Rich Stroffolino
From the CISO Series, it's Cyber Security Headlines. Water, infrastructure, industrial controls and TSA: we need to talk. Microsoft launches Zero Day Quest hacking event, and CISOs can now obtain professional liability insurance. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And now we're ready for some insight, some opinion and expertise from our guest, Jimmy Benoit, VP of cybersecurity at PBS. Jimmy, thanks so much for being on the show. I have to ask, to start off the show, how was your week in cybersecurity?
Jimmy Benoit
Hey, Rich and everybody out there, thanks for having me. It's been an okay week, a good week. I'm going to knock on wood three or four times.
Rich Stroffolino
Yeah, the week. The week isn't over. Yeah, we don't want to jinx this week. Yeah.
Jimmy Benoit
So famous last words. You'll see me rush off to handle a fire here in a second, but.
Rich Stroffolino
If you keep that up, we'll put you on a top CISO list to really just make sure we're going to jinx everything. All right, so hopefully a jinx-free week in cybersecurity. All right, that sounds good. Another thing that's jinx-free is our sponsor for today, ThreatLocker, Zero Trust Endpoint Protection Platform. Remember, you can join us on YouTube live. To do so, go to cisoseries.com, hit the events dropdown, and look for the Cyber Security Headlines Week in Review image. If you've never joined us for a live show, you're missing out. You're missing out on great comments from Kevin Farrell, from CCL, from the big boss man David Spark, from A Cat, another one of our people that joins us most weeks. So there's a lot of regulars, but we want you to be the new regulars. Join us on the live stream. We'd love to have you here, and we'll try and get your comments up in the chat during the course of the show. Before we start out here, just a quick reminder to everybody that Jimmy's opinions are his own, not necessarily those of his employer. We've got about 20 minutes, though, so let's jump right into the first story. We've got kind of a triumvirate of stories here. They're all kind of related: water infrastructure, industrial controls, and TSA. We do need to talk. We had three major infrastructure stories, so let's keep going here in a little segment we like to call Hello, Infrastructure. Is this thing on? Jimmy pointed this out during our pre-production. Definite threat here. First, the EPA warns of critical risk to drinking water. A report from the EPA's Office of Inspector General reveals vulnerabilities in over 300 US drinking water systems, potentially impacting service for 110 million people. For those not keen on math, that's about a third of the US population. From over 1,000 systems assessed, 97 systems serving 27 million individuals had critical or high severity issues beyond standard denial of service attacks and PII theft. You know, the classics.
The OIG went on to say that the vulnerabilities, if exploited, could cause irreparable physical damage to the drinking water infrastructure. So, Jimmy, you know, we've covered infrastructure stories here in the past. Many times, water being one of the big ones, we all forget about it until we need it. Definitely seems to be a disconnect because people just assume when they turn on the tap there's going to be safe drinking water there. There's also a strong sentiment against what some will call government overreach when it comes to stronger cybersecurity regulation for utilities. I'm curious, where are your thoughts on all this?
Jimmy Benoit
Yeah, so I used to work in utilities. So I saw this article and I reminisced a little bit. I didn't work in water, but I had to look it up. I was curious when we talked about government overreach, so I googled it and I was like, what percentage are private versus public? And it turns out about 88% of water systems in the US are public, with 12% being private. That's some government data that I found out there. So I also was curious, does the federal government appropriate any funds for these locales? And they do. So Congress has allocated funding for the locales. So my first thought was increased mandates without any kind of funding to support those mandates, and I wanted to shake my hand at that, but it sounds like maybe there is some degree of funding that's going from the federal government to the locales. I don't know. I'm not in this industry, but I presume if you were to ask the locales, do you have enough money to handle this, they're going to say no. And I think, as we'll get into some of these next stories, it is because of the overwhelming amount of bad things going on in the world right there. There has been additional appropriation of funding, but not to keep up with the pace of bad things happening out there in the cyber world.
Rich Stroffolino
Yeah. And even knowing, you know, not to get into a whole government tirade here, but even when you have the funding, whether you have the ability to spend it as quickly in the areas that you want to. We know there's challenges with bringing on staffing anytime there's public dollars involved there too. So there is a wide variety of systemic issues that could lead to this, even if the dollar figure, like you were saying, might be somewhat responsive to the needs of regulation, at least if not to the threats that we're facing, for sure. But yeah, let's get into that next story here, because I do think all of these first three stories here are definitely all of a kind. Our second story: over 145,000 industrial control systems across 175 countries found exposed online. This new research has uncovered more than 145,000 Internet-exposed industrial control systems across 175 countries. The US alone accounted for a third of total exposures. The analysis, which comes from attack surface management company Censys, found that 38% of devices are located in North America, 35.4% in Europe, 22.9% in Asia, about 1.7% in Oceania, 1.2% in South America, and 0.5% in Africa. Good on you, Africa. So, Jimmy, from this story, perhaps we can look at the fact that sophisticated threat actors are well aware that there is much to be gained from vandalizing infrastructure to create chaos, especially when we think about the rash of mysterious unfortunate events that befell Finland this week, just as the most recent example here. I'm curious, how can CISOs get the message across that, hey, this is a big deal, without being dismissed as Chicken Littles?
Jimmy Benoit
Yeah. So I think you're 100% right when you say sophisticated threat actors. So I looked it up. The FBI said in April of this year, 2024, and I'm quoting the FBI here, that they "gained illicit access to networks within America's critical telecommunications, energy, water and other infrastructure sectors," "they" being the Chinese government that the FBI is alleging there. It's been described to me that with this alleged access that's been gained to the critical infrastructure, they're just waiting. So they're not pulling the trigger. They're not trying to cause any chaos right now, but they're just waiting for that opportune moment where it might pay off or have some sort of benefit. Those are all allegations. I can't attest to having any inside knowledge on that, so I'm not going to try. I think when CISOs talk about it, we just need to be very realistic, pragmatic. We need to communicate in terms of business risk to business leaders, catalog everything and make sure that the board is aware of what's going on. Request the funds, request the resources that are needed. If you don't get them, document that on your risk register and just maintain really good records for your own personal liability's sake, which I think we'll talk about shortly.
Rich Stroffolino
Yes, yes, definitely getting on that. Yeah. The idea of at least, we can go into this with our accounting for the risk that's clearly already out there. I mean, we've talked about, in the past two months, two massive operations from Chinese-linked threat actors infiltrating telcos. Right. And basically, you know, theoretically doing some sort of cyber espionage with the ability to mass export, you know, communications data and stuff like that. So, yeah, there is definitely. And that's kind of been a thread that we've been covering, certainly this year at least. Hey, we've seen the shift from either smash and grab or monetary or, hey, let's cause chaos, to it doesn't hurt to let everybody know that we could press a button and a lot of bad things happen. So talk about that being in the realm of political tools, perhaps, down the road. Definitely something that organizations at least need to be aware of, account for, plan for. Because, I mean, it's one of those things you can't stop, so you might as well be as prepared as possible.
Jimmy Benoit
Yeah, definitely.
Rich Stroffolino
All right, the last of our first triumvirate here: TSA not implementing cybersecurity recommendations. A report from the U.S. Government Accountability Office criticized the Transportation Security Administration, we know them as the good old TSA, for failing to address four out of six cybersecurity recommendations it made in 2018. If you checked your calendar, that's a while ago. The TSA did implement a plan to develop strategies, which is a lovely term, to expand its cybersecurity workforce, and also partially updated its pipeline security and incident recovery protocol plan to include cybersecurity. So a gold star and, I guess, a silver star there. But recommendations around ransomware were not heeded, nor was the establishment of metrics in the wake of the Colonial Pipeline attack to kind of judge how effective some of the remediations on that were. So, Jimmy, here we see the frustrating scenario of proactive security measures being developed, or at least the need for them being seen, but not being acted upon. One could argue the TSA oversees a lot of facilities, but that likely will not garner much sympathy from the cyber crime world. Yes, they have a big mandate, but they still need to do their job. I'm curious, what's your take on this?
Jimmy Benoit
First of all, I would bet a dollar most people don't realize that TSA is in charge of pipeline security, both oil and natural gas and water. I know when I first learned that years ago, I was like, the TSA, the airplane, the airport people, what are we talking about? I went ahead and I looked at their budgetary overview for the last few years, and they have been getting additional funding, and they've been justifying, within these budgetary reports, additional staff. I think if this were me, and I went to the board three years ago and said, the board says we've got to do these six things, and then I did one and a half of them, that's not good. So looking at it through that lens, I think I can understand the frustration with the TSA. They have a lot of priorities, not to defend them, but, hey, they've got to do a lot of things. I'm always curious if there's another way that we can provide these types of resources and security to critical infrastructure. Right. You've got CISA, and their mission's a little bit different from what the TSA does. But I think it could be helpful to just rethink the way that we provide cybersecurity assistance to critical infrastructure. In particular, I think it disproportionately impacts disadvantaged communities if the water went down or the electrical grid went down. Right. And those are the people who are at most risk. So something's got to be done. I'm not going to pretend that I have the answer. It is an incredibly complicated and complex problem that involves hundreds, if not thousands, of people who I do think are genuinely trying to do the right thing and genuinely trying to help protect critical infrastructure. It's just a tough one.
Rich Stroffolino
Yeah. A Cat in our chat says, yeah, news to them about TSA being in charge of that. So you learn something new every day. A Cat, thanks for joining us. But, yeah, I kind of like that idea, because a lot of the recommendations that weren't followed were around kind of spreading best practices around ransomware. And I do think that that is actually where we are seeing CISA being successful. Not necessarily in critical infrastructure specifically, but just kind of trying to raise that cybersecurity poverty line for a lot of organizations: giving free tooling, giving out frameworks and stuff like that. That could be for that. And yeah, and CCL says we can't improve something we were not measuring. That, to me, was almost the most damning thing, not implementing metrics around the biggest, like, of all the things, you know, you want to talk about not wasting a good disaster, right? Like, you have this very high profile Colonial Pipeline attack. You'd think that gives you carte blanche to do whatever you need to do, and not to have those metrics in place. Again, I realize that in that instance they're dealing with private industry, you know, so I know that adds a whole different layer of complexity to it. But yeah, you can't kind of protect what you don't have visibility into. So that was the most concerning to me. We will see if we have any update on these. I know the political winds are shifting, so we will see if anything changes with TSA and any more updates on that. We will keep you informed. Before I move on to our next story, though, I want to spend a few moments with our sponsor for today, ThreatLocker. Do zero day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you take a proactive default deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance.
Onboarding and operation are fully supported by their US based support team. To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com. That's T-H-R-E-A-T-L-O-C-K-E-R dot com. All right, we've talked about some very serious issues here in the past ones, so I'm going to chalk this one up to good news. CISOs can now obtain professional liability insurance. New Jersey based insurer Crum & Forster, quality name, folks, recently unveiled a policy specifically designed to shield CISOs from personal liability. Representatives from the firm pointed out that unlike other members of the C-suite, CISOs may not be recognized as corporate officers under a directors and officers liability policy, which normally covers executive liability. The firm says that their goal is to help CISOs who are in a no-win situation. If everything goes right, that's what people expect. If something goes wrong, they're the person that everybody looks at, and they're left holding the bag. So Jimmy, this appears on the surface to be good news for CISOs. I'm curious, do you agree that this type of liability insurance would be a good thing? Any negative consequences? Or do you see this as, I don't know, maybe like a liminal step between where CISOs were and where CISOs are going?
Jimmy Benoit
Yeah, I think it's kind of good news, although I'd prefer if the CISO were included at an appropriate level in the organization to get the D&O insurance, yes.
Rich Stroffolino
That would be nice.
Jimmy Benoit
But even to that point, just the other day I was co-facilitating a discussion with CISOs at a summit, and personal liability came up in question. We said, who has personal liability insurance as a CISO? And nobody had it. We talked about D&O, and I think one person had it. This was about a dozen, dozen and a half CISOs sitting at the table. And you know, the comment came up, well, even if you are on the company's D&O insurance, what's to say you're going to get good representation? Right. The insurance is there to protect the company, and sure, they might give you some coverage, but are they going to get you the equivalent of a public defender? And so I think the optionality is good here. I think CISOs should be elevated to a position where they are protected, especially given what's happened with Uber, SolarWinds and any other issues out there with CISOs being held personally liable. It's something that I'm personally looking into, because, you know, we should always be aware of what's out there. But again, good news-ish. But better news would be to elevate the CISO to an appropriate level within the organization.
Rich Stroffolino
Well, and we've had conversations like this on Defense in Depth, I know for sure, where the conversation was around, oh, if you're applying for a new CISO role, you know, include that in your negotiations, because, I mean, increasingly that is not an unusual thing to be thinking about when you're looking at that position. But yeah, there is a whole swath of people that aren't in that position to necessarily renegotiate or anything like that. And it's good to see an insurer providing that option, providing that for people that feel like they need it. And it's probably quite a few CISOs too, for sure. Next up here, Microsoft launches Zero Day Quest hacking event. We've got another story here, kind of a two-fer around two sides of the same coin, I feel like. So first, on Tuesday at its Ignite annual conference in Chicago, a lot of announcements from Microsoft, but the one I think that applies most to us is Microsoft's Zero Day Quest, a new hacking event focused on cloud and artificial intelligence products and platforms. Zero Day Quest begins with Microsoft offering $4 million in awards to researchers who identify vulnerabilities in high impact areas, specifically cloud and AI. You may have heard of them. They're a little buzzy. Throughout the campaign, Microsoft is providing researchers with direct access to their Microsoft AI engineers and AI Red Team. Through their vulnerability submissions, researchers may qualify for next year's invite-only on-site hacking event in good old Redmond, Washington. This challenge kicked off yesterday, and it's open to everyone. It'll run through January 19, 2025. But then we have a new report from Cato Networks that shows ransomware gangs such as Oppos, Lynx and Rabbit Hole are posting job listings on the Russian Anonymous Marketplace, or RAMP, to recruit pen testers to join their ransomware affiliate programs. Penetration testing.
I mean, I don't need to tell anybody here this, but you know, simulating common attacks and that kind of stuff. So Jimmy, this reminds me a little bit of Spy vs. Spy, you know, in an old Mad magazine. You know, both sides equally matched in their approaches. But I think in our pre-production you were talking about a little bit of a different cultural reference.
Jimmy Benoit
Yeah, yeah, I was thinking more Matrix. Right. Choose the blue pill and you hack for the good guys. You choose the red pill, you hack for the bad guys.
Rich Stroffolino
I mean, yeah, that is the reddest of red teams right there, when you're working for the Russians. Yeah, I mean, I guess, what are we to make of this? I mean, obviously Microsoft is taking it very seriously, they're asking for submissions. This is not their first foray into this kind of competition, certainly. But is it concerning to see that, or is that just, hey, these ransomware organizations are businesses, they're increasingly acting like businesses?
Jimmy Benoit
I think Microsoft does a lot of good for the cybersecurity community. I'd like to see them do more. So for the reporting period ending September 2024, their net profit was $90 billion. So that's just net profit, $90 billion. $4 million in rewards for cybersecurity bug bounties, basically. I think we could just do a little bit more, right? I'm not asking them to be a non-profit here. They can still make 89.9 billion, but.
Rich Stroffolino
They can shake out the other couch and find another couple million.
Jimmy Benoit
And I think there's a direct ROI there. If they were to make a bigger investment, yield greater talent, find more bugs, it increases the security of their products and adjacent products and I think it's just a net win for them as well.
Rich Stroffolino
Well, and as A Cat pointed out in our chat, you know, we have spyware companies and threat actors that will pay for zero day vulnerabilities, you know, offering low millions like that. That's the competition right there.
Jimmy Benoit
Yeah, absolutely.
Rich Stroffolino
All right, so we're going to finish off the show today with MITRE offering an updated list of the most dangerous software vulnerabilities. MITRE, the not-for-profit organization that oversees federally funded R&D centers with an eye to cybersecurity, has updated its good old Common Weakness Enumeration Top 25 Most Dangerous Software Weaknesses list. Love it, rolls off the tongue. It reflects the new developments in the cyber threat landscape. At the top of the list, cross site scripting, followed by out of bounds write flaws and SQL injection bugs. Really just the greatest hits there. Missing authorization comes in at number 10. CISA worked with a branch of MITRE in putting the report together and is now urging organizations to review the list and prioritize their weaknesses in development and procurement processes. So Jimmy, do any of the listings here surprise you on the update, in terms of the techniques being most exploited? As a security executive, I'm curious, what do you do with this type of information? How does this inform how you work?
Jimmy Benoit
No major surprises. I think most of the items just kind of shifted plus or minus one or two. There were no breakthroughs that I saw. I love MITRE. MITRE is fantastic. I'm going to gripe, maybe I'm just being a curmudgeon today, but the way they come up with the CWE list is a combination of the frequency of CVEs mapped to the CWE and the severity as measured by the CVSS. I don't think that they take into account adequately the exploitability. There's something like 70-something percent of all CVEs that have no known exploit. If you look at the number two CWE on their list, it's got 18, I think, known exploited vulnerabilities, where number one only has three. So that's not to say number two is naturally going to be worse, but I think they should look at the EPSS, the Exploit Prediction Scoring System, versus CVSS alone. Because exploitability means so much more in my eyes when it comes to actual risk versus just the count of CVEs and the CVSS of those.
Rich Stroffolino
Yeah, I mean, you would think, yeah, you'd want to see, I guess, what the blast radius is as opposed. Yeah, keeping it in that realm makes it more hypothetical almost, versus what's actually going to be going on there. CCL in our chat says, interestingly, use-after-free dropping to number eight. Wonder how much memory safe language adoption is responsible for that. I mean, yeah, I can't imagine there's a negative correlation there for that, CCL. Really, really good point. Thank you so much for that. Before we get out of here, I just want to thank everybody for contributing in the chat: CCL, A Cat, Kevin Farrell, big boss man, of course, David Spark in there as well. And we want you for next week, please, 3:30 Eastern. We would love to have you here. I know I always enjoy seeing everybody in the chat here. Before we get off here, Jimmy, was there any story that was a thumbs up or an eye roller for you, either in the rundown or just in the news of the week this week?
Jimmy Benoit
Maybe not an eye roller, but maybe a frowny face on all the critical infrastructure news stories. I think you need to go get some more Brita water filters, just in case.
Rich Stroffolino
Wow. Okay, yeah, yeah, don't. And yeah, don't get Aquafina. Your family will not drink it. Okay. So yeah, stock up on the water filters. We never know. Or just be grateful when you turn on your tap and it's still working. Just maybe a little gratitude also as well. Jimmy Benoit, the VP of cybersecurity at PBS. Thank you so much for being here. This was amazing. Where can people find you online if they are so inclined to follow you?
Jimmy Benoit
LinkedIn. Yeah, find me on LinkedIn. That's the best spot where I engage most often with people. And Rich, thanks for having me. I had a blast. I appreciate it.
Rich Stroffolino
Oh yeah, we will definitely have to have him back on. This was a ton of fun. We'll have a link to your LinkedIn in our show notes, or you can just search for Jimmy Benoit on LinkedIn. You're all competent people. You can find him. Thanks also to our sponsor for today, ThreatLocker, Zero Trust Endpoint Protection Platform. Thanks to everybody in our audience again today. If we didn't get your comment up, I deeply apologize. But hey, we're doing a show here. We're doing our best. We appreciate everybody participating. It was a blast. And a reminder that Jimmy was recently a guest on this week's CISO Series Podcast. So if you want to hear more from him, if you really enjoyed him on this show and you want to check out more, look for the episode "Once you show me your diploma, I'll explain why we don't gatekeep" in your favorite podcast app, or just head on over to cisoseries.com. Just a reminder, there will be no Super Cyber Friday. I said join us next week, and I knew this was coming. There'll be no Super Cyber Friday or Week in Review; we're taking the long holiday weekend off next week on account of Thanksgiving. We will return on December 6, so that's when you can tune in for our next live show. In the meantime, though, you can still get your daily news fix every day through Cyber Security Headlines, except for this Thursday. We'll be taking Thanksgiving off, but if you give us six minutes, we'll get you all caught up. Until the next time we meet, I'm Rich Stroffolino. For myself, for Jimmy Benoit, for all of us, the great CISO Series staff and family, here's wishing you and yours a super sparkly day. Cyber Security Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines: Week in Review – November 22, 2024
Hosted by Rich Stroffolino of the CISO Series, featuring guest Jimmy Benoit, VP of Cybersecurity at PBS.
In this episode of Cyber Security Headlines, host Rich Stroffolino reviews the week's significant cybersecurity events alongside guest Jimmy Benoit. The discussion spans critical infrastructure vulnerabilities, professional liability insurance for CISOs, and notable industry initiatives like Microsoft's Zero Day Quest.
Summary: The Environmental Protection Agency (EPA) has issued a stark warning regarding vulnerabilities within over 300 US drinking water systems. A report from the EPA's Office of Inspector General highlights that these weaknesses could jeopardize the water supply for approximately 110 million Americans. Out of more than 1,000 systems evaluated, 97 exhibited critical or high-severity issues beyond standard denial-of-service (DoS) attacks and Personally Identifiable Information (PII) theft. The EPA emphasizes that exploitation of these vulnerabilities could lead to irreversible physical damage to water infrastructure.
Discussion: Jimmy Benoit expressed concern over the potential disconnect between government mandates and the actual funding provided to utilities. He noted, "If you were to ask the locales, do you have enough money to handle this, they're going to say no" ([04:26]).
Notable Quote:
"I think as we'll get into some of these next stories, it is because of the overwhelming amount of bad things going on in the world right there."
– Jimmy Benoit [04:26]
Summary: A recent study by Censys, an attack surface management company, revealed that over 145,000 industrial control systems (ICS) across 175 countries are exposed online. The United States accounts for approximately one-third of these exposures. The distribution is as follows: 38% of devices in North America, 35.4% in Europe, 22.9% in Asia, about 1.7% in Oceania, 1.2% in South America, and 0.5% in Africa.
Discussion: The conversation highlighted the strategic importance of securing ICS against sophisticated threat actors. Benoit referenced FBI allegations about Chinese government access to critical infrastructure networks, emphasizing the need for CISOs to communicate risks effectively to business leaders and secure necessary resources.
Notable Quotes:
"We just need to be very realistic, pragmatic. We need to communicate in terms of business risk to business leaders."
– Jimmy Benoit [07:14]
"If you don't get them, document that on your risk register and just maintain really good records for your own personal liability sake."
– Jimmy Benoit [07:14]
Summary: The U.S. Government Accountability Office (GAO) criticized the Transportation Security Administration (TSA) for failing to implement four out of six cybersecurity recommendations made in 2018. While TSA has made progress in expanding its cybersecurity workforce and updating its incident recovery protocols, it fell short on recommendations related to ransomware and on establishing effectiveness metrics after the Colonial Pipeline attack.
Discussion: Benoit acknowledged the breadth of TSA's responsibilities, noting, "They have a lot of priorities not to defend them, but, hey, they gotta do a lot of things." He suggested rethinking how cybersecurity assistance is provided to critical infrastructure, especially considering the disproportionate impact on disadvantaged communities.
Notable Quotes:
"It's an incredibly complicated and complex problem that involves hundreds, if not thousands of people who I do think are genuinely trying to do the right thing."
– Jimmy Benoit [11:06]
"You can't kind of protect what you don't have visibility into."
– Jimmy Benoit [21:18]
Summary: In positive news, Crum & Forster, a New Jersey-based insurer, has introduced a professional liability insurance policy tailored for Chief Information Security Officers (CISOs). This policy aims to shield CISOs from personal liability, addressing the gap where traditional Directors and Officers (D&O) policies may not fully cover them.
Discussion: Benoit viewed this development favorably but emphasized the importance of elevating CISOs within organizational structures to ensure comprehensive protection. He highlighted concerns about the adequacy of representation under existing insurance frameworks.
Notable Quotes:
"Especially given what's happened with Uber, SolarWinds and any other issues out there with CISOs being held personally liable."
– Jimmy Benoit [14:27]
"It's something that I'm personally looking into because it's, you know, just, we should always be aware of what's out there."
– Jimmy Benoit [14:27]
Summary: At its Ignite conference in Chicago, Microsoft announced the Zero Day Quest, a hacking competition focused on identifying vulnerabilities in cloud and artificial intelligence (AI) products. The challenge offers $4 million in rewards to researchers who discover significant vulnerabilities. Participants receive direct access to Microsoft's AI engineers and Red Team, with potential qualification for an exclusive on-site event in Redmond, Washington. The competition runs until January 19, 2025.
Discussion: Benoit commended Microsoft's initiative but suggested that the company could allocate more resources to cybersecurity beyond the $4 million prize, given their substantial net profit of $90 billion. He argued that a greater investment could enhance the security of Microsoft's products and benefit the broader cybersecurity community.
Notable Quotes:
"I think we could just do a little bit more, right. I'm not asking them to be a non-profit here."
– Jimmy Benoit [18:44]
"It's just a net win for them as well."
– Jimmy Benoit [18:59]
Summary: A report from Cato Networks uncovered that ransomware groups like Oppos, Lynx, and Rabbit Hole are posting job listings on the Russian Anonymous Marketplace (RAMP) to recruit penetration testers for their ransomware affiliate programs. These individuals are tasked with simulating common cyberattacks, enhancing the sophistication and effectiveness of ransomware operations.
Discussion: Benoit likened the scenario to a high-stakes game of espionage, underscoring the blurred lines between ethical hacking and malicious activities. The conversation highlighted the competitive nature of cybersecurity, where both defenders and attackers vie for advanced skills.
Notable Quotes:
"Choose the blue pill and you hack for the good guys. You choose the red pill, you hack for the bad guys."
– Jimmy Benoit [17:39]
Summary: MITRE has released an updated Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list, reflecting the evolving threat landscape. Leading the list are cross-site scripting, followed by out-of-bounds write flaws and SQL injection; missing authorization comes in at number 10.
MITRE urges organizations to prioritize addressing these vulnerabilities during development and procurement processes to mitigate potential risks.
Discussion: While Benoit found no major surprises in the updated list, he offered constructive criticism regarding MITRE's methodology. He pointed out that the current approach may overemphasize the frequency of vulnerabilities and their severity scores (CVSS) without adequately considering exploitability. Benoit advocated for incorporating the Exploit Prediction Scoring System (EPSS) to better assess actual risk.
Notable Quotes:
"There's something like 70 something percent of all CVEs have no known exploit."
– Jimmy Benoit [20:16]
"Because exploitability means so much more in my eyes when it comes to actual risk versus just the count of CVEs and the CVSS of those."
– Jimmy Benoit [20:16]
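The point Benoit makes about the CWE methodology, that ranking on CVE frequency and CVSS severity alone ignores whether anything is actually being exploited, is easy to see on a small constructed data set. The following Python is an added example, not from the episode or from MITRE, and it uses placeholder CVE ids with invented CVSS and EPSS values. Two simplifying assumptions are labelled in the code: the frequency-and-severity ranking is approximated as the sum of CVSS scores per CWE (MITRE's real formula normalizes frequency and average CVSS separately), and a CVE listed in CISA's Known Exploited Vulnerabilities (KEV) catalog is given an exploitation likelihood of 1.0 rather than its EPSS probability.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cwe: str
    cvss: float  # CVSS base score, 0.0 to 10.0
    epss: float  # EPSS probability (0.0 to 1.0) of exploitation in the next 30 days
    kev: bool    # listed in CISA's Known Exploited Vulnerabilities catalog


# Constructed sample data: placeholder CVE ids and invented scores, not real records.
SAMPLE = [
    Finding("CVE-0000-0001", "CWE-79",  8.0, 0.020, False),  # XSS
    Finding("CVE-0000-0002", "CWE-79",  6.1, 0.010, False),  # XSS
    Finding("CVE-0000-0003", "CWE-79",  5.4, 0.005, False),  # XSS
    Finding("CVE-0000-0004", "CWE-787", 8.8, 0.600, True),   # out-of-bounds write, in KEV
    Finding("CVE-0000-0005", "CWE-787", 7.8, 0.150, False),  # out-of-bounds write
    Finding("CVE-0000-0006", "CWE-89",  9.8, 0.940, True),   # SQL injection, in KEV
    Finding("CVE-0000-0007", "CWE-862", 7.5, 0.300, False),  # missing authorization
]


def likelihood(f: Finding) -> float:
    """Exploitation likelihood: KEV entries are already exploited, so weight 1.0 (assumption)."""
    return 1.0 if f.kev else f.epss


def risk(f: Finding) -> float:
    """Expected-impact style score: severity weighted by exploitation likelihood."""
    return f.cvss * likelihood(f)


def rank_by_cvss(findings) -> list[str]:
    """Per-CVE priority using CVSS alone."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings) -> list[str]:
    """Per-CVE priority: KEV first, then by CVSS x likelihood."""
    return [f.cve for f in sorted(findings, key=lambda f: (f.kev, risk(f)), reverse=True)]


def cwe_ranking_cvss(findings) -> list[tuple[str, float]]:
    """Frequency-and-severity ranking, approximated as the sum of CVSS per CWE (assumption)."""
    totals: dict[str, float] = defaultdict(float)
    for f in findings:
        totals[f.cwe] += f.cvss
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def cwe_ranking_risk(findings) -> list[tuple[str, float]]:
    """Same aggregation, but each CVE contributes CVSS x likelihood instead of CVSS."""
    totals: dict[str, float] = defaultdict(float)
    for f in findings:
        totals[f.cwe] += risk(f)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("CVE order by CVSS:          ", rank_by_cvss(SAMPLE))
    print("CVE order by exploitability:", rank_by_risk(SAMPLE))
    print("CWE ranking, CVSS only:")
    for cwe, score in cwe_ranking_cvss(SAMPLE):
        print(f"  {cwe:8s} {score:6.2f}")
    print("CWE ranking, exploitability-weighted:")
    for cwe, score in cwe_ranking_risk(SAMPLE):
        print(f"  {cwe:8s} {score:6.2f}")
```

With this data, CWE-79 tops the CVSS-only ranking because it has the most CVEs, but drops to the bottom once each CVE is weighted by how likely it is to be exploited; the single KEV-listed SQL injection and the out-of-bounds writes move to the top. The same reordering shows up at the CVE level, where the missing-authorization finding with a 0.30 EPSS overtakes the higher-CVSS stored XSS. Real EPSS values are published daily by FIRST and KEV membership by CISA, so the only page-specific choice here is the weighting.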
As the episode wrapped up, Rich and Jimmy reflected on the critical infrastructure issues discussed, emphasizing the importance of preparedness and gratitude for operational systems that continue to function despite vulnerabilities. Benoit remarked, "Maybe not an eye roller but maybe a frowny face on all the critical infrastructure news stories."
Notable Quote:
"We never know. Or just be grateful when you turn on your tap and it's still working."
– Rich Stroffolino [22:29]
Rich encouraged listeners to follow Jimmy Benoit on LinkedIn and stay tuned for the next episode slated for December 6, following the Thanksgiving break.
For more detailed stories and daily updates, visit CISOseries.com.
Note: This summary omits advertisements, intros, outros, and non-content sections to focus solely on the substantive discussions of the episode.