Archive for February 13, 2024

GAO Notifies Employees Of A Breach Of CGI Federal That Affects Them

Posted in Commentary with tags on February 13, 2024 by itnerd

Yesterday, in a breach notification letter seen by Reuters, the U.S. Government Accountability Office said that one of its IT contractors, CGI Federal, notified the agency last month of a data breach affecting the PII of about 6,000 GAO employees who worked at the agency between 2007 and 2017.

CGI Group, the information systems and management consultancy, has shifted toward cybersecurity in recent years and said in congressional testimony that it provides IT protection for “100 participating agencies” including the State, Justice, Commerce, and Labor departments, as well as the FCC and the US Agency for International Development.

The notification letter said that the threat actor exploited a “vulnerability in an externally provided platform” and the data exposed included:

  • Names
  • SSNs
  • Addresses
  • Banking information

A GAO spokesperson said the agency was notified about the breach on Jan. 17 but provided few other details.

Emily Phelps, VP, Cyware had this comment:

   “Public sector breaches facilitated through IT contractors demonstrate the multifaceted nature of cybersecurity threats that the public sector faces. They highlight the urgent need for a modernized and proactive defense strategy, where collaboration and information sharing between agencies and their partners are paramount. The concept of collective defense becomes particularly relevant here, emphasizing the idea that protecting one agency effectively contributes to the security of the entire public sector network.”


Dave Ratner, CEO, HYAS follows with this comment:

“Criminals will often go after a link in the chain, which means they may extract information about government employees not from the agency directly but from a targeted contractor company. It’s just one more reason why everyone should be implementing cyber resiliency strategies immediately as part of their 2024 initiatives as these kinds of breaches, and worse, will continue to occur.”

When a cybersecurity company gets pwned, that’s bad. But when a customer gets pwned, that’s worse. This truly isn’t a great day for CGI Federal.

Bank of America Suffers A Data Leak Because A Vendor Of Theirs Got Pwned

Posted in Commentary with tags on February 13, 2024 by itnerd

Bank of America is warning customers of a data breach exposing their personal information after Infosys McCamish Systems (IMS), one of its service providers, was pwned last year:

On or around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications. On November 24, 2023, IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America’s systems were not compromised.

In response to the security incident, IMS retained a third-party forensic firm to investigate and assist with IMS’s recovery plan, which included containing and remediating malicious activity, rebuilding systems, and enhancing response capabilities. To date, IMS has found no evidence of continued threat actor access, tooling, or persistence in the IMS environment. 

When a service provider that holds your customers’ data gets pwned, that data is exposed whether or not your own network is ever touched. In this case the damage appears to have been limited. John Gunn, CEO, Token comments on why:

You can be certain that Bank of America has the highest level of security and imposes incredibly stringent cybersecurity requirements on their third-party partners, with the latter being legendary. With large global organizations that have thousands of service providers, these events are nearly impossible to prevent. Cybercriminals have stepped up their attacks on outsource service providers knowing they cannot directly defeat the cybersecurity of a major bank. The silver lining is that this event impacted less than 1/1000th of their customer base.

In this case, Bank of America might have dodged a major bullet. But that doesn’t mean that they will continue to do so. Thus I hope they look at their processes and security and make sure that they give themselves the best chance of avoiding pwnage.

UPDATE: I have additional commentary. Starting with Paul Valente, CEO & Co-Founder, VISO TRUST:

    “Bank of America’s breach involving IMS is a stark reminder that even the strongest security fortresses can be undermined by exploiting the expanded attack surface connected third party ecosystems represent. CISOs know it’s all too common that companies invest millions in top-notch security only to entrust their data to lesser-known vendors with questionable defenses. Questionnaires won’t cut it – we need a thorough understanding of a vendor’s security program maturity. Time for a reality check in the world of data protection.”


Next up is Craig Harber, Security Evangelist: Open Systems:

   “The Bank of America (BoA) data breach highlights the importance of companies implementing third-party risk management. To protect their customers, companies must implement consistent security standards across their entire business ecosystem to help mitigate cyber-attacks originating through partner and supplier systems.

   “Third-party partners like IMS are critical to most modern businesses, including the financial sector. Unfortunately, these partnerships introduce inherent risks because the resulting interconnected IT/business systems do not deliver the critical trust relationship to prevent supply chain attacks, data breaches, and reputation damage. The notorious ransomware gang LockBit, who claimed responsibility for this attack, exploited this known weakness.

   “To prevent further occurrences, security teams must implement consistent security standards across the entire business ecosystem, including all its subsidiaries’ IT/business systems, not just IMS. Consistent security practices include requiring prompt and regular patching of system vulnerabilities, implementing multi-factor authentication to prevent exploitation of weak credentials, and deploying comprehensive monitoring tools to identify and neutralize cybersecurity threats.”


Finally here’s a comment from Jason Keirstead, VP of Collective Threat Defense, Cyware:

   “Because suppliers have access to sensitive or proprietary information that attackers want to exploit, they need effective cybersecurity controls in place to protect their own systems and data as well as those of their customers. A collective defense approach enhances the cybersecurity posture of both large institutions and their third-party vendors by sharing information and best practices across the supply chain. By working together as a team against common threats, both parties can achieve greater resilience and security than they could individually.”


Dave Ratner, CEO, HYAS:
   “Criminals will often go after a link in the chain, which means they may extract information and data not from the company directly but from targeted contractor agencies. It’s just one more reason why everyone, from enterprises to MSSP and MSP providers, should be implementing cyber resiliency strategies immediately as part of their 2024 initiatives as these kinds of breaches, and worse, will continue to occur.”

Cisco Introduces The Observability for Data Security Posture Management (DSPM) Module

Posted in Commentary with tags on February 13, 2024 by itnerd

In a data-driven world, responsible data handling and compliance with regulatory standards are more crucial than ever for business growth.

Cisco’s recent introduction of the Observability for Data Security Posture Management (DSPM) module is designed to address these challenges and elevate today’s data security practices. The module offers: 

  • Discovery and Classification: Easily identify and secure sensitive data across various data stores. 
  • Data Access Control: Manage user, role, and application access with precision.  
  • Exfiltration Attempt Detection: Stop data breaches with GenAI-powered detection. 
  • Identify Security Risks: Spot vulnerabilities like unencrypted data and dormant users.  

The Data Security module, recently announced at Cisco Live 2024 Amsterdam, is currently available in beta, with general availability planned for spring 2024. In today’s evolving digital realm, robust security controls are paramount. This module enhances business risk observability for cloud environments, offering real-time insights to tackle security issues preemptively.  
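Two of the checks listed above, unencrypted sensitive data and dormant users, are simple enough to show concretely. The script below is an added example and is not Cisco’s code; it runs the two checks over a constructed inventory whose field names, data classes and 90-day dormancy threshold are assumptions standing in for what a real tool would pull from cloud and identity APIs.

```python
"""Posture checks of the kind a DSPM module runs, over a constructed inventory.

Added example, not Cisco's code. The inventory, its field names and the
90-day dormancy threshold are assumptions; a real tool would pull the data
from cloud and identity APIs rather than from literals.
"""
from datetime import datetime, timezone

# Constructed inventory of data stores (hypothetical field names).
DATA_STORES = [
    {"name": "customer-exports", "encrypted_at_rest": False, "classes": ["ssn", "email"]},
    {"name": "app-logs", "encrypted_at_rest": False, "classes": []},
    {"name": "payroll-db", "encrypted_at_rest": True, "classes": ["bank_account"]},
]

# Constructed identity inventory; last_activity is an ISO-8601 UTC timestamp or None.
USERS = [
    {"name": "alice", "last_activity": "2024-02-10T09:00:00Z", "roles": ["reader"]},
    {"name": "svc-legacy", "last_activity": "2023-06-01T12:00:00Z", "roles": ["admin"]},
    {"name": "bob", "last_activity": None, "roles": ["reader"]},
]

# Data classes treated as sensitive for this example.
SENSITIVE_CLASSES = {"ssn", "bank_account", "email"}


def parse_utc(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; None stays None."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unencrypted_sensitive_stores(stores):
    """Stores that hold a sensitive class but are not encrypted at rest."""
    return sorted(
        s["name"]
        for s in stores
        if not s["encrypted_at_rest"] and SENSITIVE_CLASSES.intersection(s["classes"])
    )


def dormant_users(users, now, max_idle_days=90):
    """Users idle longer than max_idle_days, or never active.

    Returns (name, idle_days, privileged) tuples; idle_days is None for
    never-active accounts. Privileged accounts sort first so they get fixed first.
    """
    findings = []
    for u in users:
        last = parse_utc(u["last_activity"])
        idle = None if last is None else (now - last).days
        if idle is None or idle > max_idle_days:
            findings.append((u["name"], idle, "admin" in u["roles"]))
    # Privileged first, then longest idle (never-active counts as longest).
    findings.sort(key=lambda f: (not f[2], -(f[1] if f[1] is not None else 10**9)))
    return findings


def assess(stores=DATA_STORES, users=USERS, now=None):
    """Run both checks; `now` may be an ISO-8601 'Z' string, a datetime, or None."""
    if isinstance(now, str):
        now = parse_utc(now)
    now = now or datetime.now(timezone.utc)
    return {
        "unencrypted_sensitive": unencrypted_sensitive_stores(stores),
        "dormant_users": dormant_users(users, now),
    }


if __name__ == "__main__":
    for kind, items in assess().items():
        print(kind, items)
```

The unencrypted check deliberately ignores stores with no sensitive classes (app-logs here): a DSPM finding is about sensitive data, not every bucket without encryption. The dormancy check reports never-active accounts too, since an account that was provisioned and never used is the classic forgotten credential.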

VMware To Kill The Free Version Of vSphere Hypervisor… Here’s Why That’s A Stupid Move By Broadcom

Posted in Commentary with tags on February 13, 2024 by itnerd

Before I get to what’s in the title above, some background. Last year VMware was sold to Broadcom for a ton of money. Then the first hint that Broadcom was going to try to milk every last cent out of VMware that it could was that it took VMware accounts direct with next to zero notice and terminated VMware’s partner program. All of that made it clear that things with VMware were changing, and not for the better. Today adds another piece to that puzzle with news that the free version of vSphere Hypervisor is being killed:

VMware vSphere Hypervisor (free edition) is no longer available on the VMware website

And:

Along with the termination of perpetual licensing, Broadcom has also decided to discontinue the Free ESXi Hypervisor, marking it as EOGA (End of General Availability).

Regrettably, there is currently no substitute product offered. For further details regarding the affected products and this change, we encourage you to review the following blog post: https://blogs.vmware.com/cloud-foundation/2024/01/22/vmware-end-of-availability-of-perpetual-licensing-and-saas-services/

What this basically means is that Broadcom has pretty much signaled that it is no longer interested in smaller VMware customers. Not only that, the free version was a way for people to become familiar with VMware, especially early in their careers. Because once they were using VMware for free, they’d happily pay for it when they were in a position to recommend it. Now VMware is effectively saying F-U to all those people and the potential revenue that comes from them, albeit delayed. And I’m pretty sure that this is going to come back to bite Broadcom at some point and is quite literally a gift from heaven for companies like Nutanix, Scale Computing or Microsoft. Sales reps in those companies must be run off their feet by VMware customers who want to switch to something other than VMware.

Mark my words, Broadcom has made a major mistake by doing this.

2024 CanTrust Index reveals low trust in building affordable housing and falling trust in Artificial Intelligence 

Posted in Commentary with tags on February 13, 2024 by itnerd

The 2024 CanTrust Index – one of the largest annual studies of trust in Canada, which examines trust in sources of information, institutions and more – shows high economic anxiety, little trust in building affordable housing and declining trust in Artificial Intelligence.   

Economic anxiety in 2024 far surpasses pandemic-related concerns even during the height of COVID-19 in 2022. The study found that two-thirds of Canadians, at 67 per cent, say the economy has increased anxiety and stress in their lives compared to 46 per cent of Canadians in 2022 who reported feeling anxiety and stress from the pandemic.  

Housing trust in the basement 

Trust in Prime Minister Trudeau has dropped significantly from 46 per cent in 2018 to 25 per cent in 2024. Trust in Pierre Poilievre and Jagmeet Singh in 2024 is only slightly higher, with both tied at 32 per cent. The overall trust across Canada in Premiers remains flat at 33 per cent, while trust in politicians in general is at a new low of 17 per cent. 

Just two out of 10 (22 per cent) of Canadians have trust in the federal government to deliver affordable housing, a six per cent drop from 2023. Equally low, provinces and municipalities are tied at only 23 per cent trust to operate affordable housing. 

Trust in Artificial Intelligence declines 

As the use of Artificial Intelligence (AI) advances, trust is fragile and falling with roughly two thirds of Canadians now skeptical. When asked if they trust AI to contribute to the Canadian economy, 33 per cent of Canadians said yes, compared to 39 per cent in 2018. Similarly, 35 per cent of Canadians trust AI to improve their consumer experience, on par with 2018 at 37 per cent. By region, trust in AI in the economy peaks in Quebec at 37 per cent and is lowest in BC at 29 per cent. 

The 2024 study also investigated trust levels in AI to support various sectors. Canadians are skeptical across all sectors, from government at 33 per cent and financial services at 29 per cent to healthcare at 29 per cent and retail at 22 per cent. Each sector has a job to do to build trust as it expands its use of AI. 

Younger generations are more willing to trust AI. When asked if they trust AI to contribute to the economy, 39 per cent of millennials said yes compared to 28 per cent of boomers. Similarly, 43 per cent of millennials trust AI to contribute to the consumer experience compared to 27 per cent of boomers. 

Canadians trust in their inner circle increases 

Anxious about the state of the economy, Canadians are retreating into their inner sphere of trust with the people they are closest to and feel safest with – friends and family. When asked who they trust for reliable information among different categories of people, 76 per cent of Canadians said friends and family, an 11 per cent increase since 2022.   

Leaning on the inner sphere of trust also extends to important issues like climate change. When asked who they trust for reliable information on climate change and its impacts, 54 per cent of Canadians said they trust friends and family, a 14 per cent increase since 2023. 

Trust in doctors, scientists, and educators 

Beyond their immediate circle, Canadians continue to trust professionals for reliable information: doctors at 78 per cent and scientists at 74 per cent (both up five per cent over last year), and educators at 68 per cent (up eight per cent). 

Trust in journalists and the media holds steady 

While some voices continue to decry bias or “fake news,” Canadians’ trust in journalists to deliver reliable information rose three points to 49 per cent in 2024 (higher than many other categories of people including bankers, religious leaders, corporate executives and others), and news on traditional media once again remains the most trusted source of information in general at 56 per cent. 

While charities grow, business is flat 

The charity/NFP sector is steadily building trust, up from 47 per cent in 2022 to 53 per cent in 2024. As examples, the Canadian Red Cross is trusted by 66 per cent and the Nature Conservancy of Canada by 55 per cent. In contrast, trust in large corporations is at 30 per cent and SMBs at 43 per cent. On many urgent issues, the charity sector’s focus on results appears to be building trust. 

Less interest in hearing from business 

The public appetite for business leaders speaking out on issues has declined in the past year. When it comes to important issues like climate change, racism, and social equity, 49 per cent of Canadians believe that business leaders should speak out regularly, compared to 57 per cent in 2022. On topics, 76 per cent of Canadians say that business should speak out on economic matters while only 32 per cent want to hear from them on international conflicts.   

Trust in the election system 

Significant regional and age differences are concerning. In the Prairies, only 36 per cent agree the system is fair, compared to 54 per cent in Ontario and 52 per cent in Quebec. By age, 47 per cent of Gen Z agree the system is fair, compared to 57 per cent of boomers. 

Trust can be grown 

Trust is not binary. While we focus on those who trust, there are large numbers who fall just below our trust threshold (5-7 out of 7) and rate various categories 4 out of 7. These people are a large cross-section of Canada – they trust some and distrust others. These are the swing-vote of trust. This group can be moved to trusting with positive actions and better communication, but if leaders become complacent, it can go in the other direction.

Other survey findings 

  • Trust in Canada’s Central Bank is stable in 2024 at 49 per cent. Trust for the Bank is higher among younger Canadians, with Gen Z at 53 per cent.  
  • Trust in the Canadian military has increased to 59 per cent in 2024 from 52 per cent in 2022. 
  • Trust in the RCMP has increased to 55 per cent in 2024 from 48 per cent in 2022. 
  • For the third year in a row, employees give their employer only a “C” grade for ability to build trust with external audiences. (People employed, including all sectors.) 

About the 2024 Proof Strategies CanTrust Index   

The Proof Strategies CanTrust Index, now in its ninth year, is a leading source of research and understanding of trust in Canada. We study and analyze topics, institutions, events and population segments unique to Canada and surveyed 1,501 Canadians between January 3-13 by online panel. The sample is representative of Canadian population statistics by region, age and gender. Our study uses a 7-point scale with 7 being the highest trust and 1 being the lowest. Respondents choosing 7, 6 or 5 result in the percentages of trust used in this report.    

You can look at the CanTrust Index here.

In Depth: Lincoln Digital Experience And The 2024 Lincoln Nautilus

Posted in Products with tags on February 13, 2024 by itnerd

Last night my wife and I attended an event hosted by Lincoln that was intended to showcase their new 2024 Lincoln Nautilus. This is a 5 passenger mid-sized luxury crossover that is intended to play in the same space as the Lexus RX. But it has one thing that in my mind will make it stand out from the Lexus product. I’ll get to that one thing in a moment. But let’s look at the Lincoln Nautilus:

Lincoln had a black one and a white one on display. Personally I like the white one as it really shows off all the details of the vehicle.

The daytime running lights really stand out from most cars that I see because it really ties in the key elements of the front of the vehicle well.

Even though this is a mid sized crossover, it visually looks bigger because of the long hood. That’s going to give it a lot of presence on the road.

The theme with the lights that you saw at the front continues in the back with a single bar across the back of the vehicle. One thing that I will note is that there’s minimal branding on this vehicle. I am guessing that Lincoln wants to make the design of the vehicle speak for itself.

Now let’s move to the show stopper feature of the Lincoln Nautilus.

Meet Lincoln’s new 48″ 4K panoramic display. This display packs 1000 nits of brightness and insanely high resolution that approaches retina quality. The display is divided up into three parts:

Critical: This is the section of the display in front of the driver. You’ll see your speedometer and other critical driving related info.

Supportive: This is the centre section of the display where mapping and real time traffic info will live.

Glanceable: This is where less important info will live. For example I saw weather, Spotify and Tidal in that section.

This setup is great from a driver’s perspective because when I first saw this display, my concern was that there’s so much here it would be distracting. But clearly Lincoln thought the same thing and went through the time and effort to make that less of a concern.

The infotainment system is powered by Google and Google Assistant allows you to do things like change the temperature in the car via your voice as this is intended to be a voice first system. But if Amazon Alexa or Apple’s Siri is your preference, this system supports that.

That brings me to my next point. Unlike a certain member of the big three North American carmakers who dropped support for Android Auto and Apple CarPlay in their electric vehicles, Lincoln is playing nice with everyone and giving them the choice of both, or just using the Lincoln Digital Experience by itself. And Lincoln gets bonus points for the level of integration that they offer. Have a look at this:

If you have a look at this picture, you’ll see that Apple Maps is on the centre of the 48″ display as well as the lower display. I point this out because most manufacturers do the bare minimum to put Apple CarPlay and Android Auto into their cars. Lincoln has gone the extra mile here and needs to be commended for doing so as it simply creates a much better user experience.

Another thing to point out is that the Lincoln Digital Experience gets access to the Google Play Store. Which means that it will have its own app ecosystem. At launch, you’ll be able to access the following apps:

  • Spotify
  • Amazon Music
  • Audible
  • Tidal
  • iHeartRadio

On top of that, if you’re not driving you’ll be able to use the following apps:

  • YouTube
  • Prime Video

They didn’t stop there. You can browse the web using the Vivaldi Browser app and a Bluetooth keyboard. Google Chrome is coming soon as well. So are video conferencing apps, though I couldn’t get a list of which ones. But I have to assume that the usual suspects being Zoom, Teams, and WebEx will make an appearance. Finally, this system supports games. And it was demoed to me using a Bluetooth connected Xbox controller which allowed me to play a quick game (badly I might add) of Asphalt Nitro 2 which is exclusive to Lincoln. In terms of the quality of the gameplay, my wife commented that this vehicle had a better graphics card than some gaming PCs as the quality was great. I noted a tiny amount of lag that I suspect is due to the controller being connected via Bluetooth. But I would need more time with this vehicle to confirm or deny my suspicions. But that was the only thing that I noted in terms of lag. The Lincoln Digital Experience was otherwise quick and responsive when doing pretty much anything that I tried.

The next thing that I want to touch on is privacy. You might recall last year that privacy within vehicle infotainment systems blew up in the media when it came to light via Mozilla that cars were “rolling privacy nightmares” as they collected all the data they could and sent it to car companies so that said car companies could monetize it. I am going to go out on a limb here and suggest that Lincoln must have taken note of this because the Lincoln Digital Experience at first glance is not a “rolling privacy nightmare”. I was shown where I could allow or deny individual permissions, such as microphone access on a per app basis, as well as stop the Lincoln Digital Experience from communicating with Lincoln at all, as well as controlling any advertising that may pop up. While this is another one of these things that I would need to dig into more to see how far this extends, I am glad to see Lincoln recognize that there are people out there who really care about their privacy, and build an infotainment system that addresses that need.

Wrapping up here, I want to touch on updates and security. This system will get regular over the air updates in the form of updates that enhance the system, updates to apps, and even the monthly Android security updates that Android users are used to. And it’s all done automatically over the air via 5G. That’s good to know because for someone like me who lives in IT and constantly preaches to people to install all available updates to stay secure, I like to see when companies make that process as easy as possible.

The Lincoln Nautilus is hitting dealerships now and starts at $64,395 CDN with your choice of a gas 2L turbo engine or a 2L turbo hybrid engine. While I haven’t driven it, the tech in the Nautilus alone makes it stand out from the competition. Thus it’s very much worth a look if you’re in the market for a five passenger luxury crossover.

MixMode Releases the First-Ever State of AI in Cybersecurity Report 2024

Posted in Commentary with tags on February 13, 2024 by itnerd

MixMode has announced the release of its inaugural State of AI in Cybersecurity Report 2024 today. The report is based on a survey conducted by the Ponemon Institute of US cybersecurity professionals who share how AI is used for cybersecurity in their organizations.

The report provides insights into how organizations are leveraging AI to enhance their security posture and effectively detect and respond to cyberattacks. It also highlights the current and future trends, challenges, and best practices of AI adoption in cybersecurity.

Some of the key findings of the report are:

  • 53 percent of organizations are at the early stages of AI adoption, while only 18 percent are at the advanced stages.
  • 45 percent of organizations experienced one or more cyberattacks in the past year.
  • 70 percent of respondents say AI is highly effective in detecting previously undetectable threats, yet 67 percent use AI mainly to create rules based on known patterns and indicators of cyber threats.
  • Organizations are still feeling the effects of the cybersecurity skills shortage, yet only 50 percent use AI to address the problem.

The report also offers recommendations and best practices for organizations to successfully implement and optimize AI for cybersecurity, such as:

  • Aligning AI initiatives with business goals and security strategies.
  • Investing in training and upskilling security personnel on AI tools and technologies.
  • Evaluating and selecting AI vendors based on their capabilities, performance, and trustworthiness.
  • Implementing a robust governance framework and ethical principles for AI use and oversight.
  • Collaborating and sharing intelligence with other organizations and stakeholders.

Click here to download the report. 

ALPHV Ransomware Group Claims Responsibility For Attacks On Critical Infrastructure In Two Countries

Posted in Commentary with tags on February 13, 2024 by itnerd

The ALPHV ransomware group is saying that they’re behind a pair of attacks on critical infrastructure. One in Spain and one in the US.

If this is true, this is not good news.  Ken Westin, Field CISO, Panther Labs had this to say:

Ransomware groups continue to become more brazen. As organizations and security vendors continue to make ransomware operations more difficult for cybercriminals, we are seeing them target industries they were usually hands-off towards. Targeting critical infrastructure such as the electrical grid may prove to be an error on the ransomware gang’s part as their activities can have an impact on national security which may bring more technical, financial and legal resources to fight the groups conducting these activities.

Everyone needs to protect themselves from these sorts of threat actors. But critical infrastructure requires all the time and effort that’s humanly possible to make sure that they are not easy targets of these threat actors. Because an attack on the wrong piece of infrastructure could cost lives.

Legit Security Releases Industry’s First AI Discovery Capabilities

Posted in Commentary with tags on February 13, 2024 by itnerd

Legit Security, the leading application security posture management (ASPM) platform that enables secure application delivery, today announced the availability of the cybersecurity industry’s first AI discovery capabilities. With these new capabilities, Legit helps bridge the gap between security and development by enabling CISOs and AppSec teams to understand where and when AI code is used and take action to ensure proper security controls are in place – without slowing software delivery.

As developers harness the power of AI and large language models (LLMs) to develop and deploy capabilities more quickly, new risks arise. For example, AI-generated code may contain unknown vulnerabilities or flaws that put the entire application at risk. In addition, AI-generated code can introduce legal issues if copyright restrictions are in place. Another risk is improper implementation of AI features, which can lead to data exposure, such as customers bypassing prompt protections and extracting sensitive data. Despite all this, security teams rarely understand how developers use AI-generated code, resulting in security blind spots that impact both the organization and the software supply chain.

Legit’s platform enables security leaders, including CISOs, product security leaders, and security architects, to gain comprehensive visibility into risks across the development pipeline from the infrastructure to the application layer. With a crystal-clear view of the development lifecycle, customers ensure the code deployed is traceable, secure, and compliant. These new AI code discovery capabilities bolster the platform by closing a significant visibility gap that allows security to take preventive actions, decrease the risk of legal exposure, and ensure compliance.

Legit’s AI code discovery capabilities provide a range of benefits to both security and development teams, including:

  • Discovery of AI-generated code: Legit provides a full view of the development environment, including code derived from AI-generated coding tools (e.g., GitHub Copilot).
  • Full visibility of the dev environment: By gaining a full view of the application environment, including repositories using LLM, MLOps services, and code generation tools, Legit’s platform offers the context necessary to understand and manage an application’s security posture.
  • Security policy enforcement: Legit Security detects LLM and GenAI development and enforces organizational security policies, such as ensuring all AI-generated code gets reviewed by a human.
  • Real-time notifications of GenAI code: Legit can immediately notify security teams when users install AI code generation tools, providing greater transparency and accountability. 
  • Protect against releasing vulnerable code:  Legit’s platform provides guardrails to prevent the deployment of vulnerable code to production, including that delivered via AI tools.
  • Alert on LLM risks: Legit scans LLM applications’ code for security risks, such as prompt injection and insecure output handling.

Read a new blog from the Legit research team to learn more about important security considerations associated with GenAI applications. For more information on the importance of AI discovery, please visit the company’s blog. To learn more about the broader Legit Security platform, please visit https://www.legitsecurity.com.
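The discovery part of the capability list above (which repositories pull in LLM SDKs, and where AI code-generation tools are configured) is something a security team can approximate on its own before buying a product. The script below is an added example and is not Legit Security’s code: it walks a checkout, flags dependency manifests and source files that reference a short list of LLM SDKs, and flags VS Code extension recommendations for Copilot. The package and extension lists are a starting point rather than a complete catalogue, and the sample repository it scans is constructed in a temporary directory so that it runs offline.

```python
"""Minimal AI-usage discovery over a source checkout.

Added example, not Legit Security's code. It walks a tree and flags
dependency manifests and source files that pull in LLM SDKs, plus editor
configs that recommend an AI code-generation extension. The package and
extension lists are assumptions (a starting point, not a catalogue), and
the sample repository is constructed in a temp directory so this runs offline.
"""
import json
import os
import re
import tempfile

# LLM SDKs to look for in manifests and imports (PyPI / npm names, lower-case).
LLM_PACKAGES = {"openai", "anthropic", "langchain", "transformers", "cohere", "@anthropic-ai/sdk"}
# VS Code extension ids for AI code generation (compared case-insensitively).
AI_CODEGEN_EXTENSIONS = {"github.copilot", "github.copilot-chat"}

PY_IMPORT_RE = re.compile(r"^\s*(?:import|from)\s+([A-Za-z_]\w*)", re.MULTILINE)
JS_IMPORT_RE = re.compile(r"""(?:require\(|from\s+)['"](@?[\w\-.]+(?:/[\w\-.]+)?)['"]""")


def scan_requirements(text):
    """Package names from a pip requirements file, version specifiers stripped."""
    found = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        name = re.split(r"[<>=!~\[;\s]", line, maxsplit=1)[0].lower()
        if name in LLM_PACKAGES:
            found.add(name)
    return found


def scan_package_json(text):
    """LLM packages listed under dependencies or devDependencies."""
    data = json.loads(text)
    deps = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(data.get(key, {}))
    return {d.lower() for d in deps if d.lower() in LLM_PACKAGES}


def scan_python_imports(text):
    """Top-level modules imported by a Python file that are LLM SDKs."""
    return {m.lower() for m in PY_IMPORT_RE.findall(text) if m.lower() in LLM_PACKAGES}


def scan_js_imports(text):
    """Modules required/imported by a JS or TS file that are LLM SDKs."""
    return {m.lower() for m in JS_IMPORT_RE.findall(text) if m.lower() in LLM_PACKAGES}


def scan_vscode_extensions(text):
    """AI code-generation extensions recommended by .vscode/extensions.json."""
    recs = json.loads(text).get("recommendations", [])
    return {r.lower() for r in recs if r.lower() in AI_CODEGEN_EXTENSIONS}


def discover(root):
    """Map of repo-relative path -> sorted findings, for files with any finding."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8") as fh:
                text = fh.read()
            if fname == "package.json":
                found = scan_package_json(text)
            elif fname.startswith("requirements") and fname.endswith(".txt"):
                found = scan_requirements(text)
            elif rel.endswith(".vscode/extensions.json"):
                found = scan_vscode_extensions(text)
            elif fname.endswith(".py"):
                found = scan_python_imports(text)
            elif fname.endswith((".js", ".ts", ".mjs")):
                found = scan_js_imports(text)
            else:
                found = set()
            if found:
                results[rel] = sorted(found)
    return results


# Constructed sample repository used by demo(); none of this is real project code.
SAMPLE_FILES = {
    "requirements.txt": "flask==3.0.0\nopenai>=1.0\nrequests\n",
    "package.json": json.dumps({"dependencies": {"express": "^4.18", "@anthropic-ai/sdk": "^0.1"}}),
    "app/bot.py": "import os\nfrom openai import OpenAI\n\nclient = OpenAI()\n",
    "web/client.js": "const express = require('express');\n",
    ".vscode/extensions.json": json.dumps({"recommendations": ["GitHub.copilot", "ms-python.python"]}),
    "README.md": "# demo\n",
}


def write_sample_repo(root):
    """Materialise SAMPLE_FILES under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the constructed repo in a temp dir and run discovery on it."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_repo(root)
        return discover(root)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(f"{path}: {', '.join(findings)}")
```

Run against a real checkout with `discover("/path/to/repo")`. The editor-config check is the weakest signal, since developers can install Copilot without the repository recommending it; the manifest and import checks are the ones to wire into CI, where a new hit on a repository that previously had none is the event worth alerting on.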