I’m Stuffed, I Just Couldn’t Take Another Credential
Credential stuffing attacks can put organizations in a tricky spot. On the one hand, they are dealing with a data breach due to user behavior out of their control. But blaming the victim is rarely the right move. So what kind of reasonable expectations can companies have about how much users will do to protect themselves?
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, operating partner, YL Ventures. Joining us is our sponsored guest, Jay Trinckes, director of compliance, Thoropass.
Taking responsibility for SBOMs
We see supply-chain attacks all the time. Software bills of materials, or SBOMs, are a critical way to defend against them. Similar to data protection, it’s hard to secure an application if you don’t know what components are inside of it. The key is to take SBOMs from a nice-to-have into a contractual requirement, effectively rolling them into your security ecosystem. SBOMs are not a panacea for supply-chain risk, but they provide much-needed visibility to start securing it, noted Matt Middleton-Leal in a recent piece on Dark Reading. Are we all on board with SBOMs? Andy Ellis isn’t.
The credential stuffing blame game
Suffering a data breach carries reputational damage. But what happens when user behavior leads to a breach that’s entirely outside your control? 23andMe claimed its users were at fault after its recent breach, noted Lorenzo Franceschi-Bicchierai on TechCrunch. Credential stuffing attacks come from bad security hygiene on the part of your users. But organizations that blame users or try to put the onus of security on them are missing the larger point. Credential stuffing only works for organizations not implementing MFA. If organizations won’t take these structural steps to improve their security posture, how can they expect their users to do more?
Self-inflicted regulations
In cybersecurity, many complain of too many regulations. The reality is that the industry’s failure to police itself leads to customer complaints. From there, regulations become much easier to enact with an aggrieved constituency. Frustration builds when these regulations come into force without sufficient industry knowledge. This opens the door for lobbyists to whittle away at well-intentioned regulation, and brings more complaints from those who can’t afford such lobbying.
Is the EU’s AI Act focusing on the right things?
The rapid rise of generative AI has also made the need to regulate this disruptive new technology obvious. The European Union is quickly looking to adopt its AI Act, which focuses on massive “foundation models.” While we can’t predict all the uses of AI technology now, the act focuses on concerns about privacy, security, ethics, and trust. For these regulations to be effective, all involved will need to iterate rapidly as this technology evolves in society, noted Michael Spencer in an article on The Artificial Intelligence Report. The rubric for evaluating AI regulations should be risk-based, something the cybersecurity industry is already familiar with.
Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Huge thanks to our sponsor, Thoropass
10-Second Security Tip…
"The internet was never built with security in mind. You can’t blindly accept anything as truth coming from the internet. It’s going to get even worse with advancements in AI. Don’t trust anything you can validate or verify first and make sure it’s from reputable sources." - Jay Trinckes, director of compliance, Thoropass
OPEN AUDITION! Looking for Next Hosts on CISO Series
Your favorite hosts of CISO Series shows are not going anywhere.
BUT, we’re developing a new show and we’re looking for your NEXT favorite CISO Series hosts.
And we’re looking for a pair of them, possibly two pairs!
Submit a recording to be CISO Series hosts
Go to the blog post for details on how to deliver the IDEAL submission.
When Is Data an Asset and When Is It a Liability?
"From the security perspective, I think everyone is coming to the table from a cost benefit analysis or a risk based analysis, and that’s a good thing. And so there are all these different factors that you can kind of use as levers to pull on and off to enhance privacy." - Mario Trujillo, staff attorney, Electronic Frontier Foundation (EFF)
Listen to full episode of "When Is Data an Asset and When Is It a Liability?"
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jamil Farshchi, EVP and CISO, Equifax. Thanks to Egress, a KnowBe4 company.
Thanks to our Cyber Security Headlines sponsor, Egress
Join us TOMORROW, Friday [03-01-24], for "Super Cyber GAME SHOW Friday"
Join us Friday, March 01, 2024, for “Super Cyber GAME SHOW Friday”, one hour packed with cyber games. We'll be bringing our audience into the show to play some of our favorite games.
We've got the security team of FanDuel (Tyler M. and Jodie Lash) up against the team from AssuredPartners (Hadas Cassorla, JD, MBA, CISSP and Jayakrishnan Krishnakumar).
It all begins at 1 PM ET/10 AM PT on Friday, March 01, 2024. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.
Comment from a Manager Sales | Customer Relations, New Business Development (9mo): Engaging topics lined up! Thoughts on fault-based battles in cybersecurity by credential stuffing?