This article was originally published on LinkedIn by The Missing Link's Senior Security Sales Executive, Mali Munasinghe.

What regulation is saying...

We're going mainstream

A year ago to the month, I did my best Paul Revere impression, penning the inaugural Daily Mailware with the promise of change. Whilst November 2023 brought the release of the Australian Government's 2023-2030 Australian Cyber Security Strategy, the dawn of a new regulatory age was not without its share of critique.

Among the pillars and horizons, there were some notable (or lacking) tidbits:

  • Directors’ ‘cyber duty’ is still… not really outlined. Governance of cyber risk remains within existing statutory duties. We still await the watershed moment when a board member is held liable for cyber negligence.
  • The Government has not gone as far as prohibiting ransomware payments but instead proposes mandatory no-fault, no-liability ransomware reporting.
  • Data is still a bit of a problem, and guidance on data minimisation is still lacking.

Critique aside, you can’t say Clare isn’t swinging for the fences. ‘Making Australia the most cyber secure nation by 2030’ doesn’t have the same ring as MAGA, but it’s just as ambitious. And as cybercrime approaches the $10.5 trillion mark, the timing is well overdue.

What industry is saying...

I like to MOVEit, MOVEit

ASD responded to a cyber incident every 6 minutes last year. This, plus almost every other material metric being worse, begs the question: how low does this limbo bar go?

Whilst it's comforting that ASD and Microsoft both agree on the known staples that keep threats out (up to 98% of attacks, apparently), i.e.:

  • MFA
  • Know your RPOs/RTOs, and back up
  • Keep Systems up to date

It's disturbing to know that 1 in 5 critical vulnerabilities sampled by ASD last year was exploited within 48 hours. How do you sustainably patch faster than 48 hours? I don’t know, you tell me. One for the Risk Register.

This represents a disturbing trend going into 2024. Some 26,447 vulnerabilities were disclosed in 2023, the highest number ever in a reporting year, and in numerous instances an exploit was published or available on the very day the CVE was published. #DefenseinDepth
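To make that 48-hour question concrete, here is an added example (mine, not code from the original article or from ASD): given a backlog of vulnerability records with constructed placeholder identifiers and dates, it reports which were exploited within 48 hours of publication, the fastest publish-to-exploit gap observed (the window a patch SLA would actually have to beat, which can be well under 48 hours), and how long each exposed system stayed unpatched after an exploit was available. Everything in `SAMPLE` and `AS_OF` is assumed sample data.

```python
"""Exploit-to-disclosure and patch-exposure metrics for a vulnerability backlog.

Added example for this article, not code from the original page. Every
identifier and timestamp below is constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VulnRecord:
    cve_id: str                       # placeholder identifier, not a real CVE
    published: datetime               # when the CVE/advisory went public
    exploit_seen: Optional[datetime]  # first public exploit or in-the-wild use; None if none known
    patched: Optional[datetime]       # when the estate was fully patched; None if still open


# Constructed sample backlog (assumed data, not ASD statistics).
SAMPLE: List[VulnRecord] = [
    VulnRecord("CVE-A", datetime(2023, 5, 31, 10), datetime(2023, 5, 31, 18), datetime(2023, 6, 3, 18)),  # same-day exploit
    VulnRecord("CVE-B", datetime(2023, 6, 1, 8),   datetime(2023, 6, 2, 12),  datetime(2023, 6, 1, 20)),  # patched first
    VulnRecord("CVE-C", datetime(2023, 6, 5, 8),   datetime(2023, 6, 20, 8),  datetime(2023, 6, 12, 8)),  # slow exploit
    VulnRecord("CVE-D", datetime(2023, 6, 10, 8),  None,                      datetime(2023, 7, 1, 8)),   # no known exploit
    VulnRecord("CVE-E", datetime(2023, 6, 15, 8),  datetime(2023, 6, 16, 9),  None),                      # still unpatched
]
AS_OF = datetime(2023, 6, 20, 9)  # constructed "now" used to measure still-open items


def exploited_within(records: List[VulnRecord], window: timedelta = timedelta(hours=48)) -> List[str]:
    """IDs whose first exploit appeared within `window` of publication."""
    return [r.cve_id for r in records
            if r.exploit_seen is not None and r.exploit_seen - r.published <= window]


def exploited_rate(records: List[VulnRecord], window: timedelta = timedelta(hours=48)) -> float:
    """Fraction of records exploited inside the window (the '1 in 5' style figure)."""
    return len(exploited_within(records, window)) / len(records) if records else 0.0


def fastest_exploit(records: List[VulnRecord]) -> Optional[timedelta]:
    """Shortest observed publish-to-exploit gap; a patch SLA must beat this, not a nominal 48h."""
    gaps = [r.exploit_seen - r.published for r in records if r.exploit_seen is not None]
    return min(gaps) if gaps else None


def exposure_hours(records: List[VulnRecord], as_of: datetime) -> List[Tuple[str, float]]:
    """(id, hours) for records where an exploit existed before the patch landed.

    Open items are measured up to `as_of`. Records patched before the exploit
    appeared, or with no known exploit, were never exposed and are omitted."""
    out: List[Tuple[str, float]] = []
    for r in records:
        if r.exploit_seen is None:
            continue
        closed = r.patched if r.patched is not None else as_of
        if closed > r.exploit_seen:
            out.append((r.cve_id, (closed - r.exploit_seen).total_seconds() / 3600))
    return out


if __name__ == "__main__":
    print("exploited within 48h:", exploited_within(SAMPLE), f"({exploited_rate(SAMPLE):.0%})")
    print("fastest exploit after publication:", fastest_exploit(SAMPLE))
    for cve, hours in exposure_hours(SAMPLE, AS_OF):
        print(f"{cve}: exposed {hours:.0f}h after exploit availability")
```

The useful number for the risk register is `fastest_exploit`, not the 48-hour headline: in the constructed sample the same-day case gives an 8-hour gap, and only CVE-B, patched before its exploit appeared, avoids showing up in the exposure list.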

ASD also reported that ransomware, data extortion and business email compromise continue to be the three-headed monster in Australia, and attacks on critical infrastructure increased almost two-fold.

Outside of the multiple kinetic conflicts currently ongoing globally, consider that in 2024, 42% of the global population will be participating in presidential, parliamentary and/or general elections. The prevalence of Cyber Espionage has caused enough concern for ASIO that it considers espionage and foreign interference to be a higher priority than terrorism in Australia today.

What vendors are saying...

This is my favourite part

Remember that limbo bar question? Well, it turns out CrowdStrike's, Proofpoint's and Fortinet's annual threat reports have some grim news: probably lower. The scary reason is that GenAI is supercharging the Cyber Kill Chain. Apart from enabling attackers to exploit better and faster than before, consider GenAI-curated email pretexts, which remove one of the easiest tells of a phish: bad grammar (a scarier prospect when you consider Australian organisations were targeted by spear phishing at a higher rate than any other APJ country last year).

Whilst the majority of Australian CISOs and digital leaders are still grappling with AI in its full glory, according to ADAPT, our adversaries seem quicker on the uptake. CrowdStrike has some brilliant specific examples of GenAI-assisted attacks in the wild (pg.33), and for some comedic relief, here is an example of a probable AI-written phish gone wrong.

I had two crystal ball predictions last year, in terms of what would keep me busiest as a generalist Cyber Sales guy: identity security and cloud. The former seems to be in good hands in terms of controls assurance. A plethora of vendors, either through a subject-object or a data lens, are now really good at helping you detect, respond to and contain highly risky behaviour inside your network. A very good way to test this is a red team, if for no other reason than to see your people, process and technology controls in action, and I'd encourage a chat about how TML can help. We have one of Australia’s leading Red Team Practices.

Tooling to secure cloud environments is still where the market is noisiest. As everything goes aaS, cloud environment intrusions increased by 75% from 2022 to 2023. I’m bemused as to how cyber ops teams can decipher all the cloud security acronyms (SWG, CASB, CWPP, CSPM, SSPM etc.), let alone stitch them all together to make it work operationally. The key word is #Consolidate, and yes, if this is something you’re looking at, now would be a great time to chat as well.

Need help with your Cyber Security?

Making sure your cyber security is rock-solid is vital in today's threat landscape. That's why The Missing Link is here to help.

As a leading provider of offensive security services, we offer expert Red Teaming, Penetration Testing, and comprehensive cyber security solutions and managed services. Our experienced professionals and cutting-edge techniques can assess your security posture, identify vulnerabilities, and strengthen your defences.

Get in touch with The Missing Link today to learn more about our offensive security services and how we can safeguard your organisation against evolving cyber threats.

Author

Mali Munasinghe