The MITRE framework's applied exercise provides defenders with critical feedback about how to detect and defend against common, but sophisticated, attacks.

In 2025, an international fintech firm will face attacks through its hybrid cloud infrastructure by some of the most sophisticated cyber operators on the Internet, targeting the company's Active Directory instance, employees' LinkedIn profiles, and shared code repositories to further their compromises.

A prediction? Not quite.

The scenario is the premise of the latest MITRE ATT&CK Evaluations test, an annual assessment gauntlet that pits cybersecurity firms against the techniques and tactics of the latest cyber threats actors. For vendors, the exercises — conducted by government contractor MITRE — allow them to test their detection, protection, and response capabilities in real-world scenarios to see what can be improved. For cybersecurity professionals, the results of the assessments can help them determine whether they are prepared to defend against sophisticated attacks.

While some vendors tout their detection ratings in the evaluations, the point is less about grades for security software and more about improving companies' defenses and vendors' products, says Lex Crumpton, principal cybersecurity engineer at MITRE.

"ATT&CK Evaluations is more of an adversary-emulation, purple-teaming, collaboration effort, if you will — we assess the vendors tooling on an environment that we build in-house," she says. "They don't know which techniques we are going to choose, or what we're not going to choose, based off of that techniques and scope document."

The MITRE ATT&CK Framework is well-known as a taxonomy of tactics and techniques used by cyberattackers, but every year MITRE also conducts testing of security products against the latest threats targeting organizations. In 2024, for example, the exercise mimicked attacks by the LockBit ransomware-as-a-service group, the Cl0p ransomware gang, and North Korean state-sponsored threat groups, which have commonly used ransomware to fund national goals.

A variety of ransomware attacks were emulated in the test environment, including those targeting Windows and MacOS, MITRE said in a December 2024 statement.

For 2025, one part of the evaluation — known as the Managed Services Evaluation — will focus on "cloud-based attacks, response/containment strategies, and post-incident analysis," according to the organization's scenario outline.

Companies can use the ATT&CK Evaluations in two ways, says Greg Young, vice president of cybersecurity at Trend Micro, which participated in the 2024 Evaluations along with 18 other companies.

"For \[a company's\] purchase decisions, this is one sort of data input — it should not be the only data input because the testing for MITRE is exceptionally narrow against a few techniques and tactics," he says. "For the second part, the tests \[can inform\] companies' own security ops centers and their own red teaming behavior — looking at it and saying, 'Well, what are adversaries using today?'"

**Developing More Realistic Adversaries**

The ATT&CK evaluations use cybersecurity observations and threat reporting from analysts worldwide, collected from both MITRE's in-house cyber threat intelligence team and from the CTI community at large. The group collects information on attacks and selects the adversaries for the evaluations. A red development team creates a set of tools to emulate current techniques used by selected adversaries, while the detection team — the blue team — confirms whether those approaches are legitimate in terms of the evaluation.

MITRE conducts two distinct rounds of testing. One is a managed-service round, in which the organization creates a black-box testing environment, giving no information about the attack to the vendor being evaluated except for the general category of threat. In an enterprise round, the vendor is given the technical scope and potential information about the adversaries, such as whether they are a nation-state, such as China or the DPRK, or using some other tactics.

Like many testing organizations, MITRE has faced some pushback on aspects of its scenarios, Crumpton says.

"One of the biggest comments we had this year is — because we brought in false-positive noise \[such as\] benign user activity — some vendors argued that, 'Hey, this could be deemed malicious activity'," she says. "I think one of the benign use cases was disabling the firewall. One vendor said, 'Hey, the sys admins from our companies would never disable the firewall.'"

**Evaluations Push for Improvement**

Vendors get graded on how they perform, but the focus is on giving information to both the vendors and businesses about how they can improve their defenses, Crumpton says.

"Ultimately, we are there to improve the tools," she explains. "If we're emulating this adversary and we find this technique that your tool can't detect, can we help you improve your tool so that you can now detect that technique? That's something that I think also the customers or the community should look at."

Defenders can take a page from the ATT&CK evaluations as well, creating playbooks to detect and protect against the tested threats, says Trend Micro's Young. During the ATT&CK Evaluation, MITRE logs activity and takes screenshots, giving organizations a detailed picture of the attack unfolding and mapping the steps against the ATT&CK Framework.

"Knowing that adversaries are now using this kind of technique — say, this kind of lateral movement, or they're going to go after this kind of resource — that's exceptionally helpful for \[a company\] designing their defenses," he says. "I almost think there's more value in looking at the \[ATT&CK\] framework than the evaluations, but it depends on your purpose."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

MITRE's Latest ATT&amp;CK Simulations Tackle Cloud Defenses

The bug has been given a 9.9 CVSS score, and could allow authenticated threat actors to escalate their privileges to admin-level if exploited.

Source: Kristoffer Tripplaar via Alamy Stock Photo

NEWS BRIEF

Cisco has released a patch for a critical vulnerability found in its Cisco Meeting Management feature that could allow a remote, authenticated attacker to elevate themselves to administrator privileges on an affected device.

Cisco Meeting Management is a management tool for Cisco's on-premises meeting platform, Cisco Meeting Server. The management system allows users to monitor and manage meetings that are running on the platform through two user roles: the first is for administrators with full rein over the platform; and the second is for "video operators," who only have access to the meetings and overview pages.

The vulnerability, tracked as CVE-2025-20156 (CVSS score of 9.9), is located in the REST API and exists because "proper authorization" is not enforced on REST API users. Should an attacker send specially crafted API requests to a specific endpoint, they could exploit the vulnerability and allow an attacker to gain administrator-level control over edge nodes managed by Cisco Meeting Management.

This poses a risk to businesses, as a threat actor with video operator access on the platform could exploit this vulnerability to give themselves administrator privileges, allowing them the ability to change configurations, add users, and more, according to the advisory.

The management system is vulnerable to the bug regardless of device configuration, according to the advisory. So, anyone using Cisco Meeting Management 3.9 or earlier would need to migrate to a supported version in order to fix the bug. Those with version 3.9 should upgrade to version 3.9.1; and those with version 3.10 remain unaffected. There are no workarounds to address the vulnerability.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Cisco: Critical Meeting Management Bug Requires Urgent Patch

Third-party API security requires a tailored approach for different scenarios. Learn how to adapt your security strategy to outbound data flows, inbound traffic, and SaaS-to-SaaS interconnections.

Source: Elena Uve via Alamy Stock Photo

COMMENTARY

API security often involves third-party, rather than first-party, APIs, and each use case can have different requirements. Rather than trying to make one technological approach work for all instances, security and risk management leaders must adapt their approach to the specific use case.

According to a recent Gartner survey, 71% of IT leaders report using third-party application programming interfaces (APIs) in their organizations. Many security and risk management leaders must focus on API security when dealing with consumption and integration with third-party APIs, rather than exposure of first-party APIs. 

In addition, when it comes to third-party APIs, many remediation measures, such as patching for exposures, are not under the organization's direct control. Therefore, the approach will have to be fundamentally different as compared to first-party APIs. 

Three use cases should be top of mind for these security leaders.

**Use Case 1: Discover and Manage Outbound Data Flows to Third-Party APIs**

In this first use case, the enterprise sends data to third parties via APIs, typically by invoking them from homegrown applications. In an e-commerce scenario, for instance, the service providing the API could be a payment gateway. In this example, the outgoing traffic would contain payment data used to process a payment. There are different ways to invoke the API from within the application, such as direct integration, using a software development kit or a webhook.

A main risk is that sensitive data may be sent toward the API. This activity may conflict with enterprise policies or industry regulations. Third-party APIs may also put the data, or the data of customers, in danger. For example, an attacker may be able to steal payment data from customers by using a vulnerable payment API. Depending on the scenario, injecting a malicious payload could also corrupt the database of a business partner.

In this scenario, security leaders should discover third-party APIs by performing traffic inspection, code repository inspection, and software composition analysis, as certain third-party APIs may be invoked via third-party libraries, not homegrown code.

Security leaders should also liaise with the team that manages sourcing, procurement, and vendor management (SPVM) and third-party cyber-risk to ensure software-as-a-service (SaaS) applications are vetted and comply with organizational policies.

Security leaders must also identify sensitive data exfiltration by monitoring the outgoing traffic in these API exchanges. This is typically achieved by implementing data loss prevention (DLP) capabilities. Disparate tools could apply—for example, security service edge (SSE), DLP, and API protection tools all have certain DLP capabilities.

*   Differentiators could include whether the tool can categorize data while in transit (“on the fly”) or whether it can perform remediation actions, such as blocking the exchange, anonymizing, or encrypting the data.
    
*   The monitoring point may also matter, as some tools may already be installed or have access to unencrypted traffic.
    
*   Most importantly, the way security leaders have configured a tool matters. If it is set up to act as a choke point, it could be a better option than a tool configured to process only specific types of traffic or incoming traffic, for example.
    
*   Internal considerations, such as which team owns and operates each tool, will also play a role in determining which tool to choose.
    

Finally, security leaders can implement proper authentication and authorization of the API client (in this scenario, the application) using the mechanisms offered by the API provider. At a minimum, favor tokens over API keys for authorization. Assess how opaque and proof-of-possession tokens (or at least frequently rotated access credentials) and certificate pinning may efficiently mitigate token leakage and interception risks in specific use cases. Be mindful of the technical burdens they may require to set them up and issues with traffic inspection.

**Use Case 2: Protect From Inbound Traffic From Third-Party APIs**

In this use case, the organization consumes the third-party API, and the data is incoming. A typical example could be an enterprise application that makes an API call to obtain data from a commercial SaaS provider or a business partner.

One risk in this use case is receiving potentially harmful input from the API. Malicious input from third-party APIs may endanger applications, its users, or the infrastructure hosting applications. For example, if an API response with a malicious payload is sent to a database, it could result in an injection attack.

Data exfiltration is still a risk for this use case, and many of the recommendations from the first use case still apply here. If the outgoing API request contains sensitive data, that data could be intercepted. For example, if an API call requests a list of restaurants based on GPS coordinates, said GPS coordinates could be intercepted if the connection is not secure. Most importantly, the third-party API could be fetching the specific data of the enterprise. (Think, for example, of an API fetching data about customers from specific instances of a CRM SaaS application.)

Security leaders should perform input validation. Ask developers to add input validation controls when ingesting any input, including input from third-party APIs. This will prevent a large spectrum of attacks from malicious input, such as SQL injection attacks. Application security testing (AST) tools can help automate these checks.

Use Web application firewall functionality from a Web application and API protection tool in-line to add contingencies against injection attacks and other types of malicious input.

Finally, vet the input with an antivirus, sandboxing, or content disarm and reconstruction solution by integrating applications typically via Internet content adaptation protocol or APIs with one or more of these tools.

**Use Case 3: Discover, Vet and Manage the Data for Third-Party Apps That Communicate via APIs**

Many security leaders are focused on API security but describe a scenario where one or more SaaS applications typically communicate via APIs, exchanging enterprise data. This issue can be exacerbated because users may be able to interconnect SaaS applications without having administrative privileges. While the underlying communication may be API-based, this problem's solution is closer to the best practices for SaaS security.

This situation is particularly challenging when an authorized SaaS application user connects it via API to an unauthorized SaaS app. Many organizations will have little to no visibility of the connection's existence, let alone of any data transfers across it. Second, visibility is limited to what SaaS providers reveal through their own management APIs, as there's no clear place to insert an in-line control. The main risk with this scenario is that the SaaS application may expose sensitive enterprise data via the API, and that data may be transferred to an unapproved and even unknown location that security has not vetted.

Security leaders should discover the SaaS applications used by performing a census, releasing a policy, and inspecting traffic. Use SSE, firewalls, SaaS management platforms, or other tools to identify the SaaS applications users are accessing, especially those housing sensitive data. Until they know what applications users are accessing, they cannot check for SaaS-to-SaaS connectivity

Discover rogue SaaS access tokens by querying the SaaS applications used, where supported. Create and promote policy to users about connecting SaaS apps via OAuth.

For the previous use cases, liaise with the team that manages SPVM and third-party cyber-risk to ensure SaaS applications are vetted and comply with organizational policies, such as data security and third-party sharing ones. In addition, inventory SaaS-to-SaaS interconnections; automated tooling, such as SSPM offerings, can help ensure this is a continuous process.

By adapting their approaches to these three specific use cases and their possible variations, security leaders can address the risks that third-party APIs present for their organizations.

**About the Author**

VP Analyst, Gartner

Dionisio Zumerle is a VP Analyst at Gartner, where he is currently focused on application and mobile security topics. Zumerle's coverage includes API security, mobile application security, DevSecOps, and mobile threat defense.

3 Use Cases for Third-Party API Security

For the first time in a long while, the federal government and the software sector alike finally have the tools and resources needed to do security well — consistently and cost-effectively.

Source: Vladimir Stanisic via Alamy Stock Photo

COMMENTARY

The federal government is often slow moving when it comes to various technology modernization efforts (thanks to the obstacles posed by resourcing, staffing, and politics), so it's no surprise that a lack of cybersecurity awareness and action has caused federal infrastructure to reach new levels of criticality. 

Year after year we see data breaches become more commonplace, with ransomware plaguing organizations and agencies of all sizes, while foreign adversaries continue to work their way into our networks and most high-value infrastructure. There's a good reason why trust has been slowly eroding across our federal institutions over the past 20 years. But aptly timed in this tumultuous era — and released during his final days in office — is the Biden administration's executive order on Strengthening and Promoting Innovation in the Nation's Cybersecurity. 

My take is that it's certainly good. And it's certainly needed. There's clearly a problem in shoring up our national supply chain. Our adversaries are getting stronger every day, and they're exploiting gaps and weaknesses in our interconnected systems in a way that's very real and urgent. Plus, as our workforce (federal and private) continues to modernize, digitalize, and work from anywhere, our inability to reconcile secure-by-design development with fast work-from-anywhere productivity has created a harsh reality. 

The takeaways from this executive order are the same as ever. People have long deprioritized getting the basics right when it comes to cybersecurity. A history of sporadic and continuous investment in legacy IT has left organizations ripe for and open to attacks. In fact, 90% of organizations lack visibility over all their endpoints at any given time, and in 2024, breaches caused by the successful exploitation of vulnerabilities went up 180% year over year. There remains an evident education, enforcement, and skills gap in cyber. How much longer will it take us to recognize and make the necessary changes to overcome these issues? 

But there are some positives. In my mind, here's why this executive order is different: It comes at a time when there's an actual, viable solution readily available to help the US federal government — and the larger software supply chain — overcome the challenges that have long stifled our collective resilience efforts. AI and automation pose a real and lasting way for the US federal government to shore up resilience, improve the integrity of the software supply chain, and upskill the federal workforce. AI allows organizations working with the federal government to reach a balance between productivity, growth, and security in a way that's never before been possible. 

As written in the executive order, "Artificial intelligence (AI) has the potential to transform cyber defense by rapidly identifying new vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense." AI, when used strategically to analyze, synthesize, and inform security actions — particularly in areas like patch management and vulnerability assessment — not only presents the opportunity to help the federal government achieve resilience, solidifying infrastructure and streamlining operations in the process, but also frees up critical talent to reach new goals and mission critical resilience objectives as they evolve. 

For the first time in a long while, the federal government and the software sector alike finally have the tools and resources needed to do security well — consistently and cost-effectively. Though like anything else in technology, not all of AI is created equal, and thoughtful adoption in addition to rigorous coding, testing, and transparent disclosure practices will be essential to ensure that we as a community and as a software supply chain continue to implement, grow, and refine accordingly. 

Even if this executive order gets overturned, mandates like these serve as a helpful reminder of all that is important — and possible — to prioritize and achieve in this new AI era. While utilizing AI won't be without its challenges, and no development program will ever be perfect, AI offers organizations a unique opportunity to strive for more, strengthen development and compliance practices, and grow, while upskilling the next crop of cybersecurity talent to more proactively get ahead of the next generation of threats. 

**About the Author**

Chief Trust Officer, NinjaOne

Mike Arrowsmith is the Chief Trust Officer at Ninjaone where he leads the organization’s IT, security, and support infrastructure to ensure NinjaOne meets customers’ security and data privacy demands as it scales. Prior to NinjaOne, Arrowsmith held top security roles at Guardant Health and Splunk, where he focused on managing and scaling IT and security teams. Arrowsmith brings a deep understanding of how high-value, fast-growth companies can navigate security challenges, embed a culture of security, and bake in data ethics to everything they do. Most of all, Arrowsmith has an unrelenting focus on customer experiences and is heavily involved in product development at NinjaOne, bringing a "company zero" mentality to his team.

Strengthening Our National Security in the AI Era

At Black Hat and DEF CON, cybersecurity experts were asked to game out how Taiwan could protect its communications and power infrastructure in case of invasion by China.

Source: Kevin M. Law via Alamy Stock Photo

If China attacked Taiwan, how could Taiwan defend its critical communications infrastructure from cyberattack?

Last year, Dr. Nina A. Kollars and Jason Vogt — both associate professors at the US Naval War College (USNWC) Cyber and Innovation Policy Institute (CIPI) — designed a war game to inspire some novel strategies. They enlisted government and private sector cybersecurity experts at Black Hat and DEF CON to participate, and presented the results at ShmooCon earlier this month.

The scenario was this:

August 6, 2030. Relations between the PRC and Taiwan had deteriorated to the breaking point due to the re-election of a liberal, pro-independence party. Rhetoric towards independence was at an all-time high, and several government representatives had openly called for UN recognition of Taiwan as an independent state. The Central Committee of the Communist Party (CCCP) decided that the risk of Taiwan declaring independence was high enough to warrant military intervention. They began preparations for an invasion. With little chance of surprise, the PRC decided to do their utmost to disrupt Taiwan’s military and civilian communications prior to the assault.

The experts came up with 65 ways Taiwan's government could prepare for such a war, ranging from the low tech, like using ham radio when mobile networks go down, to the ambitious, such as investing in modular nuclear reactors or tidal power generation, to the outlandish, for example using civilians or cultural artifacts as deterrents against military strikes.

Related:Thai Police Systems Under Fire From 'Yokai' Backdoor

**Taiwan's Unique Indefensibility**

In designing the war game, "We put very specific emphasis on what we call the 'Zelensky playbook,'" Kollars says. Ukrainian President Volodymyr Zelensky made certain that communications could occur between his own people and the capital, and between the capital and the rest of the world. "We went into designing the war game specifically to answer the question: Could the Taiwanese play Zelensky? Even under any kind of duress, could they find a way to keep communicating?"

What was clear early on is that political and geographic factors make Taiwan much more vulnerable to blockade. Ukraine is in mainland Europe, with a long border through which it can receive resources of one kind or another — fuel, Internet connectivity, and food, for example. Taiwan's highly connected populus is served by 16 undersea cables, three of which run through China, making them eminently cuttable. Meanwhile, it imports nearly all of its energy from overseas, and has been phasing out domestic nuclear power, which might otherwise provide a balance. "So pretty quickly you get this pretty dire picture, where it's just a fundamentally different kind of battle," Kollars explains.

Related:Russian FSB Hackers Breach Pakistani APT Storm-0156

"Taiwan is in a very vulnerable position because of its geography, but also because of a million little micro-decisions, which ultimately give you the telecommunications and power system that you have," Vogt says. At the time of Russia's invasion, "Ukraine had a much more diverse set of mobile providers, and the power was much more distributed — there's a lot more connections to other countries. So the Russians were probably never in a position where they could digitally isolate Ukraine, writ large. They tried to do it to the capital, but it was always going to be very hard for them. I think in the Taiwan–China scenario, China has the potential to be much more damaging."

**How to Defend Taiwan from China**

Initially, players devised strategies to combat aggressive but ultimately tempered cyberwarfare: ransomware attacks against data centers, severed submarine fiber optic cables, and forced power outages. Only then did China kick up its game with kinetic strikes, including PRC strikes on Taiwanes aircraft and ensuring that nothing can fly in Taiwanese airspace. In the scenario, PRC also destroyed bridges and key routes to coastal defenses, while also targeting Taiwan's command-and-control systems and all manner of communications systems.

Related:Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel

How could a small island nation possibly protect its infrastructure against the combined might of the world's second greatest military power?

More than two-thirds (70%) of the solutions proposed by players involved investing in infrastructure for communications, power generation, storage, and data backup and distribution. Some 20% of the ideas focused on recovery — preparing civilians with technical skills, and stockpiling spare resources, for example. Only 10% of recommendations focused on straight cybersecurity.

The physical location of critical resources was also of utmost importance. Some suggested that Taiwan take advantage of its geography by building and stockpiling equipment along its far coast, in forests, and nestled in its eastern mountain range. Some suggested decentralizing its infrastructure, spreading it out in smaller chunks all around the country using solar power and cheap radio systems. Others argued for the opposite: concentrating communications and power systems in fewer, denser areas that China might be reticent to destroy.

"There were some ideas I thought, from a military perspective, were pretty risky," Kollars admits. "One of them was to colocate all of Taiwan's precious assets — like the TSMC semiconductor plant, all of its antiquities from China, large populations, and a nuclear power plant — assuming an adversary wouldn't strike a target that had everything stacked on top of it. That's a heck of a gamble."

Ultimately, the most popular ideas were those that were cheap and practical, like using Bluetooth or Raspberry Pi mesh networks as backups to cellular connectivity. "The thing that surprised us most about this exercise," Vogt recalls, "was how much time they spent talking about the civilian population, and what needed to be done to prepare them: everything from public messaging campaigns on how to be cyber secure to full-on training programs to create civilian cyber cores that could not just protect themselves but also operate and maintain equipment when there's no government around, and keep the communications going for longer periods of time."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

War Game Pits China Against Taiwan in All-Out Cyberwar

The first team to successfully hack the electric vehicle maker's charger won $50,000 for their ingenuity.

Source: VDWI Automotive via Alamy Stock Photo

NEWS BRIEF

Researchers at the this year's Pwn2Own Automotive hacking contest successfully hacked Tesla's wall connector electric vehicle (EV) charger.

The annual contest focuses on hacking automotive technologies during the Automotive World tradeshow in Tokyo. The contest allows researchers to target car operating systems, electric vehicles, chargers, and infotainment systems in vehicles to uncover hidden vulnerabilities and potential threats.

Zero Day Initiative said the PHP Hooligans used a "numeric range comparison without minimum check" zero-day bug to take over the EV charger and crash it. This feat earned them $50,000 in prize money and five Master of Pwn points.

Right behind them was Synacktic, which hacked the Tesla EV charger through the charging connector.

The PHP Hooligans also exploited 23 other zero-day vulnerabilities in WOLFBOX, ChargePoint Home Flex, Autel MaxiCharger, Phoenix Contact CHARX, and EMPORIA EV chargers.

On day two of the contest, Trend Micro's Zero Day Initiative paid out $718,250 in rewards to onsite security researchers who discovered 39 unique zero-days.

Sina Kheirkhah is currently leading the Pwn2Own contest with 24.5 points, followed by Synacktiv in second place, and PHP Hooligans in third.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Tesla Gear Gets Hacked Multiple Times in Pwn2Own Contests

PRESS RELEASE

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Defense Advanced Research Projects Agency (DARPA), the Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E), and the National Security Agency (NSA), published Closing the Software Understanding Gap that calls for decisive and coordinated action by the U.S. government to obtain a deep, scalable understanding of software-controlled systems. Specifically, the report calls for software-controlled systems that can be assessed to verify functionality, safety, and security across all conditions, which is currently not available.

Mission owners and operators lack adequate capabilities for software understanding because technology manufacturers build software that greatly outstrips the ability to understand it. The inadequate understanding leads to exploited software vulnerabilities because technology manufacturers create software that is not secure by design.

“Recent discoveries of adversarial state-sponsored activity in US critical infrastructure – primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems – pose imminent threats to US national security. The software understanding gap exacerbates the risk to this threat activity,” said CISA Technical Director Chris Butera. “Mission owners and operators have an enormous and accelerating dependence on the software underwriting U.S. critical infrastructure. With our partners, we urge the USG to close this gap before other nations and urge software manufactures to align to Secure by Design principles.” 

The report highlights potential solutions to change the security posture of legacy and future software. One example is the application of mathematically rigorous techniques known as formal methods. For a long time, formally verified software has seemed hopelessly out of reach, but advances by DARPA and others over the past decade have made formal approaches more accessible for mainstream practice.

“We have the tools today to greatly reduce the number of software vulnerabilities that plague our software infrastructure,” said DARPA’s Information Innovation Office Director, Kathleen Fisher. “Rapid action to implement these tools in legacy and future systems can dramatically reduce the United States’ cyber vulnerabilities ahead of future global conflicts.”

This report also provides recommendations to obtain a deep, scalable understanding of software-controlled systems, including AI-based systems. By providing an adequate capacity for software understanding, the United States will secure an advantage in geopolitics for the foreseeable future and will help harden critical infrastructure against state-sponsored activity.

This report highlights the enduring broad government coordination required to create the capabilities to address these threats.

For more information on Secure by Design, visit Secure by Design webpage.

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

You May Also Like

CISA Calls For Action to Close the Software Understanding Gap

PRESS RELEASE

LONDON, Jan. 20, 2025 /PRNewswire/ -- A new survey from Omdia reveals that phishing scams are the leading security threat for smartphone users, with 24% of respondents reporting they have fallen victim to these attacks. Phishing, which includes fraudulent texts, emails, or calls designed to trick individuals into revealing sensitive personal information, remains a significant concern as cybercriminals continue to exploit unsuspecting consumers.

Omdia surveyed 1,572 consumers across the Americas, Asia & Oceania, and Europe in October 2024 for the fourth annual Omdia Mobile Device Security Scorecard. The survey found that the next most common security issue was malware and viruses, followed by physical theft, such as pickpocketing, mugging, or snatching.

In Omdia's recent assessment of leading premium smartphones, Google's Pixel 9 Pro and Samsung's Galaxy S24 outperformed Apple's iPhone 16 Pro and other Android-based devices, including the OnePlus 12, Xiaomi 14, and Honor Magic 6 Pro. Anti-phishing protection proved to be a weak spot across all devices, as none successfully intercepted all phishing texts, calls and emails.  

Simulated spam calls revealed that all Android devices from Google, Xiaomi, OnePlus, Honor, and Samsung successfully flagged suspected spam calls before users answered, while the iPhone 16 Pro lacked similar voice call protection. 

None of the tested devices fully No device flagged simulated phishing emails from Gmail as phishing, only identifying them as spam when sent from Google's SMTP. 

Despite gaps in detecting phishing texts and emails, devices with Google Safe Browsing protections successfully blocked the link from opening, displaying a warning screen and requiring user confirmation to proceed. Performance across browsers varied significantly: Samsung Internet effectively blocked most links, including advanced custom URLs, while Xiaomi Mii and OnePlus Internet browsers failed to warn users about known malicious links, underscoring inconsistencies in Android device's security.

"The lack of security protection, particularly against the growing threat of phishing attacks, is eroding consumer trust," said Omdia Senior Analyst, Aaron West. "When consumers were asked if their trust following a security issue increased (due to how well the issue was handled) or decreased, 73% reported they had reduced trust in the smartphone brand and operating system developer."  

"Despite the latest protections in place by some manufacturers, it is difficult to protect 100% against phishing attempts, highlighting the severity of the issue and potential impact to consumers. That said, smartphone manufacturers can (demonstrated by the more advanced phishing protection capabilities available) and should have a better baseline of phishing protection – such as voice call protection, and all Android devices making use of Google's Safe Browsing protections," said Hollie Hennessy, Principal Analyst, Omdia. "This needs to be paired with awareness activity from manufacturers and the wider industry to help consumers be vigilant and prepared".

ABOUT OMDIA

Omdia, part of Informa TechTarget, Inc. (Nasdaq: TTGT), is a technology research and advisory group. Our deep knowledge of tech markets combined with our actionable insights empower organizations to make smart growth decisions.

Omdia Finds Phishing Attacks Top Smartphone Security Concern for Consumers

PRESS RELEASE

AUSTIN, TX, Jan. 21, 2025 (GLOBE NEWSWIRE) -- Automox launches FastAgent, a breakthrough in modern agent technology designed to deliver unprecedented speed, reliability, and control for IT professionals. 

With reimagined communication protocols, infrastructure, and user-facing functionality, FastAgent modernizes endpoint management to meet the evolving demands of secure enterprise environments.

"FastAgent represents a significant leap forward for IT teams seeking uncompromising reliability and empowered endpoint control," said Jason Kikta, CISO/VP of Product at Automox. "This innovation demonstrates our commitment to simplifying IT operations without sacrificing security or speed."

Key Innovations of FastAgent:

*   Industry-Leading Reliability: Agent-aware command tracking and hyper-efficient backend communication protocols ensure consistent, secure, device-centric management across Windows, macOS, and Linux systems. Persistent outgoing response queuing enables the agent to operate intelligently, even in high-traffic or intermittent connectivity situations. 
    
*   Unparalleled Scalability and Control: FastAgent enhances reliability without compromising security policies. With dynamic reconnection delay, configuration IT teams can tailor agent reconnection attempts for environments with strict network policies, such as those using network access control (NAC) solutions, to maximize reliability and connectivity between Automox and devices. 
    
*   Intuitive User Experience with Automox Tray: Automox Tray provides end users with an intuitive, familiar, and friendly interface for managing system updates and device reboots. This innovative experience maintains security SLAs while delivering transparency and control to end users. 
    

FastAgent's advanced capabilities are built to scale, offering IT decision-makers certainty in maintaining secure, efficient, and consistent configurations across all their Windows, macOS, and Linux endpoints.

Up Next: End-User Empowerment with Automox Tray

Automox Tray redefines the end-user experience between IT and the workforce with an approachable, modern notification system for Windows, macOS, and third-party updates. IT teams can implement deadline-based notifications to streamline updates and reboot processes while ensuring business-critical systems stay compliant and secure.

Enhanced IT Efficiency with Automox FastAgent

FastAgent brings a comprehensive set of industry-leading capabilities:

1.  Redesigned Backend Protocols ensure scalability and low latency. 
    
2.  Persistent Response Queuing enables command delivery under any network condition. 
    
3.  Enhanced Security Controls allow configurable reconnection delays to improve stability in highly controlled environments. 
    

By combining enhanced functionality with industry-leading automation, FastAgent empowers organizations to address key IT challenges, maintain compliance, and improve operational efficiency.

About Automox

Automox is the IT automation platform for modern organizations. Policy-driven human-controlled automation empowers IT professionals to prove vulnerabilities are fixed, slash cost and complexity, win back hours in their days, and delight end users. 360+ Automox Worklet automation scripts make it easy for IT to save time, reduce risk, and thoughtfully automate OS, third-party software, and configuration updates on Windows, macOS, and Linux desktops, laptops, and servers.

Join thousands of IT heroes automating confidence across millions of endpoints with Automox. Learn more at www.automox.com, connect with the Automox Community, or connect with us on Twitter/X, Threads, LinkedIn, Facebook, Reddit, or Instagram.

Automox Releases Endpoint Management With FastAgent

PRESS RELEASE

FRISCO, Texas, January 21, 2025 – Netwrix, a vendor specializing in cybersecurity solutions focused on data and identity threats, surveyed 1,309 IT and security professionals globally and today released findings for the healthcare sector based on the data collected.

It reveals that 84% of organizations in the healthcare sector spotted a cyberattack on their infrastructure within the last 12 months. Phishing was the most common type of incident experienced on premises, similar to other industries. Account compromise topped the list for cloud attacks: 74% of healthcare organizations that spotted a cyberattack reported user or admin account compromise.

“Healthcare workers regularly communicate with many people they do not know — patients, laboratory assistants, external auditors and more — so properly vetting every message is a huge burden. Plus, they do not realize how critical it is to be cautious, since security awareness training often takes a back seat to the urgent work of taking care of patients. Combined, these factors can lead to a higher rate of security incidents,” says Dirk Schrader, VP of Security Research and Field CISO EMEA at Netwrix.

A cyberattack resulted in financial damage for 69% of healthcare organizations, compared to 60% among other industries. One in five healthcare organizations that suffered an attack experienced a change in senior leadership (21%) or lawsuits (19%) as a result, compared to 13% for each of these outcomes among all industries surveyed.

“Due to the sensitivity of the protected health information (PHI) data, breaches can cause severe concerns among the general public and various stakeholders. On top of that, healthcare is a highly regulated industry where organizations face strict penalties for non-compliance. Together, these factors lead to a higher-than-average likelihood of lawsuits. At the same time, organizations can feel pressured to change IT or even executive leadership to signal their commitment to addressing security issues and rebuilding trust,” says Ilia Sotnikov, Security Strategist at Netwrix.

Learn more about how the healthcare sector can thwart attacks here. 

About Netwrix  

Netwrix champions cybersecurity to ensure a brighter digital future for any organization. Netwrix's innovative solutions safeguard data, identities, and infrastructure reducing both the risk and impact of a breach for more than 13,500 organizations across 100+ countries. Netwrix empowers security professionals to face digital threats with confidence by enabling them to identify and protect sensitive data as well as to detect, respond to, and recover from attacks.

For more information, visit www.netwrix.com.

You May Also Like

Source

DARKReading