Air Force DCIO: Modernizing is ‘Biggest Thing’ to Improve Cybersecurity

Source: www.meritalk.com.

Many Federal agencies are looking to use AI as a key cybersecurity tool, but before agencies get too far ahead of themselves, U.S. Air Force Deputy Chief Information Officer (DCIO) Winston Beauchamp said on Tuesday that the number one thing agencies can do to improve their cybersecurity posture is to modernize their IT architecture.

“I continue to say that the single biggest thing we can do to improve our cybersecurity is modernize our architecture, get rid of our tech debt,” Beauchamp said at the Google Public Sector Summit, presented by Scoop News Group, on Oct. 17. “Because our decrepit, older systems that are out of service by the vendors that built them can’t provide the cybersecurity that we need to survive in today’s environment.”

The deputy CIO said that cybersecurity and AI have something in common, which is that they are both “strapped on after the fact” to legacy systems. This means that cybersecurity and AI capabilities are “really limited” by their infrastructure and the data they have access to, he explained.

However, Beauchamp said that “another thing that they both have in common is that both cybersecurity and artificial intelligence are baked in.” According to Beauchamp, these capabilities are baked into the tools, infrastructure, and basic internet appliances that we use to modernize our networks.

For this reason, he said that “modernizing is number one,” when it comes to improving agencies’ cybersecurity.

“When you modernize, you bring in capabilities that for cybersecurity and artificial intelligence that are baked in, they’re inherent to what you’re delivering,” Beauchamp said. “So, we’re very optimistic about what that future brings.”

“And then the nice thing about it is from an infrastructure perspective, we don’t have to think about designing it. It comes out of the box,” he added. “We’ll tailor it, and we’ll customize it for the mission.”

Nevertheless, Beauchamp said that AI also needs to be on the list of cybersecurity to-dos in order to keep up with our adversaries, who are using AI to tailor their attacks to “basically work around our signature management approach.”

“They can do so at speed faster than we can update our signatures, so we have to run faster,” he said. “And that means using AI to try a different approach other than signature management … I think there’s going to be a ‘guns versus armor’ back and forth for some time on AI’s use in cybersecurity, and we just have to be better and faster than our adversaries.”


CISA Releases New Identity and Access Management Guidance

Source: www.securityweek.com.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released new guidance on how federal agencies can integrate identity and access management (IDAM) capabilities into their identity, credential, and access management (ICAM) architectures.

The new document (PDF) was released as part of CISA’s Continuous Diagnostics and Mitigation (CDM) program, which provides information security continuous monitoring (ISCM) capabilities to help federal agencies improve the security of their networks.

“There is no singular, authoritative, recognized way to architect an ICAM capability across an enterprise, which results in many U.S. government agencies approaching this from different directions with different priorities. Compounding this issue, agency Identity Management maturities vary, especially those related to tool expertise and ICAM-related policies, which may complicate the ongoing CDM integration efforts and lead to incomplete or ineffective ICAM deployments,” CISA notes.

To address this issue, CISA’s new guidance clarifies the CDM program’s IDAM scope, CDM IDAM capabilities, and federal agencies’ ICAM practice areas, and provides a CDM ICAM reference architecture that can be used to deploy a robust and effective ICAM capability with CDM functionality, the agency explains.

CDM IDAM capabilities, CISA notes, include sub-capabilities for privileged access management (PAM), identity lifecycle management (ILM), and mobile identity management (MIM). Non-person entities (NPE) and other non-PKI authenticators are also included, under manage credentials and authentication (CRED).

PAM focuses on the management of privileged human and non-person entities and includes tools for ensuring strong authentication; ILM focuses on the lifecycle management of user identity and associated privileges; and MIM focuses on securing the use of mobile devices.

The CDM ICAM reference architecture, which also includes federation services (this includes additional service endpoints, the identity provider, and the service provider), is also meant to help agencies enable Zero Trust Architecture (ZTA).

The new guidance also details a notional CDM ICAM physical architecture, provides an overview of challenges that CDM ICAM faces, describes how ICAM use cases are implemented in ICAM services and components, and provides a series of recommendations for federal agencies to advance the development of the Identity Pillar of a ZTA.

Federal agencies are encouraged to review CISA’s new guidance and use it for implementing ICAM capabilities.

Can Federal Agencies Meet the 2024 Zero Trust Deadline?

Source: www.federalnewsnetwork.com.

In the realm of federal cybersecurity, change is both inevitable and necessary. The urgency of President Biden’s 2021 Executive Order to implement a zero trust architecture by September 2024 has set the stage for a pivotal transformation. Yet, as the deadline draws near, it’s apparent that while the directive’s intent is clear, the path to its realization is fraught with complexity and challenges.

The zero trust paradigm is a response to escalating threats faced by our nation’s digital infrastructure. However, translating this strategic vision into tangible operational realities is proving to be a formidable challenge. While agency directors and IT leaders alike are championing the cause, the reality is that those responsible for building and maintaining these systems are wrestling with difficult, multifaceted issues and progress is moving slower than anticipated.

That raises an important question: Is the September 2024 deadline still feasible?

In theory, the time frame appears adequate. Yet, it’s crucial to acknowledge the intricate dynamics that arise when integrating a zero trust framework into pre-existing federal IT systems. Federal agencies often operate on a massive scale and their networks have evolved over time, resulting in layers of legacy architecture and technical debt. As these agencies seek to transition to a zero trust architecture, they are confronted with the monumental task of reconfiguring their digital foundations while simultaneously ensuring seamless operations.

Data governance is another central challenge that demands attention. Federal agencies handle an extraordinary volume of sensitive information and establishing a comprehensive data governance framework is paramount. The zero trust model necessitates granular visibility into data flows, user behaviors and system interactions. Achieving this level of visibility requires not only the implementation of sophisticated tools but also a cultural shift in how data is managed and accessed.

The journey to zero trust is further impeded by operational hurdles that are characteristic of large-scale enterprises. The federal landscape encompasses a diverse array of systems, applications and endpoints, all of which need to be evaluated and aligned with the zero trust framework. Legacy systems may lack native support for the security measures mandated by zero trust, requiring complex workarounds or even complete overhauls.

Despite these challenges, it is still possible to meet the 2024 deadline. Here are some best practices that agencies can use to help their teams accelerate the path to zero trust:

  • Secure leadership’s commitment. While senior agency leadership is usually aware of zero trust’s importance, they may not always understand the breadth and depth of IT capabilities required to implement it. That’s why agency leaders must take ownership of assessing and prioritizing the investments required to address IT and security gaps.
  • Get identity management right. While zero trust depends on executing prescribed security practices on multiple dimensions, agency leaders must ensure IT departments have the necessary resources to focus on user identity and access management. Identity is applied to networking, devices, data access, workloads and automation. As a result, getting identity right is foundational to the rest of the zero trust pillars.
  • Modernize data governance. A strong data governance strategy is at the heart of zero trust. Now is the time to invest in data classification, encryption and access controls, while ensuring that data handling policies are well-communicated and consistently enforced.
  • Embrace incremental progress. Achieving zero trust won’t happen overnight. Federal agencies should adopt an incremental approach, focusing on securing critical assets and expanding the scope. This allows for measured implementation, minimizes disruptions, and ensures that security improvements are continuous.
  • Prioritize training and education throughout the entire agency. Zero trust isn’t just a journey for security teams. It’s a journey for an entire federal agency and its implementation affects everyone. That’s why leaders must recognize the importance of allocating resources for training and education throughout the entire agency.

The journey to zero trust is undoubtedly complex, but with the right strategies in place it’s one that federal agencies can navigate successfully. While the September 2024 deadline remains a challenge, it can serve as a catalyst for lasting cybersecurity resilience. By acknowledging the unique intricacies of federal agencies and their respective systems, understanding the challenges they face, and implementing thoughtful solutions, agencies can meet the 2024 zero trust deadline and pave the way toward a more secure digital future.

Artificial Intelligence: DOD Needs Department-Wide Guidance to Inform Acquisitions

Source: www.gao.gov.

The Department of Defense is developing artificial intelligence capabilities—computer systems that can do tasks that normally require human intellect.

The private sector has been acquiring AI for years. Thirteen private companies told us about their AI acquisition practices. For example, some companies mentioned the importance of considering intellectual property and data rights when negotiating contracts for AI projects.

Although parts of DOD are already using AI, DOD hasn’t issued department-wide AI acquisitions guidance needed to ensure consistency. We recommended it develop such guidance—considering private company practices as appropriate.

What GAO Found

The Department of Defense (DOD) designated artificial intelligence (AI) a top modernization area and is allocating considerable spending to develop AI tools and capabilities. AI refers to computer systems designed to replicate a range of human functions and continually get better at their assigned tasks. DOD AI capabilities could be used in various ways, for example in identifying potential threats or targets on the battlefield.

GAO obtained information from 13 private sector companies about how they successfully acquire AI capabilities. Elements of these categories, shown below, are also reflected in GAO’s June 2021 AI Accountability Framework report (GAO-21-519SP).

Categories of Factors Selected Companies Reported Considering When Acquiring Artificial Intelligence Capabilities

Although numerous entities across DOD are acquiring, developing, or already using AI, DOD has not issued department-wide guidance for how its components should approach acquiring AI. DOD is in the process of planning to develop such guidance, but it has not defined concrete plans and has no timeline to do so. The military services also lack AI acquisition-specific guidance, though military officials noted that such guidance would be helpful to navigate the AI acquisition process. Without department-wide and tailored service-level guidance, DOD is missing an opportunity to ensure that it is consistently acquiring AI capabilities in a manner that accounts for the unique challenges associated with AI.

Various DOD components and military services have individually developed or plan to develop their own informal AI acquisition resources. Some of these resources reflect key factors identified by private companies for AI acquisition. For example, DOD’s Chief Digital and AI Officer oversees an AI marketplace known as Tradewind, which is designed to expedite the procurement of AI capabilities. Several Tradewind resources emphasize the need to consider intellectual property and data rights concerns when negotiating contracts for AI capabilities, a key factor identified by the companies GAO interviewed.

Why GAO Did This Study

DOD has begun to pursue increasingly advanced AI capabilities. DOD has historically struggled to acquire weapon systems software, and AI acquisitions pose additional challenges. In February 2022, GAO described the status of DOD’s efforts to develop and acquire AI for weapon systems.

Senate Report 116-236 accompanying the National Defense Authorization Act for Fiscal Year 2021 includes a provision for GAO to review DOD’s AI acquisition efforts. This is the second report in response to that provision. This report examines (1) key factors that selected private companies reported considering when acquiring AI capabilities, and (2) the extent to which DOD has department-wide AI acquisition guidance and how, if at all, this guidance reflects key factors identified by private sector companies.

GAO analyzed information provided by 13 private companies with expertise in designing, developing, and deploying AI systems in various sectors to determine the key factors. GAO also analyzed DOD documentation and compared it with the key factors, and interviewed DOD officials.

Recommendations

GAO is making four recommendations for DOD and the three military departments to develop guidance on acquiring AI capabilities, leveraging private company factors as appropriate. DOD concurred with the recommendations.

Recommendations for Executive Action

Agency affected: Department of Defense
Recommendation 1: The Secretary of Defense should ensure that the Chief Digital and AI Officer, in conjunction with other DOD acquisition policy offices as appropriate, prioritize establishing department-wide AI acquisition guidance, including leveraging key private company factors, as appropriate.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: Department of the Army
Recommendation 2: After DOD issues department-wide AI acquisition guidance, the Secretary of the Army should establish service-specific AI acquisition guidance that includes oversight processes and clear goals for these acquisitions, and leverages key private company factors, as appropriate.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: Department of the Navy
Recommendation 3: After DOD issues department-wide AI acquisition guidance, the Secretary of the Navy should establish service-specific AI acquisition guidance that includes oversight processes and clear goals for these acquisitions, and leverages key private company factors, as appropriate.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: Department of the Air Force
Recommendation 4: After DOD issues department-wide AI acquisition guidance, the Secretary of the Air Force should establish service-specific AI acquisition guidance that includes oversight processes and clear goals for these acquisitions, and leverages key private company factors, as appropriate.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.


Major Cyber Attack Could Cost the World $3.5 Trillion - Lloyd’s of London

Source: www.reuters.com.

LONDON, Oct 18 (Reuters) – A major cyber attack on a financial services payments system could lead to global losses of $3.5 trillion, with much of it not covered by insurance, commercial insurance market Lloyd’s of London (SOLYD.UL) said on Wednesday.

The United States would suffer losses of $1.1 trillion over a five-year period from such an attack, which would cause widespread disruption to global business, according to a systemic risk scenario developed by Lloyd’s and the Cambridge Centre for Risk Studies.

China would face $470 billion in losses and Japan $200 billion over the same period, Lloyd’s said.

“The global interconnectedness of cyber means it is too substantial a risk for one sector to face alone and therefore we must continue to share knowledge, expertise and innovative ideas across government, industry and the insurance market to ensure we build society’s resilience against the potential scale of this risk,” Lloyd’s chairman Bruce Carnegie-Brown said.

Cyber insurance saw over $9 billion in gross written premiums in 2022 and is forecast to grow to $13 billion to $25 billion by 2025, Lloyd’s said.

Concern about the cost of such insurance and whether it will provide cover in the case of war are deterring some potential customers, brokers say.

Over 20% of the world’s cyber premium is placed in the Lloyd’s market, Lloyd’s said.

Major cyber insurers Beazley (BEZG.L) and Hiscox (HSX.L) are among more than 50 insurance companies in the Lloyd’s market.


U.S. Government Issues Stark Warning, Calling Firmware Security a ‘Single Point of Failure’

Source: www.securityweek.com.

The U.S. government, at the very highest levels, is calling attention to major weaknesses in the firmware supply chain, warning that the layer below the operating system is fertile ground for devastating hacker attacks.

A new joint draft report issued by leadership of the U.S. Department of Homeland Security (DHS) and Department of Commerce said firmware presented “a large and ever-expanding attack surface” for malicious hackers to subvert the core of modern computing.

“Securing the firmware layer is often overlooked, but it is a single point of failure in devices and is one of the stealthiest methods in which an attacker can compromise devices at scale.”

“Attackers can subvert OS and hypervisor visibility and bypass most security systems, hide, and persist in networks and devices for extended periods of time while conducting attack operations, and inflict irrevocable damage,” the two agencies said following a one-year assessment of the supply chains for critical IT infrastructure deployed in the United States.

“Firmware can also be a lucrative target with a relatively low cost of attack. Over the past few years, hackers have increasingly targeted firmware to launch devastating attacks.”

The 96-page report (PDF), published to support the Biden Executive Order on securing America’s supply chains, warned that firmware’s privileged position in the computing stack gives stealthy attackers a major advantage.

Despite its essential role in electronic devices, the agencies insisted that firmware security “has not traditionally been a high priority for manufacturers or users and is not always well protected.” 

During the assessment, the agencies found that firmware on items such as network cards, Wi-Fi adapters, and USB hubs is often not properly signed with a public/private key pair.

“These devices have no way to verify that the operating firmware is authentic and can be trusted.”
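To show concretely what the report says these devices lack, here is an added example (not code from the report, the agencies, or the article) of a device-side verifier for a constructed, hypothetical signed firmware image format: it checks the image structure, verifies an Ed25519 signature under a vendor public key assumed to be embedded in the device, and rejects version rollback. The image layout, field names and key handling are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (hypothetical, not any vendor's real format):
//   magic (4) | version (uint32 LE) | payload length (uint32 LE) | payload | Ed25519 signature (64)
// The signature covers every byte before it, so version and payload cannot be swapped independently.
var magic = []byte("FWIM")

const (
	hdrLen = 4 + 4 + 4
	SigLen = ed25519.SignatureSize
)

var (
	ErrTooShort  = errors.New("image too short to contain header and signature")
	ErrBadMagic  = errors.New("bad magic")
	ErrBadLength = errors.New("payload length field does not match image size")
	ErrBadSig    = errors.New("signature verification failed")
	ErrRollback  = errors.New("image version is older than installed firmware")
)

// GenerateVendorKey models the vendor's signing key pair; only the public half lives on the device.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage is the vendor-side step: serialize header and payload, then sign them.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.Write(magic)
	binary.Write(&buf, binary.LittleEndian, version)
	binary.Write(&buf, binary.LittleEndian, uint32(len(payload)))
	buf.Write(payload)
	sig := ed25519.Sign(priv, buf.Bytes())
	return append(buf.Bytes(), sig...)
}

// VerifyImage is the device-side step an update routine should run before flashing:
// structural checks, signature check under the embedded vendor key, then anti-rollback.
func VerifyImage(pub ed25519.PublicKey, installedVersion uint32, img []byte) (uint32, []byte, error) {
	if len(img) < hdrLen+SigLen {
		return 0, nil, ErrTooShort
	}
	if !bytes.Equal(img[:4], magic) {
		return 0, nil, ErrBadMagic
	}
	plen := binary.LittleEndian.Uint32(img[8:12])
	if int(plen) != len(img)-hdrLen-SigLen {
		return 0, nil, ErrBadLength
	}
	signed, sig := img[:len(img)-SigLen], img[len(img)-SigLen:]
	// Nothing beyond what locates the signature is trusted until the signature checks out.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	version := binary.LittleEndian.Uint32(img[4:8])
	if version < installedVersion {
		return 0, nil, ErrRollback
	}
	return version, img[hdrLen : hdrLen+int(plen)], nil
}

func main() {
	pub, priv := GenerateVendorKey()
	img := BuildImage(priv, 2, []byte("constructed firmware payload"))
	v, _, err := VerifyImage(pub, 1, img)
	fmt.Println("genuine image:", v, err)
	tampered := append([]byte(nil), img...)
	tampered[hdrLen] ^= 0xFF // flip one payload bit
	_, _, err = VerifyImage(pub, 1, tampered)
	fmt.Println("tampered image:", err)
}
```

A device that skips the signature check accepts the tampered image and an image signed by anyone; the verifier above rejects both, which is the capability the report finds missing on many peripherals.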

Even worse, the agencies called special attention to the fact that OEMs and computer makers outsource firmware development to third party suppliers. “[This] introduces risks related to the lack of transparency into suppliers’ programming and cybersecurity standards.”

The government’s warning comes as threat hunters spot signs that nation-state APT actors are using UEFI firmware implants to maintain stealthy infections and survive reboots and OS reinstallations. The notorious FinSpy surveillance spyware toolkit was also fitted with a bootkit to conduct stealthy infections.

In the report, the agencies also warned of “complex supply chains” that compound the problems securing firmware deployments.

“In PC production, for example, the OEMs are typically responsible for firmware and the rest of the PC platform elements. However, many OEMs outsource firmware development to third-party suppliers where OEMs may not have visibility into their cybersecurity hygiene. Even if OEMs establish security standards, they may not be able to enforce supplier security protocols across a wide range of components and sub-suppliers,” the government agencies warned.

The report also noted that individual OEM vendors may modify the firmware based on device needs once the firmware has been delivered to the OEM. “This can lead to confusion about what party is ultimately responsible for firmware integrity and who is to supply customer updates.” 

“In addition, as devices and firmware change, OEMs often contract with different firmware developers, which can lead to delays or a lack of any update when older devices require updating and the original developer is not available. All of these factors can leave firmware open to malicious attacks,” the report said.

The agencies also called attention to the pain-point of applying firmware updates. “A firmware’s update process and capability vary by device. Some devices receive regular firmware updates. Some may only receive one update over their lifetimes, while others may never receive an update.”

Even worse, the process to install firmware updates is not simple, leading to skipped patches for critical-level vulnerabilities. 

“Firmware updates present a major logistical challenge for many enterprises,” the agencies said. “In many instances, device firmware is never updated or may only be updated in an emergency. In addition, vendors may only supply firmware updates if driven by an incident or identified vulnerability.”


Why Personal Cyber Coverage is Becoming a Must-Have

Source: www.insurancebusinessmag.com.

Cyber attacks against businesses, including some of America’s largest companies, regularly fill the headlines. But it’s not just businesses, it’s also individuals who are affected by cyber attacks and looking for insurance coverage.

Nearly half (47%) of American adults have had their personal information exposed by cyber criminals, while one in three homes with computers are infected with malicious software, according to the Cybersecurity & Infrastructure Security Agency (CISA).

For Kareen Boyadjian, the growing cyber threat has made personal coverage a must-have.

“Attacks will happen to individuals, it’s a matter of whether they can sustain the impact of when they happen,” she said.

“Having cyber insurance is as important as an auto or homeowners’ policy. If things happen, you have the protection you need.”

Pandemic played a role in personal cyber coverage

Interest in cyber insurance policies for individuals started growing during the COVID-19 pandemic, according to Boyadjian. This period coincided with a huge surge in ransomware attacks and extortion claims in commercial cyber worldwide.

“When commercial cyber losses started coming with frequency and severity, it wasn’t just the businesses who were hit by extortion demands and suffered business interruption costs, but the consumers whose information was compromised in the process,” Boyadjian said.

“It got people thinking, ‘how does this affect me? How do I protect myself if my information is at risk of being corrupted, stolen, or sold on the dark web?’ Since 2020 and 2021, that concern has continued to increase substantially.”

The collective shift to working from home also kickstarted interest in personal cyber coverage.

“All of a sudden, we were all in a position where the lines between an individual’s business exposure and personal exposure started to get a little blurry,” said Boyadjian.

Cyber criminals getting more sophisticated

Cybercrime is the most common cause of claims in personal cyber, followed by cyber extortion, according to Boyadjian.

Cyber criminals have become increasingly sophisticated in their tactics, particularly in social engineering schemes, to prey on individuals, making personal cyber coverage much more relevant.

“In the past, they would send one generic spoof email out to thousands of people in hopes a few would fall victim, which inevitably would happen,” Boyadjian said.

“But now we’re seeing that hackers are getting much more creative about how they target their victims. They’re studying what kind of language you use, who you email most frequently, who has authorization to wire money, who your money manager or attorney are, even what kind of emojis you send out.”

Comprehensive personal cyber coverage

To help individuals safeguard themselves and their loved ones from cyber threats, Tokio Marine HCC – Cyber & Professional Lines Group has created a comprehensive standalone cyber solution in the marketplace.

NetGuard® Select is designed to protect individuals from emerging cyber threats, including cyber extortion, ransomware, cybercrime, breach event costs, data recovery, cyber bullying, and identity and privacy theft.

“Individuals may have some semblance of cyber coverage in their homeowners’ policy or in a related group policy, but it often doesn’t extend coverage to cybercrime, data recovery or other significant exposures. Additionally, the cyber endorsement coverage shares a limit with the homeowner’s policy, and if that carrier decides to non-renew or exit a state, it can leave that policyholder without cyber coverage,” said Boyadjian.

In contrast, NetGuard® Select offers extensive protection and also extends coverage to the insured’s family members.

But what makes the offering truly special is that it gives policyholders access to expert services in identity protection, fraud detection, and dark web monitoring services.

“It’s not just the comprehensive insurance solution, 24/7 claims services, and the decades of cyber claims experience we offer, it’s also proactive cyber monitoring services that come with the policy for no additional premium that makes this product unique. It’s truly the full package,” Boyadjian said.

Though NetGuard® Select is targeted towards high-net-worth individuals, anyone can apply for coverage.

“Most people think that because they’re not a celebrity or a professional athlete, no one is going to benefit stealing their personal information and selling it on the dark web,” said Boyadjian.

“That’s precisely what the hackers are preying on. They’re relying on you to think that way so your guard will be down. Having this important coverage in place will help keep peace of mind for our policyholders and get them back up and running when they need it most.”