CISO Corner: NSA Guidelines; a Utility SBOM Case Study; Lava Lamps



Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps.
March 8, 2024
Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Each week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to presenting a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.
NSA's Zero-Trust Guidelines Focus on Segmentation
Creating Security Through Randomness
Southern Company Builds SBOM for Electric Power Substation
What Cybersecurity Chiefs Need From Their CEOs
How to Ensure Open Source Packages Are Not Landmines
DR Global: Middle East Leads in Deployment of DMARC Email Security
Cyber Insurance Strategy Requires CISO-CFO Collaboration
Tips on Managing Diverse Security Teams
By David Strom, Contributing Writer, Dark Reading
Zero-trust architectures are essential protective measures for the modern enterprise. The latest NSA guidance provides detailed recommendations on how to implement the networking angle of the concept.
The US National Security Agency (NSA) delivered its guidelines for zero-trust network security this week, offering a more concrete roadmap toward zero-trust adoption than we're used to seeing. It's an important effort to try to bridge the gap between desire for and implementation of the concept.
The NSA document contains loads of recommendations on zero-trust best practices, including, foundationally, segmenting network traffic to block adversaries from moving around a network and gaining access to critical systems.
It walks through how network segmentation controls can be accomplished through a series of steps, including mapping and understanding data flows, and implementing software-defined networking (SDN). Each step will take considerable time and effort to understand what parts of a business network are at risk and how to best protect them.
The NSA document also differentiates between macro- and micro-network segmentation. The former controls traffic moving between departments or workgroups, so an IT worker doesn't have access to human resources servers and data, for example.
John Kindervag, who was the first to define the term "zero trust" back in 2010, when he was an analyst at Forrester Research, welcomed the NSA's move, noting that "very few organizations have understood the importance of network security controls in building zero-trust environments, and this document goes a long way toward helping organizations understand their value."
Read more: NSA's Zero-Trust Guidelines Focus on Segmentation
Related: NIST Cybersecurity Framework 2.0: 4 Steps to Get Started
By Andrada Fiscutean, Contributing Writer, Dark Reading
How lava lamps, pendulums, and suspended rainbows keep the Internet safe.
When you step inside Cloudflare's San Francisco office, the first thing you notice is a wall of lava lamps. Visitors often stop to take selfies, but the peculiar installation is more than an artistic statement; it's an ingenious security tool.
The changing patterns created by the lamps' floating blobs of wax help Cloudflare encrypt internet traffic by generating random numbers. Random numbers have a variety of uses in cybersecurity, and play a crucial role in things such as creating passwords and cryptographic keys.
Cloudflare's Wall of Entropy, as it's known, uses not one but 100 lamps, their randomness increased by human movement.
Cloudflare also uses additional sources of physical entropy to create randomness for its servers. "In London, we have this incredible wall of double pendulums, and in Austin, Texas, we have these incredible mobiles hanging from the ceiling and moving with air currents," Cloudflare CTO John Graham-Cumming says. Cloudflare's office in Lisbon will soon feature an installation "based on the ocean."
Other organizations have their own sources of entropy. The University of Chile, for instance, has added seismic measurements to the mix, while the Swiss Federal Institute of Technology uses the local randomness generator present on every computer at /dev/urandom, meaning that it relies on things like keyboard presses, mouse clicks, and network traffic to generate randomness. Kudelski Security has used a cryptographic random number generator based on the ChaCha20 stream cipher.
Read more: Creating Security Through Randomness
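The passage above mentions two of the building blocks behind these entropy walls: the operating system's own pool (exposed as /dev/urandom) and a ChaCha20-based generator that stretches a seed into a long stream of random bytes. The following Python is an added example, not code from Cloudflare, Kudelski Security or any of the organizations named above. It implements the ChaCha20 block function from RFC 8439, wraps it in a small deterministic generator that rekeys after every request, and seeds it by hashing OS entropy together with optional extra physical sources (the "camera bytes" in the usage call are a constructed stand-in). The design point it illustrates is that an exotic physical source is mixed into, rather than substituted for, the kernel's CSPRNG.

```python
"""ChaCha20-based random bit generator seeded from mixed entropy sources (added example)."""
import hashlib
import os
import struct
import time

MASK32 = 0xFFFFFFFF


def _rotl32(v: int, c: int) -> int:
    """Rotate a 32-bit word left by c bits."""
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    """The ChaCha quarter round (RFC 8439 section 2.1), applied in place."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """ChaCha20 block function: 32-byte key, 32-bit counter, 12-byte nonce -> 64 bytes."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("key must be 32 bytes and nonce 12 bytes")
    constants = struct.unpack("<4I", b"expand 32-byte k")
    state = (list(constants) + list(struct.unpack("<8I", key))
             + [counter & MASK32] + list(struct.unpack("<3I", nonce)))
    working = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(working, 0, 4, 8, 12)   # column rounds
        _quarter_round(working, 1, 5, 9, 13)
        _quarter_round(working, 2, 6, 10, 14)
        _quarter_round(working, 3, 7, 11, 15)
        _quarter_round(working, 0, 5, 10, 15)  # diagonal rounds
        _quarter_round(working, 1, 6, 11, 12)
        _quarter_round(working, 2, 7, 8, 13)
        _quarter_round(working, 3, 4, 9, 14)
    out = [(w + s) & MASK32 for w, s in zip(working, state)]
    return struct.pack("<16I", *out)


class ChaCha20Drbg:
    """Turns a 32-byte seed into an unbounded byte stream.

    After each request the key is replaced with fresh keystream ("key erasure"),
    so an attacker who later reads the state cannot recover earlier outputs.
    """

    def __init__(self, seed32: bytes):
        if len(seed32) != 32:
            raise ValueError("seed must be 32 bytes")
        self._key = seed32
        self._counter = 0
        self._nonce = bytes(12)  # fixed nonce is fine: every key is used once

    def _next_block(self) -> bytes:
        block = chacha20_block(self._key, self._counter, self._nonce)
        self._counter += 1
        return block

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += self._next_block()
        self._key = self._next_block()[:32]  # rekey and restart the counter
        self._counter = 0
        return bytes(out[:n])

    def reseed(self, extra_entropy: bytes) -> None:
        """Fold new entropy into the state without discarding what is already there."""
        self._key = hashlib.sha256(self._key + extra_entropy).digest()
        self._counter = 0


def gather_seed(extra_sources=()) -> bytes:
    """Hash OS entropy together with any extra physical sources into a 32-byte seed."""
    h = hashlib.sha256()
    h.update(os.urandom(32))                   # kernel CSPRNG, what /dev/urandom exposes
    h.update(struct.pack("<d", time.time()))   # weak but harmless additional input
    for src in extra_sources:                  # e.g. bytes sampled from a lava-lamp camera
        h.update(src)
    return h.digest()


if __name__ == "__main__":
    # Constructed stand-in for a physical entropy source.
    camera_bytes = b"constructed lava-lamp frame digest"
    drbg = ChaCha20Drbg(gather_seed([camera_bytes]))
    print(drbg.random_bytes(16).hex())
```

The block function is checked against the RFC 8439 section 2.3.2 test vector; the generator itself is deterministic for a given seed, which is exactly why the quality of `gather_seed`'s inputs is what matters.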
By Kelly Jackson Higgins, Editor-in-Chief, Dark Reading
The utility's software bill of materials (SBOM) experiment aims to establish stronger supply chain security — and tighter defenses against potential cyberattacks.
Energy giant Southern Company kicked off an experiment this year, which began with its cybersecurity team traveling to one of its Mississippi Power substations to physically catalog the equipment there, taking photos and gathering data from network sensors. Then came the most daunting — and at times, frustrating — part: acquiring software supply chain details from the 17 vendors whose 38 devices run the substation.
The mission? To inventory all of the hardware, software, and firmware in equipment running in the power plant in an effort to create a software bill of materials (SBOM) for the operational technology (OT) site.
Prior to the project, Southern had visibility into its OT network assets there via its Dragos platform, but software details were an enigma, said Alex Waitkus, principal cybersecurity architect at Southern Company and head of the SBOM project.
"We had no idea what the different versions of software we were running," he said. "We had multiple business partners who managed different parts of the substation."
Read more: Southern Company Builds SBOM for Electric Power Substation
Related: Improved, Stuxnet-Like PLC Malware Aims to Disrupt Critical Infrastructure
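The substation project above boils down to one data problem: for every device, which firmware and software is running, at which version, and which vendor is responsible for it. The Python below is an added example, not Southern Company's tooling or data. It takes a constructed inventory (placeholder vendors and device names) of the kind a site walk-through produces, emits it in a CycloneDX-shaped JSON document (the CycloneDX format is this example's choice; the article does not say which SBOM format the utility used), and then answers the question Waitkus raised: which components still have no known version, and how complete each vendor's disclosure is.

```python
"""Build a CycloneDX-style SBOM from an OT site inventory and report the gaps (added example)."""
import json
from typing import Dict, List

# Constructed inventory; vendors and devices are placeholders, not real equipment.
INVENTORY: List[Dict] = [
    {"vendor": "VendorA (placeholder)", "device": "protection-relay-01",
     "firmware": "4.2.1", "software": [{"name": "relay-config-tool", "version": "2.0"}]},
    {"vendor": "VendorB (placeholder)", "device": "rtu-07",
     "firmware": None, "software": []},          # vendor has not disclosed the firmware version
    {"vendor": "VendorC (placeholder)", "device": "hmi-panel-02",
     "firmware": "1.9", "software": [{"name": "hmi-runtime", "version": None}]},
]


def _component(**fields) -> Dict:
    """Drop None-valued fields so the output stays valid CycloneDX (version is optional)."""
    return {k: v for k, v in fields.items() if v is not None}


def build_sbom(inventory: List[Dict], site_name: str) -> Dict:
    """Emit one 'device' component per piece of equipment plus its firmware and software."""
    components = []
    for dev in inventory:
        ref = f"{site_name}:{dev['device']}"
        supplier = {"name": dev["vendor"]}
        components.append(_component(type="device", **{"bom-ref": ref},
                                     name=dev["device"], supplier=supplier))
        components.append(_component(type="firmware", **{"bom-ref": ref + ":firmware"},
                                     name=dev["device"] + "-firmware",
                                     version=dev["firmware"], supplier=supplier))
        for sw in dev["software"]:
            components.append(_component(type="application",
                                         **{"bom-ref": f"{ref}:{sw['name']}"},
                                         name=sw["name"], version=sw["version"],
                                         supplier=supplier))
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "device", "name": site_name}},
        "components": components,
    }


def unknown_versions(sbom: Dict) -> List[str]:
    """bom-refs of firmware/software whose version is still unknown."""
    return [c["bom-ref"] for c in sbom["components"]
            if c["type"] != "device" and not c.get("version")]


def vendor_coverage(sbom: Dict) -> Dict[str, float]:
    """Per-vendor share of firmware/software components with a known version."""
    stats: Dict[str, List[int]] = {}
    for c in sbom["components"]:
        if c["type"] == "device":
            continue
        total_known = stats.setdefault(c["supplier"]["name"], [0, 0])
        total_known[0] += 1
        total_known[1] += 1 if c.get("version") else 0
    return {v: known / total for v, (total, known) in stats.items()}


if __name__ == "__main__":
    bom = build_sbom(INVENTORY, "substation-x")
    print(json.dumps(bom, indent=2))
    print("unknown versions:", unknown_versions(bom))
    print("vendor coverage:", vendor_coverage(bom))
```

The coverage table is the useful artifact for the "frustrating" vendor chase the article describes: it turns a pile of photos and sensor data into a per-vendor list of what is still missing.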
Commentary by Michael Mestrovich, CISO, Rubrik
By helping CISOs navigate the expectations being placed on their shoulders, CEOs can greatly benefit their companies.
It seems obvious: CEOs and their chief information security officers (CISOs) should be natural partners. And yet, according to a recent PwC report, only 30% of CISOs feel they receive sufficient support from their CEO.
As if defending their organizations from bad actors despite budget constraints and chronic cybersecurity talent shortages wasn't already difficult enough, CISOs now face criminal charges and regulatory wrath if they make a mistake in incident response. Small wonder that Gartner predicts nearly half of cybersecurity leaders will change jobs by 2025 due to multiple work-related stressors.
Here are four things CEOs can do to help: Ensure the CISO has a direct line to the CEO; have the CISO's back; work with the CISO on a resilience strategy; and agree on AI's impact.
CEOs who lean into these aren't just doing the right thing for their CISOs, they're greatly benefiting their companies.
Read more: What Cybersecurity Chiefs Need from Their CEOs
Related: The CISO Role Undergoes a Major Evolution
By Agam Shah, Contributing Writer, Dark Reading
CISA and OpenSSF jointly published new guidance recommending technical controls to make it harder for developers to bring malicious software components into code.
Open source repositories are critical to running and writing modern applications, but they can also contain malicious, lurking code bombs, just waiting to be incorporated into apps and services.
To help avoid those landmines, the Cybersecurity and Infrastructure Security Agency (CISA) and Open Source Security Foundation (OpenSSF) have issued new guidelines for managing the open source ecosystem.
They recommend implementing controls such as enabling multifactor authentication for project maintainers, third-party security reporting capabilities, and warnings for outdated or insecure packages to help reduce exposure to malicious code and packages masquerading as open source code on public repositories.
Organizations ignore the risk at their peril: "Talking about malicious packages over the last year, we have seen a twofold increase over previous years," said Ann Barron-DiCamillo, managing director and global head of cyber operations at Citi, at the OSFF conference a few months ago. "This is becoming a reality associated with our development community."
Read more: How to Ensure Open Source Packages Are Not Landmines
Related: Millions of Malicious Repositories Flood GitHub
By Robert Lemos, Contributing Writer, Dark Reading
Yet challenges remain, as many nations' policies for the email authentication protocol remain lax and could run afoul of Google's and Yahoo's restrictions.
On February 1, both Google and Yahoo started mandating that all email sent to their users have verifiable Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records, while bulk senders — companies sending out more than 5,000 emails per day — must also have a valid Domain-based Message Authentication, Reporting and Conformance (DMARC) record.
Yet, many organizations lag in the adoption of these technologies, despite the fact that they aren't new. There are two shining exceptions out there though: The Kingdom of Saudi Arabia and the United Arab Emirates (UAE).
Compared to approximately three-quarters (73%) of global organizations, about 90% of organizations in Saudi Arabia and 80% in the UAE have implemented the most basic version of DMARC, which, along with the two other specifications, makes email-based impersonation much more difficult for attackers.
Overall, Middle Eastern nations are ahead in adoption of DMARC. About 80% of the members of the S&P's Pan Arab Composite Index have a strict DMARC policy, which is higher than the FTSE100's 72%, and higher still than the 61% of France’s CAC40 index, according to Nadim Lahoud, vice president of strategy and operations for Red Sift, a threat intelligence firm.
Read more: Middle East Leads in Deployment of DMARC Email Security
Related: DMARC Data Shows 75% Increase in Suspicious Emails Hitting Inboxes
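The mailbox-provider rule described above is mechanical enough to check: a sending domain needs an SPF record and a DKIM public key, and a domain sending more than 5,000 messages a day also needs a DMARC record. The Python below is an added example, not code from Red Sift or Dark Reading. It parses DMARC TXT records, grades them as "none", "basic" (a record exists but only monitors, p=none, or enforces on a fraction of mail) or "strict" (p=reject or p=quarantine at pct=100; the mapping of these labels onto the article's "most basic version" and "strict policy" is this example's assumption), and assesses a domain against the rule. DNS is replaced by a constructed in-memory table so the code runs offline; the domain names, selector and key material in it are placeholders.

```python
"""Assess a sending domain's SPF/DKIM/DMARC posture against the bulk-sender rule (added example)."""
from typing import Dict, List

BULK_SENDER_DAILY_THRESHOLD = 5000  # "more than 5,000 emails per day"

# Constructed stand-in for DNS TXT lookups; every name and key below is a placeholder.
TXT_RECORDS: Dict[str, List[str]] = {
    "strict.example": ["v=spf1 include:_spf.strict.example -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "selector1._domainkey.strict.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY"],
    "monitor.example": ["v=spf1 include:_spf.monitor.example ~all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "selector1._domainkey.monitor.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY"],
    "nodmarc.example": ["v=spf1 include:_spf.nodmarc.example ~all"],
}


def lookup_txt(name: str) -> List[str]:
    """Offline replacement for a DNS TXT query."""
    return TXT_RECORDS.get(name.lower(), [])


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; return {} if this is not a DMARC record."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def dmarc_level(tags: Dict[str, str]) -> str:
    """'none' (no record), 'basic' (monitor-only or partial), or 'strict' (full enforcement)."""
    if not tags:
        return "none"
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 per RFC 7489
    except ValueError:
        pct = 0
    if policy in ("reject", "quarantine") and pct == 100:
        return "strict"
    return "basic"


def assess_sender(domain: str, dkim_selectors: List[str], daily_volume: int) -> Dict:
    """Check SPF, DKIM and DMARC presence and apply the bulk-sender DMARC requirement."""
    has_spf = any(r.lower().startswith("v=spf1") for r in lookup_txt(domain))
    has_dkim = any(
        r.upper().startswith("V=DKIM1")
        for sel in dkim_selectors
        for r in lookup_txt(f"{sel}._domainkey.{domain}")
    )
    dmarc: Dict[str, str] = {}
    for r in lookup_txt(f"_dmarc.{domain}"):
        dmarc = parse_dmarc(r) or dmarc
    level = dmarc_level(dmarc)
    is_bulk = daily_volume > BULK_SENDER_DAILY_THRESHOLD

    findings: List[str] = []
    if not has_spf:
        findings.append("missing SPF record")
    if not has_dkim:
        findings.append("no DKIM public key found for the given selectors")
    if is_bulk and level == "none":
        findings.append("bulk sender without a DMARC record")
    if level == "basic":
        findings.append("DMARC is monitoring-only or partially enforced (p=none or pct<100)")

    return {
        "domain": domain,
        "spf": has_spf,
        "dkim": has_dkim,
        "dmarc_level": level,
        "bulk_sender": is_bulk,
        "findings": findings,
        # Rule as stated above: SPF and DKIM for everyone, plus any DMARC record for bulk senders.
        "meets_mailbox_provider_rule": has_spf and has_dkim and (not is_bulk or level != "none"),
    }


if __name__ == "__main__":
    for name in ("strict.example", "monitor.example", "nodmarc.example"):
        print(assess_sender(name, ["selector1"], daily_volume=10_000))
```

Note the distinction the grading makes: monitor.example passes the providers' rule because a p=none record is still a valid DMARC record, but it is not what the Red Sift figures count as a strict policy, and it does nothing to stop impersonation until the policy is tightened.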
By Fahmida Y. Rashid, Managing Editor, Features, Dark Reading
Cyber-risk quantification brings together the CISO's technical expertise and the CFO's focus on financial impact to develop a stronger and better understanding of what's at stake.
Cyber insurance has become the norm for many organizations, with more than half of the respondents in Dark Reading's most recent Strategic Security Survey saying their organizations have some form of coverage. While insurance has typically been the domain of the organization's board of directors and CFOs, the technical nature of cyber-risk means the CISO is increasingly being asked to be part of the conversation.
In the survey, 29% say cyber insurance coverage is part of a broader business insurance policy, and 28% say they have a policy specifically for cybersecurity incidents. Nearly half of the organizations (46%) say they have a policy that covers ransomware payments.
"How to talk about risk and how to manage and mitigate risks is now becoming much more important for the CISO organization to understand," says Monica Shokrai, head of business risk and insurance at Google Cloud, while noting that communicating risk upward is something the CFO has been "doing forever."
Instead of trying to turn CISOs into "cyber CFOs," the two organizations should work together to develop a coherent and integrated strategy for the board, she says.
Read more: Cyber Insurance Strategy Requires CISO-CFO Collaboration
Related: Privacy Beats Ransomware as Top Insurance Concern
Commentary by Gourav Nagar, Senior Manager of Security Operations, BILL
The better a security team works together, the bigger the direct impact on how well it can protect the organization.
Building a security team begins with hiring, but once the team starts working together, it's critical to create a common language and a set of expectations and processes. This way, the team can work toward a common goal quickly and avoid miscommunications.
Especially for diverse teams, where the goal is for each person to bring their different experiences, unique perspectives, and distinctive ways of solving problems, having common communications channels to share updates and collaborate ensures team members can spend more time on what they love to do and not worry about team dynamics.
Here are three strategies for achieving that goal: Hire for diversity and quickly align on team culture and processes; create trust for every single person on the team; and help your team members build a career in cybersecurity and stay excited with innovation.
Of course, it's up to each of us to take ownership of our own careers. As managers, we may know this well, but not all our team members might. Our role is to remind and encourage each of them to actively learn and pursue roles and responsibilities that will keep them excited and help them in their careers.
Read more: Tips on Managing Diverse Security Teams
Related: How Neurodiversity Can Help Fill the Cybersecurity Workforce Shortage
Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
