But, What's the Catch?

Marketing is a critical part of any industry and security is no exception.

We market security externally to potential customers/clients who need improved security controls and processes.

We market security internally to employees and stakeholders as we push for better MFA options, more complex passwords, and least privilege controls.

But, sometimes the marketing drive can get a little ahead of the actual security project behind it.

I reviewed a web application vulnerability scanner that has this huge headline at the top of their website:

“ship your webapps… with zero known vulnerabilities, every time”.

When I talked to the security engineer, he admitted that marketing wrote that one.

Here is my favorite illustration of this concept from Jorge Monteiro on Linkedin in honor of Cybersecurity Awareness Month.

And it isn't hard to understand why this might happen, where marketing over-promises or over-hypes certain things. After all, marketing has different goals than security.

Security focuses on limiting access to data, patching vulnerabilities, and monitoring alerts.

Marketing focuses on sales.

So, especially during Cybersecurity Awareness Month, but even at all times of the year, it is important to read security news, emails, infographics, and reports, with this question in mind:

Who made this resource and why?

This question applies even to “Top 10 Lists”. This one is hard for me personally, because I have tremendous respect for the OWASP Top 10 application vulnerabilities list. It is a great way to get conversations started with developers and other teams in an easy-to-consume way. Once you have them hooked, you can dive into deeper details.

But, even the OWASP Top 10 has its limits. For example, in its methodology section for 2021, they explain that they get the data that drives the list from “testing vendors by trade, bug bounty vendors, and organizations that contribute internal testing data”.

In other words, pentesters and security vendors that can help developers fix the very issues that are being highlighted.

Conflict of interest, much?

Does that mean we should ignore all security news out there (excluding this newsletter of course)?

No, of course not!

But, it does mean that we have to read every resource with a discerning eye, to understand both the quality of the piece (including sources, methodology, and action-ability) and whether or not it can actually apply to our unique situation and environment.

Security and marketing are both critical.

Just don't let marketing's goals make you lose sight of your own.

Security News

  • Okta, an identity and access management services provider, disclosed that its customer support case management system was recently compromised, exposing sensitive customer data including cookies and session tokens.
  • Cisco is asking customers to immediately disable the HTTPS Server feature on all of their Internet-facing IOS XE devices to protect against a critical zero-day vulnerability in the Web User Interface of the operating system that an attacker is actively exploiting.
  • In the face of rapid digital transformation, a positive organizational culture and user-centric design are the backbone of successful software delivery, according to the 2023 Accelerate State of DevOps Report from Google Cloud's DevOps Research and Assessment team.
  • New data from Outpost24 reveals that IT administrators could be just as predictable as end-users when it comes to passwords. An analysis of just over 1.8 million passwords ranks 'admin' as the most popular password with over 40,000 entries, with additional findings pointing to a continued acceptance of default passwords.
  • Details have emerged about a malvertising campaign that leverages Google Ads to direct users searching for popular software to fictitious landing pages and distribute next-stage payloads.
  • Google says that several state-backed hacking groups have joined ongoing attacks exploiting a high-severity vulnerability in WinRAR, a compression software used by over 500 million users, aiming to gain arbitrary code execution on targets' systems.
  • A majority of risk and compliance pros say employee use of generative artificial intelligence (AI) opens the door to business risk, adding that less than 10% of companies are prepared to mitigate internal threats associated with the emerging tech.
  • The US Cybersecurity and Infrastructure Security Agency (CISA), along with 17 global partners, has updated its secure-by-design guidance for software manufacturers.
  • Amazon has quietly rolled out support for passkeys as it becomes the latest tech giant to join the passwordless future. But you still might have to hold onto your Amazon password for a little while longer.
  • Hackers used an updated malware framework to target more than a dozen oil, gas and defense sector companies in Eastern Europe, including air-gapped systems.
  • Iranian state-sponsored hackers conducted an eight-month espionage campaign against a Middle Eastern government, compromising dozens of computers between February and September.

Until next time,

The Craft Compliance Team
