CISO Corner: NSA Guidelines; a Utility SBOM Case Study; Lava Lamps

  /     /     /  
Publicated : 23/11/2024   Category : security


CISO Corner: NSA Guidelines; a Utility SBOM Case Study; Lava Lamps


Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps.



Welcome to CISO Corner, Dark Readings weekly digest of articles tailored specifically to security operations readers and security leaders. Each week, well offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. Were committed to presenting a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.
NSAs Zero-Trust Guidelines Focus on Segmentation
Creating Security Through Randomness
Southern Company Builds SBOM for Electric Power Substation
What Cybersecurity Chiefs Need From Their CEOs
How to Ensure Open Source Packages Are Not Landmines
DR Global: Middle East Leads in Deployment of DMARC Email Security
Cyber Insurance Strategy Requires CISO-CFO Collaboration
Tips on Managing Diverse Security Teams
By David Strom, Contributing Writer, Dark Reading
Zero-trust architectures are essential protective measures for the modern enterprise. The latest NSA guidance provides detailed recommendations on how to implement the networking angle of the concept.
The US National Security Agency (NSA) delivered its guidelines for zero-trust network security this week, offering a more concrete roadmap toward zero-trust adoption than were used to seeing. Its an important effort to try to bridge the gap between desire for and implementation of the concept.
The NSA document contains loads of recommendations on zero-trust best practices, including, foundationally, segmenting network traffic to
block adversaries from moving around a network
and gaining access to critical systems.
It walks through how network segmentation controls can be accomplished through a series of steps, including mapping and understanding data flows, and implementing software-defined networking (SDN). Each step will take considerable time and effort to understand what parts of a business network are at risk and how to best protect them.
The NSA document also differentiates between macro- and micro-network segmentation. The former controls traffic moving between departments or workgroups, so an IT worker doesnt have access to human resources servers and data, for example.
John Kindervag, who was the first to define the term zero trust back in 2010, when he was an analyst at Forrester Research, welcomed the NSAs move, noting that very few organizations have understood the importance of network security controls in building zero-trust environments, and this document goes a long way toward helping organizations understand their value.
Read more:
NSAs Zero-Trust Guidelines Focus on Segmentation
Related:
NIST Cybersecurity Framework 2.0: 4 Steps to Get Started
By Andrada Fiscutean, Contributing Writer, Dark Reading
How lava lamps, pendulums, and suspended rainbows keep the Internet safe.
When you step inside Cloudflares San Francisco office, the first thing you notice is a wall of lava lamps. Visitors often stop to take selfies, but the peculiar installation is more than an artistic statement; its an ingenious security tool.
The changing patterns created by the lamps floating blobs of wax help Cloudflare encrypt internet traffic by generating random numbers.
Random numbers have a variety of uses in cybersecurity
, and play a crucial role in things such as creating passwords and cryptographic keys.
Cloudflares Wall of Entropy, as its known, uses not one but 100 lamps, their randomness increased by human movement.
Cloudflare also uses additional sources of physical entropy to create randomness for its servers. In London, we have this incredible wall of double pendulums, and in Austin, Texas, we have these incredible mobiles hanging from the ceiling and moving with air currents, Cloudfare CTO John Graham-Cumming says. Cloudflares office in Lisbon will soon feature an installation based on the ocean.
Other organizations have their own sources of entropy. The University of Chile, for instance, has added seismic measurements to the mix, while the Swiss Federal Institute of Technology uses the local randomness generator present on every computer at /dev/urandom, meaning that it relies on things like keyboard presses, mouse clicks, and network traffic to generate randomness. Kudelski Security has used a cryptographic random number generator based on the ChaCha20 stream cipher.
Read more:
Creating Security Through Randomness
By Kelly Jackson Higgins, Editor-in-Chief, Dark Reading
The utilitys software bill of materials (SBOM) experiment aims to establish stronger supply chain security — and tighter defenses against potential cyberattacks.
Energy giant Southern Company kicked off an experiment this year, which began with its cybersecurity team traveling to one of its Mississippi Power substations to physically catalog the equipment there, taking photos and gathering data from network sensors. Then came the most daunting — and at times, frustrating — part: acquiring software supply chain details from the 17 vendors whose 38 devices run the substation.
The mission? To
inventory all of the hardware, software, and firmware in equipment running in the power plant
in an effort to create a software bill of materials (SBOM) for the operational technology (OT) site.
Prior to the project, Southern had visibility into its OT network assets there via its Dragos platform, but software details were an enigma, said Alex Waitkus, principal cybersecurity architect at Southern Company and head of the SBOM project.
We had no idea what the different versions of software we were running, he said. We had multiple business partners who managed different parts of the substation.
Read more:
Southern Company Builds SBOM for Electric Power Substation
Related:
Improved, Stuxnet-Like PLC Malware Aims to Disrupt Critical Infrastructure
Commentary by Michael Mestrovich CISO, Rubrik
By helping CISOs navigate the expectations being placed on their shoulders, CEOs can greatly benefit their companies.
It seems obvious: CEOs and their chief information security officers (CISOs) should be natural partners. And yet, according to a recent PwC report, only 30% of CISOs feel they receive sufficient support from their CEO.
As if defending their organizations from bad actors despite budget constraints and chronic cybersecurity talent shortages wasnt already difficult enough,
CISOs now face criminal charges and regulatory wrath
if they make a mistake in incident response. Small wonder that Gartner predicts nearly half of cybersecurity leaders will change jobs by 2025 due to multiple work-related stressors.
Here are four things CEOs can do to help: Ensure the CISO has a direct line to the CEO; have the CISOs back; work with the CISO on a resilience strategy; and agree on AIs impact.
CEOs who lean into these arent just doing the right thing for their CISOs, theyre greatly benefiting their companies.
Read more:
What Cybersecurity Chiefs Need from Their CEOs
Related:
The CISO Role Undergoes a Major Evolution
By Agam Shah, Contributing Writer, Dark Reading
CISA and OpenSSF jointly published new guidance recommending technical controls to make it harder for developers to bring malicious software components into code.
Open source repositories are critical to running and writing modern applications, but they can also contain
malicious, lurking code bombs
, just waiting to be incorporated into apps and services.
To help avoid those landmines, the Cybersecurity and Infrastructure Security Agency (CISA) and Open Source Security Foundation (OpenSSF) have issued new guidelines for managing the open source ecosystem.
They recommend implementing controls such as enabling multifactor authentication for project maintainers, third-party security reporting capabilities, and warnings for outdated or insecure packages to help reduce exposure to malicious code and packages masquerading as open source code on public repositories.
Organizations ignore the risk at their peril: Talking about malicious packages over the last year, we have seen a twofold increase over previous years, said Ann Barron-DiCamillo, managing director and global head of cyber operations at Citi, at the OSFF conference a few months ago. This is becoming a reality associated with our development community.
Read more:
How to Ensure Open Source Packages Are Not Landmines
Related:
Millions of Malicious Repositories Flood GitHub
By Robert Lemos, Contributing Writer, Dark Reading
Yet challenges remain as many nations policies for the email authentication protocol remain lax and could run afoul of Googles and Yahoos restrictions.
On February 1, both Google and Yahoo started mandating that all email sent to their users have verifiable Sender Policy Framework (SPF) and Domain Key Identified Mail (DKIM) records, while bulk senders — companies sending out more than 5,000 emails per day — must also have a valid Domain-based Message Authentication Reporting and Conformance (DMARC) record.
Yet,
many organizations lag in the adoption
of these technologies, despite the fact that they arent new. There are two shining exceptions out there though: The Kingdom of Saudi Arabia and the United Arab Emirates (UAE).
Compared to approximately three-quarters (73%) of global organizations, about 90% of organizations in Saudi Arabia and 80% in UAE have implemented the most basic version of DMARC which—along the two other specifications—makes email-based impersonation much more difficult for attackers.
Overall, Middle Eastern nations are ahead in adoption of DMARC. About 80% of the members of the S&Ps Pan Arab Composite Index have a strict DMARC policy, which is higher than the FTSE100s 72%, and higher still than the 61% of France’s CAC40 index, according to Nadim Lahoud, vice president of strategy and operations for Red Sift, a threat intelligence firm.
Read more:
Middle East Leads in Deployment of DMARC Email Security
Related:
DMARC Data Shows 75% Increase in Suspicious Emails Hitting Inboxes
By Fahmida Y. Rashid, Managing Editor, Features, Dark Reading
Cyber-risk quantification brings together the CISOs technical expertise and the CFOs focus on financial impact to develop a stronger and better understanding of whats at stake.
Cyber insurance has become the norm for many organizations, with more than half of the respondents in Dark Readings most recent Strategic Security Survey saying their organizations have some form of coverage. While insurance has typically been the domain of the organizations board of directors and CFOs, the technical nature of cyber-risk means the CISO is increasingly being asked to be part of the conversation.
In the survey, 29% say
cyber insurance coverage
is part of a broader business insurance policy, and 28% say they have a policy specifically for cybersecurity incidents. Nearly half of the organizations (46%) say they have a policy that covers ransomware payments.
How to talk about risk and how to manage and mitigate risks is now becoming much more important for the CISO organization to understand, says Monica Shokrai, head of business risk and insurance at Google Cloud, while noting that communicating risk upward is something the CFO has been doing forever.
Instead of trying to turn CISOs into cyber CFOs, the two organizations should work together to develop a coherent and integrated strategy for the board, she says.
Read more:
Cyber Insurance Strategy Requires CISO-CFO Collaboration
Related
:
Privacy Beats Ransomware as Top Insurance Concern
Commentary by Gourav Nagar, Senior Manager of Security Operations, BILL
The better a security team works together, the bigger the direct impact on how well it can protect the organization.
Building a security team begins with hiring
, but once the team starts working together, its critical to create a common language and a set of expectations and processes. This way, the team can work toward a common goal quickly and avoid miscommunications.
Especially for diverse teams, where the goal is for each person to bring their different experiences, unique perspectives, and distinctive ways of solving problems, having common communications channels to share updates and collaborate ensures team members can spend more time on what they love to do and not worry about team dynamics.
Here are three strategies for achieving that goal: Hire for diversity and quickly align on team culture and processes; create trust for every single person on the team; and help your team members build a career in cybersecurity and stay excited with innovation.
Of course, its up to each of us to take ownership of our own careers. As managers, we may know this well, but not all our team members might. Our role is to remind and encourage each of them to actively learn and pursue roles and responsibilities that will keep them excited and help them in their careers.
Read more:
Tips on Managing Diverse Security Teams
Related:
How Neurodiversity Can Help Fill the Cybersecurity Workforce Shortage

Last News

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
CISO Corner: NSA Guidelines; a Utility SBOM Case Study; Lava Lamps