Investment led by Section 32 will be used to scale the product and team.

MOUNTAIN VIEW, Calif., Oct. 11, 2022 — Stairwell, a company that empowers security teams to outsmart any attacker, today announced a $45M Series B capitalization. The funding round was led by Section 32, with additional investments from Sequoia Capital, Accel, Lux Capital, Gradient Ventures, and angel investors Eric Schmidt and Michael Ovitz. This brings Stairwell’s total funding to date to $69.5 million as it looks to scale its flagship product, Inception, to become the most powerful continuous intelligence, detection, and response solution available.

“New vulnerabilities are discovered daily, and continuous monitoring, threat hunting, and response are needed for around-the-clock efforts to secure the enterprise. Our goal is to plug these gaps, while simultaneously strengthening organizations’ overall security stack via capturing, storing, and analyzing all executable files across their environment,” said Mike Wiacek, CEO and Founder of Stairwell. “This Series B reflects the confidence investors feel in Inception and Stairwell’s mission to enable security teams to take back control of their data and stay one step ahead of even the most advanced attackers.”

Following deals with key customers and MSSP partner Cyderes earlier this year, this Series B will enable Stairwell to meet increased demand for new Inception features as malware attacks continue to rise. By scaling the Inception platform, Stairwell will create a more intuitive and integrated experience for increased customer success in securing their organizations against any emerging malware threats, including supply chain attacks.

“The platform Stairwell has built is making a huge impact for security teams, and the company is led by some of the sharpest minds in cybersecurity,” said Andy Harrison, Managing Partner at Section 32. “The power and advanced capabilities of the Inception platform are clear to customers and partners, and it's rare to find a company with such a strong combination of product, engineering, customer focus, and executive leadership.”

This funding will also play a critical role in the expansion of Stairwell’s team. Since the Series B round closed, Stairwell has increased headcount by 100%, with plans to add significantly more employees this year. These hires will include specialized engineers to bring more functionality to Inception as a whole. Notable recent appointments within the company include Brian Lee as Vice President of Marketing and Eric Byrd as Head of Enterprise Sales.

Lee has spent the last decade at Ogilvy working with some of the most famous technology brands in the world, from large Fortune 500 companies (Google, Samsung, Qualcomm, Cummins) to exciting, high-growth start-ups. His vision for Stairwell’s marketing arm is to drive holistic growth for the company, building an enduring brand complemented with a robust marketing machine to drive awareness using the latest technology, data, and techniques.

“As a marketer, the best asset you can have is a good company and product. That’s what initially drew me to Stairwell,” said Lee. “We have a differentiated, innovative product in a category growing in importance. Add to that the incredible pedigree of our team, top investors, and positive business momentum. I knew from my first conversation with Mike Wiacek that I had to be a part of this company’s trajectory as Vice President of Marketing.”

Byrd comes from Red Canary, where he led a team of Senior Enterprise Account Executives across the Northeast and Southeast regions of the United States in securing new customers for security solutions. At Stairwell, Byrd will lead the sales team in identifying Stairwell’s next customers who will make significant strides in their security goals by partnering with the company.

“I've been really lucky to work with many incredible teams, so I've learned what it takes to build a strong security business that continues to improve its capabilities for customers as you grow,” said Byrd. “Understanding what leading security teams expect from their partners has prepared me to deliver exceptional service for Stairwell’s customers so they can take their security teams to new heights.”

For more information on the roles Stairwell is currently hiring for, please visit www.stairwell.com/careers.

**About Stairwell  
**Stairwell helps organizations with security solutions that attackers can't evade. Its Inception platform empowers security teams to outsmart any attacker by providing continuous intelligence, detection, and response. The Inception platform is used by a number of Fortune 500 companies. Stairwell is comprised of security industry leaders and engineers from Google and is backed by Sequoia Capital, Accel, Section 32, Lux Capital, and Gradient Ventures. For more information, visit www.stairwell.com or connect with us on Twitter or LinkedIn.

Stairwell Announces $45M Series B Funding Round

Pen testing solutions to empower businesses to proactively address application security vulnerabilities amid surging threats.

CHICAGO, Oct. 11, 2022 /PRNewswire-PRWeb/ — Today, Outpost24 announced the introduction of its Penetration Testing as a Service (PTaaS) solutions to the North American market to better empower businesses to understand and address threats in their web application attack surface. Outpost24's PTaaS solutions provide companies with on-demand, continuous monitoring, ensuring organizations are fully protected against threats in their application attack surface.

Web application attacks accounted for roughly 70% of security incidents in 2021, making application security a top priority. While penetration testing provides an effective way to detect application flaws before they turn into a serious threat, in the always-on economy, traditional penetration testing is no longer enough. Traditional penetration testing solutions often require long and disruptive set-up times and usually only examine a specific and isolated point in time - insufficient when application code changes multiple times per day.

Outpost24's PTaaS is a modernized approach to penetration testing with continuous, real-time monitoring. Additionally, providing customers with direct access to a team of penetration testers and a knowledge base to address vulnerabilities, it allows IT and development teams to remediate quickly and efficiently, making it well-suited for agile organizations who need a more flexible approach to review and secure web application code at scale. 

"In an agile application development cycle, security is imperative - but it can also be a roadblock," said Eren Cihangir, Product Engineer, Outpost24. "Outpost24 is meeting a critical gap in the market by providing ongoing monitoring to secure applications as they evolve while also saving developers time so they can stay focused on their real priority: Innovation."

Outpost24 PTaaS includes annual or project-based packages depending on an organization's priorities, including:

*   SWAT: Outpost24's flagship PTaaS offering that combines continuous monitoring with manual penetration testing to ensure continuous  
    protection for the most prevalent software vulnerabilities

*   Snapshot: A time-boxed PTaaS offering that provides on-demand penetration testing and deep analysis of web applications with expert  
    validation, support, and re-testing services for 30 days For more information about Outpost24's PTaaS offerings, check out outpost24.com and contact us today.

**  
About Outpost24**  
The Outpost24 group is pioneering cyber risk management with vulnerability management, application security testing, threat intelligence and access management - in a single solution. Over 2,500 customers in more than 65 countries trust Outpost24's unified solution to identify vulnerabilities, monitor external threats and reduce the attack surface with speed and confidence. Delivered through our cloud platform with powerful automation supported by our cyber security experts, Outpost24 enables organizations to improve business outcomes by focusing on the cyber risk that matters.

Outpost24 Announces Expansion of Penetration Testing Offerings to North America

Australian IT services provider Dialog has announced a breach, making it the third telecom company in the area compromised in less than a month.

First it was Optus, followed by Telstra. Now, a third Australian telecom company has disclosed it was breached — this time it's Dialog, an information technology services provider with a sizable market share of Aussie customers in both the public and private sectors. 

Dialog, a subsidiary of SingTel, said its servers were compromised on Sept. 10, and although initial investigations showed no signs of exfiltrated data, on Oct. 7, a sample of the company's employee personal data was available on the Dark Web. 

Dialog said it is still investigating the incident further. 

Just days before, Australia's largest telecom carrier, Telstra, announced its own breach, of personal and sensitive employee information, going back to 2017. 

Telstra's major competitor, Optus, was also recently targeted in a massive cyberattack, which successfully stole the personal information of nearly 10 million customers across Australia. Optus, also a SingTel subsidiary, first announced the cyberattack on Sept. 21, which then drew the attention of the FBI. 

Days later, the cybercriminals withdrew their ransom demand of $1 million, explaining there were "too many eyes" on the data. But before the attackers had a change of heart, they leaked more than 10,000 customer records, reportedly as proof of what they had. 

The attackers later apologized for leaking the stolen info. 

**Telcos Historically Draw Advanced Attacks**

Telecommunications companies will always be an attractive target for cybercrime because of the vast amounts of data they gather, process, and store on their customers, Erfan Shadabi, a cybersecurity expert with Comforte AG tells Dark Reading. 

"However, they have an obligation to keep this sensitive customer data safe and out of the hands of the wrong people, obligations that are both ethical and regulatory in nature. The outcome of not doing this is exactly what these companies face now," he adds.

John Bambanek, principal threat hunter with Netenrich, agrees, adding that IT providers, managed service providers (MSPs), managed security service providers (MSSPs), and telcos have always been prime targets from advanced threat actors. 

"These companies have privileged access so its easy to go from point A to points B through Z immediately," Bambanek explains to Dark Reading. He adds that intelligence services like the National Security Agency (NSA) also regularly turn the focus of their operations to telecommunications service providers because of the wealth of sensitive data inside their systems. 

"Eventually, targeting priorities and techniques filter from the intelligence world into sophisticated cybercriminals such as ransomware groups," Bambenek says. "Ultimately, the math is the same. Why attack one target and have only one victim when you can attack one target and have many victims? More victims means more money."

High-Value Targets: String of Aussie Telco Breaches Continues

LOUISVILLE, Ky., Oct. 11, 2022 /PRNewswire/ — Deloitte and the National Association of State Chief Information Officers (NASCIO) today released their 2022 Cybersecurity Study, "State Cybersecurity in a Heightened Risk Environment." The survey captures responses from chief information security officers (CISOs) in all 50 states and three territories about current cybersecurity trends, challenges and opportunities.

The survey found that state CISOs throughout the U.S. gained considerable strength and authority over the past few years, as they rapidly migrated government operations and services to a virtual environment and expedited digital transformations to meet the immediate needs of individuals and families. Due to the dedicated efforts of these CISOs, state agencies were able to continue providing high-quality service to their constituents, despite the challenges imposed by a global pandemic.  

Additional highlights from the 2022 Deloitte/NASCIO survey include:

*   **Addressing the talent gap**: In 2022, the demand for high-skilled workers has grown even more acute for public and private sector employers. In this environment, the lack of cybersecurity professionals and other staff remains among the top five barriers cited by state CISOs.
    *   Despite CISOs' growing responsibilities and the increasing sophistication of both technology and threats, **headcounts for state cybersecurity professionals remain about the same as in 2020, and more than 6 in 10 CISOs report gaps in competencies among their staffs**.
*   **Embracing the entire state**: It is an imperative to provide for greater security across the entire state through a tighter collaboration with local governments and state higher education institutions. CISOs made significant progress in enhancing their stature and visibility at the state executive and legislative levels, and they are continuing to get the institutional support and resources they need.
    *   All 50 states now have a CISO, and many are establishing new positions for chief privacy officers, chief risk officers and identity program directors.
    *   More state legislators are codifying the role of the CISO into state law and funding the position. They are also codifying several cyber initiatives into state law, such as enterprise risk management frameworks, cybersecurity legislative councils and cybersecurity training.
    *   More states now require CISOs to provide periodic reports to senior state officials, such as the governor, legislature and agency secretaries.
    *   CISOs are looking to establish and activate a shared security services approach to enable a whole-of-state approach to protecting local governments and public higher education institutions.
*   **Emerging technologies present new opportunities**: In the post-pandemic digital landscape, CISOs have an even more critical role to play in guiding the evaluation and implementation of new technologies.
    *   State CISOs confirm that many applications have migrated to the cloud. With remote work, digital and mobile platforms have become part of the fabric of daily life by which people work, communicate and transact.
    *   **States have taken a big step forward to provide digital identities for citizen services**. Capabilities, such as cloud computing, artificial intelligence and robotic process automation, enable states to further enhance digital modernization in service of their missions and constituents.

"The complexity of cyber challenges that the state CISOs tackle is increasing with the need to take a whole-of-state approach involving multiple jurisdictions and stakeholders," said Srini Subramanian, principal, Deloitte & Touche LLP, and Deloitte's global risk advisory leader for government and public services. "To address these challenges, state CISOs are increasingly laying the groundwork to adopt emerging technologies, promoting more collaboration with local government agencies and higher education institutions, upskilling state employees and transforming employment practices to attract the next-generation of highly capable cyber talent."

"State CISOs played critical roles helping the country successfully navigate the twists and turns of the pandemic, and this year's survey identifies the steps needed to grow this increasingly public role and meet the current and future challenges faced by state agencies," said Meredith Ward, director of policy and research at NASCIO and a co-author of the 2022 Deloitte/NASCIO Cybersecurity Study. "We're proud to again bring the perspectives of state CISOs to the forefront of conversations around cybersecurity."

Additional takeaways from the 2022 Deloitte/NASCIO survey include:

*   Thirty states increased their cybersecurity budgets from 2021 to 2022. And for the first time, CISOs report that a handful of states are allocating more than 10% of their IT budgets to cybersecurity, in alignment with federal government levels. However, most states still only allocate between 2% and 10% of their budgets to cybersecurity efforts.
*   Many state CISOs identified the drafting and implementation of the Zero Trust framework as a key initiative.
*   CISOs say that malware, ransomware and phishing attempts continue to present security challenges. Concern among CISOs about foreign state-sponsored espionage has also risen significantly, while the perceived threat from third parties and social engineering has declined.
*   CISOs found that the three leading causes of cyber incidents remain web applications, malicious code and financial fraud. However, CISOs note a rise in cyber incidents involving foreign state-sponsored espionage, zero-day attacks and attacks against cloud platforms.
*   Nearly one-third of state CISOs say that state agencies manage cyber incidents on their own, rather than working with a central state IT security group.
*   CISOs are increasingly contracting cybersecurity professionals and states are demonstrating more interest in outsourcing specific cybersecurity functions to managed service providers. In fact, more than half of CISOs report outsourcing security operations center tasks, which require 24x7 monitoring, and more than 60% of CISOs report having confidence in the cybersecurity services of third-party vendors.
*   State CISOs are starting to incorporate diversity, equity and inclusion (DEI) practices, such as designating a DEI leadership position or teams to foster a culture of inclusion. However, many CISOs say they do not know if they have such practices in place.

See here for the full survey results.

See here for learn more about Deloitte's cyber risk practice.

**About Deloitte**

Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world's most admired brands, including nearly 90% of the Fortune 500® and more than 7,000 private companies. Our people come together for the greater good and work across the industry sectors that drive and shape today's marketplace — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthier society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them. Building on more than 175 years of service, our network of member firms spans more than 150 countries and territories. Learn how Deloitte's approximately 415,000 people worldwide connect for impact at www.deloitte.com.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

Cybersecurity Survey of State CISOs Identifies Many Positive Trends

Cyber criminals are using a previously undocumented phishing-as-a-service (PhaaS) toolkit called Caffeine to effectively scale up their attacks and distribute nefarious payloads.
"This platform has an intuitive interface and comes at a relatively low cost while providing a multitude of features and tools to its criminal clients to orchestrate and automate core elements of their phishing

Cyber criminals are using a previously undocumented phishing-as-a-service (PhaaS) toolkit called **Caffeine** to effectively scale up their attacks and distribute nefarious payloads.

"This platform has an intuitive interface and comes at a relatively low cost while providing a multitude of features and tools to its criminal clients to orchestrate and automate core elements of their phishing campaigns," Mandiant said in a new report.

Some of the core features offered by the platform comprise the ability to craft customized phishing kits, manage redirect pages, dynamically generate URLs that host the payloads, and track the success of the campaigns.

The development comes a little over a month after Resecurity took the wraps off another PhaaS service dubbed EvilProxy that's offered for sale on dark web criminal forums.

But unlike EvilProxy, whose operators are known to vet prospective customers before activating the subscriptions, Caffeine is notable for running an open registration process, effectively enabling anyone with an email address to sign up for the service.

This restriction-free approach not only obviates the need for approaching the actors on underground forums or requiring a referral from an existing user, but also allows Caffeine to rapidly expand its clientele and lower the barrier for entry.

Making it further stand apart from the rest, the PhaaS toolkit is noteworthy for offering phishing email templates for use against Chinese and Russian targets.

"Although the use of phishing platforms is certainly not a novel mechanism to facilitate attacks, it is worth noting that such feature-rich options, like Caffeine, are readily accessible to cybercriminals," the researchers said.

PhaaS services typically entail an operator to develop and deploy a significant chunk of the phishing campaigns, right from fake sign-in pages, website hosting, site templates, and credential theft.

The evolution of email-based phishing threats into a service-based economy means that adversaries who aim to conduct phishing attacks can now simply purchase such resources and infrastructure without having to work on it themselves. Caffeine is no exception.

It requires users to create an account, and buy a subscription that costs $250 a month (Basic), $450 for three months (Professional), or $850 for a six-month license (Enterprise) to avail its wide range of services, including the campaign management dashboard and the tools to configure the attacks.

The ultimate goal of the phishing campaign is to facilitate the theft of Microsoft 365 credentials through rogue sign-in pages hosted on legitimate WordPress sites, indicating that the Caffeine actors are leveraging compromised admin accounts, misconfigured websites, or flaws in web infrastructure platforms to deploy the kits.

While the login pages are currently limited to Microsoft 365 credential harvesting lures, the Google-owned threat intelligence firm noted that additional login page formats could be introduced in the future as per customer demands.

"It is also important to keep in mind that defensive measures against PhaaS attacks can be a game of cat and mouse," Mandiant said. "As quickly as threat actor infrastructure gets taken down, new infrastructure can be spun up."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Warn of New Phishing-as-a-Service Being Used by Cyber Criminals

Killnet calls on other groups to launch similar attacks against US civilian infrastructure, including marine terminals and logistics facilities, weather monitoring centers, and healthcare systems.

UPDATE 

Hot on the heels of attacks against US state government websites, pro-Russian threat group Killnet on Monday disrupted the websites of multiple US airports in a series of distributed denial-of-service (DDoS) attacks.

It also called on similarly aligned groups and individuals to carry out DDoS attacks on other US infrastructure targets, in what appears to be an escalation of a recent campaign protesting the US government's support for Ukraine in its war with Russia.

Airport websites that were affected by Killnet's DDoS attacks included Los Angeles International Airport (LAX), Chicago O'Hare, and the Hartsfield-Jackson Atlanta International Airport, among others. While the DDoS attacks made some of the sites inaccessible for several hours, they do not appear to have had any impact on airport operations.

Researchers from Mandiant who have been tracking the attacks said they observed a total of 15 US airport websites being impacted.

**Mostly Brief Interruptions**

In a statement to Dark Reading, airport authorities at LAX confirmed the attack.

"Early this morning, the FlyLAX.com website was partially disrupted," an LAX spokesperson noted in an emailed statement. LAX officials described the service interruption as being limited to portions of the public-facing FlyLAX.com website only. "No internal airport systems were compromised and there were no operational disruptions," according to the statement, adding that the airport's IT team has restored services and that the airport has notified the FBI and the Transportation Security Administration (TSA).

In an emailed statement to Dark Reading, the Chicago Department of Aviation (CDA) noted that its flychicago.com and related websites for O'Hare and Midway international airports went offline, but confirmed that airport operations were affected. 

"City of Chicago IT staff worked diligently to restore the website's functionality shortly after noon Central Time, and they continue to vigilantly monitor the situation," the statement said.

Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows, says Killnet has also asked its supporters to join in on the airport attacks and posted a list of domains to be targeted on its Telegram channel. In total, the group mentioned 49 domains belonging to airports across the US, he says. Killnet's target list includes airports in some two dozen states including California, Delaware, Florida, Georgia, Illinois, Maryland, Massachusetts, and Michigan.

"At this time, it is unknown how successful these attacks were, but Killnet attacks are known to take websites down for short periods," Righi says. The attacks began with a DDoS attack on O'Hare, where the group stated its motivation to target US civilian network sector, which the group deemed to be not secure, he says.  

**Calls for Broader Attacks**

Vlad Cuiujuclu, team lead for global intel at Flashpoint, says the DDoS attack on O'Hare International Airport came shortly after Killnet announced new rounds of DDoS attacks against domains that belong to the civilian infrastructure of the United States. Among the targets it is urging supporters to attack are marine terminals and logistics facilities, weather monitoring centers, healthcare systems, ticketing systems for public transit, exchanges, and online trading systems, Cuiujuclu says.

Killnet's post urging other pro-Russian groups to launch DDoS attacks against domains that belong to the US civilian infrastructure was shared by other Russian-speaking cyber-collectives, including Anonymous | Russia, Phoenix, and We Are Clowns, Cuiujuclu noted.

Killnet has been among the more active pro-Russian cyberthreat groups in recent months. Just last week it claimed credit for DDoS attacks on the government websites of Mississippi, Kentucky, and Colorado. In July, the group claimed credit for a DDoS attack on the website of the US Congress, which briefly affected public access.

In August, Killnet said it planned to attack Lockheed Martin, the company manufacturing the US-made rocket launchers that the Ukrainian military has been using in the conflict. The group claimed it had compromised Lockheed Martin's identity authorization infrastructure, but Flashpoint, which tracked the campaign, said it was unable to find any verifiable evidence of the supposed attack. "This is possible, but Killnet has this far shown little verifiable evidence of this beyond a video and a spreadsheet allegedly containing employee data, the authenticity of which could not be determined," Flashpoint said at the time.

**An Especially Active Threat Actor**

Almost since the beginning of the Russian invasion of Ukraine, Killnet has been continuously posting alleged evidence of DDoS attacks against organizations in NATO member states and those it perceives as supporting Ukraine in the conflict. Flashpoint has previously described Killnet as a media-savvy threat group with a tendency to try to inflate its profile by bragging about attacks. "While Killnet’s threats are often grandiose and ambitious, the tangible effects of their recent DDoS attacks have so far appeared to be negligible."

Killnet's attacks — and those it is urging others to carry out — are examples of what security experts say is the tendency in recent years for geopolitical conflicts to spill over into the cyber domain. The threat group's apparent escalation of its campaign against US and other NATO countries, for instance, comes just days after an explosion destroyed a section of a critical bridge connecting Russia to the Crimean Peninsula.

So far, most of the cyberattacks by pro-Russian groups that impacted US organizations have not been nearly as disruptive as attacks by Russian groups against Ukrainian entities. Some of those attacks — including many going back to Russia's annexation of Crimea — were designed to destroy systems and degrade power and other critical infrastructure in support of Russian military objectives.

**_This story was updated at 11:30 a.m. ET to include a statement from the Chicago Department of Aviation, and to reflect that the Indianapolis airport was not affected._**

US Airports in Cyberattack Crosshairs for Pro-Russian Group Killnet

A CISO's responsibilities have evolved immensely in recent years, so their first three months on the job should look a different today than they might have several years ago.

Not too long ago, the role of chief information security officer was a purely technical position designed to help an organization overcome cybersecurity challenges. Today, however, the CISO role has evolved — growing both in responsibility and stature within a company. The CISO is now a critical member of the executive team, responsible for tying not only cybersecurity, but overall risk management, to the company's business strategy and operations.

The modern CISO is involved in strategic decision-making, for example, ensuring the business securely embraces digital transformation while assuring the board, clients, and investors that cyber capabilities and defenses are active and evolving with current threats. And they are responsible for leveraging people, processes, and technologies to enable their organization to fulfill its overarching business objectives securely.

Given this evolution in responsibilities, a CISO's first 90 days on the job should look a lot different today than it did even several years ago.

**The First 90 Days**

While many CISOs want to immediately demonstrate value by jumping in with big ideas and projects on day one, they will be able to make much more of a long-term impact if they first take the time to understand the company's mission, values, and business objectives. They also need to get up to speed on core activities, products, services, research and development, intellectual property, and merger and acquisition plans. And they need to understand all potential issues, previous breaches, regulatory or external obligations, and existing technical debt.

With this in mind, here are a few recommendations on what a CISO's focus should be during their first 90 days on the job.

**Gain An Understanding of the Organization's Larger Mission and Culture**

The very first day, begin to deploy a collection of interview and interrogation techniques with a goal of understanding the business, its purposes and its priorities. Interview your employees, midlevel business leaders, and customers to get a sense of all key stakeholders, initial pain points, and how mature the cybersecurity culture is within the organization. Finally, gently interrogate your partners, suppliers, and vendors to determine who is just selling and who is a trusted advisor. Going through this process will open lines of communication, uncover challenges, and help build a 90-day action plan and road map.

**Identify the Crown Jewels**

Determine which data and systems underpin the company's strategic mission and core competencies, represent intellectual property, differentiate the enterprise from its competitors, or support major customer segments or revenue lines. These crown jewels are the digital assets that are most likely to be targeted by threat actors, and thus must have their cyber-hygiene efforts accelerated. If the C-suite and board understand these critical areas, they can tell you their risk appetite, and you can implement security strategies accordingly.

**Develop a Plan Based on the Company's Current IT and Business Landscape**

Once assets are identified and prioritized, develop a written risk management plan with checklists for deliverables, structure and communication between key internal and external stakeholders. On this latter point, the CISO always must act as an information broker and as a partner to all the key organizational decision-makers. One effective way to do this is to establish formal and informal communication with these roles, so the organization can move forward strategically.

**Master the Basics**

There are many technologies needed to secure the modern company, but there are a few must-haves that should be implemented right away, if they aren't already. These are baseline controls, including vulnerability management and anti-malware defenses for the endpoint, and non-negotiable controls, including multifactor authentication, sensitive data encryption, application whitelisting, 24/7 security monitoring, file integrity monitoring, privileged access management, network segmentation, data loss prevention, and a rigorous assessment and audit function connected to vulnerability and patching strategies.

**Implement Benchmarks**

Prove the value of security plans, processes, and technologies to the C-suite, business unit executives, and the board by implementing benchmarks and maturity assessments that show how the company stacks up against competitors, how security strategies stack up against industry best practices and frameworks, and how security initiatives are enabling the business with secure operations.

**Always Treat Security as a Business Problem**

Security incidents can result in myriad consequences on the business, and conversely, strong security can help the business succeed in a secure fashion. This is why it's so important that IT and security teams always remain integrated with the business side of the organization. As part of this, ensure ongoing communication and collaboration between executive leaders, the board, and security leaders. When management understands the business risks posed by cybersecurity threats, they'll be more apt to pay attention and participate in security efforts.

At the end of the first 90 days, a CISO should be able to answer questions such as: How well protected is the organization? What is our capability maturity against industry standard frameworks? What are our most critical vulnerabilities and cyber-risk scenarios? What data is most important to the organization? What data risks could have the most significant negative impact on the organization? And what will it take to improve the organization's security posture, and do we have a road map?

While this may seem like a lot to get to the bottom of in a three-month timespan, following these six steps will set your company up for both short- and long-term security and business success.

6 Things Every CISO Should Do the First 90 Days on the Job

Categories: News
The blueprint aims to make AI less harmful to Americans by holding its creators accountable.



(Read more...)




The post White House unveils Blueprint for an AI Bill of Rights appeared first on Malwarebytes Labs.

On Tuesday, the Biden-Harris Administration's Office of Science and Technology Policy (OSTP) unveiled a new Blueprint for an AI Bill of Rights, which lists five principles to guide the design, use, and development of intelligence-based automated systems "to protect the American public in the age of artificial intelligence".

These principles focus on things that matter to Internet users: Protection from risky systems, protection from discrimination, data privacy, notice and explanation of AI use, and the option to opt out.

"Automated technologies are increasingly used to make everyday decisions affecting people's rights, opportunities, and access in everything from hiring and housing, to healthcare, education, and financial services," the White House said in a press release. It continued:

> While these technologies can drive great innovations, like enabling early cancer detection or helping farmers grow food more efficiently, studies have shown how AI can display opportunities unequally or embed bias and discrimination in decision-making processes. As a result, automated systems can replicate or deepen inequalities already present in society against ordinary people, underscoring the need for greater transparency, accountability, and privacy.

While the blueprint is for big tech companies, Dr. Alondra Nelson, deputy director for science and society in the OSTP, made clear it's also for every American who interacts with AI or whose life is affected by "unaccountable algorithms". 

In mid-September, the White House conducted a listening session on tech platform accountability wherein experts identified six concerns, each paired with a core principle for reform.

**AI prejudice**

Perhaps the most significant source of AI pain is algorithm discrimination. The descrimination stems from the fact that AIs are trained using training data sets rather than programmed. Gaps or biases in the training data inform the way that AI evaluates data in the real world.

As a result, the human prejudices some hoped AI would eliminate are sometimes baked right in. There are AI's that can't understand certain accents, others have prevented African Americans from getting kidney transplants, and some just don't think women can be computer programmers.

Although failings in AI are generally unintentional, their effects on marginalized populations can be real and severe.

**Just the first step**

While many organizations, such as the Center for Democracy and Technology (CDT), the American Civil Liberties Union (ACLU), and Access Now, have welcomed the government's Blueprint for the AI Bill of Rights, some say it shouldn't end here.

"This is clearly a starting point. That doesn't end the discussion over how the US implements human-centric and trustworthy AI," Marc Rotenberg, head of the Center for AI and Digital Policy (CAIDP), told Technology Review. "But it is a very good starting point to move the US to a place where it can carry forward on that commitment."

He also wants to see the US implement "checks and balances to AI uses that have the most potential to cause harm to humans", such as those in the EU's upcoming AI Act.

"We'd like to see some clear prohibitions on AI deployments that have been most controversial, which include, for example, the use of facial recognition for mass surveillance," Rotenberg said. 

Director of Policy for Stanford Institute for Human-Centered, AI Russell Wald, thinks the blueprint lacks details or mechanisms for enforcement. "It is disheartening to see the lack of coherent federal policy to tackle desperately needed challenges posed by AI, such as federally coordinated monitoring, auditing, and reviewing actions to mitigate the risks and harm brought by deployed or open-source foundation models," he said.

Sneha Revanur, founder and president of Encode Justice, an organization focusing on the youth and AI, also sees that flaw but has high hopes: "Though it is limited in its ability to address the harms of the private sector, the AI Bill of Rights can live up to its promise if it is enforced meaningfully, and we hope that regulation with real teeth will follow suit," she said.

White House unveils Blueprint for an AI Bill of Rights

Chipmaker Intel has confirmed that proprietary source code related to its Alder Lake CPUs has been leaked, following its release by an unknown third-party on 4chan and GitHub last week.
The published content contains Unified Extensible Firmware Interface (UEFI) code for Alder Lake, the company's 12th generation processors that was originally launched in November 2021.
In a statement shared with

Chipmaker Intel has confirmed that proprietary source code related to its Alder Lake CPUs has been leaked, following its release by an unknown third-party on 4chan and GitHub last week.

The published content contains Unified Extensible Firmware Interface (UEFI) code for Alder Lake, the company's 12th generation processors that was originally launched in November 2021.

In a statement shared with Tom's Hardware, Intel said the leak doesn't expose "any new security vulnerabilities as we do not rely on obfuscation of information as a security measure."

It's also encouraging the broader security research community to report any potential issues through its bug bounty program, adding it's reaching out to customers to notify them of the matter.

Besides the UEFI code, the leaked data dump includes a plethora of files and tools, some of which appear to come from firmware vendor Insyde Software.

Exact details surrounding the nature of the hack, including its provenance, are unclear. The GitHub repository has since been taken down, although it remains accessible via other replicated versions.

That said, indications are that the repository had been created by an employee of LC Future Center, a Chinese manufacturer of computers and laptops.

Earlier this February, the LAPSUS$ extortionist group breached NVIDIA, siphoning 1TB of sensitive data. The threat actor later claimed that the company had launched a retaliatory ransomware strike to prevent the release of the stolen data.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Intel Confirms Leak of Alder Lake BIOS Source Code

About 1 in 5 phishing email messages reach workers' inboxes, as attackers get better at dodging Microsoft's platform defenses and defenders run into processing limitations.

This week's report that cyberattackers are laser-focused on crafting attacks specialized to bypass Microsoft's default security showcases an alarming evolution in phishing tactics, security experts said this week.

Threat actors are getting better at slipping phishing attacks through the weak spots in platform email defenses, using a variety of techniques, such as zero-point font obfuscation, hiding behind cloud-messaging services, and delaying payload activation, for instance. They're also doing more targeting and research on victims.

As a result, nearly 1 in 5 phishing emails (18.8%) bypassed Microsoft's platform defenses and landed in workers' inboxes in 2022, a rate that increased 74% compared to 2020, according to research published on Oct. 6 by cybersecurity firm Check Point Software. Attackers increasingly used techniques to pass security checks, such as Sender Policy Framework (SPF), and obfuscate functional components of an e-mail, such as using zero-size fonts or hiding malicious URLs from analysis.

The increasing capabilities of attackers is due to the better understanding of current defenses, says Gil Friedrich, vice president of email security at Avanan, an email security firm acquired by Check Point in August 2021.

"It is a family of 10 to 20 techniques, but they all lead to the objective of deceiving a company's security layers," he says. "The end result is always an email that looks genuine to the recipient but looks different to the algorithm that analyzes the content."

Microsoft declined to comment on the research. However, the company has warned of advanced techniques, such as adversary-in-the-middle phishing (AiTM), which uses a custom URL to place a proxy server between a victim and their desired site, allowing the attacker to capture sensitive data, such as usernames and passwords. In July, the company warned that more than 10,000 organizations had been targeted during one AiTM campaign.

Check Point is not the only vendor to warn that phishing attacks are getting better. In a survey, email security firm Proofpoint found that 83% of organizations experienced a successful email-based phishing attack, nearly half again as many as suffered such an attack in 2020. Cybersecurity firm Trend Micro saw the number of phishing attacks more than double, growing 137% in the first half of 2022 compared to the same period in 2021, according to the firm's 2022 Mid-year Cybersecurity report.

Meanwhile, cybercriminals services, such as phishing-as-a-service and malware-as-a-service, are encapsulating the most successful techniques into easy-to-use offerings. In a survey of penetration testers and red teams, nearly half (49%) considered phishing and social engineering to be the attack techniques with the best return on investment.

**Research & Recon Inform Phishing**

Attackers are improving too because of the effort that cyberattackers make in collecting intel for targeting victims with social engineering. For one, they're utilizing the vast amounts of information that can be harvested online, says Jon Clay, vice president of threat intelligence for cybersecurity firm Trend Micro.

"The actors investigate their victims using open source intelligence to obtain lots of information about their victim \[and\] craft very realistic phishing emails to get them to click a URL, open an attachment, or simply do what the email tells them to do, like in the case of business e-mail compromise (BEC) attacks," he says.

The data suggests that attackers are also getting better at analyzing defensive technologies and determining their limitations. To get around systems that detect malicious URLs, for example, cybercriminals are increasingly using dynamic websites that may appear legitimate when an email is sent at 2 a.m., for example, but will present a different site at 8 a.m., when the worker opens the message.

**Improvements in Defense**

Such techniques not only deceive, but take advantage of asymmetries in defending versus attacking. Scanning every URL sent in an email is not a scalable defense, says Check Point's Friedrich. Running URLs in a full sandbox, analyzing the links to a specific depth, and using image processing to determine sites that are trying to mimic a brand requires a lot of computational power.

Instead, email security firms are deploying "click-time" analysis to tackle the problem.

"There are some algorithms or tests that you can't run on every URL, because the compute is huge, it eventually become price prohibited," he says. "Doing that at click time, we only need to do the tests on the URLs that users actually click on, which is a fraction, so 1% of the total links in e-mail."

In addition, defenses increasing rely on machine learning and artificial intelligence to classify malicious URLs and files in ways that rules-based systems cannot, says Trend Micro's Clay.

"Dealing with weaponized attachments can be difficult for those security controls that still rely on signatures only and don’t have advanced technologies that can scan the file using ML or a sandbox, both of which could detect many of these malware files," he says.

In addition, previous statements from Microsoft have noted that Office 365 includes many of the email protection capabilities discussed by other vendors, including protection from impersonation, visibility into attack campaigns, and using advanced heuristics and machine learning to recognize phishing attacks affecting an entire organization or industry.

Tag

#intel