CrowdSecWisdom #5
OffSec insights for CISOs
Welcome to the fifth edition of CrowdSecWisdom from YesWeHack – curating offensive security insights from our own blog and elsewhere for CISOs, security teams and security-conscious devs. 🛡️
Halloween 🎃, Oktoberfest 🍺, and World Smile Day 😊 are not the only notable events happening next month… 17 October is another date to mark in your calendar if you have a security role in an organisation providing critical services within the EU. 🇪🇺
That’s the deadline by which member states must transpose the Network and Information Security (NIS) 2 Directive into national law. We’ve compiled 10 need-to-know facts for organisations that might be affected by NIS 2, which is designed to achieve “a high common level of security of network and information systems across the Union” more effectively than its 2016 predecessor, NIS 1. Or for a more in-depth explainer of NIS 2 and the implications for your SecOps strategy read our article on the subject. 🔐
We’d also like to flag the (fairly) recent publication of Gartner’s latest Hype Cycle for Security Operations, which IT leaders can use to assess the maturity and value of a given security innovation, whether it’s cyber AI assistants or pentesting-as-a-service, and their capability to adopt it. 🛠️ The Hype Cycle (to which no technology is seemingly immune) is visualised on two axes – mapping rising, falling then stabilising expectations of a given technology over time as reality outruns hype. The cycle always runs through five phases: innovation trigger, peak of inflated expectations, trough of disillusionment, slope of enlightenment, and plateau of productivity. It’s an interesting and valuable read from an independent, data-driven and respected market research firm. 📈
Our latest Bug Bounty hunter interview 🕵️‍♂️, meanwhile, stars Gal Nagli, widely considered to be one of the most talented and effective ethical hackers in the world. 👇 Nagli was speaking during his participation at our live hacking event with Louis Vuitton. 👜
Can a non-technical CISO be a good CISO?
The CISO of Reddit recently shared his thoughts on the impressive CISO Series podcast, with Fredrick Lee joining co-hosts David Spark and Andy Ellis for the latest, beautifully-named episode, ‘I Said I Was Technically a CISO, Not a Technical CISO’ (they have form for great titles, with the previous instalment called ‘Everyone Has a Zero-Trust Plan Until They Get Punched in the Face’. Bravo 👏). 🎙️
Among other CISO-focused content we’ve browsed this week, notable highlights include a Just Drinks interview with Sailaja Kotra-Turner, CISO and director of global infrastructure at Brown-Forman (owner of Jack Daniel’s whiskey 🥃), and a piece exploring why the CFO-CISO relationship is key to mitigating cyber risk in Raconteur, for which journalist Sam Birchall spoke to a CISO and cyber firm CEO. 🤝
CVEnormous
The continuing rise in the volume of new vulnerabilities is unsurprising, we admit – but we’ll flag it anyway! A report from Forescout reveals that the number of new CVEs rose 43% year-on-year between H1 2023 and H1 2024, continuing the inexorable surge that began in 2017. The report also investigates trends in state-sponsored activity, new threat actor groups and why VPNs and network appliances are being targeted at an accelerated rate. 🧐
In other vulnerability management news, CSO has reported on another all-too-common “clash of interpretations surrounding who reported a flaw, when it was discovered, how severe it is, and whether the resulting patch is adequate”, when it comes to coordinated vulnerability disclosure. This particular episode pertains to a ‘spoofing’ flaw fixed as a “defence-in-depth” issue in Trident, Microsoft’s proprietary browser engine for Internet Explorer, which Trend Micro’s Zero Day Initiative (ZDI) team claims was an RCE that warranted a higher CVSS. 🔒
Other new content in our wheelhouse that might be worth a peek is a Cloud Security Alliance (CSA) report on the use of AI in offensive security. 🤖
Inside the three billion people data breach
Troy Hunt, founder of data breach notification site Have I Been Pwned and Microsoft regional director, has documented one of the largest-ever data breaches. Called ‘Inside the 3 billion people data breach’, his blog post centres on National Public Data, “a data aggregator most people had never heard of where a 'threat actor' has published various partial sets of data with no clear way to attribute it back to the source. And they're already the subject of a class action”. The vendor is apparently claiming that only 1.3 million people were affected, although Hunt discovered 134 million unique email addresses in the related data dump – which would amount to around 100 emails per individual if both of these numbers are accurate, noted The Register. 🧐
First-ever live Bug Bounty in Italy
We’re super-excited to break new ground later this month when we run Italy’s first-ever live hacking event, taking place at Romhack 2024 in Rome on 28 September. The identity of the organisation involved will, as usual, be kept under wraps until the event is about to begin. Learn about the benefits of live bug bounties here. 🐞
Just in case you happen to be in the countries in question at the time, YesWeHack will also be showcasing our vulnerability management solutions at Indosec (Jakarta, Indonesia; 24-25 September), Assises de la Cybersécurité 2024 (Monaco; 9-12 October), GITEX (Dubai; 14-18 October) and IT-SA (Nuremberg, Germany; 22-24 October). 📅🌍
PS. Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.