Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Company Security. Show all posts
Risk Management
AI Attacks AI Policy AI Risks Company Security Cyber Safety Cyber Security Cybersecurity Crisis Risk Management

Addressing AI Risks: Best Practices for Proactive Crisis Management

 

An essential element of effective crisis management is preparing for both visible and hidden risks. A recent report by Riskonnect, a risk management software provider, warns that companies often overlook the potential threats associated with AI. Although AI offers tremendous benefits, it also carries significant risks, especially in cybersecurity, which many organizations are not yet prepared to address. The survey conducted by Riskonnect shows that nearly 80% of companies lack specific plans to mitigate AI risks, despite a high awareness of threats like fraud and data misuse. 

Out of 218 surveyed compliance professionals, 24% identified AI-driven cybersecurity threats—like ransomware, phishing, and deepfakes — as significant risks. An alarming 72% of respondents noted that cybersecurity threats now severely impact their companies, up from 47% the previous year. Despite this, 65% of organizations have no guidelines on AI use for third-party partners, often an entry point for hackers, which increases vulnerability to data breaches. Riskonnect’s report highlights growing concerns about AI ethics, privacy, and security. Hackers are exploiting AI’s rapid evolution, posing ever-greater challenges to companies that are unprepared. 

Although awareness has improved, many companies still lag in adapting their risk management strategies, leaving critical gaps that could lead to unmitigated crises. Internal risks can also impact companies, especially when they use generative AI for content creation. Anthony Miyazaki, a marketing professor, emphasizes that while AI-generated content can be useful, it needs oversight to prevent unintended consequences. For example, companies relying on AI alone for SEO-based content could risk penalties if search engines detect attempts to manipulate rankings. 

Recognizing these risks, some companies are implementing strict internal standards. Dell Technologies, for instance, has established AI governance principles prioritizing transparency and accountability. Dell’s governance model includes appointing a chief AI officer and creating an AI review board that evaluates projects for compliance with its principles. This approach is intended to minimize risk while maximizing the benefits of AI. Empathy First Media, a digital marketing agency, has also taken precautions. It prohibits the use of sensitive client data in generative AI tools and requires all AI-generated content to be reviewed by human editors. Such measures help ensure accuracy and alignment with client expectations, building trust and credibility. 

As AI’s influence grows, companies can no longer afford to overlook the risks associated with its adoption. Riskonnect’s report underscores an urgent need for corporate policies that address AI security, privacy, and ethical considerations. In today’s rapidly changing technological landscape, robust preparations are necessary for protecting companies and stakeholders. Developing proactive, comprehensive AI safeguards is not just a best practice but a critical step in avoiding crises that could damage reputations and financial stability.
Read more »
Vulnerabilties and Exploits
CISA Company Security FBI Path Traversal Vulnerabilties and Exploits

CISA Ask Companies to Fix Path Traversal Vulnerabilities


CISA and FBI urge companies to take patch actions 

CISA and the FBI recommended software companies today to assess their products and fix route traversal security flaws before selling.

Attackers can leverage path traversal vulnerabilities (also known as directory traversal) to create or overwrite important files used to execute malware or circumvent security systems such as authentication. 

“Additionally, this Alert highlights the prevalence, and continued threat actor exploitation of, directory traversal defects. Currently, CISA has listed 55 directory traversal vulnerabilities in our Known Exploited Vulnerabilities (KEV) catalog,” says the CISA and FBI joint report.

Impact of these security loops

Such security holes can also allow threat actors to acquire sensitive data, such as credentials, which can then be used to brute-force existing accounts and compromise the targeted systems.

Another option is to disable or limit access to vulnerable systems by overwriting, destroying, or altering critical authentication files (which would lock out all users).

CISA and the FBI propose that software buyers ask vendors if they completed formal directory traversal testing. 

To eliminate this type of problem from all goods, manufacturers should ensure that their software developers immediately install the necessary mitigations. Integrating security into products from the start can eliminate directory traversal issues.

About directory traversal vulnerabilities

Directory traversal vulnerabilities occur when users manipulate inputs, such as file paths, to gain unauthorized access to application files and directories. Malicious cyber actors can use these exploits to access restricted directories and read, change, or write arbitrary files, which can have adverse effects.

How Can Software Vendors Avoid Directory Traversal Risks?

To minimize directory traversal vulnerabilities in software products, developers should apply proven mitigations such as:

  • Use random identification and store metadata independently (e.g., in a database) instead of relying on user input for a file name.
  • If the previous strategy is not followed, restrict file names to alphanumeric characters. Please ensure that submitted files do not have executable permissions.

Path vulnerabilities ranked eighth on MITRE's list of the 25 dangerous software issues, trailing only out-of-bounds write, cross-site scripting, SQL injection, use-after-free, OS command injection, and out-of-bounds read flaws.

In March, CISA and the FBI released another "Secure by Design" alert, advising executives of software manufacturing companies to develop mitigations to prevent SQL injection (SQLi) security risks.

SQLi vulnerabilities were listed third among MITRE's top 25 most hazardous software vulnerabilities between 2021 and 2022, trailing only out-of-bounds writes and cross-site scripting.

Read more »
Safety
Company Security Cyber Security Data Ransomware Safety

DDoS is Emerging as the Most Important Business Concern for Edge Networks

 

Businesses are particularly concerned about distributed denial-of-service (DDoS) attacks because they believe they will have the most impact on their operations. This was one of the key conclusions of AT&T's "2023 Cybersecurity Insights Report," which was based on a poll of 1,418 people. AT&T Business's head of cybersecurity evangelism, Theresa Lanowitz, describes the perceived risk and surge in concern about DDoS assaults as "surprising."

She adds, "With edge, the attack surface is changing, and taking down a large number of Internet of Things (IoT) devices can have a significant impact on the business, The near real-time data created and consumed by most edge use cases make DDoS attacks attractive. By its definition, a DDoS attack will degrade a network and response time. Those who have not invested in DDoS protection are indicating the timing is right to do so."

According to the report, ransomware dropped to eighth place out of eight in terms of perceived likelihood of attack type. Nonetheless, Lanowitz observes that over the last 24 months, organizations of all sizes have invested in ransomware prevention.

"However, ransomware criminals and their attacks are relentless," she warns. 

According to another research, cyber adversaries may cycle with the rise and decline of different sorts of attacks. Operating systems embedded in edge IoT devices make it more expensive for a financially motivated adversary to target the device with ransomware, explains Lanowitz.  

She further noted, "It is far more time intensive to write and deploy destructive code for an IoT device running a derivative of a version of Linux than to target a Windows-based laptop."

One of the most pleasantly surprising results in the report, she says, is how organizations are investing in security for an edge: security funds have grown to 22% of overall project costs, allocated evenly with strategy.

"We asked survey participants how they were allocating their budgets for primary edge use cases. The results show that security is clearly an integral part of the edge, and that security is being planned for proactively, " she explained.

She cited survey results indicating that apps, as well as much-needed security for ephemeral edge applications, are included in the overall plan for edge project funding. The expected outcome of what the edge delivers is shifting how organizations budget, plan, and think about focusing on a digital-first business, Lanowitz continues.

Another surprising finding from the survey is that globally, the likelihood of a compromise and impact to the business decreased by 28% and 26%, respectively.

She added, "Perhaps this is a case of irrational exuberance, but our qualitative analysis proves that with the edge there is far more communication and collaboration. Communication, cross-functional work, the line of business leading edge investments, and the use of trusted advisors all play a role in more optimism regarding catastrophic security events."

"Edge computing, with its changing attack surface, means the adversaries are seeing things differently," Lanowitz says. "Likewise, businesses must take that same view of an expanded attack surface, potential new threats, or potential increases in existing threats."

The report comes as DDoS attacks continue to make headlines, with the German government reporting that the Killnet DDoS knocked German websites offline temporarily, and the Serbian government reporting that it prevented five attempts aimed at destroying Serbian infrastructure.

KillNet, a pro-Russian hacktivist group that runs campaigns against countries that support Ukraine, has recently increased its daily DDoS attacks targeting healthcare organizations. In November 2022, over 50 of the most popular platforms available for hire to execute distributed DDoS assaults against important Internet infrastructure were shut down and their operators were arrested as part of Operation Power Off, a large multinational law enforcement sweep.

Read more »
Subscribe to: Posts (Atom)