The company is beginning to bring its systems back online, though the investigation wages on.

Source: Amanda Ahn via Alamy Stock Photo

American Water, the largest regulated water and wastewater utility company in the US, is now reconnecting its infrastructures, after taking its systems offline due to a cybersecurity incident it reported on Oct. 7.

The company provides drinking water and sewer services to more than 14 million people across 14 states and 18 military installations. In an update on Oct. 10, it reported that there is no evidence to support that the cyber incident impacted its water or wastewater facilities. It also noted that while its customers will not face any late fees for the time its systems were unavailable, its customer portal, MyWater, is now operational once more, and standard billing processes will resume.

Systems are being reactivated in coordination with the company's cyber incident response protocols, after its internal security team, as well as external parties, confirmed that the systems are secure, it said.

"American Water takes the cybersecurity of its systems and related data with utmost seriousness and has taken additional steps to strengthen the cybersecurity of its systems," said the company in its update to the US Securities and Exchange Commission (SEC).

This incident only adds to the rising concerns regarding critical infrastructure being a prime victim for cyberattacks.

"This attack highlights the vulnerability of water treatment facilities and other critical infrastructure to cyberattacks, especially when cybersecurity is underfunded or overlooked," said Nick Creath, senior global product manager at Rockwell Automation, in an emailed statement to Dark Reading. "Operators must recognize that even newer facilities, with advanced technologies, are not immune to attacks. This incident serves as a wake-up call for operators to ensure that cybersecurity is integrated into both new and legacy systems to prevent service disruptions or more severe consequences."

**About the Author**

American Water Reconnects Its Network Taps After Cyber Incident

The future of cybersecurity will be shaped by how well we manage the explosion of NHIs.

Source: Brain light via Alamy Stock Photo

COMMENTARY

Imagine a vast and invisible army silently infiltrating your organization's digital defenses. No, this isn't the plot of a sci-fi thriller — it's the reality of non-human identities (NHIs) in today's cybersecurity landscape. As a seasoned security architect, I've watched this hidden force grow from a manageable contingent to a sprawling, often ungoverned multitude that's keeping chief information security officers (CISOs) awake at night. 

In my journey across startups and Fortune 500 companies, I've witnessed firsthand the mixed effects of NHIs. They keep our digital machinery running smoothly — but they are also a potential treasure trove for attackers looking to exploit our blind spots. It's time to shine a light on this invisible army and develop strategies to harness its power while mitigating its risks. 

**The Scale of the Problem**

Consider this: For every 1,000 human users in your organization, you likely have 10,000 non-human connections or credentials. Some estimates suggest the ratio could be as high as 45-to-1. These NHIs include service accounts, system accounts, API keys, tokens, and other forms of machine-based authentication that facilitate the complex web of interactions in our modern digital ecosystem. 

**Why NHIs Matter**

1.  Attack surface expansion: Each NHI represents a potential entry point for attackers. With their often-elevated privileges and lack of human oversight, compromised NHIs can be a goldmine for malicious actors. 
    
2.  Visibility challenges: Unlike human users, NHIs often operate in the background, created by developers or systems without proper governance. This lack of visibility makes them a significant blind spot for many security teams. 
    
3.  Privilege sprawl: Studies show that only 2% of permissions granted for NHIs are actually used. This massive overprovisioning of access rights creates an unnecessary risk landscape. 
    
4.  Third-party risk: NHIs often facilitate connections to external services and partners. When these third parties experience a breach, your organization's NHIs become a potential vector for lateral movement. 
    

**Real-World Implications**

The importance of securing NHIs is more than just theoretical. Recent high-profile incidents underscore their critical role in modern attacks. 

Nation-state actors have demonstrated proficiency in abusing OAuth applications to move laterally across cloud environments. At the same time, major software companies like Microsoft and Okta have fallen victim to attacks leveraging compromised machine identities. In a recent Securities and Exchange Commission (SEC) filing, even Dropbox disclosed a material incident involving a compromised service account. 

**Practical Steps for Mitigation**

1.  Discovery and inventory: You can't secure what you can't see. Implement tools and processes to continuously discover and catalog NHIs across all environments, including software-as-a-service (SaaS) applications. 
    
2.  Posture management: Go beyond simple inventory. Understand the permissions associated with each NHI, their usage patterns, and the potential risk they pose. 
    

**A Call to Action**

The explosion of NHIs represents both a challenge and an opportunity for the cybersecurity community. While the scale of the problem can seem daunting, we're ahead of the curve compared to where we were with human identity access management (IAM) decades ago. 

In my conversations with CISOs and security leaders, I've started to see a shift in mindset. There's a growing recognition that NHI security needs to be elevated to a top-tier priority, on par with traditional IAM and network security initiatives. 

As we move forward, I'm cautiously optimistic. The technology and practices to secure NHIs are evolving rapidly. We can turn the tide on this silent tsunami of risk with the right mix of visibility, automation, and a security-first culture. 

The future of cybersecurity will be shaped by how well we manage the explosion of non-human identities. As security professionals, it's our responsibility to lead the charge in this new frontier of identity security. Are you ready to meet the challenge? 

**About the Author**

Partner Solutions Architect

Vaibhav Malik has more than 14 years of experience in networking and security. He collaborates with global partners to create and deploy robust security solutions for enterprise clients. Malik is a recognized thought leader and expert in zero-trust security architecture. His previous roles at large service providers and security companies involved assisting Fortune 500 clients with network, security, and cloud transformation projects. He champions an identity and data-centric approach to security and is a popular speaker at industry events. With a master's in telecommunication from the University of Colorado Boulder and an MBA from the University of Illinois Urbana-Champaign, Malik's extensive expertise and hands-on experience make him an invaluable asset for organizations aiming to strengthen their cybersecurity posture in today's complex threat landscape.

The Invisible Army of Non-Human Identities

CISOs in consumer and retail organizations appear to accept greater risks to allow for more innovation, which could be a model for future growth.

Source: FOTOGRIN via Shutterstock

Chief information security officers (CISOs) have long borne the reputation of blocking innovation to keep their organization and all its data safe and sound.

However, those competing priorities appear to be shifting, especially in the retail and consumer sectors. While the majority of CISOs (59%) across all sectors see themselves as "enablers" — as opposed to just managers of cyber-risk — nearly all (97%) CISOs in the retail segment view their role as an enabler, according to a survey of more than 1,000 global CISOs conducted by cybersecurity firm Netskope. As a result, CISOs' acceptance of risk has grown, with the majority of all CISOs ready to take on more risk compared with five years ago. For the retail sector, the share of risk-embracing CISOs is even higher (74%).

The pressure on companies to innovate — and CISOs' understanding of their role in making that happen — are driving CISOs to become risk-takers, Netskope CISO James Robinson says.

"Typically, you had someone who was really, really technical, and they were working through things, but they really didn't have that business side of the brain — knowing the business metrics and data," he says. "CISOs have moved from the need to say no and maybe even taken it a step further — saying the answer is always, "Yes, just how do we get there?'"

From gift-card scams to brand hijacking for phishing attacks to devastating ransomware, retailers are a popular target for cybercriminals and fraudsters. At the same time, the retail sector has had to weather the chaos caused by the pandemic and supply-chain disruptions, which led to demand fluctuations and a loss of brand loyalty. The subsequent spike in inflation over the past two years left many consumers prioritizing price. Most retail executives (67%) expect consumers to purchase fewer products in 2024, and so retailers are increasingly focused on winning loyalty, according to consultancy Deloitte's "2024 US Retail Industry Outlook" report.

**Security in the Era of Amazon and AI**

With all those disruptive forces in the market, retailers have had to transform themselves to compete, morphing from just focused on selling products to becoming data companies. Consequently, CISOs at retail companies can no longer afford to focus solely on putting a wall around their information, says Netskope's Robinson.

Like other members of the C-suite, CISOs have to be thinking about the business more holistically, Robinson says.

"Retailers now have to ask, 'What's the next innovation? What's the next thing we have to do?'" he says. "And all of those decisions are data driven ... they're being led by this wealth of data that they're collecting, so that they can have targeted experiences for their customers."

Artificial intelligence is one obvious way to innovate. A great deal of the pressure to change over the past two years has come from the development of AI capabilities and businesses' fear of missing out on any innovations — and competitive advantages. In-store cameras paired with AI analysis can determine consumer interest in products, ecommerce platforms can better predict inventory, and stores can even use recognition of facial expressions to gauge consumer sentiment.

While most companies have slowly tested the waters of AI, many will be putting their first AI-powered applications into product in the next 12 months, Robinson says.

"This is the first year also that we're really seeing GenAI projects kick off, and in the next year, we'll start to really see kind of the value of some of these projects," he says. "So I think that's probably what's shaping it even more."

**The Business-Focused CISO**

Yet, AI and cybersecurity are two technology areas that are least likely to have positive returns on investments for retailers, according to consultancy KPMG's 2023 "US Consumer and Retail Sector Insights Report." Only 46% of survey respondents noted an increase in profitability or performance due to AI — and 45% from cybersecurity. But the consumer and retail sector fell even short of that threshold, with 38% and 37% of respondents, respectively, in those industries seeing a return on investment from AI or cybersecurity.

"For many consumer and retail organizations, getting data right is still a work in progress," KPMG stated in the report.

Understandably, there are still some risks where CISOs are unwilling to compromise. Sharing information with outside parties or third parties without the proper review and without the proper agreement in place — a threat becoming more common in the era of AI — is just not possible, says Robinson.

"We knew how to data warehouse, and it's got business value — even more now with the development of GenAI," he says. "I think all of those things have kind of started to come together at this point, allowing the retail CISO to really have a leg to stand on. Now they just also have kind of the business knowledge, because they're being brought into more of these conversations at this point."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Retail CISOs Take on More Risk to Foster Innovation

The bug is already being exploited in the wild, but Firefox has provided patches for those who may be vulnerable.

Source: 2020WEB via Alamy Stock Photo

Mozilla has patched a critical security vulnerability in its Firefox Web browser that's being actively exploited in the wild.

Tracked as CVE-2024-9680, the vulnerability is a use-after-free issue in Animation timelines, with attackers exploiting it to execute arbitrary code, according to Mozilla's advisory. It carries a CVSSv3 vulnerability-severity rating of 9.8 out of 10 and a low attack complexity (no privileges or user interaction is needed to successfully exploit the flaw), and translates into high risk in the event of a successful attack.

Critical bugs in Firefox, which is used by around 178 million people worldwide, are few and far between. The Web browser hasn't had to offer patches for such a severe flaw since March, and only a small number have been discovered in the past few years.

The disclosure sparked a flurry of alerts from international cyber agencies, including Dutch national cyber center Nationaal Cyber Security Centrum, and the cybersecurity centers of Canada and Italy.

The Web browser vulnerability affects Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1. Users should upgrade to version 131.0.2 in Firefox and to versions 115.16.1 or 128.3.1 for Firefox ESR to fix the vulnerability and thwart potential exploitation.

**About the Author**

Critical Mozilla Firefox Zero-Day Allows Code Execution

The third-party actor had access for two days, in the financial services company's second major breach of the year.

Source: Ryan McGinnis via Alamy Stock Photo

Just over 77,000 individuals will be receiving news from Fidelity Investments that their personal information has been compromised in a data security incident. 

The breach itself occurred between Aug. 17 and Aug. 19, when an unauthorized third-party gained access to two customer accounts and obtained private information. When the activity was detected on Aug. 19, access was terminated and an investigation began.

According to Fidelity's notification letter, the incident did not involve any access to Fidelity accounts and the information obtained by the threat actors "related to a small subset of our customers."

"While the attackers' specific motives remain unclear, it's likely that information gathering was a primary objective," said Sarah Jones, cyber threat intelligence research analyst at Critical Start, in an emailed statement to Dark Reading. "The 'beachhead' theory, where attackers establish a foothold to launch further attacks, is a common tactic in such incidents. Although Fidelity assures customers that their accounts and funds were not directly accessed, the breach raises concerns about the security of personal information, increasing the risk of identity theft, fraud, or other malicious activities."

Indeed, though Fidelity iterates that it is unaware of any misuse of its customers' personal information obtained in this breach, this is the second time this year that it has faced a data breach. In March, Fidelity notified roughly 30,000 individuals that their information had been compromised in a third-party breach involving service provider Infosys McCamish (IMS).

Fidelity is providing free credit monitoring and identity restoration services for those impacted by this breach through TransUnion Interactive for 24 months.

It also encourages individuals to remain vigilant and review their financial statements often, reporting any suspicious or fraudulent activity.

Fidelity Notifies 77K Customers of Data Breach

The European Union's new sanctions framework will target individuals and organizations engaging in pro-Russian activities such as cyberattacks and information manipulation to undermine EU support for Ukraine.

Source: Daniren via Alamy Stock Photo

In an effort to thwart adversaries launching cyberattacks, information manipulation, and interference campaigns on Russia's behalf, representatives from 27 European Union member states approved a sanctions mechanism. This new framework will allow the EU to target individuals, agencies or organizations that attempt to undermine the values of the member states or their "security, independence and integrity."

The EU said in a statement it had detected an increasing number of these pro-Russian activities: Targets included critical infrastructure as well as "instrumentalisation of migration and other disruption actions."

Earlier this year NATO warned of Russian "hostile state activity," against several EU nations, including Germany, the United Kingdom, Poland, the Czech Republic, Estonia, Latvia, and Lithuania. Many of the activities meant to undermine support for Ukraine wouldn't merit a military response, which left the EU countries and NATO trying to figure out how best to respond to these attacks.

The EU now has to determine which sanctions would be imposed for which types of actions. For example, hybrid threats including undermining elections, democratic institutions or the economy, or critical infrastructure attacks could result in asset freezes or travel bans. Hybrid in this context refers to actions carried out on behalf of a state to undermine the functioning of another country. As of now, no actual sanctions have been imposed using this system.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

EU Plans Sanctions for Cyberattackers Acting on Behalf of Russia

In its latest Windows preview, Microsoft adds a feature — Administrator Protection — designed to prevent threat actors from easily escalating privileges and restrict lateral movement.

Source: Mundissima via Shutterstock

Microsoft has introduced a significant security upgrade in its latest preview edition of Windows that aims to lock down local administrator privileges, making it much harder for cyberattackers to exploit privilege escalation issues.

The feature, Administrator Protection, changes the ability to elevate privileges from a free-floating capability to a "just-in-time" event that is much more limited in scope. The coming feature shifts the way Windows handles administrator permissions, moving from a split-token model gated by the User Account Control (UAC) prompt to an isolated, shadow environment managed by the system. This shadow administrator account disappears as soon as the designated task is completed, making it much harder for a cyberattacker to abuse the administrator's elevated privileges for malicious actions.

The feature will limit the scope of an elevation of privileges for administrator-enabled accounts, says Rudy Ooms, a technical content creator at Patch My PC, who published a technical analysis of the feature.

"The old legacy concept is that you have a split token, and it's not that secure," Ooms says. "With the new Administrator Protection, things change, and it completely reimagines this approach by eliminating the direct use of the split tokens and replacing it with a hidden system, managed account."

The feature should make it much harder for cyberattackers using living-off-the-land techniques to elevate their privileges and co-opt administrator access on compromised systems. Post-compromise, most attackers use common applications — such as PowerShell and system services — paired with administrative privileges to move laterally.

The Administrator Protection feature is the latest tactic in software firms' push toward eliminating poor trust models in their software. It's also a dramatic improvement from the days of pass-the-hash attacks, where attackers could gain elevated privileges without knowing the administrator's credentials. With this new feature, attackers can still use the administrator's credentials to try to escalate privileges, but the window to do so is much smaller.

"Attackers have to rethink all their old tricks," says Jason Soroko, a senior fellow at certificate management firm Sectigo. "It impacts the ability for an attacker to be able to walk around as the administrator, and so living off the land is \[less of a threat\] because organizations have a lot of tools that are installed that are of great usage to the attacker."

**Administrators' Split Personalities on Windows**

Microsoft's current approach to handling elevated privileges is to give administrator accounts a "split token." The user account will by default be treated as a standard user — and with the same token, "TokenElevationTypeDefault" — limiting privileges. When a user attempts an action requiring administrative privileges, they must use the UAC feature to elevate their token to "TokenElevationTypeFull."

The split-token concept is a good approach, but it has problems, says Ooms.

"The problem here is this approach keeps admin rights relatively hidden but not inaccessible," he says. "Once the elevated admin token is activated, any malware running in the background can potentially hijack it and perform malicious actions. Essentially, while split tokens are better than running as an 'always-on' admin, they are still vulnerable to those kinds of attacks."

If Administrator Protection is enabled, users who elevate their privilege will switch to an isolated, managed system administrator account that protects the administrator token, according to Ooms's technical analysis.

"In my opinion, it will increase the security posture a lot because it reduces the attack surface," he says.

**Purpose-Built Accounts, Better Monitoring**

Microsoft declined to comment on the feature, but a spokesperson says the company plans to share more information at its Microsoft Ignite technology conference in November.

In the release notes for its Windows Preview, the company stated: "Administrator protection is an upcoming platform security feature in Windows 11, which aims to protect free floating admin rights for administrator users allowing them to still perform all admin functions with just-in-time admin privileges. This feature is off by default and needs to be enabled via group policy."

While the feature will significantly improve system security, the instantiation and destruction of a shadow administrator account for specific tasks is also a boon to companies monitoring account activity, says Sectigo's Soroko.

"If you're monitoring privileged accounts, then your ability to monitor these short-lived privileged accounts and make sure they're not walking around doing something that they shouldn't \[is much better\]," he says. "You are able to contextualize what that account was created for, there's now new opportunities for people who are defending."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Microsoft Previews New Windows Feature to Limit Admin Privileges

When employees and leaders engage with CISOs early in innovation projects, security concerns are addressed proactively, building trust and ensuring innovation and security coexist.

Source: lorenzo rossi via Alamy Stock Photo

COMMENTARY

July's CrowdStrike incident serves as a stark reminder of the unintended consequences organizations face when innovating to enhance security and streamline operations. Using best-in-class technology is usually a safe bet for chief information security officers (CISOs) when selecting a security vendor, but it's equally important to be cognizant of how that technology will be deployed and the amount of risk it can create. I've deployed CrowdStrike as one of my endpoint security tools, and standardizing on this solution allowed for my security operations to be automated, and created muscle memory among my security engineers. This resulted in a faster and more streamlined response to security alerts.  

However, the CrowdStrike incident served as a sobering lesson about the potential consequences of real-time misconfigured updates on critical business operations. This has opened my eyes to thinking about risk and innovation in a slightly different way. It's not just about selecting a vendor with a strong security program, but also about considering the breadth of the implementation of the vendor product, as well as the way the product is updated across an environment. By understanding these different elements, enterprises can make more informed decisions to manage innovation against risk in a controlled manner. 

Interestingly, some companies' reliance on older operational systems shielded them from the direct effects of the CrowdStrike incident. While their outdated technology was once viewed as a liability, it became a surprising advantage in this case. This scenario suggests that the trade-off between innovation and risk may be inevitable. However, both are achievable. So, how can CISOs strategically balance both to ensure secure, forward-thinking operations? 

**Bridge the Barrier in the Boardroom **

CISOs often face the misconception of being barriers to innovation within the boardroom. To dispel this, we must reframe the discussion from a "security versus innovation" perspective to one of "secure innovation."  

Security and innovation are not mutually exclusive, nor should they be. When security is integrated early in the development process, it ensures that innovations are both groundbreaking and secure. CISOs must proactively reach out to other leaders across the organization, from the chief technology officer (CTO) to the chief financial officer (CFO), to ensure security is factored into strategic decisions from the beginning. It's about building relationships, where security becomes as natural as brakes on a car — essential for control but enabling speed and progress. 

**Foster a Culture of Security**

One of the most important roles for a CISO is to be viewed as an enabler to innovation instead of a blocker. In reality, the role of a CISO extends far beyond protecting systems; it involves communicating risks at a business level and ensuring that security enables progress rather than stifles it. The key to achieving this lies in fostering a culture of security involving the entire organization, from leadership to employees in the field. 

As the first line of defense, employees are crucial to establishing a security-first culture. Daily interactions with third-party vendors and potentially malicious content expose them to risks that can compromise the entire organization. 

A powerful way to engage employees in this mission is by making security personal. Phishing attacks, data breaches, and threats to personal banking information are tangible examples that resonate with employees. When people understand that their actions can directly affect their own security, as well as the company's, they become more motivated to adopt secure practices. With a security-aware employee culture, defense strategies are baked into innovation efforts from the start. 

**You're Secure, but Are Your Vendors?**

The sheer volume of the third-party relationships we manage keeps me on my toes. A single compromised user from any vendor could trigger a company-wide incident. After all, hackers only need one successful attack while security teams must be right every time. 

For CISOs, this means that secure innovation doesn't stop at internal processes — it must extend to the vendors that support their IT landscape. Collaborating with technology peers to better understand and mitigate risks is key to fostering innovation without increasing the cyber-risk. Equally important is building strong, proactive partnerships with third-party vendors to verify they are prepared to respond at scale when disruptions occur. 

To optimize this process, CISOs should focus on understanding which vendors are critical to the corporate infrastructure, particularly those involved in environments that require frequent updates. By ensuring these vendors follow rigorous testing protocols before rolling out changes, companies can better manage the trade-offs between innovation and operational stability.  

**Security-First Innovation**

CISOs must lead the charge in integrating security-first practices into the heart of innovation, positioning themselves as trusted advisers who enhance the company's overall objectives. By coming to the table with solutions rather than simply highlighting risks, we can shift the dialogue from "security will never approve" to "security can help make this better."  

This cultural shift fosters collaboration with executives and third-party vendors, embedding security into every phase of the organization's growth. When employees and leaders engage with CISOs early in innovation projects, security concerns are addressed proactively, building trust and ensuring that innovation and security coexist.  

**About the Author**

CISO, BlackLine

Jill leads all information security programs at BlackLine, including promoting information security awareness within the company, ensuring the confidentiality, integrity and availability of clients’ data, as well as BlackLine’s internal information resources, managing incident response teams and also facilitating adherence to security industry best practices and regulatory compliance requirements. 

Jill came to BlackLine in April 2022 with more than 25 years of cybersecurity experience working in both internal and customer-facing roles including serving over 15 years in CISO positions at Cheetah Digital, Mattel and BT Global Services. Previously, Jill served as a Special Agent for the FBI, assigned to the Cyber Crime Squad in the Los Angeles field office where she was the lead case agent for several high-profile cases, including the infamous Kevin Mitnick and MafiaBoy investigations.

Walking the Tightrope Between Innovation &amp; Risk

Vulnerability prioritization has evolved over the years. Several frameworks exist to help organizations make the right decisions when it comes to deciding which patches to apply and when. But are these better than a Magic 8 Ball?

Source: olga Yastremska via Alamy Stock Photo

COMMENTARY

Last month marks 25 years of operation for the CVE (Common Vulnerabilities and Exposures) program, launched in September 1999. It's difficult to imagine a world without CVEs. Much of the "vulnerability management" activities, before the CVE program became popular, relied on matching version numbers from remote scans and executing shady exploits found in dark places on the Internet to validate findings. We've come a long way when it comes to vulnerability tracking. Our journey has been fraught with peril, however, and we still have many challenges to overcome, including:

*   Volume: To keep pace with the sheer number of CVEs being created each year, we've had to increase the numbering format and assign CNAs (CVE Numbering Authority), spreading the responsibility and making it difficult to be consistent.
    
*   Date tracking: In certain circumstances, CVEs will be issued in the current year but with a previous year in the designation. Sometimes this is due to CNAs being pre-assigned CVEs for future use. However, this can make tracking and analyzing vulnerabilities in the CVE database by year inaccurate. This is rare but problematic, because it leads security practitioners to believe it's an older vulnerability, and some may not pay attention to it.
    
*   Free market: While there are some guidelines and barriers, for the most part, anyone can get a CVE issued. While it's important we not limit the creation of CVEs to prevent people from trying to hide a vulnerability, the free-market concept has caused issues. There are recent reports of folks automating the process of creating CVEs — hundreds of them — based on previously fixed bugs in GitHub repositories.
    

While the creation of formal tracking for vulnerabilities was huge for the industry, it wasn't until 2005 that we began to assign a severity rating using CVSS. This, too, is not without challenges, such as:

*   Subjective scoring: Anyone can score a vulnerability using CVSS and publish the results. We need checks and balances. If the security researchers who found the bug believe the severity to be different from the vendor that created the software, we should be able to see both scores.
    
*   It reflects only the vulnerability: While you can use CVSS to customize the score for your environment and take into consideration compensating controls, most users will just go by what has been published. Often, vulnerabilities are scored by the CNA that owns the software, and its incentives are not to score vulnerabilities on the high side.
    
*   Multiple versions of CVSS: Since CVSS version 1 was released in 2005, three subsequent versions have been released through November 2023. A CVE entry scored with a previous version may not be updated to the latest version. CVSS scores should also be updated due to changes in the security research landscape or new information about the vulnerability. These changes, if they happen at all, can be difficult to track.
    

**What Do We Do Now?**

Given there are pros and cons to each of these programs whose intentions are to help organizations make informed risk-based decisions, how do we know what to patch first? Many will rely on one mechanism, likely CVSS, pick a magic number, and patch everything that scores above that magic number. The problem is this is a very limited view of the vulnerability world. Everything that needs to be patched will not have a high CVSS score, or even a low score for that matter. We can choose to follow one or more of the above frameworks, such as MITRE ATT&CK, CISA KEV, and EPSS. Following these individually can be tricky, and you'd miss pieces of the larger picture. If you only patched the CISA KEV, you'd miss out on select attacker techniques that don't deal with vulnerabilities and CVEs. A blended approach isn't a bad idea, but solely relying on guidance external to your organization is the equivalent of just shaking a Magic 8 Ball and using that as the guidance to patch.

What matters most when it comes to patching is the impact on your organization. My best advice is to identify the most critical parts of your business, tie that back to systems and applications, patch those first, and patch as much as you can on those systems.

**Conclusion**

Too often, I hear folks dismissing vulnerabilities that could be devastating for various reasons, such as "No one is attacking those vulnerabilities today," "I am not the target of nation-state-level attacks," and "An attacker would have to already be on the system." None of these things matter when a clever group of attackers is determined to be successful. They will target every weakness in your attack surface: hardware, firmware, and software, from bare metal all the way to the cloud. Pre-operating system attacks could render a system permanently damaged or inoperable, such as if an attacker were to gain access to the baseboard management controller (BMC) and cause an infinite reboot loop. Through low-level firmware attacks, malicious actors can permanently damage the hardware. Attackers can utilize the Unified Extensible Firmware Interface (UEFI) to bypass OS protections, be persistent on the system (think of ransomware that just won't go away), and allow attackers to be stealthy. At this point, every vulnerability is now available for exploit. 

Remediating vulnerabilities is a complex process, and several factors go into the decision as to whether or not to apply a patch, or thousands of patches to thousands of systems. As complex as this task may be, it's something we must continue to improve upon, or attackers will greatly benefit. Oh, and put down the Magic 8 Ball, please.

**About the Author**

Principal Security Evangelist, Eclypsium

Paul Asadoorian is the principal security evangelist at Eclypsium, focused on supply chain security awareness. Paul's passion for security extends back many years, to the WRT54G hacking days and reverse-engineering firmware on IoT devices for fun. He co-authored the book WRTG54G Ultimate Hacking in 2007, which fueled the firmware hacking fire even more. Asadoorian has worked in technology and information security for more than 20 years, holding various security and engineering roles at a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005, he founded Security Weekly, a weekly podcast dedicated to hacking and information security. Asadoorian is still the host of one of the longest-running security podcasts, Paul's Security Weekly. He enjoys coding in Python, telling everyone he uses Linux as his daily driver, poking at the supply chain, and reading about UEFI and other firmware-related technical topics.

Vulnerability Prioritization &amp; the Magic 8 Ball

The average higher education institution is getting hit once a week now, and as one University of Oregon attack shows, the sector often lacks the resources to keep pace.

Source: Simon Turner via Alamy Stock Photo

The education sector is facing thousands of cyberattacks per week these days — especially universities, a good portion of which experience at least one incident per week.

Education was the third most targeted industry in second quarter of 2024, according to Microsoft's latest "Cyber Signals" report. This finding corroborates data from Check Point Software, indicating that the education and research sectors now face more than 2,500 attacks weekly, up 15% over the past couple of years.

The US has it the worst, but schools and related organizations across the world face the same sorts of risks. In Europe, for example, 43% of institutes of higher education report experiencing a cyber incident at least once a week, if not more often. Schools for earlier age groups faced significantly less frequent attacks (13% to 16%).

As Microsoft explained, education makes for a uniquely soft target, combining the vulnerabilities, blind spots, and legacy infrastructure issues endemic to various other major industries, but all in one package.

**Education Sector Is an "Industry of Industries"**

Schools — in particular, universities — tend to combine the functions of many kinds of organizations in one package.

A university is also a financial institution with lending capabilities (sometimes even more the latter than the former), and a healthcare and housing provider to its students and faculty. Schools at every level host payment processing systems, websites and email domains, and networks that, especially since the COVID-19 pandemic, can resemble Internet service providers. They employ food service and athletics staff, and host events. They might be in possession of potentially sensitive research data, and all of them have to manage the full spectrum of personally identifiable information (PII) belonging to usually thousands of people at once.

It follows, then, that educational institutions enjoy all of the cybersecurity challenges any other industry faces. New and legacy technologies commingle. Public schools struggle with funding. Cybersecurity talent is tough to find and retain. Students and teachers bring their own devices on and off campus every day, each one potentially carrying malware. And virtual learning extends the attack surface outward.

In some ways, these issues affect schools to a greater degree than they do other industries. For instance, bring your own device (BYOD) risk is one thing in a corporate environment, where employees can be educated in cyber-risk, but it's an entirely different beast at schools, where those devices belong to children.

Or, consider QR codes. According to Microsoft's telemetry, more than 15,000 malicious phishing and spam messages are directed to educational institutions every day, with so-called "quishing" on the rise.

In open and collaborative environments like schools, "defenses that typically would be in place to help reduce the noise and create more effective defenses don't always work," explains Corey Lee, security chief technology officer (CTO) for Microsoft's M365 Security.

Schools tend to pass around lots of QR codes, but lack the same rigor in vetting the messages they travel with. "A lot of that has to do with the fact that email filters are not the same in education environments. Post-detection and response capabilities aren't always the same in education environments. So when we have business email compromise attacks that use advanced lures like QR codes, it becomes very hard to detect and respond to," Lee says.

**Taking Hackers to School**

In 2021, Oregon State University experienced a cyberattack "unlike anything before," Microsoft wrote. In the aftermath, it established its own security operations center.

A number of universities have done the same, or more. Louisiana State University (LSU), the University of Cincinnati, and California Polytechnic State University all operate SOCs. In Texas, the state's Department of Information Resources (DIR) oversees a Regional Security Operations Center in collaboration with Angelo State University in San Angelo.

"Education, as a sector, doesn't necessarily have lots of advanced personnel just sitting around, not doing anything. Oftentimes, \[security staff\] wear multiple hats, and they're limited," Lee explains. Luckily, universities have a significant, untapped pool of potential talent waiting to be activated.

"The challenge oftentimes is being addressed by scaling through students — being able to activate students to help them join in on the fight and be effective and efficient security defenders for the school."

Student-staffed SOCs serve multiple functions at once: not only helping to protect universities, but also other nearby educational, government, or even private organizations, all while training a new generation of cybersecurity talent. As Lee says, "They're helping to address the security skill shortage, while defending home base."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading