Les Bell and Associates Pty Ltd

We have long known of the potential for machine learning algorithms to graft celebrity faces onto pornographic images, or to modify the pitch and timbre of a speaker's voice so as to emulate that of another person - a process known as deep faking. For several years now, we have seen examples of deepfaked video in which political identities such as US President Barack Obama, appear to say things they have never said, and such videos are reported to be used increasingly in state-sponsored information warfare.

(Image credit: Sean Pollock, via Unsplash)

For some time now, it has been possible to perform voice modification in real time - the pre-training of the model takes some time, but the subsequent voice modification through the model can be done by an app. However, now comes news of a whaling attack which is notable for at least three reasons:

• The apparent use of real-time voice and video deepfaking to trick a finance worker
• The deepfaking of multiple participants in a video conference
• The scale of the fraud - $HK200 million (approximately $US25.6 million)

An employee of a multinational company was apparently lured into attending a video call with several other staff. The email lure, apparently from the UK-based CFO of the firm, spoke of the need for a secret transaction, which raised the employee's suspicions. However, when he attended the linked video conference, his doubts were assuaged by the presence of several other attendees whom he recognised - all of whom were, in fact, faked.

Consequently, he followed the instructions and transferred the funds as requested. The scam was only discovered when the employee checked with the corporation's head office.

The case was one of several revealed by Hong Kong police in a press conference on Friday. In other cases, stolen HK identity cards were used to make fraudulent loan applications and AI deepfakes were used to trick facial recognition programs.

These cases show the need for increased security controls to be placed around video conferencing software and related email accounts. Organizations have been slow to deploy phishing-resistent multi-factor authentication technologies such as security keys and passkeys, preferring to rely on low-cost solutions such as mTAN's (the six-digit verification codes sent as text messages - these were deprecated by NIST back in 2017!). The result is a continuing high number of credential compromises.

This leads to secondary compromises, especially in systems which use an email address as a single sign-on identifier across multiple services. While the video conferencing system used in the attack above was not identified, all the big players - Zoom, Microsoft Teams/Skype and Google Meet - support federated identity management over protocols such as OAuth2. Consequently, once an email account falls, so do all the related services, including video conferencing.

Furthermore, most video conferencing platforms allow the user to choose their displayed name, so that an attacker need not even use a compromised account - they can just change their name.

Suggested mitigations for these attacks would include:

• Requiring phishing-resistant multi-factor authentication on privileged and influential email accounts (never allow the C-suite to claim they're too busy and important to waste their time - they need to be demonstrating security leadership)
• Configuring video-conferencing accounts to require meeting participants to log in using email accounts within the corporate domain and protected by MFA (although one participant's account may be compromised, it's unlikely all participants could be faked)
• Never allow the person whose identity you want to verify to control or set up the verification mechanism. The verifier should create the meeting and set its controls to be as restrictive as possible, and should initiate it at a time of their choosing - although deepfaking can be performed in real time, it may take the attacker some time to set up their software.

In the long run, organizations need to redesign their payment authorization procedures to incorporate stronger authentication using cryptographic techniques. Until they do, these types of business email compromise and whaling attacks will only increase in both frequency and severity.

(Thanks to Gadi Evron for directing us to this story.)

Chen, Heather and Kathleen Magramo, Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’, CNN Asia, 4 February 2024. Available online at https://edition.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html.

Upcoming Courses

• SE221 CISSP Fast Track Review, Virtual/Online, 15 - 19 January 2024
• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Melbourne, 18 - 22 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

We'll be back early next year with new and updated courses!

Upcoming Courses

• SE221 CISSP Fast Track Review, Virtual/Online, 15 - 19 January 2024
• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Melbourne, 18 - 22 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

The activities of a threat actor affialiated with the Russian Federal Security Service (FSB) have been detailed in a new report prepared by the UK's Nactional Cyber Security Centre and international partners, while the British Foreign Secretary has described their activies as "completely unacceptable", and two individuals have been designated under the UK's cyber sanctions regimen.

According to junior Foreign Office minister Leo Docherty, speaking to the House of Commons, the FSB "is behind a sustained effort to interfere in our democratic processes. They have targeted members of this house and the House of Lords. They have been targeting civil servants, journalists and NGO's. They have been targeting high-profile individuals and entities with a clear intent - using information they obtain to meddle in British politics".

Doherty singled out an FSB unit called Centre 18, which is associated with a threat group tracked by Microsoft as Star Blizzard (previously SEABORGIUM, and also known as Callisto Group, TA446 and COLDRIVER). The group has "selectively leaked and amplified the release of sensitive information in service of Russia's goals of confrontation", including an earlier release of documents related to UK-US trade.

Although today's disclosures in the British Parliament primarily relate to Star Blizzard's efforts against the UK, the group is known to target other countries in the NATO alliance - principally the US, but also the Baltic states, Scandinavia and Eastern Europe - as well as Ukraine in the lead-up to the invasion there. No surprise, then, that a number of international partners have collaborated with the UK's NCSC to prepare a report on the TTP's employed by Star Blizzard.

The group employs a 'low and slow' approach to profiling their targets, who are generally in academia, defence, government organisations, NGO's, think tanks and, of course, politicians, using open-source resources such as social media and professional networking platforms. In particular, they catalogue the targets' interests and their real-world social or professional targets.

This information is used to create email and social media accounts masquerading as known contacts and industry experts. These may be used to lend credence to spoofed invitations to conferences or industry events as a lure in spear phishing emails, but first, Star Blizzard takes time to build trust through an exchange of benign correspondence, and also favours using personal email addresses in order to bypass controls in place on enterprise networks.

The actual attack is accomplished via spear phishing, typically via a link to a malicious web site or document. Access to this will require the victim to enter their account credentials into an actor-controlled web server running the EvilGinx framework, allowing the threat actor to harvest credentials and session cookies, thereby bypassing multi-factor authentication.

The credentials are then used to log into the victim's email account, from which they can harvest emails and attachments, and also set up mail forwarding rules, allowing them to easily monitor all future correspondence. The NCSC report maps all of the tactics and techniques to the MITRE ATT&CK framework. The mitigations are fairly obvious:

• Good password hygiene (strong passphrases, no password re-use across services)
• Use of phishing-resistant multi-factor authentication (security keys, passkeys when available)
• Enabling email providers' advanced email scanning and protection features
• Disabling mail forwarding rules and reviewing this setting periodically to detect changes
• Finally, the tough one: eternal vigilance by users - being alert for subtle differences in email addresses, such as the use of a generic webmail service when previous correspondence has come from an enterprise domain and checking via an alternative channel such as phone if suspicious

Mason, Rowena, Russian spies targeting UK MPs and media with ‘cyber interference’, The Guardian, 7 December 2023. Available online at https://www.theguardian.com/politics/2023/dec/07/russian-spies-targeting-uk-mps-and-media-with-cyber-interference.

Microsoft Digital Threat Analysis Center, Disrupting SEABORGIUM’s ongoing phishing operations, threat intelligence report, 15 August 2022. Available online at https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/.

NCSC, Russian FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns, advisory, 7 December 2023. Available online at https://www.ncsc.gov.uk/files/Advisory-Russian-FSB-cyber-actor-star-blizzard-continues-worldwide-spear-sphishing-campaigns.pdf.

Upcoming Courses

• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

The US Cybersecurity & Infrastructure Security Agency is continuing its campaign for software that is secure by design by releasing a new guide aimed at both developers and their C-suites. While developers using systems programming languages like C, C++ and - most of all - assembler are aware of the problems associated with memory management in those languages, fixing those problems has seemed to be an intractable problem.

We've come up with a range of controls to mitigate memory vulnerabilities, from programmer education through code analysis tools to runtime techniques such as stack offset randomization - and yet memory problems remain with us: just last year, Google reported that use-after-free errors accounted for half of the exploitable bugs in the Chrome browser, while about 70 percent of Microsoft CVE's (over the 2006-2018 timeframe) were memory safety vuln's.

Clearly, many of these techniques are not being applied; either they are seen as speed bumps which will slow development and delay product release, or there is no budget, or they are simply overlooked. The most sure-fire way to achieve memory safety is to switch to the use of modern, memory-safe languages such as Go and Rust, but that is an even greater hurdle, requiring programmer retraining, re-tooling and sourcing new libraries and subsystems. This cannot be achieved without senior management backing, which is why CISA's new guide, The Case for Memory Safe Roadmaps: Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously, is intended for the C-suite as well as developers.

The 23-page guide, which was jointly developed with international partners, provides a comprehensive overview of both current and emerging memory safety techniques, including

• Developer training
• Code coverage
• Secure coding guidelines
• Fuzzing
• SAST/DAST
• Safer language subsets
• Non-executable memory
• Control flow integrity
• Address Space Layout Randomization
• Other compiler mitigations
• Sandboxing
• Hardening memory allocators
• Hardware-based mitigation techniques

It then turns to the case for memory-safe languages, and lays out a strategy for planning the transition to such languages, from language selection through managing staff capabilities and resourcing. It also delves into related issues, such as the requirement for tertiary education in computer science to be updated, and the special considerations for operational technology, low-power and IoT systems.

The Case for Roadmaps

The goal is for software publishers to write and publish their memory safety roadmaps, in line with the secure by design principles of (1) taking ownership of their security outcomes, (2) adopting radical transparency, and (3) taking a top-down approach to developing secure products. Such a roadmap should include:

• Defined phases with dates and outcomes
• A date after which all code will be written solely in a memory-safe language
• Internal developer training and integration plan
• A plan to handle dependencies on libraries - many of them open-source - which are written in C and C++
• A plan to ensure transparency via regular public updates
• A CVE support program plan, with reports that provide detail about coding errors

This is going to require buy-in from senior management and even boards. But this shouldn't be a problem: the widespread publicity associated with breaches attributable to vulnerable software products can be highly damaging. Most security professionals can rattle off a list of brands which have suffered reputation damage in recent months, let alone over the years.

The guide also provides a list of external resources and a brief overview of the major memory-safe languages

CISA, The Case for Memory Safe Roadmaps: Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously, technical report, 6 December 2023. Available online at https://www.cisa.gov/resources-tools/resources/case-memory-safe-roadmaps.

Upcoming Courses

• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

A new report from threat intelligence firm Recorded Future's Insikt Group provides a trove of insights into how the North Korean state has been able to circumvent financial sanctions by simply stealing more than $US3 billion in cryptocurrency. Ironically, although the DPRK is a decidedly low-tech society internally, it is critically dependent on high-tech operations by hacking groups such as Lazarus Group, Kimsuky, Bluenoroff and others to fund its missile development program not to mention the lifestyle of its ruling regime. In 2022 alone, North Korean groups likely stole $US1.7 billion in cryptocurrency - roughly equivalent to 45% of the country's military budget and almost ten times the value of the country's exports for the previous year, showing its importance in sanctions-busting.

Fifteen years ago or so, North Korean hackers became active within massively multi-player online games such as World of Warcraft, amassing modest amounts of the game's "Credits" internal currency, which were then cashed out through early exchanges. However, they quickly realized that this was small change compared to the money flowing through banking networks, causing them to switch their focus to the SWIFT (Society for Worldwide Interbank Financial Telecommunications) banking network. Their successes there forced the financial institutions to quickly improve their defences and the cryptocurrency bubble of 2017 immediately drew the hackers' attention.

State support has allowed North Korean threat actors to expand their operations well beyond those of more traditional cybercriminal groups - to the extent that approximately 44% of cryptocurrency theft in 2022 was attributed to the North Korean groups. From a small start targeting South Korean crypto exchanges, they have broadened their operations to target anyone and everyone involved in cryptocurrency - individual users, exchanges, startups and venture capital firms. But they also target entities in conventional financial markets, as once the cryptocurrency has been converted into fiat currency, they rely on a range of money-laundering techniques to move the funds. In fact, almost anyone could be a useful victim, as they will use stolen personally identifiable information (PII) and altered photos to set up accounts which are then used to move funds, obscuring the original source.

North Korean actors are adept users of phishing attacks, both for general account access, but also spear-phishing attacks targeting the cryptocurrency industry - the latter targeting exchange employees by pretending to be other businesses and soliciting job applications. They have also targeted users with trojaned trading apps and 'permit phishing' attacks which use a malicious script or smart contract requiring the victim's approval to receive tokens - once the permission is granted, the attackers can drain the victim's assets.

During 2021, DPRK activity ramped up significantly; they breached at least 7 organizations, stealing $US400 million of cryptocurrency, and broadening their attacks to cover a variety of alternative coin, especially coins, smart contracts and NFT's based on the Ethereum Request for Comment ERC-20-based tokens. So successful were they that there seemed no urgency to cash out their gains - in January 2022 Chainalysis researchers identified $US170 million in cryptocurrency from breaches dating back to 2017.

The pace quickened further in 2022, with fake crypto job descriptions used as lures in malmail and phishing campaigns. The Bluenoroff (APT 38) group alone scored $US600 million from the Ronin Network cross-chain bridge breach, $US100 million from the Harmony blockchain bridge breach, $US190 million from the Nomad bridge and $US80 million from Qubit Finance (cross-chain bridges allow conversion between cryptocurrency blockchains).

2023 continued the trend, with Bluenoroff causing almost $US200 million in losses, expanding its use of spoofed recruitment emails and LinkedIn messages. In June of this year, Lazarus Group accessed systems belonging to directory-as-a-service firm JumpCloud, with the goal of compromising the company's cryptocurrency clients who rely on it as an Active Directory replacement. Some days after the breach was discovered, unusual activity was detected in the commands framework for a small group of customers, predominantly in the cryptocurrency business.

Stolen assets must be laundered and moved to accounts controlled by the North Korean government, and leaked documents from the US Financial Crimes Enforcement Network show individuals moving tens of millions of dollars through the US financial system to accounts in China, Singapore, Cambodia and elsewhere. These individuals are often employed directly by North Korea's Reconnaisance General Bureau (RGB). The regime also makes use of cryptocurrency mixers to clean and anonymize stolen cryptocurrency.

Only last week, the US Department of the Treasury's Office of Foreign Assets Control - along with international partners including Australia - sanctioned eight DPRK agents for their activities related to cryptocurrency crime, procurement of missile-related technology and weapons sales. Along with the individuals, it also sanctioned the Kimsuky threat group for their intelligence-gathering activities on behalf of the RGB.

Insikt Group, Crypto Country: North Korea's Targeting of Cryptocurrency, threat analysis report, 30 November 2023. Available online at https://go.recordedfuture.com/hubfs/reports/cta-2023-1130.pdf.

US Department of the Treasury, Treasury Targets DPRK’s International Agents and Illicit Cyber Intrusion Group, press release, 30 November 2023. Available online at https://home.treasury.gov/news/press-releases/jy1938.

Upcoming Courses

• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

A "cyber attack" - likely a ransomware attack - has paralysed a Western Sydney radiology clinic, leaving patients with cancelled appointments and no access to results of scans and tests.

Channel 9 News reports that Quantum Radiology, which as 10 practices across Western Sydney and the Central Coast, failed to notify patients, simply cancelling appointments without explanation and closing practices with a posted notice attributing the closure to an "unforeseen IT issue". The firm has called in police and the Australian Cyber Security Centre as it grapples with the issue, which has seen their practices closed for over a week now.

This is a textbook example of how not to deal with a ransomware attack - we know from previous cases that organizations which are open and proactive in notifying stakeholders recover well after such attacks. Affected customers will tend to take a more sympathetic view in such cases, correctly identifying the ransomware gangs as the villains. But keeping customers in the dark - especially when many are doubtless anxious about their health - is now resulting in angry patients appearing on TV; never a good look.

Meanwhile news has leaked of an earlier attack on a Brisbane chain of general practices, Top Health Doctors, which suffered a breach back in September. The breach affected approximately 5,500 patients, but the chain apparently notified them reasonably promptly, containing subsequent publicity. The breach has only come to public attention via the gazetting of a data matching program by Services Australia to identify any subsequent breaches which made use of a patient's Medicare number or Centrelink Reference Number.

I think we can now put to rest any notion that ransomware gangs will give personal health information a wide berth.

Services Australia, NOTICE OF A DATA MATCHING PROGRAM – SERVICES AUSTRALIA AND TOP HEALTH DOCTORS CUSTOMERS AFFECTED BY SEPTEMBER 2023 DATA BREACH, Australian Government Federal Register of Legislation, November 2023. Available online at https://www.legislation.gov.au/Details/C2023G01220.

Theocharous, Mikala, Patients in the dark after cyberattack forces closure of radiology clinic, 9 News, 30 November 2023. Available online at https://www.9news.com.au/national/quantum-radiology-hit-by-cyberattack-patients-in-the-dark/81428039-3254-45d2-94b3-872cb85e3164. Related video at https://www.youtube.com/watch?embed=no&v=-jmaWBKd27Y.

Upcoming Courses

• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

In light of a spate of successful attacks exploiting vulnerabilities in web management interfaces, the US Cybersecurity & Infrastructure Security Agency has issued a "Secure by Design" alert to urge software vendors to adopt two fundamental principles in the design and development of their products:

• Take Ownership of Customer Security Outcomes
  
• Embrace Radical Transparency and Accountability

The first principle requires vendors to invest in key security areas such as application hardening, application features and default configuration settings. For the latter, especially, the alert recommends enforcing best practices - for example, if best practice requires shielding a system from the public internet, then the default configuration should:

• disable the product's web interface by default and provide a "loosening guide" that itemizes - in both technical and non-technical language - the risks that come with overriding the default
• configure the product so that it does not operate while in a vulnerable state, such as when directly exposed on a public IP address
• warn the administrator that overriding the default behaviour may introduce signficant risk to the organization

The alert also suggests conducting field tests to understand how customers actually deploy products in their unique environments, in order to prevent unrealistic expectations of customers' skills and abilities on the part of the developers. And, of course, developers should consistently enforce authentication throughout the product, especially on highly trusted interfaces such as administrator portals.

The second principle requires vendors to lead with transparency when disclosing product vulnerabilities, and to perform thorough investigation of vulnerabilities to correctly document CVE entries and share what they learn across industry.

CISA, Secure by Design Alert: How Software Manufacturers Can Shield Web Management Interfaces From Malicious Cyber Activity, Secure by Design Alert, 29 November 2023. Available online at https://www.cisa.gov/resources-tools/resources/secure-design-alert-how-software-manufacturers-can-shield-web-management-interfaces-malicious-cyber.

Upcoming Courses

• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

The UK's National Cyber Security Centre, in collaboration with 23 international partners and a number of industry organizations, has released the first version of its Guidelines For Secure AI System Development. The document is aimed primarily at providers of AI systems which use models hosted by an organisation, or which make use of external API's, and provides advice for each phase of development, from design through development and deployment to operation.

Secure design starts with raising all participants' awareness of the threats and risks facing AI systems and in particular training developers in secure coding techniques and secure and responsible AI practices. It then proceeds through the modeling of threats, designing for security as well as functionality and performance and considering security benefits and tradeoffs in the selection of the AI model.

Secure development begins with the assessment and monitoring of security of the AI supply chains across the system life cycle, then identifying, tracking and protecting the AI-related assets - the models, data (including user feedback), prompts, software, documentation, logs and assessments. The model itself, along with the data and prompts should be documented, including security-relevant information such as the sources of training data, and guardrails. It's also important to identify, track and manage technical debt, which can be more challenging in this context than for most software because of rapid development cycles and a lack of well-established protocols and interfaces.

Secure deployment depends upon the security of the underlying infrastructure, such as access controls on API's, as well as the models and data, not to mention the training and processing pipelines. The model needs to be protected continuously, against a range of both direct attacks, such as by acquiring the model weights, and indirect attacks such as querying the model via an application or API. Incident response procedures will also need to be developed, and systems will have to be subjected to security evaluation and assessment such as red-teaming. Ideally, the most secure settings will be integrated into the system as the only option, and users must be advised about where and how their data might be used, accessed or stored (e.g. reviewed by employees or contractors, or used for model retraining).

Finally, secure deployment will require monitoring of the system's behaviour to identify not just sudden, but also gradual, changes in behaviour which affect security. The system's inputs will have to be monitored and logged to allow investigation and remediation as well to meet compliance obligations. Updates will also follow a similar process to the original development, e.g. testing and evaluation, reflecting the fact that changes to data, models or prompts can lead to changes in system behaviour. Finally, developers should participate in appropriate sharing of best practices as well as vulnerability disclosure procedures.

The Guidelines themselves are quite short and pitched at a level suitable for all stakeholders, from managers and risk owners down to developers and data scientists. However, a list of additional resources including standards, guidance documents and open-source tools and test frameworks allow architects and developers to delve more deeply into the key concerns and activities.

UK National Cyber Security Centre, Guidelines for secure AI system development, web document, 27 November 2023. Available online at https://www.ncsc.gov.uk/collection/guidelines-secure-ai-system-development.

Upcoming Courses

• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

A recent report released by trust management firm Vanta confirms a gloomy picture of the current state of cybersecurity across businesses in general, with two-thirds of businesses saying they need to improve security and compliance measures and almost one in four (24%) describing their security and compliance strategy as reactive.

Vanta's State of Trust 2023 Report, based on research conducted on their behalf by Sapio Research, surveyed the behaviors and attitudes of 2,500 business leaders across Australia, France, Germany, the UK and U.S. in order to understand the challenges and opportunities they face. In short: the expansion of attack surfaces in a post-pandemic world of hybrid work, coupled with shrinking teams and budgets, not to mention the rapid rise of generative AI, are fueling an urgent need for companies to raise their security posture - and to be able to demonstrate this to customers, investors and suppliers.

For companies of all sizes, limited visibility of risks, coupled with resource constraints, pose a challenge to security improvements. Only four in ten organizations rate their risk visibility as strong. But one in four has downsized IT staff, and 60% have already reduced IT budgets or are planning to do so as they grapple with an increasingly challenging global economic environment.

Two thirds of respondents say that customers, investors and business partners are increasingly seeking assurance of their security capabilities. While 41% provide internal audit reports, 37% supply third party audits, and 36% complete security questionnaires, one in eight (12%) admits they do not or canot provide evidence when it is requested, leading them to miss out on business opportunities. According to the report:

• Businesses spend an average of 7.5 hours per week – more than 9 working weeks a year – on achieving security compliance or staying compliant.
• Over half (54%) are concerned that secure data management is becoming more challenging with AI adoption with 51% saying that using Generative AI could erode customer trust.
• The two biggest barriers to proving and demonstrating security externally are a lack of staffing and lack of automation to replace manual work.
• Only 9% of businesses’ IT budgets are dedicated to security, with 1 in 3 leaders saying their IT budgets are continuing to shrink.
• Identity and access management and data processing that doesn’t comply with regulations are the two biggest blind spots for organizations.

Those who do make efforts on security report positive benefits; a majority 70% of leaders say that a better security and compliance strategy positively impacts their businesses thanks to stronger customer trust, while nearly three in four (72%) agree that a better security and compliance strategy would make them more efficient. Key to achieving this is automation; an overwhelming 83% of businesses have or plan to increase their use of automation, particularly for reducing manual work and streamlining vendor risk reviews and onboarding.

In order to achieve this, they are looking to artificial intelligence and machine learning, with 77% of businesses already or planning to use AI/ML to detect high risk actions. Respondents believe the biggest potential of AI will be improving the accuracy of security questionnaire responses (44%), eliminating manual work (42%), streamlining vendor risk reviews and onboarding (37%), and reducing the need for large teams (34%).

The survey results illustrate the different viewpoints around the world:

• Respondents in Australia are the most concerned about Generative AI’s potential impact on customer trust.
• Organizations in Australia are least likely to be able to provide proof of compliance to customers.
• 76% of leaders in France say they need to improve security and compliance, the highest of all markets.
• UK leaders are more concerned with keeping up to date with evolving regulations than any other market.
• Germany is one of the most likely to say that the volume of standards and regulations is a barrier to maintaining a robust security program.
• Leaders in the U.S. are most likely to delay entering new markets due to compliance requirements, admitting they’re not prioritizing compliance due to the financial investment.
• Companies in the U.S. believe they could save at least 3 hours a week by automating security and compliance tasks – the highest of any country.

While all this paints a somewhat gloomy picture, I'd say there are some important lessons to be gleaned. The first is for companies to focus on security first, and worry about compliance second. Focusing on compliance is putting the cart before the horse, and often leads to a checkbox mentality that does little to actually improve security. (I suspect this might underlie some of the attitudes reflected above from Australia and Germany.)

An insightful comment I saw recently puts it well:

Effective information security programs mitigate the risks that you face to a level that you can accept.
Compliance programs mitigate the risks that you present to others, to a level that they can accept.

You cannot achieve the second without the first. Now, having said that, compliance ultimately is important, especially in enabling new business relationships. The answer is to make use of a security framework - such as the NIST Cybersecurity Framework - which can then be used to cross-reference each control implemented against relevant standards - such as ISO 27001, HIPAA, etc. - in order to demonstrate compliance.

Having gotten this process under way, companies then will be in a much better position to take advantage of the automated reporting, for both internal management and external compliance, offered by Vanta and similar companies.

Uncredited, State of Trust Report 2023, Vanta Inc., 8 November 2023. Available online at https://www.vanta.com/downloads/the-state-of-trust-report-2023.

Upcoming Courses

• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

As we mentioned on Monday, Australia's Minister for Home Affairs and Cyber Security * is expected today to release the Government's long awaited cybersecurity strategy. The strategy adds another $A586.9 million to an existing $A2.3 billion in cybersecurity funding which will run until the year 2030. (See Update, below, for a link to the strategy document.)

Changes for Critical Infrastructure and Telcos

The plan aims to better protect critical infrastructure; following last year's privacy breach at telco Singtel Optus, security regulation of telecommunications providers will be moved from the Telecommunications Act to the Security of Critical Infrastructure Act, "commensurate with the criticality and risk profile of the sector". It seems obvious that virtually all the other sectors of critical infrastructure are dependent on telecommunications - this should have been a no-brainer years ago.

Another likely consequence of the Optus breach is a winding back of laws which require telcos to retain  enormous quantities of customer data. Several breaches have led to affected customers having to obtain new drivers licences and other identity documents because their numbers had been disclosed - but once a new customer has verified their identity, is there any real need to retain the information that was used for that purpose? When it leaks, it weakens the value of such data for verification anyway - so let state and Commonwealth agencies that need to retain that data and provide an API which can be used for verification, then log the fact that verification was provided.

Similarly, the strategy will review Commonwealth data retention requirements and, based upon the outome, will explore options to minimise and simplify data retention requirements. This will doubtless come as a relief to the telcos which have been retaining vast quantities of traffic metadata in response to requirements introduced in 2015.

As we regularly point out, once retained information is no longer of any use, it is no longer an information asset and - from a privacy and risk management perspective - can turn into an information liability.

The healthcare sector is also being prioritized, and will benefit from a new $A9.4 million platform for the sharing of threat intelligence, in a program that could be rolled out to other sectors. Table-top "wargaming" exercises will also be expanded to include the aviation, finance and telco sectors.

Protecting Individuals

In part to reduce the amount of personal information an individual has to disclose in order to verify their identity, the government is aiming to expand its Digital ID program - a smartphone app which, as far as I can tell, seems to use exactly the types of API I posit above to provide an on-device verification of personal identity, based upon government documents like drivers licence, Medicare card and passport, along with email address, data of birth and a photo ID.

There are also plans for new cyber awareness programs to better educate the public, presumably with the goal of reducing personal losses to online scams.

Small and Medium Businesses

However, perhaps the public can be best served by improving the posture of business. The strategy allocates $A290.8 million for this area, via awareness programs, along with the development of an incident response playbook for ransomware, along with a mandatory no-fault reporting scheme for ransomware attacks and payments. Concerns that some businesses were failing to disclose breaches for fear of a backlash from regulators, not to mention customers (think class action) has also led the government to consider the establishment of "safe harbour" legislation to ensure that such disclosures to a reporting scheme could not be used for other purposes.

This approach has worked well in aviation safety for decades, encouraging pilots, other crew and maintenance engineers to come forward with useful information about incidents which fortunately did not result in accidents. As long as such a program provided actionable information - rather than simply telling us what we already know - it could prove useful; perhaps the best use would be providing psychologists and behavioural specialists with insights as to why boards and senior management do not take cybersecurity seriously enough.

Small businesses will also get a new "resilience service" to assist with recovery in the aftermath of an attack, and - as mentioned on Monday - there will be a "cyber health-check" program to offer free, tailored security assessments to business owners. I seriously doubt that this will have much real impact, other than on the bank balances of those providing the "free" assessments.

There are already excellent new technologies available to businesses of all sizes in order to better protect both themselves and their customers - particularly phishing resistant authentication schemes like U2F security keys and FIDO2 authentication via passkeys. What we should be doing is assisting business to adopt them (perhaps via open-source development), rather than relying on long-deprecated techniques like SMS'ed verification codes. Hopefully, this will form part of the new strategy.

Growing the Workforce

As is usual for such strategies, a lot is made of the "skills gap" and a supposed workforce shortage. The government proposes to address this via more education in addition to prioritizing immigration for highly skilled cybersecurity professionals. Based on my conversations with security professionals around the world, this seems likely to miss the mark; bootcamp-style programs and certifications to rapidly train people with no experience are not producing workers of any actual use, while experienced security professionals are reporting that they are being passed over for relatively unskilled candidates seeking much lower salaries. If anything, cybersecurity is suffering something of a 'brain drain' as the necessary skills and experience are undervalued.

Finally - and we've heard this refrain before - the strategy aims to make Australia a "world leader" in cybersecurity by 2030: "We will advance the global frontier of cyber security. We will lead the development of emerging cyber technologies". Doubtless some of the submissions are by companies which dream of a future in which government funding will help them take their products to the next level and export them to an admiring world. Consumers who have had their personal information disclosed in a never-ending stream of breaches might, perhaps, have a more realistic view of Australia's security capabilities.

Grattan, Michelle, New cyber policy to harden defences against our ‘fastest growing threat’, The Conversation, 21 November 2023. Available online at https://theconversation.com/new-cyber-policy-to-harden-defences-against-our-fastest-growing-threat-218255.

Knott, Matthew, Hackers’ honeypot: customer data storage laws set to be wound back, Sydney Morning Herald, 21 November 2023. Available online at https://www.smh.com.au/politics/federal/hackers-honeypot-customer-data-storage-laws-set-to-be-wound-back-20231114-p5ejwt.html.

Manfield, Evelyn, Australian Cyber Security Strategy outlines how government plans to tackle cyber crime, ABC News, 21 November 2023. Available online at https://www.abc.net.au/news/2023-11-21/federal-government-cyber-safety-framework/103132226.

* That really should be "Cybersecurity" - there is no such thing as a "cyber", nor is "cyber" an adjective. The word derives from the ancient Greek κυβερνήτης (kubernetes or kybernetes), which referred to the steersman or pilot of a galley. The same word is the root of "governor" and "governance", but comes to us through the 1947 coinage of "cybernetics" by MIT mathematician Norbert Wiener to refer to the field of control and communication, both in the animal and the machine. So now you know better. Please don't "cyber all the things".

Update

The Strategy document has now been released, and is available at https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/2023-2030-australian-cyber-security-strategy.

Upcoming Courses

• SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023
• SE221 CISSP Fast Track Review, Sydney, 11 - 15 March 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 May 2024
• SE221 CISSP Fast Track Review, Virtual/Online, 17 - 21 June 2024
• SE221 CISSP Fast Track Review, Sydney, 22 - 26 July 2024

About this Blog

I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.

These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.