Among the news this week were a lot of reports, and some product news. Three things got our attention. John Petrie, Counsellor to the Global CISO at NTT, talked about how you look after, manage and grow your CISOs when you have an organisation with multiple business units.
Qualys has opened up its Enterprise TruRisk Platform to give organisations a 30-day free trial to evaluate the product. Cobalt Iron was awarded an EU Patent for its Cyber Event Responsiveness work.
Bugcrowd
Bugcrowd has launched a private bug bounty program with Portnox. The program is designed to make it easier for security researchers to submit security vulnerabilities in Portnox’s production services through Bugcrowd. It will act as a clearing house to ensure that all reports are handled correctly and reported to the right team inside Portnox.
Denny LeCompte, CEO of Portnox, said, “This bug bounty program is part of our ongoing efforts to ensure that we provide customers with best-in-class security for their enterprise networks and applications. Bugcrowd helps close the gap between security and development, so that we can continue to safely innovate.”
Egress
Egress and KnowBe4 have announced a definitive agreement where KnowBe4 will acquire Egress. Timings and the value of the agreement have not been made public. The acquisition is expected to complete quickly, as the two companies have been integration partners for over a year. KnowBe4 sees the acquisition as enabling it to deliver a single platform that offers AI-based email security and training.
Stu Sjouwerman, CEO, KnowBe4, said, “The future of security is personalized AI-driven controls and real-time coaching. By providing a single platform from KnowBe4 and Egress, our customers will benefit from differentiated aggregate threat detection to stay ahead of evolving cyber threats and foster a strong security culture.”
Europol
European Police Chiefs believe that privacy measures such as end-to-end encryption will stop tech companies from seeing any offending that occurs on their platforms. They also believe that it will prevent them from gathering and using evidence. They are asking the tech industry and governments to take action to stop this from happening.
Europol and the European Police Chiefs have issued a joint declaration detailing their concerns. In it, they say, “We call on our democratic governments to put in place frameworks that give us the information we need to keep our publics safe.”
Forescout
Forescout research warns that security threats to critical infrastructure go ignored. The warnings come in a 17-page report entitled Better Safe Than Sorry that analyses seven years of data on Internet-exposed Operational Technology and Industrial Control Systems (OT/ICS).
The report does have some positive notes. The US and Canada significantly reduced the number of exposed devices by 47%. Unfortunately, other countries saw their numbers rise. Spain saw an increase of 82%, Italy 58% and France 26%.
Elisa Costante, VP of Research at Forescout Research – Vedere Labs, said, “If these warnings sound familiar, it’s because they are. The looming potential for a mass target scenario is high. Forescout calls on vendors, service providers, and regulatory agencies to work collectively to prevent attacks on critical infrastructure that will spare no one.”
ManageEngine
ManageEngine has released more country-focused data from its State of Cybersecurity in Latin America 2024 report. This week, it focused on Argentina and Brazil. Companies in both countries reported an increase in cybersecurity breaches, with Argentina up 68% and Brazil up 54%.
Interestingly, respondents in both countries saw a significant increase in the use of AI in those attacks. However, those same respondents believe that AI also has a part to play in defending against attacks.
NCSC
The National Cyber Security Centre in the UK has warned that malicious actors are exploiting vulnerabilities in devices from both Cisco and Palo Alto. The warnings call out specific products and list the CVEs for the vulnerabilities being exploited. Importantly, they go on to say that public Proof of Concept (PoC) code exists to exploit the vulnerabilities.
The NCSC advises organisations to download patches and apply them as soon as they become available, and to take action to mitigate any risk in the meantime.
NOYB
NOYB has published its response to the opinion of the Attorney General (AG) at the Court of Justice for the European Union (CJEU). The opinion refers to a case brought by founder Max Schrems against Meta. It makes it clear that Meta cannot continue to use all the data it has ever collected for advertising.
In his opinion, Advocate General Athanasios Rantos proposes that the Court should rule that the GDPR precludes the processing of personal data for the purposes of targeted advertising without restriction as to time. This would mean that Meta would not be allowed to use the vast amount of data it has gathered on individuals to target advertising.
A second part of the opinion looked at whether making something public rendered it fair game for advertising. The AG's view is that just because someone made something public does not in itself permit the processing of those data for the purposes of personalised advertising.
The CJEU will now rule on the case once it has considered the AG’s opinion. It is rare for the CJEU to go against such opinions, and it will be interesting to see when it rules and what its final decision is.
Praxis Security Labs
Praxis has announced a new head of engineering, former Amazon DevSecOps engineer Kim Engebretsen. The appointment comes as Praxis looks to add new functionality to its Praxis Navigator solution. It uses behavioral data to help organizations optimize their cyber resilience against social engineering-style cyberattacks.
Engebretsen has over 10 years of experience spanning the full spectrum of cybersecurity management. He is a DevSecOps specialist, focusing on the integration and automation of security tools and processes.
Engebretsen said: “I’ve been putting cybersecurity theory into practice for many years, but it’s rare that the opportunity comes up to do something truly new – in any field, really. But Praxis is creating something that’s truly new and exciting in cybersecurity, and it’s terrific to become part of the team that’s doing it.
“My role is to ensure we build a secure-by-default product on top of a secure-by-default infrastructure using Secure Software Development LifeCycle (S-SDLC), with true DevSecOps and rigid built-in Application Security Posture Management. Customers rightfully need that assurance, and they’ll get it from Praxis.”
US Department of Justice
Four Iranian nationals have been charged over a multi-year cyber campaign against US companies and US government departments. The individuals have been named as Hossein Harooni, Reza Kazemifar, Komeil Baradaran Salmani, and Alireza Shafie Nasab.
The US Department of State is offering a reward of up to $10 million for information leading to the identification or location of the group and the defendants.
Attorney General Merrick B. Garland said, “Criminal activity originating from Iran poses a grave threat to America’s national security and economic stability.
“These defendants are alleged to have engaged in a coordinated, multi-year hacking campaign from Iran targeting more than a dozen American companies and the U.S. Treasury and State Departments. This case represents just one part of the U.S. government’s effort to counter the range of threats originating from Iran that endanger the American people.”