Cybersecurity Quarterly (Summer 2024)


Reasonable Steps to Stronger Cyber Defense

Several U.S. State and Federal agencies have called for organizations to enact reasonable cybersecurity measures, but no one has made clear what "reasonable cybersecurity" entails. Together with technical cybersecurity and legal experts, we're providing first-of-its-kind, practical, and specific guidance to help organizations meet the general standard of reasonable cybersecurity.

Summer 2024

The 2024 Verizon DBIR and How the CIS Controls Help Defend Against Today's Cyber Attacks

Using Automation to Make Compliance Simpler and Easier

How Our Cyber Threat Intelligence Team Helps Protect the U.S. SLTT Community

Partnering with State and Federal Cybersecurity Experts to Make K-12 Schools Safer

A PUBLICATION FROM

CIS CyberMarket

Rigorously vetted cybersecurity solutions with negotiated pricing just for SLTTs.

CIS SecureSuite

Optimize your use of industry-leading security best practices with benefits, tools, and resources available to SLTTs at no cost.

Albert

Powerful, cost-effective IDS solution that identifies SLTT-specific malicious network activity.

CIS Endpoint Security Services

Cost-effective endpoint protection and response solution with additional capabilities offering real-time vulnerability data and mobile device visibility at your fingertips.

CIS Hardened Images

Securely pre-configured virtual machine images available to deploy from major cloud service provider marketplaces.

Malicious Domain Blocking and Reporting Plus

Customizable secure DNS service that blocks access to harmful web domains and offers real-time reports.

Cyber Audit Platform

High-level assessment that provides you with action items for improving your cybersecurity posture in key areas.

Editor-in-Chief

Michael Mineconzo

Supervising Editor

Laura MacGregor

Copy Editors

Aaron Perkins

David Bisson

Autum Pylant

Staff

Sean Atkinson

David Bisson

Charity Otwell

Aaron Perkins

Natalie Schlabig

Karen Sorady

Summer 2024
Volume 8 Issue 2

Contents

Featured Articles

Reasonable Cybersecurity: On the Need for a Definition (page 3)
Our new guide, created in collaboration with technical cybersecurity and legal experts, to specify what an organization must do to meet the standard of reasonable cybersecurity

Cracking the Compliance Code with a Unified CIS Benchmarks™ Automation Process (page 6)
How to employ an automated process in your organization to help alleviate the challenge of maintaining continuous compliance

CIS Controls Featured as Recommended Defenses in Verizon's 2024 Data Breach Investigations Report (page 10)
CIS and Verizon continue their long-running collaboration to showcase how our security best practices can help mitigate today's most prevalent cyber threats.

CIS CTI Team Delivers Unparalleled Value to the SLTT Community (page 14)
An in-depth look at the most common cyber threats affecting the SLTT community from our skilled Cyber Threat Intelligence (CTI) Team

Quarterly Regulars

Quarterly Update with John Gilligan (page 1)
News Bits & Bytes (page 2)
Cyberside Chat (page 12)
ISAC Update (page 18)
Event Calendar (page 20)

Cybersecurity Quarterly is published and distributed in March, June, September, and December. Founded MMXVII. Published by Center for Internet Security, 31 Tech Valley Drive, East Greenbush, New York 12061. For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518.266.3460. © 2024 Center for Internet Security. All rights reserved.

Quarterly Update with John Gilligan


Summer has come quickly this year in the northern hemisphere. We are already seeing temperatures in the 90-degree range in the area around Washington, D.C. While the temperatures change seasonally, threats to our cybersecurity environment remain on a steady growth trajectory — not a good thing. The reports of infiltration of our nation’s critical infrastructure, the growing use of artificial intelligence to develop cyber exploits, and potential increased cyber, information, and physical threats tied to the November general election all justify increased concern about our cybersecurity posture.

In response to these threats, our government has increased its attention on cybersecurity. Various regulatory agencies have drafted or issued guidance. Several initiatives have put emphasis on designing security by default, including CISA’s Secure by Design campaign. Some of these efforts require attestation by senior organization officials that they have followed established security principles. Moreover, a recent report published by CISA’s Cyber Safety Review Board is highly critical of fundamental security process failures of Microsoft, and it suggests significant changes.

While all this attention on the growing challenge of providing secure and resilient systems to customers is positive, some fundamental weaknesses remain. Among these weaknesses is the lack of measurable expectations for what determines adequate or "reasonable" security. Lists of security features or examples of security features provide directional intent. However, there is no basis for discretely measuring what is adequate or reasonable. This topic is the focus of this quarter’s publication.

CIS recently published “A Guide to Defining Reasonable Security.” This guide was developed in collaboration with the legal community with the primary objective of informing U.S. courts on what should be the standard of expectation for cybersecurity in deciding legal liability. However, the Guide can be viewed as a valuable starting point in defining reasonable and measurable security for all organizations. Charity Otwell, Director of the CIS Critical Security Controls® (CIS Controls®), has provided an article that describes the Guide and the potential implications on the long-term quest for "adequate security."

Charity has also provided a complementary article that highlights the use of the CIS Controls by Verizon in its Data Breach Investigation Report (DBIR). Specifically, due to the specific metrics associated with the CIS Controls, these security best practices have become the preferred reference of Verizon for advising organizations on how to reduce their susceptibility to the most common cyber threats. Tying both pieces together, Sean Atkinson, CISO at CIS, has provided an article discussing the intersection of reasonableness and threat reports like the recent one from Verizon.

The CIS Cyber Threat Intelligence (CTI) team has also provided an article describing how they help protect the U.S. SLTT community, highlighting their recent list of Top 10 Malware for Q1 2024. This effort leverages the unique threat perspectives provided to the CTI team by monitoring the threat activity of many thousands of U.S. State, Local, Tribal, and Territorial (SLTT) organizations. Our new CIS CyberMarket® partners at SteelCloud have also contributed an article on implementing automated measures to maintain compliance with CIS Benchmarks™.

Finally, Karen Sorady, Vice President of MS-ISAC Strategy and Plans, has provided an article on the recent work by the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) to increase focus on security for K-12 schools. Her article discusses recent roundtables held in Michigan and New Mexico by the new National Cyber Director, Harry Coker, as well as efforts by the MS-ISAC to increase the availability of tools and training for K-12 schools.

I hope you enjoy this quarter’s issue.

Best Regards,

Summer 2024 1

News Bits & Bytes

The Center for Internet Security® (CIS®) in the Spotlight at RSA Conference 2024

CIS was a proud partner and sponsor of RSA Conference (RSAC) 2024, which took place at the Moscone Center in San Francisco, California on May 6–9, 2024. CIS presented on numerous topics and networked with attendees at a sponsored breakfast, cyber nonprofits reception, and AI summit. Topics of discussion covered during our sessions and presentations included:

• Reasonable Cybersecurity: Oxymoron or Opportunity? with Tony Sager, SVP and Chief Evangelist

• Shades of Purple: Getting Started and Making Purple Teaming Possible with Mathew Everman, Information Security Operations Manager

• From Attacks to Action: An Open Community Model to Drive Defensive Choices with Tony Sager, SVP and Chief Evangelist, and Phyllis Lee, VP of SBP Content Development

Driving Security Best Practices with Our Global Community

Everything we do at CIS is community-driven. Our CIS Benchmarks™ and CIS Critical Security Controls® (CIS Controls®) rely on IT security practitioners from across the globe who volunteer to help our team continuously refine and verify our consensus-based best practices and cybersecurity tools. CIS recently highlighted a number of our volunteers on our blog; we're always looking for security professionals to help keep our connected world a safer place. Learn how you can join and contribute to one of our communities by visiting our Communities page.

CIS Awards $250,000 Grant to Support Women in CyberSecurity (WiCyS)

CIS is proud to award the second annual Alan Paller Laureate Program grant to Women in CyberSecurity (WiCyS), a nonprofit organization that creates accessibility and opportunities for women in the cybersecurity workforce.

WiCyS plans to use the grant to help fund its Security Training Scholarship program, a skill-development program designed to uncover hidden talent and increase diversity in the cyber workforce, empower women with the skills necessary for success, and address the critical workforce shortage in the cybersecurity industry.

The grant will also enable WiCyS to offer a course on the CIS Controls, which will better qualify program participants to secure long-term jobs and encourage more widespread adoption of the CIS Controls.

To learn more about the Alan Paller Laureate program, including eligibility and the application process, please visit our webpage about the Alan Paller Laureate Program.

To learn more about WiCyS and the Security Training Scholarship program, please visit Women in Cybersecurity.

CIS CyberMarket® Launches New Vendor

CIS CyberMarket® has added a new vendor to its list of valued partners: SteelCloud. SteelCloud's ConfigOS solution simplifies implementation of the CIS Benchmarks with automation and remediation using your existing staff and resources.

CIS CyberMarket is a cybersecurity marketplace specifically designed to help connect U.S. State, Local, Tribal, and Territorial (SLTT) government organizations with rigorously-vetted, cost-effective cybersecurity solutions from industry-leading vendors. To view all of our current offerings, please visit our official CIS CyberMarket webpage.

2 Cybersecurity Quarterly

Reasonable Cybersecurity: On the Need for a Definition

In the United States, there is no national standard for cybersecurity; many federal and state regulations and policies cover elements of it, but all fail to define a standard of reasonable cybersecurity. Our new guide seeks to remedy this.

In a digital era where cyber threats have become increasingly potent and pervasive, the concept of reasonable cybersecurity is assuming greater significance. "Reasonable cybersecurity" is a phrase that has broad implications across various sectors, especially for businesses that handle sensitive data. Yet the definition lacks clarity and fails to specify what an organization must do to meet the standard of reasonable cybersecurity.

In collaboration with recognized technical cybersecurity and legal experts, the Center for Internet Security® (CIS®) has addressed this complex subject in “A Guide to Defining Reasonable Cybersecurity.”

The goal of this guide is to provide practical and specific guidance to organizations seeking to develop a cybersecurity program that satisfies the general standard of reasonable cybersecurity, exercises the duty of care that an organization owes to its customers and stakeholders, and improves an organization's security at scale.

Defining Reasonable Cybersecurity

Reasonable cybersecurity refers to measures that are intended to protect against the loss, misuse, unauthorized access to, or modification of information or data based on the appropriate standard of care of how a reasonably prudent person in the same or similar circumstances would act. By nature, the concept of "reasonable" cybersecurity is both subjective and dynamic.

“The standard of reasonableness is important to organizations when it comes to risk assessments and what it is they need to do to implement across their enterprise,” said Phyllis Lee, VP of Security Best Practices Content Development at CIS. “Not only do they need to protect themselves, but of course, there's an obligation to protect others around them, including people affected by their mission.”

Reasonable cybersecurity varies based on factors including: industry practices, the nature and sensitivity of the information involved, the size and resources of the business handling it, any guidance or industry standards available at that time, foreseeable threats, available technology, and costs. The ongoing evolution of technology and cyber threats requires constant vigilance about what might be considered reasonable at a given point in time.

Reasonable Cybersecurity in the Limelight

The federal and state governments in the United States have various statutes, regulations, and caselaw on elements of cybersecurity, like data breach notification and data privacy. These requirements also increasingly require organizations to implement cybersecurity controls that are reasonable. However, these efforts fail to specify what an organization must do to meet the standard of reasonable cybersecurity. Specifically, they do not require a specific framework, nor do they direct organizations how to interpret or implement the frameworks in a manner by which they can demonstrate due care — a term for fulfilling the standard of care of acting with the necessary caution to avoid foreseeable risks.

“One of the questions that is often asked is, 'How to best implement reasonable cybersecurity?' The answer is that you must choose an identified framework, and you need to implement it properly. This guide shows you how to implement it in a way that demonstrates how you have conformed to the actual framework," said Curt Dukes, CIS Executive VP & GM, Security Best Practices Automation Group.

By considering emerging state laws as well as existing industry cybersecurity standards, our guide proposes that a definition for reasonable cybersecurity can be derived, articulated, and implemented.

Guidelines for Businesses and Auditors

Businesses and auditors assessing an organization's security measures post-incident need to understand what constitutes reasonable cybersecurity. They should look for evidence of cyber defenses that include robust incident response procedures, employee training programs, intrusion detection systems, firewalls, encryption technology, and ongoing monitoring. Our guide recommends that organizations adhere to recognized standards, such as the CIS Critical Security Controls® (CIS Controls®), while reviewing such measures.

An equally important goal of this guide is to eliminate breaches and, therefore, reduce litigation resulting from data breaches. Businesses should adopt a proactive approach to cybersecurity by conducting regular information risk assessments and disaster recovery planning exercises, which would strengthen their defenses against cyber attacks.

Guidelines for Lawyers and Courts

As the intermediaries between businesses and government agencies dealing with cybersecurity matters arising from data breaches, lawyers play a crucial role. They need to have a sound understanding of legal issues associated with cybersecurity like statutory obligations for data handling or breach notification rules. At the same time, they also must grasp technical concepts related to IT infrastructure to represent their clients effectively.

The court system, which is responsible for interpreting these laws, will also benefit from a clearer understanding of what constitutes reasonable cybersecurity.


Guidance for Regulators

Government-appointed regulators of the cybersecurity industry have a vital role in providing appropriate guidance regarding reasonable cybersecurity measures. To maintain public confidence and trust, they must be able to articulate what their regulations mean when they call for reasonable safeguards. They should, like the states are beginning to do, offer specific guidance that helps organizations to identify more clearly what should be done. For example, the Federal Communications Commission (FCC), in a current ruling, specifically referenced the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Performance Goals (CPGs) and the CIS Controls as standards.

"If you're going to convince someone else — a regulator, a lawmaker, a judge, a lawyer — that you behave reasonably, the best case is to say, 'I have a way to measure myself against a plan of attack that is understood to be reasonable.' So that says, 'I have some way to say I've looked at a framework of activity. I've chosen the activities that make sense to me, and here's the plan I put in place to execute against that,'" said Tony Sager, CIS Senior Vice President and Chief Evangelist.

The authors of this guide considered federal and state laws, existing regulations, various industry best practices and cyber frameworks, and other resources to derive and propose a methodology for determining what should be considered reasonable cybersecurity to thwart data breaches. While there is no comprehensive U.S. law defining reasonable cybersecurity in all settings, this guide offers principles that may be used in interpreting and applying the laws that do exist.

A Step Forward for Reasonable Cybersecurity

U.S. cybersecurity requirements increasingly reference "reasonable cybersecurity," but none specify exactly what reasonable cybersecurity means. "A Guide to Defining Reasonable Cybersecurity" points to a growing trend in the states of specifically identifying industry best practices that will enable organizations to better protect their business operations and their customers’ personally identifiable information (PII). It goes on to provide, as an example, how one framework, the CIS Controls, can be implemented prescriptively and in a manner that affords lawyers, courts, regulators, businesses, and auditors the ability to assess whether reasonable cybersecurity measures have been taken.

Ready to align your cybersecurity program to the standard of reasonable cybersecurity? Download a copy of "A Guide to Defining Reasonable Cybersecurity" today.

Charity Otwell is the Director of the CIS Critical Security Controls for CIS. She has nearly 20 years of experience in the financial services industry and has built and led various programs such as Business Continuity, Disaster Recovery, Technology Governance, and Enterprise Architecture in a highly regulated environment. Before coming to CIS, Otwell was a GRC champion and practitioner with a focus on risk assessment, process optimization, process engineering, and best practice adoption for a top-50 bank within the United States. She also helped manage the relationship with federal regulators and the management of federal regulatory exams. She completed undergraduate and graduate studies in Birmingham, Alabama, and holds multiple industry certifications.


Cracking the Compliance Code with a Unified CIS Benchmarks™ Automation Process

Ensuring continuous compliance to configuration guidelines like the CIS Benchmarks can sometimes be a challenge to do manually, especially with limited resources. Automating the process can help alleviate the burden on your staff.

Multiple critical issues hinder an organization’s ability to meet its cybersecurity and Risk Management Framework (RMF) objectives. First, the complexity of the process can be overwhelming, even if following the CIS Benchmarks™ and CIS Critical Security Controls® (CIS Controls®) of the Center for Internet Security® (CIS®). Then you must tackle the challenge of limited resources — manpower is lacking and hard to come by, budgets are limited, and time is always of the essence. For all these reasons, an automation solution is a recommended approach.

While automation may seem like the easy answer, it also has its challenges. With different teams and different objectives operating within the organization, it is essential that you unify all stakeholders, including the compliance and IT functions, around how you plan to interpret and implement CIS security best practices.


A Unified Approach to RMF and Compliance

Streamlining the RMF process to support continuous compliance requires teams to synchronize the implementation and assessment of CIS Benchmarks in the production environment. The assessment artifacts provided by scanning tools rarely match the controls approved in the RMF process. Most notably, compliance reporting created by this process is inaccurate and requires a significant amount of manual rework. Here, the lack of synchronization is caused by an inherent flaw in the traditional ways controls are approved, implemented, and assessed.


Traditional implementation and assessment methods rely on multiple processes and multiple technologies from multiple vendors, which effectively isolate the processes for:

• Selecting CIS Benchmarks

• Maintaining CIS Benchmarks

• Implementing CIS Benchmarks

• Assessing CIS Benchmarks

It’s difficult to achieve a singular result when using multiple processes and systems with differing CIS content. It's even harder when you consider the compliance challenges encountered throughout an application’s entire development-to-production lifecycle. As a result, traditional means of CIS implementation and assessment are not well-suited to an enhanced compliance process.

The Operational Challenge of Cyber Compliance

Traditionally, a CIS Benchmark specification is created as part of the process to approve an application to be fielded in production. Selecting controls involves the arduous task of hardening the appropriate CIS Benchmark configuration guidance around an application stack. Seasoned IT staff usually take weeks or more to perform this task manually. The output of that hardening process is a CIS operational policy document that is then approved for release to the production environment as part of the RMF process. An approved CIS operational policy document details all the approved CIS Benchmark configuration values and any deviations required and identified in the hardening process. This document is supplied to the IT/system administration staff to implement the approved controls using Group Policy Objects (GPOs), various scripting tools, and/or manual processes.

How often is that policy implemented correctly in the production environment? Rarely. From human error to insufficient assessment tools and generic scanners, the production implementation of CIS controls seldom matches the RMF-approved policy. In fact, traditional implementations of controls utilize three or more policies that are not synchronized:

1. The CIS Benchmark policies that are approved in the RMF process

2. The CIS Benchmark policies that are implemented by the IT organization with the various tools available in the environment

3. The CIS Benchmark scan results that are produced using generic CIS policies

The result is a compliance picture that requires significant human effort to sift through results for actionable data. The burden is high enough that reconciliation can take days or weeks, thereby eliminating any possibility of an agile process.

Anatomy of the Solution

The solution is easy to recognize. Organizations must use the same policy and automation solution for all four steps — selecting, implementing, maintaining, and assessing CIS Benchmark configuration guidelines. Several other imperatives are also key:

• Unified Operations — The tool must be unified in both its automation capabilities and its ability to utilize unified CIS content to implement, maintain, and assess controls at a granular level.


• Hardening Process Simplification — Simplifying the hardening process enables non-specialized, less experienced personnel to easily harden CIS controls around an application stack. Accomplishing this will justify the creation of compliance-as-code as early in the production process as possible.

• Policy Portability — Once created in the pre-production phase, the compliance-as-code policy should be portable, i.e., easily moved from domain to domain as the application stack moves from phases of development to production.

• Compliance Artifacts — A complete solution should also produce the requisite RMF compliance artifacts, such as reports and logs.

• Capacity and Simplification — This is a tricky one. The automation solution and requisite policy content must be agile enough to quickly harden policy around an individual application stack or system while additionally having the capacity to remediate and maintain thousands of systems with discrete CIS Benchmark configuration policies tailored for each system.

• Policy Maintenance Automation — First, the solution should be able to eliminate drift by bringing production systems into compliance while they are in production. Second, the solution should automate the process of ingesting, testing, and creating new production policy baselines. Third, the solution should reliably automate the deployment of the updated configuration policies in production by bringing the infrastructure into compliance with the new policies.
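The three unsynchronized policies described earlier (the RMF-approved policy, the policy the IT organization actually implemented, and the generic policy the scanner assessed against) and the drift-elimination requirement above both come down to the same design rule: assessment and remediation must read from one policy object. The Python sketch below is an added example of that rule, not SteelCloud's ConfigOS or any CIS tool. The setting names, values, the approved-deviation record and the observed system state are all constructed for illustration and are not taken from an actual CIS Benchmark; the `Deviation`, `Finding`, `build_operational_policy`, `assess` and `remediation_plan` names are the example's own.

```python
"""
Compliance-as-code sketch: a generic benchmark plus approved deviations
yields one operational policy; the same object drives both assessment
and remediation, so approved, implemented and assessed can't diverge.

Added example, not SteelCloud's or CIS's code. Setting names and values
are constructed to look like Benchmark-style items, not copied from one.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Deviation:
    """An approved departure from the generic benchmark value."""
    setting: str
    value: object
    justification: str
    ticket: str          # change record the deviation was approved under


@dataclass
class Finding:
    setting: str
    expected: object     # approved operational value
    observed: object
    status: str          # "compliant" | "drift" | "missing"
    note: str = ""


def build_operational_policy(benchmark: dict, deviations: list) -> dict:
    """Overlay approved deviations on the generic benchmark. A deviation
    for an unknown setting or without an approval ticket is rejected, so a
    typo cannot silently create an unassessed control."""
    policy = dict(benchmark)
    for d in deviations:
        if d.setting not in benchmark:
            raise KeyError(f"deviation for unknown setting {d.setting!r}")
        if not d.ticket:
            raise ValueError(f"deviation for {d.setting!r} has no approval ticket")
        policy[d.setting] = d.value
    return policy


def assess(policy: dict, observed: dict, benchmark: dict) -> list:
    """Compare observed state with the operational policy. A value that
    matches the generic benchmark but not the approved deviation is still
    drift: a scanner fed generic content would wrongly report it as a pass."""
    findings = []
    for setting, expected in sorted(policy.items()):
        if setting not in observed:
            findings.append(Finding(setting, expected, None, "missing"))
            continue
        actual = observed[setting]
        if actual == expected:
            findings.append(Finding(setting, expected, actual, "compliant"))
        else:
            note = ""
            if actual == benchmark[setting]:
                note = "matches generic benchmark, not the approved deviation"
            findings.append(Finding(setting, expected, actual, "drift", note))
    return findings


def remediation_plan(findings: list) -> dict:
    """Settings to push back to their approved values. Derived from the
    same findings the assessment produced, so the two cannot disagree."""
    return {f.setting: f.expected for f in findings if f.status != "compliant"}


# --- constructed sample data (illustrative, not from a real Benchmark) ---
BENCHMARK = {
    "PasswordHistorySize": 24,
    "MinimumPasswordLength": 14,
    "LockoutThreshold": 5,
    "AuditLogonEvents": "Success and Failure",
}
DEVIATIONS = [
    # Hypothetical: a legacy application cannot take 14-character passwords.
    Deviation("MinimumPasswordLength", 12, "legacy app limit", "CHG-0042"),
]
OBSERVED = {
    "PasswordHistorySize": 24,
    "MinimumPasswordLength": 14,   # GPO pushed the generic value, not 12
    "LockoutThreshold": 10,        # drifted in production
    # AuditLogonEvents was never configured
}

if __name__ == "__main__":
    policy = build_operational_policy(BENCHMARK, DEVIATIONS)
    findings = assess(policy, OBSERVED, BENCHMARK)
    for f in findings:
        print(f"{f.status:9} {f.setting:22} expected={f.expected!r} "
              f"observed={f.observed!r} {f.note}")
    print("remediate:", remediation_plan(findings))
```

The point to notice is the `MinimumPasswordLength` case: a generic scanner sees 14, the benchmark value, and reports compliance, while the approved operational policy says 12 and the system is in fact out of policy. Only a tool that assesses against the same object it remediates from will catch it.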

Unified Automation with Unified Content

The key to bringing about this fundamental improvement is creating compliance-as-code policy as an output of the RMF process. Traditional single-purpose automation tools cannot efficiently or effectively achieve that goal. However, a comprehensive automation solution that unifies policy content ensures that control selection, implementation, and assessment are automatically and continually in sync.

Brian Hajost is the Founder and Chief Operating Officer of SteelCloud, a CIS CyberMarket® partner company that develops automated compliance technology for the CIS Benchmarks. Hajost has transformed SteelCloud into a recognized leader in delivering new technologies that allow organizations to effectively meet the compliance mandates of RMF, NIST 800-53, NIST 800-171, CMMC, and IRS Pub 1075. His technical career has spanned over 30 years, and he holds 12 patents in IT security and two patents in mobile security. Hajost is an active contributor to AFCEA International and is also the Vice Chair of the Advanced Technology Academic Research Center (ATARC) Continuous ATO Working Group.


CIS Controls Featured as Recommended Defenses in Verizon's 2024 Data Breach Investigations Report

For over a decade, CIS and Verizon have worked together to contextualize prevalent attack vectors and emerging trends in data breaches, as well as show how organizations can use the CIS Controls to enhance their defenses.

The Verizon 2024 Data Breach Investigations Report (DBIR) is widely recognized across the cybersecurity industry for its comprehensive analysis of the global threat landscape based on real-world data from actual security incidents and breaches. It provides a robust assessment of thousands of incidents worldwide, focusing on prevalent attack vectors and emerging trends in data breaches. It also serves as an authoritative source of information for organizations seeking to enhance their cybersecurity defenses and make better-informed risk management decisions.

Like previous years' reports, the 2024 DBIR points to the CIS Critical Security Controls® (CIS Controls®) as mitigations to today's most pervasive attacks. Let's quickly explore how this helps you to strengthen your organization's cyber defenses.

The Need for a Proactive Approach to Cybersecurity

It's not enough for you to react to security incidents at your organization before they develop into data breaches. Verizon's report specifies that the CIS Controls come with a tactical advantage in thwarting cyber threats. A recognized set of globally acknowledged best practices for securing IT systems and data, the CIS Controls offer a prioritized and actionable way to protect your organization against prevalent cyber threats. More than that, they provide you with proactive defense mechanisms designed to tackle potential risks before they can be exploited. In this way, you can meaningfully strengthen your organization's cybersecurity defense strategy against system intrusion, social engineering, and other attack patterns featured in the 2024 DBIR.

“The DBIR provides valuable insights into the threat landscape, helping businesses around the globe mitigate risks and fortify defenses,” said Philippe Langlois, Lead Data Scientist for the Verizon DBIR. “By integrating the CIS Controls into our recommendations, we aim to provide easy-to-implement measures that can significantly enhance an organization's security posture.”

This year’s report also takes a deeper look at the pathways that lead to breaches and maps those patterns to the CIS Controls at the Safeguard level that would help mitigate the threats. This showcases the effectiveness of the CIS Controls in protecting against global threats for all industries. Additionally, the report includes a look at how to use the VERIS Community Database (VCDB) coupled with the CIS Risk Assessment Method (CIS RAM) to estimate risk.

An Ongoing Cybersecurity Partnership

The synergy between the CIS Controls and the Verizon DBIR on display again in this year's report continues to offer organizations meaningful defensive recommendations and actions to improve their cybersecurity. Combined, they underscore the importance of adopting a data-driven approach to security decisions, underpinned by the prescriptive guidance contained in the CIS Controls.

CIS and Verizon hosted a joint webinar titled, “2024 Verizon DBIR Findings and How the CIS Critical Security Controls can Help to Mitigate Risk to Your Organization" on June 11, 2024. The webinar highlights the longstanding partnership between CIS and Verizon, key insights and findings from this year’s report, the way Controls impact threats seen through incidents in breaches, how to leverage the data from the 2024 report, and more.

You can watch a recording of the webinar and learn more about our collaboration at https://www.cisecurity.org/insights/webinar/2024-dbir-findings-and-how-the-cis-critical-security-controls-can-help-to-mitigate-risk-to-your-organization.

Charity Otwell is the Director of the CIS Critical Security Controls for CIS. She has nearly 20 years of experience in the financial services industry and has built and led various programs such as Business Continuity, Disaster Recovery, Technology Governance, and Enterprise Architecture in a highly regulated environment. Before coming to CIS, Otwell was a GRC champion and practitioner with a focus on risk assessment, process optimization, process engineering, and best practice adoption for a top-50 bank within the United States. She also helped manage the relationship with federal regulators and the management of federal regulatory exams. She completed undergraduate and graduate studies in Birmingham, Alabama, and holds multiple industry certifications.


The Intersection of Reasonable and the Verizon Data Breach Investigations Report

As we address the publication of the new white paper, “A Guide to Defining Reasonable Cybersecurity,” and the excellent work in the recently released Verizon 2024 Data Breach Investigations Report (DBIR) in this quarter’s publication, I wanted to provide a perspective about the utility of both efforts and how they reframe my approach to “reasonable.”

The alignment of reasonableness in threat reports, such as the Verizon DBIR, plays a critical role in defining and implementing effective security controls within organizations. The concept of "reasonable" controls is a cornerstone of cybersecurity, often used to ensure that measures taken are appropriate and adequate to the cyber threats faced without being overly burdensome or costly. Reasonableness provides guidelines you can utilize to make data-based decisions that address both a reasonable likelihood of seeing threats to your organization and what control capabilities to address those threats are reasonable given the available resources at your disposal.

The Verizon DBIR is an authoritative source of insight derived from thorough analysis of real-world data breaches and security incidents that provides comprehensive assessments into the current global threat landscape. As the Center for Internet Security® (CIS®) has been a regular contributor to this report for 11 years, you can align your organization's capabilities around the CIS Critical Security Controls® (CIS Controls®) and see the alignment directly to your own internal information security plans. By analyzing trends, patterns, and the prevalence of different types of cyber threats, the Verizon DBIR offers a data-driven foundation for assessing cybersecurity risks and determining what constitutes reasonable security measures.

Key Areas of Alignment

1. Threat Identification and Prioritization: The Verizon DBIR categorizes cybersecurity threats based on frequency, impact, and vectors. You can use this information to identify which threats are most relevant to your organization's industry and operational environment. For instance, if the Verizon DBIR highlights that phishing and credential theft are the predominant attack vectors in a specific sector, you can implement robust email security and multi-factor authentication (MFA) as reasonable controls.

2. Risk Assessment and Mitigation: Using the Verizon DBIR, you can perform risk assessments to evaluate your current security posture against the identified cyber threats. The report's detailed analysis helps in understanding the tactics, techniques, and procedures (TTPs) used by malicious attackers. Consequently, you can prioritize mitigations such as patch management, network segmentation, and user training programs in your information security program based on the likelihood and potential impact of these threats.

3. Benchmarking and Best Practices: The Verizon DBIR includes statistical data and case studies that illustrate effective defenses and common failure points. You can benchmark your organization's security controls against industry standards and best practices highlighted in the report. This benchmarking process ensures that the security measures in place are not only reasonable but also effective in countering prevalent cyber threats.

4. Regulatory and Compliance Alignment: Many regulatory frameworks and standards, such as GDPR, HIPAA, and PCI DSS, require you to implement reasonable security controls. The Verizon DBIR's data can help justify these controls to regulators by demonstrating that they are aligned with current threat intelligence and industry benchmarks.

5. Continuous Improvement: Cyber threats are constantly evolving. Regularly reviewing and incorporating findings from annual threat reports like the Verizon DBIR into a security strategy ensures that your cyber defenses remain relevant and effective. This continuous improvement process is essential for maintaining a reasonable and adaptive security posture.

By leveraging the insights from the Verizon DBIR, you can ensure that your organization's security controls are reasonable and aligned with the latest cyber threat data. This alignment not only helps in effectively mitigating risks but also demonstrates due diligence and adherence to best practices in cybersecurity, becoming “reasonable” with an approach that embraces continuous threat modeling and risk management posture assessment.
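The prioritization described in the five areas above (frequency of a threat in your sector, its potential impact, and the control that addresses it) can be carried out as a small, repeatable calculation over incident data. The script below is an added illustration, not code from CIS, Verizon, or the DBIR, and it is not the CIS RAM method. The incident records are constructed in the shape of VERIS entries (the VCDB format, with action varieties nested under action categories), the impact weights are assumed values, and the action-to-Safeguard mapping is an assumption that should be checked against the current CIS Controls v8 Safeguard list before use.

```python
"""Rank threats by likelihood x impact from VERIS-shaped incident data
and list the CIS Safeguards that address the highest-ranked ones.

Added example, not CIS/Verizon code. All records, weights and the
Safeguard mapping below are constructed assumptions for illustration.
"""
from collections import Counter

# Constructed stand-in for a VCDB export: only the fields used here are kept.
INCIDENTS = [
    {"victim": {"industry": "Public Administration"},
     "action": {"social": {"variety": ["Phishing"]}}},
    {"victim": {"industry": "Public Administration"},
     "action": {"social": {"variety": ["Phishing"]},
                "hacking": {"variety": ["Use of stolen creds"]}}},
    {"victim": {"industry": "Public Administration"},
     "action": {"hacking": {"variety": ["Use of stolen creds"]}}},
    {"victim": {"industry": "Public Administration"},
     "action": {"malware": {"variety": ["Ransomware"]}}},
    {"victim": {"industry": "Public Administration"},
     "action": {"hacking": {"variety": ["Exploit vuln"]}}},
    {"victim": {"industry": "Public Administration"},
     "action": {"error": {"variety": ["Misdelivery"]}}},
    {"victim": {"industry": "Finance"},
     "action": {"hacking": {"variety": ["Use of stolen creds"]}}},
    {"victim": {"industry": "Finance"},
     "action": {"malware": {"variety": ["Ransomware"]}}},
]

# Assumed impact weights (1 = low, 5 = severe); an organization would set its own.
IMPACT_WEIGHTS = {
    "Ransomware": 5,
    "Use of stolen creds": 4,
    "Exploit vuln": 4,
    "Phishing": 3,
    "Misdelivery": 1,
}

# Assumed mapping to CIS Controls v8 Safeguards; verify against the published list.
SAFEGUARD_MAP = {
    "Phishing": ["14.2 Train workforce to recognize social engineering",
                 "9.7 Deploy email server anti-malware protections"],
    "Use of stolen creds": ["6.3 Require MFA for externally-exposed applications",
                            "6.5 Require MFA for administrative access"],
    "Exploit vuln": ["7.3 Perform automated operating system patch management",
                     "7.4 Perform automated application patch management"],
    "Ransomware": ["11.2 Perform automated backups",
                   "10.1 Deploy and maintain anti-malware software"],
}


def incident_actions(incident):
    """Collect every action variety in one record, across all action categories."""
    found = set()
    for category in incident.get("action", {}).values():
        found.update(category.get("variety", []))
    return found


def rank_risks(incidents, industry, impact_weights):
    """Score each action seen in `industry` as (share of incidents) x (impact).

    Returns a list of dicts sorted by descending score; ties break on name.
    An empty list means no data for that industry, which the caller should
    treat as 'no evidence', not 'no risk'.
    """
    subset = [i for i in incidents if i["victim"]["industry"] == industry]
    if not subset:
        return []
    counts = Counter()
    for inc in subset:
        counts.update(incident_actions(inc))  # each variety counted once per incident
    ranked = []
    for action, n in counts.items():
        likelihood = n / len(subset)
        impact = impact_weights.get(action, 1)  # unknown actions default to low impact
        ranked.append({"action": action, "likelihood": round(likelihood, 3),
                       "impact": impact, "score": round(likelihood * impact, 3)})
    ranked.sort(key=lambda r: (-r["score"], r["action"]))
    return ranked


def recommend_safeguards(ranked, mapping, top_n=3):
    """Return (ordered unique Safeguards for the top_n threats, unmapped threats).

    Unmapped threats are reported rather than silently dropped so the gap in
    the mapping is visible to whoever maintains it.
    """
    safeguards, unmapped = [], []
    for entry in ranked[:top_n]:
        controls = mapping.get(entry["action"])
        if controls is None:
            unmapped.append(entry["action"])
            continue
        for c in controls:
            if c not in safeguards:
                safeguards.append(c)
    return safeguards, unmapped


if __name__ == "__main__":
    ranked = rank_risks(INCIDENTS, "Public Administration", IMPACT_WEIGHTS)
    for r in ranked:
        print(f"{r['action']:<22} likelihood={r['likelihood']:<6} "
              f"impact={r['impact']} score={r['score']}")
    controls, gaps = recommend_safeguards(ranked, SAFEGUARD_MAP, top_n=3)
    print("Prioritized Safeguards:", *controls, sep="\n  ")
    print("Threats with no Safeguard mapping:", gaps)
```

With the constructed records, stolen credentials outrank phishing for the public-sector subset even though both appear equally often, because the assumed impact weight is higher; swapping in your own sector's counts from the VCDB and your own impact weights is what turns this into a "reasonable" prioritization for your organization.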


CIS CTI Team Delivers Unparalleled Value to the SLTT Community

An in-depth look at some of the most prevalent malware threats affecting our U.S. State, Local, Tribal, and Territorial (SLTT) members from our Cyber Threat Intelligence (CTI) Team, one of the many resources available to members of the Multi-State Information Sharing and Analysis Center (MS-ISAC)

An Introduction to the CIS CTI Team

The Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team is staffed with a cadre of cybersecurity experts who are among the best the world has to offer. Its technical experts, outstanding communicators, and mission-driven threat intelligence professionals are constantly on the lookout for new and emerging threats.

The CIS CTI team works tirelessly to help U.S. State, Local, Tribal, and Territorial (SLTT) organizations who are members of the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) to better protect systems and data from cyber threat actors (CTAs). Their vigilance and expertise are critical in identifying, mitigating, and reporting on cyber threats before they can materialize and cause significant damage to SLTT organizations.

This article draws on one of the many reports the CIS CTI team has published. It summarizes the changes to the cyber threat landscape since the previous quarter, drilling down into each of the top 10 malware threats the CIS CTI team observed in the first quarter of 2024.

How Did Cyber Threats Change in Q1 2024?

In the first quarter of 2024, the landscape of malware threats observed by the MS-ISAC saw several changes from the previous quarter.

SocGholish, a downloader, remains the most common threat, making up 60% of the top 10 malware. Following SocGholish are ArechClient2, a Remote Access Trojan (RAT), and CoinMiner, malware designed to steal system resources to mine cryptocurrency without the user's consent. Other notable mentions include Lumma Stealer, Jupyter, and Ratenjay, all of which reappeared on the list this quarter.

How Does Malware Infect Systems?

The MS-ISAC tracks potential initial infection vectors for the Top 10 Malware each quarter based on open-source reporting. Malware typically infects systems through several common infection vectors:

1. Malvertisement: These are malicious advertisements posing as legitimate software updates or ads that trick users into downloading malware to their systems.

2. Malspam: Malspam — short for malicious spam — involves CTAs sending unsolicited emails that lure users into clicking on malicious links or downloading harmful attachments.

3. Dropped: This method involves CTAs exploiting system vulnerabilities or using other malware to place (or drop) malware on a target system.

4. Multiple Vectors: Some malware use more than one method to infect systems.

In Q1 of 2024, Malvertisement was the number one initial infection vector due to a significant increase in alerts related to SocGholish and its ongoing campaign where it masquerades as software updates for initial access. Additionally, the Dropped category increased 290% from the previous quarter due to an increase in Gh0st and Ratenjay activity.

An Overview of the Top 10 Malware in Q1 2024

1. SocGholish: SocGholish spreads through malicious websites disguised as legitimate software updates. Once on a system, SocGholish can redirect web traffic and deliver additional malicious payloads such as Cobalt Strike and information stealers.

2. ArechClient2: This .NET-based RAT has a variety of capabilities, including stealing browser and cryptocurrency wallet information as well as launching hidden browser sessions. ArechClient2 can also evade virtual machine environments and emulators, making attempts to analyze this malware more challenging for threat intelligence teams.

3. CoinMiner: CoinMiner, a malware that has been around for at least 10 years, uses system resources to mine cryptocurrency. It often spreads via network exploitation or malspam, and it may use scripts to maintain persistence on infected systems.

4. NanoCore: NanoCore spreads through email attachments. It can execute various commands, download files, and visit websites without the user's knowledge.

5. Agent Tesla: This RAT is sold on criminal forums, and once installed on a target system, it can capture keystrokes, screenshots, and browser data. Agent Tesla is highly customizable and is often used to steal sensitive information.

6. Lumma Stealer: Lumma Stealer is designed to collect personal information, including credentials and banking details. Like ArechClient2, Lumma Stealer uses a wide variety of techniques to avoid detection and prevent analysis.

7. Ratenjay: Ratenjay is often delivered by other malware and allows remote control of infected systems, including keylogging capabilities.

8. Jupyter: Also known as SolarMarker, Jupyter is a sophisticated info-stealer that initially infects systems when a user downloads a malicious document from a compromised website.

9. RogueRaticate: RogueRaticate spreads through malicious websites and fake browser updates, providing CTAs with an opportunity to further exploit the target system by loading additional malicious tools.

10. Gh0st: Gh0st is a RAT that provides full control over infected systems and is often used in conjunction with other malware to create a backdoor for CTAs.

How Can You Protect Yourself Against Malware Threats?

To protect against these threats, it is crucial to be aware of the common methods used for infection:

• Be cautious of unsolicited emails and never click on unknown links or download attachments from untrusted sources (Malspam).

• Avoid downloading software updates from unverified websites (Malvertisement).

• Ensure your systems are regularly updated and patched to protect against vulnerabilities that can be exploited by malware (Dropped).

• Use comprehensive security solutions that can detect and block various types of malware and their infection vectors (Multiple Vectors).

Take the Next Step in Strengthening Your Cyber Defenses

Understanding the common types of malware and their methods of infection is key to protecting your systems. But understanding only goes so far, and you must take action to strengthen your cyber defenses to better protect yourself and your organization from cyber threats.

Remain vigilant and employ robust security measures, and you will reduce your risk of falling victim to these malicious threats. Always keep your software updated, be cautious of unsolicited emails, and use security tools to help detect and prevent infections.

If malware were the only cyber threat SLTT organizations faced, the solution would likely be more straightforward. Unfortunately, malware is just one tactic, technique, or procedure (TTP) used by CTAs. Vigilance, high-quality analysis, a team of cybersecurity professionals like those who comprise the CIS CTI team, and the collective expertise of the cybersecurity community are all vital aspects of achieving a higher level of cyber maturity.

Are you an SLTT organization ready to take the next step in your cyber maturity journey? Join the MS-ISAC for free today so you can take the next step in better securing your organization against cyber threats with no-cost and cost-effective cybersecurity services and solutions designed with you, the SLTT organization, in mind.

Ready to stay one step ahead of the latest cyber threats to better inform your cyber defense priorities? Get timely updates and expert insights directly from the MS-ISAC. Visit https://learn.cisecurity.org/ms-isac-subscription to subscribe to Cybersecurity Advisories.

The CIS Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC® and EI-ISAC®) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience in all types of industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures.


ISAC Update

CIS Partners with State and Federal Experts to Enhance Cybersecurity for K-12 Schools

In the increasingly complex world of cybersecurity, K-12 organizations face seemingly insurmountable challenges. Yet amid this ever-evolving digital threat landscape, an established support network for K-12 entities continues to grow stronger. The Center for Internet Security® (CIS®) and the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), in collaboration with the Office of the National Cyber Director (ONCD), the U.S. Department of Education, and state partners, are partnering to increase awareness and adoption of low- and no-cost services available to K-12 organizations and other public entities. This partnership embodies a community defense model fueled by the collective efforts of mission-driven organizations.

The Collective Effort

The collaboration between CIS, MS-ISAC, and ONCD is committed to addressing the unique cybersecurity needs of K-12 schools across the United States, including the country's tribal lands and territories. K-12 organizations hold a wealth of sensitive data and yet possess limited resources for defense. According to the most recent report released by the MS-ISAC, 81% of responding schools said they struggle with a lack of sufficient cybersecurity funding. In a continued effort to address this gap, CIS and the MS-ISAC, in partnership with state and federal cybersecurity experts, are stepping up now more than ever to provide essential support and resources to these cyber underserved organizations that are so critical to the strength of our nation.

Key Meetings and Discussions

A roundtable discussion held in Lansing, Michigan and hosted by the Michigan Department of Technology, Management, and Budget (DTMB), brought together representatives from CIS, MS-ISAC, ONCD Director Harry Coker Jr., and members of Michigan's K-12 education community. This meeting focused on the critical need for enhanced cybersecurity measures in schools.

Photo credit: White House Office of the National Cyber Director

Similarly, in Santa Fe, New Mexico, CIS and MS-ISAC representatives, along with state representatives and Director Coker and his team, met with local school superintendents and IT staff at the New Mexico National Guard Office to discuss viable solutions to elevating the cyber maturity of K-12 organizations.

Practical Solutions and Resources

Through its Cooperative Agreement with the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), CIS administers the MS-ISAC, offering MS-ISAC membership to public K-12 organizations at no cost to them. MS-ISAC membership provides K-12 entities with much-needed no-cost and cost-effective cybersecurity services and solutions tailored for the state, local, tribal, and territorial community, including K-12 schools.

No-cost services include network monitoring, analysis, and response from the 24x7x365 CIS Security Operations Center (SOC), access to the CIS Cyber Incident Response Team (CIRT), and Malicious Domain Blocking and Reporting (MDBR), a protective domain name service (PDNS) that prevents connection to known malicious sites, often stopping ransomware and other malware in its tracks.

Building a Secure Future

The roundtable discussions and collaborative efforts highlight an ongoing partnership aimed at improving the cybersecurity posture of K-12 schools.

Laura Clark, the State of Michigan’s Chief Information Officer, emphasized the importance of collective effort:

“Cybersecurity is a team effort, and our number one priority is keeping our networks and data safe, secure, and private.”

Continuous Improvement and Collaboration

The partnership extends beyond immediate solutions. Santa Fe Public Schools, an MS-ISAC member, actively utilizes MDBR and engages in continuous training to stay ahead of evolving cyber threats. Superintendent Hilario “Larry” Chavez highlighted the need for ongoing vigilance and education in cybersecurity practices, and MS-ISAC is proud to be a part of helping these K-12 schools do just that. With a member base of close to 6,000 K-12 organizations and an active member community, MS-ISAC ensures that its offerings align with the requirements of our members, meeting them where they are in their cyber maturity journey.

A United Front

At the heart of our collaborative approach is the belief that community is a necessary and effective layer of defense. By helping to foster a culture of mutual support, shared knowledge, and actionable best practices, our collective organizations become an enabler for K-12 schools and others, reminding them that they are not alone in their fight against cyber threats. The relationships and partnerships formed through these initiatives are expected to strengthen over time as we work tirelessly to help K-12 educational institutions along their cyber maturity journey.

In the vast and often daunting cybersecurity arena, CIS, MS-ISAC, ONCD, the U.S. Department of Education, and our members and partners serve as a powerful reminder that a shared vision and unifying mission create an environment where K-12 schools can focus on creating more secure environments for students and staff to learn together, work together, and thrive together.

For more information on MS-ISAC membership, visit https://www.cisecurity.org/ms-isac.

Photo credit: Mo Charnot (Santa Fe Reporter)

Upcoming Events

July

July 9 – 12

The National Association of Secretaries of State (NASS) will host the NASS 2024 Summer Conference in San Juan, Puerto Rico. The event will bring together the nation’s Secretaries of State and their staff to network, learn about trending topics in the industry, and discover new solutions and strategies for serving their constituents. Learn more at https://www.nass.org/events/nass-2024-summer-conference.

July 12 – 15

The National Association of Counties (NACo) will host the 2024 NACo Annual Conference and Exposition at the Tampa Convention Center in Tampa, Florida. The conference is the premier gathering of elected and appointed officials from the nation’s counties, parishes, and boroughs. It will include discussion of federal policies impacting counties, workshops lifting up county best practices, and engaging general sessions. Learn more at https://www.naco.org/event/2024-naco-annual-conference-exposition.

July 16

The Second Annual Raleigh-Durham Cybersecurity Summit will take place at the Raleigh Marriott City Center in Raleigh, North Carolina. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. CIS Senior Cybersecurity Engineer Eric Pinnell will lead a panel session at the event on cloud security. Through our partnership, U.S. State, Local, Tribal, and Territorial (SLTT) government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/raleigh24/.

July 18

The 11th Annual DC-Metro Cybersecurity Summit will take place at The Ritz-Carlton, Tysons Corner in McLean, Virginia. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. CIS Cybersecurity Engineer for Cloud Chantel Duckworth will lead a panel discussion at the event on cloud security. Through our partnership, U.S. State, Local, Tribal, and Territorial (SLTT) government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/dcmetro24/.

July 22 – 23

Midwest Tech Talk 2024 will take place at Osage High School in Osage Beach, Missouri. The event will bring together K-12 IT and technology leaders and professionals in the Midwest to focus on the future of their districts' technology programs. Attendees will improve their skills and take knowledge back to their school district that they can use to improve their district’s overall technology program and make a tech’s life easier. MS-ISAC Regional Engagement Manager Heather Doxon will lead a session at the event on incident response planning and cybersecurity services for K-12 schools. Learn more at https://www.midwesttechtalk.com/.

July 22 – 25

The Mississippi Circuit Clerks Association will host the 2024 Mississippi Circuit Clerks Convention in Biloxi, Mississippi. The event will bring together the state's circuit court clerks and other judicial officials and staff to network, learn about trending topics in the industry, and discover new solutions. The EI-ISAC team will be at the event, sharing our no-cost cybersecurity resources for election agencies. Learn more at https://mscircuitclerks.org/.

July 23 – 25

The National Association of State Election Directors (NASED) will host the NASED 2024 Summer Conference in Minneapolis, Minnesota. The event will bring together the nation’s state election directors and their staff to network, learn about trending topics in the industry, and discover new solutions and strategies for serving their constituents. Learn more at https://www.nased.org/conferences.

July 30 – August 1

The Florida Municipal Electric Association (FMEA) will host the 2024 FMEA Annual Conference at The Breakers in Palm Beach, Florida. The event will bring together Florida's leading elected officials and decision-makers from public power utilities for insightful speakers and valuable networking opportunities, all aimed at tackling the pressing challenges of our industry. MS-ISAC Regional Engagement Manager Megan Incerto will speak at the event on no-cost cybersecurity resources for public utilities. Learn more at https://www.flpublicpower.com/fmea-annual-conference-2024.


August

August 1

The Third Annual St. Louis Cybersecurity Summit will take place at the Marriott St. Louis Grand in St. Louis, Missouri. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. State, Local, Tribal, and Territorial (SLTT) government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/stlouis24/.

August 8

GovTech will host its South Dakota Regional Public Sector Cybersecurity Summit at the Ramkota Hotel and Conference Center in Pierre, South Dakota. The event will provide an opportunity for state and local government technology professionals from across the state to learn about the latest efforts to defend, respond, and recover from cyber criminals who wish to do harm. MS-ISAC Regional Engagement Manager Michelle Nolan will speak during the event on no- and low-cost cybersecurity resources for state and local governments. Learn more at https://events.govtech.com/South-Dakota-Regional-Public-Sector-Cybersecurity-Summit.

August 18 – 21

The National Association of State Technology Directors (NASTD) will host its Annual NASTD Conference and Technology Showcase in Minneapolis, Minnesota. The event will bring together the nation’s state technology directors and their staff to network, learn about trending topics in the industry, and discover new solutions and strategies for serving their constituents. Learn more at https://www.nastd.org/membership797440/new-conferenceshowcase.

August 20

The Fourth Annual Detroit Cybersecurity Summit will take place at the Detroit Marriott Renaissance Center in Detroit, Michigan. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. State, Local, Tribal, and Territorial (SLTT) government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/detroit24/.

August 22

The Inaugural Portland Cybersecurity Summit will take place at the Hyatt Regency Portland at the Oregon Convention Center in Portland, Oregon. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. State, Local, Tribal, and Territorial (SLTT) government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/portland24/.

August 25 – 28

GMIS International will host GMIS MEETS 2024 at the Grand Hotel Golf Resort and Spa in Point Clear, Alabama. The event will bring together leaders in the public sector IT industry for informative educational sessions on topics important in today's environment, interaction with industry-leading providers, networking opportunities, and much more. CIS Services Account Executives Jeff Sparks and Semona Houghlan will speak during the conference, discussing cybersecurity resources for SLTT organizations. Learn more at https://www.gmis.org/page/2024homepage.

August 27

The Inaugural San Antonio Cybersecurity Summit will take place at the Hyatt Regency San Antonio Riverwalk in San Antonio, Texas. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. State, Local, Tribal, and Territorial (SLTT) government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/sanantonio24/.


August 27 – 29

The Oregon State Police Criminal Justice Information Services (CJIS) Learning & Development Unit will host the 2024 Oregon State Police CJIS Statewide Conference at the Spirit Mountain Event Center in Grand Ronde, Oregon. The event will cover topics relevant to criminal justice and regulatory agencies throughout the State of Oregon and provide the state's criminal justice leaders and professionals with opportunities to receive the best possible training in the latest tools and techniques in their career disciplines. MS-ISAC Regional Engagement Manager Michelle Nolan will speak at the event on no- and low-cost cybersecurity resources for law enforcement agencies. Learn more at https://www.eventbrite.com/e/2024-oregon-state-police-cjis-statewide-conference-tickets-721334229097.

September

September 6

The Ninth Annual Chicago Cybersecurity Summit will take place at the Marriott Marquis Chicago in Chicago, Illinois. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. State, Local, Tribal, and Territorial (SLTT) government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/chicago24/.

September 8 – 11

The American Public Power Association (APPA) will host the 2024 APPA Cybersecurity and Technology Summit at the Hilton Cleveland Downtown in Cleveland, Ohio. The summit will bring together professionals, experts, and stakeholders within the public power sector to share insights and raise awareness of how to better protect their public power utility, its assets, and customers from cyber threats and other challenges posed by emerging technology. MS-ISAC Regional Engagement Manager Megan Incerto will speak at the event on no-cost cybersecurity resources for public utilities. Learn more at https://www.publicpower.org/event/cybersecurity-summit.

September 9 – 12

Oracle CloudWorld will take place at the Venetian Convention and Expo Center in Las Vegas. The event will bring together Oracle customers and partners to see the latest innovations in cloud technology, discover methods for getting the most business value today, and explore ways to increase productivity and efficiency through automation. Attendees will learn from experts and their peers who build and use the applications, cloud infrastructure, databases, developer tools, and AI services that help solve complex business challenges in every industry. CIS Product Manager for Benchmarks and Cloud Mia LaVada will co-lead a session at the conference titled "Build a Secure Landing Zone on Oracle Cloud Infrastructure." Learn more at https://www.oracle.com/cloudworld/.

September 11 – 12

The StateRAMP Cyber Summit will take place at the Hyatt Regency Indianapolis in Indianapolis, Indiana. The event kicks off with the State and Local CISO Symposium, hosted by the Center for Digital Government and StateRAMP in collaboration with NASCIO, MS-ISAC, and the Public Technology Institute. The Symposium will bring together top CISOs from across the country to discuss framework harmonization and provide a platform for discussions on the latest trends, threats, and innovative solutions. The following day, the main Cyber Summit will take place, where leaders in government, industry, and cybersecurity will discuss the latest trends, challenges, and solutions in securing state information systems. This event offers invaluable networking opportunities, expert panel discussions, and insightful keynote presentations aimed at advancing cybersecurity practices across state agencies. MS-ISAC VP of Strategy and Plans and StateRAMP Steering Committee Member Karen Sorady will lead a panel session on developing a strong cyber risk management program. Learn more at https://stateramp.org/cybersummit-2024/.

September 16 – 19

CrowdStrike will host its annual Fal.Con at the Aria Resort and Casino in Las Vegas. The event will bring together CrowdStrike experts, users, and partners to transform business, disrupt the legacy security market, and build a safer future. Attendees will hear inspirational keynotes, discover groundbreaking content, and engage in networking opportunities with peers, experts, elite threat hunters, CrowdStrike executives, and the CrowdStrike partner ecosystem. Learn more at https://www.crowdstrike.com/events/fal-con/las-vegas/.


September 16 – 19

The 25th Annual TribalNet Conference and Tradeshow will take place at the Westgate Las Vegas Resort and Casino. As one of the only events truly dedicated to Native American government, gaming, and health technology, TribalNet will bring tribes, tribal employees, and solution providers together to connect with peers, learn about the latest industry topics, and seek opportunities in solutions, best practices, and technology. Learn more at https://www.tribalnetconference.com/.

September 17

The 11th Annual Atlanta Cybersecurity Summit will take place at the Hyatt Regency Atlanta in Atlanta, Georgia. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. State, Local, Tribal, and Territorial (SLTT) government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/atlanta24/.

September 19

The Inaugural New York/Wall Street Cybersecurity Summit will take place at the Cipriani Wall Street in New York City. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. State, Local, Tribal, and Territorial (SLTT) government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/wallstreet24/.

September 23 – 25

InfoSec World will take place at Disney's Coronado Springs Resort in Lake Buena Vista, Florida. For 30 years, InfoSec World has gathered security professionals to navigate waves of change in strategy, tactics, tools, and best practices. In 2024, thousands of information security leaders and professionals will again gather at the event to learn about topics such as AI, prevalent threat actors, regulatory and legal issues, working with C-suite leaders, and the skills needed to thrive and survive in today's cybersecurity industry. CIS will be a supporting partner of the event, and our team will be on the show floor sharing our tools and resources for improving organizations' cybersecurity postures. Organizations that work with CIS can receive 25% off admission with promo code ISW24-CIS25. Learn more at https://www.infosecworldusa.com/.

September 26

The Fifth Annual Columbus Cybersecurity Summit will take place at the Renaissance Columbus Downtown Hotel in Columbus, Ohio. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. State, Local, Tribal, and Territorial (SLTT) government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/columbus24/.

September 27

The Sixth Annual Philadelphia Cybersecurity Summit will take place at the Philadelphia Marriott Downtown in Philadelphia, Pennsylvania. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. State, Local, Tribal, and Territorial (SLTT) government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/philadelphia24/.

September 29 – October 2

The National Association of State Chief Information Officers (NASCIO) will host its 2024 NASCIO Annual Conference at the Sheraton New Orleans in New Orleans, Louisiana. The event will bring together state CIOs and their staff from across the country to connect and collaborate with peers, learn about pressing topics from industry thought leaders, and discover new solutions and strategies to better serve their constituents. Learn more at https://www.nascio.org/conferences-events/.


Interested in being a contributor?

Please contact us: cybermarket@cisecurity.org

www.cisecurity.org

518.266.3460


info@cisecurity.org


Center for Internet Security

@CISecurity

TheCISecurity

cisecurity

CIS CyberMarket
