Intercast January 2024 – CISO Fallout

Welcome to the January 2024 edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we bring you the latest news and views to get you up to speed.

In This Issue:

  • Client Insight: 2024 CISO Forecasts
  • Three Lines Of Defense
  • Spyware Licensing Mirrors Traditional Models
  • FCC Beefs Up Breach Requirements
  • Cyber Pioneers Honored

Client Insight

Each month we ask our clients what’s on their mind to find out more about what’s important in the industry. This month we’ve been discussing predictions for cybersecurity trends in 2024, including this list of CISO forecasts from Wallarm:

  1.   CISO fallout will accelerate
  2.   Resurgence in cyber regulations
  3.   Age of cyber-kinetic warfare
  4.   Third party risk management
  5.   Ransomware continues to dominate
  6.   Digital potato famine
  7.   Cyber security staff development
  8.   Critical infrastructure & supply chain
  9.   Cyber security recovery “resilience”
  10. AI security challenges

While some of these are self-explanatory (and arguably safer bets), others are particularly eye-catching. #1 in the list refers to increasing concern that CISOs are being held personally accountable for cybersecurity incidents, perhaps suggesting unrealistic expectations. Meanwhile, “cyber-kinetic warfare” means using cyber attacks to cause physical damage, for example to critical infrastructure, with the potential for physical harm to people.

As for “digital potato famine”, that’s a deliberately provocative analogy about the monoculture of iPhones. The argument goes that because they have a locked, uniform ecosystem, there’s a risk that a successful attack method could brick millions of devices at once.

Three Lines Of Defense

Our recommended reading of the month is Kezia Farnham of Diligent on the Three Lines Of Defense model for risk management. While it’s from 2021, the content is still highly relevant, and this is a particularly clear explanation of the model and its uses.

It’s all about assigning responsibility for risk, breaking it into three groups:

  • The first line is those who own and manage risk (i.e. the management team).
  • The second line is those who oversee risk day-to-day (such as compliance and IT departments).
  • The third line is those who provide independent assurance (such as internal auditors).
  • All three lines are overseen by the board and executive level, which sets out the risk strategy.

The big idea is to have clearly defined responsibilities, removing unnecessary duplication or overlap, while reducing the risk of any gaps or shortfalls in risk management.

Spyware Licensing Mirrors Traditional Models

Spyware is big business, and it seems the people behind it are copying tactics from more “legitimate” software models. An in-depth analysis by Cisco Talos of the Predator spyware package finds its creators use the same marketing and upselling tactics as more conventional software firms.

One example involves improvements to the spyware that mean it can now persist on an Android device after a reboot. However, this is only available as an add-on feature under a higher-tier license package from its supplier, Intellexa.

Users face another add-on cost if they want to remove a geographic restriction on the license. This has the handy side effect that the developers can’t track where it’s being used and thus can’t comply with any court orders about their customers. Plausible deniability is a big part of the business model: Intellexa supplies hardware to power the spying operations but will only deliver the equipment to an airport or other terminal. That means they “don’t know” where it’s used.

While Intellexa may borrow from traditional software models, the US government at least does not class it as a legitimate business. It has placed the company on a blacklist that makes it unlawful for US businesses to transact with Intellexa.

FCC Beefs Up Breach Requirements

The Federal Communications Commission has updated its breach notification rules for VoIP and other telecommunication services for the first time in 16 years. The outdated rules meant telecom customers had less protection than they might have assumed, and less than customers of other technologies and businesses.

The new rules expand the definition of breaches to now cover most personally identifiable information about customers. They’ll also cover inadvertent access or disclosure rather than just deliberate breaches from outside.

The FCC has also ditched a previous rule that, perhaps surprisingly, imposed a mandatory waiting period before notifying customers. Instead, companies must tell customers “without unreasonable delay” after reporting a breach to the FCC and law enforcement authorities, with a hard deadline of 30 days.

Cyber Pioneers Honored

The UK’s National Cyber Security Centre has issued commemorative coins marking pioneers in the field. Unlike many such coins, these won’t be on sale or targeted at the collectors’ market.

Instead, they’ll be issued as a reward to some security researchers who’ve reported vulnerabilities in government computer systems. The limited group of recipients will be “those who have shown themselves to be exemplars of the vulnerability disclosure community.”

The set of four coins depicts:

  • Ada Lovelace, a pioneer of computing who wrote what’s widely considered the first computer program.
  • Charles Babbage, who’s credited with conceiving the digital programmable computer.
  • Alan Turing, whose work included the creation of a general-purpose computer that could run any algorithm.
  • The Bombe machine, an electro-mechanical device that helped decrypt German wartime messages encoded by the Enigma machine.

Best of the Rest

Here’s our round up of what else you need to know: