The Top CISO Stories From Around the Web: July

Preparing for the month ahead, we put together the most strategically elite, teamwork-oriented, and resilience-coded stories about CISOs and digital fitness. Whether it is weighing whether the risk of AI outweighs the reward or watching to see if a gymnast will land an extremely risky feat, our favorite leaders are sure to have a fantastic and critical month. Here are our top 6 CISO stories of July.

1. Olympics will increase exposure to cyber threats

Source: Intelligent CISO

Bashar Bashaireh is the Managing Director and Head of Middle East and Türkiye at Cloudflare. He explains how the complex, cloud-native system behind the Paris 2024 Summer Olympic Games, with billions of data items, will make securing the IT architecture challenging. 57% of Internet traffic is made up of API requests, an attack surface that often goes unattended.

Challenge 1: API Inventory Is Questionable

Based on actual traffic data, Cloudflare found that its customers lack visibility into their public API exposure. Machine learning and heuristics identified, on average, 30.7% of public APIs that organizations had not referenced themselves. (The story details the dual approach of Cloudflare's tool.)

Undetected APIs are a prime target because the security team cannot protect what it does not know exists. API documentation matters for exactly this reason.

Challenge 2: Beyond Inventory, Securing APIs Is Also Challenging

Rate limiting, a common practice, is not always the most effective control. APIs also remain vulnerable to SQL injection and DDoS attacks, and further risks come from authentication and authorization flaws.

Cloudflare recommends these security measures:

  1. Require authentication on all public APIs

  2. Maintain detailed rules to limit throughput

  3. Block abnormal volumes of sensitive data

  4. Prevent violations of valid API sequences
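As an added illustration (not code from the story or from Cloudflare), here is a toy gateway policy in Python that applies the four recommended measures to constructed requests; the endpoint names, limits and sensitive-field list are assumptions.

```python
# Added example, not from the story or Cloudflare's product: a toy API gateway
# policy applying the four recommended measures. Endpoint names, limits and the
# sensitive-field list are assumptions chosen for illustration.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

RATE_LIMIT = 3             # max requests per client within WINDOW seconds
WINDOW = 60.0
MAX_SENSITIVE_RECORDS = 5  # responses with more sensitive records are blocked
# Valid call ordering: an endpoint may only follow one of its listed predecessors.
VALID_PREDECESSORS = {"/cart/add": {"/login"}, "/checkout": {"/cart/add"}}
SENSITIVE_FIELDS = {"ssn", "card_number"}

_requests: Dict[str, Deque[float]] = defaultdict(deque)  # sliding window per client
_last_call: Dict[str, str] = {}                          # last endpoint per session


def check_request(client: str, session: str, path: str,
                  token: Optional[str], now: float) -> str:
    """Return 'allow' or the reason the gateway rejects the call."""
    # 1. Authentication on every public API call.
    if not token:
        return "deny: unauthenticated"
    # 2. Throughput rule: sliding window of request timestamps per client.
    window = _requests[client]
    while window and now - window[0] > WINDOW:
        window.popleft()
    if len(window) >= RATE_LIMIT:
        return "deny: rate limit"
    window.append(now)
    # 4. Enforce valid API sequences (e.g. no /checkout without /cart/add first).
    allowed_prev = VALID_PREDECESSORS.get(path)
    if allowed_prev is not None and _last_call.get(session) not in allowed_prev:
        return "deny: invalid sequence"
    _last_call[session] = path
    return "allow"


def check_response(records: List[dict]) -> str:
    """3. Block responses carrying an abnormal volume of sensitive data."""
    sensitive = sum(1 for r in records if SENSITIVE_FIELDS.intersection(r))
    if sensitive > MAX_SENSITIVE_RECORDS:
        return f"deny: {sensitive} sensitive records exceeds {MAX_SENSITIVE_RECORDS}"
    return "allow"
```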

Challenge 3: API Traffic Increases With Human Activity

All major events affect API traffic because general public use increases. Spectators, tourists, journalists and professionals all contribute to this phenomenon. The assumption that API traffic is purely machine-to-machine is outdated.

A holistic view is integral to preserving visibility and control over exposed resources. “...combining API protection with protection of all Internet exposures appears to be an essential prerequisite for the applications of companies involved in the Olympic Games, whether in the strict sense as partners or in the broader sense, such as players in the transport, tourism or hotel industries.”

2. Does the AI risk outweigh the AI reward? Cybersecurity leaders still aren’t sure.

Source: DIGIT NEWS

With a foot in both camps, AI has been strengthening threat actors and security professionals alike. According to a new report from Bugcrowd, security leaders are perplexed by this, especially when it comes to policy planning.

The “Inside the Mind of a CISO” report from Bugcrowd has 209 respondents. When discussing cyber threats in general, 89% report that there are more threats and that they are more serious. Consequently, and 88% confirm this, security roles are becoming harder, contributing to burnout and to the need for automation: 70% of the respondents plan to replace some of their security team with AI. This is because most of them (91%) believe that AI already does, or will soon, outperform team members.

Additionally, three-quarters report that AI threats are growing too fast for security teams to secure responsibly. And, despite all that automation is capable of, about half believe that the risks of AI threats outweigh its potential to aid security. The lack of a clear consensus (only “about half” agreed with this statement) further highlights the confusion CISOs and security leaders face when it comes to AI, but it also shows that there is still hope for the cybersecurity agenda. For example, many companies are utilizing AI for defense in crowdsourced testing (70%), pen testing (55%), and color teaming (36%).

3. 5 Key Questions CISOs Must Ask Themselves About Their Cybersecurity Strategy

Source: The Hacker News

The recent massive CDK ransomware attack affected car dealerships across the U.S., but the public did not treat it as a big deal because intense attacks have become routine news. In contrast to the public’s nonchalance, or perhaps partly because of it, businesses and leaders are nervous. They express this through their demands for answers and certainty about security from their CISOs. Additionally, CISOs are often disconnected from the board, leading to misunderstanding and bad decisions.

Concise information focused on business goals narrows the communication gap between the CISO and the board. No technical details are necessary.

Tips from the story:

Show how cybersecurity protects financial health and is a business enabler. 

Quantify risks. Use data beyond metrics.

Celebrate security achievements.

Collaborate and coordinate throughout the organization.

Prioritize what truly matters: high-impact initiatives!

“By framing cybersecurity as a business issue, CISOs can secure buy-in from the board for essential security investments.”

4. Can Health Systems Afford to Overlook the CISO Role?

Source: MedCity News

Cybersecurity threats to the healthcare system are constant and growing in number. Ann Arbor-based Michigan Medicine recently reported on its experience as a health system: about 500,000 hacking attempts were recorded each day! These potential events and real-world attacks are pushing health systems to prioritize the CISO role. According to Zach Durst, a consultant at leadership advisory firm WittKieffer, most health systems have a CISO or a leader who is responsible for information security. A recent WittKieffer survey found about 65% of healthcare information security executives to be at the vice president or senior vice president level.

Durst offered some insights into the CISO role. To be effective, “The modern CISO can’t hide behind their desk,” Durst said. “They have to be visible and capable of driving consensus across broad stakeholder groups.” Additionally, pouring more investment into cybersecurity matters less than thoughtfully investing the resources health systems already have; CISOs are pragmatic. Despite return on investment being hard to show, most organizations fully understand the value cybersecurity can bring to a health system.

5. Supreme Court Ruling Threatens the Framework of Cybersecurity Regulation

Source: Security Week

The Chevron Doctrine has been struck down by the US Supreme Court, and the determination and enforcement of cyber regulation in the US hangs in the balance. The resulting shift of regulatory enforcement from federal agencies to the judicial system takes interpretive power away from the agencies and hands it to the courts, which now exercise independent judgment.

The Chevron Doctrine established the system under which agency rules, intended to clarify and implement statutory intent, could be enforced by the agencies themselves. This change will have a major effect on the determination and enforcement of cyber regulation in the US. “This landmark decision from the US Supreme Court will likely have tectonic and long-lasting consequences for administrative rulemaking in the US,” comments Ilia Kolochenko, attorney-at-law with Platt Law LLP and CEO at Immuniweb. Courts will no longer defer to an agency’s interpretation. This will lead to more appeals and a pattern of well-funded companies treating US regulations “in the same way they treat EU regulations: masses of paperwork, dozens of lawyers, and appeal after appeal.”

Rules and regulations may be invalidated by the courts. This can be good, because it forces Congress to write better-defined legislation. It could also slow the implementation of necessary measures, leaving gaps for hackers. With rules written by politicians, interpreted by judges and driven by SCOTUS, none of them technology experts, this development can be viewed as slightly concerning.

6. The Sweeping Danger of the AT&T Phone Records Breach

Source: Wired

AT&T announced a breach of records of “nearly all” its customers. About 110 million were affected.

In a US Securities and Exchange Commission filing (#the_new_SEC_cyber_disclosure_rules_at_work!!!), AT&T reported that it learned of the data breach on April 19. The data was stolen between April 14 and April 25. The US Justice Department twice authorized a delayed disclosure, on May 9 and June 5, pending investigation.

“...essentially call data records. These are a gold mine in intelligence analysis because they allow someone to understand networks—who is talking to whom and when. And threat actors have data from previous compromises to map phone numbers to identities. But even without identifying data for a phone number, closed networks—where numbers only communicate with others in the same network—are almost always interesting.”

The latest in a string of data thefts resulting from attackers compromising organizations’ Snowflake cloud accounts, the stolen data includes phone numbers and “metadata” about calls and texts (who contacted whom, call durations, and a customer’s total calls and texts).

This breach also exposed people who have no relationship with AT&T, if they communicated with an AT&T customer during this period. The Google-owned cybersecurity firm Mandiant said in June that a hacking group tracked as UNC5537 is responsible.

AT&T does not believe the data is publicly available. The US Cybersecurity and Infrastructure Security Agency released an alert about the situation on Friday. Few victims have identified themselves, yet the hackers are advertising, and demanding ransoms for, data from the breached Snowflake accounts.
