Most companies offer some kind of awareness training these days. But how much of those lessons are employees actually retaining?

Imagine this: As part of an exercise to teach security awareness, employees enter a room. An actual, physical operational security "escape room," which at first looks like a regular office room. But as people look closer, roleplaying as criminal social engineers that broke into the building, they start to spot information they can use for nefarious purposes.

For example, there's a password in a trash can. And there's a video conference meeting left unclosed. All around the participants are clues that could help them exploit the business. The hope is this experience helps them see through the eyes of a criminal — and leaves them understanding the importance of physical security. Once they are done, the goal is to have them remember the need to keep things like whiteboards clean, laptops locked, and documents hidden or shredded to protect the company.

This is the kind of security awareness training that Kim Burton, head of trust and compliance with Tessian, has used to make sure training leaves its mark on employees.

Awareness training that sticks is still desperately needed as human error is responsible for many breaches and data loss events. In fact, the most recent Verizon Data Breach Investigations Report found that 74% of breaches involved the human element, which includes social engineering attacks, errors, or misuse.

Figures also reveal many companies still fall short in their delivery of awareness training. New data from Hornetsecurity found that 33% of companies are not providing any cybersecurity awareness training to users who work remotely, a common arrangement in a post-COVID world. And those organizations that do provide awareness training — whether to on-site or remote employees — often administer it only annually. This is far from effective, according to Lisa Plaggemier, executive director at National Cyber Security Alliance, who has a long history of developing and running security awareness programs.

It's time, she says, for organizations to get it together when it comes to effective awareness.

"Short but frequent; no more of this once-a-year nonsense," she says.

**Go Beyond Compliance**

But more frequency is only one of many ways that modern security awareness training needs to improve. In a constantly evolving threat landscape, what does an effective security awareness training look like?

"At the National Cybersecurity Alliance, a lot of the behaviors we're trying to influence are the same, so the advice is the same — using MFA, reporting phishing, etc. — but we deliver them through unique messages over time," says Plaggemier. "Those messages use different approaches: storytelling from a victim's perspective, storytelling from the defender's perspective, leveraging current events in the headlines."

Compelling, timely, engaging, and memorable. It sounds simple, right? But it's not. They key problem holding many companies back, is attitude, says Dr. Jason Nurse, director of science and research at CybSafe and associate professor in cyber security at University of Kent.

"Many security awareness programs still fall flat because the organization views the training as a box that must be ticked," he says. "Organizations often focus on compliance and meeting the basic requirements, which may result in training that lacks depth and engagement."

**Create 'Sticky' Awareness**

How can security leaders put together a program that moves far beyond compliance mandates and shape training into something people not only remember, but actually use when faced with risk-based decisions?

One way is to deliver the content through a communication channel that works for them, says Nurse. Research by CybSafe earlier this year found that 79% of office workers are likely to act on security advice provided on the platforms they use daily, such as Slack and Teams. And 90% of respondents thought security nudges on instant messaging platforms would be valuable. Similarly, people who received cyber information daily and weekly were twice as likely to remember all of their training as those who received it monthly, quarterly, or annually.

"While a base-level understanding of cyber hygiene is essential through regular, engaging training, it's equally crucial to help employees when they need it in a helpful format," says Nurse. "Training should go beyond just conveying information; it should guide individuals on how to behave securely in their day-to-day activities. Furthermore, it should ensure people know where to seek help when needed."

Another way to make it mean more is to make training role-based. One-size-fits-all is "necessary to a degree for compliance," says Plaggemier, "but once you've fulfilled your compliance obligation, people should be receiving training that is appropriate for their role and the specific risks that affect them."

Tessian's Burton says in addition to making it too generic, many organizations fail to consider the culture and big picture when devising training.

"The programs fail to take into account the holistic experiences of employees, such as the current culture of the organization, the current signals from leadership about the importance of secure practices, and where the general employee is being asked to use most of their time and energy," she says. "Security awareness programs may neglect non-engineering employees, and engineers may lack mentorship to integrate the material into their practice."

"There is no one right way to train people to be cyber secure. There is only the right way for your organization, department, or team," adds Nurse.

**Play to the Room**

Another important factor to sticky awareness is knowing your audience, says Burton. Like a good stand-up comedian, you need to understand who you are playing to if you want them to remember what you're telling them.

"The first step is empathy," she says. "The security educator needs a deep understanding of the people they are teaching. Repetition over a longer period of time while introducing content in a variety of ways will also ensure recall. And finally, don't forget to have fun. Organizations frequently lose interest and engagement because of a fear of being too weird. However, people are more likely to retain unique content. Weird is good! Be funny, be creative, find joy!"

Burton, in addition to the escape room, has also had employees take part in a story contest that asked employees to write out a "spooky Halloween tale" of how they would attack the company. She has also created narratives that put people in the position of a security analyst at the company, in which they have to evaluate the security of external vendors.

The most effective security training, she says, covers core risks the business is concerned about; it is tailored to the audience; the concepts are presented over time and in a variety of ways; and the material is memorable due to its unique delivery, humor, or creative experience.

"The key component has been, and always will be, a focus on the people themselves."

**HOW TO MOVE FROM FORGETTABLE TO MEMORABLE SECURITY AWARENESS**

Sticky security awareness training can be elusive for many organizations. And with 74% of security events directly tied back to human error, it is important to find ways to reach employees and help them understand cyber risks. Kim Burton, head of trust and compliance with Tessian, uses a variety of awareness training techniques in her programs. Here are the important tenets she says to keep in mind when creating a program at your own company.

1.  **Work with how people work:** Use information about how human memory works, how human beings learn, what incentives provide the best long-term outcomes.
2.  **Approach holistically:** Understand the employees. What pressures do they face? What is the local culture like? What is the internal culture like? What professional backgrounds do these people have? How is the security team or IT team currently perceived internally? Do executives champion security?
3.  **Tell stories:** Share real anecdotes, tell stories from the industry or your experience, and use examples. This helps people see themselves in the narrative. Ideally, each individual would be able to see how they uniquely contribute to the security story of the organization.
4.  **Gamification:** Go beyond a leaderboard. Make engaging with security content fun by using your knowledge of how people work and the holistic experience of working at your company. Make puzzles, encourage curiosity and mystery, recreate the delight of discovery in learning, point out progress, and use positive reinforcement for secure behaviors.
5.  **Build trust:** Build relationships internally. Become a trusted source of information, but also a safe person to be vulnerable with about difficult concepts, security mistakes, and general concerns. The security educator should be one of the most well-known people within the business.

From Snooze to Enthuse: Making Security Awareness Training 'Sticky'

SolarWinds' access controls contain five high and three critical-severity security vulnerabilities that need to be patched yesterday.

Eight newly discovered vulnerabilities in the SolarWinds Access Rights Manager Tool (ARM) — including three deemed to be of critical severity — could open the door for attackers to gain the highest levels of privilege in any unpatched systems.

As a broad IT management platform, SolarWinds occupies a uniquely sensitive place in corporate networks, as the world learned the hard way three years ago. Its power to oversee and affect critical components in a corporate network is nowhere better epitomized than in its ARM tool, which administrators use to provision, manage, and audit user access rights to data, files, and systems.

So, admins should take note that on Thursday, Trend Micro's Zero Day Initiative (ZDI) revealed a series of "High" and "Critical"-rated vulnerabilities in ARM. As Dustin Childs, head of threat awareness at the ZDI, explains, "The most severe of these bugs would allow a remote unauthenticated attacker to execute arbitrary code at system level. They could completely take over an affected system. While we did not look at exploitability, the potential of these vulnerabilities is about as bad as it gets."

**Serious Issues in SolarWinds ARM**

Two of the eight vulnerabilities — CVE-2023-35181 and CVE-2023-35183 — allow unauthorized users to abuse local resources and incorrect folder permissions to perform local privilege escalation. Each was assigned a "High" severity rating of 7.8 out of 10.

A few more — CVE-2023-35180, CVE-2023-35184, and CVE-2023-35186, all rated 8.8 out of 10 by Trend Micro — open the door for users to abuse a SolarWinds service, or its ARM API, in order to perform remote code execution (RCE).

The most concerning of the bunch, however, are another trio of RCE vulnerabilities that Trend Micro assigned "critical" 9.8 ratings: CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187. (For its part, SolarWinds diverged from Trend Micro here, assigning them all 8.8 ratings.)

In each case, a lack of proper validation for the methods _createGlobalServerChannelInternal_, _OpenFile_, and _OpenClientUpdateFile_, respectively, could enable attackers to run arbitrary code at the SYSTEM level — the highest possible level of privilege on a Windows machine. And unlike the other five bugs released Thursday, these three do not require prior authentication for exploitation.

A new ARM version 2023.2.1, pushed to the public on Wednesday, fixes all eight vulnerabilities. SolarWinds clients are advised to patch immediately.

Critical SolarWinds RCE Bugs Enable Unauthorized Network Takeover

A patch for the max severity zero-day bug tracked as CVE-2023-20198 is coming soon, but the bug has already led to the compromise of tens of thousands of Cisco devices. And now, there's a new unpatched threat.

Cisco said a patch for two actively exploited zero-day flaws in its IOS XE devices is scheduled to drop on Oct. 22.

The first Cisco zero-day bug, tracked under CVE-2023-20198, was announced on Oct. 16 and has a severity rating of 10 out of 10. At the time it was discovered, it had already allowed threat actors to compromise more than 10,000 Cisco devices.

On Oct. 19, Cisco said it believed the cyberattacks against its IOS XE devices were all being carried out by the same threat actor.

Now, in an Oct. 20 update to its threat advisory, Cisco reported there's another previously unknown flaw involved, tracked under CVE-2023-20273 — it carries a slightly less scary CVSS score of 7.2.

Both are being used in the same exploit chain. Threat actors used the first bug for initial access, and the second to escalate privileges once authenticated, according to an emailed statement from Cisco announcing the coming patch release.

Cisco also added another clarification from its earlier reporting on the first bug: it was thought in the early response that the threat actor had combined the new zero-day with a known and patched vulnerability from 2021, raising the specter of a patch bypass issue. But Cisco has now dismissed that theory, according to a statement from the company.

"The CVE-2021-1435 that had previously been mentioned is no longer assessed to be associated with this activity," it said.

**Exploitation Could Continue for Years**

As Cisco continues to wrap its arms around the breadth of the threat, cybersecurity expert and consultant Immanuel Chavoya expects to see a spike in malicious activity against vulnerable devices in the lead up to the release of the updated version.

"Active exploitation will continue and lead to ransomware probably over this weekend, as threat actors rush to capitalize before any patch or remediation," he predicts.

But beyond the short-term, Chavoya is dubious many Cisco customers will take the necessary steps to remediate.

"I can tell you from experience many customers do not or will never patch — and are absolutely unaware of the exploitation status currently (SMBs, etc.) — and so thus, exploitation will continue for months or years."

Cisco Finds New Zero Day Bug, Pledges Patches in Days

Though there is speculation regarding potential candidates, the Department of Defense will likely not nominate someone in the near term.

The RAND Corporation, which the Pentagon assigned to study the measures it would take to create a position for an assistant secretary of defense for cyber policy, has submitted its research on the matter, and the US Defense Department is reviewing the results. However, it will be months until anyone is formally nominated.

RAND submitted its research at the end of September. A Department of Defense (DoD) spokesperson stated that it "will inform forthcoming decisions on the organizational structure, resourcing, and workforce of the new office."

Mieke Eoyang, current deputy assistant secretary of defense for cyber policy, is considered a likely candidate; however, her background as a senior Democratic staffer and as an MSNBC commentator has raised concerns that the country's divided Senate would not confirm her.

Another rumored potential candidate is Michael Sulmeyer, principal cyber adviser for the Army. His past experience includes working on cyber policy for the National Security Council.

The DoD, which was opposed to forming the post, has not commented on these potential candidates.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DoD Gets Closer to Nominating Cyber Policy Chief

Vietnamese cybercrime groups are using multiple different MaaS infostealers and RATs to target the digital marketing sector.

Cybersecurity researchers have uncovered a connection between the notorious DarkGate remote access trojan (RAT) and the Vietnam-based financial cybercrime operation behind the Ducktail infostealer.

WithSecure's researchers, who spotted Ducktail's activity in 2022, started their investigation into DarkGate after detecting multiple infection attempts against organizations in the UK, US, and India.

"It rapidly became apparent that the lure documents and targeting were very similar to recent Ducktail infostealer campaigns, and it was possible to pivot through open source data from the DarkGate campaign to multiple other infostealers which are very likely being used by the same actor/group," the report noted.

**DarkGate's Ties to Ducktail**

DarkGate is backdoor malware capable of a wide range of malicious activities, including information stealing, cryptojacking, and using Skype, Teams, and Messages to distribute malware.

The malware can steal a variety of data from infected devices, including usernames, passwords, credit card numbers, and other sensitive information and be used to mine cryptocurrency on infected devices without the user's knowledge or consent.

It can be used to deliver ransomware to infected devices, encrypting the user's files and demanding a ransom payment to decrypt them.

WithSecure senior threat intelligence analyst Stephen Robinson explains that at a high level, DarkGate malware functionality hasn’t changed since the initial reporting in 2018.

"It has always been a Swiss-army knife, multifunctional malware," he says. "That said, it has been repeatedly updated and modified by the author since then, which we can assume has been to improve the implementation of those malicious functions, and to keep up with the AV/Malware detection arms race."

He notes DarkGate campaigns (and the actors behind them) can be differentiated by who they are targeting, the lures and infection vectors they are using, and their actions on the target.

"The specific Vietnamese cluster that the report focuses on used the same targeting, file names, and even lure files for multiple campaigns using multiple strains of malware," Robinson says.

They created PDF lure files using an online service that adds its own metadata to each file created; that metadata gave further strong links between the different campaigns.

They also created multiple malicious LNK files on the same device and did not wipe the metadata, enabling further activity to be clustered.

The correlation between DarkGate and Ducktail was determined from nontechnical markers such as lure files, targeting patterns, and delivery methods, collated in a 15-page report.

"Nontechnical indicators like lure files and metadata are highly impactful forensic cues. Lure files, which act as bait to entice victims into executing the malware, offer invaluable insights into an attacker's modus operandi, their potential targets, and their evolving techniques," explains Callie Guenther, senior manager of cyber threat research at Critical Start.

Similarly, metadata — information like "LNK Drive ID" or details from services like Canva — can leave discernible traces or patterns that might persist across different attacks or specific actors.

"These consistent patterns, when analyzed, can bridge the gap between varied campaigns, enabling researchers to attribute them to a common perpetrator, even if the malware's technical footprint differs," she says.

Ngoc Bui, cybersecurity expert at Menlo Security, says understanding the relationships between different malware families linked to the same threat actors is essential.

"It helps in building a more comprehensive threat profile and identifying the tactics and motivations of these threat actors," Bui says.

For example, if researchers find connections between DarkGate, Ducktail, Lobshot, and Redline Stealer, they may be able to conclude that a single actor or group is involved in multiple campaigns, which suggests a high level of sophistication.

"It may also help analysts determine if more than one threat group is working together as we see with ransomware campaigns and efforts," Bui adds.

**MaaS Impacts Cyber-Threat Landscape**

Bui points out the availability of DarkGate as a service has significant implications for the cybersecurity landscape.

"It lowers the entry barrier for aspiring cybercriminals who may lack technical expertise," Bui explains. "As a result, more individuals or groups can access and deploy sophisticated malware like DarkGate, increasing the overall threat level."

Bui adds that malware-as-a-service (MaaS) offerings provide cybercriminals with a convenient and cost-effective means to conduct attacks.

For a cybersecurity analyst, this poses a challenge because they must continually adapt to new threats and consider the possibility of multiple threat actors using the same malware service.

It also can make tracking the threat actor using the malware a little more difficult as the malware itself may cluster back to the developer and not the threat actor using the malware.

**Paradigm Shift in Defense**

Guenther says that to better comprehend the modern, ever-evolving cyber-threat landscape, a paradigm shift in defense strategies is overdue.

"Embracing behavior-based detection sequences, as well as leveraging AI and ML, allows for the identification of anomalous network behaviors, surpassing the previous limitations of signature-based methods," she says.

Furthermore, pooling threat intelligence and fostering communication about emergent threats and tactics across industry verticals can catalyze early detection and mitigation.

"Regular audits, encompassing network configurations and penetration tests, can preemptively unearth vulnerabilities," Guenther adds. "Moreover, a well-informed workforce, trained in recognizing contemporary threats and phishing vectors, becomes an organization's first line of defense, reducing the risk quotient substantially."

Ducktail Infostealer, DarkGate RAT Linked to Same Threat Actors

Users could hold up to five SIM cards previously, but now they can only have two; it's a move that the government says is intended to cut down mobile spam levels.

Burkina Faso aims to increase mobile security in the African country with a new bill that says users can only hold two SIM cards (i.e., lines of service) from a mobile provider.

And the sale of SIM cards will only be made in approved agencies and points of sale.

The use of multiple SIM cards can allow for SIM farms to be built, which are typically connected to organizations where the SIM cards are connected to computer servers to send large amounts of SMS spam.

Aminata Zerbo-Sabané, Burkina Faso's Minister of Digital Transition, Posts, and Electronic Communications, said this measure is aimed at reducing the improper use of electronic communication services.

The bill will better regulate the identification of customers of electronic communications service providers, and reduce the illicit use of mobile services, she said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

SIM Card Ownership Slashed in Burkina Faso

To make cybersecurity an organizationwide priority, CISOs must avoid these common input, empathy, and alignment obstacles.

Whether they're earned or not, there are certain stigmas associated with chief information security officers (CISOs): They work in isolation, with only a vague sense of how various departments contribute to the organization's greater good. They impose controls without considering business impact. They focus on highly technical metrics with unclear net positive value. They aren't good at listening. Or empathy.

Be honest. Does this describe you and your team — even just a bit? Or more so? If you concede that it does, that's a good thing. The first step toward a solution is acknowledging that a problem exists. Improvement requires change, which is sometimes uncomfortable, because change starts with you.

Accountability, then action. For CISOs and their teams, that means transforming into ubiquitous advocates for cybersecurity — and then leading the transformation for everyone in the enterprise into advocates for the same.

CISOs will thrive within this change by focusing on input, empathy, and alignment. This will enable lasting success for the shift by allowing CISOs to fully identify and understand information asymmetries throughout the organization and then remove them to clear the path to optimal communications and awareness.

However, there are several obstacles that hinder these efforts. Here are three and how to overcome their traps.

**Assigning Tasks to the Wrong Subject Matter Expert (SME)**

CISOs are responsible for an extremely wide scope and frequently deal with high stress — but are consistently biased toward taking action themselves. They lead the organization well, but at times miss opportunities to leverage SMEs' soft skills to optimize resolution. As leaders, it is necessary that CISOs remain cognizant of the balance between SMEs' skill sets, shared values between them and the target organization, and the true goal of this collaboration.

The solution requires raising engagement between security and the enterprise across the board, building relationships that ensure the right expert is assigned to the right issue to give the right support.

CISOs must rely on the people around them to truly know what is going on. They must create pathways so that the right information flows freely everywhere and that this knowledge is committed to organizational and institutional memory. By interfacing with external teams, CISOs create contacts that result in the effective ingestion of information and the proper application of personnel and responses to the information.

**Failing to Tie Actions to Organizational and Business Goals**

If CISOs don't connect their work to broader goals, it's pretty much impossible for non-IT managers and employees to appreciate the value of their actions. CISOs know why certain controls and responses to threats are needed. But they can never assume those outside their team do.

To overcome these potential credibility gaps, I've proactively communicated with my heads of finance, marketing, sales, and other key departments to learn about their roles. Because I've invested that time — to find out what they do every day, along with their strategic goals and challenges — I gain their trust in myself and my team. They are confident we will approach threats, risks, and remediation with an appreciation of business objectives.

**Executing Without Making Broad Impact**

I push my team members to constantly ask themselves: "Am I implementing a fix that benefits people outside our team? Or am I just trying to make my own life easier?" Obviously, we seek to achieve the former and avoid the latter. Simply stated, we need to think big. Our return on investment (ROI) growth is directly tied to our ability to sow seeds once and reap the fruits of our labor in multiple seasons to come. 

"Everyone has a plan," boxer Mike Tyson is credited with saying, "until they get punched in the mouth." If we work within security silos — isolated in our knowledge, dogmas, and execution — every security issue is like the first time in the ring, and we consistently take punches that we have little understanding of how to handle. 

But if we proactively pursue empathy and alignment as part of our core values, we gain a level of trust that builds pathways throughout the enterprise. Subsequently, we can remove those informational asymmetries, elevate the conversation across the organization, and lead strategically. And we will walk out of the ring with our arms raised — stronger and together.

Change From Within: 3 Cybersecurity Transformation Traps for CISOs to Avoid

Cybersecurity exceptions are a fact of life in most organizations, but there's work that should be done to make sure those exceptions are justified and worth the risk.

There is always a new shiny object to chase in cybersecurity: zero trust, AI, passwordless authentication, quantum computing. These are just some of the latest hot topics, and organizations are feeling pressure to adopt them to stay ahead of current threats.

While these new technologies are certainly relevant, they may not be as important as getting the "cyber basics" right. Buying new cutting-edge tools or planning a whole new architecture won't replace excelling at those foundational, structural underpinnings that build a successful security program. One example of these fundamental considerations is the area of "exceptions." 

It is simply a given in any enterprise that there will be exceptions to cybersecurity policies and procedures. These range from patching exceptions to multifactor authentication (MFA) exceptions to access and firewall exceptions. How an organization processes and tracks exception requests, and evaluates risks associated with exceptions, can have a major impact on how easy or difficult it is for the organization to monitor, detect, and respond to cyberattacks.

**Are Cybersecurity Exceptions Justified? **

Attackers will leverage exceptions because they provide an easier path into an organization's environment. For example, I supported a military contract and the command was rolling out application allowlisting. The aides to senior officers requested exceptions for those seniors because they were concerned that the technology might "interfere" with the senior officers' work. However, the senior officers were the exact group needing additional security protection. 

We were able to meet and explain to the aides how the tech would better protect these VIPs, and we would coordinate with their offices to quickly resolve any issues with the technology. Despite some misgivings, the VIPs ultimately were better protected and the exception requests were dropped. All it took was sitting down and discussing the users' worries and patiently explaining how to ease those worries. 

Exceptions ultimately indicate how good your security could be — if there were fewer exceptions (or none at all). Here are some things to keep in mind:

*   Ensure you have a clear and concise process for requesting and approving exceptions. (Hint: Convenience is not a good basis for granting exceptions!) That process should align with other security policies, such as the organization's acceptable use policy.
*   The process should include a risk assessment to determine the impact of the exception.
*   Track all exceptions to ensure they are not being abused.
*   If you have too many exception requests, you may need to modify your policy so that employees can get their work done securely.
*   Exceptions should expire. If necessary, they can be reviewed to see if they are still valid.

If you're falling short on cybersecurity fundamentals, such as an exception process, you're going to be facing security issues regardless of how much time and money you invest in new technologies. Automation and other solutions can help, but they don't erase every problem, including those that require new human behaviors and processes. Just like Achilles from Greek mythology, it’s easy to forget a weak spot if you’ve lived with it for a long time. And just like Achilles, such forgetfulness can have severe consequences.

_Read more_ Partner Perspectives from Google Cloud

What are Your Exception Expectations?

**PRESS RELEASE**

**PALO ALTO, Calif.****,** **Oct. 19, 2023** **/PRNewswire/ --** Artificial intelligence (AI) provides a powerful tool for energy companies to deliver an affordable, reliable clean energy transformation. Today before a U.S. House Energy and Commerce Subcommittee, EPRI Senior Technical Executive Jeremy Renshaw testified that parties need to collectively work on addressing today's AI challenges and tomorrow's opportunities.

For more than a decade, EPRI has been studying AI and its potential impacts on the energy sector, and in the last five years, the institute has accelerated its activities around AI and data science. To date, EPRI has been involved in more than 70 projects related to AI applications in the energy sector.

As EPRI research has found, AI can help energy companies improve efficiency of existing assets, assist with wildfire risk evaluation and early-stage detection, aid vegetation management and storm recovery, and optimize energy usage, among other benefits.

"AI allows computers and humans to interact more effectively to improve safety and reliability while reducing costs," Renshaw testified before the House Energy and Commerce Subcommittee on Energy, Climate, and Grid Security. "This is done by allowing humans to do what humans do best - creative thinking and dealing with new or unforeseen situations, while computers do what computers do best - rapid, accurate computations," he said.

"While AI has come a long way in a short amount of time, there are still many more opportunities to solve existing challenges today, as well as considerations for ethical and responsible use of AI," Renshaw noted. Among pressing considerations:

*   **Data privacy and security**: AI models are typically trained on large datasets, which may contain personally identifiable information or other sensitive data. Steps should be taken to ensure the security and privacy of the data.
*   **AI-assisted cybersecurity**: EPRI and other companies are developing tools to proactively monitor and address suspicious cyber-related activity.
*   **Data**: Without sufficient quantity and quality of data, AI systems can potentially produce erroneous results that can be used in decision-making processes.
*   **Workforce training**: People need to be trained on how and when AI is the right tool to use and when it is not.

"Clearly, AI will have a significant impact on the energy industry, likely both positive and negative. It is anticipated that, through the introduction of AI, utilities will be able to utilize its benefits for maintaining or improving safety, affordability, reliability, efficiency, and environmentally friendly energy production," Renshaw concluded.

A copy of Renshaw's prepared testimony is available here. To learn more about EPRI's AI work, visit www.ai.epri.com.

**About EPRI**

Founded in 1972, EPRI is the world's preeminent independent, non-profit energy research and development organization, with offices around the world. EPRI's trusted experts collaborate with more than 450 companies in 45 countries, driving innovation to ensure the public has clean, safe, reliable, affordable, and equitable access to electricity across the globe. Together, we are shaping the future of energy.

SOURCE EPRI

AI 'Will Have a Significant Impact on Energy Industry,' EPRI Tells Congress

**PRESS RELEASE**

**TEMPE, Ariz.** **& PRAGUE****,** **Oct. 19, 2023** **/PRNewswire/ --** Norton, a consumer Cyber Safety brand of Gen™ (NASDAQ: GEN), today unveiled new features included with Norton Password Manager and Norton AntiTrack. Norton Password Manager offers a premium password management experience that continues to be available at no cost, and a new Private Email feature now available in Norton AntiTrack helps consumers quickly and easily take back control of their online privacy.

"Our enhancements to Norton Password Manager and Norton AntiTrack exemplify our passion for constantly improving our products and services to help our customers protect their online privacy and stay one step ahead of threats to their security," said Leena Elias, Chief Product Officer at Gen. "Free password managers are traditionally basic, difficult to access on different devices, and lack multi-layered security. With Norton Password Manager, you no longer have to choose between conveniently accessing your accounts and having excellent password protection. And, our addition of Private Email as part of Norton AntiTrack allows you to easily take steps to protect your online privacy when you're engaging with the digital world and protect your personal email address, which is often the gateway to your personal information and accounts. We are committed to helping our customers safeguard their online privacy through the launch of these solutions."

Accessible via the web, and available as a browser extension or mobile app, Norton Password Manager has been rebuilt with improvements to password security and privacy and redesigned to provide a seamless, intuitive customer experience.

Norton Password Manager now delivers greater convenience, security, and privacy with the following upgrades:

*   **Strengthened Vault Security and Recovery:** We notify you if your vault password needs to be strengthened and monitor the dark web for your vault password to help keep your passwords secure. New vault access recovery helps you recover the vault password if it's forgotten without compromising security.
*   **Improved Password Assessment:** Password strength is automatically assessed. If a weak password is detected, it's now easier to change it to be more complex and difficult to crack.
*   **Easy to Use:** A modern look and feel that's simple to set up and access the most used features from more locations; auto-filling and credential saving options appear seamlessly as you browse the web to provide quick access to accounts.

In addition to Norton Password Manager enhancements, Private Email is now available in Norton AntiTrack on Windows PCs. Private Email improves email privacy by masking your personal email addresses so they're unrecognizable, and removes hidden trackers often found in sent emails that can be used to gather private, personally identifiable information, including location, device usage, interests, and shopping behaviors.

Norton Password Manager is compatible with Windows PC, Mac, Android, and iOS, and available as a browser extension on Chrome, Firefox, Microsoft Edge, Safari, as well as browsers from Gen brands, Norton, Avast and Avira. For more information and to download Norton Password Manager, visit us.norton.com/products/norton-password-manager. Norton AntiTrack with Private Email is available to download at https://norton.com/products/norton-antitrack.

**About Norton**

Norton is a leader in Cyber Safety, and part of Gen™ (NASDAQ: GEN), a global company dedicated to powering Digital Freedom with a family of trusted consumer brands. Norton empowers millions of individuals and families with award-winning protection for their devices, online privacy, and identity. Norton products and services are certified by independent testing organizations including AV-TEST, AV-Comparatives, and SE Labs. Norton is a founding member of the Coalition Against Stalkerware. Learn more at www.norton.com.

Source

DARKReading