Red Hat Security Advisory 2024-2583-03 - An update for linux-firmware is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2583.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: linux-firmware security updateAdvisory ID:        RHSA-2024:2583-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2583Issue date:         2024-04-30Revision:           03CVE Names:          CVE-2022-46329====================================================================Summary: An update for linux-firmware is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The linux-firmware packages contain all of the firmware files that are required by various devices to operate.Security Fix(es):* hw: intel: Protection mechanism failure for some Intel(R) PROSet/Wireless WiFi (CVE-2022-46329)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-46329References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2238961

Red Hat Security Advisory 2024-2583-03

Red Hat Security Advisory 2024-2582-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2582.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel security and bug fix update  
Advisory ID:        RHSA-2024:2582-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2582  
Issue date:         2024-04-30  
Revision:           03  
CVE Names:          CVE-2021-46915  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (CVE-2023-40283)

* kernel: mlxsw: spectrum_acl_tcam: Fix stack corruption (CVE-2024-26586)

* kernel: netfilter: divide error in nft_limit_init (CVE-2021-46915)

* kernel: sched/membarrier: reduce the ability to hammer on sys_membarrier (CVE-2024-26602)

Bug Fix(es):

* kernel: use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (JIRA:RHEL-18996)

* rbd: don't move requests to the running list on errors [8.x] (JIRA:RHEL-24201)

* TRIAGE CVE-2021-46915 kernel: netfilter: divide error in nft_limit_init (JIRA:RHEL-28179)

* [RHEL 8.4] Soft Lockups from BZ-2174623 hit on RHEL 8.4 (JIRA:RHEL-16035)

* kernel: sched/membarrier: reduce the ability to hammer on sys_membarrier (JIRA:RHEL-26386)

* kernel: mlxsw: spectrum_acl_tcam: Fix stack corruption (JIRA:RHEL-29181)

* Intel i40e driver performance issue (JIRA:RHEL-30402)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-46915

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2231800  
https://bugzilla.redhat.com/show_bug.cgi?id=2265645  
https://bugzilla.redhat.com/show_bug.cgi?id=2266423  
https://bugzilla.redhat.com/show_bug.cgi?id=2267695

Red Hat Security Advisory 2024-2582-03

With mergers and acquisitions making a comeback, organizations need to be sure they safeguard their digital assets before, during, and after.

Source: Cagkan Sayin via Alamy Stock Photo

COMMENTARY

Mergers and acquisitions (M&A) activity is making a much-anticipated comeback, soaring in the US by 130% — to the tune of $288 billion. Around the world, M&As are up 56%, to $453 billion, according to data from Dealogic.

When two companies are combined, a vast amount of sensitive data and information is exchanged between them, including financial records, customer information, and intellectual property. Additionally, different types of software and hardware often need to be integrated, which can create security vulnerabilities for cybercriminals to exploit.

Cybersecurity is critical to protect and safeguard the integrity of confidential data and can make or break an M&A deal. Having worked across a range of industries in my career, from banking and finance to healthcare, technology, and government, I've witnessed firsthand the cybersecurity challenges associated with managing M&As. Each M&A transaction I've been involved with has been far more complex than initially envisioned and took longer than anticipated to complete. This is especially true when it comes to integrating the technology stack.

**Understanding Cybersecurity in M&A**

Merging with or acquiring a company with a poor cybersecurity posture makes it much easier for cybercriminals to launch an attack. A data breach not only carries severe financial consequences, including legal fees and financial penalties, it also can be extremely damaging to an organization's reputation.

Without effective prevention and mitigation of cyber-risks, organizations could lose the trust of customers, partners, and investors, jeopardizing the deal. This is why cybersecurity must be a key consideration right from the beginning of the M&A lifecycle — not after it has happened. Regulators are also ramping up scrutiny of M&A deals and issuing significant fines for non-compliance. In many states and countries, rules such as the EU's General Data Protection Regulation (GDPR) protect personal data when it is transferred between entities.

**M&A Cybersecurity Checklist**

Leveraging more than 25 years of experience in risk, governance, and cybersecurity, I've put together this checklist to help organizations safeguard their digital assets before, during, and after a merger and acquisition:

*   Conduct early due diligence. Both entities must collaborate to assess the target company's current cybersecurity practices, internal IT infrastructure, and incident history to identify any weaknesses and security vulnerabilities. They might even want to bring in external auditors and cybersecurity experts specializing in M&A transactions.
    

*   Adopt risk metrics. Before making a plan, both entities must agree on an accepted level of risk and how this risk will be measured. Standardized risk metrics ensure that risk stays within the agreed levels, facilitating communication and collaboration at all levels of leadership in the new organization.
    

*   Establish a cybersecurity team. Create a dedicated team, bringing together experts from both entities to work together on addressing and managing potential cyber-risks. This will ensure that security practices are consistent across the entire new organization.
    
*   Develop a risk mitigation strategy. Based on the early assessment, the cybersecurity team can determine what procedures, processes, and technologies must be implemented to enhance the target company's cybersecurity posture before the entities combine. This plan should also clearly outline company policies and the roles and responsibilities across both entities for managing cybersecurity.
    

*   Plan for IT integration. Security measures are essential when integrating IT systems and networks. These include reviewing and enhancing current security architecture, implementing security policies, and testing for any security vulnerabilities. Adopting new tools and technologies to safeguard data during the integration process may be necessary.
    

*   Check for third-party risks. If external vendors are involved in the M&A process, ask them to detail their processes around managing and monitoring cybersecurity risks. The assessment must ensure vendor practices align with the target company's cybersecurity standards.
    

*   Establish identity and access governance and management. Implement strong controls so only authorized people can access sensitive information, digital assets, data, or systems — with different access levels depending on roles and responsibilities. This will help prevent or minimize hacking, fraud, internal data breaches, and human error.
    

*   Create an incident response plan. If a data breach occurs, organizations need a plan to minimize disruption to the business. It's essential to back up critical databases and store them off of the network to ensure data can still be accessed. The incident response plan should be printed out or distributed among staff so everyone knows what to do during a cyberattack.
    

*   Ensure ongoing monitoring. Cybersecurity doesn't end when the deal closes, and the post-M&A period can be a particularly vulnerable time for companies — so it's essential to be vigilant. That's why organizations need mechanisms for continuous 24/7 monitoring of systems and networks and real-time threat detection to identify security vulnerabilities and potential breaches.
    

*   Train employees. Ensure all employees of both entities involved in the merger or acquisition receive comprehensive and regular training about cybersecurity best practices. It's vital to communicate that each person can help play a part by watching out for threats and promptly reporting them. Consider conducting cybersecurity drills to prepare staff for what a cyberattack might look like.
    

**About the Author(s)**

CISO, Gathid

As the Chief Information Security Officer and an Executive Director of Gathid Ltd., Craig Davies is passionate about helping organizations strengthen access management without completely overhauling their people, processes, physical infrastructure, and technology. He has spent more than 25 years in cybersecurity, working in a number of fields, including infrastructure operations, security architecture and software, web development, and operations. As the first CEO of AustCyber, he negotiated agreements with states and territories to establish innovation notes across the country and set out a plan to make Australia a global force in the cybersecurity market.

The Cybersecurity Checklist That Could Save Your M&amp;A Deal

MOVEit drove a big chunk of the increase, but human vulnerability to social engineering and failure to patch known bugs led to a doubling of breaches since 2023, said Verizon Business.

Security bugs are having a cybercrime moment: For 2023, 14% of all data breaches started with the exploitation of a vulnerability, which is up a jaw-dropping 180%, almost triple the exploit rate of the previous year.

Let's put this in context, though. The MOVEit software breach, which wreaked supply chain havoc on companies across every sector, accounted for a large chunk of the increase in using exploits as an initial access method, and likely drove overall breach volumes up as well.

That's according to Verizon Business' 2024 Data Breach Investigations Report (DBIR), which analyzed a record 30,458 security incidents, out of which 10,626 were confirmed breaches — as a stat in itself, that's more than double the numbers from a year ago.

**Organizations Still Lack Security Maturity**

The DBIR, released today, detailed just how far patching can go in heading off a data breach. It also noted that a full 68% of the breaches Verizon Business identified involved human error — either someone clicked on a phishing email, fell for an elaborate social-engineering gambit, was convinced by a deepfake, or had misconfigured security controls, among other snafus. That's about the same percentage as last year, indicating that practitioners are not having much success when it comes to patching the human vulnerability.

In all, a picture in this year's DBIR emerges of an organizational norm where gaps in basic security defenses — including the low-hanging fruit of timely patching and effective user awareness training — continue to plague security teams, despite the rising stakes for CISOs and others that come with "experiencing a cyber incident."

"It can be a bit overwhelming for CISOs, particularly in environments where the security maturity of the organization is not as high as they would like," Suzanne Widup, distinguished engineer in threat intelligence at Verizon Business, tells Dark Reading. "But seeing organizations (large and small) still falling down in some of the basics is disheartening."

She adds, "Sometimes it takes the stakes being raised to get the attention of the appropriate people to affect change, sadly. What began with the data breach reporting laws has moved into serious consequences to company officers being codified into laws and regulations. But the bottom line is most organizations are not in business to worry about security. It has been an add-on after the fact for so long."

Other trends in the DBIR underscore the fact that teams need to address their cyber risk as a priority, and soon: A full 15% of breaches in the past year came from the supply chain, including issues with data custodians, vulnerabilities in third-party code, malicious packages in software repositories, and so on. That is an eyewatering 68% increase from 12 months previous, indicating that adversaries have copped to the fact that this is a tough area for security teams to get their arms around.

**MOVEit Moves the Cybercrime Needle**

Using the MOVEit bug was like shooting proverbial fish in a barrel — the world suddenly became a target-rich environment in the middle of last year for the Cl0p extortion gang and those cybercriminals that followed in its footsteps.

MOVEit Transfer is a managed file transfer app from Progress Software that organizations use to exchange sensitive data and large files both internally and externally. Progress claims thousands of customers for MOVEit, including major brands such as Disney, Chase, BlueCross BlueShield, Geico, and Major League Baseball.

Cl0p reportedly spent two years developing the MOVEit file transfer zero-day exploit, first discovered and disclosed on May 31, 2023, by researchers after months of surreptitious attacks. Within a week of its public debut, CVE-2023-34362 was under mass exploitation by an array of threat actors; within a month, it had been used to breach at least 160 confirmed victims, including whales like Avast parent company Gen Digital, British Airways, Siemens, and UCLA. By the end of September 2023, it was linked to breaches at 900 different universities.

This MOVEit bonanza, which accounted for 8% of the breaches in Verizon Business' data set, had a ripple effect on several metrics in the DBIR, including a finding that 32% of all breaches involved some type of extortion technique (the MOVEit attacks involved stealing information and holding it for ransom) and the bump in supply chain breaches. And the DBIR found that the spike in the use of exploits for initial access was driven primarily by the increasing frequency of zero-day vulnerabilities by ransomware actors — a category that fits MOVEit to a T.

It should be noted, however, that zero-day use was up even outside of MOVEit: "The exploitation of zero-day vulnerabilities by ransomware actors remains a persistent threat to safeguarding enterprises," said Chris Novak, senior director of cybersecurity consulting at Verizon Business, in a media statement.

And finally, 32% of breaches had an extortion or ransom element, with an average loss of $46,000 per company per incident.

**Challenges in Large-Scale Vulnerability Management**

Dovetailing with the increase in the use of bugs for initial access, Verizon Business also found that on average it takes organizations 55 days to remediate 50% of critical vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Cybercriminals are a bit more johnny-on-the-spot: The median time for how long it takes for mass exploitations of the CISA KEV to develop on the Internet is just five days.

This "n-day" gap is one that threat actors have looked to exploit for years. But given the increasingly broad resources available to track and prioritize vulnerability patches, and the high stakes that now come with suffering a data breach (i.e., new mandatory SEC disclosure rules and personal liability for the CISO), it's clear that security teams need to make a coherent effort to move the needle on this risk.

"Time to patch the critical vulnerabilities getting faster would be welcome news," says Widup. "Having a background as a system admin, though, I do understand the necessities of testing the patches on complex environments to make sure you don't break production systems and cripple the organization. But at least working on that metric would be a good place to start."

One potential answer to getting off the patch-management hamster wheel is gaining more visibility into the attack surface, she advises.

"It's a bit like the tree falling in the forest — these software vulnerabilities exist whether or not someone finds them, and if we have more people looking for them by whatever means or motives, then we see them exploited (maliciously) or submitted to bug bounty programs (as a security researcher), which just means they are coming to light then," she explains. "The real action item for security teams is to do vulnerability scanning of the software that is deployed in their environments to see if they can find and report problems before they are found by someone with malicious intentions."

She also notes that considering vulnerability rates when bringing new platforms into the environment can help close the n-day gap simply by restricting the attack surface. "\[This means\] having security standards as part of the software vendor selection process, to make sure that the vendor is cognizant of the risks to their own organization and that of their customers. It may be that the best choice of a software vendor from a risk perspective is the one that follows the \[tenets\] of Secure by Design."

The overall lack of timely patching has had a surprise halo effect, according to the report: Despite the hype around AI risks, Verizon Business found little evidence that AI-enabled cybercrime was about to deliver organizations a data-breach Waterloo.

"While the adoption of artificial intelligence to gain access to valuable corporate assets is a concern on the horizon, a failure to patch basic vulnerabilities has threat actors not needing to advance their approach," said Novak.

**Humans Still the Weakest Cyber Link**

The DBIR found one trend that saw almost no change, ready for filing under "no surprise there": Most breaches (68%) involve a "non-malicious human element" who falls for phishing, misconfigures something, or otherwise makes a mistake. In other words, it's us. The problem is us.

And we fail fast, too. It takes less than 60 seconds for a mark to fall to a phishing routine, according to Verizon Business' phishing test results. The median time to click on a malicious link after an email is opened is 21 seconds, and then only another 28 seconds before the victim is obliviously entering their data into an attacker-controlled form.

Falling for social-engineering attacks in general is costly, too: The analysis found that the median loss in the past two years for business email compromise (BEC) scams is $50,000.

There was one slight glimmer of hope in the data-crunching: One-fifth (20%) of users identified and reported phishing in simulation engagements, and 11% of users who clicked on a decoy email went on to report it.

"So we did see some improvement in people not falling for the phish in simulations, and then those who have fallen for it, at least realizing it fairly quickly and reporting it," Widup explains. "It is vital to make sure that people can easily and quickly report when they have made a mistake, and not to discourage them with punishments. It is also important to have multiple layers of controls in place so that if someone does fall for a social attack, it doesn't necessarily mean a breach."

**Supply Chain Threats Accelerate to Warp Speed**

For the first time, Verizon is specifically breaking out supply-chain breaches as its own metric, which, as previously mentioned, are up significantly in volume in the last year.

"The threat actors are definitely turning towards compromising the larger third-party software companies, and it makes a lot of sense from their perspective if you think about it," says Widup. "They can compromise one vendor, and gain access to a large number of downstream victims in the form of their customer base. If they use the same kind of processes that push code updates, like we saw with SolarWinds, they have the opportunity to push malware to those systems without having to do the work of going into each of their environments. It's definitely more bang for their buck in terms of resources and effort expended. Then they can decide which of these newly compromised systems they want to leverage for further attacks."

The DBIR defines these as breaches that occur through a third-party "custodian," such as a managed service provider (common in the MOVEit cases); entry via a business partner (i.e, the HVAC incident that led to the 2013 Target breach); physical breaches in a partner company facility or even partner vehicles used to gain entry to a target; SolarWinds and 3CX-style breaches where software development processes and updates were hijacked; and vulnerabilities in open source or third-party software.

"This metric ultimately represents a failure of community resilience and recognition of how organizations depend on each other," according to the report's authors. "Every time a choice is made on a partner (or software provider) by your organization and it fails you, this metric goes up."

They added, "We recommend that organizations start looking at ways of making better choices so as to not reward the weakest links in the chain. In a time where disclosure of breaches is becoming mandatory, we might finally have the tools and information to help measure the security effectiveness of our prospective partners."

**Time to Shore Up the Security Basics**

For companies looking to take the DBIR findings to heart and take action, the report includes CIS Critical Security Controls for consideration in the sections where they apply.

"If they haven't already, I would recommend taking a look at them and all of the CIS Critical Security Controls as well, since their recommendations are tailored to the security maturity level of the organization," advises Widup. "It's a very helpful place to go for developing a security strategy, and we'd love to see more organizations adopting this or some other formal security methodology towards making their environments more secure. We break our metrics down into organizational size, industry, and regions to help our readers determine which threats they are most likely to face, and to point them in a direction where they can get some help with deciding how to increase their ability to defend against those threats."

The DBIR's focus on real-world metrics will hopefully be a tool for security teams to use to bring the stakes into focus for business owners and the board, she adds.

"People use the DBIR metrics to bring the threat from the theoretical 'this bad thing might happen to us' into the reality of 'this is already happening to other organizations of a similar size and in the same industry, and we need to address it now,'" she explains. "Breaches are not going away anytime soon, and any organization that thinks they are flying under the radar is in for a rude awakening. It is not a matter of if. It is a matter of when."

**For more information on the DBIR and what it means for your organizations, don't miss "Anatomy of a Data Breach: What to Do If It Happens to You," a free Dark Reading virtual event scheduled for June 20. Verizon's Alex Pinto will deliver a keynote, Up Close: Real-World Data Breaches, detailing DBIR findings and more.**

Verizon DBIR: Basic Security Gaffes Underpin Bumper Crop of Breaches

As the social media giant celebrates its two-decade anniversary, privacy experts reflect on how it changed the way the world shares information.

SourceL Skorzewiak via Alamy Stock Photo

In the 20 years since then-Harvard University student Mark Zuckerberg launched Facebook, there has been a profound shift in our understanding of privacy and security in the digital age. Facebook's path to becoming a digital town square has been fraught with challenges as the company — and the rest of the world — balanced the human desire to share information with the expectation of personal privacy.

In February, Zuckerberg went before a Senate committee and made apologies to parents who blame social media for what they say was its role in their children's death by suicide or from drug overdoses. Zuckerberg has appeared before congressional committees multiple times over the years to address concerns about the platform's impact. The issue of privacy, security, and Facebook has been a long-standing lightning rod, says Martin J. Kraemer, a security awareness advocate at KnowBe4 who has a doctorate in cybersecurity.

"Facebook's fundamental purpose, centered around the systematic collection of information, naturally conflicts with privacy and data protection laws," Kraemer says.

The social media company's missteps over the years have shaped the broader discussions and regulations around data privacy. In fact, it is that tension between social connectivity and privacy rights that prompted the need for robust data protection measures, influencing the creation of significant legal frameworks, like Europe's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The Cambridge Analytica scandal in 2016 was a watershed moment for many, as the company's decision to grant third-party entities with unethical access to user data underscored the potential for personal data to be weaponized against democratic processes. This incident, according to Kraemer, was a direct catalyst for the CCPA and marked a decisive turn in how policymakers and the public at large perceived and prioritized online privacy and data security.

"Cambridge Analytica was the first time the dangers of mass data collection and processing became a tangible reality for the public," Kraemer says.

**The 'Attention Economy': Your Data Up For Sale**

Facebook has also been a key player in the development of the "attention economy," says Justin Daniels, a faculty member at IANS Research. Its creation catalyzed a shift toward the sale of user data as a commodity sold to the highest bidder under the guise of a "free" service.

"Their algorithm, designed to keep you on the site with things that you emotionally respond to, has resulted in the following: Information is available everywhere, yet the facts prove elusive, and anyone who disagrees with you becomes your adversary," Daniels says. "Our need to have convenience above all has made privacy and security afterthoughts for too many people."

The platform's initial slow response to recognize its role in disseminating misinformation, as evidenced by Zuckerberg's later retracted comments on the 2016 election, underscores the company's significant impact, Daniels says. Resulting state laws in Texas and Florida, targeting big tech, highlight a legislative response to privacy concerns directly influenced by Facebook's actions. Facebook's long-standing stance of neutrality as mere "engineers" has also allowed misinformation to proliferate, causing harm and dividing communities, he says.

Looking ahead, Daniels foresees a challenging future for online privacy and security, particularly with the advent of AI.

"If you connect the dots, you see that we are paying the price in privacy and security for Congressional inaction on the digital economy," he says. "They basically let the private sector innovate without any rules. Since big tech business models depend on collecting personal information, they are never going to voluntarily limit themselves, as data collection is critical to their business model. They are the richest companies in human history and now have great influence. An AI black swan event will be the culmination of this lack of regulatory oversight."

**A Privacy-Free Future?**

Like Daniels, AJ Nash, VP and Distinguished Fellow of Intelligence at ZeroFox, also thinks the quest for profitability, driving platforms like Facebook to maximize user engagement, comes at the expense of user privacy. Social media companies are neither legally accountable for user content, thanks to Section 230(c)(1) of the Communications Decency Act, nor are they obligated to adhere to First Amendment principles, he notes. That means policy changes within these platforms are primarily motivated by either the pursuit of growth or forced with governmental mandates, such as GDPR.

"If the user base shrinks or engagement drops as a result of user concerns regarding censorship, mis/dis/malinformation, privacy, or security \[for example\], social media platforms will likely be motivated to address those concerns with new policies," Nash says. "Beyond that, the only motivation any private corporation — including social media platforms — has for making any policy changes will likely be when they are required to do so by a government with the authority to enforce such mandates."

And as anyone working in security knows, social media's extensive data collection practices have also become a goldmine for attackers, enabling crimes ranging from theft to influence campaigns designed to sway public opinion — underscoring the complexity of securing user data against cyber threats on social sites that are designed to be, well, social.

"I recently read that 1.4 billion social media accounts are hacked every month, showing that hackers aren't reluctant to attack users directly," Nash says. "Social media platforms can \[and do\] collect an impressive amount of information about their users, including name, age, gender, location, IP address, devices used, hobbies/interests, shopping tendencies, political views, and individual or group pattern of life analysis … the list goes on. Most \[if not all\] social media platforms have reportedly been compromised at least once."

In light of this near-constant onslaught of attacks, Nash thinks there will be a shift toward resignation and skepticism among users. The concept of privacy also will be increasingly viewed as untenable in the face of the Internet and social media's expansion, he says.

"I think we've reached a point where most people believe they've been compromised and are becoming numb to — and skeptical of — the idea that their privacy can be protected," Nash says. "The two youngest generations seem largely less concerned with privacy than their predecessors. Social media probably played a significant role in all of this. As people spent more time on these platforms over the last two decades, they have grown accustomed to the news of data leaks, while becoming more interested in the potential benefits of less privacy than the associated risks. To be frank, I think we are nearing — if not already at — the dawn of a post-privacy world."

**About the Author(s)**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Facebook at 20: Contemplating the Cost of Privacy

President Joe Biden has updated the directives to protect US critical infrastructure against major threats, from cyberattacks to terrorism to climate change.

The Biden administration is updating the US government’s blueprint for protecting the country’s most important infrastructure from hackers, terrorists, and natural disasters.

On Tuesday, President Joe Biden signed a national security memorandum overhauling a 2013 directive that lays out how agencies work together, with private companies, and with state and local governments to improve the security of hospitals, power plants, water facilities, schools, and other critical infrastructure.

Biden’s memo, which is full of updates to the Obama-era directive and new assignments for federal agencies, arrives as the US confronts an array of serious threats to the computer systems and industrial equipment undergirding daily life. In addition to foreign government hackers and cyber criminals seeking to destabilize American society by crippling vital infrastructure, extremist groups and lone actors have plotted to sabotage these systems, and climate change is fueling natural disasters that regularly overwhelm basic services.

But foreign cyber threats loom largest as a danger in the near future. “America faces an era of strategic competition, where state actors will continue to target American critical infrastructure and tolerate or enable malicious activity conducted by nonstate actors,” Caitlin Durkovich, the deputy homeland security adviser for resilience and response, told reporters during a briefing on Monday.

The memorandum has three core purposes: to formalize the role of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as the lead agency tasked with protecting infrastructure from bad actors and natural hazards; to improve partnerships with the private sector through faster, more comprehensive information sharing; and to lay out the groundwork for minimum cybersecurity requirements for sectors that currently lack them.

The regulatory push represents a dramatic shift from the government’s approach to infrastructure protection a decade ago. The Biden administration, having concluded that voluntary partnerships were not sufficiently reducing risks to essential services, has applied new cyber rules to the aviation, pipeline, railroad, maritime, and medical device industries, and the Department of Health and Human Services is working on security requirements for hospitals. Now, the administration plans to use the new memo to turbocharge efforts to apply rules to other sectors.

“It is important that we work together to set baseline security standards for the lifeline sectors on which the American way of life and our democracy depends,” Durkovich says.

The document tasks the government’s “Sector Risk Management Agencies,” or SRMAs—each of which oversees and assists one or more infrastructure sectors with cyber and physical security—with determining whether existing rules adequately address their industries’ vulnerabilities and, if not, crafting new rules. The memo includes a process to help agencies if they conclude that they lack “the tools or authorities necessary to ensure effective implementation of those requirements,” a senior administration official said during Monday’s briefing, speaking anonymously pursuant to the White House’s terms.

That process is designed to support agencies like the Environmental Protection Agency, which tried to issue cyber requirements for water systems in 2023 but abandoned the effort after a legal challenge from industry groups and Republican-led states.

Anticipating further industry pushback to new rules in various sectors, the White House is promising to collaborate with companies. “These requirements … need to be developed in close coordination with the owners and operators of that infrastructure to ensure they are appropriate and proportionate to the vulnerability,” the senior administration official says.

In addition to new cyber standards, the memo attempts to kickstart more harmonious and productive information-sharing relationships between government agencies and private companies. The private sector often complains that agencies either declassify information too slowly or keep it tightly restricted to only executives with security clearances. Many companies say that without timely access to the government’s detailed intelligence about hackers’ activities, it is difficult to stay ahead of those adversaries.

To address these tensions, Biden is directing US spy agencies to redouble their efforts to “collect, produce, and share intelligence” with infrastructure operators, Durkovich says.

The memo requires the Office of the Director of National Intelligence (ODNI) to produce a report on the state of the government’s information-sharing with the private sector. As part of that process, the senior administration official says, ODNI will work with CISA and other agencies to write procedures for better outreach to companies.

The government can look to two recent case studies for insights about the best ways to share useful information without jeopardizing the sensitive sources and methods used to gather it. As Russia began its expanded invasion of Ukraine in 2022, the intelligence community declassified and published intelligence about the Kremlin’s plans at such a rapid tempo that it stunned many former officials. And when officials wanted to warn companies about the seriousness of China’s recent cyber intrusions into US infrastructure, they convened classified briefings that starkly laid out the potential damage Beijing could do in the event of a war.

“We have a lot of instructive emerging practices and lessons learned from what has happened in the first three years of this administration,” says the senior official.

In addition to the report on information sharing, the memo also gives ODNI 180 days to produce a formal intelligence assessment on threats to America’s infrastructure, and the senior official says the government “will work to share that” with companies to the extent possible.

Beyond its major substantive changes, the new memo significantly boosts the stature of CISA, which did not exist when the previous plan was written. The memo codifies CISA’s twin roles as a government-wide coordinator for infrastructure security work and as the designated SRMA for eight of the 16 sectors.

CISA has pursued its role as the lead infrastructure protection agency in multiple ways, its director, Jen Easterly, told reporters during Monday’s briefing.

First, CISA reestablished a council of senior officials that makes major decisions about how agencies coordinate to address risks. Second, Easterly says, CISA has provided agencies with “guidance and templates” to help produce risk assessments and risk management plans for each of their sectors. Third, CISA is finalizing a list of “systemically important entities” whose operations power daily life in fundamental ways.

The government will work with the companies on the important-entities list—there are fewer than 500 of them—“to ensure they have the resources necessary to manage risk,” a second senior administration official told reporters on Monday. Those companies will also be priorities for regulation.

While it updates key parts of the government’s defensive playbook, the memo does not change the basic structure underpinning this work: the 16 sectors—each containing a collection of related industries—that together comprise the nation’s critical infrastructure. A CISA report published in late 2021 recommended that the administration consider adding new sectors for the space and bioeconomy industries, but officials decided not to do so.

“Because space is really a part of so many different sectors, it did not, at this time, make sense to break space out as a separate sector,” the second senior official says. (CISA is, however, focused on space cybersecurity.) Government leaders similarly decided that bioeconomy risks were not unique enough to merit a new sector. But both industries could receive their own sectors in the future “if there are significant changes” to the risks they face, says the second official.

In light of how quickly those risks and other conditions could change, the memo directs DHS to submit a “national risk management plan” to the White House every two years summarizing what the government is doing to prevent harm.

Biden administration officials see the new document as more than just an updated strategy. To them, it is a watershed moment in how the government organizes itself to protect Americans from poisoned water, widespread blackouts, and other infrastructure disasters.

The new memo, Durkovich says, “prepares us for the next decade—what the president calls the decisive decade—and what lies out on the horizon.”

The White House Has a New Master Plan to Stop Worst-Case Scenarios

With RSAC just a week away, Cisco Talos is gearing up for another year of heading to San Francisco to share in some of the latest major cybersecurity announcements, research and news.

Tuesday, April 30, 2024 08:00

With RSAC just a week away, Cisco Talos is gearing up for another year of heading to San Francisco to share in some of the latest major cybersecurity announcements, research and news.  

We’ve pulled together the highlights, so you don’t miss out on all things Talos.  

**Tuesday, May 5**  

Joe Marshall will be presenting on Project Power Up alongside Tara Vasyliv of NPC UKRENERGO on how Talos has helped to protect Ukraine’s power grid from disruptive electronic warfare. Reserve your seat for the 8:30 a.m. session here. 

Nick Biasini will be giving a lighting talk at the Cisco Booth N-5845 in the North Hall at 3:30 p.m. on the good, the bad and the ugly of ransomware in 2024.  

**Wednesday, May 6**  

Nicole Hoffman will be signing her children’s book, “The Mighty Threat Intelligence Warrior,” at 12:30 p.m. in the RSA Bookstore located in Moscone South, Esplanade Level.  

**Thursday, May 7**  

Hoffman will be out again, this time hosting a session on applying past lessons learned in hopes of a better future for identify threat detection at 9:40 a.m. in Moscone West 3022. Reserve a seat for the session here.  

And you can always follow along all week on X and LinkedIn for the latest updates.

Cisco Talos at RSAC 2024

The U.S. government has unveiled new security guidelines aimed at bolstering critical infrastructure against artificial intelligence (AI)-related threats.
"These guidelines are informed by the whole-of-government effort to assess AI risks across all sixteen critical infrastructure sectors, and address threats both to and from, and involving AI systems," the Department of Homeland Security (DHS)&

U.S. Government Releases New AI Security Guidelines for Critical Infrastructure

PRESS RELEASE

SAN DIEGO, April 29, 2024/PRNewswire/ -- ESET, a global leader in cybersecurity solutions, today announced the launch of two new Managed Detection and Response (MDR) subscription tiers: ESET PROTECT MDR for small and medium businesses (SMBs) and ESET PROTECT MDR Ultimate for enterprises. These offerings are built on the foundation of ESET PROTECT Elite and ESET PROTECT Enterprise, offering businesses of all sizes the most comprehensive, AI-powered threat detection and response capabilities, in combination with expert human analysis and comprehensive threat intelligence.

ESET's MDR offerings are designed to cater to the specific needs of both SMBs and Enterprises. To that end, ESET PROTECT MDR delivers a comprehensive cybersecurity package, offering 24/7/365 superior protection that addresses the most common challenges of small and medium-sized businesses. This includes modern protection for endpoints, email, and cloud applications, vulnerability detection and patching, and managed threat monitoring, hunting, and response. It addresses the cybersecurity talent shortages and ensures compliance with cyber insurance and regulations, offering a remarkable 20-minute average time to detect and respond, a comprehensive MDR dedicated dashboard and regular reporting for complete peace of mind.

For enterprises, ESET PROTECT MDR Ultimate offers continuous proactive protection and enhanced visibility, coupled with customized threat hunting and remote digital forensic incident response assistance. This comprehensive service is designed to support overstretched SOC teams, providing them with 24/7 access to world-class cybersecurity expertise. It ensures enterprises stay one step ahead of all known and emerging threats, effectively closing the cybersecurity skills gap, and facilitating expert consultations for incident management and containment in a fully managed experience.

ESET also sets itself apart with its own telemetry and unique global coverage, leveraging its detections and ESET Research to gather unique data about attacks, a competitive edge not offered by many players in the market.

"With the update of our business offering, we want to make ESET products accessible to customers without the necessary skill set or resources to operate them, but to also empower organizations to navigate the digital landscape confidently, safeguarded by our expertise and continuous, comprehensive coverage," stated Michal Jankech, Vice President of SMB and MSP segment at ESET.

Enhancements to the ESET business portfolio

Additionally, all ESET PROTECT subscription tiers, starting from ESET PROTECT Advanced, are now enhanced with ESET Mobile Threat Defense (EMTD). This new value-added, standalone module extends attack vector coverage to an organization's entire mobile fleet, seamlessly integrating into the ESET PROTECT Platform for efficient management, ensuring comprehensive protection for mobile devices. EMTD also includes a Mobile Device Management (MDM) functionality, with added support for Microsoft Entra ID.

Moreover, ESET Server Security introduces a firewall specifically designed for Windows servers, and Vulnerability & Patch Management, offering manual patch management and a 60-second delay of application process kill.

Finally, ESET LiveGuard Advanced now also offers advanced behavioral reports for our detection and response customers, providing an in-depth look into how our cloud sandboxing technology analyzes suspicious files, offering better visibility and context for security operators like cybersecurity and threat analysts, security engineers, or threat responders.

"This significant launch underscores ESET's unwavering dedication to delivering superior protection and services, effectively responding to the dynamic challenges faced by customers to stay one step ahead of threats," added Michal Jankech, Vice President of SMB and MSP segment at ESET.

For more detailed information about ESET and its updated portfolio, please visit the dedicated offering pages for SMBs and Enterprises.

About ESET  
ESET provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of known and emerging cyber threats — securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud or mobile protection, its AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multi-factor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. An ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and X.

ESET PROTECT Portfolio Now Includes New MDR Tiers and Features

Red teaming is a crucial part of proactive GenAI security that helps map and measure AI risks.

Source: josefotograf via Alamy

Generative artificial intelligence (GenAI) has emerged as a significant change-maker, enabling teams to innovate faster, automate existing workflows, and rethink the way we go to work. Today, more than 55% of companies are currently piloting or actively using GenAI solutions.

But for all its promise, GenAI also represents a significant risk factor. In an ISMG poll of business and cybersecurity professionals, respondents identified a number of concerns around GenAI implementation, including data security or leakage of sensitive data, privacy, hallucinations, misuse and fraud, and model or output bias.

For organizations looking to create additional safeguards around GenAI use, red teaming is one strategy they can deploy to proactively uncover risks in their GenAI systems. Here's how it works.

**Unique Considerations When Red Teaming GenAI**

GenAI red teaming is a complex, multistep process that differs significantly from red teaming classical AI systems or traditional software.

For starters, while traditional software or classical AI red teaming is primarily focused on identifying security failures, GenAI red teaming must account for responsible AI risks. These risks can vary widely, ranging from generating content with fairness issues to producing ungrounded or inaccurate information. GenAI red teaming has to explore potential security risks and responsible AI failures simultaneously.

Additionally, GenAI red teaming is more probabilistic than traditional red teaming. Executing the same attack path multiple times on traditional software systems is likely to yield similar results.

However, due to its multiple layers of nondeterminism, GenAI can provide different outputs for the same input. This can happen due to app-specific logic or the GenAI model itself. Sometimes the orchestrator that controls the output of the system can even engage different extensibility or plug-ins. Unlike traditional software systems with well-defined APIs and parameters, red teams must account for the probabilistic nature of GenAI systems when evaluating the technology.

Finally, system architectures vary widely between different types of GenAI tools. There are standalone applications, integrations with existing applications, and input and output modalities, like text, audio, images, and videos, for teams to consider.

These different system architectures make it incredibly difficult to conduct manual red-team probing. For example, to surface violent content generation risks on a browser-hosted chat interface, red teams would need to try different strategies multiple times to gather sufficient evidence of potential failures. Doing this manually for all types of harm, across all modalities and strategies, can be exceedingly tedious and slow.

**Best Practices for GenAI Red Teaming**

While manual red teaming can be a time-consuming, labor-intensive process, it's also one of the most effective ways to identify potential blind spots. Red teams can also scale certain aspects of probing through automation, particularly when it comes to automating routine tasks and helping identify potentially risky areas that require more attention.

At Microsoft, we use an open automation framework — known as the Python Risk Identification Tool for generative AI (PyRIT) — to red team GenAI systems. It is not intended to replace manual GenAI red teaming, but it can augment red teamers' existing domain expertise, automate tedious tasks, and create new efficiency gains by identifying hot spots for potential risks. This allows security professionals to control their GenAI red-teaming strategy and execution while PyRIT provides the automation code to generate potentially harmful prompts based on the initial dataset of harmful prompts provided by the security professional. PyRIT can also change tactics based on the GenAI system's response and generate its next input. 

Regardless of the method you use, sharing GenAI red-teaming resources like PyRIT across the industry raises all boats. Red teaming is a crucial part of proactive GenAI security, enabling red teamers to map AI risks, measure identified risks, and build out scoped mitigations to minimize their impact. In turn, this empowers organizations with the confidence and security they need to innovate responsibly with the latest AI advances.

— Read more Partner Perspectives from Microsoft Security

**About the Author(s)**

Microsoft

Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

Tag

#intel