Friday Five: CISA’s Own Security Incident, Open-Source Security Worries, & More
Congress' sweeping privacy bill was stopped in its tracks, CISA's own tool was targeted in a January breach, concerns are arising over open-source code, & more. Read more about all these stories in this week's Friday Five.
CISA: MOST CRITICAL OPEN SOURCE PROJECTS NOT USING MEMORY SAFE CODE BY BILL TOULAS
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and other organizations published a report on memory safety in 172 key open-source projects. They found that over half contain memory-unsafe code, that 55% of total lines of code are memory-unsafe, and that critical projects like Linux and Tor have high proportions of unsafe code. CISA recommends using memory-safe languages like Rust, Java, and Go for new code, transitioning existing projects to these languages, and following safe coding practices. Developers are said to often use memory-unsafe languages due to performance needs, and some even disable safety features, increasing risks. Continuous testing and careful dependency management are advised to address these issues.
HOUSE PANEL ABRUPTLY CANCELS FEDERAL PRIVACY BILL VOTE BY TIM STARKS
A House panel canceled plans to act on the American Privacy Rights Act due to disagreements with Republican leadership and opposition from key interest groups. The bill, which had bipartisan support, faced objections from House GOP leaders and concerns from businesses and civil rights groups. Rep. Frank Pallone (D) criticized the interference and expressed commitment to continue working with Chair Cathy McMorris Rodgers on the bill; both emphasized the importance of privacy rights online. House Speaker Mike Johnson also supported greater online privacy control. Civil rights groups celebrated the decision, calling for safeguards against data discrimination.
CISA INFRASTRUCTURE TOOL TARGETED IN JANUARY BREACH, AGENCY SAYS BY DAVID DIMOLFETTA
CISA confirmed in a recent blog post that its Chemical Security Assessment Tool (CSAT) was targeted by hackers between January 23 and 26, allowing potential access to sensitive information, though no data exfiltration was found. The accessed data may include past security assessments of chemical facilities among other sensitive information. The intrusion involved an advanced webshell on Ivanti VPN products, leading CISA to shut down the system and later instruct federal agencies to disconnect from Ivanti products, underscoring the importance of incident response plans. CSAT, part of the Chemical Facility Anti-Terrorism Standards program established post-9/11, had lapsed in July, reducing its current data relevance.
DHS HIGHLIGHTS AI AS A THREAT AND ASSET TO CRITICAL INFRASTRUCTURE IN NEW PRIORITY GUIDANCE BY ALEXANDRA KELLEY
The Department of Homeland Security (DHS) is focusing on artificial intelligence (AI) and other emerging technologies under its 2024-2025 Strategic Guidance and National Priorities for U.S. Critical Infrastructure Security and Resilience plan. The guidance aims to enhance the security and resilience of critical infrastructure, such as the electrical grid and transportation systems, against AI-related risks. DHS emphasizes the dual role of AI in both posing risks and aiding in cybersecurity efforts. The guidance also highlights concerns about quantum computing, which could threaten current encryption methods. CISA will lead efforts to address these risks, as outlined in the upcoming 2025 National Infrastructure Risk Management Plan.
US BUSINESSES STRUGGLE TO OBTAIN CYBER INSURANCE, LAWMAKERS ARE TOLD BY CHRISTIAN VASQUEZ
At a House Homeland Security Committee hearing, experts and industry representatives highlighted the challenges U.S. businesses face in obtaining cybersecurity insurance. Kimberly Denbow from the American Gas Association noted the limited availability and complexity of cyber insurance policies for natural gas utilities. Meanwhile, Matthew McCabe from Guy Carpenter & Company mentioned that the increasing prevalence of state-sponsored cyberattacks on critical infrastructure raises concerns about coverage exclusions for acts of war. High premiums and lack of consistent terminology have led to calls for a federal "backstop" to guarantee large-scale insurance losses, though such a measure has not yet been enacted. DHS officials emphasize the need for resilient critical infrastructure against persistent cyber threats.