Brewing Cybersecurity Insights

Author: CyberSec_Cafe (Page 1 of 4)

The Digital Shadow

Shadow and Ghost Data in cloud computing.

It is a pleasure to present an article in collaboration with Fabrizio Saviano.

Fabrizio is a dynamic cybersecurity leader with extensive experience as a Chief Information Security Officer (CISO) for top companies. He also served as an Intrusion Squad Officer at Polizia Postale, bringing a wealth of knowledge in cyber defense and security strategy. Fabrizio is the author of three influential books, including Cybercognitivismo and Come non essere spiati su internet, which explore the nuances of digital privacy and cybersecurity. His work combines practical expertise with a passion for educating others on navigating the digital world safely.

So without further ado…

Shadow Data and Ghost Data in the Era of Cloud Computing

In the era of cloud computing, data security has become a major concern for both individuals and organizations. Beyond the well-known concept of Shadow IT, two lesser-known but equally dangerous phenomena are emerging: Shadow Data and Ghost Data. These represent a new frontier in cybersecurity, bringing unique challenges and significant risks that need to be addressed with care and awareness.

Shadow IT: The Hidden Precursor

Before delving into Shadow Data and Ghost Data, it is important to understand the context in which they emerge. Shadow IT refers to the unauthorized use of cloud services such as WhatsApp, Gmail, WeTransfer, or Dropbox within an organization. These tools can be useful but create security, compliance, and cost control issues when used without IT department supervision.

Shadow Data: The Hidden Threat in the Cloud

Shadow Data is an extension of the concept of Shadow IT. It involves content that is improperly uploaded, saved, and shared on cloud storage platforms like Microsoft OneDrive, Google Drive, or Amazon Web Services. Their elusive nature makes it difficult for corporate IT security teams to monitor and protect this data. Risks associated with Shadow Data include insecure sharing, indexing of sharing URLs by search engines, and exposure of sensitive data.

One of the most evident dangers is vulnerability to online searches. Often, URLs used to share data can be discovered through hacking techniques like Google Dorks, making information potentially accessible to anyone. Additionally, incidents like those involving Amazon’s S3 storage have shown that even the most reliable cloud services can be vulnerable.

Ghost Data: The Phantom of Digital Past

Ghost Data represents an even more insidious risk. These are data that users believe they have deleted from cloud services but actually persist in providers’ storage systems. This phenomenon underscores a fundamental truth: data deletion in the cloud is not always permanent. The origins of Ghost Data can vary from incomplete file deletion to device disposal without proper data erasure, to loss or theft of inadequately protected devices.

The Extent of the Problem: Alarming Data

Recent research has revealed worrying data about the impact of Shadow Data and Ghost Data. It is estimated that 60% of security problems in cloud accounts stem from unprotected sensitive data. Furthermore, about 30% of analyzed cloud data stores contain Ghost Data, with 58% of this data including sensitive or highly sensitive information. These numbers highlight the urgency of addressing the issue of Shadow and Ghost Data seriously and proactively.To mitigate the risks associated with Shadow Data and Ghost Data, a multi-layered approach is essential.

First and foremost, user education and awareness are crucial. Users must be trained on the risks of improper data sharing and correct privacy practices in cloud services. It is also important to promote the use of strong passwords and develop a culture of cybersecurity within the organization.

Monitoring and Control are equally crucial. Companies should implement software for identifying and analyzing Shadow and Ghost Data, establish clear policies for their management, and conduct periodic reviews of data present in cloud systems and company devices.

Proactive protection includes using encryption tools for sensitive data and implementing secure backup systems. Additionally, solutions for secure and permanent data deletion are essential to ensure that deleted data cannot be recovered in the future.

Shadow Data and Ghost Data represent a growing challenge in the cybersecurity landscape. With the continuous evolution of cloud technologies and increasing reliance on these services, it is crucial that individuals and organizations remain vigilant and proactive in managing their digital data. The cybersecurity of the future will not only be a matter of advanced technology but also awareness and responsible behavior. Only through continuous and conscious commitment can we hope to navigate safely through the increasingly deep and complex waters of the digital world.

Holding Software Vendors Accountable for Security Breaches

A Call for Vendor Accountability

Sixteen years ago I just started my career in Information Security (cyber was not a thing yet) and I remember that Bruce Schneier, a renowned security expert, was arguing that software vendors should be held liable for the security flaws in their products. In a 2008 article, Schneier highlighted the economic inefficiencies stemming from insecure software, noting that the costs of these insecurities are unfairly borne by users and organizations rather than the vendors themselves.

Despite the passage of time, the landscape has not significantly changed. So many vendors continue to transfer (yes transfer as in a Risk Management Strategy) the risk of security breaches to their clients, leaving them to deal with the eventual fallout. Schneier’s argument remains compelling today.

By making vendors financially responsible for security breaches, we can realign incentives to prioritize secure software development. This shift is crucial in an era where data breaches are increasingly common and costly.

Something changed with the California Consumer Privacy Act back in 2018. It was a good beginning (I know it wasn’t enough but we have to start somewhere). The introduction of the Cyber Resilience Act (CRA) is another step in the right direction.

The SSO Tax: A Barrier to Security

One issue that exemplifies the misalignment of incentives in the software industry is the so-called Single Sign-On (SSO) tax. The SSO tax refers to the additional charges that software vendors impose for providing SSO functionality, a feature that enhances security by allowing users to access multiple applications with a single set of credentials. While SSO can significantly improve security and streamline user experience, many vendors place it behind expensive paywalls.
You can find some examples in the SSO Wall of Shame. Increases range from +10% to 49900%. I really like their example: “Imagine buying a car and the manufacturer asks for an extra payment to unlock 100% of the braking power. Not offering security features if they already exist in your product means a vendor doesn’t care about your security.”
Sadly, the result is that this pricing strategy not only hinders the adoption of essential security features but also exacerbates the economic burden on smaller organizations, which are often the least equipped to handle security breaches.

The Privacy by Design and Privacy by Default Principles

The European General Data Protection Regulation (GDPR) introduced 8 years ago the principles of Privacy by Design and Privacy by Default, which mandate that data protection measures should be integrated into the development of business processes and systems from the outset. In particular, Privacy by Default mandates that the highest privacy settings should be the default configuration, which includes robust authentication mechanisms.

In short, these principles aim to ensure that personal data is adequately protected throughout its lifecycle, minimizing risks and enhancing user trust.
Am I the only one seeing this, or could charging these kinds of fees for basic security features like SSO or MFA be seen as contrary to these principles?

The Cyber Resilience Act: Another Step Forward

The European Union’s Cyber Resilience Act (CRA) is a recent legislative effort aimed at improving cybersecurity for products with digital components. The CRA introduces mandatory cybersecurity requirements for manufacturers and retailers, ensuring that products are secure throughout their lifecycle. This includes harmonized rules for bringing products to market, obligations for planning, design, development, and maintenance, and a duty of care for the entire lifecycle of such products.While the CRA is a significant step in the right direction, it is not enough on its own. The Act addresses many issues, such as the low level of cybersecurity in many products and the lack of adequate security updates. However, it does not fully resolve the problem of vendor accountability. The CRA mandates that products must meet certain cybersecurity standards, but it does not go far enough in holding vendors accountable for breaches caused by their products.

Conclusion: Aligning Incentives for Better Security

The call for vendor liability in the event of security breaches is more relevant than ever.
The current economic model does not incentivize vendors to prioritize security. By imposing liability, we can ensure that vendors take the necessary steps to secure their products, ultimately benefiting consumers and the broader market. Moreover, the SSO tax and similar practices undermine the principles of Security/Privacy by Design and by Default.
In conclusion, holding vendors accountable will force them to eliminate additional costs for essential security features. This would be a critical step towards a safer digital environment.
It is time for policymakers, industry leaders, and Data Protection Authorities to create a framework that prioritizes security and fairness for all users.

Is the CIA Triad Enough for Today’s Cybersecurity Challenges?

The Parkerian Hexad

Yesterday, the first of May, Fabrizio Cilli and I engaged in a deep discussion about the adequacy of the CIA triad in today’s cybersecurity practices, particularly in the context of AI, OT, and connected devices, where safety is a significant concern. Our conversation was sparked by a thought-provoking post, which suggested to dust off the Parkerian Hexad that foresee the addition of three dimensions to the traditional CIA Triad, emphasizing the need to expand our security models to ensure AI systems are also safe for human use.

CIA-S

Tom Cornelius’ alternative model, the CIAS, incorporates Safety into the traditional CIA Triad. This model acknowledges the limitations of the CIA Triad in the era of AI, IoT, and OT, where the safety component becomes essential for guiding risk management decisions. Also this model reflects a growing recognition that cybersecurity Risk Assessment frameworks must evolve to address the complexities of modern technology.

Different dimensions

In my humble opinion, Safety and the CIA components may indeed operate on different dimensions. A breach in integrity, for example, could have direct implications for safety, showing that these aspects are intertwined yet distinct. When considering risk, it’s clear that cyber risk and safety risk are two interlinked concerns that must be assessed together.

An integrated multidimensional Physical-Cyber security approach

Today, I had the opportunity to read Enrico Frumento’s work, which presents an integrated IT-OT assessment and governance model for improved holistic cybersecurity
This approach considers the IT and the physical world as separate with an overlap, – and this resonates with our discussion

Areas of IT-OT security. Source: Ghaznavi, 2017.

Moreover this approach also introduces the idea of evaluating a different dimension of safety, as well as another dimension of trust, which is becoming increasingly relevant in the AI field.

This leads us to a multi-layered cyber risk analysis framework, such as the one depicted in the image below. This framework calls for a comprehensive approach to cybersecurity, covering layers from the geographic and physical levels up to the government layer. Each layer represents a domain of existence and a potential vector for cyber threats, requiring a thorough analysis to secure all fronts.

Cyber-Terrain Model layers. Source: Riley, 2014.
Cyber-Terrain Model layers. Source: Riley, 2014.


Incorporating Safety and Trust into this multi-layered model is a logical step, as it allows us to address the nuanced ways in which different layers can impact human safety.

For instance, a vulnerability at the network layer could compromise the safety of an OT system, leading to real-world consequences. By adding Safety as an explicit layer or dimension to this framework, we ensure that risk analyses account for potential physical harm to individuals and society, not just data and system integrity.

Conclusion

In conclusion, while the CIA Triad has served as a foundational model for cybersecurity and has stood the test of time, the evolution of technology demands that we expand our frameworks to include Safety and Trust.

A multi-layered approach might provide a logical structure for such an expansion, ensuring that we can protect against both digital and physical threats in an increasingly interconnected world.

IS Artificial Intelligence now closer to Human Intelligence?

My buddy Fabrizio Cilli (previously a guest on my blog) just shared this with me

Researchers have implemented an “inner monologue” to AI, enabling it to reason through problems much like humans, particularly in complex areas like math.

This innovation marks a significant leap towards bridging the gap between AI and human intelligence, promising a future where AI understands and solves problems on a deeper level. A truly groundbreaking moment in AI development!

Sources:

  • https://www.livescience.com/technology/artificial-intelligence/researchers-gave-ai-an-inner-monologue-and-it-massively-improved-its-performance
  • https://arxiv.org/pdf/2403.09629.pdfhttps://cybersec.cafe/23andme-and-us/

Elevating Business Resilience with Identity Threat Detection and Response (ITDR)

It is a pleasure to present a collaboration series of articles with Andrea Licciardi on ITDR.

As Senior Cybersecurity Manager at their Cyber Fusion Center, he spearheads proactive threat management.
Andrea Licciardi is a cybersecurity veteran with over 20 years of experienceand his encompasses security operations, risk identification, and cutting-edge defense tactics. He honed his skills at industry leaders like Leonardo and EY, where he led incident response and CERT/CSIRT services.
Moreover Andrea is a champion for AI integration in cybersecurity – he co-founded CISOs4AI (together with yours truly), a collective that advocates for AI as a game-changer in the fight against cyber threats.
Allow me to say that with Licciardi at the helm, the MAIRE Group is well-positioned for a secure and resilient digital future.

I believe that Andrea’s article will be interesting and valuable both to IT professionals and business leaders, as it offers a holistic perspective on the management of cyber threats, laying the groundwork for a stronger and more aware security culture within organizations. Our hope is that, by sharing this knowledge, we can contribute to creating a safer digital environment for everyone.

So without further ado…

Elevating Business Resilience with Identity Threat Detection and Response (ITDR)

This article stems from the need to address one of the most critical challenges in the field of cybersecurity: the protection of digital identities. Through the analysis of the Identity Threat Detection and Response (ITDR) approach, we aim to provide organizations with a broad overview of cutting-edge strategies and technologies that can be adopted to mitigate the business risk associated with cyber attacks.

The goal is twofold: on one hand, to demystify the concept of ITDR, explaining in accessible terms what it means and what benefits it can bring to companies of every size and sector; on the other hand, to provide a practical guide on how to effectively implement these solutions, highlighting the importance of a proactive approach to identity security.

Mitigating Business Risk Through ITDR: A Strategic Approach to Identity Security

The security of information has ascended to become the linchpin of organizational integrity for enterprises across the globe. As digital footprints expand, so too does the vulnerability to cyber threats that lurk in the shadows, waiting to exploit any weakness. In this dynamic environment, where data breaches are not just a possibility but a prevalent reality, their consequences resonate beyond immediate financial losses, penetrating deeply into the fabric of an organization’s reputation. It is within this context that Identity Threat Detection and Response (ITDR) stands out as a beacon of defense, offering a sophisticated arsenal against the myriad of cyber threats that businesses face today. ITDR doesn’t merely respond to threats; it anticipates them, fostering a security posture that is both proactive and resilient. By safeguarding the most crucial asset in the digital realm—the identity—ITDR empowers organizations to navigate the cybernetic waters with confidence, ensuring that they are not only protected but also positioned to thrive in the face of cyber adversity.

Business Risk in the Digital Age

The landscape of business risk has transformed, becoming inseparably entwined with the realm of information security. The surge of cyber attacks not only poses a direct threat to the continuity of business operations but also strikes at the very heart of customer trust and regulatory compliance, potentially leading to a cascade of consequences that can diminish a company’s market value. The year 2023 has shone a spotlight on a particularly alarming statistic: a staggering 40% of security breaches have been traced back to the misuse of credentials, signaling a clear and present danger to organizations worldwide. This revelation underscores a profound realization – the traditional frameworks of Identity and Access Management (IAM) are being outpaced by the cunning strategies employed by modern cyber adversaries.

In this context, a cyber attack is no longer just an interruption; it’s a significant breach that can unravel the trust painstakingly built between businesses and their customers, expose companies to severe regulatory repercussions, and erode the foundational value that underpins their presence in the market. The reliance on conventional IAM methods is being challenged, revealing vulnerabilities that contemporary cyber threats exploit with alarming efficiency and sophistication. As we navigate this new era, the necessity for advanced protective measures that can adeptly shield against, detect, and neutralize these evolving threats becomes undeniable. The digital age demands a vigilance and a strategic foresight that extends beyond the perimeter of traditional security measures, urging businesses to reevaluate and fortify their defenses in the face of an ever-changing threat landscape.

The Importance of ITDR

ITDR represents a crucial evolution in the approach to cybersecurity, focusing on the detection and response to identity-specific threats. This approach not only strengthens an organization’s ability to prevent attacks but also ensures that response measures are ready to be activated in the event of a breach, thus minimizing damage and accelerating recovery. By implementing ITDR, companies can address detection gaps between IAM and security controls, thereby filling one of the most significant weaknesses in information security.

How ITDR Mitigates Business Risk

Strengthening Preventive Controls: Through the inventory of existing controls and the audit of the IAM infrastructure to detect misconfigurations, vulnerabilities, and exposures, ITDR helps companies bolster their first line of defense against cyber attacks.

  • Improving Detection: By selecting a focal point for identity alert correlation and detection logic that prioritizes identity-specific Tactics, Techniques, and Procedures (TTPs) over other detection mechanisms, ITDR enables companies to promptly identify potential threats before they can cause significant damage.
  • Optimizing Response: By building or updating playbooks and automation to include IAM enforcement within the steps taken to eradicate, recover from, report, and remediate identity threats, ITDR integrates IAM incidents into response and threat-hunting processes using existing security controls in the Security Operations Center (SOC).
  • Reducing Damage Impact: By rapidly implementing effective response measures, organizations can limit the extent of damage caused by a security breach, accelerating the recovery of operations and maintaining customer trust.

Data breach in 60 minutes: Acting Before It’s Too Late

Where a single compromised credential can herald a data breach in as little as an hour, the stakes have never been higher for businesses across the globe. This alarming reality underscores the critical need for organizations to adopt a robust stance against the specter of cyber threats, emphasizing the indispensability of cutting-edge security measures. Enter the realm of Identity Threat Detection and Response (ITDR), a beacon of hope in this turbulent digital sea. ITDR transcends traditional security measures by offering a proactive and strategic defense mechanism, intricately designed to detect and neutralize threats before they can inflict irreversible damage.

Imagine the scenario: the clock starts ticking the moment a cyber attacker breaches a digital perimeter. With each passing minute, the potential for widespread organizational disruption, loss of customer trust, and severe regulatory repercussions grows. In such a high-stakes environment, the speed and efficiency of ITDR systems stand as the vanguard against the relentless advance of cyber adversaries. By swiftly identifying and responding to intrusions, ITDR not only acts as a critical line of defense but also as a strategic asset, significantly mitigating the risk to business continuity and safeguarding the company’s invaluable digital assets.

In a world where digital threats are constantly evolving, becoming more sophisticated and elusive, the adoption of ITDR is not merely a recommendation; it is an imperative for survival. Through its advanced threat detection capabilities and rapid response mechanisms, ITDR equips businesses with the necessary tools to navigate the perilous waters of the digital age. It serves as a testament to the organization’s commitment to safeguarding its digital identity, reinforcing customer trust, and ensuring that operations can withstand the tempests of cyber warfare. As the digital landscape continues to expand, the role of ITDR in shaping resilient and secure business environments has never been more paramount.

Timely Response: Minimizing Financial and Reputation Impact

Speed is everything in the context of security breaches. An organization’s ability to detect and mitigate an attack before the damage spreads can make the difference between a minor inconvenience and a widespread crisis that can have significant financial and reputational repercussions. ITDR allows companies to:

  • Quickly Identify Threats: With attack techniques becoming increasingly sophisticated, ITDR provides the tools to promptly detect threats, reducing exposure time.
  • Respond Promptly: Through predefined playbooks and automation, ITDR facilitates a rapid and effective response, limiting the impact of attacks.
  • Deep Understanding of Threats: Beyond the Surface

ITDR is not limited to mere threat detection. It also provides a deep analysis of the tactics, techniques, and procedures used by attackers, offering security teams the necessary information to:

  • Prevent Future Attacks: Through understanding attack methodologies, organizations can adapt their defense strategies to prevent similar breaches in the future.
  • Train and Inform Personnel: Ongoing education on new attack vectors and security best practices is crucial to maintain a resilient organization.
  • Reducing Costs Associated with Breaches

A security breach can entail significant costs, not just in terms of compensation or sanctions but also regarding productivity loss and the expenses of restoring compromised systems. By implementing ITDR, organizations can:

  • Reduce Direct Costs: By minimizing the impact and duration of attacks, thus reducing recovery and restoration costs.
  • Avoid Indirect Costs: By protecting the company’s reputation and maintaining customer and stakeholder trust.
  • A Business Imperative: Protecting Identities

Protecting the identities is not just a matter of cybersecurity but a fundamental requirement for business continuity. ITDR supports organizations in:

  • Ensuring Operational Continuity: By maintaining the integrity of identity systems, organizations can ensure that critical operations remain uninterrupted.
  • Supporting Compliance: By helping to meet regulatory requirements related to data protection and identity management

What ITDR Is and Is Not

Identity Threat Detection and Response (ITDR) stands as a formidable guardian, dedicated to safeguarding the very essence of digital identity. This discipline, more than a mere set of tools or processes, embodies a comprehensive approach to protecting identity infrastructures against the ever-evolving spectrum of cyber threats. ITDR transcends conventional security measures by harnessing the power of advanced threat intelligence, amalgamating it with industry best practices, a rich repository of knowledge, and a suite of sophisticated tools designed to preemptively identify, meticulously investigate, and decisively respond to any indication of compromise.

Within its operational domain, ITDR’s main function unfurls as a dynamic triad: detect, investigate, and respond. Initially, it deploys an intricate web of detection mechanisms that vigilantly monitor for the faintest whispers of suspicious activities or unauthorized changes within the identity infrastructure. This proactive surveillance is the first line of defense against the insidious attempts of cyber adversaries to undermine digital integrity.

Upon detecting a potential threat, ITDR shifts into a meticulous investigative phase, dissecting and analyzing the nature of the suspicious activity. This investigative process is not a mere cursory glance but a deep dive into the digital ether, unraveling the complexities of the threat landscape to understand the how and why behind the attack vectors.

Finally, armed with a comprehensive understanding of the threat, ITDR orchestrates a targeted response designed to neutralize the threat, mitigate any damage, and restore the sanctity of the identity infrastructure. This response is not a blunt force but a carefully calibrated action, ensuring that the digital identity fabric of the organization remains intact and resilient against future attacks.

Yet, it is crucial to understand what ITDR is not. It is not a responsibility that rests on the shoulders of a single team or department but a collective endeavor that spans the entirety of the organization’s cybersecurity framework. Nor is it limited to the confines of protecting just the Active Directory (AD); ITDR casts a wider net, safeguarding against a broad spectrum of identity threats across various IAM systems and tools. Lastly, ITDR transcends being merely a tool in the Security Operations Center (SOC) arsenal; it represents a strategic, holistic approach to identity security, integrating seamlessly with other security measures to provide a robust defense against the cyber threats of the digital age.

In essence, ITDR is the embodiment of a proactive and strategic commitment to securing the digital identity ecosystem. It is a testament to an organization’s resolve to not just defend against, but to anticipate and neutralize threats, thereby ensuring the digital trust and continuity that are the bedrock of success in the digital age.

What ITDR Is:

  • A proactive and reactive approach to identity security.
  • Complementary to existing solutions like Network Detection and Response (NDR) and Endpoint Detection and Response (EDR), with a specific focus on identity infrastructure.
  • A unifier of tools and best practices to protect the integrity of identity systems, also essential for mature IAM and infrastructure security implementations.

What ITDR Is Not:

  • The responsibility of a single group; ITDR is a shared responsibility among IAM and infrastructure security teams.
  • Limited only to Active Directory (AD) security; ITDR includes detection and response to AD threats but goes beyond, covering a broader set of identity threats across various IAM systems and tools.
  • A SOC tool; tools like SIEM, SOAR, and XDR are active parts of a cohesive ITDR strategy, but most vendors in these markets lack the capability to detect identity threats based on user behavior rather than TTPs.

Prevention, Detection, and Response: Where ITDR Fits

  • PreventionThis is the first line of defense, focused on preventing attacks before they happen. It includes controls such as MFA, vulnerability management, and secure infrastructure configuration. While fundamental, prevention alone is not enough to stop all threats.
  • DetectionWhen preventive measures are bypassed, detection comes into play. Timely threat detection allows organizations to identify and isolate attacks before they can cause significant damage. ITDR positions itself here, offering an identity-focused mechanism to detect threats that might otherwise go unnoticed.
  • ResponseOnce a threat is identified, the response phase aims to mitigate the impact of the attack, eradicate the threat, and restore systems to their normal operational state. ITDR integrates identity threat response into existing response and threat-hunting processes, using security controls present in the Security Operations Center (SOC).

The Importance of ITDR in an Advanced Authentication Context

  1. Advanced Threat Detection: Even the most advanced passwordless and MFA technologies can be vulnerable to sophisticated tactics, such as social engineering or advanced phishing attacks. ITDR enables the detection of these advanced threats by monitoring unusual behaviors or suspicious access attempts.
  2. Prevention Completion: While MFA and passwordless raise the barrier against unauthorized access, ITDR complements this scenario with an additional layer of security, allowing organizations to quickly identify and respond to attacks, potentially reducing damage.
  3. Flexibility in Response: With attack techniques continuously evolving, ITDR provides organizations with the necessary flexibility to quickly adapt their response strategies, ensuring constant protection against new vulnerabilities and attack methods.

Prevention, Detection, and Response in the Passwordless and MFA Context

  • Prevention: MFA and passwordless act as robust preventive mechanisms, significantly increasing the difficulty for an attacker to gain unauthorized access.
  • Detection: ITDR comes into play when preventive measures are not enough, detecting suspicious identity-related activities that could indicate an attempt to bypass security measures.
  • Response: Once a threat is detected, ITDR facilitates a coordinated response, helping to mitigate the attack and restore the security of the identity infrastructure.

ITDR and Artificial Intelligence: A Strategic Alliance for Identity Security

The fusion of Artificial Intelligence (AI) with Identity Threat Detection and Response (ITDR) emerges as a beacon of innovation, casting new light on the battleground of cybersecurity. This era, marked by an explosion of AI-driven technologies, has ushered in transformative changes across myriad sectors, with cybersecurity standing at the forefront of this revolution. The integration of AI into ITDR is not just an addition to the arsenal against cyber threats; it represents a paradigm shift, promising to enhance the effectiveness and efficiency of how digital defenses are orchestrated.

This strategic alliance between AI and ITDR transforms the landscape of digital identity protection. It amplifies an organization’s ability to preempt, detect, and neutralize cyber threats with unparalleled precision, thereby fortifying the bastions safeguarding digital identities. This synergy does more than just augment detection and response mechanisms; it heralds the dawn of new horizons in the realm of digital identity security, promising a future where the sanctity of digital personas is preserved against the ever-evolving threats that roam the cyber ether.

Enhancing Threat Detection with AI

The application of AI in ITDR radically transforms how threats are identified. AI-based solutions are capable of analyzing vast volumes of data in real-time, learning from attack patterns and continuously adapting to identify suspicious behaviors with unprecedented precision. This approach offers significant advantages:

  • Proactive Detection: AI can identify subtle signals of imminent attacks, allowing organizations to act preventively.
  • Minimization of False Positives: Thanks to the ability to learn from data, AI constantly refines its detection criteria, reducing unjustified alarms that can overwhelm security teams.
  • Rapid and Automated Response

Integrating AI into ITDR not only improves threat detection but also the speed and effectiveness of responses. AI solutions can automate many actions required to mitigate a threat, from isolating compromised systems to resetting access credentials, to notifying relevant teams. This allows for an almost instantaneous response that can mean the difference between a contained incident and a disastrous breach.

Predictive Analysis and Continuous Learning

One of the most transformative aspects of using AI in ITDR is its capacity for continuous learning. By constantly analyzing past and present attacks, AI not only improves its detection and response capabilities but can also anticipate future trends and emerging vulnerabilities. This predictive approach enables organizations to:

  • Adapt Defense Strategies: By anticipating attackers’ moves, companies can proactively strengthen defenses in the most critical areas.
  • Targeted Training: With a deeper understanding of the most likely attack techniques, organizations can develop more effective training programs for their staff.
  • Beyond Security: AI as a Strategic Ally

The integration of AI in ITDR goes beyond the technical aspect of security. It supports a broader strategic vision that includes:

Resource Optimization: By automating detection and response functions, AI frees up valuable resources that can be reallocated to broader strategic initiatives.

Data-Driven Decisions: AI provides valuable insights from security data analysis, supporting business decisions with concrete and timely information.

Conclusion

The adoption of ITDR (Identity Threat Detection and Response) solutions represents a fundamental pillar for the security strategies of organizations in the digital age. Through a proactive and reactive approach, ITDR not only strengthens defenses against the continuously evolving cyber threats but also ensures a rapid and effective response in the event of incidents, mitigating business impact.

Summary of Key Points:

  • Mitigating Business Risk: ITDR is essential for addressing the challenges posed by modern threats, offering a holistic approach that protects the integrity of digital identities and maintains the trust of customers and stakeholders.
  • The Importance of Prevention, Detection, and Response: Through the integration of robust preventive controls, advanced detection mechanisms, and agile response strategies, ITDR provides an unprecedented level of protection against security breaches.
  • Synergy with Advanced Technologies: The incorporation of artificial intelligence (AI) into ITDR amplifies detection and response capabilities, allowing organizations to anticipate and neutralize threats before they can cause significant damage.

ITDR is not just a technical response to cyber threats but a critical business strategy that safeguards operations, reputation, and business continuity. Implementing ITDR means adopting a visionary approach to security, recognizing that the protection of digital identities is fundamental for long-term success and growth.

Organizations should therefore consider ITDR not as a cost, but as an investment in their future resilience and sustainability. With the right commitment to implementing and optimizing ITDR solutions, companies can not only navigate safely through today’s complex and rapidly evolving digital landscape but also position themselves to thrive in an increasingly interconnected and technology-dependent future.

But Wait, There’s More!

This dive into ITDR is just the beginning. We’ve got more up our sleeves, so stay tuned for follow-up articles where we’ll explore new strategies, dive deeper into AI’s role in cybersecurity, and share real-world success stories. The world of ITDR is vast and ever-evolving, and we’re here to guide you through it, every step of the way. Keep an eye out—there’s plenty more where this came from!

An Imaginary Discussion Between the Italian DPA and OpenAI’s CTO

In the realm of AI and privacy, transparency isn’t just a buzzword—it’s a cornerstone.

Following my recent dive into the Italian Data Protection Authority’s actions, a new question emerges, spotlighting the foggy waters of AI transparency.

Garante: “What are the sources of the training data for SORA?”

OpenAI CTO: “We don’t know.”

And there it is. The quest for clarity meets a wall of uncertainty. This response from OpenAI’s CTO underlines a pivotal challenge in AI governance: ensuring transparency. As Europe navigates the GDPR’s stringent demands for personal data protection, one can’t help but ponder: how will this lack of transparency fare in the European legal landscape?

Yeah, I hear you. I know, I know that OpenAI won’t probably answer that to the Italian DPA, but still…

To be continued…

23andMe, and Us?

It is a pleasure to present a collaboration article with Fabrizio Cilli.

As a dedicated cybersecurity enthusiast and pioneer, Fabrizio’s journey has been marked by global experiences, from Rome to the most advanced innovation hubs of North America and Asia, and through historical transformative projects in the Middle East. At Telecom Italia, he played a key role in the early days of Security Operations Centers (SOC), setting the stage for leadership positions that influenced cybersecurity advancements across sectors.

Leading as the Chief Information Security Officer (CISO) at Open Fiber, Fabrizio was pivotal in building a robust cybersecurity framework from scratch, marking achievements like the formation of XIRT (Any Incident Response Team) and striving for ISO 27001 certification. His work extended globally with renowned firms such as Datamat, Accenture, RESI/IPS, and EMC, where he focused on integrating cloud security, managing mergers and acquisitions, conducting due diligence, and safeguarding critical infrastructure.

A passionate advocate for the integration of artificial intelligence in cybersecurity, Fabrizio collaborated with the Italian Digitalization Team (Team Digitale) and co-founded the collective CISOs4AI (together with yours truly) and other great minds, underlining his commitment to harnessing AI for overcoming security challenges. His career is a testament to overcoming challenges, pushing boundaries, and fostering innovation, with a clear mission to cultivate a security-first mindset, drive technological empowerment, and ensure cybersecurity serves as a foundation of trust and resilience in our digital age.

So without further ado…

23andMe, and Us?

It all started from a response letter by 23andMe legal department, after CISO and some other directors had sold their stock options before the incident disclosure.

Facing an onslaught of lawsuits, 23andMe is denying liability for millions of users’ genetic records leaked last fall.In a letter sent to a group of users suing the company obtained by TechCrunch, lawyers representing the biotech company laid out a case that users were to blame for any data that may have been exposed.

It would be fantastic to have oversight and complexity requirements in place. Requiring multiple authentication factors has always been a key tool to prevent breaches from occurring. Companies like Microsoft, Google, Amazon, telecoms, banks, insurers, and healthcare providers all carefully control account access. They do this not just for prevention, but also to demonstrate maximum diligence. This is in a context where co-responsibility between companies and users is inevitable.

And if the responsibility of the external user is passed on as a “charter of rights and duties” (perhaps in terms and conditions between company and user), should we then consider that in a company, if it is discovered that a breach originated from a weak password (one of those in the annual most common lists) of an employee user, the latter falls into a scope of “bad faith” such as to stimulate an investigation for administrative liability? 

I mean, how much can responsibility be shifted to the user, given current standards for verifying the suitability of access control and administration measures (even more so for administrative accesses)?

Let’s talk about it, but if I think about Uber and SolarWinds, and then focus on 23andMe, and all the hospital ransomwares lately…I get a headache.

So if at the italian occurrence of attack to ASL1 L’Aquila, we understand that “it all started from a user with a weak password” or in the attack to MediBank Australia, a “user” propagated the attack, do we charge the 5 billion AUS Dollars to them and just move on? 👀😅

Such cases and similar situations, which we all know too well (and some scenarios we have experienced together, with some fellow CISO), where a user just leaves the doors open, what happens to these? Do we chase/investigate our own users? Could they be held responsible for the resulting damage? And on what rule and norm?

I want to clarify: full and robust user responsibility would be a breath of fresh air for most colleagues with millions users, but does this possibility even exist in current practice, that you are aware of? 👀

It is clear that the user who allows an attacker to use a “native” function is not ideal, but every low and slow attack and every APT we fight stems from the fact that we consider the user (I’m getting close to zero “user” trust theory) as potentially malicious or compromised.

So if a Sino-Russian-North Korean or Italo American criminal, with fake documents enters, and with that function manages to view data from thousands of other people, would we not notice? Is the system designed to prevent repeated abuse? Would GDPR minimization, applied to this processing, have required that it not be possible for example to “accumulate” sensitive data like this, but maybe only view genetic closeness, and then request direct contact? How did they design the registry at 23andMe?

When I say data is the lifeblood of a company I mean it seriously. If the lifeblood becomes poisoned, or too much comes out, the plant dies. 🌵🏜️

And then the dilemma: if one of “our” internal users blatantly violates a policy, procedure, and playbook, and leaves admin admin, while doing the ceremonial of an HSM, and we basically lose all our secrets?

Are we (the company) or is the user (colleague) administratively responsible? (And here the insurance systems on AdS come into play…)

It is certainly a good debate.

But in the end I believe there are various safe passes, both for users and colleagues, when it comes to access and management of technologies and privileges imposed on them.

The “good family man” remains the company, the multitude of individuals who manage the systems are its own, with its procedures and internal and external regulations. It is not a 1-to-1 relationship with the user, it is a many-to-1 or many-to-many relationship.

The Regulations we advertise, and for which we request flags, signatures etc., exist precisely to ensure they are not violated, due to boredom and lack of reading or reconciliation.

The Countermeasures we implement guarantee controls, and verify that the healthy behaviors we ask to assume are assumed, by those who use our systems and services, preventing them from circumventing them to facilitate the user experience.

Of course it is true that if we do not solve the problem of “passwords”, it is like having a low cipher forced by incompatibility, and not being able to apply a patch for life…

Perhaps this is what Sam Altman is aiming for with his WorldCoin startup: the full and unequivocal recognizability of the user… Will he make it?

And how will 23andMe end up?

There is very much at stake and an ongoing court case, that didn’t really start on the best terms.

Now, I don’t mean to make light of this situation, but the reality is that: Cybersecurity maturity needs to be embedded in a company’s very DNA. It requires integration, communication, and transparency primarily between the business itself and its clients.

Or it won’t work. In a fully digital world, you need fully digital cyber protection. Your business doesn’t sleep, crooks do not sleep, your clients are cycling around the world and guess what? They are not sleeping at the moment.

If it was enough to have “security” across the company, and “secure by design” software, today it’s about having a “secure by design company” and “software security” in place.

Word games? No, it’s the real deal.

You can get wiped out from the market.

And now the bombshell that will make you think: in such a scenario, even your competition can harm your core business by means of criminal hackers.

Resilience, and security by design with zero-trust: it’s worth it.

Exciting Collaborations on the Horizon: Gear Up for Cyber Insights!

Greetings, fellow cyber enthusiast! I’m back!

For those who missed me the reason is to be ascribed to my recent job change.

I’m thrilled to announce that in the next months I will be speaker to a couple of interesting events in Milan. The next one is the 12th of March and of course I’ll talk about AI Cybersecurity.

Back to the main news: in just a few days, I’ll be embarking on a series of captivating collaborations with some esteemed minds in the cybersecurity field in Cybersec.cafe and I’ll be guest of another blog that will be revealed in due time.

Buckle up, because we’re diving deep into valuable insights you won’t want to miss. While I can’t reveal all the surprises just yet, let me assure you that these partnerships will bring together diverse perspectives and a wealth of experience. We’ll be tackling some pressing issues in the world of cyber.

The next guest will be Fabrizio Cilli and he will discuss the 23andMe breach and its implications in terms of shared responsibility in cybersecurity – sorry I won’t disclose more as spoiler is a capital crime nowadays but trust me, you won’t want to miss this!

Stay tuned for further details future announcements.

See you soon!

P.S. Want to be the first to know when the collaborations kick off? Follow me on linkedin and keep an eye out for updates!

How to Keep You Safe Online

Proactive Measures for Cyber Safety

Over the years, many have approached me with questions about online security, reflecting a growing concern in our digital age. The importance of safeguarding one’s personal identity online truly cannot be overstated. Not only does good cyber hygiene benefit individuals, but it also extends to the organizations where they work. When people grasp the basics of cybersecurity, they’re better equipped to apply these principles in their professional environments, fortifying the digital defenses of their companies. With cyber threats becoming more frequent and increasingly sophisticated, it’s imperative for everyone to adopt proactive measures to protect their digital identities.

Here are some guidelines to ensure your online safety:

  1. Think Before You Click: More than 90% of successful cyber-attacks start with a phishing email. If you encounter a link you don’t recognize, trust your instincts and think before you click.
  2. Use Strong Passwords and change default ones: Until we can move to passwordless avoid common passwords like “password” or “123456”. Ensure your password is long (at least 14 characters especially if MFA is not enabled), unique, and randomly generated. Consider using a password manager to generate and store unique passwords. Many devices, including modems and routers, come with default passwords. Always change these to unique, strong passwords to prevent unauthorized access. This applies also to your mobile device, use a PIN/passcode (not your date of birth or “0000” or “1234”)
  3. Use Multi-Factor Authentication (MFA): MFA provides an additional layer of security by requiring two or more verification methods. We already discussed how to choose one method, for instance here. This applies also to your mobile device, secure it with biometric feature (e.g. fingerprint or face recognition).
  4. Stay Updated: Ensure all your software, including the operating system, is up-to-date. Cybercriminals often exploit vulnerabilities in outdated software. Whenever you receive notifications for software updates, install them promptly. Even better, turn on automatic updates.  
  5. Be Cautious with Software: If you didn’t actively seek out a software, an app or browser add-on, don’t install it. Conversely, uninstall software or applications you no longer use. This approach not only declutters your system but also reduces potential entry points for cyber threats.
  6. Avoid public or untrusted WIFIs: avoid those WIFIs especially when accessing or providing sensitive information, such as bank accounts, online shopping, etc. The same applies also for and unknown or untrusted storage devices, such as USBs, that can be used to transfer malware on to your device. Avoid those as well.
  7. Consider Using a VPN: Virtual Private Networks (VPNs) encrypt data transmitted between your device and the server. This ensures that your online activities remain private and secure, especially if you really need to use public Wi-Fi networks. However, not all VPNs are created equal. It’s essential to choose a trusted provider, as VPNs are entirely based on trust. You must be aware of the data protection laws of the VPN provider’s home country and any potential extra-legal pressures they might face.
  8. Ensure your valuable data is stored in an appropriate location and backed up regularly. Cybercriminals may encrypt your data so they can extort money from you. If you do become a victim of this, it is often impossible to decrypt the data, so you will have to rely on backups. To avoid this ensure valuable data is stored on approved secure storage services (not shared widely and encrypted) and backed up in the event of loss or damage.
  9. Bookmark Important Sites: Instead of clicking on email links that seem to come from trusted organizations, use bookmarks in your web browser to access important sites. This reduces the risk of landing on a phishing site.
  10. Don’t overshare on social media: Scammers often use social media to gather information about people. They may use this information to guess your passwords, use it in a social engineering scam, or impersonate you when applying for credit cards, bank loans, or even commit crimes. Also regularly review your social media access settings to understand who can see information you share and ensure it is restricted appropriately.

What do you think? Are these all the steps we should take to ensure our online safety?

Do you follow all these best practices? Share your thoughts and experiences in the comments below!


Sources:

« Older posts

© 2024 CyberSec.Cafe