A spate of devastating cyber-attacks against UK retailers that has led to empty shelves has been described as a “wake-up call to all organisations” by the UK National Cyber Security Centre. 🚨
Harrods, the luxury London department store, has just become the latest victim after Marks & Spencer and the Co-op supermarket were also targeted. Marks & Spencer (or M&S) has suffered the most calamitous consequences. A suspected ransomware infection, which has been linked to the hacking collective Scattered Spider, has forced M&S to pause online orders and led to gaps on store shelves as well as disruption to its loyalty scheme and gift card payments. The clothing, homeware and food retailer’s market value has fallen by around £650 million. Cybersecurity expert Graham Cluley told ITV News that “attacks involving the DragonForce ransomware” – the malware suspected to have been deployed – “usually start with exploitation of known vulnerabilities”. That is a reminder, once again, of the importance of robust vulnerability identification and management and the prompt application of security patches: initial access through an unpatched, publicly known flaw is precisely the entry point a disciplined patch cadence closes. 🔒
SaaS systems ‘dismantle essential security boundaries’
An overreliance on the software-as-a-service (SaaS) model is “creating single points of failure with potentially catastrophic system-wide consequences”, according to the CISO of JPMorganChase. ⚠️
In an open letter to third-party suppliers, Patrick Opet also warned that “fierce competition among software providers” has incentivised “rushed product releases without comprehensive security built in”. In an excoriating critique, Opet said strict segmentation between internal resources and untrusted external interactions had been abandoned in favour of “unchecked interactions between third-party services and firms’ sensitive internal resources”. The security exec suggests rejecting “these integration models without better solutions” – or at least providing “continuous, demonstrable evidence that controls are working effectively, not simply relying on annual compliance checks.” 🛡️
CVE database rescued
In the third story of our latest monthly roundup of news of interest to CISOs and security teams, the cybersecurity industry recently breathed a collective sigh of relief after an 11th hour reprieve for the CVE database. 🙌
Many industry figures expressed alarm when MITRE, the not-for-profit that runs the CVE program, revealed that its government contract to operate the program was due to expire without renewal – sparking fears that it had fallen prey to Elon Musk’s cost-cutting drive. ✂️ Thankfully, funding for this index of known security flaws, an invaluable resource for security teams, was extended by the US government shortly before the contract was due to lapse on 16 April. Phew. 😌
CISOs of the world unite!
A coalition of blue-chip CISOs has called for greater harmonisation of global cybersecurity regulations. 🌍 Some 43 security execs – including CISOs from GitHub, Microsoft, AWS, Mastercard and Siemens – sent a letter (PDF) to the G7 and OECD urging them to take steps to address “growing fragmentation” that “is adding complexity to our companies’ operational cyber defense and ability to defend against growing cyber threats”. 🚨
The rapid digitisation of the modern economy has left civilisation increasingly vulnerable to cyber-attacks and prompted the US, UK, EU, Australia, Singapore and others to overhaul ageing cyber laws. However, the CISO signatories believe current regulatory divergence – across borders and sectors – is intolerable as they contend with fundamentally supranational cyber threats. 🌐
Their call to action argues that increasing regulatory misalignment “creates difficulty in implementing consistent security measures across different jurisdictions, complexity to time-sensitive incident response activities, potential negative impact on reporting due to conflicting requirements, delays in cybersecurity regulatory implementation due to the need of managing multiple regulatory landscapes and exacerbates the cybersecurity talent shortage.” 🧠
Trailer for UK NIS 1 sequel
Presumably these CISOs were no fans of Brexit, given the regulatory divergence entailed by the UK-EU divorce. Perhaps slightly reassuringly for them, a UK government policy statement has indicated that the UK Cyber Security and Resilience Bill – the UK revamp of NIS 1 – will align with the EU’s NIS 2 directive “where appropriate”. While the statement hints at a lighter-touch approach (referencing the need for “agile, pro-innovation regulation”), the need to minimise compliance burdens and facilitate cross-border information-sharing will hopefully ensure significant convergence with NIS 2. 🇬🇧
Patchy bug-fix ratios
Perhaps it’s unsurprising that organisations are only managing to remediate one in five (21%) AI-related vulnerabilities uncovered by pentests, as revealed by a report from OffSec services firm Cobalt. As we’ve explained in our article on mitigating AI cybersecurity risks with Bug Bounty Programs, the ‘black-box’ nature of AI models and their non-deterministic behaviour make it particularly difficult to distinguish intended/benign behaviour from unintended/insecure outputs, as well as to fashion workable fixes for validated vulnerabilities. 🤖
Nearly three in four security leaders polled by Cobalt (72%) ranked AI attacks as their primary worry, eclipsing risks associated with third-party software, insider threats and nation state threat actors. Only 64% professed to be “well equipped to address all security implications of genAI.”
The report also revealed that organisations are fixing 48% of all the exploitable vulnerabilities they are aware of, although this figure rises to 69% for high- and critical-severity findings. Perhaps reflecting the success of the software development industry’s ‘shift left’, the median time to remediate serious vulnerabilities has plummeted since 2017 – from 112 days down to 37 days last year. 🐛
Cert scheme highlights value of VDPs and Bug Bounty
Back to compliance now: a new EU certification programme demonstrates that Bug Bounty Programs and vulnerability disclosure policies (VDPs) are invaluable for showing customers that you take security seriously. Vulnerability management and disclosure guidelines for the EU Common Criteria (EUCC) scheme, which certifies digital products that adhere to stringent security standards, are based on ISO standards that prescribe the implementation of VDPs. Moreover, Bug Bounty Programs are cited by these guidelines among best-practice methods for obtaining information about potential vulnerabilities. 🛡️
Bug Bounty in the telco trade
What’s the best way to scale up security testing for fast-evolving telco services used by 121 million customers? And how can you do this without slowing software deployment down? 🤔 Our latest customer story reviews a presentation delivered by a security executive at Ooredoo, which outlined why the Qatari multinational embraced Bug Bounty and whether the model had lived up to its promise so far. 📶
Code of practice on cyber intrusion tools
A code of practice designed to tackle the proliferation and irresponsible use of cyber intrusion tools has so far been adopted by 22 nations. Fortunately, the accord, a British-French initiative, urges governments to clearly define the lawful use of such tools – helping to protect our hunters’ efforts to strengthen digital security. Our CEO, Guillaume Vassault-Houlière, represented the ethical hacking and Bug Bounty industry at a Paris conference where the accord was signed earlier this month. 🐱‍💻
🤘 Meet the YesWeHack team
With springtime now in full swing, the InfoSec conferences are coming thick and fast. Here’s where you can meet the YesWeHack team and learn about our Bug Bounty and vulnerability management platform in the coming weeks:
📍GISEC Global – Dubai, 6-8 May, booth B180
📍SINCON – Singapore, 22-23 May, Bug Bounty Kampung (Village)
📍Vietnam Security Summit – Ho Chi Minh City, 23 May, booth 23
📍Infosecurity Europe – London, 3-5 June, booth F130
More conferences and live hacking events will be announced in due course! 📅
Read this monthly roundup even sooner by subscribing to CrowdSecWisdom – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.
Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.