Crimson Blog

Security Bytes - Issue 22

Written by Jim Tiller | Mar 3, 2023 1:15:08 PM

Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, and industry leadership, and has received multiple patent-winning recognitions for innovation in security solutions.

Hi everyone,

I want to start by encouraging you to subscribe to this newsletter on LinkedIn. The good news is it’s getting a lot of positive feedback and expanding in readership. Also, since I’m not sending it to the entire company (only about 200 people), encouraging others to subscribe will help people across Nash Squared’s family of companies receive it.

Subscribe on LinkedIn https://www.linkedin.com/build-relation/newsletter-follow?entityUrn=6943286067194187776

Enjoy.


That's Rough

One of the roles CISA has taken on is notifying the industry of vulnerabilities that are known to be actively exploited, especially those that could have broad implications. This week they reported on attacks against IBM’s Aspera Faspex (aspera is Spanish for ‘rough’, hence the silly title), a file transfer tool used by, well, everyone. CISA is quoted as saying the IBM vulnerability poses “significant risks to the federal enterprise.” Ok, so two things: 1) Is it just me, or does it seem like there are a lot more massive holes appearing in places where you don’t want massive holes? You know, like the DoD putting up a Microsoft Azure-based email server without a password? Oh, and how is that even possible? Anyway… and 2) If IBM (and the DoD & MS) can make these kinds of mistakes, what hope do average companies have?

CISA Alert - https://www.cisa.gov/news-events/alerts/2023/02/21/cisa-adds-three-known-exploited-vulnerabilities-catalog

IBM - https://therecord.media/ibm-aspera-faspex-bug-cisa-known-vulnerability-list/

DoD email - https://techcrunch.com/2023/02/21/sensitive-united-states-military-emails-spill-online/


Well, Duh

Given the excitement over ChatGPT (which has dramatically exceeded 100 million users), it’s no surprise that scammers have successfully used the site to infect people’s systems, and not in the way you’re thinking, but using one of the oldest and most successful attacks: phishing. They’re basically replicating OpenAI’s real site and have created their own look-alike that installs malware on your PC. The lesson here is that whenever something is popular or attracting online attention (i.e., hits), scammers are going to jump in with both feet.

Article - https://blog.cyble.com/2023/02/22/the-growing-threat-of-chatgpt-based-phishing-attacks/


What Old is Old Again

Ok, so I’m being a bit of a curmudgeon on this one, but in reality, it’s a very good thing! This week the NSA released a nine-page “Best Practices for Securing Your Home Network” to help teleworkers, although it’s very good advice for everyone with a computer. Interestingly, for someone like me who has been in cybersecurity for a bit, I recall writing nearly these same guidelines in the ’90s. Look, security is not always rocket science. I know we want it to be, but in reality it’s made possible by hard work dealing with the minutiae every day. Actually, security is long streams of painfully boring administrivia interrupted by moments of total panic. This is excellent guidance, but I’m concerned no one will do it because some of these things are not easy for your average person. Next, companies should absorb this and find ways of implementing it. I’ve always said your user community can be an asset to security if meaningfully engaged. Also, there are some great nuggets in here that I think a lot of people don’t think about enough. For example, recognizing that everything can be, and is, listening to you. And of course, if you don’t secure your wireless network, your home is no different from a coffee shop.

NSA press release - https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3304674/nsa-releases-best-practices-for-securing-your-home-network/

NSA guidance - https://media.defense.gov/2023/Feb/22/2003165170/-1/-1/0/CSI_BEST_PRACTICES_FOR_SECURING_YOUR_HOME_NETWORK.PDF


Punching Out

Last year I reported on a survey of roughly 5,000 security professionals across more than 20 countries that indicated that nearly 26% of security pros will leave the industry entirely in 2-3 years, with the majority saying within the year. This week Gartner published a report stating that half of the CISO community will change jobs by 2025 and, importantly, 25% will change careers! There are a lot of pressures, and being under constant threat can have psychological implications. Also, politics, the protector mentality, getting 1% or less of the budget you need, and simply being inundated are difficult, and for some just too much. Of course, this doesn’t bode well for the industry, which is already short 3.4m people, according to several studies. And, weirdly, another study by ISC2 from last month indicated that companies are still planning on laying off 10% of their security teams. Of course, this is a fraction of other groups, but still.

Gartner article - https://www.gartner.com/en/newsroom/press-releases/2023-02-22-gartner-predicts-nearly-half-of-cybersecurity-leaders-will-change-jobs-by-2025

ISC2 2022 workforce study - https://www.isc2.org//-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-Workforce-Study.ashx

ISC2 Recession report - https://www.isc2.org/Research/How-the-Cybersecurity-Workforce-Will-Weather-a-Recession