Happy week 29!
This week, we're covering the widespread impact of CrowdStrike's faulty update, NSA's new guidelines for secure AI deployment, the evolving role of CISOs, essential AppSec interview strategies, Google's potential acquisition of Wiz, and a tool to protect against brute-force attacks.
CrowdStrike Update Causes Widespread Windows System Crashes and Outages
- CrowdStrike, a cybersecurity company, released a faulty update to its Falcon Sensor product that caused Windows computers to crash with the blue screen of death, impacting companies across industries worldwide.
- The issue, caused by a logic error triggered by a configuration file update and not by a cyberattack, took down critical systems at airports, businesses, and broadcasters, leaving many machines stuck in a boot loop.
- CrowdStrike identified and isolated the issue and deployed a fix, but manual intervention is required on each affected system, which could take significant time for organizations with thousands of impacted servers and workstations.
Malvertising Campaign Spreads SYS01 Stealer via Facebook and LinkedIn Ads
- Trustwave researchers discovered an ongoing malvertising campaign that directs Facebook and LinkedIn users to download a ZIP file containing the SYS01 information stealer.
- The malware uses a range of tactics to evade detection, establish persistence, and steal sensitive data such as login credentials and personal information from infected machines.
- The campaign, active since September 2023, constantly changes its tactics and lures, promoting cracked software, Windows themes, and AI tools to extend its reach and compromise more victims.
Trello Profiles of 15 Million Users Leaked Due to Unsecured API
- Threat actor 'emo' has released 15,115,516 Trello user profiles containing email addresses that were collected through an unsecured API in January 2024.
- The data was obtained by feeding a list of 500 million email addresses into the API, which returned the public account information and the associated email address for every address that matched a Trello account.
- Atlassian confirmed the API was secured in January, but the leaked data can still be used for targeted phishing and doxxing, since it links email addresses to individuals and their aliases.
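The enumeration pattern in the Trello item (guess an email, get back a profile plus the email itself, repeat 500 million times) is worth seeing next to the controls that stop it. The following is an added illustration, not Trello's code or Atlassian's fix: the directory, the candidate list, the token `tok-demo` and the per-token budget are all constructed for the demo. The "vulnerable" lookup answers anyone and echoes the email; the hardened `MemberLookup` requires an API token, caps requests per token per window, and never returns the email in its response.

```python
from collections import defaultdict

# Constructed directory for the demo: hypothetical sample accounts, not Trello's data or schema.
DIRECTORY = {
    "alice@example.com": {"username": "alice", "full_name": "Alice Example"},
    "bob@example.com": {"username": "bob", "full_name": "Bob Example"},
    "carol@example.net": {"username": "carol", "full_name": "Carol Example"},
}

# The scraper's guess list (a handful here; the real one was 500 million addresses).
CANDIDATES = [
    "alice@example.com", "mallory@example.org", "bob@example.com",
    "carol@example.net", "dave@example.com",
]


def lookup_unauthenticated(email):
    """Enumeration-prone endpoint: no caller identity, no rate limit, and the
    response hands the email back alongside the public profile."""
    profile = DIRECTORY.get(email)
    if profile is None:
        return None
    return {"email": email, **profile}


class MemberLookup:
    """Hardened member lookup: a valid API token is required, each token gets a
    small per-window request budget, and the email is never returned."""

    def __init__(self, valid_tokens, limit=3, window_s=60):
        self.valid_tokens = set(valid_tokens)
        self.limit = limit
        self.window_s = window_s
        self.calls = defaultdict(list)  # token -> timestamps of recent requests

    def lookup(self, token, email, now):
        if token not in self.valid_tokens:
            return {"error": "unauthorized"}
        recent = [t for t in self.calls[token] if now - t < self.window_s]
        if len(recent) >= self.limit:
            self.calls[token] = recent
            return {"error": "rate_limited"}
        recent.append(now)
        self.calls[token] = recent
        profile = DIRECTORY.get(email)
        if profile is None:
            return {"found": False}
        return {"found": True, "username": profile["username"]}


def harvest(lookup, candidates):
    """Simulate the scraper: try every candidate and keep the (email, username) links."""
    links = []
    for i, email in enumerate(candidates):
        r = lookup(email, i)  # one request per second of simulated time
        if r and r.get("username"):
            links.append((email, r["username"]))
    return links


def harvest_unauthenticated(candidates=CANDIDATES):
    return harvest(lambda email, now: lookup_unauthenticated(email), candidates)


def harvest_hardened(token, candidates=CANDIDATES, limit=3):
    svc = MemberLookup(valid_tokens={"tok-demo"}, limit=limit)  # tok-demo is a constructed token
    return harvest(lambda email, now: svc.lookup(token, email, now), candidates)


if __name__ == "__main__":
    print("open endpoint:", harvest_unauthenticated())
    print("hardened, no token:", harvest_hardened("bad-token"))
    print("hardened, valid token:", harvest_hardened("tok-demo"))
```

A hardened lookup still confirms whether a supplied address belongs to a member, because an invite-by-email feature needs that; the protection is that the caller is identified and budgeted, so a 500-million-address sweep at a few requests per minute per token is not feasible, and a single token burning its budget against random addresses is an anomaly worth alerting on.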
Judge Dismisses Most SEC Charges Against SolarWinds in 2021 Hack Case
- U.S. District Judge Paul Engelmayer largely dismissed the SEC's charges against SolarWinds and its CISO Tim Brown related to the high-profile supply chain attack, finding that they relied on hindsight and speculation.
- The judge allowed charges to proceed regarding SolarWinds' 2017 Security Statement, finding its claims of strong cybersecurity policies and practices could be "materially misleading and false".
- The case stems from a two-year attack attributed to Russian hackers, which reached hundreds of companies and government agencies through SolarWinds' Orion software and highlighted the growing cyber risk in software supply chains.
Cisco Fixes Critical Vulnerability in Security Email Gateway Appliances
- Cisco has patched a critical vulnerability (CVE-2024-20401) in its Secure Email Gateway (SEG) appliances that lets an unauthenticated remote attacker add root users and cause a permanent denial of service by sending a malicious email attachment.
- The flaw is an arbitrary file write caused by improper handling of email attachments when file analysis and content filters are enabled; an attacker can replace any file on the underlying file system, which leads to arbitrary code execution. The vulnerable code path is only reachable when those features are enabled.
- To fix the vulnerability, affected devices should be updated to Content Scanner Tools package version 23.3.0.4823 or later, which ships with Cisco AsyncOS for Cisco Secure Email Software releases 15.5.1-055 and later.
NSA Releases Best Practices for Deploying Secure and Resilient AI Systems
- The National Security Agency (NSA) has published a Cybersecurity Information Sheet (CSI) titled "Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems" to support National Security System owners and Defense Industrial Base companies deploying AI systems designed by external entities.
- The CSI, released by NSA's Artificial Intelligence Security Center (AISC) in partnership with CISA, the FBI, and international cybersecurity agencies, builds on previously released guidelines and applies broadly to anyone bringing AI capabilities into a managed environment, especially high-threat, high-value ones.
- The AISC, established in September 2023 as part of the Cybersecurity Collaboration Center (CCC), aims to detect and counter AI vulnerabilities, drive partnerships, develop best practices, and keep NSA ahead of adversaries' tactics and techniques. It plans to work with global partners on further guidance covering AI security topics as the field evolves.
Tech Giants Form Coalition for Secure AI to Address Industry Challenges
- Google, OpenAI, Microsoft, Amazon, Nvidia, Intel, and other major tech companies have announced the Coalition for Secure AI (CoSAI) to tackle the fragmented AI security landscape by providing access to open-source methodologies, frameworks, and tools.
- CoSAI, which will operate within the nonprofit OASIS (Organization for the Advancement of Structured Information Standards), aims to develop best practices for AI security, address open challenges in AI, and secure AI applications.
- Heather Adkins, Google's vice president of security, emphasizes the potential benefits of AI for defenders while acknowledging the risks posed by adversaries, stating that CoSAI will help organizations of all sizes integrate AI securely and responsibly, capturing its benefits while mitigating risks.
AI Accelerating Autonomous Security Operations
- Albert Caballero from SentinelOne discusses how AI could accelerate autonomous security operations, drawing a parallel to the levels of autonomous driving. He suggests that AI-powered tools and agents will soon enable one security analyst to handle many concurrent investigations or incidents.
- The article outlines the key characteristics of security operations automation at each level, from Level 0 (no automation) to Level 5 (full automation). As the levels progress, the system takes over more tasks from the human analyst, gaining autonomy under defined conditions and eventually the ability to handle complex situations independently.
- While AI is expected to set new benchmarks in speed, expertise, and volume, Caballero emphasizes that the appropriate level of autonomy will vary with each organization's security goals and business objectives. He also stresses that human analysts must master security fundamentals so they can intervene effectively when needed, even in highly autonomous systems.
Dual-Title CISOs Reflect Expanding Role in Managing Business Risk
- Geoff Belknap, CISO and VP of Engineering at LinkedIn, says having his own software engineering team puts him in a stronger position when working with partner teams and lets him innovate in ways that are closely aligned with security problems.
- Adam Ely, former CISO and current Head of Digital Products at Fidelity Investments, says dual-title roles recognize that CISOs increasingly operate as technology leaders across the organization, and that their experience working with technology and product groups prepares them to move into other roles as companies keep investing in digital products.
- Jay Pasteris, COO at Blue Mantis and a former CISO and CIO, cautions that while dual-title roles can provide greater autonomy and help harmonize driving business efficiency with keeping the organization secure, CISOs should be careful not to take on too much risk or create conflicts within the larger risk management remit.
- Trends like cloud computing, DevOps, and automation are blurring the lines between functions, with security becoming more integrated into these processes.
White House's First Deputy National Cyber Director Discusses Diverse Cyber Workforce
- Camille Stewart Gloster, the first Deputy National Cyber Director for Technology & Ecosystem at the White House, joins Andrew to discuss her career in cyber.
- Camille co-founded the #ShareTheMicInCyber movement and the #NextGenNatSec initiative, both aimed at growing a more diverse cyber workforce.
- She emphasizes the importance of making cybersecurity accessible rather than overwhelming, so that people can turn hobby-level skills into concrete careers.
Asking the Right Questions in an AppSec Interview
- PentesterLab suggests asking specific questions during an AppSec job interview to demonstrate preparedness and learn about the company.
- Questions should cover the team's approach to problem-solving (build vs. buy), training opportunities, interactions with development and DevOps teams, daily responsibilities, upcoming challenges, and recent successes.
- Asking targeted questions helps determine whether the role aligns with the candidate's goals and work style, ensuring a mutually beneficial fit.
VirtualBox Tutorial Demonstrates How to Build and Secure Virtual Machines
- Cyberspatial's tutorial video shows how to use VirtualBox to create and configure virtual machines for free, providing an isolated environment for testing software and files.
- The video covers key VM settings such as network modes (NAT, Bridged, Internal, Host-Only), shared folders, installing Ubuntu as a guest on Linux and Windows hosts, taking snapshots, and transferring files between host and guest.
- Using VMs helps achieve security principles like compartmentalization and ephemerality, though there are some drawbacks to consider when relying on them for learning cybersecurity.
4 Steps to Creating a Powerful Reverse Engineering Lab
- The Hacker News article discusses four ways to build a malware analysis lab for reverse engineering: virtualization, sandbox-as-a-service, dedicated hardware, and a cloud lab.
- Virtualization with software like VirtualBox or VMware is easy to set up and provides an isolated environment, but has drawbacks such as limited scalability and the need to configure detection rules manually. Sandbox-as-a-service solutions like ANY.RUN save time, are secure, and are simple to configure, but may not be optimized for your toolset.
- Essential tools for reverse engineering include disassemblers like IDA Pro, Ghidra, and Binary Ninja, decompilers, debuggers like OllyDbg, x64dbg, and WinDbg, hex editors, and network analysis tools like Wireshark.
CrowdStrike Software Defect Causes Global Business Disruptions
- CrowdStrike CEO George Kurtz attributed the widespread outage affecting businesses worldwide to a defect in a content update for Microsoft Windows hosts.
- The incident hit sectors including airlines, grocery store chains, and emergency services, and sent CrowdStrike shares down more than 12% in premarket trading.
- With over 50% of Fortune 500 companies using CrowdStrike's software, the outage highlighted the firm's ubiquity across markets and institutions, affecting airports, call centers, news broadcasts, and banking systems.
Google Reportedly in Talks to Acquire Wiz for $23 Billion, Aiming for Security Leadership
- According to the New York Times and the Wall Street Journal, Google is in advanced talks to buy security startup Wiz for $23 billion, which would be the largest acquisition ever by its parent company Alphabet.
- Wiz, founded in 2020 by former Microsoft employees, gained attention for discovering critical flaws in Azure, such as the ChaosDB and "OMIGOD" vulnerabilities.
- If the deal goes through, Google would own both Mandiant and Wiz, potentially positioning its cloud division as a security leader against rivals like Microsoft and AWS.
Cybersecurity Startup Funding Surges 144% YoY in Q2 2024
- According to Crunchbase data, cybersecurity startups raised a robust $4.4 billion in Q2 2024, a 144% increase from Q2 2023, despite a lower deal count of 153.
- The surge is mainly attributed to a jump in nine-figure rounds, led by cloud security startup Wiz raising $1 billion at a $12 billion valuation, the largest cyber round since Securonix's $1 billion+ raise in February 2022.
- Investors remain bullish on the sector, citing rising attack volumes, threat proliferation driven by AI, and enterprises resuming cybersecurity spending as reasons for the renewed interest.
SSHGuard
SSHGuard protects hosts from brute-force attacks by monitoring system logs, detecting attacks, and blocking attackers using a firewall.
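To make the "monitor logs, detect attacks, block via the firewall" loop concrete, here is an added worked example (not SSHGuard's own code): a sliding-window detector run over a few constructed sshd log lines. Each failed-password or invalid-user line counts as one attack event from its source address; when a source reaches the threshold within the window it is blocked for a fixed period, and later events from it are ignored until the block lapses. The log year, the threshold, the window, the block duration and the iptables command are all assumptions for the demo; SSHGuard's real backends maintain their own chain or set and its scoring differs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines for the demo (syslog format; no year is logged,
# so LOG_YEAR below is an assumption made for parsing).
SAMPLE_LOG = """\
Jul 19 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 19 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jul 19 10:00:04 host sshd[1205]: Invalid user oracle from 203.0.113.7 port 51026
Jul 19 10:00:05 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 51026 ssh2
Jul 19 10:00:09 host sshd[1209]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Jul 19 10:00:30 host sshd[1211]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Jul 19 10:30:00 host sshd[1300]: Failed password for root from 203.0.113.7 port 52000 ssh2
"""
LOG_YEAR = 2024

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Each match counts as one attack event attributed to the source address.
ATTACK_RES = (
    re.compile(r"^Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"),
    re.compile(r"^Invalid user \S+ from (?P<ip>\S+) port \d+"),
)


def parse_event(line):
    """Return (timestamp, source_ip) for a line that counts as an attack, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    for rx in ATTACK_RES:
        a = rx.match(m["msg"])
        if a:
            return ts, a["ip"]
    return None


class BruteForceDetector:
    """Sliding-window counter per source; blocks when the threshold is hit within the window."""

    def __init__(self, threshold=3, window=timedelta(minutes=5), block_for=timedelta(minutes=20)):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.recent = defaultdict(deque)  # ip -> timestamps of events still inside the window
        self.blocked_until = {}           # ip -> block expiry
        self.blocks = []                  # (ip, ISO timestamp) decisions, in order

    def feed(self, line):
        """Process one log line (lines must arrive in time order); return the ip if it triggers a new block."""
        ev = parse_event(line)
        if ev is None:
            return None
        ts, ip = ev
        expiry = self.blocked_until.get(ip)
        if expiry is not None:
            if ts < expiry:
                return None  # still dropped at the firewall; nothing new to do
            del self.blocked_until[ip]  # block lapsed: start counting afresh
            self.recent[ip].clear()
        q = self.recent[ip]
        q.append(ts)
        while ts - q[0] > self.window:  # evict events that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[ip] = ts + self.block_for
            self.blocks.append((ip, ts.isoformat()))
            q.clear()
            return ip
        return None


def firewall_rule(ip):
    """The kind of command a log-monitoring blocker hands to the packet filter
    (illustrative iptables form; SSHGuard's backends manage their own chain or set)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def detect_blocks(log_text, **kw):
    """Run the detector over a whole log and return its block decisions."""
    det = BruteForceDetector(**kw)
    for line in log_text.splitlines():
        det.feed(line)
    return det.blocks


if __name__ == "__main__":
    for ip, when in detect_blocks(SAMPLE_LOG):
        print(f"{when} block {ip}: {firewall_rule(ip)}")
```

On the sample log only 203.0.113.7 is blocked (at its third event); alice's single failure followed by a successful public-key login never reaches the threshold, and the lone retry from 203.0.113.7 half an hour later starts a fresh count because the block has lapsed. The same structure lets you tune the two knobs that matter in production: a short window with a low threshold catches fast scanners, while a long block duration is what actually reduces log noise.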
macOS-Fortress
Firewall, Blackhole, and Privatizing Proxy for macOS with comprehensive security features.
Application Gateway
Microsoft Azure's layer-7 load balancer for web traffic, with an optional web application firewall.
If you found this newsletter useful, I'd really appreciate if you could forward it to your friends and share your feedback below!
Have questions? Let me know in the comments or on LinkedIn and X.
Best,
Nikoloz