Security Systems Failures & Talent Drain, Data Security Posture Management & Secure by Design Pledge

Security systems are increasingly vulnerable to a variety of threats, as discussed in the podcast episode. Issues such as DNS tunneling, Wi-Fi vulnerabilities like the SSID Confusion attack, and adversarial-audio weaknesses in the speech-language models behind voice assistants like Siri and Google Assistant highlight the critical need for robust security measures.

DNS tunneling, as seen in campaigns like TrickCDN and SexShow, allows threat actors to encode data in DNS queries (typically as long, high-entropy subdomain labels under a domain they control), slip past network firewalls that permit outbound DNS, and run command-and-control operations over a protocol almost every network allows. To address this risk, organizations are advised to deploy DNS monitoring and analysis tools that flag unusual traffic patterns (query volume per domain, subdomain length and entropy, heavy use of TXT or other large-response record types) and to restrict clients to the organization's approved resolvers so that DNS traffic cannot leave the network unobserved.
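The two controls above, detection of tunneling-like query patterns and enforcement of approved resolvers, in one runnable Python script. This is an added example written for this page, not code from the podcast, from Unit 42 or from any vendor: the log format, the domain names, the resolver address 10.0.0.53 and the thresholds are all assumptions, and the sample log is constructed inline.

```python
"""Heuristic DNS-tunnelling detection over DNS query logs.

Added example for this page; it is not code from the podcast, from
Unit 42 or from any vendor. The log format, domain names, resolver
addresses and thresholds are assumptions made for illustration.
"""
import hashlib
import math
import re
from collections import defaultdict

# Assumed log format: "<unix_ts> <client_ip> <resolver_ip> <qtype> <qname>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<resolver>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)
APPROVED_RESOLVERS = {"10.0.0.53"}          # assumed: the organisation's own resolvers


def shannon_entropy(s: str) -> float:
    """Bits per character: hex-encoded data approaches 4.0, base64 6.0,
    ordinary hostnames usually stay below about 3.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str) -> tuple[str, str]:
    """Return (subdomain_part, registered_domain). Assumes a two-label
    registrable suffix; production code should consult the public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_lines, min_unique=10, min_len=30.0, min_entropy=3.0):
    """Aggregate per registered domain and flag tunnelling-like patterns:
    many distinct, long, high-entropy subdomains under one parent domain.
    Also report clients that bypass the approved resolvers."""
    per_domain = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    rogue_resolver_clients = set()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                    # skip lines that do not match the assumed format
        if m["resolver"] not in APPROVED_RESOLVERS:
            rogue_resolver_clients.add(m["client"])
        sub, dom = split_qname(m["qname"])
        d = per_domain[dom]
        d["n"] += 1
        d["subs"].add(sub)
        d["len"] += len(sub)
        d["ent"] += shannon_entropy(sub.replace(".", ""))
        if m["qtype"] in ("TXT", "NULL", "CNAME", "MX"):   # types that carry large responses
            d["txt"] += 1
    findings = {}
    for dom, d in per_domain.items():
        n = d["n"]
        rep = {
            "queries": n,
            "unique_subdomains": len(d["subs"]),
            "avg_subdomain_len": d["len"] / n,
            "avg_entropy": d["ent"] / n,
            "txt_ratio": d["txt"] / n,
        }
        rep["suspicious"] = (
            rep["unique_subdomains"] >= min_unique
            and rep["avg_subdomain_len"] >= min_len
            and rep["avg_entropy"] >= min_entropy
        )
        findings[dom] = rep
    return findings, sorted(rogue_resolver_clients)


def build_sample_log() -> list[str]:
    """Constructed sample: ordinary browsing plus one host exfiltrating
    hex-encoded chunks through TXT queries to a tunnel domain."""
    lines, ts = [], 1715900000
    benign = ["www.example.com", "mail.example.com", "cdn.example.com",
              "api.example.org", "login.example.org"]
    for i in range(30):
        ts += 1
        lines.append(f"{ts} 10.0.0.{5 + i % 3} 10.0.0.53 A {benign[i % len(benign)]}")
    for i in range(20):                 # pseudo-random bytes stand in for encrypted exfil data
        ts += 1
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:60]   # one 60-char label
        lines.append(f"{ts} 10.0.0.7 10.0.0.53 TXT {chunk}.{i:02d}.tun.example-attacker.net")
    lines.append(f"{ts + 1} 10.0.0.9 8.8.8.8 A www.example.com")   # resolver policy bypass
    return lines


if __name__ == "__main__":
    report, rogue = analyze(build_sample_log())
    for dom, rep in report.items():
        flag = "SUSPICIOUS" if rep["suspicious"] else "ok"
        print(f"{flag:10} {dom:25} q={rep['queries']:3} uniq={rep['unique_subdomains']:3} "
              f"len={rep['avg_subdomain_len']:5.1f} H={rep['avg_entropy']:.2f} txt={rep['txt_ratio']:.2f}")
    print("clients bypassing approved resolvers:", rogue)
```

Run it directly and it prints one line per registered domain plus the list of clients that bypassed the approved resolver. The thresholds need tuning per environment: CDNs, anti-spam lookups and some security products legitimately generate many distinct, high-entropy subdomains, so treat a hit as a lead to confirm against the client and the domain's reputation rather than as proof of tunneling.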

 

Similarly, the SSID Confusion attack exploits a design flaw in the IEEE 802.11 Wi-Fi standard: because the network name (SSID) is not always authenticated during connection, a victim's device can be tricked into connecting to a different, less secure network than the one it intended to join, letting an attacker intercept its traffic. Proposed fixes include updating the standard so that the SSID is bound into the four-way handshake and strengthening beacon protection; in the meantime, network operators can reduce exposure by not reusing the same credentials across different SSIDs.

The podcast episode emphasized the increasingly complex role of Chief Information Security Officers (CISOs). One key challenge is the mounting legal pressure on CISOs, particularly with the rise in ransomware attacks. CISOs are routinely held responsible for cybersecurity incidents even though limited organizational authority and reporting structures (often under the CIO or CFO) can prevent them from enacting the security changes they know are needed.

Three things to know today

00:00 Critical Analysis: Who Bears Responsibility When Security Systems Fail?

05:46 Tech Companies See Senior Talent Drain Amid Stricter Office Return Mandates

08:18 The Tough Reality of CISO Roles: Balancing Security Demands with Limited Authority

Supported by:

https://coreview.com/msp/

https://mspradio.com/engage/

All our Sponsors: https://businessof.tech/sponsors/

Looking for a link from the stories? The entire script of the show, with links to articles, is posted in each story on https://www.businessof.tech/.

Do you want the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/

Support the show on Patreon: https://patreon.com/mspradio/

Want our stuff? Cool Merch? Wear “Why Do We Care?” - Visit https://mspradio.myspreadshop.com

Follow us on:

LinkedIn: https://www.linkedin.com/company/28908079/

YouTube: https://youtube.com/mspradio/

Facebook: https://www.facebook.com/mspradionews/

Instagram: https://www.instagram.com/mspradio/

TikTok: https://www.tiktok.com/@businessoftech

Bluesky: https://bsky.app/profile/businessoftech.bsky.social


🚀 Join Business of Tech Plus

Get exclusive access to investigative reports, vendor analysis, leadership briefings, and more.

👉 https://businessof.tech/plus


🎙 Want to Be a Guest?

Pitch your story or appear on Business of Tech: Daily 10-Minute IT Services Insights:

💬 https://www.podmatch.com/hostdetailpreview/businessoftech


[00:00:02] It's Friday, May 17th, 2024, and I'm Dave Sobel. Three things to know today. Some critical analysis, who bears responsibility when security systems fail, and a bunch have. Tech companies see senior talent drain amid stricter office return mandates, and

[00:00:19] the tough reality of CISO roles balancing security demands with limited authority. This is the Business of Tech. I'll start with some security stories, as the news today feels like everything is broken. So, DNS is broken. Hackers are using DNS tunneling to track victims and scan networks

[00:00:40] for vulnerabilities. DNS tunneling allows threat actors to encode data in DNS queries, bypass network firewalls, and employ command-and-control operations. Palo Alto Networks' Unit 42 research team discovered campaigns named TrickCDN and SexShow that utilize DNS tunneling for victim tracking and network scanning. Organizations are advised to implement

[00:01:05] DNS monitoring and analysis tools to detect unusual traffic patterns and limit DNS resolvers to reduce the risk of DNS tunneling misuse. Wi-Fi also broken. Researchers have discovered a new Wi-Fi vulnerability, the SSID Confusion attack, that exploits a design flaw in the

[00:01:25] IEEE 802.11 Wi-Fi standard. This attack tricks victims into connecting to a less secure network, allowing attackers to eavesdrop on their network traffic. The vulnerability affects all operating systems and Wi-Fi clients and can impact networks using WEP, WPA3, 802.1X/EAP,

[00:01:46] and AMPE protocols. Proposed mitigations include updating the Wi-Fi standard to incorporate the SSID in the four-way handshake and improving beacon protection. Networks can also mitigate the attack by avoiding credential reuse across SSIDs. And voice assistants? Unbroken. A study

[00:02:08] by researchers at Amazon Web Services has revealed significant security flaws in speech-language models used by virtual assistants like Siri and Google Assistant. The study shows these AI systems can be manipulated with carefully designed audio attacks to produce harmful or unethical responses.

[00:02:27] The researchers propose countermeasures, such as adding random noise to the audio input, but emphasize the need for ongoing efforts to make these systems safe and robust against adversarial attacks. Email? Broken too. Hackers connected to the government of North Korea are

[00:02:44] exploiting loopholes in email security systems, specifically targeting improperly configured DMARC record policies. By masquerading as journalists or academics, they send spoofed messages that appear legitimate. The campaign, tracked by federal agencies, aims to collect intelligence on geopolitical events and gain access to private documents and communications.

[00:03:07] Organizations without DMARC policies are particularly vulnerable. Government officials and military members working on North Korea and related matters should be cautious of suspicious emails with strange links or attached documents from different email addresses. So it was within this context I learned from Rich Freeman's Channelholic about

[00:03:28] Data Security Posture Management, or DSPM, in the context of generative AI and the increasing concern over data risks. It highlights the importance of adequately equipped DSPM solutions in mitigating these risks, mentions the deployment of those solutions by organizations worldwide. He also

[00:03:47] touches on the challenges private LLMs pose and the need for human risk management and awareness training. And Rich also covered the Secure by Design pledge and its potential impact on encouraging tech vendors to adopt basic security practices. And speaking of, Huntress has signed CISA's Secure

[00:04:05] by Design pledge, joining other technology companies and working toward better software and advancing a Secure by Design posture. The company issued a press release to let us all know. Why do we care? Let's take a moment and ask the critical question. Who is responsible when all

[00:04:23] of this stuff is broken? Well, the answer, the customer or maybe the IT provider. It's not the vendor. You signed away their responsibility in the end-user license agreement. And thus, why the push by the Biden administration I covered yesterday on Secure by Design matters.

[00:04:40] Kyle Hanslovan, the CEO of Huntress, has spoken on this topic and is pushing for accountability. He made a very salient point. And that point? It's not just a matter of who signs the pledge. It's also who hasn't. Today's episode is supported by

[00:05:00] CoreView. Your customers need your Microsoft 365 expertise and CoreView has the only M365 management platform designed for MSPs. Manage hundreds of tenants, automate manual tasks, and monitor compliance, all while intelligently comparing to the baseline. With a no-code control approach, CoreView revolutionizes your Microsoft 365 administration. This powerful platform enables

[00:05:26] automatic reporting and remediation, ensuring optimal performance and security. The best part? You achieve this high level of service without the need for a large workforce, allowing you to focus on growing your business through efficiency. Want to know more? Visit coreview.com/msp and find out more.

[00:05:46] Meta plans to shut down its Workplace collaboration suite by 2026 as it focuses on building AI and the metaverse. Customers can transition to Zoom's Workvivo product, and the platform will be available for use until August 31, 2025, with data access until May 31, 2026. Meta will shift

[00:06:10] attention to other enterprise tools in its portfolio, while Zoom also focuses on AI-powered collaboration platforms. A study analyzing resume data from tech companies such as Microsoft, Apple, and SpaceX found that return-to-office mandates resulted in a significant number of senior employees leaving their jobs. Microsoft's policy requiring employees to

[00:06:33] spend at least half the week in the office led to a 4% increase in sub-senior positions, while Apple saw a similar rise. SpaceX, which abolished remote work altogether, experienced a 15% increase in sub-senior workers' share. The study suggests that

[00:06:51] stricter return-to-office mandates are more likely to drive senior employees to leave. The research also found that departing employees often found new positions at companies that had not yet implemented return-to-office mandates. And there's a Gartner study too. One-third of

[00:07:07] executives and 19% of non-executive employees in that study are considering leaving their roles due to return-to-office mandates. Microsoft introduces Microsoft Places, an app that coordinates flexible work and facilitates employees' return to the office. The app allows workers to share their planned office days, view co-workers' schedules,

[00:07:29] and chat with nearby colleagues. The data integrates with Outlook calendars and will eventually be part of the Teams Premium plan. Microsoft Copilot will also utilize Places data to help users determine the best days to come into the office.

[00:07:45] Why do we care? Note the irony of Microsoft releasing a product to help with return-to-office yet losing employees because of it. Was Meta ever really in the collaboration game? If you back them, you need to know their product is going away.

[00:08:03] Beyond that, there's more data here on the competitive advantage being good at flexible work will provide as it's here in hiring. And I'll cross-reference with the service leadership data that says most MSPs are not doing it. Time for some big ideas.

[00:08:22] Runtime looks at how challenging the chief information security officer role is. CISOs often need more organizational power and report to CIOs or CFOs, limiting their ability to make changes for better security. Despite this, they are the ones held accountable when incidents occur.

[00:08:40] Legal pressure on CISOs is expected to rise, especially with the increase in ransomware attacks. Governments are considering imposing cybersecurity standards on hospitals and entities receiving money from Medicare and Medicaid. CISOs are concerned that their good-faith attempts to secure their corporations could be used against them. Clearer documentation of

[00:09:00] roles and responsibilities, and specifying legal responsibility for cybersecurity incidents, is necessary. And all this AI talk? Well, data needs to come first. From ZDNet, generative AI can potentially transform customer experiences, but its implementation requires focusing on other areas first. Forrester predicts AI-powered tools will

[00:09:23] enhance customer service by providing natural language question-answering capabilities. Businesses like MHR and Simply Health are already leveraging AI to improve the customer experience. However, professionals must carefully consider the purpose and outcomes they aim to achieve with AI-enabled solutions, and be aware of the limitations and potential risks associated

[00:09:46] with the technology. And Dark Reading asks, Is CISA's Secure by Design pledge toothless? Although voluntary and lacking legal binding, the Secure by Design pledge aims to incentivize good security practices and investments across industries. The pledge focuses on multi-factor authentication, default passwords, vulnerability

[00:10:07] reduction, security patches, and more. While it may not have direct authority, it sets expectations and could influence public-private partnerships and tech buyers' decisions. The pledge reframes the conversation around fundamental security issues and encourages a more expansive view of

[00:10:26] risk beyond just vulnerabilities. And last week, I mentioned that fun portal between Dublin and New York City. It's been temporarily closed due to inappropriate behavior. While some use the portal to share positive moments and connect with loved ones, others

[00:10:43] engaged in flashing, showing pornographic videos, and mocking 9-11. The proposed solution of blurring images held up to the camera was deemed unsatisfactory, and the team behind the portal is now investigating other technical solutions. The portal will be reopened shortly after the necessary

[00:11:00] changes are implemented. Why do we care? Beyond the quip of, this is why we can't have nice things, it should have been evident that users would abuse the system. But I'll admit, I didn't think of it either. Were you with me? Delivering those CISO

[00:11:18] services is challenging. This is an intensely obvious statement. And essential because many software vendors encourage providers to deliver these services. Do you know what you're getting into? AI too and the opportunity for data management is inherent. I've given you big,

[00:11:37] complex problems to chew on because complicated problems are also profitable ones. Just don't forget, they are hard. support any budget. Podcast listeners are more engaged, have a higher level of brand retention, and are more willing to listen to ads here than any other avenues. Want to know more?

[00:12:21] There's information at mspradio.com slash engage, including a button to book a time to talk. I'm looking forward to that discussion. Thanks for listening. Today, national pizza party day. Do that with friends, not as a reward for your employees.

[00:12:40] This weekend, AI and data protection with Alcion CEO Niraj Tolia. And the Wednesday live show will drop in the feed for podcast listeners as well this coming weekend. Have a question you want answered? We do take those listener questions,

[00:12:54] send them in as a voice memo or video ideally to question at mspradio.com. I answer listener questions live each week on our Wednesday live show. Next week, 3pm Eastern. Have a great weekend. Enjoy the bonus episodes, and I'll talk to you on Monday.

[00:13:10] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech. If you like the content, please make sure to hit that like button, follow or subscribe.

[00:13:23] It's free and easy and the best way to support the show and help us grow. You can also check out our Patreon where you can join the Business of Tech community at patreon.com slash mspradio or buy our Why Do We Care merch at businessof.tech.

[00:13:41] Finally, if you're interested in advertising on the show, visit mspradio.com slash engage. Once again, thanks for listening to me. I will talk to you again on our next episode of the Business of Tech.