Plaintext: The Sisense Breach and the CISO's Long To-Do List
Welcome to Dark Reading in Plaintext, brought to your inbox this week by Adaptive Shield. In this issue of Plaintext, we delve into the fallout from the breach at Sisense. We also wonder if the latest Supreme Court decision will impact the SEC cybersecurity disclosure rule. If you enjoy Plaintext, please share with friends and colleagues!
Time to Reset Credentials and Secrets. The U.S. Cybersecurity and Infrastructure Security Agency urged Sisense customers to reset their Sisense credentials and any other credentials and secrets that could potentially be accessed through the platform. That could mean Salesforce, BigQuery, Snowflake, etc. According to the list from Sisense, customers should change their Sisense-related passwords, update all secrets used in single sign-on, log out all users, and replace all passwords in the Sisense application. Customers should also reset credentials in the database used by the Sisense application, change all usernames and passwords in data models, reset user parameters, and change credentials affecting Active Directory. "Rotate the credentials in every GIT project." For Web access tokens, "Rotate all tokens." And so on — it is a long list.
A security breach — no details yet — at Sisense has potentially exposed customer credentials across multiple platforms. Sisense provides business intelligence and data analytics tools to organizations. The platform connects to various data sources and repositories in order to analyze and visualize the information. Matt Johansen described Sisense pretty aptly when he wrote in VulnerableU, "Sisense is one of those companies few of us have ever heard of until something like this, but also has thousands of customers and a juicy pile of data." Marc Rogers recommends CISOs insist on an impact statement to understand how they are affected.
“The odds are decent this is more complex than what’s emerged.” —Rich Mogull, Securosis.
Even if you are not a Sisense customer, this is not the time to be complacent. What does your cloud infrastructure look like? Do you connect to customer platforms? Check out Rich Mogull's list of things security practitioners should be thinking about to secure their cloud infrastructure. It's pretty detailed and not an easy list: scan repositories for cloud credentials and get rid of them (or create a policy within the identity and access management tool to restrict their usage); lock down customer credentials (using secrets managers, IAM platforms, etc.); lock down sensitive buckets and identities.
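The first item on that list, scanning a repository for cloud credentials, as an added example that is not from the newsletter, Securosis or Sisense: it matches public vendor key formats and falls back to an entropy check on quoted values assigned to secret-looking names. The sample repository contents are constructed; AKIAIOSFODNN7EXAMPLE is AWS's own documentation placeholder and every other value is made up.

```python
import math
import re
from collections import Counter

# Public, vendor-documented key formats: AWS access key ID, GitHub and Slack token prefixes, PEM headers.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Fallback for keys with no fixed format: a quoted 16+ char literal assigned to a secret-like name.
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(secret|password|passwd|token|api_key)\w*\s*[=:]\s*['\"]([^'\"]{16,})['\"]"
)

def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, repeated words score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_text(path: str, text: str, threshold: float = 3.5) -> list[tuple]:
    """Return (path, line_no, finding) for every suspected credential in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, name))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= threshold:
            findings.append((path, line_no, "high_entropy_secret"))
    return findings

# Constructed sample repository (AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder).
SAMPLE_FILES = {
    "config/prod.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "DB_PASSWORD='Tr0ub4dor&3x9Qz!kLm2'\n"
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nREDACTED\n",
    "README.md": "Placeholder only: password='passwordpasswordpassword'\n",
}

def scan_files(files: dict = SAMPLE_FILES) -> list[tuple]:
    # A non-empty result is what a pre-commit hook or CI job would fail on.
    return [f for path, text in files.items() for f in scan_text(path, text)]

if __name__ == "__main__":
    for path, line_no, kind in scan_files():
        print(f"{path}:{line_no}: {kind}")
```

The low-entropy README placeholder is deliberately not reported, which is the difference between this check and a plain keyword grep.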
Dark Reading in Plaintext is brought to you by Adaptive Shield
2024 Guide: Applying NIST CSF 2.0 to Your SaaS Stack
The updated NIST Cybersecurity Framework includes a new governance layer for greater oversight that is vital for effective SaaS risk management. Download the 2024 Guide to Applying NIST CSF 2.0 to Your SaaS Stack to ensure a strong cybersecurity program.
Supreme Court Rules on Materiality. The Supreme Court ruled that shareholders cannot sue companies for fraud if the company withholds material information, as long as being silent doesn't make another statement misleading. The 9-0 ruling in Macquarie Infrastructure Corp v Moab Partners said that while companies are prohibited from telling misleading half-truths, there is nothing preventing a company from saying nothing at all. The case has nothing to do with cybersecurity — the lawsuit said Macquarie hid the fact that its revenues were vulnerable to an international phase-out of high-sulfur fuel oil — but the discussion about materiality is relevant. Macquarie was accused of violating a Securities and Exchange Commission rule requiring companies to disclose trends and uncertainties likely to have a financial impact on the company. That should sound familiar, since the SEC adopted a rule last July requiring companies to "disclose material cybersecurity incidents." There has been a lot of discussion on what materiality means in regard to cybersecurity incidents, how much information to disclose, and what steps organizations need to take. Here is an important question for security practitioners: does this decision pave the way for organizations to avoid disclosing security incidents? There is a fine line between not saying anything and lying (or misleading) by omission, and it will be interesting to see how this unfolds in practice.
What We Are Reading
What We Heard On-Air
Tune in to our on-demand webinar "Securing the Software Development Lifecycle from Start to Finish" to learn how security and development teams can work together to make sure security is built in, not bolted on, to software development.
"In the post-SolarWinds era, organizations are thinking about the security of externally developed software." —Jake Williams.
From Our Library
Check out some of the latest reports from our Dark Reading Library.
On That Note
What's the deal with this guy? Come up with a clever cybersecurity-related caption for this month's Edge Cartoon Contest for a chance to win $25. Deadline is April 24!