Table of Contents
- How to Improve Cybersecurity Compliance With Real-Time Data and Automation
- Cybersecurity Threats in Europe: What You Need to Know and What to Do About Them
- Evolving Cyber Insurance To Examine An Organization’s DNA
- Insights from an external incident response team: Strategies to reduce the impact of cybersecurity attacks
- Developing meaningful stakeholder engagement to successfully manage risk
- Risk vs Threat: The Fatal Mistake You’re Making in Your Security Strategies
- Microsoft pushes OOB security updates for Windows Snipping tool flaw
- US cyber officials make urgent push to warn businesses about vulnerabilities to hackers
- Who You Gonna Call (For DataSec)?
- The Gartner Top Cybersecurity Predictions: For 2023 & Beyond
How to Improve Cybersecurity Compliance With Real-Time Data and Automation
Bill Doerrfeld
Acceleration Economy
Igor Volovich, VP of Compliance Strategy for cybersecurity compliance firm Qmulos
These days, organizations must comply with many types of standards and regulations.
Organizations must audit their technology processes to ensure their data-handling practices are up to snuff.
Yet historically, meeting compliance requirements has been viewed negatively, says Volovich.
Furthermore, Volovich notices many hurdles when conducting compliance reviews.
How to Fix Broken Compliance Processes
Don’t Rely on the Best-of-Breed Perspective
First off, higher spending on niche tools doesn’t always equate to a greater security posture.
Use Real-Time Data
It is important to evaluate compliance footing on real-time data produced by application systems whenever possible.
Data-driven evidence is infallible.
Introduce Compliance Automation
Things like authorization issues, token reissuances, or recycling passwords are verifiable and can be checked with data produced by software systems.
Avoid the Swivel Chair
Volovich recommends centralizing on a shared platform to avoid friction and constant context switching.
Collect and Store Data Relevant to You
Yet at the same time, generating unnecessary data lakes can incur a high cost.
Link: https://accelerationeconomy.com/cybersecurity/how-to-improve-cybersecurity-compliance-with-real-time-data-and-automation/
Cybersecurity Threats in Europe: What You Need to Know and What to Do About Them
Tripwire Blog – Fortra
European businesses face four distinct regional threats
The top targets of cyber-attacks are the manufacturing and engineering industries.
Companies with operations located in areas with geopolitical tensions are more likely to be targeted by state actors for various political reasons.
Over a quarter (28%) of intrusion attempts on European organizations were successful.
Ransomware gangs threaten to sell stolen data to interested parties using double-extortion practices.
These groups also have “collectives” to foster collaboration.
It is no longer a lone actor but rather a business.
Link: https://www.tripwire.com/state-of-security/cybersecurity-threats-europe-what-you-need-know-and-what-do-about-them
Evolving Cyber Insurance To Examine An Organization’s DNA
Rohyt Belani
Forbes
Currently, the way cyber insurance policies are underwritten reveals a gap from a technical evaluation standpoint.
Insurers will look at revenue, number of employees and global footprint, but that’s not an accurate measure of an organization’s security posture.
An organization can have a small headcount but still have a lot to protect (a hedge fund, for example), or it can have a very large headcount that reflects a bloated startup that took on far too much funding.
To establish what an organization’s DNA should look like, cyber insurers should consider creating policies based on meaningful metrics that demonstrate the maturity and resilience of an organization’s cybersecurity posture.
There are a few areas in particular that should be examined:
Email Security Posture
Endpoint Security Controls
Maturity Of Security Operation Centers (SOCs)
Link: https://www.forbes.com/sites/forbestechcouncil/2023/03/13/evolving-cyber-insurance-to-examine-an-organizations-dna/?sh=37660c2a4d85
Insights from an external incident response team: Strategies to reduce the impact of cybersecurity attacks
Alex Vakulov
ATT Cybersecurity Blog
Lessons learned
It may seem that the incident response team’s main task is to restore everything to its previous state, but this is a simplification.
The response team is invited for a different purpose.
Its tasks are to understand:
The attack vector used by the hackers.
The specific entry point used to gain unauthorized access to the IT systems.
A detailed timeline of how the attack progressed.
Identification of potential prevention measures that could have been implemented at different stages.
Recommendations for addressing the root cause of the incident to prevent future attacks.
The answers help give better recommendations.
For example:
If the attack started with phishing, it is advised to set up an email sandbox, adjust spam filters, and train employees.
If a vulnerability is to blame, changing the update/patch and network monitoring procedures is recommended.
How to improve security
There are a lot of organizations that have already done all the basic things.
However, it does not guarantee the complete absence of incidents.
Such organizations can be advised to run penetration tests.
However, you need to “grow up” to this kind of thing.
It makes no sense to conduct penetration testing when only 20% of the infrastructure is covered by Intrusion Detection and Response (IDR/IDS) solutions.
Follow trends and industry reports
The reports often provide specific recommendations on how to protect from a particular attack.
One of the best sources for such information is MITRE ATT&CK Matrix.
Do not panic, and do not do rash things
In general, do not act impulsively.
Contacting the experts
When it is essential to stop the attack promptly, determine the exact nature of the incident, understand who is to blame, and chart an effective course of action – there are no alternatives – call the external response team.
Link: https://cybersecurity.att.com/blogs/security-essentials/insights-from-an-external-incident-response-team-strategies-to-reduce-the-impact-of-cybersecurity-attacks
Developing meaningful stakeholder engagement to successfully manage risk
Michael Volkov
Gain Integrity
A crucial aspect to risk management is not only recognizing the problem, but also communicating those risks to the key stakeholders.
Oftentimes organizations do not actively engage stakeholders until forced to because of a crisis.
The resulting interaction is often defensive, antagonistic, and damaging of trust.
Communication is key
Engagement generates mutual understanding and sharing of responsibility if things go wrong.
Although the “tone from the top” and the role that leaders play is fundamental in building meaningful engagement, getting middle management to embrace a new risk program is the most crucial step leadership can achieve towards its adoption.
The manner in which the tone from the top is reinforced is often just as crucial to implementing change in corporate culture.
Relationship-building for risk management
At the enterprise level, building a risk-management program calls for a unique set of skills, none more important than relationship-building.
Success will be dependent upon multiple factors, perhaps none more important than emotional intelligence.
Understanding the interrelationships between people and processes can have a vital impact — positive or negative — on the success of your risk management program, hence why middle management buy-in is vital.
The communication skills required for persuading stakeholders, reconciling conflicting stakeholder interests, and reaching compromises that satisfy those stakeholders are fundamental to effective risk communication.
One of the biggest challenges facing organizations today is the ability to motivate, persuade or influence stakeholders on matters of risks.
Organizations continue to face both internal and external challenges because of negative emotions associated with third-party risk management, which generally feels forced.
Critical elements of an effective third party risk management program
Share, engage and continuously communicate with supply chain stakeholders to identify, monitor, and mitigate risks rapidly and as a team, saving time and reducing costs.
Gain increased transparency through first-hand insight into the partner’s attitude towards an investment in cybersecurity controls.
An integrated supply chain risk management approach can deliver significant financial benefits to the organization, support organizational goals and objectives, and provide ongoing assurance about overall resiliency and compliance to stakeholders across multiple areas.
Continuous, comprehensive monitoring of third parties remains essential, with or without collaboration.
Leverage technology for accessible, intuitive tools that reduce your organization’s unmanaged risk while greatly enhancing user experience.
Link: https://ganintegrity.com/blog/developing-meaningful-stakeholder-engagement-to-manage-risk/
Risk vs Threat: The Fatal Mistake You’re Making in Your Security Strategies
Cybersec_Sai
Info Sec Writeups – Medium
Risk and Threat are two terms that are often used interchangeably.
In this article, we will see why doing so is a blunder.
Risk is a measure of the likelihood that an event will occur and the potential impact it could have.
To determine the consequences, you must consider the combination of Asset Type (type of asset data, i.e., crown jewels, confidential, important, informational, etc.), number of assets, and vulnerability.
A threat is an event or activity that could cause harm or damage to an organization.
A threat can be either intentional or unintentional, and it can come from a variety of sources, such as natural disasters, cyber-attacks, terrorism, or even a disgruntled employee.
The likelihood of a threat is usually evaluated by assessing the intent, capability, and opportunity of the threat actor.
While risk and threat levels are often used interchangeably, it is essential to distinguish between the two.
Failing to do so can lead to inadequate risk management and mitigation strategies, resulting in severe consequences.
Here are some reasons why it’s important to distinguish between risk and threat levels:
Risk and threat levels require different approaches to mitigation.
Risk and threat levels use different metrics for assessment.
Risk and threat levels apply to different types of hazards.
Risks apply to hazards that may occur naturally or as a result of human error, while threats apply to hazards that are intentional and carried out by individuals or groups with malicious intent.
Failing to distinguish between these two types of hazards can result in inadequate risk management strategies that fail to address the unique characteristics of each type of hazard.
Link: https://infosecwriteups.com/risk-vs-threat-the-fatal-mistake-youre-making-in-your-security-strategies-978b142006a
Microsoft pushes OOB security updates for Windows Snipping tool flaw
Lawrence Abrams
Bleeping Computer
Microsoft released an emergency security update for the Windows 10 and Windows 11 Snipping tool to fix the Acropalypse privacy vulnerability.
Now tracked as CVE-2023-28303, the Acropalypse vulnerability is caused by image editors not properly removing cropped image data when overwriting the original file.
With this bug, both the Google Pixel’s Markup tool and the Windows Snipping Tool were found to leave the cropped-out data inside the original file.
Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-pushes-oob-security-updates-for-windows-snipping-tool-flaw/
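A defender-side check for the mechanism described above, added here as an example and not code from the article or from Microsoft: when a PNG is overwritten in place with a smaller cropped image, the old bytes can remain after the new file’s IEND chunk, so the function below walks the PNG chunk list and reports how many bytes trail IEND (a clean file reports 0). The minimal PNG and the leftover bytes appended to it are constructed sample data, and the 0-byte threshold in `is_suspect` is an assumption.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> int:
    """Return the number of bytes that follow the IEND chunk (0 for a clean PNG).

    Raises ValueError if the data is not a well-formed PNG.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        # Each chunk: 4-byte big-endian length, 4-byte type, payload, 4-byte CRC.
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4
        if chunk_end > len(data):
            raise ValueError(f"truncated chunk {ctype!r}")
        if ctype == b"IEND":
            return len(data) - chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk found")


def is_suspect(data: bytes, threshold: int = 0) -> bool:
    """Flag a PNG that carries more than `threshold` bytes after IEND (assumed cutoff)."""
    return png_trailing_bytes(data) > threshold


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """Build a valid 1x1 8-bit RGB PNG (constructed sample, not a real screenshot)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


CLEAN_PNG = make_minimal_png()
# Constructed sample: the clean PNG followed by bytes left over from a larger pre-crop file.
LEFTOVER_PNG = CLEAN_PNG + b"\x00" * 64 + b"IDAT" + b"\x11" * 200

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("leftover", LEFTOVER_PNG)):
        print(name, png_trailing_bytes(blob), "trailing bytes, suspect =", is_suspect(blob))
```

Run the same check over a directory of screenshots to find files worth re-exporting rather than overwriting in place.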
US cyber officials make urgent push to warn businesses about vulnerabilities to hackers
Sean Lyngaas
CNN
US cybersecurity officials are unveiling a new program to warn critical American companies that their systems are vulnerable to ransomware attacks before the hackers can successfully strike.
The new federal program – details of which were shared exclusively with CNN – is needed because “the pace and the impact of (ransomware) intrusions are still unacceptable,” said Eric Goldstein, a senior official at the US Cybersecurity and Infrastructure Security Agency.
The program is straightforward and relies on backchannels between researchers, government officials and potential victims.
Link: https://www.cnn.com/2023/03/23/politics/cyber-officials-business-hacking-warning/index.html
Who You Gonna Call (For DataSec)?
Ravi Ithal
Cloud Security Alliance
So, before we boogie down, let’s seriously consider the question: Who You Gonna Call…for DataSec.
In most organizations, this person is a ghost themself—there’s no one to call because they aren’t there or don’t know what to do.
DataSec Is a Huge, New Challenge
To be clear, DataSec is about securing sensitive, regulated, or proprietary data in modern environments that have “shifted left” to cloud-native apps built with microservices.
I doubt any organization has planned for a dearth of DataSec professionals, much less being without anyone to lead the charge.
If you’re all in on the modern approach, your organization’s next InfoSec hire really should focus on DataSec.
Before you look outside the organization, consider who’s already on board.
Some InfoSec professionals are well positioned to quickly learn about DataSec and leverage what they know in this new world.
In order to find and protect cloud data, they need to understand cloud architecture, how data flows, what kind of data is there, who has access to the data, and so forth.
People with skills that let them think like a hacker (e.g., penetration testing) will do fine with DataSec.
DataSec leadership (or lack thereof) is soon to be even more prominent with cybersecurity disclosures required of public companies by the U.S. Securities & Exchange Commission.
A proposed rule will require disclosure of a company’s policies and procedures to identify and manage cybersecurity risks; management’s role in implementing cybersecurity policies and procedures; board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and updates about previously reported material cybersecurity incidents.
And no more hiding details behind obscure language: All disclosures must be done with Inline eXtensible Business Reporting Language.
Link: https://cloudsecurityalliance.org/blog/2023/03/10/who-you-gonna-call-for-datasec/
The Gartner Top Cybersecurity Predictions: For 2023 & Beyond
Live Webinar March 21st, 2023, 10:00 am – 11:00 am EDT
Activity Type: Education – Course or Training 1 Hour 1 PDU
Provider: Gartner Webinars
Each year, Gartner security and risk experts assess and produce the top cybersecurity predictions impacting Chief Information Security Officers (CISOs).
Tisha Bhambry, Gartner Director Advisory, revealed these predictions at the Gartner Security & Risk Management Summit, and now Gartner is
Link: https://www.pduotd.com/2023/03/15/the-gartner-top-cybersecurity-predictions-for-2023-beyond/