Welcome to CISO Corner, the weekly collection of Dark Reading articles designed specifically for readers and security leaders involved in security operations. Each week we offer articles collected from our news operations, The Edge, DR Technology, DR Global and our Comments section. We are committed to bringing you a diverse set of perspectives to support the work of operationalizing cybersecurity strategies, for leaders of organizations of all shapes and sizes.
In this issue of CISO Corner:
- Companies with cyber governance create almost 4 times more value
- Even IT professionals get scammed: Inside a real-life vishing attack
- Mitigating third-party risk requires a collaborative and in-depth approach
- Global: Australian government doubles down on cybersecurity following major attacks
- A CISO guide to determining materiality and risk
- Zero-Day Bonanza encourages further exploits against businesses
- Put security measures on the board of directors’ agenda
Companies with cyber governance create almost 4 times more value
By David Strom, Contributing Writer, Dark Reading
Those with special committees that include an IT expert rather than relying on the entire board are more likely to improve security and financial performance.
Companies that made an effort to follow guidelines for better cybersecurity governance created nearly four times more shareholder value than those that did not.
That’s the conclusion of a new survey conducted jointly by Bitsight and the Diligent Institute, which measured cybersecurity performance against 23 different risk factors, such as the presence of botnet infections, servers hosting malware, outdated encryption certificates for web and email communications, and open network ports on public servers.
The report also found that having separate board committees focused on specialized risk and audit compliance produces the best results. “Boards that exercise cyber oversight through specialized committees with a cyber-savvy member rather than relying on the full board are more likely to improve their overall security posture and financial performance,” agrees Ladi Adefala, cybersecurity consultant and CEO of Omega315.
Read more: Companies with cyber governance create almost 4 times more value
Related: With TikTok bans, it’s time for operational governance
Even IT professionals get scammed: Inside a real-life vishing attack
By Elizabeth Montalbano, Contributing Writer, Dark Reading
Successful attackers focus on the psychological manipulation of human emotions, which is why anyone, even a cyber professional or tech expert, can become a victim.
It all started with a phone call around 10.30am on a Tuesday from an unknown mobile number. I was working on the computer at home and usually don’t answer phone calls from people I don’t know. For some reason, I decided to stop what I was doing and answer that call.
That was the first of a series of mistakes I would make over the next four hours, during which I was the victim of a vishing, or voice-phishing, campaign. By the end of the story, I had transferred almost €5,000 from my bank account and in Bitcoin to the scammers. My bank was able to cancel most of the transfers; however, I lost 1,000 euros that I had sent to the attackers’ Bitcoin wallet.
Experts say it doesn’t matter how much experience you have with the tactics attackers use or how practiced you are at spotting scams. The key to attackers’ success is something older than technology: the manipulation of what makes us human, our emotions.
Read more: Don’t answer the phone: Inside a real-life vishing attack
Related: North Korean hackers target security researchers, again
Mitigating third-party risk requires a collaborative and in-depth approach
Commentary by Matt Mettenheimer, Associate Director of Cyber Advisory, Cybersecurity Practice, S-RM
This may seem daunting, but most organizations have more freedom and flexibility to manage third-party risk than they think.
Third-party risk presents a unique challenge for organizations. On the surface, a third party may seem trustworthy. But without complete transparency into the inner workings of that third-party vendor, how can an organization ensure that the data entrusted to it is secure?
Organizations often downplay this pressing question because of the long-standing relationships they have with their third-party vendors. But the emergence of fourth- and even fifth-party vendors should incentivize organizations to protect their external data. Adequate security due diligence on a third-party vendor must now include discovering whether that third party outsources private customer data to entities further downstream, which it likely does, thanks to the pervasiveness of SaaS services.
Fortunately, there are five simple, pre-defined steps that provide organizations with an initial roadmap to successfully mitigate third-party risk.
Read more: Mitigating third-party risk requires a collaborative and in-depth approach
Related: Cl0p claims MOVEit attack; Here’s how the gang did it
Australian government doubles down on cybersecurity following major attacks
By John Leyden, Contributing Writer, Dark Reading Global
The government is proposing more modern and comprehensive cybersecurity regulations for Australia’s businesses, government agencies and critical infrastructure providers.
Weaknesses in Australia’s cyber incident response capabilities were laid bare in the September 2022 cyberattack on telecommunications provider Optus, followed in October by a ransomware attack against health insurer Medibank.
As a result, the Australian government is drawing up plans to revamp cybersecurity laws and regulations, with a proclaimed strategy to position the nation as a world leader in cybersecurity by 2030.
As well as closing gaps in existing cybercrime laws, Australian lawmakers hope to amend the country’s Security of Critical Infrastructure (SOCI) Act 2018 to place greater emphasis on threat prevention, information sharing and cyber incident response.
Read more: Australian government doubles down on cybersecurity following major attacks
Related: Australian ports resume operations after crippling cyber outage
A CISO guide to determining materiality and risk
Commentary by Peter Dyson, Head of Data Analytics, Kovrr
For many CISOs, “materiality” remains an ambiguous term. Even so, they must be able to discuss materiality and risk with their boards.
The SEC now requires public companies to evaluate whether cyber incidents are “material” as the threshold for reporting them. But for many CISOs, materiality remains an ambiguous term, open to interpretation based on an organization’s unique cybersecurity environment.
The crux of the confusion over materiality is determining what constitutes a “material loss.” Some view materiality as an impact of 0.01% of prior year revenue, equal to approximately one basis point of revenue (which is equivalent to one hour of revenue for Fortune 1000 companies).
By testing different thresholds against industry benchmarks, organizations can gain a clearer understanding of their vulnerability to material cyber attacks.
Read more: A CISO guide to determining materiality and risk
Related: Prudential files voluntary breach notice with the SEC
Zero-Day Bonanza encourages further exploits against businesses
By Becky Bracken, senior editor, Dark Reading
According to Google, advanced adversaries are increasingly focused on enterprise technologies and their vendors, while end-user platforms are finding success in stifling zero-day exploits with investments in cybersecurity.
50% more zero-day vulnerabilities were exploited in 2023 than in 2022. Enterprises are particularly hard hit.
Sophisticated nation-state-backed adversaries are taking advantage of a vast enterprise attack surface, according to research from Mandiant and Google Threat Analysis Group (TAG). Footprints consisting of multi-vendor software, third-party components, and extensive libraries provide a rich hunting ground for those with the ability to develop zero-day exploits.
Cybercrime groups have particularly focused on security software, including Barracuda Email Security Gateway; Cisco Adaptive Security Appliance; Ivanti Endpoint Manager, Mobile and Sentry; and Trend Micro Apex One, the research added.
Read more: Zero-Day Bonanza encourages further exploits against businesses
Related: Attackers exploit Microsoft security-bypass zero-day bugs
Put security measures on the board of directors’ agenda
Commentary by Matt Middleton-Leal, Managing Director, EMEA North, Qualys
IT teams can better withstand scrutiny by helping the board understand risks and how they are addressed, as well as explaining their long-term vision for risk management.
CEOs of the past may not have lost sleep over how their security team was approaching specific CVEs, but with CVEs for dangerous bugs like Apache Log4j remaining unpatched in many organizations, security fixes are now on the agenda in a broader way. This means that more and more security leaders are being asked to provide insights into how they are managing risk from a business perspective.
This leads to difficult questions, particularly about budgets and how they are used.
Most CISOs are tempted to report on IT security fundamentals (number of issues resolved, updates deployed, critical issues fixed), but without comparison to other business risks and issues, it can be difficult to maintain focus and demonstrate that a CISO is delivering results.
To overcome these problems, we must use comparisons and contextual data to tell a story about risk. Reporting the bare number of patches deployed does not convey the enormous effort that went into fixing a critical issue that jeopardized a revenue-generating application. Nor does it show how your team performs compared with others. Essentially, you want to demonstrate what good looks like and how you continue to deliver over time.
Read more: Put security measures on the board of directors’ agenda
Related: What the board is missing: CISOs