Newsletter

Monday blues.

The RSA Conference program committee has released a scannable e-book on topics and trends observed during this year’s CFP.  It’s a good early warning about the marketing hype and thought-leadering we’ll see at the conference next February.  Set your filters accordingly 😉

The top-ten things that bubbled up:

1. What on earth is zero-trust?  “Debate ensued within the Program Committee as we grappled with where we are on the maturity curve, what problems can be uniquely served with a Zero Trust approach, and what, really, Zero Trust even is, despite the fact that the US Federal Government has been talking about “it” since 2009.”
2. Ripple effects of the SBOM.  “Submissions explored the challenges SBOM creates, concerns around application lifecycle management, the legalities of what it means when partner code fails, and the challenges to really maintaining code, be it commercial or open-source.”
3. Supply chain challenges. “Submitters explored the challenges relative to NPOs and SMBs in the supply chain and exposure points they can create, as well as providing firsthand accounts of experiences and legal, governance and fiduciary challenges introduced by cyber-insurance policies related to the “pay or not” question.”
4. Passwordless breaks through.  “Submissions seemed to push past just MFA conversations and explored sustainable operations, interoperability and legacy challenges, and attack vectors and issues specific to passwordless approaches.”
5. Back to the basics.  “We observed an increase in submissions focused on starting security programs from scratch and the first 90 days in the CISO seat.”
6. The ever-expanding cloud. “The maturation of submissions this year was significant, with sessions that explored new threat modeling approaches along with a call to action for a common vulnerability database, governance challenges, cloud-focused attacks with systemic consequences, and long-kept secrets from CSPs emerging.”
7. Artificial intelligence and machine learning. “We saw more submissions around ethics and detecting algorithmic bias, along with guidance on how and when to call BS if you’re not a data scientist. “
8. Risk takes center stage. “Third-party risk was a key theme, as was the impact of privacy considerations, as proposals put forward concrete studies with tangible takeaways, KPIs and metrics tied to business outcomes.”
9. What do I really want to be when I grow up?  “We had a myriad of submissions with guidance on how to transition into consulting, being a board member, writing a book, being a CISO, being an advocate…”
10. There’s a framework for that! “This year the frameworks exploded as we worked on mapping everything to everything, technical and non-technical.”

I’m surprised the word ‘ransomware’ doesn’t take center stage (the vendor booths will probably take care of this) but this is a useful list to see where the content and hype-cycle is trending.

Join this SecurityWeek panel discussion on Aligning Internal Cybersecurity Practices with External Third-Party Risk Management, presented by our friends at Process Unity.  You will learn now to:

• Map external third-party risk to internal cybersecurity controls
• Evaluate control effectiveness against both internal and external risks
• Identify potential fourth-party risk
• Prioritize cyber/third-party risk projects based on control gaps and domain inefficiencies
• Build a world-class cybersecurity program that protects against internal and external threats

Here’s the link to register and add to calendar.

• A scary CVS 10 vulnerability in WebHMI: “Successful exploitation of these vulnerabilities could allow an administrator account login without password authentication and remote code execution with root privileges.”
• A PrintJacking warning from GreyNoise about a single IP address seen mass-transmitting a message to port 9100, a common port for printer connections.
• USB Over Ethernet — SentinelOne researcher Kasif Dekel documents a number of high-severity flaws in driver software affecting AWS and numerous cloud service providers.  Millions are affected.
• Project Zero’s Jann Horn publishes a root cause analysis on CVE-2021-1048, an Android/Linux kernel flaw that was exploited in-the-wild as zero-day.
• Google just paid $15,000 for a high-risk memory safety vuln in the Chrome browser.

Research deep-dives.

• A new research paper from ESET (pdf) that describes how malware frameworks targeting air-gapped networks operate, and provides a side-by-side comparison of their most important TTPs.  The researchers also propose a series of detection and mitigation techniques to protect air-gapped networks from the main techniques used by all the malicious frameworks publicly known to date.
• ​Exploring Container Security – A Storage Deep Dive is a technical analysis of a high-severity vulnerability that allowed workloads to have access to parts of the host filesystem outside the mounted volumes boundaries.
• Google Project Zero’s Tavis Ormandy: “This issue demonstrates that even extremely well-maintained C/C++ can have fatal, trivial mistakes.
• Sam Curry writes about exploiting vulnerabilities in a TLD registrar to take over Tether, Google, and Amazon.
• Kaspersky GReAT’s annual review of APTs observed in 2021 is worth your time.

• Happy trails to one of my favorite managers Larry Dignan, who is leaving ZDNet after an impressive 15-year run as editor-in-chief. Larry covers the six things he learned during his stint as ZDNet editor-in-chief. I’m proud to have played a small part.
• CISO Roadmap: The First 90 Days provides a decent game plan for a new security leader to modernize and strengthen a security program.
• Andy Ellis writes about the hidden costs associated with endpoint agents, inscrutable alerts, complex deployments and organizational friction.
• NSI Visiting Fellow and Crossbeam CISO Chris Castaldo writes about the SBOM tax on smaller businesses.
• Vice Motherboard says U.S. vice president Kamala Harris is right not to trust the security of Bluetooth technology.  It’s in response to this weird Politico article hating on wires.
• Nathaniel Mott writes about hackers finding workarounds for multi-factor authentication (MFA) technology.

• One year after the SolarWinds compromise, Mandiant publishes a report documenting all the tactics used by the two distinct clusters within the Nobelium umbrella. Two things stand out  — the use of credentials likely obtained from an info-stealer malware campaign by a third-party actor to gain initial access to organizations; and the abuse of multi-factor authentication leveraging “push” notifications on smartphones.
• Microsoft has produced an interesting docu-series on Nobelium, hyping it as “the insider account from the frontline defenders who tracked and responded to the NOBELIUM incident, the most advanced nation-state and supply chain attack in history.”