Cyber Security Headlines Week in Review: Drinking water threat, CISO liability insurance, Microsoft zero-day event

This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Jimmy Benoit, vp, cybersecurity, PBS

Missed the live show? Check it out on YouTube

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

EPA warns of critical risks in drinking water infrastructure

A report from the EPA’s Office of Inspector General (OIG) reveals vulnerabilities in over 300 U.S. drinking water systems, potentially affecting service for 110 million people. Among 1,062 systems assessed, 97 systems serving 27 million individuals had critical or high-severity issues. Exploitable flaws could lead to denial-of-service attacks, physical infrastructure damage, or compromised customer information. The OIG went on to say that if a threat actor were to exploit any of the vulnerabilities it discovered, not only would service be disrupted, but the attack could cause irreparable physical damage to the drinking water infrastructure.

(Security Week)

Over 145,000 Industrial Control Systems Across 175 Countries Found Exposed Online

New research has uncovered more than 145,000 internet-exposed Industrial Control Systems (ICS) across 175 countries, with the U.S. alone accounting for over one-third of the total exposures. The analysis, which comes from attack surface management company Censys, found that 38% of the devices are located in North America, 35.4% in Europe, 22.9% in Asia, 1.7% in Oceania, 1.2% in South America, and 0.5% in Africa.

(The Hacker News)

Microsoft launches Zero Day Quest hacking event 

On Tuesday, at its Ignite annual conference in Chicago, Microsoft unveiled Zero Day Quest, a new hacking event focusing on cloud and Artificial Intelligence products and platforms. Zero Day Quest begins with Microsoft offering $4 million in awards to researchers who identify vulnerabilities in high-impact areas, specifically cloud and AI. Throughout the campaign, Microsoft is providing researchers direct access to its AI engineers and AI Red Team. Through their vulnerability submissions, researchers may qualify for next year’s (invite-only) onsite hacking event in Redmond, Washington. This challenge kicked off yesterday, is open to everyone, and will run through January 19, 2025.

(Bleeping Computer)

CISOs can now obtain professional liability insurance

New Jersey-based insurer Crum & Forster recently unveiled a policy specifically designed to shield CISOs from personal liability. Representatives from the firm pointed out that unlike other members of the C-Suite, CISOs “may not be recognized as corporate officers under a directors and officers liability policy, which normally covers executive liability.” The firm says their goal is to help CISOs who “are in a no-win situation…if everything goes right, that’s what people expect. If something goes wrong, they’re the person that everybody looks at and they’re left holding the bag. Then, there are potentially significant financial ramifications for them because they’re often not covered by traditional insurance policies.”

(Cyberscoop)

Huge thanks to our sponsor, ThreatLocker

Do zero-day exploits and supply chain attacks keep you up at night? Worry no more; you can harden your security with ThreatLocker.

ThreatLocker helps you take a proactive, default-deny approach to cybersecurity and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation are fully supported by their US-based support team.

To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit ThreatLocker.com.

Ransomware gangs now recruiting pen testers

According to a new report from Cato Networks, ransomware gangs such as Apos, Lynx, and Rabbit Hole are posting job listings on the Russian Anonymous Marketplace (RAMP) to recruit pen testers to join their ransomware affiliate programs. Penetration testing simulates common attacks in order to identify gaps and system vulnerabilities and gauges the strength of an organization’s cyber defenses. These new recruitment efforts are the latest example of the professionalization of Russian cybercriminal groups.

(Infosecurity Magazine and Dark Reading)

TSA not implementing cybersecurity recommendations

A report from the US Government Accountability Office, or GAO, criticized the Transportation Security Administration for failing to address four out of six cybersecurity recommendations it made in 2018. The TSA did implement a plan to develop strategies to expand its cybersecurity workforce and partially updated its Pipeline Security and Incident Recovery Protocol Plan to include cybersecurity. GAO’s recommendations about ransomware best practices have not yet been heeded by TSA, from evaluating which transportation sectors were following best practices to aligning its directives with NIST standards and assessing the effectiveness of federal support for organizations experiencing a ransomware attack. The report also noted a lack of metrics to measure the effectiveness of TSA measures implemented in the wake of the Colonial Pipeline attack.

(The Record)

MITRE offers updated list of most dangerous software vulnerabilities

MITRE, the not-for-profit organization that oversees federally funded R&D centers with an eye to cybersecurity, has updated its “Common Weakness Enumeration Top 25 Most Dangerous Software Weaknesses” list, reflecting the newest developments in the cyber threat landscape. Cross-site scripting takes the top spot, followed by out-of-bounds write flaws and SQL injection bugs. Missing authorization comes in at number 10. CISA, which worked with a branch of MITRE in putting together the report, is now urging organizations to “review the list and prioritize these weaknesses in development and procurement processes.”

(Security Week)
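As an added illustration for the MITRE item above (this is not code from the podcast, the show notes, or MITRE’s own material), the following Python shows three of the weakness classes named in the story side by side in their vulnerable and hardened forms: SQL injection, missing authorization, and cross-site scripting. Out-of-bounds write is left out because Python is memory-safe and cannot demonstrate it. The in-memory database, the `notes` table, the user names, and the probe string are all constructed sample data.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory sample database (illustrative data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO notes (title, owner) VALUES (?, ?)",
        [("alice-todo", "alice"), ("bob-budget", "bob")],
    )
    conn.commit()
    return conn


# --- SQL injection: vulnerable vs. parameterized ---------------------------

def find_notes_vulnerable(conn, title):
    # Untrusted input is spliced into the SQL text, so quote characters in
    # `title` change the query's structure instead of being treated as data.
    sql = f"SELECT id, title, owner FROM notes WHERE title = '{title}'"
    return conn.execute(sql).fetchall()


def find_notes_hardened(conn, title):
    # Parameter binding: the driver passes `title` as a bound value; it is
    # never parsed as SQL, so a quote-laden input simply matches no row.
    sql = "SELECT id, title, owner FROM notes WHERE title = ?"
    return conn.execute(sql, (title,)).fetchall()


# --- Missing authorization: object access without an ownership check -------

def read_note_missing_authz(conn, note_id, requester):
    # The caller's identity is accepted but never compared with the owner,
    # so any authenticated user can read any note by id.
    row = conn.execute("SELECT title FROM notes WHERE id = ?", (note_id,)).fetchone()
    return row[0] if row else None


def is_owner(conn, note_id, requester):
    # Authorization predicate: True only when the note exists and belongs to the requester.
    row = conn.execute("SELECT owner FROM notes WHERE id = ?", (note_id,)).fetchone()
    return row is not None and row[0] == requester


def read_note_authorized(conn, note_id, requester):
    # The check runs on every access; a web layer would map PermissionError to 403.
    if not is_owner(conn, note_id, requester):
        raise PermissionError(f"{requester} may not read note {note_id}")
    return conn.execute("SELECT title FROM notes WHERE id = ?", (note_id,)).fetchone()[0]


# --- Cross-site scripting: raw interpolation vs. output encoding -----------

def render_greeting_vulnerable(name):
    # Raw interpolation: any markup in `name` is emitted as live HTML.
    return f"<p>Hello, {name}</p>"


def render_greeting_hardened(name):
    # html.escape encodes <, >, &, and quotes, so `name` renders as inert text.
    return f"<p>Hello, {html.escape(name)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"                         # constructed tautology input
    print(find_notes_vulnerable(db, probe))        # both rows come back
    print(find_notes_hardened(db, probe))          # []
    print(read_note_missing_authz(db, 1, "bob"))   # bob reads alice's note
    print(is_owner(db, 1, "bob"))                  # False
    print(render_greeting_hardened("<b>x</b>"))    # markup encoded, not rendered
```

The three pairs share one pattern the Top 25 keeps surfacing: untrusted input crossing a trust boundary (into a query, an object lookup, or an HTML response) without a boundary-specific control. Reviewing code for the hardened shape of each pair, parameter binding, an explicit ownership check, and contextual output encoding, is a practical way to act on CISA’s advice to prioritize these weaknesses in development.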

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.