Threat actors are actively exploiting two of the vulnerabilities, while three others are publicly known and ripe for attack.

Source: fadfebrian via Shutterstock

Microsoft's October security update addressed a substantial 117 vulnerabilities, including two actively exploited flaws and three publicly disclosed but as yet unexploited bugs.

The update is the third largest so far this year in terms of disclosed CVEs, after April's 147 CVEs and July's set of 139 flaws.

A plurality of the bugs (46) enables remote code execution (RCE), and 28 others give threat actors a way to elevate privileges. The remaining vulnerabilities include those that enable spoofing, denial of service, and other malicious outcomes. As always, the CVEs affected a wide range of Microsoft technologies, including the Windows operating system, Microsoft's Hyper-V virtualization technology, Windows Kerberos, Azure, Power BI, and .NET components.

**Actively Exploited Bugs**

The two vulnerabilities in the October update that attackers are actively exploiting are also the ones that merit immediate attention.

One of them is CVE-2024-43573, a spoofing vulnerability in MSHTML, or the Trident legacy browsing engine for Internet Explorer that Microsoft includes in modern versions to maintain backward compatibility. The bug is similar to CVE-2024-38112 and CVE-2024-43461 that Microsoft disclosed in MSHTML in July and September, respectively, which the Void Banshee group has been actively exploiting. Another unusual aspect of the bug: Microsoft has not credited anyone for reporting or discovering it.

Organizations should not allow Microsoft's moderate severity assessment for CVE-2024-43573 to lull them into thinking the bug does not merit immediate attention, researchers at Trend Micro's Zero Day Initiative wrote in a blog post. "There's no word from Microsoft on whether it's \[Void Banshee\], but considering there is no acknowledgment here, it makes me think the original patch was insufficient," the ZDI post noted. "Either way, don't ignore this based on the severity rating. Test and deploy this update quickly."

The other zero-day that attackers are currently exploiting is CVE-2024-43572, an RCE flaw in Microsoft Management Console (MMC). Microsoft said its patch prevents "untrusted Microsoft Saved Console (MSC) files from being opened to protect customers against the risks associated with this vulnerability."

Earlier this year, researchers at Elastic Security reported observing threat actors using specially crafted MMC files, dubbed GrimResource for initial access and defense evasion purposes. However, it is not immediately clear if the attackers were exploiting CVE-2024-43572 in that campaign or some other bug. Microsoft didn't address the point in this most recent patch update.

**Publicly Known but Unexploited — for the Moment**

The three other zero-day bugs that Microsoft disclosed as part of its October security update — but which attackers have not exploited yet — are CVE-2024-6197, a remote code execution vulnerability in the open source cURLl command line tool; CVE-2024-20659, a moderate severity security bypass vulnerability in Windows Hyper-V; and CVE-2024-43583, a WinLogon elevation of privilege vulnerability.

Mike Walters, president and co-founder of Action 1, said organizations should prioritize patching CVE-2024-6197. Though Microsoft has assessed the vulnerability as something that attackers are less likely to exploit, Walters expects to see proof-of-concept code for the flaw become available soon. "This vulnerability is particularly concerning, because it impacts the fundamental architecture of memory management in cURL, a tool integral to data transfers across various network protocols," Walters wrote in a blog post. "The affected systems include those using cURL or libcurl, the underlying library that powers numerous applications on diverse platforms."

Meanwhile, organizations using third-party input method editors (IMEs) that allow users to type in different languages are at particular risk from CVE-2024-43583, which is the WinLogon elevation of privilege flaw, Walters added. "This vulnerability is particularly pertinent in diverse settings where multilingual support is crucial, such as in global enterprises or educational institutions," he said. Attackers could exploit the vulnerability as part of a broader attack chain to compromise affected environments he said.

**Other Critical Bugs that Need Attention Now**

Microsoft assessed just three of the 117 vulnerabilities it disclosed this week as being critical. All three are RCEs. They are CVE-2024-43468 in Microsoft Configuration Manager, CVE-2024-43582 in the Remote Desktop Protocol (RDP) server, and CVE-2024-43488 in Visual Studio Code extension for Arduino Remote.

CVE-2024-43468 highlights some memory safety concerns with Microsoft Configuration Manager, Cody Dietz, a researcher with Automox, wrote in a blog post. "Successful exploitation of this vulnerability can allow for lateral movement throughout a network and offers the potential to deploy malicious configurations to other systems." In addition to immediately patching the vulnerability, organizations should consider using an alternate service account to mitigate risk, Dietz said.

Automox also highlighted CVE-2024-43533, a high-severity bug in RDP. The bug is present in the RDP client and enables attackers to execute arbitrary code on a client machine. "Unlike typical RDP vulnerabilities targeting servers, this one flips the script, offering a unique attack vector against clients," Tom Bowyer, director of IT security at Automox, wrote in the company's blog post.

"This vulnerability opens the door for back-hacks," Boyer added, "where attackers set up rogue RDP servers to exploit scanning activities from entities like nation-states or security companies."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

5 Zero-Days in Microsoft's October Update to Patch Immediately

As healthcare organizations struggle against operational issues, two-thirds of the industry suffered ransomware attacks in the past year, and an increasing number are caving to extortion and paying up.

Source: Yuri A/PeopleImages via ShutterStock

The healthcare sector continues to grow, but without the proper focus on cybersecurity, the prognosis for the industry's resilience against ransomware and other attacks has only worsened.

Against a backdrop of non-IT disruptions — such as private equity failures, shortages of medicines, and the cutting of services — two-thirds (66%) of healthcare organizations also suffered ransomware attacks in the past year, up from 60% in the prior year, according to a report from cybersecurity firm Sophos. Major attacks on hospitals and medical-service providers have led to disruptions of services, significant financial outlay, and the exposure of sensitive patient data. In some cases, they also affected patient outcomes.

There are also new threats emerging all the time. The Trinity ransomware, for instance, first seen last May, poses a "significant threat" to the healthcare and public health sector, according to an alert this week from the US Department of Health and Human Services.  

Overall, more than 14 million US citizens — and an unknown number worldwide — have been affected by healthcare breaches in 2024, according to another data set from security firm SonicWall.

Healthcare suffers such a cyber malaise that Senate Finance Committee chair Ron Wyden (D-Ore.), and Sen. Mark Warner (D-Va.) last week announced legislation to attempt to patch up the system. The bill would require jail time for healthcare CEOs that lie to the government about their cybersecurity postures, offer federal resources to rural and underserved hospitals for cyber improvements, and introduce accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data. The bill would also remove the existing cap on fines for data mishandling under the Health Insurance Portability and Accountability Act (HIPAA).

"Mega-corporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result," Wyden said in a statement announcing the bill. "The healthcare industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy."

**Healthcare Cyber-Profiles Are Ripe for Infection**

Healthcare organizations have three attributes that ensure ransomware gangs will continue to focus on the industry: Their operations are critical to society, their technology is often old and rife with vulnerabilities, and individual organizations are willing to pay ransoms, says Doug McKee, executive director of threat research of SonicWall.

"There's a lot of money in healthcare, \[and\] healthcare is not only notorious for having a lot of money, but they've been painted as an industry that's willing to pay the ransom," he says. "If we're going to keep paying the ransom, the attackers are going to keep ramping up in that industry. The math is that simple."

The cybersecurity problems plaguing the industry are not just affecting the business of healthcare. They're also having real impacts on patients and national health efforts. Attackers used stolen credentials, for example, to compromise UnitedHealth subsidiary Change Healthcare and infect its systems with ransomware in February, leading to stalled payments for doctors, pharmacies, and hospitals — and eventually a $22 million ransom paid to the criminals. In the United Kingdom, an attack on medical-services provider Synnovis in June led to delays in matching patient blood types and other pathology services. The same month, an attack on South Africa's National Health Laboratory Service (NHLS) disrupted the service provided by the government-run testing laboratories, while the nation found itself in the midst of an mpox outbreak.

"I can either pay the ransom, get back up and running, or I can try to rebuild it myself and pray that we get everything back set up running in a week — not an option," says Errol Weiss, chief information security officer (CISO) of the Healthcare Information Sharing and Analysis Center (Health-ISAC). "So now, we've got a sector who is more prevalent to pay, and I think the bad guys — cybercriminals, nation-states that are doing this — figured that out pretty quickly. I think it's getting worse, and I think that they've also figured out the weak spots in the sector."

**A Pound of Cure Typically Fails**

The weakest spot for healthcare entities is arguably the inter-reliance of hospitals and pharmacies on their third-party providers. When Change Healthcare suffered its weekslong outage, the incident demonstrated that efforts to shore up cyber resilience has to extend all the way to any third-party suppliers on which healthcare providers rely.

"Change Healthcare definitely rocked the sector and made us \[realize\] that it's a single point of failure for so many services," Weiss says. "We had thousands of patients across the US that couldn't get prescriptions filled because of that outage, and then ... we had hospitals that couldn't file claims."

Similarly, the attacks on Synnovis and NHLS slowed diagnostic services.

While their operational requirements — prioritizing human life, which means keeping open the access to needed data — pose challenging issues, healthcare organizations must gain oversight over their (often legacy) technology and the large variety of medical devices and equipment, which might not be kept totally up to date. Seven out of every eight breaches were caused by exploitable vulnerabilities, compromised credentials, and malicious emails — so focusing on those three areas could pay significant dividends for cybercriminals, says Christopher Budd, director of threat research for Sophos X-Ops.

"Healthcare — along with energy, oil/gas, and utilities — is challenged by higher levels of legacy technology, and infrastructure controls more than most other sectors, which likely makes it harder to secure devices, limit lateral movement, and prevent attacks from spreading," he says.

**Time for an Ounce of Prevention**

Yet, perhaps most telling is the industry's problems with backups.

In 95% of attacks targeting healthcare organizations, the attacker tried to compromise the backups. Unfortunately, they succeeded in 66%, putting healthcare organizations' defensive shortcomings behind that of only the energy, oil/gas, and utilities sector (79%) and the education sector (71%), according to Sophos' report.

While healthcare organizations continue to use backups to recover, many also pay ransoms. Source: Sophos

The loss of backups results in much worse — and more expensive — outcomes, the report stated. The value of the initial ransom demand more than tripled, to $4.4 million, compared with $1.3 million for organizations with backups, and the organizations were far more likely to pay the ransom, with 63% of organizations with a failed backup paying the ransom, compared with 27% of organizations with complete backups.

In its threat brief, SonicWall recommended the typical trio of cybersecurity best practices: patch management, strong access controls, and continuous monitoring. However, out of those three, monitoring is the most important capability for organizations to establish first, says SonicWall's McKee. Companies with good visibility can detect cybersecurity issues early and remediate them before they are attacked, he says.

While the outlook is currently messy, progress is being made, he added.

"I think that we've gotten better," McKee says. "Over the last five years, I've seen a huge improvement in healthcare, as far as being able to turn around cybersecurity best practices ... but \[technology\] has to get through all the regulatory requirements ... and that's simply going to take time ... probably years, for healthcare to get to a point that we're able to reduce some of the effectiveness of these attacks."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Healthcare's Grim Cyber Prognosis Requires Security Booster

The annual event reinforces best practices while finding new ways to build a culture where employees understand how their daily decisions affect company security. Find out how AWS, IBM, Intuit, SentinelOne, and Gallo are spreading the word.

Source: Prostock-studio via Alamy Stock Photo

COMMENTARY

Cybersecurity Awareness Month, an annual initiative since 2004, provides organizations each October with valuable opportunities to reinforce security best practices among employees. As we engage in these activities this month, it's also an opportunity to discover ways to build a culture of security where employees understand how their daily decisions and actions can affect an organization's overall security.  

Employees remain every organization's best first line of defense. Making the most secure way of doing things the easiest way helps motivate employees to make security-first decisions. For example, getting employees to use multifactor authentication (MFA) — once again a top recommendation of the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NSA) — is one of the simplest and most effective ways to enhance security. Fifteen years ago, when AWS made MFA publicly available, we knew the criticality of using MFA would only increase as technology rapidly evolved and the cloud ushered in a new era of business transformation.  

At AWS, Cybersecurity Awareness Month is also an opportunity to foster internal cross-team collaboration and learning among employees — whether "security" is officially in their title or not. During Amazon's annual Security Week in October, employees will learn online and physical security best practices, how to easily report a security matter, proper ID badge usage, device protection, and how to opt-in for emergency messaging.  

We're also hosting our fourth annual One Amazon Security Conference, bringing our security teams from across the company together for two days in October to connect, collaborate, and amplify knowledge sharing and skill development. Through a variety of programming, including activities to enhance practical security skills, breakout sessions covering security innovations and best practices, and presentations from experts and Amazon security leaders, employees will learn about our efforts to improve security, both internally and for our customers.  

Mark Hughes, Global Managing Partner Cybersecurity Services, IBM Consulting 

At IBM, we're committed to educating and empowering our teams and clients with the knowledge and tools they need to stay secure. As innovative new solutions help advance today's businesses, we also understand the complexity of addressing new cybersecurity threats and advocate to our clients the importance of proactively embedding security into all aspects of their business. 

Cybersecurity Awareness Month provides an opportunity for IBM to drive awareness, highlight our security expertise, and engage our global community around the important role of cybersecurity. We're kicking October off with our "Cloud Threat Landscape" report that will examine cloud threats and highlight how companies can assess and address their risks in areas such as identity access management and data security. Throughout the month, we'll showcase these findings, alongside key takeaways from our recent "Cost of a Data Breach" report, through a series of digital content, including expert-led discussions and security-themed insights, equipping our consultants with the strategies needed to help clients address emerging cloud threats and effectively adopt automation and generative AI (GenAI) to strengthen their security. 

While IBM educates our employees year-round, Cybersecurity Awareness Month allows us to intensify our focus on security-based skills training for our consultants while empowering them to get security industry certifications to help provide guidance to our clients on architectures and technologies that can help them stay ahead of attacks. 

By creating an organization with a security-first mindset, and leveraging the capabilities of the cloud, automation, and GenAI, IBM educates our employees, informs our clients, and inspires new approaches to cybersecurity — like quantum-safe standards — to reinforce our commitment to a secure digital future. 

Atticus Tysen, Chief Information Security Officer, Intuit  

This year, our theme for Cybersecurity Awareness Month is Cyber Wellness, focusing on the importance of maintaining digital health alongside physical well-being. We're using this theme to highlight that protecting our digital lives is an ongoing responsibility, like looking after our physical health. Through this theme, we aim to foster a culture of continuous cybersecurity awareness, encouraging employees to take proactive steps in safeguarding themselves and Intuit. 

As part of our Cybersecurity Awareness Month program, our chief financial officer (CFO), Sandeep Aujla, and our general counsel, Kerry McLean, will join me in an opening keynote, sharing why cybersecurity is critical to our company's overall success. In addition to general sessions for all employees, we've crafted targeted sessions for groups identified as being more prone to social engineering, based on months of phishing simulation data. This focused approach allows us to directly address the needs of specific groups. 

Josh Blackwelder, Deputy Chief Information Security Officer, SentinelOne  

SentinelOne lives and breathes security, all day, every day. And while our mission — Secure Tomorrow — is most often focused on a promise and dedication to our customers, it extends far beyond the business goals of the company to securing our teammates, communities, and democracy, as whole. We see Cybersecurity Awareness Month as a way to bring our expertise into our communities — helping to create future generations of cyber-aware citizens while expanding the next generation of cyber defenders.  

For Cybersecurity Awareness Month, SentinelOne focuses on its CyberSafe University program, an in-school program that targets kids in grades K-12 and is designed to introduce the concept of cybersecurity in age- and activity-appropriate ways.  

The program provides a range of ways that kids can think about their online activities and privacy. For younger elementary students, we focus on essential skills for safeguarding personal data online. For middle schoolers, we focus on the best practices to retain cybersecurity safety, including the importance of multifactor authentication. For older students, we also include information on how to pursue a career in cybersecurity, what to major in, and leading university programs around the globe.  

Over the past two years, this massive volunteer effort has delivered amazing results — over 100 Global SentinelOne Employee Ambassadors were able to reach more than 12,000 students, in over 40 schools, in eight countries. 

Raul Sanchez, Director of Information Security, Gallo 

Gallo recognizes Cyber Awareness Month with a series of engaging, educational initiatives aimed at enhancing the cyber resilience of its workforce. The highlight is the annual Cybersecurity Awareness Day event, held at corporate headquarters. This event features keynote speakers and representation from our security partners, offering insights into the latest cyber threats and best practices. Designed to be fun and educational, the event provides employees with hands-on experiences and practical knowledge to better protect the organization and its data. Adding a twist, the event also includes a 5 kilometer run/walk, allowing employees to earn points in the company's health and wellness program while promoting physical fitness alongside cyber fitness.  

In addition to the awareness day event, Gallo hosts weekly cybersecurity webinars throughout October. These sessions cover a range of topics, from phishing prevention to secure password management, and are designed to educate employees on how to recognize and respond to potential threats. The webinars are well received, offering employees the flexibility to participate and learn at their own pace.  

To keep cybersecurity top of mind, the information security department also publishes daily security tips for all Gallo employees. These tips provide practical advice and actionable steps employees can take to improve their personal and professional cybersecurity practices. By integrating these daily reminders into the workday, Gallo ensures that cybersecurity remains a priority throughout the month, leading to a more prepared and vigilant workforce.  

About the Contributors

Mark Hughes is the global managing partner of IBM Consulting Cybersecurity Services and leads IBM's team of thousands of experts in helping organizations transform security into a business enabler and establish cyber resiliency. His role spans the sales and services delivery of threat detection and response, data security, cloud security, IAM, infrastructure, risk management and ecosystem partnerships. Mark's cybersecurity career spans across two decades, including recent roles as president of security at DXC Technology, a Fortune 500 global technology services provider, and chief executive at BT Security, a leading global telecommunications provider.  

As senior vice president and chief information security officer (CISO) of Intuit, Atticus Tysen is responsible for information security, fraud prevention, and enterprise information technology. Before assuming this expanded role, Tysen served as chief information officer (CIO) for nearly 10 years. Prior to that, Tysen was vice president of product development for Intuit's Financial Management Solutions group, leading product development efforts for the company's Small Business division. Since joining Intuit in 2002, he has also served as director of new technology and led the company's patent program, building a process to protect the company's intellectual property. Tysen earned a bachelor's degree in computer science from Stanford University. 

Josh Blackwelder has been at the forefront of enhancing security operations at SentinelOne since early 2022. His leadership extends across cloud security engineering, security operations, FedRAMP, security engineering, vendor risk, security architecture, and application security. Before joining SentinelOne, Josh held security leadership positions at Instructer (makers of the learning management software Canvas), as well as Adobe, RBS Markets & International Banking, and Verizon Business. 

Raul Sanchez, director of information security of Gallo, is a seasoned security professional with extensive experience in all facets of IT compliance, privacy, vendor risk management, security design and architecture, regulatory audits, and managing the security of mergers and acquisitions. In recent years, he has focused on implementing modern cybersecurity initiatives and enhancing cyber resilience to better protect against evolving threats. His ability to establish meaningful relationships with business teams enables the effective execution of business initiatives while ensuring the security of customer and corporate data and maintaining the company's positive brand reputation.  

**About the Author**

Chief Information Security Officer, AWS

Chris Betz is the chief information security officer (CISO) at AWS, where he oversees the security teams responsible for protecting AWS infrastructure and cloud services. Betz leads the development and implementation of comprehensive security policies and strategies aimed at effectively managing risk and aligning AWS's security posture with the company's business objectives. Betz is based in northern Virginia, where he resides with his family.

How Major Companies Are Honoring Cybersecurity Awareness Month

The massive outage involving a faulty Falcon update is an excellent illustration of what happens when organizations neglect security fundamentals.

Source: Tero Vesalainen via Alamy Stock Photo

UPDATE  
Back in July, 8 million Windows devices around the world went offline after CrowdStrike released a threat intelligence update with a buggy content validator. Hospitals could not access patient records, interrupting patient care. Airlines were forced to delay or cancel thousands of flights. Some payment platforms were unavailable, resulting in people not being paid on time. The Emergency Alert System in the United States was affected, which, in turn, disrupted 911 services in several states.

The problem ultimately boiled down to an inadvertent systems failure, intensified by poor update management issue and processes that violated third-party risk management policies and procedures. CrowdStrike's quality-control testing did not catch the bug beforehand. The outage highlighted what happens when basic IT rules are forgotten, ignored, or simply abbreviated.

Cloud-based endpoint detection and response (EDR) security tools, such as CrowdStrike's solution, work best when the sensors can process real-time intelligence from the cloud, says Eric O'Neill, a cybersecurity consultant and former undercover FBI counterintelligence operative, noting that this was mainly a update management issue. Ideally, a vendor would roll out updates to a subset of its customers, then continue the rollout in stages to ensure there were no issues. In this case, he says, all customers received the update at the same time. From a third-party risk management perspective, organizations should test updates they receive before deploying them to their systems.

In this case, most CrowdStrike customers opted for the popular automatic update installation instead of the more complex and time-consuming staged rollout, which is rarely done for endpoint applications. Because such an anomaly has never happened before with an update, the decision to forgo testing was understandable, O'Neill notes. In light of this incident, he expects to see major changes in how organizations roll out and install updates in the future.

Crowdstrike takes exception with O'Neill's assessment that testing was incomplete, and noted in a statement to Dark Reading that, "as stated in the Root Cause Analysis report: A stress test of the IPC Template Type with a test Template Instance was executed in our test environment, which consists of a variety of operating systems and workloads. The IPC Template Type passed the stress test and was validated for use, and a Template Instance was released to production as part of a Rapid Response Content update."

**Reducing the Risk**

John Young, a consulting CISO and former cloud and data center executive at IBM, likens the impact of the unintended outage to previous cyberattacks on SolarWinds and Kaseya but without the malicious intent, as with ransomware and other malware. Instead, this became an eye-opening event for boards to ensure they are conducting appropriate business risk and interruption analyses. Here, only one operating system (OS), Windows, was affected. Organizations could reduce their vulnerabilities if they spread their operational risk over multiple OSes, he says.

"If we use different operating systems \[for hot backup systems\], we could run it at 25% service delivery level," Young says. "We'd limp along, but we would have a real-time objective that we would recover in two days."

Young likens this approach to enterprises having servers around the world that run multiple OSes, so that companies can protect themselves from regional threats and vulnerabilities. While running multiple OSes could protect against similar, OS-specific vulnerabilities, the arguments against it are the high cost and the unlikeliness of such an event occurring again, he adds.

While it makes sense to trust key software vendors, Young notes, basic security practices indicate that software should not be trusted simply because it is from a known source and is identified as a security update. Many of the system failures were because "they didn't really follow best practices. There was no compartmentalization. There was no business continuity planning. There was no impact analysis on the critical system," he says. "There was too much integration with their third party."

**The Impact on Cyber Insurance**

While the outage clearly was not a cyberattack, some cyber insurance policies could include coverage for dependent systems failures that are not brought on by a malicious attacker, says David Anderson, vice president of cyber liability at Woodruff Sawyer, a national insurance brokerage. While addressing insurance coverage, in general, he says a property policy might address such losses, but it depends on the negotiated policy, any extra coverages the company might have selected, and the policy's specific language.

"A system failure event is absolutely different than a network interruption or business interruption event, which is always tied to a malicious attack," Anderson says. "It's important to know that not every cyber insurance policy affirmatively includes system failure coverage; you have to have purchased the enhancement in order for this event to be covered."

This alone could get the attention of general counsels or whichever corporate executive is responsible for their company's cyber insurance policy. While not all incidents are always covered — generally, that is based on the severity of the incident, the amount of loss, and the amount of time the company was affected — this could be a watershed moment for an organization to reevaluate its existing insurance policies.

What would be an interesting question, he notes, is: Does a property policy that clearly includes data processing equipment breakdown coverage, which are non-malicious events, have some coverage to include here? Larger commercial property policies often include human errors, errors and omissions, and unplanned failures coverage within the property policy.

"It all is going to depend if the coverage is considered mechanical breakdown, which I don't think this would be, or if it was truly a human error and unplanned outage," Anderson notes. Again, the final decisions will be up to the insurance companies, which could interpret the situation differently.

This story was updated at 3 p.m. ET on Oct. 9 to clarify that the catalyst for the CrowdStrike outage was not a software patch or bug fix, but rather an update to its threat intelligence engine with the latest threat signatures, known as Rapid Response Content.

**About the Author**

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC. You can reach him at \[email protected\].

The Perils of Ignoring Cybersecurity Basics

Company leadership needs to ensure technology teams are managing continuous monitoring, automated testing, and alignment with business needs across their enterprise.

Source: Stu Gray via Alamy Stock Photo

COMMENTARY

This summer, a cyberattack disrupted the normal operations of thousands of auto dealerships across the United States, affecting everything from records to scheduling, causing no end to annoyances and leaving hordes of exasperated salespeople and customers at their wits' end.

The most recent and dramatic example of hacker success illustrates that IT security must become the first priority at the highest levels of an organization. This modern-day plague shows no sign of subsiding. With each successful attack, hackers become even more emboldened. 

It's an all-out assault, requiring the corporate equivalent of an all-points bulletin. In short, cybersecurity is not just an IT issue; it's a critical business risk that requires active involvement from the entire C-suite, in particular, the CEO. This is one area of the enterprise that may benefit from micromanagement in an effort to display the importance of the pursuit.

My colleagues and I regularly advise our clients that they should be asking three questions of their team: What are we doing? Is it enough? How do we know?

Effective cybersecurity requires the right balance of spending and technology value, continuous assessment, and the adoption of advanced technologies such as automation and artificial intelligence. Few regret wise investments in cybersecurity defenses.

The increasing frequency and sophistication of cyberattacks underscore the seriousness for executive-level engagement in cybersecurity. Recent incidents, such as the SEC's $10 million fine on the New York Stock Exchange's parent company and the notorious SolarWinds action, illustrate the severe impact on business operations and regulatory compliance. These events highlight the necessity for CEOs to recognize their critical role in cybersecurity. 

Ascension Healthcare's ransomware attack, among other prime examples, serves as an object lesson in the urgency of the matter, especially in healthcare. Doctors and pharmacies struggled with order and prescription issues, leading to lost revenue as patients sought services elsewhere, and virtually bringing the massive hospital system to its figurative knees, causing tremendous frustration among staff and patients. This situation underscored the need for technologists to understand business operations and implement security measures that support the business. 

CEOs must understand that cybersecurity is central to their management duties and not just "tech stuff" to be delegated. They need to receive business-outcome-focused reporting with the same level of rigor as financial and safety reporting. This reporting should answer the above three questions using system-generated metrics and integrate results into business decisions to stay ahead of the increasingly destructive capabilities of adversaries conspiring to do them harm.

CEOs set the organizational tone and ultimately are responsible for cybersecurity. Their endorsement of security measures can drive home their importance, ensure alignment with business goals across the senior leadership team, and communicate capabilities to their boards. The following steps are essential for CEOs to prioritize cybersecurity:

*   Engage in cybersecurity planning and response: CEOs and executive leaders must be actively involved in cybersecurity planning and response. Their endorsement and understanding of cybersecurity's importance can fuel organizational commitment and set the right tone. Deciding how to handle hypothetical ransom, extortion, and fraud events accelerates response when an event occurs.
    

*   Conduct business analysis for cyber spending: Utilize business analysis to determine the appropriate cybersecurity investments. Focus on preventive technologies that provide greater risk reduction and ensure that the spending aligns with business priorities.
    

*   Implement multifactor authentication: Ensure that multifactor authentication is in place and effective. Avoid inferior solutions that users can mindlessly click through, and prioritize strong authentication measures for password resets to enhance security.
    

*   Regularly review and assess cybersecurity measures: Frequently review assessment results and address important gaps. This includes adopting automation for continuous threat exposure management and ensuring cybersecurity is integrated into business operations.
    

*   Adopt advanced technologies and continuous testing: Embrace automation and advanced technologies for security testing and closing security gaps. Stay ahead of emerging threats by keeping up with advancements in AI and other technologies.
    

*   Seek independent advice and expertise: Business leaders will be called to answer for hiring well-qualified cybersecurity advisers and executives. Use the three questions to understand the current state of cybersecurity within the organization. Seek independent advice to keep up with current threats and defenses. Obtain board members' cybersecurity expertise combined with other essential business skills, or hire independent advisers to provide valuable insights.
    

What hasn't played out yet is the full impact of increased AI usage by both attackers and defenders. As AI technology advances, organizations must keep up to ensure their cybersecurity measures are effective. A recent survey of IT security officers revealed that increasing use of AI will lead to more security breaches, while, conversely, four in five intend to use AI to guard against those same breaches. The ongoing complexity and expanding surface area of systems likely will lead to an increase in cyberattacks through 2030. This necessitates continuous vigilance, adoption of automation for threat and vulnerability management, and regular reviews of cybersecurity measures. Companies will also have to understand and protect against new AI-enabled systems that they are developing. 

Cyber-risk is inherently a business risk, and effective cybersecurity measures are essential for protecting valuable information and maintaining system availability.

One might argue that cybersecurity can be managed solely by IT departments. However, without executive-level involvement, organizations may face significant business disruptions and regulatory penalties. CEOs must understand their role in cybersecurity to ensure comprehensive protection.

The consistent pattern of cyber incidents causing business disruptions and regulatory fines supports the conclusion that CEO involvement is crucial to ensure that companies can answer the three questions: What are we doing? Is it enough? How do we know? Determining business value at risk and the right amount of protection requires business input. As company leadership, now is the time to ensure that technology teams are managing continuous monitoring, automated testing, and alignment with business needs across the enterprise.

**About the Author**

Managing Director, BPM

Ken Frantz is a transformational IT leader and consultant with experience in global financial services, emerging technology, and top-tier health system networks. He focuses on innovative technology advancement with reduced risk and is interested in high impact/high value opportunities to improve IT operations, deliver value, and help companies grow efficiently and effectively.

Your IT Systems Are Being Attacked. Are You Prepared?

The largest publicly traded water utility in the US was forced to disconnect some of its online systems, and its website and telecommunications system remained unavailable as of Tuesday morning, Oct. 8.

Source: Juri Samsonov via Alamy Stock Photo

The website of the largest publicly traded water utility in the US remained offline this morning after a cyberattack Oct. 3 forced the company to shut down some of its connected systems and services.

American Water is a significant supplier of water in the US, serving more than 14 million customers across 14 states and 18 military installations. The company employees about 6,500 people across its facilities. It discovered "unauthorized activity within its computer networks and systems" on Oct. 3 that turned out to be the result of a cybersecurity incident, the company reported in a Form 8-K filing with the US Securities and Exchange Commission.

The company activated incident-response protocols and enlisted third-party cybersecurity experts to help it contain and mitigate the attack, which included disconnecting and deactivating "certain" systems to "protect" systems and data, it reported.

**Online, Telecom Systems Affected**

The outages appear to have included the company's online customer-facing sites, as the American Water website as well as its "MyWater" customer portal served up white pages with "Forbidden 403" text today.

An attendant who answered a Dark Reading phone call to American Water's headquarters in Camden, N.J., early on Oct. 8 said she was unable to connect to a member of the media relations team, nor leave a message for anyone because the telecommunications system also "is down."

At this time, it seems that none of the company's water or wastewater facilities or operations have been negatively affected by the incident, although it's too soon to predict the full impact and material effect it will have on the company, according to the filing. An investigation alongside law enforcement officials remains ongoing as to the exact cause and extent of the damage.

**Utilities Under Attack**

Critical infrastructure such as the public water supply and electricity grid both in the US and overseas face increasing risk of attack from threat actors, incidents that have the potential to not only affect network infrastructure or financial coffers, but also cause supply shortages or even physical harm.

The now-infamous May 2021 ransomware attack on Colonial Pipeline is a prime example of the former, while a February 2021 attack on a Florida water-treatment facility, which potentially could have poisoned the water supply if an employee hadn't acted quickly, demonstrates the latter.

“We often overlook how vulnerable our everyday essentials are to digital threats," observes Akhil Mittal, senior manager of cybersecurity strategy and solutions at Black Duck (formerly known as Synopsys Software Integrity Group). "We’re not just talking about data breaches — this is about the safety of millions of people who rely on clean water every day. A cyber incident like this could disrupt water services, delay safety checks, and potentially risk public health."

**Regulatory Effort Stalled**

Unsurprisingly concerned, US federal authorities have put a concerted effort into to doing more to ensure cybersecurity measures at water utilities are a mandatory effort, as nearly 70% of the United States' community drinking water systems fails to comply with the Safe Drinking Water Act, according to the Environmental Protection Agency (EPA).

In fact, the EPA planned to ramp up efforts to enforce the act and other regulatory efforts to ensure better cybersecurity safety across water utilities in May. However, the agency had to roll back these actions last year after it faced litigation from Republican lawmakers and industry groups. Other agencies like CISA have advanced cybersecurity guides for the water sector in the wake of that failed effort.

Prevention of cybersecurity attacks through infrastructure security is indeed the key to ensuring critical services such as the ones utilities offer remain safe, as "protecting these systems is no longer optional now," but "critical to keep things running smoothly and safely," Mittal says.

As this is too late in the case of American Water, he adds, the key to recovering quickly from the incident now will be in taking quick actions to contain the attack, getting all systems back online in a reasonable time frame, and being transparent with the public about what happened.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

American Water Suffers Network Disruptions After Cyberattack

The vast majority of organizations in the region saw more attacks in the past year, but most don't feel prepared for future incidents.

Source: Viacheslav Lopatin via Shutterstock

Organizations in Saudi Arabia, the United Arab Emirates, and Turkey suffered more than 10 attacks in the past year on average — and the vast majority of business and IT professionals expect the coming year to be worse — driving efforts by cybersecurity experts in those countries to simplify and modernize their cyber defenses and IT infrastructure.

Overall, less than half of organizations (46%) feel well-prepared to defend against future cyberattacks, according to a survey of nearly 1,000 security professionals in those three regions published by Internet-services provider Cloudflare. With geopolitical conflict on the rise and cybercriminals increasingly focused on the Middle East region and Turkey, Bashar Bashaireh, regional vice president at Cloudflare, said in a statement.

"Organizations across the Middle East and Türkiye are managing an increasingly complex cybersecurity landscape," he said. "With incidents on the rise in both volume and frequency, this balancing act becomes even more challenging, leaving leaders with a sense of diminishing control over their organizations’ technological and security frameworks."

Cyberattacks have become commonplace in the region, but each nation's threat profile is slightly different. While the vast majority of companies in the UAE, for example, have suffered cyberattacks in the past two years, approximately a quarter of those incidents were caused by insiders. Both Saudi Arabia and the UAE have seen an increase in attacks over the past year, with DDoS attacks alone leveled by hacktivists jumping 70%. And in another wrinkle, a group of cybercriminals recently targeted Turkish users with Android malware aimed at stealing accounts.

The three countries have all embarked on major investments in modernization, pursuing major initiatives such as Abu Dhabi's Economic Vision 2030 and Saudi Arabia's Vision 2030, but the countries also need to strengthen their cybersecurity efforts to protect their investments, Chris Murphy, managing director at FTI Consulting, said in a November 2023 analysis of Middle East firms' cyber-readiness.

"Threat actors will not pause their activities while these strategic plans unfold, and without the necessary security and preparedness measures in place, cyber risks will threaten the vitality of key sectors and the overall economic growth of the region," he said.

**Simplifying & Modernizing Cyber Defense**

The majority of organizations in the Middle East and Turkey plan to increase cybersecurity's share of their IT budgets. The top priority for businesses across the region is to consolidate and simplify their cybersecurity infrastructure, with half of all organizations ranking the effort as a Top 3 initiative, followed by almost half (47%) prioritizing the modernization of their applications, according to Cloudflare's report.

"Despite their plans, many feel they are still not ready for what lies ahead, and there is a 'confidence gap' in key areas for a large number of respondents," Cloudflare stated.

Those include the security of applications and data in the public cloud, a lack of oversight into their supply chain, and a lack of visibility and control over the devices that access their networks, Cloudflare stated in its report.

The good news is that some nations have made strong progress in securing their systems, to the point that the Kingdom of Saudi Arabia is ranked second, after the United States, in the International Telecommunication Union's Global Cybersecurity Index.

**Most Pessimistic Industries: Media, Telecom & Gaming**

According to Cloudflare, cyberattackers in the past year targeted financial services, IT firms, and companies providing business and professional services most often, and were more likely to target larger organizations. Yet, the sectors most worried about future cyberattacks are the media and telecom sector, and the gaming sector, with 97% and 92% of respondents, respectively, predicting a cybersecurity incident in the next 12 months.

Perhaps unsurprisingly, the telecom and media sectors are among the least staffed as well, with 39% of information-security roles remaining unfilled, according to a recent report by cybersecurity firm Kaspersky.

"The growth rate of the domestic IT market in some developing regions is changing so rapidly, the labor market cannot manage to educate and train the appropriate specialists with the necessary skills and expertise in such tight deadlines," Vladimir Dashchenko, a security evangelist with Kaspersky's ICS CERT, said in a statement.

Companies in each region have struggled to meet government-backed cybersecurity frameworks, with 62% of companies in Turkey meeting the requirements of the EU cybersecurity framework, 69% of Saudi firms meeting the Saudi Arabian Monetary Authority (SAMA) framework, and many UAE organizations falling short in complying with the National Electronic Security Authority (NESA) framework.

Yet, despite that, executives' commitment to cybersecurity remains lukewarm, Cloudflare stated in the report

"Interestingly, despite the increasing volume of attacks, many cite a lack of buy-in from leadership as a key challenge," the firm stated. "Perhaps this is a case of cybersecurity fatigue, but whatever the cause, senior leaders cannot afford to ignore the challenges facing their organizations."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Mideast, Turkey Cyber Threats Spike, Prompting Defense Changes

Among those affected by all this monkeying around with DDoS in September were some 4,000 organizations in the US.

Source: Moviestore Collection Ltd via Alamy Stock Photo

Distributed denial-of-service (DDoS) attacks involving a new Mirai variant called GorillaBot surged sharply last month, launching 300,000 attacks, affecting some 20,000 organizations worldwide — including nearly 4,000 in the US alone.

In 41% of the attacks, the threat actor attempted to overwhelm the target network with a flood of User Datagram Protocol (UDP) packets, which are basically lightweight, connection-less units of data often associated with gaming, video streaming, and other apps. Nearly a quarter of the GorillaBot attacks were TCP ACK Bypass flood attacks, where the adversary's goal was to flood the target — often just one port — with a large number of spoofed TCP Acknowledgement (ACK) packets.

**GorillaBot, the Latest Mirai Variant**

"This Trojan is modified from the Mirai family, supporting architectures like ARM, MIPS, x86\_64, and x86," researchers at NSFocus said in report last week, after observing the threat actor behind GorillaBot launch its massive wave of attacks, between Sept. 4 and Sept. 27. "The online package and command parsing module reuse Mirai source code, but leave a signature message stating, 'gorilla botnet is on the device ur not a cat go away \[sic\],' hence we named this family GorillaBot."

NSFocus said it observed the botnet controller leverage five built-in command-and-control servers (C2s) in GorillaBot to issue a steady cadence of attack commands throughout each day. At its peak, the attack commands hit 20,000 in a single day. In all, the attacks targeted organizations in 113 countries with China being the hardest hit, followed by the US, Canada, and Germany, in that order.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

Though GorillaBot is based on Mirai code, it packs considerably more DDoS attack methods — 19 in all. The available attack methods in GorillaBot include DDoS floods via UDP packets and TCP Syn and ACK packets. Such multivector attacks can be challenging for target organizations to address, because each vector often requires a different mitigation approach.

For example, mitigating volumetric attacks such as UDP floods often involve rate limiting or restricting the number of UDP packets from a single source, blocking UDP traffic to unused ports, and distributing attack traffic across multiple servers to blunt the impact. SynAck flood mitigation on the other hand is about using stateful firewalls, SYN cookies, and intrusion-detection systems to track TCP connections and ensure that only valid ACK packets are processed.

**Bad Bots Rising**

Traffic related to so-called bad bots like GorillaBot has been steadily increasing over the past few years, and currently represents a significant proportion of all traffic on the Internet. Researchers at Imperva recently analyzed some 6 trillion blocked bad bot requests from its global network in 2023, and concluded that traffic from such bots currently accounts for 32% of all online traffic — a nearly 2% increase from the prior year. In 2013, when Imperva did a similar analysis, the vendor estimated bad bot traffic at 23.6% and human traffic as accounting for 57% of all traffic.

Related:Criminals Are Testing Their Ransomware Campaigns in Africa

Imperva's 2024 "Bad Bot Report" is focused entirely on the use of bad bots at the application layer and not specifically on volumetric DDoS attack on low-level network protocols. But 12.4% of the bad bot attacks that the company helped customers mitigate in 2023 were DDoS attacks. The security vendor found that DoS attacks in general were the biggest — or among the biggest — use cases for bad bots in some industries, such as gaming, and the telecom and ISP sector in healthcare and retail. Imperva found that threat actors often tend to use bad bots for DDoS attacks where any kind of system downtime or disruption can have significant impact on an organization's operations.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

GorillaBot Goes Ape With 300K Cyberattacks Worldwide

The Chinese state-sponsored cyberattack threat managed to infiltrate the "lawful intercept" network connections that police use in criminal investigations.

Source: Miro Novak via Alamy Stock Photo

The Chinese state-sponsored advanced persistent threat (APT) known as Salt Typhoon appears to have accessed major US broadband provider networks by hacking into the systems that law-enforcement agencies use for court-authorized wiretapping.

According to unnamed sources speaking to the Wall Street Journal, the affected providers include major national players like AT&T and Verizon Communications, along with enterprise-specific service providers like Lumen Technologies.

In addition to the wiretapping connections, the sources said Salt Typhoon also had access to more general Internet traffic flowing through the provider networks, and that the cyberattackers went after a handful of targets outside the US as well. The APT could have had access for months, they added.

"The widespread compromise is considered a potentially catastrophic security breach and was carried out by a sophisticated Chinese hacking group dubbed Salt Typhoon," sources told the WSJ. "It appeared to be geared toward intelligence collection."

Neither AT&T, Lumen, or Verizon immediately responded to a request for comment from Dark Reading.

**Lawful Intercept Connections in China's Hacking Sights**

The news comes about a week after Salt Typhoon was outed as hacking into major telecom networks for cyber-espionage purposes, and possibly to position itself to disrupt communications in the event of a kinetic conflict between China and the US. But the subversion of the connections that law enforcement entities have to service provider networks (which they can use to intercept communications of private individuals or organizations during criminal investigations or for purposes of national security) is a new wrinkle.

No information is available on how the attackers might have gotten access to the lawful intercept infrastructure, but Ram Elboim, CEO of Sygnia, which tracks the APT as "GhostEmperor," notes that clearly Salt Typhoon performed extensive reconnaissance.

"Reaching and compromising these sensitive assets requires not only familiarity with the network structure, but also advanced capabilities to be able to move laterally across separated sub-networks," he tells Dark Reading. "One assumes that these assets are far separated from the ISP corporate and operational network, and also connected to law enforcements’ networks in order for authorities to be able to operate and stream the gathered data in a very secure method."

This breach demonstrates the need for critical infrastructure organizations to not only design their network structure securely with strict segregation strategies, but to "continuously update and test the resilience of their operational networks and sensitive assets as part of a robust incident response playbook," he adds.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Salt Typhoon APT Subverts Law Enforcement Wiretapping: Report

CISOs' cash compensation tops $400,000 now, but with the high pay comes struggles, rapidly changing responsibilities, and tight budgets.

Source: Natee Jindakum via Shutterstock

Cybersecurity professionals serving as chief information security officers (CISOs) continue to see respectable increases in pay, but not at the same rate as two years ago, and not in a way the keeps up with the changes to their responsibilities.

The average CISO now earns $403,000 in annual compensation — including salary, bonuses for reaching specific goals, and equity, such as stock options — representing a 6.4% increase over the past 12 months, according to IANS Research's "2024 CISO Compensation Report" published on Oct. 2. However, changes to the threat landscape frequently put business operations under attack, the responsibility for which falls on the shoulders of the CISO, especially following rules issued by the Securities and Exchange Commission (SEC) that requires CISOs to determine whether a breach is material within four days of discovery.

CISOs often do not have enough resources at heir disposal to do so, putting them in legal jeopardy, or, conversely, are successfully mitigating threats only to endure budget pressures because of that success, says Fred Kwong, vice president and CISO at DeVry University.

"There's this dichotomy between, Hey, Fred's doing a good job, keeping on top of the threats, mitigating the issues, \[yet\] at the same time \[he's\] asking for more resources, more money, even when they're seeing that the threat is not actualized," he explains. "We're kind of getting questioned, 'Well, do we really need another person? Do we need really need another technology or control, because it seems like you have these things handled.'"

Kwong manages a team of five other cybersecurity professionals, but continues to fight to hire a sixth — even though the organization is unlikely to approve another full-time employee.

Source: 2024 CISO Compensation Report, IANS and Artico

In 2021 and 2022, following increased remote work due to the pandemic, companies found themselves needing to secure their operations infrastructure, driving demand for CISOs — especially as cybercriminals started compromising firms and infecting their systems with ransomware. While CISOs made significant gains in compensation during the tail end of the pandemic — 44% either switched jobs or took a retention bonus in 2022 — the demand now shows signs of settling down, with only 11% doing the same in 2024, says Nick Kakolowski, senior research director at IANS Research.

"We are seeing generally a lack of movement, mostly because of macroeconomic conditions — businesses are just being conservative about hiring more," he says. "Businesses are kind of saying, We'll get by with what we have for a while. We'll hold off on hiring. We'll keep on our current path, and more CISOs are staying put, rather than taking the risk of taking on something new right now."

**CISO Mindsets: A State of Stress**

CISOs that move jobs — or are paid an incentive to stay in their current position — see the biggest increases in compensation, and CISOs for state governments are among the most likely to move. Nearly half of states hired a new CISOs in the past year, leading the average tenure of a CISO to drop from 30 months in 2022 to 23 months this year, according to the biennial Deloitte-NASCIO Cybersecurity Study.

Stress will only continue to build for CISOs in state government positions: Finding and retaining cybersecurity-skilled professionals is difficult, more sophisticated attacks — such as ransomware — have become common, and budgets continue to be tight and often hard-to-predict, says Srini Subramanian, principal with the risk and financial advisory group at consulting firm Deloitte.

Government cybersecurity professionals, which make between $125,000 to $225,000, typically do not include compensation in their Top 3 reasons for job satisfaction. Yet, increasing attacks and greater consequences for their networks, along with increased scrutiny for any outage or incident, puts them squarely in the in the eyes of the public and government officials, he says.

"The state-level systems are also dealing with ... a lot more challenges compared to a private sector systems," Subramanian says. "They have budget constraints, they have talent constraints, and now we are expanding the scope of the systems even more."

**Public Headaches, Private Stressors**

Daniel Schwalbe used to work as a security pro under the CISO at the University of Washington, a large public university, which meant that his role bridged both government and education sectors. He loved the work, and he certainly wasn't there for high pay, he says. Education CISOs are the lowest-paid of all the industries tracked by the IANS survey, with a median annual total compensation of $243,000 (the government sector was not listed).

Yet, the security work was neverending, he says.

"We had half a million devices on a network that we were supposed to protect, and I can tell you that on any given day, we pretty much figured there are 1,000 compromised devices on that network out of half a million," he says. "That's just the reality."

When he left, it wasn't about scoring a better salary, but about combatting the lack of a career path. The only position left for him to graduate to in the security career track at UW was CISO, but the current holder of that position did not intend to retire for at least three years. So, he accepted the job of deputy CISO with Farsight Security, and assumed the role of CISO at DomainTools when that company bought Farsight.

His responsibilities have changed somewhat. Compliance is more of an issue at a private firm, whereas the government and education sector have to deal with bureaucracy. Yet, making technology work better for security is a common factor, and he hopes that automation will reduce stress across the board.

"Investing a little bit upfront and tuning the alerts — so the stuff that actually comes out of your security tools is much more useful — can help," he says. "It costs money, and it's not a silver bullet, but in my opinion, it does help and can help with issues like threat analyst burnout."

**How AI Is Impacting Security**

The research firms' analyses also found that hot potato of AI risk is putting a lot of pressure on CISOs as individuals, escalating the stress. IANS Research's Kakolowski says that, typically, no one security pro in the business is really well positioned to own AI. The right person needs a blend of technical, governance, privacy, and data-science backgrounds to really help organizations fully manage the risk, he says.

Usually, CISOs do not check all those boxes, which could expose them to liability.

"CISOs are becoming the go-to person to inform AI risk decisions, and there's this pushback where CISOs say, 'Well, we can't own all of this risk, because this risk isn't owned by the business unit," he says. "'Using the tooling, we can help inform you about this risk, and we can help you understand this risk, but you have to ultimately be the ones making that decision and taking that ownership.'"

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Source

DARKReading