The State of Cybersecurity – Year in Review
Summary
TLDRKevin Mandia,作为Mandiant的CEO,在一次演讲中分享了基于1100多次调查、数百次红队测试、威胁情报分析和咨询服务得出的五大结论。他指出,目前对攻击者来说,攻击企业似乎没有太多风险或后果,攻击手段不断创新,勒索软件已经演变为数据盗窃、敲诈勒索,甚至可能包括骚扰等行为。他还强调了董事会对网络安全的参与度提高,以及政府与私营部门之间合作的重要性。Mandia讨论了攻击者创新的速度、零日漏洞的增加、针对边缘设备的定制恶意软件、以及攻击者如何利用现有基础设施进行攻击。他还提到了多因素认证(MFA)的挑战、更好的操作安全和逃避技术,以及如何通过改进安全运营来检测攻击。最后,他提到了检测攻击的时间缩短,以及如何通过准备和响应来减少勒索软件的破坏。
Takeaways
- 📈 **攻击者创新加速**:过去一年中,攻击者在攻击手段上的创新加速,包括勒索软件的演变和数据盗窃等行为。
- 💡 **企业面临的风险和后果**:全球企业面临的网络攻击风险和后果似乎没有显著增加,导致攻击者更加肆无忌惮。
- 🔒 **零日漏洞利用增加**:2023年发现的零日漏洞数量显著增加,攻击者利用这些漏洞进行攻击。
- 📘 **董事会对网络安全的关注增加**:由于法规和媒体报道,董事会对网络安全的关注度达到历史新高。
- 🤝 **公私合作伙伴关系加强**:政府和私营部门之间的合作在网络安全领域达到了前所未有的水平。
- 🔐 **多因素认证(MFA)的重要性**:尽管MFA已经广泛使用,但攻击者通过社会工程学手段绕过MFA的案例在增加。
- 🚨 **安全运营的提升**:为了检测攻击者在入侵后的行动,需要更好的安全运营和事件响应策略。
- 📉 **检测时间缩短**:组织发现和响应安全事件的时间(dwell time)正在减少,表明安全防御能力的提升。
- 🛡️ **防御措施的演进**:企业正在采取更全面的措施来准备和应对潜在的勒索软件攻击。
- 🌐 **云服务提供商的安全实践**:云服务提供商被建议提高透明度,每年向客户报告其安全实践和改进措施。
- 📚 **CISO的关注点**:CISO们在面对安全挑战时,关注的关键议题包括安全运营、事件响应、威胁情报和合规性等。
Q & A
根据Kevin Mandia的演讲,过去一年中网络攻击的主要趋势是什么?
-过去一年中网络攻击的主要趋势包括攻击者创新的加速,特别是零日攻击的增加,勒索软件的演化,以及董事会对网络安全的更多参与。攻击者面临的风险或后果似乎不多,这导致了对企业的攻击增多,并且攻击手段更加先进和隐蔽。
演讲中提到的网络攻击对企业造成的损害有多大?
-演讲中提到,网络攻击对企业造成的损害非常严重,有的损害甚至达到了数亿美元,并且这些数字还只是下限。
Kevin Mandia认为我们应该如何对抗零日攻击?
-Kevin Mandia认为我们应该采取假设已经被入侵的心态,进行攻击面管理和补丁管理,并制定良好的规则来应对这些情况。即使存在零日攻击,也需要有应对措施。
演讲中提到了哪些对抗网络攻击的策略或建议?
-演讲中提到的对抗网络攻击的策略包括加强防御、改进对加密货币的追踪、更新现有的国际条约以加强归因和风险施加,以及提高安全运营能力来检测攻击后的行动。
如何理解演讲中提到的'living off the land'技术?
-“Living off the land”是一种攻击技术,攻击者利用目标网络中已经存在和运行的合法工具和程序来进行攻击,这样做可以更有效地隐藏攻击行为,减少被发现的风险。
演讲中提到的网络攻击手段有哪些变化?
-演讲中提到,从2020年开始,网络攻击手段从利用钓鱼邮件和人际关系信任的方式,变回了利用漏洞利用的方式,这与1993年到1998年间的趋势相似。
演讲中提到的多因素认证(MFA)存在哪些弱点?
-演讲中提到多因素认证(MFA)存在的弱点包括一次性密码的安全性问题,帮助台可能无意中泄露一次性密码,以及SIM卡交换攻击等,这些都需要通过改进MFA来克服。
演讲中提到了哪些网络攻击后的常见行为(TTPs)?
-演讲中提到的网络攻击后的常见行为包括异常使用PowerShell、异常的HTTP或HTTPS流量、通过RDP的横向移动、远程RDP的使用,以及服务执行和文件删除。
演讲中提到的网络攻击的'dwell time'是什么?
-“Dwell time”指的是网络攻击者在未被发现的情况下在被攻击网络中潜伏的平均时间。演讲中提到,这个时间已经从2011年的416天减少到了10天。
演讲中提到的董事会对网络安全的参与度如何?
-演讲中提到,董事会对网络安全的参与度比以往任何时候都要高,这主要是由于网络安全事件的频繁报道、监管要求以及与网络安全相关的法律法规的增加。
演讲中提到的'secure by design'是什么?
-“Secure by design”是一种软件开发方法,它要求从设计阶段就将安全性考虑进去,以减少软件漏洞和提高软件的安全性。演讲中提到,政府和法律诉讼都在推动软件供应商采取这种方法。
演讲中提到的云服务提供商的安全实践有哪些建议?
-演讲中提到的云服务提供商的安全实践建议包括进行受害者通知、提供与服务费用相匹配的优质日志记录、改进身份和访问管理以及提高透明度,例如每年向政府报告安全实践和改进情况。
Outlines
📈 网络威胁与创新:Kevin Mandia的年度回顾
Kevin Mandia,Mandiant的CEO,分享了基于1100多起调查、数百次红队测试、威胁分析和咨询服务的结论。他强调了网络攻击的增长趋势,特别是勒索软件的演变,以及政府与私营部门之间合作的加强。Mandia还讨论了对企业构成威胁的低风险和后果,以及如何通过法律执行、情报社区和私营部门的合作来提高对犯罪分子的风险。
🔍 零日攻击与防御策略:不断演变的网络威胁
Mandia讨论了零日攻击的增加,以及攻击者如何利用这些漏洞。他提到了攻击者利用VPN、电子邮件网关和其他网络设备来绕过端点保护。此外,他还谈到了钓鱼邮件的演变,以及攻击者如何通过不同的通信渠道进行攻击。Mandia强调了多因素认证(MFA)的重要性,以及如何提高其抵抗社会工程攻击的能力。
🚨 网络攻击的新趋势:从零日到持久性威胁
演讲中提到了网络攻击的新趋势,包括攻击者如何利用现有基础设施和“本地生存”技术来隐藏其活动。Mandia强调了需要更好的安全运营来检测攻击的后续阶段。他还讨论了检测攻击的关键技术,包括异常的PowerShell使用、HTTP/HTTPS流量、远程桌面协议(RDP)的横向移动和文件删除。
⏱️ 攻击检测时间的缩短:安全防御的进步
Mandia展示了从2011年以来,攻击被检测到的平均时间(即“居住时间”)如何显著减少。他指出,现在公司比以往更早地检测到攻击,这表明安全防御正在取得进展。他还提到了第三方发现攻击的减少,这意味着公司更倾向于自己发现并处理安全事件。
🛡️ 勒索软件的演变与董事会的参与
Mandia讨论了勒索软件的演变,以及公司如何准备应对这种威胁,包括备份重要资产、进行桌面演练和减少身份访问。他提到,尽管攻击者的技术在进步,但公司在防御措施上也取得了进步。此外,他还强调了董事会在网络安全问题上的参与度增加,以及政府和私营部门在安全最佳实践和透明度方面的合作。
🌟 CISOs的关注点:网络安全的关键议题
最后,Mandia总结了在与CISOs的对话中经常出现的七到八个主题,表明CISOs在网络安全方面的关注点。他强调了CISOs在应对网络威胁时的共同挑战和考虑因素,并列出了一些关键议题,但没有具体说明这些议题的细节。
Mindmap
Keywords
💡网络攻击
💡零日漏洞
💡勒索软件
💡多方利益相关者
💡数据泄露
💡网络钓鱼
💡多重身份验证(MFA)
💡操作安全(OPSEC)
💡网络隔离
💡安全运营
💡董事会参与
Highlights
过去一年中,全球企业面临的网络攻击风险和后果似乎没有显著增加。
攻击者的创新速度加快,勒索软件已经从单纯的数据加密发展到数据盗窃、敲诈勒索,甚至可能包括骚扰等行为。
企业董事会对网络安全的关注度提升,政府与私营部门之间的合作达到历史最佳水平。
网络攻击的犯罪成本较低,导致了攻击者行为的增加,特别是勒索软件和敲诈行为。
对攻击者施加风险是减少网络犯罪的关键,需要通过法律和技术手段提高攻击成本。
零日漏洞(Zero Day)的数量显著增加,2022年发现了97个,涉及31个不同的供应商。
攻击者利用零日漏洞的手法正在变化,从利用社会工程学(如鱼叉式钓鱼)转向直接利用软件漏洞。
需要假设网络已经被渗透,并采取相应的防御措施,如攻击面管理和补丁管理。
中国网络间谍活动在2023年有所增强,特别是在零日漏洞利用方面。
攻击者越来越多地使用“Living off the Land”(利用现有工具)技术,以更难被检测的方式隐藏在正常网络活动中。
鱼叉式钓鱼(Spearphishing)的演变,攻击者开始通过其他通信渠道进行攻击,以规避传统的电子邮件安全防护。
多因素认证(MFA)的挑战,攻击者通过社会工程学手段绕过MFA,如通过帮助台获取一次性密码。
更好的操作安全(OPSEC)和逃避技术,攻击者利用定制化的恶意软件和现有基础设施进行攻击。
需要更好的安全运营来检测攻击者在MITRE攻击链的第二、第三和第四阶段的活动。
检测攻击的时效性提高,从2011年的平均416天缩短到10天。
勒索软件的演变,攻击者在成功渗透后通过数据共享和敲诈增加受害者的痛苦。
企业董事会对网络安全的参与度前所未有地提高,部分原因是监管要求和媒体报道。
公共和私营部门之间的合作在防御措施上取得了显著进展,特别是在安全设计和信息共享方面。
云服务提供商被建议每年公开其安全实践,并根据政府的建议进行改进。
CISO们在压力下经常考虑的七个主题,包括安全设计、事故响应、威胁情报等。
Transcripts
>> ANNOUNCER: Please welcome CEO Mandiant, Google
Cloud, Kevin Mandia
>> KEVIN MANDIA: Good afternoon.
I'm your second to last speaker today and then we
all have dinner to go to.
I've got about nineteen and a half minutes.
What I want to do is kind of brief you on the conclusions, at
least part of the conclusions that I have based on over 1,100
investigations we did during the year, based on several hundred
red teams we did during the year, the threat intelligence
that came from the threat analysis group, as well as
Mandiant's threat intelligence group, and then all the advisory
services that we did.
So, I did my best to collect those conclusions.
We will go through them very quickly.
And it's not just admiring the offense.
We are also going to do some things because we all
came here to learn how to defend our network, so
we're going to do that.
This is five of the conclusions that we have based on all of our
observations really right up until a few minutes ago.
I changed a few while I was backstage.
The reality is first and foremost, the conclusion when
looking at the last twelve months of incidents, it doesn't
feel like there's a lot of risks or repercussions to
compromising the enterprises that we see globally.
We see an acceleration on the innovation on offense.
I don't know if it's really accelerated but we saw good
innovation by offensive attackers and threat actors.
Ransomware has evolved to data theft, to extortion, to
potentially even now harassment and other things.
The board is more engaged.
And then I think we had the best year ever between the privacy –
or I mean the partnership between the government
and the private sector.
So, it's worked really well.
So, I will drill down on each one of these.
First and foremost, the few risks or repercussions
to the threat actors.
When we look at this, I think every modern nation understands
there is going to be spying and that you probably can't prevent
espionage and it's hard to come up with rules for espionage.
So, my theme here of imposing risk is on the criminal actors,
the folks that may have come to a height or a threshold where it
feels almost intolerable.
So, when you look at the slide behind me, I wanted you to see
the numbers, and these represent the lowest bounds
of the criminal enterprise compromising and doing
ransomware and extortion.
You get the chain analysis slide on the Bitcoin paid.
That seems to be tied to extortion or ransomware.
But more importantly, just the impact on private companies or
publicly traded companies that are just doing their jobs, and
we are seeing damages equating to 100 million, 800 million, and
these are the lower bounds.
The damages from this tends to go up and to the right.
So, the question that we always have is what do we do about it?
You know, and when you look at the ransomware problem, there is
a lot of folks in the camp of we have to do better defense.
I get that, and that's why we're all here.
We all want to do better defense.
The second thing we probably have to look at is
cryptocurrency and the means and ways in which we
can track cryptocurrency.
Some people think it's not always a great idea to have an
anonymous currency that can be paid thousands of miles
apart from one another.
The third thing we have to do is we have to look at the treaties
we have and modernize some of these treaties.
We need to have attribution and impose risk.
So, I would ask that all of the folks in law enforcement, in the
intelligence community, and in the private sector revisit some
of the ways we do attribution; and for the folks in different
governments globally, to look at what are the safe harbors and
safe havens for the criminal actors and can we modernize
treaties with those nations so that we can impose
more risks or costs?
I think the time has come where we have to continue to think it.
I know we have lots of task forces globally and we have lots
of groups working on this problem and we all look
forward to progress being made in that regard.
We have seen the acceleration of innovation and I will go
through each one of these categories individually, so
let's hop right into it.
And it's not necessarily bad news.
When you see innovation on offense, you really go right to
the zero day account, and we had a long run of tracking this from
1998 right up until now.
And it used to be between ten to fifteen zero days
a year were found.
And a zero day, of course, attack with no patch.
Now you're looking at we found ninety-seven zero days in the
last year in the wild, about a third of them found
by Mandiant and Google.
What I found most interesting about these zero days is really
shown on this slide, and I know there's a bunch of numbers here
but focus in on the amount of vendors impacted, and that also
includes like freeware.
I guess we just call it different libraries, a vendor.
But when you look at this, thirty-one vendors impacted, and
there's always the big three.
You're going to have Microsoft, you're going to have Google,
you're going to have Apple.
But then in addition to those, we have got twenty-eight other
organizations that there were zero day attacks against them.
To put that in perspective, there were about four companies
impacted outside of the big three in 2018.
So, the number of vendors being attacked is phenomenal.
Now, why are there this many zero days?
There is a whole bunch of rampant theories on it.
Maybe we got better at defense and so you have to
break in with zero days.
Maybe the offense is so well funded now they just
come up with them more.
Maybe AI is helping the offense find vulnerabilities faster.
Maybe we are all just shipping really bad software and not
trying hard enough to patch it.
I actually think maybe it's a combination of some of that, but
it's actually because the impact of the breach if you do
espionage, you get what you want, and if you do crime, you
get what you want.
Cyber intrusions are paying off.
That's why I think you are seeing this happen.
But again, what this means is you have got to have a way to
respond to the zero day.
This slide shows that globally, when we looked at every incident
we responded to, the number one way people broke in
was in fact an exploit.
What this means is all of us have to think – assume breach.
Do attack surface management, do patch management, and then
really have great rules for what happens post those things.
The assumed breach mentality.
I just saw Jeetu say segmentation is hard, updating
is hard, and patching is hard.
That's okay.
We've got to do them.
There will always be a zero day.
And you hear people say we are going to do secure by design and
get it down to zero, but zero day is not just software.
At some point in time when you assume breach, you also make the
assumption maybe you have an insider that can create
havoc on the network.
So, the bottom line: this trend is different.
From 1998 to approximately 2019, the number one way people were
breaking in is spearphishing and exploiting human trust.
It has changed since 2020 back to what it was like from 1993 to
1998, which is exploitation.
For those who just need to see what are they
exploiting, there you go.
There's the top three things that were exploited
in 2023 for us.
Chinese Nexus espionage improved during the year.
And I think the biggest improvement here I could dive
into, they had twelve zero days and the next nation we could do
attribution for had only two.
In my career, I usually saw Russia was number one with the
zero day exploitation and China started making that list around
2005, 2006, but now they are leading in that list.
When we look at the majority of the zero days that we
see for espionage, we cannot attribute them to the nation
behind them, which means maybe the espionage is being
surreptitious when they do it.
When you look at that go from the zero days, I can combine the
next two bullet points that you need custom code
when you hack edge devises.
When you hack edge devices, you are
circumventing EDR space.
You're circumventing the end point protections that we have.
We've seen Chinese cyber espionage do this two years ago.
They did it again throughout 2023, specifically compromising
things like VPNs, email gateways, and other network
devices that we rely on to defend our networks.
So – and then whenever you see LOTL, that stands
for living off the land.
That is a technique that I think every red team aspires to and
every offense or threat actor aspires to.
That is simply breaking in and accessing your networks the way
your people do because that is the most effective way
to remain surreptitious and hide in the noise.
So, the Chinese Nexus Espionage improved throughout the year.
I would argue all trade craft did and I'll have another
slide on that shortly.
The evolution of spearphishing is interesting to me.
Part of it was driven by, I think, Microsoft disabled the
default running of macros in documents in Office containers.
That was a great step.
We all got better at end user training.
Our secure email gateways got better.
We went to more multifactor authentication.
So, it's my opinion that attackers now are spearphishing
through other coms channels.
That simple.
What I would tell you, probably the fastest way to cut through
this because I have eleven minutes and I have a lot I want
to cover, is the attacks that I saw successful, you could detect
all of them if you have web proxy logs, because
what you need to detect is the downloading.
Like nobody knows how much inspection your
secure email gateway does.
If you get a document with a link in it, you don't know how
deep the secure email gateway is going to go tracking
what you link to.
So, you want to make sure you are not downloading .EXEs,
.BATs, .COM, .VS, all the different executable files.
The other technique was to have compressed archives that were
password protected, different secure email gateways.
We really don't publish how to handle some of those things so
you want to go to your web proxy logs and set up rules for that.
And the third most effective rule, and we gave you twelve in
our M-Trends Report, twelve different rules to use to detect
the new techniques of spearphishing, is if you don't
normally use third party storage like OneDrive or SharePoint or
Google Drive, drive.Google.com, set up rules to look for what
you're downloading from these places.
Attackers are circumventing the secure email gateway with links
and trying to get you to download and execute things.
So, we can catch that and everybody has gotten a lot
better at that.
Overcoming MFA.
We have seen this happen enough that I wanted to put
a slide in here on this.
It's really the first two things on this slide.
It's the push notification fatigue where, and that's
happened in cases we responded to, where we just keep jamming,
if you are an attacker, jam a bunch of push notifications to
somebody until they just hit yes, I will take
that push negotiation.
Most of us don't have that problem anymore because we're
aware of ways to circumvent it.
Second thing is one-time passwords are timed
one-time passwords.
That's been overcome as well.
And the other three is where you want to go.
So, it's not good enough to say, yes, we do
multifactor authentication.
We have to do multifactor authentication that prevents
help desks from giving away one-time passwords or to prevent
the SIM swaps, because I'll tell you two things I can't fix with
rules and alerts, SIM swapping and your help desk is designed
to help people.
We are responding to some of the most devastating breaches
because bold, aggressive English native speakers are calling help
desks and helpers are trying to help them.
And they are getting one-time passwords set to access networks
and wreak havoc afterward.
So, make sure your MFA can withstand the social engineering
attacks that have gotten way better than in the past.
Better OPSEC and evasion.
I really just want to go to probably the infrastructure.
You know, I can tell you when people write malware, they don't
write malware that logs.
Fine.
And then the customized malware that we are seeing is starting
to leverage the – when they compromise edge devices,
it's leveraging code that's already there.
It's actually like appending Python to other, pre-existing
code so you can create a new URI to download to or something.
I would focus on the infrastructure.
We are seeing modern espionage groups and even criminal
elements recognize it is best to compromise your victim/target
from local IP addresses or same nation IP addresses.
And then another problem that we're seeing is really
compromising people when they are outside the enterprise.
And we all need to figure out a way to make sure we can protect
our employees when they are accessing enterprise resources
from outside the enterprise, from non-enterprise resources.
Compromising their homes, getting the key logger in there,
seeing the account information posted on different telegram
sites, is a real problem.
But when I look at this, the infrastructure is creating a lot
more difficult attribution, difficult rule sets.
And then living off the land techniques, almost every threat
group is starting to go to this.
Long story made short, we need better security operations
because we are going to have to be able to detect after the zero
day, after the exploit, what the attackers are doing the second,
third, and fourth stages of the MITRE attack chain.
Which brings me to this slide, which is to what are the top
five things we are seeing used or the TTPs after the breach.
You see them right here.
Detecting anomalous use of power shell, very important.
Detecting HTTP traffic or HTTPS traffic that's anomalous on your
network, very important.
Knowing lateral movement via RDP or noticing remote RDP from
outside your network, very important as well.
And service execution.
I haven't figured out a good one and maybe one of my folks will
catch them in the hallway on noticing file deletion,
but it is the fifth one.
And – but you need rules to detect, if you assume breach,
these things without a doubt.
So, that was a lot of bad news, right?
It's like attackers are innovating faster,
there's no risks or repercussions to attackers.
The reality is we are detecting attacks sooner than ever before.
We started recording dwell time – well, you can see it here.
In 2011, on every case that we responded to, and Mandiant
traditionally gets hired for the cases that are out of the scale
and scope where people do need our help.
So, we don't respond when people are five minutes
behind the problem.
Dwell time went all the way from 416 down to ten.
I think part of the reason the dwell time went from sixteen
days days down to ten is we did respond a little
bit more to ransomware.
People tend to notice when they have been ransomed.
Then the detection by source – I showed this slide to somebody
and they were like, is that good or bad?
I want to make this unequivocal.
You'd rather detect your own incidents than have a third
party detect it because they you can handle it
discreetly and on your terms.
Usually when you know from a third party, you've got to
wonder how many third parties know what happened to you.
But this is a great trend and you can see.
It was amazing to me.
When we first started responding to breaches in 2004, 2005, it
was basically 100% third party notification of
the breach to people.
You get down to 54%, I think that's real good.
I think that defense operations has improved about as well as
the offense is innovating.
So, not a bad year for either side.
Ransomware has evolved, no question about it.
There's a lot of reasons for this.
Every company has heard of ransomware.
Most companies, even including going from the 1A
enterprises down to small to medium businesses, are
preparing for it.
You have companies that have said we've identified
our assets that matter.
We have backed up those assets.
Those assets include active directory and configuration
files for critical components of our business.
We have made sure our backups are safe.
We have done tabletop exercises with the board that has us
literally simulate having the worst ransomware we could ever
have happen to us.
We have gone to our identities and looked at creep and scope
and we've shrunk our identity access for a lot
of different accounts.
And you get the idea.
We network segmented.
And you go through all the things.
I can tell you where people are at.
Not many companies have now dry runned how do we operate the
business if we get ransomed and we don't have
these 10,000 servers?
And I can tell you the number one question every board has and
every executive has once ransomware does hit you, how
long before we're up?
It's hard to answer that question until you have to but I
think almost every company that we work with, and 1A enterprise,
has gotten to that stage of we know what we'll do when there's
a ransomware attack and we've done our best to
reduce the blast radius.
So, we've gotten good.
However, the TTPs have evolved and it's creating more pain
through dealing with if they do get in and do get data, sharing
data with reporters, making it so that the pain for executives
is exceptionally high.
I don't want to give too many examples of this because it's
too many good ideas for threat actors but it's just amazing to
me now when you have been ransomed, it's more likely than
not you will be extorted and it's more likely than not you
will start getting other activities and communications
from the ransomware actors.
Boards are definitely more engaged than ever
before in cybersecurity.
That's a trend that's been going like this all along.
I think there's a couple of reasons but very
first and foremost, boards read the headlines.
There's a lot of headlines right now.
Second thing is boards go where sometimes there is regulation.
When you see the US government's Security and Exchange Commission
saying to every publicly traded company, over 4,500 companies,
you have to have the following reporting requirements annually
on your risk management for cyber and your governance for
cyber, you get the board's attention.
Boards are there to provide oversight to companies.
And we are seeing that that oversight has been mandated and
we have to communicate it.
But there's just a lot of reasons why globally, between
sovereign data laws, privacy laws, and cybersecurity
standards, legislation, and regulations that are emerging,
boards are very engaged.
And I think this has been the best year in my career, I
started working in cybersecurity in 1993, that I saw the defense
accelerate with public and private sharing.
And I will go through two examples.
I can only pick one to elaborate on.
Probably the second one.
First one is secure by design.
Every nation, when you are a software vendor, you are
thinking about this.
There is a lot of reasons for it.
One, the government is saying, hey, here is secure by design.
It's signed by many different agencies.
The second reason for it actually is a civil complaint
filed against SolarWinds where they kind of say your software
development lifecycle was below the line period.
So, when you see those sort of things, companies take notice
and decide we are going to take it seriously.
But one of the things that happened within the last month,
month and a half, is the Cyber Safety Review Board here in the
United States under the Department of Homeland Security
issued a report on a breach that occurred in 2023 to a cloud
provider that – where there was a key, a token signing cert that
was seven years old used to mint tokens and one-time
authentication for a really, really big scope for
the access of email.
But what I want to focus in on is the twenty-five
recommendations that was done in that report for all of the cloud
service providers as well as the US government.
And I can kind of sum them up but one of the things
was do victim notification.
If you are a cloud service provider, tell people
when you believe they have been compromised.
Find a method to do that.
There is another one called how about great logging that comes
with what you are paying for so that you can audit security
events in your network.
Better identity and access management was
throughout the report.
And then transparency.
The thought that if you have a vulnerability as a cloud service
provider, you've got to provide it, and you should share with
all of your customers what your security practices are.
So, I put recommendation seven in the report right in the slide
so you can see it because when I read it, I went,
wow, that's something.
That is a recommendation that says every year, the major cloud
providers that provide services to the government are going to
say here is our security practices and here is how we are
doing on your recommendations, so that all of us can make
choices based not just on availability, but make choices
based on security.
And very quickly because I'm over time, we get to talk to
CISOs when they are under duress.
For all the CISOs in the room, this is only seven or eight of
the constant themes that come up every time.
And I didn't put them in any particular order at all.
So, if these are the things you are thinking about as a CISO,
you are right on par with thousands of CISOs.
With that, I would like to thank all of you for your time.
5.0 / 5 (0 votes)
Lesson 5 – Cybersecurity and Hacking
SharpTongue pwning your foreign policy, one interview request at a time - Tom Lancaster (Volexity)
Risk-Based Alerting (RBA) for Splunk Enterprise Security Explained—Bite-Size Webinar Series (Part 3)
Java 17 to 21: A Showcase of JDK Security Enhancements
The BEST 4-2-3-1 CUSTOM TACTICS - 4-2-3-1 20-0 Instructions & Tips for FC24
Doing History with Zotero and Obsidian: Archival Research