The US Federal Trade Commission (FTC) has opened an investigation into OpenAI’s ChatGPT. According to the civil investigative demand sent to OpenAI, the FTC is seeking information about personal data: what information it collects, its data retention practices, and methods for individuals to opt out of having their data collected or request that their data be deleted; how personal information is kept out of training data; policies and procedures regarding potentially false or misleading AI-generated statements about people; and information about OpenAI’s data security practices and security incidents.
The FTC is not alone in looking at AI privacy and security issues. In 2008, financial markets globally melted down in large part because computer models that created financial derivative packages were labelled as “low risk” but it turned out that many should have been labelled “no one can tell what this model is really doing but these could be low risk, we hope they are.” The SEC put regulations in place that such models must have defined governance and transparency policies and had to be audited. More recently, the SEC is looking at claims in financial filings by companies that claim their product uses AI in some unique way (such as in many cybersecurity products), or by companies that identify a risk and point to their use of AI-based products as mitigation. Ask any vendor of products or tools making claims of using AI to demonstrate results of audits/inspection of claimed use of AI/ML.
While LLM/Generative AI (GenAI) is incredibly powerful, and something we're all keeping an eye on, we also need to fully understand what it does with data we feed it as well as how it is continuing to train and build its model. You should already be developing guidance for users regarding entering proprietary or sensitive data into GenAI systems; make decisions on what data is in a session versus retained based on provider documentation, not hearsay or speculation. As GenAI is showing up in more places, rapidly, get ahead of it by starting to investigate how it changes the results you get, much like we have done in the past.
An interesting line of inquiry by the FTC. Sure, I can see questions concerning copyright and authorized licensing, but an inquiry on personal data using the Consumer Protection Act? Perhaps if this country had a federal privacy law as opposed to the current patchwork of state privacy laws the line of investigation would be welcomed.
ChatGPT is being singled out because it’s the one people know at the tip of their tongue. So many of these platforms are currently in use, and I think we will need to see some regulation around this. Just in the “AI Art” space itself, this is tricky: when is it original content, when is it slightly modified, and how does this impact copyright? There is a lawsuit around software licensing in GPL and other licensing models with code in GitHub, which GitHub CoPilot uses to provide suggestions. That lawsuit may also have implications here—something to watch. Now, I need to take this comment, run it through ChatGPT, and ensure it will be spicy and catchy. Maybe we can create one just for this. SpicyGPT, but don’t Google that because it may be unsafe for work.
VMware has released a security advisory that includes fixes for two vulnerabilities in its Aria Operations for Networks. One of the flaws is rated critical: “an authentication bypass vulnerability due to a lack of unique cryptographic key generation.” The second flaw is an arbitrary file write vulnerability, which is rated important.
CVE-2023-34039, authentication bypass, has a CVSS score of 9.8 and has no workarounds; CVE-2023-20890, arbitrary file write, has a CVSS score of 7.2 and also has no workarounds. Feels like a Monday, doesn't it? Good news is Aria Operations for Networks version 6.11 is not impacted, but versions 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 / 6.7 / 6.8 / 6.9 / 6.10 have patches. Be sure to read the notices and caveats displayed during the update and pre-checks.
If you know what product to download in a trial edition you will be able to easily extract the private SSH key that can be used to log into any of these systems. Patch. Now.
A threat actor is exploiting a known remote code execution flaw in Citrix NetScaler. The campaign is targeting unpatched, Internet-facing Citrix NetScaler ADC and Gateway servers. Citrix released fixes for the vulnerability in July.
If you have one of the affected devices, you need to not only apply the patch, but also check your network for signs of compromise. Sophos X-Ops published the IOCs (https://github.com/sophoslabs/IoCs/blob/master/2023-08-25 Citrix CVE-2023-3519 attacks.csv). Note that ADC and NetScaler Gateway 12.1 is EOL, vulnerable and has no patch, so you'll need to upgrade to a supported version, as well as hunt for signs of compromise.
I can sit here and make judgement calls about the patches that matter within a network, given that there are tens of thousands every year. I cannot sit here and reason with anyone that has not yet patched their Edge systems like Citrix or Forescout against well-known disclosed vulnerabilities that execute code on your system without authentication. If these systems exist 30-60 days after disclosure and patch release, I consider it negligent.
This really shouldn’t be a surprise to anyone. Evil-doers are up against the clock to exploit organizations before the patch has been implemented. The patch has been available for more than 45 days, so no excuse not to have downloaded and implemented the fix.
Infosecurity Magazine
The Hacker News
Bleeping Computer
Citrix
According to the 2023 State of Cyber Insurance Report from Delinea, 80 percent of companies with cyber insurance policies have submitted at least one claim, while 47 percent of organizations made multiple claims on their policies. Two-thirds of companies responding to the survey said their premiums increased between 50 and 100 percent. The report also lists exclusions or actions that could void cyber insurance policies.
The survey summarizes what has been a constant with cybersecurity insurance for the past decade: “Even if organizations are able to get or renew cyber insurance policies they can afford, their claim may get denied or reduced because of the fine print.” There aren’t many success stories where such insurance policies showed a positive ROI compared to self-insuring by keeping things secure – which you largely have to do anyway to obtain a policy!
No real surprises in the latest state of cyber insurance report. Claim submissions up – check. Premiums up – check. Policy exclusions up – check. The best thing companies can do is to invest in their cybersecurity program upfront and use that as an argument for a premium discount.
With renewals becoming harder to get, increases in premiums, increased cyber security requirements for payment of claims, if paid at all, it may be simpler to implement a high cyber security bar, already required to get insurance in the first place, and set aside a bond to be self-insured. Sharpen your pencil and work that ROI. Remember to include the impact of delays in claims, finding budget for increases in premiums, and changing requirements for eligibility.
A generation ago cyber insurance was profitable for underwriters; claims were rare. Then came ransomware and claims skyrocketed. Many underwriters withdrew from the market and those remaining wrote more restrictive policies with higher deductibles and lower maximum coverage. Premiums must rise until mitigation is cheaper than insurance and underwriters return to profitability.
Delinea
Dark Reading
Infosecurity Magazine
The University of Michigan (U-M) has restored Internet services to its three campuses following a “significant security concern” that prompted the school to shut down Internet access and many online services. Due to the incident, U-M says that some financial aid payments and refunds may be delayed.
Well, on the positive side, university cybersecurity controls and processes have gotten a lot better over the 20 years since the Slammer/Blaster/Code Red/Nimda Windows worms caused many universities to require students to physically bring their PCs to the IT shop before dorm switch ports would be turned on again!
The impact of disconnection was likely higher to users of UofM systems than to students who likely remained online using hotspots or mobile devices. In a University setting, the need for external collaboration and access has driven a model where research systems are readily accessible, while evolving controls to protect business systems. Even so, the need to cut the campuses off indicates some scenarios remain for compromise. Walk through your incident scenarios to determine if you have any remaining which would drive disconnecting from the Internet, then examine how you could raise the bar to avoid that, keeping in mind you really can't disconnect your cloud and outsourced services, and they still need adequate protections.
The US Department of Energy’s (DoE’s) Rural and Municipal Utility Cybersecurity (RMUC) Advanced Cybersecurity Technology (ACT) competition is offering nearly $9 million in cybersecurity funding for small, underfunded US electric utilities. The competition will provide “cash and technical assistance across three increasingly competitive phases—Commitment, Planning, and Implementation… [and] will challenge eligible utilities to identify risks and implement solutions to harden their systems against threats and improve their overall cybersecurity posture.”
If you're operating a small utility, odds are you're tight on budget and face the same threats as the big operators. Utilities that have 1) limited staff and economic resources; 2) limited access to cyber security training and support services; and 3) a low cybersecurity maturity level are strongly encouraged to apply, as are utilities which serve military installations. The Phase 1 (Commitment) submission deadline is November 29th, which really isn't all that long to develop a proposal. Prizes for phases one and two are $50,000, and up to 60 hours of technical assistance (120 for Military) and Phase 3 is $100,000. Those could be game changers.
Federal funding can go a long way in shoring up cybersecurity best practices for historically under-resourced electric utilities. I just wonder how much of the funding will be gobbled up by the ‘technical assistance’ companies and whether the utility will have a sustainable cybersecurity program.
We just had a hurricane come through a very rural part of the US in Florida. You may have seen the coverage of what is happening there and how the flood waters have inundated rural areas. This underscores how people in these areas are impacted but often not given a lot of media attention. These types of programs help these places where they are one of the most vulnerable, if not the most vulnerable to this type of attack. Not because they are a massive target but because they lack the basics of a security program due to their size alone.
This is a good idea as many smaller businesses struggle to justify extra expenditure for security. In many cases small businesses have an expectation when they purchase their IT infrastructure that it is secure and requires no additional investment, similar to buying a car and expecting not to have to pay extra for brakes or seatbelts. This initiative will help those small electric utilities that qualify to improve their security.
The problem is in part a culture in the industry that prefers the ability to respond quickly to routine changes in load or component failures to even essential and efficient cybersecurity controls. This culture is highly resistant to change.
Energy
American Made Challenges
Security Week
SC Magazine
Cyberscoop
An international law enforcement operation has taken down the Qakbot botnet infrastructure. Authorities also seized virtual currency worth nearly €8 million ($8.6 million). Analysis of the infrastructure indicated that Qakbot has infected more than 700,000 computers worldwide.
The operation was named "Duck Hunt" by the US DOJ and FBI, who obtained court orders after getting access to a control panel used to control the botnet, to seize the controlling servers and clear the infection from affected devices. Qakbot was implicated in 40 ransomware attacks, with about $58 million in losses over the past 18 months. Note that the uninstall was specific to Qakbot, and didn't uninstall any other malware: it is designed to prevent further installation of Qakbot and untether it from the botnet. Kudos to the FBI and DOJ for releasing the Qackin.
This has to be one of the best news stories for a long time. Well done to all those involved. Qakbot, while often classified as a banking trojan, is often used by ransomware gangs to gain access to victims’ networks. This takedown will have a significant impact on ransomware gangs.
Qakbot has been around for maybe a decade at this point, and it was proven very difficult to defend against. I’m happy this happened but it also tells us a story that a well-developed botnet can last for a long time.
A continuation of the strong efforts by international law enforcement against ransomware gangs. By targeting malware infrastructure, law enforcement officials impacted multiple ransomware gangs. 2023 continues to be the year of law enforcement action in protecting the global business community.
Great job! Kudos to all. Law enforcement is playing its role. The press release suggested that the recovered funds would be returned to victims to "make them whole." No victim of ransomware will ever be made whole by recovered payments or insurance.
Europol
SC Magazine
The Register
Krebs on Security
Justice
The US Transportation Security Administration (TSA) will take action to remedy several security issues in its critical systems that were identified by the Department of Homeland Security (DHS) Inspector General (IG). Among the actions TSA plans to take are implementing security measures to ensure that inactive accounts on one of its critical IT systems are deactivated within 45 days, updating directives to ensure patches are applied in a timely manner, and improving its cybersecurity awareness training.
The findings largely show a complete failure of configuration, change and vulnerability management, yet at a webinar in April the TSA CISO talked about TSA’s progress towards “Zero Trust.” Without trustable essential security controls in place, nothing added on top can be trustable – which is the wrong kind of zero trust.
We could argue about 45 days being too long or too short, but the more important point is are you disabling inactive accounts at all, let alone reviewing user lists regularly? Are you taking steps to keep these impactful systems as secure as possible, particularly if you're being told they are too important to disrupt? High Value Assets (HVA) have a unique set of criteria before being designated HVA. HVAs are critical systems but the reverse isn't always true. This designation includes added scrutiny, monitoring and reporting requirements, including account review, deactivation, patch management, vulnerability scanning, MFA, segmentation, encryption at rest and in transit. Irrespective of the HVA designation, these are relevant to all your systems.
In essence, the DHS IG report is saying the TSA has failed in its core responsibility to implement an effective cybersecurity program for its critical systems. A good place to start with such an implementation is the CIS Critical Security Controls, IG1 (commonly referred to as essential cyber hygiene).
We continue to be better at revoking pay of separated employees than revoking IT privileges.
A security flaw in the All-in-One WP Migration Extensions plugin for WordPress leaves websites vulnerable to unauthorized access token manipulation. The issue affects several extensions, including the Box, OneDrive, Google Drive, and Dropbox extensions. The plugin’s vendor, ServMask, released updates to address the vulnerability in July. The All-in-One WP Migration plugin has more than 5 million active installations.
The free version of the All-in-One plugin for migrating sites from one location to another is not affected, but the plugins (extensions) are. The migration plugin exports the site into a file you can then import/unpack on the new server; the extensions allow use of cloud services (Box, Google, OneDrive, etc.) for that file. Updates to the extensions were released on July 26; double check you're updated if you're still using them. If you're done migrating, you should disable then remove the plugin and extensions.
Patchstack
Security Week
Infosecurity Magazine
Bleeping Computer
The low, low cost of (committing) cybercrime
https://isc.sans.edu/diary/The+low+low+cost+of+committing+cybercrime/30176
Home Office/Small Business Hurricane Prep
https://isc.sans.edu/diary/Home+Office+Small+Business+Hurricane+Prep/30166
Survival Time for Web Sites
https://isc.sans.edu/diary/Survival+time+for+web+sites/30170
RocketMQ Vulnerability Exploited
ManageEngine Vulnerability
https://www.manageengine.com/security/advisory/CVE/CVE-2023-35785.html
Notepad++ Vulnerabilities
https://securitylab.github.com/advisories/GHSL-2023-092_Notepad__/
7-Zip Vulnerability
https://www.zerodayinitiative.com/advisories/ZDI-23-1164/
PDF/ActiveMime Polyglot Maldocs
https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html
https://blog.didierstevens.com/2023/08/29/quickpost-pdf-activemime-maldocs-yara-rule/
BGP Error Handling Issues
https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
Unpinnable Github Actions
https://www.paloaltonetworks.com/blog/prisma-cloud/unpinnable-actions-github-security/
Exploitation of Cisco ASA SSL VPNs
Splunk Vulnerabilities
https://advisory.splunk.com/advisories
Top Level Domain Issues