Cyber Security Headlines: Week in Review – November 22, 2024
Hosted by Rich Stroffolino of the CISO Series, featuring guest Jimmy Benoit, VP of Cybersecurity at PBS.
1. Introduction
In this episode of Cyber Security Headlines, host Rich Stroffolino reviews the week's significant cybersecurity events alongside guest Jimmy Benoit. The discussion spans critical infrastructure vulnerabilities, professional liability insurance for CISOs, and notable industry initiatives like Microsoft's Zero Day Quest.
2. Critical Risks to US Drinking Water Systems
Summary: The Environmental Protection Agency (EPA) has issued a stark warning regarding vulnerabilities within over 300 US drinking water systems. A report from the EPA's Office of Inspector General highlights that these weaknesses could jeopardize the water supply for approximately 110 million Americans. Of the more than 1,000 systems evaluated, 97 exhibited critical or high-severity issues whose consequences go beyond standard denial-of-service (DoS) attacks and theft of Personally Identifiable Information (PII). The EPA emphasizes that exploitation of these vulnerabilities could lead to irreversible physical damage to water infrastructure.
Discussion: Jimmy Benoit expressed concern over the potential disconnect between government mandates and the actual funding provided to utilities. He noted, "If you were to ask the locales, do you have enough money to handle this, they're going to say no" ([04:26]).
Notable Quote:
"I think as we'll get into some of these next stories, it is because of the overwhelming amount of bad things going on in the world right there."
– Jimmy Benoit [04:26]
3. Exposed Industrial Control Systems
Summary: A recent study by Censys, an attack surface management company, revealed that over 145,000 industrial control systems (ICS) across 175 countries are exposed online. The United States accounts for approximately one-third of these exposures. The distribution by region is as follows:
- North America: 38%
- Europe: 35.4%
- Asia: 22.9%
- Oceania: 1.7%
- South America: 1.2%
- Africa: 0.5%
Discussion: The conversation highlighted the strategic importance of securing ICS against sophisticated threat actors. Benoit referenced FBI allegations about Chinese government access to critical infrastructure networks, emphasizing the need for CISOs to communicate risks effectively to business leaders and secure necessary resources.
Notable Quotes:
"We just need to be very realistic, pragmatic. We need to communicate in terms of business risk to business leaders."
– Jimmy Benoit [07:14]
"If you don't get them, document that on your risk register and just maintain really good records for your own personal liability sake."
– Jimmy Benoit [07:14]
4. TSA's Implementation of Cybersecurity Recommendations
Summary: The U.S. Government Accountability Office (GAO) criticized the Transportation Security Administration (TSA) for failing to implement four of the six cybersecurity recommendations it made in 2018. While TSA has made progress in expanding its cybersecurity workforce and updating its incident recovery protocols, it fell short on the recommendations related to ransomware and to establishing effectiveness metrics following the Colonial Pipeline attack.
Discussion: Benoit acknowledged the breadth of TSA's responsibilities, noting, "They have a lot of priorities not to defend them, but, hey, they gotta do a lot of things." He suggested rethinking how cybersecurity assistance is provided to critical infrastructure, especially considering the disproportionate impact on disadvantaged communities.
Notable Quotes:
"It's an incredibly complicated and complex problem that involves hundreds, if not thousands of people who I do think are genuinely trying to do the right thing."
– Jimmy Benoit [11:06]
"You can't kind of protect what you don't have visibility into."
– Jimmy Benoit [21:18]
5. CISOs Gain Access to Professional Liability Insurance
Summary: In positive news, Crum and Forster Quality Name, a New Jersey-based insurer, has introduced a professional liability insurance policy tailored for Chief Information Security Officers (CISOs). This policy aims to shield CISOs from personal liability, addressing the gap where traditional Directors and Officers (D&O) policies may not fully cover them.
Discussion: Benoit viewed this development favorably but emphasized the importance of elevating CISOs within organizational structures to ensure comprehensive protection. He highlighted concerns about the adequacy of representation under existing insurance frameworks.
Notable Quotes:
"Especially given what's happened with Uber, SolarWinds and any other issues out there with CISOs being held personally liable."
– Jimmy Benoit [14:27]
"It's something that I'm personally looking into because it's, you know, just, we should always be aware of what's out there."
– Jimmy Benoit [14:27]
6. Microsoft Launches Zero Day Quest Hacking Event
Summary: At its Ignite conference in Chicago, Microsoft announced the Zero Day Quest, a hacking competition focused on identifying vulnerabilities in cloud and artificial intelligence (AI) products. The challenge offers $4 million in rewards to researchers who discover significant vulnerabilities. Participants receive direct access to Microsoft's AI engineers and Red Team, with potential qualification for an exclusive on-site event in Redmond, Washington. The competition runs until January 19, 2025.
Discussion: Benoit commended Microsoft's initiative but suggested that the company could allocate more resources to cybersecurity beyond the $4 million prize, given their substantial net profit of $90 billion. He argued that a greater investment could enhance the security of Microsoft's products and benefit the broader cybersecurity community.
Notable Quotes:
"I think we could just do a little bit more, right. I'm not asking them to be a non-profit here."
– Jimmy Benoit [18:44]
"It's just a net win for them as well."
– Jimmy Benoit [18:59]
7. Ransomware Gangs Recruiting Pen Testers
Summary: A report from Cato Networks uncovered that ransomware groups like Oppos, Lynx, and Rabbit Hole are posting job listings on the Russian anonymous marketplace, Ramp, to recruit penetration testers for their ransomware affiliate programs. These individuals are tasked with simulating common cyberattacks, enhancing the sophistication and effectiveness of ransomware operations.
Discussion: Benoit likened the scenario to a high-stakes game of espionage, underscoring the blurred lines between ethical hacking and malicious activities. The conversation highlighted the competitive nature of cybersecurity, where both defenders and attackers vie for advanced skills.
Notable Quotes:
"Choose the blue pill and you hack for the good guys. You choose the red pill, you hack for the bad guys."
– Jimmy Benoit [17:39]
8. MITRE Updates Top 25 Software Vulnerabilities
Summary: MITRE has released an updated list of the top 25 most dangerous software weaknesses, reflecting the evolving threat landscape. Leading the list are:
- Cross-Site Scripting (XSS)
- Out-of-Bounds Write Flaws
- SQL Injection ...
- Missing Authorization
MITRE urges organizations to prioritize addressing these vulnerabilities during development and procurement processes to mitigate potential risks.
Discussion: While Benoit found no major surprises in the updated list, he offered constructive criticism regarding MITRE's methodology. He pointed out that the current approach may overemphasize the frequency of vulnerabilities and their severity scores (CVSS) without adequately considering exploitability. Benoit advocated for incorporating the Exploit Prediction Scoring System (EPSS) to better assess actual risk.
Notable Quotes:
"There's something like 70 something percent of all CVEs have no known exploit."
– Jimmy Benoit [20:16]
"Because exploitability means so much more in my eyes when it comes to actual risk versus just the count of CVEs and the CVSS of those."
– Jimmy Benoit [20:16]
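As an added illustration of the prioritization point Benoit raises (this is example code written for this summary, not code from the episode, from MITRE or from FIRST), the script below ranks a constructed set of findings first by CVSS base score alone and then by a score that weights CVSS by the EPSS exploitation probability and treats a CISA KEV listing as an override. The weighting formula, the EPSS threshold and the CVE identifiers are all assumptions chosen for illustration.

```python
"""Exploitability-aware vulnerability triage (constructed example).

Ranks findings two ways: by CVSS base score alone, and by a score that
weights CVSS by the EPSS probability of exploitation and pins anything in
CISA's Known Exploited Vulnerabilities (KEV) catalog to the top. The
weighting formula is an assumption for illustration, not an official method.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str      # identifier (placeholders below, not real CVEs)
    cvss: float   # CVSS base score, 0.0 - 10.0
    epss: float   # EPSS probability, 0.0 - 1.0
    kev: bool     # listed in CISA's KEV catalog


def exploit_aware_score(f: Finding) -> float:
    """CVSS scaled by exploitation likelihood; KEV entries always rank first."""
    return 10.0 if f.kev else f.cvss * f.epss


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """Severity-only ordering: the approach Benoit argues overweights CVSS."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_exploitability(findings: List[Finding]) -> List[str]:
    """Ordering that accounts for whether exploitation is actually likely."""
    return [f.cve for f in sorted(findings, key=exploit_aware_score, reverse=True)]


def triage(findings: List[Finding], epss_threshold: float = 0.1) -> Tuple[List[str], List[str]]:
    """Split into (fix_now, backlog): KEV or EPSS at/above threshold goes first."""
    fix_now = [f.cve for f in findings if f.kev or f.epss >= epss_threshold]
    backlog = [f.cve for f in findings if f.cve not in fix_now]
    return fix_now, backlog


# Constructed sample data; the CVE identifiers are placeholders.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.010, kev=False),  # critical, rarely exploited
    Finding("CVE-0000-0002", cvss=7.5, epss=0.950, kev=False),  # high, exploitation near-certain
    Finding("CVE-0000-0003", cvss=6.1, epss=0.020, kev=True),   # medium, but in KEV
    Finding("CVE-0000-0004", cvss=9.1, epss=0.300, kev=False),
    Finding("CVE-0000-0005", cvss=5.3, epss=0.005, kev=False),
]

if __name__ == "__main__":
    print("CVSS only      :", rank_by_cvss(SAMPLE))
    print("exploit-aware  :", rank_by_exploitability(SAMPLE))
    print("fix now/backlog:", triage(SAMPLE))
```

On the sample, the two critical-CVSS findings drop to the bottom of the exploit-aware ranking while the KEV-listed medium-severity finding moves to the top.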
9. Conclusion and Final Thoughts
As the episode wrapped up, Rich and Jimmy reflected on the critical infrastructure issues discussed, emphasizing the importance of preparedness and gratitude for operational systems that continue to function despite vulnerabilities. Benoit advised, “Maybe not an eye roller but maybe a frowny face on all the critical infrastructure news stories.”
Notable Quote:
"We never know. Or just be grateful when you turn on your tap and it's still working."
– Rich Stroffolino [22:29]
Rich encouraged listeners to follow Jimmy Benoit on LinkedIn and stay tuned for the next episode slated for December 6, following the Thanksgiving break.
Key Takeaways:
- Infrastructure Security: Critical vulnerabilities in US drinking water systems and widespread exposure of industrial control systems demand urgent attention and resources.
- CISO Protection: The introduction of professional liability insurance for CISOs is a positive step, though organizational elevation of CISOs remains essential.
- Industry Initiatives: Microsoft's Zero Day Quest represents ongoing efforts to enhance cybersecurity through collaborative challenges, though larger investments are advocated.
- Evolving Threats: Ransomware groups are increasingly professionalizing by recruiting skilled pen testers, intensifying the cyber threat landscape.
- Vulnerability Management: MITRE's updated Top 25 list serves as a crucial guide for organizations to prioritize their cybersecurity defenses, though methodologies may need refinement to better assess exploitability.
For more detailed stories and daily updates, visit CISOseries.com.
Note: This summary omits advertisements, intros, outros, and non-content sections to focus solely on the substantive discussions of the episode.
