Brewing Cybersecurity Insights

Category: Cybersec.cafe

Holding Software Vendors Accountable for Security Breaches

A Call for Vendor Accountability

Sixteen years ago I just started my career in Information Security (cyber was not a thing yet) and I remember that Bruce Schneier, a renowned security expert, was arguing that software vendors should be held liable for the security flaws in their products. In a 2008 article, Schneier highlighted the economic inefficiencies stemming from insecure software, noting that the costs of these insecurities are unfairly borne by users and organizations rather than the vendors themselves.

Despite the passage of time, the landscape has not significantly changed. So many vendors continue to transfer (yes transfer as in a Risk Management Strategy) the risk of security breaches to their clients, leaving them to deal with the eventual fallout. Schneier’s argument remains compelling today.

By making vendors financially responsible for security breaches, we can realign incentives to prioritize secure software development. This shift is crucial in an era where data breaches are increasingly common and costly.

Something changed with the California Consumer Privacy Act back in 2018. It was a good beginning (I know it wasn’t enough but we have to start somewhere). The introduction of the Cyber Resilience Act (CRA) is another step in the right direction.

The SSO Tax: A Barrier to Security

One issue that exemplifies the misalignment of incentives in the software industry is the so-called Single Sign-On (SSO) tax. The SSO tax refers to the additional charges that software vendors impose for providing SSO functionality, a feature that enhances security by allowing users to access multiple applications with a single set of credentials. While SSO can significantly improve security and streamline user experience, many vendors place it behind expensive paywalls.
You can find some examples in the SSO Wall of Shame. Increases range from +10% to 49900%. I really like their example: “Imagine buying a car and the manufacturer asks for an extra payment to unlock 100% of the braking power. Not offering security features if they already exist in your product means a vendor doesn’t care about your security.”
Sadly, the result is that this pricing strategy not only hinders the adoption of essential security features but also exacerbates the economic burden on smaller organizations, which are often the least equipped to handle security breaches.

The Privacy by Design and Privacy by Default Principles

The European General Data Protection Regulation (GDPR) introduced 8 years ago the principles of Privacy by Design and Privacy by Default, which mandate that data protection measures should be integrated into the development of business processes and systems from the outset. In particular, Privacy by Default mandates that the highest privacy settings should be the default configuration, which includes robust authentication mechanisms.

In short, these principles aim to ensure that personal data is adequately protected throughout its lifecycle, minimizing risks and enhancing user trust.
Am I the only one seeing this, or could charging these kinds of fees for basic security features like SSO or MFA be seen as contrary to these principles?

The Cyber Resilience Act: Another Step Forward

The European Union’s Cyber Resilience Act (CRA) is a recent legislative effort aimed at improving cybersecurity for products with digital components. The CRA introduces mandatory cybersecurity requirements for manufacturers and retailers, ensuring that products are secure throughout their lifecycle. This includes harmonized rules for bringing products to market, obligations for planning, design, development, and maintenance, and a duty of care for the entire lifecycle of such products.While the CRA is a significant step in the right direction, it is not enough on its own. The Act addresses many issues, such as the low level of cybersecurity in many products and the lack of adequate security updates. However, it does not fully resolve the problem of vendor accountability. The CRA mandates that products must meet certain cybersecurity standards, but it does not go far enough in holding vendors accountable for breaches caused by their products.

Conclusion: Aligning Incentives for Better Security

The call for vendor liability in the event of security breaches is more relevant than ever.
The current economic model does not incentivize vendors to prioritize security. By imposing liability, we can ensure that vendors take the necessary steps to secure their products, ultimately benefiting consumers and the broader market. Moreover, the SSO tax and similar practices undermine the principles of Security/Privacy by Design and by Default.
In conclusion, holding vendors accountable will force them to eliminate additional costs for essential security features. This would be a critical step towards a safer digital environment.
It is time for policymakers, industry leaders, and Data Protection Authorities to create a framework that prioritizes security and fairness for all users.

Is the CIA Triad Enough for Today’s Cybersecurity Challenges?

The Parkerian Hexad

Yesterday, the first of May, Fabrizio Cilli and I engaged in a deep discussion about the adequacy of the CIA triad in today’s cybersecurity practices, particularly in the context of AI, OT, and connected devices, where safety is a significant concern. Our conversation was sparked by a thought-provoking post, which suggested to dust off the Parkerian Hexad that foresee the addition of three dimensions to the traditional CIA Triad, emphasizing the need to expand our security models to ensure AI systems are also safe for human use.

CIA-S

Tom Cornelius’ alternative model, the CIAS, incorporates Safety into the traditional CIA Triad. This model acknowledges the limitations of the CIA Triad in the era of AI, IoT, and OT, where the safety component becomes essential for guiding risk management decisions. Also this model reflects a growing recognition that cybersecurity Risk Assessment frameworks must evolve to address the complexities of modern technology.

Different dimensions

In my humble opinion, Safety and the CIA components may indeed operate on different dimensions. A breach in integrity, for example, could have direct implications for safety, showing that these aspects are intertwined yet distinct. When considering risk, it’s clear that cyber risk and safety risk are two interlinked concerns that must be assessed together.

An integrated multidimensional Physical-Cyber security approach

Today, I had the opportunity to read Enrico Frumento’s work, which presents an integrated IT-OT assessment and governance model for improved holistic cybersecurity
This approach considers the IT and the physical world as separate with an overlap, – and this resonates with our discussion

Areas of IT-OT security. Source: Ghaznavi, 2017.

Moreover this approach also introduces the idea of evaluating a different dimension of safety, as well as another dimension of trust, which is becoming increasingly relevant in the AI field.

This leads us to a multi-layered cyber risk analysis framework, such as the one depicted in the image below. This framework calls for a comprehensive approach to cybersecurity, covering layers from the geographic and physical levels up to the government layer. Each layer represents a domain of existence and a potential vector for cyber threats, requiring a thorough analysis to secure all fronts.

Cyber-Terrain Model layers. Source: Riley, 2014.
Cyber-Terrain Model layers. Source: Riley, 2014.


Incorporating Safety and Trust into this multi-layered model is a logical step, as it allows us to address the nuanced ways in which different layers can impact human safety.

For instance, a vulnerability at the network layer could compromise the safety of an OT system, leading to real-world consequences. By adding Safety as an explicit layer or dimension to this framework, we ensure that risk analyses account for potential physical harm to individuals and society, not just data and system integrity.

Conclusion

In conclusion, while the CIA Triad has served as a foundational model for cybersecurity and has stood the test of time, the evolution of technology demands that we expand our frameworks to include Safety and Trust.

A multi-layered approach might provide a logical structure for such an expansion, ensuring that we can protect against both digital and physical threats in an increasingly interconnected world.

IS Artificial Intelligence now closer to Human Intelligence?

My buddy Fabrizio Cilli (previously a guest on my blog) just shared this with me

Researchers have implemented an “inner monologue” to AI, enabling it to reason through problems much like humans, particularly in complex areas like math.

This innovation marks a significant leap towards bridging the gap between AI and human intelligence, promising a future where AI understands and solves problems on a deeper level. A truly groundbreaking moment in AI development!

Sources:

  • https://www.livescience.com/technology/artificial-intelligence/researchers-gave-ai-an-inner-monologue-and-it-massively-improved-its-performance
  • https://arxiv.org/pdf/2403.09629.pdfhttps://cybersec.cafe/23andme-and-us/

Exciting Collaborations on the Horizon: Gear Up for Cyber Insights!

Greetings, fellow cyber enthusiast! I’m back!

For those who missed me the reason is to be ascribed to my recent job change.

I’m thrilled to announce that in the next months I will be speaker to a couple of interesting events in Milan. The next one is the 12th of March and of course I’ll talk about AI Cybersecurity.

Back to the main news: in just a few days, I’ll be embarking on a series of captivating collaborations with some esteemed minds in the cybersecurity field in Cybersec.cafe and I’ll be guest of another blog that will be revealed in due time.

Buckle up, because we’re diving deep into valuable insights you won’t want to miss. While I can’t reveal all the surprises just yet, let me assure you that these partnerships will bring together diverse perspectives and a wealth of experience. We’ll be tackling some pressing issues in the world of cyber.

The next guest will be Fabrizio Cilli and he will discuss the 23andMe breach and its implications in terms of shared responsibility in cybersecurity – sorry I won’t disclose more as spoiler is a capital crime nowadays but trust me, you won’t want to miss this!

Stay tuned for further details future announcements.

See you soon!

P.S. Want to be the first to know when the collaborations kick off? Follow me on linkedin and keep an eye out for updates!

Unveiling the OWASP Top 10 for Large Language Models

I am proud to announce the release of the OWASP Top 10 for Large Language Models (LLM) Applications.

This noteworthy initiative, to which I’ve contributed, is dedicated to outlining a list of vulnerabilities specifically applicable to applications leveraging LLMs.

This document, developed under the umbrella of the OWASP Foundation, targets developers, security experts, and even citizen developers who are building applications using LLM technologies. It aims to provide them with actionable, practical, and concise security guidance.

While acknowledging the potential vulnerabilities inherent to LLMs, this Top 10 guide dives deep into each security risk, discussing their potential impacts, their prevalence, and offering effective mitigation strategies. Each risk is ranked based on its exploitability, prevalence, detectability, and potential harm, providing a comprehensive understanding of the LLM application security landscape.

As a contributor to this significant initiative, I’m extending my heartfelt appreciation to my fellow contributors and the entire OWASP community.

This project could not have been possible without the invaluable expertise and relentless dedication of nearly 475 professionals.

I invite everyone to delve into, share, and apply the OWASP LLM Applications Top 10 in your AI ventures. Let’s ensure the secure and robust deployment of applications that include LLMs.

Here is the link: https://owasp.org/www-project-top-10-for-large-language-model-applications/

© 2024 CyberSec.Cafe