
Akshay Aggarwal

on Entrepreneurship, AI & Security


Product Security

Honor among thieves or Set an example?

The Dark Angels ransomware group recently secured a record $75 million ransom payment from an undisclosed victim, surpassing the previous record of $40 million paid by insurance giant CNA Financial in 2021. In contrast, Seattle Public Library is suffering from a months-long attack and is ostensibly not paying a ransom.

I wonder who will get attacked again. I did a little tabletop exercise using various analysis models to find support for attacks on the entity that Paid (EtP) or Seattle Public Library (SPL).

Scenario 1: Attackers Reattack an Entity that Paid

Economic Theory (Rational Choice Theory)

  • High-Value Targets: The entity that previously paid a large ransom, such as the undisclosed victim of the $75 million payment, is an attractive target because it has already demonstrated its ability and willingness to pay. The potential financial reward outweighs the costs and risks of another attack.

Behavioral Economics

  • Heuristics and Biases: Attackers may use the availability heuristic, believing that an entity that has paid a large ransom in the past is likely to pay again. This past behavior is seen as a predictor of future actions.

Risk Analysis

  • High Reward, Predictable Behavior: The previously compliant entity is seen as a high-reward target with a predictable likelihood of paying again. The risk of attack is justified by the substantial potential payoff.

Network Theory

  • Highly Connected Entities: If the entity is well-connected within its industry, compromising it again could provide access to additional valuable targets or sensitive information, amplifying the potential rewards.

Game Theory (Extended Models)

  • Signaling Theory: Reattacking a high-paying entity sends a message to other potential victims that payment is the preferred course of action. This reinforces the attackers’ reputation and can deter resistance in future targets.
  • Repeated Games: In the long term, attackers aim to maintain a reputation that ensures future compliance by demonstrating the benefits of paying a ransom.

Cybersecurity Posture Analysis

  • Weak Defenses, Inadequate Response: If the entity has not significantly improved its cybersecurity posture since the last attack, it remains vulnerable, making it an easy and lucrative target.

Sociopolitical Factors

  • Regulatory Environment: Entities in regions with lenient regulations regarding ransom payments are more likely to be reattacked. The regulatory context can influence the attackers’ perception of the likelihood of receiving payment.

Technological Factors

  • Exploitable Vulnerabilities: Entities using vulnerable or outdated technologies, which were previously exploited, remain at risk. Attackers may continue to exploit these known weaknesses.

Scenario 2: Support for Attackers Reattacking Seattle Public Library

Game Theory (Extended Models)

  • Signaling Theory: Continuously attacking the Seattle Public Library sends a message to other entities that refusal to pay will result in prolonged and disruptive attacks. This tactic aims to break the resistance of future targets by setting a deterrent example.
  • Repeated Games: Attackers maintain a strategy where non-compliance is punished to create a deterrent effect. This establishes a long-term reputation that encourages future compliance.

Behavioral Economics

  • Prospect Theory: Attackers leverage the fear of prolonged operational disruption and reputational damage. The library’s ongoing suffering serves as a powerful example of the costs associated with non-payment, exploiting the psychological impact on other potential victims.

Risk Analysis

  • Low Security, Low Reward but Persistent Attacks: Although the financial reward from attacking the library is low, the persistent attack serves to create a deterrent effect, reducing future risks of encountering non-compliant targets.

Network Theory

  • Peripheral Nodes in a Network: The library, while not a high-value target, is part of a broader network of public institutions. Continuous attacks can serve as practice or testing grounds for attackers, and the visible impact on one public institution can pressure others in the network to comply.

Cybersecurity Posture Analysis

  • Weak Defenses, Poor Response: The library’s inability to effectively respond to and resolve the ongoing attack highlights its weak defenses, making it an easy target for repeated exploitation. This persistent vulnerability is exploited to set an example.

Sociopolitical Factors

  • Public Impact: The highly visible and public nature of the Seattle Public Library amplifies the impact of the attack. Media coverage and public awareness increase the pressure on similar institutions to comply with ransom demands to avoid similar disruptions.

Technological Factors

  • Vulnerable Technology Users: Public institutions like libraries often use outdated or vulnerable technology due to budget constraints. This makes them easy targets for attackers who can repeatedly exploit these known weaknesses.

Summary of Analysis

Reattacking an Entity that Paid:

  • Attackers are motivated by the high potential reward, predictable compliance, and weak defenses of a previously paying entity. The strategy is reinforced by economic theory, behavioral economics, risk analysis, network theory, game theory, cybersecurity posture analysis, sociopolitical factors, and technological vulnerabilities.

Reattacking Seattle Public Library:

  • Attackers aim to set a deterrent example by demonstrating the consequences of non-payment. This strategy leverages game theory, behavioral economics, risk analysis, network theory, cybersecurity posture analysis, sociopolitical factors, and technological vulnerabilities. The goal is to create a climate of fear and compliance among other potential victims, using the library as a high-visibility example.

Ransomware attackers are likely to reattack high-value entities that have previously paid large ransoms, as seen in economic and behavioral theories, due to the predictability of compliance and substantial rewards. Conversely, targeting the Seattle Public Library, despite its lower financial value, serves as a deterrent example to other potential victims. This strategy exploits weak defenses and psychological pressure, signaling severe consequences for non-payment.

Candidly, I still wonder which will happen!


Author Note
I originally posted this post on LinkedIn.

Reference as Honor among thieves or Set an example? by Akshay Aggarwal, Zove Security

Zove Security’s AI Technology Unit Acquired To Protect High-Value Targets

Zove Security’s AI unit acquired, enhancing cyber defense for high-value targets with ZoveTrustAI technology

“Malicious actors are leveraging AI to scale complex attacks at lower costs. The ZoveTrustAI platform protects critical individuals from sophisticated attacks and paves the path to autonomous defense.” — Akshay Aggarwal, CEO, Zove Security

SEATTLE, WASHINGTON, USA, June 25, 2024 /EINPresswire.com/ — Zove Security, a leading provider of emerging technology and information security capabilities, announced today that its AI technology unit has been acquired by a stealth firm, a subsidiary of a renowned global technology enterprise. The acquisition includes all technology assets, exclusive rights to the ZoveTrustAI platform, and Zove’s dedicated operations team. The integration of Zove’s assets into the acquiring firm will be completed over the third quarter of the calendar year. The financial terms of the acquisition are not being disclosed.

ZoveTrustAI: A Game-Changer in Cybersecurity

The deal encompasses the proprietary ZoveTrustAI platform, an artificial intelligence system for devices that merges generative models with personal context and threat reports. This unique solution delivers incredibly relevant and actionable intelligence, enhancing cyber risk management by combining on-device large language models (LLMs) and server-based models. During field trials, ZoveTrustAI successfully identified multiple instances of previously unknown active attacks, demonstrating its effectiveness in real-world scenarios.

A Fruitful Collaboration

For almost two years, Zove Security co-created the solution with the acquiring firm. This solution protects high-value targets (HVTs), including executives, celebrities, and other sensitive individuals from cybercriminals and adversarial state actors. This partnership has focused on active attack identification, leveraging the strengths of both organizations to develop and refine ZoveTrustAI.

Future Integration and Capabilities

Post-acquisition, ZoveTrustAI will be integrated into a security solution designed to manage cyber risk for high-risk individuals. This technology is poised to revolutionize fraud detection and cyberattack response by utilizing personal context and on-device LLMs to deliver autonomous defense mechanisms. With secure on-device data processing, it will ensure your privacy while providing robust protection. It is designed to be smart, adaptive, and always one step ahead.

CEO Statement

Akshay Aggarwal, Founder and CEO of Zove Security, stated, “Advancements in Artificial Intelligence (AI) are poised to significantly impact cybersecurity. For most enterprises, AI presents both threats and potential. Malicious actors are leveraging AI to scale complex attacks at lower costs. The ZoveTrustAI platform allows enterprises to protect their critical users from sophisticated attacks and paves the path to autonomous defense.”

About Zove Security

Zove Security secures the products and platforms that power innovation and underpin our digital lives. Their mission is Platform Trust through secure engineering and trusted operations, ensuring users trust the technology they use and the companies behind them.

About the Acquiring Firm

The acquiring firm, currently in stealth mode, is part of a leading global tech enterprise known for its innovation and premium consumer electronics, including smartphones, PCs, tablets, wearables, and a range of software and services.

Avoiding the Security Bottleneck

Digital transformation is the use of digital technology in solving traditional problems where transformation occurs by means of digital innovation, resulting in new solutions. By its nature, it causes constant disruption to new and existing business models, products, services, or experiences enabled by data and technology across the enterprise. The ensuing continuous demand for new capabilities at faster speeds and bigger scales is pushing the limits of traditional development models.


Progress in the age of digital transformation has seen DevOps become the preferred development methodology of market leaders who are constantly adapting to meet fluctuating customer demands. DevOps includes continuous deployment with quick development of new capabilities and constant collaboration. The goal of DevOps is to shorten the systems development life cycle while delivering features, fixes, and updates frequently in close alignment with business objectives.

It is a common mistake to assume that traditional security controls can still be used in this new iterative environment since defects are fixed at a faster rate. While secure development principles still apply, and automated checkpoints do need to be built into each phase, the integration points and methodology need to be changed to adapt to the faster phases and account for the operation’s changes.


DevOps and the Security Challenge

DevOps refers to the combination of development and operations with a focus on cross-departmental integration and automation. The idea of DevOps spawned from the popularity of Agile, but placed greater emphasis on the cultural shifts necessary to sustain faster releases and drive toward a shared goal.  


Security practices need to adapt to the business drivers making these methodologies popular, such as the need to increase speed to market, enhance overall product quality, and address issues in a timely manner. Security must adapt to the requirements that enable the business drivers, such as short iterations, narrow focus, and an ability to quickly accommodate changing demands.


Integrating Security into DevOps

The top changes used by successful organizations to incorporate security into DevOps and overcome the characteristic challenges were identified and are described below:

  • Integrate Security Champions: Security team members need to be an integral part of the DevOps team through a champion/maven model deployment. Structurally, this helps build one cohesive development, operation, and security team, with one overarching objective to achieve business needs. The Security Champion is responsible for iterative threat modeling during the design process, using templates for driving architectural design patterns. The Information Security (InfoSec) team needs to set the standards the application team needs to meet on a periodic basis.
  • Risk-based approach: A risk-based approach to integrating security in the DevOps life cycle must be adopted. Organizations consistently apply a set of security activities to every release. These security activities must scale based on the risk profile of the user story and the associated epic. Defining these parameters is key to understanding the security activities that need to be integrated in the process.
  • Automation: Traditional security activities do not fit the short iterative DevOps cycles. Security methodologies are not being built for DevOps. Organizations are trying to adapt existing security methodologies used in traditional software development life cycle (SDLC) models. Organizations need to leverage automation to integrate security into the DevOps cycle. A couple of ways to do that include:
    • Using Integrated Application Security Testing (IAST) instead of traditional static analysis during automated quality assurance (QA) testing to identify security bugs
    • Leveraging Runtime Application Self-Protection (RASP)-based technologies to help mitigate and monitor product level code
  • Preapproved security patterns: Predefined nonfunctional security requirements need to be created and added to story cycles. Enterprise-approved libraries/functionalities must be available for core functionalities, such as authentication and system accounts management. Any deviation from the approved patterns is typically considered a defect that needs to be tracked to remediation. In addition, security testing results need to be tracked as part of a defect tracking system. Security vulnerabilities need to be considered bugs and added as criteria for automated checkpoints before release.
  • Standardize infrastructure and operational controls: Environment and security controls must be consistent across all environments, including testing and production. Organizations need to have a security baseline for infrastructure that is consistent across environments and can be deployed in an automated manner (e.g. cloud-based deployment activities with scripts can be leveraged for automation and complemented with checks to ensure security baselines are met).
  • Continuous monitoring: In addition to automation and baseline controls, activities to identify security defects must be performed on an ongoing basis. Continuous monitoring needs to include red team testing and fuzzing. Using cloud-based technologies allows teams to take advantage of Security Center detection capabilities built into the platform.
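
The risk-based, preapproved-pattern and standardized-baseline items above can be combined into one automated pre-release checkpoint. The following is an added sketch, not code from the original article; the risk tiers, activity names, severity policy and baseline settings are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy (hypothetical names): activities required per story risk tier.
REQUIRED_ACTIVITIES = {
    "low": {"dependency_scan"},
    "medium": {"dependency_scan", "iast_in_qa"},
    "high": {"dependency_scan", "iast_in_qa", "threat_model_review", "manual_pen_test"},
}
# Assumed policy: open findings at these severities block a release.
BLOCKING_SEVERITIES = {"critical", "high"}


@dataclass
class Story:
    key: str
    risk: str  # "low", "medium" or "high"
    completed: set = field(default_factory=set)


@dataclass
class Finding:
    story: str
    severity: str
    status: str  # "open" or "fixed"
    source: str  # e.g. "iast" or "pattern_deviation"


def missing_activities(story):
    """Activities still owed for this story; an unknown tier fails closed to 'high'."""
    required = REQUIRED_ACTIVITIES.get(story.risk, REQUIRED_ACTIVITIES["high"])
    return sorted(required - story.completed)


def baseline_drift(baseline, environments):
    """Return {env: {setting: (expected, actual)}} for settings off the baseline."""
    drift = {}
    for env, settings in environments.items():
        diffs = {k: (want, settings.get(k)) for k, want in baseline.items()
                 if settings.get(k) != want}
        if diffs:
            drift[env] = diffs
    return drift


def evaluate_release(stories, findings, baseline, environments):
    """Return (allowed, reasons); any reason blocks the release."""
    reasons = []
    for s in stories:
        for activity in missing_activities(s):
            reasons.append(f"{s.key}: {activity} not completed ({s.risk} risk)")
    for f in findings:
        if f.status != "open":
            continue
        # Deviations from preapproved patterns are defects regardless of severity.
        if f.severity in BLOCKING_SEVERITIES or f.source == "pattern_deviation":
            reasons.append(f"{f.story}: open {f.severity} finding from {f.source}")
    for env, diffs in sorted(baseline_drift(baseline, environments).items()):
        for setting, (want, got) in sorted(diffs.items()):
            reasons.append(f"{env}: {setting} is {got!r}, baseline requires {want!r}")
    return (not reasons, reasons)


# Constructed sample data for illustration only.
SAMPLE_STORIES = [
    Story("PAY-101", "high", {"dependency_scan", "iast_in_qa", "threat_model_review"}),
    Story("UI-7", "low", {"dependency_scan"}),
]
SAMPLE_FINDINGS = [
    Finding("PAY-101", "medium", "open", "pattern_deviation"),
    Finding("UI-7", "high", "fixed", "iast"),
    Finding("UI-7", "low", "open", "iast"),
]
SAMPLE_BASELINE = {"tls_min_version": "1.2", "disk_encryption": True, "public_ingress": False}
SAMPLE_ENVIRONMENTS = {
    "test": {"tls_min_version": "1.2", "disk_encryption": True, "public_ingress": True},
    "production": dict(SAMPLE_BASELINE),
}

if __name__ == "__main__":
    allowed, reasons = evaluate_release(
        SAMPLE_STORIES, SAMPLE_FINDINGS, SAMPLE_BASELINE, SAMPLE_ENVIRONMENTS)
    print("RELEASE ALLOWED" if allowed else "RELEASE BLOCKED")
    for reason in reasons:
        print(" -", reason)
```

A setting that is absent from an environment counts as drift, so an environment that was never configured cannot pass the gate by omission.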

Benefits of This Model

The methods presented above have several key benefits:


Authors Note

This article was originally co-authored by Akshay Aggarwal and Shahnawaz Sabuwala. It has been updated in 2023 with additional analysis.

Navigating the Security Landscape of Blockchains: Understanding Risks and Opportunities

An analysis of the blockchain security landscape by Akshay Aggarwal, CEO of Zove Security, with examples from fintech, banking, insurance, and retail industries. Our experience and insights into the foundational issues, risk factors, and promising use cases associated with blockchain technology.

As the blockchain industry continues to grow, with market projections reaching around $20 billion in the next few years, it is essential for us to understand the security landscape of blockchains. In doing so, we can better leverage this innovative technology across various industries, such as fintech, banking, insurance, and retail.

A key aspect of understanding blockchain security is recognizing the inherent risks associated with its foundational technologies, including decentralized and distributed ledger systems, public-key cryptography, and Merkle trees. By comprehending these risks, we can determine the suitability of use cases and their implementation strategies.

Cross-border B2B payments are one of the most compelling use cases for blockchain technology. Blockchain promises to streamline processes, reduce transaction costs, enhance security, and enable trust through identity management. According to a 2020 report from the World Economic Forum(1), 40% of blockchain use cases are in the financial services sector, with 70% focusing on cost reduction.

For instance, Ripple(2), a global payments network, leverages blockchain technology to provide faster and cheaper cross-border transactions for financial institutions. In the insurance industry, companies like Lemonade(3) use blockchain technology to automate claims processing and reduce fraud, resulting in lower premiums for customers.

In the retail industry, Walmart(4) has partnered with IBM to implement a blockchain-based system for tracking food products in its supply chain. This initiative helps improve transparency, traceability, and efficiency, ensuring that consumers receive safe and high-quality products.

To navigate the blockchain security landscape, we propose a risk criteria model for business decision-makers, as suggested by Aggarwal et al. The Zove Blockchain Risk Framework includes six different criteria:

  1. Legal and Regulatory: This refers to the uncertainty surrounding the use of blockchain technology in various jurisdictions and the potential impact of changing regulations on its value and implementation.
  2. Foundational: This involves the inherent risks associated with the underlying blockchain technology, its fundamental building blocks, and the choice of foundational elements.
  3. Technical Implementation: This refers to the risks related to how the blockchain solution is implemented from both a code and deployment perspective, including adherence to application security practices.
  4. Operational Integrity: This criterion focuses on how the blockchain technology is actually going to work in practice, ensuring its smooth operation.
  5. Scalability: This risk criterion is unique to blockchains and concerns the potential limitations in the foundational technology’s ability to handle increased usage, which may ultimately limit its value.
  6. Future-proofing: This involves considering the evolving nature of the technology and its various foundational elements and implementations, ensuring that the chosen solution remains relevant and adaptable over time.

To make this real, the authors convened a panel of a dozen blockchain, security and legal experts. The panel examined 10 use cases and created a heatmap of the risks associated with various blockchain use cases. In the heatmap, red represents high and unmitigated risk, yellow signifies high risk with some mitigations in place, green indicates managed risk, and white denotes unknown or undetermined risk.

Smart Contracts - Zove Blockchain Risk Framework

For example, the expert panel's risk evaluations for smart contracts (see attached heatmap) are as follows:

  1. Legal and Regulatory: Smart contracts are in a better position compared to ICOs from a legal and regulatory perspective, but they still face uncertainties.
  2. Foundational: Smart contracts share some of the same basic foundational issues related to security as other blockchain technologies.
  3. Technical Implementation: The real risk for smart contracts lies in the technical implementation, as poorly implemented contracts may lead to security vulnerabilities and other issues.
  4. Operational Integrity: Ensuring the smooth operation and execution of smart contracts is another area of risk.
  5. Scalability: The scalability of smart contracts can be a significant issue, particularly in an enterprise setting where massive adoption could hamper the effectiveness of the underlying blockchain.
  6. Future-proofing: Smart contracts may require a higher level of future-proofing due to their potential long-term nature, as they need to withstand the temporal aspects of blockchain technology.

As we look to the future, we anticipate the wide acceptance of 20 to 30 enterprise use cases and an increase in legal and regulatory frameworks surrounding blockchain. We are also interested in the security challenges that may arise when a popular blockchain technology loses users and becomes vulnerable to attacks.

Blockchain auditing holds significant value for supply chain management and digital assets. While the technology can be useful in tracing the origin and changes in code for digital products, verifying physical products can be more challenging, as the digital record may not always match the physical reality.

In conclusion, navigating the security landscape of blockchains requires a deep understanding of the technology’s inherent risks and a comprehensive risk criteria model for business decision-makers. By staying informed and anticipating future challenges, we can leverage the power of blockchain technology across various industries while mitigating potential risks.

Sources:

(1) World Economic Forum. (2020). “Unlocking Blockchain for the Underbanked.” Retrieved from https://www.weforum.org/agenda/2020/10/blockchain-technology-financial-inclusion/

(2) Ripple. (n.d.). “RippleNet.” Retrieved from https://ripple.com/ripplenet/

(3) Lemonade. (n.d.). “Powered by Tech, Driven by Social Good.” Retrieved from https://www.lemonade.com/about

(4) IBM. (2017). “Walmart and IBM Are Partnering to Put Chinese Pork on a Blockchain.” Retrieved from https://www.ibm.com/blogs/blockchain/2017/10/walmart-ibm-chinese-pork-on-a-blockchain/

Authors Note:

Reference as Navigating the Security Landscape of Blockchains: Understanding Risks and Opportunities by Akshay Aggarwal, Zove Security

Scaled Programs to Secure Connected Systems and Products

Executive Summary


What is the cumulative cybersecurity risk of an organization’s connected systems and products (CSP)? Does everyone agree the company is addressing the right risks at the right time? Do all partners understand their roles in responding to security issues?

CSP are driving industry growth across every sector of the market due to their cost saving and product lifecycle benefits. Security challenges have evolved in this space and are more complex because security requires a different approach today, one that prioritizes not only availability, integrity, and confidentiality, but also control and safety.

In this article, we outline some of the most prevalent challenges posed by today's CSP, including the lack of security integration into the development lifecycle, and provide an overview of an approach to integrating security into the lifecycle.


Table 1.1 - Level of autonomy vs. threat rating

CSP and the security challenge


The increase in CSP brings mounting risks. In recent years, companies large and small have become susceptible to various attacks and exploits through open vulnerabilities in their CSP. Based on our experience with similar organizations, there are increased risks associated with CSP that send data to other CSP in accordance with their level of autonomy, leading to risks that transcend typical company risks (Table 1.1). These heightened risks relate primarily to disruptions to CSP, which in turn cause system/equipment impairment, threats to physical safety, loss of R&D, and other critical issues. These have major consequences, such as altered or interrupted automated production processes and human injury or casualty. In addition, CSP left unsecured may affect customer expectations and customer trust. Security concerns have evolved in complexity due to the nature of CSP and the challenges they pose. A shifting paradigm requires that product security prioritize confidentiality, integrity, availability, control and safety.


Top 5 challenges posed by CSP


In an evolving technology landscape driven by CSP, organizations face a myriad of challenges related to incorporating security within the development and post-development phases of CSP. Based on our experience with delivering cybersecurity services to organizations across a variety of industry sectors, we have compiled a list of top 5 CSP security challenges faced by our clients as follows:


Integrating security into CSP

In order to properly identify and mitigate these vulnerabilities, one must understand the environment and technologies that underlie them. Each component has a disparate development methodology, making it essential that the security program be holistic in nature. The final CSP is typically a combination of internally developed and externally sourced components, making it essential to ensure security of the underlying components from the supply chain.


Securing CSPs entails starting an inventory and risk profile, development of policies and procedures around CSPs, security testing, and monitoring. Securing analytics and control backend requires effective practices in software security, continuous monitoring, vulnerability identification and management, and denial of service protection. Finally, securing the operating product involves development of deployment guidance, intellectual property protection, threat intelligence, and incident response capabilities.

A common misconception across organizations is that traditional security controls can still be applied to a CSP environment since defects are fixed at a faster rate. While secure development principles still apply and automated checkpoints need to be built into each phase, the integration point and methodology need to be tailored for adaptation to faster phases and account for the operation’s changes.

Our outlined approach to connected products is unique because it covers the entire product development lifecycle. Maturing risk management is achieved by integrating advanced risk identification processes into the development lifecycle and into the threat and vulnerability management processes. When implemented correctly, software security effectively manages the total cost of development and strategically aligns information security with business partners. Our approach can be applied to organizations regardless of their development methodologies or whether they build in-house or use vendors.


Author Note: This article and subsequent updates were co-written by Akshay Aggarwal and Shahnawaz Sabuwala.
