The infosecurity world got here collectively in Las Vegas this week for Black Hat USA 2024, providing shows and product bulletins that can give CISOs loads to contemplate.
Listed below are the highest takeaways CISOs ought to have in mind when adapting their cybersecurity methods going ahead.
Cloud security underneath scrutiny
Safety researchers from Aqua Safety used a presentation at Black Hat to stipulate how they uncovered security flaws involving the automated provisioning of AWS S3 storage buckets.
The assault vector — dubbed Shadow Useful resource — created a possible mechanism for AWS account takeover, data breaches, and even distant code execution.
Predictable naming conventions of buckets created a possible mechanism for attackers to attend for focused customers to allow weak providers, probably leading to delicate information and configurations been scooped up into attacker-controlled buckets.
Six AWS cloud providers have been probably weak: CodeStar, CloudFormation, EMR, Glue, ServiceCatalog, and SageMaker.
The issues have been responsibly disclosed to Amazon Internet Providers previous to Aqua Safety’s presentation, permitting AWS to resolve the vulnerabilities, which it has carried out.
CSO’s Lucian Constantin dives into the main points of the shadow bucket assault and potential remediation steps right here.
Individually, Symantec warned that an rising variety of hacking teams are abusing cloud-based providers from Microsoft and Google for command and management and information extraction. Abusing extensively used providers akin to Google Drive and Microsoft OneDrive provides attackers better stealth as a result of it makes malign communications tougher to detect.
The tactic will not be new, however it’s evolving to develop into a much bigger menace. And when seen along side the AWS vulnerabilities, in addition to shows on the cloud because the seat of preliminary entry and a possible for privilege escalation, it’s clear that cloud security stays a key concern for enterprises as we speak.
CrowdStrike meltdown emphasizes cyber-resilience
The July CrowdStrike-Microsoft meltdown was recent within the thoughts of delegates to Black Hat this week.
Through the opening keynote roundtable Hans de Vries, COO of the European Union Company for Cybersecurity, warned delegates that the business must be ready for extra provide chain assaults, which just like the CrowdStrike validation failure, put CISO’s resiliency plans to the check.
Jen Easterly, director of the US Cybersecurity and Infrastructure Safety Company, mentioned the incident emphasizes the significance of security distributors growing a safe by design method. Organizations must bolster their cyber resilience, Easterly mentioned, in response to Safe Computing, including that adversarial nations akin to China or North Korea would doubtless exploit any weaknesses.
Through the convention, CSO On-line caught up with CrowdStrike’s counter adversary workforce to speak in regards to the newest ways of North Korean state-sponsored hackers and others.
Patching isn’t any panacea
The comforting notion that merely retaining methods patched and updated was sufficient to safeguard security took a critical knock with the discharge of a presentation from SafeBreach at Black Hat.
SafeBreach security researcher Alon Leviev defined the way it could be attainable to downgrade methods by way of Home windows Replace, exposing them to previous vulnerabilities, by a type of model rollback assault.
The so-called Home windows Downdate assault depends on hijacking the Home windows Replace course of to craft customized downgrades on important OS elements, elevate privileges, and bypass security options.
In an announcement, Microsoft mentioned it isn’t conscious of any makes an attempt to use this vulnerability. The software program large has revealed two advisories (together with CVE-2024-21302) providing advisable actions and detection whereas it really works on delivering extra complete mitigations.
CSO’s Gyana Swain has extra on the Home windows Downdate assault right here.
AI is a double-edged sword
AI, notably generative AI and enormous language fashions (LLMs), was a big focus at Black Hat.
Many classes explored the dangers and vulnerabilities related to AI applied sciences.
For instance, security researchers from Wiz outlined their analysis into hacking AI infrastructure suppliers. The work uncovered novel assault strategies to interrupt into AI-as-a-service suppliers, together with Hugging Face and Replicate.
“On every platform, we utilized malicious fashions to interrupt security boundaries and transfer laterally throughout the underlying infrastructure of the service,” in response to the researchers. The analysis opened the door to accessing clients’ non-public information, together with non-public fashions, weights, datasets, and even person prompts.
In one other session, a security architect from chip large Nvidia’s Purple Group provided sensible findings round LLM security, together with the best offensive and defensive security methods and methodologies.
Black Hat additionally provided an area for cybersecurity distributors to launch new services and products. Many distributors have added AI-based capabilities to their applied sciences, as detailed in CSO’s roundup of product releases.
CISOs face private jeopardy from company breach dealing with
A session titled “Skirting the Twister: Important Methods for CISOs to Sidestep Authorities Fallout within the Wake of Main Cyberattacks” highlighted methods that CISOs ought to apply to remain on the fitting aspect of regulators within the occasion on security breaches.
Current instances, akin to that of SolarWinds’ Tim Brown, have highlighted how senior security employees face particular person regulatory and prison legal responsibility for alleged company reporting failures
The session lined sensible methods to mitigate harm, guarantee IT compliance, and preserve stakeholder belief in an setting of accelerating regulatory strain.
