Cyber Risk Governance Insights | December 23, 2024

WEEK IN HEADLINES

NATION STATE - Hackers Target Nuclear Workers

North Korean hacking group, Lazarus, is targeting IT professionals in the nuclear sector with fake job offers. This is a continuation of their Operation DreamJob campaign which began in 2020. The attackers use social media to reach out to potential victims and conduct multiple rounds of interviews before deploying malware. Their goal is to steal sensitive information or cryptocurrency.

INSIGHT: This is Critical Infrastructure! Multi-factor Authentication (MFA) should already have been implemented. But CISA only strongly encourages MFA in critical infrastructure; there is currently no blanket federal mandate requiring it. Perhaps this should change for national security reasons. Even if you're not critical infrastructure, you should have MFA in place for your own organization.

CRITICAL INFRASTRUCTURE - Country Hit By Largest Cyber-Attack in Its History

Ukraine has been hit by a significant cyber-attack targeting critical government databases, with suspicions pointing towards Russian involvement. The attack has disrupted essential services and raised concerns about the country's cybersecurity resilience. Authorities are working to restore systems and enhance defenses against future threats.

INSIGHT: This is why Zero Trust Architecture (ZTA) and MFA are so critical for critical infrastructure. We believe that organizations should always "never trust, always verify," meaning that they must verify every person and every device attempting to access resources and data on their network, on every request, rather than trusting anything because it is already inside the perimeter.

RANSOMWARE - Gang Issues New Attack Warning

A notorious ransomware group has issued a warning of impending attacks set for February 3, 2025. The gang, known for its sophisticated cyber assaults, has targeted various sectors, causing significant disruptions and financial losses. Security experts urge organizations to bolster their defenses and remain vigilant against potential threats.

INSIGHT: An EDR system provides proactive defense by continuously monitoring and analyzing endpoint activity in real time. If you have an EDR, it should detect suspicious behavior and isolate a compromised system, which can prevent ransomware from spreading across your network and infecting other devices.

PRIVACY - Italy Says "Nope!", Here's a $15.6M Fine

Italy's data protection authority, Garante, has fined OpenAI €15 million ($15.6 million) for violations related to the collection and processing of personal data by its AI chatbot, ChatGPT. The investigation revealed that OpenAI lacked a legal basis for data processing and failed to provide adequate transparency and age verification measures. OpenAI plans to appeal the decision, asserting its commitment to privacy and collaboration with global authorities.

INSIGHT: Given the increasing complexity of state-level data privacy regulations, has your organization implemented a robust Data Protection Impact Assessment (DPIA) process? Data regulatory compliance and data minimization are critical for all organizations. DPIAs are essential tools to assess the data collected on consumers and employees, ensuring that only necessary data is retained.

(Looking at you AT&T)

QUANTUM COMPUTING - Legacy Cryptography Phased Out by 2030

Australia's chief cybersecurity agency, the Australian Signals Directorate (ASD), has announced plans to phase out widely used cryptographic algorithms, including SHA-256, RSA, ECDSA, and ECDH, by 2030. This decision is driven by concerns that advances in quantum computing could render these algorithms insecure. The ASD's guidance aims to transition to quantum-resistant cryptographic standards to protect sensitive information and maintain cybersecurity integrity.

INSIGHT: We've talked about this before, but it's important for all companies to start thinking about Post-Quantum Cryptography (PQC). Powerful quantum computers are on the horizon, and they will likely be capable of cracking our current public-key encryption, putting your data at risk. If you start the switch to PQC now, you'll be future-proofing your organization, staying ahead of the curve, and demonstrating to your customers and auditors that you're serious about security and compliance.

GOOD NEWS - Ransomware Developer Arrested in Israel

Rostislav Panev, a dual Russian-Israeli national and key developer for the LockBit ransomware group, was arrested in Israel and faces extradition to the US. Panev is accused of developing ransomware and tools used by affiliates, contributing to LockBit's global cyberattacks. The arrest is part of ongoing efforts by US law enforcement to dismantle the ransomware-as-a-service operation and bring its perpetrators to justice.

INSIGHTS & EXPERT PERSPECTIVES

Understand AI Risk Management and Standards

The National Institute of Standards and Technology (NIST) recently held a symposium to discuss advancements in AI risk management and standard-setting. Key takeaways include the need for comprehensive governance beyond developer-deployer relationships, the impending influx of international AI standards, and the challenges of tailoring effective AI regulations. The symposium emphasized the importance of systemic governance, the complexity of the AI value chain, and the necessity for adaptable risk management frameworks.

Key Insights

  • Expanded Risk Management in AI Value Chain: Risk management should extend beyond developers and deployers to include all actors in the AI ecosystem, such as data curators, model trainers, and application developers. Organizations should adopt comprehensive governance plans and oversight frameworks to manage these diverse risks effectively.
  • Impending International AI Standards: A wave of international AI standards is expected, focusing on areas such as terminology, measurement methods, transparency, and security. Companies must prepare to integrate these standards into their governance, risk management, and procurement processes.
  • Challenges in AI Regulation: Traditional regulatory approaches may not be effective for AI due to its fluidity and versatility. Policymakers need to develop new regulatory frameworks that address the unique characteristics of AI technologies and their applications across various sectors.

INSIGHTS: For any organization, particularly SMBs, with limited resources, it may be prudent to start small, with manageable AI projects, or leverage AI tools that require minimal investment. This could allow you to gradually build expertise and operational infrastructure while evaluating the benefits.

If your organization is not ready for AI deployment, focusing on understanding the AI landscape and preparing for future integration can still provide valuable strategic insights.

AI can significantly enhance operational efficiency, improve decision-making, and provide a competitive advantage - particularly for SMBs.

However, if you lack the resources, expertise, or infrastructure, AI deployments may lead to more challenges than benefits. 


Sharpen Your Cyber Edge with Netswitch

Master Compliance & Minimize Risks:

  1. Independent Security Audit: Identify network risks with our automated Security And Risk Assessment (SARA). Get a clear picture, prioritize improvements, and optimize resource allocation. Contact Netswitch.
  2. Free "Quick Start" Program: Gain a free cyber risk and governance health check. Enroll now and start building resilience.

Deepen Your Knowledge:

  • Join Our LinkedIn Group: Collaborate with industry leaders in the CyberRisk Governance Community on LinkedIn. Share insights and stay ahead of the curve.
  • Live Events: Participate in interactive LinkedIn Live sessions. Explore cyber risk topics with executives, technologists, and governance professionals.

Don't wait.

Contact Netswitch Technology Management today to take control of your cyber risk.


Disclaimer: The information and links provided in this newsletter are for informational purposes only. Netswitch does not warrant the accuracy or completeness of such information and is not liable for any damages arising from its use.
