Intercast January 2025 – Importance of Infosec Resource

Welcome to the January 2025 edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we bring you the latest news and views to keep you up to speed. In This Issue:

  • Client Insight
  • Healthcare Security Rules May Get Stronger
  • AI Generated Malware Has 88% Evasion Rate
  • Get Ready For These Four Questions
  • Could You Explain Public Key Cryptography?
  • Best of the Rest

Client Insight

‘Never underestimate the importance of having your infosec resources match the company business unit’s culture’

Surveying security executives across the globe throughout 2024, the most common enabler Intercast was asked for was the ability of infosec consultants to communicate risk to diverse business units across the enterprise.


Healthcare Security Rules May Get Stronger

Health officials in the US want tougher rules for securing health data. Among other measures, they want healthcare organizations to have a policy of mandatory multifactor authentication.

The proposals come from the Office for Civil Rights, part of the Department of Health and Human Services, which was tasked with updating HIPAA (the main privacy and security law for healthcare) after a series of high-profile attacks on healthcare businesses.

Other proposals include better segmentation of networks to contain attacks, along with encrypting patient data. The proposals also cover security administration, including more risk analysis and compliance documentation.

There’ll be a 60-day period for public comment before the proposals are finalized. Healthcare companies are likely to query the cost of compliance, estimated at $9 billion across the industry in the first year and $6 billion a year after that.


AI Generated Malware Has 88% Evasion Rate

It’s no secret malware creators love the idea of AI tools creating attack code, but now researchers have put some numbers on it. They found AI-rewritten code is difficult to detect, but have suggested ways to harness the same technique for good.

Researchers at Palo Alto Networks Unit 42 used AI to create 10,000 variants of the same attack code without losing functionality. The rewriting combined techniques including renaming variables, adding functionless “junk” code and removing unnecessary whitespace. When the researchers ran the variants through their own malware classifier, it identified just 12 percent of them as malicious.

It’s not all bad news, however. The researchers suggested the same approach could generate malicious code at scale for training automated security tools. That would get round the inherent problem that such tools are hard to train on the most effective malware because, by definition, that malware hasn’t yet been uncovered.
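To make the three transformations concrete, here is an added example that is not from the newsletter or from Unit 42’s research. The research used an LLM to rewrite real malware; this stand-in applies the same three transformations (identifier renaming, dead-code insertion, whitespace removal) with fixed rules so the effect can be inspected offline. The sample function, its input, the identifier mapping and the string “signature” are all constructed for the demo, and the naive string-matching detector is a deliberately simple stand-in for a real classifier. It checks that the variant still behaves identically and that the signature no longer matches.

```javascript
// Added example, not from the newsletter or from Unit 42's research. The research
// used an LLM to rewrite real malware; this stand-in applies the three transformations
// the article lists with fixed rules so the effect can be inspected offline.
// The sample, its input, the identifier mapping and the "signature" are all constructed.

// Constructed sample: a tiny credential-collecting function, run as a function body.
const ORIGINAL = `
function collectCreds(doc) {
  var username = doc.user;
  var password = doc.pass;
  var payload = username + ":" + password;
  return payload;
}
return collectCreds(input);
`;

// Constructed string signature a naive detector might match on.
const SIGNATURE = 'var payload = username + ":" + password';

// Transformation 1: rename identifiers (whole-word replacement over a known list).
function renameIdentifiers(src, mapping) {
  let out = src;
  for (const [from, to] of Object.entries(mapping)) {
    out = out.replace(new RegExp('\\b' + from + '\\b', 'g'), to);
  }
  return out;
}

// Transformation 2: insert dead "junk" code where the first function body opens.
// The branch can never execute (Math.random() is always < 1), so behaviour is unchanged.
function insertJunk(src) {
  const junk = ' var _j = Math.random() > 2 ? "never" : 0;' +
               ' if (_j === "never") { throw new Error("unreachable"); }';
  return src.replace('{', '{' + junk);
}

// Transformation 3: collapse whitespace. Assumes no string literal contains
// whitespace, which holds for the constructed sample.
function stripWhitespace(src) {
  return src
    .replace(/\s+/g, ' ')
    .replace(/\s*([{}();=+:,])\s*/g, '$1')
    .trim();
}

// Produce one functionally equivalent variant (mapping names are arbitrary).
function generateVariant(src) {
  const renamed = renameIdentifiers(src, {
    collectCreds: '_0x4a1f',
    username: '_0x2c3d',
    password: '_0x9e7b',
    payload: '_0x5d60',
    doc: '_0x1b2e',
  });
  return stripWhitespace(insertJunk(renamed));
}

// Execute a sample as a function body with a single parameter named `input`.
function run(src, input) {
  return new Function('input', src)(input);
}

// Naive signature-based detector: a stand-in for the classifier in the article.
function naiveDetect(src) {
  return src.includes(SIGNATURE);
}

// Constructed input the sample operates on.
const SAMPLE_INPUT = { user: 'alice', pass: 'hunter2' };

function demo() {
  const variant = generateVariant(ORIGINAL);
  return {
    variant,
    originalDetected: naiveDetect(ORIGINAL),                                   // true
    variantDetected: naiveDetect(variant),                                     // false
    sameBehaviour: run(ORIGINAL, SAMPLE_INPUT) === run(variant, SAMPLE_INPUT), // true
  };
}

console.log(demo());
```

A real classifier looks at far more than one substring, which is exactly why the research used an LLM rather than fixed rules: the point is that any detector keyed on surface features of a known sample can be defeated by rewrites that leave behaviour untouched, so behavioural and semantic features (what the code does with `doc.user` and `doc.pass`, not what the variables are called) are the ones worth training on.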


Get Ready For These Four Questions

The Wall Street Journal has suggested four questions for board members to ask information security officers. The idea is to help executives without a tech background keep on top of the topic, but it could be a useful prompt for cybersecurity managers to consider.

The four questions are:

  • Does leadership agree on the top cybersecurity risks?
  • What is the company culture related to cybersecurity?
  • What is the plan for communicating with regulators and shareholders about cyberattacks?
  • What would you do with more money?

The questions intentionally concentrate on uncovering gaps in the management structure as it relates to cybersecurity, rather than getting bogged down in specific technical detail.

It’s worth being prepared for the questions in case board members at your company read the WSJ, but having the answers – or simply knowing there is no good answer right now – could be useful in any case.


Could You Explain Public Key Cryptography?

Communicating with non-experts is arguably the most underrated skill in cybersecurity, and John Pavlus of Quanta Magazine has set a great example. He’s written a piece explaining the mathematics and logic behind public key cryptography in a way that doesn’t require a tech background.

The article, republished by Wired, uses storytelling and analogies as well as the technical details. People explaining the topic will often liken it to physical locks and keys, but Pavlus digs into how these analogies correspond to the underlying calculations.

Not everyone will agree with his particular balance of accessibility and technical accuracy, and no doubt some will spot what they consider oversimplifications. That said, it should definitely get us thinking about how we explain our work and why it is so important.


Best of the Rest

Here’s our round-up of what else you need to know: