Welcome to CISO Corner, Dark Reading’s weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we’ll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We’re committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.
In this issue of CISO Corner:
-
Apple’s AI Offering Makes Big Privacy Promises
-
Scores of Biometrics Bugs Emerge, Highlighting Authentication Risks
-
DR Global: Governments, Businesses Tighten Cybersecurity Around Hajj Season
-
The CEO Is Next
-
Why CIO & CISO Collaboration Is Key to Organizational Resilience
-
Rockwell’s ICS Directive Comes as Critical Infrastructure Risk Peaks
-
4 Ways to Help a Security Culture Thrive
Don’t miss “Anatomy of a Data Breach: What to Do if It Happens to You,” a free Dark Reading virtual event scheduled for June 20! Speakers include Verizon’s Alex Pinto, plus execs from Snowflake, pharma giant GSK, Salesforce, and more — register today!
Apple’s AI Offering Makes Big Privacy Promises
By Agam Shah, Contributing Writer, Dark Reading
Apple’s guarantee of privacy on every AI transaction — whether on-device or cloud — is ambitious and could influence trustworthy AI deployments on device and in the cloud, analysts say.
Apple’s announcement of Apple Intelligence and plans to integrate AI across its devices and applications comes with a commitment to guarantee privacy on every AI transaction. This sets a high bar on zero-trust infrastructure that competitors may try to match.
Because of Apple’s walled garden model, rival providers don’t have nearly the same level of control over their AI infrastructure. Unlike Apple, they can’t lock down security as queries pass through various hardware and software layers. For example, OpenAI and Microsoft process queries through GPUs from Nvidia, which handles vulnerability discovery and patching.
“If Apple sets the standard, the effect will be ‘why I should buy Android if I don’t care about the privacy,'” says Alex Matrosov, CEO of security company Binarly.io. “The next step will be Google following up and trying to maybe implement or do the similar thing.”
Read more: Apple’s AI Offering Makes Big Privacy Promises
Related: OpenAI Forms Another Safety Committee After Dismantling Prior Team
Scores of Biometrics Bugs Emerge, Highlighting Authentication Risks
By Nate Nelson, Contributing Writer, Dark Reading
Face scans stored like passwords inevitably will be compromised, like passwords are. But there’s a crucial difference between the two that organizations can rely on when their manufacturers fail.
Biometric security is more popular today than ever, with widespread adoption in the public sector — law enforcement, national ID systems, etc. — as well as for commercial industries like travel and personal computing. In Japan, subway riders can “pay by face,” and Singapore’s immigration system relies on face scans and thumbprints to allow travelers into the country. The fact that even burger places are experimenting with face scans suggests something’s brewing here.
But researchers have found two dozen vulnerabilities in a biometric terminal used in critical facilities worldwide could allow hackers to gain unauthorized access, manipulate the device, deploy malware, and steal biometric data, which highlights the risks that come with implementing these systems.
The critical nature of the environments in which these systems are so often deployed necessitates that organizations go above and beyond to ensure their integrity. And that job takes much more than just patching newly discovered vulnerabilities.
Read more: Scores of Biometrics Bugs Emerge, Highlighting Authentication Risks
Related: Biometric Bypass: BrutePrint Makes Short Work of Fingerprint Security
Global: Governments, Businesses Tighten Cybersecurity Around Hajj Season
By Robert Lemos, Contributing Writer, Dark Reading
While cyberattacks drop slightly during the week of the Islamic pilgrimage, organizations in Saudi Arabia and other countries with large Muslim populations see attacks on the rise.
The final month of the Islamic calendar, Dhu al-Hijjah, began on June 7, marking the countdown for millions of Muslims to the Hajj pilgrimage, and also a time when cybercriminals and cyber-espionage actors see increased opportunity amid reduced vigilance and slimmed staffing.
While many of the cyberattacks are focused on pilgrims as consumers of travel services, a variety of businesses — from banks to e-commerce sites — are at greater risk of data theft and denial-of-service attacks, according to experts. On June 3, for example, cyber-threat actors announced a data leak on an underground forum that allegedly contained the personal information of 168 million users from “The Hajj and Pilgrimage Organization in Iran,” according to cybersecurity firm Kaspersky.
The attacks highlight the two aspects of how cyberattackers see the Hajj season: as an opportunity to take advantage of pilgrims, but also as a time of reduced resources for security teams, making business and government agencies vulnerable.
Read more: Governments, Businesses Tighten Cybersecurity Around Hajj Season
Related: ‘DuneQuixote’ Shows Stealth Cyberattack Methods Are Evolving. Can Defenders Keep Up?
The CEO Is Next
Commentary by Joe Sullivan, CEO, Ukraine Friends, & CEO, Joe Sullivan Security LLC
If CEOs want to avoid being the target of government enforcement actions, they need to take a personal interest in ensuring that their corporation invests in cybersecurity.
One day soon, a government agency will very publicly seek to hold a corporate CEO personally liable for a failure to ensure their organization invested sufficiently in cybersecurity. The surprising thing won’t be that it happens, but rather how many people who work for and look up to the CEO will be happy when it does.
We’re experiencing a movement toward regulation by enforcement. Look no further than the National Cybersecurity Strategy, which, at its core, demands that corporate America do more to protect citizens from cyberattacks. There’s also the Securities and Exchange Commission’s (SEC) action against the software company SolarWinds and its head of security. The case has raised eyebrows, specifically because the security leader was held personally responsible.
But with very few exceptions, the CISO or senior-most security leader is simply not the “responsible corporate officer.” It’s the CEO. Security leaders rarely, if ever, get the budget needed to do their job well. CEOs and boards that do control the corporate budget rarely invest the time to understand their cyber-risks, and instead allocate resources in other directions.
Read more: The CEO Is Next
Related: White House Fills in Details of National Cybersecurity Strategy
Why CIO & CISO Collaboration Is Key to Organizational Resilience
Commentary by Robert Grazioli, Chief Information Officer, Ivanti
Alignment between these domains is quickly becoming a strategic imperative.
Gartner forecasts that the world will spend $215 billion on risk management and cybersecurity in 2024. That’s a 14% increase over 2023. But many workers are feeling spread thin, with more data and endpoints than ever and not enough qualified talent to be found. It’s time to finally break down the silos between IT and security.
That starts by fostering alignment between the CIO and chief information security officer (CISO).
Individually, CISOs and CIOs are powerful forces with a lot on their plates — and a lot on the line. Together, they could be unstoppable. However, historically, organizational structures have relegated CISOs and CIOs to separate domains with distinct — and occasionally contradictory — objectives.
Here’s how to foster alignment: Why CIO & CISO Collaboration Is Key to Organizational Resilience
Related: CISO & CIO Convergence: Ready or Not, Here It Comes
Rockwell’s ICS Directive Comes as Critical Infrastructure Risk Peaks
By Tara Seals, Managing Editor, News, Dark Reading
Critical infrastructure is facing increasingly disruptive threats to physical processes, while thousands of devices are online with weak authentication and riddled with exploitable bugs.
Industrial control systems (ICS) giant Rockwell Automation’s recent directive to customers to disconnect their gear from the Internet showcases not just growing cyber risk to critical infrastructure, but the unique challenges that security teams face in the sector, experts say.
CISA is warning that increased threats to could lead to various catastrophic attacks, including denial-of-service (DoS) efforts that take down electrical grids; privilege escalation and lateral movement to burrow deeper into the operational technology (OT) environment in order to control it; modifying settings to, say, change safety thresholds for power generators; remotely compromising programmable logic controllers (PLCs) to halt water sector operations; or even conducting destructive Stuxnet-style attacks that can obliterate a site’s ability to function permanently.
Yet thousands of devices are exposed online with weak authentication and riddled with exploitable bugs; and there’s an endemic lack of security team participation in site design and asset/infrastructure management. All in all, it’s not an ideal situation.
Read more: Rockwell’s ICS Directive Comes as Critical Infrastructure Risk Peaks
Related: Volt Typhoon Hits Multiple Electric Utilities, Expands Cyber Activity
4 Ways to Help a Security Culture Thrive
DR Technology commentary by Ken Deitz, CSO/CISO, Secureworks
Creating and nurturing a corporate environment of proactive cybersecurity means putting people first — their needs, weaknesses, and skills.
A good cybersecurity culture trusts and empowers teammates to make good decisions. In turn, that trust fuels a more productive relationship between cybersecurity and the business. Culture is a living entity that needs to be continuously nurtured. Give it the dedication it needs, and your businesses will be safer as a result.
Here are some core pillars for establishing an effective security culture:
1. Establish the Right Mindset: Focus on the positive actions that people can and should take.
2. Engage with Empathy: A productive and inclusive security culture is one that shuns blame. Instead, focus on what you can collectively learn from the incident to enrich your cyber strategy for the future.
3. Communicate, Communicate, Communicate: When it comes to cybersecurity, there’s no such thing as too much communication. People have a lot going on in their jobs and lives. Meet people where they are, and you’ll have much better results.
4. Stay on Your Toes: New and emerging technologies bring opportunities and challenges. Generative artificial intelligence (AI), for example, can offer teammates productivity gains, but they also need to know the risks.
Read more: 4 Ways to Help a Security Culture Thrive
Related: How to Transform Security Awareness Into Security Culture
Source: www.darkreading.com