Diversity isn't just an issue of fairness — it's about operational excellence and ensuring we have the best possible teams defending our national security.

Theresa Payton, Former White House CIO, and CEO, Fortalice Solutions, LLC

November 25, 2024

6 Min Read

Source: designer491 via Alamy Stock Photo

COMMENTARY

The US government often operates with a natural inclination toward risk aversion and a slower pace of change compared with the private sector. While this cautious approach is understandable, given the high stakes of national security, it can inadvertently hinder efforts to close the diversity gap in cybersecurity and STEM fields (that is, science, technology, engineering, and mathematics). By sharing best practices across the public and private sectors, the US government and the private sector can build a more diverse and resilient cybersecurity workforce, capable of addressing today's complex threats. 

Here are seven strategies that every enterprise, whether in the public or the private sector, can implement to close the diversity gap in cybersecurity, drawing from successful approaches: 

**Proactive Recruitment **

In the private sector, actively seeking diverse talent rather than waiting for applicants has yielded substantial results. We've broadened our talent pool by partnering with organizations dedicated to underrepresented groups in tech and attending diversity-focused events. Similarly, the US government can implement a proactive approach, targeting communities that historically have been underrepresented in STEM and cybersecurity. 

Stat: Partnering with organizations like Women in Cybersecurity (WiCyS) or the National Society of Black Engineers (NSBE) can help increase diversity. According to the "ISC2 Cybersecurity Workforce Study," only 24% of cybersecurity professionals are women, and the numbers are even lower for Black and Hispanic professionals. Proactive partnerships and outreach are crucial to closing this gap. 

**Flexible Career Pathways**

Offering flexible career pathways has proven to be a powerful recruitment and retention tool in the private sector. Rather than adhering to rigid, predefined positions, designing roles around an individual's strengths, skills, and interests attracts a more diverse workforce. Nontraditional candidates bring fresh perspectives, which are invaluable in the evolving cybersecurity landscape. 

The US government has leveraged the NICE framework, which is a good foundation. All enterprises can implement dynamic roles and career pathways tailored to diverse skill sets and backgrounds. This flexibility would make government careers more appealing to underrepresented talent. 

Stat: According to the "ISC2 Cybersecurity Workforce Study," expanding career pathways can help close the global cybersecurity workforce gap, which is estimated to be more than 3.4 million professionals. 

**Building an Inclusive Culture**

Culture is critical to retaining diverse talent. It's not enough to hire diverse candidates — organizations must also create environments where everyone feels valued. In our experience, building an inclusive culture has strengthened our team's ability to tackle complex challenges.  

Fostering an inclusive culture would help enterprises recruit and retain diverse talent. A diverse team brings new ideas and varied perspectives, which is crucial when defending against rapidly evolving cyber threats. 

**Leveraging Midcareer Switchers**

Midcareer professionals from diverse fields like project management, communications, music, and arts can bring valuable transferable skills to cybersecurity roles. Some of our most effective cybersecurity professionals come from non-technical backgrounds, where problem-solving, creativity, and leadership were honed. 

The US government and private sector could benefit from targeting mid-career switchers and offering retraining and upskilling programs to support their transition. This approach would diversify the talent pool and inject fresh perspectives into government cybersecurity teams. 

Stat: According to the World Economic Forum, 50% of all employees will need reskilling by 2025. Leveraging the transferable skills of midcareer professionals can be a strategic solution for addressing talent shortages. 

**Targeted Outreach for BIPOC Talent**

To close the diversity gap, targeted outreach to Black, indigenous, and people of color (BIPOC) communities is essential. This can be achieved through partnerships with minority-serving institutions and organizations focused on increasing representation in tech. Scholarships, mentorship, and internship programs specifically designed for BIPOC students and professionals can help build a pipeline of diverse talent into government roles. 

Stat: Currently, only 9% of cybersecurity professionals are Black, and just 4% are Hispanic, according to ISC2's "Cybersecurity Workforce Study." Targeted initiatives can help bridge these gaps and attract underrepresented talent to cybersecurity roles. 

**Early Engagement With Younger Talent**

The private sector has seen remarkable success by engaging younger talent early in their education and careers. Hackathons, internships, and partnerships with gaming communities have effectively identified and nurtured young cybersecurity talent. This generation is motivated by mission-driven work and seeks roles where they can make a tangible impact. 

The US government can adopt similar strategies by creating internships, challenges, and self-paced learning opportunities. By emphasizing the critical role of cybersecurity in national security, the government can make these positions more appealing to younger talent who seek purpose in their careers. 

Stat: A Deloitte survey revealed that 87% of millennials value professional development and learning opportunities in their jobs, which aligns with the desire for continuous growth and impact-driven careers. 

**Retention Through Flexibility and Support**

Retention is as important as recruitment when building a diverse workforce. Offering flexible work arrangements, professional development opportunities, and support during life transitions — such as raising children or caring for aging parents — can significantly improve retention rates. In the private sector, these initiatives have allowed us to keep diverse talent engaged and thriving. 

The US government can adopt similar strategies by implementing flexible work policies and providing robust professional development programs. When employees feel supported in balancing work and personal responsibilities, they are likely to stay and grow within the organization. 

Stat: Research shows that organizations with inclusive and flexible cultures have 1.7 times greater innovation and 2.3 times higher cash flow per employee than those without. 

**Conclusion**

Closing the career diversity gap in STEM and cybersecurity fields is critical to our nation's cybersecurity future. By sharing best practices and lessons between the public and private sectors, the United States can lead by example, closing the career diversity gap and building a more resilient cybersecurity workforce. Diversity isn't just an issue of fairness — it's about operational excellence and ensuring we have the best possible teams defending our national security.

**About the Author**

Former White House CIO, and CEO, Fortalice Solutions, LLC

Theresa Payton made history as the first female to serve as White House Chief Information Officer and currently helps organizations in both the public and private sectors protect their most valuable resources. As one of the nation’s most respected authorities on secured digital transformation, Theresa Payton is frequently requested to advise boards of the Fortune 500, CEOs, and technology executives. Theresa is a visionary in the digital world leading the way as an inventor of new security designs and has an approved US patent in security. She provides advice drawing from her experience as a technologist first and now veteran cybercrime fighter and entrepreneur, masterfully blending memorable anecdotes with cutting-edge insights.

Closing the Cybersecurity Career Diversity Gap

Attackers are betting that the hype around generative AI (GenAI) is attracting less technical, less cautious developers who might be more inclined to download an open source Python code package for free access, without vetting it or thinking twice.

Source: Adrian Vidal via Alamy Stock Photo

Two Python packages claiming to integrate with popular chatbots actually transmit an infostealer to potentially thousands of victims.

Publishing open source packages with malware hidden inside is a popular way to infect application developers, and the organizations they work for or serve as customers. In this latest case, the targets were engineers eager to make the most out of OpenAI's ChatGPT and Anthrophic's Claude generative artificial intelligence (GenAI) platforms. The packages, claiming to offer application programming interface (API) access to the chatbot functionality, actually deliver an infostealer called "JarkaStealer."

"AI is very hot, but also, many of these services require you to pay," notes George Apostopoulos, founding engineer at Endor Labs. As a result, in malicious circles, there's an effort to attract people to free access, "and people that don't know better will fall for this."

**Two Malicious "GenAI" Python Packages**

About this time last year, someone created a profile with the username "Xeroline" on the Python Package Index (PyPI), the official third-party repository for open source Python packages. Three days later, the person published two custom packages to the site. The first, "gptplus," claimed to enable API access to OpenAI's GPT-4 Turbo language learning model (LLM). The second, "claudeai-eng," offered the same for ChatGPT's popular competitor, Claude.

Neither package does what it says it does, but each provide users with a half-baked substitute — a mechanism for interacting with the free demo version of ChatGPT. As Apostopoulos says, "At first sight, this attack is not unusual, but what makes it interesting is if you download it and you try to use it, it will kind of look like it works. They committed the extra effort to make it look legitimate."

Under the hood, meanwhile, the programs would drop a Java archive (JAR) file containing JarkaStealer.

JarkaStealer is a newly documented infostealer sold in the Russian language Dark Web for just $20 — with various modifications available for $3 to $10 apiece — though its source code is also freely available on GitHub. It's capable of all the basic stealer tasks one might expect: stealing data from the targeted system and browsers running on it, taking screenshots, and grabbing session tokens from various popular apps like Telegram, Discord, and Steam. Its efficacy at these tasks is debatable.

**Gptplus & claudeai-eng's Year in the Sun**

The two packages managed to survive on PyPI for a year, until researchers from Kaspersky recently spotted and reported them to the platform's moderators. They've since been taken offline but, in the interim, they were each downloaded more than 1,700 times, across Windows and Linux systems, in more than 30 countries, most often the United States.

Those download statistics may be slightly misleading, though, as data from the PyPI analytics site "ClickPy" shows that both — particularly gptplus — experienced a huge drop in downloads after their first day, hinting that Xeroline may have artificially inflated their popularity (claudeai-eng, to its credit, did experience steady growth during February and March).

"One of the things that \[security professionals\] recommend is that before you download it, you should see if the package is popular — if other people are using it. So it makes sense for the attackers to try to pump this number up with some tricks, to make it look like it's legit," Apostopoulos says.

He adds, "Of course, most average people won't even bother with this. They will just go for it, and install it."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Faux ChatGPT, Claude API Packages Deliver JarkaStealer

A local government resource for helping Japanese citizens cut ties with organized crime was successfully phished in a tech support scam, and could have dangerous consequences.

Source: Robert Gilhooly via Alamy Stock Photo

Japan's web of ruthless Yakuza organized crime syndicates continues to operate, threatening the country's citizens with everything from extortion to gangland murders. Local agencies within communities are set up to help those who get involved with gangsters — but unfortunately, one of them has been hacked, potentially leading to physical safety consequences for the victims.

The Kumamoto Prefecture Violence Prevention Movement Promotion Center said that 2,500 people who have used its counseling services (which aid with everything from evading extortion to disentangling romantically from Yakuza members) have been impacted by a data breach following a successful phishing effort.

"On November 15th, a center staff member was directed to a support fraud website while working and was illegally accessed," according to an "apology" notice on the agency's website (via Google Translate). "When the staff member noticed something was wrong, he immediately cut off the power and network connection of the computer terminal, but we cannot deny the possibility that data including personal information used in work may have been leaked."

That information could include addresses, phone numbers, and names: “If you receive a phone call or mail using the name or staff of the 'Violence Prevention Movement Promotion Center' at your address or workplace, please immediately report it … without responding to the request of the other party or opening the mail.”

Beyond follow-on phishing or fraud calls however, the information could be valuable for syndicates looking for those who have left "the life" or extortion victims who got away. The center is contacting those who may have been affected.

**About the Author**

Yakuza Victim Data Leaked in Japanese Agency Attack

While the need for cybersecurity talent still exists, the budget may not. Here's how to maximize security staff despite hiring freezes.

Source: imtmphoto via Alamy Stock Photo

Talk of the talent gap in cybersecurity continues, with ISACA, ISC2, and even the Biden administration releasing new publications addressing the problem. Indeed, the US alone has almost half a million open cybersecurity positions, and ISC2 estimates a shortfall of 4.8 million professionals needed to secure the world's computing resources.

However, all that the surveys and studies tell us is that the cybersecurity sector is inadequately staffed, not that companies are looking to hire or that there are no people to fill positions. What exists is a disconnect between companies and candidates over issues like pay and required certifications, as well as budgeting struggles within organizations.

The recent "ISC2 2024 Cybersecurity Workforce Study" quantifies the budget issue inside companies. "In 2024, 25% of respondents reported layoffs in their cybersecurity departments, a 3% rise from 2023, while 37% faced budget cuts, a 7% rise from 2023," the report states. That means fewer job openings and less money to fill those positions that are opened.

Among a sea of qualified candidates, job seekers are struggling to figure out how to stand out to recruiters and hiring managers.

"I do tons of networking," says Xavier Ashe, a job seeker with more than 30 years' experience targeting director-level and CISO roles. "That's allowed me to get a number of opportunities to interview, but the competition is tough. Everyone is looking, and there are a lot of great folks I'm competing against."

**Hiring Expectations Are Misaligned**

In a Dark Reading article on this year's "Service for America" cybersecurity push, Shane Fry, CTO of RunSafe Security, blamed the employment gap on large organizations' tendency to favor highly skilled cyber workers with college degrees.

"This can lead to some great candidates, but it also ostracizes a large group of folks that are so passionate about cyber that they picked up the skills on their own and don't have a degree to put on a resume," Fry wrote. "There's a ton of opportunities for businesses to provide on-the-job training and external training courses to get people from the fringes of cybersecurity into the cybersecurity fold."

CyberSeek, a joint project between tech certification organization CompTIA, labor market analyst Lightcast, and US federal cybersecurity program NICE, shows that external training might require better alignment between job seekers and hiring organizations. Its cybersecurity career heat map compares certifications held and certifications requested. Some certs, like CompTIA+ and Certified Information Systems Security Professional (CISSP), are overrepresented in the hiring pool, while others — such as Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) — do not have enough certification holders to meet employer demand.

CyberSeek illustrates a further misalignment in its Career Pathway graphic, which represents entry-level, mid-level, and advanced-level positions with circles proportionally sized to the number of job openings. All of the entry-level and all but one of the mid-level job types are tiny dots representing fewer than 7,000 jobs nationwide in the US; the big circles representing north of 24,000 job openings are out of reach of people making a career switch or just starting out.

Besides how the field tilts away from early-career job seekers, senior-level candidates are running into a different issue: disparity between what they expect to be paid for their experience level and what job listings offer. Budget cuts affect the hiring environment, even leading to layoffs, according to ISC2's study. "In 2023, the top causes for talent and skills gaps were an inability to find the talent or skills they needed to succeed," the ISC2 said. "But today, it's not about supply, it's about limited resources for hiring."

That matches Ashe's job-hunting experience. "The big companies are lowballing executive compensation," he says. "I turned down one offer this summer due to the pay cut I would have to take."

The ISC2 study found a 0.1% increase in global cybersecurity workers in 2024 over 2023. Compared to the 8.7% increase in 2023 over 2022, "This year's numbers suggest that hiring has slowed for 2023–2024," the study concludes.

**If You Can't Hire, Improve the Tech**

So if nobody is hiring entry-level people, and nobody can hire higher-level professionals because of salary requirements, how can an organization maintain its cybersecurity team? By keeping existing workers from jumping ship, says Steve Wilson, chief product officer at Exabeam.

One way to create a better working environment, Wilson says, is to make the workload less crushing by automating more. Machine learning algorithms analyze raw data as it flows through the network, continuously learning patterns of normal behavior and identifying anomalies. When a suspicious case emerges, traces of unusual activity are summarized and presented in natural language, making it easier for analysts to interpret the data without sifting through dense logs. This approach saves time and allows security professionals to focus their efforts where they matter most.

"It's about reaching the point where we can identify what's abnormal and worrisome, and then get that in front of a human analyst to take action," says Wilson. "That's where the real work starts and where the time saved becomes so valuable."

For the beginning analyst, these kinds of tools allow them to understand exactly what is suspicious about a flagged issue, in the process learning to understand the technical points, Wilson says. This gives Tier 1 analysts a chance to fix the problem themselves rather than escalate it to a Tier 3 analyst. By reducing escalations, the workload for Tier 3 analysts is eased, and they can use the LLM to search for obscure data points for tougher problems.

"It builds the skills for those younger ones because they can ask the dumb question without feeling like they're exposing themselves," Wilson says. "And then it frees up the time on those senior ones to actually go work the really tricky problems."

Notes Bryan Kissinger, CISO and senior VP at Trace3: "People get burned out when they're doing a job they don't like or their team around them is not supportive of work/life balance," he says. "The more repetitive and mundane activities ... a lot of that can be taken up by tools and automation."

**The Right People, If You Can Keep Them**

While poor salaries dropped as the reason cybersecurity talent left a job, from 54% in 2023 to 50% in 2024, work stress levels pushed 46% of staff to leave their cybersecurity jobs this year (up from 43% in 2023). That's according to the ISACA's "Global State of Cybersecurity 2024," which also cited lack of support from management (34%), poor work culture (32%), and return-to-office initiatives (32%) as reasons people quit.

Retention is key to Trace3, Kissinger adds. "Sometimes it's very challenging to tell when someone's burning out," he says. "\[An employee was\] ready to leave because they were burning out, and I said, 'This is the first I've heard about it. Can we bring on some contractors to help us moderate the workload?' Unless people speak up, you're really doing yourself a disservice."

Adds Wilson: "Sometimes these automation products, whether they're cybersecurity or marketing or whatever, there's a value proposition that says you can have less people on your staff. I don't think there's anybody saying, 'I'm spending too much on my SOC team — I'm going to reduce that by bringing in automation.' What they're saying is, 'My SOC team is overwhelmed, and people are quitting because they're burned out.'"

**About the Author**

Karen joined Dark Reading in January 2022 as features editor. She's been in tech editing since before the img tag was introduced, working for outlets such as the IEEE Computer Society, CNET Download.com, and TechTV. She lives in Los Angeles with her husband, son, and two cats. Find her on Mastodon.

What Talent Gap? Hiring Practices Are the Real Problem

At least 97 major water systems in the US have serious cybersecurity vulnerabilities and compliance issues, raising concerns that cyberattacks could disrupt businesses, industry, and the lives of millions of citizens.

Source: Clare Louise Jackson via Shutterstock

Despite a spate of recent cyberattacks raising the awareness of water-infrastructure vulnerabilities, nearly 100 large community water systems (CWS) continue to have serious security weaknesses in Internet-facing systems, putting the water supply of nearly 27 million Americans at risk.

The critical and high-severity vulnerabilities affect more than 9% of the 1,062 water systems in the United States that serve at least 50,000 people, according to an Environmental Protection Agency (EPA) report released on Nov. 13. The vulnerabilities were discovered through passive assessments conducted in October that looked at more than 75,000 IP addresses and 14,400 domains.

Overall, millions of citizens — along with businesses, schools, and hospitals — rely on the affected water systems. "If malicious actors exploited the cybersecurity vulnerabilities we identified in our passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure," the EPA stated.

Over the past three years, water systems have become increasingly targeted by state-sponsored groups, ransomware gangs, and hacktivists. In 2023, Iran-linked cyberattackers compromised programmable logic controllers (PLCs) at a water utility in Pennsylvania, as well as 10 wastewater treatment plants in Israel. In 2021, a hacker targeted a water treatment plant in Florida and even changed the chemical mixture for the water, but did not have the sophistication to evade detection. In September, a water treatment plant in Arkansas City, Kan., switched to manual operation after the facility was the target of a cybersecurity incident.

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

Water system vulnerabilities are a critical issue that could impact businesses, especially power-generation systems and data centers, but especially have the potential to cause human harm, says Vinod D'Souza, head of manufacturing and industry in the Office of the CISO at Google Cloud.

"Water utilities are unique in the \[operational technology\] OT world because they directly impact public health, requiring stringent security to prevent catastrophic consequences like contaminated water supplies," he says. "Their geographical spread and complex systems pose distinct cybersecurity challenges not found in other sectors."

**Water, Water, Everywhere ... Nary a Drop of Security?**

The United States has nearly 150,000 water systems, consisting of three types of public infrastructure. Community water systems (CWS) provide water to residents living in a town or city year-round and account for approximately a third (33.7%) of water systems. Transient noncommunity water systems (TNCWS) supply water to travelers and visitors to a specific location — such as a campground or gas station — but not on a permanent basis. These make up 54.3% of public water systems. The final 12% of systems consist of nontransient noncommunity water systems (NTNCWS), which provide water to people in nonresidential locations — such as schools, businesses, and hospitals.

Related:Going Beyond Secure by Demand

Because many water agencies are small and serving communities, they face the same challenges as other local government agencies: a lack of resources, legacy technology, architectures that were not designed to be defensible, and a lack of visibility, says Paul Shaver, global practice lead for ICS/OT security consulting at Google Cloud's Mandiant division.

"This is compounded by the fact that many municipal water agencies have financial constraints that make it difficult to identify risk and develop security capabilities that are appropriate for their organization size," he says.

By EPA regulation, any water systems serving more than 3,300 people must conduct risk assessments, including cybersecurity assessments, and develop emergency response plans. But most do not have the money, and without the funding, the utilities are hard pressed to comply with regulations, Shaver says.

Related:Small US Cyber Agencies Are Underfunded & That's a Problem

The criticality of these systems and their relative lack of protection has government officials worried. In May, the EPA warned that Iran and Russia had stepped up their attacks on water systems in the United States, while the Cybersecurity and Infrastructure Security Agency (CISA) released a cyber-incident response guide for the water and wastewater sector earlier this year.

The May 2024 alert from the EPA noted that "water systems had inadequate risk and resilience assessments and emergency response plans ... \[and\] found significant failures in best practices, such as failure to change default passwords, use of single logins for all staff, and failure to curtail access by former employees."

**US Needs More Investment in Water System Cyber Defense**

Even with the current requirements, many water utilities are already failing to meet their cybersecurity obligations, Google Cloud's D'Souza says.

"Simply increasing regulations won't solve this problem, and merely highlights the financial constraints preventing utilities from adequately protecting critical infrastructure," he says.

Overall, the federal government needs to do more than offer regulations and best practices. In many respects, the water sector is no different than any other critical infrastructure sector with a great deal of operational technology, says Sean Arrowsmith, head of industrials at NCC Group, a cybersecurity consultancy.

"Generally, OT protocols were designed when security was not so much of a consideration but the devices and infrastructure they run is deployed for a long lifetime and now there are business drivers to collect data from them and converge OT with IT, which is where the security challenges arise," he says.

In addition, Arrowsmith says that the amount of legacy infrastructure and breadth of the attack surface area continues to make securing water infrastructure challenging.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Leaky Cybersecurity Holes Put Water Systems at Risk

Secure by Demand offers a starting point for third-party risk management teams, but they need to take the essential step of using a mature software supply chain security solution to ensure they're not blindly trusting a provider's software.

Saša Zdjelar, Chief Trust Officer, ReversingLabs

November 22, 2024

5 Min Read

Source: Science Photo Library Alamy Stock Photo

COMMENTARY

In late June 2017, maritime giant A.P. Møller – Maersk was hit with a devastating software infection that affected "close to a fifth of the world's shipping capacity." 

As it turned out, the attack was not targeted at Maersk, but spun out of a regional "hot war" between Ukraine and Russia that saw a malware strain named "NotPetya" delivered to customers of a Ukrainian software company, with clients in the Ukraine and the rest of the world. The attack cost the global economy a whopping $10 billion in damages — the world's most costly cyber event to date.  

Seven years later, NotPetya is considered to be one of the most significant cyberattacks of our time. But this was not just a malware attack, but a software supply chain attack that exploited a commercial software update.  

In the years since, software supply chain attacks have taken center stage, with more incidents like NotPetya arising, including supply chain attacks on SolarWinds and the voice-over-IP firm 3CX. Also, Verizon's "2024 Data Breach Investigations Report" (DBIR) found that breaches stemming from third-party software development organizations increased by 68% from 2023. 

In response, the US Cybersecurity and Infrastructure Security Agency (CISA) released Secure by Design guidance in 2023. This move signaled to software producers the need to securely design their products, track and mitigate common vulnerabilities and exposures (CVEs), implement legacy AppSec tools, and enable protocols like multifactor authentication (MFA). But it wasn't until August 2024 that CISA released new Secure by Demand guidance that approaches this problem differently by empowering enterprise buyers to demand safer commercial software products from their suppliers, period.  

Secure by Demand is a good starting point for enterprise buyers looking to raise the bar for the firms that supply them business-critical software. However, it's imperative that these businesses go one step further. Here's why. 

**Software Assurance**

Secure by Demand targets several areas of software assurance: secure software development, vulnerability tracking and patching, authentication and logging, and software transparency. CISA hopes that enterprise consumers will ask commercial software vendors about each of these areas during the procurement process.

While these checks target key parts of software supply chain security, CISA's guidance should include more than a list of questions — not so different from the prevailing form of third-party risk management (TPRM), which relies heavily on questionnaires. Unfortunately, such an approach falls well short of providing genuine software assurance.

Instead, questionnaires leave major gaps in assessments of third-party cyber-risk, in that enterprise consumers will ask smart questions of commercial software vendors but won't possess the appropriate capabilities to verify their answers. That lapse leaves enterprise buyers vulnerable, requiring them to blindly trust the attestations of the mission-critical software products they rely on.  

The same can be said for software bills of materials (SBOMs), which Secure by Demand also recommends to enterprise buyers. SBOMs provide transparency in that they list a piece of software's components, which can include open source, proprietary, and third-party software. However, not listed in an SBOM are the calculated risks associated with third-party and commercial software products.  

Consider this: Neither a detailed SBOM nor a completed vendor security questionnaire would have thwarted the NotPetya attack, as customers were unaware of the existence of a Russian backdoor in the offending software update. So why should enterprise consumers take comfort from SBOMs and questionnaires alone when looking to protect their organizations? 

**Limited View of Supply Chain Risk**

It's true: Some of the checks recommended by CISA in its Secure by Demand guide include the vetting of open source software components used in commercial software products. CISA also calls for end-user organizations to determine how software vendors find, disclose, and patch vulnerabilities in their software. However, software supply chain risks extend well beyond these checks.  

Sophisticated cybercriminal and nation-state groups today are targeting commercial software by compromising build pipelines to insert malicious code, or by uncovering and abusing secrets lurking in application code. This is evident in the fact that the most detrimental software supply chain attacks to date did not occur due to cybercriminals exploiting open source components and vulnerabilities in software. Rather, they targeted commercial software directly, as was the case with NotPetya, 3CX, and more.  

**The Solution? Don't Trust — and Verify**

For enterprise buyers to ensure that the commercial software they are consuming is safe, they will need to independently validate the security of their mission-critical software. Doing so will require more than just asking vendors to answer a list of questions and provide an SBOM. Proper validation requires independently testing and verifying that software is free from malicious components (open source or commercial), critical vulnerabilities, malware, tampering, suspicious behaviors, and more — before, during, or after its deployment. 

Secure by Demand offers a solid starting point for TPRM teams. But they should then take the essential step of using a mature software supply chain security solution — one that provides comprehensive and independent software analysis, to ensure they are not blindly trusting their provider's software. Such a tool should also offer an actionable software risk assessment, which serves as a TPRM team's recipe for success when protecting their organization from such incidents.  

Having this level of control and verifiable evidence will allow enterprise consumers to verify the security and integrity of the mission-critical commercial software they rely on, even in the wake of the latest software supply chain attack. 

**About the Author**

Chief Trust Officer, ReversingLabs

Saša is the chief trust officer (CTrO) at ReversingLabs, and operating partner at Crosspoint Capital, with approximately 20 years of Fortune 10 global executive leadership experience. His CTrO scope includes leadership, oversight and governance of the CISO/CSO function, including product security, as well as partnering with other leaders on corporate and product strategy, strategic partnerships and research, and customer and technology advisory boards, including sponsoring the ReversingLabs CISO Council. Prior to ReversingLabs and Crosspoint Capital, Saša served as the senior vice president of security at Salesforce, where he led a global organization encompassing enterprise security, product security, offensive security, security engineering/automation, bug bounty programs, technical product/program/project management, and mergers and acquisitions. He also played a crucial role as the executive sponsor for strategic corporate security initiatives, such as zero trust.

Going Beyond Secure by Demand

The scale of Beijing's systematic tapping of private industry and universities to build up its formidable hacking and cyber-warfare capabilities is larger than previously understood.

Source: KaimDH via Shutterstock

Hundreds of private cybersecurity firms, technology services providers, and universities are helping China's state apparatus develop offensive cyber capabilities to support the country's strategic military, economic, and geopolitical goals, according to research released this week.

"The existence of state-sponsored threat groups operating under the Chinese state's direction has long been well documented," researchers at France's Orange Cyberdefense wrote in their report, based on eight months of analysis of China's cyber-offense capabilities. But any notions that these entities are strictly in government hands, especially given the authoritarian nature of China's government, are off base, the authors warned. "China's offensive cyber capabilities are, in fact, supported by a complex and multilayered ecosystem involving a broad array of state and non-state actors," they wrote.

Their findings provide deeper context on the troubling success that Chinese cyber actors have had infiltrating US critical infrastructure, breaching government, military, and business networks, not to mention theft of defense data, trade secrets, and intellectual property from American entities and others around the world.

**An Extensive Ecosystem**

The synergies have enabled quicker government access to cutting-edge technology and talent, especially in critical areas such as artificial intelligence (AI), big data analytics, 5G wireless, and cloud computing, says Dan Ortega, security strategist at Anomali. "China's collaboration between its tech companies and state entities has dramatically accelerated the development of its cyber-offensive capabilities," Ortega says. Importantly, it has also allowed the nation to scale state-sponsored cyber missions effectively. And that collaboration enables government access to vast data sets collected by companies, facilitating enhanced targeting and more-effective cyberattacks, he notes.

"China fosters formal and informal partnerships with tech firms through initiatives like the Military-Civil Fusion strategy, mandating companies to share their technological advancements and insights with the state," he says. A feedback loop exists in which innovations made in the private sector directly enhance state capabilities.

**Poised to Strike?**

The Orange report arrives as domestic concerns grow over Chinese cyberattacks on US entities, such as operations like Volt Typhoon's targeting of critical infrastructure organizations. Many in government and industry are convinced that Chinese groups have attained the presence they need on US networks to cause widespread disruption to domestic energy, telecommunications utilities, and technology services. Such concerns prompted the Office of the Director of National Intelligence (ODNI) to describe China as the "most active and persistent cyber threat to US government, private sector, and critical infrastructure networks," in its 2024 annual report.

Orange's research showed the four main government stakeholders responsible for building and executing China's cyber-offense capabilities are the People's Liberation Army (PLA), the Ministry of State Security (MSS), the Ministry of Public Security (MPS), and the Ministry of Industry and Information Technology (MIIT). Their multipronged efforts include actively recruiting or otherwise supporting private hackers and hacktivists in activities such as data theft, website defacement, and distributed denial-of-service attacks.

**Hundreds of Private Firms**

Under the current model, the government stakeholders are working with hundreds of private companies, both big and small, to carry out cyberattacks against foreign and domestic entities that are of strategic interest to Beijing, the Orange report noted. One example of big-player involvement in the report is Shanghai stock exchange-listed Integrity Technology Group (ITG), which the FBI has linked to the Flax Typhoon APT. Like ITG, many of China's top technology companies are also the state's biggest cyber contractors, according to Orange's report. "Enterprises such as ThreatBook, Qihoo360, and Qi An Xin not only provide defensive security solutions to public agencies but are also believed to indirectly contribute to offensive cyber operations."

At the other end of the spectrum are dozens of smaller and medium-size private entities that often act as subcontractors for the bigger companies and deliver a range of highly specialized services. One example is i-Soon, a 72-person Shanghai firm whose ties to the Chinese government emerged after a leak earlier this year. "These entities often act as subcontractors to the industry giants, filling the gap in their cyber offensive competencies and further fragmenting the hack-for-hire supply chain," Orange's researchers wrote. The company found that while in many instances, China's PLA, MSS, and others worked with legitimate private entities, others created shell companies that acted as fronts for procuring cyberattack infrastructure.

**Tapping Top Universities**

The Chinese government's efforts to rope in academic institutions began in earnest in 2017. Today many universities — including eight of the C9 League of China's top nine public universities — are engaged in state-sponsored cyber-offense research, according to Orange. Their contributions range from advanced research on the use of AI in cybersecurity to helping state operatives translate stolen documents and gathering open source intelligence.

Trey Ford, chief information security officer at Bugcrowd, says the willingness among Chinese companies to work for the government point up very different business norms in China. While organizations in countries like the US are beholden to fiduciary, legal, ethical, and privacy norms, those in China have a different set of obligations. "Communist government-backed organizations, aligned to formal Five-Year economic and military objectives, will have very different outcomes in mind, and can make different investments and sacrifices than capitalist businesses," he says.

Customer trust and user privacy are different context in China than in the US and other western nations, Ford says.  "Companies doing business in China must run their services in-country today. This includes the expectation of access to their systems, data, intellectual property — as well as their customers' data."

The continued expansion of China's cyber ecosystem will lead to more sophisticated attacks and better targeting of intellectual property and critical infrastructure through trusted business relationships, cautions Stephen Kowski, field chief technology officer at SlashNext Email Security+. "This model could enable more advanced supply chain compromises and social engineering attacks that bypass traditional security controls," Kowski says. "China's civil-military fusion model creates a seamless flow of technology and expertise between private sector innovations and state-sponsored cyber operations, enabling faster deployment of advanced attack techniques."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

China's Cyber Offensives Built in Lockstep With Private Firms, Academia

Building on its broad security portfolio, Microsoft's new exposure management is now available in the Microsoft Defender portal, with third-party-connectors on the way.

Source: Wavebreak Media ltd via Alamy Stock Photo

Microsoft is the latest big name to add continuous threat exposure management (CTEM) to its formidable security portfolio with the release of its new Microsoft Security Exposure Management offering. Microsoft made the announcement at its annual Microsoft Ignite conference this week.

Security experts describe CTEM, or proactive exposure management, as a programmatic and unified approach to detecting and mitigating threats. Gartner predicts that by 2026, organizations that embrace CTEM will see two-thirds fewer breaches.

Enterprise Strategy Group principal analyst Tyler Shields describes exposure management as the next iteration of vulnerability management.

"It's centered on the overlap of continuous asset discovery and management, threat and exposure analysis, and vulnerability discovery," Shields says. "If you can understand the assets you have, the state they are in, the vulnerabilities that exist, and the active threats against them, you are all prepared to secure your environment."

Microsoft initially introduced Security Exposure Management in March as a technical preview. It is now available in the Microsoft Defender portal, included with its E5 licenses, and as an option for various other Microsoft 365 licenses.

**Unified Views of Attack Surfaces**

With its entry, Microsoft seeks to enable defenders to prevent successful attacks by providing comprehensive and unified views of their organizations' broad attack surfaces, allowing them to take a more proactive approach to identifying and mitigating threats.

"Exposure management is critical for enabling teams to understand the posture of the organization, and it helps security teams see all the potential attack paths to critical assets as if they were looking through it, through the eyes of the attacker," said Vasu Jakkal, Microsoft's corporate VP for compliance, identity management, during the opening session at Ignite, which took place in Chicago.

The tooling is designed to identify attack paths and evaluate vulnerabilities in the context of an organization's critical assets in a more proactive and expansive manner than traditional vulnerability and threat detection offerings. Security Exposure Management uses Microsoft's new exposure graph APIs to identify attack paths and evaluate vulnerabilities in the context of critical assets.

Analysts say Microsoft's entry is poised to reshape the competitive environment of exposure management solutions offered by Cisco/Splunk, CrowdStrike, Palo Alto Networks Rapid7, Tenable, Trend Micro, and Wiz, as well as various others that provide more specialized capabilities.

"Exposure management is becoming an incredibly competitive market, and Microsoft is demonstrating that it wants to be a leader in this space," says Omdia principal analyst Andrew Braunberg.

Adds Forrester senior analyst Erik Nost, since Microsoft is initially allowing access to exposure management through a variety of licensing options, customers will have widespread access to insights.

"The data Microsoft possesses on existing customer environments without needing to ingest third-party data is the biggest opportunity for Microsoft to set it apart from competitors," Nost says. "Microsoft is building a platform that integrates a very broad set of security posture management telemetry."

**Building an Ecosystem of External Connections**

While the initial release is available and included with various Microsoft 365 and Microsoft Defender licenses and will ingest telemetry from those offerings, Microsoft announced it will enable integration with competing external third-party tools, including Qualys, Rapid7, Tenable, and ServiceNow's CMDB.

Microsoft released public preview versions of its third-party connectors, slated to become generally available next quarter.

Unlike Microsoft telemetry, which customers can ingest at no additional cost, they will incur charges to gather data from external sources, said Microsoft product director Brjann Brekkan, during a session on security exposure management at Ignite.

"We don't own that data," Brekkan explained. "We need to charge a little bit of cost to bring that third-party signal in, to attach those new data points from those services as well. But this is there for you to unify your data."

Security Exposure Management collects data through these connectors and normalizes it through its exposure graph, which maps relationships and exposes new attack paths. In a blog post, Brekkan said this provides "comprehensive attack surface visibility."

Microsoft exposure management also provides insights on the most critical assets, Internet exposure, and context related to business applications incorporated from the connected tools. Customers can view the integrated data, which can be visualized through the Attack Map tool or analyzed using advanced hunting queries via KQL (Kusto Query Language), Microsoft's Azure-based tool designed to identify anomalies in large data sets.

The offering now consists of three primary tools:

*   Attack Surface Management: Defenders have access to continuous views of their organization's attack surface. Notably, the tool identifies the most critical assets and those that are the prime targets of attackers
    
*   Attack Path Analysis: Security teams can visualize and prioritize high-risk attack paths, particularly those targeting those critical assets
    
*   Unified Exposure Insights: Administrators can view their organization's threat exposure, allowing them to prioritize risks and tie remediation priorities with business imperatives.
    

Omdia's Braunberg says it remains to be seen how many customers will build their exposure management strategies around Microsoft's offering, it is likely many will evaluate it, especially considering its potentially low cost.

"As per Microsoft's usual playbook, exposure management is attractive because it pulls together a lot of existing Microsoft functionality into an integrated solution with small incremental costs," he says.

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Microsoft Highlights Security Exposure Management at Ignite

MITRE and CISA's 2024 list of the 25 most dangerous software weaknesses exposes the need for organizations to continue to invest in secure code.

Source: Sergey Tarasov via Alamy Stock Photo

Although a new methodology shook up the rankings of this year's most dangerous software bugs, the classic persistent threats still proved to be the biggest risk to organizations, reinforcing the need for continued focus on — and investment in — secure code.

The annual Common Weakness Enumeration (CWE) list is compiled by MITRE and the Cybersecurity and Infrastructure Agency (CISA). This year, for the first time, their formula included both severity and frequency of the flaws.

"Weaknesses that were rarely discovered will not receive a high frequency score, regardless of the typical consequence associated with any exploitation," the list's methodology page explained. "Weaknesses that are both common and caused significant harm will receive the highest scores."

The year's top weaknesses, according to the 2024 CWE list, was cross-site scripting (second last year), followed by out-of-bounds write (2023's winner), SQL injection (also third last year), cross-site request forgery (CSRF) (ninth in 2023), and path traversal (eighth last year).

"While we see a bit of movement in rankings throughout the list for sure, we also continue to see the presence of the 'usual suspects' (e.g., CWE-79, CWE-89, CWE-125)," says Alec Summers, the project leader for the CVE Program at MITRE and one of the list's authors. "It’s an ongoing concern that these and other stubborn weaknesses remain high on the Top 25 consistently."

The only real curveball in this year's rankings, he points out, was CRSF rising from the ninth spot last year to fourth in 2024. "This might reflect a greater emphasis on CSRF by vulnerability researchers or maybe there are improvements in CSRF detection, or maybe more adversaries are focusing on this kind of issue. We can’t be completely sure why it jumped the way it did," Summers says.

As the software development life cycle (SDLC) and software supply chain become more labyrinthine every year, and everyday software flaws continue to proliferate, it's increasingly important for organizations get a handle on their systems before everyday weaknesses become something more sinister, he recommends.  
"Looking at the Top 25, organizations are strongly encouraged to review and leverage the list as a guiding resource for shaping their software security strategies," Summers says. "By prioritizing them in both development and procurement processes, organizations can more proactively address risk."

**Shoring Up the Software Supply Chain Starts at Home**

Those efforts likewise should extend across the software supple chain, Summers adds.

"It's becoming more and more important for organizations to adopt and demand their suppliers adopt root cause mapping CVE with CWE," he urges. "This encourages a valuable feedback loop into an organization's SDLC and architecture design planning, which in addition to increasing product security can also save money: The more weaknesses avoided in your product development, the less vulnerabilities to manage after deployment."

In addition to incorporating a new methodology for determining which software flaws posed the most risk, 2024 was the first year the full community of CVE Numbering Authorities (CNAs) contributed to the CWE Program's effort. In total 148 CNAs helped develop this year's list, according to the CWE Project. Currently there are 421 CNAs across 40 countries, according to CVE.org.

Cross-Site Scripting Is 2024's Most Dangerous Software Weakness

PRESS RELEASE

PALO ALTO, Calif., Nov. 19, 2024 /PRNewswire/ -- As artificial intelligence (AI) continues to revolutionize industries, the cybersecurity field faces a dual-edged sword of opportunities and threats. StrongDM's latest report, "The State of AI in Cybersecurity," highlights the growing concerns and readiness of cybersecurity professionals to tackle AI-driven challenges. Based on a survey of 600 cybersecurity professionals, the report sheds light on pressing issues around AI regulation, perceived threats, defense confidence, and the future of the cybersecurity workforce.

Key Findings from the Survey:

*   Regulation Concerns: 76% of cybersecurity professionals believe AI should be "heavily regulated" to prevent misuse, underscoring the need for balance between safety and innovation.
    
*   AI-Driven Threats: A significant 87% of respondents expressed concerns about AI-driven cyberattacks, with malware (33%) and data breaches (30%) ranking as top threats.
    
*   Preparedness Levels: Only 33% of professionals feel "very confident" in their current defenses, and 65% of companies admit they are not fully prepared for AI-powered attacks.
    
*   Workforce Impact: Despite challenges, two-thirds of respondents feel optimistic about AI's potential to enhance, rather than replace, jobs in cybersecurity.
    

A Call for Regulation Amid Rapid AI Growth: The report reveals that 76% of surveyed professionals support "heavy regulation" of AI to mitigate potential risks. However, 15% worry that excessive oversight could stifle innovation. This underscores a need for balanced regulations that ensure security while fostering technological advancement.

Growing Concern Over AI-Powered Attacks: AI's potential to enable new attack vectors is top of mind for cybersecurity professionals, with 87% citing concern over AI-driven threats. Malware and data breaches emerged as the leading AI-powered concerns, with 33% and 30% of respondents, respectively, indicating their apprehension over these types of attacks.

Confidence Levels Are Low, but Hope Persists: The report highlights a stark contrast in preparedness, as only 33% of respondents expressed being "very confident" in their current defenses against AI threats. Meanwhile, 46% felt "somewhat confident," and 17% admitted their organizations were not ready for AI-driven attacks. These findings emphasize an urgent call for stronger strategies and investments to bolster AI-specific defenses.

Companies Playing Catch-Up: StrongDM's research found that 65% of respondents admitted their organizations are not fully prepared for AI-driven threats. While 32% of companies are actively investing in AI defenses, 48% say there's still much to be done to close the gap.

AI's Mixed Impact on the Cybersecurity Workforce: Despite the concerns surrounding AI, two-thirds of cybersecurity professionals maintain an optimistic outlook on the technology's impact on their jobs. 40% believe AI will enhance job roles without replacing them, and 25% foresee the creation of new job opportunities. Nonetheless, 30% expressed fears of job replacement, showcasing the nuanced views professionals hold on AI's future role in the workforce.

Complete Study Results: https://www.strongdm.com/blog/state-of-ai-in-cybersecurity-report

Methodology 

The report is based on a survey conducted in October 2024, targeting 600 US-based cybersecurity professionals. The survey was completed online via Pollfish, and responses were random, voluntary, and completely anonymous.

About StrongDM 

StrongDM is at the forefront of cybersecurity, specializing in Zero Trust Privileged Access Management (PAM). Our innovative solutions focus on continuous, policy-based controls that leverage actions and context to enhance enterprise security. StrongDM's technology scrutinizes each interaction in real time, preventing breaches before they occur and ensuring secure, frustration-free access across all platforms.

Supported by leading investors, including GV, Sequoia Capital, True Ventures, and Anchor Capital, StrongDM operates across North America, Europe, and Asia-Pacific, dedicated to setting new standards in cybersecurity and providing top-tier protection for today's digital enterprises.

For more information, visit the StrongDM website.

Source

DARKReading