The Cloud Security Alliance has released its list of top cloud threats for 2024. Plus, CISA and the FBI published a guide for determining if a software product was built "secure by design." Meanwhile, find out how AI can transform offensive security. And get the latest on the Royal ransomware gang, the CIS Benchmarks and TikTok’s legal troubles!

Dive into six things that are top of mind for the week ending August 9.

1 - Report: Top cloud security threats for 2024

Misconfigurations. Identity weaknesses. Insecure APIs. Incomplete security strategies.

Those are the top four dangers impacting cloud environments today, according to the Cloud Security Alliance’s “Top Threats to Cloud Computing 2024” report, based on a survey of 500-plus cloud security experts.

“By bringing attention to those threats, vulnerabilities, and risks that are top-of-mind across the industry, organizations can better focus their resources,” Sean Heide, Technical Research Director at the CSA, said in a statement.

The report lists a total of 11 major cloud-computing threats, describes and analyzes them, identifies their business impacts, offers key takeaways, provides real-world examples and more. 

Here’s the full list:

• Misconfiguration and inadequate change control
• Identity and access management
• Insecure interfaces and APIs
• Inadequate selection/implementation of cloud security strategy
• Insecure third-party resources
• Insecure software development
• Accidental cloud disclosure
• System vulnerabilities
• Limited cloud visibility/observability
• Unauthenticated resource sharing
• Advanced persistent threats

The report also outlines four critical trends that will make cloud security more challenging in the future:

• Increasingly sophisticated attacks, thanks to cybercriminals’ use of technologies like AI
• Deeper supply chain risk, caused by the growing complexity of cloud ecosystems
• Stricter regulations for data privacy and security
• A democratization of cyberattack capabilities due to the prevalence of ransomware-as-a-service alternatives

So, what can security teams do? Recommendations include:

• Leverage AI throughout the software development lifecycle (SDLC) to improve code reviews and vulnerability scanning, and thus reduce security issues in released software.
• Use AI tools that simulate cyberattacks to detect security gaps in cloud configurations, IAM systems and APIs.
• Use cloud-native security tools that have been designed specifically for cloud environments.
• Adopt a Zero Trust security model.
• Incorporate security automation and orchestration technologies to tackle cloud complexity.
• Close your organization’s security skills gap by investing in cloud security training and awareness.

To get more details, check out:

• The report’s announcement, “Cloud Security Alliance Releases Top‌ ‌Threats‌ ‌to‌ ‌Cloud‌ ‌Computing 2024 Report”
• The full report “Top Threats to Cloud Computing 2024”

For more information about cloud security, check out these Tenable resources:

• “Empower Your Cloud: Mastering CNAPP Security” (eBook)
• “Improving Your Cloud Security Using JIT Access for Sensitive SaaS Applications” (blog)
• “Tenable Cloud Security Outlook 2024” (on-demand webinar)
• “Understanding Customer Managed Encryption Keys (CMKs) in AWS, Azure and GCP: A Comparative Insight” (blog)
• “Secure Your Cloud-Native Applications: 5 Key Considerations” (on-demand webinar)

2 - New guide helps orgs assess the security of software products

During your organization’s software-procurement process, a critical evaluation criteria should be whether the products under consideration are secure by design. But how do you make that assessment?

Check out new guidance to help organizations make sure that they buy secure-by-design software, which is software whose security was prioritized by its manufacturer throughout the product’s development process.

“Ensuring that the products they use and procure are secure by design is essential for organizations to be resilient against ransomware and other forms of malicious cyber activity,” reads the guidance, titled “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem.”

Published this week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, the guidance includes:

• Security-related questions to ask software manufacturers
• Ways to assess a software product’s security throughout the procurement process
• Resources to determine product-security maturity

Among the topics covered are:

• Does the product offer secure authentication, such as by supporting phishing-resistant forms of authentication?
• Has the manufacturer eliminated well-known classes of vulnerabilities and defects from its software by, for example, using memory-safe languages and enforcing parameterized queries?
• Does the manufacturer make security logs available to customers?
• Does the manufacturer keep and share provenance data of the third-party components it uses in its software?
• Does the manufacturer quickly and transparently disclose vulnerabilities found in its software?

Ultimately, a key goal is to empower organizations to leverage their purchasing power to procure secure software products, turning the “secure by design” principle into “secure by demand,” CISA Director Jen Easterly said in a statement.

To get more details:

• Check out the announcement “CISA Releases Secure by Demand Guide”
• Read the full guide “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem”

3 - Study: AI has potential to transform offensive security

Although challenges remain, AI holds great promise for offensive-security teams, especially those involved with vulnerability assessments, penetration testing and red teaming.

That’s the conclusion from the Cloud Security Alliance’s “Using AI for Offensive Security” study, published this week.

Offensive-security teams, tasked with identifying their organizations’ cybersecurity weak spots, are already benefiting from AI in general, and from large language models (LLMs) and LLM-powered AI agents in particular. Specifically, these teams are seeing increased speed, automation, data analysis, scalability and productivity.

“This improvement boosts efficiency, allows for more sophisticated and extensive assessments, and enables security teams to focus on process improvement and strategic work,” the 29-page study reads.

An added bonus: AI helps understaffed cybersecurity teams because it lowers the barriers to entry to offensive-security teams and democratizes security testing, according to the CSA. In fact, the cybersecurity skills shortage is one of the challenges the study highlights.

The study explores how AI can help teams across the five phases of offensive-security testing:

• Reconnaissance: Gathering as much information as possible about the IT environment
• Scanning: Probing for details such as live hosts, open ports and running services
• Vulnerability analysis: Identifying security weaknesses in the IT environment
• Exploitation: Exploiting identified vulnerabilities to gain initial access or move deeper into the IT environment
• Reporting: Compiling all findings into a detailed report

How AI can augment or automate an existing offensive-security testing process

^{(Source: Cloud Security Alliance’s “Using AI for Offensive Security” report, August 2024)}

Recommendations include:

• Incorporate AI for task automation and for augmenting human capabilities, and leverage it for data analysis, tool orchestration, generating actionable insights and more.
• Adopt robust governance, risk and compliance (GRC) frameworks to ensure you’re using AI securely and responsibly.

To get more details, check out:

• The study’s announcement “Cloud Security Alliance Addresses Using Artificial Intelligence (AI) for Offensive Security in New Report”
• The full study “Using AI for Offensive Security”

To learn more about some of the ways in which AI and cybersecurity intersect, check out these Tenable blogs:

• “How to Discover, Analyze and Respond to Threats Faster with Generative AI”
• “Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach”
• “AI Is About To Take Cybersecurity By Storm: Here's What You Can Expect”
• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood”
• “Do You Think You Have No AI Exposures? Think Again”

4 - Advisory: Royal ransomware gang now goes by BlackSuit

The Royal ransomware group has changed its name to BlackSuit and revamped its tactics, techniques and procedures (TTPs) to sharpen its attacks, CISA and the FBI announced this week in an updated advisory about this cybercrime posse.

The joint advisory, first published in March 2023, is now titled “#StopRansomware: BlackSuit (Royal) Ransomware” and also includes new indicators of compromise (IOCs), as well as new detection methods. The advisory’s most recent data was obtained as recently as July 2024.

Here’s a sampling of new and updated information:

• Before encrypting victims’ data, BlackSuit exfiltrates the data and engages in extortion tactics. If victims don’t pay the ransom, BlackSuit publishes their data to a leak site.
• Phishing emails are one of BlackSuit’s preferred methods for gaining initial access to a victim’s network. 
• BlackSuit’s ransom demands range from $1 million to $10 million. It requires that payment be made using Bitcoin. 
• To date, BlackSuit attackers have demanded $500 million-plus in ransoms, and have shown a willingness to negotiate payment amounts. Attackers prefer to communicate ransom demands via telephone calls and email messages.

Mitigation recommendations include:

• Make it a priority to patch known vulnerabilities that have been exploited.
• Teach users how to recognize phishing attacks.
• Protect admin accounts with phishing-resistant multi-factor authentication and with time-based access.
• Segment networks to prevent ransomware infections from spreading.
• Back up data offline and encrypt it.

To get more details, check out:

• CISA’s alert “Royal Ransomware Actors Rebrand as “BlackSuit,” FBI and CISA Release Update to Advisory”
• The updated joint advisory “#StopRansomware: BlackSuit (Royal) Ransomware”

5 - U.S. DoJ sues TikTok over children’s privacy

The U.S. government has sued TikTok and its parent company ByteDance for allegedly violating the Children’s Online Privacy Protection Act (COPPA).

In a civil lawsuit filed last week in district court, the U.S. government alleges that TikTok has knowingly allowed children under 13 to create regular accounts and use the social media service to create and share videos, and to exchange messages with adults.

The complaint, filed in U.S. District Court for the Central District of California by the Department of Justice and the Federal Trade Commission, further alleges that TikTok and ByteDance:

• Collected and stored personal information from these children without alerting nor getting consent from their parents
• Frequently failed to honor parents’ requests to delete their children’s accounts and information
• Had “deficient and ineffectual” policies and processes for identifying and deleting accounts created by children
• Unlawfully collected and retained children's personal information even in "Kids Mode" accounts, which are tailored for users under 13

TikTok and ByteDance have been under a court order barring them from violating COPPA since 2019, when TikTok’s predecessor Musical.ly settled a lawsuit with the U.S. government. This new lawsuit seeks civil penalties and injunctive relief.

“With this action, the Department seeks to ensure that TikTok honors its obligation to protect children’s privacy rights and parents’ efforts to protect their children,” Acting Associate Attorney General Benjamin C. Mizer said in a statement.

In comments to the media, TikTok disputed the U.S. government’s claims. “We disagree with these allegations, many of which relate to past events and practices that are factually inaccurate or have been addressed,” TikTok spokesperson Michael Hughes said in a statement sent to CNN.com.

President Biden signed a bill into law that requires ByteDance to sell its U.S. TikTok operations by January 19, 2025. If it doesn’t, TikTok would be banned in the U.S. ByteDance is challenging the law in a U.S. appeals court.

For more information about privacy and security concerns around TikTok:

• “Is TikTok a National Security Risk?” (The New York Times)
• “Majority of Americans say TikTok is a threat to national security” (Pew Research Center)
• “TikTok Ban Raises Data Security, Control Questions” (Dark Reading)
• “FTC investigating TikTok over privacy and security” (CNN)
• “How TikTok Grew From a Fun App for Teens Into a Potential National Security Threat” (Associated Press)

VIDEOS

DOJ suing TikTok (ABC News)

The data security concerns surrounding social media app TikTok (The Financial Times)

6 - CIS releases new or updated Benchmarks for Microsoft, Google and Mozilla products

The Center for Internet Security issued new and updated CIS Benchmarks for various products, including Microsoft Office Enterprise, Google Kubernetes Engine (GKE) Autopilot and Mozilla Firefox Extended Support Release (ESR) Group Policy (GPO).

Here’s the full list of updated and new CIS Benchmarks for July.

Updated

• CIS Apache HTTP Server 2.4 Benchmark v2.2.0
• CIS Docker Benchmark v1.7.0
• CIS Microsoft Edge Benchmark v3.0.0
• CIS Microsoft Office Enterprise Benchmark v1.2.0

New

• CIS Google Kubernetes Engine (GKE) Autopilot Benchmark v1.0.0
• CIS Mozilla Firefox ESR GPO Benchmark v1.0.0
• CIS Talos Linux Benchmark v1.0.0

Organizations use the CIS Benchmarks’ secure-configuration guidelines to harden products against attacks. Currently, CIS offers 100-plus Benchmarks for 25-plus vendor product families. Categories of products include cloud platforms; desktop and server software; mobile devices; operating systems; and more.

To get more details, read the CIS blog “CIS Benchmarks August 2024 Update.” For more information about the CIS Benchmarks list, check out its home page, as well as:

• “How to use CIS benchmarks to improve public cloud security” (TechTarget)
• “How to Unlock the Security Benefits of the CIS Benchmarks” (Tenable)
• “Getting to Know the CIS Benchmarks” (CIS)
• “CIS Benchmarks Communities: Where configurations meet consensus” (HelpNet Security)
• “CIS Benchmarks: DevOps Guide to Hardening the Cloud” (DevOps)

VIDEO

CIS Benchmarks (CIS)

###