CISO Corner: Apples AI Privacy Promises; CEOs in the Hot Seat

Published: 23/11/2024 | Category: security




Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: Rockwell's dire ICS warning; a red alert on biometrics; cybersecurity for the Hajj season.



Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

Apple's AI Offering Makes Big Privacy Promises
Scores of Biometrics Bugs Emerge, Highlighting Authentication Risks
DR Global: Governments, Businesses Tighten Cybersecurity Around Hajj Season
The CEO Is Next
Why CIO & CISO Collaboration Is Key to Organizational Resilience
Rockwell's ICS Directive Comes as Critical Infrastructure Risk Peaks
4 Ways to Help a Security Culture Thrive

Don't miss Anatomy of a Data Breach: What to Do if It Happens to You, a free Dark Reading virtual event scheduled for June 20! Speakers include Verizon's Alex Pinto, plus execs from Snowflake, pharma giant GSK, Salesforce, and more — register today!
By Agam Shah, Contributing Writer, Dark Reading
Apple's guarantee of privacy on every AI transaction — whether on-device or cloud — is ambitious and could influence trustworthy AI deployments on device and in the cloud, analysts say.
Apple's announcement of Apple Intelligence and plans to integrate AI across its devices and applications comes with a commitment to guarantee privacy on every AI transaction. This sets a high bar on zero-trust infrastructure that competitors may try to match.
Because of Apple's walled-garden model, rival providers don't have nearly the same level of control over their AI infrastructure. Unlike Apple, they can't lock down security as queries pass through various hardware and software layers. For example, OpenAI and Microsoft process queries through GPUs from Nvidia, which handles vulnerability discovery and patching.
"If Apple sets the standard, the effect will be why I should buy Android if I don't care about the privacy," says Alex Matrosov, CEO of security company Binarly.io. "The next step will be Google following up and trying to maybe implement or do the similar thing."
Read more:
Apple's AI Offering Makes Big Privacy Promises
Related:
OpenAI Forms Another Safety Committee After Dismantling Prior Team
By Nate Nelson, Contributing Writer, Dark Reading
Face scans stored like passwords inevitably will be compromised, like passwords are. But there's a crucial difference between the two that organizations can rely on when their manufacturers fail.
Biometric security is more popular today than ever, with widespread adoption in the public sector — law enforcement, national ID systems, etc. — as well as for commercial industries like travel and personal computing. In Japan, subway riders can pay by face, and Singapore's immigration system relies on face scans and thumbprints to allow travelers into the country. The fact that even burger places are experimenting with face scans suggests something's brewing here.
But researchers have found two dozen vulnerabilities in a biometric terminal used in critical facilities worldwide that could allow hackers to gain unauthorized access, manipulate the device, deploy malware, and steal biometric data, which highlights the risks that come with implementing these systems.
The critical nature of the environments in which these systems are so often deployed necessitates that organizations go above and beyond to ensure their integrity. And that job takes much more than just patching newly discovered vulnerabilities.
Read more:
Scores of Biometrics Bugs Emerge, Highlighting Authentication Risks
Related:
Biometric Bypass: BrutePrint Makes Short Work of Fingerprint Security
By Robert Lemos, Contributing Writer, Dark Reading
While cyberattacks drop slightly during the week of the Islamic pilgrimage, organizations in Saudi Arabia and other countries with large Muslim populations see attacks on the rise.
The final month of the Islamic calendar, Dhu al-Hijjah, began on June 7, marking the countdown for millions of Muslims to the Hajj pilgrimage, and also a time when cybercriminals and cyber-espionage actors see increased opportunity amid reduced vigilance and slimmed staffing.
While many of the cyberattacks are focused on pilgrims as consumers of travel services, a variety of businesses — from banks to e-commerce sites — are at greater risk of data theft and denial-of-service attacks, according to experts. On June 3, for example, cyber-threat actors announced a data leak on an underground forum that allegedly contained the personal information of 168 million users from The Hajj and Pilgrimage Organization in Iran, according to cybersecurity firm Kaspersky.
The attacks highlight the two aspects of how cyberattackers see the Hajj season: as an opportunity to take advantage of pilgrims, but also as a time of reduced resources for security teams, making business and government agencies vulnerable.
Read more:
Governments, Businesses Tighten Cybersecurity Around Hajj Season
Related:
DuneQuixote Shows Stealth Cyberattack Methods Are Evolving. Can Defenders Keep Up?
Commentary by Joe Sullivan, CEO, Ukraine Friends, & CEO, Joe Sullivan Security LLC
If CEOs want to avoid being the target of government enforcement actions, they need to take a personal interest in ensuring that their corporation invests in cybersecurity.
One day soon, a government agency will very publicly seek to hold a corporate CEO personally liable for a failure to ensure their organization invested sufficiently in cybersecurity. The surprising thing won't be that it happens, but rather how many people who work for and look up to the CEO will be happy when it does.
We're experiencing a movement toward regulation by enforcement. Look no further than the National Cybersecurity Strategy, which, at its core, demands that corporate America do more to protect citizens from cyberattacks. There's also the Securities and Exchange Commission's (SEC) action against the software company SolarWinds and its head of security. The case has raised eyebrows, specifically because the security leader was held personally responsible.
But with very few exceptions, the CISO or senior-most security leader is simply not the "responsible corporate officer." It's the CEO. Security leaders rarely, if ever, get the budget needed to do their job well. CEOs and boards that do control the corporate budget rarely invest the time to understand their cyber-risks, and instead allocate resources in other directions.
Read more:
The CEO Is Next
Related:
White House Fills in Details of National Cybersecurity Strategy
Commentary by Robert Grazioli, Chief Information Officer, Ivanti
Alignment between these domains is quickly becoming a strategic imperative.
Gartner forecasts that the world will spend $215 billion on risk management and cybersecurity in 2024. That's a 14% increase over 2023. But many workers are feeling spread thin, with more data and endpoints than ever and not enough qualified talent to be found. It's time to finally break down the silos between IT and security.
That starts by fostering alignment between the CIO and chief information security officer (CISO).
Individually, CISOs and CIOs are powerful forces with a lot on their plates — and a lot on the line. Together, they could be unstoppable. However, historically, organizational structures have relegated CISOs and CIOs to separate domains with distinct — and occasionally contradictory — objectives.
Here's how to foster alignment:
Read more:
Why CIO & CISO Collaboration Is Key to Organizational Resilience
Related:
CISO & CIO Convergence: Ready or Not, Here It Comes
By Tara Seals, Managing Editor, News, Dark Reading
Critical infrastructure is facing increasingly disruptive threats to physical processes, while thousands of devices are online with weak authentication and riddled with exploitable bugs.
Industrial control systems (ICS) giant Rockwell Automation's recent directive to customers to disconnect their gear from the Internet showcases not just growing cyber risk to critical infrastructure, but the unique challenges that security teams face in the sector, experts say.
CISA is warning that increased threats to critical infrastructure could lead to various catastrophic attacks, including denial-of-service (DoS) efforts that take down electrical grids; privilege escalation and lateral movement to burrow deeper into the operational technology (OT) environment in order to control it; modifying settings to, say, change safety thresholds for power generators; remotely compromising programmable logic controllers (PLCs) to halt water sector operations; or even conducting destructive Stuxnet-style attacks that can obliterate a site's ability to function permanently.
Yet thousands of devices are exposed online with weak authentication and riddled with exploitable bugs; and there's an endemic lack of security team participation in site design and asset/infrastructure management. All in all, it's not an ideal situation.
Read more:
Rockwell's ICS Directive Comes as Critical Infrastructure Risk Peaks
Related:
Volt Typhoon Hits Multiple Electric Utilities, Expands Cyber Activity
DR Technology commentary by Ken Deitz, CSO/CISO, Secureworks
Creating and nurturing a corporate environment of proactive cybersecurity means putting people first — their needs, weaknesses, and skills.
A good cybersecurity culture trusts and empowers teammates to make good decisions. In turn, that trust fuels a more productive relationship between cybersecurity and the business. Culture is a living entity that needs to be continuously nurtured. Give it the dedication it needs, and your business will be safer as a result.
Here are some core pillars for establishing an effective security culture:
1. Establish the Right Mindset: Focus on the positive actions that people can and should take.
2. Engage with Empathy: A productive and inclusive security culture is one that shuns blame. Instead, focus on what you can collectively learn from the incident to enrich your cyber strategy for the future.
3. Communicate, Communicate, Communicate: When it comes to cybersecurity, there's no such thing as too much communication. People have a lot going on in their jobs and lives. Meet people where they are, and you'll have much better results.
4. Stay on Your Toes: New and emerging technologies bring opportunities and challenges. Generative artificial intelligence (AI), for example, can offer teammates productivity gains, but they also need to know the risks.
Read more:
4 Ways to Help a Security Culture Thrive
Related:
How to Transform Security Awareness Into Security Culture