April 2023 Newsletter – Cybersecurity this Month

Welcome to the April edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll bring you the latest news and views to make you a better-informed consultant. In this issue:

  • Client Insight
  • US Unveils National Cybersecurity Strategy
  • TikTok Troubles Are Food For Thought
  • Are You Ready For The AI CEO?
  • Multi-Factor Authentication Under Attack
  • Best Of The Rest

Client Insight

Each month we ask our clients what’s on their minds and what it means for security professionals. This month’s food-for-thought comes from a client who is the CISO of a Fortune 50 company. They noted: “When it comes to a security program, you could have an unlimited budget and the problem would still exist”.

In other words, cybersecurity is a field where you can’t simply spend your way out of a problem. That’s certainly in line with the way a lot of companies are realizing that simply investing in technology is not enough.

Even with the latest tools – and even with automated features and machine learning – you still need the right people to figure out the best ways to use them. It is the quality of your judgment that is going to be the differentiator in building out a resilient security program.

US Unveils National Cybersecurity Strategy

The US government has released a National Cybersecurity Strategy designed to take a big-picture look at protecting against cyber attacks. Its primary goal is protecting critical infrastructure, particularly against the risk of multiple attacks combining to magnify the damage to the nation.

It’s built around five “pillars”, namely:

  • Defend Critical Infrastructure
  • Disrupt and Dismantle Threat Actors
  • Shape Market Forces to Drive Security and Resilience
  • Invest in a Resilient Future
  • Forge International Partnerships to Pursue Shared Goals

As always, there’s no way to know how grand ideals on the page work out in the real world. That said, some of the key takeaways for cybersecurity professionals are as follows:

  • “Critical sectors” will likely get more minimum cybersecurity requirements, meaning more opportunities for work bringing organizations up to scratch.
  • “Postquantum encryption” and “digital identity solutions” could get research funding and thus become rapid growth areas.
  • Foreign language skills may be a bigger benefit as the US works more to promote international security programs.

TikTok Troubles Are Food For Thought

TikTok continues to make headlines as the worlds of security and politics collide, provoking eye rolls on Capitol Hill as lawmakers revealed their sometimes questionable grasp of technology. The issue of whether (and how) a ban on government officials using the app should be extended to the public is certainly beyond our scope. However, it does raise some questions about security in businesses.

The “bring your own device” model appears to be here to stay and it has understandable appeal to employers and employees alike. The problem remains how to give employees a true sense of ownership over their devices while limiting the risks to company infrastructure and data.

It’s not just a question of whether to ban potentially risky apps on work devices (or personal devices with work access), but how to follow up that decision. Ban apps and you need a way to meaningfully enforce it. Leave it to users and you need to think about mitigation measures.

Either way, cybersecurity professionals need to work in the real world where human behavior is often messy. Knowing how to navigate corporate politics and human resources can be key to making sure the perfect security solution is actually workable.

Are You Ready For The AI CEO?

A Hong Kong online gaming company experimented with using an AI tool as CEO for six months. It’s early days but certainly doesn’t seem to have been a complete disaster: NetDragon Websoft’s stock price rose by 18 percent over a six-month period when the relevant stock exchange as a whole actually fell a couple of points.

It’s likely to remain a thought experiment rather than a serious solution for most companies, not least because it’s uncertain how the human managers at NetDragon adjusted to the automation. We do wonder how such an approach would affect cybersecurity in businesses, though.

For example, would AI make smarter decisions about cybersecurity (including how much autonomy to give the IT and security departments)? Would it make smarter assessments about risk? Would it be easier or harder to target with personalised spear phishing? And would workers be more likely to fall for a fake email supposedly from the “big boss” if they knew it wasn’t a real person?

Multi-Factor Authentication Under Attack

Adenike Cosgrove of Proofpoint posted an interesting take on cyber attackers trying to find weaknesses in multifactor authentication. The most interesting aspect is that they are using a diverse range of tactics.

In some cases, it’s sophisticated, specialized phishing attacks that target authenticator apps on devices, swiping MFA and OAuth tokens in real time to use immediately. In other cases, it’s using tech’s strengths against human weaknesses. Attackers are exploiting the alerts used to request approval on devices. The simple but effective technique is to flood a user’s device with requests until they get so frustrated that they approve a bogus login attempt.

Cosgrove notes that these tactics don’t yet outweigh the benefits of multifactor authentication. However, she points out that a multifactor approach also works for defense: use technology to reduce the impact of humans being fooled, but also educate staff on the risks of bogus requests just in case.
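The prompt-flooding tactic described above leaves a clear footprint in authentication logs: a burst of push prompts for one account in a short window, sometimes followed by an approval. The script below is an added example (not code from Proofpoint or from this newsletter) that runs a simple sliding-window detector over a constructed sample log. The log format (timestamp, user, event, outcome), the field values `mfa_push`/`sent`/`denied`/`approved`, and the threshold of five prompts in two minutes are all assumptions chosen for the example; a real deployment would map its own identity provider’s event names onto them.

```python
"""Detect MFA push-notification flooding ("MFA fatigue") in an auth log.

Added example: the log format and event names are assumptions, not those of
any particular identity provider.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). Fields: timestamp user event outcome.
# alice receives six prompts in under two minutes and finally approves one;
# bob's two prompts are hours apart and each is approved normally.
SAMPLE_LOG = """\
2023-04-03T09:00:01Z alice mfa_push sent
2023-04-03T09:00:20Z alice mfa_push denied
2023-04-03T09:00:25Z alice mfa_push sent
2023-04-03T09:00:40Z alice mfa_push denied
2023-04-03T09:00:45Z alice mfa_push sent
2023-04-03T09:01:10Z alice mfa_push sent
2023-04-03T09:01:30Z alice mfa_push sent
2023-04-03T09:01:50Z alice mfa_push sent
2023-04-03T09:02:05Z alice mfa_push approved
2023-04-03T09:05:00Z bob mfa_push sent
2023-04-03T09:05:10Z bob mfa_push approved
2023-04-03T11:00:00Z bob mfa_push sent
2023-04-03T11:00:08Z bob mfa_push approved
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, outcome)."""
    ts_str, user, event, outcome = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, user, event, outcome


def detect_push_flood(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per user burst of >= threshold prompts inside `window`.

    An alert is a dict with the burst boundaries, the prompt count, and whether
    an approval followed within `window` of the last prompt (the outcome that
    should trigger an immediate session revocation and investigation).
    """
    prompts = defaultdict(deque)  # user -> timestamps of prompts still inside the window
    open_alerts = {}              # user -> the alert for their current burst, if any
    results = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event, outcome = parse_line(raw)
        if event != "mfa_push":
            continue

        if outcome == "sent":
            q = prompts[user]
            q.append(ts)
            # Drop prompts that have aged out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alert = open_alerts.get(user)
                if alert is None or ts - alert["last_prompt"] > window:
                    # New burst: record it once, then extend it as prompts keep coming.
                    alert = {
                        "user": user,
                        "first_prompt": q[0],
                        "last_prompt": ts,
                        "prompts": len(q),
                        "approved_after_flood": False,
                    }
                    open_alerts[user] = alert
                    results.append(alert)
                else:
                    alert["last_prompt"] = ts
                    alert["prompts"] += 1

        elif outcome == "approved":
            # An approval shortly after a flood is the signal that the user gave in.
            alert = open_alerts.get(user)
            if alert is not None and ts - alert["last_prompt"] <= window:
                alert["approved_after_flood"] = True

    return results


if __name__ == "__main__":
    for alert in detect_push_flood(SAMPLE_LOG):
        status = "APPROVED AFTER FLOOD" if alert["approved_after_flood"] else "denied/ignored"
        print(f"{alert['user']}: {alert['prompts']} prompts between "
              f"{alert['first_prompt']:%H:%M:%S} and {alert['last_prompt']:%H:%M:%S} ({status})")
```

On the sample log this flags only alice (six prompts, then an approval), while bob’s normal logins produce nothing. The two-part alert mirrors the “multifactor defense” point above: the burst itself is the cue to notify the user and rate-limit prompts, and the approval-after-flood flag is the cue for the security team to treat the session as compromised rather than rely on the user having spotted the bogus request.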

Best Of The Rest

Here’s our round-up of some of the other stories you need to know about: