The Javits Center in NYC opened its doors to hundreds of security experts from all around the world on November 15th and 16th, 2022. Over those two info-packed days, attendees participated in panels and presentations and shared their knowledge about enterprise security. Here are just some of the highlights from CyberTech NYC 2022.
The Larger The Organization, The More Turtles To Corral
Early in the conference, CyberTech Co-Founder Amir Rapaport shared a good analogy for how securing large enterprises has changed: corralling turtles.
Turtles move slowly, akin to how fast we adopt new tech or modify existing systems. If you only have a few turtles, keeping up with them and making sure they are safe is pretty straightforward. But when you add more and more turtles, it becomes increasingly difficult to manage them. When you get to hundreds or thousands of turtles, or IT services, manually chasing them and keeping them safe becomes overwhelming.
Unfortunately, there is no silver bullet for this problem of herding turtles; it takes staying vigilant and aware of newly emerging threats. This introductory session set the tone of the event, and his message of staying on top of new trends was echoed throughout the rest of CyberTech.
SBOMs Can Help Know What You Are Securing
One of the tools that enterprises and projects have recently started to adopt in the fight to keep their "turtles" safe is the software bill of materials, or SBOM.
According to Nir Peleg from Scribe Security, SBOMs can help keep your code safe at every phase of the software development lifecycle. He also cautioned that this means you need to consider SBOMs at different stages of the software development lifecycle (SDLC) as a business. He summed it up as 3 software events:
- Produce Software - Are you accounting for all tools through the toolchain? Are you producing documentation that is easy to read for both humans and machines?
- Choosing Software - Is the SBOM clear? Is it up to date?
- Operating Software - Are you keeping up with updates and the changes they can bring to the SBOM?
SBOMs are important to security from multiple angles and I think this simple framework can help any business frame the needed security conversations around software composition.
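To make the "choosing" and "operating" questions above concrete, here is an added example (not from the talk or from Scribe Security) that checks an SBOM for the fields a machine needs to resolve it, and diffs the SBOMs of two consecutive builds so the dependency changes an update brings are visible. The two documents are constructed, minimal CycloneDX-style JSON; the package names, versions and build numbers are illustrative only.

```python
import json

# Two constructed, minimal CycloneDX-style documents standing in for the SBOMs
# of consecutive builds. Names and versions are illustrative, not real output.
SBOM_BUILD_41 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "urllib3", "version": "1.26.12",
         "purl": "pkg:pypi/urllib3@1.26.12"},
        {"type": "library", "name": "idna", "version": "3.4",
         "purl": "pkg:pypi/idna@3.4"},
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
    ],
})

SBOM_BUILD_42 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"timestamp": "2022-11-16T09:00:00Z"},
    "components": [
        {"type": "library", "name": "urllib3", "version": "1.26.13",
         "purl": "pkg:pypi/urllib3@1.26.13"},
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
        # No purl: a human can read it, a tool cannot resolve it to a registry.
        {"type": "library", "name": "pampy", "version": "0.3.0"},
    ],
})


def load_components(sbom_json):
    """Return {name: version} for the components of a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["name"]: c.get("version", "") for c in doc.get("components", [])}


def check_clarity(sbom_json):
    """'Is the SBOM clear? Is it up to date?': report components that lack a
    version or a package URL, and whether the document carries a timestamp."""
    doc = json.loads(sbom_json)
    issues = []
    if "timestamp" not in doc.get("metadata", {}):
        issues.append("no metadata.timestamp; cannot tell how old this SBOM is")
    for c in doc.get("components", []):
        if not c.get("version"):
            issues.append(f"{c['name']}: missing version")
        if not c.get("purl"):
            issues.append(f"{c['name']}: missing purl, cannot be matched to a registry automatically")
    return issues


def diff_sboms(old_json, new_json):
    """What changed between two builds: added, removed and re-versioned components."""
    old, new = load_components(old_json), load_components(new_json)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted((n, old[n], new[n]) for n in set(old) & set(new)
                          if old[n] != new[n]),
    }


if __name__ == "__main__":
    for label, sbom in (("build 41", SBOM_BUILD_41), ("build 42", SBOM_BUILD_42)):
        for issue in check_clarity(sbom):
            print(f"{label}: {issue}")
    for kind, items in diff_sboms(SBOM_BUILD_41, SBOM_BUILD_42).items():
        print(f"{kind}: {items}")
```

Run against the two documents, the diff shows `idna` dropped, `pampy` added, and `urllib3` bumped, which is exactly the list a reviewer should look at before promoting build 42; the clarity check flags that build 41 has no timestamp and that the new `pampy` entry cannot be resolved by tooling.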
Securing The Supply Chain Takes Diligence
Jossef Kadouri, Head of Engineering at Checkmarx, talked about another important element of corralling "turtles", fighting supply chain attacks. As we move away from applications as stand-alone monolithic code bases and towards a world where our apps are produced via software factories with many open source code dependencies, keeping our applications safe requires careful investigation and vigilance before inviting new dependencies into our stack.
Jossef outlined 3 common attacks that they see and fight constantly in his organization.
1. StarJacking
2. Look-alike Names
3. Typosquatting
Starjacking, Popular Does Not Equal Safe
StarJacking is the practice of taking the link to a real GitHub repo with a lot of stars, the mark of excellence for a code project, and attaching it to the listing of a malicious package. Because package registries generally do not verify that the linked repository actually publishes the package, the real repo's GitHub stars end up displayed for a totally different project. If someone is just quickly looking for social validation that the package is popular, the listing will supply it, even though the code it actually downloads is different and potentially dangerous. One of the benefits of open source is that you can, and should, validate that the code you call is the code you expect.
Look-alike Names
Jossef reiterated how critical it is to ensure that you are looking at the right package. He gave the real-world example of the packages `pampy.io` vs `pampy`. Only one of those is the correct name, but without doing due diligence and investigating the code it is very confusing and hard to know which is correct. The incorrect one, `pampy.io` in this case, looked identical to `pampy` on the project's listing page; however, it contained 3 extra lines that downloaded and executed malicious code. Look-alike name exploits go hand-in-hand with StarJacking, making it extra critical to actually examine the code.
Typosquatting
We all make typoos sometimes. Malicious actors know this and are attempting to use it to their advantage. It is common to type letters in the wrong order when in a hurry. This can be especially true for package names, which tend to be acronyms or abbreviations, like `urllib3` or `idna` for example. Being one letter off, or shifting the position of a single character, might in the best case return an error that the package cannot be found. But in the worst case, malicious code can be injected into your application, unleashing untold damage.
The big takeaway from this session is: when in doubt, always look at the code before adding it to your application's codebase.
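The three attacks above share a cheap first-line check that can run before anyone reads the code: compare the candidate name against the packages you already trust, and compare the repository the listing advertises against what that repository says it publishes. The following is an added example (my own, not Checkmarx's tooling) in Python. The trusted-package list, the `Listing` record and all repository URLs are constructed; in practice `repo_package_name` is what you read from the linked repo's own manifest (its `pyproject.toml`, `setup.py` or `package.json`), which is the step that defeats StarJacking.

```python
import re
from dataclasses import dataclass

# Constructed allowlist of package names the project already trusts.
KNOWN_PACKAGES = {"urllib3", "idna", "requests", "pampy"}


def normalize(name):
    """PEP 503-style name normalization: case-fold and collapse runs of
    '-', '_' and '.' so that 'Pampy_IO' and 'pampy.io' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Optimal string alignment distance: one insertion, deletion, substitution
    or adjacent transposition each cost 1, so 'idna' -> 'dina' is distance 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


@dataclass
class Listing:
    """What a reviewer reads off a registry page (constructed for this example)."""
    name: str
    repo_url: str           # repository link the listing advertises
    repo_package_name: str  # package name declared in that repo's own manifest, "" if not found


def assess(listing, known=KNOWN_PACKAGES):
    """Return (code, detail) findings for typosquatting, look-alike names and
    StarJacking. An empty list means the cheap checks passed; read the code anyway."""
    name = normalize(listing.name)
    known_norm = {normalize(k) for k in known}
    findings = []
    # Typosquatting: one edit (including a swapped pair) away from a trusted name.
    for k in sorted(known_norm):
        if name != k and osa_distance(name, k) == 1:
            findings.append(("typosquat", f"'{listing.name}' is one edit away from '{k}'"))
    # Look-alike: a trusted name plus extra parts, e.g. 'pampy.io' vs 'pampy'.
    tokens = [t for t in name.split("-") if t]
    if name not in known_norm and any(t in known_norm for t in tokens):
        findings.append(("look-alike", f"'{listing.name}' embeds a trusted name with extra parts"))
    # StarJacking: the advertised repo does not claim to publish this package.
    if not listing.repo_package_name:
        findings.append(("unverified-repo", f"could not confirm {listing.repo_url} publishes '{listing.name}'"))
    elif normalize(listing.repo_package_name) != name:
        findings.append(("starjacking", f"{listing.repo_url} declares '{listing.repo_package_name}', not '{listing.name}'"))
    return findings


def finding_codes(listing):
    """Just the finding codes, convenient for gating a dependency review."""
    return [code for code, _ in assess(listing)]


if __name__ == "__main__":
    samples = [
        Listing("urlib3", "https://github.com/example/urllib3", "urllib3"),
        Listing("pampy.io", "https://github.com/example/pampy", "pampy"),
        Listing("dina", "https://github.com/example/dina", ""),
        Listing("idna", "https://github.com/example/idna", "idna"),
    ]
    for sample in samples:
        print(sample.name, assess(sample) or "no findings")
```

Note that the check is deliberately conservative: `pampy.io` is three edits from `pampy`, so an edit-distance rule alone would miss it, which is why the token rule exists, and a listing that passes every rule still deserves the code read the session recommends.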
Software Supply Chain Trust Goes Beyond Software
One of the more enlightening panels at the event was "How To Build Trust In your Software Supply Chain". Jason Manar, CISO at Kaseya, stressed the importance of planning and communication. He made the point that unless you feel confident that you could call your operations and IT teams and tell them to roll back to the last backups, without worrying that this will seriously impact users or other systems, then you cannot really trust your plans. Trust means being able to make that call at any time, day or night, as incidents don't wait for a convenient time or give you warnings.
Jason also stated it is vital to talk to your vendors and partners as early as possible to negotiate remediation and processes. Paraphrasing him here, he said, "No one wants to negotiate for services or hours at 3:00 AM on Thanksgiving." The earlier you plan, the more trust you can place in the whole system.
Jason also applauded the three-strikes policy at Mastercard, where Ulises Galeano is the Director of Information Security Engineering. Ulises explained that they, like most security teams, know specific individuals who have repeatedly caused security issues. Those individuals are given only a few chances to remedy their behavior before they are removed from the organization. While it might sound heavy-handed, if education and training have not stopped an individual from creating security risks for the business, everyone will be better served by removing them from the role.
Don't Boil The Ocean
Ulises also gave some very sound advice about how to tackle the ever-expanding world of application security: "You can not boil the ocean." Trying to secure all possible attack surfaces at once is just going to burn you out and leave your enterprise insecure overall. Instead, identify and prioritize the most critical applications and spend your focus there, leveling them up one at a time. Start with analysis and form working groups to gather best practices and rewrite internal standards. When you can finally feel confident about the associated KPIs and metrics for the security of a particular system, then you know you are ready to find the next area to level up.
Finally from this panel, Rubi Arbel, CEO of Scribe Security, laid out his "Three levels of integrity" model for software:
1. Integrity of the code - SBOMs play a role, but verifying the integrity of your code is critical.
2. Integrity of the tools - Config files and CI/CD tooling fall outside of source code, but are just as critical to secure for any application.
3. Integrity of the process - Is your governance and posture up to date? Are you reviewing code in a regular cadence and methodically? Attackers do not like code reviews.
Follow That Data And Secure Its Path
Reiterating Ulises' point from earlier in the event, Jonathan Roizin, CEO and Co-Founder of Flow Security, talked about how securing the entire enterprise at once is an insurmountable challenge in his talk "Data Liquidity: Presenting a new approach to data security". One of the biggest challenges comes from the fact that modern applications are not in one place anymore; they are spread out among many services, machines, and locations.
Taking a siloed approach where you only secure one system, such as all your DBs or cloud services, will always become a rabbit hole. Emphasizing securing any particular system or part of the infrastructure deeply can mean you are not spending time securing other areas that can expose data. Instead, Jonathan said the key is to find what data is the most sensitive and valuable, both to you and the end user, and follow the path it can take throughout the development pipeline and in production. After identifying sensitive data flow, prioritize securing everything along that path.
Jonathan cited Social Security Numbers (SSNs) as a good example of a sensitive data type. They are not likely to all sit in one "SSNs DB" or specifically labeled storage; instead they flow through internal systems, eventually to and from end users. He stressed that creating a map of data flow is a very good exercise whenever adding new services or importing new types of data. Follow the data and keep that path safe.
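As an added illustration of "follow the data" (this is my own example, not Flow Security's product or the speaker's material), the script below walks a constructed service map from the point where an SSN enters the system and returns every system the field reaches, plus any hop that carries it unencrypted. The service names, fields and the plaintext hop are all invented for the example; the point is that a marketing service which never sees the SSN drops off the priority list, while an application log that does see it shows up, even though nobody would have labelled it "the SSN store".

```python
from collections import deque

# Constructed service map for a fictional application. Each hop records the
# fields it forwards and whether the hop is encrypted in transit.
FLOWS = [
    # (source, destination, fields carried, encrypted in transit)
    ("web-frontend", "api-gateway", {"ssn", "email"}, True),
    ("api-gateway", "account-service", {"ssn", "email"}, True),
    ("api-gateway", "marketing-service", {"email"}, True),
    ("account-service", "accounts-db", {"ssn", "email"}, True),
    ("account-service", "kyc-vendor-proxy", {"ssn"}, False),  # invented plaintext hop
    ("account-service", "app-logs", {"ssn"}, True),           # SSN leaking into logs
    ("kyc-vendor-proxy", "kyc-vendor", {"ssn"}, True),
    ("marketing-service", "analytics-bucket", {"email"}, True),
]


def trace_field(flows, field, entry):
    """Breadth-first walk from `entry`, following only hops that carry `field`.
    Returns the systems on the field's path in discovery order, and the hops
    that carry it unencrypted. Everything on the path is in scope for the
    data's protection; everything off it can wait."""
    adjacency = {}
    for src, dst, fields, encrypted in flows:
        adjacency.setdefault(src, []).append((dst, fields, encrypted))
    path, plaintext_hops = [entry], []
    seen, queue = {entry}, deque([entry])
    while queue:
        node = queue.popleft()
        for dst, fields, encrypted in adjacency.get(node, []):
            if field not in fields:
                continue
            if not encrypted:
                plaintext_hops.append((node, dst))
            if dst not in seen:
                seen.add(dst)
                path.append(dst)
                queue.append(dst)
    return path, plaintext_hops


if __name__ == "__main__":
    for field in ("ssn", "email"):
        path, plaintext = trace_field(FLOWS, field, "web-frontend")
        print(f"{field}: reaches {path}")
        for src, dst in plaintext:
            print(f"  {field} crosses {src} -> {dst} unencrypted")
```

The same walk can be re-run whenever a new service or data type is added, which is the exercise Jonathan recommends; any new node that shows up on a sensitive field's path is the next thing to secure.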
Balancing CISO And Marketing KPIs
In his session "All's Quiet On The Go-To-Market Front? How GTM became the enterprise's largest attack surface", Guy Tytunovich, CEO of Cheq, highlighted an issue almost every company faces: the balancing act between marketing teams wanting to move very fast and the Chief Information Security Officer's (CISO's) mission to make sure everything is secure throughout the organization. While security teams do not want to add unneeded friction to any other team's processes, the reality is that the ever-growing toolchains of marketing departments present an ever-increasing attack surface that needs to be secured. This friction unfortunately means a lot of marketing departments try to stay out of the CISO's line of sight, as they are trying to work quickly and respond to any shifts in the market.
One attack surface Guy highlighted as an example was Google Tag Manager. As teams continue to integrate tag manager with other systems, it provides a direct path for attackers to exploit, potentially compromising the whole enterprise if it is not secured properly: anyone who can publish to the container, and any tag vendor whose script it loads, is effectively running code in every visitor's browser. At the same time, most marketing teams are not consulting the CISO's office to make sure all proper precautions are in place, as that can add hours, days, or maybe weeks to the project. In the fast-paced world of marketing, waiting for a security team's review can mean missing a momentary opportunity to seize a news cycle or capitalize on an event.
Echoing advice from Jason Manar earlier in the event, Guy suggests talking to your CISO as early as possible and getting to an agreement on best practices and policies everyone can be happy about. Having standards and processes in place early can help your CISO keep all the proper boxes checked, while still giving the marketing teams the leeway to act quickly in order to drive the business forward.
The Future Will See More Solutions To New Threats
One of the biggest takeaways from CyberTech 2022 was that securing your organization is an ever-evolving endeavor. Investors from all over the world pointed to the landscape changing with technologies like artificial intelligence, Web 3.0, and decentralized manufacturing, and to the new attack surfaces and exploits these technology shifts mean for the enterprise. The only way to truly stay safe is to stay vigilant and educated about the landscape.
Staying secure in the future also means having a good security posture today. No matter how sophisticated future attacks will be, malicious actors will continue to look for any low-hanging fruit, namely hardcoded credentials and misconfigurations, in their attempts to gain access to sensitive data and systems. Make sure you are leveraging tools like GitGuardian's Internal Monitoring to ensure you are making it as hard as possible for bad actors to impact your business.