CISOs drive the intersection between cyber maturity and business continuity - Related to drive, business, frontier, 4, trends

4 trends in software supply chain security

Some of the biggest and most infamous cyberattacks of the past decade were caused by a security breakdown in the software supply chain. SolarWinds was probably the most well-known, but it was not alone. Incidents against companies like Equifax and tools like MOVEit also wreaked havoc for organizations and. clients whose sensitive information was compromised.

Expect to see more software supply chain attacks moving forward. ’ The State of Software Supply Chain Security 2024 study, attacks against the software supply chain are getting easier and more ubiquitous.

“For example, Operation Brainleeches, identified by ReversingLabs in July. Showed elements of software supply chain attacks supporting commodity phishing attacks that use malicious email attachments to harvest logins,” the investigation stated.

It is easier to conduct software supply chain attacks, so they are increasing at an alarming rate. The ReversingLabs analysis saw a 1,300% increase in threats coming from open-source package repositories last year. That’s the bad news.

The good news is that cybersecurity teams and government entities recognize the risks coming from the software supply chain, and there is a lot of action toward defending against these attacks and steps to solidify security before the software is released into the wild.

Who controls the software and who controls the device are the game-changers in software supply chain security, . Sr., Director of Security Product Marketing and Management at CommScope. But that’s hyper-focused down to the developers and system engineers creating the software and setting up the systems. The problem is that there is little integration within an organization to enable effective control.

Companies have a lot of tools, but. They are scattered around, says Qiu. Everyone is siloed, doing things in different ways. That approach has to change.

It is the federal government that is taking the lead in tackling software supply chain security with technical regulations and laws.

“To improve your software supply chain security. You need to have a common standard,” says Qiu. “I think this is a good way to fill those gaps.”.

Additionally, the most recognizable action taken by the government entities was the Executive Order(EO) from the Biden administration, which addresses the nation’s cybersecurity but. Especially emphasizes protecting the software supply chain. In conjunction with that EO, a cross-sector group representing different government agencies, the Enduring Security Framework (ESF) Software Supply Chain Working Panel. Put together a comprehensive guide for recommended practices of security in the software supply chain for developers. NIST also has a framework to secure the software supply chain.

4 security solution trends for the software supply chain.

But government guidelines and regulations only go so far, and it is up to organizations to advanced equip themselves with the tools, solutions and. Processes that allow developers, engineers and security and IT teams to address risks within the software supply chain. There are a number of ideas and tools out there, some initiated by the government, that are trending in the battle against vulnerabilities and threats.

At RSAC2024. CISA Director Jen Easterly and a panel of cybersecurity professionals gave a panel on CISA’s Secure by Design initiative. The idea is to build security into products and make it a business feature and. Core technical requirement rather than the more standard approach of treating security as a failure. “During the design phase of a product’s development lifecycle, companies should implement Secure by Design principles to significantly decrease the number of exploitable flaws before introducing them to the market for widespread use or consumption,” the initiative’s website states.

Part of the presentation was the introduction of the initial group of businesses that took the Secure by Design pledge. , “By participating in the pledge, software manufacturers are pledging to make a good-faith effort to work towards the goals listed below over the following year.” The pledge includes a list of goals for developers and. Organizations to work toward. These goals include standards around MFA, reducing default passwords and advanced transparency around vulnerability disclosure and reporting. More than 200 organizations have taken the pledge so far.

SBOMs are a nested inventory of all the components that make up a software application. The components can include open source, third parties, patch status and licenses. SBOMs have become a key part of the software supply chain security structure and are endorsed by CISA as a way for developers to build a community that works together to share ideas and experiences around operationalization, scaling. Technologies, new tools and use cases. To encourage SBOM use and understanding, CISA facilitates regular meetings from those across the software development and design community and also offers a resource library.

SBOMs can help an organization identify risks, especially in third-party and. Proprietary software packages: track vulnerabilities within the different components; ensure compliance and help the team make more effective security decisions by being more aware of the component parts of their software.

3. Supply-chain levels for software artifacts (SLSA) frameworks.

SLSA is a security framework to safeguard the integrity of software artifacts. It is a checklist of standards to enhanced improve the integrity of the software, prevent tampering and exploitation and. Keep the infrastructure and application packages secure. The framework was based on Google’s production workloads and offers a structured approach to evaluating the security posture of software components throughout the supply chain.

4. Governance, risk and compliance (GRC) management.

GRC management is used to mitigate security risks within a software development supply chain while ensuring the software meets required regulatory compliances and. Security standards. Some of the areas that GRC monitors include:

Identifying risks across the entire software supply chain.

Vendor risk management and assessment of third-party security posture before integrating the software into your organization’s system.

Compliance management to meet industry and government standards.

Policy enforcement across the development lifecycle.

Incident response after a cyber incident caused by the software supply chain.

GRC management tools can also be used with SBOM analysis.

Moving to another aspect, the evolving puzzle of software supply chain security.

Furthermore, this is just a sample of the tools and. Solutions used to protect the software supply chain from risk. As security is more consciously built into the software and developers and engineers share information in communities rather than working in silos, there is a fighting chance of slowing the threats against the software supply chain.

A new audit of DeepSeek's mobile app for the Apple iOS operating system has found glaring security issues. The foremost being that it sends sensitive ...

Netzwerkadmins mit BIG-IP-Appliances sollten die weiterführenden Informationen zum Quartalssicherheitsupdates von F5 studieren. Die Entwickler haben d...

Die US-amerikanische IT-Sicherheitsbehörde CISA warnt vor jüngst beobachteten Angriffen in freier Wildbahn auf Schwachstellen in Linux, Apache OFBiz, ...

CISOs drive the intersection between cyber maturity and business continuity

The modern corporate landscape is marked by rapid digital change, heightened cybersecurity threats and an evolving regulatory environment. At the nexus of these pressures sits the chief information security officer (CISO), a role that has gained newfound influence and responsibility.

The recent Deloitte Global Future of Cyber Survey underscores this shift, revealing that “being more cyber mature does not make organizations immune to threats; it makes them more resilient when they occur, enabling critical business continuity.” High-cyber-maturity organizations increasingly integrate cybersecurity risk strategies. Security practices and trust-building approaches into their business and technology transformations. And it’s all enabled by a cyber-savvy C-suite and influential CISOs.

Let’s explore how cyber maturity enhances resilience, why cyber is now being integrated into broader business budgets and what organizations can do to bolster their business continuity.

The expanding role of CISOs in corporate strategy.

Historically, CISOs were typically siloed within the IT department. Focusing on technical and operational aspects of cybersecurity. However, as threats have evolved, so has the role of the CISO. ’s findings, about one-third of organizations have seen a significant increase in CISO involvement in strategic conversations about business-critical technology decisions. Furthermore, approximately one in five CISOs now findings directly to the CEO, marking a shift toward greater business alignment and visibility. This expanded role places CISOs alongside other senior leaders to guide decisions on digital transformation, cloud security, and supply chain resilience.

Emily Mossburg, Deloitte’s global cyber leader, notes that “many boards and C-suites now require or need further knowledge into potential threats, security vulnerabilities, risk scenarios and actions needed for greater resilience.” CISOs are increasingly tasked with not only understanding these complex cyber landscapes but also translating them into language that senior leadership and. Boards can act upon.

Cybersecurity as an integral business strategy.

In high-cyber-maturity organizations, cybersecurity is embedded across operations, facilitating a seamless alignment between risk management and business goals. , these organizations are more resilient when incidents occur, enabling critical business continuity by preparing for and swiftly responding to cyber threats. This proactive integration is not limited to IT. It extends into every function that touches digital infrastructure — from operations and finance to customer experience and product innovation.

In modern digitally interconnected ecosystems. A cyber incident affecting one partner could impact the entire supply chain. High-cyber-maturity organizations anticipate these risks by establishing protocols and response measures that enable them to recover quickly, ensuring continuity across all critical operations. Companies with lower cyber maturity, on the other hand, face longer recovery times and can suffer more severe impacts on their revenue, brand reputation and. Operational capabilities.

Additionally, this integration of cybersecurity into broader strategic goals reflects a more nuanced understanding of cyber resilience. Instead of viewing cybersecurity solely as a cost center, leaders increasingly recognize it as a foundational element of business value and continuity. This understanding translates into improved allocation of resources and a more balanced approach to cyber risk management.

As cybersecurity gains prominence within business strategy. Budget allocations are changing to reflect its importance across multiple areas. Deloitte’s findings indicate that many organizations are beginning to integrate cybersecurity spending with other budgets, such as digital transformation, IT programs and cloud investments. This shift acknowledges the cross-functional impact of cybersecurity, particularly in organizations with complex, interconnected digital ecosystems.

The trend is mirrored by a recent IANS and Artico Search survey. Which reported an 8% increase in cybersecurity spending this year, up from 6% in 2023. While modest, this increase indicates that organizations recognize the need for sustained investment in cyber resilience to keep pace with emerging threats, especially as AI and. Automation reshape the cyber landscape.

Integrating cybersecurity with broader budgets also aligns with the CISO’s role in risk quantification and value communication. Techniques such as the FAIR (Factor Analysis of Information Risk) model allow CISOs to translate cybersecurity risks into financial metrics, making it easier to justify investments and demonstrate ROI to the C-suite.

Navigating regulatory mandates and. Disclosure requirements.

Regulatory mandates are also shaping the evolving role of the CISO and cybersecurity’s integration into corporate strategy. With the Securities and Exchange Commission (SEC) now requiring companies to disclose material cyber incidents and provide insights into their cyber strategy. CISOs are under pressure to ensure regulatory compliance. This disclosure requirement applies to both and foreign companies trading on markets, reinforcing cybersecurity’s critical role across global business operations.

The SEC’s regulatory emphasis on transparency has heightened the importance of cybersecurity within boardrooms, leading senior executives to turn to CISOs for guidance on managing risks and. Compliance. Beyond markets, regulatory authorities worldwide are implementing frameworks and standards that require companies to investigation cyber incidents, particularly as ransomware and. Other cyberattacks have grown more prevalent. In addition to regulatory compliance, the reputation and operational continuity tied to regulatory adherence have pushed CISOs to develop comprehensive cybersecurity strategies that align with overall business goals.

Steps to building a cyber-resilient organization.

High-cyber-maturity organizations demonstrate that integrating cybersecurity into business strategy requires more than technical defenses; it demands a multi-dimensional approach encompassing governance, culture and. Operational resilience. Here are several key areas where organizations can focus to build a cyber-resilient structure:

Leadership and governance: Effective cybersecurity governance starts at the top. Organizations should establish clear reporting structures where CISOs communicate directly with the CEO or board. This positioning emphasizes cybersecurity’s strategic importance and enables informed decision-making at the highest levels. Risk management practices: Proactive risk management means identifying, assessing and mitigating cyber risks in line with business objectives. High-cyber-maturity organizations use both quantitative and qualitative methods to understand and prioritize risks, creating a structured approach to vulnerability management that could impact operations. Incident response and recovery: Resilient organizations are not just prepared for incidents; they are equipped to recover swiftly and minimize impact. Robust incident response plans, regularly tested and updated, are essential for ensuring that organizations can maintain continuity even amid significant cyber events. These plans should involve cross-functional teams and clear communication channels to coordinate an efficient response. Continuous improvement and innovation: Cybersecurity is a dynamic field where continuous improvement is critical. Organizations should prioritize regular evaluations and updates to their cybersecurity measures, allowing them to stay ahead of evolving threats. As AI, automation and other technologies emerge, adopting them to enhance cybersecurity capabilities—such as anomaly detection and automated incident response — can further boost resilience.

In the evolving landscape of cyber threats. The role of the CISO is becoming more integral to organizational resilience and business continuity. High-cyber-maturity organizations are leading the way, integrating cybersecurity into their strategic goals and recognizing that it is not merely an IT function but. A business-critical priority. By aligning cybersecurity spending with broader business budgets, they can enhance resilience and drive long-term value.

Jonathan Reed Freelance Technology Writer.

Der von Sicherheitsexperten, Bürgerrechtlern und Apple selbst kritisierte Investigatory Powers Act (IPA). Den die britische Regierung überarbeitet hat...

Cybersecurity researchers have uncovered two malicious machine learning (ML) models on Hugging Face that leveraged an unusual technique of "broken" pi...

In den Universal-Druckertreibern für PCL6 und Postscript von HP klaffen kritische Sicherheitslücken. Angreifer können dadurch Schadcode einschleusen u...

Stress-testing multimodal AI applications is a new frontier for red teams

Human communication is multimodal. We receive information in many different ways, allowing our brains to see the world from various angles and turn these different “modes” of information into a consolidated picture of reality.

We’ve now reached the point where artificial intelligence (AI) can do the same. At least to a degree. Much like our brains, multimodal AI applications process different types — or modalities — of data. For example, OpenAI’s ChatGPT can reason across text, vision and audio, granting it greater contextual awareness and more humanlike interaction.

However, while these applications are clearly valuable in a business environment that’s laser-focused on efficiency and adaptability. Their inherent complexity also introduces some unique risks.

, CNE Capability Development Lead at IBM: “Attacks against multimodal AI systems are mostly about getting them to create malicious outcomes in end-user applications or bypass content moderation systems. Now imagine these systems in a high-risk environment, such as a computer vision model in a self-driving car. If you could fool a car into thinking it shouldn’t stop even though it should, that could be catastrophic.”.

Multimodal AI risks: An example in finance.

Here’s another possible real-world scenario:

An investment banking firm uses a multimodal AI application to inform its trading decisions, processing both textual and. Visual data. The system uses a sentiment analysis tool to analyze text data, such as earnings reports, analyst insights and. News feeds, to determine how market participants feel about specific financial assets. Then, it conducts a technical analysis of visual data, such as stock charts and trend analysis graphs, to offer insights into stock performance.

An adversary. A fraudulent hedge fund manager, then targets vulnerabilities in the system to manipulate trading decisions. In this case, the attacker launches a data poisoning attack by flooding online news data with fabricated stories about specific markets and financial assets. Next, they launch an adversarial attack by making pixel-level manipulations — known as perturbations — to stock performance charts that are imperceptible to the human eye but. Enough to exploit the AI’s visual analysis abilities.

The result? Due to the manipulated input data and false signals, the system recommends buying orders at artificially inflated stock prices. Unaware of the exploit, the corporation follows the AI’s recommendations, while the attacker, holding shares in the target assets, sells them for an ill-gotten profit.

Now, let’s imagine that the attack wasn’t really carried out by a fraudulent hedge fund manager but was instead a simulated attack by a red team specialist with the goal of discovering the vulnerability before a real-world adversary could.

By simulating these complex, multifaceted attacks in safe. Sandboxed environments, red teams can reveal potential vulnerabilities that traditional security systems are almost certain to miss. This proactive approach is essential for fortifying multimodal AI applications before they end up in a production environment.

. 96% of executives agree that the adoption of generative AI will increase the chances of a security breach in their organizations within the next three years. The rapid proliferation of multimodal AI models will only be a force multiplier of that problem, hence the growing importance of AI-specialized red teaming. These specialists can proactively address the unique risk that comes with multimodal AI: cross-modal attacks.

Cross-modal attacks: Manipulating inputs to generate malicious outputs.

A cross-modal attack involves inputting malicious data in one modality to produce malicious output in another. These can take the form of data poisoning attacks during the model training and development phase or adversarial attacks, which occur during the inference phase once the model has already been deployed.

“When you have multimodal systems, they’re obviously taking input. And there’s going to be some kind of parser that reads that input. For example, if you upload a PDF file or an image, there’s an image-parsing or OCR library that extracts data from it. However, those types of libraries have had issues,” says Boonen.

Cross-modal data poisoning attacks are arguably the most severe since a major vulnerability could necessitate the entire model being retrained on an updated data set. Generative AI uses encoders to transform input data into embeddings — numerical representations of the data that encode relationships and meanings. Multimodal systems use different encoders for each type of data, such as text, image, audio and video. On top of that, they use multimodal encoders to integrate and align data of different types.

In a cross-modal data poisoning attack, an adversary with access to training data and. Systems could manipulate input data to make encoders generate malicious embeddings. For example, they might deliberately add incorrect or misleading text captions to images so that the encoder misclassifies them, resulting in an undesirable output. In cases where the correct classification of data is crucial, as it is in AI systems used for medical diagnoses or autonomous vehicles. This can have dire consequences.

Red teaming is essential for simulating such scenarios before they can have real-world impact. “Let’s say you have an image classifier in a multimodal AI application,” says Boonen. “There are tools that you can use to generate images and have the classifier give you a score. Now, let’s imagine that a red team targets the scoring mechanism to gradually get it to classify an image incorrectly. For images, we don’t necessarily know how the classifier determines what each element of the image is, so you keep modifying it. Such as by adding noise. Eventually, the classifier stops producing accurate results.”.

Vulnerabilities in real-time machine learning models.

Many multimodal models have real-time machine learning capabilities, learning continuously from new data. As is the case in the scenario we explored earlier. This is an example of a cross-modal adversarial attack. In these cases, an adversary could bombard an AI application that’s already in production with manipulated data to trick the system into misclassifying inputs. This can, of course, happen unintentionally, too, hence why it’s sometimes expressed that generative AI is getting “dumber.”.

In any case. The result is that models that are trained and/or retrained by bad data inevitably end up degrading over time — a concept known as AI model drift. Multimodal AI systems only exacerbate this problem due to the added risk of inconsistencies between different data types. That’s why red teaming is essential for detecting vulnerabilities in the way different modalities interact with one another, both during the training and. Inference phases.

Red teams can also detect vulnerabilities in security protocols and how they’re applied across modalities. Different types of data require different security protocols, but they must be aligned to prevent gaps from forming. Consider, for example, an authentication system that lets clients verify themselves either with voice or facial recognition. Let’s imagine that the voice verification element lacks sufficient anti-spoofing measures. Chances are, the attacker will target the less secure modality.

Multimodal AI systems used in surveillance and. Access control systems are also subject to data synchronization risks. Such a system might use video and audio data to detect suspicious activity in real-time by matching lip movements captured on video to a spoken passphrase or name. If an attacker were to tamper with the feeds, resulting in a slight delay between the two, they could mislead the system using pre-recorded video or audio to gain unauthorized access.

Getting started with multimodal AI red teaming.

While it’s admittedly still early days for attacks targeting multimodal AI applications, it always pays to take a proactive stance.

As next-generation AI applications become deeply ingrained in routine business workflows and even security systems themselves, red teaming doesn’t just bring peace of mind — it can uncover vulnerabilities that will almost certainly go unnoticed by conventional, reactive security systems.

Multimodal AI applications present a new frontier for red teaming. And organizations need their expertise to ensure they learn about the vulnerabilities before their adversaries do.

Charles Owen-Jackson Freelance Content Marketing Writer.

, der gemeinnützige Arm des Internetkonzerns Alphabet, gibt jährlich etwa 100 Millionen US-Dollar für nicht kommerzielle Zwecke aus. Bis zu ...

Legaltech-Startups bieten ihren Kunden juristische Dienstleistungen an, die teil- oder vollautomatisiert sind und können so hocheffizient viele Fälle ...

An attempt to block a phishing URL in Cloudflare's R2 object storage platform backfired yesterday. Triggering a widespread outage that brought down mu...