Platform opens new opportunities for managed service providers to manage, visualize, and secure customer devices from a single pane of glass, including automated maintenance and other operations.

**TEL AVIV, Israel****,** **Feb. 8, 2023** **/PRNewswire/ --** Leading IoTOps solution provider SecuriThings has announced the launch of a new Managed Service Platform for the physical security space that enables managed service providers to manage, visualize and maintain customer environments from a single pane of glass. This new offering comes in addition to SecuriThings' Enterprise solution, which is already used by Fortune 100 companies, including some of the world's largest enterprises across different industries.

Organizations across the globe invest extensively in buying and installing fleets of physical security devices – often across multiple sites, countries and continents. These assets require regular maintenance to stay operational, compliant and secure from cyber attacks: from password rotations and firmware upgrades, to general availability checks and more.          

With SecuriThings' Managed Service Platform, managed service providers (MSPs) can now offer customers the option of outsourcing the management and maintenance of their physical security devices to a dedicated team of experts. This includes automating critical maintenance tasks like firmware upgrades, password rotations, vulnerability detection and more – while leveraging alerts and root cause analysis to detect, diagnose, and resolve operational issues rapidly and efficiently with real-time data.

The platform also enables MSPs to increase their top and bottom lines by introducing additional revenue streams, cutting costs such as truck rolls and maintenance callouts, and providing a competitive, cost-effective service for customers. This new offering is currently only available to select partners, and will become generally available in the coming months.

"Our newly-introduced Managed Service Platform opens an exciting opportunity for our partners," said SecuriThings CEO and Co-Founder Roy Dagan. "They can now offer a remote managed service to maintain and secure their customers' physical security environments throughout their life cycle. And of course, for customers looking to outsource device management operations, it offers a convenient and cost-effective way to ensure their physical security devices are properly maintained, protected from cyber threats, and fully compliant with IT policies and standards."

**ABOUT SECURITHINGS**

Founded by leading security and IoT experts, SecuriThings empowers operations and IT professionals to automate the operational management of physical security devices, while also ensuring full compliance and security within their organization. The solution is trusted by Fortune 100 companies and has been deployed by numerous large enterprises such as technology companies, financial institutions, manufacturing companies, major airports, universities, hospitals and more. SecuriThings partners with key systems integrators and device manufacturers to provide unmatched insights, coverage and reliability.

SOURCE SecuriThings

SecuriThings Brings Managed Service Capabilities to Physical Security, With New Managed Service Platform

Enhanced industrial control systems cybersecurity for energy and communications sector among top recommendations in new GAO cybersecurity assessment.

A new US Government Accountability Office (GAO) assessment of the cybersecurity of the nation's critical infrastructure recommends a more robust role for the federal government in protecting industrial control systems (ICS) — particularly those operating the country's energy grid and communications networks.

The GAO in its report noted that the US Department of Energy's cybersecurity plan does not address vulnerabilities in individual energy grids' distribution systems.

"We recommended that, in developing plans to implement the national cybersecurity strategy for the grid, DOE coordinate with DHS, states, and industry to more fully address risks to the grid’s distribution systems from cyberattacks," the report said.

The GAO's assessment also calls on the Cybersecurity and Infrastructure Agency (CISA) to improve coordination and incident management among all levels of government — local, regional, and national — to protect against ransomware cyberattacks.

CISA is also called out by the GAO for its lack of attention on US communications network cybersecurity. The report added CISA has not updated its Communications Sector-Specific plan since 2015. CISA should also engage with the US Secret Service to respond to ransomware attacks on tribal, state, local, and territorial governments, the GAO report recommends.

This latest audit of infrastructure and industrial control systems is the third from the GAO on the cybersecurity of the nation. In the new report, GAO calls out the federal government for its slow response to previous recommendations by the agency.

"We've made 106 public recommendations in this area since 2010," the report said. "Nearly 57% of those recommendations had not been implemented as of December 2022."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

GAO Calls for Action to Protect Cybersecurity of Critical Energy, Communications Networks

**SAN FRANCISCO, Feb. 8, 2023 --** Corelight, the leader in open network detection and response (NDR), today announced it has expanded its partnership with CrowdStrike, a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data. Under the agreement, CrowdStrike will have the ability to deploy Corelight NDR technology in customer engagements when delivering Incident Response, Compromise Assessment, and Network Security Monitoring services.

"We are honored to enter into this expanded partnership with CrowdStrike, a brand that's trusted and respected throughout the security space," said Brian Dye, CEO of Corelight. "We share a passion for using evidence to help customers find and disrupt advanced attacks, and we are excited about delivering this benefit to customers."

CrowdStrike Services will have the ability to leverage Corelight's NDR solution to enhance visibility, accelerate investigations, expand threat hunting, and understand the mechanism of advanced attacks across the full spectrum of endpoints, cloud platforms and the network – including unmanaged devices.

CrowdStrike Services delivers industry-leading incident response, technical assessments, training, and advisory services that help organizations prepare to defend against advanced threats, respond to widespread attacks, and enhance cybersecurity practices and controls. Harnessing the power of the CrowdStrike Security Cloud and the CrowdStrike Falcon platform, Services help protect critical areas of enterprise risk and hunt for threats using adversary-focused cyber threat intelligence to identify, track and prevent attacks from impacting our customer's business and brand.

"Corelight is a natural and highly complementary technology partner," said Thomas Etheridge, chief global professional services officer at CrowdStrike. "Better security outcomes require world-class and timely data. Because Corelight also seamlessly integrates with a range of CrowdStrike products, including CrowdStrike Falcon XDR and CrowdStrike Falcon LogScale, our mutual customers can hunt for unknown attacks, close visibility gaps, and even disrupt future threats faster by seeing everything that matters on the network – including unmanaged endpoints and IoT devices."

The agreement is the latest evidence of ongoing collaboration between the two companies: CrowdStrike's Falcon Fund is an investor in Corelight, and CrowdStrike was recently named Corelight's Apex Awards Alliance Partner of the Year for Innovation.

**About Corelight**

Corelight transforms network and cloud activity into evidence that security teams use to proactively hunt for threats, accelerate response to incidents, gain complete network visibility and create powerful analytics. Corelight's global customers include Fortune 500 companies, major government agencies, and large universities. Based in San Francisco, Corelight is an open-core security company founded by the creators of Zeek®, the widely-used network security technology. For more information, visit https://corelight.com or follow @corelight\_inc.

Corelight Expands Partnership With CrowdStrike to Provide Network Detection and Response Technology for CrowdStrike Services

**NEW YORK****,** **Feb. 8, 2023** **/PRNewswire/ --** Nearly half (48.8%) of C-suite and other executives expect the number and size of cyber events targeting their organizations' accounting and financial data to increase in the year ahead, according to a new Deloitte Center for Controllership poll. Yet just 20.3% of those polled say their organizations' accounting and finance teams work closely and consistently with their peers in cybersecurity.

During the past 12 months, 34.5% of polled executives report that their organizations' accounting and financial data was targeted by cyber adversaries. Within that group, 22% experienced at least one such cyber event and 12.5% experienced more than one.

"Accounting and financial data is the lifeblood of organizational operations — and often meant to be kept confidential outside of highly regulated public disclosures for publicly traded organizations," said Temano Shurland, a Deloitte Risk & Financial Advisory principal in finance transformation, Deloitte & Touche LLP. "While there may not have been much need for accounting, finance and cyber teams to work closely in the past, recent years have shown that's no longer the case. We strongly recommend that these teams try to 'learn each other's languages' and tighten their working relationships across silos."

Looking to the year ahead, 39.5% of respondents expect to increase the amount of collaboration between their finance and cyber teams. Currently, the majority (42.7%) of polled leaders say their organizations' finance and cyber teams only work together as needed with inconsistent closeness and consistency, while 11.1% do not work together at all.

"As cyber incidents increase in frequency, size and complexity, adversaries target nearly any data obtainable and by leveraging system vulnerabilities," said Daniel Soo, a Deloitte Risk & Financial Advisory principal in cyber and strategic risk, Deloitte & Touche LLP. "Implementing financial security operations — something you could call FinSecOps — means protecting financial data. Asking finance, accounting and security functions to team closely to manage FinSecOps is one preventative step we're seeing leading organizations take, so that they are agile enough to mitigate threats to financial data and help enable business growth."

**About Deloitte**

Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world's most admired brands, including nearly 90% of the Fortune 500® and more than 7,000 private companies. Our people come together for the greater good and work across the industry sectors that drive and shape today's marketplace — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthier society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them. Building on more than 175 years of service, our network of member firms spans more than 150 countries and territories. Learn how Deloitte's approximately 415,000 people worldwide connect for impact at www.deloitte.com.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

Almost Half of Executives Expect a Rise in Cyber Events Targeting Accounting and Financial Data in Year Ahead

Omdia has learned that Gigamon sold its ThreatInsight NDR business to Fortinet for approximately $31 million. The deal highlights what may be a pivot point for the NDR market.

Gigamon has exited the network detection and response (NDR) business, selling its NDR solution to a former competitor, Omdia has learned.

The Santa Clara, California-based network visibility and IT observability vendor quietly sold its ThreatInsight NDR business to Fortinet at the end of last year. Omdia research indicates the acquisition price was approximately $31 million.

The sale also encompassed the staff dedicated to ThreatInsight, including Gigamon’s former threat intelligence group. Omdia research indicates that approximately 30 to 50 Gigamon employees moved to Fortinet in the transaction.

**Gigamon Shifts to NDR Enabler**

Gigamon entered the NDR market in 2018 when it acquired NDR startup Icebrg. Seen at the time as a strong complement to its portfolio of network visibility solutions, which includes network traffic decryption, ThreatInsight never lived up to Gigamon's commercial expectations, in part because enterprise buying centers for visibility and observability tend to differ from those related to threat detection, investigation, and response (TDIR).

One of the difficulties of selling point products is that they tend to have very specific buying centers. This is highlighted by the position that Gigamon found itself in with NDR. While it continues to have success selling its broader portfolio by targeting CISOs and security architecture teams, NDR sales are typically evaluated and funded within incident response groups, which require a different sales motion.

While security remains an important use case for Gigamon’s visibility portfolio generally, Gigamon increasingly saw itself as better positioned as an ecosystem enabler of NDR solutions through partnership with leading NDR vendors.

By eliminating any competitive conflicts, the deal should immediately make Gigamon a more attractive partner with a variety of NDR vendors with which it formerly competed. Additionally, the company can re-emphasize its renewed focus on network and hybrid cloud observability, this following its recent pivot to relabel its core platform as a Deep Observability Pipeline solution.

**Fortinet Doubles Down on NDR**

Fortinet will rebrand the ThreatInsight technology as FortiNDR Cloud and sell it as a cloud-based addition to its existing on-premises FortiNDR product (formerly known as FortiAI).

Fortinet introduced FortiAI in 2020 as an AI/ML appliance for network detection and response. The company has seen strong demand for NDR as customers shift focus to what Fortinet calls advanced and early detection. The growing adoption of a zero-trust philosophy is also driving additional interest as organizations treat internal east-west traffic with increased scrutiny.

**NDR Market Evolution**

The move also highlights the NDR market’s continuing evolution. As enterprises increasingly seek to unify their TDIR product architectures, interest is growing in NDR solutions that can not only detect and respond to network-specific threats but can also provide insight to and integration with broader solution sets, such as XDR and other security operations platforms.

This evolution is playing out in several ways. For example, NDR vendors are continuing to expand their functional footprint to include additional network security capabilities, such as a broader set of detection capabilities. Of course, the flip side to that trend is network security appliance vendors potentially adding NDR as an additional feature.

Fortinet is a case in point. While FortiNDR Cloud will be available as a stand-alone product, and one that requires no Fortinet hardware, NDR functionality is sure to find its way into broader network security solutions such as next-generation firewalls (NGFWs). This trend will shift the competitive landscape in NDR, which is currently dominated by pure plays such as Darktrace, ExtraHop, and Vectra.

NDR solutions are also increasingly expected to integrate across emerging open XDR ecosystems. This, of course, requires significant investment as the number of integration requests can be large, even if initially just focusing on EDR vendors. Omdia believes success in NDR would have required a significant new investment from Gigamon.

Ironically, given the increased partnership opportunities, Omdia believes this divestiture might well grow Gigamon’s overall share of security dollars, as security teams are either stakeholders or outright buyers of the network observability capabilities that Gigamon offers. More broadly, the company is betting that customers will be shopping for a comprehensive observability platform across hybrid environments.

Omdia's most recent global NDR market outlook indicates the NDR market is worth $0.95 billion as of the end of 2021 and is expected to grow to $1.98 billion by the end of 2027. However, Omdia forecasts that growth in the stand-alone NDR market will slow in 2023 due to macroeconomic headwinds but will rebound and continue to show reasonable growth for the foreseeable future. That said, consolidation of detection and response functionality across digital domains is an important trend.

More broadly, and as importantly, security buyers are looking to consolidate security functionality from a smaller group of larger providers. While best-of-breed security point products will never disappear, suite vendors such as Palo Alto Networks, Fortinet, and Cisco, among others, are well positioned for current vendor consolidation.

Gigamon Exits NDR Market, Sells ThreatInsight Business to Fortinet

The automaker closed a hole that allowed a security researcher to gain system administrator access to more than 14,000 corporate and partner accounts and troves of sensitive data.

An ethical hacker found a backdoor in a Web app used by Toyota employees and suppliers for coordinating tasks related to the automaker's global supply chain, gaining control of the global system merely by knowing the email address of one of its users.

Security researcher Eaton Zveare revealed this week that in October, he found the backdoor login mechanism in the Toyota Global Supplier Preparation Information Management System (GSPIMS) Web portal, a site used by Toyota employees and their suppliers to coordinate various business activities. The backdoor allowed him to log in as any corporate user or supplier.

From there he found a system administrator email and logged in to their account, thus gaining "full control over the entire global system," he explained in a blog post about the hack.

Once acting as an administrator, Zveare said he had "full access" to internal Toyota projects, documents, and user accounts, including some of those that belonged to Toyota external partners and suppliers such as Michelin, Continental, Stanley Black & Decker, and Harman.

All in all, the researcher gained read/write access to Toyota's global user directory of more than 14,000 users. Zveare also could access corporate user account details, confidential documents, projects, supplier rankings/comments, and other sensitive data related to those users, he said.

**Significant Supply Chain Threat**

The hack demonstrates once again how a simple, overlooked flaw in an enterprise system can inadvertently give an attacker access to sensitive data and corporate accounts of a company's supply chain. This, in turn, paves the way for malicious activity that affects not only that organization but its entire ecosystem of partners, security experts noted.

Indeed, had a threat actor discovered the issue before him, "the consequences could have been severe," Zveare observed.

The issue could have allowed attackers to create their own user account with an elevated role to retain access should the issue ever be discovered and fixed, or download and leak all the data to which they had access, he said.

They also could have deleted or modified data in a way to be disruptive to global Toyota operations, or crafted a highly targeted phishing campaign to attempt to capture "real corporate login details, which could have exposed other Toyota systems to attacks," Zveare wrote.

The researcher reported the issue to Toyota on Nov. 3 and the company reported back 20 days later that it had been fixed — a speedy response with which Zveare was "impressed," he said.

"Out of all the security issues I have reported so far to various vendors, Toyota’s response was the fastest and most effective," he said.

Zveare revealed his research nearly a year after Toyota suffered a major supplychain breach that subsequently forced it to halt production of all 28 lines of its 14 plants in Japan. On Feb. 22, the company reported a cyberattack causing a "system failure" at supplier Kojima Industries that created problems with its just-in-time production control system.

Fortunately for Toyota, the latest breach was an ethical one and, thanks to Zveare's responsible disclosure, the company could fix it before there was any impact on the company or its partners' business, notes one security professional.

"Not all 'breachers' are as responsible as in this case!" observes Henning Horst, CTO of data security specialists at Comforte AG.

**How It Was Done**

Zveare's journey to finding the backdoor wasn't completely straightforward, he acknowledged in his post. Initially he wasn't even sure if the portal — which he said is an Angular single-page application created by SHI International Corp-USA on behalf of Toyota — was a very important entity for the company.

To access the system, first he had to patch JavaScript code of an initial login screen that asks a user to click on a button to identify with which Toyota business they are affiliated. In a previous incident in which he hacked into the Jacuzzi SmartTub app, this action was all that was needed to achieve full access to the network due to an improperly secured API.

However, the GSPIMS API appeared to be secure, which inspired Zveare to further dig into the application code to see what else might be cooking. What he eventually found was that JSON Web Tokens — or session tokens representing the users' valid authenticated sessions on the website — were being generated based on a user's email without requiring a password.

Zveare Googled for Toyota supply chain users and made an educated guess to formulate the email of someone who he thought would be a user of the GSPIMS portal. "Then I fired off the _createJWT_ HTTP request, and it returned a valid JWT!" he wrote.

His discovery gave him the ability to generate a valid JWT for any Toyota employee or supplier registered in GSPIMS, "completely bypassing the various corporate login flows, which probably also enforce two-factor authentication options," Zveare wrote.

Though the user whose email he accessed the system with did not have system administrator privileges, he eventually searched within the GSPIMS to find the email of someone who did, and using that he gained full control of the system as an administrator.

**A Big-Picture Security Approach**

Enterprises have work to do to in order to block the issue Zveare found, security experts say. For starters, security administrators must take a more holistic approach to security and realize the wider impact their overall security posture — or lack thereof — can have on all of the partners and customers with whom they do business.

"What are perceived as 'internal systems' to organizations, no longer are," Dror Liwer, co-founder of cybersecurity firm Coro said in an email statement to Dark Reading. "With partners, suppliers, and employees collaborating via the Internet — all systems should be considered external, and as such, protected against malicious intrusion."

Developing this big-picture perspective and security strategy is not so simple, as most enterprises already have their hands full managing their own company's risk, notes Lorri Janssen-Anessi, director of external cyber assessments for BlueVoyant.

However, considering how easy it was for Zveare to gain access to a system that serves Toyota's global supply chain, companies need to get their heads around this risk to maintain security across any third party that touches their network, she says.

"What today's organizations should take from the reported vulnerability in Toyota's supplier management network is a firm reminder to look at their own vendor and supplier cybersecurity," Janssen-Anessi says.

Among the key measures to consider include shoring up access control and user account privileges, ensuring that they only provide employees and third-parties with access to the data needed for their particular role, she notes. "This helps to control what data can be accessed in the event of a breach," Janssen-Anessi says.

Indeed, a more data-centric approach overall to security could help enterprises avoid or mitigate a scenario that Zveare demonstrated, Comforte AG's Horst observes. He advises that organizations find ways to protect data as soon as it enters their corporate data ecosystem, thus protecting "the data itself rather than perimeters and borders around the data."

Toyota Global Supply Chain Portal Flaw Put Hacker in the Driver's Seat

Don't let something that's a decade away distract you from today's cyber threats.

In the cat-and-mouse game of cybersecurity, it's essential to always be thinking ahead about the next big thing. What's next around the corner, and how can I ensure that I don't fall behind? One such emerging technology that's looming is quantum computing. While the positive potential for the technology is enormous, it also brings with it daunting challenges, particularly in the cybersecurity space.

On Dec. 21, 2022, President Biden signed into law the Quantum Computing Cybersecurity Preparedness Act, which encourages federal agencies to adopt technology that is protected from decryption by quantum computing. At a high level, this can make it appear as though the danger of cyberattacks buoyed by the power of quantum computing is imminent, making security professionals across the public and private sectors nervous. But it isn't time to panic just yet. Let's dive a little deeper into what the dangers are and then look at why most organizations, especially those in the private sector, shouldn't be concerned in the immediate future.

**Security Dangers of Quantum Computing**

The biggest fear with quantum computing is its use in decrypting data. The current paradigm of information security is based on five pillars: confidentiality, integrity, availability, authenticity, and nonrepudiation. These all rely (at least to some extent) on public key cryptography, which is built on the fact that it is difficult for classical computers to factor prime numbers. However, one of the things quantum computers are much better at than classical computers is factoring primes — which fundamentally undermines traditional cryptography. This puts not only newly stolen information at risk but also all information that has previously been intercepted and stored by hackers.

The ability to break public key cryptography puts most of our digital economy at risk and requires the adoption of a whole new approach — namely the migration to using quantum resistant algorithms. Although these algorithms already exist, we can't be sure of their real-world efficacy because there isn't yet a quantum computer large enough to validate them. Additionally, utilizing these algorithms will require a time-intensive and tedious process of end-to-end implementation across an entire environment.

**Why Most Organizations Don't Need to Worry — Yet**

The good news is that the best predictions on a quantum computer capable of factoring prime numbers with a low enough error rate to be useful is likely still a decade or more out. Additionally, Western governments and companies currently hold some of the most cutting-edge research in this area, so if things continue along this path, many businesses and most federal agencies will have some runway to prepare for when the threat truly materializes.

That said, this timeline is of little comfort for any organization that has already had critical data with a longer shelf life stolen. While we may have some runway to set up new security approaches to better protect ourselves from quantum-powered cyberattacks in the future, data that is already in the hands of a malicious actor is now on a timeline. While most enterprises don't have data that will still be critical 10 years from now, agencies or organizations dealing with homeland security or other mission-critical information most certainly do.

**What Actions Should We Take Now?**

Right now, it's all about preparation and planning. For some, that involves thinking through how to deal with the fallout of older sensitive data being decrypted, but the most important step is ensuring quantum cryptographic readiness. This involves a complete inventory of existing cryptographic assets and certificates and making sure they are all up to date. This is critical because it not only prepares an organization for a wholesale migration to using quantum resistant algorithms, but it also helps ensure safety in the meantime.

The risk at this moment is that organizations will expend too much energy worrying about how to deal with the threat of quantum computing rather than focusing on the more mundane issues of proper cyber hygiene. Assets that aren't protected with the most up-to-date cryptographic methods or employees that haven't had the necessary training on how to suss out phishing emails are currently a far greater threat to organizations than quantum computing. While it's important to consider the threats of tomorrow, the current risk landscape should be our primary focus.

A decade or so from now, quantum computing will very likely be a top concern as it breaks the foundations that information security is built upon. Information cannot be considered confidential, authentic, accessible (to the right parties), or verifiably created by a specific person if the underlying technology can be circumvented. But at the moment, we still have ample time to prepare. For now, organizations will benefit more from establishing strong cyber-hygiene policies for today's threat landscape. Ten years is a long time in security, so it's unlikely that quantum computing will be the lone emerging technology to challenge the status quo — only time will tell!

It Isn't Time to Worry About Quantum Computing Just Yet

Generative AI combined with user awareness training creates a security alliance that can let organizations work protected from ChatGPT.

ChatGPT has taken the world by storm since late November, sparking legitimate concerns about its potential to amplify the severity and complexity of the cyber-threat landscape. The generative AI tool's meteoric rise marks the latest development in an ongoing cybersecurity arms race between good and evil, where attackers and defenders alike are constantly in search of the next breakthrough AI/ML technologies that can provide a competitive edge.

This time around, however, the stakes have been raised. As a result of ChatGPT, social engineering is now officially democratized — expanding the availability of a dangerous tool that enhances a threat actor's ability to bypass stringent detection measures and cast wider nets across the hybrid attack surface.

**Casting Wide Attack Nets**

Here's why: Most social engineering campaigns are reliant upon generalized templates containing common keywords and text strings that security solutions are programmed to identify and then block. These campaigns, whether carried out via email or collaboration channels like Slack and Microsoft Teams, often take a spray-and-pray approach resulting in a low success rate.

But with generative AIs like ChatGPT, threat actors could theoretically leverage the system's Large Language Model (LLM) to stray away from universal formats, instead automating the creation of entirely unique phishing or spoofing emails with perfect grammar and natural speech patterns tailored to the individual target. This heightened level of sophistication makes any average email-borne attack appear far more credible, in turn making it far more difficult to detect and prevent recipients from clicking a hidden malware link.

However, let's be clear that ChatGPT _doesn't_ signify the death sentence for cyber defenders that some have made it out to be. Rather, it's the latest development in a continuous cycle of evolving threat actor tactics, techniques, and procedures (TTPs) that can be analyzed, addressed, and alleviated. After all, this isn't the first time we've seen generative AIs exploited for malicious intent; what separates ChatGPT from the technologies that came before it is its simplicity of use and free access. With OpenAI likely moving to subscription-based models requiring user authentication coupled with enhanced protections, defending against ChatGPT attacks will ultimately come down to one key variable: fighting fire with fire.

**Beating ChatGPT at Its Own Game**

Security operation teams must leverage their own AI-powered large language models (LLMs) to combat ChatGPT social engineering. Consider it the first _and_ last line of defense, empowering human analysts to improve detection efficiency, streamline workflows, and automate response actions. For example, an LLM integrated within the right enterprise security solution can be programmed to detect highly sophisticated social engineering templates generated by ChatGPT. Within seconds of the LLM identifying and categorizing a suspicious pattern, the solution flags it as an anomaly, notifies a human analyst with prescribed corrective actions, and then shares that threat intelligence in real-time across the organization's security ecosystem.

The benefits are the reason why the rate of AI/ML adoption across cybersecurity has accelerated in recent years. In IBM's 2022 "Cost of a Data Breach" report, companies that leveraged an AI-driven security solution alleviated attacks 28 days faster, on average, and reduced financial damages by more than $3 million. Meanwhile, 92% of those polled in Mimecast's 2022 "State of Email Security" report indicated they were already leveraging AI within their security architectures or planned on doing so in the near future. Building on that progress with a stronger commitment to leveraging AI-driven LLMs should be an immediate focus moving forward, as it's the only way to keep pace with the velocity of ChatGPT attacks.

**Iron Sharpens Iron**

The applied use of AI-driven LLMs like ChatGPT can also enhance the efficiency of black-box, gray-box, and white-box penetration testing, which all require a significant amount of time and manpower that strained IT teams lack amidst widespread labor shortages. Considering time is of the essence, LLMs offer an effective methodology for streamlining pen-testing processes — automating the identification of optimal attack vectors and network gaps without relying on previous exploit models that often become outdated as the threat landscape evolves.

For example, within a simulated environment, a "bad" LLM can generate tailored email text to test the organization's social engineering defenses. If that text bypasses detection and reaches its intended target, the data can be repurposed to train another "good" LLM on how to identify similar patterns in real-world environments. This helps to effectively inform both red and blue teams on the intricacies of combating ChatGPT with generative AI, while also providing an accurate assessment of the organization's security posture that allows analysts to bridge vulnerability gaps before adversaries capitalize on them.

**The Human Error Effect**

It's important to remember that only investing in best-of-breed solutions isn't a magic bullet to safeguard organizations from sophisticated social engineering attacks. Amidst the societal adoption of cloud-based hybrid work structures, human risk has emerged as a critical vulnerability of the modern enterprise. More than 95% of security breaches today, a majority of which are the result of social engineering attacks, involve some degree of human error. And with ChatGPT expected to increase the volume and velocity of such attacks, ensuring hybrid employees follow safe practices regardless of where they work should be considered nonnegotiable.

That reality heightens the importance of implementing user awareness training modules as a core component of their security framework — employees who receive consistent user awareness training are five times more likely to identify and avoid malicious links. However, according to a 2022 Forrester report, "Security Awareness and Training Solutions," many security leaders lack extensive understanding of how to build a culture of security awareness and revert to static, one-size-fits-all employee training to measure engagement and influence behavior. This approach is largely ineffective. For training modules to resonate, they must be scalable and personalized with entertaining content and quizzes that align with employees' areas of interest and learning styles.

Combining generative AI with well-executed user awareness training creates a robust security alliance that can enable organizations to work protected from ChatGPT. Don't worry cyber defenders, the sky isn't falling. Hope remains on the horizon.

Why ChatGPT Isn't a Death Sentence for Cyber Defenders

From prevention and detection processes to how you handle policy information, having strong cyber insurance coverage can help mitigate cybersecurity attacks.

Enterprise cybersecurity is a team sport involving multiple players. It encompasses everything from technology vendors to cyber insurance providers and cyber defense platforms. And while many organizations have implemented plans for prevention and detection, they often fail to consider remediation.

Despite the best preparations, cyberattacks may be inevitable. That's why it's important to have specific remediation policies like cyber insurance in place to mitigate the effect of potential future breaches. Keep reading to learn how enabling certain security features can help obtain favorable cyber insurance coverage.

**Determining Your Risk, Right-Sizing Your Coverage**

While all businesses run the inherent risk of cyberattacks, the scale of your operations and type of industry you operate in will impact the type of threat you experience and, consequently, the rate you will pay for cyber insurance. Organizations must understand their risk profiles if they want to ensure they're getting the best cyber insurance rate possible.

Small businesses, for example, are more likely to be hacked by outside actors. In part, this is because threat actors have scaled their operations to identify vulnerable targets. Small businesses are also less likely to enable basic cyber hygiene practices that can protect against 98% of online attacks. Large businesses, on the other hand, are disproportionately at risk from insider attacks simply due to the size of their attack surface. These kinds of threats can take the shape of phishing attacks, email compromises, stolen credentials, and more.

Another tool that companies can use to improve their cyber insurance rates is the insurance underwriting application itself. Companies can use this application as a blueprint to identify which steps they should take to most effectively protect themselves. Similar services exist in the marketplace, including Microsoft’s zero-trust maturity assessment quiz or built-in tools like Microsoft Secure Score.

**Vulnerability Management Has Evolved**

Much like risk profiles, vulnerability management can change based on the size of your company and the space you work in. For small businesses, it's about making yourself a difficult target by conducting regular security scans and enabling basic security hygiene features to ensure a base level of protection. Larger entities also need to worry about external threats, but they have the added responsibility of monitoring internal threats as well. Ultimately, it comes down to understanding your attack surface and spending the time to identify where you are most vulnerable. If you want to optimize your coverage, cyber insurance providers will want to see that you're taking proactive steps to guard against potential threats.

Vulnerability management has also evolved alongside the growth of technology. In the past, cybersecurity was focused on perimeter defense — locking down network ports and devices. Today, the growth of remote work and expansion of attack surfaces has created a much stronger focus on identity management. Employees can take their work identities — and by extension, their network access credentials — with them wherever they go. So it's important companies use tactics like verifying explicitly, employing least-privileged access, and always assuming abreach to guard against modern threat vectors. Following these security hygiene practices can help ensure that you're getting a competitive insurance rate.

Finally, companies should treat all cyber insurance communications and policy documents as highly sensitive information. If threat actors know how much coverage your company has, they're able to use this information to demand the highest possible ransom payment in exchange for restoring services or releasing data. Companies should not only safeguard their policy documents, but they should also protect any email communications or applications that disclose sensitive information about their insurance policies.

While cybersecurity can seem overwhelming, businesses have a wealth of resources that they can turn to when looking for better ways to protect themselves. From prevention and detection processes to ensuring coverage with things like cyber insurance, organizations can better mitigate the effects of a cybersecurity attack. Microsoft Security has information on emerging threats and the latest security features that defenders can enable to help obtain favorable cyber insurance coverage.

How to Optimize Your Cyber Insurance Coverage

Five months after AWS customers were alerted about three vulnerabilities, nearly none had plugged the holes. The reasons why underline a need for change.

It's a familiar story: A feature designed for convenience is used to sidestep security measures. In this presentation from Black Hat USA 2021, a pair of researchers show how they found three separate ways to hop between accounts on AWS. Even though fixes for those vulnerabilities were released quickly, the holes reveal that cloud services do not offer the level of isolation expected. The long-term solution may mean changing how the cybersecurity sector handles CVEs.

For the first two isolation breaches, Wiz.io CTO Ami Luttwak and head of research Shir Tamari altered the path prefixes on AWS CloudTrail and Config to allow a user to write to another user's S3 bucket. The third method used the AWS command line to download files from another user's account via the serverless repository.

Sending the logs from several S3 buckets to one is intended for the convenience of an admin who runs several instances, Luttwak and Tamari said in their presentation, "Breaking the Isolation: Cross-Account AWS Vulnerabilities."

"I learned from this behavior that CloudTrail can write to resources that are owned and managed in other accounts," Tamari added. "And for me, a security researcher, there is a concern."

**Customers Notified, So What Happened?**

While Amazon did not have the power to fix the configurations for customers itself — because the fixes involved setting the source account you want, which only the user can decide — it contacted all affected customers to explain the potential problem and how to fix it. Yet when Wiz.io went back after five months, it found that 90% of accounts had not applied the fixes.

Luttwak pointed out that the security team AWS messaged often didn't get the warnings because of the sheer number of accounts they run.

"How do you know this is an important fix to do?" he asked. "And the more we thought about it, the more we understood, this is a big, big problem."

Right now, the system of CVEs allows organizations to check on the latest vulnerabilities, complete with a numerical system of classifying severity and links to vendors' fixes. That works pretty well in most areas of IT. However, cloud vulnerabilities may not get assigned CVE numbers.

"This is because cloud services, as we currently understand them, are not customer controlled," wrote Cloud Security Alliance IT director Kurt Seifried and research analyst Victor Chin. "As a result, vulnerabilities in cloud services are generally not assigned CVE IDs."

**The Amazon Exception**

CVEs take pains to point out that cloud services vulns can indeed receive a CVE ID, as long as the owner of the software is the CVE numbering authority (CNA) reporting them. Rule 7.4.4 says the CNA "may" assign a CVE number if it owns the product or service, even if it is not customer controlled and the fix requires customers to take action.

But here's the sticky wicket: Rule 7.4.5 states, "CNAs MUST NOT assign a CVE ID to a vulnerability if the affected product(s) or service(s) are not owned by the CNA, and are not customer controlled."

In short, the real reason why these AWS vulnerabilities were not issued CVEs is that Amazon is not a CNA partner. Microsoft can issue CVEs for its own products and services, as can Google. Whether the appropriate fix is changing the rules to allow any CNA to assign IDs to vulns whose fixes are out of customers' hands or to sign up Amazon as a CNA depends on your perspective. In June 2022, Wiz.io took matters into its own hands by establishing a community database of cloud vulnerabilities to fill the gap.

As Luttwak said, "There's hundreds of services in AWS, and many of them are getting more and more cross account capabilities, because cross account is the main strategy today for organizations using AWS. So the attack surface is just growing."

Source

DARKReading