Spiceworks connected with cybersecurity leaders and experts to highlight the areas organizations need to reassess in Cybersecurity Awareness Month 2023.
For Cybersecurity Awareness Month 2023 this October, Spiceworks News & Insights brings you two cents from eight cybersecurity experts.
While social engineering, one of the earliest hacking techniques, is still relevant today, experts weigh in on the rise of artificial intelligence (AI), the importance of the right skills in tackling threats, the importance of rapid incident response, and more.
The theme chosen for Cybersecurity Awareness Month 2023 is ‘Secure Our World.’
Each year in October, the cybersecurity and the overarching technology community commemorates the month-long recognition of the necessity of building a robust and consistent cybersecurity strategy and resilience that cuts through industries.
Two decades after the launch of the first Cybersecurity Awareness Month in 2004 by the U.S. Department of Homeland Security and National Cybersecurity Alliance, global cybersecurity still struggles to get the basics right.
“Let’s face it – it may be time to change the name of Cybersecurity Awareness Month to Cybersecurity Action Month. Sadly, individuals and businesses around the globe are already all too aware of the pain and damage that cyberattacks can inflict,” Darren Guccione, CEO and co-founder of Keeper Security, told Spiceworks.
That is probably why Cybersecurity Awareness Month was initiated — to ensure organizations take a step back and reevaluate their cybersecurity practices and strategy for emerging and existing threats and vulnerabilities.
For instance, 2023 is dubbed the year of “digital forest fires” by SecurityScorecard due to software supply chain bugs. The tendency of supply chain vulnerabilities to cut open an organization and its downstream customers has attracted renewed attention from cybercriminals. Vulnerabilities with the potential of having far-reaching impacts discovered in 2023 include those in MOVEit, ChatGPT, PaperCut NG, Fortinet FortiOS, and others.
Meanwhile, the dark side of the emergence of generative artificial intelligence (AI) is becoming apparent with its use in crafting unique attack campaigns. 75% of cybersecurity specialists surveyed by Beyond Identity agreed that the use of AI in cyberattacks is increasing. 64% of respondents said GPT-4, ChatGPT, and DALL-E 2 can be used to create advanced and effective cyber threats.
This is concerning, considering that social engineering a human into lowering an organization’s guard remains the weakest link in cybersecurity. Case in point: MGM Resorts International and Caesars Entertainment, both of which met regulatory compliance requirements and had technology and cybersecurity investments in place, were victimized in separate attacks.
Teenagers and young adults from the outfit Scattered Spider, affiliated with ransomware-as-a-service syndicate BlackCat/ALPHV, are alleged to have carried out the attacks. In the case of MGM, they used simple social engineering to trick a Help Desk executive over the telephone to gain entry. The attack took down several of the hotel chain’s websites and impacted thousands of rooms, ATMs, slot machines, restaurants, and more.
Meanwhile, Caesars was breached through an outside vendor. The hotel ended up paying “tens of millions of dollars,” according to Bloomberg.
The theme chosen for Cybersecurity Awareness Month 2023 is Secure Our World. John Gallagher, Vice President of Viakoo Labs, told Spiceworks, “It’s not ‘Secure Our Datacenter’ or ‘Secure Our Computers’ — it’s ‘Secure Our World,’ which means organizations should be looking beyond computers and core applications to every network-connected device, such as IoT, and asking if that device has a plan and means to become and remain secure with the least human effort needed.”
“If I were to add one more word to this year’s theme, it would be ‘Automatically.’ ‘Secure Our World Automatically’ challenges organizations to improve the speed of security operations and relieve humans of tedious tasks like patching, rotating passwords, and screening for phishing attempts. Rapidly closing the window of opportunity that a threat actor can operate in is key to securing our scaled-out, geographically sprawled attack surfaces of IT, IoT, OT, and ICS.”
Spiceworks News & Insights got in touch with cybersecurity leaders and experts to point out the areas organizations need to reassess in Cybersecurity Awareness Month 2023. Here’s what they opined.
Food for Thought From Cybersecurity Leaders
Manu Singh, VP of Risk Engineering at Cowbell, on employee education and awareness — get your basics right
“Bad actors are becoming more sophisticated and clever with their approach to using emerging technologies to launch cyberattacks. The evolving cyber threat landscape is making it more difficult for organizations to defend themselves against convincing phishing emails and malicious code generated by AI.
The most important thing organizations can learn from Cybersecurity Awareness Month is to take a proactive approach to protecting their information assets and IT infrastructure. To do this, organizations should consistently educate and promote awareness of the latest threats and risks they may face. From there, this education should transform into best practices each employee can adopt to reduce exposure to a cyber event. This promotes a culture of security rather than placing the responsibility on IT or security personnel. Organizations as a whole are responsible for securing and protecting against the cyberthreats they face.”
But that’s not enough!
Randy Watkins, CTO of Critical Start, on the need for education beyond employees and consumers
“Cybersecurity Awareness Month has traditionally focused on educating consumers, who are often susceptible as targets of opportunity, where there is a high likelihood of success but a low yield. While some of the typical security reminders and best practices can transcend the workplace to create a culture of security, we should also use this opportunity to highlight additional areas of education:
Board Level — A litany of cyber regulations has been proposed or approved on everything from breach disclosure to board membership. Educating the board on the organization’s current cyber posture, impact on risk, and coming regulations, along with the team’s plans to accommodate the regulation, can help get buy-in early and show the value of security to the organization.
End Users — Go beyond phishing education and inform your users of the people, procedures, and products used to protect them. With the understanding of the investment made by the organization, others may look to see how they could be good stewards of cyber posture.
The Security Team — It’s time for the teachers to become the students. While cybersecurity education programs target the ‘riskiest attack surface of the organization’ (end users), it is important to obtain feedback from those end users on how security practices and technology could be more effective.”
Georgia Weidman, security architect at Zimperium on cybersecurity professionals
According to the International Information System Security Certification Consortium (ISC)², the cybersecurity workforce gap in 2022 was 3.4 million. However, the people with the right profile must fill these gaps. Weidman has some thoughts on who can capitalize.
“At the beginning of their careers, it’s often the more technically trained people (such as system admins) who get out of the gates the fastest. They know the tools, they often know the techniques, and they have usually been exposed to many of the practices, so picking up a specific environment’s tactics, techniques, and procedures is pretty easy. The more generalist CompSci/CompEng/SoftEng folks have a good understanding of theory but not so much experience in practice, and their initial learning curve is often steeper, and thus they get out of the gate more slowly.
It is often the case that, having spent time in the trenches, some practitioners will realize that their tools do not do all they would like them to do, and they are inspired (or cursed) to attempt to build their tools. Generally speaking, the programmers with those more general CompSci/CompEng/SoftEng degrees will have an easier time ramping up their efforts to actually write software instead of just using it. Writing performant, scalable, secure, relatively bug-free, user-friendly code is an entirely different skill set than cybersecurity, so building cybersecurity tools benefits from the theory and practice afforded by the more general degrees. Again, some folks from the admin path or the cybersecurity degree will excel at this. There’s no one true path, but in general, at a sufficient scale, these principles are useful guides.”
Marcus Fowler, CEO of Darktrace Federal on AI and cybersecurity
“The global threat landscape is always evolving, but AI is poised to have a significant impact on the cybersecurity industry. The tools used by attackers — and the digital environments that need to be protected — are constantly changing and increasingly complex. We expect novel attacks will become the new normal, and we’re entering an era where sophisticated attacks can adapt at machine speed and scale. Luckily, AI is already being used as a powerful tool for defenders — helping to strengthen and empower our existing cyber workers so they can keep pace with increasingly complex environments and the constant onslaught of ever-evolving cyber threats.
In a recent survey, we found that the top three characteristics that make employees think an email is risky are being invited to click a link or open an attachment, an unknown sender or unexpected content, and poor spelling and grammar. But generative AI is creating a world where ‘bad’ emails may not possess these qualities and are nearly indistinguishable to the human eye. It is becoming unfair to expect employees to identify every phish, and security training, while important, can only go so far. Increasing awareness of and the ability to recognize phishing attempts is an important first step, but an effective path forward lies in a partnership between AI and human beings. AI can determine whether the communication is malicious or benign and take the burden of responsibility off the human.”
Scott Gerlach, CSO and co-founder of StackHawk
“With new technology comes new attack vectors, new attack types, and new problems for security teams to learn, understand, and keep up with. With the speed and deployment of APIs growing insanely fast and the historically unbalanced ratio of AppSec teams to Developers (1:100), to say it’s a challenge for security teams to keep pace with development is an understatement. Utilizing a developer-first philosophy that acknowledges the pivotal role software creators have in cybersecurity efforts and bridging that gap between AppSec and engineering is critical to ensure the safe and secure delivery of APIs and applications to production. Bring the right information to the right people at the right time to help them make decisions!”
Stephen Gorham, COO at OPSWAT, on the attack surface
Visibility: ‘You Can’t Protect What You Can’t See’
“The adage holds in cybersecurity — you can’t protect what you can’t see. It’s imperative to clearly understand what assets and devices are connected to your network, especially with many critical infrastructure organizations dealing with IT and Operational Technology (OT). Without comprehensive visibility and asset management, you are essentially navigating in the dark, leaving your organization susceptible to vulnerabilities you may not even be aware of.”
Insider Threats & Employee Awareness: Cyber Espionage and Social Engineering
“While external threats grab the headlines, insider threats often go unnoticed until it’s too late. Cyber espionage and social engineering attacks can be devastating, with malicious actors exploiting the very people who are supposed to safeguard your organization. As critical infrastructure sectors are increasingly targeted by nation-state threat actors, employee awareness and training — combined with zero-trust security measures — are your first lines of defense against these insidious threats.”
“Organizations heavily rely on web applications for sharing and transferring critical documents essential for daily operations. Yet, these productivity files, such as word-processing documents, spreadsheets, or PDFs, can serve as attack vectors for cybercriminals. They may embed malware within these files and deliver malicious payloads to unsuspecting users.”
Uplevel your threat intelligence
“Threat actors are becoming increasingly sophisticated, leveraging malware as an initial foothold to infiltrate targeted infrastructure and execute their attacks. To combat these threats effectively, organizations must embrace actionable threat intelligence. This intelligence is garnered through advanced technologies and processes, including sandboxes and advanced malware analysis. By staying one step ahead of threat actors, organizations can detect and respond to threats before they escalate into full-blown crises.”
Ricardo Amper, CEO and founder of Incode Technologies on identity verification
“With the rise of deepfakes and fraudsters becoming increasingly sophisticated, verifying identities is more challenging than ever. As verifying identities becomes harder, fraud mounts. Today, passwordless authentication is one of the top methods to deter fraud where identity means everything, for example, in banking, government, and payment processing. We’re seeing industries such as financial enterprises combat spoofing and identity fraud through biometric digital identity verification, which can prevent the use of ‘synthetic identity’ to steal customer profiles and open new accounts.
As a means of digital identification, biometrics prevent fake digital identities by identifying documents that have been tampered with or photoshopped. Companies in various key sectors are introducing digital authentication services and solutions to combat growing levels of fraud and stay ahead of cybercriminals.”
Ariel Parnes, COO and co-founder of Mitiga, on cloud security and managing public relations
“As cybercrime moves to the cloud — as evidenced by recent exploits ranging from Scattered Spider’s ransomware attack on MGM to Storm-0558’s attack targeting Microsoft Exchange — there is a whole new level of cyber awareness needed from everyone in organizations. Awareness during this Cybersecurity Awareness Month is especially important for enterprise leaders evolving their tech stacks and updating capabilities to manage risk and grow resilience. To effectively respond to this new breed of incidents — and fast — enterprise leaders need to:
Understand the new and evolving threat landscape and educate their team and peers
Assume a breach, but more importantly, assume a cloud/SaaS breach
Define SMART (Specific, Measurable, Attainable, Relevant, and Time-Bound) KPIs for cloud and SaaS breach readiness
Build a plan to improve the KPIs through people, processes, and technology
Exercise, exercise, exercise!
Especially in light of the SEC’s latest ruling requiring organizations to disclose a material breach within four days following its discovery, this undeniably necessitates organizations to rapidly evaluate the severity of an attack and ensure accurate and timely reporting — a process that demands swift investigation. But there’s an added dimension: potential adversaries might exploit this regulation, heightening pressure on the compromised entity by revealing (real or fake) details of the breach — as in the MGM attack. We have seen this in the past, and with the new regulations, we should expect to see it more. Organizations should prepare for these situations in a multi-layered approach, building, expanding, and exercising capabilities in rapid investigation, negotiation, comms, and PR.”