New order mandates securing the federal software supply chain and communications networks, as well as deploying AI tools to protect critical infrastructure from cyberattacks — but will the Trump administration follow through?

Source: UPI via Alamy Stock Photo

As President Biden prepares to hand over the government to the incoming Trump administration, he has issued a new cybersecurity executive order (EO) outlining an aggressive cyber-defense plan for today's most dangerous national cyber threats — including China, and rampant software supply chain vulnerabilities across government and the private sector.

Sweeping and ambitious, the EO reads like a detailed US cybersecurity status report from the Biden administration, focused on laying groundwork for the incoming team. And with threats on the rise across the world, party affiliation and partisan predilections aside, America and Americans' cybersecurity relies on a smooth handoff from Biden to Trump, experts say.

The signs are positive so far. The order is a reflection of a forthright and responsible transition to the Trump administration, according to Tom Cross, a cybersecurity strategist at WitFoo.

"Cybersecurity is not a partisan issue — everyone in the United States has a shared interest in protecting our nation against foreign cyber threats, such as spying and network disruption," Cross wrote in a statement responding to the new Biden cybersecurity executive order. "By issuing this EO now, the Biden administration is able to put its best thinking on these topics in motion, giving the Trump administration time to put new leaders in place and develop its strategy going forward.”

The EO is a bookend to Biden's 2021 cybersecurity executive order, issued early in his term, and reflects a country plagued by a new set of geopolitical adversaries armed with increasingly sophisticated technology, including generative artificial intelligence (GenAI).

The order acknowledges the brazen rise in malicious cyber activity from China, including breaches of the US Treasury and at least nine telecommunications networks in a vast espionage operation carried out by Salt Typhoon and other advanced persistent threats (APTs) sponsored by the Chinese government. While the EO only covers federal agencies, the Biden administration has long used federal cybersecurity policies and resources as a way to push the private sector into adopting more secure standards in turn.

"The Biden administration’s latest cyber executive order is focused on securing critical infrastructure, adopting AI for defense, and transitioning to post-quantum cryptography with an ambitious agenda," Andrew Borene, executive director of global security for Flashpoint and a former Office of the Director of National Intelligence (ODNI) senior official, tells Dark Reading. "However, the real power of this executive order may lie in its ability to institutionalize some best practices as American multinational businesses and government agencies face a new Cold War's dangerous digital environment."

**Securing the Federal Software Supply Chain, Cloud, Space**

Biden's latest EO starts with the federal software supply chain, mandating that agencies develop secure software acquisition standards and only do business with software vendors that can attest to secure development practices and provide evidence of compliance with those standards. Within the next 60 days, a consortium is ordered to be convened, including the cecretary of commerce and National Institute of Standards and Technology (NIST) officials, to develop those standards, which will include practices, procedures, controls, and implementation examples, according to the EO.

Federal agencies were also ordered to implement NIST supply chain risk management practices. The Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration (GSA) will evaluate how to securely manage open source software inside federal networks.

Biden's order additionally addresses emerging attack surfaces across the federal government, including cloud and space/satellite systems, and calls for the implementation of identity and access management (IAM) practices across agencies.

On the cloud front, the order mandates that FedRAMP marketplace service providers such as Google or Amazon provide federal agencies with recommendations on cloud configuration.

"I am particularly happy to see that cloud providers will be required to publish information to clients on how to operate securely," Chris Hauk, consumer privacy champion at Pixel Privacy, wrote in a statement. "Too many data breaches have been due to misconfigured cloud data buckets, many times leaving the data stored in those buckets open to anyone with an Internet connection and a little bit of knowledge."

Space systems meanwhile are ordered to receive continuous analysis to ensure US systems are keeping up with the latest threats, the EO explained.

"As cybersecurity threats to space systems increase, these systems and their supporting digital infrastructure must be designed to adapt to evolving cybersecurity threats and operate in contested environments," the EO reads. "In light of the pivotal role space systems play in global critical infrastructure and communications resilience, and to further protect space systems and the supporting digital infrastructure vital to our national security, including our economic security, agencies shall take steps to continually verify that federal space systems have the requisite cybersecurity capabilities through actions including continuous assessments, testing, exercises, and modeling and simulation."

**Securing Federal Communications**

China's espionage activities have highlighted the need to secure federal communications networks, according to the EO. The Biden administration thus has established guidelines for shoring up communications network cybersecurity, including implementing identity controls, encrypting DNS traffic, and encrypting all emails, voice, video, and messaging.

Regarding cryptography, the Biden EO said new rules for protecting and auditing cryptographic keys will be developed by NIST. Further, agencies should require post-quantum cryptography, where applicable, the EO states.

These cryptography and authentication controls requirements are also applicable to other critical national security systems, Flashpoint's Borene points out.

"From energy grids to satellites, the directive emphasizes the need to secure the systems that underpin our national security and daily life," he adds. "The push for universal encryption and authentication protocols is particularly timely, given the frequency and scale of recent attacks."

**Unleashing AI to Secure Critical Infrastructure**

Artificial Intelligence must be deployed to protect US critical infrastructure from cyberattack, according to the Biden EO. The order establishes a program to explore the use of AI to bolster US cyber defenses and push for additional research.

And indeed, AI will place an increasing role in protecting the US from cyberattacks in the future, according to Christian Geyer, CEO and founder of Actfore.

"While it's crucial to recognize the expanding attack surface that AI may bring, we can be optimistic about the incredible potential it holds for enhancing security and efficiency," Geyer wrote in a statement. "The main challenge lies in navigating the complexities of government processes, but with the right approach, these challenges can be overcome, ensuring that technology initiatives are both effective and secure."

Ransomware and the development of digital identification for secure online transactions are also included in the Biden administration's cybersecurity wish list.

The EO is clearly comprehensive and wide-ranging. But without buy-in from Trump's cyber team, many of the EO's efforts could be stymied, researchers warn. It's unclear for now how it will go.

The Trump administration has already signaled a distaste for regulation, and put it into practice throughout Trump's first term, according to Coleman Mehta, head of global public policy and strategy at Infoblox. Yet, he was willing to build on previous cybersecurity policies from the Obama administration.

"Similarly, President Biden often built on policies set by Trump," Mehta tells Dark Reading. "The fundamentals of that continuity should stay the same; focus on the threat from Chinese cyber adversaries, strengthen supply chain security, and continue to build public-private collaboration."

During his recent Senate confirmation hearings for secretary of state, Sen. Marco Rubio (R-Fla.) indicated an interest in seeing policy changes that address the global cyber supply chain threat, Flashpoint's Borene points out.

"Looking ahead, the new administration inherits a world of rapidly escalating state threats from adversaries like China, Russia, Iran, along with a growing network of cyber proxies and even transnational criminal extortion groups," Borene says. "A well-executed handoff of some of the executive order’s provisions could bolster US cyber defenses at a time when proactive information security has never been more critical."

Biden's Cybersecurity EO Leaves Trump a Comprehensive Blueprint for Defense

PRESS RELEASE

BRENTWOOD, Tenn., Jan. 14, 2025 /PRNewswire/ -- Fortified Health Security (Fortified), a Best in KLAS managed security services provider (MSSP) specializing in healthcare cybersecurity, today released the 2025 Horizon Report, a semiannual publication on cybersecurity news, trends, guidance and solutions for healthcare organizations.

Analyzing data from the Office for Civil Rights (OCR), the Horizon Report has served as a free resource for healthcare professionals since 2017. The 2025 edition includes contributions from experts—including internationally recognized cybersecurity expert Paul Connelly—on solutions for some of the acute cybersecurity issues facing healthcare organizations today. These include budget and talent challenges, the growing role of AI in hospitals, the evolution of threat actors and third-party risk management. 

"As we enter 2025, the healthcare sector will be confronted with a rise in cyberattacks, strict legislative regulations and the ongoing enhancement of AI, all while navigating financial pressures," wrote Dan Dodson, chief executive officer at Fortified, in the report. "There are no 'one-size-fits-all' answers to confronting these challenges. That is why collaboration is critical to safeguarding cybersecurity risks."

The report also provides important data breach statistics, building on those published in Fortified's mid-year report last summer. Key insights from the report include:

*   The total number of patient records exposed in 2024 rose 9%, from 168 million to 183 million
    
*   Business Associates accounted for a smaller percentage of cyber attacks in 2024 than the year prior, yet these attacks comprised 67% of total exposed patient records
    
*   Healthcare Clearing Houses saw an increase in cyber attacks of more than 2,000%, indicating growing vulnerability among entities that manage massive volumes of patient data
    
*   While network servers remained the most common breach location, phishing was reinforced as a go-to tactic for threat actors, with email breaches growing by 18% in 2024
    

"2024 was a challenging year for cybersecurity among healthcare organizations, with mega breaches like Change Healthcare—the largest ever reported in the United States—making national news and sending shockwaves through the healthcare industry," said Dodson. "With the Horizon Report, we aim to chart a path forward for healthcare organizations by gathering the latest expert insights and best practices for cyber resilience."

The full report is available for download here.

About Fortified Health Security   
Fortified is Healthcare's Cybersecurity Partner® – protecting patient data and reducing risk throughout the healthcare ecosystem. A managed security service provider that has been awarded numerous industry accolades, Fortified works alongside healthcare organizations to build customized programs that help clients leverage their prior security investments and current processes while implementing new solutions that reduce risk and increase their security posture over time. Led by a team of industry-recognized cyber experts, Fortified's high-touch engagements and client-specific process maximize value and deliver an actionable, scalable approach to help reduce the risk of cyber events. To learn more, visit www.fortifiedhealthsecurity.com.

You May Also Like

183M Patient Records Exposed: Fortified Health Security Releases 2025 Healthcare Cybersecurity Report

PRESS RELEASE

SALT LAKE CITY — January 13, 2025 — Ivanti, the software company that breaks down barriers between IT and security so that Everywhere Work can thrive, has appointed seasoned tech leader, Karl Triebes, as Chief Product Officer. In his new role, Triebes will focus on ensuring that Ivanti’s product strategy aligns with the company’s long-term goals, drives innovation, and enhances customer satisfaction.

Triebes’ appointment comes at a pivotal time for Ivanti, as the company continues to expand its footprint in the IT management and security landscape. His extensive experience and visionary approach are expected to ensure the company remains at the forefront of delivering high-quality technology solutions.

“I am thrilled to join Ivanti at such an exciting time in the company’s journey,” said Karl Triebes. “Ivanti's commitment to innovation and customer-centric approach align perfectly with my vision for product development. I look forward to working with the talented team at Ivanti to drive our product strategy forward, enhance our engineering capabilities, and deliver exceptional solutions to our customers.”

He joins Ivanti with over 30 years of extensive experience in technology leadership and product development. Throughout his career, Karl has held pivotal roles in several high-profile technology companies such as F5, Amazon and Imperva. In these positions, he has consistently demonstrated a strong prowess in engineering, product strategy, and driving business growth. His seasoned leadership and innovative vision have been instrumental in advancing technology solutions and enhancing product portfolios.

His strategic oversight will ensure that Ivanti’s products not only meet but exceed the expectations of customers, driving sustained business growth and solidifying Ivanti’s position as a leader in the industry.

“Customer satisfaction is at the heart of everything we do,” Triebes added. “By focusing on innovation and maintaining a customer-centric approach, we can develop products that not only solve current challenges but also anticipate future needs. I am eager to lead Ivanti in this direction and contribute to the company’s continued success.”

Ivanti’s CEO, Dennis Kozak, stated, “We are delighted to welcome Karl to the Ivanti team. His extensive experience and proven track record in technology leadership make him the perfect fit for our organization. We are confident that under his guidance, Ivanti will continue to innovate and deliver exceptional solutions to our customers.”

About Ivanti

Ivanti breaks down barriers between IT and security so that Everywhere Work can thrive. Ivanti has created the first purpose-built technology platform for CIOs and CISOs – giving IT and security teams comprehensive software solutions that scale with their organizations’ needs to enable, secure and elevate employees' experiences. The Ivanti platform is powered by Ivanti Neurons - a cloud-scale, intelligent hyper automation layer that enables proactive healing, user-friendly security across the organization, and provides an employee experience that delights users. Over 35,000 customers, including 85 of the Fortune 100, have chosen Ivanti to meet challenges head-on with its end-to-end solutions. At Ivanti, we strive to create an environment where all perspectives are heard, respected and valued and are committed to a more sustainable future for our customers, partners, employees and the planet. For more information, visit www.ivanti.com and follow @GoIvanti.

Karl Triebes Joins Ivanti as Chief Product Officer

PRESS RELEASE

Today, CISA — along with U.S. and international partners — released joint guidance Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products. As part of CISA’s Secure by Demand series, this guidance focuses on helping customers identify manufacturers dedicated to continuous improvement and achieving a better cost balance, as well as how Operational Technology (OT) owners and operators should integrate secure by design elements into their procurement process.

Critical infrastructure and industrial control systems are prime targets for cyberattacks. The authoring agencies warn that threat actors, when compromising OT components, target specific OT products rather than specific organizations. Many OT products are not designed and developed with Secure by Design principles and often have easily exploited weaknesses. When procuring products, OT owners and operators should select products from manufacturers who prioritize security elements identified in this guidance.

For more information on questions to consider during procurement discussions, see CISA's Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem. To learn more about secure by design principles and practices, visit Secure by Design.

CISA and US and International Partners Publish Guidance for OT Owners and Operators

PRESS RELEASE

Riyadh, Saudi Arabia, Jan. 13, 2025 (GLOBE NEWSWIRE) -- SEALSQ Corp (NASDAQ: LAES) ("SEALSQ" or "Company"), a company specializing in Semiconductors, PKI, and Post-Quantum technology hardware and software products, today announced that in partnership with its parent company, WISeKey International Holding (“WISeKey”) (SIX: WIHN, NASDAQ: WKEY), is scaling its presence in Saudi Arabia to support the Kingdom’s digital transformation and cybersecurity advancements. Through their joint venture, WISeKey Arabia, in collaboration with the Juffali Group, SEALSQ and WISeKey aim to gradually introduce groundbreaking technology innovations tailored to Saudi Arabia’s unique needs.

In 2019, WISeKey Arabia, in partnership with the Juffali Group, a leading Saudi business conglomerate, is committed to fostering a secure digital ecosystem in alignment with Vision 2030. The collaboration focuses on providing state-of-the-art solutions, including Public Key Infrastructure (PKI), digital identity management, and IoT security, enhanced with SEALSQ’s quantum-resistant cryptographic technologies. This initiative ensures a robust foundation for Saudi businesses and government entities to thrive in an increasingly digital world.

Gradual Deployment of Cutting-Edge Technologies  
SEALSQ and WISeKey plan to gradually introduce innovative solutions to Saudi Arabia’s technology landscape, including advancements in satellite communication and IoT security through the WISeSat.Space ecosystem. WISeSat.Space, WISeKey’s pioneering low-power, secure satellite solution, enables real-time data processing for IoT devices in remote locations.

The system is designed to provide:

*   End-to-End Security: Utilizing quantum-resistant encryption to protect critical IoT data.
    
*   Cost-Efficiency: Reducing the barriers to satellite communication for businesses and government projects.
    
*   Scalability: Supporting diverse applications, including environmental monitoring, smart cities, and supply chain optimization.
    

WISeSat.Space’s integration into the Saudi market represents a strategic step in equipping local industries with the tools needed to excel in the Fourth Industrial Revolution.

Partnership with Hedera and The Hashgraph Association  
In addition to WISeSat.Space’s deployment, SEALSQ and WISeKey are collaborating with Hedera, leveraging its enterprise-grade distributed ledger for blockchain-based applications. These efforts align with The Hashgraph Association’s five-year partnership with the Saudi Ministry of Investment Association, which includes the launch of the $250M DeepTech Venture Studio. The DeepTech Venture Studio is designed to support startups operating within Saudi Arabia in areas such as blockchain, AI, IoT, robotics, and quantum computing.

Funded with $50M from The Hashgraph Association and $200M from the Saudi Ministry of Investment Association, the DeepTech Venture Studio provides significant opportunities for Saudi-based companies leveraging Hedera’s hashgraph network. WISeKey Arabia will serve as a trusted technology partner, empowering startups with secure and scalable solutions.

Aligning with Vision 2030  
WISeKey and SEALSQ’s plans align with Saudi Arabia’s Vision 2030, which emphasizes innovation, digital transformation, and economic diversification. The partnership supports key national initiatives, including the Centre for the Fourth Industrial Revolution (C4IR) Saudi Arabia and the Quantum Economy project, ensuring that the Kingdom remains a global leader in advanced technologies.

“Our commitment to Saudi Arabia extends beyond cybersecurity,” said Carlos Moreira, CEO of SEALSQ. “By introducing groundbreaking technologies like WISeSat and collaborating with key partners such as the Juffali Group, Hedera, and The Hashgraph Association, we aim to empower the Kingdom’s businesses and government with the tools they need to succeed in a rapidly evolving digital landscape.”

About SEALSQ:  
SEALSQ focuses on selling integrated solutions based on Semiconductors, PKI and Provisioning services, while developing Post-Quantum technology hardware and software products. Our solutions can be used in a variety of applications, from Multi-Factor Authentication tokens, Smart Energy, Smart Home Appliances, Medical and Healthcare and IT Network Infrastructure, to Automotive, Industrial Automation and Control Systems.

Post-Quantum Cryptography (PQC) refers to cryptographic methods that are secure against an attack by a quantum computer. As quantum computers become more powerful, they may be able to break many of the cryptographic methods that are currently used to protect sensitive information, such as RSA and Elliptic Curve Cryptography (ECC). PQC aims to develop new cryptographic methods that are secure against quantum attacks. For more information, please visit www.sealsq.com.

Forward-Looking Statements  
This communication expressly or implicitly contains certain forward-looking statements concerning SEALSQ Corp and its businesses. Forward-looking statements include statements regarding our business strategy, financial performance, results of operations, market data, events or developments that we expect or anticipates will occur in the future, as well as any other statements which are not historical facts. Although we believe that the expectations reflected in such forward-looking statements are reasonable, no assurance can be given that such expectations will prove to have been correct. These statements involve known and unknown risks and are based upon a number of assumptions and estimates which are inherently subject to significant uncertainties and contingencies, many of which are beyond our control. Actual results may differ materially from those expressed or implied by such forward-looking statements. Important factors that, in our view, could cause actual results to differ materially from those discussed in the forward-looking statements include the expected success of our technology strategy and solutions for IoMT Security for Medical and Healthcare sectors, SEALSQ's ability to implement its growth strategies, SEALSQ's ability to continue beneficial transactions with material parties, including a limited number of significant customers; market demand and semiconductor industry conditions; and the risks discussed in SEALSQ's filings with the SEC. Risks and uncertainties are further described in reports filed by SEALSQ with the SEC.

SEALSQ Corp is providing this communication as of this date and does not undertake to update any forward-looking statements contained herein as a result of new information, future events or otherwise.

SEALSQ in Cooperation With WISeKey Expands Post-Quantum Footprint in Saudi Arabia

The FTC claims that the Web hosting company's security failures led to several major breaches in the past few years.

Source: M4OS Photos via Alamy Stock Photo

NEWS BRIEF

Having found GoDaddy's security policies inadequate, the Federal Trade Commission (FTC) is requiring the Web hosting company to implement a more rigorous set of security practices.

According to the FTC's complaint, "GoDaddy has failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats, and misled customers about the extent of its data security protections on its website hosting services" since 2018, the agency said in a statement.

The FTC found GoDaddy failed to manage assets and software updates, assess risks to shared hosting services, adequately log and monitor any security-related events, and segment its shared hosting from insecure environments.

These cybersecurity failures led to several security breaches between 2019 and 2022, where hackers were able to gain unauthorized access to customers' websites and data, putting consumers of these websites at risk, according to the FTC. 

All this while GoDaddy claimed on its websites, social media, and emails that it "deployed reasonable security and that it was in compliance with the EU-US and Swiss-US Privacy Shield Frameworks," ultimately misleading its customers.

Going forward, GoDaddy is required to establish and implement a comprehensive information-security program, and must hire an independent third-party to perform biennial reviews of its security program.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

FTC Orders GoDaddy to Fix Inadequate Security Practices

By staying vigilant, agile, and prepared, organizations can turn TDIR from a defensive strategy into a proactive enabler of security and operational excellence.

The digital era has revolutionized how businesses operate, bringing unprecedented opportunities and challenges. Among the most pressing challenges are the ever-growing and sophisticated cyber threats. From crippling ransomware attacks to insidious phishing campaigns, organizations face a mounting need to defend their digital assets effectively.

In this complex landscape, threat detection, investigation, and response (TDIR) has become a cornerstone of modern cybersecurity. Unlike traditional, siloed approaches, TDIR integrates advanced technologies, skilled professionals, and well-defined processes into a unified framework. This holistic strategy empowers organizations to anticipate, identify, and address threats swiftly, fortifying both their security posture and operational resilience.

**Threat Detection: The First Line of Defense**

Cybersecurity begins with visibility — the ability to identify anomalies before they evolve into full-blown incidents. Threat detection serves as a digital sentinel, continuously monitoring systems for suspicious activities or deviations from the norm.

Take, for example, an instance where an employee's account starts downloading large volumes of sensitive data during non-business hours. While this may appear routine, sophisticated detection tools like security information and event management (SIEM) or endpoint detection and response (EDR) systems can flag such behavior as potentially malicious. These tools analyze vast amounts of data in real-time, enabling security teams to prioritize and respond to critical alerts.

**Real-World Applications of Threat Detection**

*   Phishing attacks: A SIEM solution identifies multiple failed log-in attempts from international IP addresses, signaling a targeted phishing campaign.
    
*   Ransomware: EDR platforms detect unusual file encryption patterns, catching ransomware in its early stages.
    
*   Insider threats: User and entity behavior analytics (UEBA) uncover unauthorized attempts to access sensitive files, potentially indicating insider malfeasance.
    

**Investigation: Unveiling the Bigger Picture**

Detection alone is not enough. Once a potential threat is identified, the investigation phase provides the context necessary to understand its origin, scope, and potential impact. This process is akin to piecing together a digital jigsaw puzzle to form a coherent narrative of the attack.

**Case Study**

A supply chain attack compromises an organization's network via a vulnerable third-party vendor. An investigation reveals that attackers exploited outdated software in the vendor's systems to gain unauthorized access.

During this phase, security teams leverage tools such as extended detection and response (XDR) platforms to correlate events, validate alerts, and construct a detailed timeline of the incident.

**Key Techniques in Threat Investigation**

*   Root cause analysis: Identifying vulnerabilities such as unpatched software or weak passwords.
    
*   Event correlation: Connecting seemingly unrelated events, such as unusual file transfers and login attempts, to reveal a coordinated attack.
    
*   Threat intelligence integration: Enriching investigations with external threat data to understand attacker tactics and methodologies.
    

**Response: Neutralizing the Threat**

The final phase of TDIR is response — an organized effort to contain, mitigate, and recover from the threat. The success of this phase hinges on speed, precision, and collaboration across teams.

**Example Scenario**

A university detects a ransomware attack encrypting files across its network. The incident response team acts swiftly to isolate infected systems, restore critical data from secure backups, and patch vulnerabilities exploited by the attackers. Post-incident, the university implements enhanced email filtering and endpoint protection to prevent future attacks.

**Key Response Strategies**

*   Containment: Isolating affected accounts or systems to limit the threat's impact.
    
*   Remediation: Eliminating malicious code, closing security gaps, and strengthening defenses.
    
*   Recovery: Restoring normal operations through reliable backups while leveraging lessons learned to refine future response protocols.
    

**The Value of TDIR in Modern Cybersecurity**

Organizations that adopt a comprehensive TDIR framework gain a competitive edge in cybersecurity. Here are some of the key benefits:

*   Enhanced visibility: Continuous monitoring across endpoints, networks, and cloud environments ensures a clear understanding of the security landscape.
    
*   Faster response times: Automated workflows and well-defined playbooks reduce the time taken to address incidents, minimizing damage.
    
*   Cost savings: Early detection and efficient response mechanisms lower the financial and reputational costs of breaches.
    
*   Regulatory compliance: A robust TDIR framework supports adherence to compliance standards like GDPR, HIPAA, and CCPA by ensuring effective threat management.
    

**TDIR in Action: Learning From Real-World Scenarios**

*   Healthcare data breach: A hospital responds to a ransomware attack by isolating compromised systems, restoring data from secure backups, and enhancing access controls to prevent recurrence.
    
*   Retail supply chain attack: A retailer mitigates a breach caused by a third-party vendor by implementing stronger third-party risk management practices and network segmentation.
    
*   Insider threat in banking: A financial institution uncovers unauthorized actions by an employee, leading to immediate corrective measures and stricter privileged access management.
    

**Proactive Defense Through TDIR**

In today's threat-filled digital landscape, TDIR is not merely a cybersecurity option — it's an imperative. By adopting a proactive, unified approach, organizations can build resilience against a diverse array of threats, from phishing and ransomware to insider attacks.

TDIR's strength lies in its integration of advanced technology, human expertise, and strategic processes, enabling organizations to navigate the evolving cyber threat landscape with confidence. As the battle against cybercrime continues, those who embrace TDIR will not only safeguard their operations but also strengthen their reputations and ensure long-term resilience.

By staying vigilant, agile, and prepared, organizations can turn TDIR from a defensive strategy into a proactive enabler of security and operational excellence.

**About the Author**

Lead Engineer/IAM Architect, Paramount Global

Sameer Bhanushali is an experienced IAM Architect with more than 16 years of expertise in information security, identity and access management (IAM), cloud services, and system architecture. Recognized for his ability to lead end-to-end IAM initiatives, Sameer leverages cutting-edge technologies and industry best practices to design and implement tailored solutions for both on-premises and cloud environments.

Sameer has been instrumental in aligning technical strategies with organizational goals, optimizing system performance, and enhancing cybersecurity defenses throughout his career. His consultancy excellence across diverse sectors has consistently delivered scalable IAM solutions that drive business growth while ensuring robust security.

A holder of advanced IAM and cybersecurity certifications, Sameer excels in navigating complex cybersecurity challenges, strengthening security postures, and exploring innovative technologies to deliver transformative outcomes. His dedication to the field is reflected in his thought leadership and unwavering commitment to protecting sensitive information in an evolving threat landscape.

Strategic Approaches to Threat Detection, Investigation &amp; Response

Part predictive analysis, part intuition, risk and reputation services are imperfect instruments at best — and better than nothing for most organizations and insurers.

Source: MMD Creative via Shutterstock

As companies seek to improve their cybersecurity postures, they are increasingly using a variety of metrics, scoring systems, and reputational rankings to measure their efforts. But in many cases, businesses are asking too much of the various systems that attempt to measure security.

The old saw says that you need to measure something to manage it, but many systems that have flourished — from the Common Vulnerability Scoring System (CVSS) to organizational security posture scoring and ratings for software development projects — are sometimes only successful at expressing measurable risk. Yet corporate boards are turning some security measurements into key performance indicators (KPIs), and some industries — such as insurance firms — are using them to determine risk. Their conclusion: Scoring risk and reputation tools are imperfect but better than nothing.

Part of the reason is that companies look to manage risk, not just improve security, says Bruce Schneier, chief technology officer of Inrupt, a user-focused data management provider, and an adjunct lecturer at the Harvard Kennedy School. Schneier is critical of many attempts to measure security.

"Whenever I've had a company that could do it, I've always tried to build comparative metrics — how am I doing compared to everybody else that does this?" he says. "That does help. People do want to know how they compare to their peers, and that's also good lawsuit protection." They may say, "Yes, this is a problem, but look, everybody else is doing the same thing."

From software and vulnerabilities to corporate security and human risk, efforts to assign scores and reputations to various components of the information technology ecosystem are growing. This week, detection and response platform Sweet Security inked a deal to use the early-stage startup Illustria to offer a package reputation service to detect risky changes to open source software packages. Providers of security posture ratings — such as Bitsight, SecurityScorecard, and UpGuard — have gained a following among cyber insurers, while human-risk management firms, such as Living Security and Mimecast, are increasingly assigning scores to users' cybersecurity awareness.

**Common Vexations of Scoring Security**

CVSS — the standard way to grade potential criticality of software flaws — highlights many of the issues that continue to dog rating and reputation systems. CVSS allows security researchers and software companies to assess the basic severity of vulnerabilities using a 10-point scoring system, but organizations need to evaluate the vulnerabilities' impacts in their own environments. This step that is often overlooked and gives critics significant fodder to attack the approach.

As a result, CVSS garners some praise but also a great deal of criticism. The scoring system is more like grading a high dive rather than tallying a baseball game, wrote Richard Brooks, co-founder and lead software engineer at consulting firm Business Cyber Guardian, in tepid defense of the system that often veered into criticism.

"It's highly subjective and each party needs to decide for themselves if there is risk from a vulnerability, based on their own circumstances and the information known about the vulnerability and its exploitation methods," he stated.

A major problem for any scoring systems is that security is often subjective and frequently amounts to proving a negative — a difficult application of metrics and scoring, says Inrupt's Schneier.

Using scores to fuel checklists can help, he says. Checklists are used in environments where reliability is critical, such as airplanes, hospitals, and spacecraft. To some degree the software security community has pursued this approach, creating lists of vulnerabilities — such as the OWASP Top 10 and the CWE Top 25 lists — that are intended to focus remediation efforts.

"Checklists are a way to turn the unprovable negative into a demonstrable positive," Schneier says. Yet we still have trouble creating metrics for security because "security is fundamentally not about capabilities. It's not about functionality. It's about denying functionality."

**Adoption by the Kings of Metrics (Insurers)**

One group that's hungry for scores and metrics is the insurance industry. Insurers aim to boil down events into data, and security events and cyberattacks are no different. Cyber insurers are increasingly collecting their own data to infer which products have good security and determine what to charge potential policyholders based on their use of those products.

Models that assign companies scores based on their observable cybersecurity posture, for example, can save insurance firms significant money by identifying the worst performers. Using information from Bitsight and internal data, for example, reinsurance firm Gallagher Re identified the bottom 20% of companies, which had a 3.17 times greater likelihood of suffering a loss — an approach that could reduce insurance firm losses by about 16%, the reinsurer stated in a 2024 study. A second study by professional services firm Marsh McLennan and Bitsight found that the lowest-scoring tier of companies were nearly five times more likely to have a cybersecurity incident than the highest-scoring tier.

A scoring system works only if companies are using it to reach their end goals (more security) rather than trying to just increase their scores (compliance), says Stephen Boyer, co-founder and chief technology officer at Bitsight.

"I do think that as long as it's communicating something that drives an action that ends up being risk-reducing, that's good," he says. "If it's a regulatory focus and \[the company\] is doing that to optimize the score and is not actually reducing risk, then it is a wasted effort for everybody."

Unsurprisingly, more regulated industries tend to score higher on organizational ratings. Financial firms, utilities, energy, and healthcare all average a score of 720 or higher, while communications services average a score of a 630 and industrials a score of 690, according to a report on cybersecurity oversight of corporate boards.

**Software Ratings Gain Traction**

As software supply chain worries mount, companies and the open source community are aiming to rate the reputation and development processes of open source projects and assign scores to the components they produce. The OpenSSF Scorecard, for example, conducts a number of automated checks and ranks a project by a numerical score for each area, including whether the project has binary artifacts, whether the branch protection is on, the cadence of commits, and whether the project shows signs of using automated tools and fuzzers. The popular machine-learning library TensorFlow, for example, currently has an overall score of 8.2, with low scores for its Code Review practices and the failure to pin dependencies.

In some ways, we have too much data, and often it's not the right data, says Dylan Thomas, senior director of product and engineering at IT conglomerate OpenText.

"Because there's so much more data, the biggest challenge is understanding that we're using it in an effective way and that we're using the right data to draw the right conclusions, \[so we don't\] misrepresent a particular data point or metric or scoring system," he says. "It's one of the reasons that LLM-based machine-learning algorithms really can provide a lot of value to augment security decision-making \[and\] can synthesize the vast amounts of data into potential patterns that we can actually make sense of."

The Open Source Select service offered by software supply chain security firm Debricked, part of OpenText, uses ratings for the contributors, the popularity, and the security of open source components to summarize their practices using a scale of 1 to 100, assigning a traffic-light color to each component. TensorFlow, for example, received green ratings for its contributors (score: 73) and popularity (score: 84) but only a yellow rating (score: 42) for security.

The ratings are not necessarily a way to detect whether a software component is dangerous but a way to automate the approval and intake process for the proposed use of open source components, speeding up decision-making, Thomas says.

"The benefit is, as a developer, I'm not waiting weeks to work through an open source intake process," he says. "I can quickly get a decision in a subset — and, hopefully, a meaningful subset — of use cases. Either quickly not waste my time going through a long process for a particular component or get green-lit very quickly."

The question that companies should ask when they use metrics is whether those metrics are speeding up decision-making processes, and if not, why not.

"Part of what we need to do is make sure that we are not just measuring for the sake of measuring, but that we're also taking time to measure the measuring stick," Thomas says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Risk, Reputational Scores Enjoy Mixed Success as Security Tools

Seven system recovery programs contained what amounted to a backdoor for injecting any untrusted file into the system startup process.

Source: Ognyan Yosifov via Alamy Stock Photo

A vulnerability in trusted system recovery programs could allow privileged attackers to inject malware directly into the system startup process in Unified Extensible Firmware Interface (UEFI) devices.

Seven real-time recovery products — Howyar SysReturn, Greenware GreenGuard, Radix SmartRecovery, Sanfong EZ-back System, WASAY eRecoveryRX, CES NeoImpact, and SignalComputer HDD King — all make use of "reloader.efi," the Microsoft-signed Extensible Firmware Interface (EFI) file at issue.

The problem, ESET explains in a new report, is that reloader.efi uses a custom loader that enables the application to load even unsigned binaries during the boot process. In essence, it's a backdoor for sneaking any kind of file into a system's startup, past UEFI Secure Boot. The issue has been assigned CVE-2024-7344, and earned a "medium" 6.5 Common Vulnerability Scoring System (CVSS) rating, as it requires administrator privileges to exploit.

**Backdoor to the UEFI Boot Process**

The standard way to load, prepare, and execute UEFI images in system memory is with the autological LoadImage and StartImage functions. The Microsoft-approved "reloader" application goes its own way, using a custom mechanism that allows it to load any binary, trusted or otherwise, at startup.

"Maybe it's a lack of secure coding awareness," Martin Smolár, malware researcher at ESET, guesses of the developers' motives in implementing the custom loader. "Or maybe it's because they found it convenient to create such a functionality. Because when a developer makes a change \[to a signed program\] they need to send it to Microsoft to get it re-signed. This means that they don't need to every time they create a new update or something like that."

Reloader.efi loads arbitrary binaries from a specific, encrypted file, "cloak.dat." When ESET decrypted cloak.dat, it found that it contained an unsigned executable primarily designed for classroom environments. "Its core function is to provide real-time system recovery, ensuring that students from different classes can work in a teacher-predefined computer environment within shared computer labs," Smolár says, though he adds that the same component might be used in other settings, like public Internet cafes. The larger point is that the unsigned executable is run during the startup process, completely bypassing UEFI Secure Boot checks.

This odd classroom recovery software is perfectly honest, but an attacker could easily swap it out for something worse. If they could just get a hold of administrator privileges on a targeted machine, an attacker could access the EFI system partition (ESP) and substitute their own malicious file in place of cloak.dat. Then all they'd need is a quick system reboot to drop any malicious file they wished into the startup process.

**Why UEFI Bugs Are So Bad**

UEFI is a kind of sacred space — a bridge between firmware and operating system, allowing a machine to boot up in the first place.

Any malware that invades this space will earn a dogged persistence through reboots, by reserving its own spot in the startup process. Security programs have a harder time detecting malware at such a low level of the system. Even more importantly, by loading first, UEFI malware will simply have a head start over those security checks that it aims to avoid. Malware authors take advantage of this order of operations by designing UEFI bootkits that can hook into security protocols, and undermine critical security mechanisms like UEFI Secure Boot or HVCI (Hypervisor-Protected Code Integrity), Windows' technology for blocking unsigned code in the kernel.

To ensure that none of this can happen, the UEFI Boot Manager verifies every boot application binary against two lists: "db," which includes all signed and trusted programs, and "dbx," including all forbidden programs. But when a vulnerable binary is signed by Microsoft, the matter is moot.

Microsoft maintains a list of requirements for signing UEFI binaries, but the process is a bit obscure, Smolár says. "I don't know if it involves only running through this list of requirements, or if there are some other activities involved, like manual binary reviews where they look for not necessarily malicious, but insecure behavior," he says.

Microsoft has previously alluded to UEFI binaries being "approved through manual review." In response to an inquiry from Dark Reading, a Microsoft spokesperson provided the following clarification:

"Our process is designed to meet the evolving standard for analysis of third-party binary code, while ensuring effective scalability across our vast ecosystem. It begins with vetting and analysis with the partner, understanding the components they are requesting to be signed, and aspects of the design and functionality that may require additional security measures. Submissions are run through automated security analysis and are manually reviewed through a rigorous process. As a result, we may require additional security reviews, investigations with the submitting partner, or other mitigations. We remain committed to evolving our vetting process to better the security of our ecosystem as we operate within this ever-changing threat landscape."

ESET first discovered CVE-2024-7344 in July 2024. Since then, all vulnerable applications have been fixed, and Microsoft revoked the old, vulnerable binaries in its Jan. 14, 2025, Patch Tuesday update.

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Trusted Apps Sneak a Bug Into the UEFI Boot Process

The Joint Cyber Defense Collaborative playbook seeks to establish a "a unified approach" on how to handle AI-related cybersecurity threats.

Source: Aleksey Funtap via Alamy Stock Photo

NEWS BRIEF

The U.S. Cybersecurity and Infrastructure Security Agency has released a new playbook providing detailed guidance for AI developers, providers, and adopters on how to voluntarily share cybersecurity information with federal agencies, private industry partners, and international stakeholders.

The JCDC AI Cybersecurity Collaboration Playbook encourages sharing information about cybersecurity incidents and vulnerabilities linked to AI systems. The playbook outlines specific protections and mechanisms for information exchange, such as the use of Traffic Light Protocol (TLP), which ensures controlled dissemination of sensitive information. Organizations should use the playbook to define their incident response activities, strengthen information sharing processes, and fortify defenses, CISA said. Participation is voluntary and there are no regulatory requirements for taking part.

The playbook encourages sharing information when malicious activity targeting AI systems is observed and proactively reporting newly identified cybersecurity vulnerabilities in products. Organizations are encouraged to share information that can be used to detect and prevent incidents, expose and disrupt adversary tactics and infrastructure, coordinate to address malicious infrastructure, and to identify and notify victims. Industry partners should flag opportunities for technical exchanges, identify priority issues for the AI community, promote after-the-fact analyses and knowledge-sharing, and join the JCDC.

"The playbook also identifies actionable information sharing categories applicable to broader critical infrastructure stakeholders and other sharing mechanisms," the agency said in a statement. "CISA encourages organizations to adopt the playbook’s guidance to enhance their own information-sharing practices, contributing to a unified approach to AI-related cybersecurity threats across critical infrastructure."

Issues related to AI fairness and ethics, as well as AI safety topics — such as risks to human life, health, property or the environment — are not covered by the playbook, CISA said.

The playbook was developed based on the results of two tabletop exercises in 2024 involving over 150 participants. The first exercise, hosted by Microsoft in June, explored the unique challenges posed by AI cybersecurity incidents. The second exercise, hosted by Scale AI in September, highlighted the need for enhanced operational collaboration and information sharing. CISA plans to periodically update the playbook with new recommendations.

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Source

DARKReading