The CIS Benchmarks are unique for many reasons. None compare to the community consensus process that forms their hardening guidance. Learn how to get involved.

The Center for Internet Security (CIS) recently celebrated 20 years of bringing confidence to the connected world with consensus-based security guidance. The first CIS Benchmark was released in 2000.

Today, there are more than 100 CIS Benchmarks configuration guidelines across 25+ product vendor families. Without community participation, we would not have CIS Benchmarks, as the community is at the heart of what drives development and consensus across industries and technologies.

**What Is a CIS Benchmark?**

CIS Benchmarks cover operating systems, servers, cloud, mobile devices, desktop software, and network devices. The PDF versions are available to download at no cost from the CIS website, and additional file formats (XCCDF, Word, Excel, etc.) are available to CIS SecureSuite Members.

CIS Benchmarks are unique in the following ways:

*   Developed through a community consensus process
*   Provide vendor-neutral, technology-specific recommendations
*   Provide the necessary steps to configure a system
*   Recognized as an industry standard and referenced specifically by PCI DSS, FISMA, and more, as a way to be compliant with those standards
*   Map to the CIS Controls

Download CIS Benchmarks.

Although a number of factors have led the CIS Benchmarks to be trusted guidelines for a variety of industries, the way they are developed is also important. The CIS Benchmarks are created through a unique community consensus process on CIS WorkBench, our development platform.

**Guidance Driven by Community Consensus**

The CIS Benchmarks Communities on CIS WorkBench are open to anyone who wants to contribute to the development of Benchmark best practices. The communities are made up of subject-matter experts, vendors, technical writers, and CIS SecureSuite Members from around the world. Together with CIS, these volunteers develop, review, and maintain the CIS Benchmarks. Each community brings real-world experience and expertise to the process to ensure we are addressing the most prevalent security for various technologies.

CIS team members and volunteer subject-matter experts (SMEs) are key to creating the initial content, which is the foundation for the continued development and publication of the CIS Benchmark. Technical writers, testers, and contributors all play a role in the process, reviewing recommendations and determining the best solutions through discussions. Vendors are also welcome to participate.

Learn more about volunteer roles.

**Why You Should Get Involved**

Volunteers have the opportunity to be part of a large network of professionals and help shape security. Those who make significant contributions are recognized in the final published CIS Benchmark document.

**The CIS Benchmark Development Process**

CIS depends on our community and partners to assist in developing and maintaining the CIS Benchmarks. Using CIS WorkBench, tickets and discussion threads are established to continue dialogue until a consensus has been reached on proposed recommendations and the working drafts.

The typical development process:

1.  The initial development process defines the scope of the Benchmark and subject-matter experts begin the discussion, creation, and testing process of working drafts.
2.  After the initial draft is completed, we announce availability of the draft and invite folks to join the community to review, test, and provide feedback. This is the consensus process.
3.  All of the feedback that’s received is reviewed by the CIS lead for the community along with the subject-matter experts. They discuss and adjust the CIS Benchmark as necessary. This ensures the recommendations are complete and represent comprehensive guidance.
4.  Once all feedback has been reviewed and addressed, CIS makes a final call for participation in the community. The final review period lasts an average of two weeks, allowing for a final review of the CIS Benchmark before publishing.
5.  Any final feedback is addressed.
6.  Once consensus has been reached in the CIS Benchmark community, the final CIS Benchmark is published and made publicly available online.

    

**Join a Community Today!**

Why not join the CIS Benchmarks Community and lend your expertise?

Learn more here.

The CIS Benchmarks Community Consensus Process

Long-awaited security fixes for ProxyNotShell and Mark of the Web bypasses are part of a glut of actively exploited zero-day vulnerabilities and other critical flaws that admins need to prioritize in the coming hours.

Microsoft finally patched the publicly known "ProxyNotShell" and Mark of the Web (MotW) security vulnerabilities in its penultimate monthly security update for 2022 — two of six zero-day bugs under active exploit in the wild.

The targeted zero-days are part of a tranche of 68 security fixes for November's Patch Tuesday group, 11 of which are rated critical.

The fixes address CVEs that affect the gamut of the security giant's product line, including Azure, BitLocker, Dynamics, Exchange Server, Office and Office components, Network Policy Server (NPS), SharePoint Server, SysInternals, Visual Studio, Windows and Windows Components, and the Linux kernel and other open source software bugs affecting Microsoft products.

**Actively Exploited Zero-Day Vulnerabilities**

The group of zero-days listed as under active attack is the largest for Microsoft so far this year.

Two of them are the critical ProxyNotShell flaws affecting Exchange Server, first disclosed in September. Both carry a CVSS vulnerability-severity score rating of 8.8 out of 10. The bug tracked as CVE-2022-41040 is a server-side request forgery (SSRF) flaw that enables attackers to elevate privileges on a compromised system, and CVE-2022-41082 is a remote code execution (RCE) flaw when PowerShell is remotely accessible to the attacker. They can be chained together for full "pwning" of an Exchange Server.

"At long last, Microsoft released patches for the ProxyNotShell vulnerabilities that are being actively exploited by Chinese threat actors," Automox researcher Preetham Gurram said in a Nov. 8 analysis. "The elevation of privilege and remote code execution vulnerabilities have been exposed and exploited since late September, so we recommend applying patches within 24 hours if you have vulnerable on-prem or hybrid Exchange Servers where temporary mitigation has not been applied."

Microsoft also addressed the known and analyzed Mark of the Web issues — they're being tracked as CVE-2022-41091 and CVE-2022-41049, two separate vulnerabilities that exist in different versions of Windows. The important-rated bugs both allow attackers to sneak malicious attachments and files past Microsoft's MotW security feature — Microsoft says only the former is being exploited in the wild. 

Another zero-day being used in active campaigns is a critical RCE bug affecting Windows Scripting Languages (CVE-2022-41128, CVSS 8.8). Mike Walters, vice president of vulnerability and threat research at Action1, tells Dark Reading that it specifically affects the JScript9 scripting language, which is Microsoft’s legacy JavaScript dialect, used by the Internet Explorer browser.

"The new zero-day vulnerability … as low complexity, uses the network vector, and requires no privilege to use, but it needs user interaction, such as using a phishing email to convince the victim to visit a malicious server share or website," he explains. "It affects all Windows OS versions starting from Windows 7 and Windows Server 2008 R2. … However, the proof-of-concept has not yet been publicly disclosed."

The remaining two bugs are important-rated elevation of privilege (EoP) issues carrying 7.8 CVSS scores. One is a memory bug that affects Microsoft's next-gen cryptography, the Windows CNG Key Isolation Service (CVE-2022-41125).

"With low privileges required and a local attack vector, this vulnerability does not necessitate any user interaction. Instead, an attacker would have to gain execution privileges on the victim’s device and run a specially crafted application to elevate privileges to exploit this vulnerability," Automox researcher Gina Geisel said in an emailed analysis. "With a long list of Windows 10 and 11 affected (in addition to Win 8.0, 7.0, Server 2008, 2012, 2016, 2019, 2022, and 2022 Azure), this vulnerability exposes industry-leading versions of Windows and could have wide-ranging impacts."

The second exists in Windows Print Spooler (CVE-2022-41073), and Action1's Walters describes it as a relative of last year's PrintNightmare bug.

"Microsoft continues to patch minions of the PrintNightmare vulnerability," he says. "This vulnerability has a local vector through which an attacker can gain system rights on the target server or desktop."

**Critical Bugs of Note for November**

Other issues in November's update that admins should prioritize include a vulnerability in Windows Kerberos RC4-HMAC (CVE-2022-37966). It earns a critical rating (CVSS 8.1), even though an attacker needs to have access and the ability to run code on the target system to exploit it.

That's likely because Kerberos is an authentication protocol to verify a user or the host's identity, noted Automox's Gurram. It provides a token that enables a service to act on behalf of its client when connecting to other services; when used within an organization's domain, it enables single sign-on (SSO).

"The primary encryption type used in Windows is based on the RC4 stream cipher, with an MD5-HMAC algorithm used for the checksum field," Gurram said. "RC4 encryption is considered to be the least secure and most attackable encryption algorithm. If being used for encrypting Kerberos tokens in the Active Directory domain, it can be exploited and take full control of any service accounts."

ZDI's Dustin Childs noted in a blog post that for this bug and another critical-rated issue in Kerberos tracked as CVE-2022-37967 (CVSS 7.2), admins will need to take additional actions beyond just applying the patch.

"Specifically, you’ll need to review KB5020805 and KB5021131 to see the changes made and next steps," he advised. "Microsoft notes this is a phased rollout of fixes, so look for additional updates to further impact the Kerberos functionality."

Childs also flagged three critical-rated fixes for the Point-to-Point Tunneling Protocol (PPTP), all carrying CVSS scores of 8.1, and all allowing RCE (CVE-2022-41039, CVE-2022-41088, and CVE-2022-41044).

"There seems to be a continuing trend of researchers looking for (and finding) bugs in older protocols," Childs said. "If you rely on PPTP, you should really consider upgrading to something more modern."

The remaining critical bugs are as follows:

*   CVE-2022-38015: A denial-of-service (DoS) bug in Hyper-V (CVSS 6.5), which Microsoft said "could allow a Hyper-V guest to affect the functionality of the Hyper-V host.”
*   CVE-2022-41118: An RCE bug affecting the Chakra and Jscript scripting languages (CVSS 7.5)
*   CVE-2022-39327: An Azure CLI RCE bug (no CVSS) — a previously released fix that is just being documented now.

**Patch ASAP**

Even though this month's update is relatively light, admins should get to patching ASAP, according to Bharat Jogi, director of vulnerability and threat research at Qualys — especially with so many zero-day exploits circulating.

"As we approach the holiday season, security teams must be on high alert and increasingly vigilant, as attackers typically ramp up activity during this time (e.g., Log4j, SolarWinds, etc.)," he said in emailed commentary. "It is likely we will see bad actors attempting to take advantage of disclosed zero-days and vulnerabilities released that organizations have left unpatched."

Microsoft Quashes Bevy of Actively Exploited Zero-Days for November Patch Tuesday

Ransomware-as-a-service lowers the barriers to entry, hides attackers’ identities, and creates multitier, specialized roles in service of ill-gotten gains.

Did you know that more than 80% of ransomware attacks can be traced to common configuration errors in software and devices? This ease of access is one of many reasons why cybercriminals have become emboldened by the underground ransomware economy.

And yet many threat actors work within a relatively small and interconnected ecosystem of players. This pool of cyber criminals has created specialized roles and consolidated the cybercrime economy, fueling ransomware-as-a-service (RaaS) to become the dominant business model. In doing so, they've enabled a wider range of criminals to deploy ransomware regardless of their technical expertise and forced all of us to become cybersecurity defenders in the process.

Microsoft Security doesn't just rely on open forum monitoring and ransomware claims to identify emerging cybercrime trends. We track ransomware attacks across the entire arc of the event — from incursion and exfiltration to ransom demand. This has allowed us to identify patterns in cybercriminal activity and turn cybercrime into a preventable business disruption. Following are some of our top tips.

**Understanding How RaaS Works**

Ransomware takes advantage of existing security compromises to gain access to internal networks. In the same way businesses hire gig workers to cut costs, cybercriminals have turned to renting or selling their ransomware tools for a portion of the profits rather than performing the attacks themselves.

This flourishing RaaS economy allows cybercriminals to purchase access to ransomware payloads and data leakage, as well as payment infrastructure. What we think of as ransomware gangs are actually RaaS programs like Conti or REvil, used by the many different actors who switch between RaaS programs and payloads.

RaaS lowers the barrier to entry and obfuscates the identity of the attackers behind the ransoming. Some programs can have 50 or more "affiliates," as they refer to their users, with varying tools, tradecraft, and objectives. Anyone with a laptop and credit card who is willing to search the Dark Web for penetration-testing tools or out-of-the-box malware can join this maximum efficiency economy.

So what does this mean for enterprises?

**Fresh Insight From a New Business Model**

This industrialization of cybercrime has created specialized roles in the RaaS economy. When companies experience a breach, multiple cybercriminals are often involved at different stages of the intrusion. These threat actors can gain access by purchasing RaaS kits off the Dark Web, consisting of customer service support, bundled offers, user reviews, forums, and other features.

Ransomware attacks are customized based on target network configurations, even if the ransomware payload is the same. They can take the form of data exfiltration and other impacts. Because of the interconnected nature of the cybercriminal economy, seemingly unrelated intrusions can build upon each other. For example, infostealer malware steals passwords and cookies. These attacks are often viewed as less serious, but cybercriminals can sell these passwords to enable other, more devastating attacks.

However, these attacks follow a common template. First comes initial access via malware infection or exploitation of a vulnerability. Then credential theft is used to elevate privileges and move laterally. This templatization has allowed prolific and detrimental ransomware attacks to be performed by attackers without sophisticated or advanced skills.

**Strategies for Businesses to Deploy**

Now that we understand the mechanics behind RaaS, let's examine several preventative measures that companies can take.

*   **Build credential hygiene:** Develop a logical network segmentation based on privileges that can be implemented alongside network segmentation to limit lateral movement. Failure to implement credential hygiene is one of the biggest security misconfigurations that we observe, and yet this simple tool can be a major factor in preventing threat actors from moving laterally and distributing a ransomware payload across the company. 
*   **Audit credential exposure:** Audit your credential exposure to better prevent ransomware attacks and cybercrime at large. IT security teams and security operations centers (SOCs) can work together to reduce administrative privileges and understand the level at which their credentials are exposed.
*   **Reduce the attack surface:** Establish attack surface reduction rules to prevent common attack techniques used in ransomware attacks. In observed attacks from several ransomware-associated activity groups, organizations with clearly defined rules have been able to mitigate attacks in their initial stages while preventing hands-on-keyboard activity.

Ultimately, carrying out a ransomware attack is easier than ever thanks to the commoditization of ransomware toolkits. But by implementing foundational security best practices and monitoring their credentials, companies will be less likely to fall victim to a ransomware attack.

Extortion Economics: Ransomware's New Business Model

Prolific online scammer and social media influencer 'Hushpuppi' sentenced for bank cyber heists, BEC campaigns, money laundering, and more.

A Nigerian man has been sentenced to US federal prison for 11 years for committing various cybercrimes and using the proceeds to fund a luxurious lifestyle — one documented in detail on his popular Instagram account with the handle "Ray Hushpuppi." 

The Department of Justice said in a statement the man, whose government name is Ramon Olorunwa Abbas, stole money through an array of cybercrimes, including online bank robberies and business email compromise (BEC). Abbas was also found guilty of running a huge money-laundering operation. In just one 18-month period, Abbas admitted to laundering more than $300 million, the DOJ noted. 

    

A Hushpuppi fan page on Instagram.

"Ramon Abbas, a.k.a. 'Hushpuppi,' targeted both American and international victims, becoming one of the most prolific money launderers in the world," Don Alway, the assistant director in charge of the FBI's Los Angeles Field Office said in the DOJ announcement. "Abbas leveraged his social media platforms — where he amassed a considerable following — to gain notoriety and to brag about the immense wealth he acquired by conducting business email compromise scams, online bank heists and other cyber-enabled fraud that financially ruined scores of victims and provided assistance to the North Korean regime."

One notable ostentatious purchase that made frequent appearances on the now abandoned Hushpuppi Instagram account was a Richard Mille RM11-03 watch, which Abbas had paid $230,000 for with funds he scammed from an unsuspecting business owner. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Instagram Star Gets 11 Years for Cybercrimes Used to Fund His Lavish Lifestyle

There's real value in having a better perspective around future regulation and compliance requirements.

Business leaders must move to a deeper understanding of regulation and compliance requirements for their industry. These frequently complicated and confusing laws are too often viewed only through the negative lens of the avoidance of punishment. But there's real value to be found in these rules as they can facilitate the creation of a new "prescriptive framework" that helps a company more clearly understand where it sits in terms of risk — and the protection of its data and brand reputation.

**The Importance of a Prescriptive Framework for Cybersecurity**

Executives, and even board members, have a responsibility to demand and contribute to the creation of the right prescriptive framework in collaboration with the chief information security officer (CISO). This framework needs to provide transparency, identify security gaps, and use company-appropriate metrics. And the data in that framework must be easily digestible and acted upon by non-security experts in the evaluation and approval of proposals around cybersecurity.

PCI DSS (Payment Card Industry Data Security Standard) for retail companies and FFIEC CAT (Federal Financial Institutions Examination Council's Cybersecurity Assessment Tool) in the financial services space are well-known cybersecurity frameworks that can serve as the basis of developing one at your company. Both measure a large set of security controls (authentication, data security, and vulnerability prioritization) that help to lower organizational risk posture and give companies an understanding of how solid their security policy really is.

A CISO can benefit by using these kinds of industry standards and tools to create a framework that is thorough and can be understood by executives who are non-security experts. This way, it can "prescriptively" guide the way that security gaps and vulnerabilities are not only identified but addressed within an appropriate business context.

**Factors in Selecting the Right Cybersecurity Risk Framework**

The big question for a company is: How do we select and use the right existing cybersecurity framework to inform the creation of our own guidelines? Three main variables guide this choice: the size and maturity of the organization, issues of relevance to the industry, and an understanding of the company's internal business processes.

**1\. Company Size**

Larger companies will often already have well-articulated requirements for mandatory adherence to several types of regulatory controls. And public companies must file reports to comply with financial regulations, such as those required by the Securities and Exchange Commission for public mergers and acquisitions or private equity acquisitions. Both of these sources will contain a certain amount of cybersecurity intelligence for audits that are valuable input sources for your framework.

For smaller companies, IT and security teams are lean and processes are more limited simply because of the maturity and resources of the organization. This often results in overlapping regulatory responsibilities — for example, a CISO with responsibility for both security and compliance policy. Overlaps can be advantageous in mapping out organizational processes — since there are fewer stakeholders from which to collect the policy information and a less bureaucratic and onerous approval process.

**2\. Industry Relevance**

Security control issues have different weights of importance depending on what's critical in the specific industry. In retail, a cybersecurity framework such as the PCI DSS does an excellent job articulating the issues with many common security controls that are needed to protect valuable customer data. However, PCI DSS may not work well in an industry like manufacturing,where the enterprise may reside entirely on-premises with little to no access to an external network. In this case, security issues revolve around protecting critical internal IP, and a more vertical agnostic guideline such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CFS) may be a better place to start.

**3\. Business Processes**

Too often, companies think about cybersecurity only from the perspective of outside forces. They forget to think about the vulnerabilities that can be caused by their own everyday internal processes. An understanding of how data is stored, processed, or transmitted inside the business provides greater clarity about which security controls and measurements are needed at different stages of the data life cycle.

Large organizations will have well-codified internal processes. Smaller companies may have never articulated their business processes, which may have grown organically (and unattended) over time. If cybersecurity is an issue (and it is), then it's time to go to your IT lead or CISO to create an initial mapping of your processes.

**Cybersecurity and the True Fiduciary**

At first glance, some executives might think that asking for a usable cybersecurity compliance framework is pushing cybersecurity concerns too far. But how is this different from expecting a chief financial officer to provide a balance sheet, profit and loss statement, and robust analyses of potential acquisitions? It's not. Both security frameworks and financial analysis should be based on industry-recognized and accepted models for data that are useful and actionable by non-expert fiduciaries and management. Today, both security and financial information should be considered of equal value and importance in executive and board decisions.

For CISOs, executives, and board members alike, it's time to look at regulations as friends, not foes, in the evolution of cybersecurity preparedness.

It's Time to See Cybersecurity Regulation as a Friend, Not a Foe

The classroom-based curriculum addresses the cybersecurity workforce gap with free training labs and virtual cyberattack environments to hone the skills of the next generation of talent.

Kids in grades K-12 will soon have a no-cost virtual environment in which to beef up their cybersecurity skills, thanks to the expansion of the Cybersecurity and Infrastructure Security Agency’s Cyber.org Range.

The program, developed in conjunction with the Cyber Innovation Center (CIC), is a classroom-based effort that's meant to act as a workforce development engine, providing high school students especially the opportunity to experience and defend against realistic cyberattacks in a virtual, safe environment. They can learn about the other side too, performing pen testing and red teaming activities.

The teacher-led "Cybersecurity Course" curriculum includes access to a range of free resources and online labs that are designed to prepare students for the CompTIA Security+ Exam. Security+ incorporates best practices in hands-on troubleshooting and practical security problem-solving skills, offering a springboard into medium-level cybersecurity jobs.

Such initiatives will be critical as organizations strive to fill hundreds of thousands of open cybersecurity positions, according to CISA director Jen Easterly.

"We all need to come together to invest and make sure that we are building that diverse and capable cybersecurity pipeline to defend our nation. There's a lot more work to do to reach those 52 million students, those 3 million educators all across our country, but I think we're starting today," she said during a launch event on Monday.

The Cyber.org Range is going to be available nationwide starting next year after its pilot phase through the end of 2022. Initially funded by the State of Louisiana, the nationwide expansion is due to a CISA grant.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cyber.org Range Offers Cybersecurity Job Paths for K-12 Students

My year as a venture capital CISO-in-residence.

The CISO role has evolved dramatically over the past decade, maturing from security officer to impactful business leader who, increasingly, is a part of their organization's C-suite. In light of the considerable impact security risks have on business objectives, this is a welcome transformation. Encouraging employees to go beyond their day-to-day and view security as a priority, making allies of users and business managers and providing the organization with tangible value, is extremely rewarding.

However, for many chief information security officers, the operational, real-time, and often strenuous aspects of the role haven't changed, despite this evolution. Being a CISO can be a lonely job, as employees know that if you approach them, you're likely going to be adding to their workload — whether by requesting that they learn more about a specific risk or asking for their help in mitigating it. Employees may see CISOs as causing friction within the organization, while CISOs today strive to become enablers — not obstructers. CISO burnout is real; having to juggle business expectations, customer needs, shifting workflows, new vulnerabilities, and incident-response 24/7 can become grueling over time.

The shifting role of the CISO has not gone unnoticed by other players in the tech industry, including startup founders and venture capital firms that view CISOs' expertise as a leverageable commodity in the competitive startup landscape. After years of perpetual threat mitigation, CISOs may be keen to explore alternative career opportunities down the line, pivoting away from the operational aspects of the CISO role.

These factors, as well as my passion for assisting vendors with optimizing their approach to CISOs, greatly influenced my 2021 decision to join the cybersecurity-focused venture capital firm YL Ventures as their CISO-in-residence.

**The CISO's Vantage Point**

Being a VC CISO-in-residence provides both a strategic and a behind-the-scenes vantage point into the startup environment. Shifting from a 24/7 incident-response role to a more holistic guidance position complements a CISO's breadth of knowledge and allows them to use their insights and experience to build new security products, rather than managing or mitigating risk. At YL Ventures, which invests at the earliest stages of a cybersecurity startup, I work with founders who are in the most crucial phases of their startup journey, and this is one of the most enjoyable and challenging aspects of my position.

My responsibility centers around participating in ideation sessions with a new generation of cybersecurity founders, holding weekly sessions with them on product strategy, and sharing my expertise as part of the YL Ventures team through personal branding opportunities. My close involvement in the startup process allows me to take an active part in building my dream solutions for pain points that have plagued the industry for years — and which have affected (and frustrated) me personally, in my job as an operational CISO.

Working closely with the Israeli cybersecurity industry is an exceptional opportunity to be part of the cradle of cybersecurity innovation. Israeli entrepreneurs are the Ivy League of young cybersecurity professionals, and embedding myself in their passion and drive makes me a better CISO. Before joining YL Ventures, I was under the impression that VCs dealt primarily in ideas. Learning that the firm bets on the team, not just the idea, was surprising, but also helped define my role in the process. I take an active part in the due diligence activities that are integral to deciding which startup to fund. This poses a challenge, as an idea may be exactly what the CISO ordered — everything you've dreamed about as an operational cyber professional — but the team may not stack up to expectations. And for the company, that factor would prevail.

Such exposure to nascent technologies and investment strategies rounds out my decades of security experience in an new way and opens up possibilities for angel investing, personal branding opportunities, and exposure to a global network of security professionals that has immense professional value going forward. In my experience, many CISOs harbor ambitions of becoming entrepreneurs, and guiding startup founders as a CISO-in-residence can be a crash course in entrepreneurship and understanding what it takes to launch your own startups and become a CEO.

I've had the opportunity to learn about more than just the technical product aspects during my time as CISO-in-residence so far. My role provides me with insights on team building, funding strategies, what investors look for in founders, and why the co-founder dynamic is important. For entrepreneurs, having a seasoned CISO at their disposal to bounce ideas off of has a real impact on their product-market fit strategy, as the CISO represents the customer — and these conversations are crucial at their early stage. Saving the world one incident at a time has its glamour, but stepping behind the curtain and helping stack the building blocks of future solutions as a VC CISO-in-residence is a unique and rewarding experience.

The Shifting Role of the CISO

AppSec and Cybersecurity veteran will leverage his strong institutional experience as demand for crowdsourced cybersecurity solutions grows.

**SAN FRANCISCO, Nov. 8, 2022 /PRNewswire/ —** Bugcrowd, the leader in crowdsourced cybersecurity, today announced the appointment of Dave Gerry as Chief Executive Officer (CEO). As CEO, Gerry will oversee operations, drive growth and profitability, and manage the company's overall strategy. This appointment follows another year of rapid growth for the company, which has experienced record customer adoption of its crowdsourced cybersecurity solutions and represents the next step in Bugcrowd's global expansion strategy. Bugcrowd partners with hundreds of clients including: CISA/Department of Homeland Security, BigCommerce, Monash University, TX Group, and Comcast.

"Security organizations are facing an incredible challenge securing their companies in the digital era," said Gerry. "Now, more than ever, there is a need for continuous, real-time vulnerability insights across today's expanding digital attack surface. Bugcrowd has pioneered crowdsourced security through a platform-powered approach that connects the untapped talent of the global security community into an organization's security strategy in a trusted, efficient way. Our innovation is second to none in the cybersecurity industry and I'm excited to lead the company in its next growth stage."

Gerry is a highly regarded technology executive with a proven track record of leadership at several high-growth companies in the AppSec space. Most recently, Gerry served as Chief Operating Officer at Bugcrowd. Prior to Bugcrowd, Gerry was the Chief Revenue Officer and Head of Global Operations of WhiteHat Security which was first acquired by NTT and most recently by Synopsys. Previously, he held key growth-driving positions in sales, marketing, and business development at Veracode and Sumo Logic.

"From our inception, the mission of the Bugcrowd platform has been to connect the latent potential of the good-faith hacker community with cybersecurity's unmet demands—unlocking an army of allies to outsmart an army of adversaries," said Casey Ellis, Founder, Chairperson, and CTO. "In 2022 the need for this has never been more obvious. As the Board considered the best CEO to lead Bugcrowd's coming season of acceleration and innovation, Dave's track record of operational excellence, deep cybersecurity experience, go-to-market and partnership prowess, and profound enthusiasm for the space our company pioneered all shone through. Personally, I'm thrilled to welcome him to the CEO role, and very excited to partner with him in continuing to level the cybersecurity playing field."

"After considering and interviewing several candidates for the job, it became obvious Dave is the clear choice to lead Bugcrowd," said Mike Jennings, Venture Partner, Rally Ventures. "In addition to the knowledge that Dave has gathered since joining Bugcrowd, he brings strong institutional experience in cybersecurity making him a natural fit for the CEO role. He is a proven leader with over a decade of experience in the AppSec market, and his familiarity with Bugcrowd allows him to seamlessly assume the new responsibilities of the position. We are confident that he is well-positioned to lead the team in accelerating Bugcrowd's growth strategy moving forward."

Gerry will help Bugcrowd continue its momentum after recently announcing the appointment of Robert Taccini as Chief Financial Officer. To learn more about how some of the biggest brands in the world rely on Bugcrowd, visit www.bugcrowd.com/customers.

"Bugcrowd" is a trademark of Bugcrowd Inc. and its subsidiaries. All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

**About Bugcrowd**

Bugcrowd is the leading provider of crowdsourced cybersecurity solutions purpose-built to secure the digitally connected world. Today's enterprise demands an offensive approach to cybersecurity—and Bugcrowd offers the only solution that orchestrates data, technology, and human intelligence to expose blind spots. The Bugcrowd Security Knowledge Platform™ enables businesses to do everything proactively possible to protect their organization, reputation and customers with products like Bug Bounty, Penetration Testing-as-a-Service, and more. Trusted by organizations across the globe, Bugcrowd uncovers and remediates vulnerabilities before they interrupt business by leveraging expert ingenuity and the knowledge of world-class security researchers. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Learn more at www.bugcrowd.com.

Bugcrowd Names David Gerry Chief Executive Officer

Retailers and hospitality companies expect to battle credential harvesting, phishing, bots, and various malware variants.

For companies in the retail and hospitality sector, the holiday shopping season represents their busiest time of year, both for sales and fighting cybercrime threats.

This year is no different, with companies in the sector anticipating that phishing, fraud, credential harvesting, and the ever-evolving malware landscape will cast a shadow over their security posture in the coming months, according to a report published by Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) this week.

The 2022 RH-ISAC Holiday Season Threat Trends Summary report polled analysts and members of the industry group about what their security focus is this season — which is defined as the time between Oct. 1 and Dec. 31, when people tend to do their online shopping for holidays that are celebrated in much of the world — as well as what they experienced in the previous 2020 and 2021 holiday seasons. RH-ISAC associate member Flashpoint also provided research and data for the report.

While many threats plaguing the sector have remained consistent over the years, others are evolving rapidly as threat actors develop new malware and exploit fresh vulnerabilities, posing new issues and requiring both reinforcement and change in defense tactics with each season.

**Phishing and Credential Theft**

Retailers cited recurring threats as their biggest worries this year, with phishing — which the organizations noted is a year-round concern — a significant worry that remains consistent. In 2020, nearly 20% of retailers said phishing was the most frequently shared threat among their member exchange, Slack, and the core member listserv boards, while the number was 16% in 2021, according to the report.

Indeed, the holiday season tends to bring a host of socially engineered promotional campaigns aimed at fooling account holders to harvest their credentials and perform other nefarious activities, organizations noted.

Of more concern than phishing, however, is what is often a result of that threat activity: credential harvesting, which 42% and 37% say was the most-shared threat in 2020 and 2021, respectively. Retailers also worry about a rise by threat actors in the use  of info-stealers that harvest customer data purchase don hacker forums, as well as customer account takeover that typically ramps up over the holidays.

Other types of fraud involving gift cards and loyalty cards — with the former allowing threat actors to remain anonymous and thus difficult to track while shopping — will be a focus this year, as well as fraud related to returning items that were not purchased legitimately.

**Evolving Malware Landscape**

The report outlined year-over-year changes between 2020 and 2021 in retail threats linked to malware, bots, and vulnerabilities — results that demonstrate just how quickly this threat landscape in particular can evolve.

Some of these threats, such as QakBot, Emotet, Agent Tesla, and Dridex — remain a constant worry. However, others — such as Log4Shell — emerge quickly and predictably, forcing organizations to pivot in terms of defense, researchers found.

Bots in particular have risen in profile in terms of their impact on online retailers, especially over the past two years, as individuals who otherwise participate in no criminal activity began exploring ways to earn additional income as resellers of stolen information on threat actor forums, according to the report.

"These 'side hustles' support an already thriving ecosystem wherein actors have been scalping high-demand products to sell at high markups," according to the report. "The use of automation to support this activity causes significant negative side effects on the back end and can even lead to DDoS-like disruptions."

Year-over-year changes in malware and bot activity reflect how quickly this threat landscape in particular can change. For example, in 2020, the Emotet banking Trojan and its loader were the top malware threats shared by retailers — 15% and 8%, respectively — while the remote access trojan (RAT) AgentTesla earned 4% of overall mentions.

In 2021, however, AgentTesla rose to greater prominence, with 16% of mentions by retailers, while Emotet virtually disappeared from message boards, respondents said. Moreover, the now infamous Log4j debacle emerged as a threat, with 16% of mentions by retail and hospitality companies.

Retailers say they expect the most prevalent malware and bot activity this holiday season to come from QakBot, Emotet, Agent Tesla, and Dridex, according to the report.

Changes in threat activity so far this year include an increase in imposter websites, and emerging phishing attempts that are either product-focused or impersonated executives. The latter reflects a rise in socially engineered attacks that aimed to harvest credentials and bypass multifactor authentication, retailers say.

**Retail and Hospitality Defenses**

Because of the diversity of the threats the retail and hospitality sector expects to see during the holiday shopping season, the defense tactics they plan to adopt this year also are varied and must encompass both a macro and micro approach to understanding their enemies, they reported.

"Members reported focusing on understanding very specific tactics fraudsters and threat actors are using across kill chains to enhance detection and mitigation efforts," according to the report. "Understanding broad trends across the threat landscape and how they work within member environments has enabled analysts to create more effective alerting, detection, and mitigation efforts."

One tactic they are adopting is to work closely with their respective customer service departments, in part by providing customer service representatives with threat training. They also are maintaining brand protection services to help take down malicious imposter sites, as well as instituting internal fraud working groups to counter threats.

Staffing-wise, retailers and hospitality vendors cite consistency as key, with the need to ensure that those working directly to spot threats have the appropriate experience and knowledge to respond. The companies say they could implement change freezes, staffing adjustments, or other operational changes to prepare for the season, including an improvement in endpoint detection and red team operations to validate threat concerns and highlight areas for improvement, according to the report.

Among the tools and practices the companies find particularly helpful for shoring up security over the holidays: leading vendor threat intelligence platforms and cyber threat intelligence feeds; RH-ISAC community resources and sharing platforms; updated policies and plans; and partnerships with leading cybersecurity associations and nonprofit organizations for additional threat research context.

Retail Sector Prepares for Annual Holiday Cybercrime Onslaught

Call on security industry to collaborate on a standard framework to close the gap on the human element in cybersecurity.

**AUSTIN, Texas and LONDON, Nov. 8, 2022 /PRNewswire/ —** Living Security and CybSafe, today announced a new Human Risk Management Maturity Model, to serve as a standard across the cybersecurity industry including: practitioners, analysts, vendors, and thought leaders to measure the impact of human behavior on an organization's risk.

While several frameworks and maturity models exist to measure cybersecurity risk, including the National Institutes of Standard and Technology (NIST), the Cyber Defense Matrix and the FAIR methodology for IT frameworks, none are specifically designated to quantify the specific risk that human behavior creates inside organizations. The proposed Human Risk Management Maturity Model will give practitioners guidance on how to evolve into the next phase of cybersecurity to measure and change human behaviors. In doing so, organizations are able to both reduce cyber risk and empower employees, creating true cultural change inside organizations and across industries.

"The human factor is the last frontier of cybersecurity. We've focused for decades on technologies and systems, but have consistently siloed our approach to the single most important element of any enterprise security plan, the people themselves. We at Living Security believe it is time for a paradigm shift," said Ashley Rose, CEO and co-founder of Living Security. "Launching this model is our way to start a ripple that grows. This is a collective journey to continue the disruption and leverage behavioral data to effectively manage and mitigate human cybersecurity risk and create a safer world."

"There is no doubt that now, more than ever, society needs the security community to take an even more intelligent approach to managing human risk," said Oz Alashe, CEO and Founder of CybSafe. "And so as security professionals we need to come together to continue to fuel curiosity and understanding that helps us be more effective at managing the risk within our organizations. This can't be done by any one team, vendor, or group unilaterally. It's a collective effort and at CybSafe we're excited to play our part."

Eighty-two percent of breaches currently involve the human element, yet a majority of cybersecurity funding is still focused on technological interventions. We invite everyone; analysts, vendors, practitioners, and thought leaders to collectively participate in creating a model that truly helps companies of all sizes embark on the journey of human risk management.

To read and comment on the proposed Human Risk Management Risk Maturity Model go to https://humanriskmanagement.com/human-risk-management-maturity-model**.**

**About Living Security**

Living Security's mission is to transform human risk to drive dramatic improvement in human behaviors, organizational security culture, and infosec program effectiveness. With our Human Risk Management platform, Living Security engages each employee with innovative and relevant context and content, while simultaneously providing the ability for leadership to identify, report on and directly mitigate the risk brought on by human behavior. Living Security is trusted by security-minded organizations like MasterCard, Verizon, MassMutual, Biogen, AmerisourceBergen, Hewlett Packard, and Target. Learn more at www.livingsecurity.com.

**About CybSafe**

CybSafe is cloud-based software that reduces organizational risk by improving people's security decisions and behaviors. Our platform educates, nudges and provides real-time, tailored cyber assistance for users so that they can be secure in their daily digital lives. It's human risk software that helps security professionals target specific security behaviors. It also provides security behavior, culture and risk reporting metrics that allow you to pre-empt security problems. CybSafe is underpinned by a data-led model of human behavior and leverages SebDB, the world's most comprehensive security behavior database. It's designed for a modern workforce and a hybrid working environment. Learn more about CybSafe at www.cybsafe.com.

Source

DARKReading