The reality is that most cybersecurity incidents are enabled by IT operations failures (slow patching and misconfigurations) and tactical choices to continue to use reusable passwords years after everyone knew they were the major success factor for breaches and ransomware. While the SEC requiring information on board expertise in cybersecurity is a good thing, remember: boards approve all mergers and acquisitions, 70% of M&A deals fail, and boards are supposed to be focused on strategic issues (like M&A) vs. tactical issues like IT and security operations hygiene.
The value of cyber expertise at the board level depends on the business. The board is focused on strategy, hiring the CEO, selecting a chairman, and sustaining/growing the business. Having board members with a cyber background doesn't guarantee that they have the current expertise to weigh in on cyber initiatives. The operational team, including the CISO, needs to remain prepared to brief up, including background, in a context that aligns with the board focus. Board members need to make sure they are asking for the cyber briefing on new initiatives, including mergers, then empower their employee, the CEO, to act appropriately.
Whilst it is important to talk about cyber risks at the board, the root cause usually comes down to a lack of focus on people, process, and technology (i.e., configuration, patch management, active monitoring) by IT operations. Board responsibility is rightly focused on business operations (costs, revenue targets, business growth, brand awareness). These are different professional skill sets. Cybersecurity expertise can be obtained as independent officers or experts that augment board deliberations.
I’m very surprised to have seen this high a number of executive boards filled with cybersecurity expertise. This is encouraging, as more traction stories like this will further board requests for members to have cybersecurity expertise. This is a rather positive news story, even if it is trying to be shocking.
The primary role of the Board in cybersecurity is to set the organization's tolerance for risk. This is an application of the knowledge, skills, abilities, and experience that one expects of directors. The role of the security staff is to help the Board express the intended risk tolerance in such a way that all levels and functions of management understand what that means that they are expected and authorized to do. While this articulation is not easy, it is what we are expected to have the knowledge, skills, abilities, and experience to do.
It seems as though every department and agency is now into cybersecurity—a good thing. Yes, cyber incidents should be reported in a timely manner. Yes, victims should be notified in a timely manner that their personal data may have been compromised. Yes, every organization should have a minimum set of cybersecurity requirements against which they’re measured. Instead of departments and agencies deciding, the administration (National Cyber Director) should establish cybersecurity and reporting requirements once, for every industry sector. Just remember, every sector has more in common than not when it comes to IT operations.
Last year, India attempted to propose similar regulations. There are some differences here. In the US we have a lot more experience with reporting than in other countries. We have been slowly moving the reporting windows up until this point. The other item here is that the SEC is opening this up for a comment review window of 60 days instead of just coming down with this regulation and no requests for comment.
Having consistent incident notification windows is a good idea. It would be nice if this was consistent with CISA’s 72-hour notification window. Regardless of a 48- or 72-hour notification window, it's unlikely a business will be ready to report significant details at that point. The comment period is open for 60 days; you'll want to be sure that you're satisfied with not only the reporting requirements but the protection of that reported information. Additionally, make sure you understand what's required for assessing systems for risks and reporting them.
Of all security mechanisms, few are less effective and efficient than reporting. Only for regulators is it the first and most important.
This vulnerability existed unnoticed for six years. And it isn't the first time that tools used to crop or obscure images have had issues like this. In most cases, it is safer to use a screenshot of the edited image, instead of posting the edited image itself. This will also reduce the metadata carried over from the original image. Just make sure nothing else is visible on the screen, even if you screenshot only the region of interest.
While the flaw has been around since 2018, Google's recent magic eraser campaign likely prioritized addressing this. So far, this update is just for Pixel devices running Android 13. Fixes have been ported to AOSP 13 as well, so you may see related updates on other devices soon. If you're using the on-device redaction capabilities, it's not a bad idea to take the altered image and look at the metadata which remains. When in doubt, take a screenshot or photo of the redacted screenshot, so none of the redacted data is present for recovery.
Given how much we use our camera phone and redaction features, this could be a very serious flaw for Android. There may be fallout from this discovery. Anyone who has placed an Android backdoor on a phone, or has remote control access to an Android device, may have access to previously redacted images.
While I applaud the administration’s effort to provide professional growth in developing critical cybersecurity skills, there’s a practical matter that needs to be addressed: who does the work in the losing organization? Each department and agency has a mission to fulfill; a balance has to be struck between losing and gaining organizations. It’s not clear that the new policy accounts for that.
What's new here is that these attacks are leveraging a greater percentage of UDP traffic when compared to 2022. Also, we are seeing layer 7 attacks, where connections are made, consuming resources, until the system (typically memory) is exhausted. These changes are an attempt to bypass your existing DDoS protections. These attacks are targeting Azure hosted services, which means you can leverage Microsoft's Azure DDoS Network Protection solution. Don't stop there; make sure that your other environments are covered as well.
An interesting report from MSFT on the use of DDoS to target potential victims. The blog post cleverly points out the benefits of moving to the cloud and centralizing security services managed by experts.
If you weighed each focus area as pass/fail, the FDIC scored a 42 on the OIG exam. There is no getting around the need to securely configure and actively manage one’s enterprise to protect against a cyber incident. If it’s a lack of resources, then they have to be budgeted for, and executed on. Otherwise, it’s just another audit to go on top of the previous meaningless audits.
This is important. It's being exploited in the wild, and is a zero-day. Per the CISA KEV, updates are due 4/4/23. Outlook is really good at saving any draft messages when you push the update, so you may want to just pick an evening to finish getting it everywhere.
As reported in a recent SANS NewsBites, this batch includes a number of remote code execution vulnerabilities as well as two ‘zero days’ being actively used. Exercise your patch process and remediate these vulnerabilities first—you’re in a race against a very agile cybercriminal network.
If you have General Bytes Bitcoin ATMs, leverage the IOCs in the blog to make sure that you're clean. Regardless, read their solution carefully: there is not yet a patch, and you'll need to set up a local standalone server, protected by a firewall and VPN, and require access terminals to use a VPN. Consider all your users' passwords, and API keys to exchanges and hot wallets, to be compromised. You're going to need to invalidate these and generate new keys & passwords. Even if you already had a standalone server, there is work to be done. Read carefully.
Kinda what you would expect, no? Virtual “currencies” are not currencies, so one would expect virtual “currency” ATM machines to be “secure,” not secure.
While wallets, exchanges, and point of sale devices (including ATMs) are necessary to the popularization of digital assets, they have proven to be the weak point. They demonstrate the maxim that the hardest part of cryptography is not codes and ciphers but systems and implementations.
The lesson here: don’t poke the bear [FBI] if you’re into criminal mischief.
Krebs on Security
Infosecurity Magazine
The suspect appeared to be targeting credentials which could be used to steal funds. It's not clear if he was targeting crypto or fiat currency. The RAT was positioned as applications for computer games, likely luring victims with promises of game cheats or hacks. As tempting as it is to get the upper hand in a game, loading a third-party module to do so may get you into a completely different interaction, so avoid it unless you're equipped to research very carefully, as in reverse engineering/sandboxing. The penalty in Ukraine for this crime is 15 years of imprisonment.
Even in the midst of war, Ukraine is contributing to international law enforcement efforts against cybercriminals. Bravo to Ukrainian law enforcement for their efforts.
This is an odd news story I’m somewhat thinking through for the rest of the day. This is a country in the middle of a war with tanks rolling in on fronts, and yet law enforcement and parts of society are operating somewhat normally. I would imagine if I was the developer of a RAT that was used for criminal activity I would not think that, right at this moment in time, law enforcement would be working on this case. Then again, maybe a story to watch.
In light of what is happening in Ukraine, one has to tip their hat to the Ukrainian police's continuous efforts to fight cybercrime. This is a difficult task at the best of times, but to do so during a war is very impressive.
Bleeping Computer
From Phishing Kit to Telegram ... or Not
https://isc.sans.edu/diary/From+Phishing+Kit+To+Telegram+or+Not/29650
Old Backdoor, New Obfuscation
https://isc.sans.edu/diary/Old+Backdoor+New+Obfuscation/29646
Emotet uses OneNote
https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/
WSUS Update
DOTRUNPEX .Net Injector
Samsung Exynos Chip Vulnerability
https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html
Android Image Cropping Problem
https://twitter.com/ItsSimonTime/status/1636857478263750656/photo/1
Bitwarden Pins