A novel technique to stump artificial intelligence (AI) text-based systems increases the likelihood of a successful cyberattack by 60%.

Source: Krot Studio via Alamy Stock Photo

A new jailbreak technique for OpenAI and other large language models (LLMs) increases the chance that attackers can circumvent cybersecurity guardrails and abuse the system to deliver malicious content.

Discovered by researchers at Palo Alto Networks' Unit 42, the so-called Bad Likert Judge attack asks the LLM to act as a judge scoring the harmfulness of a given response using the Likert scale. The psychometric scale, named after its inventor and commonly used in questionnaires, is a rating scale measuring a respondent's agreement or disagreement with a statement.

The jailbreak then asks the LLM to generate responses that contain examples that align with the scales, with the ultimate result being that "the example that has the highest Likert scale can potentially contain the harmful content," Unit 42's Yongzhe Huang, Yang Ji, Wenjun Hu, Jay Chen, Akshata Rao, and Danny Tsechansky wrote in a post describing their findings.

Tests conducted across a range of categories against six state-of-the-art text-generation LLMs from OpenAI, Azure, Google, Amazon Web Services, Meta, and Nvidia revealed that the technique can increase the attack success rate (ASR) by more than 60% compared with plain attack prompts on average, according to the researchers.

The categories of attacks evaluated in the research involved prompting various inappropriate responses from the system, including: ones promoting bigotry, hate, or prejudice; ones engaging in behavior that harasses an individual or group; ones that encourage suicide or other acts of self-harm; ones that generate inappropriate explicitly sexual material and pornography; ones providing info on how to manufacture, acquire, or use illegal weapons; or ones that promote illegal activities.

Other categories explored and for which the jailbreak increases the likelihood of attack success include: malware generation or the creation and distribution of malicious software; and system prompt leakage, which could reveal the confidential set of instructions used to guide the LLM.

**How Bad Likert Judge Works**

The first step in the Bad Likert Judge attack involves asking the target LLM to act as a judge to evaluate responses generated by other LLMs, the researchers explained.

"To confirm that the LLM can produce harmful content, we provide specific guidelines for the scoring task," they wrote. "For example, one could provide guidelines asking the LLM to evaluate content that may contain information on generating malware."

Once the first step is properly completed, the LLM should understand the task and the different scales of harmful content, which makes the second step "straightforward," they said. "Simply ask the LLM to provide different responses corresponding to the various scales," the researchers wrote.

"After completing step two, the LLM typically generates content that is considered harmful," they wrote, adding that in some cases, "the generated content may not be sufficient to reach the intended harmfulness score for the experiment."

To address the latter issue, an attacker can ask the LLM to refine the response with the highest score by extending it or adding more details. "Based on our observations, an additional one or two rounds of follow-up prompts requesting refinement often lead the LLM to produce content containing more harmful information," the researchers wrote.

**Rise of LLM Jailbreaks**

The exploding use of LLMs for personal, research, and business purposes has led researchers to test their susceptibility to generate harmful and biased content when prompted in specific ways. Jailbreaks are the term for methods that allow researchers to bypass guardrails put in place by LLM creators to avoid the generation of bad content.

Security researchers have already identified several types of jailbreaks, according to Unit 42. They include one called persona persuasion; a role-playing jailbreak dubbed Do Anything Now; and token smuggling, which uses encoded words in an attacker's input.

Researchers at Robust Intelligence and Yale University also recently discovered a jailbreak called Tree of Attacks with Pruning (TAP), which involves using an unaligned LLM to "jailbreak" another aligned LLM, or to get it to breach its guardrails, quickly and with a high success rate.

Unit 42 researchers stressed that their jailbreak technique "targets edge cases and does not necessarily reflect typical LLM use cases." This means that "most AI models are safe and secure when operated responsibly and with caution," they wrote.

**How to Mitigate LLM Jailbreaks**

However, no LLM matter is completely secure from jailbreaks, the researchers cautioned. The reason that they can undermine the security that OpenAI, Microsoft, Google, and others are building into their LLMs is mainly due to the computational limits of language models, they said.

"Some prompts require the model to perform computationally intensive tasks, such as generating long-form content or engaging in complex reasoning," they wrote. "These tasks can strain the model's resources, potentially causing it to overlook or bypass certain safety guardrails."

Attackers also can manipulate the model's understanding of the conversation's context by "strategically crafting a series of prompts" that "gradually steer it toward generating unsafe or inappropriate responses that the model's safety guardrails would otherwise prevent," they wrote.

To mitigate the risks from jailbreaks, the researchers recommend applying content-filtering systems alongside LLMs for jailbreak mitigation. These systems run classification models on both the prompt and the output of the models to detect potentially harmful content.

"The results show that content filters can reduce the ASR by an average of 89.2 percentage points across all tested models," the researchers wrote. "This indicates the critical role of implementing comprehensive content filtering as a best practice when deploying LLMs in real-world applications."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Bad Likert Judge' Jailbreak Bypasses Guardrails of OpenAI, Other Top LLMs

The results of Dark Reading's 2024 Strategic Security Survey suggest that security teams continue to grapple with the challenges that come with increased cloud adoption, such as data visibility and loss of controls. Managing cloud risks will be a focus for security teams in 2025.

Source: John Williams RF via Alamy Stock Photo

Enterprise IT and security managers had a lot to worry about in 2024, such as the exploding number of vulnerabilities, increased volume of threats against their organizations, constant drumbeat of data breaches, and steady stream of user errors and behaviors to manage. Also a big concern was the growing risk exposure as a result of their organizations' increased reliance on cloud technologies.

Respondents to Dark Reading's Strategic Security Survey revealed growing concerns about risks tied to cloud services. In the face of rising adoption of cloud services for data storage, applications, and business operations, organizations appear to be particularly worried about their dependence on cloud providers' security measures and their reduced control over data in cloud environments. Thirty-five percent of organizations, compared with just 23% in the 2023 survey, reported using between 10 and 29 cloud applications internally. Most organizations said they work with multiple cloud providers, which contributes to the visibility challenges. Almost half (48%) rely on two or three providers, and 60% use between two to five cloud service providers.

The near ubiquity of the cloud means organizations are increasingly concerned about cloud security threats. Exploits targeting cloud service providers is the top worry for almost half of the respondents (49.6%), followed closely by cloud services breaches and intrusions (47.8%). The lack of data visibility in cloud environments and an inability to enforce security policies on cloud-stored data tie for third place (39.1%). In comparison, the 2023 survey revealed 45% of respondents worried about cloud exploits, 38% worried about cloud services breaches, and 24% worried about the inability to enforce security policies in the cloud.

The complexity of cloud security is further highlighted by organizations' staffing and control concerns. Overreliance on cloud service providers to detect data breaches was cited by 28.7% of respondents, while 19.1% expressed concern about unclear incident-response protocols with their cloud service providers. Notably, the percentage of organizations worried about their inability to enforce security policies on cloud-stored data increased from 24.4% in 2023 to 39.1% in 2024, suggesting a growing awareness of the challenges in maintaining security control in cloud environments. These findings indicate that while organizations continue to embrace cloud services, they struggle with visibility, control, and the division of security responsibilities between themselves and their cloud service providers.

Security teams have long grappled with the challenges posed by the shared responsibility model with cloud providers, where the provider and the organization have to work together to handle their part of the security tasks. The survey found that organizations are increasingly including the challenges of shared responsibility models, data sovereignty issues, and loss of control in their risk assessments. For instance, 39% are worried about risks tied to a lack of visibility in cloud environments, and an identical proportion believed their inability to enforce enterprise data security policies in the cloud has put them at risk. Nearly three in 10 (29%) are concerned about their overreliance on cloud vendors to detect security issues.

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Managing Cloud Risks Gave Security Teams a Big Headache in 2024

The fast growing region has its own unique cyber issues — and it needs its own talent to fight them.

Source: Panther Media via Alamy Stock Photo

COMMENTARY

The Middle East is undergoing a digital transformation that is as rapid as it is remarkable. Tech multinationals are investing big in the region as Dubai, Riyadh, and Abu Dhabi strive to establish themselves as global innovation hubs.   

But this increased digitization comes with an increased risk of cyberattacks — and businesses throughout the Middle East are at risk of being caught with their guard down.

The pace of digital growth in countries throughout the Middle East has far outstripped cybersecurity talent in the region, leaving organizations fatally exposed. While some businesses resort to outsourcing their cybersecurity measures to tech giants and their tools, this hands-off approach is risk-prone.

The Middle East now sits squarely in the firing line. With cyberattacks emboldened by AI, robust cybersecurity defenses are more crucial than ever. Businesses must move away from outsourcing and focus on building strong in-house defenses by investing in tool-based approaches and heavily leveraging in-house hiring, upskilling, and talent retention practices.

**Victims of Their Own Success?**

The commercial success of locations like Dubai, Abu Dhabi, and Saudi Arabia has transformed them into potential hotbeds for cybercrime. Distributed denial-of-service (DDoS) attacks on Middle Eastern countries have risen 75% in the past year, with the UAE and Saudi Arabia taking the brunt of the blow. 

Related:Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel

The UAE alone falls victim to around 50,000 cyberattacks a day. And it comes at a cost: in 2023, cyberattacks cost businesses, organizations, and public bodies more than $8 million per incident.

The uptick in cyberattacks is only exacerbated by changing patterns in the cybercrime landscape. The rise of AI has lowered the barrier to entry for would-be hackers, allowing those with even the most novice skills to carry out a full-scale attack. Meanwhile, the proliferation of cybercrime as a service (CaaS), offering services like DDoS-for-hire, means threat actors now need little more than an intention to launch a cyberattack. In this new era of cybercrime, where there's a will, there's a way.

The current cybersecurity skills gap seen throughout the Middle East is leaving companies exposed and vulnerable to bad actors. Over half the companies in the EMEA region have attributed cybersecurity breaches to a lack of skills and training, while 70% of business leaders believe that skills shortages create a whole host of additional cybersecurity risks for companies to address.

**AI Muddles Outsourced Security Equation**

Related:DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

Too many businesses attempt to remedy this lack of talent by outsourcing their cybersecurity to third parties. While this might have been effective when countries like the US were the main target for threat actors, that's no longer the case.   

The rise of AI-enhanced cyberattacks presents a new host of threats that businesses outsourcing cybersecurity won't necessarily be able to tackle. Not only has AI made it easier for threat actors to carry out cyberattacks, it's also made the attacks themselves more sophisticated and more malicious.

AI-enhanced malware is stealthier, making it harder to detect a breach of IT infrastructure. Automated phishing attacks enable bad actors to target a larger number of potential victims, while the phishing attacks themselves are highly tailored to their targets.

It is crucial that Middle Eastern businesses — particularly those in the UAE and Saudi Arabia — are on top of their cybersecurity measures. They cannot sit back and outsource cybersecurity with the assumption that the risk is also transferred. Instead, they must take an active approach to their cybersecurity measures by building up a strong in-house cybersecurity team that can identify, respond to, and deal with threats in an effective and timely manner. 

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

Bringing cybersecurity in-house mitigates the risks that can crop up when relying on outsourced defenses, such as slow response times. Instead, in-house cybersecurity teams will have their fingers on the pulse of the business's security framework, as well as a thorough understanding of business specifics, enabling them to react quickly to threats.

But to achieve this, businesses must invest heavily in new and pre-existing IT talent to close the Middle East's skills gap — and this should be done with a particular focus on hiring and retention practices.

**Retention Is Tough in Smaller Talent Pool**

Over half of organizations globally say they struggle to recruit candidates with cybersecurity experience. Difficulties in hiring cybersecurity talent are compounded by trouble retaining cybersecurity staff, throwing employers into a vicious cycle of hiring and re-hiring. In the Middle East, where the digital economy is still young, this is of particular concern — the talent pool is finite, and companies cannot afford to lose out on promising employees.   

To combat this, corporations in the Middle East should turn their attention to the fresh talent coming out of universities throughout the Middle East and around the world. By forming partnerships with universities and offering attractive graduate schemes, businesses can tap into dense talent pools brimming with promising cybersecurity talent.

Graduates are eager to learn and willing to mold to the company ethos, making them the ideal choice for corporations looking to build up a dedicated in-house cybersecurity team.

Investing in apprenticeship schemes is another option for companies. Although more hands-on, companies will be able to train candidates from the ground up, ensuring the candidate's skills and knowledge are strongly aligned with the business's cybersecurity needs.

**Learning & Development Must Be Fostered**

Retaining this talent is just as crucial as bringing them on board in the first place.  Alongside the usual retention tactics, such as competitive pay packets and desirable benefits, companies must invest heavily in continuous learning and development (L&D) opportunities throughout the employee's career.  

Poor training — or a lack of training altogether — is a surefire way to lose employees. Conversely, 94% of employees say they would stay longer with an employer that invested in L&D. In a fast-changing, continually developing industry like cybersecurity, L&D is especially vital.

Investing in training sessions and development courses for cybersecurity employees will ensure they're kept up to date with any changes in the threat and security landscape. And, in the process, employees will feel as if the company is giving them opportunities to develop their skills and abilities, rounding them out into highly experienced cybersecurity professionals.

Investing in staff as a cybersecurity tactic shouldn't begin and end with cybersecurity staff. Deploying a company-wide cybersecurity upskilling program is a vital first step — and a simple way of ruling out one of the greatest causes behind cybersecurity breaches: human error. Negligence, a lack of awareness, or simple mistakes can lead to vulnerabilities and breaches, even in the most robust systems. Upskilling is a vital step companies must take to mitigate this risk.

With the rising rate of cyberattacks in the Middle East, corporations cannot afford to sit back and wait until they become the next big victim of a data breach or DDoS attack.

Companies can't rely solely on third-party cybersecurity measures — they must build up comprehensive in-house defenses. Businesses need to act now and double their investments in cybersecurity talent, paying particular mind to up-and-coming graduate talent.

**About the Author**

Founder, PG Advisors Ltd.

Partha Gopalakrishnan is a leading business transformation expert with more than 25 years of experience directing global teams to drive digital growth. He also has his own firm, PG Advisors, which offers board advisory and non-executive director services for prominent analysts and PE Firms. 

Partha has served in executive leadership positions with some of the world’s largest technology firms and global systems Integrators, including 17 years with Infosys, followed by a tenure at Tech Mahindra. He has completed executive education programs at the Stanford University Graduate School of Business and The Wharton School of the University of Pennsylvania.

Cybersecurity Lags in Middle East Business Development

AI tools will enable significant productivity and efficiency benefits for organizations in the coming year, but they also will exacerbate privacy, governance, and security risks.

Source: Anggalih Prasetya via Shutterstock

Most industry analysts expect organizations will accelerate efforts to harness generative artificial intelligence (GenAI) and large language models (LLMs) in a variety of use cases over the next year.

Typical examples include customer support, fraud detection, content creation, data analytics, knowledge management, and, increasingly, software development. A recent survey of 1,700 IT professionals conducted by Centient on behalf of OutSystems had 81% of respondents describing their organizations as currently using GenAI to assist with coding and software development. Nearly three-quarters (74%) plan on building 10 or more apps over the next 12 months using AI-powered development approaches.

While such use cases promise to deliver significant efficiency and productivity gains for organizations, they also introduce new privacy, governance, and security risks. Here are six AI-related security issues that industry experts say IT and security leaders should pay attention to in the next 12 months.

**AI Coding Assistants Will Go Mainstream — and So Will Risks**

Use of AI-based coding assistants, such as GitHub Copilot, Amazon CodeWhisperer, and OpenAI Codex, will go from experimental and early adopter status to mainstream, especially among startup organizations. The touted upsides of such tools include improved developer productivity, automation of repetitive tasks, error reduction, and faster development times. However, as with all new technologies, there are some downsides as well. From a security standpoint these include auto-coding responses like vulnerable code, data exposure, and propagation of insecure coding practices.

"While AI-based code assistants undoubtedly offer strong benefits when it comes to auto-complete, code generation, re-use, and making coding more accessible to a non-engineering audience, it is not without risks," says Derek Holt, CEO of Digital.ai. The biggest is the fact that the AI models are only as good as the code they are trained on. Early users saw coding errors, security anti-patterns, and code sprawl while using AI coding assistants for development, Holt says. "Enterprises users will continue to be required to scan for known vulnerabilities with \[Dynamic Application Security Testing, or DAST; and Static Application Security Testing, or SAST\] and harden code against reverse-engineering attempts to ensure negative impacts are limited and productivity gains are driving expect benefits."

**AI to Accelerate Adoption of xOps Practices**

As more organizations work to embed AI capabilities into their software, expect to see DevSecOps, DataOps, and ModelOps — or the practice of managing and monitoring AI models in production — converge into a broader, all-encompassing xOps management approach, Holt says. The push to AI-enabled software is increasingly blurring the lines between traditional declarative apps that follow predefined rules to achieve specific outcomes, and LLMs and GenAI apps that dynamically generate responses based on patterns learned from training data sets, Holt says. The trend will put new pressures on operations, support, and QA teams, and drive adoption of xOps, he notes.

"xOps is an emerging term that outlines the DevOps requirements when creating applications that leverage in-house or open source models trained on enterprise proprietary data," he says. "This new approach recognizes that when delivering mobile or web applications that leverage AI models, there is a requirement to integrate and synchronize traditional DevSecOps processes with that of DataOps, MLOps, and ModelOps into an integrated end-to-end life cycle." Holt perceives this emerging set of best practices will become hyper-critical for companies to ensure quality, secure, and supportable AI-enhanced applications.

**Shadow AI: A Bigger Security Headache**

The easy availability of a wide and rapidly growing range of GenAI tools has fueled unauthorized use of the technologies at many organizations and spawned a new set of challenges for already overburdened security teams. One example is the rapidly proliferating — and often unmanaged — use of AI chatbots among workers for a variety of purposes. The trend has heightened concerns about the inadvertent exposure of sensitive data at many organizations.

Security teams can expect to see a spike in the unsanctioned use of such tools in the coming year, predicts Nicole Carignan, vice president of strategic cyber AI at Darktrace. "We will see an explosion of tools that use AI and generative AI within enterprises and on devices used by employees," leading to a rise in shadow AI, Carignan says. "If unchecked, this raises serious questions and concerns about data loss prevention as well as compliance concerns as new regulations like the EU AI Act start to take effect," she says. Carignan expects that chief information officers (CIOs) and chief information security officers (CISOs) will come under increasing pressure to implement capabilities for detecting, tracking, and rooting out unsanctioned use of AI tools in their environment.

**AI Will Augment, Not Replace, Human Skills**

AI excels at processing massive volumes of threat data and identifying patterns in that data. But for some time at least, it remains at best an augmentation tool that is adept at handling repetitive tasks and enabling automation of basic threat detection functions. The most successful security programs over the next year will continue to be ones that combine AI's processing power with human creativity, according to Stephen Kowski, field CTO at SlashNext Email Security+.

Many organizations will continue to require human expertise to identify and respond to real-world attacks that evolve beyond the historical patterns that AI systems use. Effective threat hunting will continue to depend on human intuition and skills to spot subtle anomalies and connect seemingly unrelated indicators, he says. "The key is achieving the right balance where AI handles high-volume routine detection while skilled analysts investigate novel attack patterns and determine strategic responses."

AI's ability to rapidly analyze large datasets will heighten the need for cybersecurity workers to sharpen their data analytics skills, adds Julian Davies, vice president of advanced services at Bugcrowd. "The ability to interpret AI-generated insights will be essential for detecting anomalies, predicting threats, and enhancing overall security measures." Prompt engineering skills are going to be increasingly useful as well for organizations seeking to derive maximum value from their AI investments, he adds.

**Attackers Will Leverage AI to Exploit Open Source Vulns**

Venky Raju, field CTO at ColorTokens, expects threat actors will leverage AI tools to exploit vulnerabilities and automatically generate exploit code in open source software. "Even closed source software is not immune, as AI-based fuzzing tools can identify vulnerabilities without access to the original source code. Such zero-day attacks are a significant concern for the cybersecurity community," Raju says.

In a report earlier this year, CrowdStrike pointed to AI-enabled ransomware as an example of how attackers are harnessing AI to hone their malicious capabilities. Attackers could also use AI to research targets, identify system vulnerabilities, encrypt data, and easily adapt and modify ransomware to evade endpoint detection and remediation mechanisms.

**Verification, Human Oversight Will Be Critical**

Organizations will continue to find it hard to fully and implicitly trust AI to do the right thing. A recent survey by Qlik of 4,200 C-suite executives and AI decision-makers showed most respondents overwhelmingly favored the use of AI for a variety of uses. At the same time, 37% described their senior managers as lacking trust in AI, with 42% of mid-level managers expressing the same sentiment. Some 21% reported their customers as distrusting AI as well.

"Trust in AI will remain a complex balance of benefits versus risks, as current research shows that eliminating bias and hallucinations may be counterproductive and impossible," SlashNext's Kowski says. "While industry agreements provide some ethical frameworks, the subjective nature of ethics means different organizations and cultures will continue to interpret and implement AI guidelines differently." The practical approach is to implement robust verification systems and maintain human oversight rather than seeking perfect trustworthiness, he says.

Davies from Bugcrowd says there's already a growing need for professionals who can handle the ethical implications of AI. Their role is to ensure privacy, prevent bias, and maintain transparency in AI-driven decisions. "The ability to test for AI’s unique security and safety use cases is becoming critical," he says.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

6 AI-Related Security Trends to Watch in 2025

In what's being called a "major cybersecurity incident," Beijing-backed adversaries broke into cyber vendor BeyondTrust to access the US Department of the Treasury workstations and steal unclassified data, according to a letter sent to lawmakers.

Source: trekandshoot via Alamy Stock Photo

UPDATE: This story was updated on Dec. 30 to include a statement from a BeyondTrust spokesperson.

The US Department of the Treasury alerted lawmakers on Monday that Chinese state-backed threat actors were able to compromise its systems and steal data from workstations earlier this month.

Because an advanced persistent threat (APT) group is suspected to be behind the hack, it is being treated as a "major cybersecurity incident," the disclosure letter from the Treasury Department said. The letter was sent to the chairman and ranking member of the Senate committee that oversees the agency.

Adversaries broke into the Treasury Department through third-party cybersecurity vendor BeyondTrust and "...gained access to a remote key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users," the letter explained. "With access to the stolen key, the threat actor was able to override the service's security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users."

BeyondTrust has more than 20,000 customers across more than 100 countries who use its privileged remote access tools, according to its website, which also states that the company is used among 75% of Fortune 100 organizations. The company has not responded to Dark Reading's request for comment.

BeyondTrust told the Treasury Department about the issue on Dec. 8; the department, along with the Cybersecurity and Infrastructure Security Agency and the FBI, is investigating the compromise, according to the letter.

A BeyondTrust advisory said the company was alerted on Dec. 5 to a compromised API key, which was immediately revoked. Impacted customers have already been notified, and the company is working with them on remediation, according to a statement from a BeyondTrust spokesperson.

"BeyondTrust previously identified and took measures to address a security incident in early December 2024 that involved the Remote Support product," the statement said. "No other BeyondTrust products were involved."

**'Epic' Chinese Hack of US Treasury**

The revelation that Beijing was able to strike right at the heart of America's federal capitalist system itself comes as the federal government continues to grapple with the sprawling and coordinated Chinese-backed cyberattacks against telecommunications companies in the US. Once inside, hackers from groups including Salt Typhoon accessed call data and text messages of an unknown number of Americans. So far Chinese hacking groups have been discovered inside at least nine different telecom networks in the US.

While investigations into the US Treasury breach are ongoing, these brazen Chinese acts of cyber espionage are almost to certain to require dicey diplomatic maneuvering. That could prove to be difficult to pull off during the murky transition period from the Biden administration to the incoming Trump administration.

"Beijing's routine denial of responsibility for cyberespionage incidents raises diplomatic challenges with the US in addressing such breaches effectively since there's lack of transparency and accountability/coordination," said Lawrence Pingree, vice president of Dispersive, in a statement provided to Dark Reading.

It's still unclear whether the Chinese hackers were able to crack the application's secrets or a cryptographic key, he added.

"Secrets and cryptographic key management are critical elements of managing software API access and thus if deficient in some way, or a compromise occurs via a developer's endpoint, the breach of those secrets and authentication keys can create these types of epic breaches," Pingree said.

The breach also shows that cybersecurity vendors remain a favorite target of sophisticated state threat actors, according to former NSA cyber expert Evan Dornbush, who provided a statement in reaction to the breach.

"The cybersecurity world is reeling from yet another high-profile breach, this time targeting the clients of security vendor BeyondTrust," Dornbush said. "This incident joins a growing list of attacks on security firms, including Okta (whose breach directly impacted BeyondTrust as a customer), LastPass, SolarWinds, and Snowflake."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Chinese State Hackers Breach US Treasury Department

Cyber insurance should augment your cybersecurity strategy — not replace it.

Source: Mungkhood Studio via Shutterstock

COMMENTARY

Cybersecurity insurance is the fastest-growing segment of the global insurance market, and there's a good reason for that. Cybersecurity has become one of the most critical requirements for organizations of all types — from small business to large corporation — as cyber threats remain constant. 

Unsurprisingly, cyber-insurance rates increased substantially from 2018 to 2022. Though overall cyber-insurance premiums began to decrease in 2023, many organizations are still seeing their rates rise.

**Costs Are Increasing — for Those Able to Get Insured**

The cyber-insurance industry is maturing just as quickly as cyber threats are growing in quantity, scale, and sophistication. As payouts and annual premiums increase, coverage limits are becoming more restrictive.

In a 2023 survey of US organizations, "79% saw insurance costs increase, with 67% facing an increase of 50-100%." Smaller companies, with fewer than 250 employees, were more likely to be denied coverage than large businesses (28% versus 8%). The primary reason small businesses were rejected was their lack of security protocols.

The good news is that the work you do to strengthen your organization's overall security posture and identity hygiene is also the work that will satisfy many of the compliance requirements underwriters are looking for — resulting in better security protections and better insurance coverage and premiums.

**Tips to Ensure Affordable Cybersecurity Protection**

Self-assess: To help with the process, proactively self-assess your risk profile and ask yourself the hard questions before the underwriters do. Conduct a thorough self-assessment of your current cybersecurity posture, identifying strengths and weaknesses.

This process has two main benefits: 

1.  It gives you a clear picture of where you stand now. 
    
2.  It guides you to evaluate policy options that will cover your specific risks.
    

Don't underestimate risks: Make sure not to underestimate your company's or industry's risks. Everyone is vulnerable to cyberattacks, not just traditional high-risk sectors such as financial services. In recent years, we've seen cyber incidents across many verticals, including healthcare, energy, and retail.

Insurance providers categorize rates based on industry-specific risks, comparing you to your peers in the process. Understand your sector's unique vulnerabilities — even if you haven't had to worry about them in the past—and be prepared to demonstrate how you're addressing them. 

Know your coverage limits: That leads me to my next piece of advice — understand your coverage limits. Thoroughly review the limits, sublimits, and exclusions in your policy. Pay close attention to what the coverage provides in terms of the full scope of potential losses, including third-party liabilities and regulatory fines. You can often negotiate terms, including specific clauses and deductibles, during the process.

Not all policies are the same. Many insurance providers focus on particular verticals or demographics. They each have different views of risk and leverage a range of data points to make their decisions. Do your research on individual providers to find the best fit for your organization so regularly review your policy. The threat landscape is always changing, and the coverage you need may evolve along with it. Conduct periodic reviews of your policy well ahead of your renewal term date to make sure it is still meeting your needs.

Understand your requirements: It's important to pay attention to the compliance requirements. Many policies explicitly call out compliance requirements. Failing to meet these standards can result in having your claims denied. Carefully assess your policy's requirements to verify that you are fulfilling them.

When engaging with insurance providers, be ready to show your work. Demonstrate the effectiveness of your security controls, particularly those related to identity hygiene. If you're renewing your policy, show how you've matured your approach to cyber-risk since your last assessment. What tangible improvements have you made? What products are you using to automate processes?

Focus on areas that underwriters prioritize, such as privileged access management and credential protection. Quantify your progress by highlighting reductions in accounts with administrative access or new requirements for regular password updates. Providers are looking for year-over-year maturity — moving from ad hoc, manual approaches to clean, consistent, automated, and sustainable hygiene practices. Be sure that you are getting full credit for your hard work.

**Conclusion**

As cyber threats continue to evolve, so must our approach to mitigating them. Bolster your cybersecurity posture in a holistic manner — self-assessing your risk profile, addressing vulnerabilities, and striving for continuous improvement — and you can better safeguard your organization against threats and control your cyber-insurance costs.

Prepare for increasingly rigorous risk assessments from providers moving forward. Underwriters now have access to extensive data about cyber threats and protections. Expect them to ask more granular questions and do deeper inspections into the efficacy of controls, especially those around identity-related risks, such as privileged access and credential theft. Anticipate their questions, and be prepared with comprehensive, up-to-date answers.

Cyber insurance should augment your cybersecurity strategy, not replace it. Prioritize implementing robust, ongoing cyber practices that protect your organization.

**About the Author**

CEO & Founder, SPHERE

Rita Gurevich is the CEO and founder of SPHERE, leading the strategic growth and vision for the organization.

Rita began her career at Lehman Brothers and helped oversee the distribution of technology assets after their bankruptcy in 2008. From this, Rita gained a deep understanding in analyzing identities, data platforms, and overall application and system landscape that had to be distributed across all the buying entities. At the same time, the enhanced regulatory environment focusing on protecting data from misuse, forced large enterprises to manage and control access more proactively across their on-premises and cloud environments.

With this knowledge, Gurevich founded SPHERE, an identity hygiene organization that provides critical discovery, security and compliance solutions centered around identity security and access control problems that organizations face. The company has developed a repeatable and effective approach to automating the discovery, remediation, and management of access controls across any scope. Rita has overseen the growth of SPHERE into a leading software company providing its clients with the only end-to-end identity hygiene solution available today.

How to Get the Most Out of Cyber Insurance

Proactive defenses, cross-sector collaboration, and resilience are key to combating increasingly sophisticated threats.

Source: Artur Szczybylo via Alamy Stock Photo

From the growing sophistication of zero-day exploits to the entrenchment of nation-state and cybercriminal alliances, 2024 delivered more evidence of how quickly the threat landscape continues to evolve. The year reinforced hard truths about the persistence of attackers and the systemic challenges of defense. We look back on some of the events that defined 2024 and the tactical insights that security teams can apply to stay ahead in the ongoing battle in 2025.

**Surging Zero-Day Exploits and Nation-State Collaboration**

Threat researchers continued to see a year-over-year increase of zero days. Recent analysis by Mandiant of 138 vulnerabilities that were disclosed in 2023 found the majority (97) were exploited as zero-days — an increase from 2022. Tom Kellermann, senior vice president of cyber strategy at Contrast Security, expects that number to increase in 2024.

The growth is a direct result of geopolitical tensions, he says. Nation-state actors, particularly China, are exploiting these types of vulnerabilities at unprecedented rates.

"The Chinese specifically have been doing tremendous research into exploiting zero-days and discovering them," Kellermann says. "I think everyone's kind of on their back foot when dealing with this because traditional cybersecurity defenses can't thwart those attacks."

The rise in these kinds of attacks includes a new trend in 2024: collaboration or coordination between nation-states and cybercrime rings, says Stephan Jou, senior director of security analytics at OpenText Cybersecurity.

"In this model, an attack with nation-state characteristics is launched at the same time, or followed closely by, an attack on the same target by an independent for-profit threat actor. Russia, for example, has been seen to collaborate with malware-as-a-service gangs, including Killnet, LokiBot, Gumblar, Pony Loader, and Amadey. China has entered similar relationships with the Storm-0558 and Red Relay cybercrime rings, typically to support its geopolitical agenda in the South China Sea."

Chester Wisniewski, global field CTO at Sophos, says China-sponsored attackers have developed assembly-line zero-day exploits shared through state-mandated disclosure laws. Attackers initially used zero-days in targeted attacks, then escalated them to widespread exploitation to cover their tracks. Proactive patch management and collaboration between vendors and organizations to mitigate threats is critical, he says.

"The real problem is this accumulation of stuff that's not getting patched," Wisniewski says. "We just keep launching more equipment out there onto the Internet. And it's getting more and more polluted, and nobody's responsible for taking care of it."

Jou agrees and says the lesson here is that defense against even sophisticated attacks comes back to the same basics: patch management, endpoint protection, email security, awareness training, and backup and disaster recovery planning.

"By ensuring that these unglamorous but essential best practices are in place, security teams can rob threat actors of many of their favorite tactics to abuse networks and businesses," he says.

**Resiliency Planning Needs More Focus**

Ransomware attacks in 2024 highlighted the fragility of supply chains and business continuity. Ransomware operators are now targeting service providers and supply chain networks, Wisniewski says. A cyberattack on Ahold Delhaize, the parent company of major US supermarket chains, including Stop & Shop, Hannaford, Food Lion, and Giant Food, disrupted services across its network in November, impacting more than 2,000 stores. For several days, customers had issues with online grocery delivery, offline websites, and limited pharmacy services.

Improving business continuity strategies to include modern segmentation tools can help minimize operational disruptions during incidents, Wisniewski says.

"When one part of a supply chain goes down, it impacts thousands of businesses," he says. "This amplifies the economic and operational pressure to comply with attackers' demands. You can't plan never to fail, but you can plan to fail gracefully."

Another headline-making business continuity incident this year was the CrowdStrike outage. In July, the company released a faulty software update that affected approximately 8.5 million devices running the Windows operating system. The glitch triggered widespread system crashes that resulted in multiple disruptions, particularly in the travel industry. Delta Air Lines was forced to cancel thousands of flights due to system disruptions. 

The event dominated news cycles for several days. In its wake, analysts pointed to the critical need for better process adherence and visibility. But Dror Liwer, cofounder of Coro, says it also highlights a need for security leaders to  effectively communicate with diverse stakeholders — whether technical teams, business executives, or external parties — when managing the fallout of a large-scale incident.

**Critical Infrastructure Is a Growing Target**

Attacks on critical infrastructure reached new levels in 2024. In September, the Cybersecurity and Infrastructure Security Agency (CISA) issued a notice that government-run water systems were at risk of attack by nation-states after officials reported a cybersecurity issue at a facility in Arkansas City, Kansas, which was forced to switch to manual operations while the situation was resolved.

Barry Mainz, CEO of Forescout, says cyberattacks are evolving to target critical services, like municipal water authorities and airport landing systems. This year made it clear that attackers are shifting their focus from well-protected facilities to more vulnerable upstream systems, like water supplies and power grids, he says.

"If you just zoom out a bit and look at where the vulnerabilities are, the bad actors are saying, 'Well, it's a lot harder now since people are spending money to secure certain IT functions. We're going to go down the food chain a little bit,'" Mainz says.

One of the key challenges in securing critical infrastructure is the inherent complexity of operational environments. Many industrial systems operate using legacy equipment that was never designed with cybersecurity in mind. In addition, there is often a lack of visibility into connected devices within these environments, which can make detecting threats extremely difficult.

"I think the lesson is we've got to invest in a cybersecurity strategy for not only IT systems but \[operational technology\] systems," Mainz says. "And also we need to think structurally about how we manage those systems because the people that actually manage those OT systems, they're not IT professionals.”

A better approach, he says, involves adopting advanced monitoring and threat detection tools as well as fostering collaboration between IT and OT teams. By breaking down silos and improving communication, organizations can better address the unique security requirements of critical infrastructure. Mainz pointed to the importance of government and private-sector partnerships in bolstering defenses.

**Telecom Can't Be Trusted**

We wrap up 2024 with news that Salt Typhoon, a cyber-espionage group allegedly linked to the Chinese government, has successfully infiltrated telecommunications networks in multiple countries. In the US alone, FBI officials say at least eight major telecom companies, including AT&T, Verizon, and Lumen Technologies, were compromised. The group gained access to sensitive data, such as call logs, unencrypted text messages, and, in some cases, live call audio. The FBI recommended that Americans use encrypted messaging apps, like Signal and WhatsApp, to ensure their communications stay hidden.

The ongoing issues around nation-state attackers and their use of telecom is one of his biggest worries heading into 2025, Kellermann says. He also points to T-Mobile's acquisition of Sprint in 2020, which he says is concerning because "Sprint used to be the classified backbone network of the US government." This means that if there are security vulnerabilities within T-Mobile's infrastructure, they could potentially compromise sensitive government communications or systems that were part of Sprint's legacy network. 

"I think the people are ignoring that and are not paying attention fully," he says.

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

What Security Lessons Did We Learn in 2024?

Organizations in the region should expect to see threat actors accelerate their use of AI tools and mount ongoing "harvest now, decrypt later" attacks for various malicious use cases.

Source: Tero Vesalainen via Shutterstock

If incidents this year are any indication, deepfakes and “harvest now, decrypt later” attacks spurred by the growing adoption of quantum computing projects are among the many concerns that organizations in the Asia-Pacific (APAC) region will need to deal with in 2025.

Over the past year, cybercriminals operating in the APAC region have increasingly leveraged AI to launch sophisticated campaigns — such as AI-generated phishing emails, adaptive malware, and deepfakes. The attacks have undermined trust in critical communications and exacerbated social tensions, says Clement Lee, security architect and evangelist at Check Point Software Technologies, Asia Pacific.

**An Increase in Deepfakes & Quantum Computing-Related Cyberattacks**

"This was starkly demonstrated during recent elections seen across APAC: in India where deepfakes fueled widespread disinformation; in Indonesia, where a doctored deepfake video aimed to stir anti-China sentiment; and in Hong Kong, a finance worker who was duped into sending $25 million by a deepfake impersonation of company executives," Lee says. As these tactics start extending from political spheres into the corporate realm, businesses must adopt AI-driven security defenses to counter them, Lee notes.

Simon Green, president of Asia, Pacific, and Japan at Palo Alto Networks, described the APAC region as being on the cusp of a "perfect storm of AI-driven cyber threats" heading into 2025. Attacks featuring deepfake audio and video will likely be the most visible manifestations of the trend, he noted.

Related:Middle East Cyberwar Rages On, With No End in Sight

"We can expect deepfakes to be used alone or as part of a larger attack much more often in 2025," Green said. The use of audio deepfakes in particular is likely to increase over the next 12 month, as technology for highly credible voice cloning becomes more easily accessible.

**AI-Focused Cybersecurity Preparations**

Expect also to see more organizations in the APAC region looking for ways to better protect their data as they implement AI-enabled projects.

"Our customers are asking how they can get more value out of their data, while maintaining robust security, especially as they look to benefit from GenAI products like Microsoft Copilot," adds Max McNamara, vice president and managing director Australia and New Zealand at AvePoint.

"This starts with having secure, accessible data, ensuring you can scale with solutions that don't compromise your security posture, and rigorously adhering to increasingly complex regulatory standards," he says. APAC organizations will increasingly be looking to ensure their data is not just accessible, but also fundamentally secure within their borders, he notes.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

"Our customers are asking how they can get more value out of their data, while maintaining robust security, especially as they look to benefit from GenAI products like Microsoft Copilot," McNamara says, adding that this starts with having secure, accessible data, ensuring you can scale with solutions that don't compromise your security posture, and rigorously adhering to increasingly complex regulatory standards.

**Quantum Projects Will Drive Increase in Harvest Now, Decrypt Later Attacks**

The growing number of quantum computing projects in the APAC region is likely going to fuel an increase in "harvest now, decrypt later" attacks as well. Such attacks involve adversaries collecting and storing currently encrypted data with the intention of decrypting it in the future, when quantum computers become powerful enough to break today's encryption standards. The attacks pose a significant threat to sensitive information that needs to remain secure for extended periods of time.

According to Fortune Business Insights, Asia Pacific is the fastest growing quantum computing market in the world, with multiple companies including IBM, Microsoft, Google, Alibaba, Baidu, JSR, and D-Wave systems currently involved in large regional quantum software and hardware projects. One example is a new quantum computing cloud platform that Alibaba has deployed in collaboration with the Chinese Academy of Sciences. Some quantum projects in the APAC region are happening at a national level, such as India's US-funded National Mission on Quantum Technologies & Applications, and Singapore's Quantum Engineering Programs.

Related:Governments, Telcos Ward Off China's Hacking Typhoons

"The advent of quantum computing threatens to render current encryption standards obsolete, risking exposure of sensitive data and compromising critical infrastructure," Lee says. "Quantum-resistant cryptography will gain traction as organizations prepare for future decryption threats."

Organizations in the APAC region should expect increased interest in harvest now, decrypt later attacks from a wide range of adversaries, including nation-state-backed threat actors, according to Palo Alto Networks' Green. The attacks will pose a threat to governments and businesses, civilian and military communications, critical infrastructure, and organizations developing quantum projects, Green said. Organizations concerned about the trend should develop a quantum resistant road map that includes deployment of quantum resistant tunnelling, stronger crypto libraries and quantum key distribution, according to Palo Alto Networks.

Richard Sorosina, chief technology security officer and vice president of solution architecture at Qualys' EMEA & APAC operations, believes that the fast-evolving and increasingly sophisticated nature of the APAC threat landscape will likely accelerate ongoing consolidation of security capabilities at many organizations in the region. He expects organizations will increasingly move toward a unified security platform approach that will provide both a centralized view of risk across the organization and mechanisms to remediate that risk when found. Many of these efforts will be "driven by a need to reduce complexity, increase operational efficiency, enhance detection and response capabilities, and reduce overall cost," Sorosina says.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Deepfakes, Quantum Attacks Loom Over APAC in 2025

The US water sector suffered a stream of cyberattacks over the past year and half, from a mix of cybercriminals, hacktivists, and nation-state hacking teams. Here's how the industry and ICS/OT security experts are working to better secure vulnerable drinking and wastewater utilities.

Source: Vyacheslav Lopatin via Alamy Stock Photo

The unprecedented wave of high-profile cyberattacks on US water utilities over the past year has just kept flowing.

In one incident, pro-Iranian hackers penetrated a Pittsburgh-area water utility's PLC and defaced the touchscreen with an anti-Israel message, forcing the utility to revert to manual control of its water pressure-regulation system. A water and wastewater operator for 500 North American communities temporarily severed connections between its IT and OT networks after ransomware infiltrated some back-end systems and exposed its customers' personal data. Customer-facing websites and the telecommunications network at the US's largest regulated water utility went dark after an October cyberattack.

Those were just some of the more chilling stories that have recently sparked fear over the security and physical safety of drinking water and wastewater systems. The cyberattacks have spurred warnings and security guidelines from the Cybersecurity and Infrastructure Security Agency (CISA), the White House, the FBI and the Office of the Director of National Intelligence (ODNI), the Environmental Protection Agency (EPA), and the Water ISAC (Information Sharing and Analysis Center).

Most of the attacks landed on the softest of targets, small water utilities without security expertise and resources, in mainly opportunistic attacks. Meanwhile, cyberattacks on large utilities like Veolia and American Water hit IT, not OT, systems — none of which actually disrupted water services. Overall, the cyberattacks on water appeared to be mainly about "poking around and eroding confidence," says Gus Serino, president of I&C Secure and a former process control engineer for the Massachusetts Water Resources Authority.

Related:IoT Cloud Cracked by 'Open Sesame' Over-the-Air Attack

The race is now on to secure the water sector — especially the smaller more vulnerable utilities — from further cyberattacks. Many larger water utilities already have been "stepping up their game" in securing their OT networks, and others started building out their security infrastructures years ago, notes Dale Peterson, president of ICS/OT security consultancy Digital Bond. "My first client in 2000 was a water utility," he recalls. "Some \[large utilities\] have been working on this for a very long time."

The challenge lies in securing smaller utilities, without overprescribing them with unnecessary and high-overhead security infrastructure. Tools that require expertise and overhead are a nonstarter at sites where there isn't even dedicated IT support, much less cyber know-how. Peterson argues that government recommendations for sophisticated security monitoring systems are just plain overkill for most small utilities. These tiny outfits have bigger and more tangible priorities, he says, like replacing aging or damaged pipes in their physical infrastructure.

Related:Frenos Takes Home the Prize at 2024 DataTribe Challenge

**ICS/OT Cyber-Risk: Something in the Water?**

Like other ICS/OT industries, water utilities of all sizes have been outfitting once-isolated programmable logic controller (PLC) systems and OT equipment with remote access, so operators can more efficiently monitor and manage plants from afar — to control water pumps or check alarms, for instance. That has put traditionally isolated equipment at risk.

"They are starting and stopping pumps, setting changes, responding to alarms or failures \[in\] a system. They remote in to look at SCADA/HMI screens to see what's wrong or to take corrective action," explains I&C Secure's Serino, who works closely with water utilities. He says it's rare for those systems to be properly segmented, and VPNs are "not always" used for secure remote access.

PLC vendors such as Siemens are increasingly building security features into their devices, but water plants don't typically run this next-generation gear.

"I have yet to see any secure PLCs deployed" in smaller water sites, Serino says. "Even if there are new PLCs, their security features are not 'on.' So if you \[an attacker\] can get in and get access to the device on that network, you can do whatever you are capable of doing to a PLC."

Related:20% of Industrial Manufacturers Are Using Network Security as a First Line of Defense

Because many ICS/OT systems integrators that install OT systems traditionally do not also set up security for the equipment and software they install in water utility networks, these networks often are left exposed, with open ports or default credentials. "We need to help integrators making \[and installing\] SCADA equipment for these utilities make sure they are secured" for utilities, says Chris Sistrunk, technical leader of Google Cloud Mandiant's ICS/OT consulting practice and a former senior engineer at Entergy. 

Default credentials are one of the most common security weaknesses found in OT networks, as well as industrial devices sitting exposed on the public Internet. The Iranian-based Cyber Av3ngers hacking group easily broke into the Israeli-made Unitronics Vision Series PLCs at the Aliquippa Municipal Water Authority plant (as well as other water utilities and organizations), merely by logging in with the PLCs' easily discoverable factory-setting credentials.

The good news is that some major systems integrators such as Black & Veatch are working with large water utilities on building security into their new OT installations. Ian Bramson, vice president of global industrial cybersecurity at Black & Veatch, says his team works with utilities that consider security a physical safety issue. "They are looking to build \[security\] in and not bolt it in," he explains, to prevent any physical safety consequences from poor cybersecurity security controls.

**Cybersecurity Cleanup for Water**

Meanwhile, there are plenty of free cybersecurity resources for resource-strapped water utilities, including the Water-ISAC's top 12 Security Fundamentals and the American Waterworks Association (AWWA)'s free security assessment tool for water utilities that helps them map their environments to the NIST Cybersecurity Framework. Kevin Morley, manager of federal relations for the AWWA and a utility cybersecurity expert, says the tool includes a survey of the utility's technology and then provides a priority list of the security controls the utility should adopt and address, focusing on risk and resilience.

"It creates a heat map" of where the utility's security weaknesses and risks lie, he says. That helps arm a utility with a cybersecurity business case in the budget process. "They can go to leadership and say 'we did this analysis and this is what we found,'" he explains.

There's also a new cyber volunteer program that assists rural water utilities. The National Rural Water Association recently teamed up with DEF CON to match volunteer cybersecurity experts to utilities in need of cyber help. Six utilities in Utah, Vermont, Indiana, and Oregon encompass the initial cohort for the bespoke DEF CON Franklin project, where volunteer ICS/OT security experts will assess their security posture and help them secure and protect their OT systems from cyber threats.

Mandiant's Sistrunk, who serves as a volunteer cyber expert for some small utilities, points to three main and basic security steps small (and large) utilities should take to improve their defenses: enact multifactor authentication, especially for remote access to OT systems; store backups offline or with a trusted third party; and have a written response plan for who to call when a cyberattack hits.

Serino recommends a firewall as well. "Get a firewall if you don't have one, and have it configured and locked down to control data flows in and out," he says. It's common for firewalls at a water utility to be misconfigured and left wide open to outgoing traffic, he notes: "If an adversary can get in, they could establish their own persistence and command and control, so hardening up the perimeter" for both outgoing and ingoing traffic is important.

He also recommends centralized logging of OT systems, especially for larger water utilities with the resources to support logging and detection operations: "Have the ability to detect a problem so you can stop it before it reaches the end goal of causing an impact."

**About the Author**

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Hackers Are Hot for Water Utilities

Sometimes it feels like burnout is an inevitable part of working in cybersecurity. But a little bit of knowledge can help you and your staff stay healthy.

Source: Magdalena Iordache via Alamy Stock Photo

"A quarter of cybersecurity leaders want to quit," hollered the headline of a study sponsored by global cybersecurity company Black Fog. While that is suggestive of stress or morale problems at the higher levels of security teams, the more alarming numbers came later in the press release, below the graphic: 45% of security leaders have used drugs or alcohol to relieve work pressure in the past year, and 69% have "withdrawn from social activities."

That's starting to sound more like burnout than stress.

The reason it's important to distinguish the cause of self-destructive behavior at work is that short-term stress and burnout have different treatments and timelines. According to a journal article by Arno van Dam, 80% of people suffering short-term stress are back at work in six to 12 weeks. Burnout patients, however, take more than a year to recover; one quarter to one half of patients still haven't recovered after two to four years.

**What Is Cybersecurity Burnout?**

To discern burnout, it's helpful to have a standard definition. While the US list of maladies, Diagnostic and Statistical Manual of Mental Disorders (aka the DSM), still doesn't include work-related burnout as a diagnosis as of version 5, the World Health Organization (WHO) sees it differently. The WHO's alternative resource, International Statistical Classification of Diseases and Related Health Problems (aka the ICD), has a code for burnout — QD85 — and defined it in the context of work/unemployment problems:

Related:Emerging Threats & Vulnerabilities to Prepare for in 2025

> "Burnout is a syndrome conceptualized as resulting from chronic workplace stress that has not been successfully managed. It is characterized by three dimensions: 1) feelings of energy depletion or exhaustion; 2) increased mental distance from one's job, or feelings of negativism or cynicism related to one's job; and 3) a sense of ineffectiveness and lack of accomplishment."

According to the van Dam article, burnout happens when an employee buries their experience of chronic stress for years. The people who burn out are often formerly great performers, perfectionists who exhibit perseverance. But if the person perseveres in a situation where they don't have control, they can experience the kind of morale-killing stress that, left unaddressed for months and years, leads to burnout. In such cases, "perseverance is not adaptive anymore and individuals should shift to other coping strategies like asking for social support and reflecting on one's situation and feelings," the article read.

"I wrestle with burnout pretty regularly, escalated thanks to neurodivergence," says Ian Campbell, senior security operations engineer at DomainTools. Burnout is also a condition familiar to the neurodivergent, especially autistic people. Autistic burnout, a term used mostly by that community, entails chronic exhaustion, losing the use of skills, and a lowered tolerance for stimuli. The role it might play in the better-known work burnout is unknown, but the similarity of symptoms is interesting.

Related:Name That Toon: Sneaking Around

Campbell sees the interplay from the inside. "Autism, depression, and anxiety are a wickedly effective combination in encouraging burnout. Hyperfocus can lead to working far too much and ignoring work/life balance," he says. "Depression and anxiety are self-perpetuating, exquisitely engineered to set up feedback cycles hard to break away from, and that can be doubly toxic around work — the depression saying things won't get better, the anxiety pressing you to work longer, harder, be more useful and less expendable."

Bryan Kissinger, chief information security officer (CISO) and senior VP at Trace3, adds, "People also need to have the courage to say to their managers or coworkers, 'Hey, I need a break.'"

**Handling Staff Burnout on Security Teams**

"Sometimes it's very challenging" to tell when someone's burning out, Kissinger says. He tells the story of one employee who kept their stress to themselves until it was almost too late: "They were ready to leave because they were burning out, and I said, 'This is the first I've heard about it. Can we bring on some contractors to help us moderate the workload?'"

Related:How Nation-State Cybercriminals Are Targeting the Enterprise

When asked how he helps his staff fend off burnout, Kissinger describes a hands-on approach. "I audit their day. A lot of people either tend to get roped into things ... or volunteer for things," he says. "What are the one or two things that need to be done today, and what can be done Monday or later next week?"

Jill Knesek, CISO at BlackLine, has a team of about 30 people, and has a quarterly one-on-one with each of them. "I offer more if they want more, and if you want to do monthly or every six weeks, then please do," she says. "I just try to take the time with each person on the team to make them feel important and empowered. And I know that there's opportunities for them, even if it's not maybe what they're doing today."

If a person's team is not supportive of work/life balance, that can exacerbate the issue.

Knesek says, "I want to make sure they know that I know what they're doing and I care about what they're doing and I can help guide them. So they feel important, and they feel like the really important things get noticed by leadership."

**How Cyber Staff Handles Work Pressure**

"Taking all my holiday was a big help," says Terence Eden, who moved from civil service to start his own consultancy, Open Ideas, which affords him much more control over his schedule and work/life balance. "And doing it in big chunks, not just a day or two, allowed me to reset."

Resetting from the buildup of stress is an important part of disrupting the path to burnout, as Knesek knows well. She says, "I encourage my team all the time to make sure their work-life balance is always good. Recharging your batteries is really important, and I am an important representative of that, right? So if I don't do it and everybody says, 'Well, Jill never takes \[paid time off\] but she tells us to do it. But does she really mean that? Because she's not taking it.'"

Employees sometimes scoff at the wellness programs companies put out as an attempt to keep people healthy. "Most 'corporate' solutions — use this app! attend this webinar! — felt juvenile and unhelpful," Eden says. And it does seem like many solutions fall into the same quick-fix category as home improvement hacks or dump dinner recipes.

Christina Maslach's scholarly work attributed work stress to six main sources: workload, values, reward, control, fairness, and community. "If any are lacking or out of sync, you may be headed toward exhaustion, cynicism, and the feeling of being ineffective," said this article presenting a two-minute burnout assessment tool.

An even quicker assessment is promised by the Matches Measure from Cindy Muir Zapata. "The graphic she offered in her paper is a six-point and eight-point spectrum of matches, from unlit, to singed, to burned, to disintegrated," read an article on HR Dive. A worker looks at the layout of matches and picks the one that shows how burned out they feel.

But Campbell has an idea for how to handle wellness better: "So my first and strongest recommendation to everyone is this: psychotherapy."

"Professionals will help a lot more than any quick hack to keep you running for another few weeks — therapy allows you to vent out what's building up, gain insight on your own status and choices, and plan for future burnout occurrences," he adds. "It doesn't make everything magically better, but you learn the tools to keep treading water, then tools to swim against counterproductive currents, and more."

"The time to start learning and building the tool sets is before the burnout hits, or at least before it becomes a true crisis," he adds.

**Hope in a Hopeless Place**

If worse comes to worst, and burnout hits, the van Dam article found hope in the study of disaster survivors. No matter how awful the disastrous events they went through, people tend to perceive some good coming from their trauma. This post-traumatic growth falls into three categories of benefits: changes in self-perception, in relationships, and in life philosophy.

The article built on that to posit post-burnout growth as well. "Many former burnout patients report that they have learned from their burnout and that their life is better now than before their burnout," Campbell explains. "They know better who they are and what is important to them in life; they spend more time with their friends and families; and they changed their priorities. Many former burnout patients allow themselves to enjoy life more and to be happy."

And again, he has some advice, particularly for the neurodivergent people: hack your needs to make yourself comfortable. "There are a thousand ways to optimize your own senses, and it's something we as a culture often fail at. Whether you're neurodivergent, neurotypical, or something else entirely — find the best sensory augments that allow you to work, and the better we'll all be protecting, hacking, investigating, hunting, and more."

Source

DARKReading