<br />

categories to understand what truly matters in detection and responding to cloud attacks.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 98<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


What Do the Attacks Tell Us?<br />

In February <strong>2024</strong>, the <strong>Cyber</strong>security and Critical Infrastructure Agency CISA issued a warning about new<br />

tactics by SolarWinds attackers targeting cloud infrastructure and non-human identities. <strong>The</strong> Scarleteel<br />

attack of 2023 showcased how attackers exploit cloud environments, moving fluidly from workloads<br />

through Kubernetes to steal credentials and use valid programs <strong>for</strong> malicious purposes. In the entire<br />

attack killchain, only botnet installation and data exfiltration were clearly malicious.<br />

In 2023, attacks like Dero, Monero, and RBAC-Buster exploited Kubernetes RBAC misconfigurations and<br />

gained anonymous authentication. <strong>The</strong> XZ Backdoor supply chain attack in March <strong>2024</strong> further<br />

emphasizes the rising threat that software supply chain attacks pose to cloud environments.<br />

Together, these incidents underscore three criteria:<br />

1. <strong>The</strong> need <strong>for</strong> robust detection and response strategies that address normal processes that are<br />

used in malicious ways, instead of just looking <strong>for</strong> overtly malicious activities in cloud<br />

environments.<br />

2. <strong>The</strong> need to include identity as critical context <strong>for</strong> investigation and response.<br />

3. Cloud Detection and Response (CDR) must detect software supply chain attacks.<br />

What CDR Is Not<br />

Categories overlap, there is no way around this. So, it is helpful to clearly delineate what CDR is not.<br />

First, a CDR tool is not a Security In<strong>for</strong>mation and Event Management (SIEM) solution. When was the<br />

last time you expected your SIEM tool to detect a zero day, in and of itself?<br />

A CDR is also not a Security Operations Center (SOC), though they are 100% complementary. Your<br />

SOC will NEVER be focused exclusively on the cloud . . . while CDR provides the very nuanced, specific<br />

tactics and detection methods <strong>for</strong> the cloud. <strong>The</strong> purpose of your SOC is broader and takes into account<br />

cloud plus on-premises environments.<br />

A CDR is also not a Cloud Native Application Protection Plat<strong>for</strong>m (CNAPP) or a Cloud Security Posture<br />

Management (CSPM) solution because those solutions can’t determine effective responses to cloud<br />

attacks. At best, a CNAPP combines real-time, signature-based runtime alerts with static Kubernetes and<br />

cloud configurations. And at best, this gives teams reactive detections to known attacks (that are easy to<br />

bypass), and inactionable configuration recommendations <strong>for</strong> ephemeral workloads. You can’t detect and<br />

respond to novel cloud attacks without real-time insight and signature-less, behavioral detection.<br />

<strong>The</strong> categories tell us that a CDR is not a CNAPP, SIEM or SOC. A CDR requires real-time insight and<br />

technology that can detect zero days (aka not signatures).<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 99<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Should a CDR Be Focused on Applications?<br />

Cloud use-cases are broad, but top attention must go to applications, which are central to all cloud<br />

functions. With Kubernetes increasingly managing tasks like messaging and observability—showing a<br />

211% usage increase from 2021 to 2022—security teams must prioritize adapting to cloud-native tools<br />

used in application development <strong>for</strong> effective cloud detection and response. <strong>The</strong>re is probably room <strong>for</strong><br />

the CDR capability to be further defined as CADR—Cloud Application Detection and Response.<br />

<strong>The</strong> usage of the cloud tells us that a CDR must have the nuanced detection and response capabilities<br />

required <strong>for</strong> Kubernetes and cloud native environments.<br />

Criteria <strong>for</strong> Detecting and Responding to Cloud Attacks<br />

Now that we know what is in and out <strong>for</strong> effective CDR, what are some examples of actual technical<br />

criteria under each criteria?<br />

What’s In:<br />

• Techniques that can detect zero days; not signature-based<br />

o Detection goes beyond syscalls and attackers’ known techniques: Attacks that are<br />

completed within the application layer don’t make syscalls. For example, an attacker<br />

writing in<strong>for</strong>mation to a different file than usual will have hidden among existing syscalls<br />

and gone undetected. Also, many times, a clustering of non-malicious syscalls might<br />

denote an issue, whereas looking at those syscalls individually will not show anything<br />

malicious.<br />

• Applies to software supply chain attacks<br />

o Immediately search <strong>for</strong> a workload with a log4j vulnerability, or any other new Kubernetes<br />

3rd party vulnerability, across running clusters: A software supply chain security attack<br />

could be caused by exploiting a zero day CVE, like log4j. It's important to know where the<br />

CVE exists in your running workloads, not just in your pre-deployment code, because your<br />

running deployments should guide your priorities.<br />

• Effective with Kubernetes and containers<br />

o Admission control policies that can limit both the RBAC policy factor as well as Kubernetes<br />

policy configurations: Admission control is the method by which response actions would<br />

stop malicious activities in a Kubernetes environment, so they are a critical requirement<br />

of any cloud detection and response solution.<br />

• Includes Cloud Identity Context<br />

o Identity Risk score that takes into account usage: Identity risk score that includes context<br />

from actual usage and other relationships with runtime, the cloud, image CVEs and K8s<br />

misconfigurations<br />

• Can determine valid processes used as part of a malicious campaign<br />

o Implements drift or anomaly detection: <strong>The</strong> lightest, easiest way to per<strong>for</strong>m threat<br />

detection is via drift from a behavioral baseline of runtime behavior. Detecting drift<br />

between container images prior to deployment, and runtime behavior, compared to<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 100<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


detecting drift from a baseline of ‘good’ in your environment, is hugely inefficient. Container<br />

images contain a fair amount of bloat, and many of the pieces in that bloat contain a<br />

vulnerable attack surface. Tying drift from a container image to what should be happening<br />

in runtime is not the right comparison (though immutability is appealing as a concept!).<br />

What’s Out:<br />

• SIEM<br />

• CNAPP<br />

• CSPM<br />

• SOC<br />

Conclusion<br />

<strong>The</strong> truth is, there are more items, and more levels to dive when it comes to determining what is in and<br />

out of CDR. But by now, we should know that there is more than meets the eye when it comes to using<br />

tools in the classic categories of cloud security <strong>for</strong> detection and response. Navigating the cloud security<br />

landscape requires a clear understanding of what truly matters <strong>for</strong> effective detection and response.<br />

To combat the evolving threat landscape, organizations must prioritize robust detection and response<br />

strategies that go beyond surface-level classifications. This includes focusing on real-time, signature-less<br />

detection techniques, understanding the critical role of identity context, and addressing software supply<br />

chain attacks (not just vulnerabilities in open source software). By cutting through the clutter of cloud<br />

security categories and honing in on these essential criteria, practitioners can better protect their cloud<br />

environments from sophisticated attacks and ensure a more secure future in the cloud.<br />

About the Author<br />

Jimmy Mesta is the Founder and Chief Technology Officer at RAD Security. He is<br />

responsible <strong>for</strong> the technological vision <strong>for</strong> the RAD Security plat<strong>for</strong>m. A veteran<br />

security engineering leader focused on building cloud-native security solutions,<br />

Jimmy has held various leadership positions with enterprises navigating the growth<br />

of cloud services and containerization. Previously, Jimmy was an independent<br />

consultant focused on building large-scale cloud security programs, delivering<br />

technical security training, producing research and securing some of the largest<br />

containerized environments in the world.<br />

You can connect with Jimmy on Linkedin https://www.linkedin.com/in/jimmymesta/ or by visiting<br />

https://rad.security/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 101<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Is <strong>The</strong>re a DDoS Attack Ceiling?<br />

By Gary Sockrider, Director, Security Solutions, NETSCOUT<br />

Today, it’s rare <strong>for</strong> a month to pass without reports of new distributed denial-of-service (DDoS) attacks.<br />

Lately, geopolitical instability and hacktivist groups (e.g., Anonymous Sudan and NoName057(16)) have<br />

driven attacks, and these types of attacks show no sign of stopping anytime soon. One thing is sure:<br />

businesses need to implement safeguards into their overall cybersecurity posture to mitigate an evolving<br />

array of DDoS attacks. <strong>The</strong> relentless barrage of attacks may also make IT practitioners consider whether<br />

there will be a ceiling at some point and whether DDoS attacks will indeed level off.<br />

While there isn't a predefined ceiling <strong>for</strong> DDoS attacks, the practical limitations and risks of launching<br />

such attacks mean that they're typically constrained within certain bounds. However, the evolution of<br />

technology and tactics means that attackers continually adapt, and defenses must evolve accordingly to<br />

mitigate the impact of DDoS attacks. Let’s dive deeper into how some hacktivist groups work to engineer<br />

new DDoS attacks.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 102<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Unpacking Hacktivist Groups to Understand Increasing DDoS Threats<br />

Infamous <strong>for</strong> its widespread cyber operations, NoName057(16) garnered notoriety <strong>for</strong> developing and<br />

distributing custom malware, notably the DDoSia attack tool, the successor to the Bobik DDoS botnet.<br />

<strong>The</strong> group strategically concentrates its ef<strong>for</strong>ts on targeting European nations. NoName057(16)'s<br />

motives are geopolitical, aligning closely with pro-Kremlin interests.<br />

NoName057(16) relies on free or low-cost public cloud and web services as a launchpad <strong>for</strong> DDoS<br />

botnets that flood target web servers. In addition, the attacks are almost exclusively HTTP/HTTPS floods<br />

meant to consume targets' bandwidth and resources. NoName057(16) gamifies DDoS by offering digital<br />

currency payments via Project DDoSia to crowd-sourced participants who conduct attacks and rack up<br />

"points" as incentivized top per<strong>for</strong>mers. So, not only is it straight<strong>for</strong>ward <strong>for</strong> groups such as<br />

NoName057(16) to orchestrate DDoS attacks, but they also incentivize bad actors to join their exploits.<br />

By encouraging ideologically motivated volunteers to deliberately provision cloud computing and VPN<br />

nodes with their multi-plat<strong>for</strong>m DDoS-capable botnets, NoName057(16) has essentially outsourced the<br />

growth and maintenance of their attack infrastructure while at the same time seeking to make it more<br />

challenging <strong>for</strong> defenders to successfully mitigate attacks due to the presence of these botnet nodes on<br />

the networks of well-known computing, content, and networking services.<br />

Similarly, Anonymous Sudan is a highly prolific threat actor conducting DDoS attacks to support its pro-<br />

Russian, anti-Western agenda. Although the attacks attributed to this adversary are of political and<br />

(ostensibly) religious motivation, this group also retaliates against messaging plat<strong>for</strong>ms that restrict its<br />

communications.<br />

Staying Ahead of <strong>The</strong> Hacktivists<br />

Furthermore, Anonymous Sudan appears to use standard DDoS-<strong>for</strong>-hire services and botnet rentals,<br />

breaking from the traditional hacktivist mentality and capabilities and behaving more like an organization<br />

with substantial financial backing. <strong>The</strong>ir DDoS attacks are predominantly multi-vector—a combination of<br />

TCP-based direct-path and various UDP reflection/amplification vectors.<br />

Anonymous Sudan and NoName057(16) are just the latest in a long line of hacktivist groups engineering<br />

new attacks. Although these threat actors often use well-known DDoS attack vectors and methodologies,<br />

their propensity to follow through on threatened occurrences, combined with unpreparedness on the part<br />

of targeted organizations, ensures that they have achieved a relatively high attack success rate to date.<br />

How can the IT department help organizations mitigate this new onslaught of attacks?<br />

Real-time threat intelligence's role in an actual DDoS defense strategy can’t be stressed enough. Attacks<br />

are now more adaptive and continue to change course to evade defenses. Today, threat intelligence<br />

solutions exist <strong>for</strong> businesses to use machine learning (ML) from rich data lakes of known DDoS attack<br />

vectors, sources, and behavioral patterns. Additionally, DDoS defenses are now sophisticated enough to<br />

identify changing attack vectors. This analysis is continuously updated as characteristics of the atypical<br />

traffic change. All of that means that the value of having better visibility tools with actionable threat<br />

intelligence to remediate attack vectors is a step in the right direction <strong>for</strong> any organization. Having better<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 103<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


visibility means an improved ability to contend with shifting DDoS attacks from highly sophisticated<br />

hacktivist groups and other bad actors.<br />

In theory, there is a maximum throughput <strong>for</strong> DDoS attacks based on a variety of internet and<br />

infrastructure constraints. <strong>The</strong>re is also no way to fully eradicate these types of attacks, and it’s more so<br />

a matter of when they will happen, and how organizations choose to protect themselves. Bad actors will<br />

continue to conduct meticulous research to get past even the most astute security teams. Despite this<br />

inconvenient reality, enterprises can stay one step ahead of hacktivist groups and other threat actors. By<br />

leveraging decades of attack mitigation experience combined with ML algorithms, IT departments can<br />

ensure that business-critical services don’t fall prey to future attacks that will persist in the years to come.<br />

About the Author<br />

Gary Sockrider, Director, Security Solutions, NETSCOUT, is an industry veteran<br />

bringing over 20 years of broad technology experience including routing and<br />

switching, data center, wireless, mobility and collaboration but always with a focus on<br />

security. His previous roles include security SME, consultancy, product management,<br />

technical marketing, and customer support. Gary seeks to understand and convey the<br />

constantly evolving threat landscape, as well as the techniques and solutions that<br />

address the challenges they present. Prior to joining Netscout in 2012, he spent 12<br />

years at Cisco Systems and held previous positions with Avaya and Cable & Wireless.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 104<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Four Ways to Harden Your Code Against Security Vulnerabilities<br />

and Weaknesses<br />

By Olga Kundzich, CTO and Co-Founder, Moderne<br />

<strong>The</strong> specter of security vulnerabilities is a constant concern in today's digital landscape. <strong>The</strong>y're the<br />

hidden pitfalls that can undermine even the most meticulously crafted code. But what if you could turn<br />

the tables on these threats? <strong>The</strong>re’s a way to harden your code to stand tall against these attacks without<br />

developers having to become cybersecurity experts themselves.<br />

This article provides an overview of the four ways you can <strong>for</strong>tify your code against some of the toughest<br />

application security problems—even the OWASP Top 10—using automated code refactoring,<br />

remediation, and analysis recipes available from the open source OpenRewrite ecosystem.<br />

#1: Code analysis to find exposed secrets and API insecurities<br />

Too often, an organization’s codebase is a black box. (Not something a security pro wants to hear!) It’s<br />

hard to visualize and understand all the intricate dependent relationships of code managed through a<br />

growing assortment of application programming interfaces (APIs).<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 105<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


It’s important to have a detailed view of all direct and transitive dependencies across a codebase,<br />

enabling users to extract rich, meaningful insights that help improve application security. Examples of the<br />

type of data you can retrieve include:<br />

• Find API endpoints — Identify all the API endpoints that an application exposes to more readily<br />

analyze impact and risk.<br />

• Find sensitive API endpoints — Find data models exposed by REST APIs that contain sensitive<br />

in<strong>for</strong>mation like PII and secrets.<br />

• Find secrets — Locate secrets that are stored in plain text in code <strong>for</strong> a large assortment of tools<br />

and technology. This includes data used to authenticate, authorize, or encrypt communication<br />

between various components of an application or between the application and external services.<br />

#2: Static Application Security Testing (SAST) with automated source code fixes<br />

Static code analysis is critical to a comprehensive application security practice. It enables you to build<br />

more secure source code by identifying security weaknesses and compliance issues early in the<br />

development process, as well as to continually improve your security posture.<br />

OpenRewrite recipes provide robust static code analysis and take SAST to another level by also fixing<br />

security weaknesses in the source code your team develops. It’s like having a security expert <strong>for</strong><br />

developers who not only discovers issues and shares security knowledge but also automates the manual<br />

work of fixing them. Developers only have to review and accept the changes.<br />

It’s important to use both control flow and data flow analysis when you are assessing code <strong>for</strong> both<br />

insecure operational order per<strong>for</strong>mance, as well as looking <strong>for</strong> issues by understanding how data values<br />

propagate through a program (great <strong>for</strong> finding injection and encoding problems).<br />

Examples of auto-remediation that are important to address include:<br />

• Common static analysis issues — Find and resolve the common static analysis issues that are<br />

typically reported by traditional SAST tools. It’s essential to have a consistent code style to make<br />

code easier <strong>for</strong> everyone on the team to read. Engineers naturally pick up and internalize best<br />

practices when followed ubiquitously, making good code easier <strong>for</strong> everyone on the team to write.<br />

Teams will benefit from fewer operational disruptions from bugs and increases in per<strong>for</strong>mance.<br />

• Remediate vulnerabilities from the OWASP Top 10 — Identify and remediate vulnerabilities found<br />

in the OWASP Top Ten list, such as broken access control, cryptographic failures, and security<br />

misconfigurations.<br />

• Partial path traversal vulnerability — Fix the code to prevent a common directory traversal attack.<br />

• Zip slip—Find and fix the Zip Slip vulnerabilities in your codebase. Zip slip is a specific <strong>for</strong>m of<br />

directory traversal whereby an attacker can overwrite executable files, invoke them remotely (or<br />

wait <strong>for</strong> the system or user to call them), and achieve remote command execution on the victim’s<br />

machine.<br />

• Enable CSRF attack prevention — Guard against Cross-Site Request Forgery (CSRF) attacks, a<br />

type of attack that occurs when a malicious website, email, blog, instant message, or program<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 106<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


causes a user’s web browser to per<strong>for</strong>m an unwanted action on a trusted site when the user is<br />

authenticated.<br />

#3: Software composition analysis with automated dependency upgrades<br />

Third-party and open-source dependencies, which change and evolve at their own pace, create a larger<br />

attack surface <strong>for</strong> teams to manage. Software vulnerabilities can be introduced by anyone at any time,<br />

and vulnerabilities can be dormant until they are exploited. That’s why software composition analysis<br />

(SCA) is vital to managing the security of today’s complex, assembled codebases—to more proactively<br />

manage security concerns from open-source and third-party components.<br />

It's possible to accelerate third-party code security through comprehensive visibility into dependencies—<br />

direct and transitive—across your entire codebase. Teams can then take steps to mitigate risks when<br />

armed with SCA capabilities, such as updating vulnerable dependencies, replacing components with<br />

more secure alternatives, or ensuring that licensing requirements are met. Here are a few examples of<br />

best practices:<br />

• Find and fix vulnerable dependencies — Analyze and upgrade dependencies with publicly<br />

disclosed vulnerabilities, leveraging the GitHub Security Advisory Database.<br />

• Exclude unused dependencies — Exclude a specified dependency from any dependency that<br />

transitively includes it, which is useful if a dependency is known to have security vulnerabilities<br />

that cannot be easily patched or mitigated.<br />

• Find licenses in use in third-party dependencies — Locate and report on all licenses in use to<br />

ensure your existing codebase (or even a codebase involved in a merger or acquisition) is<br />

compliant.<br />

#4: Automated migration of third-party software to eliminate known vulnerabilities<br />

While some vulnerabilities can be closed by upgrading dependency versions with available patches, all<br />

too often resolving a security vulnerability requires changes to the application's source code. Some fixes<br />

are straight<strong>for</strong>ward, like changing an API signature. Others are more complex, involving multiple major<br />

lifts and requiring the expertise of migration engineers.<br />

Code migration work is labor-intensive, chaotic, and clerical. It typically involves migrating not just one<br />

framework but a collection of cascading dependencies that must also be updated across the codebase.<br />

Examples of automating code migrations include:<br />

• Migrate to Spring Boot 3.3 — Modify an application's build files, make changes to<br />

deprecated/preferred APIs, and migrate configuration settings that have changed between<br />

versions (plus additional framework migrations).<br />

• Migrate to Java 21 — Upgrade to Java 21 by updating and/or adding dependencies, replacing<br />

deprecated APIs, updating build files and plugins, etc.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 107<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


• Migrate from Log4j to SLF4J — Migrate usage of Apache Log4j to use Simple Logging Facade<br />

<strong>for</strong> Java (SLF4J) directly to eliminate the potential <strong>for</strong> exposure.<br />

• Marshaling (e.g., SnakeYAML constructor, Jackson default typing): Configure common<br />

serialization libraries to prevent the deserialization of maliciously crafted data, preventing the<br />

execution of hidden malicious code.<br />

<strong>The</strong> journey to harden your code against security vulnerabilities involves balancing the urgency of fixing<br />

issues with the continuous delivery of business value. Security scans often interrupt the developer's<br />

workflow, highlighting vulnerabilities that must be rapidly resolved to prevent deployment blocks. This<br />

remediation work, while critical, can divert resources from other valuable projects. That’s why<br />

automation—and tools like the open source OpenRewrite project that automate code refactoring—are<br />

critical <strong>for</strong> analyzing and addressing security vulnerabilities quickly.<br />

<strong>The</strong> ultimate goal is to ensure that application security improvements and business objectives advance<br />

harmoniously, creating a resilient and productive development environment. How is your organization<br />

balancing these demands?<br />

About the Author<br />

Olga Kundzich, CTO & Co-Founder of Moderne, has extensive experience<br />

building enterprise software solutions. Previously, she worked as a technical<br />

product manager at Pivotal focused on application delivery and management<br />

solutions (e.g., Spinnaker). She was also a lead software engineer and<br />

manager at Dell EMC, working closely with enterprise users on implementing<br />

data protection practices. Olga is a co-author of “Automated Code<br />

Remediation: How to Refactor and Secure the Modern Software Supply<br />

Chain” (O’Reilly).<br />

Olga can be reached online at olga@moderne.io and at our company website https://www.moderne.ai/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 108<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> Urgent Need <strong>for</strong> Data Minimization Standards<br />

Establishing Clear Standards <strong>for</strong> Data Minimization to Foster Confidence, Innovation, and Privacy<br />

Protection<br />

By Kathrin Gardhouse, Privacy Evangelist, Private AI and Patricia Thaine, CEO & Co-Founder,<br />

Private AI<br />

A central principle in many data protection laws around the globe is data minimization. But we are<br />

currently facing a serious issue: we don’t have legal clarity on what exactly the laws require when they<br />

demand data minimization. Lack of specificity directly affects organizations' lack of confidence that the<br />

products they are building are responsible and truly comply with regulatory requirements. As a result,<br />

apprehension can often surround the process of bringing innovative technologies into production.<br />

It is clear that data minimization will have different requirements <strong>for</strong> different use cases. On one side of<br />

the spectrum is the redaction of direct identifiers such as names, or payment card in<strong>for</strong>mation such as<br />

credit card numbers. On the other side of the spectrum lies anonymization, where re-identification of<br />

individuals is extremely unlikely. Within the spectrum, we also find pseudonymization, which, depending<br />

on the jurisdiction, often means something like reversible de-identification<br />

Many organizations are keen to anonymize their data because, if anonymization is achieved, the data<br />

falls outside of the scope of data protection laws as they are no longer considered personal in<strong>for</strong>mation.<br />

But that’s a big if. Some argue that anonymization is not possible. We hold that the claim that data<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 109<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


anonymization is impossible is based on a lack of clarity around what is required <strong>for</strong> anonymization, with<br />

organizations often either wittingly or unwittingly misusing the term <strong>for</strong> what is actually a redaction of<br />

direct identifiers. Furthermore, another common claim is that data minimization is in irresolvable tension<br />

with the use of data at a large scale in the machine learning context. This claim is not only based on a<br />

lack of clarity around data minimization but also a lack of understanding around the extremely valuable<br />

data that often surrounds identifiable in<strong>for</strong>mation, such as data about products, conversation flows,<br />

document topics, and more.<br />

Years of research in structured data de-identification have contributed to much of what is understood<br />

about the balance of data minimization and data utility.<br />

Given the stark differences in how structured and unstructured data are processed and anonymized, a<br />

one-size-fits-all approach to privacy standards and re-identification risk thresholds may not be<br />

appropriate. Each type of data presents unique challenges and risks that need tailored approaches.<br />

Without that clarity, even organizations with the best intentions will not consistently get it right and will be<br />

left to their best guesses. Many people misinterpret anonymizing data to mean removing names and<br />

social security numbers but ignoring quasi-identifiers like religion, approximate location, rare disease,<br />

etc.<br />

Why we need data minimization standards<br />

Why is not having clear data minimization standards a problem? For one, in the absence of clear<br />

standards, organizations disclosing data can do a poor job of de-identifying the data and then still claim<br />

that they have been anonymized. Inevitably, this will lead to the re-identification of some individuals, even<br />

if only by hacktivists trying to prove a point. In a worse scenario, poor de-identification practices can lead<br />

to data breaches, which are costly both financially and reputationally.<br />

Secondly, a common refrain among critics is that "true" data anonymization is a myth. <strong>The</strong>se criticisms<br />

frequently stem from well-publicized incidents where supposedly "anonymized" data was re-identified.<br />

But a closer look at these instances often reveals a salient point: the data in question was not properly<br />

anonymized in the first place or anonymization was simply not the right privacy-preserving technique to<br />

use <strong>for</strong> the task at hand.<br />

<strong>The</strong>se ill-in<strong>for</strong>med claims diminish the trust in the kinds of capable technologies that are currently being<br />

developed and can effectively and reliably identify personally identifiable in<strong>for</strong>mation, redact it, add noise<br />

and permutations, generalize values, aggregate data, and compute data accuracy and re-identification<br />

risks. Such claims may also lead to resistance to data minimization as a whole given a perceived futility<br />

of the ef<strong>for</strong>t, or an unwarranted hesitancy to share in<strong>for</strong>mation that has been de-identified in light of the<br />

uncertainty of whether it’s good enough.<br />

Either way, current technological capabilities will not be used to their full potential due to unwarranted<br />

distrust that is very hard to disprove without certifying bodies <strong>for</strong> the resulting datasets or technologies.<br />

This will negatively impact the availability of securely de-identified or anonymized data <strong>for</strong> beneficial<br />

secondary purposes, e.g., <strong>for</strong> the development and training of generative AI models.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 110<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


How we know clear standards can (responsibly) accelerate innovation<br />

HIPAA (Health Insurance Portability and Accountability Act) in the U.S., <strong>for</strong> instance, is an example of a<br />

law that contains a clear de-identification standard. It has provisions that require health data to meet<br />

certain criteria to be considered “de-identified” and even provides two distinct methods: Expert<br />

Determination and Safe Harbor.<br />

<strong>The</strong> Expert Determination method hinges on a knowledgeable individual's analysis that the risk of reidentification<br />

is “very small” (§164.514(b)(2) HIPAA Privacy Rule). Safe Harbor, on the other hand,<br />

prescribes specific identifiers that must be removed <strong>for</strong> health data to no longer be deemed personal<br />

in<strong>for</strong>mation. <strong>The</strong>se methods are illustrative of a flexible, and in the case of expert determination, rigorous<br />

approach to data de-identification—one that can inspire other industries. For small organizations that do<br />

not have the resources to employ a privacy technology expert to ensure secure de-identification, there<br />

can still be clear guidance on what is required in terms of removing direct and indirect identifiers be<strong>for</strong>e<br />

the data can be considered safe <strong>for</strong> disclosing it to third parties to enable innovative products and<br />

research.<br />

<strong>The</strong> Safe Harbor rule has rightly been criticized as insufficient <strong>for</strong> anonymization of data as understood<br />

under the GDPR, <strong>for</strong> example. It is questionable whether unrestricted publication of data sets that fall<br />

under the Safe Harbor rule is the right approach. More on that below.<br />

<strong>The</strong> Data De-Identification Framework – ISO/IEC 27559:2022 developed by the International Standards<br />

Organization is another example of helpful, yet non-mandatory, guidance on how to properly de-identify<br />

data. We have summarized this framework here. This framework offers an advantage over HIPAA by<br />

including an appendix that establishes specific numerical thresholds <strong>for</strong> identifiability.<br />

Another example of a successful application of a judicially set standard supplemented by expert guidance<br />

is revealed by the Office of the Privacy Commissioner of Canada’s investigation of complaints against<br />

the Public Health Agency of Canada (“PHAC”) and Health Canada (“HC”) under the Privacy Act. Mobility<br />

data obtained from TELUS and other data providers was properly de-identified beyond the "serious<br />

possibility" <strong>for</strong> re-identification threshold be<strong>for</strong>e using it in the fight against the COVID-19 pandemic. This<br />

standard was decided upon in Gordon v. Canada (Health), 2008 FC 258 by the Federal Court and the<br />

Treasury Board Secretariat and other experts have since provided more actionable guidance down to<br />

the range of acceptable cell sizes.<br />

Following this guidance, stripping data of personal identifiers alone was by no means all the parties<br />

involved did in this case. Rather, they:<br />

• Hashed each identifier more than once using SHA 256 hashing<br />

• Limited access to the data to a limited number of individuals<br />

• Monitored access and use<br />

• Implemented permitted use restrictions<br />

• Restricted access and export via the enclave model<br />

• Allowed only import of data that was aggregated in accordance with accepted standards<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 111<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


To reiterate what access controls and use restrictions have to do with data de-identification: Since<br />

determining proper de-identification or even anonymization is a statistical calculation, the likelihood of reidentification<br />

is an important factor. This likelihood is generally considered in the context of the risk to the<br />

data itself, namely, who has access to it and which security controls are put in place.<br />

In addition to anonymization, data minimization in the <strong>for</strong>m of redaction has shown to benefit from specific<br />

standards that take into account not only the in<strong>for</strong>mation to be removed but also the security infrastructure<br />

surrounding the data. For example, data minimization is a risk mitigator under PCI DSS where in<strong>for</strong>mation<br />

like account numbers and cardholder names need to be removed from call and contact center<br />

in<strong>for</strong>mation. Especially when used appropriately and in conjunction with cybersecurity safeguards,<br />

redaction in this context prevents crimes like identity theft.<br />

<strong>The</strong> work that still needs to be done<br />

While we have seen huge improvements in the capabilities of tools that can help with the de-identification<br />

of data, even unstructured data, it is possible that in parallel with the advance of de-identification tools,<br />

the technologies enabling re-identification advance as well, and more data becomes publicly available<br />

against which records can be compared, increasing the risk of re-identification.<br />

Moreover, while HIPAA Safe Harbor brings clarity, it does not take into account several pieces of<br />

in<strong>for</strong>mation that may be used to re-identify an individual. As Khaled El Emam in “Methods <strong>for</strong> the deidentification<br />

of electronic health records <strong>for</strong> genomic research” argued in 2011, not requiring the removal<br />

of longitudinal data, such as length of stay and time since the last visit, can mean a much higher risk of<br />

patient re-identification. For reasons like this, HIPAA Expert Determination, where an expert determines<br />

whether the likelihood of re-identification is low enough to be considered de-identified, is the method of<br />

choice <strong>for</strong> many healthcare organizations.<br />

We must also pay more attention to unstructured data when having a dialogue about data deidentification<br />

and anonymization. Unstructured data, according to estimates, make up 80 percent of all<br />

recorded data. As we explained, unstructured data comes with the unique difficulty of identifying where<br />

personal data are. This is not terribly hard in a table with columns labelled “SSN” or “name.” However, it<br />

is a more complicated problem with unstructured data given the disfluencies, complicated contexts,<br />

different <strong>for</strong>mats, and multilinguality of unstructured data. However, similar to lacking in data minimization<br />

standards, there likewise exists no accepted standard of how accurate the identification of personal<br />

in<strong>for</strong>mation should be. Organizations there<strong>for</strong>e have little guidance regarding the required level of<br />

accuracy of identification of identifiable in<strong>for</strong>mation, often opting <strong>for</strong> a band-aid solution made up of<br />

regular expressions and inaccurate machine learning models which may even be built <strong>for</strong> a different task.<br />

Note that not only does getting this step wrong prevent an accurate assessment of risk with the data, but<br />

also prevents the reliable redaction of the data, let alone the anonymization of it. Identifying the data<br />

elements in the unstructured data is the difficult but essential groundwork required be<strong>for</strong>e re-identification<br />

risk can be tackled automatically.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 112<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


What we can already do today<br />

With the recent advances in machine learning (ML), we can now teach machines to do the identification<br />

work <strong>for</strong> us, and much more reliably than regular expressions (regexes) - the technique most commonly<br />

used <strong>for</strong> data identification, but which often fails in particular with unstructured data. For example, using<br />

ML, we are able to use the context of a conversation to determine whether something constitutes personal<br />

in<strong>for</strong>mation or not. Instead of searching <strong>for</strong> set patterns, the ML model can learn from exposure to training<br />

data prepared by privacy experts. By annotating the data elements that are personal identifiers, privacy<br />

experts can effectively train the model to identify highly complex, natural language patterns based on<br />

which it can detect personal in<strong>for</strong>mation in data it hasn’t seen be<strong>for</strong>e.<br />

While we don’t have a set standard <strong>for</strong> personal in<strong>for</strong>mation detection tools, Private AI builds AI-driven<br />

de-identification software that meets and exceeds industry standards. Refer to our Whitepaper <strong>for</strong> details<br />

on how we compare to our competitors or request a sample report on how the output data from our<br />

system has passed HIPAA Expert Determination. Anything lower than what the best technology in the<br />

industry has to offer in terms of personal data identification will, as it necessarily carries through to the<br />

de-identification stage, increase the re-identification risk intolerably. With accurately identified and<br />

categorized personal in<strong>for</strong>mation, these identifiers can then be removed or replaced as needed <strong>for</strong> the<br />

use case, maximizing data privacy and utility.<br />

Conclusion<br />

Embracing rigorous data minimization protocols isn't just a compliance requirement; it's a pledge to<br />

protect individual privacy while harnessing the full potential of data <strong>for</strong> the collective good. <strong>The</strong> current<br />

ambiguity surrounding data de-identification, anonymization, and personal in<strong>for</strong>mation identification<br />

standards poses significant challenges. While we have examples in HIPAA and ISO/IEC 27559:2022 and<br />

other sources, more comprehensive and universally accepted standards are imperative. Otherwise, we<br />

are at risk of falling behind our current capabilities of making safe data available <strong>for</strong> responsible innovation<br />

and other beneficial purposes.<br />

About the Author<br />

Kathrin Gardhouse is Private AI's Privacy Evangelist and a German- and<br />

Ontario-trained lawyer specializing in data and AI governance. Her experience<br />

includes developing comprehensive privacy and data governance programs<br />

<strong>for</strong> a Toronto-based financial institution and data and AI governance<br />

consulting <strong>for</strong> several boutique firms.<br />

Kathrin’s influence in data and AI governance spans multiple domains. She<br />

actively shapes responsible AI policy at a national level while simultaneously<br />

offering thought leadership to innovators in privacy-enhancing technologies and advising start-up<br />

founders in privacy and AI governance matters. Kathrin can be reached through her LinkedIn and our<br />

company website https://www.private-ai.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 113<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Patricia Thaine is the Co-Founder & CEO of Private AI, a Microsoft-backed<br />

startup that raised their Series A led by the BDC. Private AI was named a<br />

2023 Technology Pioneer by the World Economic Forum and a Gartner Cool<br />

Vendor. Patricia was on Maclean’s magazine Power List <strong>2024</strong> <strong>for</strong> being one<br />

of the top 100 Canadians shaping the country. She is also a Computer<br />

Science PhD Candidate at the University of Toronto (on leave) and a Vector<br />

Institute alumna. Patricia is a recipient of the NSERC Postgraduate<br />

Scholarship, the RBC Graduate Fellowship, and the Ontario Graduate<br />

Scholarship. She is the co-inventor of one U.S. patent and has 10 years of<br />

research and software development experience, including at the McGill<br />

Language Development Lab, the University of Toronto’s Computational<br />

Linguistics Lab and Department of Linguistics, and the Public Health Agency of Canada. Patricia can be<br />

reached through her LinkedIn and our company website: https://www.private-ai.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 114<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Securing the OT Stage: NIS2, CRA, and IEC62443 Take Center<br />

Spotlight<br />

Ensuring <strong>Cyber</strong> Resilience in Critical Infrastructure<br />

By Vinny Sagar, Solution Architect, swIDch<br />

In the dynamic landscape of Operational Technology (OT),<br />

robust cybersecurity measures are paramount. As the digital<br />

trans<strong>for</strong>mation accelerates, protecting critical infrastructure<br />

becomes more challenging. Fortunately, three key<br />

standards—NIS2, CRA, and IEC 62443—have emerged to<br />

<strong>for</strong>tify the OT sector against cyber threats. In this article, we<br />

explore how these standards synergize to create a unified<br />

front in OT cybersecurity.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 115<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


NIS2 (Network and In<strong>for</strong>mation Systems Directive 2)<br />

NIS2 expands upon the original NIS legislation, broadening its scope to include vital sectors such as<br />

energy, water, and transportation. Here’s what you need to know:<br />

• Stricter Regulations: NIS2 introduces stronger security requirements and incident reporting<br />

obligations. It emphasizes supply chain security, recognizing that vulnerabilities often stem from<br />

interconnected systems.<br />

• EU-Wide Cooperation: NIS2 encourages collaboration and in<strong>for</strong>mation exchange across the<br />

European Union. Non-compliance now carries steeper penalties.<br />

• OT Relevance: NIS2 mandates that entities ensure an appropriate level of security, particularly<br />

relevant <strong>for</strong> OT systems.<br />

CRA (<strong>Cyber</strong> Resilience Act)<br />

CRA focuses on safeguarding consumers and businesses using products or software with digital<br />

components—common scenarios in OT environments:<br />

• Mandatory Requirements: Manufacturers and retailers must adhere to CRA’s cybersecurity<br />

requirements throughout a product’s life cycle.<br />

• Complementing NIS2: CRA ensures that network-connected products meet elevated security<br />

standards, complementing NIS2’s ef<strong>for</strong>ts.<br />

IEC 62443: A Global Best Practice<br />

Unlike NIS2 and CRA, which carry EU-specific mandates, IEC 62443 transcends borders. It provides<br />

tailored cybersecurity standards <strong>for</strong> Industrial Automation and Control Systems (IACS) and OT:<br />

• Industrial Context: IEC 62443 addresses unique security challenges in industrial environments.<br />

It balances data confidentiality and productivity.<br />

• <strong>Defense</strong>-in-Depth: <strong>The</strong> standard outlines a defense-in-depth model, guiding organizations in<br />

building robust cybersecurity management systems (CSMS).<br />

• Risk Assessment: IEC 62443 assists in risk assessments, helping organizations choose security<br />

products and service providers effectively.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 116<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Unpacking the impact on OT?<br />

Imagine a medieval kingdom as an organization. <strong>The</strong> kingdom is the “Operational Technology” (OT)<br />

environment, and needs to be protected from various threats.<br />

NIS2 is like the kingdom’s laws and policies, established by the king (the governing body). <strong>The</strong>se laws<br />

mandate that every village (critical infrastructure) within the kingdom must have defenses (cybersecurity<br />

measures) appropriate to the threats they face, and they must report any attacks (cyber incidents) to the<br />

king’s council (regulatory authority) to help protect the entire realm.<br />

CRA is akin to the blacksmiths’ guild (product manufacturers). <strong>The</strong>y are required to <strong>for</strong>ge weapons and<br />

armor (digital products and software) that meet certain standards of quality and durability be<strong>for</strong>e they can<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 117<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


e used by the kingdom’s warriors (end-users). This ensures that the frontline defenders are equipped<br />

with reliable gear from the start.<br />

IEC62443 is comparable to the master builders and engineers (cybersecurity professionals) who design<br />

and construct the kingdom’s <strong>for</strong>tifications (security controls and measures). <strong>The</strong>y follow a set of blueprints<br />

and guidelines (technical standards) to ensure that every castle and wall is built to withstand sieges and<br />

protect the inhabitants effectively.<br />

Together, these three elements create a robust defense system <strong>for</strong> the kingdom:<br />

• <strong>The</strong> laws and policies (NIS2) ensure that everyone is aware of the threats and knows how to<br />

respond.<br />

• <strong>The</strong> quality equipment (CRA) means that defenders are well-prepared to face any adversary.<br />

• <strong>The</strong> strong <strong>for</strong>tifications (IEC62443) provide a secure environment that can withstand attacks.<br />

This analogy illustrates how NIS2, CRA, and IEC62443 work in concert to provide a comprehensive<br />

cybersecurity strategy, safeguarding the organization from potential threats at every level.<br />

Timelines<br />

CRA<br />

<strong>The</strong> CRA agreement received <strong>for</strong>mal approval by the European Parliament in March <strong>2024</strong>. As of writing<br />

this article, it still requires <strong>for</strong>mal adoption by the Council be<strong>for</strong>e being en<strong>for</strong>ced. Much of the CRA<br />

becomes en<strong>for</strong>ceable approximately three years after enactment, around 2027<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 118<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


NIS2<br />

By 17 October <strong>2024</strong>, Member States must adopt and publish the measures necessary to comply with the<br />

NIS2 Directive. <strong>The</strong>y shall apply those measures from 18 October <strong>2024</strong>.<br />

IEC62443<br />

In 2021, the IEC approved the IEC62443 family of standards as 'horizontal standards'. This means that<br />

when sector specific standards <strong>for</strong> operational technology are being developed by subject matter experts,<br />

the IEC62443 standards must be used at the foundation <strong>for</strong> requirements addressing cybersecurity in<br />

those standards.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 119<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Enhancing OT <strong>Cyber</strong>security: <strong>The</strong> Triad of NIS2, CRA, and IEC62443<br />

In the intricate dance of securing Operational Technology (OT), three key players—NIS2, CRA, and<br />

IEC62443—take the stage. Together, they harmonize their ef<strong>for</strong>ts, covering different facets of security<br />

across the product life cycle.<br />

NIS2 focuses on the operational aspect and resilience of critical infrastructure. It sets out requirements<br />

<strong>for</strong> risk management, reporting, and security measures, which are essential <strong>for</strong> the OT sector’s day-today<br />

operations.<br />

CRA targets the product aspect, ensuring that digital products and software entering the market have<br />

robust cybersecurity measures in place from the design phase. This act ensures that the hardware and<br />

software used in OT environments are secure by default.<br />

IEC62443 provides a technical framework with specific standards and practices <strong>for</strong> securing industrial<br />

control systems. It offers detailed guidance on how to implement security controls and manage<br />

cybersecurity risks in OT environments.<br />

Together, they create a comprehensive cybersecurity ecosystem:<br />

• NIS2 ensures that operators of essential services maintain high levels of security and report<br />

incidents, which is crucial <strong>for</strong> the OT sector’s overall resilience.<br />

• CRA complements this by making sure that the products used in these sectors are secure from<br />

the start, reducing the risk of vulnerabilities.<br />

• IEC62443 bridges the gap by offering technical standards that apply to the specific needs of OT<br />

systems, providing a common language and set of practices <strong>for</strong> industry stakeholders.<br />

Together, NIS2, CRA, and IEC62443 <strong>for</strong>m a <strong>for</strong>midable alliance. <strong>The</strong>y strengthen the resilience of the<br />

OT sector against cyber adversaries. By adopting these standards, organizations gain a structured<br />

approach to managing cyber risks. So, whether you’re safeguarding a power plant, a smart grid, or an<br />

autonomous vehicle fleet, remember: <strong>Cyber</strong>security is our collective shield!<br />

About the Author<br />

Vinny Sagar is a Solution Architect at swIDch. With over 15 years of<br />

experience in pre-sales, consulting, and software development in the<br />

identity and cybersecurity space, Vinny has helped many clients across<br />

various industries and regions design and deploy Zero Trust solutions that<br />

meet their specific needs and challenges. Vinny can be reached online at<br />

vinny@swidch.com, on LinkedIn or through the swIDch website<br />

https://www.swidch.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 120<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Best Practices in <strong>Cyber</strong>security with Exhaustive Static Analysis<br />

to Secure Software Integrity<br />

Utilizing Rigorous Analysis Techniques to Detect and Eliminate Software Vulnerabilities<br />

By Gavin Hill, CMO, TrustInSoft<br />

Introduction<br />

<strong>The</strong> complexity of modern software systems, coupled with the increasing sophistication of cyber threats,<br />

underscores the critical need <strong>for</strong> robust security measures. Ensuring software integrity is not merely a<br />

technical necessity but a business imperative, as vulnerabilities and runtime errors can lead to severe<br />

financial, operational, and reputational damage. <strong>The</strong> Crowdstrike outage on July 19, <strong>2024</strong>, that impacted<br />

over 8.5 million Windows devices and a 13 percent drop in share prices shows the importance of software<br />

integrity and testing.<br />

TrustInSoft, a leader in application security testing tools and services, addresses these challenges<br />

through the innovative application of exhaustive static analysis. This technique offers a comprehensive<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 121<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


approach to detecting and eliminating vulnerabilities and runtime errors within software code, ensuring<br />

that applications are both reliable and secure. By leveraging exhaustive static analysis, organizations can<br />

significantly enhance their cybersecurity and operational posture, safeguarding their systems against a<br />

myriad of potential threats.<br />

Key Points:<br />

• Exhaustive static analysis rigorously examines software to detect and eliminate undefined<br />

behaviors, significantly reducing vulnerabilities that can lead to severe operational disruptions and<br />

security breaches.<br />

• By ensuring the integrity of embedded systems, exhaustive static analysis helps prevent runtime<br />

errors and operational interruptions, which are critical in industries such as automotive and<br />

aerospace.<br />

• TrustInSoft Analyzer helps organizations meet stringent industry standards like ISO 26262 and<br />

ISO 21434, ensuring their software meets functional requirements while achieving high security<br />

and reliability standards.<br />

<strong>The</strong> Challenge of Undefined Behaviors in Software<br />

Undefined behaviors (UBs) in software, particularly in languages like C and C++, present a significant<br />

cybersecurity challenge. UBs are code constructs that the language standard does not define, leading to<br />

unpredictable and often hazardous software behavior. <strong>The</strong>se behaviors can result in software crashes,<br />

data corruption, or vulnerabilities that attackers can exploit, making their identification and elimination<br />

crucial <strong>for</strong> software security.<br />

Consider the infamous case of the Ariane 5 rocket failure in 1996. <strong>The</strong> rocket, one of the most advanced<br />

of its time, exploded merely 37 seconds after launch due to a software error. <strong>The</strong> issue stemmed from<br />

an unhandled arithmetic overflow, an example of UB, during the conversion of a 64-bit floating-point<br />

number to a 16-bit integer. <strong>The</strong> failure resulted in a loss of over $370 million which was one of the most<br />

expensive software bugs of its time.<br />

Similarly, the Boeing 787 Dreamliner faced a critical software vulnerability related to an integer overflow.<br />

<strong>The</strong> software managing the aircraft's electrical systems contained a UB that could lead to a complete<br />

loss of power after 248 days of continuous operation. <strong>The</strong> potential risks associated with the UB could<br />

result in loss of life. This itself emphasizes the need <strong>for</strong> rigorous testing and validation processes to<br />

ensure software reliability and safety with <strong>for</strong>mal verification.<br />

<strong>The</strong> global outage caused by a CrowdStrike faulty update on July 19, <strong>2024</strong> was triggered by invalid<br />

memory usage, specifically a NULL pointer dereference in the C++ code. This resulted in widespread<br />

disruptions across various sectors, including banking, airlines, and media outlets. This type of runtime<br />

error, which is common in C++ applications, could have been detected and prevented through exhaustive<br />

static analysis with tools like TrustInSoft Analyzer.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 122<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Undefined behaviors often lie dormant within software, escaping detection during conventional testing<br />

phases. <strong>The</strong>se hidden vulnerabilities can be exploited by attackers to gain unauthorized access, execute<br />

arbitrary code, or disrupt normal operations. As software systems grow more complex, the likelihood of<br />

encountering UBs increases, posing a significant threat to both security and functionality.<br />

To mitigate these risks, exhaustive static analysis offers a powerful solution. This technique involves a<br />

thorough examination of the software code, identifying all possible states and behaviors to guarantee<br />

that no UB remains undetected. By systematically addressing these vulnerabilities, organizations can<br />

prevent potential exploits and enhance the overall security of their software applications.<br />

TrustInSoft's approach to exhaustive static analysis demonstrates best practices in addressing UBs. By<br />

integrating this method into their development workflows, organizations can achieve a higher level of<br />

assurance in their software's reliability and security. This proactive measure not only mitigates risks but<br />

also supports compliance with industry standards and regulations, further strengthening the cybersecurity<br />

framework of the organization.<br />

Importance of Exhaustive Static Analysis<br />

Exhaustive static analysis is a critical technique in ensuring software security and reliability. This method<br />

involves a thorough and comprehensive examination of the software code, utilizing abstract interpretation<br />

to evaluate all possible states and paths of a program. Unlike traditional static analysis, exhaustive static<br />

analysis guarantees the identification of all undefined behaviors (UBs), offering a higher level of<br />

assurance in detecting potential vulnerabilities.<br />

By leveraging abstract interpretation, exhaustive static analysis provides a mathematical guarantee of<br />

software correctness. This rigorous approach is essential in detecting and mitigating runtime errors that<br />

could lead to operational interruptions. For embedded systems, where software malfunctions can have<br />

severe consequences, exhaustive static analysis ensures the highest levels of safety and security.<br />

TrustInSoft Analyzer systematically explores every possible execution path and input combination in the<br />

software, identifying vulnerabilities that might be missed by other methods. This ensures that the software<br />

operates reliably and securely under all conditions, significantly reducing the risk of runtime errors and<br />

enhancing overall system stability.<br />

Best Practices <strong>for</strong> Implementing Exhaustive Static Analysis<br />

To maximize the benefits of exhaustive static analysis, organizations should adopt several best practices.<br />

<strong>The</strong>se guidelines will ensure effective integration of this powerful technique into the software<br />

development lifecycle.<br />

• Early Integration: Incorporate exhaustive static analysis early in the development lifecycle. By<br />

integrating this method at the initial stages, developers can detect and address vulnerabilities<br />

be<strong>for</strong>e they become deeply embedded in the software. Early detection reduces the cost and<br />

complexity of fixing bugs later in the process. For example, the average recall cost per vehicle is<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 123<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


about $500 in the automotive industry. With most modern cars containing up to 100 million lines<br />

of code there is a lot that can go wrong.<br />

• Continuous Integration and Deployment (CI/CD): Embed exhaustive static analysis tools into your<br />

CI/CD pipeline. Automated analysis during each build ensures that new code does not introduce<br />

new vulnerabilities. Continuous integration allows <strong>for</strong> regular checks, maintaining high standards<br />

of code quality and security.<br />

• Comprehensive Training: Provide thorough training <strong>for</strong> development teams on the use of<br />

exhaustive static analysis tools. Understanding how to effectively utilize these tools is crucial <strong>for</strong><br />

identifying and addressing vulnerabilities. TrustInSoft offers extensive support and resources to<br />

help teams master these techniques.<br />

• Regular Code Audits and Reviews: Conduct regular code audits and reviews using exhaustive<br />

static analysis. Continuous monitoring and analysis help maintain high standards of code quality<br />

and security. Regular reviews ensure that any new vulnerabilities introduced during development<br />

are promptly identified and addressed.<br />

• Focus on Critical Code Paths: Prioritize the analysis of critical code paths, especially in embedded<br />

systems where operational interruptions can have severe consequences. Ensuring the reliability<br />

of these paths is key <strong>for</strong> system stability and security. By focusing on high-risk areas, developers<br />

can mitigate the most significant threats to software integrity.<br />

By following these best practices, organizations can effectively integrate exhaustive static analysis into<br />

their development workflows, ensuring robust and secure software.<br />

Addressing Common <strong>Cyber</strong>security Challenges with Static Analysis<br />

Exhaustive static analysis addresses numerous cybersecurity challenges by employing abstract<br />

interpretation, a technique that evaluates all possible states and paths of a program, namely:<br />

• Managing Software Complexity: As software systems become more complex, the risk of<br />

introducing UBs and runtime errors increases. Exhaustive static analysis, using abstract<br />

interpretation, provides a thorough solution by evaluating all possible states and paths, ensuring<br />

that no UB goes undetected. This meticulous approach is crucial <strong>for</strong> maintaining the integrity and<br />

security of complex software systems, especially in industries like automotive and aerospace,<br />

where embedded systems play a critical role.<br />

• Ensuring Continuous Feature Updates: Continuous updates are necessary to maintain software<br />

relevance and functionality. However, these updates can introduce new vulnerabilities. By<br />

integrating exhaustive static analysis into the development workflow, organizations can<br />

confidently release updates without compromising security, thus preventing operational<br />

interruptions.<br />

• Mitigating Internal and External Threats: By detecting vulnerabilities early, exhaustive static<br />

analysis mitigates the risk of both internal and external threats. This proactive approach prevents<br />

potential exploits that could lead to data breaches or system failures. TrustInSoft Analyzer’s ability<br />

to identify runtime errors and UBs is crucial <strong>for</strong> protecting software from both malicious attacks<br />

and accidental errors, which can be particularly damaging in embedded systems.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 124<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


• Embedded Systems Security: For embedded systems, which are often critical in applications such<br />

as automotive, aerospace, and telecommunications, ensuring software security is paramount.<br />

Exhaustive static analysis helps identify and eliminate vulnerabilities that could lead to operational<br />

interruptions or safety hazards.<br />

Compliance with Industry Standards<br />

Adhering to industry standards is crucial <strong>for</strong> ensuring software safety and security. Exhaustive static<br />

analysis helps organizations meet compliance requirements such as ISO 26262 <strong>for</strong> automotive safety<br />

and ISO 21434 <strong>for</strong> cybersecurity in road vehicles. By providing a mathematical guarantee of software<br />

correctness, TrustInSoft Analyzer supports the rigorous verification needed to achieve and maintain<br />

these standards.<br />

• Automotive Industry Compliance: <strong>The</strong> ISO 26262 standard outlines the requirements <strong>for</strong><br />

functional safety in automotive systems. TrustInSoft Analyzer helps automotive companies<br />

comply with this standard by ensuring that their software is free from UBs and runtime errors. This<br />

rigorous analysis supports the development of safe and reliable automotive systems, reducing<br />

the risk of operational interruptions and safety incidents.<br />

• Aerospace Industry Compliance: In the aerospace industry, software must comply with standards<br />

such as DO-178C, which sets the guidelines <strong>for</strong> software used in airborne systems. TrustInSoft’s<br />

exhaustive static analysis ensures that aerospace software meets these stringent requirements,<br />

providing a high level of assurance in the software’s reliability and safety.<br />

• <strong>Cyber</strong>security Standards: For cybersecurity compliance, standards like ISO 21434 focus on the<br />

security of road vehicles. TrustInSoft Analyzer’s ability to detect and eliminate vulnerabilities<br />

supports compliance with these standards, ensuring that automotive software is secure against<br />

potential cyber threats. This compliance is essential <strong>for</strong> maintaining the trust and safety of<br />

automotive systems in an increasingly connected world.<br />

By adopting exhaustive static analysis and leveraging tools like TrustInSoft Analyzer, organizations can<br />

ensure that their software meets the highest standards of safety and security. This proactive approach<br />

not only mitigates risks but also supports compliance with industry standards, strengthening the<br />

cybersecurity framework of the organization.<br />

Guaranteeing Software Integrity with Mathematical Precision<br />

Exhaustive static analysis, with its comprehensive and rigorous approach, provides a robust solution to<br />

the complex challenges of software security. By adopting best practices <strong>for</strong> implementation and<br />

leveraging advanced tools like TrustInSoft Analyzer, organizations can safeguard their systems against<br />

vulnerabilities and achieve compliance with industry standards. As the cybersecurity landscape continues<br />

to evolve, the importance of rigorous software verification through exhaustive static analysis will only<br />

increase, securing the future of software development. As we look to the future, the integration of such<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 125<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


igorous methods will be paramount in defending against the complexities and dangers of an increasingly<br />

connected world.<br />

About the Author<br />

Gavin Hill is the Chief Marketing Officer at TrustInSoft where he is<br />

responsible <strong>for</strong> go-to-market strategy and execution of products and<br />

services. He has held leadership positions in Product Management, Product<br />

Marketing and Marketing at Human Security, Secureworks, Bitdefender,<br />

Bromium (HP), Venafi and Trend Micro. With 25 years’ experience in cyber<br />

security, he has a broad range of knowledge, including Application Security,<br />

Email Security, Cloud Security, Encryption, PKI, Keys & Certificates,<br />

Endpoint Security, EDR, Network Traffic Analytics, Isolation, Hypervisor<br />

Security, Sandboxing, and VDI Security.<br />

Gavin can be reached online at gavin.hill@trust-in-soft.com and at our<br />

company website https://www.trust-in-soft.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 126<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Embracing <strong>The</strong> Intersection of Ethics and Digital Trust<br />

In today's rapidly evolving technological landscape, the intersection of ethics and digital trust is<br />

becoming increasingly critical.<br />

By Pablo Ballarín, ISACA Emerging Trends Working Group, ISACA<br />

<strong>The</strong> Ethical Dimension of Emerging Technologies<br />

Ethics, fundamentally, deals with moral values and codes of conduct within societies and social groups.<br />

Traditionally, ethical considerations have permeated various human domains such as politics and<br />

business. However, in the 1970s, this influence expanded significantly into healthcare, medicine,<br />

biological research, biotechnology, and environmental issues. This expansion gave birth to bioethics,<br />

which addresses critical concerns like organ donation and transplantation, genetic research, assisted<br />

dying, and environmental conservation.<br />

Today, as we confront the challenges posed by emerging technologies, we face new ethical risks such<br />

as various <strong>for</strong>ms of bias, lack of transparency, addiction, in<strong>for</strong>mation bubbles, social manipulation, and<br />

threats to democracies, which are evident in elections worldwide.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 127<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Addressing Ethical Challenges in AI and Emerging Technologies<br />

Recent years have seen the development of ethical frameworks and legislation specifically tailored to AI<br />

and other emerging technologies. <strong>The</strong>se frameworks aim to translate ethical theories into actionable<br />

steps <strong>for</strong> creating responsible technologies. However, the key questions now arise: What are the<br />

fundamental principles of these frameworks? How can we effectively implement them, and what types of<br />

competencies are required to do so?<br />

<strong>The</strong>se questions are crucial as we endeavor to balance technological advancement with ethical<br />

responsibility. Ensuring that progress benefits society while safeguarding fundamental values and rights<br />

is a delicate balancing act.<br />

European Business and IT Professionals Utilise AI with Limited Organisational Training<br />

A recent ISACA study highlights a critical issue: European business and IT professionals are increasingly<br />

utilizing AI with limited organizational training. This gap in training can lead to significant ethical and<br />

cybersecurity challenges. Without proper training, professionals may inadvertently deploy AI systems<br />

that are biased, lack transparency, or are vulnerable to cyber threats. <strong>The</strong> study emphasizes the need<br />

<strong>for</strong> comprehensive training programs that encompass both technical and ethical dimensions of AI. This<br />

aligns with the importance of integrating ethical and trust considerations into the development and<br />

deployment of AI technologies. A professional way to handle these issues is offered by auditing tools<br />

such as the AI Audit Toolkit by ISACA. It provides a structured approach to evaluate the ethical and<br />

technical aspects of AI implementations including guidelines <strong>for</strong> assessing compliance with ethical<br />

frameworks, identifying biases, and ensuring transparency.<br />

<strong>The</strong> Trust Gap: Companies Value Digital Trust but Little Progress is Being Made to Implement It<br />

Another significant issue is the trust gap in digital technologies. According to an ISACA report, while<br />

companies value digital trust, there is little progress in implementing it. This gap can undermine the<br />

effectiveness of both cybersecurity measures and ethical frameworks. Building digital trust requires a<br />

holistic approach that integrates ethical principles into all aspects of technology development and<br />

deployment, as stated in the ISACA paper "Using the Digital Trust Ecosystem Framework to Achieve<br />

Trustworthy AI." This includes transparent communication, robust security measures, and a commitment<br />

to ethical standards.<br />

As we navigate an era where technology profoundly impacts every aspect of life, it is essential to integrate<br />

ethical considerations into our approach to cybersecurity. In this context, the upcoming ISACA Europe<br />

Conference <strong>2024</strong> on October 23 - 25 will explore these issues in depth, providing a plat<strong>for</strong>m <strong>for</strong> experts<br />

and practitioners to share insights and strategies. Presentations will explore how digital trust and ethical<br />

frameworks can in<strong>for</strong>m the development and deployment of emerging technologies, drawing on lessons<br />

from bioethics and recent developments in AI ethics. Among the speakers, author Pablo Ballarin will be<br />

presenting a session titled "Ethics, Dilemmas, and Digital Trust with AI."<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 128<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


For more in<strong>for</strong>mation on the ISACA Europe Conference <strong>2024</strong> and to register, visit ISACA Europe<br />

Conference.<br />

About the Author<br />

Pablo Ballarín, who is active in the ISACA Emerging Trends Working Group,<br />

is an experienced cybersecurity professional with over 25 years in the field,<br />

specializing in in<strong>for</strong>mation security, risk management, and compliance.<br />

Pablo has extensive experience in working with global organizations,<br />

including telecommunications companies, public agencies, retailers and<br />

financial institutions. He is a recognized speaker and educator in<br />

cybersecurity, holding different industry certifications, and frequently<br />

appears on different Spanish media discussing the challenges of technology<br />

and its impact on society.<br />

Website: www.isaca.org<br />

Twitter: www.twitter.com/ISACANews<br />

LinkedIn: www.linkedin.com/company/isaca<br />

Facebook: www.facebook.com/ISACAGlobal<br />

Instagram: www.instagram.com/isacanews<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 129<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Driving Security Forward: How Automakers Can Stay Ahead of<br />

<strong>Cyber</strong> Threats and Compliance Challenge<br />

By Oron Lavi, Chief Technology Officer and Co-Founder, Argus <strong>Cyber</strong> Security<br />

As technology revolutionizes the way OEMs build cars, this software-powered shift has also introduced<br />

new risks and challenges. As cars become more connected, they are exposed to more cyber security<br />

threats. Software vulnerabilities and open-source code can be exploited by hackers to compromise<br />

safety-critical systems, access personal data, or even start a car from a remote location. In addition, due<br />

to the increasing complexity of the vehicle software ecosystem, integration and maintaining code quality<br />

have also become more difficult.<br />

Let's examine some practical steps that OEMs and Tier 1 suppliers can take to reduce security risks,<br />

achieve regulatory compliance, and streamline the automotive software development cycle.<br />

Meeting regulatory expectations<br />

Over the last few years, we have seen dramatic changes in standardization and regulation of cyber<br />

security practices in automotive. Some notable ones are ISO 21434, ASPICE cybersecurity extension<br />

and UNR155, which have become a de-facto way of ensuring a cyber security-minded development<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 130<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


process and product. While UNR155 is mostly applicable in the EU, many other countries follow it or<br />

have similar guidelines or regulations in place. Moreover, due to the global nature of the automotive<br />

market, EU regulation has a tremendous impact on non-EU manufacturers as well.<br />

With the introduction of such expectations, the industry is slowly shaping itself to comply and meet these<br />

new requirements. This is a slow process, which has an impact on many different departments of all<br />

automotive manufacturers and their suppliers. It also has an impact on auditors and assessors who need<br />

to learn how to inspect that the new regulatory expectations are met.<br />

<strong>The</strong>se changes introduce new steps into the development cycle, and throughout the rest of the vehicle<br />

lifecycle (production, post-production, etc.). New ef<strong>for</strong>ts mean additional work and increased costs <strong>for</strong><br />

manufacturers.<br />

So how are OEMs and Tier 1s coping with these new ef<strong>for</strong>ts, which require the investment of more time<br />

and materials into an already extremely tight project framework?<br />

Shift left and automation<br />

<strong>The</strong> answer is doing what all industries have always done. If you consider how automotive manufacturers<br />

and suppliers deal with quality aspects, you’ll see there is an ongoing ef<strong>for</strong>t to per<strong>for</strong>m verification and<br />

validation as early in the process as possible (“shift left”) <strong>for</strong> each phase. By doing so, manufacturers<br />

reduce the impact of a potential mistake and the time it takes to fix it.<br />

<strong>The</strong> other key element is automation. This is especially true <strong>for</strong> situations that require large scale. By<br />

automating the processes of requirement tracing, deployment, per<strong>for</strong>mance analysis, functional testing<br />

and others, each small change can be tested and undesired impacts on the project and product can be<br />

immediately reported and addressed.<br />

As the industry implements tools and processes to meet the new cyber security regulatory requirements,<br />

it’s becoming clear that the same principles still hold. Slowly, we are seeing an emerging landscape of<br />

tools and methods <strong>for</strong> automating and “shifting left” the necessary cyber security phases that help reduce<br />

the ef<strong>for</strong>t and time required to meet compliance.<br />

Working smarter, not harder (in practice!)<br />

Part of what we do at Argus is supporting automotive companies with their processes related to cyber<br />

security and regulatory compliance. Through these interactions, we’ve identified some useful actions an<br />

OEM/supplier can take to become more efficient in implementing cyber security. For example, using<br />

internal expertise more effectively and relying less on outsourcing certain activities.<br />

In this context, two important activities mandated by these new regulations that can help OEMs and Tier<br />

1 suppliers detect and resolve security issues early in the development process are penetration testing<br />

(fuzz testing) and vulnerability management.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 131<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Automated fuzz testing<br />

Fuzz testing is a software testing technique that involves feeding invalid, unexpected, or random data<br />

inputs to a program in order to uncover vulnerabilities, bugs, or unexpected behaviors. In the context of<br />

the automotive industry, fuzzing is used to assess the security and robustness of automotive software<br />

systems. For fuzzing to be effective, it must take into account automotive protocols, use cases and<br />

automated testing procedures. If implemented correctly, such tests will reveal flaws and vulnerabilities<br />

with minimal ef<strong>for</strong>t in the early project stages and beyond.<br />

Most manufacturers today rely heavily on simulation systems to check the end product <strong>for</strong> functionality<br />

and safety. While there are many different implementations and vendors of such simulation and testing<br />

products, some are beginning to offer “cyber security” suites or tools as part of their solution. By deploying<br />

an automated Fuzzing test into your HIL/SIL setup, you can automatically increase the level of security<br />

in the system. Some products even provide automated reports referencing regulatory requirements<br />

tested by specific tests, so these can be easily used as evidence to achieve compliance.<br />

Not just fuzzing<br />

<strong>The</strong>re are many other tools which can be used by the development or testing team to more easily detect<br />

security issues that are not necessarily part of a heavy-duty Hardware-in-the-Loop/Software-in-the-Loop)<br />

(HIL/SIL) system. Some tools are open source and completely free. One such example is “pythonudsoncan”.<br />

This utility can be used by an engineer to interact with a UDS server in different ways and<br />

detect security flaws. Taking this one step further, an engineer with sufficient security expertise could<br />

create automated tests to ensure the correctness of the UDS functionality from a security perspective,<br />

and have these tests executed with every new software version.<br />

Vulnerability Management<br />

As vehicles become more and more software based, with more software libraries from different sources<br />

being integrated together, the risk of one of these pieces of code containing a vulnerability increases.<br />

What happens if two years after a vehicle hits the road, a vulnerability is published which affects one of<br />

the software libraries used in the vehicle? How do you know which vehicles are affected? How do you<br />

assess the potential impact and how do you respond?<br />

This issue has been addressed by regulations and standards such as UNR 155 and ISO 21434 which<br />

directly require that a Software Bill Of Materials (SBOM) be kept and tracked throughout the vehicle<br />

lifetime. <strong>The</strong> SBOM should be continuously monitored, so newly published vulnerabilities are quickly<br />

identified and addressed. This activity must be done at an early stage of a project. By scanning your<br />

software early, automatically and with every new version, any known vulnerabilities that were introduced<br />

into the product are detected immediately, and can be addressed by the responsible engineer or<br />

supplier.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 132<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Per<strong>for</strong>ming this kind of scan only at a late release stage can create delays and/or a situation where risky<br />

compromises must be taken. A proper Vulnerability Management solution - one that automatically<br />

generates the SBOM from each new software release and provides a report of known vulnerabilities that<br />

affect it - dramatically reduces manual ef<strong>for</strong>ts involved in identifying and treating these issues.<br />

Bottom Line<br />

In today's complex software-driven ecosystem, vehicle manufacturers have come to realize the<br />

importance of integrating security measures early in the development process. This "shift left" security<br />

approach enables automotive software developers to improve the overall quality and security of their<br />

products, while at the same time accelerating time-to-market and reducing development costs.<br />

Incorporating advanced cyber security tools and processes, such as fuzz testing and vulnerability<br />

management, as an integral part of the software development process can help OEMs and Tier 1s to<br />

streamline product development and meet their compliance objectives.<br />

About the Author<br />

Oron Lavi is the Chief Technology Officer and Co-Founder of Argus <strong>Cyber</strong> Security,<br />

a pioneering company established in 2014. With a wealth of experience in the tech<br />

industry, Oron previously served as a senior software engineer at Sales<strong>for</strong>ce.com<br />

and as the CTO at CBVW. He holds a Bachelor of Science degree in Computer<br />

Engineering, graduating magna cum laude from Tel Aviv University.<br />

Oron can be reached online at https://www.linkedin.com/in/oron-lavi-10777b3/ and<br />

at our company website https://argus-sec.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 133<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Best Practices <strong>for</strong> Effective Privileged Access Management<br />

(PAM)<br />

By Marcus Scharra, CEO at senhasegura<br />

Privileged accounts are highly coveted targets <strong>for</strong> malicious attackers due to the extensive access they<br />

provide. According to the <strong>2024</strong> Verizon Data Breach Investigation Report, nearly 40% of data breaches<br />

involve privileged accounts. Additionally, breaches involving these accounts incur higher costs. Research<br />

from IBM and the Ponemon Institute indicates that while the average cost of a data breach is $4.35<br />

million, breaches involving privileged accounts average $4.50 million.<br />

<strong>The</strong>se accounts, often referred to as "keys to the kingdom," enable critical actions such as modifying<br />

system settings or transferring financial resources. <strong>The</strong> proliferation of privileged accounts, driven by<br />

digital trans<strong>for</strong>mation initiatives like 5G, cloud computing, and IoT, has compounded the challenge. With<br />

stringent regulatory requirements such as GDPR (Europe), LGPD (Brazil), and CCPA (Cali<strong>for</strong>nia),<br />

protecting privileged credentials is essential <strong>for</strong> reducing cyber risks, avoiding hefty fines, and ensuring<br />

business continuity.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 134<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Challenges in Privileged Access Management<br />

• Discovery and Management: Identifying and managing all privileged access is a significant<br />

challenge, especially with the shift to cloud environments (IaaS and PaaS) and development<br />

settings.<br />

• Third-Party Access: <strong>The</strong> rise in third-party consultants, vendors, and experts necessitates<br />

temporary privileged access. <strong>The</strong> Ponemon Institute found that 66% of companies are unaware<br />

of the number of third-party relationships they have or how they are managed. Furthermore, 61%<br />

have experienced breaches associated with third parties.<br />

• Privilege Abuse: Implementing the Principle of Least Privilege (PoLP) is difficult due to the<br />

complexity of determining necessary privileges and the time required to assign them. Excessive<br />

permissions can be exploited by attackers if not revoked timely.<br />

• Insider Threats: Traditional security models based on perimeter defense are inadequate as<br />

threats increasingly come from within. <strong>The</strong> <strong>2024</strong> Verizon Data Breach Investigation Report states<br />

that 40% of data breaches are caused by internal actors.<br />

• Stolen Credentials: Phishing and social engineering attacks lead to credential theft. Verizon’s<br />

DBIR report indicates that nearly 40% of breaches occur through stolen credentials.<br />

Customer Preferences and Requirements <strong>for</strong> PAM Adoption<br />

• Flexibility: PAM solutions must adapt to various deployment topologies and integrate seamlessly<br />

with existing methodologies and infrastructure, including support <strong>for</strong> different configurations <strong>for</strong><br />

high availability and disaster recovery.<br />

• Scalability: Essential <strong>for</strong> accommodating a range of organizational sizes and workloads, including<br />

managing multiple deployment locations and supporting numerous concurrent users.<br />

• Usability: A user-friendly PAM solution reduces training ef<strong>for</strong>ts and minimizes disruption to daily<br />

operations.<br />

• Integration: Compatibility with multiple assets, including legacy systems, is critical <strong>for</strong> a smooth<br />

adoption process.<br />

• Compliance and Reporting: With growing regulatory requirements, PAM solutions must offer<br />

comprehensive auditing and reporting features to help organizations comply with regulations like<br />

LGPD, GDPR, HIPAA, and SOX. This includes detailed logs of privileged access and actions<br />

taken during those sessions.<br />

• Cost-Effectiveness: Balancing advanced security features with cost-efficiency is crucial <strong>for</strong><br />

organizations seeking the best value <strong>for</strong> their investment.<br />

Best Practices <strong>for</strong> Implementing a PAM Program<br />

• Stakeholder Mapping and Requirements: Identify stakeholders and key PAM requirements across<br />

different organizational areas. Define roles and responsibilities, and establish groups <strong>for</strong> access<br />

segregation. Securing top management support is critical from the project's inception.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 135<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


• Milestone-Based Implementation: Implement PAM in stages, starting with basic use cases be<strong>for</strong>e<br />

advancing to more complex ones. This phased approach ensures steady progress and minimizes<br />

disruption.<br />

• Mapping Use Cases to PAM Functionalities: Align identified use cases with appropriate PAM<br />

functionalities. Deploy specialized PAM tools like senhasegura to address specific needs. Select<br />

vendors based on availability, compliance, and support capabilities, and conduct a Proof of<br />

Concept (PoC) to determine the best fit.<br />

• User Training: Ensure that users understand the benefits of PAM and are adequately trained to<br />

operate the deployed tools. Effective training fosters better adoption and compliance.<br />

• Continuous Monitoring and Improvement: Regularly review and update PAM policies and<br />

practices to adapt to evolving threats and organizational changes. Continuous monitoring ensures<br />

that privileged access remains secure.<br />

Conclusion<br />

<strong>Cyber</strong>attacks are inevitable, and their impact can be devastating. Privileged credentials are often at the<br />

center of these attacks, making a robust PAM program essential. By following these best practices and<br />

considering key customer preferences, organizations can significantly enhance their cybersecurity<br />

posture and reduce the risks associated with privileged access. Implementing a comprehensive PAM<br />

strategy should be a top priority <strong>for</strong> in<strong>for</strong>mation security leaders across all industries.<br />

By focusing on these critical areas, organizations can better protect their sensitive assets, comply with<br />

regulatory requirements, and ensure long-term business resilience.<br />

About the Author<br />

Marcus Scharra, Co-Founder and CEO at senhasegura, a computer<br />

engineer and has a master’s degree from São Paulo’s University in<br />

In<strong>for</strong>mation Security and Artificial Intelligence <strong>for</strong> pattern recognition in<br />

corporate environments using artificial neural networks.<br />

With a series of articles and published works, he’s been an entrepreneur <strong>for</strong><br />

over twenty years, as the founder of six tech companies. senhasegura is one<br />

of the solutions developed by the first of its companies, MT4 Technology,<br />

currently present in more than 60 countries. In the last few years,<br />

senhasegura was placed as a Leader by many analysts, such as KuppingerCole and Software Reviews,<br />

and considered by Gartner as a Challenger technology in the 2021 Magic Quadrant report <strong>for</strong> PAM. His<br />

companies have received several renowned recognitions, such as the ISC² Annual Americas In<strong>for</strong>mation<br />

Security Leadership Awards.<br />

LinkedIn Profile: www.linkedin.com/in/marcusscharra/<br />

Company Profile: https://senhasegura.com/<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 136<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Is Plat<strong>for</strong>m Engineering a Step Towards Better Governed DevOps?<br />

By Kapil Tandon, VP of Product Management <strong>for</strong> Per<strong>for</strong>ce<br />

Since 2010, Puppet’s annual State of DevOps Report has tracked trends in IT, including security and,<br />

more recently, the growth of plat<strong>for</strong>m engineering. <strong>2024</strong>’s edition, which includes the results of a survey<br />

of over 600 IT professionals worldwide, shows that security and plat<strong>for</strong>m engineering are now closely<br />

intertwined, with plat<strong>for</strong>m engineering teams now taking on more responsibility <strong>for</strong> security. Plus, the<br />

results show that these teams are making a tangible difference.<br />

Be<strong>for</strong>e diving into more details, it is crucial to understand what plat<strong>for</strong>m engineering provides. Plat<strong>for</strong>ms<br />

aim to give end users — especially software developers within organizations — fast and simplified selfservice<br />

access to the technologies they need to do their jobs. <strong>The</strong>se plat<strong>for</strong>ms are managed by plat<strong>for</strong>m<br />

engineering teams, who provision and manage all workflows, tools, and plat<strong>for</strong>ms involved. Plat<strong>for</strong>m<br />

engineers typically come under operations or engineering as part of teams or separate ones. <strong>The</strong>y could<br />

even be part of product teams. <strong>The</strong>ir area of focus is ensuring that their primary customer, the developers,<br />

get what they need to deliver at speed on the organizational needs.<br />

Plat<strong>for</strong>m engineering is not just some fad. Gartner has predicted that 80% of global organizations plan to<br />

have a team dedicated to plat<strong>for</strong>m engineering by 2026. <strong>The</strong> State of DevOps Report found that 43% of<br />

respondents have had a plat<strong>for</strong>m team <strong>for</strong> at least three years and a quarter <strong>for</strong> six to nine years. 65%<br />

said that plat<strong>for</strong>m engineering teams will receive continued investment.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 137<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Plat<strong>for</strong>m engineering offers multiple benefits to businesses and their employees. First, it reduces the<br />

volume of support requests to IT operations teams, allowing them to focus on tasks other than firefighting.<br />

Second, developers can concentrate on their core work, knowing that what they need is being provided<br />

without the need to search <strong>for</strong> it or verify its accuracy.<br />

<strong>The</strong> value of all this cannot be underestimated, given the growing complexity and scale of many software<br />

development environments today. Software development is the point at which vulnerabilities can occur,<br />

leaving the door open <strong>for</strong> future exploitation. Think of plat<strong>for</strong>m engineering teams as the protective barrier<br />

between developers and potential chaos.<br />

And it is working. When asked about the benefits of plat<strong>for</strong>m engineering, 31% of respondents in the<br />

State of DevOps survey reported a reduced risk of security breaches. Improved compliance and security<br />

was also the third-highest use case (49%), surpassed only by improved productivity and automated,<br />

standardized processes.<br />

This demonstrates a significant shift in DevOps: security is being integrated up-front and considered right<br />

at the start of plat<strong>for</strong>m strategies. 70% claim that security was built into their plat<strong>for</strong>ms from the beginning.<br />

A further 60% cite security and compliance as the leading benefit of plat<strong>for</strong>m engineers. This is a sea<br />

change. Previously, while security may have been acknowledged as necessary, implementation was<br />

typically left to individual teams to implement.<br />

With plat<strong>for</strong>m engineering, security management can become controlled and consistent across<br />

organizations. In addition, they are increasingly likely to have a plat<strong>for</strong>m dedicated to security (and other<br />

plat<strong>for</strong>ms <strong>for</strong> other functions). Having specialized plat<strong>for</strong>ms allows teams to focus on the excellence of<br />

what they do rather than over-centralizing and <strong>for</strong>cing people to potentially use tools and take on<br />

responsibilities they don’t want or need. <strong>The</strong> survey found that 56% have five or more plat<strong>for</strong>ms, with<br />

almost 10% reporting they have at least 10.<br />

Plat<strong>for</strong>m engineering has evolved significantly in just a few years, and its value is now well understood<br />

by many organizations. We see it as a crucial stepping stone in creating more governed DevOps.<br />

Embracing plat<strong>for</strong>m engineering’s contributions to better security and compliance is important, as is<br />

managing an estate that is continuously patched to ensure uptime. <strong>The</strong> trend of delivering patches to the<br />

estate automatically, rather than through manual patch management, is growing and is expected to<br />

continue throughout <strong>2024</strong> and beyond.<br />

About the Author<br />

Kapil Tandon is the VP of Product Management <strong>for</strong> Per<strong>for</strong>ce Software. He has more<br />

than 25 years of experience in product roles within tech, and has previously served<br />

as the VP of product growth <strong>for</strong> Tricentis and as a principal PM lead <strong>for</strong> Microsoft.<br />

Tandon holds a master’s in marketing from Pace University. Kapil Tandon can be<br />

reached online at kapil.tandon@per<strong>for</strong>ce.com, https://x.com/kapilt,<br />

https://www.linkedin.com/in/kapilt/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 138<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Russia, Apple, And the New Front Line in <strong>The</strong> Fight <strong>for</strong> Internet<br />

Freedom<br />

By Sebastian Schaub, CEO, hide.me<br />

Russia's reputation <strong>for</strong> suppressing internet freedom and free expression is well documented. VPNs have<br />

long had a contentious relationship with the Russian state, and in recent years they have been permitted<br />

only if they are approved by the government. Earlier this year, the Russian government went a step<br />

further, turning the screw on internet freedom by making it illegal to provide public instructions <strong>for</strong> setting<br />

up a VPN.<br />

At the time, it was clear that this escalation would mark a steady and insidious move towards total online<br />

censorship, with the end goal of dismantling the very frameworks that support the existence of VPNs and<br />

their continued development.<br />

And then last week, the Kremlin's internet regulator, Roskomnadzor, went even further. In a striking move,<br />

Apple – the $3.6 trillion market cap tech giant – has removed 25 VPN services from the Russian App<br />

Store at Roskomnadzor's request. Our app, hide.me, is one of them.<br />

<strong>The</strong>re are two key issues here that are deeply worrying and pose a grave threat to internet freedom.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 139<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Firstly, when state bodies <strong>for</strong>ce private companies to remove or change their services or products, it’s a<br />

serious problem. This is true in repressive regimes and liberal democracies alike. You might argue,<br />

"Apple Inc. is a multi-trillion-dollar company with immense power, surely it can handle some government<br />

pressure?"<br />

However, the Russian VPN ban illustrates why this argument is fundamentally flawed and even<br />

dangerous. Most would agree that Roskomnadzor pressuring Apple to remove 25 VPNs from the App<br />

Store is bad. It’s the people – us, you, those advocating <strong>for</strong> a freer world – who suffer. Limiting the power<br />

of a tech giant like Apple only strengthens the state's hand.<br />

In this case, hostility to internet freedom looks like an obviously authoritarian state coercing a private<br />

company into restricting its citizens' internet access. It's easy to see Russia's actions as wrong and<br />

harmful. But remember, whenever any government – whether ‘good’ or ‘bad’ – tries to control the tech<br />

we access, there are significant risks.<br />

What’s particularly frustrating about this case is that many of these VPNs are developed by people who<br />

understand Russia’s censorship machine intimately, designing their products to bypass state restrictions.<br />

<strong>The</strong> fact that Apple felt enough pressure to ban these apps outright, something the Russian authorities<br />

haven’t always achieved effectively themselves, is deeply disappointing.<br />

This brings me to the second, bigger issue: the state of internet freedom.<br />

It is terrifying that free and uninhibited internet access can be so easily taken away from individuals in<br />

authoritarian regimes. Governments that control what citizens can see and access feed the oppression<br />

machine. At hide.me, one of our core principles is universal access to a free and open internet. We<br />

believe fiercely in the power of in<strong>for</strong>mation to break free from oppression, and we believe in VPNs as a<br />

vehicle <strong>for</strong> accessing this in<strong>for</strong>mation, protecting user privacy, and freeing communities from statecontrolled<br />

narratives. A free world needs access to a free and open internet.<br />

So, what can be done?<br />

Sadly, hostility to VPNs isn’t new <strong>for</strong> Russia, and hide.me won’t be the last VPN to face the wrath of<br />

Russia’s internet regulators.<br />

But if Apple wants to be bold, to stand <strong>for</strong> internet freedom and the rights of users everywhere – not just<br />

in America or the Western world – then it should take a page from Mozilla Firefox’s book. Just last month,<br />

several of Mozilla’s browser extensions were suddenly made unavailable in Russia at Roskomnadzor's<br />

request. Mozilla initially complied, considering regulatory implications and the safety of their staff and<br />

community, but then they did something remarkable: they reinstated the extensions.<br />

This bold move should be championed. Internet freedom won’t die overnight; if we lose it, it’ll be because<br />

we stood by and watched as it was gradually chipped away. And while it’s true that individuals will always<br />

find ways to push back against state control, it’s a dark day when the tools to do so are taken away. This<br />

demonstrates a clear intent from these states to control the flow of in<strong>for</strong>mation completely.<br />

All of us who care about internet freedom – tech giants included – must push back against oppressive<br />

regulators and make a stand <strong>for</strong> freedom of expression and access to a free internet. Companies like<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 140<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Apple ultimately have the power and responsibility to resist these state pressures and set a precedent<br />

<strong>for</strong> defending digital rights. <strong>The</strong> stakes are high, and the cost of inaction is the erosion of our fundamental<br />

freedoms.<br />

What’s next? Well, it’ll be interesting to watch how Apple plays its cards now. Will they capitulate to<br />

authoritarian demands, or will they champion the cause of internet freedom?<br />

<strong>The</strong> world is watching, and the future of a free and open internet hangs in the balance.<br />

About the Author<br />

Sebastian Schaub is the CEO and founder of hide.me VPN and he has been<br />

working in the internet security industry <strong>for</strong> over a decade. He started hide.me<br />

VPN to make internet security and privacy accessible to everybody.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 141<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> Traditional Advocates of the Security Perimeter Don't Want<br />

You to Know about Data-Centric Security<br />

<strong>The</strong> Crucial Role of Data-Centric Security in Today's Enterprises<br />

By Luis Ángel del Valle, CEO, SealPath Technologies<br />

In an era defined by continuous media announcements of organizations that have suffered both<br />

government and private data breaches and thefts, the security of this invaluable asset has never been<br />

more of prime importance. Every day, enterprises face the daunting task of safeguarding sensitive<br />

in<strong>for</strong>mation against an ever-evolving array of threats. As someone who has navigated the complexities<br />

of data security <strong>for</strong> over a decade, I have witnessed firsthand the shifting paradigms and challenges that<br />

organizations encounter. This article aims to illuminate the path <strong>for</strong>ward, proposing a fundamental<br />

realignment towards data-centric security as a robust approach to the pressing concerns of today. Join<br />

me in exploring why adopting this strategy is not only strategic but essential <strong>for</strong> enterprises aiming to<br />

thrive in this context.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 142<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Data Security Concerns in the Modern Enterprise Context<br />

Today's businesses operate in an environment where traditional security perimeters have all but<br />

dissolved. <strong>The</strong> transition to remote work and ‘Bring-Your-Own-Device’ (BYOD) policies, a direct<br />

consequence of recent global events, has further exacerbated this trend. <strong>The</strong>se blurred lines, combined<br />

with the sophistication of modern cyber threats, have significantly heightened the risks of data breaches,<br />

reputation damage, and regulatory penalties.<br />

Data breaches rose by 72% between 2021 and 2023 according to the 2023 Data Breach Report by <strong>The</strong><br />

Identity <strong>The</strong>ft Resource Center (ITRC), which has underscored the importance of robust data security.<br />

<strong>The</strong> main risks include phishing attacks, Zero-Day vulnerabilities, malware infections such as<br />

ransomware, insider threats, and insufficient encryption, all of which can result in significant financial loss,<br />

$4.45 million on average according to IBM Cost of a Data Breach Report 2023. Since 2020, the average<br />

cost of a data breach has increased 15.3% from $3.86 million. <strong>The</strong> costs are expected to reach $5 million<br />

within the next few years based on this trend.<br />

Since <strong>Cyber</strong>criminals have discovered new ways to profit, they have not stopped evolving, and they know<br />

that data is a gold mine. <strong>The</strong>ir main motivation is to gain access to the most critical documents and data<br />

of companies to make a profit.<br />

At the heart of these concerns lies the challenge of controlling who can access data, under what<br />

conditions, and ensuring that it remains protected – regardless of its location. <strong>The</strong> stakes are higher than<br />

ever, as data exfiltration can mortally wound an organization's standing, not to mention the severe<br />

implications imposed by ever-tightening regulations across the globe.<br />

Towards a Data-Centric Security Approach<br />

To address these growing concerns, a paradigm shift<br />

is essential. Moving toward a data-centric security<br />

approach ensures that the focus is placed squarely on<br />

protecting the data itself, irrespective of where it<br />

resides. This strategy offers a solution that aligns with<br />

the current organizational landscape, where data flows<br />

freely beyond the confines of traditional network<br />

borders. By encrypting the data and controlling access<br />

directly, we create a resilient protective layer that<br />

moves with the in<strong>for</strong>mation. This alignment not only<br />

enhances security but also offers greater flexibility, an<br />

indispensable trait in today's fluid work environments.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 143<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong>re are different key elements <strong>for</strong> an effective data-centric security approach:<br />

• Identification of sensitive in<strong>for</strong>mation: <strong>The</strong> target of an attacker, whether internal or external, is<br />

usually the most sensitive and valuable in<strong>for</strong>mation: data through which he can directly or<br />

indirectly obtain benefits. On the other hand, there are also data related to some type of regulation<br />

such as EU-GDPR, PCI, or others. In some organizations this is stored in certain repositories<br />

known to the teams, however, it can also be distributed.<br />

• Data-centric protection: Data-centric security controls focus on securing the organization’s<br />

valuable content so that it can be protected from potential unauthorized egress from the network,<br />

cloud, or data leakage. We can know where the sensitive in<strong>for</strong>mation of the organization is, but it<br />

will be of little use, if we don’t apply measures to protect this in<strong>for</strong>mation wherever it travels.<br />

• Audit and monitoring of access to data: To determine the level of risk on corporate data, it is<br />

important to be able to analyze its use and determine if the behavior patterns of users on the data<br />

are outside a certain standard.<br />

• Administration and management of data policies: Who should or shouldn’t have permissions to<br />

access the data isn’t something that is established in a static and lasting way. You must be able<br />

to apply dynamic policies on the data so that if you stop collaborating with someone or if it is<br />

detected that a certain person may be at risk, we can revoke access to it or try to prevent it from<br />

leaving the corporate network.<br />

<strong>The</strong> Crucial First Steps<br />

Be<strong>for</strong>e diving headlong into the implementation of data-centric solutions, it is vital to conduct a thorough<br />

analysis to identify the most at-risk in<strong>for</strong>mation within an organization. Understanding what data is being<br />

generated, how it's used, and most importantly, how it's shared, <strong>for</strong>ms the bedrock of a successful datacentric<br />

security strategy. An exhaustive examination of data flows within an organization will reveal the<br />

critical assets that demand the highest protection. This prioritization not only ensures that resources are<br />

allocated efficiently but also significantly improves the return on investment in data security technologies<br />

by safeguarding the most vulnerable in<strong>for</strong>mation first.<br />

Many organizations haven't conducted a thorough analysis of the in<strong>for</strong>mation they handle, generate, and<br />

share. SealPath has been recommending that <strong>for</strong> the past 10 years. As experts in data-centric security,<br />

we know that having a report that identifies the most vulnerable in<strong>for</strong>mation is crucial to apply the most<br />

effective measures, tailored to the nature of each type in<strong>for</strong>mation. This can only be done with an<br />

analytical method.<br />

In the past, we noticed that when helping organizations to establish different types of policies or rules to<br />

protect their in<strong>for</strong>mation, they hardly knew how to differentiate the level of sensitivity of each type of<br />

in<strong>for</strong>mation, the context in which it is handled and even the different categories of in<strong>for</strong>mation. This made<br />

it very difficult to advise them on the best security policies or rules, as these must be adapted to the<br />

nature of each type of in<strong>for</strong>mation in order to be effective.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 144<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


After deep documentation of the company data and flows, I recommend to calculate general risks by type<br />

of in<strong>for</strong>mation, such as legal, financial, reputational or operational. <strong>The</strong> objective is to obtain the level of<br />

risk to which a type of in<strong>for</strong>mation, such as strategic data, is exposed.<br />

Once we know the general risks, I recommend to calculate the risks by typology, to quantify the risk by<br />

type of file and impact on the 5 dimensions of in<strong>for</strong>mation security: Confidentiality, Integrity, Availability,<br />

Traceability and Authenticity. As a result, we will identify which specific files are most at risk. An example<br />

could be, <strong>for</strong> example, designs with intellectual property.<br />

SealPath is distributed by its certified integrator, BNS UEP, a data solutions provider that enables<br />

organizations to establish and strengthen their Data Lifecycle Management and Security Posture. <strong>The</strong><br />

starting point in the lifecycle is a clean, accurate and current data inventory, where compliant (e.g., PII,<br />

CCPA, other US Data Privacy Acts, GDPR, HIPAA), non-compliant, and critical (e.g., IP, Trade Secrets,<br />

Classified) data can be identified, delineated, isolated, accurately tagged, labeled, and classified. This<br />

combined with Access Governance including role and attribute-based access controls, least privileged,<br />

the ability to revoke access and encrypt data at rest, in use, and in transit is essential <strong>for</strong> any organization.<br />

<strong>The</strong> SealPath and BNS unified services solution delivers quick, relevant insights into reducing data &<br />

access risks (financial, legal & regulatory compliance, operational) while providing en<strong>for</strong>cement <strong>for</strong> File<br />

& Data Integrity with Enterprise Rights Management & DLP.<br />

Conclusion<br />

<strong>The</strong> journey toward robust data security is both complex and ongoing. However, by shifting our<br />

perspective towards a data-centric approach, we position ourselves to better combat the multifaceted<br />

threats of the current era. It is imperative that we do not rush into deploying solutions without first gaining<br />

a profound understanding of our data landscape. <strong>The</strong> insights garnered from such an analysis are<br />

invaluable, guiding our strategic decisions and ensuring that we invest wisely in technologies that provide<br />

tangible results.<br />

Ultimately, I know that finding the right time to conduct such an analysis and putting the ef<strong>for</strong>t into it is<br />

difficult <strong>for</strong> many CISOs. But doing so has an unquestionable long-term benefit: knowledge is power, and<br />

in this case, it is profitability. Having a real and detailed vision of the data assets that your organization<br />

manages, as well as their risks, will not only avoid the worst consequences in cases of data breaches,<br />

but will also minimize their impact on your organization.<br />

<strong>The</strong> world of data security is at a crossroads, and the direction we choose now will define the safety and<br />

resilience of enterprises <strong>for</strong> years to come. Let's embark on this path towards data-centric security, armed<br />

with the knowledge and strategies that will safeguard our future.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 145<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


About the Author<br />

Luis Ángel, CEO and Founder of SealPath, has more than 20 years of<br />

experience in leading technology and cybersecurity companies such as<br />

the multinational Motorola or the Spanish Panda Security. As a<br />

telecommunications engineer, he has a privileged vision in the<br />

development of innovative products and their commercialization, being<br />

able to get involved in depth to an unusual technical level. After 13 years<br />

leading SealPath and taking its data protection technology to more than<br />

30 countries and 100 partners around the world, del Valle is positioned as<br />

one of the relevant voices in the field of data security, with in-depth<br />

knowledge of current and emerging threats, as well as the needs most in<br />

demand by the main organizations, both public and private.<br />

Luis Ángel can be reached online at https://www.linkedin.com/in/ladve/ and at our company website<br />

https://www.sealpath.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 146<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Protect SAP Supply Chains by Preventing <strong>Cyber</strong> Attacks<br />

By Christoph Nagy, CEO, SecurityBridge<br />

Highly advanced and extremely dangerous cyberattacks are targeting SAP (from the company originally<br />

called “System Analysis Program” Development) software supply chains with an alarming increase in<br />

frequency. By taking advantage of vulnerabilities within SAP's infrastructure, particularly during the<br />

software implementation phase, these attacks jeopardize critical operations of enterprises worldwide.<br />

This article will examine the nature, impacts, and measures SAP administrators and IT security personnel<br />

can take to prevent these attacks.<br />

Where Do the Vulnerabilities Lay?<br />

No system, including SAP systems, is immune from supply chain attacks. <strong>The</strong> defense needs to focus<br />

on third-party vendors and the deployment process. <strong>The</strong> weak spots are SAP transport requests, which<br />

implement code changes.<br />

A little-known feature in SAP programs is that transport requests allow <strong>for</strong> changes, and malicious actors<br />

find this allowance their point of attack. Transport requests are vehicles <strong>for</strong> source code deployment and<br />

are vulnerable to attack because they allow <strong>for</strong> modifications. With proper authorization, third-party<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 147<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


coders and rogue employees can affix payloads to transport requests that get around the defensive<br />

barriers and activate malicious scripts when imported into the production system.<br />

Attack Vectors<br />

Malicious code can be hidden in legitimate SAP code. Attackers can inject their codes via third-party<br />

software packages. Digital signatures will not secure the packages because third-party vendors are not<br />

allowed to sign them. Ironically, the signature process leaves a window of vulnerability in the verification<br />

process. This weakness is where hackers can use relied-upon software packages to deliver damaging<br />

payloads.<br />

Another vector of attack can occur with the change management process. This process can be altered<br />

to reverse the release status of a transport request from "Released" to "Modifiable," thus allowing the<br />

injection of malicious objects that execute upon deployment. If the attackers understand an organization's<br />

internal processes and protocols, this manipulation can be tricky to detect and mitigate.<br />

In addition, threats to SAP systems can come from inside and outside; employees with proper access<br />

can also be the bad guys. Those with official clearance can change transport requests after export. This<br />

authorized ability to modify requests requires rigid security protocols to protect the deployment process.<br />

Steps For Protection<br />

A varied and sophisticated approach is needed to secure SAP supply chains. Routine patch management<br />

can handle known vulnerabilities. SAP announces its updates on the second Tuesday of every month,<br />

and organizations must pay attention to this date. For example, SAP's security advisory SNOTE 3097887,<br />

which fixes the vulnerability CVE-2021-38178, is critical <strong>for</strong> guarding file systems and preventing<br />

manipulation.<br />

• Real-time monitoring is another significant detection mode <strong>for</strong> abnormalities in the SAP<br />

landscape. Any deviations from baseline configurations can be set to trigger automated alerts in<br />

real-time <strong>for</strong> swift defensive reaction. Implementing extensive patching and vulnerability<br />

management strategies to bolster infrastructure and applications is also crucial. To complement<br />

that, routine security audits and implementing advanced threat detection systems can significantly<br />

assist security.<br />

• Code security must be assured during the implementation and deployment phases. Automated<br />

code scanners and manual review processes can be significant measures <strong>for</strong> detecting and<br />

mitigating vulnerabilities be<strong>for</strong>e they enter production environments. Intensified change<br />

management controls that include extra checks and verifications can prevent unauthorized<br />

changes and ensure that only vetted changes are deployed.<br />

• Protect the SAP supply chain by checking vendor security practices. Be sure to require the same<br />

level of security from third-party vendors as your organization and verify the integrity of third-party<br />

software packages be<strong>for</strong>e deployment.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 148<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


• Build a security foundation <strong>for</strong> DevSecOps from initial coding to final deployment. This foundation<br />

will ensure security is embedded in every development lifecycle stage. By taking this tact,<br />

organizations can identify and mitigate risks early in the development process, thus lessening the<br />

chances of unleashing vulnerabilities into the production environment.<br />

• Implement routine audits and reviews of transport logs to detect tampering be<strong>for</strong>e production<br />

imports. This proactive step will help address potential threats be<strong>for</strong>e they hit the system. Regular<br />

security training will educate employees about current threats and introduce them to best<br />

practices <strong>for</strong> securing SAP systems.<br />

Conclusion<br />

<strong>The</strong> SAP software supply chain is a prime target <strong>for</strong> cyberattacks due to its critical role in global enterprise<br />

operations. Organizations can protect themselves from supply chain attacks if the vulnerabilities are<br />

understood and robust security measures are taken. Regular patch management, real-time monitoring,<br />

hardened infrastructure, secure code implementation, enhanced change management, vendor security<br />

practices, and DevSecOps are all excellent steps <strong>for</strong> safeguarding SAP environments. Remaining vigilant<br />

and instilling a proactive posture will go a long way toward ensuring the integrity and security of SAP<br />

systems, thus allowing reliability and efficiency of operation.<br />

About the Author<br />

Christoph Nagy is a founding member and CEO at SecurityBridge–a global<br />

SAP security provider, serving many of the world's leading brands and now<br />

operating in the U.S. Christoph has 20 years of working experience within<br />

the SAP industry. Through his ef<strong>for</strong>ts, the SecurityBridge Plat<strong>for</strong>m <strong>for</strong> SAP<br />

has become renowned as a strategic security solution <strong>for</strong> automated<br />

analysis of SAP security settings, and detection of cyber-attacks in real-time.<br />

Be<strong>for</strong>e SecurityBridge, Christph applied his skills as a SAP technology<br />

consultant at Adidas and Audi. He can be reached online at<br />

christoph.nagy@securitybridge.com and at https://securitybridge.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 149<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


How To Navigate Certification Authority Distrust: Preventing<br />

Critical Incidents by Switching to A New Vendor<br />

In the fast-paced world of enterprise security, choosing the right partner <strong>for</strong> your digital security<br />

needs is critical<br />

By Debbie Hayes, Director of Product Marketing, GMO GlobalSign<br />

In the ever-evolving landscape of digital security, maintaining trust is paramount. When a Certification<br />

Authority (CA) is no longer trusted by browsers like Google, as was demonstrated on June 27th, it can<br />

lead to significant disruptions <strong>for</strong> businesses relying on their services. This article explores the<br />

implications of such a scenario and demonstrates how a Certification Authority can seamlessly issue new<br />

certificates, preventing any short-term critical incidents and ensuring continued trust and compliance.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 150<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Understanding CA Distrust and Its Implications<br />

Google, like other major tech companies, regularly assesses and en<strong>for</strong>ces stringent security standards<br />

<strong>for</strong> Certification Authorities. When a CA fails to meet these standards, it can result in browsers no longer<br />

trusting certificates issued by that CA. <strong>The</strong> consequences of this distrust include:<br />

• Website Inaccessibility: Users may be greeted with alarming security warnings, leading to loss of<br />

traffic and trust<br />

• Data Security Risks: Without a trusted certificate, data transmitted between your website and its<br />

users could be vulnerable to interception and tampering<br />

• Compliance Issues: Organizations might fall out of compliance with industry regulations, risking<br />

fines and reputational damage<br />

Immediate Action: Issuing New Certificates with a CA<br />

When businesses are faced with the need to switch from a distrusted CA, a Certification Authority<br />

provides a reliable and trusted solution. Here’s how they can assist in issuing new certificates to prevent<br />

any short-term critical incidents:<br />

1.Rapid Certificate Issuance<br />

• Immediate Response: A team should be ready to act quickly, ensuring that new certificates are<br />

issued without delay<br />

• Automated Tools: Look <strong>for</strong> automated tools to expedite the issuance process, minimizing<br />

downtime and ensuring a smooth transition<br />

• Bulk Certificate Issuance: For organizations with multiple certificates, seek out a CA with bulk<br />

issuance capabilities that streamline the replacement process<br />

2.Trusted Security Solutions: What to Look For<br />

• Robust PKI Infrastructure: Be sure to work with a CA that operates a highly secure and scalable<br />

PKI infrastructure, and one that is trusted by major browsers and plat<strong>for</strong>ms worldwide<br />

• High-Assurance Certificates: Also, be looking <strong>for</strong> a company that offers a range of certificates,<br />

including Extended Validation (EV), Organization Validation (OV), and Domain Validation (DV),<br />

ensuring you get the right level of assurance <strong>for</strong> your needs<br />

3.Proactive Certificate Management<br />

• Discovery and Inventory: helps you discover and manage all certificates across your network,<br />

providing visibility and control<br />

• Automated Renewal: prevent lapses in security, our automated renewal service ACME, ensures<br />

that your certificates are always up to date<br />

• Centralized Management: allows you to oversee all certificates from a single interface, simplifying<br />

administration and reducing risk<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 151<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Partnering with a Certification Authority: Beyond Certificates<br />

Working with trusted CA offers more than just a switch in providers—it’s a partnership <strong>for</strong> enhanced<br />

security and operational efficiency.<br />

• Expert Support: Seek out a CA with a team of security experts who are available to provide<br />

guidance and<br />

• Scalable Services: Whether you’re a small business or a large enterprise, consider a CA that can<br />

scale to meet your needs<br />

Losing trust in your CA can be a daunting experience, but it also presents an opportunity to strengthen<br />

your security posture. By switching to new CA and issuing new certificates immediately, you can prevent<br />

short-term critical incidents and maintain the trust and security of your digital assets. Discover, manage,<br />

and design your security infrastructure with a provider that’s trusted by leading organizations worldwide.<br />

Make the switch today and ensure your digital trust remains uncompromised.<br />

About the Author<br />

Debbie Hayes currently serves as the Director of Product Marketing at<br />

GlobalSign. She stands as a driving <strong>for</strong>ce behind the company's<br />

strategic initiatives, bringing a wealth of expertise and a proven track<br />

record to the table. Debbie is a seasoned professional with over 30<br />

years of invaluable experience in the dynamic realms of the IT industry<br />

and cybersecurity. Throughout her extensive career, Debbie has honed<br />

her skills and is a results-driven individual, demonstrating a deep<br />

understanding of business management and marketing. Her proficiency<br />

in project management and communication has consistently positioned<br />

her as a key player in shaping successful marketing campaigns and<br />

fostering collaborative, cross-functional ef<strong>for</strong>ts.<br />

Debbie can be reached at debbie.hayes@globalsign.com and at GlobalSign’s website<br />

https://www.globalsign.com/en.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 152<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> Common Goods and Shared Threats of the Software Supply<br />

Chain<br />

By Frank Catucci, CTO and Head of Security Research, Invicti<br />

Perhaps the defining quality of the software supply chain is complexity. Amid the countless lines of code<br />

that the modern world runs on there is potentially infinite scope <strong>for</strong> mistakes, vulnerabilities and malicious<br />

manipulation.<br />

<strong>The</strong> nature of software development also means that code and tools are constantly being re-used, which<br />

in turn are being used to build other applications. From there, the vulnerabilities that might be embedded<br />

within one application or code repository - spread quickly out to everywhere else it is used.<br />

In this complex, fast moving supply chain - security debt builds up quickly. Bugs, problems and<br />

vulnerabilities get embedded deeply within the software that finally comes to market. From there all it<br />

takes is a failure in the right place, or a particularly capable adversary to bring about catastrophe.<br />

Pressures on software development<br />

Our entire world runs on software. That has only become more apparent in recent years and demands<br />

<strong>for</strong> new applications, tools, products and services have exploded. That is reflected in the growing demand<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 153<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>for</strong> software developers <strong>for</strong> whose world population is expected to reach 28.7 million by the end of this<br />

year, growing by 3.2 million over the last four years.<br />

That said, problems scale along with everything else. That explosion in demand has resulted in a massive<br />

increase of pressure on software developers. <strong>The</strong>y’re being asked to develop quicker, do more and<br />

release to ever tighter deadlines. Of course, this comes with huge potential <strong>for</strong> deleterious effects on the<br />

final quality of the product.<br />

Our 2022 Fall AppSec Indicator revealed that nearly half - 45% - of developers will in fact skip crucial<br />

security steps in order to make those ever tightening deadlines. It’s not hard to see why - 80% of those<br />

developers agreed that even those crucial security processes delay delivery. <strong>The</strong> AppSec indicator found<br />

that 74% of respondents admitted to regularly releasing insecure applications. On top of that, 1 in 3 issues<br />

under remediation apparently make it to production without being caught in testing or development.<br />

Furthermore, the sheer amount of code being pushed through to production puts pressure on the code<br />

review process. This is a stage which requires meticulous concentration and focus, and the specialists<br />

who conduct it can and do suffer from overwork and burnout. <strong>The</strong>se pressures can become risky in a<br />

single application or service, but they can also spring up at any time throughout the software supply chain<br />

as one release goes out to customers or as other developers build upon it. As those releases get passed<br />

onto the next link in the chain, so do the errors and bugs that come with them.<br />

That’s just what can happen in a single link, but if we zoom out to the buzzing morass of actors in this<br />

supply chain, it’s almost impossible to miss the glaring structural problems too.<br />

Open Source<br />

Make no mistake, modern software development relies on the communal philosophy of Open Source.<br />

This is a design philosophy in which people make their code publicly available - thus allowing anyone to<br />

use, change and distribute that software. This has become a bedrock resource <strong>for</strong> software developers<br />

in both open-source and private sectors.<br />

<strong>The</strong> numbers bear it out too. A report from the <strong>2024</strong> Open Source Security and Risk Analysis Report<br />

found that open source components are nearly everywhere. Literally. <strong>The</strong> report found that 96% of all the<br />

codebases it reviewed contained open source components. It’s not just that it’s found in nearly all<br />

applications - there’s a lot of it too. <strong>The</strong> report adds that over three quarters - 77% - of the code in those<br />

reviewed codebases was open source. It goes further to reveal that “every industry codebase scanned<br />

contained open source - most at percentages <strong>for</strong> 99% to 100%.”<br />

Yet as well-meaning as the philosophy of open source might be - its openness allows <strong>for</strong> all kinds of<br />

errors and the trust that software developers place in it makes those errors particularly dangerous.<br />

That danger emanates from two areas - both perfectly innocent as well as malicious. <strong>The</strong> first simple<br />

point is that the sheer scale of open source components used all along the software supply chain opens<br />

up huge scope <strong>for</strong> vulnerabilities. In fact, given the exponential growth of software, that scope is<br />

expanding.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 154<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


In fact, new vulnerabilities in this huge category open up every single day. A quick Google search will<br />

reveal new vulnerabilities cropping up in open source tools almost every day. Recently, <strong>for</strong> example,<br />

security researchers found four vulnerabilities in the widely popular GOGs Git Service, with three of them<br />

rated as critical severity.<br />

Of course, vulnerabilities here make their way into the hands of consumers and businesses regularly.<br />

Security researchers at EVAsec recently discovered three vulnerabilities - one of which was a decade<br />

old - in CocoaPods, an open source tool used to incorporate software libraries into existing applications.<br />

CocoaPods - the researchers added - can be found in over three million applications: “Such an attack on<br />

the mobile app ecosystem could infect almost every Apple device, leaving thousands of organizations<br />

vulnerable to catastrophic financial and reputational damage.”<br />

<strong>The</strong>se were quickly patched by CocoaPods, but only because they were discovered by security<br />

researchers - tellingly known as “ethical hackers” - first. Had they been discovered by a malicious party -<br />

then the outcome could have been destructive <strong>for</strong> users of Apple products everywhere.<br />

<strong>The</strong>n again, attackers know this and are constantly trying to abuse and corrupt open source components<br />

to get a foothold into that shared stream of resources that eventually make their way into every sector.<br />

Introducing a vulnerability in one of these components, could provide a vulnerability everywhere else it is<br />

used.<br />

In fact, attacks on the open source supply chain have skyrocketed in recent years. In 2023, Sonatype<br />

revealed that they had seen over 245 thousand attacks against the open source supply chain, showing<br />

a 280 percent growth from the previous year.<br />

One particularly destructive example of this is happening right now - Polyfill.io is an enormously popular<br />

javascript CDN which thousands of other websites use to nullify the differences that emerge from different<br />

versions of a given browser. After a new firm took over the domain early in <strong>2024</strong>, the Polyfill.io CDN<br />

started delivering malicious javascript to the over 100,000 websites that have embedded cdn.polyfill.io<br />

which include jstor and the World Economic Forum.<br />

Supply chain invasion<br />

Of course, attackers don’t actually need to abuse the baseline trust of open source components in order<br />

to infect the supply chain and multiply the effectiveness of a given attack. In fact, a <strong>2024</strong> survey from<br />

Enterprise Strategy Group has found that 91% of organizations had experienced a software supply chain<br />

incident in the previous 12 months. <strong>The</strong> top vector <strong>for</strong> those incidents was zero-day exploits from<br />

vulnerabilities within third party code.<br />

Software companies that provide widely used applications are also a major target. In the 2020<br />

SUNBURST attacks, attackers inserted malicious code into the update mechanic of Orion - Solarwinds’<br />

flagship infrastructure monitoring and management plat<strong>for</strong>m - potentially spreading that malicious code<br />

to all the customers who updated - including international businesses, governments and many more.<br />

Thankfully, that attack was stopped but only months after it attackers had initially made the initial<br />

compromise.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 155<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Artificial Intelligence<br />

Looking ahead, Artificial Intelligence may be a game-changer - <strong>for</strong> good or ill.<br />

Even basic publicly available LLMs - like ChatGPT - have become indispensable tools <strong>for</strong> software<br />

developers. Given the above-mentioned pressures, these tools are now allowing developers to write code<br />

even faster. <strong>The</strong>se tools, however, are not infallible and there are plenty of recorded cases of them<br />

introducing bugs into the code they generate. Yet another risk emerges when we consider how the ability<br />

of these tools to scale code output, will likely result in a scaling of those vulnerabilities within that code.<br />

In fact, a recent study from Stan<strong>for</strong>d University has actually shown that code written without AI-assistance<br />

was generally more secure. Those study participants that did use AI-tools to help them write code, turned<br />

up significantly more vulnerabilities. Crucially, however, those that used those AI tools imagined that the<br />

code they had written was actually more secure than their counterparts. <strong>The</strong> authors of the paper note -<br />

“participants who had access to the AI assistant were more likely to introduce security vulnerabilities <strong>for</strong><br />

the majority of programming tasks, yet were also more likely to rate their insecure answers as secure<br />

compared to those in our control group.”<br />

Feeling dizzy yet?<br />

It’s a headache-inducing amount of complexity to deal with, especially when we consider that these are<br />

the supply chains on which we all rely to create and use safe software. In some sense the problem boils<br />

down to how hard it is to actually see into these long and complex supply chains. In fact, these are<br />

invisible to most. A <strong>2024</strong> survey from Cycode revealed that 72% of IT pros labeled software supply chain<br />

security as their biggest blind spot.<br />

It’s also important to realize that these problems don’t just do damage at the end of the supply chain,<br />

when it’s finally in users hands. In fact, these problems can emerge and wreak destruction at any part<br />

throughout it - especially because different links on that chain can also be characterized as users as well.<br />

Businesses need to think of themselves both as potential victims as well as potential origins of new<br />

problems.<br />

<strong>The</strong>re is a limited amount an individual business can do to combat this problem on an systemic level -<br />

it’s a function of the incredible demand <strong>for</strong> software and the lack of broader guardrails across borders,<br />

sectors and businesses. That said, making sure that they don’t become a victim or originator of software<br />

supply chain insecurity is a comparatively simple task.<br />

It can start with a robust AppSec programme which can provide an accurate picture of the entire threat<br />

landscape with continuous automated scanning which is integrated in CI/CD workflow so it can pick up<br />

on vulnerabilities as they emerge in the software development process. On top of that, a Zero Trust<br />

approach will help enormously in mitigating supply chain risk, making sure that entities assets and third<br />

party components are examined thoroughly throughout development and treated with the correct amount<br />

of suspicion to offset risks.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 156<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> price of not dealing with these risks are well known. However, even if the threat of cyberattack,<br />

reputational damage, lost revenue or customer flight don’t prompt businesses to action, then regulation<br />

just might. <strong>The</strong> European Union’s NIS2 is on the horizon, coming into en<strong>for</strong>cement by October <strong>2024</strong>.<br />

Much like the General Data Protection Regulation, NIS2 comes with heavy fines <strong>for</strong> the non-compliant.<br />

Unlike the GDPR, however, it makes compliant organizations account <strong>for</strong> the security of their supply<br />

chains. This should underline the need <strong>for</strong> each individual business and organization to take account <strong>for</strong><br />

the underlying security of their software providers and partner organizations.<br />

<strong>The</strong> software supply chain is a channel on which we all rely. As a result, each link in that chain is only as<br />

good as the links it connects to. It is incumbent upon every party within it to thoroughly assess the security<br />

of the software they both produce and receive. This is not merely a matter of personal interest <strong>for</strong><br />

businesses, but personal integrity too.<br />

About the Author<br />

Frank Catucci is CTO and Head of Security Research at Invicti. He is a Global<br />

Application Security Technical Leader with over 20 years of experience,<br />

designing scalable application security specific architecture, partnering with<br />

cross-functional engineering and product teams. Frank is a past OWASP<br />

Chapter President and contributor to the OWASP bug bounty initiative and<br />

most recently was the Head of Application & Product Security at Data Robot.<br />

Prior to that role, Frank was the Sr. Director of Application Security &<br />

DevSecOps and Security Researcher at Gartner, and was also the Director of<br />

Application Security <strong>for</strong> Qualys. Outside of work and hacking things, Frank<br />

and his wife maintain a family farm. He is an avid outdoors fan and loves all<br />

types of fishing, boating, watersports, hiking, camping and especially dirt bikes<br />

and motorcycles.<br />

Frank can be reached online at frank.catucci@invicti.com and at our company website<br />

https://www.invicti.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 157<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Fight Fire with Fire: 3 Strategies to Defeat Deepfakes<br />

By Hal Lonas, Chief Technology Officer, Trulioo<br />

Generative AI deepfakes represent another skirmish in the ongoing clash between two <strong>for</strong>ces that never<br />

stop innovating<br />

I was there when AI and machine learning entered the battlefield. I started a cybersecurity company in<br />

the early 2000s that used machine learning to classify the internet long be<strong>for</strong>e that technology was<br />

commonplace.<br />

When I moved to the identity space, the parallels were obvious. <strong>The</strong>re are bad actors constantly looking<br />

<strong>for</strong> attack vectors to compromise a system and an opposing team trying to shore up the defenses and<br />

stay ahead of the threat.<br />

Deepfakes are another attack vector and illustrate tremendous strides in AI in the past decade. We see<br />

the world based on visual presentation, and when people create faces or videos that can pass <strong>for</strong> us, it<br />

poses a threat to identity at its core.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 158<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


But sophisticated AI can detect sophisticated AI. We can use AI in mathematical ways to spot details that<br />

are too flawless or that have artificially injected imperfections. It’s an ability that’s becoming more<br />

prevalent among AI plat<strong>for</strong>m capabilities, including selfies, image detection and pictures of pictures.<br />

Bad actors, though, won’t stop innovating. So how do you defend against the latest state-of-the-art<br />

attacks and prepare <strong>for</strong> whatever comes next? <strong>The</strong>re are three key strategies.<br />

1. Use a Layered <strong>Defense</strong><br />

Many identity verification providers are either in the data-only category or focus just on document or<br />

biometric verification, and they tend to be firm about which way is better.<br />

But when you bring all those techniques together and apply different technologies <strong>for</strong> different use cases,<br />

you’re essentially killing the concept of verification categories. That’s how you beat the bad actors’ AI,<br />

which might be able to defeat a single technology.<br />

We’re going to see that layered defense becoming more prevalent in identity.<br />

Document verification, <strong>for</strong> instance, already applies layered tactics. A person takes a photo of the ID and<br />

takes a selfie to match the document’s picture. Liveness detection, which can measure aspect ratios and<br />

pixelation, then shows the image wasn’t taken from a screen.<br />

As organizations layer on verification capabilities, they gain more assurance in a customer’s identity, and<br />

the in<strong>for</strong>mation starts to line up and match across databases. That assurance doesn’t have to come with<br />

higher costs, longer verification times or a more complicated mix of vendors.<br />

Just as fraudsters continue to innovate, so too do those who stop them. Cutting-edge technology driven<br />

by AI and machine learning can deliver every verification layer across one plat<strong>for</strong>m.<br />

2. Raise <strong>Defense</strong>s to the Network Level<br />

A network capability takes layered defenses to a higher level. It’s a way to see patterns across a broad<br />

spectrum of data to identify a class of attack and stop it.<br />

Bad actors, <strong>for</strong> instance, try to use the same synthetic identities in different environments and contexts.<br />

<strong>The</strong>y might blend real and fake data or get a good photo and put it on different government-issued IDs<br />

to see what gets through.<br />

<strong>The</strong> network has the ability to see that photo or data multiple times and build a defense.<br />

<strong>The</strong> network effect also can apply to industries. Bad actors trying to access a particular industry will work<br />

their way down the list of organizations trying to get in. A network model allows the industry to<br />

cooperatively stop fraud.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 159<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Is there interest in an industry network model now? <strong>The</strong>re is to some degree. Would that grow stronger<br />

if fraud becomes a bigger problem? It could.<br />

3. Evolve With Identity<br />

As fraudsters get more sophisticated, organizations will face the choice of either applying more friction to<br />

users to identify themselves or evolving with identity technologies.<br />

<strong>The</strong> future of identity is that we’ll likely become more reliant on a digital assistant or personal device that<br />

we present when challenged <strong>for</strong> verification. We certainly trust the security features on our phones to<br />

protect everything from bank accounts to travel data, so it’s not a big leap to identity.<br />

People, <strong>for</strong> example, can own proven self-sovereign identities and present them in a secure exchange<br />

medium through their phones.<br />

Of course, a new class of bad actors will follow. <strong>The</strong>y’ll double-down on breaking into phones, or they’ll<br />

get more sophisticated about inserting themselves into the conversations between the self-sovereign<br />

identity and authentication authority.<br />

But self-sovereign identity likely will remain a complicated, fragmented space <strong>for</strong> the <strong>for</strong>eseeable future<br />

because many different entities, public and private, want to be involved.<br />

Reasons <strong>for</strong> Hope in a Perilous Digital World<br />

Fraudsters are great innovators. <strong>The</strong>y’re creative at uncovering holes in a digital system and quickly<br />

exploiting them.<br />

<strong>The</strong>y help each other. People can buy kits to carry out attacks. <strong>The</strong>y have access to computing power<br />

and tools that were never be<strong>for</strong>e available.<br />

That could keep anyone up at night. But there are two sides to this duel, and that should give us hope.<br />

<strong>The</strong> computing power and AI fraudsters use can also stop them. For every innovation that gives them an<br />

edge, there’s another that dulls their blade.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 160<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


About the Author<br />

Hal Lonas is the Chief Technology Officer <strong>for</strong> Trulioo. Hal brings more than 25<br />

years of technology leadership to his role guiding the Trulioo product and<br />

technology vision. He is a recognized innovator in cloud security and machine<br />

learning and a long-standing champion of automation technology. Prior to<br />

joining Trulioo, Hal was senior vice president and chief technology officer <strong>for</strong> the<br />

SMB and Consumer business unit at OpenText, where he oversaw the<br />

organization’s technology and product strategy. Hal also was chief technology<br />

officer at Webroot and Carbonite, where he led the creation of the first cloudnative<br />

security plat<strong>for</strong>m. He co-founded and was vice president of engineering <strong>for</strong> BrightCloud and has<br />

held key engineering management positions with Websense and ADP. Hal also co-authored several<br />

patents and holds a degree in aeronautics and astronautics from the Massachusetts Institute of<br />

Technology.<br />

Hal can be reached online at https://www.linkedin.com/in/hal-lonas-4555b1/ and at the company website<br />

https://www.trulioo.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 161<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Navigating the Security Risks and Efficiency Gains of GenAI in<br />

Healthcare<br />

By Lior Yaari, CEO, Grip Security<br />

SaaS technology and artificial intelligence (AI) are revolutionizing patient care, drug development, and<br />

health and wellness practices. Today, AI processes massive datasets of biological and chemical<br />

in<strong>for</strong>mation to identify potential drug candidates, and machine learning algorithms analyze diverse data<br />

sources to predict the efficacy and safety of new compounds. Yet, the healthcare and BioTech industries<br />

are cautious towards employees using GenAI tools—and rightly so.<br />

From administrative to marketing to medical teams and support staff, GenAI tools boost productivity and<br />

drive outcomes. But while technology is fueling innovation, it’s also introducing new risks and expanding<br />

the organization’s attack surface. Previously, IT departments had control over software procurement and<br />

deployment, ensuring security measures were firmly in place. Now, SaaS and GenAI technology have<br />

changed the game.<br />

<strong>The</strong> Growth of SaaS, Identities, and Risks<br />

In the past, IT environments were closely managed, with IT departments controlling software<br />

procurement and deployment. <strong>The</strong> rise of SaaS (Software as a Service) has significantly changed this<br />

dynamic. While core SaaS applications usually go through a <strong>for</strong>mal purchase and security review<br />

process, many SaaS tools are now being adopted by individual employees on their own. SaaS<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 162<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


applications are easy to acquire and deploy—employees can sign up and start using them with just an<br />

email and a few clicks, often bypassing traditional IT oversight.<br />

When employees independently adopt SaaS tools, IT departments lose visibility into which applications<br />

are used, how they are used, and by whom. This occurrence, known as shadow IT, increases the risk of<br />

data breaches, as unvetted applications may not meet the organization's security standards or regulatory<br />

requirements.<br />

Each new SaaS application expands the organization's attack surface. Identity risks grow because each<br />

account can become a target <strong>for</strong> cybercriminals, who can use it to gain access to other corporate<br />

resources, leading to unauthorized access, data exfiltration, and other malicious activities. Recent highprofile<br />

breaches like Change Healthcare, Broward Health, and L’Assurance Maladie highlight the<br />

importance of protecting and securing identities and the costly consequences when compromised.<br />

SaaS Identity Risk Management: A More Modern Approach <strong>for</strong> Healthcare<br />

<strong>The</strong> shift from a closely governed IT environment to one where every employee can independently adopt<br />

technology requires rethinking SaaS security. To safeguard biotech and healthcare organizations<br />

effectively, the focus must be on enhancing visibility, control, and security compliance across all<br />

applications used within the organization. Enter SaaS identity risk management (SIRM), a strategic<br />

approach tailored to address the unique challenges posed by the widespread adoption of SaaS.<br />

Traditional IT security frameworks fall short in a decentralized IT environment; however, SIRM provides<br />

a comprehensive framework designed to secure access, maintain compliance, and protect data within a<br />

decentralized and rapidly evolving IT ecosystem, ensuring that an organization can safely leverage the<br />

benefits of SaaS while mitigating the associated risks. A SIRM framework addresses the entire lifecycle<br />

of a SaaS and GenAI tool:<br />

Image by Grip Security; all rights reserved<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 163<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> foundational elements of a SIRM program include:<br />

• Identity Lifecycle Risk Governance: Establish and en<strong>for</strong>ce policies <strong>for</strong> managing the digital<br />

identity lifecycle, including discovering and revoking user access to SaaS applications as<br />

necessary.<br />

• Access Management: Involves implementing and managing secure access controls such as<br />

single sign-on (SSO), multi-factor authentication (MFA), and robotic process automation (RPA) to<br />

ensure that only authorized users can access SaaS applications.<br />

• Compliance Management: Ensure adherence to relevant regulatory and industry standards,<br />

such as HITECH, HIPAA, NIST, SOC2, ISO27001, ISO/IEC 2382:2015, and others, particularly<br />

concerning securing access to applications and data.<br />

• Security Incident Management and Response: Establishes comprehensive procedures <strong>for</strong><br />

detecting, analyzing, and responding to security incidents affecting SaaS applications.<br />

• Enterprise Risk Management: Evaluate and control risks posed by a SaaS application to the<br />

enterprise, distinct from assessing the risk profile of the SaaS vendor.<br />

SaaS Identity Risk Management Outcomes<br />

<strong>The</strong> objectives of a SIRM program are designed to address the unique challenges and risks associated<br />

with using SaaS and GenAI applications in an organization. <strong>The</strong>se goals are critical <strong>for</strong> ensuring the<br />

security, compliance, and efficient management of identity-related aspects in a SaaS environment. <strong>The</strong><br />

primary outcomes typically include:<br />

• Implementing Robust Access and Identity Risk Management: En<strong>for</strong>ce strong access control<br />

mechanisms such as Multi-Factor Authentication (MFA) and Single Sign-On (SSO) to manage<br />

user access to SaaS applications securely. Efficiently manage the lifecycle of user identities from<br />

onboarding to offboarding.<br />

• Mitigating Risks Associated with SaaS Usage: Identify and address security risks unique to<br />

SaaS environments, including those stemming from shadow IT, where employees use<br />

unapproved but tolerated SaaS applications.<br />

• Ensuring Regulatory Compliance: Align SaaS usage with regulatory and compliance<br />

requirements, ensuring organizational adherence to relevant standards and legal mandates.<br />

• Improving Visibility and Control: Gain comprehensive visibility into SaaS application usage<br />

across the organization. Establish control over who accesses what applications, when, and how.<br />

• Adapting to Evolving Threat Landscape: Develop the agility to quickly adapt to new threats<br />

and changes in the SaaS ecosystem to ensure ongoing protection and risk management.<br />

• Enhancing Operational Efficiency: Streamline identity risk and access management processes<br />

<strong>for</strong> SaaS applications to improve operational efficiency and reduce administrative overhead.<br />

SIRM takes a programmatic approach to discovering and managing risks from Gen AI services and SaaS<br />

applications. By focusing on identifying and mitigating threats related to identity sprawl, shadow IT, and<br />

shadow AI, SIRM supports regulatory compliance and ensures effective management of identity-related<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 164<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


isks, providing the most comprehensive approach <strong>for</strong> securing SaaS applications in today’s rapidly<br />

shifting technology environment.<br />

About the Author<br />

Lior Yaari is one of Israel's most esteemed cybersecurity experts. Be<strong>for</strong>e founding<br />

Grip Security, he served as CTO <strong>for</strong> YL Ventures and was a member of the YL<br />

Ventures Insiders Network. Lior also led as the Chief of <strong>Cyber</strong> Training <strong>for</strong> the Israeli<br />

Intelligence Corps, Unit 8200. Learn more about Grip Security.<br />

Lior can be reached at our company website https://www.grip.security.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 165<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


A Guide <strong>for</strong> SMB <strong>Defense</strong> Contractors to Achieve CMMC<br />

Compliance<br />

CMMC Timelines, Requirements, and Ways to Reduce Costs<br />

By Seth Steinman, Vice President, PreVeil<br />

<strong>The</strong> Department of <strong>Defense</strong> (DoD) created the <strong>Cyber</strong>security Maturity Model Certification (CMMC)<br />

program to defend the vast attack surface of the <strong>Defense</strong> Industrial Base (DIB). CMMC is expected to<br />

become law by the end of <strong>2024</strong> and start appearing in contracts by Q1 2025.<br />

For Small and Medium-Sized businesses (SMBs) operating within the DIB, CMMC compliance can seem<br />

like a daunting task. However, with proper preparation, the right partners, and a strategic approach,<br />

achieving compliance can be manageable and even beneficial. This article will explore the requirements<br />

of CMMC, outline the roadmap to compliance, and discuss how companies can save money & expedite<br />

compliance.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 166<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


CMMC Compliance Levels<br />

CMMC establishes three compliance levels, based on the type of in<strong>for</strong>mation DIB organizations are<br />

working with.<br />

• Level 1 is <strong>for</strong> organizations working with Federal Contract In<strong>for</strong>mation (FCI) only<br />

• Level 2 is <strong>for</strong> organizations working with Controlled Unclassified In<strong>for</strong>mation (CUI)<br />

• Level 3 is <strong>for</strong> organizations working with CUI and subject to Advanced Persistent Threats (APTs)<br />

Third Party Assessment Requirements<br />

Importantly, CMMC doesn’t change existing cybersecurity requirements— it just steps up en<strong>for</strong>cement.<br />

Until now, organizations have been permitted to self-assess their compliance, but under CMMC, the vast<br />

majority of defense contractors handling CUI will need to pass independent third-party assessments.<br />

CMMC Timeline<br />

CMMC is on track to become law by the end of <strong>2024</strong> and is expected to start to appear in DoD contracts<br />

in early 2025, as shown below:<br />

SOURCE: https://www.preveil.com/blog/cmmc-timeline/<br />

It’s important <strong>for</strong> contractors to understand that even though CMMC will be phased in over time, it does<br />

not necessarily follow that you have more time to achieve certification. Your organization, <strong>for</strong> example,<br />

could be far down the supply chain from a contractor subject to CMMC early on, in which case that<br />

contractor must flow down CMMC requirements to your organization at that point.<br />

It takes typical SMBs between 12-18 months to meet CMMC Level 2 requirements, which is past the date<br />

in which CMMC requirements are expected to appear in DoD contracts. Now is the time to get started on<br />

CMMC certification.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 167<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Preparing <strong>for</strong> CMMC Level 2 Compliance: Key Steps <strong>for</strong> SMBs<br />

While CMMC compliance may seem like a major undertaking, taking a proactive approach can make the<br />

process faster and more cost-effective. Here are some key steps SMB defense contractors should take<br />

to prepare:<br />

1. Familiarize Yourself with the CMMC Framework: Reading this article is a great first step;<br />

PreVeil also offers a CMMC whitepaper that’s been downloaded by over 5,000 defense<br />

contractors outlining all the details you need to know.<br />

2. Scope your compliance Boundary: Determine the people, devices, and processes that access,<br />

process, and store CUI. <strong>The</strong> smaller you can make your CUI enclave, the cheaper, faster, and<br />

easier compliance will be to achieve because you will have fewer endpoints to secure and fewer<br />

people to train on CMMC compliance protocols.<br />

3. Adopt a Plat<strong>for</strong>m to secure CUI: If you’re using Microsoft 365 Commercial or Google<br />

Workspace, you cannot support CMMC compliance and you’ll need to make a switch. You must<br />

ensure any Cloud Service Provider or technology vendor meets the following:<br />

o Meets FedRAMP Moderate Baseline or Equivalent<br />

o FIPS 140-2 certificate <strong>for</strong> encryption<br />

o Meets DFARS 252.203-7012 c-g <strong>for</strong> incident reporting<br />

4. Develop robust documentation: Achieving CMMC compliance requires more than just<br />

safeguarding CUI. <strong>The</strong> DoD estimates that generating the necessary documentation like a<br />

System Security Plan and Standard Operating Procedures will take 168 hours at a cost of<br />

$40,000.<br />

5. Conduct a self-assessment against NIST 800-171A and execute POA&MS: <strong>The</strong> selfassessment<br />

should be conducted according to the DoD’s Assessment Methodology, which is<br />

spelled out in NIST 800-171A. It specifies 320 objectives spread across the 110 security<br />

requirements. Know that perfect scores of 110 are quite rare <strong>for</strong> self-assessments done early in<br />

your compliance journey; Your organization likely will have some controls that are unmet. Create<br />

POA&Ms <strong>for</strong> those items and specify the technologies and procedures you will use to close those<br />

gaps and by when a score of 110 will be achieved.<br />

6. Schedule your C3PAO assessment: CMMC Level 2 assessments are conducted by CMMC<br />

Third Party Assessment Organization (C3PAOs), who will start with their own review of your<br />

readiness, then check your documentation and assess your compliance with NIST 800-171. <strong>The</strong>y<br />

will also conduct employee interviews, and spot checks <strong>for</strong> artifacts such as records of training<br />

sessions, that prove compliance.<br />

Ways to Reduce Costs<br />

1. Reduce your compliance boundary: If only a portion of your organization handles CUI, then it makes<br />

sense to narrow the scope of the security requirements by creating a separate enclave. This translates<br />

into a simpler assessment process that saves you time and money. Some solutions like Microsoft GCC<br />

High often need to be deployed across entire organizations, adding significant costs and complexity.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 168<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


2. Choose a plat<strong>for</strong>m that’s easy to use and deploy: Plat<strong>for</strong>ms like Microsoft GCC High often require<br />

expensive consultants, separate email addresses, and a full rip-and-replace. Look <strong>for</strong> a solution that can<br />

be deployed in hours, uses your existing email addresses, and integrates directly with the tools you’re<br />

already using, like Outlook, Gmail, File Explorer and MacFinder.<br />

3. Deploy a solution with proven CMMC credentials: If your organization has migrated to the cloud,<br />

know that standard commercial cloud services such as Microsoft 365 Commercial do not meet CMMC<br />

requirements <strong>for</strong> storing, processing and transmitting CUI. You want to verify that it has FIPS 140-2<br />

encryption modules, meets DFARS c-g, is FedRAMP Moderate or Equivalent, and has been used to pass<br />

multiple DoD assessments.<br />

4. Use pre-filled compliance documentation to save you time and money<br />

To pass an assessment, contractors will need detailed, evidence-based documentation clarifying how<br />

the controls are addressed within their company. This can be a daunting, time-consuming and costly task<br />

so look <strong>for</strong> a solution that offers pre-filled documentation including a System Security Plan (SSP) and<br />

Standard Operating Procedures.<br />

Conclusion<br />

CMMC is on track to become law by the end of <strong>2024</strong>. Even today, if your organization handles CUI, you<br />

have a DFARS 252.204-7012 clause in your contract that requires you to comply with NIST 800-171.<br />

Now is the time to get started on CMMC compliance and protect your business from penalties and<br />

contract loss.<br />

While CMMC may seem overwhelming, find a proven partner who can help you achieve CMMC Level 2<br />

faster and more af<strong>for</strong>dably. To learn more about how PreVeil can help your organization achieve CMMC<br />

Level 2 compliance, visit preveil.com <strong>for</strong> a free 15-minute consultation with our compliance team.<br />

About the Author<br />

Seth Steinman is the Vice President of Marketing at PreVeil. He is a recognized<br />

thought leader with over 15 years of experience in technology and security. He is a<br />

regular speaker at the <strong>Cyber</strong>security Marketing Conference, an advisor to leading<br />

companies like UserGems and Archilogic, and has published articles in respected<br />

publications like Security Boulevard, Security Clearance Jobs, and Digital Guardian.<br />

Seth can be reached online at ssteinman@preveil.com and at our company website<br />

https://www.preveil.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 169<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> Role of AI in Evolving <strong>Cyber</strong>security Attacks<br />

Exploring the Rise of AI and Its Impact on Evolving <strong>Cyber</strong>security Threats<br />

By Will Poole, Head of Incident Response, CYFOR Secure | <strong>Cyber</strong> Security<br />

In the ever-expanding digital landscape, cybersecurity remains a critical concern <strong>for</strong> individuals,<br />

businesses, and governments alike. As technology advances, so do the tactics of cybercriminals. One of<br />

the most significant developments in recent years has been the integration of Artificial Intelligence (AI)<br />

into cyber attacks, leading to a new wave of threats that challenge traditional security measures.<br />

But how exactly is AI aiding cybercriminals, and what implications does this have <strong>for</strong> the future of<br />

cybersecurity?<br />

Sophistication Meets Efficiency<br />

<strong>The</strong> landscape of cyber threats is constantly evolving, with attackers leveraging technological<br />

advancements, including AI, to launch more sophisticated attacks. By harnessing AI capabilities,<br />

cybercriminals can cause greater damage with less ef<strong>for</strong>t and a reduced risk of detection. This shift<br />

towards AI-driven attacks requires a heightened level of awareness among cybersecurity professionals<br />

to detect and mitigate these threats effectively.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 170<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> cost of cyber-attacks is staggering, with data breaches alone estimated to have cost businesses 59<br />

trillion dollars globally in 2023, with the average cost of a singular breach in the US estimated to cost 4.45<br />

million dollars (IBM.com). As attacks become more tactically significant, organisations must invest in AIdriven<br />

cybersecurity infrastructure to safeguard against these risks.<br />

<strong>The</strong> Rise of AI-Driven <strong>Cyber</strong> Attacks<br />

AI-driven cyber-attacks have been steadily increasing in recent years and are projected to continue<br />

growing in the future. <strong>The</strong>se attacks outwit traditional security measures by leveraging machine efficiency<br />

against human ef<strong>for</strong>t. With AI, attackers can identify vulnerabilities, craft targeted attacks, and execute<br />

them with unprecedented speed and sophistication.<br />

<strong>The</strong> tools <strong>for</strong> launching AI-driven cyber-attacks already exist, presenting a <strong>for</strong>midable challenge to<br />

cybersecurity professionals. <strong>The</strong>se attacks are not only faster and more unpredictable but also more<br />

difficult to detect and defend against.<br />

Mitigating AI-Driven Threats<br />

In the face of these evolving threats, it’s crucial to understand the risks associated with AI in cybersecurity<br />

and take proactive measures to protect against them. Some of the strategies <strong>for</strong> defending against AIdriven<br />

attacks include:<br />

o<br />

o<br />

o<br />

o<br />

o<br />

Limiting In<strong>for</strong>mation Sharing – Be cautious about sharing personal in<strong>for</strong>mation, especially<br />

through automated systems.<br />

Enhancing Data Security – Implement robust data security measures to safeguard sensitive<br />

in<strong>for</strong>mation.<br />

Employee Training – Provide comprehensive training to your employees to enhance awareness<br />

of cybersecurity threats and best practices.<br />

AI Incident Response – Develop a clear plan <strong>for</strong> responding to AI-driven cyber-attacks, including<br />

steps <strong>for</strong> remediation and recovery.<br />

Vulnerability Management – Stay vigilant against emerging threats and promptly address any<br />

vulnerabilities in systems and networks as soon as possible.<br />

Leveraging AI <strong>for</strong> <strong>Cyber</strong> Defence<br />

While AI presents new challenges in cybersecurity, it also offers powerful tools <strong>for</strong> defending against<br />

evolving threats. By harnessing AI capabilities, organisations can improve cyber threat detection, predict,<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 171<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


and prevent attacks, and strengthen overall security posture. From phishing detection to incident<br />

response, AI-driven solutions play a vital role in safeguarding against cyber threats.<br />

In conclusion, the integration of AI into cyber attacks represents a significant challenge <strong>for</strong> cybersecurity<br />

professionals. However, by understanding the nature of these threats and implementing robust defence<br />

strategies, organisations can effectively mitigate the risks posed by AI-driven cyber-attacks and protect<br />

against emerging threats in the digital landscape.<br />

About the Author<br />

Will Poole is Head of Incident Response, CYFOR Secure. At CYFOR, Will<br />

serves as our Head of Incident Response <strong>for</strong> <strong>Cyber</strong> and Corporate. In his<br />

nearly one year with us, he has proven to be an invaluable asset to the<br />

entire team. With over six years of experience in cybersecurity and a<br />

background in software engineering focused on website and application<br />

development, Will brings a deep well of knowledge and expertise to his<br />

role. His passion <strong>for</strong> problem-solving and his fascination with seeing<br />

projects "come to life" inspired his transition into cybersecurity early in his<br />

career. Will's dedication and skill have made a significant impact on both<br />

our team and our clients.<br />

Will can be reached online at LinkedIn and at our company website https://cy<strong>for</strong>secure.co.uk/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 172<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> Fundamental Components to Achieving Shift-Left Success<br />

By Scott Gerlach, CSO and Co-Founder at StackHawk<br />

“Shift-left” is a familiar concept to CISOs and security practitioners across the globe. A term coined to<br />

promote the integration of security practices earlier in the software development lifecycle (SDLC) in a bid<br />

to dwindle escalating application security risks. Boasting the ability to deliver more efficient and secure<br />

software, scale responsibilities and empower developers to fix security bugs, it’s no surprise that the<br />

concept has garnered significant industry attention in recent years. However, despite its proliferated<br />

awareness, security teams continue to face challenges with shift-left buy in and its implementation.<br />

<strong>The</strong>re are several obstacles to shifting security left. <strong>The</strong> first, and perhaps most prevalent, is a lack of<br />

understanding within organizations about their current locality on the shift-left journey. This challenge is<br />

closely coupled with insufficient resources available to actually shift-left, both monetary and personnel.<br />

Identifying and understanding the stages of shift-left adoption is key to its successful implementation, and<br />

being able to depict the resource allocations required at each stage. Yet, it remains an untapped<br />

phenomenon amongst industry peers, creating obstacles and roadblocks throughout the shift-left<br />

journey.<br />

<strong>The</strong> shift-left journey comprises four fundamental stages: box-checking basics, shift-left curious, shift-left<br />

committed, and continuously secure. A core component of this process is the seamless integration of<br />

people, processes, and tools. Building and nurturing a culture that integrates security, instituting robust<br />

processes, and leveraging the right tools, organizations will possess the means to proceed through every<br />

stage, bolstering security posture throughout their entire software development lifecycle.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 173<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Bye Bye Basics<br />

Many organizations’ shift-left journey begins with basic box checking activities. Organizations are fixated<br />

on reactively adhering to compliance regulations, in lieu of proactively enhancing their security posture.<br />

At the ‘box checking basics’ stage, application security teams’ ef<strong>for</strong>ts are often solely focused on testing<br />

applications in production, creating tickets, and leaving developers to independently resolve issues as<br />

they prove to audit teams that they have a process. <strong>The</strong>re is zero collaboration between those developing<br />

applications and the security team at this stage, resulting in the belated discovery of security flaws,<br />

inflated mitigation costs, and setbacks in timelines <strong>for</strong> product releases. However, shift-left success<br />

hinges on deep collaboration between security teams and developers.<br />

With expediting release cycles, and heightened security risks, simple box-checking basics initiatives are<br />

insufficient to protect organizations from modern bad actors. With an urgent need <strong>for</strong> change,<br />

organizations can start their shift-left journey by starting with small, controlled implementations of shiftleft<br />

practices, specifically initiatives that demonstrate its value to ease the transition and avoid resistance.<br />

Successful pilot programs can serve as proof of concept, encouraging broader adoption and fostering a<br />

more integrated approach to security.<br />

Shift-Left Curious<br />

As an enterprise makes the shift from box checking basics and evolves into a shift-left curious phase,<br />

where there is inherently more desire to re<strong>for</strong>m security practices, oftentimes organizations will have a<br />

dedicated security champion who can drive these ef<strong>for</strong>ts. However, without a comprehensive strategy,<br />

and key initiatives driving shift-left adoption, such leaders and their organization will ultimately encounter<br />

roadblocks and lack of buy-in. While many dive head first, and try to scale shift-left practices rapidly,<br />

starting small is the key to success, along with <strong>for</strong>ging deep collaboration between AppSec and<br />

engineering teams.<br />

Organizations should strive to cultivate a culture that encourages the sharing of knowledge between<br />

these two important teams, aligning security objectives and value delivery. This practice will lead to a<br />

clearer understanding of security risks and where they persist and the steps required <strong>for</strong> successful<br />

mitigation. This phase is a great place to go and sit with delivery teams and listen to how they work and<br />

the tools and processes they use to understand an effective adoption of shift-left methodologies.<br />

shift-left Committed<br />

Once organizations have fostered a culture of collaboration, and determined the required tools and<br />

processes <strong>for</strong> shift-left success, organizations will start to affirm their commitment to the practice. This<br />

phase will see organizations beginning to integrate security processes throughout all stages of<br />

development workflows. <strong>The</strong>re are some challenges that can manifest throughout this process.<br />

Oftentimes, organizations will encounter issues with technical tooling, especially when trying to scale<br />

testing processes.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 174<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Similar to the shift-left curious stage, it is essential to maintain a deep collaborative relationship between<br />

security teams and developers in this phase to nurture a security-conscious culture and embed<br />

automated security checks within CI/CD pipelines. This will ensure uninterrupted security throughout the<br />

development process. It is also important to regularly evaluate shift-left tools and processes to ensure<br />

that they meet industry compliance requirements and can withstand evolving security risks.<br />

Consistent Security<br />

<strong>The</strong> ideal outcome of shift-left is to attain a state of "continuously secure," whereby AppSec and<br />

development teams jointly take responsibility <strong>for</strong> the security of applications and fully commit to a shiftleft<br />

mindset. A deep cultural shift that empowers teams to proactively identify and address potential<br />

vulnerabilities early on, minimizing the attack surface and reducing the risk of costly breaches. At this<br />

stage, organizations have, in most instances, tried and tested various security tooling and have adopted<br />

a suite of solutions that fit their unique needs and that automate tasks to streamline many processes.<br />

This <strong>for</strong>ward-thinking strategy not only strengthens an organization's overall security posture, but also<br />

builds trust with users by showcasing a dedication to protecting their in<strong>for</strong>mation and privacy.<br />

Walk Be<strong>for</strong>e You Run<br />

Depending on the nature of an organization's business operations, as well as their size and industry,<br />

shift-left adoption techniques and processes will ultimately vary. Un<strong>for</strong>tunately, there is no one cohesive<br />

<strong>for</strong>mula to its success. However, understanding each stage of the journey and the people, processes and<br />

tooling required at every phase will enable organizations to craft a strategy that will improve their security<br />

posture and create more secure applications. shift-left is a continuous journey, one that takes some trial<br />

and ef<strong>for</strong>t. By deeply integrating security processes across the entire development lifecycle,<br />

organizations can <strong>for</strong>ge a more secure path <strong>for</strong>ward.<br />

About the Author<br />

Scott Gerlach, CSO at StackHawk, has more than 20 years of experience in<br />

in<strong>for</strong>mation security. Scott is a passionate Security Officer with expertise in<br />

identifying security gaps and working with companies to develop safe and<br />

effective policies and procedures to mitigate those risks. His expertise spans<br />

developing, implementing, and managing IT security strategy and policy, risk<br />

management, intrusion detection, vulnerability assessment, network security<br />

design, application security and incident response. Prior to founding<br />

StackHawk, he was CSO at Twilio. He also spent nearly a decade in security<br />

at GoDaddy. LinkedIn and company website: https://www.stackhawk.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 175<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


AT&T Breach <strong>2024</strong>: Customer Data Exposed in Massive <strong>Cyber</strong><br />

Attack<br />

By Elena Thomas, Digital Content Strategist, SafeAeon Inc.<br />

In a shocking breach of customer privacy, AT&T said in April <strong>2024</strong> that almost all the data of its cell<br />

customers had been stolen. Records of most of AT&T's customers' call and text conversations were<br />

stolen during the cyberattack, which happened between April 14 and April 25, <strong>2024</strong>. <strong>The</strong> in<strong>for</strong>mation that<br />

was stolen is from May 1, 2022, to October 31, 2022, with a few records from January 2, 2023.<br />

<strong>The</strong> event, which has been connected to a larger attack aimed at Snowflake customers, shows how even<br />

the biggest companies can be hit by clever cyber threats. Even though AT&T has told the public that the<br />

stolen data does not include call or text content or private in<strong>for</strong>mation like Social Security numbers, the<br />

sheer amount of data that was made public is very worrying about how it might affect people's privacy.<br />

<strong>The</strong> breach has caused a lot of controversy and calls <strong>for</strong> all kinds of industries to take more security<br />

steps. As the attack is still being looked into, it is still not clear how bad the harm was. This event is a<br />

stark reminder of how important it is to have strong data security plans to keep private consumer data<br />

safe.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 176<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


How Big the Breach Was<br />

It's hard to believe how big the AT&T data breach is. <strong>The</strong> in<strong>for</strong>mation that was stolen is from May 1, 2022,<br />

to October 31, 2022, with a few records from January 2, 2023. This means that the call and text data of<br />

at least 10 million Americans was made public. AT&T has said that the stolen data does not include the<br />

content of calls or texts or private in<strong>for</strong>mation like Social Security numbers. However, the huge amount<br />

of data that has been made public is very worrying <strong>for</strong> privacy. <strong>The</strong> records show who users called or<br />

texted, how long the conversations lasted, and sometimes even where the cell towers from which the<br />

calls were made.<br />

What Will Happen to Customers<br />

<strong>The</strong>re are many effects of this breach. If someone gets their hands on this much info, they could use it in<br />

a lot of bad ways. This in<strong>for</strong>mation could be used by cybercriminals to target phishing attacks, steal your<br />

name, or even demand money. <strong>Cyber</strong>criminals can make more effective phishing schemes if they know<br />

specific details about people, like their phone numbers and how often they call. <strong>The</strong> data could also be<br />

used to figure out personal things about people, like their relationships, health, or finances, which could<br />

then be used <strong>for</strong> bad things.<br />

People no longer trust AT&T to keep their customer info safe after the breach. A lot of customers aren't<br />

sure about the company's security methods and whether their personal in<strong>for</strong>mation is really safe. This<br />

breach shows how important it is to have stricter rules on data protection and <strong>for</strong> businesses to put a lot<br />

of money into defense. Because of this breach, there is less trust in AT&T, which could cost them<br />

customers and make officials look more closely at their business.<br />

What Came Next<br />

Because of the breach, regulators, politicians, and the public have been very close to AT&T. <strong>The</strong> business<br />

said it is working closely with the police to look into what happened and bring the criminals to justice. At<br />

the same time, AT&T has put in place stronger security steps to stop similar breaches from happening<br />

again. <strong>The</strong>se steps include tighter controls on access, better encryption protocols, and closer tracking of<br />

network activity.<br />

A bad name <strong>for</strong> AT&T is expected to last <strong>for</strong> a long time, though. <strong>The</strong> business will have to put in a lot of<br />

work to earn back its customers' trust and show that it cares about data security. As a stark warning, this<br />

breach shows that even the biggest and most well-known companies can be hacked. To fix its image,<br />

AT&T will need to do more than just improve its technology. It will also need to be open and honest with<br />

its customers about the steps it is taking to keep their data safe.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 177<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


More Than One Issue<br />

<strong>The</strong> AT&T breach is not the only one that has happened. In the past few years, there have been a lot<br />

more data hacks affecting big businesses in a lot of different fields. A scary amount of private in<strong>for</strong>mation<br />

is being leaked in all kinds of fields, from healthcare to business. For example, 147 million people's<br />

personal in<strong>for</strong>mation was made public when Equifax was hacked in 2017, and about 500 million guests'<br />

in<strong>for</strong>mation was made public when Marriott was hacked in 2018. <strong>The</strong>se events make it clear that<br />

cybersecurity needs to be tackled thoroughly, with the government and businesses working together.<br />

Keeping Yourself Safe<br />

Some people may not be affected by the AT&T breach right away, but it's still important to protect your<br />

personal in<strong>for</strong>mation. Here are some ideas:<br />

Watch out <strong>for</strong> phishing attacks: Phishing emails are a common way <strong>for</strong> hackers to get people to give<br />

up personal in<strong>for</strong>mation. Watch out <strong>for</strong> emails you didn't ask <strong>for</strong>, and don't click on links or download files<br />

from people you don't know. If you get an email from someone you don't know or one that asks <strong>for</strong><br />

personal in<strong>for</strong>mation right away, this could be a sign of a scam.<br />

Keep an eye on your credit reports: Check your credit reports often <strong>for</strong> any strange behavior. This<br />

could help you catch identity theft early. Through AnnualCreditReport.com, you can get a free credit<br />

report from each of the three big credit bureaus once a year. <strong>The</strong>se are Equifax, Experian, and<br />

TransUnion.<br />

Strong, unique passwords are important: Make sure all of your online accounts have complicated<br />

passwords, and use a password manager if you need to keep track of them. Don't use in<strong>for</strong>mation that<br />

is easy to figure out, like dates or everyday words. A good password generator can make complicated<br />

passwords <strong>for</strong> you and keep them safe.<br />

Turn on two-factor authentication: This makes your accounts safer by needing a second way to prove<br />

who you are, like a code sent to your phone. Two-factor authentication (2FA) can make it much less likely<br />

that someone will get into your accounts without your permission.<br />

When you share personal in<strong>for</strong>mation online, be careful: You shouldn't share too much personal<br />

in<strong>for</strong>mation on social media and other websites. Keep in mind that in<strong>for</strong>mation that seems harmless can<br />

be used to figure out private things about you. Check the protection settings on your social media<br />

accounts to limit who can see your stuff.<br />

Conclusion<br />

<strong>The</strong>re have been a lot of effects from the AT&T breach, not just on the customers who were affected but<br />

also on the company's image and finances. People are more careful with their personal in<strong>for</strong>mation now,<br />

and they don't trust AT&T as much as they used to. It's clear from this event how important it is to be<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 178<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


open and move quickly after a breach. Companies should not only work to stop cyberattacks, but they<br />

should also have a strong plan <strong>for</strong> what to do after an attack to limit the damage and rebuild trust.<br />

To fix the problems caused by the AT&T breach, every business needs to look at its security plans again.<br />

Important steps include using cutting-edge security technologies, conducting regular security audits, and<br />

giving workers ongoing cybersecurity training. A safety net in case of a breach can also be bought by<br />

purchasing complete cyber insurance. Businesses can make their defenses stronger and better protect<br />

their customers' info in the future by learning from this event.<br />

About the Author<br />

Elena Thomas is the Digital Content Strategist at SafeAeon, a leading cybersecurity company, where<br />

she combines her passion <strong>for</strong> digital marketing with her unwavering dedication to<br />

enhancing online security. With a career spanning over a decade in the<br />

cybersecurity realm, Elena has emerged as a prominent figure in the industry.<br />

Her expertise lies in crafting innovative digital strategies that empower individuals<br />

and organizations to safeguard their digital assets.<br />

Beyond her professional life, Elena is a true cybersecurity enthusiast. She<br />

devotes her spare time to educating the public about the ever-evolving cyber<br />

threats and how to stay protected in the digital age. Elena's commitment to a safer<br />

digital world shines through in her in<strong>for</strong>mative and engaging writing, making her<br />

a sought-after contributor to blogs and publications in the cybersecurity space.<br />

When she's not immersed in the world of cybersecurity, Elena enjoys outdoor adventures and exploring<br />

new cuisines.<br />

Elena can be reached via email at elena.thomas@safeaeon.com and at our company website<br />

http://www.safeaeon.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 179<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> Key to AI-Enabled Multi-Coalition Warfare<br />

By George Kamis, CTO, Everfox<br />

In February, the top artificial intelligence (AI) official at the Department of <strong>Defense</strong> (DoD) laid out his<br />

vision <strong>for</strong> AI-enabled warfare. “Imagine a world where combatant commanders can see everything they<br />

need to see to make strategic decisions,” he said, “[and] the turnaround time <strong>for</strong> situational awareness<br />

shrinks from a day or two to 10 minutes.” This level of speed and awareness can be the difference<br />

between life and death on the battlefield.<br />

For AI at the tactical edge to become a reality, though, the DoD must also implement cross-domain<br />

technology—particularly to make the most of collaboration with coalition partners. In Ukraine, <strong>for</strong><br />

example, the U.S. is spearheading a coalition of more than 50 allies. It’s imperative that data from all<br />

partners, networks, and classification levels can be fed into AI engines to in<strong>for</strong>m decision-making without<br />

sacrificing security—which cannot happen without cross-domain solutions.<br />

<strong>The</strong> importance of cross-domain technology<br />

It’s no secret that AI is only as effective as the data it’s fed. For AI-enabled warfare to become a reality,<br />

clean, high-quality data must be brought together from multiple security levels and coalition networks to<br />

<strong>for</strong>m data repositories. But such data sharing must be done with the proper security measures in place.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 180<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


For example, when data from a classified U.S. network is shared with a mission partner, sensitive<br />

in<strong>for</strong>mation—such as how the data was obtained—should be stripped out and only the most pertinent<br />

in<strong>for</strong>mation should remain.<br />

On the flip side, the U.S. and its partners must also be able to take open-source intelligence from<br />

unclassified sources, sanitize it by removing all malicious content, and push it up to higher classification<br />

levels.<br />

Triangulating intel<br />

Securely bringing together disparate data to in<strong>for</strong>m decision-making is only one side of the coin, though.<br />

In addition to working across classification levels and coalition networks, warfighters should also be able<br />

to run the same query on multiple AI engines, including those at the unclassified level, to triangulate intel.<br />

For instance, it could be extremely useful <strong>for</strong> warfighters to leverage standard open-source data on<br />

sentiment or threats, and to then compare that against classified AI engines. Similarly, a query run on a<br />

coalition network could be compared to a U.S. classified network to have a more comprehensive<br />

understanding of the situation.<br />

<strong>The</strong> ability to run the same query on different engines can create a competitive advantage on the<br />

battlefield. But also, it highlights the importance of keeping a human in the loop. AI-enabled warfare<br />

doesn’t mean the AI is making and acting on a decision all on its own. It’s simply another way to collect<br />

and present in<strong>for</strong>mation—in<strong>for</strong>mation that must be vetted by trained personnel be<strong>for</strong>e any action takes<br />

place. Internet AI engines have their own shortcomings, which must be considered in any decisionmaking.<br />

Still, more in<strong>for</strong>mation is always better.<br />

<strong>The</strong> bottom line<br />

To keep pace with its adversaries, the DoD must enable warfighters operating near the tactical edge to<br />

seamlessly leverage data and AI. Personnel must be able to access data whenever and wherever it’s<br />

needed, regardless of network or domain—something that can only be done using cross-domain<br />

technology. Securely and efficiently managing the flow of data across classification levels and networks<br />

ensures algorithms are analyzing as much relevant data as possible.<br />

While the ability to bring together data from disparate domains and networks is integral to collaborative,<br />

AI-enabled warfighting, using a variety of AI engines can further supercharge such ef<strong>for</strong>ts. When<br />

warfighters can quickly and effectively query a variety of AI engines with cross-domain access technology<br />

and triangulate that intel, they have an even greater competitive advantage, as a diversity of perspectives<br />

offers warfighters an even more comprehensive understanding of the situation at hand.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 181<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


About the Author<br />

George Kamis is the Chief Technology Officer (CTO) at Everfox.<br />

He works closely with In<strong>for</strong>mation Assurance and <strong>Cyber</strong> Security<br />

industry leaders, government executives, and Forcepoint<br />

executive management team to help guide their long-term<br />

technology strategy and keeps it aligned with federal and industry<br />

requirements. By leveraging his wealth of over 30 years of<br />

experience in <strong>Cyber</strong> Security, he has helped lead Forcepoint to<br />

become the leader in Cross Domain Solutions (CDS) and cyber<br />

security products.<br />

Prior to his role as CTO, he served as Vice President of Engineering <strong>for</strong> 10 years at Trusted Computer<br />

Solutions and ran both the Professional Services and Development organizations. Raytheon acquired<br />

Trusted Computer Solutions in 2010. Trusted Computer Solutions, along with other Raytheon<br />

acquisitions, <strong>for</strong>med as Forcepoint in January 2016.<br />

Prior to Trusted Computer Solutions, Mr. Kamis worked <strong>for</strong> the US Naval Research Laboratory, Center<br />

<strong>for</strong> High Assurance Computer Systems. In this role, he managed the development of multilevel secure<br />

systems <strong>for</strong> the Navy and lead one of the first multilevel system to be deployed in the Navy. He was also<br />

involved with the testing and deployment of US Navy communication security (COMSEC) devices.<br />

Mr. Kamis is also an active member of the Technology Committee and Supervisory Committee <strong>for</strong> the<br />

NextMark Federal Credit Union and consults on in<strong>for</strong>mation technology and cyber security related<br />

matters.<br />

He holds a degree in Electrical Engineering with honors from West Virginia University and holds active<br />

memberships Armed Forces Communications and Electronics Association (AFCEA).<br />

Mr. Kamis can be reach at everfox@req.co or through our company website https://www.everfox.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 182<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Four Steps Security Teams Can Take to Unlock Resources In<br />

Budget-Constrained Environments<br />

By Jennifer Leggio, Chief Operating Officer, Tidal <strong>Cyber</strong><br />

Imagine walking into a board meeting with a tool that shows your board exactly how protected the<br />

organization is, based on the investment they have allowed you to make.<br />

Or, imagine getting a call from your CEO, who saw something on X (<strong>for</strong>merly Twitter) about the “threat<br />

of the day,” and being able to show immediately how protected the organization is from that threat with<br />

the resources you have in place.<br />

<strong>The</strong>se capabilities can give boards and CEOs confidence, from a governance perspective, that there is<br />

coverage. But more important at this time with security budget constraints, is the ability to see if your<br />

defensive stack is up to the task. And if not, show what steps the team can take to optimize defenses<br />

and the resources needed – people, processes, and technology.<br />

How can you make these scenarios a reality?<br />

Staying Ahead of the Biggest Threats<br />

Gartner talks about continuous threat exposure management (CTEM) as a strategy to prioritize whatever<br />

most threatens your business, and estimates the approach can help organizations reduce breaches by<br />

two-thirds over the next two years. With more than 70% of organizations feeling they’ve wasted 25-100%<br />

of their cybersecurity budget, it makes sense that CTEM is one of the top five cybersecurity trends <strong>for</strong><br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 183<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>2024</strong>. CTEM is comprised of multiple processes and capabilities like Breach and Attack Simulation (BAS)<br />

and Threat-In<strong>for</strong>med <strong>Defense</strong> (TID) that work together to advance your CTEM strategy.<br />

BAS tools provide an important baseline function because they test and validate that your security<br />

controls are working against threat intelligence available in MITRE ATT&CK®. <strong>The</strong>y are higher fidelity<br />

than purely analysis-based evaluation and have broader coverage than human-powered penetration<br />

testing and red teaming. BAS tools automate the process to provide faster, more accurate results and<br />

can be run repeatedly with dashboards and analysis <strong>for</strong> reporting of test results.<br />

Illustrating Security Team Value and Investment Justification<br />

Testing tool efficacy provides a critical function within CTEM, but you can’t stop there. To bring those<br />

boardroom and CEO scenarios to fruition, Threat-In<strong>for</strong>med <strong>Defense</strong> comes into play to help you optimize<br />

defenses and strategically manage exposure to threats.<br />

Here are four steps security leaders can take with a TID approach to show how well the organization is<br />

protected, and what’s needed <strong>for</strong> improvement.<br />

1. Build on testing. Your test results may indicate what you tested is working, but you still may not<br />

have everything you need to secure the organization because threat actor tactics, techniques,<br />

and procedures (TTPs) are changing rapidly. Recent examples include Scattered Spider’s shift<br />

to SaaS and new techniques that came out of left field, the use of APT40 in new campaigns and<br />

new geographic regions, and Black Basta’s adoption of unusual TTPs to trick users into using a<br />

Window feature to compromise the system. And what about the tools you didn’t test and those<br />

that didn’t pass?<br />

2. Keep up with evolving threats. TID tools complement testing to help you assess your threat<br />

exposure across your entire defensive stack, not just select tools. Automatically mapping your<br />

existing security stack against a knowledge base that includes threat intelligence in MITRE<br />

ATT&CK, and other threat intel sources that are updated more frequently, provides a complete<br />

picture of how protected you are against the threat of the day.<br />

3. Understand your optimization options. Using insights derived by continually tracking different<br />

tools’ capabilities and how you have them deployed, coupled with intel on threats that matter most<br />

to your organization, a TID tool will provide recommendations <strong>for</strong> what to do next to optimize your<br />

defensive posture. You may learn that you can optimize what you already have with configuration<br />

changes or by adding internal resources to create a new custom rule or detection. Perhaps<br />

upgrading a security tool to a new version will provide the capabilities you need. Or you may<br />

genuinely have a gap you need to fill by adding a new tool to your arsenal.<br />

4. Complete the picture. As you make changes to your program, go back to testing. Validate that<br />

what you have done to optimize the organization’s defensive posture is working as planned and<br />

delivering the outcomes you want. Closing the loop will build momentum <strong>for</strong> your CTEM program<br />

and confidence in your team.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 184<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Unlocking Resources<br />

When you advance your threat exposure management strategy with a threat-in<strong>for</strong>med defense, you can<br />

walk into that boardroom and easily illustrate how well you are protected – at any given time or against<br />

the threat of the day – and what you can do to improve.<br />

• You can show what you’re already doing to optimize existing investments and how changes made<br />

are reducing threat exposure.<br />

• You get the justification <strong>for</strong> why you need more support to invest in either people, processes, or<br />

technology to fill a gap.<br />

• You may even be able to show that there’s an opportunity to reallocate funds by eliminating<br />

redundancies and retiring tools.<br />

Imagine that.<br />

About the Author<br />

Jennifer Leggio is the Chief Operating Officer of Tidal <strong>Cyber</strong>, the leader in<br />

Threat-In<strong>for</strong>med <strong>Defense</strong>, and has near 24 years of experience in cybersecurity<br />

marketing, operations, strategy, and business development. Her specialties<br />

include build-to-exit, build-to-grow, and rebuild-<strong>for</strong>-strength strategies. She<br />

excels in storytelling and crafting content-driven, integrated programs that drive<br />

brand awareness and revenue generation. Beyond marketing, she has overseen<br />

financial growth strategy, investor relations, change management, supply chain<br />

optimization, sales operations and enablement, and deal desk management. Her<br />

most notable growth and exit ventures include Fortinet, Sourcefire (Cisco),<br />

Flashpoint, Claroty, and Infocyte (Datto).<br />

In 2019, she was recognized by SC Media <strong>for</strong> advocating aggressively <strong>for</strong> ethical<br />

marketing programs and the protection of security researchers. She’s also spoken on these topics at<br />

various industry events and conferences and continues to share my insights through articles and<br />

podcasts, and several speaking opportunities at DEF CON, RSA, Gartner Security Summit, and so on.<br />

As a growth strategist, she advises startups and venture capital firms on achieving rapid and sustainable<br />

growth, earning a reputation as a game-changer in the industry. Jennifer can be reached online at<br />

jennifer.leggio@tidalcyber.com or on LinkedIn at https://www.linkedin.com/in/jenniferleggio/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 185<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Exploring CVSS 4.0’s Impact on Vulnerability and Threat<br />

Management<br />

By Alastair Williams, VP of Worldwide Systems Engineering, Skybox Security<br />

<strong>The</strong> Common Vulnerability Scoring System (CVSS) offers a standardized framework <strong>for</strong> characterizing<br />

and scoring vulnerabilities, helping the ef<strong>for</strong>t <strong>for</strong> vulnerability risk assessment. <strong>The</strong> release of CVSS 4.0<br />

in November 2023 marked a significant milestone in the cybersecurity landscape. With the industry<br />

constantly evolving and threat actors becoming increasingly sophisticated, the long-awaited update to<br />

the CVSS was essential.<br />

<strong>The</strong> new version, CVSS 4.0, was developed by 30 CVSS Special Interest Group (SIG) members. It aims<br />

to provide a more nuanced approach to risk assessment. This updated scoring system addresses the<br />

need <strong>for</strong> greater precision and clarity in determining cybersecurity risks, particularly in light of the dynamic<br />

nature of emerging technologies.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 186<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Despite the advancements offered by CVSS 4.0, the complexity of cybersecurity challenges persists.<br />

<strong>The</strong> rapid pace of technological innovation, coupled with the relentless ef<strong>for</strong>ts of threat actors, creates<br />

the need <strong>for</strong> more nuanced risk assessment.<br />

What’s New with CVSS 4.0<br />

CVSS 4.0 brings significant enhancements to its terminology, granularity, and simplicity, leading to a<br />

more comprehensive risk assessment framework.<br />

One notable change is the refinement of terminology within the scoring system, emphasizing distinct risk<br />

groups to prevent confusion. <strong>The</strong> scoring groups have been rebranded to enhance clarity, with specific<br />

names such as CVSS-B, CVSS-BT, CVSS-BE, and CVSS-BTE, emphasizing the significance of each<br />

metric group in risk assessment.<br />

In terms of granularity, CVSS 4.0 offers enhanced detail, particularly evident in the refinement of the<br />

Attack Complexity metric. This metric has been divided into Attack Complexity (AC) and Attack<br />

Requirements (AT), enabling security teams to gain a better understanding of the conditions necessary<br />

<strong>for</strong> an attack and the factors within their control. <strong>The</strong> Impact metrics have been further segmented into<br />

Vulnerable System Impact and Subsequent System Impact, providing a more thorough evaluation of<br />

potential damages.<br />

To streamline the scoring system and improve clarity, redundancies have been eliminated in CVSS 4.0.<br />

Metrics such as Scope, Remediation Level (RL), and Report Confidence (RC) have been removed,<br />

aiming to eradicate inconsistencies and simplify the assessment process.<br />

In pursuit of improved simplicity, CVSS 4.0 has also consolidated the threat metric group, now comprising<br />

only one metric: Exploit Maturity. This metric offers three options—Functional, High, and Attacked—<br />

streamlining the assessment process and ensuring greater consistency across the industry. <strong>The</strong>se<br />

enhancements in CVSS 4.0 contribute to a more refined and user-friendly risk assessment framework,<br />

empowering security professionals to make in<strong>for</strong>med decisions and prioritize effectively.<br />

Leveraging Opportunities and Addressing Challenges<br />

<strong>The</strong> advent of CVSS 4.0 presents both opportunities and challenges <strong>for</strong> cybersecurity professionals.<br />

While the updated scoring system offers greater precision and granularity in risk assessment, it also<br />

underscores the need <strong>for</strong> organizations to reassess their vulnerability management strategies.<br />

Security teams must leverage the enhanced capabilities of CVSS 4.0 to prioritize remediation ef<strong>for</strong>ts<br />

effectively and bolster their defenses. By embracing a proactive approach to vulnerability management<br />

and leveraging comprehensive risk assessment tools, organizations can enhance their cybersecurity<br />

posture and mitigate potential risks effectively.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 187<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


To optimize vulnerability management, security teams should take the following actions:<br />

1. Familiarize themselves with the nuances of CVSS 4.0 and its updated scoring metrics to<br />

accurately assess cybersecurity risks.<br />

2. Implement comprehensive vulnerability management processes that leverage the granularity<br />

offered by CVSS 4.0 to prioritize remediation ef<strong>for</strong>ts based on the severity and exploitability of<br />

vulnerabilities.<br />

3. Invest in advanced threat intelligence solutions and automation tools to proactively identify and<br />

mitigate emerging threats, ensuring robust defense mechanisms against cyberattacks.<br />

Establishing Modern Day <strong>Defense</strong>s<br />

<strong>The</strong> release of CVSS 4.0 signifies a significant advancement in vulnerability and threat management.<br />

While it introduces complexities, it also provides opportunities <strong>for</strong> organizations to enhance their<br />

cybersecurity defenses. <strong>The</strong> transition will require a concerted ef<strong>for</strong>t from cybersecurity professionals to<br />

fully understand its implications and capitalize on its benefits. As organizations adapt to this updated<br />

scoring system, collaboration, knowledge sharing, and continuous improvement will be key to staying<br />

ahead of cyberthreats.<br />

<strong>Cyber</strong>security professionals must continuously work together to beat cybercriminals. <strong>The</strong> new version of<br />

CVSS offers enhanced risk visibility and prioritization, allowing organizations to focus resources on<br />

addressing the most critical vulnerabilities. CVSS 4.0 also improves resilience against cyber threats,<br />

safeguarding sensitive data and infrastructure from potential breaches and attacks.<br />

By embracing the principles of CVSS 4.0 and adopting proactive vulnerability management strategies,<br />

organizations can achieve greater operational efficiency and effectiveness in vulnerability management,<br />

resulting in cost savings and reduced exposure over time.<br />

About the Author<br />

Alastair Williams is VP of Worldwide Systems Engineering at Skybox Security.<br />

With over 20 years of experience in cybersecurity and enterprise software,<br />

Alastair is responsible <strong>for</strong> helping customers solve their complex cybersecurity<br />

challenges, ranging from Fortune 1000 companies to healthcare<br />

organizations to the world’s largest banks. Prior to Skybox, he spent 11 years<br />

at the cybersecurity company Symantec, where he held technical roles,<br />

including Senior Technical Product Manager, Senior Principal Systems<br />

Engineer, and Security Architect. Based in the U.K., Alastair is a frequent<br />

speaker on cybersecurity topics in Europe and around the world. Alastair can<br />

be reached at Skybox Security’s company website www.skyboxsecurity.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 188<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Guardians of the Grid<br />

How Generative AI is Revolutionizing <strong>Cyber</strong>security<br />

By Rounak Singh, Senior Research Analyst - ICT, Marketsandmarkets Research Private Ltd.<br />

<strong>The</strong> surge in cyberattacks and the emerging role of Generative AI<br />

<strong>The</strong> importance of cyber security tools in protecting sensitive in<strong>for</strong>mation, sustaining organization’s<br />

resilience and enabling business continuity during hostile attempts was testified to by the events of<br />

cybercrime over the previous year:<br />

• In May <strong>2024</strong>, the UK Ministry of <strong>Defense</strong> had a payroll system breach that led to personal<br />

in<strong>for</strong>mation about almost 270,000 employees being exposed.<br />

• In March <strong>2024</strong>, French state services were targeted by a large denial-of-service (DDoS) attack<br />

that affected more than 300 web domains and 177,000 IP addresses linked to government.<br />

• In February <strong>2024</strong>, Change Healthcare, one of the major US health payment processors<br />

experienced a ransomware attack by ALPHV/BlackCat gang with dire consequences. <strong>The</strong><br />

incident stopped payment processing <strong>for</strong> some weeks causing as much as USD 100 million daily<br />

losses and yet again emphasizing the need <strong>for</strong> cyber security.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 189<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Generative AI has shown potential to disrupt the cybersecurity landscape. Although current and future<br />

applications of Gen AI models mainly focus on text, audio video and image-based modalities learning<br />

and replication; these models can also identify threats or vulnerabilities themselves, so they predict<br />

patterns and trends thus helping mitigate cyber threats. According to a report published by<br />

MarketsandMarkets, the market <strong>for</strong> Generative AI <strong>Cyber</strong>security is anticipated to experience substantial<br />

expansion with a compound annual growth rate (CAGR) of 33.4% between <strong>2024</strong> to 2030. This dramatic<br />

surge is being fueled by a number of causes. <strong>The</strong> primary growth driver is the enhancement of existing<br />

cybersecurity tools through generative AI algorithms by improving anomaly detection, automating threat<br />

hunting and penetration testing, and providing complex simulations <strong>for</strong> security testing purposes. <strong>The</strong>se<br />

techniques enable various cyber-attack scenarios that can be simulated using the Generative Adversarial<br />

Networks (GANs), thus enabling the development of better preparedness and response strategies.<br />

Implications of Generative AI within <strong>Cyber</strong>security<br />

Generative AI presents promising applications <strong>for</strong> improving cybersecurity defense strategies.<br />

Generative AI based algorithms can simulate multiple attack scenarios, enabling cybersecurity<br />

professionals to anticipate and mitigate risks be<strong>for</strong>e they become real-world issues. Moreover, generative<br />

AI can automate routine security tasks, enabling security experts to focus on more complex issues.<br />

Like with any rampant technology on the rise, the implementation of Generative AI also poses some stark<br />

questions to consider. While the benefits outweigh the negative implications, the technology also has its<br />

loopholes that can expose the system to new <strong>for</strong>ms of insecurity. <strong>The</strong> most concerning issue is the ability<br />

of malicious actors to utilize generative AI to build sophisticated phishing attacks, create deep fake<br />

messages, and develop malware.<br />

To realize the advantages of generative AI while managing possible misuse, a multifaceted approach<br />

must be adopted. This consists of strengthening the organizational cybersecurity framework to empower<br />

security analysts and experts at the implementation stage and incorporating robust training and<br />

processes to identify potential cybersecurity threats and how to overcome them. However, the principles<br />

of ethics cannot be left out of the picture as modern enterprises embark upon the journey to a<br />

trans<strong>for</strong>mative Gen AI cybersecurity revolution.<br />

Why is Generative AI an imperative <strong>for</strong> cybersecurity teams?<br />

While the use cases are paramount and positive annotations continue to drive deployment and<br />

implementation across the enterprise value chain, potentially, the demands of modern enterprises<br />

typically hinge on the ‘detection’ and ‘remediation’ of cyber threats. To broadly categorize, factors that<br />

continue to drive the adoption of Generative AI based cybersecurity solutions include:<br />

• Generative AI's ability to <strong>for</strong>esee and flag emerging cyber threats drives the future of pre-emptive<br />

cybersecurity measures.<br />

• <strong>The</strong> self-improving nature of generative AI ensures cybersecurity systems evolve alongside new<br />

attack vectors and tactics<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 190<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


• Generative AI excels in correlating vast and diverse data sets to uncover hidden threats that<br />

traditional methods miss<br />

• <strong>The</strong> ease of integrating generative AI with current cybersecurity frameworks accelerates adoption<br />

and enhances overall defense mechanisms<br />

• Generative AI optimizes resource allocation by prioritizing critical security alerts, ensuring that<br />

human and technical resources are used most effectively<br />

Use Cases of Generative AI in <strong>Cyber</strong>security<br />

1. Real-Time Threat Detection and Enhanced Threat Intelligence<br />

Generative AI has the capability to assess and understand a large amount of real time data that is<br />

essential in detecting early possible threats. <strong>The</strong> existing traditional systems find it hard to handle the<br />

velocity and volume of data that results from modern networks. However, generative models can sift<br />

through such data thereby identifying anomalies or patterns indicating cyber threat. <strong>The</strong>se models learn<br />

from new data continuously hence they are able to match up with changes in the cyber criminals’ tactics<br />

thus acting as proactive defense.<br />

A good example is IBM’s QRadar advisor which uses artificial intelligence <strong>for</strong> analyzing both structured<br />

and unstructured in<strong>for</strong>mation coming from various sources. This system combines data drawn from<br />

different events to detect threats that may not be visible under ordinary circumstances. According to IBM,<br />

QRadar Advisor with Watson lowered average response times by 60% which indicated effectiveness of<br />

AI in threat detection.<br />

2. Improved Incident Response Management<br />

<strong>The</strong> speed and response efficiency in the event of cyber incident is crucial to curtail damage. <strong>The</strong><br />

automation of several aspects of the process by generative AI can make incident response better. For<br />

instance, AI models can assist in rapidly recognizing the type of attack, identifying its origin and learning<br />

about the compromised systems. This automated analysis provides security teams with actionable<br />

insights such that their focus is shifted from diagnosis to implementing solutions.<br />

Darktrace is a cybersecurity firm whose technology uses AI to respond to threats autonomously. In UK<br />

city council during ransomware assault, Darktrace’s AI identified and responded the real threat which<br />

prevented spreading the ransomware and reduced impacts of attacks. <strong>The</strong>re was significant disruption<br />

and financial loss associated with this immediate response.<br />

3. Secure Software Development Lifecycle (SSDLC)<br />

Generative AI can help address SSDLC security issues by providing automatic identification of code<br />

vulnerability and configuration errors during a development process. As well as identifying problematic<br />

areas and suggesting possible remedies, AI tools may be used to write secure coding sequences.<br />

A major example of how AI is used in the Security Development Lifecycle (SDL) at Microsoft. Microsoft<br />

has developed AI tools that are capable of checking millions of lines of code <strong>for</strong> vulnerabilities be<strong>for</strong>e<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 191<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


they are deployed. This has greatly reduced the number of weaknesses that their products suffer from<br />

thereby increasing the general security level therein.<br />

4. Supplementing Security Analysts<br />

Security analysts often deal with voluminous amounts of threats and alert notifications, which warrant<br />

quick redressal. Generative AI proves to be helpful in this regard, taking over such tasks as log analysis,<br />

threat hunting, or incident prioritization. For example, generative AI can sieve out false positives, flagging<br />

critical issues and provide detailed context to help analysts concentrate on more intricate and strategic<br />

assignments.<br />

An illustration that demonstrates this is JPMorgan Chase’s application of gen AI-native cybersecurity<br />

across its financial services. <strong>The</strong> COiN (Contract Intelligence) by JP Morgan Chase uses artificial<br />

intelligence systems to extract valuable in<strong>for</strong>mation from legal documents and thereby reducing the<br />

analyst’s workload <strong>for</strong> accurate compliance and risk management purposes. JPMorgan Chase has<br />

optimized their work with artificial intelligence in order to handle security and compliance risks better than<br />

they did earlier with traditional cybersecurity tools.<br />

5. Ensuring Resiliency and Business Continuity Management<br />

Business continuity is of utmost concern to organizations, especially amid cyber threats. In this regard,<br />

Generative AI can help in boosting systems and processes resilience, as generative AI models can<br />

simulate various attack scenarios and assess their impact on business operations. A proactive nature<br />

enables organization’s identification of potential weak points and implementation of measures aimed at<br />

mitigating the risks be<strong>for</strong>e materializing.<br />

FireEye <strong>for</strong> instance uses AI technology to model different kinds of cyber-attacks that may happen; thus<br />

assessing how much it will affect clients. <strong>The</strong> use of such a technology allows organizations to come up<br />

with solid plans <strong>for</strong> business continuity, which means they can handle real-world digital threats more<br />

effectively when these occur. Thus, FireEye's approach based on AI has allowed many companies<br />

enhance their cyber defense posture while still running their businesses during an intrusion.<br />

6. Guard railing of Large Language Models (LLMs)<br />

LLMs such as OpenAI’s GPT-4 and Google’s Gemini have demonstrated impressive abilities in<br />

generating human-like text. However, the same powerful tools can also be misused by unscrupulous<br />

individuals to create very convincing phishing emails, fabricate fake news or even design new strains of<br />

malware. To prevent this, developers implemented strong guardrails.<br />

Content filtering is one of the main means through which the risks are mitigated whereby LLMs’ outputs<br />

are inspected <strong>for</strong> dangerous or unethical contents like hate speech and misin<strong>for</strong>mation be<strong>for</strong>e being<br />

shared with users through algorithms. OpenAI uses content filters that detect and block any violations of<br />

ethics when using these technologies. In this regard, OpenAI has an API that offers its models under<br />

strict usage conditions while being vigilant to activities that may signal some type of dubious activity going<br />

on at their end. User access restrictions and constant surveillance keep LLMs protected against misuse.<br />

To avoid possible abuses, developers may limit model availability by determining who can use them and<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 192<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


how they use them. This implies that they always watch over their technology so as to detect<br />

discrepancies in time, which helps maintain credibility.<br />

Amalgamation of generative AI with cybersecurity: the road ahead<br />

<strong>The</strong> cyber security scene is a battlefield where the stakes have never been higher and the enemies never<br />

wilier. In such an environment, generative AI becomes not only a tool but also an agent of trans<strong>for</strong>mation<br />

that redefines how we approach digital defense. Generative AI enables cyber security teams to outsmart<br />

malicious actors with predictive models that come up with threats be<strong>for</strong>e they occur and automate<br />

monotonous tasks that are however crucial.<br />

Just think about it; imagine a world where cyber threats get neutralized long be<strong>for</strong>e they cause<br />

destruction, where incident responses are fast and definitive, and where software development is in-built<br />

secureness. This is the future that generative AI promises—a future where security becomes proactive<br />

rather than reactive, sophisticated instead of primitive. It’s a future in which human genius combines with<br />

computer precision to provide a wall against the menace of online attacks.<br />

However, we must take great care in the ethical implications and potential abuse of this technology. By<br />

introducing safeguards that are well-designed and encouraging responsible AI culture, generative AI’s<br />

power can be fully harnessed while mitigating against its perils.<br />

Generative AI is the grandmaster in the grand chess game of cybersecurity. Organizations should<br />

leverage this powerful ally to protect their digital strongholds. <strong>The</strong> age of generative AI in cybersecurity<br />

has come and with it a pledge <strong>for</strong> a more secure and resilient digital world.<br />

About the Author<br />

Rounak Singh is a Senior Research Analyst with the ICT team at<br />

Marketsandmarkets Research Private Ltd. He has over 5 years of experience as<br />

a strategic consultant and market research analyst, delivering diverse projects<br />

around Artificial Intelligence (AI) and Analytics. His current role sees him<br />

spearheading several syndicate and bespoke market studies, with special<br />

emphasis around the booming generative AI and Large Language Models<br />

ecosystem. He is also responsible <strong>for</strong> creating synergies with clients operating in<br />

the AI and Analytics domain, assisting them in identifying revenue maximization<br />

opportunities and hot bets.<br />

Rounak can be reached online at LinkedIn and at our company website<br />

https://www.marketsandmarkets.com/.<br />

Download PDF Brochure: https://www.marketsandmarkets.com/pdfdownloadNew.asp?id=164202814<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 193<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Elevating Security: <strong>The</strong> Crucial Role of Effective API<br />

Management in Today's Digital Landscape<br />

By Jens-Philipp Jung, CEO, Link11<br />

In today’s digital landscape, the increasing reliance on Application Programming Interfaces (APIs) brings<br />

significant security challenges that organizations must address. <strong>The</strong> Salt Labs State of API Security<br />

Report, <strong>2024</strong>, reveals that 95% of surveyed IT and security professionals have encountered issues with<br />

production APIs, and 23% have suffered breaches due to security inadequacies. <strong>The</strong> rapid expansion of<br />

APIs has significantly broadened the attack surface, leading to a high number of attacks bypassing<br />

authentication and targeting internal APIs.<br />

Despite these risks, many organizations lack processes to discover APIs, and few consider their API<br />

security programs advanced. <strong>The</strong> rapid proliferation of APIs, including a surge in shadow APIs—<br />

undocumented interfaces created outside of IT governance—has exacerbated the problem. <strong>The</strong>se<br />

hidden APIs are often undetected and offer attackers easy entry points.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 194<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


To address these risks, comprehensive API security strategies are essential. A fundamental step is API<br />

discovery, a process to identify all active APIs within an organization. Research shows that a staggering<br />

90% of organizations have shadow APIs, highlighting the critical need <strong>for</strong> visibility into the API landscape.<br />

By uncovering hidden APIs, organizations can assess vulnerabilities, en<strong>for</strong>ce security policies, and<br />

protect sensitive data. Ultimately, a proactive approach to API security, encompassing discovery,<br />

protection, and governance, is crucial <strong>for</strong> mitigating risks and ensuring business continuity. This makes<br />

comprehensive security measures and posture governance strategies critical to protect against evolving<br />

threats. Robust API security is essential <strong>for</strong> protecting sensitive data and ensuring the integrity of<br />

services.<br />

What is an API?<br />

An API defines the protocols and rules <strong>for</strong> communication between software components. It enables<br />

different software programs to interact, regardless of their location or plat<strong>for</strong>m. APIs can be classified into<br />

three main types based on their accessibility:<br />

1. Private APIs: Designed <strong>for</strong> internal use within an organization, these APIs are not exposed to the<br />

public.<br />

2. Semi-Public APIs: Accessible in a public context but restricted to trusted entities, protecting<br />

internal details.<br />

3. Public APIs: Available to external entities, allowing integration and communication with various<br />

applications and services.<br />

While API security is most critical <strong>for</strong> public APIs, it should not be overlooked <strong>for</strong> private and semi-public<br />

APIs.<br />

API Architecture<br />

©Link11<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 195<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Importance of API Security<br />

API security is crucial due to the significant role APIs play in connecting services and transferring data.<br />

Breaches or vulnerabilities can lead to the exposure of sensitive in<strong>for</strong>mation, including medical, financial,<br />

or personal data. <strong>The</strong> consequences of such exposures can be severe, resulting in financial losses,<br />

reputational damage, and legal ramifications.<br />

Common Threats Against APIs<br />

APIs face a variety of threats today. Some of the most prevalent include:<br />

• DDoS Attacks: Distributed Denial of Service attacks can render API endpoints unavailable or<br />

significantly impair their per<strong>for</strong>mance.<br />

• Data <strong>The</strong>ft: APIs serving valuable in<strong>for</strong>mation may be targeted by competitors or data aggregators<br />

attempting to collect sensitive data.<br />

• Account Takeovers (ATOs): APIs that facilitate user login are often targets <strong>for</strong> credential stuffing<br />

and other brute <strong>for</strong>ce attacks aimed at gaining unauthorized access.<br />

• Inventory Denial Attacks: APIs used <strong>for</strong> online purchasing can be vulnerable to attacks that impact<br />

the availability of products.<br />

API Security vs. Traditional Web Security<br />

Securing APIs presents distinct challenges compared to traditional web security. Conventional<br />

approaches often rely on a "castle and moat" strategy—protecting a well-defined perimeter. In contrast,<br />

APIs have numerous entry points, creating a complex attack surface. Many APIs are accessed by mobile<br />

applications or services, complicating bot detection. Additionally, API requests may appear legitimate,<br />

making it challenging to identify malicious activities. <strong>The</strong> following table will give a short overview:<br />

Comparison of API Security vs. Traditional Web Security<br />

©Link11<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 196<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


API Security Challenges<br />

In today's threat landscape, securing APIs can be challenging. APIs are subjected to many of the same<br />

attacks as traditional web applications (e.g., SQL injection), yet many threat detection methods effective<br />

<strong>for</strong> web apps may not apply to APIs. For instance, browser-based verification cannot distinguish between<br />

bots and humans because API traffic does not originate from web browsers. Additionally, the rise of<br />

microservices and serverless architectures complicates the management and security of APIs within a<br />

complex ecosystem. Practices like DevOps often lead to rapid API development, which can neglect<br />

security considerations.<br />

Best Practices <strong>for</strong> Ensuring API Security<br />

To mitigate API security risks, organizations should implement several key measures:<br />

1. Authentication and Authorization<br />

Implement strong mechanisms to verify client identities and control access to API resources. It’s essential<br />

to encrypt data in transit using secure protocols, such as HTTPS, to protect sensitive in<strong>for</strong>mation from<br />

interception.<br />

2. Rate Limiting<br />

En<strong>for</strong>ce limits on the number of requests from a client to prevent abuse and mitigate the impact of DDoS<br />

attacks. Rate limiting helps ensure that APIs remain available and responsive.<br />

3. Input Validation<br />

Validate and sanitize input to prevent common security vulnerabilities such as code injection and crosssite<br />

scripting (XSS). Rigorous input validation is essential <strong>for</strong> maintaining API integrity.<br />

4. Security Audits and Monitoring<br />

Regularly assess the security posture of APIs through audits and continuous monitoring. Conduct<br />

vulnerability assessments to identify and address potential weaknesses in the system.<br />

5. API Traffic Filtering<br />

Utilize web security solutions tailored to the unique security needs of APIs. Effective filtering can help<br />

protect against hostile traffic and mitigate potential attacks.<br />

Best Practices <strong>for</strong> Enhancing API Security<br />

To effectively secure APIs, organizations should adopt several best practices. First, it is essential to<br />

restrict access from compromised devices, as rooted or jailbroken devices present significant security<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 197<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


isks. Implementing strong authentication measures, such as multi-factor authentication, further helps<br />

reduce the likelihood of unauthorized access.<br />

Additionally, employing obfuscation techniques can deter attempts at reverse engineering by making<br />

client-side code difficult to interpret. It is also crucial to avoid storing sensitive data on client devices; if<br />

necessary, strong encryption and secure authentication protocols should be utilized to protect this<br />

in<strong>for</strong>mation.<br />

Utilizing parameterized queries plays a vital role in preventing injection attacks by treating user input as<br />

data rather than executable code. En<strong>for</strong>cing rate limiting is another important measure to mitigate abuse<br />

from high traffic volumes that may indicate malicious activity.<br />

Finally, implementing comprehensive security solutions, including Web Application Firewalls, DDoS<br />

protection, and continuous monitoring, is essential to defend against various threats. By integrating these<br />

strategies, organizations can significantly enhance their API security posture.<br />

Use Case: Banking API Security<br />

Consider a banking application that relies on a mobile API <strong>for</strong> transaction processing. Protecting this API<br />

is critical to safeguarding sensitive user data. Strong authentication mechanisms, like MFA, are essential<br />

<strong>for</strong> keeping user accounts secure. Rate limiting makes ATO attempts far more costly and difficult <strong>for</strong><br />

attackers. Detection of jailbroken client devices (and an app's refusal to run on them) helps to prevent<br />

reverse-engineering attempts. Minimizing (and of course, encrypting) client-side data protects it from<br />

potential compromise. Robust input validation, perhaps even with parameterization, prevents attackers<br />

from submitting malicious inputs. Continuous monitoring of usage patterns can help identify anomalies<br />

and detect attacks in their earliest stages. By implementing these measures, the banking application can<br />

maintain its integrity and protect sensitive financial in<strong>for</strong>mation.<br />

Conclusion<br />

In summary, protecting against API attacks is essential <strong>for</strong> maintaining the security, availability, and<br />

integrity of modern web applications. Organizations must implement robust security measures, including<br />

strong authentication, encryption of sensitive data, and continuous monitoring <strong>for</strong> suspicious activities.<br />

By adopting a comprehensive approach to API security, organizations can effectively safeguard their<br />

systems, protect sensitive in<strong>for</strong>mation, and ensure a secure user experience in an increasingly<br />

interconnected digital ecosystem.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 198<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


About the Author<br />

Jens-Philipp Jung is Co-Founder and CEO of Link11, a specialized global IT<br />

security provider delivering enterprise-grade cybersecurity solutions. Link11<br />

protects customers worldwide against evolving cyber threats through meticulous<br />

attention to detail and early integration of cutting-edge methods. With a strong<br />

entrepreneurial spirit and deep cybersecurity expertise, he has driven Link11's<br />

growth since 2005. His achievements include pioneering Link11's DDoS protection<br />

technology, successful acquisitions, and a focus on product-led growth, positioning<br />

the company as a global player in IT security.<br />

Jens-Philipp Jung can be reached online at info@link11.com and at our company website<br />

https://www.link11.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 199<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Phishing in <strong>2024</strong>: Navigating the Persistent Threat and AI’s<br />

Double-Edged Sword<br />

By Joe Loomis, Marketing Director <strong>for</strong> CryptoTrust LLC<br />

In <strong>2024</strong>, phishing remains one of the most prevalent and dangerous cybersecurity threats. Despite<br />

advancements in technology and increased awareness, cybercriminals continue to exploit human<br />

vulnerabilities, adapting their tactics to evade detection and maximize impact. This article delves into the<br />

reasons why phishing remains a top threat and explores how use of technology solutions can prevent<br />

successful phishing attacks even when human error occurs.<br />

<strong>The</strong> Evolution of Phishing Attacks<br />

Phishing attacks have evolved significantly since their inception. Early phishing attempts were often crude<br />

and easily identifiable, relying on poorly written emails and generic messages. In this early era of<br />

phishing, security awareness training was highly successful, as teaching users to identify and avoid<br />

attacks was fairly easy to accomplish. However, modern phishing campaigns are highly sophisticated,<br />

employing advanced social engineering techniques and leveraging current events to increase their<br />

success rates.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 200<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


One of the most notable trends in phishing is the use of personalized and targeted attacks, known as<br />

spear phishing. Unlike traditional phishing, which casts a wide net, spear phishing targets specific<br />

individuals or organizations. Attackers conduct thorough research on their victims, gathering in<strong>for</strong>mation<br />

from social media profiles, public records, and other sources to craft convincing and highly tailored<br />

messages. This level of personalization makes it difficult <strong>for</strong> even the most vigilant individuals to<br />

recognize fraudulent emails.<br />

<strong>The</strong> Human Factor<br />

Despite technological advancements in cybersecurity, the human factor remains a critical vulnerability.<br />

<strong>Cyber</strong>criminals exploit human psychology, relying on emotions such as fear, curiosity, and urgency to<br />

prompt action. Training and awareness programs are essential in mitigating this risk, but when all it takes<br />

is one successful phishing email to breach the enterprise this is not enough. Even well-trained individuals<br />

can fall victim to cleverly crafted phishing attempts, highlighting the need <strong>for</strong> technology that can protect<br />

even when humans fail.<br />

Artificial Intelligence and <strong>The</strong> Future of Phishing<br />

<strong>Cyber</strong>criminals are adept at exploiting current events and trends to make their phishing attempts more<br />

convincing. In <strong>2024</strong>, this includes leveraging the ongoing impacts of the COVID-19 pandemic, remote<br />

work trends, and geopolitical tensions. With the addition of AI, these threats will increasingly become<br />

more realistic and harder to detect. While AI does have some built-in safeguards, it will never be possible<br />

to completely prevent AI from being misused <strong>for</strong> things like phishing.<br />

Here is a quick example using ChatGPT. If we ask the AI to just generate a phishing email it correctly<br />

refuses:<br />

However, if we rephrase the request to generate an example of a highly successful phishing email, it<br />

happily generates one that could be used in an actual phishing attack with minimal changes:<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 201<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong>n, once ChatGPT creates the “example” phishing email, we can even have the AI customize it further<br />

to create a targeted spear-phishing email:<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 202<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Mitigating Phishing Threats with Comprehensive <strong>Cyber</strong>security Solutions<br />

Phishing remains a persistent threat that requires a comprehensive, multi-layered cybersecurity<br />

approach. Effective defense involves understanding both the various attack vectors and the appropriate<br />

mitigations to counter them.<br />

Common Phishing Tactics:<br />

• Malicious Links: URLs that host harmful content, often using deceptive techniques like<br />

misspellings or subdomains to appear legitimate (e.g., https://amazon.ssltls.com<br />

or https://amazonn.com).<br />

• Malicious Files: <strong>The</strong>se might be email attachments or files downloaded from a link in a phishing<br />

email, such as from a fake SharePoint site. Files like EXE, HTA, and certain Microsoft Office<br />

documents can establish a command-and-control channel, granting remote access to the<br />

attacker.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 203<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


• Credential <strong>The</strong>ft: Emails that trick users into logging in to a fake website. For instance, an email<br />

might prompt the user to enter their corporate credentials to access an important document, with<br />

the entered in<strong>for</strong>mation then sent to the attacker.<br />

• Credit Card/Invoice Fraud: Emails that request payments, either by soliciting credit card<br />

in<strong>for</strong>mation or by attaching fake invoices that prompt payment.<br />

Phishing <strong>Cyber</strong>security Solutions Checklist:<br />

Phishing-resistant MFA: Ensure the use of a phishing-resistant Multi-Factor Authentication (MFA)<br />

method, such as FIDO2. OnlyKey is a FIDO-certified security key available <strong>for</strong> purchase here.<br />

Protective DNS Service (PDNS): Deploy a PDNS to block access to malicious domains. If a user clicks<br />

on a link from a known malicious site, PDNS will prevent the site from loading.<br />

Cloud Email Security: Implement a robust cloud email security solution that automatically filters out<br />

phishing emails, spam, and other malicious content.<br />

Endpoint and Extended Detection & Response (EDR/XDR): Utilize both EDR and XDR solutions <strong>for</strong><br />

comprehensive threat detection and response.<br />

Regular 3rd-Party Penetration Testing: Conduct regular penetration tests to identify and mitigate<br />

vulnerabilities.<br />

Security Awareness Training: Regularly train employees to recognize and respond to phishing threats.<br />

About the Author<br />

Joe Loomis is the Marketing Director <strong>for</strong> CryptoTrust LLC. He has served in the<br />

U.S. Navy as an In<strong>for</strong>mation Systems Technician running shipboard network<br />

security overseas. Having started and operated several businesses in other<br />

fields, he now takes his entrepreneurial passion to the cybersecurity field through<br />

writing and content creation. Joe can be reached online at joe@onlykey.io and at<br />

our company website https://www.onlykey.io/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 204<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> <strong>Cyber</strong> <strong>Defense</strong> Emergency Room<br />

Prioritizing Vulnerabilities in the Chaos of <strong>Cyber</strong> Security<br />

By Steve Carter, CEO, Nucleus Security<br />

In cybersecurity like in the emergency room, every moment is critical. Much like an emergency room,<br />

where nurses must quickly assess and prioritize patients based on the severity of their conditions,<br />

cybersecurity teams are faced with the daunting task of addressing a constant influx of vulnerabilities.<br />

<strong>The</strong> stakes are high, with approximately one in every three breaches caused by an unpatched<br />

vulnerability.<br />

<strong>The</strong> sheer volume of vulnerabilities is staggering. In 2023 alone, over 28,902 common vulnerabilities and<br />

exposures (CVEs) were published, increasing from 25,801 in 2019. Recent research from Cyentia<br />

Institute found the number of CVEs is increasing by 16% annually. This yearly growth of vulnerability<br />

data, coupled with the complexity of modern IT environments, has created the perfect storm. Faced with<br />

the onslaught of alerts, cybersecurity teams miss critical vulnerabilities.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 205<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


<strong>The</strong> Vulnerability Management Crisis<br />

Many organizations need help with outdated and inefficient vulnerability management (VM) processes.<br />

Research shows that the average mean time to patch (MTTP) ranges from 60 to 150 days, with about<br />

one-quarter of vulnerabilities remaining unpatched <strong>for</strong> over a year.<br />

<strong>The</strong>se statistics paint a jarring picture of the current state of vulnerability management. <strong>The</strong><br />

consequences of the inefficiencies can be severe, as seen by the 2023 MOVEit data breach, which<br />

resulted in the compromise of personal data <strong>for</strong> over 40 million individuals due to the exploitation of a<br />

vulnerability in the MOVEit file transfer software. Consider too, the wide-reaching Log4Shell vulnerability<br />

that originated in 2021. At its peak, 10 million Log4Shell exploitations were attempted every hour, and is<br />

still actively exploited today where it remains unpatched.<br />

<strong>The</strong> Limitations of Traditional Methods<br />

While vulnerability scanners focus discovering vulnerabilities, they fall short in helping organizations<br />

manage and prioritize them. <strong>The</strong>se tools output large volumes of siloed data that often lack a business<br />

context and threat intelligence needed to prioritize the risk.<br />

Many organizations have attempted to address this management issue with various tools and<br />

approaches, each with its limitations:<br />

1. Spreadsheets: While great <strong>for</strong> accounting, spreadsheets are inadequate <strong>for</strong> vulnerability<br />

management at scale. <strong>The</strong>y require manual data entry and lack version history <strong>for</strong> compliance<br />

reporting.<br />

2. SIEMs and BI Tools: <strong>The</strong>se tools provide high-level dashboards <strong>for</strong> monitoring but lack depth<br />

such as incorporating asset metadata <strong>for</strong> custom risk scoring or allowing changes to vulnerability<br />

status.<br />

3. Ticketing Systems: While seemingly logical, ticketing systems integrations are inconsistent<br />

across vendors, leading to inconsistent ticketing, data duplication and clutter.<br />

4. Homegrown Solutions: <strong>The</strong>se will often work well initially. However, over time they fail to scale,<br />

meet the growing demands of the business, and become more expensive to maintain, and less<br />

reliable.<br />

<strong>The</strong> Four Critical Features of Unified VM Tools<br />

To navigate the chaotic "emergency room" of cybersecurity, organizations need a dedicated, scalable<br />

vulnerability management solution that offers these four critical features:<br />

1. Central Repository <strong>for</strong> Vulnerability Data: An effective unified VM tool should provide a single<br />

pane view so that security personnel can monitor the organization's security posture and<br />

vulnerability management. It should integrate with and aggregate results from all scanning tools,<br />

assessments, and penetration tests.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 206<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


2. Automated Vulnerability Management Processes: Automation is key to efficient vulnerability<br />

management. <strong>The</strong> ideal VM tool should automate as many steps of the process as possible,<br />

including normalizing scan result data, prioritizing risk, triaging, creating tickets, assigning them<br />

to owners, and generating reports.<br />

3. Customizable Risk Prioritization Algorithms: Not all vulnerabilities are created equal. An<br />

effective VM tool should help organizations prioritize vulnerabilities and risks using customizable<br />

risk scores. <strong>The</strong>se should be configurable based on the vulnerability and asset attributes that are<br />

most important to the organization.<br />

4. Integrated Response Orchestration Capabilities: Finally, a robust VM tool should automate<br />

and orchestrate response through integration with ticketing systems, issue trackers, SIEMs, and<br />

incident response tools. This integration enables organizations to respond to vulnerabilities up to<br />

10 times faster.<br />

<strong>The</strong> Path Forward: A Streamlined Approach to Vulnerability Management<br />

As the volume and complexity of vulnerabilities continue to grow, organizations must adopt more<br />

sophisticated and efficient vulnerability management processes. By implementing a unified VM tool with<br />

the critical features discussed, cybersecurity teams can effectively triage and address vulnerabilities,<br />

much like skilled nurses in an emergency room, ensuring the most critical issues receive immediate<br />

attention. This approach not only improves an organization's security posture but also frees up valuable<br />

resources to focus on driving the business <strong>for</strong>ward in an increasingly digital world.<br />

About the Author<br />

Steve Carter is the Co-Founder and CEO of Nucleus, having spent nearly two<br />

decades in security helping organizations to automate, accelerate, and optimize<br />

vulnerability management workflows. Prior to founding Nucleus, Steve was a<br />

founding partner of Rampant Technologies, providing security, systems, and<br />

software engineering services to the Federal Government. Steve holds a<br />

Master’s of Computer Science from Florida State University. Steve can be<br />

reached online at https://www.linkedin.com/in/stevecarter1337 and at our<br />

company website https://nucleussec.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 207<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Data Decay and <strong>Cyber</strong>security: Understanding the Risks And<br />

Mitigating <strong>The</strong> Impact On Your Business<br />

By JoAnn Fitzpatrick, COO — RealValidation<br />

Becoming successful in this digital age means your business operations, decision-making, and customer<br />

relationships are primarily powered by your data. Un<strong>for</strong>tunately, the quality of your data diminishes as<br />

time passes. <strong>The</strong> loss of valuable data is bad enough, but decreasing data accuracy also increases your<br />

risk of cybersecurity threats.<br />

Understanding data deterioration<br />

Data decay involves the slow and natural process of data degrading over time, which can be caused by<br />

a variety of factors. Customer contact in<strong>for</strong>mation often changes, and neglecting to update it regularly<br />

causes it to become obsolete. In fact, experts estimate that the integrity of customer data decreases by<br />

approximately 30% every year.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 208<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


As technology advances, more data is lost to outdated <strong>for</strong>mats that become incompatible with modern<br />

systems. Small mistakes you make as you enter data can lead to major inaccuracies as your data sets<br />

become larger and older. Eventually, some of your data naturally becomes obsolete, like outdated market<br />

trends or expired financial in<strong>for</strong>mation.<br />

All of your data follows a predictable lifecycle. <strong>The</strong> process consists of gathering, handling, maintaining,<br />

utilizing, and disposing of items. At every step, there is a possibility <strong>for</strong> data deterioration.<br />

For example, inaccurately handled data can become corrupt data, and data loss can result from failures<br />

in storage media. Recognizing this life cycle is essential <strong>for</strong> pinpointing the locations and methods of data<br />

deterioration.<br />

Recognizing the cybersecurity threats caused by data deterioration<br />

Compromised data integrity is one of the most immediate cybersecurity risks linked to data decay.<br />

Inaccurate data frequently leads to incorrect decisions, misguided strategies, and compromised security<br />

measures.<br />

For example, when credentials are not consistently updated, outdated, or incorrect, user in<strong>for</strong>mation can<br />

result in unauthorized access. Corrupted data also results in security monitoring systems producing false<br />

positives and overlooking potential threats.<br />

When data deteriorates, it opens up opportunities <strong>for</strong> cyber attackers, as failing to update passwords<br />

regularly makes accounts vulnerable to brute-<strong>for</strong>ce attacks. Moreover, systems and software that are not<br />

up to date with the latest patches are at a higher risk of being exploited.<br />

Successful incident response hinges on precise and current data. Data deterioration often leads to<br />

delayed reactions to security breaches. For example, obsolete network maps or incomplete logs can<br />

frequently obstruct threat detection.<br />

Reducing the effects of data decay on cybersecurity<br />

Being proactive in managing data is essential when addressing data decay, which is why you must<br />

consistently review and clean datasets to eliminate old, duplicate, or incorrect data. Create a regular<br />

schedule <strong>for</strong> keeping important data such as customer details, security credentials, and software updates<br />

current. To make this task manageable, utilize automated tools to help pinpoint and fix data anomalies<br />

in a timely manner.<br />

To ensure that these actions happen regularly, robust data governance policies must be en<strong>for</strong>ced. This<br />

involves assigning data stewards to oversee data quality and implement necessary corrections, as well<br />

as per<strong>for</strong>ming regular audits and confirming adherence to governance policies. Effective governance<br />

practices can dramatically decrease the risks linked to data deterioration.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 209<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Implementing extra security measures can also help lessen the effects of data degradation. Encrypt<br />

sensitive in<strong>for</strong>mation while it is being sent and stored to protect it from unauthorized access, especially<br />

in cases where other security precautions might fail due to data corruption. En<strong>for</strong>ce stringent access<br />

controls to restrict data access to authorized individuals exclusively. Frequently check and revise access<br />

permissions.<br />

Modern technologies provide powerful resources to combat data decay and enhance cybersecurity. For<br />

instance, AI and machine learning algorithms can identify patterns of data deterioration and anticipate<br />

possible weaknesses, while blockchain technology can create permanent data records and guarantee<br />

data authenticity and traceability. Additionally, continuous monitoring systems enable immediate<br />

identification of security incidents, with automated response mechanisms swiftly managing these threats.<br />

Because human mistakes frequently contribute to data deterioration and consequent cybersecurity<br />

vulnerabilities, you must train your staff on the significance of accurate data and the consequences of<br />

data deterioration. Organize frequent training workshops on data management best practices,<br />

cybersecurity awareness, and incident response procedures, or conduct phishing simulation exercises<br />

to emphasize the significance of staying alert to social engineering threats.<br />

Efficient backup and recovery options are necessary to reduce the effects of data deterioration. Establish<br />

a routine <strong>for</strong> backing up important data to safe destinations, but be sure to employ both on-premises and<br />

cloud backup solutions <strong>for</strong> added backup redundancy. Creating and evaluating emergency response<br />

strategies can help guarantee quick data recovery in the event of a security breach or data loss situation.<br />

Protecting your data’s integrity is one of the best ways to safeguard your operations in today’s datacentric<br />

landscape. Data deterioration is inevitable, but being proactive reduces your risk of cybersecurity<br />

threats. Maintain strong cybersecurity defenses by recognizing the dangers of data decay and<br />

implementing strategies to mitigate them.<br />

About the Author<br />

JoAnn Fitzpatrick, the COO at RealValidation, shines as a team-centric leader.<br />

With over ten years at the company, she’s been pivotal in streamlining operations and<br />

creating impactful marketing strategies. Her journey from advertising and design to<br />

data analytics at RealValidation highlights her adaptability and her knack <strong>for</strong> blending<br />

creative and analytical skills in a team environment. For more in<strong>for</strong>mation, please visit<br />

https://realphonevalidation.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 210<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Protecting Your Organization Against Advanced, Multi-Stage<br />

<strong>Cyber</strong> Attacks<br />

By Gabrielle Hempel, Customer Solutions Engineer, Exabeam<br />

Threat actors are continuously enhancing their techniques and increasing sophistication to evade cyber<br />

defenses. Consequently, multi-stage ransomware and malware attacks, characterized by heavy<br />

obfuscation are becoming increasingly prevalent. <strong>The</strong> Europol Threat Assessment released in July<br />

underscores the growing prevalence of multi-layered extortion models, which are found across the entire<br />

spectrum of cybercrime threats.<br />

This report represents a broader trend affecting organizations worldwide: these attacks are becoming<br />

increasingly complex, employing a combination of techniques to infiltrate organizations and execute<br />

malicious payloads with devastating efficiency.<br />

Modern ransomware and malware attacks often begin with seemingly harmless phishing emails or by<br />

exploiting vulnerabilities within an organization’s systems. Once inside, these threat actors utilize a range<br />

of methods to circumvent security protocols be<strong>for</strong>e deploying their payloads. <strong>The</strong> complexity and<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 211<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


obfuscation of these multi-stage attacks makes them particularly challenging to detect and mitigate. This<br />

evolution in cybercriminal tactics highlights the critical need <strong>for</strong> organizations to adopt comprehensive<br />

cybersecurity defenses that prioritize visibility.<br />

What do these complex attacks look like?<br />

Multi-stage attacks are sophisticated operations designed to evade detection and inflict maximum<br />

damage, overwhelming traditional security defenses. Typically initiated with an innocuous-looking<br />

executable file, these attacks often exploit system vulnerabilities or human error through phishing tactics.<br />

Once activated, the malicious file connects to a remote command-and-control server to fetch additional<br />

components or instructions <strong>for</strong> subsequent attack phases. To further obscure their activities, attackers<br />

frequently leverage legitimate system files, such as dynamic-link libraries (DLLs), to blend seamlessly<br />

into normal system processes. This abuse of trust hinders security teams from identifying malicious<br />

behavior.<br />

As the attack progresses, adversaries employ advanced techniques like Process Doppelgänging and<br />

Process Hollowing to maintain persistence and evade detection. Process Doppelgänging disguises<br />

malicious code as a legitimate process within an organization’s systems, while Process Hollowing creates<br />

a new process in a suspended state and then injects it with malicious code. <strong>The</strong>se methods enable<br />

attackers to execute their payloads without being detected, significantly challenging security teams in<br />

identifying and mitigating these threats.<br />

Financial and Operational Costs<br />

Multi-stage attacks present significant challenges <strong>for</strong> organizations due to their ability to evade detection,<br />

and their prolonged dwell time within a network. This extended time that an attack goes unnoticed grants<br />

attackers many opportunities to exfiltrate sensitive data and deploy destructive payloads. <strong>The</strong> resulting<br />

damage includes larger financial losses, extended operational disruptions, and reputational damage.<br />

Traditional security measures often fall short in the face of these sophisticated threats, as adversaries<br />

employ legitimate tools and advanced evasion techniques to bypass defenses. Addressing and mitigating<br />

these complex attacks across multiple attack stages requires a considerable time and resource<br />

commitment. Even if security teams can address one part of the attack, other components may remain<br />

active and undetected, leading to persistent vulnerabilities.<br />

Visibility Across the Entire IT Environment<br />

In today’s landscape of sophisticated cyber threats, organizations must adopt a robust, multi-layered<br />

security strategy. This approach should provide comprehensive visibility across the entire IT environment,<br />

including networks, endpoints, and cloud infrastructure.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 212<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


To ensure attackers cannot bypass a single defense mechanism, organizations should deploy a variety<br />

of security tools that work together seamlessly. Starting with Endpoint Detection and Response (EDR)<br />

solutions, which are essential <strong>for</strong> closely monitoring endpoint activities and enabling early identification<br />

of threats. Coupling EDR with up-to-date threat intelligence feeds, which offer insights into the latest<br />

attack techniques and indicators of compromise, enhances an organization's preparedness and ability to<br />

detect threats. Maintaining a diligent patch management process is also crucial. Promptly addressing<br />

vulnerabilities reduces potential entry points <strong>for</strong> attacks, thereby strengthening the overall security<br />

posture.<br />

Comprehensive visibility across the IT environment is vital. Implementing network segmentation, which<br />

involves dividing the network into smaller, isolated segments, helps contain breaches and limit the impact<br />

of potential attacks, especially in the case of multi-stage intrusions. Regular security assessments,<br />

including frequent vulnerability scans and penetration testing, are also indispensable <strong>for</strong> continually<br />

identifying and rectifying security gaps.<br />

Implementing a multi-layered defense facilitates a rapid and effective response, minimizing organizational<br />

damage and reducing the risk of data exfiltration. By enhancing visibility and detection capabilities,<br />

security teams can focus on genuine threats rather than being sidetracked by false positives. This efficient<br />

approach <strong>for</strong>tifies the organization’s defenses and ensures resilient operations, allowing them to navigate<br />

the complexities of modern cyber threats more effectively.<br />

About the Author<br />

Gabrielle Hempel, Customer Solutions Engineer at Exabeam, is renowned<br />

<strong>for</strong> her expertise in Cloud Engineering, Vulnerability Management, and<br />

Network Detection and Response (NDR). With an MS in <strong>Cyber</strong>security and<br />

Global Affairs from NYU, she has contributed significantly to the field,<br />

including a distinguished thesis on Critical Infrastructure Security. Named an<br />

'Emerging Leader' by the National Security Innovation Network in 2022,<br />

Gabrielle is also a prominent speaker at industry-leading conferences like<br />

BlackHat and DefCon. Gabrielle can be reached via LinkedIn at and at our<br />

company website https://exabeam.com/.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 213<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


Air Gap<br />

First Line <strong>Defense</strong> in Multilevel Customer Interface Protection<br />

By Christopher H. Baum, MBA PMP, Chief Compliance Officer, VotRite with Alan Pham, Graduate<br />

Student, Rowan University<br />

In August <strong>2024</strong>, the FBI issued a notice that an Iranian backed team was attempting to hack American<br />

political parties’ campaign in<strong>for</strong>mation. (Miller & Balsamo, <strong>2024</strong>). In that same month, the Trump<br />

campaign revealed that it had been hacked. (Lyngass et al, <strong>2024</strong>). Still later, Google stated that the cyberattacks<br />

were part of an even larger operation to interfere in the American presidential election. (Swenson,<br />

<strong>2024</strong>).<br />

In the 1980s hacking was primarily a prank. By the 1990s, low level criminals began to exploit the growing<br />

network in various scams and identity thefts. In the late 1990s and the early 2000s organized crime<br />

became the largest threat as Internet-based commerce became the norm. State backed hacking teams<br />

launched the early days of cyber interference and cold warfare.<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 214<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


None of the new threats replaced older challenges. <strong>The</strong> culprit is not always an aggressor. One of the<br />

largest cyber outages ever occurred in July <strong>2024</strong> due to a faulty security update by the company<br />

CrowdStrike. (Johnson, <strong>2024</strong>).<br />

Interconnected systems produce interconnected vulnerabilities. <strong>The</strong> assumption has been that all<br />

systems must be interconnected. One of the best defenses against network-based hacking is to<br />

disconnect the systems from the Internet. This process is called “air gapping”. It is widely used by<br />

organizations that require secure communications between and among systems. <strong>The</strong>se systems are<br />

connected by a private network only to each other and to no other outside systems.<br />

Air gapped systems cannot be remotely hacked. A hacker must have physical access. Key sniffers and<br />

similar devices can record keystrokes if in close enough proximity. If the system is encased in a Faraday<br />

cage, even the signals produced by the device are blocked.<br />

A popular use of air gapping is system backup. <strong>The</strong> backup server is kept isolated and only connected<br />

to per<strong>for</strong>m a backup as required. Should the primary server fail or be compromised, the backup server<br />

will be unaffected. <strong>The</strong> primary disadvantage is the same as the primary advantage. Physical access is<br />

required. It may seem obvious but secure systems must be maintained in secure environments.<br />

<strong>The</strong>re are methods to copy data to the air gapped systems. One is called “rafting”, using a USB drive or<br />

some other memory storage device to copy the appropriate data from the donor systems and replicate it<br />

to the quarantined system. Ideally the memory storage device will be <strong>for</strong>matted (“sterilized”) be<strong>for</strong>e<br />

attaching it to the donor system, ensuring that no unwanted code is preloaded on the raft. <strong>The</strong> best<br />

practice is to use a new raft <strong>for</strong> each periodic transfer and to store the rafts in case a particular version<br />

of the data needs to be reconstructed <strong>for</strong> recovery, diagnostic, or <strong>for</strong>ensic reasons.<br />

Another method is “bridging”. <strong>The</strong> quarantined system is connected to a device that handles specific<br />

types of transaction. A credit card payment terminal is a good example. <strong>The</strong> payment terminal is external<br />

to the cash register and is connected to the Internet <strong>for</strong> processing payment in<strong>for</strong>mation. Only specific<br />

data types are permitted between the terminal and cash register, so the risk of infecting the terminal<br />

remains low.<br />

A more flexible configuration is “hub and spoke”. Several quarantined systems are bridged to a single<br />

hub. On each system is an agent to verify each transaction. <strong>The</strong> hub preprocesses and consolidates the<br />

data from the quarantined systems and provides the systems with any required in<strong>for</strong>mation. <strong>The</strong> agent<br />

process confirms each transfer on both sides. An example is a warehouse inventory system. Scanners<br />

would be the quarantined systems. <strong>The</strong> scanner would record items, quantities, location, and operator.<br />

As each section of the warehouse is scanned, the operator would upload the in<strong>for</strong>mation to the hub. <strong>The</strong><br />

scanners have no need to access any other in<strong>for</strong>mation. In fact, there is no need <strong>for</strong> the scanners to<br />

share in<strong>for</strong>mation among themselves. <strong>The</strong> hub would acknowledge the receipt of the in<strong>for</strong>mation. <strong>The</strong><br />

software agents on both sides would ensure that the correct in<strong>for</strong>mation and only the correct in<strong>for</strong>mation<br />

is transferred between the scanners and the hub. <strong>The</strong> hub would consolidate all of the in<strong>for</strong>mation from<br />

the scanners and process it as necessary be<strong>for</strong>e contributing it to the general workflow of the operation.<br />

<strong>The</strong>re is a strong argument <strong>for</strong> the use of air gapping in smaller customer facing systems as well. Many<br />

systems simply do not need access to the entire Internet continuously in order to provide the necessary<br />

<strong>Cyber</strong> <strong>Defense</strong> <strong>eMagazine</strong> – <strong>September</strong> <strong>2024</strong> <strong>Edition</strong> 215<br />

Copyright © <strong>2024</strong>, <strong>Cyber</strong> <strong>Defense</strong> Magazine. All rights reserved worldwide.


functions. Alternatively, the security provided by air gapping outweighs the risks involved in connecting<br />

that particular device to the entire Internet.<br />

Grocery store cash registers are good example of systems that could be air gapped with a bridge to<br />

handle payment transactions. Inventory in<strong>for</strong>mation could pass periodically to the main store system<br />

either by rafting the in<strong>for</strong>mation with USB drives <strong>for</strong> a small operation or by using a hub and spoke system<br />

<strong>for</strong> a larger store. Self-serve gas stations could operate similarly. Each pump could have a bridge to the<br />

storage tanks to ensure fuel is available and another bridge to a payment terminal. Such an<br />

implementation would ensure that the local convenience store would have its day-to-day operations<br />

protected from hacking.<br />