What a year 2023 was for cybersecurity!

It was a year the world became obsessed with generative artificial intelligence — and a year that brought new breaches with old exploits, a year that brought significant consolidation in the security tools marketplace, and a year when passkeys finally took hold, at least for consumers.

Are businesses better secured than before? Hardly. Attackers have continued to get more sophisticated, hiding in plain sight and using sneakier ways to penetrate enterprise networks. Ransomware is still a thing, and criminals are getting clever at using multiple tactics to extort funds from their victims.

In this story for SiliconANGLE, I’ve has collected some of the more notable predictions for 2024, and offer my own recommendations for best security practices.

Here are the ones from the first part of the week.

1. I did a video interview for a sponsored virtual event for TheCube here, talking about ransomware, air gapped networks, and other reasons to secure your data. 
2. An analysis of Infrastructure As Code — where it comes from, why it is important, and why it can be both blessing and trouble for IT and devs.
3. An analysis of everyone’s least favorite hacking group, Lazarus of North Korea, and how they are changing tactics and using Telegram as a command channel, and scooping up millions of dollar-equivalents.
4. This week, Ukraine’s largest telecom carrier got hit with a massive cyberattack. They are gradually bringing stuff back on line, including the ordinary (like people’s cell phones and bank’s ATMs) and the war-related stuff to target the people most likely to have originated the attack (you know who they are).
5. A new report from Cloudflare shows their growth in internet traffic along with other interesting stuff such as outages and the percentage of those poor souls who are still using ancient TLS versions.
6. Another report that examines the past year or so of various cyber attacks and other assorted breaches from a very well respected source at MIT.

Here are this week’s stories in SiliconANGLE.  My most interesting story is about one man’s effort to improve the power grid in Ukraine, thanks to a very clever collection of Cisco networking gear that provides backups when the GPS systems are jammed by the Russians.

• Law enforcement in the US and UK have reveals years-long Russian-based cyber espionage campaigns against a wide collection of leaders in and out of government and industry.
• Akamai has figured out a very clever and involved vulnerability involving DNS, Active Directory, and DHCP that can result in major-league DNS spoofing and takeovers of devices. Too bad Microsoft considers this a feature and not a bug that requires some careful patching.
• A very nice treatment of the long history of Outlook email exploits that deserves your attention, given the sweep and scope and longevity of them. And again, with some better-late-than-ever efforts by Microsoft to close their numerous backdoors.
• Wiz acquires Rafft to improve their coverage of serverless and container security pipelines.
• Citrix Bleed ransomware is the gift that keeps on giving, and has been found in a series of credit union attacks that have disabled numerous banks.

Here are four stories that I wrote this week.

• Sporting-related businesses (think professional teams, stadium operators, and related services) have absolutely miserable cybersecurity procedures and practices. Here is a report about the depth of their despair.
• The Swiss encryption software vendor Proton has expanded the feature set of their password manager, which continues lead the way in terms of protecting your password vault, something that 1Password and LastPass could learn a few lessons from.
• Amazon has expanded their palm-reading One service for enterprise use, and also made other identity-related announcements this week. The service has a lot of moving parts and some early customers.I first looked at One a few years back when it was just being installed as part of their JustWalkOut technology in retail stores. Since then it has been deployed at hundreds of stores around the world.
• Various government agencies have gotten together and issued a joint report that outlines the best practices for ensuring safer AI development. The emphasis is on the world “outlines” because the devil is all in the details.

Happy holidays! Here are my stories for the week:

• The group behind LockBit ransomware is now exploting the Citrix Bleed vulnerability, which made big news last month and still at risk for thousands of devices around the world. US and Australian cybersec officials released a security advisory this week that provide the details, and my article follows up with what is going on with this very dangerous and prolific ransomware operation.
• The group behind the Phobos ransomware is also stepping up its game too.
• I examine a series of recent cloud security reports, some surveys of IT managers and some taken from actual network telemetry of customers and public sources, to show a not very rosy picture of the situation. Secondary issues such as security alerts take too much time to resolve, and risky behaviors fester without any real accountability to prevent or change.

Say your company has just been attacked by a ransomware gang, and they are demanding payment or they will do various criminal acts. So whom do you call first?

1. The corporate security manager, to lockdown your network and begin the process of figuring out how they got in, what damage they have caused, and what your company needs to do to get back to normal operations,
2. The chief legal officer, to activate law enforcement solutions,
3. Your insurance agent, to find out the specifics of your cybersecurity policy and to begin the claims process
4. The chief compliance officer, to begin the process of letting the various regulatory authorities know that a breach has occurred.

Ideally, you should make all of these calls in quick succession. But a situation involving a finserv firm’s ransom attack earlier this month has brought about a new wrinkle in what is now called the multipoint extortion games. This term refers to ransomware gangs using more than just encrypting your data as a way to motivate a company to pay up. Now they file a complaint with the SEC.

Say what? You mean that the folks who caused the breach are now letting the feds know? How is this possible? Read this story by Ionut Ilascu in Bleeping Computer for the deets. They have the victim on the record that they were breached, and information from the ransomware group seems to match up with a complaint that was filed with the SEC at about the same time period. So how annoyed were the ransomware gang that they decided on this course of action? The victim says they have contained the attack. The one trouble? Apparently the breach notification law doesn’t come into effect until next month that requires the mandatory disclosure. Someone needs to provide legal assistance to the bad guys and at least let them know their rights. (JK)

But seriously, if you have a corporate culture that prevents breach disclosure to your customers — at a minimum — now is the time to fix that and become more transparent, before you lose your customers along with the data that the ransomware folks supposedly grabbed.

This week on SiliconANGLE, I covered major security announcements adding AI features to the product lines of Microsoft, Palo Alto Networks, and Wiz. All are claiming — incorrectly — to be the first to do so.

I had an unusually productive week here at SA. This is the rundown.

First and foremost is my analysis of kubernetes and container security, which describes the landscape, the challenges, the opportunities for security vendors to fill the numerous gaps, and what else is going on here. There is a lot going on in this particular corner of the infosec universe, and I think you will find this piece interesting and helpful.

There were some shorter pieces that I also wrote:

• APIs have become popular for making authorization exploits easier and more prevalent.
• The EU is stepping into some controversial territory by adding a new regulation that would enable any government in its footprint to add compromised digital certs, making man-in-the-middle attacks easier. As you might imagine, many folks aren’t happy with this.
• Akamai has a new survey that shows the big benefits of network segmentation. While this shouldn’t surprise anyone who has been doing networking for the past five minutes, what is troubling is how infrequently IT admins actually segment their networks.
• New Iranian state-sponsored hacking campaigns also shouldn’t be newsworthy, except that they are getting more tenacious and better at their exploits.
• Russia is hard at work trying to reinvent the Virus Total wheel so they can share their own exploits without having to let anyone outside of their cabal see what is going on.
• Here is my take on Biden’s latest AI-themed executive order. It might be tough to actually pull off, but it is a very detailed plan.
• The Citrix Bleed vulnerability is a nasty one, and requires immediate patching of your NetScaler devices because of that.
• Finally, Cisco Talos’ intel group figured out a new phishing scam that uses Google Forms’ quiz templates to collect email addresses. My guess is that Google will figure out a way to shut this stuff down.

In addition to my AI data leak story, (which you should read) here are several other posts that I wrote this week that might interest you:

— A new kind of hackathon was held last month, which prompted me to talk to several nerds who are working to improve the machinery that runs our elections. Fighting disinformation is sadly an ever-present specter. The hackathon brought together for the first time a group of security researchers and vendor reps who make the equipment, all in search of a common goal to squash bugs before the machines are deployed around the country.

— Managing your software secrets, such as API tokens, enryption keys and the like, has never been a pleasant task. A new tool from GitGuardian is available that kinda works the same way HaveIBeenPwned does for leaked emails, so you can lock these secrets down before you are compromised.

— The FBI has taken down 17 websites that were used to prop up the identities of thousands of North Korean workers, who posed as potential IT job candidates. This crew then funneled their paychecks back to the government, and spied on their employers as an extra added bonus. Thousands of “new hires” were involved in this scheme, dating back years.

This week I got to write a very long piece on the state of current data leak protection specifically designed to protect enterprise AI usage.

Ever since artificial intelligence and large language models became popular earlier this year, organizations have struggled to keep control over accidentally or deliberately exposing their data used as model inputs. They aren’t always succeeding.

Two notable cases have splashed into the news this year that illustrate each of those types of exposure: A huge cache of 38 terabytes’ worth of customer data was accidentally made public by Microsoft via an open GitHub repository, and several Samsung engineers purposely put proprietary code into their ChatGPT queries.

I covered the waterfront of numerous vendors who have added this feature across their security products (or in some cases, startups focusing in this area).

What differentiates DLP between the before AI times and now is a fundamental focus in how this protection works. The DLP of yore involved checking network packets for patterns that matched high-risk elements, such as Social Security numbers, once they were about to leave a secure part of your data infrastructure. But in the new world order of AI, you have to feed the beast up front, and if that diet includes all sorts of private information, you need to be more proactive in your DLP.

I mentioned this to one of my readers, who had this to say about how our infrastructures have evolved over the years since we both began working in IT:

“In the late 90’s we had mostly dedicated business networks and systems, a fairly simple infrastructure setup. Then we went through web hosting and the needs to build DMZ networks. Then came shared web hosting facilities and shared cloud service offerings. Over the years cloud services have built massive API service offerings. Each step introduced an order of magnitude of complexity. Now with AI we’re dealing with massive amounts of data.”

If you are interested in how security vendors are approaching this issue, I would love to hear your comments after reading my post in SA. You can post them here.