Companies that recognize current market opportunities — from the need to safely implement revolutionary technology like AI to the vast proliferation of cyber threats — have remarkable growth prospects.

Source" Brian Jackson via Alamy Stock Photo

Companies have never faced a wider and more dynamic array of cyber threats than they do right now. From rapidly rising costs associated with data breaches and other cyberattacks to the exploitation of artificial intelligence (AI) to make attacks more effective than ever, the cyber-threat landscape is constantly evolving. This has led to a drastic increase in cybersecurity spending, as well as a wave of innovation in the sector.

As cyberattacks become more targeted and sophisticated, there is a vast and growing market for solutions that help companies address their most vulnerable attack vectors. For example, cybercriminals often steal account names, passwords, and other credentials to launch attacks, which is why identity and access management have become key priorities for companies across many industries. Cybercriminals are also using AI resources such as LLMs to target employees with advanced social engineering attacks that allow them to infiltrate secure networks and steal information.

Cybercriminals and other bad actors such as hostile foreign governments are more motivated than ever to develop powerful cyber capabilities that enable them to hijack data, disrupt operations, and bypass existing cybersecurity protocols. This trend will only gain momentum, and revolutionary technology like AI will function as a force multiplier that makes cyberattacks more destructive and difficult to detect. This is why the cybersecurity industry will continue to see unprecedented demand and investment in the coming years.

**A New Era of Cyberattacks**

Companies are investing heavily in cybersecurity — according to a PwC survey, 77% of companies plan to increase their cyber budgets, while Gartner has projected that information security spending will spike by 15% in 2025. However, these investments haven't yet turned the tide against the onslaught of cyberattacks that are inflicting increasingly severe financial, reputational, and operational costs on companies. A 2024 IBM report found that the average cost of a data breach hit $4.88 million globally this year, a record high and a 10% increase from 2023.

The 2024 Allianz Risk Barometer found that cyber incidents are the top global business risk for the "first time and by a clear margin" — a finding that applies to companies of all sizes. AI is a key driver of this trend, as it has lowered the barriers to entry for cybercriminals around the world. For example, large language models (LLMs) allow cybercriminals to launch advanced phishing attacks regardless of their language skills or technical ability. Hostile foreign governments are using AI to launch cyberattacks as well — Microsoft reported that Russia, North Korea, and China are all using AI for surveillance, scripting, and social engineering.

As cyber threats become more dangerous and dynamic, the market for robust solutions will continue to expand. Companies in the sector will have to leverage emerging technology like AI and develop cybersecurity solutions that address specific vulnerabilities more effectively than their competitors.

**Opportunities in the Cybersecurity Market**

The cybersecurity industry has seen significant fragmentation in recent years as the demand for specialized solutions increases. Particular categories of cyberattacks, such as phishing, call for targeted solutions capable of countering the latest cybercriminal tactics. IBM reported that phishing is one of the most common and financially destructive initial attack vectors, which means cybercriminals are using it to gain access and launch broader cyberattacks. A major goal of phishing attacks is credential theft, which is why stolen or compromised credentials are involved in initial attacks more often than any other individual factor.

Companies like Strata help customers resist phishing attacks and other forms of credential theft with holistic identity and access management solutions. The reliance on legacy systems is one of the most urgent cybersecurity challenges many companies face — a challenge that has become all the more daunting due to the growing risk posed by third-party vendors and other partners. Supply chain cyberattacks are becoming increasingly common — Verizon found that there was a 68% increase in "supply chain interconnection" involved in breaches between 2023 and 2024.

Integrated cybersecurity solutions are critical, as cybercriminals and other bad actors need only  a single access point to infiltrate an organization. Solutions that help customers modernize their cybersecurity infrastructure for the evolving cyber-threat landscape are becoming more vital. Chief information security officers (CISOs) and other cybersecurity leaders need access to simplified solutions that break down silos between IT and security teams, meet increasingly stringent compliance demands, and help them evaluate and address vulnerabilities.

**Maximizing the Impact of Emerging Technology**

While AI is propelling a new wave of cyberattacks, it can also be harnessed to keep companies safer. Companies can use AI to simulate cyberattacks, detect malicious activity, prioritize cyber threats and potential vulnerabilities, and protect data across many different environments. However, AI still faces significant trust issues, due to problems like hallucinations (when LLMs present false information as accurate) and the existence of "black box" machine learning algorithms that don't provide any transparency into their decision-making processes.

According to a recent survey of 6,000 knowledge workers, 54% of AI users don't trust the data used to train AI systems — and more than two-thirds of these workers say they're hesitant to adopt AI. Meanwhile, laws and regulations around AI are becoming stricter all the time. For example, the EU AI Act requires companies to mitigate systemic risks, report cyber incidents, and focus on cybersecurity in their AI implementations.

While the AI trust gap is hindering adoption of the technology and regulations are becoming tougher, this opens a market for companies that provide end-to-end AI governance. At a time when AI adoption is skyrocketing, companies need the infrastructure necessary to ensure compliance and monitor AI systems for potential cyber threats. IBM found that 82% of executives believe "secure and trustworthy AI is essential to the success of their business," but less than a quarter of generative AI projects are being secured.

From the need to safely implement technology like AI to the vast proliferation of cyber threats (many of which are being powered by that very same technology), the cybersecurity industry has reached an inflection point. The companies that recognize these market opportunities have remarkable growth prospects in the coming years.

**About the Author**

General Partner, Titanium Ventures

Marcus Bartram is General Partner at Titanium Ventures (former Telstra Ventures), a San Francisco-based VC firm that differentiates by generating revenue for its portfolio with strategic channel partners and customer relationships as well as by using data science to drive its investment process. Marcus is on the founding team and has led investments in cybersecurity companies like CrowdStrike, Auth0, Anomali, Cequence, CloudKnox, Cofense, CyberGRX, Elastica, vArmour, and Zimperium.

Why the Demand for Cybersecurity Innovation Is Surging

The voluntary recommendations from the Department of Homeland Security cover how artificial intelligence should be used in the power grid, water system, air travel network, healthcare, and other pieces of critical infrastructure.

Source: GK Images via Alamy Stock Photo

The US Department of Homeland Security (DHS) has released recommendations that outline how to securely develop and deploy artificial intelligence (AI) in critical infrastructure. The recommendations apply to all players in the AI supply chain, starting with cloud and compute infrastructure providers, to AI developers, and all the way to critical infrastructure owners and operators. Recommendations for civil society and public-sector organizations are also provided.

The voluntary recommendations in "Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure" look at each of the roles across five key areas: securing environments, driving responsible model and system design, implementing data governance, ensuring safe and secure deployment, and monitoring performance and impact. There are also technical and process recommendations to enhance the safety, security, and trustworthiness of AI systems.

AI is already being used for resilience and risk mitigation across sectors, DHS said in a release, such as AI applications for earthquake detection, stabilizing power grids, and sorting mail.

The framework looks at each role's responsibilities:

*   Cloud and compute infrastructure providers need to vet their hardware and software supply chain, implement strong access management, and protect the physical security of data centers powering AI systems. The framework also has recommendations on supporting downstream customers and processes by monitoring for anomalous activity and establishing clear processes for reporting suspicious and harmful activities.
    
*   AI developers should adopt a secure by design approach, evaluate dangerous capabilities of AI models, and "ensure model alignment with human-centric values." The framework further encourages AI developers to implement strong privacy practices; conduct evaluations that test for possible biases, failure modes, and vulnerabilities; and support independent assessments for models that present heightened risks to critical infrastructure systems and their consumers.
    
*   Critical infrastructure owners and operators should deploy AI systems securely, including maintaining strong cybersecurity practices that account for AI-related risks, protecting customer data when fine-tuning AI products, and providing meaningful transparency regarding their use of AI to provide goods, services, or benefits to the public.
    
*   Civil society, including universities, research institutions, and consumer advocates engaged on issues of AI safety and security, should continue working on standards development alongside government and industry, as well as research on AI evaluations that considers critical infrastructure use cases.
    
*   Public sector entities, including federal, state, local, tribal, and territorial governments, should advance standards of practice for AI safety and security through statutory and regulatory action.
    

"The framework, if widely adopted, will go a long way to better ensure the safety and security of critical services that deliver clean water, consistent power, Internet access, and more," said DHS secretary Alejandro N. Mayorkas, in a statement.

The DHS framework proposes a model of shared and separate responsibilities for the safe and secure use of AI in critical infrastructure. It also relies on existing risk frameworks to enable entities to evaluate whether using AI for certain systems or applications carries severe risks that could cause harm.

"We intend the framework to be, frankly, a living document and to change as developments in the industry change as well," Mayorkas said during a media call.

DHS Releases Secure AI Framework for Critical Infrastructure

Email at many organizations has stopped working; the tech giant has advised users who are facing the issue to uninstall the updates so that it can address flaw.

Source: Eric D ricochet69 via Alamy Stock Photo

Microsoft pulled its November 2024 Exchange security updates that it released earlier this month for Patch Tuesday due to them breaking email delivery.

This decision came after there were reports from admins saying that email had stopped flowing altogether.

The issue affects Microsoft Exchange customers who use transport rules, or mail flow rules, as well as data loss protection rules. The mail flow rules filter and redirect emails in transit, while the data loss protection rules ensure that sensitive information isn't being shared via email to an outside organization.

According to Microsoft, some customers found that the mail flow rules stopped periodically after they installed the update. It is now advising admins who are noticing this issue to uninstall the November security updates entirely until they're re-released.

"We are continuing the investigation and are working on a permanent fix to address this issue," Microsoft stated in an update regarding the issue. "We will release it when ready. We have also paused the rollout of November 2024 SU to Windows / Microsoft Update. Customers who might not use Transport or DLP rules and did not run into the issue with rules, can continue using the November SU update."

**About the Author**

Microsoft Pulls Exchange Patches Amid Mail Flow Issues

According to Mozilla, users have a lot more power to manipulate ChatGPT than they might realize. OpenAI hopes those manipulations remain within a clearly delineated sandbox.

Source: mundissima via Alamy Stock Photo

ChatGPT exposes significant data pertaining to its instructions, history, and the files it runs on, placing public GPTs at risk of sensitive data exposure, and raising questions about OpenAI's security on the whole.

The world's leading AI chatbot is more malleable and multifunctional than most people realize. With some specific prompt engineering, users can execute commands almost like one would in a shell, upload and manage files as they would in an operating system, and access the inner workings of the large language model (LLM) it runs on: the data, instructions, and configurations that influence its outputs.

OpenAI argues that this is all by design, but Marco Figueroa, a generative AI (GenAI) bug-bounty programs manager at Mozilla who has uncovered prompt-injection concerns before in ChatGPT, disagrees.

"They're not documented features," he says. "I think this is a pure design flaw. It's a matter of time until something happens, and some zero-day is found," by virtue of the data leakage.

**Prompt Injection: What ChatGPT Will Tell You**

Figueroa didn't set out to expose the guts of ChatGPT. "I wanted to refactor some Python code, and I stumbled upon this," he recalls. When he asked the model to refactor his code, it returned an unexpected response: directory not found. "That's odd, right? It's like a \[glitch in\] the Matrix."

Related:Microsoft Pulls Exchange Patches Amid Mail Flow Issues

Was ChatGPT processing his request using more than just its general understanding of programming? Was there some kind of file system hidden underneath it? After some brainstorming, he thought of a follow-up prompt that might help elucidate the matter: "list files /", an English translation of the Linux command "ls /".

In response, ChatGPT provided a list of its files and directories: common Linux ones like "bin", "dev", "tmp", "sys", etc. Evidently, Figueroa says, ChatGPT runs on the Linux distribution "Debian Bookworm," within a containerized environment.

By probing the bot's internal file system — and in particular, the directory "/home/sandbox/.openai\_internal/" — he discovered that besides just observing, he could also upload files, verify their location, move them around, and execute them.

**OpenAI Access: Feature or Flaw?**

In a certain light, all of this added visibility and functionality is a positive — offering even more ways for users to customize and level up how they use ChatGPT, and enhancing OpenAI's reputation for transparency and trustworthiness.

Indeed, the risk that a user could really do anything malicious here — say, upload and execute a malicious Python script — is softened by the fact that ChatGPT runs in a sandboxed environment. Anything a user can do will, in theory, be limited only to their specific environment, strictly cordoned off from any of OpenAI's broader infrastructure and most sensitive data.

Related:Trump 2.0 May Mean Fewer Cybersecurity Regs, Shift in Threats

Figueroa warns, though, that the extent of information ChatGPT leaks via prompt injection might one day help hackers find zero-day vulnerabilities, and break out of their sandboxes. "The reason why I stumbled onto everything I did was because of an error. This is what hackers do \[to find bugs\]," he says. And if trial and error doesn't work for them, he adds, "the LLM could assist you in figuring out how to get through it."

In an email to Dark Reading, a representative of OpenAI reaffirmed that it does not consider any of this a vulnerability, or otherwise unexpected behavior, and claimed that there were "technical inaccuracies" in Figueroa's research. Dark Reading has followed up for more specific information.

**The More Immediate Risk: Reverse-Engineering**

There is one risk here, however, that isn't so abstract.

Besides standard Linux files, ChatGPT also allows its users to access and extract much more actionable information. With the right prompts, they can unearth its internal instructions — the rules and guidelines that shape the model's behavior. And even deeper down, they can access its knowledge data: the foundational structure and guidelines that define how the model "thinks," and interacts with users.

Related:Cloud Ransomware Flexes Fresh Scripts Against Web Apps

On one hand, users might be grateful to have such a clear view into how ChatGPT operates, including how it handles safety and ethical concerns. On the other hand, this insight could potentially help bad actors reverse engineer those guardrails, and better engineer malicious prompts.

Worse still is what this means for the millions of custom GPTs available in the ChatGPT store today. Users have designed custom ChatGPT models with focuses in programming, security, research, and more, and the instructions and data that gives them their particular flavor is accessible to anyone who feeds them the right prompts.

"People have put secure data and information from their organizations into these GPTs, thinking it's not available to everyone. I think that is an issue, because it's not explicitly clear that your data potentially could be accessed," Figueroa says.

In an email to Dark Reading, an OpenAI representative pointed to GPT Builder documentation, which warns developers about the risk: "Don't include information you do not want the user to know" it reads, and flags its user interface, which warns, "if you upload files under Knowledge, conversations with your GPT may include file contents. Files can be downloaded when Code Interpreter is enabled."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

ChatGPT Exposes Its Instructions, Knowledge &amp; OS Files

In the future, the cybersecurity landscape likely will depend not only on the ability of federal workforces to protect their agencies but also on their capacity to continuously develop and sharpen those skills.

Tony Holmes, Practice Lead, Practice Lead for Solutions Architects in the Public Sector, Pluralsight

November 15, 2024

4 Min Read

Source: Stuart Miles via Alamy Stock Photo

COMMENTARY

The public sector is facing a security crisis. The acceleration of deepfake videos, AI-generated threats, and nation-state cyberattacks has put the federal government under increasing pressure to protect its employees, agencies, and the general public. Last year, the FBI, the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) released details on the "growing challenge" that deepfake threats present to a range of federal agencies. 

According to the three groups, "threats from synthetic media such as deepfakes have exponentially increased — presenting a growing challenge for users of modern technology and communications." In addition to national critical infrastructure owners and operators, these users include the National Security Systems, the Department of Defense, and the Defense Industrial Base.  

What's more, in 2023, the NSA reported that deepfake threats pose "a new set of challenges to national security." According to the NSA, "organizations and their employees need to learn to recognize deepfake tradecraft and techniques and have a plan in place to respond and minimize impact if they come under attack." 

Effectively managing the combination of cyber threats, misinformation, and disinformation requires coordination across federal agencies. The workforce within these agencies must possess the most up-to-date cybersecurity skills possible. Agencies can position themselves to future-proof cybersecurity strategies and maintain an advantage against threats by training teams on how to outmaneuver malicious actors. Regularly practicing simulated cyberattacks and leveraging predetermined incident response plans to mitigate breaches is crucial.  

**The Public Sector's Cyber-AI Skills Gap **

Against the backdrop of this intricate threat landscape, federal agencies need tech-proficient employees with a unique set of skills to ensure protection. As 90% of surveyed IT leaders said they don't completely understand their teams' AI skills and proficiency, there is a clear need for agencies to take action. By promoting training to improve team members' confidence and enhance their skills, leaders can engage themselves in the process and better understand the workforce's strengths and weaknesses. 

As the country transitions into the post-election period, deepfake threats remain a pressing concern, capable of shaping public perceptions through deceptive content. Federal employees and the agencies they serve must continue to bolster defenses against this and other cyber threats by prioritizing strategic skills development and training. 

These programs should consider existing proficiencies their teams possess and also foresee what skills are necessary to mitigate threats that may be detrimental to their agencies and the voting public. Agencies can arm their technologists with the tools they need to stay one step ahead of threats by prioritizing skills and implementing active, enterprisewide cybersecurity measures.  

Efforts to combat cyberattacks at the federal level coincide with the federal government's campaign to promote high-tech career paths across all of its agencies to address tech talent shortages. Last year, the Biden administration launched its National AI Talent Surge to fill open agency positions by recruiting technology professionals who can "bring their experience, expertise, and vision into government." This program brings the deficit of skilled technologists in the public sector into sharp focus.  

**Agency Workforces Need the Skills to Be Vigilant Against Attacks**

As cyber threats against government organizations continue, it's critical that agency workforces have the skills they need to recognize threats, and have the know-how to respond when an attack occurs. Earlier this year, Ashley Manning, the US assistant secretary of defense for cyber policy, told a congressional subcommittee about measures the Department of Defense is taking to counter cyber threats.  

According to Manning, the US faces cyber challenges, including China's targeting of US networks in prolonged espionage campaigns, Russia's use of cyberspace to target critical infrastructure networks, and for-profit cybercriminals who target an array of vulnerable sectors with ransomware attacks that impact American citizens.  

To guard against cyberattacks, federal agencies must take a holistic approach to ensuring that their teams have the skills to keep their networks and data secure. This includes addressing skills gaps in the workforce, leveraging best practices in cybersecurity, and creating a culture of continuous learning and upskilling. By arming their teams with the best possible defense against threats, agency leaders can empower employees to counteract cyberattacks effectively.  

**Create an Enterprisewide Knowledge Base to Ensure Cybersecurity**

It's critical for agencies to better understand their teams' current cybersecurity knowledge by benchmarking the skill sets of their workforce. Training resources that align with their skills gaps and technologists' needs include providing content created by industry experts, tracking skill acquisition, creating forums or community support, and providing hands-on labs. By implementing individualized learning programs that ensure every employee receives the necessary training, agencies can build a workforce equipped with the skills needed to keep their networks and data as secure as possible. 

**About the Author**

Practice Lead, Practice Lead for Solutions Architects in the Public Sector, Pluralsight

Pathological problem solver, and serial question asker, a lifelong student of mental models, experienced in creating innovative solutions where analogical ideas meet rigorous socratic method. For more than two decades Tony Holmes has been solving complex problems for some of the largest, and most forward-thinking technology organizations in the world, including British Broadcasting Corporation, Digital Equipment Corporation, Microsoft Research, Opsware, Hewlett Packard, Oracle, and, currently, Pluralsight, the Technology Skills platform for the Government.

Combating the Rise of Federally Aimed Malicious Intent

A new report from the Open Software Supply Chain Attack Reference (OSC&R) team provides a framework to reduce how much vulnerable software reaches production.

Neatsun Ziv, CEO & Co-Founder, Ox Security

November 15, 2024

5 Min Read

Source: Andrey Kryuchkov via Alamy Stock Photo

COMMENTARY

The complexity of today's software development — a mix of open source and third-party components, as well as internally developed code — has resulted in an abundance of vulnerabilities for attackers to exploit throughout the software supply chain.

We've seen the direct effects of software supply chain attacks in incidents like the MOVEit and SolarWinds breaches, revealing that no industry sector, size of company, or stage of software development is immune. According to a survey from Enterprise Strategy Group (ESG), 91% of organizations experienced at least one software supply chain security incident in 2023, and 2024 hasn't seemed any better.

Security teams are overwhelmed by the task of sorting through, assessing, and prioritizing the mitigation of tens of thousands of alerts to discern those that pose real risk from those that are benign. In 2023, a group of AppSec experts addressed this problem by launching the Open Software Supply Chain Attack Reference (OSC&R), a freely available, MITRE ATT&CK-like framework to help organizations gain a deeper understanding of their software supply chain vulnerabilities.

The OSC&R community's inaugural report, "OSC&R in the Wild: A New Look at the Most Common Software Supply Chain Exposures," offers a comprehensive analysis of the severity of vulnerabilities across the software supply kill chain. Based on a nine-month analysis of over 100 million alerts, tens of thousands of code repositories, and 140,000 real-world applications, it examines the risk to software supply chains and probes the alignment between the vulnerabilities found in the wild and the focus of AppSec teams today.

The research offers some eye-opening statistics, including that 95% of organizations have at least one high, critical, or apocalyptic risk in their software supply chain, with the average organization having nine such issues. What's more, the OSC&R data shows that many of the most common software supply chain vulnerabilities are tied to fundamental security controls, such as authentication, encryption, publicly available information in logs, and the principle of least privilege. Following are some of the most important takeaways from the report.

**1\. Watch for Run-Time Exposure**

One in five applications was found to contain high, critical, or apocalyptic runtime vulnerabilities during the execution phase of an attack. This makes them prime targets for attackers. Because the most significant software vulnerabilities tend to surface in later attack stages, it's crucial to catch issues early in the software development life cycle.

As such, AppSec and DevOps teams should aim to strengthen application runtime security. This can be accomplished by integrating continuous monitoring and real-time protection mechanisms that focus on the later stages of an attack, when the damage potential is greatest.

**2\. It's Worth Fixing Older Vulnerabilities**

While newer vulnerabilities may grab headlines, older vulnerabilities remain the most common attack vectors when it comes to supply chain security. Techniques like command injection (15.4% of applications), sensitive data in log files (12.4% of applications), and cross-site scripting (11.4% of applications) — as well as slow-burn vulnerabilities like CVE-2024-3094, which targeted the compression utility XZ Utils in major Linux distributions — still wreak havoc in unpatched systems. Attackers continue to successfully use historical tactics and techniques, showing that "old school" vulnerabilities present significant and persistent risks.

To counter these tactics and techniques and drive down the opportunity for attack, organizations should regularly review and update legacy systems and codebases to patch known vulnerabilities. Further, implementing a robust vulnerability management program that includes continuous scanning for both old and emerging threats will harden software to known risks.

**3\. Vulnerabilities That Span Multiple Attack Stages Amplify Damage**

In the OSC&R report data analysis, 36% of applications were found to be vulnerable to exploits in the initial access attack stage, with many overlapping across multiple stages of attack. Indeed, vulnerabilities in initial access stages often open the door for more severe threats, such as persistence and execution exploits.

The data underscores the need for AppSec and DevOps team to bolster defenses across all stages of the attack life cycle, not just in initial phases. Organizations should adopt multilayered security solutions that can detect and neutralize threats at various stages of the kill chain to prevent attackers from moving laterally within systems and causing widespread cyber and business damage.

**Next Steps for AppSec Teams**

One of the questions the inaugural OSC&R report sought to answer was whether what AppSec and DevOps teams focus on matched the vulnerabilities found in the wild. The data reveals that this is not yet the case. Progress is being made, but the high volume of vulnerabilities passing through the supply chain into live applications, and the large percentage of organizations that report supply chain security incidents, indicate that greater focus on proactive software security measures is needed.

In addition, organizations need to do a better job of looking systemically at both their software development processes and the attack lifecycle to identify the places most likely to be at risk. But historical data alone is not the answer. Organizations must implement the tools and processes that give them holistic visibility of their supply chain — from the build stage all the way through runtime, and including the development and testing environments, which are occasionally overlooked.

Further, it's clear that focusing on one or two stages of software development or one stage of the attack lifecycle isn't enough. Businesses must adopt a multilayered, full-lifecycle AppSec strategy — accompanied by tools that can unify all stages — to reduce the probability of attack.

Development and security teams now have a reference they can use to map their programs to known attack vectors and tactics. OSC&R, in effect, sets the foundation for operating a streamlined software security program that reduces the number of vulnerabilities that reach production, enhancing the resiliency of the organization as a whole and easing the fears of breach due to software flaws.

**About the Author**

CEO & Co-Founder, Ox Security

Neatsun Ziv is the CEO and Co-Founder of Ox Security, the end-to-end software Active ASPM Platform. Prior to that, he was the VP of Cyber Security at Check Point, where he oversaw all cyber initiatives. His team was one of the first to respond to SolarWinds, NotPetya, and other major attacks, working closely with Interpol, Local CERT, and other enforcement agencies. Neatsun is a passionate and seasoned entrepreneur with vast cybersecurity experience. He served in the IDF Cyber Intelligence Unit and is a frequent speaker at global forums, including RSA and CPX, among others. Neatsun holds a B.Sc. from Israel's Open University (honors) and an MBA from the Technion (Magna Cum Laude).

Lessons From OSC&amp;R on Protecting the Software Supply Chain

Given increased tensions with China over tariffs, companies could see a shift in attacks, but also fewer regulations and a run at a business-friendly federal privacy law.

Source: Anna Moneymaker via Shutterstock

President-elect Donald Trump's return and his promised shift to a more insular foreign policy will likely result in a new set of cyber threats, fewer regulations for most industrial sectors, and possible business-friendly federal privacy legislation, cybersecurity and legal experts say.

The president-elect is moving quickly with nominations for cabinet officials and other high-level appointees. While he named South Dakota Gov. Kristi Noem to lead the Department of Homeland Security, Trump has not yet named a candidate for director of the Cybersecurity and Infrastructure Security Agency (CISA), which leads government cybersecurity efforts.

Overall, however, companies should expect far less emphasis on regulations and more focus on protecting critical infrastructure and technology companies, says Michael Bahar, co-lead of global cybersecurity and data privacy at Eversheds Sutherland, a global legal advisory firm.

"We are going to see — at the federal level — a deprioritization of cybersecurity regulations and cybersecurity enforcement," he says. "One really important exception is where cybersecurity intersects with trade policy and national security and technology. That's actually where you're going to see an increase of enforcement and at least a continuation of the regulatory environment."

Threats will likely shift depending on the changes in foreign policy initiated by the incoming Trump administration. Already, China has become a major concern for its cyber operations in the Asia Pacific, opposing US support for Taiwanese democracy and international opposition to China's claims to large areas of the South China Sea. Trump's stated support for Israeli settlers and for Russia's annexation of parts of Ukraine will also likely drive increasing cyber threats.

With the departure from the policy of the Biden administration, the incoming US government will spur different rivalries, says Lou Steinberg, founder and managing partner of CTM Insights

"As a new administration comes in — and there's a perception that maybe there's more support for Israel over Palestine, or more support for a deal with Russia, and maybe more toe-to-toe \[tensions\] with China — those will result in a different set of motivations, and so a different kind of response," Steinberg says. "We need to realign to the new kinds of threats that come from a new political landscape."

**Administration — and Threats — to Focus on Critical Infrastructure**

The GOP platform hosted on the Trump for President site already prioritizes the safety of critical infrastructure and the industrial base against cyber threats. But that remains the only mention of cyber in the entire document.

The president-elect's support for cybersecurity efforts shifted during his first term. In 2018, he signed the Cybersecurity and Infrastructure Security Agency Act, establishing the agency of the same name to lead efforts to protect critical infrastructure from cyberattack. Yet following his loss in the 2020 election, then President Trump criticized CISA's statement validating the security of the elections and fired then-Director Chris Krebs.

Still, the threat landscape has evolved since then, and in ways that align with the incoming Trump administration's priorities. Both China and Iran are considered larger threats, with a variety of officials pointing to China's effort to establish a network of digital beachheads for a future possible conflict as particularly dangerous.

President-elect Trump's pledge to set high tariffs on Chinese goods will likely increase tensions, and potentially lead to more significant attacks, causing China to shift its covert efforts to overt disruption, says Steinberg.

"If China thinks we're going to engage directly, their response could completely change," he says. "We're likely to see a sustained attack against critical infrastructure — so yes power, yes water, yes communications. We usually think of \[distributed denial-of-service\] attacks as last\[ing\] a couple of days, not months, but the point will be to degrade our ability to respond."

Meanwhile, Iran will likely ramp up efforts against US and Israeli targets, following the president-elect's deep support for Israel. Russia and Iran will likely continue to use disinformation against the US administration, but the approach may change, as both countries are focused on sowing discord, rather than supporting the agenda of one party over another.

**Easing Regulations, but Will It Matter?**

The deprioritization of cybersecurity regulations — and promised efforts to shrink the federal government — will likely lead to less enforcement of cyber regulations against businesses. Yet data-protection and privacy regulations will likely see a shake-up, as states look to bolster privacy and give their attorneys general the ability to pursue violators.

As a result, the US could see federal privacy legislation, says Bahar, who also co-leads Eversheds Sutherland's Congressional Investigations group.

"I think, at the state level, you're going to see an uptick — if that's even possible — of regulatory activity, in large part because there might be a perception that they need to step in to ... 'fill the void,'" he says. "It's actually likely you're going to get a federal privacy law —  a very business-friendly federal privacy law — so that \[companies do not have to deal with\] that patchwork effect of state laws."

In the end, however, easing regulations may not result in less corporate focus on cybersecurity, because the latest cybercriminal attacks often threaten business operations, Steinberg says.

"We've seen more and more companies — even less regulated companies — start to worry about cyberattacks like ransomware," he says. "So do I think a decrease in the regulatory environment might lead to a decrease in cybersecurity investment? Yeah, a little, but probably not in the defense industry, probably not in financial services, and maybe not in healthcare."

With increasing global tensions come increasing dangers, Steinberg says, and most companies will likely not be able to justify cutting budgets in the face of an uncertain threat landscape.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Trump 2.0 May Mean Fewer Cybersecurity Regs, Shift in Threats

The proposed rules codify existing temporary directives requiring pipeline and railroad operators to report cyber incidents and create cyber risk management plans.

The Transportation Security Administration (TSA) has released a Notice of Proposed Rulemaking to establish cyber risk management and reporting practices for pipeline, railroad, bus and other public transportation systems. The proposed rules extends existing cybersecurity framework developed by the National Institute of Standards and Technology as well as the cybersecurity performance goals of the Cybersecurity and Infrastructure Security Agency (CISA).

 The proposed rules, as laid out in the Federal Register on Thursday, would affect "certain pipeline and rail owner/operators," and impose lesser requirements on some types of bus operators. These organizations would be required to establish and maintain comprehensive cyber risk management programs, to report incidents to the Cybersecurity and Infrastructure Security Agency (CISA), and to designate a physical security coordinator and report significant physical security concerns to TSA. The cyber risk management plans will need to include annual cybersecurity evaluations; assessment plans that identify unaddressed vulnerabilities; and a cybersecurity operational implementation plan describing officials in charge of cyber, critical cyber systems and how they are protected, measures in place to detect cyberattacks, and what will be done to address and recover from cyber incidents.

If approved, the new rules would impact just under 300 surface transportation owners/operators regulated by the TSA across freight railroad, passenger railroad, rail transit and pipeline sectors, and would also require the aviation sector to comply. Specifically, the rules would impact 73 of the approximately 620 freight railroads currently operating in the U.S., 34 of the approximately 92 public transportation agencies and passenger railroads, 71 over-the-road bus owners and operators, and 115 of the more than 2,000 pipeline facilities and systems.

"TSA has collaborated closely with its industry partners to increase the cybersecurity resilience of the nation’s critical transportation infrastructure," said TSA Administrator David Pekoske in a statement. "The requirements in the proposed rule seek to build on this collaborative effort and further strengthen the cybersecurity posture of surface transportation stakeholders. We look forward to industry and public input on this proposed regulation."

This is one of the Biden administration’s last efforts to shore up the cybersecurity of critical infrastructure in the wake of the ransomware attack that crippled Colonial Pipeline back in 2021. The proposed rule is open for public comment until February 2, 2025.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

TSA Proposes Cyber Risk Mandates for Pipelines, Transportation Systems

Frenos offers a zero-impact, continuous security assessment platform for operational technology environments.

Source: Zoonar GmbH via Alamy Stock Photo

Continuous security assessment platform newcomer Frenos narrowly edged out the competition to win this year's DataTribe Challenge, held by seed-stage venture capital firm DataTribe.

Four finalists were chosen from hundreds of pre-seed and seed stage cybersecurity and data science startups, and each got to present their case during Wednesday's Challenge Finalists Event. In addition to splitting part of a $25,000 prize, finalists were given the opportunity to present their business to a panel of judges, investors and industry leaders. Finalists also received one-on-one messaging and strategy coaching from DataTribe.

When evaluating the finalists, whether the company has the right team in place — and if they're truly experts in their field — plays a big part, says DataTribe's chief innovation officer Leo Scott. The judges also evaluate the addressable market for each company’s offering and how well they meet that need. 

Frenos, based in Charlotte, N.C., has both.

The startup created a zero-impact, continuous security assessment platform for operational technology environments, giving OT organizations the ability to perform attack simulations and penetration testing. 

"They are truly leading experts in the OT environment," Scott says. "And if you look into the geopolitical landscape, it is a pretty important space, from broad national security to literally keeping the lights on."

The list of finalists include Austin, Tex.-based DataMonstr, New Jersey-based Force Field, and San Francisco-based Validia.

*   DataMonstr provides protection to the developer environment, both at developer endpoints and at the source code repository level. 
    
*   Force Field offers a system to verify the authenticity of photos, videos and audio to reduce fraud in areas like insurance claims. 
    
*   Validia provides real-time identify verification to combat deepfakes and impersonation in remote work environments. 
    

For Brian Proctor, founder and CEO of Frenos, participating in the competition has helped the company on its road to landing seed funding. 

"One of the great things about it, which we really liked, is that every finalist is assigned an advisor from DataTribe. So they really work hand in hand with you to refine the pitch, get feedback on your presentation," says Proctor. "We had an excellent advisor, David, who was part of our team. Honestly, without David, I'm not sure what the outcome would have been. He was a huge help."

DataTribe has invested in eight of the finalists of its six previous competitions, and more than 20 companies have received funding after participating in the competition, Scott says.

Check out what DataTribe's Leo Scott had to say regarding the DataTribe Challenge in this Dark Reading News Desk segment from Black Hat USA 2024.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Frenos Takes Home the Prize at 2024 DataTribe Challenge

Several versions of PostgreSQL are impacted, and customers will need to upgrade in order to patch.

Source: tofino via Alamy Stock Photo

Researchers at Varonis discovered a vulnerability within Postgres language extension PL/Perl, allowing a user to set arbitrary environment variables in PostgreSQL session processes.

The vulnerability was given a CVSS 8.8 score for severity and could lead to severe security issues, depending on the scenario where it's exploited.

Tracked as CVE-2024-10979, the flaw allows a threat actor to modify a sensitive environment, ultimately allowing them to execute arbitrary code without accessing a user of the operating system.

The vulnerability also allows a threat actor to run additional queries to gather information on the machine and its contents.

Versions preceding PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected by this vulnerability and can be mitigated by upgrading to PostgreSQL, "to the latest minor version at a minimum," according to the researchers, as well as restricting allowed extensions.

Postgres customers should also examine ddl logs for creation of functions they do not recognize or did not create themselves to assess if they have been impacted.

**About the Author**

Source

DARKReading