Infosec Monitor: No. 1

Sunday, November 5th, 2023

News

SEC Sues Solarwinds CISO

As the SEC moves this week to tighten disclosure rules for material cybersecurity incidents, comes news that it is charging SolarWinds over the 2020 hack. The source names then-CISO Timothy Brown as knowing that SolarWinds' cybersecurity practices were poor and not meeting standards while publicly stating the opposite. Source

White House Executive Order on AI

The White House has released a broad executive order to “ensure that America leads the way” in AI. Key aspects include new standards and oversight for AI safety and security. One of the best takes I heard this week on the EO was by the All-In Podcast, where critical questions are raised on government overreach, enforceability, worries about legislative capture, and the lack of an outcomes-based approach. Source

CVSS 4.0 Released

FIRST has announced CVSS 4.0. While I’m not a fan of CVSS scores used for prioritization, the ability to cohesively describe a vulnerability is necessary. 4.0 addresses applicability to OT/ICS/IoT, and an aspect I like is the new nomenclature for Base + Threat + Environmental. Source
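As an added illustration that is not part of the newsletter, the Python below classifies a CVSS v4.0 vector string by the metric groups it actually supplies, which is exactly what the Base + Threat + Environmental nomenclature (CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE) expresses. The metric abbreviations follow the FIRST CVSS v4.0 specification; the sample vector strings are constructed for this example.

```python
"""Classify a CVSS v4.0 vector by the metric groups it carries.

CVSS 4.0 names a score by the groups it includes:
  CVSS-B   Base metrics only
  CVSS-BT  Base + Threat
  CVSS-BE  Base + Environmental
  CVSS-BTE Base + Threat + Environmental
A Threat or Environmental metric left at "X" (Not Defined) does not
count as supplied, so "E:X" still yields CVSS-B.
"""

# Metric group membership per the FIRST CVSS v4.0 specification.
BASE = {"AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"}
THREAT = {"E"}
ENVIRONMENTAL = {
    "CR", "IR", "AR",
    "MAV", "MAC", "MAT", "MPR", "MUI",
    "MVC", "MVI", "MVA", "MSC", "MSI", "MSA",
}
SUPPLEMENTAL = {"S", "AU", "R", "V", "RE", "U"}
KNOWN = BASE | THREAT | ENVIRONMENTAL | SUPPLEMENTAL


def parse_vector(vector: str) -> dict:
    """Parse 'CVSS:4.0/AV:N/...' into {metric: value}, validating structure."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector: missing 'CVSS:4.0' prefix")
    metrics = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or not name or not value:
            raise ValueError(f"malformed metric component: {part!r}")
        if name not in KNOWN:
            raise ValueError(f"unknown metric: {name!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric: {name!r}")
        metrics[name] = value
    missing = BASE - metrics.keys()
    if missing:
        # All eleven Base metrics are mandatory in a valid v4.0 vector.
        raise ValueError(f"missing mandatory Base metrics: {sorted(missing)}")
    return metrics


def _group_supplied(metrics: dict, group: set) -> bool:
    """True if any metric in the group is present with a value other than X."""
    return any(metrics.get(m, "X") != "X" for m in group)


def nomenclature(vector: str) -> str:
    """Return CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE for a v4.0 vector."""
    metrics = parse_vector(vector)
    suffix = "B"
    if _group_supplied(metrics, THREAT):
        suffix += "T"
    if _group_supplied(metrics, ENVIRONMENTAL):
        suffix += "E"
    return f"CVSS-{suffix}"


# Constructed sample vectors (not taken from any real advisory).
BASE_ONLY = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
SAMPLES = {
    "base only": BASE_ONLY,
    "base + threat (exploit maturity attacked)": BASE_ONLY + "/E:A",
    "base + environmental (confidentiality req high)": BASE_ONLY + "/CR:H",
    "base + threat + environmental": BASE_ONLY + "/E:P/MAV:L",
    "threat explicitly not defined": BASE_ONLY + "/E:X",
}

if __name__ == "__main__":
    for label, vec in SAMPLES.items():
        print(f"{nomenclature(vec):9s}  {label}")
```

Because a vector that omits the Threat and Environmental groups is still valid, the classifier treats absence and an explicit `X` identically; that is the distinction the CVSS-B/BT/BE/BTE labels are meant to make visible when scores from different sources are compared.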

New York Increases Cybersecurity Rules

The NYDFS has expanded the scope of its cybersecurity regulations to include a 72-hour reporting window (which was refined to "after determining"), increased oversight, and notably the requirement to provide reasoning for ransomware payments. Source Source

Microsoft Advanced Security Engineering

Catalog this under "not soon enough." Brad Smith, Microsoft’s Vice Chair and President, announced new initiatives this week addressing Microsoft’s cybersecurity response. In a move that feels remarkably similar to Microsoft's early 2000s action on bugs, the announcement addresses secure-by-design engineering changes, updates on secure default practices, access and identification, and security update responses. In a world of generally available AI (brought to you by them) and hyper-iterative attacks, this feels both appropriate and a step behind. Source


Cyber Security Incidents

Mr. Cooper Outage

An outage to mortgage processing giant Mr. Cooper is being blamed on a “cybersecurity incident.” I can attest that they’ve still not been able to process mortgages. No data loss has been reported yet. Source

Okta Breach (Yes, Again)

I did a double-take to make sure this was a new incident. But yes, Okta has been hit again. This time, “only” employee data was impacted (covering 5,000 employees), highlighting everyone’s increasing worries about third-party risk; the attack vector came through a vendor. Source

About

Cybersecurity is at a crossroads, changing more rapidly than we believed was possible just a few years ago. Stay informed on what’s going on, what’s happened, and what’s coming next.

I’m Bryan Smith, the author of the InfoSec Monitor. I’ve spent over a decade pioneering changes in how cybersecurity is managed, from helping create the first cyber risk quantification (CRQ) software to advising how to approach cybersecurity pragmatically and proactively.

Data

2023 Comcast Small Business Cybersecurity Report

48% of companies reported a cyberattack in 2022, up 7% y/y, and all of this before advanced AI-driven phishing. What will 2023’s data show? Source

ISC2 Cybersecurity Workforce Study

The supply of cybersecurity professionals has grown by 8.7%, but the shortfall grew by 12.6%. Where will we get 4 million more trained professionals? With more companies than ever seeing cyber incidents, can we lean on AI to close the gap? Source

Cybersecurity M&A

Palo Alto Networks, $600M deal for Israeli startup Talon Cyber Security Source

Accenture, acquires Innotec Security for undisclosed sum Source