Hello, esteemed CISOs and cybersecurity enthusiasts!
Welcome to Secret CISO Newsletter #11, and what an incredible journey it has been so far! We're thrilled to announce that our community has grown to a staggering 5,000 subscribers in just 20 episodes, and we couldn't be more grateful for your unwavering support and enthusiasm. This milestone is a testament to the value and importance of our collective work in the cybersecurity field, and we're excited to keep growing together.
In celebration of our continued success, we're introducing a brand-new section in our newsletter, titled "Top CVEs." Starting from this episode, we'll be highlighting the most critical Common Vulnerabilities and Exposures (CVEs) published in the previous week. Our aim is to keep you informed and prepared, ensuring you stay one step ahead of emerging threats in the ever-evolving cybersecurity landscape.
Once again, thank you for being a part of our vibrant community and for helping us reach new heights. We're committed to bringing you even more valuable content, insights, and resources to help you excel in your role as a CISO. So buckle up and enjoy this week's content-packed edition of the Secret CISO Newsletter!
Stay vigilant and keep securing the digital world,
The Secret CISO Newsletter Team
1. Data Breaches
Ferrari, Skylink and iD Tech incidents in just one week
M7 Group’s Czech and Slovak operator Skylink has fallen victim to a hacker attack.
Skylink, the Czech and Slovak operator owned by M7 Group, has suffered a large-scale cyberattack orchestrated by a Russian hacking group. The hackers employed a DDoS attack to disrupt Skylink's satellite and internet television web services, causing outages to websites, customer systems, and applications. Although the television broadcast remained unaffected, Skylink has since implemented additional security measures to prevent future attacks.
Ferrari's High-Speed Data Breach: Ransomware Attack Exposes Customer Details
Italian luxury car manufacturer Ferrari has confirmed a ransomware attack that exposed customer contact information but did not affect company operations. The ransom demand prompted an investigation in collaboration with a leading cybersecurity firm and notification of relevant authorities. Though Ferrari did not confirm the date of the attack, it may be linked to an October 2022 RansomEXX group claim of stealing and leaking 7 GB of data from the company. Ferrari has informed customers of the potential data exposure and implemented additional security measures with third-party experts.
iD Tech's Silent Treatment: Parents Left in the Dark After Kids' Coding Camp Data Breach Affecting 1M Records
Weeks after a data breach at kids' tech coding camp iD Tech, parents are still seeking answers regarding the possible compromise of their children's data. The company has not acknowledged the breach nor notified parents. In February, a hacker claimed to have stolen about 1 million user records, including names, dates of birth, plaintext passwords, and unique email addresses. While some parents discovered the breach through notification services, others remain uninformed. iD Tech CEO Pete Ingram-Cauchi has not provided an explanation for the company's silence, and there is no evidence of iD Tech notifying affected account holders or reporting the breach per data breach notification laws.
2. Top CVEs
Google Chrome, IBM Security Guardium Key Lifecycle Manager, and Adobe ColdFusion critical flaws lead to remote and arbitrary code execution
CVE-2023-26359: Critical Vulnerability in Adobe ColdFusion Allows Arbitrary Code Execution
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability (CVE-2023-26359). This critical flaw could lead to arbitrary code execution without user interaction, potentially compromising the security of the affected systems. Users are urged to update their software to address this vulnerability. CVSSv3: 9.8
Multiple High Severity Out-of-Bounds Read Vulnerabilities in Google Chrome
Google Chrome versions prior to 111.0.5563.110 are affected by an out-of-bounds read vulnerability (CVE-2023-1534) in ANGLE, PDF, Password, and other components, which could allow a remote attacker to exploit heap corruption via a crafted HTML page. These high-severity issues require the renderer process to already be compromised. Users are advised to update Google Chrome to the latest version to mitigate this vulnerability. A set of related CVEs covers similar issues, all critical and leading to RCE. Google has awarded bounties as high as $10,000 and $8,000 per issue.
IBM Security Guardium Key Lifecycle Manager Affected by Multiple Vulnerabilities
IBM Security Guardium Key Lifecycle Manager has been found to have multiple vulnerabilities, which have been fixed in version 4.2. The issues include directory traversal, improper authorization, sensitive information exposure, and SQL injection. Users are advised to upgrade to IBM Security Guardium Key Lifecycle Manager v4.2 to receive the necessary fixes for these vulnerabilities.
3. Latest Research
ROP exploits, hacking ChatGPT, and GitHub RSA keys replacement
Synthetic Memory Protections: A New Approach to Thwart ROP Attacks
Return Oriented Programming (ROP) attacks continue to evolve, and existing solutions for ROP mitigation are incomplete. Synthetic Memory Protections, the fourth generation of stack smashing mitigations, offers a new approach to tackling these attacks. It introduces new synthetic permissions such as immutable mappings, execute-only permissions, stack permissions on mappings, and syscall permissions on mappings. By leveraging these permissions, system security can be strengthened, making it harder for attackers to successfully carry out ROP attacks.
InjectGPT: Exploring the Security Implications of Language Model Code Execution
Developers are increasingly integrating large language models (LLMs) into their applications, with some frameworks, like langchain and boxcars.ai, even offering direct code execution from LLMs as a built-in feature. Although convenient, this raises serious security concerns. An investigation of BoxCars, a Ruby-based framework, revealed that simply asking the model to execute arbitrary code led to remote code execution and SQL injection. To mitigate these risks, developers should use allowlist-based validation, run code in a sandbox, and limit the capabilities of the database user. However, even with these precautions, exposing LLM-generated code to user input remains risky and should be handled carefully.
GitHub Replaces RSA SSH Host Key to Enhance Security
GitHub has replaced its RSA SSH host key used for securing Git operations on GitHub.com to protect users from potential security threats. The update came after the RSA SSH private key was briefly exposed in a public GitHub repository. Although no GitHub systems or customer information were compromised, the company took this step as a precaution. The change only impacts Git operations over SSH using RSA, and users need to update their known hosts file to incorporate the new RSA SSH public key.
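Updating a known_hosts file after a host key rotation, as an added example that is not GitHub's own tooling: the key blobs and fingerprints are constructed placeholders, and the real replacement key's fingerprint must be taken from GitHub's published fingerprints, never from the network alone.

```python
# Added example, not GitHub's tooling: rotate an exposed ssh-rsa host key in
# an OpenSSH known_hosts file. Old entries for the host/key type are dropped
# (plain and hashed "|1|..." forms), and the replacement key is only written
# if its SHA256 fingerprint matches one obtained out-of-band.
import base64
import hashlib
import hmac

# Constructed sample known_hosts: one stale ssh-rsa entry for github.com plus
# unrelated entries that the rotation must leave untouched.
SAMPLE_KNOWN_HOSTS = """\
github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCqb2xk
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGl0cy1ub3QtYS1yZWFsLWtleQ==
gitlab.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCzb2xk
"""

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_host(host: str, salt: bytes) -> str:
    """Build a hashed known_hosts host field (|1|salt|HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (plain list or hashed) names `host`."""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest_b64))
    return host in field.split(",")

def rotate_host_key(known_hosts: str, host: str, key_type: str,
                    new_key_b64: str, expected_fp: str) -> str:
    """Return known_hosts with old `key_type` entries for `host` replaced."""
    actual = fingerprint(new_key_b64)
    if actual != expected_fp:  # refuse to trust a key that was not verified
        raise ValueError(f"fingerprint mismatch: got {actual}, expected {expected_fp}")
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == key_type and host_matches(fields[0], host):
            continue  # drop the exposed key
        kept.append(line)
    kept.append(f"{host} {key_type} {new_key_b64}")
    return "\n".join(kept) + "\n"
```

The same removal step is what `ssh-keygen -R github.com` performs on a real file; the fingerprint check is the part that step does not do for you.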
Security and operations balance, Top-5 CISO hurdles, and CISO values with Geoff Belknap
Balancing Security and Operations: The Emergence of the Chief Product Security Officer
The CISO Stories Podcast discusses the challenging role of a Chief Information Security Officer (CISO) in balancing security and operational needs. It emphasizes the importance of making informed decisions that minimize risk while maintaining a balance between the two objectives. The episode explores different perspectives, requirements, and issues to help CISOs reach optimal decisions that achieve a balance without amplifying risk.
Overcoming the Top 5 Hurdles: Mastering the CISO Mindset
In the "Life of a CISO" podcast episode, Dr. Eric Cole discusses the five challenges that every CISO encounters on their journey to success. While most professionals have a solid grasp on the technical and logistical aspects of their role, the mindset needed to excel in the field is often overlooked. This episode dives into these challenges and offers insights on developing the right mindset for a successful CISO career.
Becoming the Leader Your Company Needs: Make the Case for a CISO Role
In this CISO Series episode, David Spark and Geoff Belknap discuss the importance of having a Chief Information Security Officer (CISO) in an organization and how to make a compelling argument for the role. They also explore the skills and qualifications necessary to become a successful CISO and provide insights on how to demonstrate your potential as a CISO within your company.
5. CISO Jobs
Healthcare needs you!
Join Emergent Holdings as the Director, Chief Information Security Officer
Emergent Holdings is seeking a Director and Chief Information Security Officer (CISO) to oversee the company's information security and risk management functions. The CISO will be responsible for developing and implementing security programs, designing a Security Operations Center, and leading incident response plans. The ideal candidate should have at least ten years of experience in an information security environment and a Bachelor's degree in Computer Science or a related field. Strong leadership, communication, and problem-solving skills are essential for success in this role.
Safeguarding Health: Mercyhealth Seeks a Chief Information Security Officer
Mercyhealth is looking for a Senior Director and Chief Information Security Officer (CISO) to develop and maintain their information security program. Reporting to the VP/Chief Information Officer, the CISO will work on security policies, standards, guidelines, and procedures to ensure the protection of the organization's systems and data. Key responsibilities include developing security programs, managing risk assessments, overseeing security initiatives, and ensuring regulatory compliance. The ideal candidate should have at least 7 years of experience in information systems security and 3 years in security leadership, with relevant certifications such as CISSP, CISA, CHS, and CSCS. Healthcare experience is preferred.
Envisioning Security: VSP Vision Care Seeks a Chief Information Security Officer
VSP Vision Care is hiring a Chief Information Security Officer (CISO) to oversee assurance activities related to the availability, integrity, and confidentiality of their customer, business partner, employee, and business information. The CISO will work with executive management to determine risk levels for the organization and establish a corporate-wide information security management program. Key responsibilities include establishing long-range corporate policies, chairing the Information Security Steering Committee, directing the design and deployment of strategic security controls, and serving as the Incident Leader for cyber incidents. Candidates should have a Bachelor's Degree in Information Systems or a related field and at least 10 years of experience in information security, with a proven track record of developing policies and procedures.
In conclusion, we hope you enjoyed this byte-sized update on the latest CISO opportunities! Remember, securing the digital realm is a bit like playing Whack-a-Mole, but with cyber threats instead of moles. Let's keep knocking those threats down together! As a token of appreciation for reading this in full, please enjoy this cyber hamster 🐹 - your new, adorable digital companion.
Did you like this episode and our new Top CVE section? Let us know by replying to this email. We'd love to hear your thoughts!
Don't forget to share these opportunities across your network, because sharing is caring, especially when it comes to cybersecurity. Good luck on your quest to becoming a better CISO, and may the cyber force be with you!