Below are some of the stories we’ve been reporting this week on Cyber Security Headlines.If you’d like to watch and participate in a discussion about them, the CISO Series delivers a vibrant live 20-minute show every Friday at 12:30pm PT/3:30pm ET. Each week we welcome a different cyber practitioner to offer some color to the week's stories. Our guest this week is Jimmy Benoit, vp, cybersecurity, PBS.
To get involved you can watch live and participate in the discussion on YouTube Live https://www.youtube.com/watch?v=m4AP4MeXulU%3Ffeature%3Dshare or you can subscribe to the Cyber Security Headlines podcast and get it into your feed.Here are the stories we plan to cover:
EPA warns of critical risks in drinking water infrastructure
A report from the EPA’s Office of Inspector General (OIG) reveals vulnerabilities in over 300 U.S. drinking water systems, potentially affecting service for 110 million people. Among 1,062 systems assessed, 97 systems serving 27 million individuals had critical or high-severity issues. Exploitable flaws could lead to denial-of-service attacks, physical infrastructure damage, or compromised customer information. The OIG went on to say that if a threat actor were to exploit any of the vulnerabilities they discovered not only would service be disrupted but it could cause irreparable physical damage to the drinking water infrastructure.
(Security Week)
Over 145,000 Industrial Control Systems Across 175 Countries Found Exposed Online
New research has uncovered more than 145,000 internet-exposed Industrial Control Systems (ICS) across 175 countries, with the U.S. alone accounting for over one-third of the total exposures. The analysis, which comes from attack surface management company Censys, found that 38% of the devices are located in North America, 35.4% in Europe, 22.9% in Asia, 1.7% in Oceania, 1.2% in South America, and 0.5% in Africa.
(The Hacker News)
TSA not implementing cybersecurity recommendations
A report from the US Government Accountability Office, or GAO, criticized the Transportation Security Administration for failing to address four out of six cybersecurity recommendations it made in 2018. The TSA did implement a plan to develop strategies to expand its cybersecurity workforce and partially updated its Pipeline Security and Incident Recovery Protocol Plan to include cybersecurity. GAO’s recommendations about ransomware best practices were not been heeded by TSA yet, from evaluating which transportation sectors were following best practices to aligning its directives with NIST standards or assessing the effectiveness of federal support for organizations experiencing a ransomware attack. It also noted a lack of metrics to measure the effectiveness of TSA measures implemented in the wake of the Colonial Pipeline attack.
(The Record)
Microsoft launches Zero Day Quest hacking event
On Tuesday, at its Ignite annual conference in Chicago, Microsoft unveiled Zero Day Quest, a new hacking event focusing on cloud and Artificial Intelligence products and platforms. Zero Day Quest begins with Microsoft offering $4 million in awards to researchers who identify vulnerabilities in high-impact areas, specifically cloud and AI. Throughout the campaign, Microsoft is providing researchers direct access to their Microsoft AI engineers and AI Red Team. Through their vuln submissions, researchers may qualify for next year’s (invite only) onsite hacking event in Redmond, Washington. This challenge kicked off yesterday, is open to everyone, and will run through January 19, 2025.
(Bleeping Computer)
Ransomware gangs now recruiting pen testers
According to a new report from Cato Networks, ransomware gangs such as Apos, Lynx, and Rabbit Hole are posting job listings on the Russian Anonymous Marketplace (RAMP) to recruit pen testers to join their ransomware affiliate programs. Penetration testing simulates common attacks in order to identify gaps and system vulnerabilities and gauges the strength of an organization’s cyber defenses. These new recruitment efforts are the latest example of the professionalization of Russian cybercriminal groups.
(Infosecurity Magazine andDark Reading)
MITRE offers updated list of most dangerous software vulnerabilities
MITRE, the not-for-profit organization that oversees federally funded R&D centers with an eye to cybersecurity, has updated its “Common Weakness Enumeration Top 25 Most Dangerous Software Weaknesses” list, reflecting the newest developments in the cyber threat landscape. At the top of the list is Cross-site scripting in top place followed by out-of-bounds write flaws, SQL injection bugs. Missing authorization comes in at number 10. CISA, which worked with a branch of MITRE in putting together the report, is now urging organizations to “review the list and prioritize these weaknesses in development and procurement processes.”
(Security Week)
CISOs can now obtain professional liability insurance
New Jersey-based insurer Crum & Forster recently unveiled a policy specifically designed to shield CISOs from personal liability. Representatives from the firm pointed out that unlike other members of the C-Suite, CISOs “may not be recognized as corporate officers under a directors and officers liability policy, which normally covers executive liability.” The firm says their goal is to help CISOs who “are in a no-win situation…if everything goes right, that’s what people expect. If something goes wrong, they’re the person that everybody looks at and they’re left holding the bag. Then, there are potentially significant financial ramifications for them because they’re often not covered by traditional insurance policies.”
(Cyberscoop)