At least 97 major water systems in the US have serious cybersecurity vulnerabilities and compliance issues, raising concerns that cyberattacks could disrupt businesses, industry, and the lives of millions of citizens.

Source: Clare Louise Jackson via Shutterstock

Despite a spate of recent cyberattacks raising the awareness of water-infrastructure vulnerabilities, nearly 100 large community water systems (CWS) continue to have serious security weaknesses in Internet-facing systems, putting the water supply of nearly 27 million Americans at risk.

The critical and high-severity vulnerabilities affect more than 9% of the 1,062 water systems in the United States that serve at least 50,000 people, according to an Environmental Protection Agency (EPA) report released on Nov. 13. The vulnerabilities were discovered through passive assessments conducted in October that looked at more than 75,000 IP addresses and 14,400 domains.

Overall, millions of citizens — along with businesses, schools, and hospitals — rely on the affected water systems. "If malicious actors exploited the cybersecurity vulnerabilities we identified in our passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure," the EPA stated.

Over the past three years, water systems have become increasingly targeted by state-sponsored groups, ransomware gangs, and hacktivists. In 2023, Iran-linked cyberattackers compromised programmable logic controllers (PLCs) at a water utility in Pennsylvania, as well as 10 wastewater treatment plants in Israel. In 2021, a hacker targeted a water treatment plant in Florida and even changed the chemical mixture for the water, but did not have the sophistication to evade detection. In September, a water treatment plant in Arkansas City, Kan., switched to manual operation after the facility was the target of a cybersecurity incident.

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

Water system vulnerabilities are a critical issue that could impact businesses, especially power-generation systems and data centers, but especially have the potential to cause human harm, says Vinod D'Souza, head of manufacturing and industry in the Office of the CISO at Google Cloud.

"Water utilities are unique in the \[operational technology\] OT world because they directly impact public health, requiring stringent security to prevent catastrophic consequences like contaminated water supplies," he says. "Their geographical spread and complex systems pose distinct cybersecurity challenges not found in other sectors."

**Water, Water, Everywhere ... Nary a Drop of Security?**

The United States has nearly 150,000 water systems, consisting of three types of public infrastructure. Community water systems (CWS) provide water to residents living in a town or city year-round and account for approximately a third (33.7%) of water systems. Transient noncommunity water systems (TNCWS) supply water to travelers and visitors to a specific location — such as a campground or gas station — but not on a permanent basis. These make up 54.3% of public water systems. The final 12% of systems consist of nontransient noncommunity water systems (NTNCWS), which provide water to people in nonresidential locations — such as schools, businesses, and hospitals.

Related:Going Beyond Secure by Demand

Because many water agencies are small and serving communities, they face the same challenges as other local government agencies: a lack of resources, legacy technology, architectures that were not designed to be defensible, and a lack of visibility, says Paul Shaver, global practice lead for ICS/OT security consulting at Google Cloud's Mandiant division.

"This is compounded by the fact that many municipal water agencies have financial constraints that make it difficult to identify risk and develop security capabilities that are appropriate for their organization size," he says.

By EPA regulation, any water systems serving more than 3,300 people must conduct risk assessments, including cybersecurity assessments, and develop emergency response plans. But most do not have the money, and without the funding, the utilities are hard pressed to comply with regulations, Shaver says.

Related:Small US Cyber Agencies Are Underfunded & That's a Problem

The criticality of these systems and their relative lack of protection has government officials worried. In May, the EPA warned that Iran and Russia had stepped up their attacks on water systems in the United States, while the Cybersecurity and Infrastructure Security Agency (CISA) released a cyber-incident response guide for the water and wastewater sector earlier this year.

The May 2024 alert from the EPA noted that "water systems had inadequate risk and resilience assessments and emergency response plans ... \[and\] found significant failures in best practices, such as failure to change default passwords, use of single logins for all staff, and failure to curtail access by former employees."

**US Needs More Investment in Water System Cyber Defense**

Even with the current requirements, many water utilities are already failing to meet their cybersecurity obligations, Google Cloud's D'Souza says.

"Simply increasing regulations won't solve this problem, and merely highlights the financial constraints preventing utilities from adequately protecting critical infrastructure," he says.

Overall, the federal government needs to do more than offer regulations and best practices. In many respects, the water sector is no different than any other critical infrastructure sector with a great deal of operational technology, says Sean Arrowsmith, head of industrials at NCC Group, a cybersecurity consultancy.

"Generally, OT protocols were designed when security was not so much of a consideration but the devices and infrastructure they run is deployed for a long lifetime and now there are business drivers to collect data from them and converge OT with IT, which is where the security challenges arise," he says.

In addition, Arrowsmith says that the amount of legacy infrastructure and breadth of the attack surface area continues to make securing water infrastructure challenging.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Leaky Cybersecurity Holes Put Water Systems at Risk

Secure by Demand offers a starting point for third-party risk management teams, but they need to take the essential step of using a mature software supply chain security solution to ensure they're not blindly trusting a provider's software.

Saša Zdjelar, Chief Trust Officer, ReversingLabs

November 22, 2024

5 Min Read

Source: Science Photo Library Alamy Stock Photo

COMMENTARY

In late June 2017, maritime giant A.P. Møller – Maersk was hit with a devastating software infection that affected "close to a fifth of the world's shipping capacity." 

As it turned out, the attack was not targeted at Maersk, but spun out of a regional "hot war" between Ukraine and Russia that saw a malware strain named "NotPetya" delivered to customers of a Ukrainian software company, with clients in the Ukraine and the rest of the world. The attack cost the global economy a whopping $10 billion in damages — the world's most costly cyber event to date.  

Seven years later, NotPetya is considered to be one of the most significant cyberattacks of our time. But this was not just a malware attack, but a software supply chain attack that exploited a commercial software update.  

In the years since, software supply chain attacks have taken center stage, with more incidents like NotPetya arising, including supply chain attacks on SolarWinds and the voice-over-IP firm 3CX. Also, Verizon's "2024 Data Breach Investigations Report" (DBIR) found that breaches stemming from third-party software development organizations increased by 68% from 2023. 

In response, the US Cybersecurity and Infrastructure Security Agency (CISA) released Secure by Design guidance in 2023. This move signaled to software producers the need to securely design their products, track and mitigate common vulnerabilities and exposures (CVEs), implement legacy AppSec tools, and enable protocols like multifactor authentication (MFA). But it wasn't until August 2024 that CISA released new Secure by Demand guidance that approaches this problem differently by empowering enterprise buyers to demand safer commercial software products from their suppliers, period.  

Secure by Demand is a good starting point for enterprise buyers looking to raise the bar for the firms that supply them business-critical software. However, it's imperative that these businesses go one step further. Here's why. 

**Software Assurance**

Secure by Demand targets several areas of software assurance: secure software development, vulnerability tracking and patching, authentication and logging, and software transparency. CISA hopes that enterprise consumers will ask commercial software vendors about each of these areas during the procurement process.

While these checks target key parts of software supply chain security, CISA's guidance should include more than a list of questions — not so different from the prevailing form of third-party risk management (TPRM), which relies heavily on questionnaires. Unfortunately, such an approach falls well short of providing genuine software assurance.

Instead, questionnaires leave major gaps in assessments of third-party cyber-risk, in that enterprise consumers will ask smart questions of commercial software vendors but won't possess the appropriate capabilities to verify their answers. That lapse leaves enterprise buyers vulnerable, requiring them to blindly trust the attestations of the mission-critical software products they rely on.  

The same can be said for software bills of materials (SBOMs), which Secure by Demand also recommends to enterprise buyers. SBOMs provide transparency in that they list a piece of software's components, which can include open source, proprietary, and third-party software. However, not listed in an SBOM are the calculated risks associated with third-party and commercial software products.  

Consider this: Neither a detailed SBOM nor a completed vendor security questionnaire would have thwarted the NotPetya attack, as customers were unaware of the existence of a Russian backdoor in the offending software update. So why should enterprise consumers take comfort from SBOMs and questionnaires alone when looking to protect their organizations? 

**Limited View of Supply Chain Risk**

It's true: Some of the checks recommended by CISA in its Secure by Demand guide include the vetting of open source software components used in commercial software products. CISA also calls for end-user organizations to determine how software vendors find, disclose, and patch vulnerabilities in their software. However, software supply chain risks extend well beyond these checks.  

Sophisticated cybercriminal and nation-state groups today are targeting commercial software by compromising build pipelines to insert malicious code, or by uncovering and abusing secrets lurking in application code. This is evident in the fact that the most detrimental software supply chain attacks to date did not occur due to cybercriminals exploiting open source components and vulnerabilities in software. Rather, they targeted commercial software directly, as was the case with NotPetya, 3CX, and more.  

**The Solution? Don't Trust — and Verify**

For enterprise buyers to ensure that the commercial software they are consuming is safe, they will need to independently validate the security of their mission-critical software. Doing so will require more than just asking vendors to answer a list of questions and provide an SBOM. Proper validation requires independently testing and verifying that software is free from malicious components (open source or commercial), critical vulnerabilities, malware, tampering, suspicious behaviors, and more — before, during, or after its deployment. 

Secure by Demand offers a solid starting point for TPRM teams. But they should then take the essential step of using a mature software supply chain security solution — one that provides comprehensive and independent software analysis, to ensure they are not blindly trusting their provider's software. Such a tool should also offer an actionable software risk assessment, which serves as a TPRM team's recipe for success when protecting their organization from such incidents.  

Having this level of control and verifiable evidence will allow enterprise consumers to verify the security and integrity of the mission-critical commercial software they rely on, even in the wake of the latest software supply chain attack. 

**About the Author**

Chief Trust Officer, ReversingLabs

Saša is the chief trust officer (CTrO) at ReversingLabs, and operating partner at Crosspoint Capital, with approximately 20 years of Fortune 10 global executive leadership experience. His CTrO scope includes leadership, oversight and governance of the CISO/CSO function, including product security, as well as partnering with other leaders on corporate and product strategy, strategic partnerships and research, and customer and technology advisory boards, including sponsoring the ReversingLabs CISO Council. Prior to ReversingLabs and Crosspoint Capital, Saša served as the senior vice president of security at Salesforce, where he led a global organization encompassing enterprise security, product security, offensive security, security engineering/automation, bug bounty programs, technical product/program/project management, and mergers and acquisitions. He also played a crucial role as the executive sponsor for strategic corporate security initiatives, such as zero trust.

Going Beyond Secure by Demand

The scale of Beijing's systematic tapping of private industry and universities to build up its formidable hacking and cyber-warfare capabilities is larger than previously understood.

Source: KaimDH via Shutterstock

Hundreds of private cybersecurity firms, technology services providers, and universities are helping China's state apparatus develop offensive cyber capabilities to support the country's strategic military, economic, and geopolitical goals, according to research released this week.

"The existence of state-sponsored threat groups operating under the Chinese state's direction has long been well documented," researchers at France's Orange Cyberdefense wrote in their report, based on eight months of analysis of China's cyber-offense capabilities. But any notions that these entities are strictly in government hands, especially given the authoritarian nature of China's government, are off base, the authors warned. "China's offensive cyber capabilities are, in fact, supported by a complex and multilayered ecosystem involving a broad array of state and non-state actors," they wrote.

Their findings provide deeper context on the troubling success that Chinese cyber actors have had infiltrating US critical infrastructure, breaching government, military, and business networks, not to mention theft of defense data, trade secrets, and intellectual property from American entities and others around the world.

**An Extensive Ecosystem**

The synergies have enabled quicker government access to cutting-edge technology and talent, especially in critical areas such as artificial intelligence (AI), big data analytics, 5G wireless, and cloud computing, says Dan Ortega, security strategist at Anomali. "China's collaboration between its tech companies and state entities has dramatically accelerated the development of its cyber-offensive capabilities," Ortega says. Importantly, it has also allowed the nation to scale state-sponsored cyber missions effectively. And that collaboration enables government access to vast data sets collected by companies, facilitating enhanced targeting and more-effective cyberattacks, he notes.

"China fosters formal and informal partnerships with tech firms through initiatives like the Military-Civil Fusion strategy, mandating companies to share their technological advancements and insights with the state," he says. A feedback loop exists in which innovations made in the private sector directly enhance state capabilities.

**Poised to Strike?**

The Orange report arrives as domestic concerns grow over Chinese cyberattacks on US entities, such as operations like Volt Typhoon's targeting of critical infrastructure organizations. Many in government and industry are convinced that Chinese groups have attained the presence they need on US networks to cause widespread disruption to domestic energy, telecommunications utilities, and technology services. Such concerns prompted the Office of the Director of National Intelligence (ODNI) to describe China as the "most active and persistent cyber threat to US government, private sector, and critical infrastructure networks," in its 2024 annual report.

Orange's research showed the four main government stakeholders responsible for building and executing China's cyber-offense capabilities are the People's Liberation Army (PLA), the Ministry of State Security (MSS), the Ministry of Public Security (MPS), and the Ministry of Industry and Information Technology (MIIT). Their multipronged efforts include actively recruiting or otherwise supporting private hackers and hacktivists in activities such as data theft, website defacement, and distributed denial-of-service attacks.

**Hundreds of Private Firms**

Under the current model, the government stakeholders are working with hundreds of private companies, both big and small, to carry out cyberattacks against foreign and domestic entities that are of strategic interest to Beijing, the Orange report noted. One example of big-player involvement in the report is Shanghai stock exchange-listed Integrity Technology Group (ITG), which the FBI has linked to the Flax Typhoon APT. Like ITG, many of China's top technology companies are also the state's biggest cyber contractors, according to Orange's report. "Enterprises such as ThreatBook, Qihoo360, and Qi An Xin not only provide defensive security solutions to public agencies but are also believed to indirectly contribute to offensive cyber operations."

At the other end of the spectrum are dozens of smaller and medium-size private entities that often act as subcontractors for the bigger companies and deliver a range of highly specialized services. One example is i-Soon, a 72-person Shanghai firm whose ties to the Chinese government emerged after a leak earlier this year. "These entities often act as subcontractors to the industry giants, filling the gap in their cyber offensive competencies and further fragmenting the hack-for-hire supply chain," Orange's researchers wrote. The company found that while in many instances, China's PLA, MSS, and others worked with legitimate private entities, others created shell companies that acted as fronts for procuring cyberattack infrastructure.

**Tapping Top Universities**

The Chinese government's efforts to rope in academic institutions began in earnest in 2017. Today many universities — including eight of the C9 League of China's top nine public universities — are engaged in state-sponsored cyber-offense research, according to Orange. Their contributions range from advanced research on the use of AI in cybersecurity to helping state operatives translate stolen documents and gathering open source intelligence.

Trey Ford, chief information security officer at Bugcrowd, says the willingness among Chinese companies to work for the government point up very different business norms in China. While organizations in countries like the US are beholden to fiduciary, legal, ethical, and privacy norms, those in China have a different set of obligations. "Communist government-backed organizations, aligned to formal Five-Year economic and military objectives, will have very different outcomes in mind, and can make different investments and sacrifices than capitalist businesses," he says.

Customer trust and user privacy are different context in China than in the US and other western nations, Ford says.  "Companies doing business in China must run their services in-country today. This includes the expectation of access to their systems, data, intellectual property — as well as their customers' data."

The continued expansion of China's cyber ecosystem will lead to more sophisticated attacks and better targeting of intellectual property and critical infrastructure through trusted business relationships, cautions Stephen Kowski, field chief technology officer at SlashNext Email Security+. "This model could enable more advanced supply chain compromises and social engineering attacks that bypass traditional security controls," Kowski says. "China's civil-military fusion model creates a seamless flow of technology and expertise between private sector innovations and state-sponsored cyber operations, enabling faster deployment of advanced attack techniques."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

China's Cyber Offensives Built in Lockstep With Private Firms, Academia

Building on its broad security portfolio, Microsoft's new exposure management is now available in the Microsoft Defender portal, with third-party-connectors on the way.

Source: Wavebreak Media ltd via Alamy Stock Photo

Microsoft is the latest big name to add continuous threat exposure management (CTEM) to its formidable security portfolio with the release of its new Microsoft Security Exposure Management offering. Microsoft made the announcement at its annual Microsoft Ignite conference this week.

Security experts describe CTEM, or proactive exposure management, as a programmatic and unified approach to detecting and mitigating threats. Gartner predicts that by 2026, organizations that embrace CTEM will see two-thirds fewer breaches.

Enterprise Strategy Group principal analyst Tyler Shields describes exposure management as the next iteration of vulnerability management.

"It's centered on the overlap of continuous asset discovery and management, threat and exposure analysis, and vulnerability discovery," Shields says. "If you can understand the assets you have, the state they are in, the vulnerabilities that exist, and the active threats against them, you are all prepared to secure your environment."

Microsoft initially introduced Security Exposure Management in March as a technical preview. It is now available in the Microsoft Defender portal, included with its E5 licenses, and as an option for various other Microsoft 365 licenses.

**Unified Views of Attack Surfaces**

With its entry, Microsoft seeks to enable defenders to prevent successful attacks by providing comprehensive and unified views of their organizations' broad attack surfaces, allowing them to take a more proactive approach to identifying and mitigating threats.

"Exposure management is critical for enabling teams to understand the posture of the organization, and it helps security teams see all the potential attack paths to critical assets as if they were looking through it, through the eyes of the attacker," said Vasu Jakkal, Microsoft's corporate VP for compliance, identity management, during the opening session at Ignite, which took place in Chicago.

The tooling is designed to identify attack paths and evaluate vulnerabilities in the context of an organization's critical assets in a more proactive and expansive manner than traditional vulnerability and threat detection offerings. Security Exposure Management uses Microsoft's new exposure graph APIs to identify attack paths and evaluate vulnerabilities in the context of critical assets.

Analysts say Microsoft's entry is poised to reshape the competitive environment of exposure management solutions offered by Cisco/Splunk, CrowdStrike, Palo Alto Networks Rapid7, Tenable, Trend Micro, and Wiz, as well as various others that provide more specialized capabilities.

"Exposure management is becoming an incredibly competitive market, and Microsoft is demonstrating that it wants to be a leader in this space," says Omdia principal analyst Andrew Braunberg.

Adds Forrester senior analyst Erik Nost, since Microsoft is initially allowing access to exposure management through a variety of licensing options, customers will have widespread access to insights.

"The data Microsoft possesses on existing customer environments without needing to ingest third-party data is the biggest opportunity for Microsoft to set it apart from competitors," Nost says. "Microsoft is building a platform that integrates a very broad set of security posture management telemetry."

**Building an Ecosystem of External Connections**

While the initial release is available and included with various Microsoft 365 and Microsoft Defender licenses and will ingest telemetry from those offerings, Microsoft announced it will enable integration with competing external third-party tools, including Qualys, Rapid7, Tenable, and ServiceNow's CMDB.

Microsoft released public preview versions of its third-party connectors, slated to become generally available next quarter.

Unlike Microsoft telemetry, which customers can ingest at no additional cost, they will incur charges to gather data from external sources, said Microsoft product director Brjann Brekkan, during a session on security exposure management at Ignite.

"We don't own that data," Brekkan explained. "We need to charge a little bit of cost to bring that third-party signal in, to attach those new data points from those services as well. But this is there for you to unify your data."

Security Exposure Management collects data through these connectors and normalizes it through its exposure graph, which maps relationships and exposes new attack paths. In a blog post, Brekkan said this provides "comprehensive attack surface visibility."

Microsoft exposure management also provides insights on the most critical assets, Internet exposure, and context related to business applications incorporated from the connected tools. Customers can view the integrated data, which can be visualized through the Attack Map tool or analyzed using advanced hunting queries via KQL (Kusto Query Language), Microsoft's Azure-based tool designed to identify anomalies in large data sets.

The offering now consists of three primary tools:

*   Attack Surface Management: Defenders have access to continuous views of their organization's attack surface. Notably, the tool identifies the most critical assets and those that are the prime targets of attackers
    
*   Attack Path Analysis: Security teams can visualize and prioritize high-risk attack paths, particularly those targeting those critical assets
    
*   Unified Exposure Insights: Administrators can view their organization's threat exposure, allowing them to prioritize risks and tie remediation priorities with business imperatives.
    

Omdia's Braunberg says it remains to be seen how many customers will build their exposure management strategies around Microsoft's offering, it is likely many will evaluate it, especially considering its potentially low cost.

"As per Microsoft's usual playbook, exposure management is attractive because it pulls together a lot of existing Microsoft functionality into an integrated solution with small incremental costs," he says.

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Microsoft Highlights Security Exposure Management at Ignite

MITRE and CISA's 2024 list of the 25 most dangerous software weaknesses exposes the need for organizations to continue to invest in secure code.

Source: Sergey Tarasov via Alamy Stock Photo

Although a new methodology shook up the rankings of this year's most dangerous software bugs, the classic persistent threats still proved to be the biggest risk to organizations, reinforcing the need for continued focus on — and investment in — secure code.

The annual Common Weakness Enumeration (CWE) list is compiled by MITRE and the Cybersecurity and Infrastructure Agency (CISA). This year, for the first time, their formula included both severity and frequency of the flaws.

"Weaknesses that were rarely discovered will not receive a high frequency score, regardless of the typical consequence associated with any exploitation," the list's methodology page explained. "Weaknesses that are both common and caused significant harm will receive the highest scores."

The year's top weaknesses, according to the 2024 CWE list, was cross-site scripting (second last year), followed by out-of-bounds write (2023's winner), SQL injection (also third last year), cross-site request forgery (CSRF) (ninth in 2023), and path traversal (eighth last year).

"While we see a bit of movement in rankings throughout the list for sure, we also continue to see the presence of the 'usual suspects' (e.g., CWE-79, CWE-89, CWE-125)," says Alec Summers, the project leader for the CVE Program at MITRE and one of the list's authors. "It’s an ongoing concern that these and other stubborn weaknesses remain high on the Top 25 consistently."

The only real curveball in this year's rankings, he points out, was CRSF rising from the ninth spot last year to fourth in 2024. "This might reflect a greater emphasis on CSRF by vulnerability researchers or maybe there are improvements in CSRF detection, or maybe more adversaries are focusing on this kind of issue. We can’t be completely sure why it jumped the way it did," Summers says.

As the software development life cycle (SDLC) and software supply chain become more labyrinthine every year, and everyday software flaws continue to proliferate, it's increasingly important for organizations get a handle on their systems before everyday weaknesses become something more sinister, he recommends.  
"Looking at the Top 25, organizations are strongly encouraged to review and leverage the list as a guiding resource for shaping their software security strategies," Summers says. "By prioritizing them in both development and procurement processes, organizations can more proactively address risk."

**Shoring Up the Software Supply Chain Starts at Home**

Those efforts likewise should extend across the software supple chain, Summers adds.

"It's becoming more and more important for organizations to adopt and demand their suppliers adopt root cause mapping CVE with CWE," he urges. "This encourages a valuable feedback loop into an organization's SDLC and architecture design planning, which in addition to increasing product security can also save money: The more weaknesses avoided in your product development, the less vulnerabilities to manage after deployment."

In addition to incorporating a new methodology for determining which software flaws posed the most risk, 2024 was the first year the full community of CVE Numbering Authorities (CNAs) contributed to the CWE Program's effort. In total 148 CNAs helped develop this year's list, according to the CWE Project. Currently there are 421 CNAs across 40 countries, according to CVE.org.

Cross-Site Scripting Is 2024's Most Dangerous Software Weakness

PRESS RELEASE

PALO ALTO, Calif., Nov. 19, 2024 /PRNewswire/ -- As artificial intelligence (AI) continues to revolutionize industries, the cybersecurity field faces a dual-edged sword of opportunities and threats. StrongDM's latest report, "The State of AI in Cybersecurity," highlights the growing concerns and readiness of cybersecurity professionals to tackle AI-driven challenges. Based on a survey of 600 cybersecurity professionals, the report sheds light on pressing issues around AI regulation, perceived threats, defense confidence, and the future of the cybersecurity workforce.

Key Findings from the Survey:

*   Regulation Concerns: 76% of cybersecurity professionals believe AI should be "heavily regulated" to prevent misuse, underscoring the need for balance between safety and innovation.
    
*   AI-Driven Threats: A significant 87% of respondents expressed concerns about AI-driven cyberattacks, with malware (33%) and data breaches (30%) ranking as top threats.
    
*   Preparedness Levels: Only 33% of professionals feel "very confident" in their current defenses, and 65% of companies admit they are not fully prepared for AI-powered attacks.
    
*   Workforce Impact: Despite challenges, two-thirds of respondents feel optimistic about AI's potential to enhance, rather than replace, jobs in cybersecurity.
    

A Call for Regulation Amid Rapid AI Growth: The report reveals that 76% of surveyed professionals support "heavy regulation" of AI to mitigate potential risks. However, 15% worry that excessive oversight could stifle innovation. This underscores a need for balanced regulations that ensure security while fostering technological advancement.

Growing Concern Over AI-Powered Attacks: AI's potential to enable new attack vectors is top of mind for cybersecurity professionals, with 87% citing concern over AI-driven threats. Malware and data breaches emerged as the leading AI-powered concerns, with 33% and 30% of respondents, respectively, indicating their apprehension over these types of attacks.

Confidence Levels Are Low, but Hope Persists: The report highlights a stark contrast in preparedness, as only 33% of respondents expressed being "very confident" in their current defenses against AI threats. Meanwhile, 46% felt "somewhat confident," and 17% admitted their organizations were not ready for AI-driven attacks. These findings emphasize an urgent call for stronger strategies and investments to bolster AI-specific defenses.

Companies Playing Catch-Up: StrongDM's research found that 65% of respondents admitted their organizations are not fully prepared for AI-driven threats. While 32% of companies are actively investing in AI defenses, 48% say there's still much to be done to close the gap.

AI's Mixed Impact on the Cybersecurity Workforce: Despite the concerns surrounding AI, two-thirds of cybersecurity professionals maintain an optimistic outlook on the technology's impact on their jobs. 40% believe AI will enhance job roles without replacing them, and 25% foresee the creation of new job opportunities. Nonetheless, 30% expressed fears of job replacement, showcasing the nuanced views professionals hold on AI's future role in the workforce.

Complete Study Results: https://www.strongdm.com/blog/state-of-ai-in-cybersecurity-report

Methodology 

The report is based on a survey conducted in October 2024, targeting 600 US-based cybersecurity professionals. The survey was completed online via Pollfish, and responses were random, voluntary, and completely anonymous.

About StrongDM 

StrongDM is at the forefront of cybersecurity, specializing in Zero Trust Privileged Access Management (PAM). Our innovative solutions focus on continuous, policy-based controls that leverage actions and context to enhance enterprise security. StrongDM's technology scrutinizes each interaction in real time, preventing breaches before they occur and ensuring secure, frustration-free access across all platforms.

Supported by leading investors, including GV, Sequoia Capital, True Ventures, and Anchor Capital, StrongDM operates across North America, Europe, and Asia-Pacific, dedicated to setting new standards in cybersecurity and providing top-tier protection for today's digital enterprises.

For more information, visit the StrongDM website.

Study Finds 76% of Cybersecurity Professionals Believe AI Should Be Heavily Regulated

PRESS RELEASE

AUCKLAND, New Zealand and READING, UK – November 19, 2024 – Endace, the world leader in packet capture, announces the formation of a new company in the Kingdom of Saudi Arabia to continue expansion in the Middle East, further demonstrating Endace’s commitment to the Middle East Region.

Having successfully deployed a number of very large infrastructure projects in the Kingdom of Saudi Arabia (KSA) and the United Arab Emirates, Endace is expanding its footprint in the region with the establishment of a new Middle East Regional Headquarters – Endace Arabia LLC – located in Riyadh, Kingdom of Saudi Arabia. Endace will build a local team to assist customers in the Middle East to secure their mission critical networks by leveraging Endace’s Always-On packet capture.

“This is an extremely significant market,” says Endace CEO, Stuart Wilson. “Endace products are already deployed in mission-critical networks across the Globe to secure critical infrastructure against cyberattacks. With our close partnership with StarLink we are uncovering strong growth opportunities for Endace capabilities in Defense, Government, Critical Infrastructure and Enterprise across the Middle East region.”

“It’s encouraging to see organizations in the Middle East recognizing the critical importance of cybersecurity and prioritizing investments to implement the foundations of robust cyber defense for critical infrastructure. They are not only adopting but in many cases actually defining global best practice,” Wilson says.  “StarLink has proven to be a fantastic partner in the region, providing local expertise and broad reach in promoting the adoption of Endace technology.”

“StarLink and Endace have been collaborating strategically in Saudi from the very first project.  With Endace now incorporated and expanding its local team, we can jointly provide this critical technology for cyber defense to a much wider set of customers across the region.  We are looking forward to a closer and stronger collaboration,” says Mohammad Abou Okdeh, Regional Director for KSA at StarLink Saudi Arabia.

About Endace

Endace’s scalable, always-on packet capture gives Network Operations and Security teams the deep visibility they need for fast, accurate incident investigation with rich forensic evidence at their fingertips from all their tools. EndaceProbes provide enterprise-class packet sniffing in on-prem, public and private cloud environments, with rapid, centralized search and one-click access to full pcap data from leading security and performance solutions (including Palo Alto Networks, Fortinet, Cisco, Splunk, Elastic, and many others). Analyze network traffic using a single, unified console across all on-premise, private, or public cloud infrastructure for total hybrid cloud visibility.  Capture every packet. See every threat. www.endace.com

Endace Establishes Middle East Regional Headquarters in Saudi Arabia

PRESS RELEASE

TEMPE, Ariz. and PRAGUE, Nov. 21, 2024 /PRNewswire/ -- Norton, a leading Cyber Safety brand of Gen™ (NASDAQ: GEN), has launched the new Norton Small Business Premium, an all-in-one, easy-to-use cybersecurity plan specifically designed for entrepreneurs and small businesses. In addition to powerful device security, Norton Small Business Premium features 24/7 Business Tech Support, Financial Monitoring, Social Media Monitoring and more.

"More than half (56%)\* of small business owners report that cybersecurity threats impact their business. Unfortunately, not enough of these entrepreneurs and small businesses have cybersecurity in place, often due to their cost and complexity," said Leena Elias, Chief Product Officer at Gen. "Norton Small Business Premium not only takes the work out of securing your business, we also help when other IT issues crop up."

Cybersecurity is crucial for businesses to protect their sensitive data, networks, and digital assets from cyberthreats that can lead to unauthorized access to company networks, data breaches, financial losses, and reputation damage. To help protect businesses where they need it most, Norton Small Business Premium includes features such as:

*   24/7 Business Tech Support: Subscriptions include access to Norton experts five time as year. These experts are available 24/7 for remote IT support on your devices, network, and software.
    
*   Financial Monitoring: Get alerts so you can act quickly if we detect suspicious transactions on your company's bank accounts.   
    
*   Social Media Monitoring: Prevent your business social media profiles from being taken over by regularly monitoring for suspicious activities on your accounts. 
    
*   Device Security: Real-time antivirus helps protect your devices, and our firewall\* helps block cybercriminals from accessing your network.
    
*   Secure VPN: Work online and access websites more safely at home or on the go with bank-grade VPN encryption.
    
*   Additional features include Password Manager, Cloud Backup, performance enhancements and more.
    

Norton Small Business Premium doesn't require an IT specialist or cybersecurity knowledge to use. It's easy to install and runs seamlessly in the background on Windows, Mac, Android, and iOS, allowing you to focus on your business without slowing down operations. 

Norton recommends 10 tips for small business Cyber Safety: 

1.  Learn to spot signs of phishing and teach your employees
    
2.  Only click links or download attachments from known sources
    
3.  Avoid sharing personal information or private company data over email
    
4.  Always keep your operating system, applications, and drivers up-to-date
    
5.  Make sure your WiFi network is protected with a strong password
    
6.  Regularly back up your data
    
7.  Require employees to use a VPN when doing company work on a public WiFi network (think airports and coffee shops)
    
8.  Always use multi-factor-authentication for an extra layer of protection
    
9.  Don't neglect mobile devices – make sure they are password protected and use security software
    
10.  Invest in a cybersecurity solution such as Norton Small Business Premium
    

Norton Small Business Premium is available now with prices starting at $299.99/year with options for 6, 10 or 20-device plans. For more information, please visit norton.com/products/small-business.

About Norton   
Norton is a leading Cyber Safety brand of Gen™ (NASDAQ: GEN), a global company dedicated to powering Digital Freedom through its family of trusted consumer brands including Norton, Avast, LifeLock, Avira, AVG, ReputationDefender and CCleaner. Gen empowers people to live their digital lives safely, privately, and confidently today and for generations to come. Gen brings award-winning products and services in cybersecurity, online privacy and identity protection to more than 500 million users in more than 150 countries. Learn more at Norton.com and GenDigital.com.

You May Also Like

Norton Introduces Small Business Premium for Business-Grade Security

The ONNX infrastructure has been servicing criminal actors as far back as 2017.

Source: Eric D ricochet69 via Alamy Stock Photo

Microsoft seized 240 domains belonging to ONNX, a phishing-as-a-service platform that enabled its customers to target companies and individuals since 2017.

ONNX was the top adversary-in-the-middle (AitM) phishing service, according to Microsoft's "Digital Defense Report 2024," with a high volume of phishing messages during the first six months of this year. Millions of phishing emails targeted Microsoft 365 accounts each month, and Microsoft has apparently had enough.

ONNX promoted and sold phishing kits on Telegram using a subscription service model, which ranged from $150 to $550 a month.

"The fraudulent ONNX operation offered phishing kits designed to target a variety of companies across the technology sector, including Google, Dropbox, Rackspace, and Microsoft," Microsoft said in its statement.

The attacks themselves are controlled through Telegram bots and come with built-in, two-factor authentication (2FA) bypass mechanisms. As of late, QR code phishing, also known as quishing, has also been enabled, targeting financial firms' employees. ONNX uses bulletproof hosting services that allow delays in phishing domain takedowns, as well as encrypted JavaScript code that decrypts itself, all of which allows them to be highly effective in carrying out attacks and evading detection.

"While today's legal action will substantially hamper the fraudulent ONNX's operations, other providers will fill the void, and we expect threat actors will adapt their techniques in response," stated Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit. "However, taking action sends a strong message to those who choose to replicate our services to harm users online: we will proactively pursue remedies to protect our services and our customers and are continuously improving our technical and legal strategies to have greater impact."

A full list of the 240 domains that were seized is available online.

**About the Author**

Microsoft Takes Action Against Phishing-as-a-Service Platform

PRESS RELEASE

New York City, NY. November 21, 2024 – Apono, the leader in privileged access for the cloud, today announced an update to the Apono Cloud Access Platform that enables users to automatically discover and revoke standing access to resources across their cloud environments. Users can then create guardrails for sensitive resources, allowing Apono to process and assess access requests, and quickly provide Just-in-Time, Just-Enough access to users when needed. Today’s update will be available across all three major cloud service providers, with AWS being the first to launch, followed by Azure and Google Cloud Platform. 

“Today’s update enriches the Apono Cloud Access Platform’s unique combination of automated discovery, assessment, management, and enforcement capabilities,” said Rom Carmel, CEO and Co-founder of Apono. “With deep visibility across the cloud, seamless permission revocation, and automated Just-in-time, Just-Enough Access, we eliminate one of the largest risks organizations face while ensuring development teams can innovate rapidly with seamless access within secure guardrails. This powerful combination is essential for modern businesses, unlocking a new level of security and productivity for our customers.” 

Standing access within the cloud has long been a prime target for cybercriminals, enabling them to swiftly escalate both horizontally and vertically during a breach. However, security teams have lacked complete visibility over existing standing access, leaving critical vulnerabilities across the user base. Additionally, security teams have been reluctant to revoke existing standing access due to the risk of impacting users' day-to-day needs, which can ultimately lead to significantly hampering business operations across the organization.  

Today’s update allows users to overcome this challenge by enabling security teams to: 

Gain complete visibility over user permissions, identifying 100% of standing user entitlements in the cloud and where high-risk, standing privileges exist. 

Confidently and seamlessly remove 95% of standing entitlements without impacting business operations.  

Use critical insights on high-risk permissions to inform remediation plans, guide administrators in establishing access flows, and automatically grant Just-in-Time, Just-Enough access to cloud resources for only the required duration before access is revoked again. 

“Over-privileged access is one of the most significant risks to identity security that organizations face today, and it's made even more challenging to manage by expanding cloud environments. At the same time, to keep pace, organizations need to grant permissions dynamically to support day-to-day work. This creates a complex obstacle: how can an organization grant the necessary access for productivity while also enhancing its identity security?” said Simon Moffatt, Founder and Analyst, The Cyber Hut, “With this in mind, delivering Just-in-Time and Just-Enough Access across cloud services should be the goal of modern identity management. An approach to solve this will help companies significantly reduce their attack surface while ensuring a seamless access experience for their workforce.” 

Apono will provide in-person demonstrations of today's update and the complete Apono Cloud Access Platform at AWS re:Invent from December 2-6. Click here to learn more.  

For more information, visit the Apono website here: www.apono.io. 

You May Also Like

Source

DARKReading