CISOs understand the risk scenarios that can help create safeguards so everyone can use AI safely and focus on the technology's promises and opportunities.

Lucas Moody, Chief Information Security Officer, Alteryx

November 13, 2024

4 Min Read

Source: Andreas Prott via Alamy Stock Photo

COMMENTARY

No one wants to miss the artificial intelligence (AI) wave, but the "fear of missing out" has leaders poised to step onto an already fast-moving train where the risks can outweigh the rewards. A PwC survey highlighted a stark reality: 40% of global leaders don't understand the cyber-risks of generative AI (GenAI), despite their enthusiasm for the emerging technology. This is a red flag that could expose companies to security risks from negligent AI adoption. This is precisely why a chief information security officer (CISO) should lead in AI technology evaluation, implementation, and governance. CISOs understand the risk scenarios that can help create safeguards so everyone can use the technology safely and focus more on AI's promises and opportunities. 

**The AI Journey Starts With a CISO **

Embarking on the AI journey can be daunting without clear guidelines, and many organizations are uncertain about which C-suite executive should lead the AI strategy. Although having a dedicated chief AI officer (CAIO) is one approach, the fundamental issue remains that integrating any new technology inherently involves security considerations. 

The rise of AI is bringing security expertise to the forefront for organizationwide security and compliance. CISOs are critical to navigating the complex AI landscape among emerging new regulations and executive orders to ensure privacy, security, and risk management. As a first step to an organization's AI journey, the CISOs are responsible for implementing a security-first approach to AI and establishing a proper risk management strategy via policy and tools. This strategy should include:   

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

*   Aligning AI goals: Establish an AI consortium to align stakeholders and the adoption goals with your organization's risk tolerance and strategic objectives to avoid rogue adoption.  
    

*   Collaborating with cybersecurity teams: Partner with cybersecurity experts to build a robust risk evaluation framework.  
    

*   Creating security-forward guardrails: Implement safeguards to protect intellectual property, customer and internal data, and other critical assets against cyber threats.  
    

**Determining Acceptable Risk **

Although AI has plenty of promise for organizations, rapid and unrestrained GenAI deployment can lead to issues like product sprawl and data mismanagement. Preventing the risk associated with these problems requires aligning the organization's AI adoption efforts.  

CISOs ultimately set the security agenda with other leaders, like chief technology officers, to address knowledge gaps and ensure the entire business is aligned on the strategy to manage governance, risk, and compliance. CISOs are responsible for the entire spectrum of AI adoption — from securing AI consumption (i.e., employees using ChatGPT) to building AI solutions. To help determine acceptable risk for their organization, CISOs can establish an AI consortium with key stakeholders that work cross-functionally to surface risks associated with the development or consumption of GenAI capabilities, establish acceptable risk tolerances, and act as a shared enforcement arm to maintain appropriate controls on the proliferation of AI use. 

Related:Varonis Warns of Bug Discovered in PostgreSQL PL/Perl

Suppose the organization is focused on securing AI consumption. In that case, the CISO must determine how employees can and cannot use the technology, which can be whitelisted or blacklisted or more granularly managed with products like Harmonic Security that enable a risk-managed adoption of SaaS-delivered GenAI tech. On the other hand, if the organization is building AI solutions, CISOs must develop a framework for how the technology will work. In either case, CISOs must have a pulse on AI developments to recognize the potential risks and stack projects with the right resources and experts for responsible adoption. 

Related:The Vendor's Role in Combating Alert Fatigue

**Locking in Your Security Foundation  **

Since CISOs have a security background, they can implement a robust security foundation for AI adoption that proactively manages risk and establishes the correct barriers to prevent breakdowns from cyber threats. CISOs bridge the collaboration of cybersecurity and information teams with business units to stay informed about threats, industry standards, and regulations like the EU AI Act.  

In other words, CISOs and their security teams establish comprehensive guardrails, from assets management to robust encryption techniques, to be the backbone of secure AI integration. They protect intellectual property, customer and internal data, and other vital assets. It also ensures a broad spectrum of security monitoring, from rigorous personnel security checks and ongoing training to robust encryption techniques, to respond promptly and effectively to potential security incidents. 

Remaining vigilant about the evolving security landscape is essential as AI becomes mainstream. By seamlessly integrating security into every step of the AI life cycle, organizations can be proactive against the rising use of GenAI for social engineering attacks, making distinguishing between genuine and malicious content harder. Additionally, bad actors are leveraging GenAI to create vulnerabilities and accelerate the discovery of weaknesses in defenses. To address these challenges, CISOs must be diligent by continuing to invest in preventative and detective controls and considering new ways to disseminate awareness among the workforces.   

**Final Thoughts  **

AI will touch every business function, even in ways that have yet to be predicted. As the bridge between security efforts and business goals, CISOs serve as gatekeepers for quality control and responsible AI use across the business. They can articulate the necessary ground for security integrations that avoid missteps in AI adoption and enable businesses to unlock AI's full potential to drive better, more informed business outcomes.    

**About the Author**

Chief Information Security Officer, Alteryx

Lucas Moody is chief information security officer (CISO) at Alteryx and is focused on protecting Alteryx products, customers, and the business from cyber threats. Lucas is a technical security leader with extensive experience spanning enterprise and consumer software companies across the technology, financial, social networking, and retail sectors. He is a global-minded executive noted for his ability to drive security outcomes while enabling growing businesses to accelerate. His passion for technology, security, and building amazing teams has helped companies thrive during periods of hyper-growth and change.

How CISOs Can Lead the Responsible AI Charge

Despite having only a scant focus on cybersecurity regulations a decade ago, countries in the Middle East — led by Saudi Arabia and other Gulf nations — have adopted mature frameworks and regulations amid escalating volumes of attacks.

Source: KamilSD via Alamy Stock Photo

The increase in cyber operations, disruptive attacks, and hacktivism in the Middle East has led the region's largest nations to pursue more sophisticated cybersecurity laws and frameworks over the past decade, leading to a dynamic regulatory landscape that companies need to navigate moving forward, according to regional experts.

Efforts to move their nations beyond the traditional petrochemical-based economies to a knowledge-based future have led Middle East nations to invest heavily in digital and cloud technologies over the past two decades. The result: Cyberattacks and cybercriminal operations have increased in the region. In reaction, countries such as Qatar, Saudi Arabia, and Oman all have developed mature regulatory regimes based on international standards, Cisco stated in a recent analysis of Middle East regulatory frameworks.

The goal of the effort is for countries to protect their valuable investments in the future from the dangers highlighted by destructive attacks and geopolitical tensions, says Yuri Kramarz, a principal engineer leading the global Incident response practice at Cisco's Talos threat intelligence group.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larson from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

Related:Southeast Asian Cybercrime Profits Fuel Shadow Economy

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

"As various states started to diversify from traditional sources of income to a digital economy, they realized that technology adoption plays a crucial role in their economies as both a source of revenue and employment," he says. "It was not until the late 2000s and early 2010, when attacks became increasingly sophisticated, that countries began to take notice."

Yet, once the cyber danger was identified, the regional governments swung into action, with Saudi Arabia and the United Arab Emirates (UAE) leading the way, according to business consultancy Oliver Wyman. While Middle East nations have made significant strides, they do have to overcome a variety of factors, including uneven enforcement and the migration of talent away from the region, Souheil Moukaddem, global head of cyber risk at Oliver Wyman, stated in a video interview.

Related:Ransomware Gangs Pummel Southeast Asia

"A global problem, \[which is\] particularly exacerbated in the Middle East, \[is\] the shortage of cyber talent," he said. "And what you see really is, as the professionals become more experienced, they tend to migrate to other geographies where the pay is better, and the jobs are better."

**Mideast Plays Catch Up**

In 2014, nations in the Middle East began establishing cybersecurity and data-protection frameworks following a series of critical cybersecurity attacks, such as the Stuxnet attack and the Shamoon wiper. Recent tensions in the Middle East have driven even more advanced hacktivism, denial-of-service attacks, and supply chain compromises, including Israel's cyber-physical attack using exploding pagers.

Cisco's Kramarz points to the Shamoon wiper attacks as an example of the type of threats that have driven the change in perceptions of cybersecurity in the Middle East. Despite its lack of sophistication, the Shamoon wiper virus crashed more than 30,000 workstations at Saudi Arabia's state-owned oil giant, Saudi Aramco.

"As we have seen, the economy of an entire country can be impacted by a cybersecurity attack," he says.

As international tensions in the region have escalated, many countries in the Gulf Cooperative Council (GCC) have developed national cybersecurity strategies using international regulatory frameworks and standards and establishing a minimum set of security controls — especially in critical sectors, says Koroush Tajbakhsh, a director in the cybersecurity practice at FTI Consulting, based in Dubai.

Related:India's Critical Infrastructure Suffers Spike in Cyberattacks

"In the face of increasing cyber warfare, GCC countries have responded by bolstering regional cyber alliances, conducting joint cybersecurity drills, and fostering intelligence-sharing initiatives, though political tensions can complicate cooperation," he says.

**Standardized Approach Pays Off**

Companies that already use standards from the United States' National Institute of Standards and Technology, the European Union's General Data Protection Directive, or the global International Organization for Standardization are already well along in meeting most of the cybersecurity controls required by nations in the Middle East, Cisco's Kramarz says.

"Most country-level standards and frameworks are built on top of these well-known standards," he says. "However, companies must also pay attention to the specific requirements in each country, particularly around data localization, incident reporting, and compliance with sector-specific regulations that might often be only available through regulatory bodies who add additional frameworks on top of existing country-level regulations and laws."

However, enforcement of the regulations can be uneven — often due to a lack of expertise about newly passed laws or a failure to establish offices for data authorities — which poses problems for companies looking to prioritize their efforts. In addition, the lack of enforcement contributes to sometimes spotty responses to data breaches, says FTI Consulting's Tajbakhsh.

"Effectively responding to cybercrime and data breaches is not as much about gaps in local data protection legislation as it is about their effective enforcement," he says. "While laws exist, cross-border enforcement will remain a challenge when looking to prosecute foreign agents or international crime syndicates, as this would require local data offices responsible for enforcing laws locally to reach a level of operational maturity that also includes cross-border data sharing."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Middle East Cybersecurity Efforts Catch Up After Late Start

The November 2024 Patch Tuesday update contains a substantially high percentage of remote code execution (RCE) vulnerabilities (including a critical issue in Windows Kerberos), and two other zero-day bugs that have been previously disclosed and could soon come under attack.

Source: Rix Pix Photography via Shutterstock

Attackers are already actively exploiting two vulnerabilities for which Microsoft issued patches on Nov. 12 as part of its monthly security update. And they could soon begin targeting two other publicly disclosed, but as yet unexploited, flaws.

The four zero-day bugs are among a set of 89 common vulnerabilities and exposures (CVEs) that Microsoft addressed in November's Patch Tuesday. The batch contains a substantially high percentage of remote code execution (RCE) vulnerabilities, in addition to the usual collection of elevation of privileges flaws, spoofing vulnerabilities, security bypass, denial-of-service issues, and other vulnerability classes. Microsoft identified eight of the flaws as issues that attackers are more likely to exploit, though researchers pointed to other flaws as well that are of likely of high interest to adversaries.

**Microsoft Adopts CSAF Standard**

Along with the November security update, Microsoft also announced its adoption of Common Security Advisory Framework (CSAF), an OASIS standard for disclosing vulnerabilities in machine-readable form. "CSAF files are meant to be consumed by computers more so than by humans," Microsoft said in a blog post. It should help organizations accelerate their vulnerability response and remediation processes, the company noted.

"This is a huge win for the security community and a welcome addition to Microsoft’s security pages," said Tyler Reguly, associate director of security R&D at Fortra, via email. "This is a standard that has been adopted by many software vendors and it is great to see that Microsoft is following suit."

**Zero-Day Bugs Under Active Exploit**

One of the zero-day bugs that attackers are already actively exploiting is CVE-2024-43451 (CVSS 6.5 out of 10), a flaw that discloses a user's NTLMv2 hash for validating credentials in Windows environments. The hashes allow attackers to authenticate as legitimate users, and access applications and data to which they have permissions. The vulnerability affects all Windows versions and requires minimal user interaction to exploit. Merely selecting or inspecting a file could trigger the vulnerability, Microsoft warned.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

"To my knowledge, it's the third such vulnerability that can disclose a user's NTLMv2 hash that was exploited in the wild in 2024," Satnam Narang, senior staff engineer at Tenable, wrote in an emailed comment. The other two are CVE-2024-21410 in Microsoft Exchange Server from February, and CVE-2024-38021 in Microsoft Office from July.

"One thing is certain," according to Narang. "Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes."

The second bug under active exploit in Microsoft's latest update is CVE-2024-49039 (CVSS 8.8), a Windows Task Scheduler elevation of privilege bug that allows an attacker to execute remote procedure calls (RPC) normally available only to privileged accounts.

"In this case, a successful attack could be performed from a low privilege AppContainer," Microsoft said. "The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment."

The fact that it was Google's Threat Analysis Group that discovered and reported this flaw to Microsoft suggests that the attackers currently exploiting the flaw are either a nation-state-backed group or other advanced persistent threat actor, Narang said.

"An attacker can perform this exploit as a low-privileged AppContainer and effectively execute RPCs that should be available only to privileged tasks," added Ben McCarthy, lead cybersecurity engineer at Immersive Labs, via email. "It is unclear what RPCs are affected here, but it could give an attacker access to elevate privileges and execute code on a remote machine, as well as the machine in which they are executing the vulnerability."

**Previously Disclosed but Unexploited Zero-Days**

One of the two already disclosed — but not yet exploited — zero-days is CVE-2024-49019 (CVSS 7.8), an elevation-of-privilege vulnerability in Active Directory Certificate Services that attackers could use to gain domain administrator access. Microsoft's advisory listed several recommendations for organizations to secure certificate templates, including removing overly broad enrollment rights for users or groups, removing unused templates, and implementing additional measures to secure templates that allow users to specify a subject in the request.  

Microsoft is tracking the other publicly disclosed but unexploited flaw as CVE-2024-49040 (CVSS 7.5), a Windows Exchange Server spoofing flaw. "The primary issue lies in how Exchange processes ... headers, enabling attackers to construct emails that falsely appear to be from legitimate sources," Mike Walters, president and co-founder of Action1, wrote in a blog post. "This capability is particularly useful for spear phishing and other forms of email-based deception."

**RCE Security Bugs Have a Big Month**

Nearly 60% of the bugs — 52 of 89 — that Microsoft disclosed in its November update are RCE vulnerabilities that allow remote attackers to execute arbitrary code on vulnerable systems. Some allow for unauthenticated RCE, while others require an attacker to have authenticated access to exploit the bug. Most of the RCEs in Microsoft's latest update affect various versions of MS SQL Server. Other impacted technologies include MS Office 2016, MS Defender for iOS, MS Excel 2016, and Windows Server 2012, 2022, and 2025, said Will Bradle, security consultant at NetSPI, in an emailed statement.

Among the most critical of the RCEs, according to Walters, is CVE-2024-43639 in Windows Kerberos. The bug has a near-maximum CVSS severity score of 9.8 of 10 because, among other things, an unauthenticated attacker can exploit it remotely. Microsoft itself has assessed the bug as something that attackers are less likely to exploit. But putting it on the back burner for that reason could be a mistake.

"Kerberos is a fundamental component of Windows environments, crucial for authenticating user and service identities," Walters added. "This vulnerability turns Kerberos into a high-value target, allowing attackers to exploit the truncation flaw to craft messages that Kerberos fails to process securely, potentially enabling the execution of arbitrary code."

Bradle pointed to CVE-2024-49050 in Visual Studio Code Python Extension as another RCE in this month's set that merits priority attention. "The extension currently has over 139 million downloads and is affected by an RCE vulnerability with a base CVSS score of 8.8," he said. "Microsoft has patched the VSCode extension, and updates should be installed immediately."

Immersive Labs' McCarthy also identified multiple other flaws that organizations would do well to address quickly. They include the critical CVE-2024-43498 (CVSS 9.8), an RCE in .NET and Visual Studio; CVE-2024-49019 (CVSS 7.8), an Active Directory privilege escalation flaw; CVE-2024-49033 (CVSS 7.5), a Microsoft Word security bypass flaw; and CVE-2024-43623 (CVSS 7.8), a privilege escalation flaw in the Windows NT OS kernel that enables attacker to gain system level access on affected systems. Importantly, Microsoft has assessed the latter vulnerability as one that attackers are more likely to exploit.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

2 Zero-Day Bugs in Microsoft's Nov. Update Under Active Exploit

The data leak was not actually due to a breach in Amazon's systems but rather that of a third-party vendor; the supply chain incident affected several other clients as well.

Source: Ian Dagnall via Alamy Stock Photo

Amazon has confirmed that its employees' data was exposed on a cybercrime forum due to the now-infamous MOVEit vulnerability.

The vulnerability, tracked as CVE-2023-34362, was discovered last year in the MOVEit file transfer software. The flaw allows hackers to bypass authentication on unpatched systems in order to access files, and it has affected thousands of organizations to date.

An Amazon spokesperson said that Amazon and AWS systems are secure and that its systems have not experienced a security breach. The "security event" actually occurred at a third-party property-management vendor, and several other customers it worked with in addition to Amazon were also affected, the person said. The type of compromised information includes work email addresses, desk phone numbers, and building locations.

"Amazon's recent data breach, traced back to a third-party vendor's use of the MOVEit tool, is another wake-up call for the supply chain's hidden vulnerabilities," Ferhat Dikbiyik, chief research and intelligence officer at Black Kite, wrote in an emailed statement to Dark Reading. "The MOVEit flaw initially hit hundreds, but the shockwave extended across 2,700+ organizations as the ripple effects reached third- and even fourth-party vendors. We've identified over 600 MOVEit servers that were likely caught in this 'spray' attack — leaving a vast field of potential targets."

Cybercrime intelligence company Hudson Rock referred to the fallout of the bug as one of the most substantial leaks of corporate information last year; and authors of the "Verizon Data Breach Investigation Report (DBIR)" in February noted that breaches attributable to MOVEit were so numerous that they skewed its statistics for the year.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Amazon Employee Data Compromised in MOVEit Breach

The essays are to focus on the impact that artificial intelligence will have on European policy.

Source: Deco via Alamy Stock Photo

The Munich Security Conference is partnering with the European Cyber Conflict Research Initiative's Binding Hook on the AI-Cybersecurity Essay Prize Competition to explore the intersection of cybersecurity and artificial intelligence (AI).

As cyber threats rapidly evolve, AI is at the forefront, shaping the next generation of cyber defenses and bringing new challenges and opportunities, said Max Smeets, co-director of the European Cyber Conflict Research Initiative (ECCRI) and the European Cyber Conflict Research Incubator, in a statement. Researchers are invited to submit essays on how AI will change cybersecurity, its implications for Europe, and actionable recommendations for policymakers. Essays can reference previously published research, but the content should be reworked to provide new insights.

"Launching this competition is, for me, about opening the door to voices from a range of disciplines - encouraging contributions that speak to both the opportunities and risks AI presents for cybersecurity," Smeets said. "I also hope we will see not just analysis but ideas that policymakers can consider seriously; thoughtful pieces that get at the heart of what AI could mean for cybersecurity policy in Europe."

Essays will be reviewed by a board led by co-chairs Kersti Kaljulaid, former president of Estonia, and Shashank Joshi, defense editor at The Economist. Board members include Heather Adkins, vice president of security engineering and head of office of cybersecurity resilience at Google; Klaus Hommels, founder of Lakestar and chair of the board of directors at the NATO Innovation Fund; Mikko Hyppönen, a security and privacy expert; Maria Markstedter, founder of Azeria Labs; Eva Maydell, member of the European Parliament; and ECCRI's Smeets. Prizes will be awarded for the top five essays, starting at €10,000 (US$10,628) for the top prize and €5,000 (US$5314) for the runner-up. The winning author will also be invited to attend the 2025 Munich Security Conference.

Essays should be 800 to 1,200 words. The deadline for submissions is Jan. 2, 2025. 

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

New Essay Competition Explores AI's Role in Cybersecurity

Adaptive Shield is the third security posture management provider the company has acquired in the last 14 months as identity-based attacks continue to rise.

Source: Artemis Diana via Alamy Stock Photo

CrowdStrike's spending spree for security posture management capabilities continued with a deal to buy Adaptive Shield, an Israeli startup  that specializes in securing organizations' SaaS ecosystems and protecting against identity-based attacks.

Last week's deal calls for CrowdStrike to pay cash and stock for Adaptive Shield; CrowdStrike expects to complete the transaction by the end of January 2025. Press reports estimate the value of the deal at around $300 million.

Founded in 2019, Adaptive Shield is one of many companies in the SaaS security posture management (SSPM) sector; others include AppOmni, DoControl, Obsidian, and Reco. 

Adaptive Shield's platform supports more than 150 SaaS applications including Adobe, Google Workspace, Microsoft 365, Salesforce, Slack, and Zoom. It monitors for misconfigurations and identity threats, and offers a no-code tool for custom SaaS applications called Integration Builder.

**Competitive Impact?**

Omdia senior principal analyst Rik Turner wonders whether the deal will prompt CrowdStrike's competitors like Cisco, Palo Alto Networks, and Sentinal One to follow suit with their own deals. Overall, it's been an active time for acquisitions of cloud and data security posture management (DSPM) startups, he noted. 

Adaptive Shield is CrowdStrike's third security posture management provider in the last 18 months. In October 2023, CrowdStrike bought Bionic, an early provider of application security posture management (ASPM), extending security risk visibility from code development to cloud deployment. 

Earlier this year, CrowdStrike bought Flow Security, another DSPM cloud platform that protects data at rest and in motion. "In contrast, there has been no such buying frenzy with SSPMs. CrowdStrike's acquisition of Adaptive Shield is the first deal of this kind, raising the question of whether it might start a trend among the purchaser’s competitors," Turner note in a recent report.

CrowdStrike emphasizes that the addition of Adaptive Shield will boost the capability of its Falcon platform to protect organizations against identity-based attacks by adding SaaS applications to the mix. 

Once integrated into Falcon, Adaptive Shield's SSPM platform will give organizations visibility into misconfigurations, unnecessary or rogue privileges, and activities undertaken among accounts of on-premises and cloud identity providers as well as SaaS security applications. The addition "provides organizations with granular visibility into their growing cloud environments, enables them to manage and secure their SaaS security posture and their human and non-human identities, and helps them detect and prevent identity-centric, cloud-focused cyberattacks," CrowdStrike president Michael Sentonas explained in a blog post.

CrowdStrike senior product manager for identity Ryan Terry buttressed that message at a company meeting last week in Amsterdam. "Our vision is to unify identity protection across the entire Falcon security platform that includes cloud security," he said. "That will bring ISPM, CIEM, and ITDR together in an integrated way, in one single platform to help you address today's modern identity challenges."

**Keying in on Identity**

SaaS connectors will improve visibility into threat activity and precursors to identity-based attacks, says Forrester Research principal analyst Andras Cser. And he believes adding SSPM to CrowdStrike Falcon will fill a gap in the platform's identity protection module.

"Identity-wise, CrowdStrike claims they have ITDR, but in reality, it's mainly cloud infrastructure entitlement management, addressing how admins have access to policies that drive privileges on things like \[AWS\] S3 buckets and Azure Blobs and things like that," Cser says. "It's not true \[identity and access management\] in the sense of user account provisioning-deprovisioning, federation, token service, and all these other types of things."

The Adaptive Shield SSPM and ITDR platform promises to provide a broad range of protection against such attacks by providing unified, hybrid identity management for SaaS-based apps and on-premises authentication, notably Microsoft's Active Directory.

Adaptive Shield's platform also continuously monitors generative AI-based SaaS applications for configuration shifts and enforces security standards and privileges. And it's designed to prevent data exfiltration and discover unauthorized AI applications. "Beyond identities, it also provides visibility into misconfigurations and other risks affecting SaaS applications so organizations can better manage these issues and detect and respond to threats," Sentonas added.

Identity-Based Attacks Continue to Mount

Vendor focus on identity isn't happening in a vacuum. Threat actors such as Scattered Spider and Cozy Bear (also known as APT29 and Midnight Blizzard) have actively exploited identity through various techniques, including password spraying, phishing, stealing legitimate credentials, and exploiting misconfigurations. 

After managing to get global administrator rights to MGM Resorts' Azure instances last year, Scattered Spider was able to exfiltrate data and disrupt its operations. Earlier this year, Microsoft was among the victims of a password spray attack by Russia-based Midnight Blizzard, compromising its corporate email systems. Overall, CrowdStrike has claimed that 80% of breaches now have an identity component.  

At the RSA Conference earlier in the year, Sentonas and CrowdStrike co-founder and CEO George Kurtz demonstrated how hackers exploit identity provider misconfigurations with phish-able authentication factors to gain access to highly privileged accounts. "They move laterally once they're inside an organization to achieve their outcome," Sentonas said.

**More Identity Features in the Wings**

Ross Penny, a principal technical strategist for CrowdStrike, said the company plans to roll out several tools to bolster CrowdStrike Falcon Identity by February 2025. Among recent and current deliverables include integration with AWS Identity Center, which reports on the "full picture" of risks associated with federated AWS accounts. 

"If you're only looking within AWS because it's federated, you lack a lot of information about it," Penny explained. "The fact that we know where that account lives and originates means you have a much wider variety of risk that you're able to use to calculate those access decisions and detections."

Penny said that CrowdStrike is also readying a policy management API that can be integrated into external workflows. CrowdStrike developed this API because many of its customers also use ServiceNow.

Early next year, CrowdStrike will extend integration with other identity providers, including Okta Universal Directory, Google Workspace, and AWS permission usage analysis. CrowdStrike also plans to add attack path detection across those multiple identity providers in 2025.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 am ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, Dr. Max Smeets from ETH Zurich, and Elvia Finalle from Omdia. Register now!

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

CrowdStrike Spends to Boost Identity Threat Detection

Marketed on a cybercriminal forum, the $700 tool harvests email addresses from public GitHub profiles, priming cyberattackers for further credential theft, malware delivery, OAuth subversion, supply chain attacks, and other corporate breaches.

Source: Piotr Swat via Alamy Stock Photo

Researchers have uncovered a tool aimed at targeting GitHub users, distributed on a cybercrime forum. It offers bulk developer credential theft and the ability to conduct further malicious activities, including supply chain attacks.

The tool — called GoIssue and potentially linked to a previous GitHub repository extortion campaign called Gitloker — allows potential attackers to extract email addresses from GitHub profiles and to send bulk emails directly to user inboxes, researchers from SlashNext discovered.

"At its core, the tool systematically harvests email addresses from public GitHub profiles, using automated processes and GitHub tokens to collect data based on various criteria — from organization memberships to stargazer lists," SlashNext revealed in a blog post on Nov. 12.

GoIssue is marketed to potential attackers at $700 for a custom build or $3,000 for full source code access. The tool combines bulk email capabilities with sophisticated data collection features, and protects the operator's identity through proxy networks, according to SlashNext. 

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

Related:Citrix Issues Patches for Zero-Day Recording Manager Bugs

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

**Developers Have a Target on Their Backs**

Developers increasingly have become a top target for threat actors because they provide the keys to valuable source code that can be used to launch supply chain attacks, reaching numerous victims by merely altering or abusing lines of code. As the leading online repository for source code, GitHub already has been in the crosshairs of numerous malicious campaigns targeting its users.

"The emergence of GoIssue signals a new era where developer platforms become high-stakes battlegrounds," with attackers aiming to "exploit trusted developer environments," observes Jason Soroko, senior fellow at Sectigo, an automated certificate life-cycle management firm.

GoIssue represents an evolution in GitHub-focused attack tools, giving attackers a way to orchestrate large-scale, customized phishing campaigns that can bypass spam filters and target specific developer communities, while attackers maintain the cover of anonymity.

Related:Citrix 'Recording Manager' Zero-Day Bug Allows Unauthenticated RCE

Through these campaigns, attackers can steal developer credentials and use that stolen information in phishing attacks that can steal login credentials, spread malicious payloads to compromise a user's device, or distribute prompts for OAuth app authorization that give attackers access to private repositories and data.

In this way, threat actors can steal and/or poison source code from GitHub projects to launch supply chain and other attacks that can breach corporate networks, the researchers said. "This is a high-impact attack mechanism that specifically preys on the trust and openness of the developer community," Soroko observes.

**Cybercrime Link to Gitloker Extortion Campaign?**

When investigating GoIssue, the contact info provided to potential buyers of the tool led SlashNext researchers to a Telegram profile for "cyberluffy," which states that someone called "Cyber D' Luffy" is a member of the Gitloker team. Gitloker is an ongoing campaign uncovered in June that uses GitHub notifications to push malicious OAuth apps aimed at wiping developer repositories for extortion purposes.

Moreover, in a thread advertising GoIssue, the seller even links to high-profile security blogs that detail and validate Gitloker attack efficacy. This seems to suggest that the same attackers selling GoIssue are behind Gitloker, and the tool "could be an extension of the Gitloker campaign or an evolved version of the same tool," according to SlashNext.

Related:'SteelFox' Malware Blitz Infects 11K Victims With Bundle of Pain

"Both tools share a similar target audience (GitHub users) and leverage email communication to initiate attacks," according to the post. "This overlap in purpose and personnel strongly supports the theory that they are either linked or variations of one another."

No matter who is distributing the tool, it represents a dire warning to developers using GitHub that they need to remain vigilant and not engage with any anomalous email correspondence or messages that seem suspicious, the researchers noted. "This isn’t just spam; it’s a potential entry point to taking over your account or projects," according to SlashNext.

Enterprises with developers in the organization that use GitHub in particular should be especially proactive and adaptive at securing their people, notes Mika Aalto, co-founder and CEO at human risk-management firm Hoxhunt.

"As attackers leverage automation and advanced tools with increasing sophistication, we must give people the instincts to recognize a suspicious email and the skills to report threats that bypass filters," he says.

Enterprises also should integrate human threat intelligence into the security stack to facilitate accelerated detection and response to suspicious activity, Aalto adds.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'GoIssue' Cybercrime Tool Targets GitHub Developers En Masse

There is some disagreement over whether the remote code execution (RCE) security flaws allow for unauthenticated exploitation or not. Citrix says no, but researchers say the company is downplaying a "good old unauthenticated RCE."

Source: JHVEPhoto via Shutterstock

Very swiftly after their disclosure, Citrix has issued patches for two vulnerabilities in its Citrix Virtual Apps and Desktop technology that allow a remote attacker escalate privileges or execute code of their choice on vulnerable systems.

Citrix has described the remote code execution (RCE) vulnerabilities as something that only a previously authenticated attacker could abuse. However, researchers at watchTowr who discovered the flaws and developed a proof-of-concept exploit (PoC) say it's a point-and-click vulnerability that an unauthenticated attacker can exploit with relative ease.

Citrix is tracking one of the flaws as CVE-2024-8068 and the other as CVE-2024-8069.  

**Citrix Downplaying Threat Severity?**

The flaws affect the thin-client technology's Session Recording Manager component that allows admins to capture, store, and manage recordings of user sessions. They stem from a weakness in how Session Recording Manager deserializes or unpacks data that has been converted into a format that makes it easy to store and transmit, according to the researchers at watchTowr who discovered and reported the issues to Citrix in July.

Citrix initially said it was unable to reproduce the issue but later acknowledged the problem after the security vendor gave them a PoC exploit for the vulnerability.

Related:'GoIssue' Cybercrime Tool Targets GitHub Developers En Masse

In an advisory on Nov. 12, the company described CVE-2024-8068 as a privilege escalation vulnerability that allows an authenticated user in the same Windows Active Directory domain as the session recording server to gain NetworkService Account access. CVE-2024-8069, according to Citrix, is a "limited" RCE for attackers with admin level account access on vulnerable systems. "Cloud Software Group strongly urges affected customers of Citrix Session Recording to install the relevant updated versions of Citrix Session Recording as soon their upgrade schedule permits," the company cautioned.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Even so, Citrix has assigned both vulnerabilities only medium severity scores of 5.1 of 10 on the CVSS vulnerability rating scale. It's an assignment that watchTowr has disputed.

Related:Citrix 'Recording Manager' Zero-Day Bug Allows Unauthenticated RCE

"Citrix is downplaying the severity of this vulnerability as a medium priority when it’s really point-click-full-takeover," says Benjamin Harris, CEO of watchTowr, pointing to the company's exploit code. The combination of the two vulnerabilities allows for a "good old unauthenticated RCE," Harris tells Dark Reading.

"Citrix's Virtual Apps and Desktop offering is a flagship Citrix solution, targeted at \[Fortune 500\] organizations," he notes. "Since we're dealing with a deserialization issue, a bug class that is known for being relatively stable, we \[have\] a high degree of confidence that our exploit will work reliably. There's no tricky heap manipulation or other entropy creeping in."

Many organizations use Citrix’s Virtual Apps and Desktop technology to enable users to access their applications and desktop environments from anywhere and using any device. It gives organizations a way to centrally deploy, update and secure all user apps from a single location making maintenance more efficient, consistent and cost effective. Another benefit that Citrix advertises is increased security from having applications and data on centralized servers rather than on individual endpoint devices. The technology's Session Recording feature — where watchTowr discovered the flaws — enables admins to monitor for anomalous behavior and to maintain a detailed record of user activity for future audit and troubleshooting purposes.

Related:'SteelFox' Malware Blitz Infects 11K Victims With Bundle of Pain

Demand for such technologies has increased in recent years as more companies have embraced remote and hybrid work models. Research firm MarketsandMarkets estimates the market will reach $1.7 billion in 2028 from around $1.5 billion last year. The broader desktop as a service (DaaS) market itself is expected to hit nearly $19 billion by 2030 from just over $4 billion in 2021.

**Dependence on Known Insecure Technology**

watchTowr discovered the vulnerabilities while scrutinizing Citrix's Virtual Apps and Desktop's architecture for potential security issues. The security vendor's examination showed that Citrix's app uses Microsoft's Message Queuing (MSMQ) service to receive recorded user session files and to store them in a separate storage manager component. In addition, watchTowr found Citrix using a Microsoft technology called BinaryFormatter to deserialize data in the storage manager component when needed. BinaryFormatter is technology that Microsoft itself has urged organizations to stop using as soon as possible because of security weaknesses that are no longer fixable, watchTowr said.

The vulnerabilities that watchTowr discovered involved a combination of an Internet-accessible MSMQ instance in the session recording component of Citrix's Virtual Apps and Desktop technology along with misconfigured permissions related to BinaryFormatter. "This isn't really a bug in the BinaryFormatter itself, nor a bug in MSMQ, but rather the unfortunate consequence of Citrix relying on the documented-to-be-insecure BinaryFormatter to maintain a security boundary," Harris says. "It's a 'bug' that manifested during the design phase, when Citrix decided which serialization library to use."

Harris says watchTowr reported the vulnerability as a single issue, whereas Citrix appears to have treated it as two separate issues.  

"While it is inarguable that Citrix's use of a BinaryFormatter with untrusted data is a de-facto bug, we don't have enough context to determine if exposing the MSMQ queue via HTTP is a really a bug, caused by a careless oversight, or a carefully calculated effect of some obscure business requirement."

Citrix's technologies are a frequent target for attackers because of the high-level of access the company's technology provides to enterprise applications and data. Many of the reported security flaws recently have impacted the company's NetScaler ADC and NetScaler Gateway remote access platforms.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Citrix Issues Patches for Zero-Day Recording Manager Bugs

The security vulnerability is due to an exposed Microsoft Message Queuing (MSMQ) instance and the use of the insecure BinaryFormatter.

Source: Brian Jackson via Alamy Stock PhotoSource:

\[Ed. note, Nov. 12 at 12:30 p.m. ET: Citrix has now issued patches for the issue and assigned CVE-2024-8068/CVE-2024-8069 for tracking.\]

An unpatched zero-day vulnerability in Citrix’s Session Recording Manager allows unauthenticated remote code execution (RCE, paving the way for data theft, lateral movement, and desktop takeover.

According to watchTowr research out today, the issue (which does not yet have a CVE or CVSS score) resides in Citrix's Session Recording Manager, which, as its name implies, records user activity, including keyboard and mouse inputs, websites visited, video streams of desktop activity, and more.

"Citrix advertises the feature as being really useful for monitoring (somewhat obviously), but also for compliance and troubleshooting. It can even be set up so that certain actions (like identifying sensitive data) will trigger recording, which helps meet regulatory needs and flag suspicious activities," the watchTowr researchers noted in the report.

The feature logs session recordings via Microsoft Message Queuing (MSMQ), which enables efficient data transfer from individual computers to centralized storage. However, the Citrix implementation uses BinaryFormatter for serialization and deserialization of the information for easier and more accurate transfer and storage. The utility is unfortunately well-known to be insecure.

Related:'GoIssue' Cybercrime Tool Targets GitHub Developers En Masse

BinaryFormatter is a .NET class created by Microsoft, which is in the process of deprecating it: "BinaryFormatter is insecure and can't be made secure. Applications should stop using \[it\] as soon as possible, even if they believe the data they're processing to be trustworthy," the computing giant said in August.

On top of the BinaryFormatter issue, Recording Session Manager also involves an exposed MSMQ service that can be reached from any host via HTTP. This, combined with what watchTowr says are misconfigured permissions, paves the way for unauthenticated RCE.

Dark Reading has reached out for comment and planned patching or mitigation information from both watchTowr and Citrix. There is no evidence of in-the-wild exploitation yet, but given Citrix's attractiveness as a cybercrime target, that could soon change.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 am ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larson from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

Related:Citrix Issues Patches for Zero-Day Recording Manager Bugs

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Citrix 'Recording Manager' Zero-Day Bug Allows Unauthenticated RCE

CISA should make its recommended goals mandatory and perform audits to ensure compliance.

Gary Barlet, Public Sector Chief Technology Officer, Illumio

November 12, 2024

5 Min Read

Source: Zoonar GmbH via Alamy Stock Photo

COMMENTARY  
Companies across the country are lining up to join the latest cybersecurity trend: the Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design pledge, a commitment aimed at software manufacturers that compels them to keep up with fundamental cybersecurity strategies. Companies such as Lenovo, Google, AWS, Cloudflare, and Microsoft have already signed on. 

On the face of it, the Secure by Design pledge is a good thing. Its seven goals each encourage manufacturers to adopt or increase the usage of a key cybersecurity strategy within one year. The goals, such as "implement multifactor authentication (MFA)" are worthy, if basic, and CISA encourages companies to document their progress. If they fall short, they are also encouraged to report that failure to CISA. 

The problem is that this pledge is entirely voluntary. Companies are free to sign it — or not — as they wish. And there's no regulatory compliance factored in. This means that if a company does sign the pledge and falls short of one or more goals, no one may ever know and no action will be taken. It will be as if the pledge never existed in the first place.   

Without teeth, the pledge is essentially worthless. Outside of highlighting the low-bar steps major companies should take to ensure their infrastructure is secured from the most common attacks (which, admittedly, is a good thing), it takes no steps to ensure that companies will actually do so. And it provides no repercussions if they fail.    

**Is the Honor System Good Enough?**

With data breaches up 72% in 2023 and the average cost of a breach estimated at $4.88 million, can we afford for our nation's technological infrastructure to be governed by the honor system? What happens when the next big cyberattack takes down a pillar of our society because the company responsible failed to implement MFA?  

I'd argue for a much more aggressive approach from our federal government. Given the potential for widespread disruptions inherent with any cybersecurity failure, we can't afford to take such a lax attitude toward securing our systems. The sanctity of our nation's airlines, power grids, and other critical infrastructure relies on stringent cybersecurity measures. Merely "suggesting" that companies institute basic protocols is not enough. We need to mandate it — and punish those who fail. 

**The EU's Higher Standard**

I look at the European Union's approach to setting standards for its electronic devices. In 2022,  the EU passed a law mandating electronics manufacturers move to a standardized charging port for their mobile devices. The EU's stance toward Apple, which famously used a proprietary Lightning charging port for its iPhones, was simply: Adapt or die. Apple adapted. As a result, iPhones in Europe are now sold with the standardized USB-C charging port, alongside every other mobile device. 

The EU did not fool around with vague suggestions or pledges. It saw the value to consumers of a standardized charging port and demanded that manufacturers make the change. Those that failed to comply were not allowed to sell their devices in Europe. Simple. Effective. 

You can also look closer to home, to California, for an example of this kind of confident action by the government. The government of California adopted the Zero Emissions Vehicle requirements in 1990, and has adjusted the rules over the ensuing decades as technology has evolved. The purpose was to protect the state's air from automotive pollution. The result has been a near industrywide reduction in auto emissions for the past 30 years. 

For vehicle manufacturers that want to sell cars in California, the largest economy in the United States, the equation was the same one facing Apple in the EU: Adapt or die. They could either engineer their vehicles to produce fewer emissions or simply not sell them in California. Most elected for the former option, and, as a result, automotive emission control technology has advanced further in the past 30 years than at any point since the automobile was introduced. 

**Adopting a Similar Approach**

To protect our cyber infrastructure, we need to adopt a similar approach. Instead of simply making recommendations, our nation's cybersecurity agency should be empowered to make regulations.  

CISA should begin by making its recommended goals mandatory, forcing software companies to do the following: 

●      Increase the use of MFA 

●      Reduce default passwords 

●      Enable a significant measurable reduction in the prevalence of one or more vulnerability classes 

●      Increase the installation of security patches by customers 

●      Publish a vulnerability disclosure policy 

●      Demonstrate transparency in vulnerability reporting. 

●      Increase the ability for customers to gather evidence of cybersecurity intrusions 

Next, CISA should perform audits to ensure compliance. Relying on companies to self-report is no different from giving them permission not to report. Look closely at CISA's list of pledgees and come back in a year to see how many of these vaunted companies will have willingly admitted they aren't taking the most basic steps toward protecting their users' data. 

Finally, CISA should be empowered to make a simple statement to software manufacturers that want to sell products in the US similar to what the EU said to electronics manufacturers and what California said to automobile manufacturers: Adapt or die. 

If you want to sell software in the US, you should have to follow basic principles that will ensure your software is safe. This should not be a "nice to have." It should be mandatory. The stakes are as high if not higher than with charging ports and automobile emissions. As we witnessed with the recent failure of cybersecurity software, the impact was felt across entire industries and resulted in billions of dollars in lost productivity. This is not a realm for timidity.    

Hi all -- please add this to all of your content at the bottom between now and Thursday -- I'm adding it to this week's news items now. Rashid, Fahmida Donahue, Jim Bracken, Becky Spiegelman, Karen Beek, Kristina

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Public Sector Chief Technology Officer, Illumio

Gary Barlet has nearly three decades of cloud, cybersecurity, and network experience in the US federal government leading security and IT teams in both civilian agencies and the Department of Defense (DoD). At Illumio, Gary works with government agencies, contractors, and the broader ecosystem to build in zero-trust segmentation as a strategic component of the government’s zero-trust architecture. Before joining Illumio, Gary served as the chief information officer at the Office of the Inspector General for the US Postal Service and served in the Air Force in several technology leadership capacities, retiring from his role as cyber operations officer.

Source

DARKReading