Red Hat Security Advisory 2024-1992-03 - An update for opencryptoki is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1992.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: opencryptoki security updateAdvisory ID:        RHSA-2024:1992-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1992Issue date:         2024-04-23Revision:           03CVE Names:          CVE-2024-0914====================================================================Summary: An update for opencryptoki is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The opencryptoki packages contain version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards, such as IBM 4764 and 4765 crypto cards. These packages includes support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z). The opencryptoki packages also bring a software token implementation that can be used without any cryptographic hardware. These packages contain the Slot Daemon (pkcsslotd) and general utilities.Security Fix(es):* opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin) (CVE-2024-0914)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0914References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2260407

Red Hat Security Advisory 2024-1992-03

Red Hat Security Advisory 2024-1881-03 - An update for kernel is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include null pointer and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1881.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel security and bug fix update  
Advisory ID:        RHSA-2024:1881-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1881  
Issue date:         2024-04-18  
Revision:           03  
CVE Names:          CVE-2023-6240  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: Marvin vulnerability side-channel leakage in the RSA decryption operation (CVE-2023-6240)

* kernel: tls: use-after-free with partial reads and async decrypt (CVE-2024-26582)

* kernel: tls: handle backlogging of crypto requests (CVE-2024-26584)

* kernel: mlxsw: spectrum_acl_tcam: Fix stack corruption (CVE-2024-26586)

Bug Fix(es):

* [Lenovo RHEL9] Realtek patch for P1 G6 Audio (BZ#2208068)

* Please integrate commit b949ee6801f4 (\"powerpc/fadump: invoke ibm,os-term with rtas_call_unlocked()\") (JIRA:RHEL-17106)

* PVT:1050:XM:Nimitz Linux EEH Nimitz - After FATAL Injection BIT 13 on D10 Register, unable to see the htx traffic status after long time (JIRA:RHEL-22413)

* RHEL9.2 - Performance Degradation in the Case of Asymmetric Scheduler Domains in Linux (JIRA:RHEL-24862)

* kernel: mlxsw: spectrum_acl_tcam: Fix stack corruption (JIRA:RHEL-29186)

*  kernel NULL pointer dereference from nvme_fc_io_getuuid+0xc/0x30 [nvme_fc] (JIRA:RHEL-29221)

* sched_setaffinity(2) returns undocumented error ENODEV (JIRA:RHEL-21140)

* kernel: tls: use-after-free with partial reads and async decrypt (JIRA:RHEL-26396)

* kernel: Marvin vulnerability side-channel leakage in the RSA decryption operation (JIRA:RHEL-27840)

* sched_setaffinity(2) doesn't return -1 for an empty mask (JIRA:RHEL-29540)

* [EMR] [TBOOT OS] SUT could not go to S3 state with RHEL 9.2 Tboot OS One CPU return -16 running BUSY (JIRA:RHEL-29665)

* ipoib mcast lockup fix (JIRA:RHEL-29923)

* ice 0000:6f:00.0: PTP failed to get time (JIRA:RHEL-30108)

* blk-mq: don't schedule blk-mq kworkers on isolated CPUs (JIRA:RHEL-30418)

* kernel: tls: handle backlogging of crypto requests (JIRA:RHEL-30450)

* Kernel panic in skb_segment (JIRA:RHEL-30561)

* [IBM 9.4 FEAT] Update IBM vNIC Driver (ibmvnic) (JIRA:RHEL-28648)

* SCTP OOTB scenario in OVS/Netfilter where the SCTP connection can not be recovered by HB_REQ/HB_ACK (JIRA:RHEL-29949)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-6240

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2250843  
https://bugzilla.redhat.com/show_bug.cgi?id=2265518  
https://bugzilla.redhat.com/show_bug.cgi?id=2265519  
https://bugzilla.redhat.com/show_bug.cgi?id=2265645

Red Hat Security Advisory 2024-1881-03

One of Silicon Valley’s most influential lobbying arms joins privacy reformers in a fight against the Biden administration–backed expansion of a major US surveillance program.

A trade organization representing some of the world’s largest information technology companies—Google, Amazon, IBM, and Microsoft among them—say its members are voicing strong opposition to ongoing efforts by the Biden administration to dramatically expand a key US government surveillance authority.

The US Senate is poised to vote Thursday on legislation that would extend a global wiretap program authorized under the Foreign Intelligence Surveillance Act (FISA). Passed by the House of Representatives last week, a provision contained in the bill—known as the Reforming Intelligence and Securing America Act (RISAA)—threatens to significantly expand the scope of the spy program, helping the government to compel the assistance of whole new categories of businesses.

Legal experts argue the provision could enable the government to conscript virtually anyone with access to facilities or equipment housing communications data, forcing “delivery personnel, cleaning contractors, and utilities providers,” among others, to assist US spies in acquiring access to Americans’ emails, phone calls, and text messages—so long as one side of the communication is foreign.

A global tech trade association, the Information Technology Industry Council (ITI), is now urging Congress not to pass RISAA without removing a key provision “dramatically expanding the scope of entities and individuals covered” by the program, known as Section 702. Changes to the 702 program included in the House bill, ITI says, would only serve to send customers in the US and abroad fleeing to foreign competitors, convincing many that technology in the US is far too exposed to government surveillance.

The group’s membership includes several major equipment manufacturers, such as Ericsson, Nokia, and Broadcom, as well as large cloud storage providers like Google, Microsoft, IBM, and Salesforce. “ITI’s position is that the provision should be removed,” the group’s communications director, Janae Washington, tells WIRED. “Our positions are based on member consensus.”

The individual ITI member companies WIRED contacted for their comment on the legislation did not immediately respond or declined to comment.

The provision under fire stems from a ruling handed down by the US government’s secret surveillance court—the FISA court—that oversees the 702 program. The program is designed to target the communications of foreigners, including calls and emails to and from US citizens. To this aim, the federal statute specifies that the government may compel the assistance of businesses that fall into the category of what it calls “electronic communications service providers,” or ECSPs.

Companies like Google and AT&T have typically fallen into this category as direct providers of the services being wiretapped; however, the US government has also moved in recent years to interpret the term more broadly as part of an effort to expand the roster of entities whose assistance it’s allowed to compel.

The FISA court, in a decision backed by its own review body, pushed back against the expanded definition, telling the government that what constitutes an ECSP remains “open to reconsideration by the branches of government whose competence and constitutional authority extend to statutory revision.”

More concisely: The court reminded the government that only Congress has the power to rewrite the law.

The US Intelligence Community (IC) thus began a campaign to ensure that this year’s legislation reauthorizing the 702 program redefines “ECSP” to address what it calls a “collection gap resulting from recent court opinions.”

Internal emails obtained by WIRED show that members of the House Intelligence Committee served as intermediaries for the IC in its campaign to convince Congress to support the provision. An email circulated to House members in February by Michael Calcagni, the intel committee’s deputy staff director, for instance, informed lawmakers that the “collection gap” was both “serious and dangerous” and that “contrary to unsubstantiated assertions, it would not authorize or enable the Government to conduct surveillance of any American who connects to public WiFi at a Starbucks or McDonalds.”

One of the nation’s leading FISA experts, Marc Zwillinger, a private attorney who has twice appeared before the FISA Court of Review, began raising the alarm in December over the provision, pointing to text that would allow the government to compel the assistance of “any service provider” with access to “equipment that is being or may be used to transmit or store” communications, so long as one of the recipients is a foreigner reasonably believed to be overseas.

While rejecting Zwillinger’s analysis publicly, House intel members nevertheless attempted to quietly “narrow” the provision to clamp down on any criticism, excluding a handful of business types such as senior centers, hotels, and coffee shops. In a follow-up last week, Zwillinger and other attorneys who’ve made rare appearances before the FISA court characterized the intel committee’s improvements as “marginal,” saying the need for the exclusions only served to demonstrate the government is overreaching.

The provision, Zwillinger says, continues to ensnare owners and operators of facilities housing equipment used to store and carry data, “such as data centers and buildings owned by commercial landlords, who merely have access to communications equipment in their physical space.” The text could be interpreted to extend to “delivery personnel, cleaning contractors, and utility providers.” And while the new provision excludes businesses like coffee shops, those businesses typically rely on cloud computer services whose equipment remains subject to the 702 program’s expanded scope.

“Although the effects of this provision may be unintentional, its impacts would be very real,” ITI’s senior vice president of policy, John Miller, says. “The language in the provision vastly expands the US government’s warrantless surveillance capabilities, damaging the competitiveness of US technology companies large and small, and arguably imperiling the continued global free flow of data between the US and its allies.”

Should it become apparent to the world that America’s top IT companies—data centers, cloud providers, and security services alike—have been turned into a watering hole for the US Intelligence Community, many customers will “likely look to foreign competitors,” Miller says, companies whose technologies are viewed as less exposed to clandestine government requests.

“There is no greater responsibility of the US government than to provide for the security of the country,” he says, adding it was incumbent upon to craft legislation to address national security concerns “in a focused way.”

_Updated 4/17/2024, 6:30 pm ET: Added additional details clarifying ITI's position on RISAA._

Big Tech Says Spy Bill Turns Its Workers Into Informants

Red Hat Security Advisory 2024-1856-03 - An update for opencryptoki is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1856.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: opencryptoki security updateAdvisory ID:        RHSA-2024:1856-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1856Issue date:         2024-04-16Revision:           03CVE Names:          CVE-2024-0914====================================================================Summary: An update for opencryptoki is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The opencryptoki packages contain version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards, such as IBM 4764 and 4765 crypto cards. These packages includes support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z). The opencryptoki packages also bring a software token implementation that can be used without any cryptographic hardware. These packages contain the Slot Daemon (pkcsslotd) and general utilities.Security Fix(es):* opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin) (CVE-2024-0914)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0914References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2260407

Red Hat Security Advisory 2024-1856-03

Red Hat Security Advisory 2024-1836-03 - An update for kernel is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1836.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel security, bug fix, and enhancement update  
Advisory ID:        RHSA-2024:1836-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1836  
Issue date:         2024-04-16  
Revision:           03  
CVE Names:          CVE-2021-33631  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: Out of boundary write in perf_read_group() as result of overflow a perf_event's read_size (CVE-2023-6931)

* kernel: ext4: kernel bug in ext4_write_inline_data_end() (CVE-2021-33631)

Bug Fix(es):

* Performance drop on Broadcom bnxt_en nic after OCP upgrade from OCP 4.12 to OCP 4.13 (4.18.0-372.32.1.el8_6.x86_64 to 5.14.0-284.32.1.el9_2.x86_64) (JIRA:RHEL-15379)

* High latency with Matrox mgag200 (JIRA:RHEL-16558)

* [regression][ext4][xfstests generic/094] Error reading from file with invalid argument (JIRA:RHEL-25435)

* kernel: Out of boundary write in perf_read_group() as result of overflow a perf_event's read_size (JIRA:RHEL-21646)

* xfs_growfs: XFS_IOC_FSGROWFSDATA xfsctl failed: No space left on device (RHEL9) (JIRA:RHEL-28688)

* Memory corruption when using dm-crypt or dm-verity on RHEL-9 (JIRA:RHEL-26094)

* kernel: ext4: kernel bug in ext4_write_inline_data_end() (JIRA:RHEL-26335)

Enhancement(s):

* [IBM 9.4 FEAT] Upgrade the qeth driver to latest from upstream, e.g. kernel 6.4 (JIRA:RHEL-25812)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-33631

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2252731  
https://bugzilla.redhat.com/show_bug.cgi?id=2261976

Red Hat Security Advisory 2024-1836-03

Quantum computing on the level that poses a threat to current cybersecurity measures is still years off. Here's what enterprises can do now to avoid future disruptions.

Source: DM via Adobe Stock

Quantum computing is being driven by applications that process massive calculations for big data. That includes developing new pharmaceuticals, performing financial modeling, developing next-generation communications capabilities for terrestrial and extraterrestrial applications, optimizing logistics, and running finite element analysis, as well as everyday applications in healthcare, manufacturing, and critical infrastructure.

But when the promise of quantum computing is finally realized, it will disrupt more than just high-performance computer systems (HPCSs); it will turn classical cybersecurity on its head. Today's unbreakable, hardware-based cryptography systems will be child's play for quantum computing algorithms, warn cybersecurity experts, who caution that the level of compute power from quantum computers will dwarf today's.

Here's some of what enterprise executives and board members need to consider when preparing for the upcoming migration to the new computing environment.

**What Is the Quantum Computing Threat?**

Jérémie Guillaud, chief of theory at French quantum computer manufacturer Alice & Bob, says companies should identify which systems and data eventually could be vulnerable to an attack. He suggests planning to have to defend against an attacking machine with 1 million qubits. That provides a starting point: setting a goal to migrate vulnerable systems to a quantum computer with more than 1 million qubits.

To put this in perspective, in December, IBM's Condor quantum computer had 1,121 qubits. That baseline offers organizations somewhere to start their planning. Despite the progress made in the past 15 years of quantum computing development, the threat to enterprises is likely still a decade away, Guillaud estimates.

While qubits, like classical bits, are either positive or negative, superpositioned qubits, called cat qubits, can be both positive and negative, existing in two quantum states concurrently. Today there are no defenses against a cat qubit attack, although various organizations are experimenting with new approaches.

"Things that we don't do today can have a massive impact on the future, particularly around the concept of organizations that are harvesting data today, data that's in transit, with our idea of being able to be decrypted at a later stage," says Trevor Horwitz, founder and CISO of TrustNet, a provider of managed security, consulting, and compliance services. "It's not just about the risk of things happening today; it's being able to predict what risks we're going to be facing."

The effort, commonly called "harvest now, decrypt later," makes current highly secure data not as secure in the long term as the enterprise thinks. Boards need to begin their efforts now to secure data for a future that effectively is still unknown.

**The Board's Role With Quantum Computing**

If boards wait until quantum computers are in commercial production, it will be too late to start planning network and system upgrades, which could take up to a decade to fully implement, says Lisa Edwards, executive chair of Diligent Institute, the governance think tank and global research arm of Diligent Corp.

"The way that I think about it is this has moved from being a physics problem to being an engineering problem, and it's very rapidly becoming an operations problem," she notes. "I do think it's the appropriate time for boards to start becoming more knowledgeable about it, becoming conversant about it. The role of the board is not to tell the CISO which lattice-based encryption they should use. The role of the board is to ask the question: 'What are we doing? Are we prepared if this were announced tomorrow? What would happen?'"

Tom Patterson, managing director of emerging technology security at Accenture, agrees. Corporate boards should recognize that while the threats are real, they do not need to be quantum physicists to develop defenses — although they will need to listen to those who are in order to succeed, he says.

While boards have other cybersecurity concerns, they need to start planning for the future, Patterson adds. For example, boards can require that new infrastructure device purchases, such as routers and firewalls, have quantum-resistant or upgradable firmware. Since these purchases are often already scheduled as part of network maintenance, there are no unanticipated purchases.

As Patterson notes, one major vulnerability of classical computing is that firmware is hard-coded. That means hardware needs to be replaced rather than upgraded, since the firmware is permanent. As attackers find new ways to breach systems, new approaches are needed to improve firmware.

One approach, called cryptographic agility, allows organizations to update and rewrite firmware by automatically rotating algorithms at the press of a button. Such a system was demonstrated on low-Earth orbit satellites in 2023. Crypto agility could kill the need for hardware replacements when firmware is compromised, which would make a board look smart indeed.

**About the Author(s)**

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC. You can reach him at \[email protected\].

How Boards Can Prepare for Quantum Computers

Many teams think they're ready for a cyberattack, but events have shown that many don't have an adequate incident response plan.

Chris Crummey, Director, Executive & Board Cyber Services, Sygnia

April 16, 2024

5 Min Read

Source: Yee Xin Tan via Alamy Stock Photo

COMMENTARY

The new Securities and Exchange Commission (SEC) rules on cybersecurity risk management, strategy, governance, and incident disclosure recently went into effect, and organizational approaches to cybersecurity incident response are top of mind for stakeholders at both public and private companies. While most executive leadership teams and corporate board members assume their organizations are ready for a potential cyberattack, recent events have shown that many are ill-prepared to handle what will be their worst day on the job.

A company's response to a crisis is a direct reflection of its preparedness. Rather than focus solely on what happens during and after a cyber incident, executives and leadership teams must first understand that the period preceding an event is most critical. Organizational remediation efforts can and should be developed, tested, and implemented before an attack happens. It is imperative for those at the top to use this time to evaluate how well their teams will respond when thrust into a dire situation and take the necessary steps to ensure cyber readiness.

**Develop and Implement an Incident Response Plan**

Far too many organizations find themselves in the middle of a cyber crisis without a formal response plan in place. Companies make critical errors that can compound the financial and reputational damage associated with a cyber incident due to the simple fact they do not have established roles or responsibilities or a documented chain of command to handle this sort of situation. Within the first hour of the crisis, we see the most instances of job bias emerge and lead to a significant number of mistakes. During that "golden hour," people are unsure of what to do, but they inject themselves into the crisis because they believe it is their job to do something. This lack of understanding ultimately slows down the recovery and remediation process.

There isn't a single blueprint on what an incident response plan should look like, because each crisis is different. However, executives, board members, security teams, and others involved must know who takes the lead in responding, what each person's responsibilities are, and what steps should be taken to communicate internally and externally. The formal incident response plan should include an identified incident commander who works across lines of business and divisions within an organization to ensure each person and department understands the situation and handles their duties as assigned. The incident response commander will also be charged with contacting the company's third-party experts, such as legal, incident response firms, ransom negotiators, and public relations, to ensure they are aware of what has transpired. The cyber incident response protocol should be incorporated into the broader organizational crisis response plan, frequently reviewed and updated as necessary.

**Stress Test the Response Plan in an Active Simulation**

Planned actions can easily be lost in the chaos during a real cyberattack because of the natural psychological response employees have to a crisis. Leaders must understand that those involved in the attack will experience a rush of cortisol, the stress hormone that creates a "fog of war" during turbulent times, and it can lead to additional issues. The most common problem is the inability to validate and verify information. A person's interpretation of what has happened or what has been shared with them can differ significantly from the facts of the incident. The result can escalate a single piece of information about a potential event and turn it into a full-blown crisis.

The best way to evaluate how teams will react to a cyberattack is to put the formal incident response plan to the test. Tabletop and wargame exercises are immersive experiences, conducted in a controlled environment, that prepare enterprises to face and mitigate a potential attack. This gives every person within the organization the opportunity to feel, act, and behave as if they are in the midst of an attack situation. These training exercises allow teams to experience that rush of cortisol, learn how to handle and manage it, and develop the necessary discipline to execute the response plan. This also provides leadership with visibility into how an individual's response impacts the holistic approach to remediation.

**Evaluate the Plan's Efficacy and Improve it **

Once the organization and its cyber incident response plan have been put to the test, the next step is to evaluate the efficacy of the plan and identify opportunities for improvement. It is important to note where the fundamental breakdowns occurred and what can be done to address them. For example, if the communication cadence faltered, why was the team unable to contact the appropriate stakeholders? Was it procedural or did the incident commander not fulfill his or her duties? Leadership should know if it is a matter of committing additional resources to enhance security posture or if they need to incorporate different organizational leaders to spearhead response efforts.

Executives and board members must consider how prepared their team is before the attack happens and how it behaves during the crisis, and understand that the challenges from the wargame exercise are going present themselves when a real attack occurs. It is imperative for leadership to be involved in the evaluation process, as the final decisions will have a widespread impact on key stakeholders. The ability to comprehend how each choice impacts and improves security posture and coverage will boost employee engagement, which is paramount to successfully defending an organization.

Cybersecurity has become a board-level issue in recent years, and it must remain a priority moving forward. It is incumbent on executive leadership to be well-informed about their organization's security response plan and how people respond before, during, and after a cyber crisis. By proactively evaluating their response protocol before an attack begins, board members and executives can shore up their defenses against emerging risks and ensure cyber readiness.

**About the Author(s)**

Director, Executive & Board Cyber Services, Sygnia

Chris Crummey is the Director for Executive and Board Cyber Services globally at Sygnia. For the past eight years, Chris has prepared and advised thousands of companies, SOCs, executives and Boards of Directors on cybersecurity best practices before, during and after a cybersecurity crisis. These best practices focus on the intersection of cybersecurity, risk-based decision making, crisis communications, leadership under pressure and the role human beings play in cybersecurity. As a keynote speaker on these topics, Chris is also a cybersecurity faculty member of “Competent Boards,” which is the original and premier creator of online of ESG training programs for board directors and senior business professionals. Prior to this role, Chris was the Executive Director for the IBM’s X-Force Command Centers globally and specialized in tabletop exercises and cyber wargames.

3 Steps Executives and Boards Should Take to Ensure Cyber Readiness

Ubuntu Security Notice 6730-1 - It was discovered that Apache Maven Shared Utils did not handle double-quoted strings properly, allowing shell injection attacks. This could allow an attacker to run arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

==========================================================================  
Ubuntu Security Notice USN-6730-1  
April 11, 2024

maven-shared-utils vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 22.04 LTS  
- - Ubuntu 20.04 LTS  
- - Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- - Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- - Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

maven-shared-utils could be made to run programs if it received  
specially crafted input.

Software Description:  
- - maven-shared-utils: A collection of Maven utility classes.

Details:

It was discovered that Apache Maven Shared Utils did not handle double-quoted  
strings properly, allowing shell injection attacks. This could allow an  
attacker to run arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  libmaven-shared-utils-java      3.3.0-1ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
  libmaven-shared-utils-java      3.3.0-1ubuntu0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
  libmaven-shared-utils-java      3.3.0-1ubuntu0.18.04.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
  libmaven-shared-utils-java      0.9-1ubuntu0.1~esm1

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
  libmaven-shared-utils-java      0.4-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6730-1  
  CVE-2022-29599

Package Information:  
  https://launchpad.net/ubuntu/+source/maven-shared-utils/3.3.0-1ubuntu0.22.04.1  
  https://launchpad.net/ubuntu/+source/maven-shared-utils/3.3.0-1ubuntu0.20.04.1  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETB/nIDy9nvCSgAUj3gXQmO/Tr3wFAmYYcLwACgkQ3gXQmO/T  
r3yYcRAAgdreHC0o+VtyTJL/jorqqs7vKGZv4qC0XhaP69STRNtlSR4rG4I9wRqm  
BOhmBVLJylEtxfAxiWrnag5N04CBR12nr/Shk+JCm06e/5ROnu9LYiCoMowORZzy  
Nnlu82qRmCwvnL9iSWzI4wnArDehMVniOCMmWNCfpa6/UXoh1gVCjikRAWRlBOAv  
uA0KrR0cNwJ90G5wuB59zqxoUPZBf+AVCkjXYSv5WbWTvLrZbz8zhmKvc8kqu1OL  
0D05mwH5kxXuhapZ8kBqapytjP+GmuRjHFI7kk+3yhPul2J0JDcNGO99lOZ2lUfz  
IXk1S/XQTt2aEhdoanrpI6lVXcVHA0yr5I03bFEDg8D1BwZRm29KBrH2wsHdpN6J  
XWIHfaHR7kYfDVsm9kpc72b7jv/aDD66vPsI/W3A/2QttpwpjwXgZSc2Mtx/WE+T  
O5/b0jtpNrwHHYLigE2PYMPaRPjxtxhQ7qnd6FccNQl9+fOrKw9NHBAu0r5s4jlI  
cU9d47W/mdEcM3y5OuSe8lN6rtHsvnjaQxuuO5lCLKIOpohi7YyyaU5aHGXns34P  
FnImexzC8YxRvbR5ku/4ZgOAcPv9kC0wMDiC7rggqLGlhsohoca1wXG2TRIsinx5  
fRFjffvqcF6bbfyjWIKKZaM4y1QmhX3+Eth77QEqLb0InJAWDp4=  
=P4zw  
-----END PGP SIGNATURE-----

Ubuntu Security Notice USN-6730-1

PRESS RELEASE

SAN JOSE, Calif. – April 11, 2024 – Cohesity today announced a deepening of its cyber resilience collaboration with IBM. The enhanced relationship will accelerate the development of essential cyber resilience capabilities to address organizations' critical need for increased data security and resilience across hybrid cloud environments. With this announcement, Cohesity completes its Series F financing, with IBM joining NVIDIA as a strategic investor.  

The most recent Cost of a Data Breach report sponsored by IBM Security shows the global average cost of a data breach in 2023 was $4.45 million, a 15% increase over the previous three years. To help clients tackle this issue head-on, IBM has delivered Cohesity capabilities into IBM’s end-to-end cyber resilience platform, IBM Storage Defender, strengthening our customers’ ability to recover from data breaches and cyber-attacks.  

“IBM is a powerful partner in the enterprise cloud and IT infrastructure market. They bring decades of expertise to our relationship, in addition to their investment in our business to help fund incremental research and development to offer customers even stronger cyber resilience,” said Sanjay Poonen, CEO and President, Cohesity. “We’re thrilled that IBM is working with us as we continue to help combined customers detect threats rapidly and maintain operations during an attack to avoid business interruptions.”

“Data breaches continue to be one of the biggest threats organizations face to advancing business outcomes,” said Ric Lewis, SVP, Infrastructure at IBM. “We’re excited to deepen our collaboration with Cohesity to bring clients innovative end-to-end software-defined solutions designed to increase their cyber resilience and help avoid business interruptions.”

Cohesity’s collaboration with IBM has brought Cohesity DataProtect together with IBM's Storage Defender Solution to help their joint customers protect, monitor, manage, and recover data. Cohesity DataProtect is a high-performance, secured backup and recovery solution. It is designed to safeguard your data against sophisticated cyber threats and offers comprehensive policy-based protection for your cloud-native, SaaS, and traditional data sources. DataProtect converges multiple-point products into a single multicloud platform deployed on-premises or consumed as a service.

IBM Storage Defender leverages AI and event monitoring across multiple storage platforms through a single pane of glass to help protect organizations' data layer from risks like ransomware, human error, and sabotage. Additionally, IBM Storage Defender is anticipated to include a cyber vault and clean room features with automated recovery functions designed to help companies restore business-critical data in hours or minutes from what used to take days.  
Statements regarding IBM's or Cohesity’s future direction and intent are subject to change or withdrawal without notice and represent goals and objectives only.

About Cohesity  
Cohesity is a leader in AI-powered data security and management. Aided by an extensive ecosystem of partners, Cohesity makes it easier to secure, protect, manage, and get value from data – across the data center, edge, and cloud. Cohesity helps organizations defend against cybersecurity threats with comprehensive data security and management capabilities, including immutable backup snapshots, AI-based threat detection, monitoring for malicious behavior, and rapid recovery at scale. Cohesity solutions can be delivered as a service, self-managed, or provided by a Cohesity-powered partner. Cohesity is headquartered in San Jose, CA, and is trusted by the world’s largest enterprises, including 44 of the Fortune 100.

Cohesity Extends Collaboration to Strengthen Cyber Resilience With IBM Investment in Cohesity

A machine learning bill of materials (MLBOM) framework can bring transparency, auditability, control, and forensic insight into AI and ML supply chains.

Source: Cagkan Sayin via Alamy Stock Photo

COMMENTARY

The days of large, monolithic apps are withering. Today's applications rely on microservices and code reuse, which makes development easier but creates complexity when it comes to tracking and managing the components they use. 

This is why the software bill of materials (SBOM) has emerged as an indispensable tool for identifying what's in a software app, including the components, versions, and dependencies that reside within systems. SBOMs also deliver deep insights into dependencies, vulnerabilities, and risks that factor into cybersecurity.

An SBOM allows CISOs and other enterprise leaders to focus on what really matters by providing an up-to-date inventory of software components. This makes it easier to establish and enforce strong governance and spot potential problems before they spiral out of control.

Yet in the age of artificial intelligence (AI), the classic SBOM has some limitations. Emerging machine learning (ML) frameworks introduce remarkable opportunities, but they also push the envelope on risk and introduce a new asset to organizations: the machine learning model. Without strong oversight and controls over these models, an array of practical, technical, and legal problems can arise. 

That's where machine learning bills of materials (MLBOMs) enter the picture. The framework tracks names, locations, versions, and licensing for assets that comprise an ML model. It also includes overarching information about the nature of the model, training configurations embedded in metadata, who owns it, various feature sets, hardware requirements, and more.

**Why MLBOMs Matter**

CISOs are realizing that AI and ML require a different security model — and the underlying training data and models that run them are frequently not tracked or governed. An MLBOM can help an organization avoid security risks and failures. It addresses critical factors like model and data provenance, safety ratings, and dynamic changes that extend beyond the scope of SBOM.

Because ML environments are in a constant state of flux and changes can take place with little or no human interaction, issues related to data consistency — including where it originated, how it was cleaned, and how it was labeled — are a constant concern.

For example, if a business analyst or data scientist determines that a data set is poisoned, the MLBOM simplifies the task of finding all the various touch points and models that were trained with that data. 

**MLBOMs Can Elevate Protection**

Transparency, auditability, control, and forensic insight are all hallmarks of an MLBOM. With a comprehensive view of the "ingredients" that go into an ML model, an organization is equipped to manage its ML models safely.

Here are some ways to build a best practice framework around an MLBOM:

*   Recognize the need for an MLBOM: It's no secret that ML fuels business innovation and even disruption. Yet it also introduces significant risks that can extend to reputation, regulatory compliance, and legal issues. Having visibility into ML models is critically important.
    

*   Conduct essential due diligence: An MLBOM should integrate with the CI/CD pipeline and deliver a high level of clarity. Support for standard frameworks like JSON or OWASP's CycloneDX can unify SBOM and MLBOM processes.
    

*   Analyze policies, processes, and governance: It's essential to sync an MLBOM with an organization's workflows and business processes. This increases the odds that ML pipelines will work as intended, while minimizing risks related to cybersecurity, data privacy, compliance, and other risk-associated areas.
    

*   Use an MLBOM with machine learning gates: Rigorous controls and gateways lead to essential AI and ML guardrails. In this way, the business and the CSO can build on successes and harness ML to unlock greater cost savings, performance gains, and business value.
    

Machine learning is radically changing the business and IT landscape. By extending proven SBOM methodologies to ML through MLBOMs, it's possible to take a giant step toward boosting machine learning performance and protecting data and assets.

**About the Author(s)**

CISO, Protect AI

Diana Kelley is CISO for Protect AI. She was Cybersecurity Field CTO for Microsoft, Global Executive Security Advisor at IBM Security, GM at Symantec, VP at Burton Group (now Gartner), a Manager at KPMG, CTO and co-founder of SecurityCurve, and Chief vCISO at SaltCybersecurity.

Tag

#ibm