Cybersecurity in 2024:
Are you on target or falling
A DEEP DIVE INTO THE TECHNOLOGY ADVANCES, BEST PRACTICES AND COMPLIANCE RULES SECURITY PROS SHOULD EMBRACE TO COMBAT CYBER THREATS.
Our expertise, your Future advantage
Future B2B merges decades of expertise with the nimbleness of a startup. Our established brands, like SmartBrief, ActualTech, and ITPro deliver expert-led niche newsletters, cutting-edge advertising solutions, pipeline-enhancing lead generation, and unforgettable live and virtual events.
Delivering valuable and reliable content is the smartest way to engage and inform your audience
Future B2B’s qualified audience spans 16 industries, 200+ newsletters and nearly 10 million leaders.
Optimize your campaign with direct access to your FutureB2B account management team.
Benefit from Future B2B’s proprietary email platform to reach a targeted audience in a brand safe, contextually relevant environment.
Gain access to a secure portal to view campaign results, including company and persona-level engagement.
No industry is safe from a cyberattack. In fact, ransomware remains the top threat across 92% of industries and still represents 32% of all breaches, Verizon’s 2024 Data Breach Investigations Report reveals. Pure extortion attacks are also on the rise. Nearly half (48%) of firms have experienced cyber extortion, according to a Splunk 2024 State of Security report.
As threats increase, security professionals need more than ever to cut them off before they occur, as well as clean up after an attack. Preparation is vital. This ebook will explore the skills needed to combat cyber threats, the cyber tools available and what good AI cybersecurity looks like today.
Our experts also delve into ethical hacking, cloud security, CISA’s Secure by Design pledge, risk management, compliance and the ways that cyber collaboration can ensure a collective defense in security.
Humans will remain at the forefront of our cybersecurity efforts, but the reality is that humans will also continue to be the main source of missteps that lead to cyberattacks. Gartner analysts believe generative AI holds promise when it comes to workforce education, predicting that generative AI use will shrink the skills gap by 2028 and ultimately change the way companies hire and train their cybersecurity workforce. “As we start moving beyond what’s possible with GenAI, solid opportunities are emerging to help solve a number of perennial issues plaguing cybersecurity, particularly the skills shortage and unsecure human behavior,” said Deepti Gopal, Director Analyst at Gartner.
Check out this ebook to learn how security professionals can help prepare an organization, from the C-suite down to every employee, to not only combat cyber threats but also proactively prepare for today’s threats and those that will arrive tomorrow and beyond.
Susan Rush, Director of Content
CONTENT
Director of Content: Susan Rush, susan.rush@futurenet.com
Global Content Director, B2B IT: Maggie Holland, maggie.holland@futurenet.com
Senior Design Director: Lisa McIntosh
By Peter Ray Allison
Cybersecurity has become a vital part of any business plan. Even the smallest business needs to have the appropriate policies and methodologies in place to protect their data as best they can.
To achieve this, every business needs access to a variety of cybersecurity skills, whether that’s through hired staff or trusted partners.
Minimizing the threat surface only goes so far, though. As businesses grow, through opening new offices and new staff joining, so too does the potential threat surface, especially with expanding network coverage and new cloud systems being incorporated.
Given the multitude of online threats facing modern businesses, it can be easy to be overwhelmed by the different types of security approaches required. Cyberattacks are inevitable; but, with the appropriate skill sets in place, it is possible to take advantage of the opportunities offered online whilst protecting data and mitigating the risk of attack.
One of the most effective ways to gain a granular understanding of a business’ threat posture is to use ethical hacking. An ethical hacker’s job is to assume the role of an offensive hacker and probe a business’ IT estate for vulnerabilities and attack paths so these can be fixed or otherwise mitigated.
The skill set of an ethical hacker can prove invaluable to organizations. The value to be had is not just in spotting security issues; the deep understanding of computer systems required to do the job can help when building new products like apps, for example, and they can be built securely from the outset.
It’s important to note that ethical hacking is more than just penetration testing. While penetration testing assesses the technical elements of a system and is a central component of many cybersecurity strategies, ethical hacking considers all parts of a business, including soft skills and the security culture.
Ethical hacking acts as a live-fire training exercise of what could happen during a targeted attack, giving valuable experience to IT teams and identifying potential vulnerabilities in the threat posture. This can involve conducting genuine phishing attempts against staff to see if the organization’s access management rules are robust enough. It can also involve testing the physical security of the office itself.
Ethical hacking can be performed in-house by your own Red Team – a group of employees tasked with pretending to be adversaries – but for an optimum understanding of the response to a breach, an external testing team can be covertly contracted.
How far you go with ethical hacking will largely be a question of resources, as there really is no limit to what you can learn about your own systems. That said, ethical hacking does involve misleading employees, and so each business will need to assess what is reasonable.
Modern businesses rely on their networks, which means strong network security is fundamental. With the types of available network tools increasing and more devices being connected to networks, it’s imperative that the appropriate security technologies are in place to protect the flow of data.
Administrating access controls is an essential part of network security. Access rights ensure each user and device has the appropriate level of access and that data are protected against potential threats, both malicious and accidental.
The concept that governs this is the information security principle of “Least Privilege”: the idea that employees should only be given access to the data they need to perform their jobs effectively. Anyone who works outside of HR, for example, shouldn’t be able to access HR files, while those who work in the finance department are the only ones who should be able to access payroll data.
Administrators will be pleased to know that there are plenty of tools to choose from to help them adopt these policies. These include firewalls, VPNs (virtual private networks), or even the fancy new machine learning algorithms that can identify when a device or user is acting strangely and automatically cut it off from the network. Machine learning is also being deployed in web application firewall (WAF) tools. WAFs help to create an extra barrier to prevent hackers from targeting your apps, although they aren’t intelligent enough yet to determine whether users are humans or machines.
The cloud has become a ubiquitous part of the modern enterprise environment, whether it is online storage or leasing additional processing power through cloud computing. That said, while infrastructure-as-a-service (IaaS) providers take steps to maintain data integrity, looking after your data is your responsibility, not the cloud storage provider’s.
It’s important to remember that not all cloud providers are created equal. Although the core services they offer are broadly the same, they offer different functionalities and levels of protection, based upon the service subscription. Part of the cloud security skill is being able to curate the different cloud services and then choosing which is the most appropriate for the business and its objectives.
Cloud security is a highly technical skill that requires an in-depth understanding of how the cloud operates and remains one of the hardest skill sets to find.
Poor identity management can be a problem, as hackers may mask themselves as legitimate users in order to access, modify and delete data.
Poorly-secured cloud apps represent another issue. Most apps and cloud services use APIs to communicate and transfer data. This means the security of the API directly affects a cloud service’s security. The chance of a data breach increases when third parties are granted access to APIs.
Institutions such as SANS Institute and Cyber Security Agency of Singapore offer cloud security certifications for professionals to increase their skill sets in this area.
Risk management is a necessary part of cybersecurity. Risk is a combination of the likelihood of something happening and the impact it would have.
Having the appropriate strategies and planned response for cyber incidents forms the foundation of any strong risk strategy, which should incorporate prevention (reducing risk), resolution (response during an incident) and restitution (post-incident actions).
With limited resources, escalating threats and a plethora of security technologies being marketed, businesses need to carefully consider the most effective investments for their IT budget. This requires an innate understanding of the risks facing the core functionality of the business.
A background in risk management offers the capacity for in-depth risk analysis for the threats a business is facing and their potential vulnerabilities. This skill set enables businesses to carefully balance the needs of maintaining operations against potential risks within the IT budget.
Ensuring software is up-to-date and secure is vital for maintaining a robust security posture, as known vulnerabilities are quickly exploited by threat actors. It can often be seen as an ever-escalating arms race between hackers and patchers.
The instinctive response when a new patch is released might be to immediately deploy it, but this can negatively impact the business by overloading the network or losing functionality. New products and services that can be used to maintain competitiveness need to be deployed, but without disrupting ongoing business operations.
For networks that incorporate modified, specialist or bespoke systems, it can be prudent to test an update in advance by virtually deploying it in a sandbox environment. Doing so enables administrators to test whether the patch will adversely impact any systems within the network.
Patching and software deployment needs to be considered in association with maintaining business operations, usually by scheduling them during out-of-normal business hours. However, this can be complicated when there are multiple sites in different time zones. Thus, software management is just as much a collaboration between security and business operations as it is a skill in coordinating updates.
IT teams are bombarded with information generated by a multitude of security systems, which can quickly become overwhelming and potentially lead to valuable insights being missed.
Being able to curate diverse information streams and prioritize critical information is therefore a key skill. A single incident on its own may be negligible, but when the same incident keeps repeating, then action may need to be taken. It’s important security teams are able to effectively analyze the data and provide a rapid response to escalating threats.
Big Data analysis is particularly effective at identifying advanced persistent threats (APTs), as there are often massive amounts of data to analyze for abnormalities. With big data analysis, APTs will be spotted sooner, allowing the mitigation of the potential damage they may cause.
Due to the highly technical nature of IT, there can be a rift between IT departments and the rest of the business. The weakest link within a business’s security posture is often the people, most commonly through unsecured devices and phishing attacks.
However, a robust security posture is not just dependent upon technical skills, but also upon communication and collaboration. There needs to be a clear exchange between all stakeholders to ensure an understanding of security needs.
Being able to communicate the need for IT security in an easy-to-understand format is a crucial skill for encouraging a culture of security awareness. This could be through presenting seminars on pro-active security skills or orchestrating security exercises to educate staff and identify those who may need further training.
Networking with others within the security sphere is also useful for being forewarned of emerging trends and potential threats.
The past few years have witnessed a swathe of security legislation around the world, especially regarding data security. Although the EU’s General Data Protection Regulation has become the default standard for data protection, there are variations between different legislations, which can cause lengthy data-sharing issues for unprepared businesses.
Export control regulations need to be followed, especially for third-party providers that offer services to both sensitive and non-sensitive business sectors.
Knowledge of IT governance enables businesses to have an innate understanding of the legislative requirements that apply to them, thereby ensuring that they can seamlessly exchange information between all the regions they operate in.
The proliferation of regulations being applied not only protects consumer privacy but also protects business data and IT infrastructure. Compliance benefits both the organization and any customers and partners it comes into contact with. It is important to avoid being so focused on compliance that actual cyber risks are forgotten.
One solution being proposed to cover the problem of the cybersecurity skills gap, while also improving security in businesses overall, is the increased use of automation.
With threats increasing and budgets not necessarily keeping pace with inflation, businesses are turning to automation to cut the cost out of simple tasks, enabling staff to prioritize their attention on more difficult ones. The increasing functionality of machine learning enables some of the simpler and repetitive tasks to be automated.
This must be done with care; solely relying on automation could be detrimental, as automation is not always 100% effective. Instead, automation is best used for everyday tasks, such as flagging potential abnormal network behavior, with a human in the loop for decision-making. This means that anything flagged as a potential issue is less likely to be a waste of human time.
AI and machine learning can identify threats by type, such as ransomware or phishing attempts, whether it’s a known malware strain or not. They can also identify errant behavior by users, for example, if a person who works 9-5 becomes active at 3 a.m., or starts trying to access systems and data they don’t normally or don’t have the appropriate privileges for. This could be indicative of a successful hack or an insider threat and can be investigated by the appropriate members of the IT team.
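The off-hours and out-of-role checks just described, together with the least-privilege boundary and the repeated-incident threshold from earlier in the article, as an added example (not code from the article or from any vendor it names). The log lines, per-user baselines and denial threshold are all constructed, and the findings are handed to an analyst rather than acted on automatically:

```python
"""Baseline-and-deviation checks of the kind the article describes, run over
constructed audit-log lines. Findings are returned for a human analyst to
review, not acted on automatically (the human-in-the-loop point above)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines (not real data): timestamp, user, resource, outcome.
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice payroll ALLOW
2024-03-04T10:40:00 alice payroll ALLOW
2024-03-04T14:05:00 alice expenses ALLOW
2024-03-05T09:30:00 alice payroll ALLOW
2024-03-05T03:02:00 alice payroll ALLOW
2024-03-05T03:05:00 alice hr-files DENY
2024-03-05T03:06:00 alice hr-files DENY
2024-03-05T03:07:00 alice hr-files DENY
2024-03-04T09:00:00 bob hr-files ALLOW
2024-03-04T17:30:00 bob hr-files ALLOW
2024-03-05T11:00:00 bob hr-files ALLOW
"""

# Assumed per-user baselines: normal working hours (start inclusive, end
# exclusive) and the resources the role legitimately uses, i.e. the
# least-privilege boundary. alice works in finance, bob works in HR.
BASELINE = {
    "alice": {"hours": (9, 17), "resources": {"payroll", "expenses"}},
    "bob": {"hours": (9, 18), "resources": {"hr-files"}},
}
# One denied request is noise; the same denial repeating is worth a look.
DENY_THRESHOLD = 3  # assumed value


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    resource: str
    outcome: str


@dataclass(frozen=True)
class Finding:
    kind: str  # "off_hours", "outside_role", "repeated_denial", "unknown_user"
    user: str
    resource: str
    ts: str


def parse_log(text):
    """Parse the space-separated constructed format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, resource, outcome))
    return events


def analyse(events):
    """Return one Finding per deviation from the user's baseline."""
    findings = []
    denials = Counter()
    for e in events:
        base = BASELINE.get(e.user)
        stamp = e.ts.isoformat()
        if base is None:
            # An identity with no baseline at all is itself worth a look
            # (the masked-user case the article mentions).
            findings.append(Finding("unknown_user", e.user, e.resource, stamp))
            continue
        start, end = base["hours"]
        if not start <= e.ts.hour < end:
            findings.append(Finding("off_hours", e.user, e.resource, stamp))
        if e.resource not in base["resources"]:
            findings.append(Finding("outside_role", e.user, e.resource, stamp))
        if e.outcome == "DENY":
            denials[(e.user, e.resource)] += 1
            if denials[(e.user, e.resource)] == DENY_THRESHOLD:
                findings.append(Finding("repeated_denial", e.user, e.resource, stamp))
    return findings


def summarise(findings):
    """Collapse event-level findings into (user, kind) counts for triage."""
    return Counter((f.user, f.kind) for f in findings)


def users_for_review(findings):
    """Users an analyst should look at: anyone with at least one finding."""
    return sorted({f.user for f in findings})


if __name__ == "__main__":
    found = analyse(parse_log(SAMPLE_LOG))
    for (user, kind), n in sorted(summarise(found).items()):
        print(f"{user:6} {kind:16} x{n}")
    print("review:", users_for_review(found))
```

With the constructed data, bob produces no findings while alice is flagged for four off-hours events, three out-of-role attempts and one repeated-denial escalation on hr-files.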
The most modern enterprise security software offers AI and machine learning capabilities, although what you choose to adopt will depend on the skills already present in your business, and how able you are to balance existing skills.
For example, if there’s no one in your business who knows how to investigate and remedy potential and actual hacks, you will need to train someone up in this area in order to use the software effectively.
The National Cyber Security Centre (NCSC) has released guidance specifically for CEOs aimed at helping them manage cybersecurity incidents. Resources and learning materials for executives on how to respond to a cyberattack are few and far between, leaving many in the dark in the event of an incident.
This new guidance aims to provide detailed information on how executives can manage a cyber incident, as well as how to engage with staff and relevant authorities to remediate issues.
“If your organization is the victim of a significant cyberattack, the immediate aftermath will be challenging. You may find there is a lot of information in some areas, and none in others,” the NCSC warns.
EXPERTS GIVE THEIR TAKE ON THE ROLE OF AI IN CYBERCRIME AND SECURITY AND REVEAL HOW BUSINESSES CAN PROTECT THEMSELVES
By Jane Hoskyn
Artificial intelligence (AI) is revolutionizing cybercrime, and the security industry is playing catch-up. Defensive AI can help guard against offensive AI, but experts warn that AI crime is evolving so fast that even AI-enabled security software is not enough to stop it – and data-lockdown strategies such as zero trust may be the only way forward.
When we explored the state of AI security in 2022, criminal gangs were busy embracing AI capabilities to trawl vast troves of data for insights accurate enough to help them devise video deepfakes, spear phishing and other targeted attacks that conventional security tools couldn’t detect. In 2023, generative AI and machine learning became established in cybercrime, and the tools of the trade are no longer limited to the dark web. Gangs use widely available chatbots such as ChatGPT to automate the creation and distribution of personalized attacks on an industrial scale.
Security vendors have responded by ramping up the AI capabilities of their own tools, but business leaders are more fearful than ever. In a 2023 BlackBerry survey, a little more than half (51%) of IT decision-makers believed there’d be a successful cyberattack credited to ChatGPT by the end of the year. At a Yale CEO Summit, 42% said AI has the potential to destroy humanity within five to 10 years.
The biggest recent advance in AI is open source generative AI chatbots, based on large language models (LLMs), which anyone can use to create content. Criminals were quick off the blocks – weeks after ChatGPT was released for public use, software firm CircleCI was breached in an attack that used generative AI to create phishing emails and scan for vulnerabilities. By April 2023, Darktrace was reporting a 135% rise in novel social engineering attacks.
At the most basic level, attackers use LLM chatbots to gather information. “A chatbot could act as a mentor,” IEEE member and professor of cybersecurity at Ulster University, Kevin Curran says. “There have been instances of AI chatbots being used to analyze smart contract code for any weaknesses or exploits.”
Ambitious attackers, assisted by the growing trade in AI hackers for hire, have used generative AI to refine phishing operations, says Freeform Dynamics analyst Tony Lock. “They’re using chatbots to generate voice sounds and fake imagery and to copy people’s published writing styles. This has all become much more sophisticated and industrialized in 2023.”
Martin Rehak, CEO of security firm Resistant AI and a lecturer at Prague University, says we are already seeing AI-enabled criminals exploiting organizations’ AI-based security systems. “Rather than attacking the security systems, criminals are attacking the automation and AI systems companies rely upon to conduct business online.”
The potential for generative AI to do all this autonomously hasn’t gone unnoticed by the AI industry. None other than Sam Altman, CEO of ChatGPT developer OpenAI, has admitted he’s “worried” about the ability of chatbots to distribute large-scale disinformation and write malicious code, potentially by themselves.
The message from the security industry is that to face down AI threats, you need AI defenses. Brands from CrowdStrike to Google have put AI at the center of their enterprise security systems, and a Freeform Dynamics survey of 50 CIOs found that, of all the vendors encountered by respondents, nearly all (82%) claimed their products used AI. Accordingly, the global AI security market grew from $13.29 billion in 2021 to $16.52 billion in 2022, and is forecast by SkyQuest to reach $94.14 billion by 2030.
Unlike conventional endpoint security, AI can detect the tiniest potential risk before it enters a system. For example, Microsoft Azure’s secure research environment uses smart automation to supervise the user’s business data, with ML ready to leap into action if an anomaly is detected. Response times are continually slashed as the algorithms learn from their own experiences and from other organizations, via samples shared in the cloud.
“AI tools can organize information on a global scale,” says Carlos Morales, senior vice president of solutions at cloud security firm Vercara. “They can draw correlations between data from different defense solutions, and detect and act on new attacks proactively.”
Many AI security services now include elements of deep learning and neural networks, which are effectively artificial brains that learn to automatically and instantly “know” the difference between benign and malicious activity. Deep learning can autonomously detect network intrusions, spot unauthorized access attempts, and highlight unusual behavior that may indicate an attack is afoot, often in near real-time.
AI can also now help limit the damage an attack can do. “It triggers set defense procedures in response to an incident,” says Simon Bain, CEO of security platform OmniIndex. “If a specific database or blockchain node is attacked, AI can isolate the damage to that single location and stop it spreading into other areas.”
The ability of generative AI to generate advice from huge amounts of chaotic data very quickly also makes it useful to defenders. A security chatbot can inspect a system’s security controls and configurations, pointing out gaps and recommending policies. The next step in this rapid evolution will be for AI systems to autonomously audit, assess and validate our security controls.
Security teams are using generative AI to build models that help them detect malware written by known agents, predict what it will do next, and swing into action automatically when an attack or variant is detected.
Firms including Darktrace have developed smart attack simulations that will autonomously anticipate and block the actions of even the most inventive AI-powered hacker.
“Proactive security and simulations will be incredibly powerful,” says Max Heinemeyer, VP of cyber innovation at Darktrace. “This will turn the tables on bad actors, giving security teams ways to future-proof their organizations against unknown and AI-driven threats.”
Inevitably, security vendors are confident about the AI capabilities of their products. But business leaders remain wary, fearing a level of hype about AI in security products. More than half (54%) of Freeform Dynamics’ respondents said they’re “cautious” or “suspicious” of vendors’ claims about their AI capabilities.
Whether or not this suspicion is warranted, businesses are wise to resist seeing AI-enabled security software as a magic bullet, says Curran.
“Like other technical innovations, AI has a tendency to be over-hyped, especially in cybersecurity,” says Curran. “But it does have the potential to significantly impact and influence the way organizations protect themselves in the coming years.”
The criminal exploitation of generative AI extends far beyond writing emails and code. Most LLM chatbots are free to use and exist outside an organization’s tech stack, so security teams have no control over them – and they are replete with data leak risks.
Imagine you’re a product manager drawing up a product proposal, and you use an LLM, say ChatGPT, to check over your document for readability and clarity. This exchange will likely involve highly confidential business details. This example is far from theoretical. In July 2023, Deloitte reported 4 million UK workers using generative AI tools for work, and this number continues to grow. Data leaks and generative AI are a reality we must already contend with. One such glitch exposed users’ chat histories and titles on ChatGPT’s sidebar. OpenAI supposedly patched the bugs, but despite this Apple banned ChatGPT for all employees as an extra security precaution. Security specialists Group-IB discovered stolen ChatGPT credentials in over 100,000 malware logs last summer.
Security solutions leverage AI to prevent the use of stolen credentials by threat actors. For instance, Human Security’s offering aims to identify and block compromised credentials on platforms in real-time. However, many experts, including analysts at Forrester and Google Cloud, believe the sole effective defense against attacks like these is to implement a zero trust security model. A zero trust approach treats all data as untrustworthy and enforces rigorous access controls across all devices, including personal phones.
Notably, of the UK-based experts we spoke to for this article, none specifically advocated zero trust, which Gartner suggests has stronger adoption rates in the US compared to the privacy-focused UK. Most analysts stressed the importance of improved employee training on data sharing and verification, especially for remote work.
“The best defense against AI-generated phishing is a strong policy,” says Ron Culler, vice president of cyber development programs at professional IT body CompTIA.
“Take spear phishing, where a bad actor attempts to steal credential information. An organization can safeguard against these attempted attacks by implementing dual authentication policies that require a second person to verify requests, or require the use of PIN codes to verify identity.”
Just as driverless cars are set to transform transport, autonomous AI security systems may one day render human supervision unnecessary. Businesses can now use AI and ML to help fill the skills gap, and minimize the types of human mistakes that lead to massive security flaws. For example, the AI Navigator “copilot” tool from D2iQ intelligently detects problems such as poor security configuration. It’s important to remember that human input is still crucial to any AI-enhanced defense strategy. Generative AI trained on bad data can deliver poor decisions and inaccurate information which, if unchecked, may do more harm than good to a business’s security.
It’s telling that, like many AI-enabled systems, AI Navigator comes with 24/7 human support teams.
“These systems are good enough at separating the wheat from the chaff as far as security indicators are concerned, but we still need human incident responders to investigate the remaining highlights,” says Corey Nachreiner, CSO of WatchGuard. “They can also make very bad decisions – hallucinations, as they’re called – if the data they pull from is inaccurate or bad. They are not actually cogitating.”
“We have to be realistic about AI’s limitations,” says Mark Stockley, cybersecurity evangelist at Malwarebytes. “It can potentially lighten the load, but there will be a role for specialized human threat hunters for a while yet.”
When AI was first mentioned outside of IT circles, “Blade Runner” and its replicants or the “Terminator” franchise often shared the same sentence. Outside pop culture, however, AI is having a profound impact on every aspect of our lives and shaping how businesses connect with their customers. But what is AI and how does it work?
AI is an umbrella term that includes a range of different technologies, approaches, and architectures. Machine learning (ML) is a subset of AI that forms the basis for many AI systems in use today.
Like any technology, AI has pros and cons. First and foremost, the technology allows for the automation of menial tasks so that employees can focus on more important and enriching activities.
Workers can save up to a month of work per year using AI tools, according to a Slack State of Work report. The study took in responses from over 18,000 global workers, with many of those who regularly use generative AI tools reporting improved productivity through the technology.
Outside of automating tasks that humans would normally do, AI can be used to perform jobs at a speed or precision that humans could never achieve. For example, AI can carry out Big Data analytics on a firm’s unstructured data, to identify trends or flag anomalous results.
In short, AI is a vital technology when it comes to noticing the unnoticeable. It excels at drawing connections between data points. This is why AI cybersecurity has great potential to help businesses defend themselves, with AI security systems able to proactively identify threats based on suspicious activity and recommend courses of remedial action.
Cybersecurity powered by AI will also be necessary to counter the wave of AI threats businesses face. This includes the use of AI for deepfakes and social engineering campaigns.
Through the power of well-known brands, Future B2B delivers an unparalleled client and audience experience across newsletters, advertising, lead generation, content creation, webinars and live events.
Future B2B is a global platform for specialist media with scalable, diversified brands. We connect people to their passions through the high-quality content we create, the innovative technology we pioneer and the engaging experiences we deliver.
- IT/Tech
- Healthcare
- Finance
- Infrastructure
- Education
- Business
- Food & Bev
- AV
- Marketing, Advertising, Media Tech
- Retail/Supply Chain
- Telecom
- Energy & Chemicals
- Life Science & Tech
- Travel & Hospitality
- Aviation & Aerospace
Our turnkey services are crafted to expand your market reach, supercharge your lead nurturing efforts, and captivate your clients. Future B2B’s hyper-focused brands such as Mix, Twice, Radio World and others offer uniquely authoritative advertising opportunities to engage niche audiences with specialized content.
See how we can take your business to the next level. Learn more at: https://www.futureb2b.com/#get-in-touch
By Emma Woollacott
Nearly two-thirds of large organizations globally were hit by software supply chain attacks in the last two years, according to new research from Checkmarx.
Checkmarx’s 2024 State of Software Supply Chain Security report, which surveyed 900 application security professionals from the US, Europe, and Asia-Pacific, found that 63% had been the victim of such an attack within the past two years, with 18% having been hit in the last year.
Similarly, with 56% of respondents’ organizational applications comprising open source code packages, three-quarters said they were either very concerned or concerned about software supply chain security.
“‘Malicious’ is much more than vulnerable,” said Amit Daniel, chief marketing officer at Checkmarx.
“We have seen more attacks on the open source ecosystem in the last two years than ever before, with over 385,000 malicious packages detected to date by our own Checkmarx security research team.”
However, the report found while enterprise AppSec leaders surveyed are prioritizing software supply chain security, progress is slow.
Nearly six-in-ten respondents said that software supply chain security was a top or significant area of focus, with 54% planning to use or investigating the use of a solution. Eight-in-ten said that finding a solution was a top priority.
But while half are actively requesting software bills of materials (SBOMs) from their vendors, fewer than half of those seeking these said they knew how to leverage them effectively if needed, and only 7% said they have proper security tools in place.
“Software supply chain security has become an active target of government regulatory and cybersecurity agencies and is top of mind for over half of global enterprises we surveyed,” Daniel said.
“It’s critical for CISOs and security leaders to make it easier for developers to understand the new risks and secure their entire software supply chain.”
Recent research from BlackBerry revealed three-quarters of UK IT decision-makers have been notified of a software supply chain vulnerability or attack in the last twelve months, with 38% taking up to a month to recover.
The US National Institute of Standards and Technology (NIST) recently issued new guidance on software supply chain risks, advising the use of endpoint protection software, network security controls, access control policies and physical security measures.
The guidance says developers should download open source as source code rather than pre-compiled libraries or binaries and should verify digital signatures, run vulnerability scans, and check for recent updates on newly downloaded source code.
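As an added example (not from the Checkmarx report, the NIST guidance or any vendor named here), the script below shows what leveraging an SBOM and verifying a download look like in practice: it parses a constructed CycloneDX document, resolves transitive dependencies, matches components against a constructed advisory list, and checks a downloaded artifact against the SHA-256 the SBOM records for it. Package names, versions, advisory IDs and the artifact bytes are all made up.

```python
"""Added example: consume a CycloneDX SBOM. Parses the document, resolves
transitive dependencies, flags components named in a constructed advisory list
and verifies a downloaded artifact against the SHA-256 the SBOM records."""
import hashlib
import json
from collections import deque

# Constructed stand-in for a downloaded source tarball.
ARTIFACT = b"constructed source tarball contents for yamlparse 5.3.1\n"

# Constructed CycloneDX 1.5 document; package names and versions are made up.
SBOM_TEXT = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "billing-api",
                               "version": "2.3.0", "bom-ref": "app"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/netclient@2.31.0",
         "name": "netclient", "version": "2.31.0"},
        {"type": "library", "bom-ref": "pkg:pypi/tlscore@1.26.5",
         "name": "tlscore", "version": "1.26.5"},
        {"type": "library", "bom-ref": "pkg:pypi/yamlparse@5.3.1",
         "name": "yamlparse", "version": "5.3.1",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(ARTIFACT).hexdigest()}]},
    ],
    # The graph is what exposes transitive risk: tlscore arrives via netclient.
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/netclient@2.31.0",
                                     "pkg:pypi/yamlparse@5.3.1"]},
        {"ref": "pkg:pypi/netclient@2.31.0",
         "dependsOn": ["pkg:pypi/tlscore@1.26.5"]},
        {"ref": "pkg:pypi/tlscore@1.26.5", "dependsOn": []},
        {"ref": "pkg:pypi/yamlparse@5.3.1", "dependsOn": []},
    ],
})

# Constructed advisory feed: package -> [(placeholder advisory id, first fixed version)].
ADVISORIES = {
    "tlscore": [("ADV-PLACEHOLDER-1", "1.26.18")],
    "yamlparse": [("ADV-PLACEHOLDER-2", "5.4")],
    "netclient": [("ADV-PLACEHOLDER-3", "2.20.0")],  # already fixed at 2.31.0
}

def parse_version(version):
    """Dotted numeric version -> tuple, so '5.3.1' < '5.4' compares correctly."""
    return tuple(int(part) for part in version.split("."))

def load_sbom(text):
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom

def dependency_paths(sbom):
    """BFS from the application root; returns bom-ref -> shortest path of refs
    from the root. A direct dependency has a path of length 2 (depth 1)."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in paths:
                paths[child] = paths[ref] + [child]
                queue.append(child)
    return paths

def find_vulnerable(sbom, advisories):
    """Return (name, version, advisory, fixed_in, depth) for affected components."""
    paths = dependency_paths(sbom)
    findings = []
    for comp in sbom.get("components", []):
        for advisory, fixed_in in advisories.get(comp["name"], []):
            if parse_version(comp["version"]) < parse_version(fixed_in):
                depth = len(paths.get(comp["bom-ref"], [])) - 1
                findings.append((comp["name"], comp["version"], advisory, fixed_in, depth))
    return findings

def verify_artifact(sbom, bom_ref, data):
    """True/False if the artifact matches/mismatches the SBOM's SHA-256 for bom_ref;
    None when the SBOM carries no SHA-256 for that component."""
    for comp in sbom.get("components", []):
        if comp["bom-ref"] == bom_ref:
            for entry in comp.get("hashes", []):
                if entry["alg"] == "SHA-256":
                    return hashlib.sha256(data).hexdigest() == entry["content"].lower()
    return None

if __name__ == "__main__":
    sbom = load_sbom(SBOM_TEXT)
    for name, version, advisory, fixed_in, depth in find_vulnerable(sbom, ADVISORIES):
        print(f"{name} {version}: {advisory}, fixed in {fixed_in}, depth {depth}")
    print("download intact:", verify_artifact(sbom, "pkg:pypi/yamlparse@5.3.1", ARTIFACT))
    print("tampered copy:", verify_artifact(sbom, "pkg:pypi/yamlparse@5.3.1", ARTIFACT + b"\0"))
```

The depth column is the point of carrying the dependency graph rather than a flat list: a finding at depth 2 is fixed by upgrading the direct dependency that pulls it in, not by editing your own requirements.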
Not doing so could cost you customers. Achieve software supply chain security with a trusted open source management partner.
ActiveState automatically builds your open source securely from vetted source code, gives you visibility of all open source deployed across your organization, and helps you quickly remediate vulnerabilities, so that you can meet SSDF and CISA guidelines, focus on innovation, and win more deals.
Prove You’re Following Best Practices
Attestations validating that your software is built securely and has not been tampered with.
Leverage Software Bill of Materials (SBOMs)
Comprehensive SBOMs for the open source packages you use, right down to transitive dependencies.
Remediate Vulnerabilities
Automate vulnerability detection and remediation and reduce your MTTD and MTTR.
Trusted by Leading Enterprises
www.activestate.com/software-supply-chain-security-for-ISVs
By James Stanger
I remember the first time I connected a production router to the internet. I quickly discovered that it wasn’t ready for prime time. It provided two ways for anyone to log in from anywhere in the world with no password at all. I’ll just say that things didn’t go well, but I did learn a lot. That was 25 years ago.
A small-business owner recently asked me to test the attack surface that her business presented to the world. I found that things had (sort of) changed. The brand new router her company was using still had the same password problem from all those years ago. But now, the router presented two new-and-improved ways for remote users to connect without specifying a password. No two-factor authentication, no nothing. Ah, progress!
Why does this continue to happen?
There is a long-standing assumption that you should be knowledgeable and responsible enough to use staging networks, change default settings, and generally get your act together before placing anything on a network. This is all well and good to a certain extent; I’m all for responsible use of tools. But the internet is based on a shared-risk model; you can’t have one element of the risk equation – the vendors – acting as if it were still 1999.
That’s why governments around the world have asked vendors to contribute to the Secure by Design movement by signing pledges. In their news release, the US Cybersecurity Infrastructure Security Agency (CISA) announced it is attempting to shift “the cybersecurity burden away from end-users and individuals to technology manufacturers who are most able to bear it.” In short, vendors who have signed the pledge promise to ship software and tools that have more acceptable default security settings.
This is a long-overdue shift, or disturbance, in the cybersecurity force. Managing risk requires collective responsibility and consistent, iterative effort.
While Secure by Design represents an interesting seismic shift, it’s vital that we don’t collectively delude ourselves into thinking that this one disturbance will somehow bring complete balance to our risk equation force.
The IT and cybersecurity industry has witnessed multiple attempts over the past few years to shift where risk is managed. Zero trust promises to shove risk from the perimeter (e.g., the firewall) to the status of an endpoint. Security analytics relocates risk from signature-based monitoring models to automation and AI-driven heuristic detection. The US Securities and Exchange Commission disclosure rules that went into effect in December 2023 displace risk management for public companies from any one individual to the processes of that company. These shifts make sense, as long as we remember one thing.
We need to constantly iterate. The only way to create resilient networks is to rethink and improve our processes. This way, we can manage and eliminate technical debt, shadow IT and poor communication. Skipping critical steps while deploying vendor tools incurs technical debt. So does avoiding the upskilling of our workers. Those problems aren’t the fault of any vendor; those are on us as technicians and business leaders. Iteration is the only way to keep us on track.
Let’s avoid what I call the risk avoidance two-step. This is a particularly popular cybersecurity dance move that involves two steps: Pointing your finger at a magic solution, and then kicking the risk management can down the road. That’s a move that has been popular for far too long.
It’s important that we don’t get “shifty” here. You can’t manage risk by hoping that devices ship more securely, and then collectively saying, “Mission accomplished.” That will only lead to shiftlessness; we can’t get lazy. These attitudes won’t shift risk. That’s just being irresponsible and, frankly, delusional. As we use technology more deeply than ever before in our organizations, there is no room for irresponsible behavior from any of us. Yes, vendors need to clean up their default cybersecurity act. But so do the entities that skip steps and release vendor tools on an unsuspecting internet. This means that we’ve got to start with a good secure by default foundation, and then iterate.
7 goals of CISA’s Secure by Design pledge
Companies signing the pledge should demonstrate actions taken toward meeting the following seven goals:
To learn more about how organizations are using iteration to manage risk in useful ways, check out CompTIA’s State of Cybersecurity 2024 and Industry Outlook 2024 reports. In there, you can discover best practices that can help your organization avoid shifty risk management solutions and avoid any delusions when it comes to cybersecurity.
Dr. James Stanger is an award-winning author, blogger and educator. He has published technical titles with O’Reilly Media, RSA Journal, AFCEA Signal Magazine, McGraw Hill, Sybex, Elsevier and Linux Magazine, among many others. He is an in-demand C-level consultant and engages in public speaking and thought leadership around the world. In addition to his work in the IT industry, he has helped create globally recognized education and certification programs in topics as diverse as cybersecurity analytics, Linux administration, Web development, cloud migration, kayaking and British Romantic literature. James is Chief Technology Evangelist at CompTIA.
The next one won’t be a fair
Wednesday, August 21 * 1:00 - 3:00 PM Eastern
Augusta, GA
Augusta Marriott at the Convention Center
In keeping with this year’s theme, industry leaders such as IBM and Elastic will join us to provide you with practical case studies about how leading organizations have transformed, accelerated, and aligned their daily cybersecurity operations to support the needs of soldiers and workers in various asymmetric environments. Join us to learn more about the unique and indispensable skills, technologies, and approaches needed to support today’s exponential technologies, such as multi-modal AI, post-quantum encryption, and the “compute” necessary to support long-term cyber effects operations. We don’t want the next conflict to be a fair fight: so how organizations balance short-term needs and long-term strategies is essential to keeping pace with long-term threats. Join us to learn more.
By Michael Domingo
Threat actors are everywhere, looking for a way into your systems, whether via phishing, planting malware or breaching via social engineering. Just two examples in recent hacking history show the sheer amount of exposed data:
• The size of the Real Estate Wealth Network breach was 1.16 terabytes of data and included 1.5 billion records, with some famous names like Elon Musk and Kylie Jenner easily identified in the records.
• UnitedHealth Group paid a ransom on a breach that included data on “a substantial proportion of people in America”; while the exact number isn’t known, imagine what a “substantial proportion” means when talking about the whole of the US population (currently headed toward around 342 million).
The IT Governance site keeps a running list of some of the larger global attacks on companies and the more notorious perpetrators. It’s likely you or someone you know has data in one of those breaches. Essentially, it means the role of cybersecurity professionals is secure as long as there are threat actors looking for a way in.
Whether there’s any element of AI in any of those attacks isn’t fully known without conducting forensics on the code. Hackers and scammers are coders who know how to use developer tools and programming languages tuned to their work to squeeze out efficiencies. It’s not a stretch of the imagination to think AI is being used by them to code – and develop attack vectors – faster and with more efficiency.
While AI might be improving the more common brute-force attacks, ransomware and phishing, AI also is improving breaches via social engineering. One type of hack is voice cloning, which seems like it comes right out of the movies, and it’s improving over time. The case of a couple who were tricked into believing a relative was being held for ransom through voice cloning is detailed in The New Yorker.
Even enterprise companies have no immunity, if this story is true. According to reports in Hong Kong, authorities said a financial firm was tricked into transferring $25 million to hackers, who used an AI deepfake video of the firm’s CEO to authorize the transfer.
Several companies are developing voice-cloning software with AI improvements, and even OpenAI said it has recently developed some improvements to its technology but is holding back on releasing an update as it assesses the risks of doing so.
And just recently, Microsoft’s release of VASA-1 shows proof-of-concept wherein it uses sophisticated generative AI technology to turn a still image into a video. The sample shows videos that have audio voices embedded, so that it seems as though the still image is now animated and speaks. The possibilities for using it to create deepfakes are mind-boggling.
Cybersecurity professionals have their work cut out for them. If there’s anything that can be done, it’s to be proactive with cybersecurity to try to stay ahead of attacks and use due diligence to maintain sound security practices from top to bottom. Already, AI is helping in a number of ways. Here are a few:
• Cybersecurity analysis tools are using AI to streamline the methods for pinpointing weak points in security. With that, many companies follow guidelines laid down by the Cybersecurity and Infrastructure Security Agency’s tool and the National Institute of Standards and Technology’s cybersecurity framework, which specifically has a component that takes AI into account. Tools from major companies like IBM, Microsoft and Amazon follow many of the suggestions, and many companies are using AI to create custom apps that follow those guidelines to build internal cybersecurity policies.
• One of the more common methods of exposure is through the sharing –whether it’s intentional or accidental – of private information within enterprise systems. Here’s where good data governance comes into play, and companies are starting to use AI to gain insight and streamline data governance policies into the software and data connectors. Amazon, IBM, Microsoft and Salesforce have a variety of tools that use AI to enable data sharing with governance policies in place.
• At the code level, there are a number of application security testing tools now using AI to speed up code vulnerability identification. Companies like Acunetix, CrowdStrike and Snyk offer AI-flavored tools for dynamic and static application testing. Cybersecurity professionals don’t have to go it alone. AI is on your side, too.
OpenAI unveiled a grant program that outlines a new program for developing AI-based cybersecurity technology. The company is seeking applicants for the program, which it is funding with $1 million; awards of $10,000 will be made in the form of “API credits, direct funding and/or equivalents” for proposals of defensive (not offensive, for now) AI cybersecurity solutions.
HOW TO MEASURE YOUR SUCCESS WHEN IT COMES TO COMPLIANCE.
By Susan Rush
One area that can keep IT professionals up at night is compliance. Questions to consider: Are your systems up to the challenge? How should your company approach compliance management? Can AI help or hinder your efforts? The answers to these questions and more were explored in the webinar: “Are you in compliance?” The event featured Terra Cooke, security engineer at Lacework, and Dom Wells, alliances manager at DNSFilter. Cooke kicked off the webinar reminding us that “Good compliance is not good security,” but noted, “Good compliance can help enforce good security.” Cooke said compliance work is about getting a pulse check on what is working and what is not in your security framework. Wells reiterated that compliance tools give businesses an easy-to-follow roadmap and “a way for them to understand their own security posture and internal practices to see where there might be some gaps.”
When it comes to beefing up a company’s compliance efforts some hurdles that likely need to be cleared are having needed available resources and getting buy-in from leadership and employees.
Sometimes it is tough to get company buy-in to support compliance because it can be costly. Wells pointed out though that “some of the costly upfront costs may actually save you if you actually do get hacked,” adding, “it is like an insurance policy; it helps you sleep.”
There are several components that are needed to help support the build out of an effective compliance framework. The four key focus areas for a business should be: people, processes, technologies and data. “Compliance is very much a human aspect of security because it touches the entirety of the business,” Cooke said. Wells emphasized the importance of documenting everything for traceability, monitoring for changes in vulnerabilities, identifying points of risk and emphasizing training.
Hacking is a whole business and is forever changing. One of the hurdles Cooke sees is overcoming the shame culture that is present in the overall security culture. Companies need to reframe the narrative around security and bolster the idea and importance of compliance through such things as a security champions program. “Companies need to do a better job of bringing security into performance evaluations so employees understand its importance,” Cooke said. It can be a non-financial company incentive for employees to make security and compliance part of their mindset.
A good compliance framework consists of stages, which all take time and education.
Logs, identity and access management ensure the appropriate users have access to what they need to see or work on. Good email and web security also help, as does a solid cyber stack that aligns with your compliance goals.
Where does AI fit into compliance? There is no silver bullet that keeps you 100% protected. DNSFilter does use AI and large language models, and AI can help make your life easier when it comes to compliance. “One thing AI is really good at is protecting specific things,” said Wells. AI used to just look at past behaviors but now is looking at behavior processes. “AI can do a good job of just protecting us, but don’t lean on it to do the hard work for you,” said Wells, adding that for compliance specifically, “it is going to take a lot of humans to achieve good compliance and good security.”
Cooke said one of the biggest areas she sees AI impacting is risk. “We now have so much more data for AI to plow through and ultimately provide more bad ‘stuff’ for us to review.” The tech can help delineate vendor questionnaires, for example, when a company is looking to pick a new vendor by providing quantitative data to decide which vendors to reach out to initially.
• Build a culture of compliance from within.
• Find resources to continually educate yourself.
• Have a good compliance story to tell.
• Be able to explain the “why” behind your efforts.
It boils down to this: all cybersecurity professionals need to be current about compliance, or at least be working toward getting into compliance. Of course, IT pros need buy-in from all aspects of the company, from the C-suite down to every employee. It is important to remember that compliance is not just about checking the boxes; it is about what you are going to do to improve if you are out of compliance. “It is a process and a journey,” Cooke concludes.
By Solomon Klappholz
The communication gap between executives, board members and security professionals is leaving security businesses vulnerable, according to research.
The importance of having a robust security strategy means cyber is a board-level issue, but a study from Dynatrace found executive engagement in security is limited by an apparent lack of understanding.
The majority (70%) of C-suite executives polled by the firm said security teams often talk about security issues using overly technical language without providing a clear business context. This, the study noted, is exacerbating traditional communication gaps between board-level executives and the security function.
But it works both ways, the study noted. From the security professional’s perspective, it is difficult to translate the insights generated by security tools into digestible information.
For example, three-quarters of CISOs said their security tools are limited in their ability to generate insights the CEO and board can use to understand business risk and prevent threats.
Dynatrace’s findings clearly show CISOs feel their fellow executives need to invest more time in understanding their security strategy, and not leave them to shoulder the entire security and compliance burden.
Some 83% of CISOs said their board of directors and CEO all need to understand their organization’s security posture better so they can assess business risk and compliance requirements.
A further 77% said their boards and CEOs focus too heavily on their business’ ability to react to security incidents while disregarding proactive measures to reduce and prevent cyber risk.
CISOs face an uphill battle trying to get their fellow executives to alter their perspective on cybersecurity as a business enabler, rather than simply a drain on company resources, according to Ev Kontsevoy, CEO at Teleport.
“Convincing any C-Suite executives that cybersecurity is a business enabler rather than a resource drain is like convincing people that vegetables should be in their diet. You want the conversation to be more about how they can maximize their chances at survival – i.e. eat your broccoli,” he explained.
“That’s super important for CISOs and security professionals to understand because while plenty of CISOs, for example, might come from more technical backgrounds, the same isn’t necessarily true for your average CEO, CFO or CIO.”
Kontsevoy continued: “They look at the bigger picture, including cost, quality, and time to market. So, you have to understand the business side when navigating relationships with those stakeholders.”
The answer, according to Kontsevoy, is to express these concerns in terms more familiar to C-suites, in terms of profit and loss, and that taking a proactive approach to your organization’s security will be a lucrative investment in the long term.
“You have to show them in plain terms the huge expenses that have resulted from past data breaches,” he said. “And, if you’re trying to explain to them what causes data breaches in the first place, it’s a lot more interesting talking about how human error and social engineering – not software vulnerabilities – are the root cause of that problem, rather than delve into the technical jargon of what various cybersecurity tools do.”
CISOs need to get better at talking business if they want everyone to pull their weight when it comes to security. Kai Roer, CEO and co-founder of Praxis Security Labs, suggests that being able to translate security risks into terminology related to business problems is vital for a functional CISO-board relationship.
“The challenge for CISOs is that they tend to be trained in using technical terms to describe risks, whereas boards and C-suites are educated in using financial and business terms for risk,” Roer said.
“CISOs are usually focused on IT and information security risks, whereas boards and C-suites focus much more broadly.”
CISOs struggle when it comes to articulating security risk because there is a widespread assumption that their audience needs to catch up with the fastpaced world of cybersecurity, according to Roer, who added that this is generating material harm for businesses.
One-third of UK-based CISOs have confessed to paying ransomware groups millions of dollars in recent years in a bid to alleviate the impact of an attack, according to research from security firm Trellix.
The study found 40% of UK CISOs have managed a ransomware attack in the last five years – and in every single case, their organization opted to pay.
What’s more, one-third of CISOs paid between $5 million and $15 million for a ransom demand while 13% paid between $10 and $15 million.
The minimum ransom paid by all UK businesses across a five-year period stood at around $250,000, the study found.
Roer argued the responsibility is on the CISO to adjust their communication according to the audience to help all parties understand where they fit into an organization’s overall security strategy.
“In my opinion, CISOs must learn to speak business. This will not only help them to get more acceptance for their suggestions and their responsibilities, but it will also help them understand where they fit into the overall risk posture of their company.
“IT and information risk is but one of multiple other risks involved in running a business. By the end of the day, the CISO’s main responsibility is to make sure that risks are managed in a way that ensures there is business to be had tomorrow too.”
By Rene Millman
Collective defense will play an essential role in advancing cybersecurity and the fight against current and future threats, according to Hugh Thompson, executive chairman of the RSA Conference.
In a keynote speech to delegates at the 2024 conference, he underscored how the unprecedented pace of technological advancements demands a united front among cybersecurity professionals.
By sharing threat intelligence, best practices, and innovative strategies, the global community can collectively bolster defenses against rapidly evolving cyber threats, he stressed. Thompson also urged attendees to embrace a culture of openness, collaboration, and shared responsibility, emphasizing that collective efforts are pivotal to safeguarding digital ecosystems in an interconnected world.
Thompson illustrated his points by invoking the metaphor of lighthouse keepers from his native Bahamas, who historically played a crucial role in navigating ships safely through treacherous waters. He drew a parallel between the vigilant duty of lighthouse keepers and the role of cybersecurity professionals today.
“The way they thought about their job was a call, a mission,” Thompson explained, highlighting the continuous and essential need to ‘shine a light in dark places’ - a philosophy he believes should guide the cybersecurity community.
Further expanding on the theme of collaboration and proactive defense, Thompson said that community was critical when it comes to tackling complex cybersecurity challenges. “Individuals may be smart, but as a community, we are wise,” he said.
This wisdom, he argued, comes from the collective experience and shared knowledge that empowers professionals to anticipate and mitigate emerging cyber threats more effectively.
In addition to fostering community engagement, Thompson stressed the importance of embracing new technologies and trends. He pointed out the significant rise in discussions and submissions around AI at the conference, demonstrating the cybersecurity community’s intent to integrate AI into their strategies.
“AI is everywhere. It’s present in every single sub-discipline no matter where you go,” he stated, in a nod to the community’s eagerness to leverage new technologies to strengthen the collective security posture.
Thompson’s call to action was very clear - cybersecurity professionals can better protect and secure our digital world by coming together and harnessing collective intelligence and technological advancements.
“We are formidable as a community. It is important to remember that as you’re doing your jobs every day. We have such a terrific community here, and this conference would not be possible without it,” he added.
Enterprises are bogged down with disparate cyber tools — here’s why a “platform security” approach could tackle growing complexity
ADOPTING A PLATFORM SECURITY APPROACH PROMISES TO MAKE MANAGING INCREASINGLY COMPLEX TOOLS A WHOLE LOT EASIER, ACCORDING TO INDUSTRY EXPERTS
By Solomon Klappholz
As enterprises expand their IT estates to drive efficiencies and offer new services, so does their attack surface, increasing their exposure to cyber threats.
In response to new threats, a flood of cyber products have hit the market in recent years to mitigate specific vulnerabilities, all of which promise to bolster operational security.
But CISOs are concerned about the level of complexity that comes with a sprawling, ever-expanding security ecosystem, with practitioners now forced to manage a long list of disparate tools.
This was a key issue discussed during Check Point Software’s Cyber Leader Summit, held in London in May 2024, where leading industry experts offered their thoughts on how the security leaders can navigate today’s threat landscape.
The answer, according to cybersecurity leaders, is to focus less on a reactive approach to new attack vectors as and when your business is targeted and instead adopt a more holistic approach to managing your organization’s security.
Deryck Mitchelson, head of global CISO and C-suite advisor at Check Point, said businesses have previously been bogged down by a tactical approach to mitigating threats that has prevented them from fleshing out a more holistic security strategy.
“They’re reacting, that’s what the problem is, if they don’t step back and look at a full security program, strategically as to how that affects the business, all they’re going to do is they’re going to react to some of these small tactical problems,” he explained.
“The problem could be a vulnerability in some of their remote access or network layer, so they upgrade and replace the firewalls. But if they’re doing that in isolation from understanding the business email compromise or phishing risk, or without looking at the risk around their endpoint or their cloud posture management, then they’re missing something.
“They’re going to have lots of different dashboards [and] complexity to manage and that’s going to be their weakness.”
This is where a platform security approach is key, according to Mitchelson, who argued that security teams struggling to manage an ever more complex security portfolio should focus on simplifying this web of tools using a unified security platform.
A security platform is a centralized solution that consolidates the security products across a corporate network. A security platform should provide more than just threat detection and prevention, but also offer users identity and access controls, vulnerability management, and detailed reporting for audits and compliance checks, all through a single ‘pane of glass’.
Another area of concern for Mitchelson is cyber inequality, reflecting a significant disparity in cyber budgets across regions, industries, and business sizes.
For example, in a blog published on 20 February 2024, Mitchelson noted that large enterprises may be able to allocate 12-15% of their budget to security, whereas the average healthcare organization can only commit 4-7%.
In addition, 20% of schools can only afford to allocate 1% or less of their total spend on cybersecurity, according to data from the MS-ISAC. Organizations such as these typically need to spend 15% or more of their budget to protect against a growing array of threats, but this is simply not a viable option given budgetary restraints.
The efficiencies security platforms can offer could help solve some of these limitations for organizations without the budgets or staff to implement a holistic security strategy from the ground up, Mitchelson detailed.
“A platform approach is something that can help to resolve that cyber inequality issue we’ve got, because it’s very cost-effective to get a huge level of cyber capability and efficiency without having to be an expert in lots and lots of different technologies.”
While a platform approach is an easy choice for larger enterprises with vast IT estates to manage, smaller businesses may have even more to gain from adopting this approach if it means they can overcome the barriers posed by cyber inequality, according to Mitchelson.
“It’s a no-brainer for an enterprise. They want to try and do things the right way, protect that large business, they don’t have that technical capability in smaller businesses and the platform actually takes the complexity out of that,” he explained.
“The goal should still be to simplify, to get much more visibility, to be much more cost effective – and you get that, as Gartner says, through a platform approach.”
When asked how businesses should decide which vendor to invest in, Maxine Holt, senior director of Research and Content at Omdia, told ITPro she does not expect organizations to rely on a sole single-vendor platform to manage their entire security posture.
“You can’t have one platform that does everything. Whether it’s Check Point, Microsoft, or Palo Alto, they don’t do everything that’s needed in the security portfolio, so you’re going to need multiple platforms.”
Holt explained that although businesses will need to manage a handful of separate security platforms, this will be vastly superior to juggling 50+ different isolated security tools.
“You will end up with typically multiple security platforms to be able to drive down that complexity and that’s better than 50 disparate products.”
In terms of how businesses should choose the right platform for them, Holt said that not all platforms are equal, and the best will be those that can offer true integration, ensuring all of their products feed their insights back through one management interface.
“A lot of security firms are quite acquisitive and the good platforms are the ones that take the time to integrate that new product that they’ve acquired into their portfolio … so that the outputs are all surfaced through one pane of glass.”