Newsletter

12.07.2021 | 10'' read

10 things you’ll be bombarded with at RSA 2022

by Ryan Naraine

This edition of the newsletter is presented by Process Unity and SecurityWeek.

* The most clicked link from last week’s newsletter was Dark Reading’s eulogy for its late founding-editor Tim Wilson.

Note.

Monday blues.

The RSA Conference program committee has released a scannable e-book on topics and trends observed during this year’s CFP.  It’s a good early warning about the marketing hype and thought-leadering we’ll see at the conference next February.  Set your filters accordingly 😉

The top-ten things that bubbled up:

  1. What on earth is zero-trust?  “Debate ensued within the Program Committee as we grappled with where we are on the maturity curve, what problems can be uniquely served with a Zero Trust approach, and what, really, Zero Trust even is, despite the fact that the US Federal Government has been talking about “it” since 2009.”
  2. Ripple effects of the SBOM.  “Submissions explored the challenges SBOM creates, concerns around application lifecycle management, the legalities of what it means when partner code fails, and the challenges to really maintaining code, be it commercial or open-source.”
  3. Supply chain challenges. “Submitters explored the challenges relative to NPOs and SMBs in the supply chain and exposure points they can create, as well as providing firsthand accounts of experiences and legal, governance and fiduciary challenges introduced by cyber-insurance policies related to the “pay or not” question.”
  4. Passwordless breaks through.  “Submissions seemed to push past just MFA conversations and explored sustainable operations, interoperability and legacy challenges, and attack vectors and issues specific to passwordless approaches.”
  5. Back to the basics.  “We observed an increase in submissions focused on starting security programs from scratch and the first 90 days in the CISO seat.”
  6. The ever-expanding cloud. “The maturation of submissions this year was significant, with sessions that explored new threat modeling approaches along with a call to action for a common vulnerability database, governance challenges, cloud-focused attacks with systemic consequences, and long-kept secrets from CSPs emerging.”
  7. Artificial intelligence and machine learning. “We saw more submissions around ethics and detecting algorithmic bias, along with guidance on how and when to call BS if you’re not a data scientist. “
  8. Risk takes center stage. “Third-party risk was a key theme, as was the impact of privacy considerations, as proposals put forward concrete studies with tangible takeaways, KPIs and metrics tied to business outcomes.”
  9. What do I really want to be when I grow up?  “We had a myriad of submissions with guidance on how to transition into consulting, being a board member, writing a book, being a CISO, being an advocate…”
  10. There’s a framework for that! “This year the frameworks exploded as we worked on mapping everything to everything, technical and non-technical.”

I’m surprised the word ‘ransomware’ doesn’t take center stage (the vendor booths will probably take care of this) but this is a useful list to see where the content and hype-cycle is trending.

_ryan

On to the newsletter…


Sponsored.

Join this SecurityWeek panel discussion on Aligning Internal Cybersecurity Practices with External Third-Party Risk Management, presented by our friends at Process Unity.  You will learn how to:

  • Map external third-party risk to internal cybersecurity controls
  • Evaluate control effectiveness against both internal and external risks
  • Identify potential fourth-party risk
  • Prioritize cyber/third-party risk projects based on control gaps and domain inefficiencies
  • Build a world-class cybersecurity program that protects against internal and external threats

Here’s the link to register and add to calendar.


Zoho no!

If you have a Zoho product deployed in your organization, pay very, very close attention to the company’s handling of critical vulnerabilities and ongoing zero-day attacks.

These three security defects — CVE-2021-44515, CVE-2021-37415 and CVE-2021-44077 — have all been exploited by advanced hacking groups over the last four months, prompting CISA to issue urgent deadlines for mitigation.  Florian Roth isn’t entirely pleased with Zoho’s response.

Two pieces I wrote this week for the SecurityWeek audience:

Keeping VPN vendors accountable.

Journalist Yael Grauer (in collaboration with Consumer Reports) looks closely at the security and privacy of consumer VPNs running on Windows 10.  Key takeaways:

  • We found that every VPN company we evaluated could do better when it comes to committing to allow users to obtain the public-facing and private user information that the company holds, including users not covered under CCPA or GDPR.
  • Many of the VPNs we tested could improve by providing specific retention periods for any data they do collect.
  • VPNs would better serve their users by explaining in detail how user data is handled in case of a merger, bankruptcy, or acquisition.
  • The industry could improve by giving specific retention periods for destroying or getting rid of outdated or unnecessary personal information. Almost every VPN, including Mozilla VPN and Mullvad, failed to state in their documentation that they will delete user information immediately and permanently in a reasonable time (in this case, 30 days) if service is terminated or inoperable.
  • We’d like to see VPNs clearly outline in their documentation which information outside parties require, provide options, and host first- and third-party tools on their own servers — something only IVPN has done.

See my previous coverage of eyebrow-raising shenanigans in the consumer VPN space:

Microsoft catches, disrupts Chinese .gov hacking group.

This week has seen a flurry of activity on the nation-state .gov hacking front:

Vuln drops.

Research deep-dives.


Must-read essays.

Watching the SolarWinds hackers. A few items advancing the SolarWinds supply chain mega-hack story as defenders keep watch on Russian hacking group Nobelium:

  • One year after the SolarWinds compromise, Mandiant publishes a report documenting all the tactics used by the two distinct clusters within the Nobelium umbrella. Two things stand out — the use of credentials likely obtained from an info-stealer malware campaign by a third-party actor to gain initial access to organizations; and the abuse of multi-factor authentication leveraging “push” notifications on smartphones.
  • Microsoft has produced an interesting docu-series on Nobelium, hyping it as “the insider account from the frontline defenders who tracked and responded to the NOBELIUM incident, the most advanced nation-state and supply chain attack in history.”
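The MFA “push” abuse mentioned above is a pattern defenders can hunt for: an attacker holding a valid password keeps retrying the login so the victim's phone is flooded with prompts until one is approved. The script below is an added example, not code from the newsletter or from Mandiant's report, and the log format, field names and sample events are constructed assumptions rather than any vendor's schema. It parses a handful of authentication events and flags a user who receives more than a threshold of push prompts inside a short window, noting whether the burst ended with an approval.

```python
"""Heuristic detector for MFA push-notification abuse ("push fatigue").

Added example, not from the newsletter or Mandiant's report. The log
schema (ts user event result src_ip) and the sample events are assumptions
constructed for this illustration, not a real vendor's format or real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: alice is flooded with prompts from one source
# address and finally approves; bob sees two normal prompts hours apart.
SAMPLE_LOG = """\
2021-12-06T02:10:01Z alice mfa_push denied 203.0.113.5
2021-12-06T02:10:20Z alice mfa_push denied 203.0.113.5
2021-12-06T02:10:44Z alice mfa_push timeout 203.0.113.5
2021-12-06T02:11:03Z alice mfa_push denied 203.0.113.5
2021-12-06T02:11:27Z alice mfa_push denied 203.0.113.5
2021-12-06T02:11:50Z alice mfa_push approved 203.0.113.5
2021-12-06T09:00:00Z bob mfa_push approved 198.51.100.7
2021-12-06T17:30:00Z bob mfa_push approved 198.51.100.7
"""


def parse_events(text):
    """Parse the assumed whitespace-separated log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result, src_ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "event": event,
            "result": result,
            "src_ip": src_ip,
        })
    return events


def detect_push_fatigue(events, window=timedelta(minutes=5), threshold=4):
    """Return one alert per user whose push prompts reach `threshold`
    within any `window`-sized span. The alert reflects the last qualifying
    span, so `approved_after_flood` tells you whether the flood ended with
    the victim accepting a prompt, which is the case that matters most."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e)

    alerts = []
    for user, pushes in by_user.items():
        pushes.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(pushes)):
            # Slide the window start forward until it is within `window`
            # of the current prompt.
            while pushes[end]["ts"] - pushes[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst = pushes[start:end + 1]
                best = {
                    "user": user,
                    "prompts": count,
                    "first": burst[0]["ts"],
                    "last": burst[-1]["ts"],
                    "src_ips": sorted({e["src_ip"] for e in burst}),
                    "approved_after_flood": burst[-1]["result"] == "approved",
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print(alert)
```

The thresholds are deliberately conservative defaults; tune `window` and `threshold` against your own baseline, and treat a burst that ends in `approved` from a source address the user has never authenticated from as a session to revoke first and investigate second.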

Hardware/firmware security.

Leftovers.

Tangentially.

P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.
