Cybersecurity changes faster than you can read about it.
This page covers and comments on around 10 of the monthly 7000+ news items.

Updated May 20th, 2024.

May 2024HeadlineNews
#055RSA & ONUG Show Impact of AI on Networks and CybersecurityForbes Interviews with companies at RSA in San Francisco reveal the progress being made by security companies on the use of AI to detect threats and protect users. Similarly at the ONUG Spring AI Networking Summit in Dallas revealed the potential for AI to make significant inroads into threats to the entire network ecosystem. For now, the focus is on protection of the larger enterprises. The challenge is to make that progress available to all organizations irrespective of size. Until it does, the threats will continue to increase.

Note that news on Critical Infrastructure incidents is also tracked on the Critical Infrastucture page.

In Depth

Some stories need a closer, sometimes controversial look.

How and why the Securities and Exchange Commission is bringing discipline and accountability globally, helping everyone in cybersecurity.
NIST’s Cybersecurity Framework “brings organization to cybersecurity implementation.” We explain why we have a very different view from others.
The now infamous breach of the MGM hotel and casino chain has become a poster child of how not to implement holistic cybersecurity. But what was the real unreported reason behind the attack?
May 2024HeadlineNews
#054SEC Ammends RulesOn May 16th, the SEC announced Rule Amendments to Regulation S-P to Enhance Protection of Customer Information.  These covered incident response programs, customer notifications of data breaches, service provider oversight, scope of the safeguards and disposal rules,  record keeping and an exception to the annual privacy notice requirement. Smaller organizations will have 2 years to comply , large organizations 18 months. For interesting commentary see the Debvoise and Plimton site.
#053Arup Hit With Deep Fake.CNN covered this attack on a UK multinational design and engineering organization, Arup. The deep fake scam led to one of its Hong Kong employees being duped out of $25m when video and voice fakes were used to impersonate a known colleagues. Lesson to be learned: Identity verfication and multi-level authentication need to be implemented and training is sorely needed – especially when large sums live this are involved.
#052Life and Death Impact.Top of the list of critical infrastructure targets is stiil healthcare – the most at risk to life and therefore the most likely to pay up. Following the recent ransomware on United Healthcase’s subsidiary, Ascension Healthcare with 140 hosptials in 19 states is the latest to have patient treatment and  information severely compromised. BlackBlasta is the malware being blamed but the real cuplrit is surely lack of competent defense. In an update by CybersecurityDive,  it was revealed how a hacker used Microsoft “Quick Assist, ” Vishing,etc. to create social engineer attacks. A sobering read.
#051The old ones are the bad ones.Reported by many including Wired magazine, CISA’s Kevin Briggs, confirmed to the FCC that multiple cases of Americans trackedand penetrated via SS7 or Diameter (Cell Phone Protocol). This follows similar reports of German cell phone users having their bank accounts drained. This is a very long-standing vulnerability apparently.
#05068 Sign the Pledge… the CISA Security by Design Pledge that is. By signing the voluntary pledge, 68 companies producing software, services and software as a service pledge to, well ... and there in the detail it becomes not so strong. All basic stuff but words like “within 12 months developing a transition plan to use memory safe languages.” Great but that transition could take a decade. “Within a year to provide functionality to allow automated installation of patches.” Really, why wasn’t that mandated five years ago and even this does doesn’t make it a default that the user must override if they refuse it. It’s not a legally enforceable pledge so there appear to be no consequences if companies sign but don’t follow it … and so it goes on. Good intention but no doubt watered down by the signing participant companies. No mention of Zero Trust or secure management of products, Physical products and IoT devices are excluded. Maybe that excuses Apple, VMware and Intel but Cisco, Google, Microsoft, Lenovo and the main security companies have signed. Shame it’s so weak. Good news is that most are only signing up for what they already have in place today – and CISA does encourage companies to state that. All the details are in the link to the CISA page.
#049$10m anyone?Time to look under the floorboards and see if Russian national Dmitry Yuryevich Khoroshev, LockBit creator/developer is hiding there. If he is, drag him down to your local DOJ office where you will find $10m in cash waiting for you. The story was covered everywhere.
#048Chinese attacks on undefended network devicesSpeaking at this month’s annual RSA conference in San Francisco,  Brandon Wales, executive director at the Cybersecurity and Infrastructure Security Agency, said “The Chinese threat absolutely is the one that is keeping us awake every night.”  More coverage of the story is on the  Cybersecurity Dive web site. Volt Typhoon has embedded itself in unsecure network devices that are typically not protected in the same way as end systems. The plea is for network device providers and their service provider users to properly delegate the kind of best practices highlighted on this site.
#047U.S. NCSIP version 2 publishedThis month the US Government published its revised National Cybersecurity
Strategy Implementation Plan. The 69 page PDF can be found here. The substance behind behind grandiose language covers (1) Defending Critical Infrastructure, (2) Disrupting and Dismantling Threat Actors, (3) Shaping Market Forces to Drive Security and Resilience, (4) Investing in a Resilient Future and (5) Forging International Partnerships to Pursue Shared Goals (getting international buy-in). further commentary to follow but its good to see the administration itaking leadership n the subject so earnestly.
#046Microsoft: Lessons being learned.Microsoft’s response to CISA’s Cyber Safety Review Board scathing, across-the-board critism of their penetration by last year’s Advanced Persistant Threat attack immediately exposed the real problem for other companies. Yes it was good to see both Board Chair and CEO Satya Nadella and Security head Charlie Bell responded that cybersecurity would be a prirority. While the review shows that so much needs attention at Microsoft, it strikes me that (finally) others might copy Microsoft in having the security chief report directly to the CEO. Now, if they would only adopt holist cybersecurity.
#045Pass on Passkeys?The day after the UK legislated to end weak passwords (in story #044 below), the reaction might have been “nice idea, 10 years too late and who needs them anyway – thank goodness we have Passkeys now” – that’s being adopted by many of the main players. Well that didn’t last for long. The very next day in a long and complex discussion, Passkeys were brought into question. The story unfolds describing the many technical issues being uncovered and issues with browsers.  More on this to follow but for now catch up on the breaking story on page 12 of  Steve Gibson’ latest podcast PDF.
April 2024HeadlineNews
#044UK makes use of weak passwords illegal!The Product Security and Telecommunications Infrastructure (PSTI) Act came into effect on April 29th.,  requiring manufacturers of consumer-grade IoT products sold in the UK to stop using guessable default passwords and have a vulnerability disclosure policy. Really, why isn’t that the law everywhere? But wait, does this mean that ancient IoT devices that can’t be upgraded are likely illegal? Much more than that. It impacts wearable health trackers, cameras, TVs, speakers smoke detectors, door locks, kitchen appliances, etc. The details are available in a PDF found on the European Telecommunications Standards
Institute (ETSI)
web site. More to follow on this story.
#043ChatGPT-4 Excels at CVE ExploitsCoverage of Generative AI (e.g. ChatGPT variants) is made with caution here. However, when ChatGPT-4 was fed the CVE* database, its success at creating exploits that crack these vulnerabilities was at a staggering 87% as opposed to 7% without the data. Previous versions of ChatGPT and others scored 0%.
*CVEs (Common Vulnerability and Exposure) can be found in CISA’s catalog of KEVs (Known Exploited Vulnerabilities). The article covered by Tech Radar goes into the sobering details discovered by the University of Illinois.
#042VMware RansomwareAccording to an FBI advisory, the Akira ransomware group has breached over 250 organizations and has gained approximately $42 million in ransom payments since March 2023. Full story covered in many places including Spiceworks.  These attacks exploited vulnerabilities in VMware ESXI virtual machines.
#041Water, water EverywhereAccording to a CNN Report, an attack the water systems in Mulshoe, Texas cause water to overflow from their water tower. While that caused local issues, what’s more interesting from a wider perspective is that the linked report generated by security company Mandiant goes into great details of the Russian linked APT44 group and how they go about such threats.
#040Ransom-war Plague?Last month’s report on Change Healthcare (#29) below looks like its going to cost its parent company United Healthcare upward of $1bn! Unsurprisingly despite paying millions in ransoms the threat actor is revealing its stolen information. In Tarrant County, Tx, 300 residents had all of their personal info: SS, DLs etc. put on the dark web in a ransomware attack. There are now well over 1000 articles on the ransomware plague each month. Perhaps it should better be termed RANSOMWAR. 
#039It’s that easyIn a Forbes article, Jay Chaudhry, CEO and Chair of Zscaler, describes how easy it is for threat actors to use Generative AI and their Large Language Models to ask for vulnerabilities of specific organizations and then to write code to exploit them including it seems Advance Persistent Threats. We are living in the beginnings of the Skynet world of Terminator movies but unfortunately there’s no travelling backwards in time to remove the AI. He goes on to cover how Zscaler’s strategy and products use AI, firewall and VPN replacement, hide data and provide Zero Trust SD-WANs. This is not an endorsement of any Zscaler product but the article makes a very interesting/sobering read.
#038Critical Infrastructure Protection: Water SystemsOne of the most targeted critical infrastructure sectors has become water systems with many reports and warnings regarding threat actors from government and other resources. A new bill to establish a Water Risk and Resilience Organization has been introduced in the U.S to strengthen and enforce cybersecurity. Further details are in this Statescoop article.
#037Who is protecting the protectors?The problem when leading security software companies (such as Palo Alto Networks self-reporting a critical vulnerability updated 4/13) are (a) what are the development processes that were not in place that resulted in the vulnerability? (b) How can others learn from the mistakes when users are not safe until the problem is fixed (fixes are under-development*), (c) How can others learn from the mistakes even when the problem is fixed, the likelihood of the cause is either too risky or just bad business to reveal? (d) As soon as the problem is fixed will all systems be updated (probably ok in this instance but mostly not) (e) and lastly, if you can’t trust the market leaders then who can you trust?
*Update 4/15: Palo Alto says it has fixed the problem and updates will be rolled out shortly.
#036Ransomware hits home – if you still have oneThe Jackson County, Missouri ransomware attack has caused chaos for people buying and selling homes after the ransomware attack disabled the systems and caused offices to close for days. What makes it is a big deal is that with the offices closed, house sales can’t register or be closed, offers expire and loans can’t be enacted, people have moved out and new owners can’t move in. i.e. chaos.
#035CISA Initiative will have big impactAn initiative by CISA this week will bring regulatory focus on cybersecurity to several hundred thousand business organizations. It follows rules brought by the SEC to publicly traded and regulated companies last December. This process, known as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements was initially introduced in 2022. This CISA update will require compliance to incident reporting and will likely, when complete, require companies to show that they have been taking documented, prudent, preventative steps. This document completes its comment phase June 3rd of 2024 and publication will follow. We will no doubt comment to CISA after carefully reading the draft document as we did with previous initiatives. Click here for the link that introduces the work that will apply to more than 20x the number of companies as the SEC.
The impact on companies will hopefully be profound since it will become a legal requirement for businesses that continue to be oblivious of the cyberwar to finally take it seriously
#034The Big PictureSometimes we lose track of the big picture. In the first few days of April a fascinating presentation by a key member of the US Government catalogued that big picture. It covered the global economic, population decline impact, climate change and even water and crop shortage forces that make state-sponsored cybersecurity attacking the soft underbelly of first-world economies. It’s such a compelling and chilling reminder that there is a war going on and we are the targets. As it’s become a necessary part of those economies, it’s going to persist. It’s why every small business and large organization must strengthen its weak links and be vigilant permanently.
March 2024HeadlineNews
#033AT&T Breached againNow the hackers are repeating themselves. “Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders,” Bleeping Computer and others reported on the latest AT&T breach. With so many credential breaches it’s easy to see why we are becoming immune to them.
#032How can they get it so wrong?As an indication of the influence of form over function or hype over reality, this article from SDXCentral is an example what happens when market leader influence can get in the way of enterprise choice. I seriously doubt that Forrester said anything like what was reported. According to the article, the SSE market is the market of today and Zero Trust is of the past. and SASE is the way of the future. Since Zero Trust is at the heart of all such Gartner inspired derivatives, that SASE was superseded by SSE because supplier and market influence and none of it has any industry technical definition then it’s not difficult to see how journalists get confused. What began as I believe a good intention by Gartner to create an integration between networking and security has descended into a confusing mess for the enterprise. (End of rant).
#031Water, Water EverywhereThe latest missive from the U.S. Environmental Protection Agency (EPA) is more than hinting that water may be everywhere but there might not “be a drop to drink” unless action is taken to combat cybersecurity threats. The story in Cyberscoop, explains that there are 150,000 water utilities in the U.S. The staggering number is difficult to comprehend until you understand that there are 90,000 dams in the U.S. “Disabling cyberattacks are striking water and wastewater systems throughout the United States. These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.” The EPA is setting up a water sector cybersecurity task force to outline some of the biggest challenges the sector faces and develop strategies to defend against the threats.
#030One small stepGood Grief. Having spent the best part of a year and a half on a requirement for software companies to self-attest their secure development, CISA just published the work. If you do not conform then you can’t sell to the U.S. government.  A very nice idea! However, it gives me no comfort to say that I think they missed critical elements including: (1) use of memory safe languages, (1) use of self-attested third party software elements, (3) requirement for Software Bill of Materials and (4) implementation of secure APIs. I personally submitted all of these to CISA but received no response and wrote an article that covered all the elements. What a missed opportunity. Oh, and if the software you sell was developed before September 2022 and hasn’t had a “major version update” then you don’t have to comply no matter how vulnerable it might be. In addition, also exempt are open source code publicly available. (what could possibly go wrong with that?) Good Grief!
#029Change NeededThe much-reported breach at Change Healthcare by Blackcat resulted in a staggering $22m ransomware payment. The outage in the billing and prescription arm of United Healthcare that processes 15bn transactions a year touches 1 in 3 patient records. First discovered on Feb 21, Change reports it will not be back online till the middle of this month. This is another Blackcat (RaaS) exploit, though the actual attack was claimed to be performed by “Nochy” – but maybe it’s all a scam? More on this from Cybersecurity Dive.
#028$12.5bnOr to put it another way, that’s about $40 per person in the U.S. alone was lost in 2023 to cybercrime. There have been a plethora of reports looking back at last year but this one is an important reality check. According to the FBI as reported by news, 880,000+ complaints were made – a 22% increase on the previous year. Ransomware jumped 74% to $59m  – and that was just what was reported! Investment frauds were the largest proportion followed by business email compromise.
#027Catch 22While it’s probably embarrassing that the US Department of Homeland Security (actually, even worse it was CISA) were breached, it does highlight a general problem. It’s not just that that “if they have been breached what hope is there for the rest of us?” The real issue is that the organization being breached does not want to disclose how it was breached since it reveals possibly systemic weaknesses that others may exploit. This makes it really difficult for others to learn from mistakes. Even disclosures to the SEC likely will not go into such detail publicly. The catch-22 is therefore: “we want you to learn from our experience – but we can’t tell you how!” Update: compounding this was the fact that CISA was using an Ivanti VPN (supposedly) secure gateway rather than ZTNA products and that CISA’s own “self-attestation” initiative can’t have been in place with Ivanti. Apparently the Zero Day vulnerability was breached by an APT(Advanced Persistent Threat) attack and even then the fix was not immediately implemented. Oh dear! (I don’t think I have an egg on the face emoji?)
#026White House ReviewWhile it is not surprising that the White House is pleased with the progress it is making in cybersecurity, the “one year later” progress report is a useful reminder of the initiatives in play (69 of them apparently). Here’s the update from director Harry Coker.
#025The first cut is the deepestLast year, this column covered the report: Escalating Global Risk Environment for Submarine Cables by the Insikt division of intelligence company Recorded Future, showing the vulnerability of the global economy to attacks on the 529+ submarine cables that transmit 99% of intercontinental communications. Today, 9 months later, CNN reported that several cables in the Red Sea have been cut impacting 25% of Internet traffic between Asia and Europe. A statement from HGC Communications says it has already mitigated the problem. However, other than a blame game, there is no public statement of who was responsible, or how the cuts had been made or whether it was deliberate or accidental!
#024CloudFollowing the re-emergence of Lockbit there are indicators of increasing threats aimed out cloud services, the U.K.’s National Cyber Security Centre warned this week. It underlines the importance of understanding the many methodologies required for protection when services and workloads are delegated to multiple clouds providers, application and security suppliers.
#023CSF 2.0 In-depthIt seems that the points raised in the previous entry covering CSF 2.0 are worthy of in-depth analysis on our Hot Topics Page.
February 2024HeadlineNews
#022CSF 2.0 PublishedIn January, this column made remarks in entry #004 about the draft of NIST’s Cybersecurity Framework 2.0, published mid 2023. The final version of CSF 2.0 is now published. I just don’t know what actions that could be taken from it. I don’t know if anyone from CISA provided oversight. Oh dear! 
#021White House Ports SecurityThe White House Announced an Initiative to Bolster Cybersecurity of U.S. Ports. Supporting $5.4 trillion dollars of trade, the investment of $20bn will require the protection of systems, including cranes, 80% of which are of Chinese manufacture. Penalties for non-compliance are yet to be established.
#020DNS  (=Dangerous Narrow Shave?)A Group of German researchers discovered a very long-standing vulnerability (codenamed “KeyTrap”) in secure DNS, that if it had been exploited could have disabled the entire Internet. Fortunately, this has been responsibility mitigated. Full details are in Feb 20’s Security Now show notes (See page 12).
#019LockBit Lockdown (or was it?)When one of the biggest threats of the last 18 months gets disabled by a coalition of 11 countries led by the US and UK, then it’s a big deal. All that’s left of Lockbit is a notice saying the site has been seized! But wait, just a few days later, there are still Lockbit sightings explained either by employees who took the work home with them, a remnant of a persistent threat attack or the use of a Lockbit type tool kit. We shall see. Feb 26th update: Well, that didn’t last for long, Lockbit has brazenly re-emerged – as noted in CybersecurityDive. (Cute graphic)
#018Weaponizing AIJust as my daily use of Co-Pilot becomes an accelerator of my work, it gives some comfort that OpenAI (one of Microsoft’s Co-Piot’s AI engines) is shutting down accounts used to generate phishing and malware attacks (article). Dark Reading‘s “proceed with caution” seems prudent but is tempered by the level of sophistication being used by Korean threat actors as they make it difficult to spot phishing attacks from the genuine article and use AI to scale up their activities.  This month, Google have announced their own AI Cyber Defense Initiative covered by Silicon Angle.
#017Clientless and CluelessNext up in Microsoft’s 2024 woes is the news from Proofpoint that 200 Azure accounts have been compromised. Once the threat actors gain access to an Azure environment they carry out a host of malicious activity, according to Proofpoint, including manipulating MFA, data theft, follow-on phishing attacks and financial fraud. It seems that once you give up your envirnoment to a clientless reliance to Cloud providers such as Microsoft you are in the headlights of attacks. It makes you wonder if relying on unverifiable Microsoft security methodologies and relying on clientless IT, is a viable strategy. More on this from Cybersecurity Dive.
#016Mixed BagAfter a monster January in terms of important cybersecurity news, February is relatively quiet. However, the stories regarding Critical Infrastructure are hopefully raising awareness. Sentinel One and others are carrying stories regarding CISA, FBI and NSA warning of Volt Typhoon attacks on US, Canadian, UK, Australian Targets. Also, LastPass is back in the news after Apple somehow enabled duplicate postings of the once vaunted security app in their app store.
#015Big security staff shortages – big cybersecurity layoffsThis doesn’t seem to make sense. Report after report follows massive shortages of cybersecurity staff. At the same time SC Media Magazine is reporting on 110 cybersecurity firms laying off significant numbers of staff since the beginning of last year. Tech Crunch’s end-of-year summary called 2023 “the year of the Layoff.” Most of the tech layoffs are put down to overstaffing during the  Covid years – but is there another reason? It may be an indicator that companies are still in denial about cybersecurity and would rather put their head in the sand rather then their hands in their pockets to pay for cybersecurity staff or solutions.
#014Zero Trust Brings a New Way of thinkingMy latest article on Zero Trust in this month’s ISE Magazine takes a different twist on the topic which I hope you find interesting.
#013SEC creating board level impactAs now widely known, the SEC requires reporting of significant cybersecurity incidents within four days. What’s less well known is that it requires “most” public companies to disclose, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance. This, according to a posting by Blackberry, applies to foreign companies seeking funding and listing in the U.S. This is a great step forward since it focuses the executive team on preventative measures and processes.
January 2024 Headline News
#012 Too many articles January had so many big stories and articles on cybersecurity. This page deliberately does not cover every Bitcoin, healthcare, ransomware story. However, this month I’ve posted a list of 130 or so articles that were considered and almost made it that may be of interest.
#011 One to watch Newly discovered malware covered by Bleeping Computer known as NSPX30 is spread by corrupted versions of update mechanisms of the very widely used WPS Office software. (This is not Microsoft Office). Automatic updating is encouraged as an important defense in cybersecurity. It begs the question of when the exploit is fixed how is the update effected if the update mechanism itself is compromised?
#010 Hey, we’re here too! Not to be upstaged by Microsoft, HP Enterprise also had their email hacked by the same Midnight Blizzard Advanced Persistent Threat attack. Although first noticed on December 12th, it took till the end of January to make it public. So much for the SEC’s 4-day reporting rule. It also makes you wonder if the compromised emails contained details of the then pending HPE purchase of Juniper. I guess the SEC can track suspicious purchases of Juniper stocks.
#009 Microsoft Sprayed In the second recent instance of Password Spraying, Microsoft CEO’s email was compromised. Covered by various sources such as Hacker News it’s concerning that executives in one of the leading security companies ignored best practices and makes you question the organizations own attitude. The article calls it a sophisticated attack but it isn’t sophisticated. Password Spraying is where an attacker scans accounts looking for weak passwords to access accounts. It beggars belief that Microsoft executives would have elevated privilege to access mission critical secure applications, that they are using non-MFA access and worse still that they are using passwords that are so weak that they can be guessed. I hope I’m wrong about this but it’s another instance of lack of holistic cybersecurity. Oh dear! Now, according to Security Dive Microsoft has announced that it is to review its security practices. (Embarrassment complete!)
#008 CISA Despite being stuck with a  slightly odd name, the US Cybersecurity and Infrastructure Security Agency (CISA) continues to do excellent work. In addition to doing groundbreaking work on self-attestation for software development it tracks new threats and promote updates to avoid Zero Day threats that cause damage, publishes the Common Vulnerabilities and Exposures (CVE) List and issues emergency directives. This week it published directives for Ivanti Endpoint Manager Mobile following new directives on Citrix and NetScaler products. It also issued guidance of the danger to critical infrastructure systems from unmanned Chinese drones.
#007 Fight, Fly or Freeze? According to Malwarebytes (the Malware detection company) in their recent survey of 1000 users, everyone is scared of the Internet but little is being done in terms of basic protection. You can’t fly to escape the Internet, people do not fight with only 35% using anti-virus software, 27% using VPNs, 24% and less in 8 other categories, so the answer is freeze and hope it all goes away. Bear in mind that many of those interviewed may be working from home using non-corporate devices.
#006 FBI and SEC increase pressure on reporting Some updates on the SEC and FBI activities. There has been several iterations of the news that the FBI will rarely grant extensions to the four-day disclosure deadline in the SEC’s rule that came into effect in December. At the same time the enforcement re the Solar Winds exploits raises the bar should a company not take cybersecurity precautions seriously. At the same time, SEC Chair Gary Gensler was acknowledging the seriousness of the SEC hack of their Xtwit (my name for this marketing disaster) account that falsely claimed that they had approved a spot bitcoin exchange but claiming that none of their other accounts were impacted. (They received my headless chicken of the month award.)
#005 Don’t Drop It! Publicly reported on CNN, CBS, with more analysis from TechTarget, a Beijing Forensic Institute says it has “cracked” Apple’s Air Drop encryption. This is in response to protestors sharing information/”propaganda” to obtain the identify the ID of the sender, etc. Interestingly, about a year ago Apple restricted Airdrop to 10 minute sessions to avoid unsolicited information being sent to nearby iPhone users. The questions are: (1) It appears that an unfixed known vulnerability exposed senders ID and key information that led to decryption – this is just supposition. (2) Did they just get sender information and was the claimed encryption just a scare tactic? (3) Did they find a way of using stored keys to effect encryption, was it a real brute-force decryption and has the exploit been known for some time by others and in use elsewhere in the world. This is scary as it comes hot on the heels of the item below regarding Apple vulnerabilities.
#004 Cybersecurity Framework? Given the plethora “Top 3 tips to ensure your cybersecurity in 2024,” I remembered the NIST Cybersecurity Framework 2.0 issued last August which started with 5 or six categories and then sensibly broke these down into 106 individual subcategories. At least someone got across the complexity of it all. It was only when I started rereading the details that I realized that it’s not really a “Framework” at all. It is a list actions you have taken, or the outcome actions you are taking all in vague terms such as “Systems, hardware, software, and services are managed throughout their life cycle” or “Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded,” and “Cyber threat intelligence is received from information sharing forums and sources.” It goes on in this fashion. Yes it’s good as a reminder not to miss important links in the chain, but there is nothing about the actions to take or how to take them. “A” for effort and getting across the scope of the topic but really “no pass.” Oh, and Zero Trust, Microsegmentation, Critical Infrastructure, Phishing and IoT don’t get a mention. Just a very strange document.
#003 Advance Persistent Threat Problems (2) Kaspersky, has reported an attack that circumvents/bypasses Apple’s iPhone hardware security by writing to undocumented locations. This is a Zero Touch attack (i.e. no user action is required) that has been reported as NISTs  CVE-2023-38606 with extensive commentary by Steve Gibson in the show notes of January 2nd’s Security Now podcast. It seems that only an Apple insider would have knowledge of these undocumented locations since the vulnerability is not externally discoverable. The result being that an attacker can control all aspects of the device and the user is not aware of the incursion. While the origins of the information is not known it has been patched by Apple for those who upgrade their phones. The explanation and the reason for this backdoor remains unanswered. It does beg the question of who instigated the back door, when did first happen, who knew about it and are their similar back doors in other manufacturers devices?
#002 Advance Persistent Threat Problems (1) This category is the hardest to defend because of its diversity. The latest malware to pry open the door is JinxLoader used as an element of Hacking as a Service. Advance Persistent Threat is the collection of elements that begins with intrusion via phishing or identity theft and then loads malware, Elevates Privilege and explores weaknesses inside a network or system, then uses Lateral Movement to deploy malware at those vulnerable places and then instigates attacks in due course. JinxLoader is the vehicle that hackers can but to begin the process. Further Coverage in this month’s Hacker News article. More coverage on addressing APTs is planned.
#001 My aspirations for 2024
  • Executives in many large enterprises and in almost all SMB companies will no longer be in denial re cybersecurity – and “it won’t happen to us” will be a memory.
  • Companies will no longer be negligent on automatic patching, anti-phishing training and will implement proper delegation to software companies.
  • I will get across the importance of Holistic Cybersecurity resulting in significantly reduced risk.
  • People will get that security is only as strong as the weakest link. All publications, software companies, CISA, NIST etc., will stop listing “the top 3, 4 or 5 things to ensure cybersecurity” because they believe that no-one will read anything that covers the real the real number of 30, 40, 50, 100+ actions.
  • The SEC, CISA and NIST will continue their good work and not succumb to corporate political lobbyists to water down their innovative work.

Last Year on Breaking News