Blog entry by Les Bell

Les Bell
by Les Bell - Friday, October 20, 2023, 10:05 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


CISA Updates Its #StopRansomware Guide

The US Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the NSA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) has released an updated version of the joint #StopRansomware Guide.

The Guide, which is developed through the US Joint Ransomware Task Force, is intended to be a one-stop resource to help organizations mitigate the risks of ransomware through good practices and step-by-step approaches to detect, prevent, respond and recover from attacks. The update includes new tips for prevention, such as hardening the SMB protocol, a revision of the response approaches and additional threat hunting insights.

CISA, #StopRansomware Guide, resource, 19 October 2023. Available online at https://www.cisa.gov/resources-tools/resources/stopransomware-guide. Direct PDF download at https://www.cisa.gov/sites/default/files/2023-10/StopRansomware-Guide-508C-v3_0.pdf.

How Not to Get Hooked by Phishing

Phishing, leading to credential compromise, continues to be a huge problem and, in fact, is getting worse as threat actors take advantage of generative AI to eliminate almost all of the clues, such as grammatical errors and off-pitch phraseology, that would previous alert users to a fake email.

An additional difficulty is the appearance of many new variants:

  • Spear phishing: targeted email phishing
  • Whaling: Executive email phishing
  • Harpoon Whaling: Highly-targeted executive phishing
  • BEC: Business email compromise (CEO fraud)
  • Smishing: Text message (SMS) phishing
  • Vishing: Voice (phone call) phishing
  • Quishing: QR code phishing
  • Angler phishing: Social media phishing

A rather nice piece from Trend Micro examines the current trends in phishing attacks, such as the use of the new top-level domains like .zip (what was Google thinking, there?), the use of multiple phishing variants in tandem to lend credibility and create a sense of urgency, not to mention the use of tools like ChatGPT to research a victim in a so-called AI-enabled harpooning attack.

Although Trend Micro still recommends security education, training and awareness and in particular, phishing simulations to test employees, they also recommend more sophisticated technical approaches, such as authorship analysis on the email gateway, along with the use of cloud access security brokers and secure web gateways - all of which increasingly incorporate AI techniques to escalate the arms race with the attackers.

Clay, Jon, Email Security Best Practices for Phishing Prevention, blog post, 17 October 2023. Available online at https://www.trendmicro.com/en_us/ciso/22/k/email-security-best-practices.html.

AI Comes to Access Control

While the fundamentals of access control still - for good and sound reasons - depend upon decades-old research into security models such as Bell-LaPadula, Clark-Wilson and Role-Based Access Control, in practice many of these (although not BLP) devolve into an access control matrix represented by access control lists - a model that dates back to the early 1970's. Each object in a system - be that a file, API, database table, transformational procedure or something else - carries a list of subjects (users - often aggregated into groups for simplicity), and the types of access each user is granted.

However, attempting to map a high-level access control policy for a complex business application which may have hundreds of objects and thousands of subjects down to a set of ACL entries and their related rules (e.g. if a user is a member of two groups, one allowed access and one denied, how is this resolved?) can be mind-numbingly complex. Generally, this has been done using a policy language like XACML, requiring the policy developer to have a good understanding of application requirements, the security model and the syntax of the specific policy language - not to mention underlying principles like the principle of least privilege and segregation of duties.

People who can do all of that are in short supply.

Now a small team from the Enterprise Security and Access Security organizations at Google have developed a tool, based on the company's PaLM2 large language model, which allows developers to create and modify security policies using plain English instructions. The tool significantly reduces the difficulty of defining access control policies that comply with Google's BeyondCorp zero trust architecture and its identity aware proxy.

The SpeakACL tool can not only generate ACL's, but can also verify the access policies and sports additional safeguards for sensitive information disclosure, data leaking, prompt injections, and supply chain vulnerabilities. Although this is only a prototype, it shows another aspect of the trend towards utilizing AI in security services.

Khandelwal, Ayush, Michael Torres, Hemil Patel and Sameer Ladiwala, Scaling BeyondCorp with AI-Assisted Access Control Policies, blog post, 10 October 2023. Available online at https://security.googleblog.com/2023/10/scaling-beyondcorp-with-ai-assisted.html.


Upcoming Courses


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.