This week:

3 – Why Microsoft needs to listen to its own security advice,

2 – Why AI will make phishing even more dangerous, and

1 – What an ETF ticker can tell us about cyber security.


3 – Microsoft security guidance: Do as I say, not as I do.

The email accounts of senior executives in Microsoft were accessed by cyber attackers because MFA (Multi-Factor Authentication) was not enforced.

According to a recent blog post by Microsoft, and shared by Tom Lawrence on LinkedIn: “Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account [..] and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents.” Following the attack, Microsoft has stated that “We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes.”

So what?

  1. Enforce MFA on all internet-accessible accounts.
  2. Go to step 1.


2 – Before AI takes over the world, it will certainly take over social engineering.

“All types of cyber threat actor—state and non-state, skilled and less skilled—are already using AI. [..] AI will primarily offer threat actors capability uplift in social engineering. [..] Generative AI (GenAI) can already be used to enable convincing interaction with victims [..] without the translation, spelling and grammatical mistakes that often reveal phishing. This will highly likely increase over the next two years as models evolve and uptake increases.”

This is according to the UK’s National Cyber Security Centre (NCSC), which recently published a report on the risks posed by AI over the next two years. (Analysis of the report was recently published by PC Magazine, and shared by ISACA).

Alongside the impact on phishing & social engineering, the NCSC believes “AI will almost certainly make cyberattacks [..] more impactful because threat actors will be able to analyze exfiltrated data faster and more effectively.”

So what?

At every one of my cyber security awareness sessions over the last 12 months, I have been asked about AI’s impact on cyber security. The NCSC provides 2 clear answers:

  1. Phishing & social engineering will get harder for us to spot.
  2. Attackers will get better at figuring out the value of any data they have stolen.


1 – Even the stock market understands the value of software patching.

What is the most appropriate ticker for an ETF (Exchange Traded Fund) that focuses on cyber security companies? BUG!

This is according to this listing on the Global X ETF platform, sent my way by Simon O’Sullivan.

So what?

Every organisation needs a secure foundation, and keeping software up-to-date is a key element of that foundation.

Bugs (e.g. security holes in a piece of software) are frequently used by cyber attackers to gain access to an organisation’s computer systems. If you don’t “patch” the security “hole” by installing the latest software updates, that “hole” could be the reason why you become the next attack victim.

If you don’t believe me, believe the people who named this ETF!