- Cyber Pro Club
- Posts
- Security Is A Team Sport!
Security Is A Team Sport!
Security Testing Strategies, AI Security Resources & Democratising Security
Cal J Hudson
April 30, 2024
đź‘‹ Good morning, Cyber Pros!
This week’s issue brings you:
Why security is a team sport
Security testing strategies
AI security resource roundup
What does "democratising security" mean?
Let’s dive in!
Read time: ~6 mins
CAREER
SECURITY IS A TEAM SPORT
Summary: It’s easy to accidentally form siloed capabilities within security teams. We all have our own objectives and priorities. But what I’ve found is that the teams that optimise for collaboration, mature at a much faster rate.
Details:
The above diagram serves as an example of how different security teams interact with new insights, such as a vulnerability and updated industry best practice.
A new vulnerability can be discovered by multiple teams: vulnerability management, security operations, security architecture and more.
The best security capabilities have mechanisms to share this information across teams. Perhaps upon investigation by the threat hunting team, a live threat is discovered. Security operations should inform security architecture and engineering of this, so they can design and implement the appropriate mitigations. This will improve the overall security posture and prevent related reoccurring issues.
The overarching aim of the security function is to reduce risk and improve the security posture. The best way to do this is through working collaboratively. Ensure you security team has the necessary forums, communication channels, and processes to enable this.
This also extends beyond security. The best operations I’ve seen have friction reducing cultures that enable legal, compliance, training and awareness, and technology teams to work together.
Actions:
Perform an analysis of the capabilities that exist within your security function. Evaluate how collaboration is (or isn’t) taking place and consider ways you could improve this.
Process is king. Document a new proposed way of working and share with management. If accepted, present to your function and begin the journey of embedding it into the fabric of the security team.
If you don’t know the other security teams very well, reach out and introduce yourself. Learn about their work, challenges and goals - I guarantee there’s something obvious you could be doing that’s mutually beneficial!
LEARNING
SECURITY TESTING STRATEGIES YOU NEED TO KNOW
Summary: Building secure systems requires a holistic approach to testing and evaluating security posture from many angles. I’ve created a list of 6 essential security testing strategies every organisation should have in their testing arsenal.
Details:
1/ Vulnerability Scanning
Automated tools scan systems, apps, and networks for known vulnerabilities
Effective for quickly identifying and patching low-hanging fruit vulnerabilities
Should be run regularly (weekly or monthly) on all internet-facing assets
Limited by scope of its vulnerability database - can miss zero-days
2/ Penetration Testing
Simulates real-world attack scenarios by ethical hackers
Identifies gaps and blindspots missed by vulnerability scans
Validates security controls and exposes design/logic flaws
Should be performed at least annually and after major changes
Types include network, web app, wireless, social engineering, and more
3/ Static Application Security Testing (SAST)
Examines source code for security defects before deployment
Catches coding flaws like SQL injection, buffer overflows early
Should be integrated into the software development lifecycle
Enables fixing flaws before code is released to production
4/ Dynamic Application Security Testing (DAST)
Tests running application from outside perspective
Identifies vulnerabilities that static testing misses
Useful for web apps, APIs, cloud-native and legacy apps
Finds logic flaws, configuration issues, runtime errors
5/ Security Auditing
In-depth evaluation of systems, applications, processes
Conducted by experienced security professionals
Provides strategic recommendations to improve security posture
Essential for high-risk systems, meeting compliance requirements
6/ Risk Assessment
Identifies threats and potential impacts to the business
Quantifies likelihood and severity of risks
Guides prioritisation of security efforts and investments
Critical first step for building an effective security program
Other important factors to consider:
Other key strategies include threat modelling, security monitoring, incident response testing, and more. No single approach is sufficient - organisations need a blended testing program.
Frequency of testing depends on the risk levels and legislative/compliance requirements.
Internet-facing systems should undergo more frequent vulnerability scans and penetration tests.
Regular, comprehensive testing is vital for uncovering security gaps before attackers exploit them. By combining multiple strategies, businesses can gain fuller visibility and enhance their overall security posture.
AI & SECURITY
RESOURCE ROUNDUP
Tailored Slackbots for Incident Response, SDLC and Triage.
This is a great listen for those interested in the challenges and considerations of integrating LLMs into various applications, the evolution of RAG techniques, and potential LLM vulnerabilities.
The National Security Agency has released a Cybersecurity Information Sheet that provides guidelines for securely deploying AI systems.
Key takeaway 1 - Secure the boundaries between the IT environment and the AI system: Use rules-based access control mechanisms to moderate access for retrieval-augmented generation (RAG).
Key takeaway 2 - Upgrade audit and penetration testing approach to accommodate AI systems: external experts / consultants may be needed to shape your strategy if you don't possess this knowledge in-house.
Key takeaway 3 - Before you onboard, make sure you understand deletion capabilities: consider end-of-life scenarios where the promising AI tool you purchased calls it a day with upgrades, or new versions aren’t compatible with your set-up.
Meta has released CYBERSECEVAL 2, a novel benchmark to quantify LLM security risks and capabilities. They have introduced two new areas for testing: prompt injection and code interpreter abuse.
Learn how to protect against common LLM vulnerabilities with a guide and benchmark test called PINT. The benchmark evaluates prompt defense solutions and aims to improve AI security.
48 security vulnerabilities in the AI/ML supply chain!
This has grown 220% from the 15 vulnerabilities that were first reported in November. This underscores that the scale and velocity of AI/ML Zero Days is accelerating.
LEARNING
WHAT DOES “DEMOCRATISING SECURITY” MEAN?
Source: Wiz
Overview: “Democratising security” is the idea that security should be a shared responsibility across different teams in an organisation.
Key takeaways:
Democratising security means incorporating it into everyone's roles, allowing for maximum impact with minimal added resources.
This idea aligns with Shift Left Security (I last wrote about this here). The goal is give developers and business stakeholders visibility of risks and issues, as well as ways to fix them.
Real-world examples of companies adopting this approach have seen success in identifying and eradicating security vulnerabilities.
Evangelising for the distribution of security work across teams may require a significant change in mindset and strong leadership commitment, which could be a challenge for some organisations.
Incorporating different personas, such as AI engineers and data scientists, into the new security operating model may require additional education and resources.
FEEDBACK
DID YOU ENJOY THIS ONE?
If you’ve got a question or feedback, you can reply to this directly!
I want to create a newsletter that you can’t wait to open every week.
Your feedback will help me do that.
REFERRALS
SHARE CYBER PRO CLUB!
If you found this newsletter valuable, share this link with others: https://www.cyberproclub.com/subscribe
Thanks for reading.
Cal J Hudson