The infosecurity world came together in Las Vegas this week for Black Hat USA 2024, offering presentations and product announcements that will give CISOs a lot to think about.
Here are the top takeaways CISOs should keep in mind when adapting their cybersecurity strategies going forward.
[For more Black Hat USA coverage, see “Black Hat: Latest news and insights.”]
Cloud security under scrutiny
Security researchers from Aqua Security used a presentation at Black Hat to outline how they uncovered security flaws involving the automated provisioning of AWS S3 storage buckets.
The attack vector — dubbed Shadow Resource — created a potential mechanism for AWS account takeover, data breaches, and even remote code execution.
Predictable bucket naming conventions created a potential mechanism for attackers to wait for targeted users to enable vulnerable services, potentially resulting in sensitive data and configurations being scooped up into attacker-controlled buckets.
Six AWS cloud services were potentially vulnerable: CodeStar, CloudFormation, EMR, Glue, ServiceCatalog, and SageMaker.
The issues were responsibly disclosed to Amazon Web Services prior to Aqua Security’s presentation, allowing AWS to resolve the vulnerabilities, which it has done.
CSO’s Lucian Constantin dives into the details of the shadow bucket attack and potential remediation steps here.
Separately, Symantec warned that an increasing number of hacking groups are abusing cloud-based services from Microsoft and Google for command and control and data exfiltration. Abusing widely used services such as Google Drive and Microsoft OneDrive gives attackers greater stealth because it makes malicious communications harder to detect.
The tactic is not new, but it’s evolving to become a bigger threat. And when viewed in conjunction with the AWS vulnerabilities, as well as presentations on the cloud as the seat of initial access and a potential route to privilege escalation, it’s clear that cloud security remains a key concern for enterprises today.
CrowdStrike meltdown emphasizes cyber-resilience
The July CrowdStrike-Microsoft meltdown was fresh in the minds of delegates to Black Hat this week.
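As an added defensive example (not from Aqua Security’s research or the article), the control below is an IAM policy statement that denies S3 access to any bucket not owned by the caller’s own AWS account, so a service or user tricked into writing to a predictably named bucket that an outsider pre-created is blocked. The weak baseline is the same `s3:*` permission with no `Condition` at all; `aws:ResourceAccount` and `aws:PrincipalAccount` are real IAM global condition keys, and the `Sid` is a placeholder name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3ToBucketsOutsideThisAccount",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
```

Apply it as a service control policy or attach it to the roles that AWS services assume on your behalf; any workload that legitimately exchanges objects with another account’s bucket needs an explicit exception listing that account ID.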
During the opening keynote roundtable, Hans de Vries, COO of the European Union Agency for Cybersecurity, warned delegates that the industry needs to be prepared for more supply chain attacks, which, like the CrowdStrike validation failure, put CISOs’ resiliency plans to the test.
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, said the incident emphasizes the importance of security vendors adopting a secure by design approach. Organizations need to bolster their cyber resilience, Easterly said, according to Secure Computing, adding that adversarial nations such as China or North Korea would likely exploit any weaknesses.
During the conference, CSO Online caught up with CrowdStrike’s counter adversary team to talk about the latest tactics of North Korean state-sponsored hackers and others.
Patching is no panacea
The comforting notion that simply keeping systems patched and up to date was enough to safeguard security took a serious knock with the release of a presentation from SafeBreach at Black Hat.
SafeBreach security researcher Alon Leviev explained how it could be possible to downgrade systems via Windows Update, exposing them to old vulnerabilities, through a form of version rollback attack.
The so-called Windows Downdate attack relies on hijacking the Windows Update process to craft custom downgrades of critical OS components, elevate privileges, and bypass security features.
In a statement, Microsoft said it isn’t aware of any attempts to exploit this vulnerability. The software giant has published two advisories (including CVE-2024-21302) offering recommended actions and detection guidance while it works on delivering more comprehensive mitigations.
CSO’s Gyana Swain has more on the Windows Downdate attack here.
AI is a double-edged sword
AI, particularly generative AI and large language models (LLMs), was a major focus at Black Hat.
Many sessions explored the risks and vulnerabilities associated with AI technologies.
For example, security researchers from Wiz outlined their research into hacking AI infrastructure providers. The work uncovered novel attack techniques to break into AI-as-a-service providers, including Hugging Face and Replicate.
“On each platform, we used malicious models to break security boundaries and move laterally across the underlying infrastructure of the service,” according to the researchers. The research opened the door to accessing customers’ private data, including private models, weights, datasets, and even user prompts.
In another session, a security architect from chip giant Nvidia’s Red Team offered practical findings around LLM security, including the most effective offensive and defensive security strategies and methodologies.
Black Hat also offered a space for cybersecurity vendors to launch new products and services. Many vendors have added AI-based capabilities to their technologies, as detailed in CSO’s roundup of product releases.
CISOs face personal jeopardy from corporate breach handling
A session titled “Skirting the Tornado: Essential Strategies for CISOs to Sidestep Government Fallout in the Wake of Major Cyberattacks” highlighted strategies that CISOs should apply to stay on the right side of regulators in the event of security breaches.
Recent cases, such as that of SolarWinds’ Tim Brown, have highlighted how senior security staff face individual regulatory and criminal liability for alleged corporate reporting failures.
The session covered practical strategies to mitigate damage, ensure IT compliance, and maintain stakeholder trust in an environment of increasing regulatory pressure.