Experts Warn of Risks in Memory-Safe Programming Overhauls
Memory-safety vulnerabilities can allow hackers, cybercriminals and foreign adversaries to gain unauthorized access to federal systems, they said. But the experts also warned that the challenge of migrating legacy code and information technology written in non-memory-safe languages could be too unrealistic and risky for most organizations to undertake. "Strategically focusing on eradicating memory-corruption vulnerabilities is crucial, due to their prevalence," said Chris Wysopal, co-founder and chief technology officer of Veracode. "However, completely rewriting existing software in memory-safe languages is impractical, expensive and could introduce new vulnerabilities." The report says experts have identified programming languages such as C and C++ in critical systems "that both lack traits associated with memory safety and also have high proliferation." While most enterprise software and mobile apps are already written in memory-safe languages, developers still prioritize performance over security under some scenarios, according to Jeff Williams, co-founder and chief technology officer of the security firm Contrast Security.
Hackers exploited Windows 0-day for 6 months after Microsoft knew of it
The vulnerability Lazarus exploited, tracked as CVE-2024-21338, offered considerably more stealth than BYOVD because it exploited appid.sys, a driver enabling the Windows AppLocker service, which comes pre-installed in the Microsoft OS. Avast said such vulnerabilities represent the “holy grail,” as compared to BYOVD. In August, Avast researchers sent Microsoft a description of the zero-day, along with proof-of-concept code that demonstrated what it did when exploited. Microsoft didn’t patch the vulnerability until last month. Even then, the disclosure of the active exploitation of CVE-2024-21338 and details of the Lazarus rootkit came not from Microsoft in February but from Avast 15 days later. A day later, Microsoft updated its patch bulletin to note the exploitation. It’s unclear what caused the delay or the initial lack of disclosure. Microsoft didn’t immediately have answers to questions sent by email. ... Once in place, the rootkit allowed Lazarus to bypass key Windows defenses such as Endpoint Detection and Response, Protected Process Light—which is designed to prevent endpoint protection processes from being tampered with—and the prevention of reading memory and code injection by unprotected processes.
How GenAI helps entry-level SOC analysts improve their skills
“There’s a specific set of analysts who can open it at any point in the user
experience, with the context of the selected customer and all the data on their
alerts and with access to our proprietary data sets,” he says. “Then the
analysts can interact with it and ask questions about the investigation, such as
what the next action should be.” As part of the staged rollout process for the
GenAI features, Secureworks has built feedback loops that allow analysts to rate
the results that the AI provides. Then the results go back to the data
scientists and prompt engineers, who revise the prompts and the contextual
information provided to the AI. Integrating generative AI revolutionized the way
Secureworks’ junior analysts approach security operations, says Radu Leonte, the
company’s VP of security operations. Instead of focusing exclusively on
repetitive triage tasks, they can now handle comprehensive triage,
investigation, and response. They can now triage alerts faster because all the
supplementary data is brought into the platform, together with summaries and
explanations, Leonte says. The accuracy and quality of triage increases as well
because of fewer human comprehension errors and fewer missed detections.
Singapore reviews ways to boost digital infrastructures after big outage
The impending Digital Infrastructure Act is among the measures being
developed, with the intent to complement existing regulations that focus on
mitigating cyber-related risks. The ministry added that the Cybersecurity Act
soon will be expanded to include "foundational digital infrastructures", such
as cloud service providers and data centers as well as key entities that hold
sensitive data and carry out essential public functions. The new digital
infrastructure bill also will go beyond cybersecurity to encompass other
resilience risks, spanning misconfigurations in technical architectures and
physical hazards, such as fires, water leaks, and cooling system failures. The
task force will identify digital infrastructures and services that, if
disrupted, have a "systemic impact" on Singapore's economy and society. These
include cloud services that facilitate the availability of widely-used digital
services, such as digital identities, ride-hailing, and payments. The task
force also is establishing requirements that regulated entities will be
subject to under the Digital Infrastructure Act, which will consider the
country's operating landscape and international developments.
Why we need both cloud engineers and cloud architects
Cloud engineers collaborate extensively with software developers and maybe do
some ad hoc development. I would, however, not go so far as calling them
developers since they do have other duties that are just as important and
don’t require coding. What’s critical to being a cloud engineer is being
“hands-on” in dealing with the complexities of cloud systems, databases, AI,
governance, and security. In many cases, there are special engineering
disciplines around these subtechnologies, and certainly certifications that
address specifics, such as certified cloud database engineer. On the other
hand, a cloud architect plays a strategic role in orchestrating the cloud
computing strategy of an organization. They are responsible for designing the
overarching cloud environment and ensuring its alignment with business
objectives. They are not typically hands-on. They may have specializations as
well, such as cloud database architect or cloud security architect. Cloud
architects assess business and application requirements to craft scalable
cloud solutions using the right mix of technologies. This can entail both
cloud and non-cloud platforms.
Why cyber maturity assessment should become standard practice
There are other clear benefits to the business in determining cyber maturity.
By identifying gaps to security controls (and thus potential risks to the
organization), it can help with reporting to the board on cyber security
posture, while for the C-suite, who amid a recession and skills crisis need to be
laser-focused when it comes to investment, being able to pinpoint where and how to
dedicate spend is also invaluable. Moreover, as measuring maturity is a
proactive risk-based process that seeks to bring about continuous improvement
it can also reduce the likelihood and cost of an impact: Kroll’s State of
Cyber Defense 2023 report found that those with a high level of cyber maturity
experience fewer security incidents. And being as it is focused on process,
cyber maturity can help to embed a security culture within the business. ...
But there are also marked differences depending on the size of the business:
SMEs will sometimes have less governance such as effective data protection or
risk management processes, whereas larger enterprises, while they have the
manpower and may even have a dedicated internal audit team, may be stretched
or in some cases, inexperienced.
OpenAI’s Defense in Copyright Lawsuit: New York Times “Hacked ChatGPT” To Create Evidence
The “NYT hacked ChatGPT” defense directly addresses claims of damages due to
the chatbot being used as a potential substitute for a subscription to the
paper, much in the same way that many less sophisticated tools allow for
bypassing its paywall. But the defense does not address the broader question
of whether OpenAI and others have an inherent right to use a copyrighted work
to train an AI model, something that will rely on court interpretations of
fair use law. The US fair use doctrine has never had entirely clear terms to
cover every circumstance, and is largely built on precedent established by
prior court decisions as examples of alleged unauthorized use come up. That is
why the outcome of this copyright lawsuit potentially carries a lot of weight.
This will be the first direct test of AI use of training materials in this
way. How the courts interpret this use will be absolutely vital to the futures
of OpenAI and similar companies; OpenAI has already publicly stated that it is
impossible to train these types of LLMs without scraping publicly accessible
materials from the internet.
Generative AI Enthusiasm Versus Expertise: A Boardroom Disconnect
Educating business leaders and stakeholders -- including those who
self-identify as experts -- will be key for companies in the coming months and
years. Analytics and AI experts will need to find better ways to inform key
decision-makers about generative AI. That means going beyond the surface to
convey an understanding of the underlying technologies, too. Companies that
are serious about adopting generative AI across their entire organization must
ensure they have the mechanisms to manage risk and adopt the technology
responsibly. It isn’t enough for companies to create and implement a
governance plan -- they must then expend the energy to enforce the guidelines
they have implemented. Otherwise, companies can fall into the trap of making
these and other IT policies pointless, opening the door to even greater
vulnerabilities and exposure. ... In the meantime, leaders can capitalize on
this board enthusiasm to help spread awareness of generative AI's importance
and influence funding sources within the company. One key message to convey
will be the importance of democratizing the technology’s place within the
organization so as many people as possible can unlock its value.
Why your best IT managers quit
“The boss is the classic reason why managers leave,” says Greg Barrett, a
senior executive advisor and senior consultant, noting that he has seen this
factor, more than money, prompt top talent to resign. Such bosses tend to
micromanage and keep tight control on their direct reports, rather than
allowing managers the autonomy they want and need to be good leaders
themselves, Kozlo says. Bev Kaye, founder and CEO of employee development,
engagement, and retention consultancy BevKaye&Co, has heard from plenty of
promising professionals who quit their jobs because of a bad boss. “They’d
say, ‘My boss was a jerk and I couldn’t stand it anymore.’” Bosses who are
arrogant, condescending, and disrespectful are displaying “jerk behaviors,”
Kaye says. Moreover, top performers complain when their bosses don’t cultivate
personal connections that help demonstrate that they, as bosses, have a
genuine interest in helping their managers succeed and advance, she says. “We
ask people why they leave, and they answer, ‘My boss never really knew me,
never really knew the things I loved doing and working on,’” explains Kaye,
who points to the complaints she once heard workers voice as they were
traveling to an event, a trip they had been given as a reward for their great
performance yet they didn’t want.
Defending Operational Technology Environments: Basics Matter
"The idea that you're going to have an air gap or completely segmented or
separated OT network is lunacy in this world, outside of nuclear pipelines,"
Lee said. "But you still don't want it to be where you can open up an email
and hit a controller on your network." One test of whether an organization has
an adequate focus on the basics is to see how it would fare against an
already-seen threat, such as the Stuxnet malware designed to infect OT
environments, which first appeared in 2010. "There are still a significant
portion of infrastructure asset owners and operators that could not detect
that capability today, 13 years later," Lee said. Beyond network segmentation,
he said, essential security controls include monitoring ICS networks - less
than 5% of which are currently being monitored - as well as requiring
multifactor authentication and taking a risk-based approach to managing OT
vulnerabilities. All of this remains age-old advice for protecting against
current and future cybersecurity risks. "If you do the knowns, if you actually
defend against the things that we know how to defend against, you get a lot of
value out of the things you may not know about," he said.
Quote for the day:
"Accomplishing goals is not success.
How much you expand in the process is." -- Brianna Wiest