Find out why Uncle Sam is warning critical infrastructure facilities about drones made in China, while urging water treatment plants to beef up incident response plans. Plus, the challenges stressing out CISOs are also opening new doors for them. In addition, the latest on the Androxgh0st malware. And much more!
Dive into six things that are top of mind for the week ending January 19.
Here’s a warning from the U.S. government to critical infrastructure organizations: If the drones you’re using were made in China, be careful.
Why? These drones represent a “significant risk” because the data they collect could end up in the hands of the Chinese government, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) said this week.
At issue are laws enacted by the People’s Republic of China (PRC) that give the government “expanded legal grounds” to access and control data held by firms in China, according to CISA and the FBI.
As a result, using unmanned aircraft systems (UAS), more commonly known as drones, “requires careful consideration and potential mitigation to reduce risk to networks and sensitive information,” reads the joint advisory “Cybersecurity Guidance: Chinese-Manufactured UAS.”
“Without mitigations in place, the widespread deployment of Chinese-manufactured UAS in our nation’s key sectors is a national security concern, and it carries the risk of unauthorized access to systems and data,” Bryan A. Vorndran, Assistant Director of the FBI’s Cyber Division, said in a statement.
To mitigate this risk, the agencies’ recommendations include:
To get more details, check out:
What’s the current mindset of the average CISO? Apparently it’s a contrasting combination of stress over mounting challenges and enthusiasm over new opportunities.
That’s according to the “State of the CISO, 2023–2024 Benchmark Report” from IANS Research and Artico Search, which was announced this week and is based on a survey of 660 CISOs and on unstructured interviews with 100 CISOs.
For example, CISOs worry about tightening budgets, increasingly sophisticated cyberattacks, mounting cyber regulations, chilling personal liability risk, and the threat from malicious AI use.
But these and other challenges also raise CISOs’ profiles in their organizations, opening the door for them to play a larger role.
“Navigating an exceptionally complex landscape, CISOs are having to do more with less and risk personal legal exposure,” reads a blog post about the report.
“The upside? Increased pressure on organizations gives CISOs more leeway to influence business leadership along with an unprecedented opportunity to argue for a place in the executive ranks,” the blog adds.
Here are key findings from the report:
(Source: “State of the CISO, 2023–2024 Benchmark Report” from IANS Research and Artico Search, January 2024)
For more information about current CISO challenges and opportunities:
VIDEOS
CISO 2024 Predictions (CDM Media)
Achievements and Aspirations: Reflecting on 2023 and Predicting 2024 (CISO Global)
A big target for cyber attackers, water and wastewater treatment organizations must have solid cyber incident response plans and capabilities. That’s why CISA, the FBI and the Environmental Protection Agency this week published the “Water and Wastewater Sector - Incident Response Guide.”
The 27-page document offers these critical infrastructure organizations a set of best practices for responding to cyberattacks; guidance for reporting cyber incidents; and information about available resources from the federal government.
The guide covers these core stages of incident response:
The water and wastewater systems (WWS) sector faces significant cyber resilience challenges, including the need to comply with a mix of federal, state and local regulations; uneven cyber maturity levels among operators; and often insufficient cybersecurity resources.
“In the new year, CISA will continue to focus on taking every action possible to support ‘target-rich, cyber-poor’ entities like WWS utilities,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein said in a statement.
More than 25 partners contributed to the guide, including Tenable.
To get more details, read the announcement “CISA, FBI and EPA Release Incident Response Guide for Water and Wastewater Systems Sector” and the “Water and Wastewater Sector - Incident Response Guide.”
For more information about the cybersecurity of water plants:
VIDEO
Cyber group backed by Iran is taking credit for Pennsylvania water system cyberattack (ABC News)
The U.S. urgently needs laws and regulations to govern the use of facial recognition technology, whose adoption has ballooned with little guidance on how to develop and deploy it responsibly and prevent abuses.
That’s the main takeaway from the National Academies of Sciences, Engineering and Medicine’s “Facial Recognition Technology: Current Capabilities, Future Prospects and Governance” report, published this week.
“Facial recognition technology generates novel and complex legal challenges and raises a variety of distinct, unsettled legal questions,” Jennifer Mnookin, co-chair of the committee that authored the report, said in a statement.
“It also raises complicated social questions about privacy and public and private surveillance, given the highly personal implications of the technology,” added Mnookin, who is chancellor of the University of Wisconsin-Madison.
Specifically, the report, which was sponsored by the U.S. Department of Homeland Security and the FBI, raises concerns around potential harm to people’s privacy and civil liberties from misuse of facial recognition tools, which increasingly are:
Recommendations include:
The National Academies of Sciences, Engineering, and Medicine is a private, nongovernmental organization created by the U.S. Congress to provide independent, objective advice on technology, medicine and science issues.
For more information about the risks of facial recognition technology:
During Tenable’s recent webinar “When, Why, and How Your Security Team Needs to Harness the Power of CNAPPs,” we took the opportunity to poll the audience about several cloud topics. Check out what they said about their cloud security challenges, app delivery models and security provider roster.
(50 respondents polled by Tenable, January 2024)
(46 respondents polled by Tenable, January 2024)
(46 respondents polled by Tenable, January 2024)
Want to get all the insights offered during the webinar about leveraging cloud native application protection platforms (CNAPPs) to improve security, agility and competitiveness? Watch it on demand!
Is the Androxgh0st malware on your radar screen? A new advisory published this week by CISA and the FBI details Androxgh0st indicators of compromise; tactics, techniques and procedures; and mitigation strategies.
“Androxgh0st malware establishes a botnet for victim identification and exploitation in vulnerable networks, and targets files that contain confidential information, such as credentials, for various high profile applications,” reads a CISA-FBI alert.
Specifically, attackers using Androxgh0st have been observed exploiting these vulnerabilities, which can lead to remote code execution:
“Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and web shell deployment,” reads the advisory.
Mitigation recommendations include:
To get more details, read:
Juan has been writing about IT since the mid-1990s, first as a reporter and editor, and now as a content marketer. He spent the bulk of his journalism career at International Data Group’s IDG News Service, a tech news wire service where he held various positions over the years, including Senior Editor and News Editor. His content marketing journey began at Qualys, with stops at Moogsoft and JFrog. As a content marketer, he's helped plan, write and edit the whole gamut of content assets, including blog posts, case studies, e-books, product briefs and white papers, while supporting a wide variety of teams, including product marketing, demand generation, corporate communications, and events.