DevOps orchestration platform provider Opsera has announced the launch of GitCustodian, a new Software-as-a-Service (SaaS) product that detects and reports vulnerable data in code repositories including GitLab, GitHub, and Bitbucket.
GitCustodian scans the code repositories for vulnerable data and alerts security and DevOps teams so that they can prevent vulnerabilities from leaking into production, protecting software development pipelines. Once vulnerabilities are found, the solution automates the remediation process for any uncovered secrets or other sensitive artifacts, Opsera says.
The release comes at a time of heightened awareness around data leaks in source code repositories. In April, GitHub revealed that attackers had used stolen authorization tokens to download private data stored on the platform.
GitCustodian provides “proactive visibility”
Opsera notes that many software developers unknowingly keep sensitive data (e.g., passwords, certificates, keys) in source code repositories, which, if pushed to production, is at risk of being exposed to cyber attackers. GitCustodian was designed to provide proactive visibility into vulnerable data in source code repositories and help security and DevOps teams address it early in the continuous integration/continuous delivery (CI/CD) process, the company says. Teams receive a centralized snapshot of any vulnerable secrets and other sensitive artifacts at risk across version control systems. According to Opsera, GitCustodian’s key features and benefits include:
- Secrets detection based on multiple algorithms and industry-standard profiles.
- Source code repository scanning.
- Ability to add proactive secrets governance to existing CI/CD workflows.
- Secure storage for secrets and keys via a built-in vault.
- Collaboration enablement that notifies impacted teams.
- Insights and analytics with actionable insights and compliance reporting.
Speaking to CSO, Kumar Chivukula, Co-Founder and CTO of Opsera, explains that GitCustodian works in three main ways. “One, GitCustodian helps companies scan their source code management (SCMs) for catching and watching secrets with a dashboard tracking the violators and highlighting the source of the problem. Two, whether you use an Opsera or existing pipeline, you can add a guardrail to scan the pipeline for secrets before the pipeline continues. Most enterprises need to have an option to catch secrets before they deploy into production or a customer environment. Three, when a secret is exposed, we give you the option to add secrets into our built-in Vault, directly allowing you to add secrets in a vault as a parameter and not disclose them in plain text.”
GitCustodian is available for existing and new customers, with pricing based on the number of repos and number of users.
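To make the three mechanisms Chivukula describes concrete, here is an added example (not Opsera's code and not GitCustodian's detection logic): a minimal pipeline guardrail in Python that scans repository file contents with a few pattern profiles, falls back to a Shannon-entropy check for strings no profile recognises, and blocks the pipeline on any finding while redacting the matched value in its report. The three profiles, the entropy threshold and the sample files are constructed for the demo.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Detection profiles. These three are constructed for the example; commercial
# scanners ship hundreds of vendor-specific patterns.
PATTERN_PROFILES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

# Entropy gate for strings no profile matched. The threshold is an assumption
# tuned for the demo: identifiers and English sit below 4 bits/char, random
# tokens above it (a 20-char token of distinct symbols tops out at log2(20)=4.32).
ENTROPY_THRESHOLD = 4.0
MIN_CANDIDATE_LEN = 20
_CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/=_\-]{%d,}" % MIN_CANDIDATE_LEN)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    preview: str  # redacted: the scan report must not itself become a secret leak


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a 4-character prefix so a developer can locate the value without the report storing it."""
    return value[:4] + "..."


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents; pattern profiles take precedence over the entropy gate."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched = False
        for rule, pattern in PATTERN_PROFILES.items():
            m = pattern.search(line)
            if m:
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(path, line_no, rule, redact(value)))
                matched = True
        if matched:
            continue
        for candidate in _CANDIDATE_RE.findall(line):
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high_entropy_string", redact(candidate)))
                break  # one entropy finding per line is enough for triage
    return findings


def pipeline_gate(files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Guardrail step: returns (proceed, findings); the pipeline stops on any finding."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return (len(findings) == 0, findings)


# Constructed sample repository contents (no real credentials).
SAMPLE_FILES = {
    "config.py": (
        "# constructed sample config for the demo\n"
        'DB_HOST = "db.internal.example"\n'
        'DB_PASSWORD = "hunter2hunter2"\n'
        'AWS_KEY = "AKIAEXAMPLEKEY0000AB"\n'
        'PLUGIN_CLASS = "configuration_loader_default"\n'
        'SESSION_SEED = "q8Zt2LmXp9vR4kWn7Jc1Bd5Hs3Yg6Fa0"\n'
    ),
    "README.md": "Run `make test` before opening a pull request.\n",
}

if __name__ == "__main__":
    proceed, found = pipeline_gate(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.preview}")
    print("pipeline may continue" if proceed else "blocked: secrets found")
```

The long identifier on line 5 of the sample is deliberately left unflagged: its entropy is about 3.75 bits/char, which is why an entropy gate alone produces noise and why real products layer pattern profiles on top of it. Remediation in the vault sense is the step after this: the finding tells the team what to rotate and move into a secret store, not the pipeline.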
All software vulnerabilities lead back to insecure code
Industry analysts recognize the security risks and complexities surrounding source code, along with the need for modern businesses to implement effective strategies for detecting and managing source code vulnerabilities. “The way all software vulnerabilities make their way into the world is through source code,” Fernando Montenegro, Senior Principal Analyst at Omdia, tells CSO. “The possible issues with vulnerable code in production run the gamut from simple denial of service through to full-blown data breaches. The moment vulnerable software is exposed in production, it creates not only a new attack surface for a potential attacker, but adds to the ‘technical debt’ that organizations accumulate over time.” The impact can be significant for companies, up to and including public disclosures and regulatory fallout such as fines, he adds.
“Making efforts to remove vulnerabilities before they leak into production should be extremely high on any security executive’s priority list,” Montenegro says. Janet Worthington, Senior Analyst at Forrester agrees. “To ensure that code deployed to production is secure, organizations must make use of security scanning tools that look for security weakness in the source code and known vulnerabilities in the open source and third-party libraries that developers pack into their applications,” she tells CSO. “Integrating and automating security scanning tools as part of your CI/CD pipeline provides developers with feedback while the code is still fresh in their mind.” This has taken on greater significance since the outbreak of the COVID-19 pandemic and mass adoption of digital transformation, adds Omdia Senior Principal Analyst Rik Turner. “The rate at which development teams are pushing code into production has accelerated and will continue to do so,” he tells CSO. “With one of the foundations of the agile development process being the reusable componentry that was pioneered by the service-orientated architecture revolution, ever more pre-written and freely available open-source components are being included in the apps developers are writing, so if they come with vulnerabilities, they’re going straight into the apps too.”
The last decade has seen its fair share of watershed moments that have had major implications on the cybersecurity landscape. Severe vulnerabilities, mass exploitations, and widespread cyberattacks have reshaped many aspects of modern security. To take stock of the past 10 years, cybersecurity vendor Trustwave has published the Decade Retrospective: The State of Vulnerabilities blog post featuring a list of what it considers to be the 10 most prominent and notable network security issues and breaches of the last 10 years.
“It is difficult to tell the complete story about the network security landscape from the past decade because security tools and event loggers have evolved so much recently that many of the metrics that we take for granted today simply did not exist 10 years back,” the blog read. “Nevertheless, the data that is available provides enough information to spot some significant trends. The most obvious trend, based on sources like the National Vulnerability Database (NVD), Exploit-DB, VulnIQ, and Trustwave’s own security data, is that security incidents and individual vulnerabilities have been increasing in number and becoming more sophisticated,” it added.
Here are Trustwave’s 10 security incidents that have defined the last decade, in no particular order.
1. SolarWinds hack and FireEye breach
In what Trustwave called the “most crippling and devastating breach of the decade,” a supply chain cyberattack on network monitoring tool SolarWinds Orion in December 2020 sent shockwaves across the globe. Various corporations and U.S. government agencies fell victim to this campaign with cybercriminals exploiting FireEye red teaming tools and internal threat intelligence data to plant a malicious backdoor update (dubbed SUNBURST) that impacted some 18,000 customers and granted attackers the ability to modify, steal, and destroy data on networks. Despite a patch being issued on December 13, 2020, infected servers exist today and attacks still take place due to companies being unaware of dormant vectors set up before the patch, Trustwave said.
Speaking to CSO in December last year, David Kennedy, former NSA hacker and founder of security consulting firm TrustedSec said, “When you look at what happened with SolarWinds, it’s a prime example of where an attacker could literally select any target that has their product deployed, which is a large number of companies from around the world, and most organizations would have no ability to incorporate that into how they would respond from a detection and prevention perspective.”
In June 2021, University of Richmond management professor and expert on risk management and industrial and operations engineering, Shital Thekdi, said that the SolarWinds attack was unprecedented because of “its capability to cause significant physical consequences,” impacting “critical infrastructure providers, potentially impacting energy and manufacturing capacities,” and creating an ongoing intrusion that “should be treated as a serious event with potential for great harm.”
2. EternalBlue exploit and the WannaCry/NotPetya ransomware attacks
Next on Trustwave’s list is the EternalBlue exploit and subsequent ransomware incidents of 2017. Hacking group Shadow Brokers leaked significant exploits stolen from the U.S. National Security Agency (NSA) which were used to carry out the highly damaging WannaCry and NotPetya ransomware outbreaks which affected many thousands of systems across the globe, causing particular damage to health services in the UK and Ukraine. The most significant exploit, dubbed EternalBlue, targeted vulnerability CVE-2017-0144, which Microsoft had patched one month prior to the Shadow Brokers’ leak. According to Trustwave, the EternalBlue exploit remains active to this day with Shodan, the popular search engine for internet-connected devices, currently listing more than 7,500 vulnerable systems.
In 2017, RiskSense researchers said, “The EternalBlue exploit is highly dangerous in that it can provide instant, remote, and unauthenticated access to almost any unpatched Microsoft Windows system, which is one of the most widely used operating systems in existence for both the home and business world.”
3. Heartbleed flaw in OpenSSL
The Heartbleed vulnerability of 2014 continues to beat on, estimated to threaten more than 200,000 vulnerable systems to this day, as per Shodan, Trustwave’s blog stated. Security researchers discovered the serious flaw (CVE-2014-0160) in OpenSSL, the encryption technology that secures the web. It was dubbed Heartbleed because the bug existed in OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520) and allowed anyone on the internet to read the memory of systems.
Heartbleed caused mass panic and was quickly labelled one of the worst security bugs in the internet’s history with information security pioneer Bruce Schneier stating in his blog, “Catastrophic is the right word. On the scale of 1 to 10, this is an 11.”
In an article written for CSO in 2014, security advisor Roger Grimes set out a three-step plan to help organizations gain control of their OpenSSL environments and mitigate the Heartbleed bug, adding “OpenSSL probably runs on 60% or more of the websites that offer HTTPS connections and is used for many other popular services that use SSL-/TLS-based protocols, like POP/S, IMAP/S, and VPNs. There’s a very good chance that if you can connect to an SSL-/TLS-based service and it’s not running Microsoft Windows or Apple OS X, it’s vulnerable.”
4. Shellshock remote code execution in Bash
Shellshock (CVE-2014-7169) is a bug in the “Bourne Again Shell” (Bash) command-line interface and existed for 30 years before its discovery in 2014, Trustwave wrote. “The vulnerability was considered even more severe than Heartbleed since it allowed an attacker to take complete control of a system without having a username and password,” the firm added. A patch was issued in September 2014 and Shellshock is currently deemed inactive, last seen in the “Sea Turtle” campaign of 2019 where hackers used DNS hijacking to gain access to sensitive systems.
Commenting in 2014, Daniel Ingevaldson, CTO of Easy Solutions said, “The exploitation of this vulnerability relies on bash functionality somehow being accessible from the internet. The problem with bash is that it’s used for everything. On a Linux-based system, bash is the default shell and anytime a web-enabled process needs to call a shell to process input, run a command (such as ping, or sed, or grep, etc.), it will call Bash.”
5. Apache Struts remote command injection and Equifax breach
This critical zero-day vulnerability, discovered in 2017, affects the Jakarta Multipart parser in the web application development framework Apache Struts 2. “This vulnerability allowed remote command injection attacks by incorrectly parsing an attacker’s invalid Content-Type HTTP header,” Trustwave said. Months later, credit reporting giant Equifax announced that hackers had gained access to company data potentially compromising sensitive information belonging to 143 million people in the U.S., UK, and Canada. Further analysis identified that attackers used the vulnerability (CVE-2017-5638) as the initial attack vector.
In September 2017, Adam Meyer, chief security strategist of threat intelligence company SurfWatch Labs said, “This particular data breach will impact a utilized authentication stack that many organizations and federal agencies use to combat their own forms of fraud.” Trustwave deemed this vulnerability to be currently inactive.
6. Speculative execution vulnerabilities Meltdown and Spectre
In what it coined “Chipocalypse,” Trustwave cited the significant CPU vulnerabilities known as Meltdown and Spectre from 2018 in its next listing. These belong to a class of flaws called speculative execution vulnerabilities which can be targeted by attackers to exploit the CPUs that run computers to gain access to data stored in the memory of other running programs. “Meltdown (CVE-2017-5754) breaks the mechanism that keeps applications from accessing arbitrary system memory. Spectre (CVE-2017-5753 and CVE-2017-5715) tricks other applications into accessing arbitrary locations within their memory. Both attacks use side channels to obtain the information from the targeted memory location,” the blog read.
7. BlueKeep and remote desktops as an access vector
Years before the move to mass remote working and the security risks that came with it triggered by the COVID-19 pandemic in March 2020, cybercriminals were known to target remote desktops in attacks, exploiting RDP vulnerabilities to steal personal data, login credentials, and install ransomware. However, in 2019, the threat of remote desktops as an attack vector really came to the fore with the discovery of BlueKeep, a remote code execution vulnerability in Microsoft Remote Desktop Services. “Security researchers considered BlueKeep especially severe because it was ‘wormable,’ meaning attackers could use it to spread malware from computer to computer without human intervention,” Trustwave wrote.
Indeed, such was the severity of the issue, the U.S. National Security Agency (NSA) issued its own advisory regarding the issue. “This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation tools are widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.”
Trustwave said BlueKeep is still active and found over 30,000 vulnerable instances on Shodan.
8. Drupalgeddon series and CMS vulnerabilities
The Drupalgeddon series consists of two critical vulnerabilities that are still considered active today by the FBI, according to Trustwave. The first, CVE-2014-3704, was discovered in 2014 and takes the form of an SQL injection vulnerability in open-source content management system Drupal Core which threat actors exploited to hack a massive number of websites. Four years later, the Drupal security team disclosed another extremely critical vulnerability nicknamed Drupalgeddon2 (CVE-2018-7600) that resulted from insufficient input validation on the Drupal 7 Form API and allowed an unauthenticated attacker to perform remote code execution on default or common Drupal installations. “Attackers used the Drupalgeddon2 vulnerability to mine for Monero cryptocurrency on servers with compromised Drupal installations,” Trustwave wrote.
In late 2014, Indiana’s Department of Education blamed the first Drupal vulnerability for an attack on its website which forced it to take its site down temporarily while the issue was addressed.
9. Microsoft Windows OLE vulnerability Sandworm
The penultimate vulnerability on Trustwave’s list is the Microsoft Windows Object Linking and Embedding (OLE) vulnerability CVE-2014-4114, detected in 2014. “The flaw was used in Russian cyber-espionage campaigns targeting NATO, Ukrainian, and Western government organizations, and firms in the energy sector,” the blog read. The vulnerability gained the moniker Sandworm due to the group of attackers that launched the campaign – the “Sandworm Team.” The vulnerability was deemed currently inactive by Trustwave.
10. Ripple20 vulnerabilities and the growing IoT landscape
Last on Trustwave’s list are the Ripple20 vulnerabilities that highlight the risks surrounding the expanding IoT landscape. In June 2020, Israeli IoT security company JSOF published 19 vulnerabilities collectively called Ripple20 to illustrate the “ripple effect” they will have on connected devices for years to come. “The vulnerabilities were present in the Treck networking stack, used by more than 50 vendors and millions of devices, including mission-critical devices in healthcare, data centers, power grids and critical infrastructure,” Trustwave stated.
As outlined by CSO in 2020, some of the flaws could allow for remote code execution over the network and lead to a full compromise of affected devices. The Ripple20 vulnerabilities remain active today, Trustwave said.
Vulnerabilities pose risks long after detection if orgs fail to patch
Trustwave cited the fact that several of the vulnerabilities on its list were detected almost a decade ago, yet many of them continue to pose risks long after patches and fixes have become available. This suggests organizations:
- Lack the ability to track and log various services running on a network
- Struggle to vouch for and apply patches to assets without disrupting workflow
- Are slow to react to discovered zero-days.
This is likely to take on greater significance given a sharp increase in zero-day exploits detected in 2021, Trustwave added.
Alex Rothacker, security research director at Trustwave SpiderLabs, tells CSO that organizations are constantly playing catch up to patch the latest vulnerabilities. “This is extremely challenging, especially for smaller organizations with limited or no dedicated staff. Even for larger organizations, there isn’t always a patch readily available. Take Log4j as an example. Most of the vulnerable Log4j versions are part of larger third-party software packages and many of these third-party vendors are still struggling to fully update their complex applications.”
What’s more, as time goes by, focus shifts to the next vulnerability, leading to older patches sometimes falling through the cracks, Rothacker adds. “The older a vulnerability, the more information is available about how to exploit it. This basically makes the vulnerability a low hanging fruit, requiring less skills for the attacker to take advantage of the known vulnerability. For sophisticated attackers, it is an easy target.”
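The three weaknesses Trustwave lists (no inventory of running services, difficulty vouching for patches, slow reaction) are exactly what an exposure-aging report makes visible. The following is an added example, not Trustwave's or SpiderLabs' tooling: a Python script that joins a service inventory against advisories and reports, per unpatched asset, how many days the fix has been available, flagging findings older than 90 days as stale. The CVE ids, products, versions and dates are invented placeholders for the demo; in practice the advisory table would be fed from NVD or a vendor bulletin and the inventory from an asset management system.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    cve: str          # placeholder ids below; real ones would come from NVD
    product: str
    fixed_in: str     # first version that contains the fix
    patch_date: date  # day the fix became available


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


def parse_version(v: str) -> tuple:
    """Dotted numeric versions compare numerically, so 2.10 > 2.4.1 (a string compare gets this wrong)."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(asset: Asset, adv: Advisory) -> bool:
    return asset.product == adv.product and parse_version(asset.version) < parse_version(adv.fixed_in)


def exposure_report(assets, advisories, today: date, stale_after_days: int = 90) -> list:
    """One row per (asset, advisory) pair still unpatched, oldest exposure first."""
    rows = []
    for asset in assets:
        for adv in advisories:
            if is_vulnerable(asset, adv):
                days = (today - adv.patch_date).days
                rows.append({
                    "host": asset.host, "product": asset.product, "version": asset.version,
                    "cve": adv.cve, "fixed_in": adv.fixed_in,
                    "days_exposed": days, "stale": days > stale_after_days,
                })
    rows.sort(key=lambda r: (-r["days_exposed"], r["host"]))
    return rows


def summarize(rows: list) -> dict:
    """Headline numbers for a dashboard or a ticket."""
    return {
        "vulnerable_hosts": len({r["host"] for r in rows}),
        "findings": len(rows),
        "stale_findings": sum(1 for r in rows if r["stale"]),
        "oldest_days": max((r["days_exposed"] for r in rows), default=0),
    }


# Constructed inventory and advisories; product names, versions and dates are invented.
ADVISORIES = [
    Advisory("CVE-EXAMPLE-0001", "demo-tcpstack", "6.0.2", date(2021, 3, 1)),
    Advisory("CVE-EXAMPLE-0002", "demo-rdp", "2.4.1", date(2021, 11, 20)),
    Advisory("CVE-EXAMPLE-0003", "demo-cms", "7.58", date(2022, 4, 5)),
]
ASSETS = [
    Asset("plc-01", "demo-tcpstack", "6.0.1"),
    Asset("gw-01", "demo-rdp", "2.3"),
    Asset("gw-02", "demo-rdp", "2.10"),   # patched; only a numeric compare sees that
    Asset("web-01", "demo-cms", "7.57"),
    Asset("web-02", "demo-cms", "7.58"),  # patched
]

if __name__ == "__main__":
    report = exposure_report(ASSETS, ADVISORIES, date(2022, 6, 1))
    for row in report:
        flag = "STALE" if row["stale"] else "open"
        print(f"{row['host']:8} {row['product']:14} {row['version']:7} {row['cve']} "
              f"fix {row['fixed_in']} available {row['days_exposed']} days ({flag})")
    print(summarize(report))
```

The version comparison is the part that most often goes wrong in home-grown inventories: a lexical compare would report gw-02 (2.10) as older than the 2.4.1 fix and open a false ticket, while missing nothing about the genuinely exposed hosts. Sorting by days exposed puts the decade-old class of issue Trustwave describes at the top of the queue, which is the opposite of the "next vulnerability" drift Rothacker warns about.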
Post-quantum cryptography company QuSecure has announced its debut with the launch of a new post-quantum cybersecurity solution, QuProtect. The firm claimed that QuProtect is the industry’s first end-to-end quantum software-based platform designed to protect encrypted communications and data using a quantum secure channel.
The solution addresses present classical attacks and future quantum computing threats for commercial enterprises and government agencies, QuSecure added. The release comes as increasing numbers of solutions providers are coming to market with quantum-resilient offerings built to withstand quantum computing security risks that threaten traditional public key cryptography.
QuProtect incorporates zero trust, next-gen encryption, active monitoring, attack remediation
In a press release, QuSecure said QuProtect is designed around the entire data lifecycle to work anytime, anywhere and on any device with a focus on adoption, easy upgrade, and modern cyber-protection practices. Key to QuProtect’s post-quantum protections and quantum-resilient cryptographic keys is Quantum Random Number Generation (QRNG), which provides entropy throughout the entire network, the firm added.
“QuSecure’s mission is to provide enterprises and government organizations with a comprehensive cryptographic orchestration platform that addresses today’s conventional and future quantum threats,” commented QuSecure CEO Dave Krauthamer. “Our platform secures networks from current vulnerabilities using zero trust, next-generation encryption, active monitoring, and attack remediation – all cloud-delivered in software to existing devices, over existing infrastructure.”
Krauthamer added that feedback from QuSecure’s early customers indicates that a SaaS, end-to-end post-quantum cryptography approach is key for a practical post-quantum cybersecurity solution.
“Quantum technologies have the potential to represent a platform shift, and platform shifts don’t come around that often,” said Laura Thomas, former CIA chief of base and vice president of corporate strategy at ColdQuanta. “When they do, they bring enormous opportunity coupled with the power for intense disruption, in all arenas, to include national security and economic security.”
National security, public safety, and privacy have already collided in the past several years, added retired United States Navy rear admiral and former senior cybersecurity specialist at the Departments of Defense and Homeland Security, Mike Brown, and quantum is likely to intensify matters moving forward. “Quantum security, with quantum computing and encryption, are foundational to public and private sector efforts to counter nation states, rogue actors, criminals, and others.”
Growing quantum-resilient market reflects future of cybersecurity
QuSecure’s debut launch reflects a growing quantum-resilient cybersecurity market in which technology, solutions, and software providers old and new are coming to market with quantum-enhanced offerings as new standards surrounding quantum-safe encryption algorithms emerge. Toshiba, PureVPN and BT are just a few organizations that have recently announced new investment in the quantum-resilient security space whilst the National Institute of Standards and Technology (NIST) works toward introducing standards for quantum-resistant public key cryptographic algorithms.
“Gartner is projecting that most of the current asymmetric cryptography will be unsafe to use for securing data by the end of this decade, due to the advancement of quantum computing,” Mark Horvath, senior director analyst at Gartner, tells CSO. “Securing against a quantum computing attack will become the new normal and is going to be required in just about every product on an ongoing basis.”
Quantum-safe algorithms will be hitting the market for the foreseeable future in a trend that favors modular crypto that can be swapped out relatively invisibly to the end users (and maybe developers), Horvath adds. “We call this modularity ‘crypto-agility,’ meaning that as new algorithms get adopted, we follow an agile way of updating or changing them. This is probably going to be the standard procedure.”
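What crypto-agility looks like in code is easier to show than to describe. The example below is added here and is neither QuSecure's nor Gartner's: a small Python protection layer in which every protected blob carries an algorithm identifier, a registry decides which identifiers are preferred, merely allowed, or retired, and rotating to a new algorithm is a registry change rather than a code change. To stay self-contained with the standard library it uses HMAC integrity tags as the swappable primitive; the same envelope-plus-registry shape is what lets a signature or key-exchange algorithm be replaced later by a post-quantum one. The registry entries, the envelope format and the master key are constructed for the demo, and the per-algorithm subkey derivation is a simplification of a proper KDF.

```python
import base64
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Algorithm registry: the only place that knows which primitive backs each id.
# Status drives policy: "preferred" is used for new data, "allowed" still verifies
# but is flagged for re-protection, "retired" is refused outright. Constructed for the demo.
REGISTRY = {
    "hmac-sha256":   {"digest": "sha256",   "status": "preferred"},
    "hmac-sha3-256": {"digest": "sha3_256", "status": "allowed"},
    "hmac-md5":      {"digest": "md5",      "status": "retired"},
}


@dataclass(frozen=True)
class VerifyResult:
    ok: bool
    alg: str
    needs_rewrap: bool   # valid, but not protected with the current preferred algorithm
    reason: str = ""


def preferred_alg() -> str:
    return next(a for a, m in REGISTRY.items() if m["status"] == "preferred")


def register(alg: str, digest: str, status: str = "allowed") -> None:
    """Adding a primitive touches only the registry, not the envelope code."""
    REGISTRY[alg] = {"digest": digest, "status": status}


def set_preferred(alg: str) -> None:
    """Rotate the default: the old preferred algorithm stays verifiable as 'allowed'."""
    for meta in REGISTRY.values():
        if meta["status"] == "preferred":
            meta["status"] = "allowed"
    REGISTRY[alg]["status"] = "preferred"


def _subkey(master: bytes, alg: str) -> bytes:
    # Domain-separated per-algorithm key (a simplification of a proper KDF), so a
    # tag computed under one algorithm is never valid under another.
    return hmac.new(master, b"mac-key/" + alg.encode(), "sha256").digest()


def _tag(master: bytes, alg: str, payload: bytes) -> str:
    # The algorithm id is part of the authenticated input: an envelope cannot be
    # relabelled to a weaker algorithm without invalidating its tag.
    msg = alg.encode() + b"\x00" + payload
    return hmac.new(_subkey(master, alg), msg, REGISTRY[alg]["digest"]).hexdigest()


def protect(payload: bytes, master: bytes, alg: Optional[str] = None) -> str:
    """Wrap payload in a versioned envelope: v1$<alg>$<tag>$<base64 payload>."""
    alg = alg or preferred_alg()
    if REGISTRY.get(alg, {}).get("status") not in ("preferred", "allowed"):
        raise ValueError(f"{alg} is not permitted for new data")
    return "v1$%s$%s$%s" % (alg, _tag(master, alg, payload), base64.b64encode(payload).decode())


def verify(envelope: str, master: bytes) -> Tuple[VerifyResult, Optional[bytes]]:
    parts = envelope.split("$")
    if len(parts) != 4 or parts[0] != "v1":
        return VerifyResult(False, "", False, "malformed envelope"), None
    _, alg, tag, b64 = parts
    meta = REGISTRY.get(alg)
    if meta is None:
        return VerifyResult(False, alg, False, "unknown algorithm"), None
    if meta["status"] == "retired":
        return VerifyResult(False, alg, False, "retired algorithm"), None
    payload = base64.b64decode(b64)
    if not hmac.compare_digest(_tag(master, alg, payload), tag):
        return VerifyResult(False, alg, False, "tag mismatch"), None
    return VerifyResult(True, alg, alg != preferred_alg()), payload


def rewrap(envelope: str, master: bytes) -> str:
    """Re-protect still-valid data under the current preferred algorithm."""
    result, payload = verify(envelope, master)
    if not result.ok:
        raise ValueError(result.reason)
    return protect(payload, master)


if __name__ == "__main__":
    key = b"constructed-master-key"        # demo only; a real key comes from a KMS or HSM
    old = protect(b"ledger entry 42", key)
    set_preferred("hmac-sha3-256")          # the "algorithm swap" is one registry change
    print(verify(old, key)[0])              # still valid, flagged needs_rewrap=True
    print(verify(rewrap(old, key), key)[0]) # re-protected under the new preferred algorithm
```

Two details carry most of the security value. Authenticating the algorithm id inside the tag blocks downgrade by relabelling, which is the classic failure of "agile" formats that let the attacker pick the algorithm. And the three-state registry separates "stop issuing" from "stop accepting": data protected under the old algorithm keeps verifying during the migration window and is rewrapped on contact, so the swap is invisible to users in the way Horvath describes, while retired algorithms are rejected even for verification.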
Beware marketing hype of quantum-secure offerings
With the quantum-resilient trend snowballing, Forrester Vice President, Research Director Merritt Maxim warns organizations to be wary of marketing hype surrounding new products and solutions. “The encryption market has always been an area where there has been some level of over-hyped marketing,” he tells CSO. “This may be more marketing speak than actual, serious technological innovation.”
Wider discussion and awareness of quantum security is a good way of getting organizations to think about their long-term plans in the area, but it may be a challenge for them to effectively distinguish genuine technological innovation from sales “snake oil”, Maxim adds. “Validating the efficacy of claims is going to be challenging, and businesses will probably be subjected to a lot of mathematics to prove quantum resistance.”
Cybersecurity buzzwords and buzz phrases are a dime a dozen. Used to simplify complex terminology or boost sales and marketing campaigns, buzzwords are an inescapable reality for an innovative and fast-paced industry like information security. However, such terms are not always helpful and can be inaccurate, outdated, misleading, or even risk causing harm. For example, a buzzword that exploits fear, uncertainty and doubt to maximize a profit-led agenda can be damaging, while a legitimate, once-useful term may become outdated, with continued use and reliance upon it hampering more evolved understandings of the root issue.
Here are the 11 cybersecurity buzzwords and phrases that should be laid to rest in 2021.
- Zero trust
- Whitelist and blacklist
- AI-powered security
- Cyber 9/11
- Digital transformation
- People are the weakest link
- Cybersecurity awareness
- Cyber kill chain
1. Ransomware
Despite being one of the most used terms in discussions around common cyberattacks, ransomware is technically an inappropriate definition no longer fit for purpose, says Charl van der Walt, head of security research at Orange Cyberdefense. “It’s hard to escape mentions of ransomware in the current news agenda, but while it suffices to describe the overarching subject, it falls short of wholly capturing what is in fact a complex and evolving issue.”
Ransomware’s real meaning is getting lost in translation, and it is now being used to define a far wider set of cyberattacks than its real definition—malware that holds the data of a computer to ransom—encompasses, van der Walt says. “This creates confusion between malware that does encryption, general malware that’s used by ransomware actors, and the ransomware actors themselves. At the center of ransomware is the act of extortion and cybercriminals see companies as easy targets for extortion—you only have to look at data suggesting how many companies now pay ransom demands as proof.”
As this threat evolves, van der Walt proposes a new term: cyber extortion (or Cy-X). He says this better encapsulates the history, current form, and potential future of this crime wave, as well as making the distinction between extortion as the crime and ransomware as the tool used to commit it.
2. Zero trust
Zero trust describes a “trust nothing by default” approach to securing users and devices. It has become one of the biggest marketing buzz terms of the last few years, exacerbated by the mass shift to remote working and subsequent need for more effective methods of security for remote network access. However, for Quentyn Taylor, director of information security at Canon Europe, the term zero trust is too amorphous. “It’s impossible to know if you’ve actually reached it, and indeed I don’t believe anyone has or could do. What annoys me an awful lot about the concept is that a lot of people talk about it as if it’s new, when in reality we’ve been talking about deperimeterization for years. Zero trust is just a new marketing term for what we’ve been attempting to do for a long time.”
Paul Baird, CTSO UK at Qualys, agrees, adding that zero trust is fine as a concept, but as a buzzword, it is overused and under-delivered. “It is constantly used out of context, which has just created confusion within those that are responsible for implementing it. Zero trust is an ideology covering people, process, and technology. It is not a product that you can just buy off the shelf.”
3. Whitelist and blacklist
The terms whitelist and blacklist date back to some of the earliest days of cybersecurity. Associating “white” with good, safe, or permitted, and “black” with bad, dangerous, or forbidden, the phrases are still commonly applied to allow or deny use or access relating to various elements including passwords, applications, and controls.
Cybersecurity consultant Harman Singh thinks the terms need urgently replacing because of harmful racial overtones associated with them, suggesting allow lists and deny lists serve the same purpose without potentially damaging connotations linked to ethnicity and race. “This is such a small, yet significant, change,” he tells CSO. “The NCSC made this conscious change last year to avoid racial tone. Still only a handful of companies in the industry have thought about doing this. Why don’t we all follow this example to stamp out such terms?”
In a blog post, Emma W, head of advice and guidance at the NCSC, wrote: “You may not see why this matters. If you’re not adversely affected by racial stereotyping yourself, then please count yourself lucky. For some of your colleagues (and potential future colleagues), this really is a change worth making.”
One of the few companies that has taken this step is Microsoft, addressing non-inclusive language as a barrier to maintaining and developing diversity within cybersecurity. “A recent report published by UK Finance, EY and Microsoft found that making changes to non-inclusive language in cybersecurity and the broader workplace can go a long way in supporting diversity,” says Microsoft chief security advisor Sarah Armstrong-Smith. Microsoft therefore no longer accepts or refers to whitelists/blacklists on technical forums, opting for allow and block lists instead.
4. AI-powered security
Furor surrounding the potential of artificial intelligence (AI) and machine learning technology to transform cybersecurity has been fever-pitch for the best part of a decade. While you’d be hard pressed to find a security leader who does not recognize and acknowledge the growing importance of automation in modern information security, the plethora of security vendor sales pitches waxing lyrical about the latest AI- or machine learning-powered solution are wearing a little thin.
“Nowadays, regardless of the solution, most security vendors are quick to mention that their product is smart and integrates AI and machine learning to power decision-making processes. They seem to believe that’s what we want to hear, when it really sounds like they’re filling a bingo sheet without understanding how their solution actually works,” says Guillaume Ehny, CISO at gohenry. “Unfortunately, the statement never goes beyond that one sentence. When asked for more information about their model, the answer is almost always that ‘it’s a black box in the engine, it works on its own, and we don’t even need to worry about it.’ I understand that an AI/machine learning-assisted product can be an advantage and deserves to be mentioned, but the way it’s communicated is rarely doing any favors.”
5. Cyber 9/11
The term cyber 9/11 was first coined in the wake of the coordinated terrorist attacks against the United States by militant Islamist group al-Qaeda on September 11, 2001. The phrase refers to the hypothetical threat of terror-related cyberattacks that have the potential to cause significant and widespread implications including fear, violence, injury and death.
Predictions of such incidents have yet to materialize barring a small handful of cases, and for Taylor, cyber 9/11 and other similar cybersecurity references to major news events should not be used. “It dishonors the people who were affected by these incidents in real life. In addition to this, these kinds of terms are often bandied around as pure hyperbole. Thankfully, we have not yet seen a cybersecurity incident that had the same level of impact as either this [9/11] or any other event that certain commentators like to attach to. The sooner we can move away from attempting to link cyber incidents to real world incidents that have resulted in significant loss of life the better, and the more seriously our industry will be taken as a result.”
6. Digital transformation
While digital transformation is very much a buzz phrase of the modern cloud-driven era, Matt Rider, vice president of security engineering at Exabeam, thinks any reference to digital transformation is merely describing what organizations have been doing for the last 50 years. “The fact is, transformation is nothing new. Everything is always evolving, continuously transforming. This term isn’t a sudden epiphany that’s taken the industry by storm.”
Flashback to the early 1900s and the industrial revolution, where Henry Ford modernized assembly line production. His knowledge of emerging technology and transformational leadership inspired a new way of working, Rider adds. “This was a technological step-change that had a monumental influence and changed the world of work as they knew it at the time. The organizations I have seen be successful have the right culture, not the right tools. If you’re not ‘digitally transformed’ by now, you’re out of the game. I vote we all hop off the digital transformation bandwagon.”
7. SIEM
Security information and event management (SIEM) defines software products and services that combine security information management (SIM) and security event management (SEM). As an acronym and a product offering, SIEM is peddled by seemingly countless cybersecurity vendors.
However, Forrester security and risk analyst Allie Mellen says it has a long legacy in compliance and doesn’t necessarily represent where SIEMs are today. “SIEMs are now focused on threat detection and response, incorporating security user behavior analytics (SUBA) and security orchestration, automation, and response (SOAR) to address each step of the incident response lifecycle. At Forrester, we call them security analytics platforms to better represent what they do: perform security analytics on data and serve as a platform with connections to third-party offerings for response.”
8. People are the weakest link
A concept trotted out at pretty much every security conference around the globe, referring to people as the weakest link in a security chain needs to stop, says Nigel Phair, chair of CREST Australia and director, Cyber Security Institute at the University of New South Wales. “People are the greatest strength to information security and protecting corporate networks and the data which resides on them. Naming and shaming people has not worked and never will. Since there is no technical silver bullet to solving online crime, we need to bring employees along on the journey, explaining to them why certain controls are in place and their role in protecting an enterprise.”
9. Cybersecurity awareness
Improving cybersecurity awareness across an organization is a high-priority goal for many CISOs. But the term is being misused, says Ravi Srinivasan, CEO of Votiro. “The term cybersecurity awareness has created a narrative that users are to blame for security incidents and encourages organizations to build out security strategies rooted in their education and training to detect (and ultimately prevent) cyberthreats,” he tells CSO.
However, today’s attacks are sophisticated and constantly evolving, and even the most security conscious businesses find it difficult to stay ahead of them. Instead, security and IT leaders need to adjust their enterprise security strategies to focus on the business they operate globally. “In lieu of cybersecurity awareness, I would suggest promoting ‘cybersecurity vigilance’ and encourage organizations to enhance collaboration amongst employees and their employers, business and IT leaders, private and public sector entities to work collectively towards thwarting cyberthreats.”
10. Cyber kill chain
As the digital realm becomes ever more entwined with the physical, there has been a growing trend for military-style lexicon in relation to cyber, and none more so than the cyber kill chain. This phrase describes the various stages of a cyberattack and is often linked to advanced persistent threats (APTs). “I’m not sure this is totally appropriate and could lead us into heavier language used to try and make dull topics more interesting,” says Leanne Salisbury, senior manager for threat intelligence at EY. “Plus, I think there is potentially something wrong with this for veterans (especially those who have actually seen live conflict and have actual war stories) when they are asked to share their experiences about a project in a corporate setting with civilians.”
11. Hacker
Acronis cybersecurity analyst Topher Tebow says serious thought needs to be put into how the term hacker is used in today’s landscape, and while it does not necessarily need to be eradicated entirely, incorrect usage of it does. “A hacker is simply someone who can find a way around normal applications of a given item, process, or piece of software to achieve a desired result.”
The problem with this word is that it is often used to describe a cybercriminal, when there are thousands of hackers who hack for the greater good, Tebow adds. “Instead, we need to consider the implications of what we are saying, and use terms like attackers, cybercriminals, and malicious actors instead of calling a bad actor a hacker.”
In defense of cybersecurity buzzwords
While experts agree that many cybersecurity buzzwords and buzz phrases should be laid to rest or replaced, Ed Tucker, senior cybersecurity director at Byte and former European CISO of the year, argues that a lot of the problems stem from the way buzzwords are used, rather than the terms themselves. “One of the biggest problems we have is not the buzzwords—they’re just a part of being in a commercialized industry—but lazy usage and the lack of contextual understanding and practical application of buzzwords. This perpetuates the theme that buzzwords are just that.” He concludes that the industry needs to do a better job of seeing beyond the buzzwords that are so often used and delve deeper into the concepts and where, when, and how they become applicable.
New data highlighting fluctuations relating to ransomware attack and payment claims indicates significant shifts in the cyberthreat landscape. Could such variations trigger changes in the cyber insurance market and, if so, how will they impact insurance carriers and organizations?
Shifting ransomware priorities impacting claim costs
The findings come from Corvus Insurance’s Risk Insights Index, which analyzes cyber risk mitigation and claims data, with the commercial insurance firm’s data suggesting that the costs associated with ransomware claims are notably shifting. It discovered that while there was a rise in ransomware claims from Q2 2020 through Q1 2021, they dropped by 50% in Q2 2021, a trend that largely sustained through Q3 2021. Furthermore, ransomware claims resulting in a ransom payment shrank from 44% in Q3 2020 to just 12% by Q3 2021.
The firm surmised that the changes were due to improved focus on preparedness and resiliency by policyholders, with strategies such as effective data backup management allowing for better and more efficient ransomware recovery. The research also suggested that technology vendors with larger customers have more incentive to prevent and recover from a ransomware attack due to the potential legal ramifications of an outage. For example, a company with 250 or more employees is 216% more likely to sue their tech vendor than a company with 10 or fewer employees, and twice as likely as a company with 11-50 employees, the data showed.
Will changing ransomware trends affect cyber insurance?
The findings indicate clear changes in ransomware claim trends, but how could they impact the cyber insurance market moving forward? Might the price of policies alter to reflect the drop in ransomware attack and ransom claims? Likewise, will companies be rewarded with better deals if they put greater focus on ransomware prevention and recovery?
“The overall business continuity strategies associated with these trends will likely be viewed favorably by the cyber insurance market,” says Lori Bailey, chief insurance officer at Corvus Insurance. “Not only does it show that companies are taking proactive measures to mitigate this risk, but it also indicates an overall general trend towards greater cyber resiliency as part of the risk management process which should reduce loss costs in the future,” she tells CSO.
Trent Cooksley, COO at SMB cyber insurance provider Cowbell Cyber, says that cyber insurance is a market in transition, and the cyber risk assessments conducted by insurers are increasingly thorough and innovative to help build better, more flexible, and tailored coverage for policyholders based on their cyber risk posture. “Tighter partnerships between insurance and cybersecurity vendors to incentivize businesses to deploy the most important security controls, not only to obtain insurance coverage, but to also keep organizations secure, is certainly paying off and should continue to reap rewards in the year ahead across the insurance market,” he says.
AI-based continuous risk assessment and risk aggregation techniques are starting to pay off, either by limiting the scope of damages, preventing incidents in the first place, or supporting refined risk selection, Cooksley adds. “The next 12 months will continue to usher in a wave of transformation.”
However, BreachQuest CTO Jake Williams urges consideration of other factors that may be behind some of the data noted by the research. “Given the law enforcement actions against REvil, it’s not surprising that ransomware claims have dropped off in Q2 and into Q3. The statistic that ransomware claims involving payment dropped in Q3 is undoubtedly correct, though there may be some misattribution of the cause,” he tells CSO.
Williams cites advice from the Office of Foreign Assets Control on the risks associated with paying ransoms as one example. “Stakeholders are increasingly asking whether they have potential liability by paying. This undoubtedly is modifying the decision calculus. While better preparation may account for some changes, there are other factors likely at play.”