Daily Tech Digest - October 27, 2023

Quishing is the new phishing: What you need to know

Consider the QR code aired during the Super Bowl. Now, imagine the company behind that commercial had malicious intent (just to be clear, the company behind that commercial did not have malicious intent). Say, for example, the QR code displayed during the ad opened your phone's browser and automatically downloaded and installed a piece of ransomware. Given the number of people who watch the Super Bowl, the outcome of that attack could have been disastrous. That's quishing. ... We've all just accepted the QR code. And, to that end, we trust them. After all, how harmful can a simple QR code be? The answer to that question is…very. And cybercriminals are counting on the idea that most consumers always assume QR codes are harmless. Those same criminals also understand that their easiest targets are those on mobile phones. Why? Because most desktop operating systems include phishing protection. Phones, on the other hand, are far more vulnerable to those attacks. At the moment, most quishing attacks involve criminals sending a QR code via email. 

Boardrooms losing control in generative AI takeover

The theme of people adopting GenAI within their workplaces without oversight from IT and security teams or leadership, a trend we might reasonably term shadow AI, is not a new one as such. Earlier this year, an Imperva report drew similar concerns, stating that an insider breach at a large organisation arising from someone using generative AI in an off-the-books capacity was only a matter of time. However, given the steadily widening scope and ever-growing capability of generative AI tools, organisations can no longer afford not to exert, at the very least, minimal oversight. “Much like bring-your-own-device [BYOD], gen AI offers massive productivity benefits to businesses, but while our findings reveal that boardroom executives are clearly acknowledging its presence in their organisations, the extent of its use and purpose are shrouded in mystery,” said Kaspersky principal security researcher, David Emm. “Given that GenAI’s rapid evolution is currently showing no signs of abating, the longer these applications operate unchecked, the harder they will become to control and secure across major business functions such as HR, finance, marketing or even IT,” said Emm.

Privacy vs convenience – which comes out ahead?

There is a mutual responsibility between employees and employers, so trust and openness are essential. On the one hand, employees must be discerning about the digital tools they employ, understanding the permissions they grant and the third parties that might gain access to their data. They also need to accept that their personal choices can impact the security of the organization too. This requires awareness and a commitment to regular audits of personal digital spaces, ensuring that no unwanted entities are lurking in the shadows. Conversely, organizations bear the responsibility of being forthright about their data practices. Companies that are transparent about the data they access - and, more importantly, why they access it—stand out as beacons of integrity. This transparency extends beyond mere access; it encompasses the entire data lifecycle, from collection to storage, usage, and eventual disposal. By openly communicating these practices, enterprises can foster a culture of trust with their employees – and comply with regulatory standards too.

How to Speed Cyberattack Discovery

A fast and reliable way to identify cyber threats is with proactive threat hunting, which utilizes human defenders armed with advanced detection and proactive response technologies and approaches, says Mike Morris, a Deloitte risk and financial advisory managing director via an email interview. “In particular, threat hunting, during which human defenders actively maneuver through their networks and systems to identify indicators of a network attack and preemptively counter these threats, can speed the discovery of cyberattacks.” Yet he warns that for threat hunting to function optimally, it’s necessary that specific, relevant, and accurate intelligence is coupled with automation to identify and mitigate the adversary’s activities. When deploying human-based threat-hunting capabilities, it’s helpful to think about the parallels to physical security leading practices, Morris says. “For example, human security guards, tasked with protecting critical assets, constantly inspect physical infrastructures and maintain the integrity of their responsible spaces by actively patrolling and investigating,” he explains.

The Financial Consequences of Inadequate Data Governance

Low-quality data can severely impact decision-making and operational efficiency. Inaccurate or incomplete data can lead to flawed strategies, missed opportunities, and ultimately, financial losses. A sales team relying on outdated customer information could waste time on leads that have already been converted or are no longer relevant, leading to lost sales opportunities and financial losses. Similarly, a marketing team using incorrect customer segmentation data could end up targeting the wrong audience, wasting advertising budget, and missing revenue targets. These real-world scenarios further illustrate the cost of poor data quality. The examples highlight the tangible impact of data quality issues on an organization's bottom line. ... Data breaches can have devastating financial consequences for organizations. The direct costs include legal fees, fines, and customer compensation, which can run into millions of dollars. Indirect costs, such as reputational damage and loss of business, can be even more damaging in the long run. 

Change Management for Zero Trust

Change management isn’t any different for Zero Trust than it is for any other big initiative. But most of us aren’t very good at change management. And security and cybersecurity are not sexy. And most people want their security to be minimally invasive and as unnoticeable as possible. And most leaders get no top-line/bottom-line joy from spending money on Zero Trust initiatives. And Zero Trust doesn’t drop new features and functionality for a product at the end of a sprint. ... Three key areas you can focus on as you get started:Get leadership engaged – If the culture of your organization is driven by urgency, craft a message and plan that leverages urgency. If the culture is driven through aspiration, use aspirational vision and goals. Either way, get leadership on board to deliver the message. Create a communications strategy – The strategy must include the rhythm and mode of communications, as well as the context and content of the communications for leadership and sponsors, leads and key centralized players, local mavens, and users. Persuasive communication is what the marketing team does well. Get them involved.

UK Prime Minister announces world’s first AI Safety Institute

"The British people should have peace of mind that we're developing the most advanced protections for AI of any country in the world," Sunak said. "I will always be honest with you about the risks, and you can trust me to make the right long-term decisions." The AI Safety Institute will assess and study these risks — from social harms like bias and misinformation, through to the most extreme risks of all - so that the UK understands what each new AI model is capable of, Sunak added. "Right now, we don't have a shared understanding of the risks that we face. Without that, we cannot hope to work together to address them." The UK will therefore push hard to agree to the first ever international statement about the nature of AI risks to ensure that, as they evolve, so does shared understanding about them, Sunak said. "I will propose that we establish a truly global expert panel to publish a State of AI Science report. Of course, our efforts also depend on collaboration with the AI companies themselves. Uniquely in the world, those companies have already trusted the UK with privileged access to their models. That's why the UK is so well-placed to create the world's first Safety Institute."

DNS Under Siege: Real-World DNS Flood Attacks

During H1 2023 there was a surge in DNS flood attacks affecting multiple organizations around the world. Looking at the DNS attacks and their characteristics we suspect that they belong to one or more global DNS attack campaigns. We were able to identify significant DNS attack activity world-wide and were able to identify correlations between attack events to different DNS servers. ... The organizations that were targeted by these DNS flood attacks all belong to the financial and commercial segment. We detected and mitigated DNS flood attacks targeting banks, retailers, insurance etc. This can hint on the DNS campaign’s agenda, and help similar organizations protect their DNS services. ... There was a single attack vector repeating in all DNS attacks and that is the random subdomain, also known as DNS water torture. Interestingly, we identified different types of invalid subdomains used in the attacks. In some cases, it was purely random with high entropy1 including case randomization and in other cases the attack subdomains were human-readable, but non-existent.

FTC eyes competitive practices for genAI

Generative AI is set to become one of the world’s most dominant industries. One projection puts the market at $76.8 billion by 2030, up from a current valuation at $11.3 billion. Goldman Sachs, for its part, boldly says the technology could drive a 7% (or nearly $7 trillion) increase in global GDP. Amidst all this, the FTC says issues could arise around control over one or more of the “key building blocks” of generative AI: data, talent and computational resources. If a single company or handful of firms controlled one of these essential inputs, “they may be able to leverage their control to dampen or distort competition,” the agency asserts. “And if generative AI itself becomes an increasingly critical tool, then those who control its essential inputs could wield outsized influence over a significant swath of economic activity.” In particular, the agency said firms could bundle and tie products — offering multiple products in a single package or conditioning the sale of one product on the purchase of another, respectively. 

Keys to effective cybersecurity threat monitoring

Over the past few years, attackers have adjusted their tactics, finding success in targeting employees with the intent of stealing their credentials. Social engineering tactics such as phishing often catch individual users out, leading to passwords, financial information and other sensitive data being breached. “In the past, they might have relied on attacking infrastructure directly through vulnerabilities or brute force attacks. While they can still happen, these attacks run a high risk of discovery before the bad actor can get in,” explained Hank Schless, director of global security campaigns at Lookout and host of the Security Soapbox Podcast. “Now, attackers are targeting individuals who likely have access to large sets of valuable cloud data. They do this with the intention of stealing those individuals’ credentials via mobile phishing attacks in order to be able to enter the organisation’s infrastructure discreetly under the guise of being a legitimate user. “This creates massive issues with monitoring for threats, because the threat looks like it’s coming from the inside if an attacker is using stolen credentials.”

Quote for the day:

"It is the capacity to develop and improve their skills that distinguishes leaders from followers." -- Warren G. Bennis

No comments:

Post a Comment