Posts

Thoughts on AI and Cybersecurity

Being an CSSLP gives me access to various emails from (ISC)2. One of these announced me that there is a recording of a webinar about AI and Cybersecurity held by Steve Piper from CyberEdge.

Very nice presentation of 1h, and I found out that there is a sequel to that on November 1st.

So, following Steve’s article, I did some research, read a lot and used ChatGPT to summarize some of my findings.

This article explores the multifaceted ways AI is transforming cybersecurity, from threat detection to incident response and beyond. It also looks into What it means actually to use AI in some of these fields. What is the impact on privacy and confidentiality?

Important to keep in mind that any AI must first learn (trained) in order to be able to understand the system and then potentially predict what is happening.

 

  1. Threat Detection

One of the primary applications of AI in cybersecurity is threat detection. Traditional rule-based systems are no longer sufficient to identify and combat sophisticated attacks.

AI-driven technologies, such as machine learning and deep learning, can analyze massive datasets to detect anomalies and potential threats.

Here’s how:

a. Anomaly Detection: AI algorithms can establish a baseline of normal behavior in a network or system. Any deviation from this baseline can trigger an alert, indicating a potential security breach.

b. Behavioral Analysis: AI can analyze user and entity behavior to detect patterns that may indicate malicious activity. This is particularly useful for identifying insider threats.

c. Malware Detection: AI can scan files and code for patterns consistent with known malware or recognize behavioral patterns of malicious software.

We’ll talk more in the future on this topic.

 

  1. Predictive Analysis

AI-driven predictive analysis enhances cybersecurity by identifying potential threats before they become full-blown attacks.

By crunching vast amounts of historical data, AI systems can predict emerging threats, trends, and vulnerabilities. This early warning system allows organizations to preemptively shore up their defenses.

It would have to gather huge amounts of data, crunch them (preprocess, normalize, structure), creating an ML model and then based on the chosen technology train the system.

Here we can think of supervised (pre-categorized data, requiring feature to be defined) and unsupervised learning (non categorized data, basically being restricted to Anomaly detection).

There is a huge warning here, because :

a) such huge amounts of data has to come from somewhere and

b) predictions can be influenced by specially crafted training data, for unsupervised training models.

 

  1. Automation and Orchestration

AI can automate routine cybersecurity tasks and workflows, reducing the workload on human analysts and minimizing response times. AI-driven systems can:

a. Automatically quarantine infected devices or isolate compromised areas of a network to prevent lateral movement by attackers.

b. Investigate and analyze security incidents, rapidly categorizing and prioritizing alerts.

c. Initiate predefined incident response procedures, such as patching vulnerable systems or resetting compromised user accounts.

 

Automation:

Automation involves the use of technology, such as scripts, workflows, or AI-driven systems, to perform routine and repetitive tasks without human intervention. In the context of cybersecurity, automation can significantly improve efficiency and response times by handling various operational and security-related processes automatically. Here’s how it works:

a. Incident Response: When a security incident is detected, automation can trigger predefined actions to contain, investigate, and mitigate the threat. For example, if a system detects a malware infection, an automated response might involve isolating the affected device from the network, blocking the malicious IP address, and initiating a forensic investigation.

b. Vulnerability Patching: Automation can be used to deploy security patches and updates to systems and software as soon as they are released. This reduces the window of vulnerability and helps prevent attacks that target known vulnerabilities.

c. Log Analysis and Alerts: Automation can continuously monitor logs and events from various systems. It can detect and respond to predefined security events, generating alerts or triggering specific actions when unusual or malicious activity is detected.

 

Orchestration:

Orchestration is a broader concept that focuses on integrating and coordinating various security tools, processes, and workflows into a unified and streamlined system. It enables organizations to create end-to-end security workflows by connecting different security solutions and ensuring they work together cohesively. Here’s how it works:

a. Workflow Integration: Orchestration systems allow the creation of predefined security workflows that link multiple tools, such as firewalls, intrusion detection systems, antivirus software, and incident response platforms. For example, when a malware alert is triggered, orchestration can coordinate the response by isolating the affected system, collecting forensic data, and alerting the incident response team.

b. Information Sharing: Orchestration enables the sharing of critical information among security tools. This ensures that all relevant security solutions have access to the latest threat intelligence, allowing for more effective threat detection and mitigation.

 

  1. Phishing Detection

Phishing attacks remain a prevalent threat. AI can help identify phishing attempts by:

a. Analyzing email content and sender behavior to identify suspicious emails.

b. Scanning URLs for malicious domains or suspicious patterns.

c. Inspecting attachments for known malware signatures.

d. Recognizing social engineering techniques and language used in phishing emails.

 

  1. Network Security

AI-driven intrusion detection systems (IDS) and intrusion prevention systems (IPS) monitor network traffic for anomalies and threats.

They can identify and block malicious traffic in real-time, protecting the network from various attacks, including DDoS attacks and data exfiltration.

 

  1. Threat Intelligence

AI can be used to aggregate and analyze threat intelligence from various sources, including open-source feeds, dark web monitoring, and industry-specific data.

This aggregated intelligence can help security teams stay informed about emerging threats and vulnerabilities.

 

  1. Endpoint Security

AI-driven endpoint security solutions provide real-time protection for individual devices.

They can identify and mitigate threats at the device level, even when the device is not connected to the corporate network. This is especially crucial for remote workers and mobile devices.

This raises another red flag for me: complete monitoring of user’s actions on the device. What happens to the data gathered, is the model trained locally on in the cloud? And many other such concerns.

I will write a dedicated post about AI and Privacy very soon.

The post Thoughts on AI and Cybersecurity first appeared on Sorin Mustaca on Cybersecurity.

How to Configure the Most Secure Settings for Microsoft Defender

Microsoft Defender is a comprehensive security solution that protects your Windows devices from various threats, such as malware, ransomware, phishing, and more.

Microsoft Defender includes several features and settings that you can customize to enhance your security and privacy.

In this article, we will show you how to configure the most secure settings for Microsoft Defender, based on the recommendations from Microsoft and other sources.

 

Enable Real-Time Protection and Cloud-Delivered Protection
Real-time protection is a feature that scans your files and programs in real-time and blocks any malicious activity. Cloud-delivered protection is a feature that uses Microsoft’s cloud-based intelligence to detect and respond to new and emerging threats. To enable these features, follow these steps:

• Open Windows Security by selecting Start > Settings > Update & Security > Windows Security or by clicking the shield icon in the taskbar.

• Select Virus & threat protection.

• Under Virus & threat protection settings, select Manage settings.

• Turn on the following options: Real-time protection, Cloud-delivered protection, Automatic sample submission, and Tamper protection https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963.

 

Configure Firewall and Network Protection
Firewall and network protection is a feature that monitors your network connections and blocks unauthorized or malicious traffic. You can configure the firewall settings for different network profiles (domain, private, or public) and allow or block specific apps through the firewall. To configure the firewall settings, follow these steps:

• Open Windows Security and select Firewall & network protection.

• Select the network profile that you are currently using (for example, Private network).

• Turn on Windows Defender Firewall.

• Under Allow an app through firewall, select Change settings.

• Review the list of apps that are allowed or blocked by the firewall. You can uncheck any app that you don’t trust or don’t need to access the internet. You can also add a new app by selecting Allow another app.

• Select OK to save your changes https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide.

 

Enable Microsoft Defender SmartScreen
Microsoft Defender SmartScreen is a feature that helps protect you from malicious websites, downloads, and apps. It checks the reputation of the sites and files you visit or download and warns you if they are potentially dangerous. To enable this feature, follow these steps:

• Open Windows Security and select App & browser control.

• Under Microsoft Defender SmartScreen, turn on the following options: Check apps and files, SmartScreen for Microsoft Edge, SmartScreen for Microsoft Store apps
https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963.

 

Enable Exploit Protection
Exploit protection is a feature that helps protect your device from common exploits that target vulnerabilities in software. It applies mitigations to apps and processes to prevent or reduce the impact of attacks. To enable this feature, follow these steps:

• Open Windows Security and select App & browser control.

• Under Exploit protection settings, select Exploit protection settings.

• Under System settings, turn on all the options that are available (for example, Data Execution Prevention, Force randomization for images, Validate heap integrity, etc.)

https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963.

• Under Program settings, you can also customize the exploit protection settings for specific apps by selecting Add program to customize.

 

Enable Controlled Folder Access
Controlled folder access is a feature that helps protect your important files from ransomware and other unauthorized changes. It allows only trusted apps to access your protected folders and blocks any suspicious or malicious attempts. To enable this feature, follow these steps:

• Open Windows Security and select Virus & threat protection.

• Under Ransomware protection, select Manage ransomware protection.

• Turn on Controlled folder access.

• Under Protected folders, you can see the default folders that are protected by this feature (such as Documents, Pictures, Videos, etc.). You can also add additional folders by selecting Add a protected folder.

• Under Allow an app through Controlled folder access, you can see the list of apps that are allowed to access your protected folders. You can also add a new app by selecting Add an allowed app

https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963.

 

Enable Account Protection
Account protection is a feature that helps you improve your sign-in security and manage your account settings. It encourages you to use strong authentication methods such as Windows Hello or Microsoft Authenticator app and alerts you if there are any issues with your account. To enable this feature, follow these steps:

• Open Windows Security and select Account protection.

• Sign in with your Microsoft account if you haven’t already.

• Under Windows Hello, set up a PIN, fingerprint, or face recognition to sign in to your device without a password.

• Under Dynamic lock, turn on Allow Windows to automatically lock your device when you’re away if you want to use this feature.

• Under Account management, review your account settings and security info

https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963.

 

Update Your Device Regularly
One of the best ways to keep your device secure is to update it regularly with the latest security patches and feature updates. Windows Update automatically downloads and installs updates for your device, but you can also check for updates manually and change some settings. To update your device, follow these steps:

• Open Windows Security and select Device performance & health.

• Under Windows Update, select Check for updates.

• If there are any available updates, select Download and install or Install now.

• You can also select Advanced options to change some settings, such as when to schedule the updates, how to pause the updates, or how to opt in to the Windows Insider Program

https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963.

 

Conclusion
Microsoft Defender is a powerful security solution that can help you protect your Windows devices from various threats. By following the steps in this article, you can configure the most secure settings for Microsoft Defender and enhance your security and privacy. However, you should also remember that no security solution is perfect and you should always be careful and vigilant when using your device online.

References

Stay protected with Windows Security – Microsoft Support

Best practices for configuring Windows Defender Firewall – Microsoft Learn

This article was written by Bing AI client integrated in Skype.

Q: design a picture showing microsoft defender hardening

A:

The post How to Configure the Most Secure Settings for Microsoft Defender first appeared on Sorin Mustaca on Cybersecurity.

ChatGPT and automotive cybersecurity #1/2: About CSMS from ISO 21434

As promised, I played more with ChatGPT and this time I started to dig a bit into cybersecurity for automotive.

Since I am working these days on CSMS (based on ISO ECE 21434 and TISAX), part of my companies consulting offer for automotive I thought maybe I check what ChatGPT things about them.

Unfortunately, nothing dramatically new, a form of what a google search gives you. However, the model answered something interesting about TISAX, which usually I, as a human would probably answer.  ( No, this post is not written by ChatGPT: 🙂   )

 

Here it is:

 

Query:

Tell me about CSMS from ISO 21434

 

ChatGPT:

CSMS (Cybersecurity Management System) is a framework for managing cybersecurity within an organization, as defined in ISO 21434. ISO 21434 is an international standard for automotive cybersecurity that provides guidelines for the development and implementation of cybersecurity measures in the automotive sector.
CSMS is designed to help organizations manage cybersecurity risks and protect against cyber threats.

It is based on the same principles as other management systems, such as quality management or environmental management, and provides a structured approach to managing cybersecurity.

The framework covers a range of cybersecurity-related activities, including:

  • Threat identification and assessment
  • Risk management
  • Security controls and measures
  • Incident management
  • Continuous improvement

CSMS is designed to be flexible and adaptable, allowing organizations to tailor the framework to meet their specific needs and requirements.

The standard also provides a basis for certification, enabling organizations to demonstrate their commitment to cybersecurity and their ability to effectively manage cybersecurity risks.

In summary, CSMS from ISO 21434 provides a comprehensive framework for managing cybersecurity and is an important aspect of information security for organizations operating in the automotive sector.”

 

This text is not returned by a google search. If I search the exact same terms, google returns me a bunch of links and ads (4 Ads, 9 links, 1 ad) and some Youtube videos.

So, is this text relevant?

Yes, it is a very good summary. I will actually use it in the offerings of my company.

 

 

Part #2 is about “TISAX certification”.

 

The post ChatGPT and automotive cybersecurity #1/2: About CSMS from ISO 21434 first appeared on Sorin Mustaca on Cybersecurity.