Cybersecurity (IT, OT, AI/LLMS, Open source) Insights from Q1 2024

[Securing Things by M. Yousuf Faisal]

Disclaimer: All views presented here, in this newsletter, are my own.

Author or the newsletter are not liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and or situation.

M. Yousuf Faisal

Table of Contents

Hi Securing Things Community,

Hope all had a good start and having even a greater finish to Q1 2024 in style. Stepping into Q2 2024, I am excited to present the second newsletter of the year.

Before we begin, do me a favor and make sure you hit the “Subscribe” button to let me know that you care and keep me motivated to publish more. Thanks!

Special Message to Existing Newsletter Subscribers:

To all subscribed & verified (approx. 63%) and filled short survey form - I’d like to sincerely thank you for your time and interest. What was commonly requested can be summarized or grouped in 3 categories:

  • IT/OT Cybersecurity (smart factory/home/city, Strategy, Architecture, Pen-test to SOC and incident response)

  • Cyber Threats & Trends (Emerging threats, technology, & technologies)

  • AI related risks, regulations and threats.

For the rest of 37% subscribers who have not validated their email addresses - do verify your email at your earliest convenience to avoid missing out future newsletter post not reaching your mailbox (make sure to whitelist the email address to get timely notification).

As a thank you; for this newsletter edition we’ll be covering some elements of the above 3 requests type to confirm that i’ve read each of the responses.

  1. Cybersecurity (IT, OT, AI/LLMS, Open source) Insights from Q1 2024

  2. Insights from my recent engagements and posts.

For upcoming newsletter edition Poll:

Poll - Next Newsletter Topic

What's the next newsletter topic you'd like to see? Choose one

Login or Subscribe to participate in polls.

Cybersecurity Insights from Q1 2024

Personal Security & Hygiene

Cybersecurity starts from best practices for personal cyber hygiene. Australian Cybersecurity Center (ACSC) released a “Personal Security Guides” for protecting - yourself, family, kids and seniors. Guides are divided into first steps, next steps and advance steps to take digital citizens through a progressive pathway in securing their and their families digital lives.

Cyber Incidents, Ransomware Attacks & Data breaches

Just like 2022, 2023 was no short of news related to ransomware attacks and data breaches with millions of records stolen or leaked from all over the world.

Here’s a link to website that maintains the list of World's Biggest Data Breaches & Hacks.

  • Probably the biggest news this quarter for open source software security is the Xz Backdoor. Taken the OSS community by surprise and detected this coincidently by AndresFreundTec: "I was doing some micro-benchma…" - Mastodon. To follow the story and read in more details go here and here.

  • CISA released advisory on Zeek - Network Security Monitoring Tool with two critical and one high-severity vulnerabilities impacting Ethercat plugin. With 10K deployments worldwide per Zeek’s website, could expose networks and threat actors could leverage these vulnerabilities in attacks aimed at CII IT and OT environments.

  • Dragos identified three new OT Threat Groups:

    • VOLTZITE (targets electric power generation, transmission and distribution and has been observed targeting research, technology, defense industrial bases, satellite services, telecommunications, and educational organizations),

    • GANANITE (targets critical infrastructure and government entities in the Commonwealth of Independent States and Central Asian nations), and

    • LAURIONITE (targets and exploits Oracle E-Business Suite iSupplier web services and assets across aviation, automotive, and manufacturing industries).

  • Microsoft announced in Jan 2024, that they have been a victim of a password spray attack.

  • List of significant cyber incidents provided by CSIS.

  • Crowdstrike Global Threat Report 2024 - present some interesting insights on how adversaries are operating with unprecedented stealth and speed using living of the land attack techniques using legitimate tools, bypassing existing and legacy cybersecurity detection solutions. Combining generative AI, attackers are executing a well crafted playbook using social engineering and interactive intrusion campaigns, and attacking cloud identities and vulnerabilities and identities to exploit weaknesses.

  • Blog posts by Neil C Hughes - Biggest Data Breaches And Cyber Hacks of 2023 And 2024 and 10 Biggest Cyber Espionage Cases: Undercover Campaigns of the Last 12 Months are both an interesting read and good for stats.

Q1 2024, continued to see a number of layoffs, tech moves and several mergers & acquisitions, continued skills shortage, and more. Interested in knowing what happened in cybersec industry in 2023 - check-out:

  1. 2024 Cisco Cybersecurity Readiness Index, by Cisco suggests that five pillars of cybersecurity readiness that are most relevant to securing today’s organizations are Identity Intelligence, Network Resilience, Machine Trustworthiness, Cloud Reinforcement, and Artificial Intelligence (AI) Fortification.

  2. Gartner Identifies the Top Cybersecurity Trends for 2024 to be:

    • Generative AI,

    • Cybersecurity Outcome-Driven Metrics-Bridging Boardroom Communication Gap,

    • Security Behavior and Culture Programs Gain Increasing Traction to Reduce Human Risks,

    • Resilience-Driven, Resource-Efficient Third-Party Cybersecurity Risk Management,

    • Continuous Threat Exposure Management Programs Gain Momentum, and

    • Extending the Role of Identity & Access Management (IAM) to Improve Cybersecurity Outcomes.

  3. Gartner Unveils Top Eight Cybersecurity Predictions for 2024, with some bold predictions e.g., by 2028, the adoption of GenAI will collapse the skills gap, removing the need for specialized education from 50% of entry-level cybersecurity positions.

What was your best reads? type in comments below.

Guidance, Standards & Regulations - Notable Updates!

2024 also saw governments globally, announcing new laws, regulations around critical infrastructure. Similarly, several new cybersecurity industry best practices guidelines, and standards were published. Below is a just a sample list (in no particular order / classification):

  • NSA Releases Maturity Guidance for the Zero Trust Network and Environment Pillar and emphasis data flow mapping, macro-segmentation, mico-segmentation and software defined networks (SDN) as four network and environmental networking capabilities.

  • Members of European Parliament (MEP) has taken a significant step forward in the adoption of the 𝐂𝐲𝐛𝐞𝐫 𝐑𝐞𝐬𝐢𝐥𝐢𝐞𝐧𝐜𝐞 𝐀𝐜𝐭 #CRA, and is now moving to the Council for formal adoption. It aims to ensure that products with digital features are secure to use, resilient against cyber threats and provide enough information about their security properties.

  • UK NSCS released OT guidance for Cloud-Hosted SCADA, as per the growing trends to highlight benefits and challenges and help organizations make risk-based decisions before moving OT services to Cloud.

  • Governing Through a Cyber Crisis - Cyber Incident Response and Recovery for Australian Directors provides valuable guidance for those responsible for IR.

  • Amendments to Singapore CSA Act 2018 issued draft bill on 15th Dec 2023 and concluded the amendments on 15th Jan 2024. CCOP v2 and upcoming enforcement deadlines from Singapore CSA.

  • SOCI legislations and CIRMP guidelines for critical infrastructure from CISC Australia. Key deadlines for 2024 are:

    • 30 June and 28 September 2024 - the first board-approved annual CIRMP report is due (must be submitted within 90 days after the end of the financial year).

    • 18 AUGUST 2024 - Annual CIRMP review and commencement of the cyber security component of the CIRMP Rules against a recognised framework (ISO27001, AESCSF, NIST, E8, or equivalent)

  • The NIS2 Directive: A EU-wide legislation on cybersecurity, with specific aim was to achieve a high common level of cybersecurity across the member states with deadline of 17 October 2024, after which member states have to transpose NIS2 into National Legislative System. ENISA published guidance and a visual NIS Directive tool. NCSC also released a good quick reference guide for NIS2.

  • PCI DSS v 4.0 will be the only option as PCI DSS v 3.2.1 retires on 31st March 2024. Many organization may not be adequately prepared.

What other important regulations you’ve seen in 2023? comment below.

Artificial Intelligence (AI), Guidance & Regulations

In Q1 2024, generative AI or LLMs offerings have had explosive expansion globally and remains undoubtedly the most talked about topic. And we all are baffled with the accelerated growth for generative AI based softwares or platforms for text-to-text/images/docs/presentations/voice/videos/software code and their usage steadily increasing in all walks of life with several new businesses entirely built upon (and or exclusively for) Generative AI or LLMs or chatbots.

Besides the previously shared important Cybersecurity & AI risk insights; I came across some great reads, listed below:

2. Insights from My Recent Engagements:

In IT Cybersecurity

Got to do a security cyber hygiene review and apply fixes for an SMB hybrid (IT & Cloud) environment, with some bespoke cybersecurity concerns in terms of their current cyber risk state (unknown) on a tight budget. Part of the review was to help them secure their day-to-day operations within a week’s time. Here’s a quick summary of the approach I took for reviewing and applying fixes to improve their current state (note: this was not a vulnerability assessment, pen-test, security assessment and or standards based review exercise per say):

  • People

    • Identify - global admins, admins, users and contractors.

    • Removing unnecessary access privileges for key staff.

    • Enrolling staff on STL’s Security Awareness Training & Phishing Simulation platform.

  • Processes

    • On-boarding / Off-boarding staff and contractors.

    • NDA and Policy acceptance or sign-off.

    • Data Retention policies.

  • Technology 

    • OSINT (basic search)

    • Fix settings for DNS, Email and Web:

      • DNS security - buy/enable additional domain protection services e.g. DNSSec from DNS registrar.

      • Email security - enabling DKIM, SPF & DMARC.

    • Enabled MFA for all staff and contractors with resource access.

    • Endpoint protection configuration review - enabling missing policies around firewall, ransomware protection, HIPS, USB controls and other controls.

    • Enable Wireless Access Control, WPA3 and other console access restrictions on routing/firewall devices. Disabling

    • MS 365 configuration review - identifying wrong licensing and changing the licensing for key staff, with controlled access and configuring basic policies in Entra ID and InTune, around device and conditional access control. Improve Microsoft security scores using built-in compliance purview. Refer to CISA guidelines and tools, CIS benchmarks and or MS 365 purview - also go through each service admin portal and enable minimum best practice requirements e.g. audit logging, timeouts, etc..

    • Workaround for backups from MS 365.

  • Suggested remaining controls to be put in place (e.g. IR table-top exercise with their insurer, Cloud backup etc.) in next sprint - when there’s budget in place.

Anything I missed that was critical - thoughts?

In OT Cybersecurity

Got to provide some consulting on a couple of small engagements e.g. to a CI owner and an asset owner (global manufacturer) on approach for planning an OT Security review of greenfield System under Consideration (SuC), OT security awareness recommendations and OT Security Solutions evaluation and selection and also got to work on a sample IT & OT cybersecurity strategy presentation besides few RFP responses (yeah who likes RFPs) and proposals via trusted partners (thanks for the opportunity - you know who you are).

Suggested a 3 step process for evaluating OT Anomaly detection solutions as below and checkout my earlier LinkedIn post here.

STL’s approach to Vendor Evaluation

See my previous week post on OT Cybersecurity Management System here - OT CSMS and OT security awareness as critical part of the overall CSMS. Checkout #CySEAT teaser intro below.

Please DM or reach out to me if you are an asset owner and interested to participate in the discounted beta offer coming soon. Or know any asset owners that may be planning (starting or struggling with) OT Cybersecurity program journey and or simply looking to uplift staff skills sets?, without breaking the budget, please share this post, it’ll be of an enormous help. . 

Ideal candidates for CySEAT training program are practitioners both from IT/ICT Team (CISO/CIO/CDO orgs) and OT/ICS production or plant teams (industrial IT, engineering, operations etc.) that are responsible for building, managing and or part of executing OT cybersecurity program activities designed to improve OT/ICS cybersecurity hygiene for SMB/SME asset owners.

Status: As of writing this, the beta version of CySEAT is 75% ready, slides for 1st modules are ready and recording will begin in the coming week. If you want to engage in live workshop session in May onwar(discounted fee apply) please feel free to reach out via DM on LinkedIn and or on below address.

info[@]securingthings[.]com

Had other interesting professional discussions around OT Cybersecurity in railway and airport sector and a couple of OT security solution providers (more on this in future edition).

If you are just starting out in OT Cybersecurity journey checkout - OT Cybersecurity Best Practices Requirements Specification OTCBPRS Toolkit with limited free IT & OT CySEAT (launch offer only).

- Security Awareness Training✅ (Free, Lite and Pro offerings)

- Awareness Material Posters✅ (free added value as subscriber)

- Phishing Simulation✅ (part of pro offerings, not included in free/Lite)

- Security Policy Templates✅(free added value as subscriber)

- Cyber Health Checks/Reviews✅(free added value as subscriber). Get a free health check.

My Ask

I invite #Securing Things community to share their insights, feedback, and wish list for the year on:

  • any industry specific pain points & potential resolutions of keen interest?

  • what did you like about this and or previous edition?

  • what could be improved?

  • what you’d like to see in future editions?

Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer digital future. Thank you for your trust and continued support.

Here's to Securing Things in 2024! Take care and Best Regards,

M. Yousuf Faisal (Founder Securing Things).

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Follow: #securingthings on linkedin and or @securingthings on X/Twitter.

#securingthings #itotstrategy #otsecuritydozen #cybersecuritystrategy #digitaltransformation #ot #ics #otsecurity #otsecuritydozen #otcybersecurity  #icssecurity #isa #icscybersecurity #securedigitaltransformation #iiot #operationaltechnology #industry40 #iec62443 #criticalinfrastructure #NIST #ISO #criticalinfrastructureprotection  #criticalinformationinfrastructure #sgcii  #securityawareness  #otsecurityawareness #icssecurityawareness #otstrategy  #icscybersecurityprogram #otcybersecurityprogram #manufacturing  #industrialcontrolsystems #industrialautomation #strategypresentation #security

How do you stay up-to-date with the insane pace of AI? Join The Rundown – the world’s fastest-growing AI newsletter with over 500,000+ readers learning how to become more productive using AI every morning.

1. Our team spends all day researching and talking with industry experts.

2. We send you updates on the latest AI news and how to apply it in 5 minutes a day.

3. You learn how to become 2x more productive by leveraging AI.

The Newsletter Platform Built for Growth

When starting a newsletter, there are plenty of choices. But there’s only one publishing tool built to help you grow your publications as quickly and sustainably as possible.

Beehiiv was founded by some of the earliest employees of the Morning Brew, and they know what it takes to grow a newsletter from zero to millions.

The all-in-one publishing suite comes with built-in growth tools, customization, and best-in-class analytics that actually move the needle - all in an easy-to-use interface.

Not to mention—responsive audience polls, a custom referral program, SEO-optimized webpage’s, and so much more.

If you’ve considered starting a newsletter, there’s no better place to get started and no better time than now.

Reply

or to participate.