Panel Summary: Best Practices for Tackling OWASP’s Top 10 Web Security Threats

Table of Contents

  1. What is OWASP? 
  2. Mitigation of the OWASP Top 10 

The OWASP Top 10 is a well-known list of web application security risks that has been a prominent reference for many years. However, effectively addressing these threats within your organization can be a challenge. 

Fortunately, six industry experts joined forces to tackle the OWASP Top 10. In their session, they discussed crucial topics such as implementing secure coding practices and integrating DevSecOps methodologies. They also explored various strategies aimed at enhancing authentication and access control measures.

By drawing insights from these experts, you can gain valuable guidance on mitigating the risks outlined in the OWASP Top 10 and fortify your application security framework. 

What is OWASP? 

OWASP stands for the Open Web Application Security Project. It’s a valuable resource catering to individuals from both technical and non-technical backgrounds, providing knowledge about security issues that can arise in applications. One of OWASP’s notable contributions is the OWASP Top 10, which highlights the ten most frequently occurring application security risks. This list serves as a valuable reference for developers, security professionals, and organizations to prioritize their security efforts. Additionally, OWASP offers local chapters and contributes to the community through various tools and projects aimed at improving application security.

However, it’s important to note that while the OWASP Top 10 is a valuable resource, it’s not the definitive answer to all security challenges. Staying informed about new risks, utilizing appropriate tools, and leveraging evolving frameworks are key strategies for effectively managing security challenges. 

Let’s dive into how to mitigate the risks outlined in the OWASP Top 10. 

Mitigation of the OWASP Top 10 

Implementing Secure Coding Practices 

To effectively mitigate the OWASP Top 10, implementing secure coding practices is a crucial step. To help developers code more securely, it’s important to start with the basics and ensure a clear understanding of what security entails. While security is often viewed as a burden, developers need to comprehend the long-term implications and consequences of overlooking threats that could have been addressed earlier. Emphasizing that prioritizing security benefits everyone in the long run is essential.

Education plays a critical role in promoting secure coding practices. Developers learn best through hands-on experience, so the “learning by doing” principle is a powerful tool. By encouraging developers to apply secure coding principles in practice, they can gain valuable experience and improve their skills. Emphasizing a “secure by design, secure by default” approach helps build a solid foundation for secure software development. 

Additionally, threat modeling is an effective technique for identifying potential vulnerabilities and assessing their impact on the system. It involves analyzing the various components and interactions within the system to determine potential security risks and their impact. Resources such as the Threat Modeling Manifesto and Threat Modeling: Designing for Security by Adam Shostack can provide valuable guidance in this area.

By establishing a solid foundation of secure coding principles, emphasizing education and hands-on learning, and integrating threat modeling into the development process, organizations can empower developers to code more securely and build robust software systems.

Integrating DevSecOps Methodologies

DevSecOps is a cultural shift that integrates security into the entire software development life cycle (SDLC). While implementing DevSecOps may seem overwhelming, starting small with a team-by-team approach is recommended. This gradual implementation allows for a more manageable transition, considering the complexity of integrating security into the development process. By fostering collaboration between security and development teams, organizations can maximize the benefits of DevSecOps and avoid conflicts and delays.

To demonstrate the value of DevSecOps and gain stakeholder support, it is important to focus on clear metrics. Overcoming the perception that security is solely a policing function requires emphasizing its ongoing commitment and integrating it into the organizational culture. Compliance plays a crucial role in driving the adoption of DevSecOps, ensuring regulatory requirements are met and attracting customers who value strong security practices. Embracing DevSecOps leads to enhanced security, improved efficiency, faster time-to-market, increased customer trust, and a competitive edge.

Strengthening Authentication and Access Control

Authentication and Access Control pose a significant challenge for organizations. To effectively tackle this issue, organizations should focus on best practices and avoid reinventing the wheel. It is crucial for everyone involved to understand the implications and possess foundational knowledge, including proper user authentication and the use of features like two-factor or multi-factor authentication for heightened security.

Simplicity is key in authentication and authorization. Implementing multiple different mechanisms for authentication and authorization should be avoided. Instead, organizations should strive to standardize their approach and select a single, robust method that aligns with industry best practices. This approach streamlines processes, reduces complexity, and enhances overall security. By adhering to these principles, organizations can strengthen their authentication and access control measures, creating a more secure environment for their users.

A Proactive Approach to Application Security 

The rapid advancement of technology and the growing interconnectedness of systems have led to a constantly evolving application security landscape. This dynamic environment brings forth new challenges and threats that organizations need to address. Cybercriminals, taking advantage of vulnerabilities, continuously develop innovative methods to breach security measures.

To effectively tackle these risks, it is crucial to stay informed about the OWASP Top 10, which provides insights into the most common vulnerabilities impacting application security today. By understanding these risks, organizations can implement robust security measures and make informed decisions during application development and release. Embracing this proactive approach to application security enables the release of more secure applications, the safeguarding of critical data, and the maintenance of stakeholder trust.

Benefits of AppSec Education and Gamification

Table of Contents

  1. Importance of Education
  2. Fantasy… AppSec? 
  3. Looking For Security Champions
  4. Conclusion

If you’ve been keeping up with the AppSec world recently, you’ll have noticed that it’s all a bit in a frenzy between the AI wreaking havoc and the legacy tools struggling to keep up with the demands. 

The sudden emergence of ChatGPT created an amazing tool for developers to speed up their processes. Still, it also amplified secure coding issues, as it proved that AI tools don’t really keep security in mind when generating code.

It’s in this exact environment where you need to amp up the focus of your employees on security because the pitfalls are everywhere. 

Importance of Education

Even though most employees would be reluctant to complete those somewhat boring and time-demanding educational tasks, it’s something that has to be a priority in 2023. And it’s not just the developers that have to go through this, either. The chain is only as strong as its weakest link – and this rings especially true in the cybersecurity world – implying that you cannot put any single one of your employees aside and have them ignore the safety measures.

This is where gamification of the educational AppSec content comes in. It allows for a fun experience and competition, creating an environment where educating and learning come naturally, without a lot of added effort and pressure. 

Fantasy… AppSec? 

If you’ve ever played fantasy sports with your friends or colleagues – as I sure have – you’ll know that it amplifies the match-watching experience. Well, the same rings true with AppSec. If you had means of poking fun at each other, competing, and creating a flourishing atmosphere, all while actually learning and making your company safer by the day, that would be a nice combo, wouldn’t it?

We at Bright looked at this issue and found that learning while having fun is a far more attractive proposition than just staring at the content without stakes or rewards at hand. This approach allowed us to develop our cybersecurity skills and create bonds within the teams as a direct result of competing and working together.

Looking For Security Champions

Gamification of educational AppSec content can generate amazing opportunities, including potentially finding hidden gems within your companies. As we all know, the role of a security champion still isn’t a very refined one, and you may have a few potential candidates “hiding” in plain sight. By introducing a competition-and-award system, you might just find that someone you didn’t expect is a master of solving security-related issues, thus giving you a long-term in-house solution for cybersecurity problems.

Conclusion

We should all strive to make our working environment a more fun and engaging place each day. Education through gamification strikes an excellent balance: it is something you can use for the long-term security of your company without antagonizing your employees and colleagues by putting them through exhausting sessions, which quite often have the opposite effect, with people just going through the motions without actually paying attention.

Activities and Opportunities at RSA Conference 2023

Table of Contents

  1. Visit our Booth 
  2. DAST Patrol: Snapping the Cyber Suspect
  3. Evolution Equity Partners Portfolio Showcase and Cocktail Reception 
  4. Israel Lounge 
  5. Cyber Fangs Lunch
  6. ProjectDiscovery Happy Hour 
  7. Netskope Partner Mixer 
  8. The Cyber Breakfast Club
  9. Giants VS Cardinals Luxury Suite 
  10. YL Ventures & Portfolio Cocktail Party 
  11. Networking opportunities 
  12. Unofficial Guide to Activities and Vendor Parties

RSA conference is fast approaching and we want you to stay informed about everything that’s happening. As we gear up for this exciting event, we want you to be in the know of the range of activities designed to explore the fascinating world of AppSec. From 1:1 demos and giveaways to cocktail hours, we’ll be offering a variety of opportunities to learn about the latest trends and techniques in application security. 

Below is a quick overview of the activities happening at RSA. Get ready to connect with other professionals in your field, share knowledge, and gain new insights. Whether you’re looking to expand your professional network or deepen your understanding of the latest trends in the industry, this event has it all. We hope you’ll join us for this unforgettable experience and take advantage of all the opportunities available to you. 

Visit our Booth 

Are you looking to take Application Security to the next level with DAST? Stop by our booth #28 to engage with our team and discuss how you can take the first steps towards automating security testing in your development pipelines. Our experts are on hand to provide valuable insights and guidance on how you can leverage DAST to enhance your application security. Additionally, book some 1:1 time with our team to get a personalized experience and explore how DAST can work best for your specific needs. 

DAST Patrol: Snapping the Cyber Suspect

Come to our mini-booth at 814 Mission Street (Filipino Cultural Center), 94103 San Francisco anytime during business hours between Tuesday, April 25th and Thursday, April 27th to become the cyber suspect of our fun photo display, and win a $25 gift card. 

We also have plenty of swag and other giveaways available for all visitors to our booth as well as at the mini-booth at the Mission Street location. Don’t miss out on the opportunity to win big and take home some cool prizes. Come join in the fun!

Evolution Equity Partners Portfolio Showcase and Cocktail Reception 

Join Evolution Equity Partners on Wednesday, April 26th from 4:00-6:30 pm for an unforgettable evening of networking and celebration. The event will feature a portfolio showcase, providing a unique opportunity to meet with cybersecurity leaders and learn about the next generation of companies that are working to safeguard our digital world. After the showcase, stick around for a fun and engaging cocktail reception, where you can enjoy a tasting tour of whiskey from around the world, as well as a selection of delicious canapes and other beverages and cocktails.

Israel Lounge 

Join us at the Israel Lounge reception on Thursday, April 27th, from 9:00 am to 3:00 pm. The reception will showcase 25 of the leading Israeli cyber security companies, offering you the opportunity to network with industry experts and explore innovative tech solutions. There will be food and drinks available for you to enjoy throughout the event. Sign up to discover cutting-edge technology and meet the key players in the Israeli cyber security scene.

Cyber Fangs Lunch

On Monday, April 24th, Cyber Fangs will be hosting an exclusive lunch event from 12:00-2:00 pm. This event is specifically for Chief Marketing Officers (CMOs) and marketing leads in the cyber security industry, with a cap of no more than 50 attendees. The focus of the event is to facilitate constructive discussions on the future of PR and marketing in the industry. 

ProjectDiscovery Happy Hour 

ProjectDiscovery invites you to join their happy hour event during the conference. Taking place on Tuesday, April 25th from 4:45-7:00 pm, this event promises to be an excellent opportunity to mingle with other cybersecurity professionals while enjoying some drinks, demos, and community building. Come and network with other industry experts who share your passion for cybersecurity. 

Netskope Partner Mixer 

Netskope is extending an invitation to join them at their annual partner mixer on April 25th from 5:00 – 7:30 pm. This event provides an opportunity for partners to meet the leadership team and learn more about how they can protect their customers while making money with Netskope. The annual partner mixer is an excellent way to stay up to date with the latest innovations in cloud security and gain a competitive edge in the market. 

The Cyber Breakfast Club

The Cyber Breakfast Club is a private group that connects cybersecurity executives and leaders over breakfast. Join them on April 26th from 8:00 – 9:30 am to network with other cybersecurity professionals, share your experiences, and learn from your peers. Sign up for breakfast, networking, and peer-to-peer discussion that promises to be both informative and enjoyable.

Giants VS Cardinals Luxury Suite 

Netskope, Stellar Cyber, and Illumio are inviting you to be their honored guest at a baseball game in their luxury suite on April 26th at 6:00 pm. Join other industry peers to unwind after a busy day at the RSA event. This is an excellent opportunity to network and socialize with other professionals while enjoying a baseball game in a relaxed and comfortable environment. Take a break from the hustle and bustle of the RSA event and enjoy some leisure time while still expanding your network. 

YL Ventures & Portfolio Cocktail Party 

YL Ventures and their portfolio companies, Cycode, Enso, Opus, Satori, Valence, Vulcan, and Spera, invite you to a networking event like no other. Taking place on Wednesday, April 26th at 6:00 pm, this event promises great food, drinks, and outstanding company. Join them and network with a distinguished group of cybersecurity leaders, while also getting to know the exciting and innovative companies that make up YL Ventures’ impressive portfolio. 

Networking opportunities 

RSA offers multiple opportunities for you to network with your peers and experience hands-on activities. From the welcome reception to the Expo pub crawl, women’s networking reception, and more, there’s something for everyone. We encourage you to check out all the opportunities available throughout the week and take advantage of as many as possible. 

Unofficial Guide to Activities and Vendor Parties

Are you looking for some extra excitement at RSA? Look no further! Check out the unofficial list of activities and vendor parties to make the most of your time at the conference. There are a ton of things happening each day, so you’ll have plenty of options to choose from. With so much going on, it’s going to be a jam-packed week!

The Reports of My Death Have Been Greatly Exaggerated: How DAST Is Reinventing Itself

Table of Contents

  1. Adapting to development velocity: Seamless Integration in the Development Pipeline
  2. Minimizing False Positives
  3. Detecting Business Logic Vulnerabilities
  4. Language-Agnostic Testing
  5. Empowering Security Champions

A recent post on Boring AppSec touted the diminishing value of Dynamic Application Security Testing tools.

However, contrary to this post and despite the rapid pace of technological advancements that often renders many solutions obsolete, some DAST solutions have adapted and remain more relevant than ever in 2023.

Adapting to development velocity: Seamless Integration in the Development Pipeline

To meet the increasing demand for faster deployment, developer-centric DAST has adapted by integrating itself seamlessly into the software development lifecycle (SDLC). Shifting left and testing earlier in the pipeline offers significant time and cost savings through timely detection and remediation. Solutions like Bright go even a step further – we’ve integrated our scanner into the unit testing phase, revolutionizing the whole process by testing applications very early in the SDLC. 

Indeed, AppSec professionals, regardless of how good they are, cannot scale nearly at the rate of dev-centric DAST due to the very high ratio of developers to AppSec professionals and the increased demand due to frequent deployments by development. 

Therefore, instead of AppSec professionals testing each and every scan, with a dev-centric DAST, AppSec can provide governance, guidance and validation while developers can manage incremental scans early in the dev lifecycle, analyze the results presented in a dev-friendly way and remediate vulnerabilities based on clear remediation guidelines. Developers can also self-onboard with minimal AppSec assistance and immediately deliver comprehensive results. 

This enables organizations to scale their application testing endlessly across different platforms without skipping a beat. This saves countless hours of work, and with it, money – plus, it allows for AppSec professionals to focus on more pressing issues beyond analyzing each and every deployment.

Minimizing False Positives

One challenge DAST (and many other AppSec solutions) faced is the prevalence of false positives. Many tools have been designed with only the AppSec professional in mind and without regard for minimizing false positives, which easily overwhelm developers and put additional pressure on AppSec professionals to triage them. However, modern DAST solutions are purpose-built for both AppSec and developers, minimizing false positives and enabling developers to focus on building and developing instead of sifting through misleading information.

Detecting Business Logic Vulnerabilities

As demand for detecting business logic vulnerabilities increases, many application security testing tools struggle to meet this challenge. Modern DAST, however, is capable of identifying these vulnerabilities across both WebApps and APIs by emulating a hacker’s behavior and testing every possible user flow until it uncovers the vulnerability. This advanced capability sets solutions such as Bright apart from other DAST solutions, allowing for a more thorough security analysis.

Language-Agnostic Testing

Unlike other application security testing tools, DAST is not language-dependent. This versatility allows it to accommodate diverse and dynamic development teams, keeping track of security features regardless of programming language differences. This ensures that no application is left untested, providing comprehensive protection across the organization.

Empowering Security Champions

The concept of security champions is still relatively new and underdeveloped. As the industry continues to grow and more security champions emerge, their role in supporting developers and bridging the gap between AppSec and development becomes increasingly important. By providing training and resources for these champions, organizations can further enhance their security posture and streamline the integration of DAST into the development process.

In conclusion, DAST’s ability to adapt and provide a simple, developer and AppSec friendly solution that effectively detects vulnerabilities without false positives ensures its continued relevance in the cybersecurity landscape. As organizations recognize the value of robust and flexible security testing tools, the resurgence of DAST will only continue to gain momentum.

Key Benefits of Modern DAST:

  1. Fast, seamless integration into the development pipeline through early SDLC integration (SecTester)
  2. Capable of detecting business logic vulnerabilities
  3. User-friendly, low-maintenance, and developer-centric approach
  4. Security champions can bridge the gap between AppSec and development
  5. Minimizes false positives, avoiding unnecessary distractions for developers
  6. Language-agnostic, accommodating diverse programming languages
  7. Efficiently tests APIs, ensuring comprehensive security coverage

Legacy DAST is dead, LONG LIVE MODERN DAST!

How ChatGPT Changes the Cybersecurity Landscape

Table of Contents

  1. What is ChatGPT
  2. ChatGPT in Cybersecurity
  3. Phishing Attack
  4. Conclusion

What is ChatGPT

Unless you’ve been living under a rock, you’ve heard of the breakthrough technology that is ChatGPT. However, ChatGPT in itself is just the tip of the iceberg. What lies underneath is GPT-3 (Generative Pre-trained Transformer 3), a large language model with an unprecedented amount of processing power and computing capability.

The arms race for the best AI out there is in full force. Google already announced Google Bard, a tool that they hope will challenge OpenAI with the ability to scour the internet, which is one of the pain points of ChatGPT. Chatsonic is another challenger – an AI tool built on top of ChatGPT that inherits the might of its sibling, but with the added benefit of accessing Google’s search engine. It makes for an interesting battle that will surely rapidly develop into some miraculous solutions in the years to come.

However, as things stand, GPT-3 is firmly on the throne.

To even try to grasp the might of GPT-3, let’s take a look at some data. According to Sigmoid, GPT-3 has more than 175 billion machine learning parameters, dwarfing Microsoft’s Turing NLG, which had ‘just’ 17 billion parameters. As time goes on, ChatGPT will only become more powerful, as its creators, OpenAI, also use reinforcement learning from human feedback: they employ trainers specifically tasked with talking to the model and giving it feedback, which then rolls into the vast training data, creating a mighty product for us to use.

ChatGPT in Cybersecurity

You’ll often find that the barrier to entering the cybersecurity world can be pretty high. There’s so much knowledge you need to consume before getting started on your journey to become a cybersecurity expert, that for most people, it’s not worth it. 

However, that changes with ChatGPT. With its ability to instantly generate code, it enables even just curious enthusiasts to give cybersecurity a shot. This could very well result in a dramatic rise of cybersecurity attacks across the globe, as the number of potential hackers will rise up like never before due to the simplicity of using a tool such as ChatGPT. Suddenly, the barrier to entering the cybersecurity world went down. No more dark terminals, lengthy books, and frustrations – now you just have to fire up the good ol’ AI and you’re good to go, right?

Well, not so fast.

While it is true that ChatGPT is indeed capable of writing malware, apparently the quality isn’t up to the standard. This is clearly some good news, but it’s not all roses; there are plenty of ways clever hackers could use ChatGPT, even if their prompts don’t look ominous on the surface. 

BlackBerry conducted a survey that returned some alarming results. Of the 1,500 respondents, more than half (51%) predicted there would be a cybersecurity attack credited to ChatGPT in the upcoming year. While it’s hard to expect large-scale cybersecurity attacks to go off immediately, smaller-scale activity might go off the rails, and there’s a good reason why.

Phishing Attack

It’s globally the most common and most frowned-upon method of hacking – the phishing attack. Why has it made its way into a ChatGPT article, you ask? Well, the answer is quite simple, yet scary.

Phishing attacks could run riot in the upcoming months. 

For those who don’t know, a phishing attack is scamming a person into giving their sensitive data by pretending to be someone else. It could be an email that looks just like a legit company’s would, but with slight changes that an end-user wouldn’t notice, or it could be a full-fledged clone of an existing website, where the victim would enter their data thinking it was a normal website, thus giving away the sensitive info. 

With ChatGPT being able to create code to build websites, cloning existing websites and writing convincing emails has never been easier. This is why you must be extra careful these days – always double-check the URL of the website you’re visiting and make sure that the emails you exchange are coming from the right sources.

It’s not only visuals either; ChatGPT enables hackers to easily generate convincing emails in any language they want. This used to be a big barrier for a lot of non-English hackers as people would quickly recognize broken grammar, but the game has changed now and nobody is off limits. 

Conclusion

The time of artificial intelligence has come and it’s not going away anytime soon. With that, we must adapt rather than find a way to get around it. The reality is that machine learning models will only get more powerful as they rapidly gather more data and build on an already fascinating structure.

It’s not just the cybersecurity world that’s in danger. ChatGPT could also be used for some criminal actions as some authors already found a way of getting the program to explain how to create an explosive or hand out practical tips for shoplifting. 

While we can’t help you with protecting your physical goods, we certainly can do something about your digital security. Bright allows you to create a safe environment for your apps by finding vulnerabilities early in the SDLC, which allows you to react quickly and remediate on time. Just as ChatGPT simplifies cybersecurity attacks, we at Bright simplify protection, and you’ll find that our dev-centric solution could be the very thing that successfully protects your applications from ominous intents.

Password Managers: Friends or Foes?

Table of Contents

  1. The Case of LastPass 
  2. Let’s talk about the timeline
  3. What Does This Mean For Users? 
  4. How to Protect Yourself 
  5. What does this mean for LastPass’ future?

So, you recently decided to purchase a password manager. It is time to say goodbye to remembering an endless number of passwords or storing your passwords in unsafe locations (please, not on a post-it note on your desk!). Your passwords are safe, and you no longer need to worry about your data becoming compromised. Life just got a whole lot easier, right? Not necessarily. Although password managers are beneficial tools for keeping your passwords organized and encrypted in a single place, no solution is perfect. 

The Case of LastPass 

The password management service LastPass reported a data breach of its systems in August 2022. The attacker obtained source code and technical information from the development environment, which was leveraged to target a specific employee. Once the employee had authenticated using multi-factor authentication, the actor utilized their persistent access to impersonate the employee.

Gaining access to the employee’s device, the attacker lifted the employee’s credentials and security keys to gain access to files from the company’s cloud-based storage services. In December 2022, the company reported that the attacker obtained a backup of the customer vault data through the third-party cloud-based storage service. 

Let’s talk about the timeline

LastPass’ issues started back in August of 2022. In this incident, attackers had gained access to portions of a development environment due to a compromised developer account and stole technical and proprietary information. LastPass initially claimed that no evidence existed that the incident involved any access to customer data or encrypted password vaults. And that appeared to be the end of the issue. 

However, in a LastPass blog post by Karim Toubba updated in December 2022, it was revealed that a “threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022.” What does this mean? It means that someone was able to break into a storage environment using information they had gained during the August incident. But what happened once they got into that storage? Were they able to take the passwords and information right out of the vault? Well, technically, no. The passwords themselves were encrypted; however, that doesn’t mean LastPass was out of hot water. The attacker had obtained basic customer information, including email addresses, billing addresses, IP addresses from which LastPass was accessed, and telephone numbers. And, as other sources have suggested, a LastPass password is not difficult to decrypt with the right resources, mainly because users rarely choose passwords with enough entropy. As such, these passwords are crackable, encryption or not.

What Does This Mean For Users? 

Although the stolen vault remains protected with 256-bit AES encryption, users with weak master passwords could be at risk. To successfully decrypt the data, the attacker would need access to a unique encryption key derived from each user’s master password. LastPass utilizes an industry-standard Zero Knowledge architecture, which ensures the company can never gain access to the customer’s master password. Without knowledge of this password, no one other than the vault owner can decrypt the data.

However, the hacker could access the vault through brute force if password best practices aren’t followed. Additionally, the attacker could leverage the customer’s basic information to target individual users through various attack methods, such as phishing. 

How to Protect Yourself 

While password managers are a great tool, best practices must still be followed to protect yourself from becoming vulnerable to an attack. In the case of LastPass, users with weak master passwords are the ones at risk. Luckily, there are steps you can take to protect your passwords and ensure your data is secure in 2023.

  1. Use a minimum of 12 characters 
  2. Combine upper case, lower case, numeric, and special character values 
  3. Ensure your password is easy to remember; but not easy to guess! 
  4. Never use personal information 
  5. Ensure your password is unique; don’t share it with other accounts! 
  6. For extra layers of security (better safe than sorry!), change all of the passwords you have saved in your LastPass account. This will take some time, but it adds an extra layer of protection for your sensitive information. 
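As an added example (not code from LastPass or from the original article), the Python below shows the mechanism behind the two passages above: the vault key exists only as a PBKDF2 derivation of the master password, so the cost of an offline brute-force attack is set by the password’s entropy multiplied by the iteration count. The salt, iteration count and attacker hash rate are assumed parameters for illustration, not LastPass’s actual values; the checker applies rules 1 to 5 from the list.

```python
import hashlib
import math
import string

SPECIALS = set(string.punctuation)


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256 (salt/iterations are
    example values). The key is a pure function of the master password, so a
    zero-knowledge server never needs to hold it."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, dklen=32)


def char_classes(password: str) -> dict:
    """Report which of the four character classes from the rules are present."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIALS for c in password),
    }


def charset_bits(password: str) -> float:
    """Upper bound on entropy: each character assumed drawn uniformly from the
    union of the classes actually used (real user choices are far lower)."""
    present = char_classes(password)
    size = (26 * present["lower"] + 26 * present["upper"]
            + 10 * present["digit"] + len(SPECIALS) * present["special"])
    return len(password) * math.log2(size) if size else 0.0


def check_master_password(password: str, personal_info, other_passwords) -> list:
    """Return the rules (1 to 5 above) that a candidate master password violates."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not all(char_classes(password).values()):
        problems.append("missing an upper, lower, digit or special character")
    lowered = password.lower()
    if any(item and item.lower() in lowered for item in personal_info):
        problems.append("contains personal information")
    if password in set(other_passwords):
        problems.append("reused on another account")
    return problems


def brute_force_years(password: str, iterations: int, hashes_per_second: float) -> float:
    """Average years to guess the password offline when every guess costs one
    PBKDF2 derivation of `iterations` SHA-256 evaluations. hashes_per_second is
    the attacker's assumed raw SHA-256 throughput; half the keyspace = average case."""
    guesses = 2 ** charset_bits(password) / 2
    seconds = guesses * iterations / hashes_per_second
    return seconds / (365 * 24 * 3600)
```

Raising the iteration count multiplies the attacker’s cost linearly, while each extra character of a well-chosen password multiplies it by the alphabet size, which is why length is the first rule.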

What does this mean for LastPass’ future?

We of course don’t know for sure. However, even for security professionals, going through and rotating entire swaths of passwords after this breach will take quite some time, leaving a bad taste in these customers’ mouths. For a layman, it is safe to say that taking this extra security precaution may not enter their minds, or will take months to complete. So, the severity of this breach should not be underestimated, and consumer trust has certainly been broken. It remains to be seen whether trust and transparency on the part of LastPass can be regained in the coming months. 

Four Ways AI Poses a Threat to Cybersecurity and How to Protect Yourself

Table of Content

  1. AI’s offensive capabilities
  2. Examples of AI-enabled cyberattacks
  3. How to protect yourself
  4. Protect your organizational assets with Bright 

The term “artificial intelligence” (AI) describes a machine’s capacity to carry out operations traditionally performed by intelligent entities like humans or animals. Artificial intelligence (AI) systems are capable of reasoning, problem-solving, generalization, planning, and experience-based learning. 

AI is still maturing in terms of practical applications, yet organizations have been using it in recent years to adapt their processes and prepare for opportunities and problems in advance. However, cybercriminals are now also using this technology to increase the effectiveness of their cyberattacks and hacks.

They achieve this by utilizing the intelligent automation offered by AI systems to enhance traditional cyberattacks by accelerating their speed, expanding their coverage, and raising their level of sophistication. Thus, the disruption of AI-enabled cyberattacks is three-fold. AI can assist a variety of attacker strategies and offers fresh methods to better accomplish the attackers’ objectives.

AI’s offensive capabilities

AI’s offensive capabilities are expressed in the following ways:

  1. Automation
    • boosts the autonomy of cyberattacks and decreases the manual effort needed by an attacker
    • makes it possible to coordinate attacks to determine the optimal attack vector, the most vulnerable target, and the most effective attack window
  2. Stealth
    • capacity to develop content that resembles the distribution from which it learned and can therefore hide malicious behavior
    • offers ways to get beyond security measures including email filters and malware detectors
  3. Social engineering
    • can study humans to better understand how to manipulate their trust and emotions and offers methods for choosing and tracking targets
    • can automate and personalize interactions with people both offline and online, i.e. chatbots and spear phishing emails
    • can be employed to create fake online personas and impersonate real individuals in order to connect with selected victims, i.e. deepfakes and voice cloning
  4. Credential theft
    • can mimic human behavior to replicate authentication procedures and guess credentials and is used for both initial access and credential access tactics
    • offers methods for fooling biometric identification systems by imitating a user’s voice and face, keystroke patterns and eye movements
    • can guess passwords with low entropy or personal details

Examples of AI-enabled cyberattacks

In spear phishing with target selection, AI can assist in the selection of phishing victims via user profiling to detect and target particular traits. The attacker initially gathers online profiles from social media networks in order to profile people. Then, relevant traits such as friends, interests, and hobbies are used to categorize possible victims into groups with similar traits. The last step involves locating and classifying clusters of interest, such as those that are “very gullible” or “high value,” which later become the target of spear phishing attacks. 

The interests of targets are usually fed into a natural language generation (NLG) model, many of which are publicly accessible online, e.g. GPT-3. The model is then used to create customized emails or social media postings that mimic the target’s hobbies and writing style, boosting the likelihood that the attack will be successful. In fact, a tool that generates phishing tweets, called SNAP_R, proved to be more successful at triggering victim click-through than human-written tweets.

Deep learning techniques are used by a technology known as deep voice to mimic a target’s voice and create speech from text. Audio samples of a person’s voice are necessary for training a deep voice model. The audio of public appearances or recorded online meetings, both of which are widely accessible online, can be used to gather this information. This technology enables vishing (voice phishing) attacks, many of which are successful and some have already been made public. In July 2019, a vishing call that pretended to be the CEO of a UK-based energy company resulted in a fraudulent $243,000 money transfer.

Deepfakes, which allow an attacker to simulate a target’s face and behavior, can take impersonation to a new level, as no prior technology was able to convincingly mimic voices, facial structure and gestures of targets.

How to protect yourself

At large, automation and artificial intelligence have made organizations more innovative and efficient than ever before. However, they can also be a ruthless enemy when put into the wrong hands. As humans, we know playing against a computer rarely ends in victory. Have you ever played online chess or checkers against a machine? Chances are, you lost. In this situation, the odds are stacked against you. Similarly, leaving the burden to the cyber experts in your organization to prevent AI-based attacks will leave your team feeling defeated and burnt out. 

The best way to protect yourself against these attacks is to use common sense, spread awareness and fact-check using multiple sources. It’s crucial for an organization to be aware of the risks and to develop a skeptical eye among its employees, as they are the biggest vulnerability in AI-enabled cyberattacks. By reporting suspicious emails, posts and other business-related activities, you can help your organization act quickly and protect others from similar attacks. 

Beyond educating and monitoring your employees, additional measures can be taken to increase overall security. In recent years, artificial intelligence has enabled malicious actors to become more sophisticated in their attack strategies. As a result, organizations are being tasked with finding sophisticated solutions to defend their assets and keep their data safe. Luckily, solutions are available that can assist in reaching this goal. 

Through adopting an automated solution, your organization can reap the benefits of faster analysis and mitigation of threats through vulnerability management, network security, and application security. Equip your organization with proper tools, and reduce the risk to your organization from malicious actors. 

Protect your organizational assets with Bright 

Bright’s Dynamic Application Security Scanner enables you to secure your applications and APIs for both technical and business logic vulnerabilities at the speed of DevOps, with minimal false positives. Avoid security becoming an afterthought, and ensure proper measures are taken to prevent attacks before they happen. 

Malicious actors are out there, and although there is no one perfect solution to protect your organization from an attack, with proper security measures in place, you can reduce your organizational risk and rest easy! 

What is SASE, where is it going, and why does it matter?

Table of Content

  1. Intro
  2. What is SASE
  3. Where is SASE going
  4. Why does this matter?
  5. Conclusion
  6. Additional Resources

Intro

With the COVID-19 pandemic, organizations found themselves facing brand new problems with security and the cloud — namely, the trouble of securely moving away from data centers and into the cloud, all while protecting the ‘edge’ of their networks in a secure manner. (By edge, I mean the boundary of wherever your network ends — wherever the employees are.) The old paradigm of networking in company-specific data centers tied to offices is no longer viable in today’s cloud-based, IoT-heavy, distributed workforce, and as such, SASE was born.

What is SASE

SASE is a framework for a network architecture that bundles cloud-native security technologies and Wide Area Network (WAN) capabilities. Put more simply, it’s the intersection of networking and security in a cloud-based environment. It is not a single technology, but a conglomerate of many different technologies, such as Software-defined WAN (SD-WAN), Cloud Access Security Broker (CASB), NGFW and Firewall-as-a-Service (FWaaS), Zero Trust Network Access (ZTNA), and Secure Web Gateways (SWG).

You can learn more about the different components of SASE here.

Where is SASE going

Gartner’s projections of top trends in infrastructure and operations (I&O) put SASE at the top of the list for a significant impact in 2023. With total worldwide end-user spending of up to $9.2 billion forecasted, up 39% from 2022, we can see a growing trend of SASE adoption. There is a significant market for single-vendor SASE, and while the market is still immature, there are a number of single-vendor options.

Dell’Oro group, a market research firm, forecasts that the SASE market will triple by 2026, topping $13 billion. Gartner is even more bullish, predicting that the SASE market will grow at a 36% compound annual growth rate (CAGR) between 2020 and 2025, reaching $14.7 billion by 2025.

Also of note from the Gartner report is a prediction that by 2024, 40% of organizations will have strategies in place to adopt SASE, up from a mere 1% in 2018.

Lastly, there is a movement to standardize SASE. A nonprofit called MEF seeks to lead the way in SASE standardization. From the MEF website, we can see the purpose of the standardization is as follows:

‘MEF’s industry-first SASE standard defines a Secure Access Service Edge (SASE) Service framework and specifies service attributes that need to be agreed upon between a service provider and a subscriber for SASE services, including security functions, policies, and connectivity services. The standard aligns stakeholders on common terminology and service attributes when buying, selling, and delivering SASE services, and makes it easier to interface policy with security functions for cloud-based cybersecurity from anywhere.’ —  https://tinyurl.com/226d8pw2

You can find MEF’s standardization document here.

Why does this matter?

The old paradigm of networking for in-house data centers and in-office employees is dying. In the mad rush to adopt cloud-based services, adequate security tooling is ever more important to protect company assets. Tool consolidation is also becoming an ever more appealing option for organizations, as the ‘bits-and-pieces’ approach to the tooling covered by SASE is quickly becoming overwhelming for customers. With reduced complexity and security available no matter where the user is, SASE streamlines networking and security for a remote-first world.

Conclusion

SASE, while still in a nascent stage as far as standardization of services goes, is projected by Gartner and many others to be the networking solution of the future. With significant money to be made, and single-vendor solutions paving the way for adoption, SASE deserves a second look from anyone evaluating promising emerging technologies.

Additional Resources

What is SASE (Secure Access Service Edge)? | Versa Networks (versa-networks.com)

Secure access service edge: What is SASE? (www.polymerhq.io)

Invest Implications: ‘The Future of Network Security Is in the Cloud’ (www.gartner.com)

Security Breaches: What We Learned in 2022

Table of Content

  1. The Biggest Breaches
  2. Security Starts at Your Own Home

With global events happening all around us, it’s time to reflect on how the past year affected the cybersecurity world, and on the lessons we learned during this period. It’s been a very turbulent time in cybersecurity, with the technology sector going through financial turmoil, which in turn left some critical vulnerabilities unaddressed.

This is part of a series of articles about Data Breach.

The Biggest Breaches

Some of the biggest breaches involved some of the biggest tech companies! Twitter & WhatsApp are just top-of-the-shelf examples of how even the richest and most powerful organizations constantly have to keep up in order to keep their data safe. 

Optus Data Breach

It sounds bad when you first learn that a giant telecommunications company suffered a data breach. But it’s only when you learn that no less than 11 million people had their data leaked does it go to the next level. 

The hackers accessed all sorts of personal data after which they supposedly contacted all the users with a $1300 offer to keep their data private. Not only that, but those users started becoming a target of recurring phishing attacks. Some journalists reported that the hackers gained access to the data by accessing an unauthenticated API endpoint, although the details of the attack are yet to be published online.

Medibank Data Breach

Another company from The Land Down Under took over the unfortunate headlines in the twilight of this year as Medibank suffered a huge cybersecurity breach. To be more specific, an anonymous hacker collected 9.7 million records of Medibank’s customers. 

After the company refused to give in to hackers’ requests, the cybercriminals dumped more than 5GB of compressed data online. All the analysis indicates that the data dump, indeed, contains the Medibank customer information. 

DoorDash Data Breach

The summer of ‘22 won’t be remembered as a particularly happy one for DoorDash users. Perhaps the biggest food delivery company suffered an enormous leak where almost 5 million of their users had their data stolen. 

What’s really interesting is that the attack happened via a very sophisticated phishing campaign, ultimately causing big damage to DoorDash in terms of customer trust.

Luckily, hackers only accessed some credit card data from a smaller group of people, but even in those cases, it was mostly the last four digits of their card number – still a big risk, but not as threatening as some other data leaks out there.

Security Starts at Your Own Home

When talking about big security breaches, a lot of companies focus their defense mechanisms solely on technical details. They make sure that the system they’re using is impenetrable. However, there’s a big gap that often occurs, resulting in some of the biggest data leaks – and it’s human error.

Making sure that your employees are the first line of defense is crucial in maintaining a safe environment, protected from outside breaches. This means constant education of your employees, enrolling and encouraging them to take up security courses, and raising the overall level of cybersecurity awareness in your company. 

Creating a safe environment isn’t, and never has been, an individual effort by a few people specialized in cybersecurity. It’s always the whole group that has to stay organized and aware of outside threats in order to make sure that costly slip-ups don’t happen. Ultimately, a chain is only as strong as its weakest link, and that principle applies perfectly to cybersecurity.

From all the lessons we’ve learned in 2022, it’s time for all of us to take action, broaden our knowledge, and work on our cybersecurity awareness. These are the steps necessary to reach the next level and raise our security online.