Authentication failure blamed for Change Healthcare ransomware attack
CSO Online
8m ago
Absence of adequate remote access authentication has emerged as the probable cause of the infamous Change Healthcare ransomware attack. Attackers “compromised credentials on an application that allows staff to remotely access systems” before infiltrating Change Healthcare’s networks on or around February 12, an unnamed person “familiar with the ongoing investigation” told the Wall Street Journal. Multi-factor authentication controls were absent on this application — contrary to industry best practice — leaving the vulnerable application exposed. Cybercriminals subsequently loitered on the US ..read more
Russian state-sponsored hacker used GooseEgg malware to steal Windows credentials
CSO Online
7h ago
Russia-linked advanced persistent threat (APT) actor Forest Blizzard had, since June 2020, exploited a now-patched Windows vulnerability to drop previously unknown, custom post-compromise malware, GooseEgg, according to a Microsoft report. Forest Blizzard, linked previously to the Russian intelligence agency General Staff of the Armed Forces of the Russian Federation (GRU), deployed GooseEgg to gain elevated access to target systems and steal credentials and information. “Although Russian threat actors are known to have exploited a set of similar vulnerabilities known as PrintNightmare (CVE ..read more
Top 10 physical security considerations for CISOs
CSO Online
10h ago
While chief information security officers (CISOs) are rarely tasked with the full range of health and human safety concerns that facilities teams or chief security officers must act upon, CISOs still have a huge part to play in enterprise physical security strategies, from physical security systems that connect to IT systems to physical access to IT assets. What is physical security? Physical security is the protection of people, property, and physical assets from actions and events that could cause damage or loss. Though often overlooked in favor of cybersecurity, physical security is equal ..read more
Microsoft’s mea culpa moment: how it should face up to the CSRB’s critical report
CSO Online
10h ago
After the CSRB report, Microsoft must eschew marketing hyperbole while apologizing for its cavalier security practices, communicating its remediation plan, and reporting honest metrics to the security community as it proceeds. On March 20 of this year, the Cyber Safety Review Board (CSRB), an organization under the Cybersecurity and Infrastructure Security Agency (CISA) that was established pursuant to President Biden’s Executive Order (EO) 14028 on ‘Improving the Nation’s Cybersecurity’, published a report titled: “Review of the summer 2023 Microsoft Exchange Online Intrusion.” As the title su ..read more
More attacks target recently patched critical flaw in Palo Alto Networks firewalls
CSO Online
21h ago
An increasing number of attackers are trying to exploit a critical vulnerability in firewall appliances from Palo Alto Networks after proof-of-concept exploit code was published last week. The flaw was originally reported on April 12th as a zero-day after an APT group was found exploiting it in the wild in limited attacks. As of April 18, there were still about 22,500 devices accessible from the internet that were potentially vulnerable, according to statistics from the Shadowserver Foundation. While the number is significant considering that every such device is a potential gateway into a c ..read more
How application security can create velocity at enterprise scale
CSO Online
1d ago
Modern software has completely transformed the way organizations operate and compete in the market. With the increasing demand for secure and reliable software delivered at scale, the pressure to meet time-to-market deadlines has never been greater. To manage software risk and also increase development velocity and agility, organizations are deploying more and more security tools that promise to meet these challenges head-on. But this is having the opposite of its desired effect; security tool proliferation has resulted in complexity that has slowed down development teams, decreased o ..read more
DevSecOps: Still a challenge but more achievable than ever
CSO Online
1d ago
It’s been said before—long before. It’s the 18th-century philosopher Voltaire who gets credit for the timeless proverb “Perfect is the enemy of good.” But here we are, centuries later, and it’s still relevant—in this case to modern software development. If you try to make software perfect, not only will you fail at that, but you’ll also fail to get a product out the door. To do what’s good while actually getting things done requires setting priorities: Fix the biggest problems, eliminate the worst threats, and get the product to market. That’s what DevSecOps, done right, can do. But doing it ..read more
Don’t be afraid of GenAI code, but don’t trust it until you test it
CSO Online
1d ago
“You are what you eat” applies figuratively to humans. But it applies literally to the large language models (LLM) that power generative artificial intelligence (GenAI) tools. They really are what they eat. If the massive datasets fed to LLMs from websites, forums, repositories, and open-source projects are poisoned with bias, errors, propaganda, and other junk, that’s what they will regurgitate. If the datasets are thorough, accurate, and not politicized, you’re much more likely to get useful, reliable results. Not guaranteed, but more likely. Those who are increasingly using GenAI tools to ..read more
Mitre Corporation targeted by nation-state threat actors
CSO Online
1d ago
Mitre Corporation, a non-profit organization that operates federally funded research and development centers (FFRDCs) on behalf of the US government, has revealed a major breach in its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network vital for the organization’s research and development activities. “We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry’s current cy ..read more
6 security items that should be in every AI acceptable use policy
CSO Online
1d ago
An AI acceptable use policy (AI AUP) serves as a foundational component of an organization’s security framework, helping to mitigate risks and promote the responsible use of AI technologies. Broadly speaking, an AI acceptable use policy is a set of rules and guidelines that govern the responsible, ethical, and effective use of artificial intelligence technologies. It outlines acceptable behaviors, practices, and procedures related to developing, implementing, and using AI systems. The primary purpose of an AI AUP is to ensure that AI technologies are used in a manner that aligns with the goa ..read more
