Skip to content
View in the app

A better way to browse. Learn more.
hosang I.T.

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

CSOonline

Members

  • Joined

  • Last visited

    Never
View Profile Find content

Everything posted by CSOonline

  1. Cisco issues emergency patches for critical firewall vulnerabilities

    CSOonline posted a techarticle in Security
    Cisco has handed security teams one of the largest ever patching workloads affecting its firewall products, including fixes for two ‘perfect 10’ vulnerabilities in the company’s Secure Firewall Management Center (FMC) Software. Overall, the March 4 release, the first of its semiannual firewall updates for 2026, addresses 25 security advisories covering 48 individual CVEs. The biggest concerns will be the FMC flaws, CVE-2026-20079 and CVE-2026-20131, the first of which is an authentication bypass weakness, and the second involving insecure deserialization. Both are rated ‘critical’ with maximum CVSS scores of 10. The weaknesses relate to the platform’s web management interface and give unauthenticated root access. This will make them big targets for attackers using reverse engineering tools to reveal the workings of the underlying flaws. This hasn’t happened yet – neither has been reported as being under exploitation – but there is no question attackers will quickly pounce on them if they can. Cisco said of CVE-2026-20079: “An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device.” And CVE-2026-20131 is described thusly: “An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.” There are no workarounds for either if these vulnerabilities, Cisco said. However, for CVE-2026-20131, it noted, “If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.” In short, if they can’t patch right now, admins should ensure that the FMC is not exposed until that happens. Other vulnerabilities Of the remaining flaws, a further six are rated ‘high’, with CVSS scores of between 7.2 and 8.6. These include the Firewall Management Center SQL injection vulnerabilities CVE-2026-20001, CVE-2026-20002, and CVE-2026-20003, all remotely exploitable by an authenticated attacker. Again, no workarounds are possible. CVE-2026-20039, rated 8.6 (‘critical’), is a flaw affecting the VPN web server in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software which could allow an unauthenticated attacker to induce a denial of service state. Additionally, CVE-2026-20082, also rated 8.6, could allow an unauthenticated attacker to cause incoming TCP SYN packets to be dropped incorrectly in the Cisco Secure Firewall Adaptive Security Appliance (ASA) Software. The procedure for patching the flaws addressed in the March update varies depending on the software version installed. Cisco recommends using its software checker to determine the appropriate update. Alternatively, admins can consult the tables in the Cisco Secure Firewall Threat Defense Compatibility Guide. Déjà vu Critical-rated flaws and zero days have become a regular occurrence in Cisco patching rounds in the last couple of years, now almost seen as ‘zero-day events’ in themselves. Security teams will be reminded of last September’s emergency patches addressing similar web services flaws affecting Cisco’s Secure Firewall Adaptive Security Appliance (ASA) VPN and Cisco Secure Firewall Threat Defense (FTD) software. Of these, CVE-2025-20333 and CVE-2025-20362 were under zero-day exploitation, while the third, CVE-2025-20363, was seen as being under imminent threat. The attacks were serious enough that Cisco published an “event response” bulletin providing more detail on reported exploits and indicators of compromise. View the full article

  2. Coruna iOS exploit kit moved from spy tool to mass criminal campaign in under a year

    CSOonline posted a techarticle in Security
    Google’s threat intelligence researchers have identified a sophisticated exploit kit targeting iPhones that was first used by a commercial surveillance vendor’s customer before being repurposed by a suspected Russian espionage group and then by Chinese cybercriminals, highlighting what researchers describe as an active secondary market for high-end zero-day exploits. “How this proliferation occurred is unclear, but suggests an active market for ‘second hand’ zero-day exploits,” Google Threat Intelligence Group (GTIG) wrote in a blog post. “Multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.” The exploit kit, named Coruna by its developers, contains five full iOS exploit chains built from a total of 23 individual exploits targeting iPhones running iOS 13.0 through iOS 17.2.1 – a range spanning devices released from September 2019 through December 2023, Mobile security firm iVerify independently discovered and reverse-engineered the same toolkit, and published corroborating research the same day. It described the toolkit, which it calls CryptoWaters, as the first observed mass exploitation of iOS devices by a financially motivated criminal group. Three threat actors, one toolkit GTIG first detected elements of Coruna in February 2025, when researchers captured parts of an iOS exploit chain used by a customer of an unnamed commercial surveillance company. The framework fingerprinted target devices, identified their iPhone model and iOS version, and delivered the appropriate WebKit remote code execution exploit silently, the blog post said. The same framework resurfaced in summer 2025, this time repurposed by UNC6353, a suspected Russian espionage group, which embedded it as hidden iframes on compromised Ukrainian websites spanning industrial equipment, retail, and ecommerce sectors, according to Google. It said it worked with Ukraine’s CERT-UA to clean up all compromised websites. By year end the same kit had appeared across a large network of fake Chinese financial websites operated by UNC6691, a financially motivated, China-based threat actor. Unlike the earlier targeted deployments, iVerify confirmed the exploit chains contained no geolocation filtering, means any vulnerable iPhone visiting those pages was at risk. VIPs aren’t the only ones at risk from this malware, said Everest Group senior analyst Gautam Goel. “GTIG’s writeup is notable precisely because it shows surveillance-grade exploit chains moving from targeted use to broad-scale criminal campaigns.” A payload built to drain cryptocurrency wallets In the case of UNC6691, GTIG said, that broad-scale criminal campaign had a specific financial objective. The payload at the end of Coruna’s exploit chain, which GTIG tracks as Plasmagrid, is not conventional surveillance software. It injects itself into powerd, a daemon running as root on iOS, and is built specifically to steal cryptocurrency, according to GTIG. Plasmagrid hooks into 18 cryptocurrency wallet applications, including MetaMask, Phantom, Exodus, and Uniswap, to exfiltrate credentials. It scans images for QR codes and parses Apple Notes for seed phrases and keywords such as “backup phrase” and “bank account.” GTIG said code comments within the implant are written in Chinese, and some appear to have been generated by a large language model. iVerify added that its independent analysis found additional modules targeting WhatsApp beyond those identified by GTIG, and noted the kit appeared to be in active development. What Coruna reveals about the spyware market The case has renewed scrutiny of the commercial surveillance industry’s assurances that its tools remain under controlled, targeted use. Sanchit Vir Gogia, chief analyst at Greyhound Research, said the pattern reveals a structural problem. “The ecosystem includes exploit acquisition programs, vulnerability brokers and secondary markets that facilitate the circulation of offensive capabilities,” Gogia said. “Regulating a single category of vendor does little to address the underlying supply chain.” Goel said the timeline makes the policy failure concrete. “Even if the first buyer claims lawful targeted use, the capability itself can proliferate into criminal ecosystems within months,” he said. Google acknowledged the broader policy challenge, noting its participation in the Pall Mall Process, an international initiative focused on limiting the misuse of commercial cyber intrusion capabilities. Enterprise mobile security under scrutiny The Coruna kit is not effective against the latest version of iOS. GTIG urged all iPhone users to update their devices immediately, and recommended enabling Lockdown Mode where updates are not possible, noting the kit is engineered to abort on devices running in that mode. Google has added all identified domains to Safe Browsing. Indicators of compromise are available in a free GTIG collection on VirusTotal. Analysts said the remediation advice, while necessary, exposes a deeper architectural gap. “Most enterprise mobile security programs were built around device management rather than device integrity,” Gogia said. “They were never designed to detect exploitation that occurs within the operating system itself.” Goel put it more starkly. “Coruna sits under MDM and app-layer controls,” he said. “If an attacker can reliably get WebKit code execution and break out toward kernel-level access, the device can lie about its own state, and many policy controls become irrelevant in practice.” View the full article

  3. Europol: Großer Markt für gestohlene Daten geschlossen

    CSOonline posted a techarticle in Security
    PixelBiss – shutterstock.com Die Polizei von Amsterdam hat im Zuge einer internationalen Aktion laut Europol einen der weltweit größten Handelsplätze für gestohlene Daten geschlossen. Leakbase hatte weltweit 142.000 registrierte Nutzer, wie die europäische Polizeibehörde in Den Haag mitteilte. Die Server des Marktes waren in Amsterdam. Die Daten wurden sichergestellt. In 14 Ländern hatten Ermittler an einem gemeinsamen Aktionstag am Dienstag zugegriffen. Es gab nach Europol-Angaben rund 100 Einsätze vor allem gegen die 37 Hauptnutzer der Plattform. «Zentrale Drehscheibe» Leakbase war Europol zufolge eine «zentrale Drehscheibe im Ökosystem der Cyberkriminalität». Die Plattform hatte sich auf den Handel mit gestohlenen Daten spezialisiert. Sie war nach Angaben von Europol offen im Internet zugänglich. «Plattformen dieser Art sind der Motor für Cyberkriminalität», teilte die Amsterdamer Polizei mit. Die Cybercrime-Experten warnten auch, dass gestohlene Daten immer wieder weiterverkauft und für verschiedene Arten von Betrug missbraucht würden. Es ist unklar, wie viele Menschen Opfer der Praktiken geworden sind. Auf der bisherigen Website ist nun eine Nachricht der Polizei zu sehen: «Der Handel mit gestohlenen Daten ist strafbar. Jeder hinterlässt online Spuren.» 14 Länder beteiligt Die Ermittlungen waren nach Informationen des Cybercrime-Teams der Amsterdamer Polizei 2023 in den Niederlanden begonnen worden. Sie seien schnell erweitert worden, auch Ermittler in Deutschland waren demnach beteiligt. Die Amsterdamer Polizei arbeitete eng mit dem amerikanischen FBI zusammen. Europol koordinierte die Aktion. (dpa/ad) View the full article

  4. Europol: Großer Markt für gestohlene Daten geschlossen

    CSOonline posted a techarticle in Security
    PixelBiss – shutterstock.com Die Polizei von Amsterdam hat im Zuge einer internationalen Aktion laut Europol einen der weltweit größten Handelsplätze für gestohlene Daten geschlossen. Leakbase hatte weltweit 142.000 registrierte Nutzer, wie die europäische Polizeibehörde in Den Haag mitteilte. Die Server des Marktes waren in Amsterdam. Die Daten wurden sichergestellt. In 14 Ländern hatten Ermittler an einem gemeinsamen Aktionstag am Dienstag zugegriffen. Es gab nach Europol-Angaben rund 100 Einsätze vor allem gegen die 37 Hauptnutzer der Plattform. «Zentrale Drehscheibe» Leakbase war Europol zufolge eine «zentrale Drehscheibe im Ökosystem der Cyberkriminalität». Die Plattform hatte sich auf den Handel mit gestohlenen Daten spezialisiert. Sie war nach Angaben von Europol offen im Internet zugänglich. «Plattformen dieser Art sind der Motor für Cyberkriminalität», teilte die Amsterdamer Polizei mit. Die Cybercrime-Experten warnten auch, dass gestohlene Daten immer wieder weiterverkauft und für verschiedene Arten von Betrug missbraucht würden. Es ist unklar, wie viele Menschen Opfer der Praktiken geworden sind. Auf der bisherigen Website ist nun eine Nachricht der Polizei zu sehen: «Der Handel mit gestohlenen Daten ist strafbar. Jeder hinterlässt online Spuren.» 14 Länder beteiligt Die Ermittlungen waren nach Informationen des Cybercrime-Teams der Amsterdamer Polizei 2023 in den Niederlanden begonnen worden. Sie seien schnell erweitert worden, auch Ermittler in Deutschland waren demnach beteiligt. Die Amsterdamer Polizei arbeitete eng mit dem amerikanischen FBI zusammen. Europol koordinierte die Aktion. (dpa/ad) View the full article

  5. Europol schließt riesigen Markt für gestohlene Daten

    CSOonline posted a techarticle in Security
    Die Polizei von Amsterdam hat im Zuge einer internationalen Aktion laut Europol einen der weltweit größten Handelsplätze für gestohlene Daten geschlossen. Leakbase hatte weltweit 142.000 registrierte Nutzer, wie die europäische Polizeibehörde in Den Haag mitteilte. Die Server des Marktes waren in Amsterdam. Die Daten wurden sichergestellt. In 14 Ländern hatten Ermittler an einem gemeinsamen Aktionstag am Dienstag zugegriffen. Es gab nach Europol-Angaben rund 100 Einsätze vor allem gegen die 37 Hauptnutzer der Plattform. “Zentrale Drehscheibe” Leakbase war Europol zufolge eine “zentrale Drehscheibe im Ökosystem der Cyberkriminalität”. Die Plattform hatte sich auf den Handel mit gestohlenen Daten spezialisiert. Sie war nach Angaben von Europol offen im Internet zugänglich. “Plattformen dieser Art sind der Motor für Cyberkriminalität”, teilte die Amsterdamer Polizei mit. Die Cybercrime-Experten warnten auch, dass gestohlene Daten immer wieder weiterverkauft und für verschiedene Arten von Betrug missbraucht würden. Es ist unklar, wie viele Menschen Opfer der Praktiken geworden sind. Auf der bisherigen Website ist nun eine Nachricht der Polizei zu sehen: “Der Handel mit gestohlenen Daten ist strafbar. Jeder hinterlässt online Spuren.” 14 Länder beteiligt Die Ermittlungen waren nach Informationen des Cybercrime-Teams der Amsterdamer Polizei 2023 in den Niederlanden begonnen worden. Sie seien schnell erweitert worden, auch Ermittler in Deutschland waren demnach beteiligt. Die Amsterdamer Polizei arbeitete eng mit dem amerikanischen FBI zusammen. Europol koordinierte die Aktion. (dpa/rs) View the full article

  6. Europol schließt riesigen Markt für gestohlene Daten

    CSOonline posted a techarticle in Security
    Die Polizei von Amsterdam hat im Zuge einer internationalen Aktion laut Europol einen der weltweit größten Handelsplätze für gestohlene Daten geschlossen. Leakbase hatte weltweit 142.000 registrierte Nutzer, wie die europäische Polizeibehörde in Den Haag mitteilte. Die Server des Marktes waren in Amsterdam. Die Daten wurden sichergestellt. In 14 Ländern hatten Ermittler an einem gemeinsamen Aktionstag am Dienstag zugegriffen. Es gab nach Europol-Angaben rund 100 Einsätze vor allem gegen die 37 Hauptnutzer der Plattform. “Zentrale Drehscheibe” Leakbase war Europol zufolge eine “zentrale Drehscheibe im Ökosystem der Cyberkriminalität”. Die Plattform hatte sich auf den Handel mit gestohlenen Daten spezialisiert. Sie war nach Angaben von Europol offen im Internet zugänglich. “Plattformen dieser Art sind der Motor für Cyberkriminalität”, teilte die Amsterdamer Polizei mit. Die Cybercrime-Experten warnten auch, dass gestohlene Daten immer wieder weiterverkauft und für verschiedene Arten von Betrug missbraucht würden. Es ist unklar, wie viele Menschen Opfer der Praktiken geworden sind. Auf der bisherigen Website ist nun eine Nachricht der Polizei zu sehen: “Der Handel mit gestohlenen Daten ist strafbar. Jeder hinterlässt online Spuren.” 14 Länder beteiligt Die Ermittlungen waren nach Informationen des Cybercrime-Teams der Amsterdamer Polizei 2023 in den Niederlanden begonnen worden. Sie seien schnell erweitert worden, auch Ermittler in Deutschland waren demnach beteiligt. Die Amsterdamer Polizei arbeitete eng mit dem amerikanischen FBI zusammen. Europol koordinierte die Aktion. (dpa/rs) View the full article

  7. State-affiliated hackers set up for critical OT attacks that operators may not detect

    CSOonline posted a techarticle in Security
    Several state-linked threat groups known for breaking into operational technology (OT) networks have shifted their focus over the past year from gaining and maintaining access to actively mapping out ways to disrupt physical industrial processes. The shift poses a significant threat because fewer than one in 10 OT networks have monitoring in place to detect such activity, according to industrial cybersecurity firm Dragos. The group that Dragos tracks as Voltzite, which other researchers have linked to China’s Volt Typhoon campaign, was observed manipulating engineering workstations inside US energy and pipeline networks to determine what operational conditions could trigger process shutdowns — elevating the group to Stage 2 of Dragos’ ICS (industrial control system) Cyber Kill Chain. Another group called Kamacite has shifted from corporate supply-chain targeting to directly scanning US industrial control devices for four months, mapping specific control loops. Its partner group Electrum, which has exhibited techniques that overlap with those of Russia’s GRU Sandworm team, struck Polish energy infrastructure in December in what Dragos calls the first major cyberattack on distributed energy resources (DERs). “I think a reasonable assessment is that those teams — state teams, government, military, intelligence teams — are being told by their leadership: ‘You know what? It’s not just about getting access. We might want to leverage that access within a 12-month period,’” Robert M. Lee, CEO and co-founder of Dragos, said during a media briefing that accompanied the release of the company’s annual ICS/OT cybersecurity report. “And when you hear that as an offensive team, that’s when you go ahead and develop that out.” Lee, who previously held defensive and offensive cyber roles in the US military and the intelligence community, warned that given how little visibility most OT asset owners have into their own networks, some compromised sites will likely never be cleaned up. And that’s a scary reality because the disruptive capabilities these groups are setting up now could be triggered in the event of a geopolitical conflict. The access-broker model comes to ICS Voltzite compromised Sierra Wireless Airlink cellular gateways used in US energy and midstream pipeline operations, then pivoted to engineering workstations where it dumped configuration files and alarm data to understand what conditions would trigger process shutdowns. The group also used the JDY botnet for reconnaissance across the energy, oil and gas, and defense sectors, scanning VPN appliances from F5, Palo Alto, and Citrix. Less than 5% of environments Dragos assessed had the PowerShell execution logging needed to detect Voltzite’s techniques. Sylvanite, one of three new threat groups that Dragos identified in 2025, acts as an access broker for Voltzite, rapidly weaponizing vulnerabilities in network-edge devices and handing off footholds to Voltzite for deeper infiltration. Sylvanite exploited an Ivanti EPMM zero-day vulnerability at a US utility in May 2025 before Ivanti issued a patch and separately used a SAP NetWeaver zero-day in April. It also installed persistent web shells on F5 appliances and harvested Office 365 tokens and credentials from LDAP databases. Lee described the Sylvanite-Voltzite pairing as a two-team structure that suggests a mature, well-resourced state operation, either a government team working with a contractor or lab, or two separate agencies. This division of labor across multiple teams has been adopted by multiple nation-state threat actors as it shortens the compromise-to-operational-readiness timeline from weeks to days. Another group dubbed Azurite which has overlaps with what other researchers track as the Chinese Flax Typhoon group, infiltrated OT environments across manufacturing, defense, automotive, electric, and oil and gas organizations in the US, Europe, Taiwan, Japan, and Australia. The group exfiltrated alarm data, configuration files, project files, and process information from engineering workstations, and was not deterred by public exposure, law enforcement infrastructure takedowns, or government sanctions. Dragos believes this activity is highly likely preparation for offensive operations in the event of geopolitical conflict. Last year, the company also began tracking Pyroxene, a group that has technical overlaps with activity the US government has attributed to Iran’s Islamic Revolutionary Guard Corps. Pyroxene specializes in supply-chain attacks to pivot from IT networks into industrial control environments and operates in tandem with another group dubbed Parisite, which provides initial access. The group deployed wiper malware against multiple Israeli organizations during the 12-day Iran-Israel conflict in June 2025 and conducted a watering-hole attack against a water utility serving the Haifa Bay Port area in late 2024. Its targets span aviation, aerospace, defense, and maritime sectors across the US, Western Europe, Israel, and the UAE. Russia’s OT attack teams expand beyond Ukraine The Russia-linked pair Kamacite and Electrum, which Dragos has tracked since the mid-2010s and is responsible for the 2015 and 2016 cyberattacks that took down parts of Ukraine’s power grid, expanded operations into NATO territory in 2025 after years focused almost exclusively on Ukrainian targets. Kamacite, which serves as the access-and-reconnaissance arm that enables Electrum’s destructive operations, ran a four-month campaign from March to July 2025 scanning internet-exposed US industrial control devices, including Schneider Electric variable-frequency drives, smart HMIs, Accuenergy power meters, and Sierra Wireless cellular gateways. The scanning was not opportunistic, Dragos said. Kamacite targeted specific device types in sequence, suggesting the group was mapping entire control loops rather than probing for isolated vulnerabilities. Earlier in the year, Kamacite targeted attendees of a Gas Infrastructure Europe conference in Munich, engaging targets in multi-day, native-language spear-phishing conversations. The group also targeted at least 25 Ukrainian industrial companies across 10 regions in a sustained supply-chain campaign. Electrum, the operational arm that carries out destructive attacks, struck Polish energy infrastructure in late December 2025 in what Dragos describes as the first major coordinated cyberattack against DERs worldwide. The attack targeted roughly 30 wind farms, solar installations, and a combined heat and power plant, exploiting internet-facing Fortinet devices configured with default credentials and no multi-factor authentication. The attackers deployed wiper malware that destroyed data on HMIs and corrupted firmware on OT devices, causing operators to lose visibility and control over the facilities. Dragos attributed the Poland attack to Electrum with moderate confidence. Lee said the same style of attack in the US, Australia, or the Nordic countries, where grids rely more heavily on distributed energy resources, could have been “potentially catastrophic.” “Some of the defender teams across NATO countries stopped worrying as much about certain Russian threat groups because they stopped seeing them,” Lee said. “I’m saying it looks like they might come back to a theater near you and now with a heck of a lot more experience. So keep up on what’s going on in Ukraine, and try to apply those lessons learned, because it could be very impactful for you.” Electrum also developed two new wiper malware variants in 2025. PathWiper, discovered in June but active since March, uses a more thorough and methodical approach for data destruction compared to HermeticWiper, the wiper malware that Sandworm used against Ukrainian targets hours before the Russian invasion started. A second wiper variant was discovered in December. The group is also known to use pro-Russia hacktivist personas to mask their involvement in attacks. In May, the Solntsepek persona that Electrum used on several occasions conducted destructive operations against eight Ukrainian internet service providers. OT operators lack visibility to detect threats Less than 10% of OT networks worldwide have any security monitoring in place, according to Dragos’ data. And 90% of asset owners the firm works with still cannot detect the techniques Electrum used to take down Ukraine’s power grid a decade ago, Lee said. In tabletop exercises the company conducted in 2025, 88% of participants had trouble detecting threats, 94% had difficulty with containment, and 82% struggled to activate their incident response plans. During real-world engagements, a third of incident response cases began not with an alert from a product but with an operator noticing something seemed wrong, and in most of those cases, the data needed to investigate the incident had never been collected. Dragos also found that 82% of OT asset owners lack defined criteria for when an operational anomaly should trigger a cybersecurity investigation. On top of that, 81% of environments assessed had poor IT/OT network segmentation, and 56% of penetration tests found that attackers could move laterally inside OT networks using legitimate system tools without being detected. “We’ve told our community, build a big glass house, but the moment that perimeter is breached, like, I don’t know, good luck,” Lee said, noting that roughly 90% of security guidance for OT environments focuses on perimeter defense (“patch, passwords, antivirus, access controls, secure mode access”), with less than 10% addressing detection and response once intruders are inside the network. Dragos calls visibility the foundational control so building network monitoring and improving segmentation is of utmost importance. The firm’s vulnerability analysis found that only 3% of ICS vulnerabilities require immediate patching, while 71% can be addressed through basic network hygiene and 27% pose minimal operational risk. In the US new NERC CIP-015 regulations will require bulk electric system operators to implement internal network security monitoring within three years for high-criticality sites and five years for medium-criticality ones. But the requirement applies only to the electric sector, leaving water, oil and gas, and manufacturing without comparable mandates. “We’re going to have to live with the reality that a portion of our infrastructure is currently compromised and will remain compromised at the current trajectory of the [ICS] community,” Lee said. View the full article

  8. 14 old software bugs that took way too long to squash

    CSOonline posted a techarticle in Security
    In 2021, a vulnerability was revealed in a system that lay at the foundation of modern computing. An attacker could force the system to execute arbitrary code. Shockingly, the vulnerable code was almost 54 years old — and there was no patch available, and no expectation that one would be forthcoming. Fortunately, that’s because the system in question was Marvin Minsky’s 1967 implementation of a Universal Turing Machine, which, despite its momentous theoretical importance for the field of computer science, had never actually been built into a real-world computer. But in the decade or so after Minsky’s design, the earliest versions of Unix and DOS came into use, and their descendants are still with us today in the 21st century. Some of those systems have had bugs lurking beneath the surface for years or even decades. Here are 14 noteworthy bugs that, once long dormant, took over a decade to be discovered and fixed — in descending order of how long they went unaddressed. Libpng graphics library flaw Age: 30 years Date introduced: 1995 Date fixed: February 2026 Researchers unearthed a legacy flaw in the widely used libpng open-source library that had existed since the technology was first released more than 30 years ago. The heap buffer overflow vulnerability (CVE-2026-25646) meant that applications using the flawed software would crash when presented with a maliciously constructed PNG raster image file. Although difficult to exploit, the vulnerability potentially poses an information disclosure or remote code execution risk. The vulnerable png_set_quantize function, previously called png_set_dither, is rarely used. This in combination with the difficulty of exploitation mean that the flaw earns a CVSS score of 8.3, rating it as a “high” rather than “critical” risk. Nonetheless many Linux distributions (Debian, Red Hat, Ubuntu), desktop apps, and some Java runtimes rely on vulnerable versions of the library and need to be patched. PrintDemon Age: 24 years Date introduced: 1996 Date fixed: May 2020 Printers are a frequent pain point for IT because there are a lot of models, they aren’t made by the same vendors who make computers and operating systems, and users expect to plug them in and start printing. Microsoft in its early years battled to make installing a printer driver relatively easy and painless. But a bug found in 2020, dubbed PrintDemon, showed that maybe they took that a bit too far back in the ’90s — and paid for it for decades. The core of the vulnerability lies in three facts: Non-administrative users can add printers to a Windows machine; the underlying mechanics make it possible to print to a file rather than a physical printing device; and crucial printing services on Windows run with system privileges. That means that, if you do it right, you can build a “printer” driver that can create a file (even an executable one) anywhere on the filesystem (even in privileged directories). There are plenty of exploits that have been cooked up to take advantage of these design flaws — Stuxnet, it turns out, was one of them — but PrintDemon was a real doozy, made possible because Microsoft’s fixes over the years had been patches rather than a complete rebuild of the printing subsystem. As Winsider described it, “With very subtle file system modifications, you can achieve file copy/write behavior that is not attributable to any process, especially after a reboot … with a carefully crafted port name, you can imagine simply having the Spooler drop a [portable executable] file anywhere on disk for you.” Sounds like bad news! win32k.sys vulnerabilities Age: 23 years Date introduced: 1996 Date fixed: 2019 Two big vulnerabilities were detected in the Win32 API in Microsoft Windows in 2019. The first, found in April, was a Use-After-Free vulnerability, in which OS coding errors made it possible for programs to access system memory that should’ve been protected; this vulnerability was detected by security researchers when they discovered malicious hackers attempting to use it in the wild to gain control of computers. The other, discovered in December, was an elevation-of-privilege vulnerability lurking in the OS’s window switching functionality; this vulnerability was similarly discovered in the course of active attacks, which simulated keystrokes to create memory leaks. Both vulnerabilities have their origins in the early days of Windows. “The problem originates from the time when WIN32K made its debut with Windows NT 4.0, when much of Win32’s graphics engine was moved from user level to kernel to boost performance,” explained Boris Larin, senior security researcher at Kaspersky, back in 2019. And while these two vulnerabilities have been patched, that long-ago decision on the part of Microsoft has had much broader effects — and probably will continue to do so, Larin said then. “Throughout the years, the WIN32K component has been responsible for more than a half of all kernel security vulnerabilities discovered in Windows.” PuTTY heap overflow Age: 20 years, 9 months Date introduced: January 1999 Date fixed: October 2019 PuTTY is a free and open-source suite of tools that includes a serial console, a terminal emulator, and various network file transfer applications, with SSH and other encryption schemes built in. It was originally released to bring tools Unix admins took for granted to Windows and Mac OS, but has expanded its scope and is now in wide use on Unix systems as well. While PuTTY was designed to secure network connections, it turns out there was a vulnerability lurking at its heart. This was a heap overflow that could be triggered by a too-short SSH key, which could result in crashing PuTTY or even remote code execution. The vulnerability was submitted to HackerOne as part of a bug bounty program, netting the submitter a $3,645 reward and a thank you from the PuTTY team, which noted that the bug had been present in the very earliest versions of the source code, back to 1999. SIGRed DNS vulnerability Age: 17 years Date introduced: 2003 Date fixed: 2020 DNS is one of the underrated backbones of the internet, the system by which your computer knows what IP address correlates to any given URL. The system is hierarchical, with requests sent up and down the pyramid looking for DNS servers that know the answer to the question, “Where is this computer?” As a result, DNS has been built into all major operating systems. In 2020, Microsoft disclosed a critical vulnerability in its own version of DNS, which had been lurking in the code for 17 years. The vulnerability, dubbed SIGRed by its discoverers at Check Point, was a buffer overflow flaw in Windows DNS servers that could be triggered by exploit code tucked into a DNS packet’s signature. A malicious nameserver could send such packets in response to requests, bypassing most security protections and potentially gaining remote access to the Microsoft DNS server. The attack would be potentially wormable, meaning that it could be automated and spread without user intervention. Python tarfile vulnerability rises again Age: 15 years Date introduced: 2007 Date fixed: September 2022 Cybersecurity company Trellix discovered that CVE-2007-4559, a vulnerability affecting Python’s tarfile module first identified in 2007, continued to affect hundreds of thousands of repositories up until at least September 2022. “While investigating an unrelated vulnerability, Trellix Advanced Research Center stumbled across a vulnerability in Python’s tarfile module,” Kasimir Schulz, a vulnerability researcher for Trellix’s Threat Labs, wrote on the firm’s blog. “Initially we thought we had found a new zero-day vulnerability. As we dug into the issue, we realized this was in fact CVE-2007-4559.” According to NIST, CVE-2007-4559 is a directory traversal vulnerability in the extract and extractall functions in the tarfile module in Python that allows user-assisted remote attackers to overwrite arbitrary files via a “..” sequence in filenames in a TAR archive. Bad actors can create exploits with as few as six lines of code added to the tarfile module, which allows users to add a filter to parse and modify a file’s metadata before it is added to the tar archive, Schulz said. CVE-2007-4559 “is incredibly easy to exploit, requiring little to no knowledge about complicated security topics. Due to this fact and the prevalence of the vulnerability in the wild, Python’s tarfile module has become a massive supply chain issue threatening infrastructure around the world.” Trellix has found more than 300,000 repositories affected by the vulnerability. Trellix developed a scanning utility to identify the vulnerability and patched a number of open-source repositories. Linux SCSI subsystem bugs Age: 15 years Date introduced: 2006 Date fixed: March 2021 SCSI, a 1980s-era data transfer standard, is still in use in some contexts today, and Linux, always intended to be as flexible and universal as possible, still has an extensive SCSI subsystem for those systems that need it. These modules are available via automatic module loading, in which the OS grabs and installs the system code it needs when it needs it — helpful if you find yourself plugging a SCSI drive into your Linux machine and don’t want to hunt down the necessary supporting code. Cybersecurity consultancy Grimm posted an extensive breakdown of several bugs in this Linux SCSI code that they discovered in March 2021. One was a buffer overflow vulnerability that could allow a normal user to gain root privileges, and the others were errors where information from the kernel could be leaked to user space, and all could be used to get privileged information or as part of a DoS attack on the affected machine. Grimm dates the bugs back to 2006 and dryly notes that they’re “an indication of a lack of security-conscious programming practices that was prevalent at the time this code was developed.” Domain Time II man-on-the-side attack Age: 14 years Date introduced: 2007 Date fixed: April 2021 If two computers on the same network can’t agree on the time, the results can range from annoying to disastrous. This longstanding problem was to be solved by Domain Time II, a closed-source application in use on Windows, Linux, and Solaris. But Domain Time II harbored for most of its existence a very serious vulnerability. At intervals or on conditions the user can set, the program sends UDP queries to an update server run by Greyware Automation Products, the software’s vendor. If the server replies with a URL, Domain Time II will run a program with admin privileges to download and install an update from that URL. The problem? If a malicious actor manages to reply to the query before Greyware’s server does, that attacker can send its own reply, prompting Domain Time II to download whatever malware the attacker wants installed. In a true man-in-the-middle attack, the attacker would be intercepting communications in both directions; in contrast, this man-on-the-side attack can’t stop replies to its target machine getting through and so has to send its own reply more quickly. In practice, this means the attacker would need to control a computer on the target’s local network to pull this off, but this attack represents a way an attacker could escalate their intrusion onto more valuable and secure machines within a local network. This vulnerability was spotted by the security firm Grimm, which noted that the flaw was present in versions of the software going back at least to 2007. Critical vulnerability in Redis in-memory store Age: 13 years Date introduced: 2012 Date fixed: October 2025 A vulnerability in Redis in-memory store posed a critical risk for servers hosting the database. The vulnerability, identified as CVE-2025-49844 or RediShell, stemmed from a use-after-free memory corruption bug that has existed in the Redis code base for around 13 years and posed a remote code execution risk. While the flaw required authentication to exploit, an estimated 60,000 internet exposed Redis instances were exposed to the internet without authentication enabled, leaving these systems open to attack. Wiz researchers discovered the flaw and used it in the Pwn2Own Berlin contest in May 2025, weeks before its public disclosure in October 2025. LionWiki local file inclusion Age: 11 years, 11 months Date introduced: November 2008 Date fixed: October 2020 LionWiki is a minimalist wiki engine, programmed in PHP. Unlike many popular wiki engines, LionWiki doesn’t use a database, and instead is entirely file-based. Because its goal is simplicity, this is a strength, but it also makes a significant vulnerability possible. In essence, the various files underlying a particular LionWiki instance are accessed by file and pathnames in the URL of the corresponding pages. This means that, with a correctly crafted URL, you could traverse the filesystem of the server hosting the LionWiki instance. There are URL-filtering provisions in place to block attempts to do this, but as Infosec Institute Cyber Range Engineer June Werner discovered, they could be defeated fairly easily. One thing Werner noted is that the vulnerability persisted despite attempts to correct it. “Some mitigations were first put in place in July of 2009, and then more extensive mitigations were put in place in January of 2012,” she noted. “Despite these mitigations, the code was still vulnerable to the same type of attack. This vulnerability stayed in the code for another eight years until it was rediscovered, along with a way to bypass the mitigations, in October 2020.” After the bug was formally reported, it was patched by the developer. sudo host Age: 11 years, 10 months Date introduced: September 2013 Date fixed: July 2024 The sudo command is an important tool in any Unix admin’s toolkit, granting superpowered user privileges to those who have the permission to invoke it. To access these privileges, a user must be listed in a configuration file called sudoers. Because many organizations centrally administer many Unix hosts, sudoers can include a list of specific hosts where each user has sudo rights, so that these config files can be written once and then be pushed out to all the organization’s hosts. The problem is that, to get access to the sudoers file and see the hosts on which you or another user might have sudo powers, you need those sudo powers yourself. But a command-line flag intended to let users view host-specific privileges could be abused to trick sudo into treating the command as if it were running on a different host — potentially one where the user has elevated privileges. That could allow the user to run commands, including those that edit sudoers, even if they shouldn’t have that access on the local machine. This security flaw isn’t rated as too serious, but it did lurk undetected for nearly 12 years. (Another more serious flaw with the chroot option, revealed at the same time, is a mere baby at two years old.) HashiCorp Vault and CyberArk Conjur logic flaws Age: 10 years Date introduced: 2015[1] Date fixed: August 2025 Multiple flaws in components of HashiCorp Vault and CyberArk Conjur, two open-source credential management systems, left the door open to a variety of attacks, including authentication bypass and the theft or erasure of supposedly protected secrets. Both HashiCorp Vault and CyberArk Conjur are used for storing and controlling access to secrets such as API keys, database passwords, certificates, and encryption keys. Each technology is commonly used in DevSecOps pipelines. Researchers from Cyata discovered an array of issues, many of which had remained hidden in the codebase of widely used open-source secrets vaults for years. The vulnerabilities were discovered after manual code reviews that focused on logic flaws in components responsible for authentication and policy enforcement rather than memory corruption issues typically detected by automated tools. Findings from the research — which led to the discovery of a combined total of 14 vulnerabilities in the two secrets vaults — were revealed at Black Hat USA in August 2025. The most severe vulnerability in HashiCorp Vault (CVE-2025-6000) created a mechanism for attackers to delete a critical file containing the keys needed to decrypt stored secrets, leaving data unreachable. All the vulnerabilities were addressed before the research was publicly disclosed. Linux GRUB2 Secure Boot hole Age: 10 years Date introduced: 2010 Date fixed: July 2020 When UEFI was introduced to replace BIOS, it was deemed the cutting edge of security, with features to fight attacks that operated on the level of the bootloading software that starts up an OS. Key to this is an interlocked chain of signed cryptographic certificates that verifies each bootloader program as legit, a mechanism known as Secure Boot. The root certificate for UEFI is signed by Microsoft, and Linux distributions put their own bootloaders, each with its own validated certificate, further down the chain. But GRUB2, a widely popular Linux bootloader with a UEFI-ready certificate, contains a buffer overflow vulnerability that can be exploited by malicious code inserted into in its configuration file. (While GRUB2 itself is signed, its configuration file, meant to be editable by local admins, is not.) This hole was spotted by Eclypsium, and while an attacker would need to have a degree of local control of the target machine to implement this attack, if they pulled it off successfully, they could ensure that they remain in control of that computer going forward each time it boots up, making it difficult to evict them from the system. Telnet Age: 10 years, 8 months Date introduced: May 2017 Date fixed: Jan 2026 Telnet is an early internet protocol and associated tools used for remotely logging into another machine via a text-based terminal session. Although superseded by the more secure and encrypted SSH technology since the mid-1990s, Telnet is still widely used by embedded systems, network hardware, and other legacy systems. An easily-exploited Telnet authentication bypass vulnerability (CVE-2026-24061), introduced in code changes release in May 2017, left devices running pre-patched versions of the software wide open to remote compromise, provided that its Telnet server was exposed to the internet. [1]HashiCorp Vault was first released in 2015, with CyberArk Conjur becoming available in 2016. I’m assuming that at least some of these vulnerabilities date back to the first release of each technology. View the full article

  9. Die besten Cyber-Recovery-Lösungen

    CSOonline posted a techarticle in Security
    Arjuna Kodisinghe | shutterstock.com Im Rahmen traditioneller Incident-Response– und Recovery-Prozesse wird eine Kompromittierung identifiziert und ein “Desaster” deklariert – woraufhin die betroffenen Systeme aus dem Backup wiederhergestellt werden. Diese Abläufe erfolgen größtenteils manuell und erfordern an jedem Entscheidungspunkt menschliche Interaktion. Und sie werden durch immer raffiniertere Ransomware-Angriffe unterlaufen, bei denen auch Backups verschlüsselt werden. Die Herausforderungen: Die Backup-Systeme sind speziell für finanziell motivierte Angreifer ein maßgebliches Ziel. Die wiederhergestellten Daten gründlich zu überprüfen, ist deshalb essenziell – ansonsten könnte der Recovery-Prozess ins Leere laufen (während er trotzdem kostet). Ausfallzeiten verursachen für die Unternehmen enorme Kosten. Eine möglichst zeitnahe, vollständige Wiederherstellung der Betriebskapazität hat entsprechend hohe Priorität. Mit “Cyber Recovery” hat sich inzwischen ein neuer Ansatz etabliert, um Incident Response und Recovery auf die Höhe der Zeit zu bringen. Dabei handelt es sich laut den Marktforschern von IDC weniger um Standalone-Produkte, sondern vielmehr um Angebote, die Teil einer übergreifenden Plattform oder eines anderen Produkts sind und verschiedene Funktionen kombinieren. Die Lösungen dieser Kategorie zeichnen sich demnach in erster Linie dadurch aus, den anfänglichen Schaden eines Angriffs zu minimieren und eine möglichst effiziente Wiederherstellung zu ermöglichen. Idealerweise kommen dabei Features wie Systemüberwachung in Echtzeit, automatisierte Mitigation sowie IT-Forensik zum Einsatz. Der Recovery-Prozess selbst wird dabei in einer Sandbox initiiert. Das ermöglicht zusätzliche Analysen abseits der betroffenen Systeme und gründliche Malware-Scans. Die wichtigsten Cyber-Recovery-Anbieter Nachfolgend haben wir einige empfehlenswerte Cyber-Recovery-Anbieter und ihre Offerings für Sie zusammengetragen. Acronis Einer der wenigen Backup- und Recovery-Spezialisten, der auch im Bereich Cyber Recovery tätig ist, ist Acronis. Das Unternehmen bietet dazu zwei umfassende Plattformen an: Cyber Protect und Cyber Protect Cloud. Bei beiden Plattformen liefern KI-gestützte Antimalware, Endpoint Detection und Response sowie E-Mail-Security die Grundlage, um Angriffe möglichst frühzeitig zu erkennen. Ein weiteres, bemerkenswertes Feature der Acronis-Plattformen: Sie bieten forensische Backups, bei denen nicht nur die Festplatte, sondern auch ein Memory Dump und Schlüsselinformationen über laufende Prozesse erfasst werden. Zudem haben Sie die Möglichkeit, Dateien mit Zertifikaten digital zu signieren. Cohesity Unterschiedliche Cyber-Recovery-Anforderungen adressiert der Sicherheitsanbieter Cohesity mit seinen Offerings. Im Dezember 2024 hat der Anbieter das Data-Protection-Geschäft von Veritas übernommen. Data Protect verspricht Schutz für eine Vielzahl von Workloads – im Wesentlichen durch unveränderliche Snapshots mit strikter Konsistenz in Verbindung mit einem optimierten Wiederherstellungsprozess, um Systemressourcen schnell und effizient wiederherzustellen. Bestandteil des Cohesity-Portfolios ist auch das SaaS-Angebot FortKnox. Das Cyber-Vaulting-Tool bringt Features wie flexible Recovery-Ziele und granulare Datenerfassung mit – und identifiziert zuverlässig Punkte zur Systemwiederherstellung. Commvault Auch Commvault verfügt über einen umfassenden Katalog von Produkten. Einige davon decken dabei auch den Bereich Cyber Recovery ab. Zum Beispiel: die Cyber-Deception-Plattform Threatwise und die Risiko-Monitoring-Plattform Security IQ. Gemeinsame Features der Cyber-Recovery-Systeme von Commvault sind zum Beispiel Immutable und Air-Gap-Backups sowie Zero-Trust-Prinzipien. Sämtliche Komponenten werden dabei von der hauseigenen Metallic AI unterstützt. Sie soll unter anderem die Anomalieerkennung erleichtern. Dell In erster Linie ist Dell ein Hardware-Unternehmen. Dennoch haben die Amerikaner auch eine Reihe von Software-Tools im Angebot, die einer vollständigen Cyber-Recovery-Lösung zuträglich sein können – etwa PowerProtect Cyber Recovery. Die Software isoliert kritische Daten, um sie vor potenziellen Angriffen zu schützen und nutzt parallel Machine Learning, um verdächtige Aktivitäten und sichere Wiederherstellungspunkte zu identifizieren. Darüber hinaus bietet Dell auch PowerProtect-Appliances und Dienstleistungen an, um Ihre Cyber-Recovery-Bemühungen abzurunden. Druva In Sachen Bekanntheitsgrad kann Druva vielleicht nicht unbedingt mithalten, dafür aber, wenn es um Cyber-Recovery-Funktionen geht. Das Cloud-basierte Kontroll-Panel von Druva ermöglicht einen einheitlichen Überblick über den Schutzstatus von Cloud- und On-Prem-Workloads. Der hauseigene KI-Assistent Dru unterstützt die Anwender dabei, wenn es darum geht, Backups zu managen, Fehler zu beheben und historische Prozesse zu überprüfen. Druva kombiniert diese Orchestrierung mit kuratierten Snapshots und detaillierten Einblicken in den Verlauf der Datei(ver)änderungen – mit Fokus auf bösartige Vorgänge wie Infektionen mit Malware oder Datenverschlüsselung. Werden solche festgestellt, bietet die Plattform flexible Recovery-Optionen wie System-Rollback, Snapshots in Quarantäne oder Wiederherstellung in einer Sandbox-Umgebung. Eine Lizenz für Druva beinhaltet außerdem Zugang zu professionellen Dienstleistungen in den Bereichen: Weiterbildungen, Fire Drill Testing, Playbook-Entwicklung und Incident Response. Quest Dieser langjährige Anbieter von IT-Management-Software hat diverse Cyber-Recovery-Komponenten im Angebot. Zum Beispiel: NetVault Plus, ein Backup- und Recovery-System, das auf den Schutz vor Ransomware, Replikation für Disaster Recovery und Continuous Data Protection (CDP) ausgelegt ist. KACE Cloud, das mit Device Patching und Endpoint Management zwei wichtige Komponenten moderner Sicherheits-Stacks abdeckt. Darüber hinaus bietet Quest auch mehrere Lösungen an, die ihren Schwerpunkt auf den Schutz von Azure Active Directory und Microsoft Entra legen. Zwei erwähnenswerte Lösungen sind in diesem Bereich: Recovery Manager for AD Disaster Recovery Edition, das den Wiederherstellungsprozess von Active Directory auf Forest-Ebene automatisiert. SpecterOps BloodHound Enterprise, das Active Directory auf Schwachstellen und potenzielle Angriffspfade analysiert und entsprechende Maßnahmen zur Verfügung stellt, um das Sicherheitsniveau zu erhöhen. Rubrik Auch Datensicherheitsspezialist Rubrik kann dazu beitragen, die Mehrheit der Punkte auf der Cyber-Recovery-Checkliste abzuhaken: Threat Containment identifiziert Malware und infizierte Dateien, isoliert diese und erleichtert die Wiederherstellung von sauberen Files, was das Risiko deutlich reduziert, während des Prozesses kompromittierte Dateien wiedereinzuführen. Letztere lassen sich für forensische Überprüfungen (mit limitierten Berechtigungen, um einen versehentlichen Restore zu verhindern) aufbewahren. Rubrik Cloud Vault bietet Air-Gapped-Backups im Rahmen einer vollständig verwalteten Plattform. Das erleichtert Implementierung und Management langfristig. Die hauseigenen Datenanalyse-Tools bewerten den Dateiinhalt und die Backup-Aktivität und wenden Klassifizierungsregeln auf die Backups an. Dabei fallen auch potenziell sensible Daten, die nicht vollständig geschützt sind, nicht unter den Tisch. Ein Sahnehäubchen in Form von (kostenfreiem) Zugriff auf das Ransomware Response Team von Rubrik gibt es obendrein. Veeam Veeam ist noch nicht so lange im Backup- und Recovery-Business aktiv wie einige andere Anbieter in diesem Artikel – hat sich seinen Platz in der Cyber-Recovery-Top-Ten aber redlich verdient. Das Unternehmen bietet unter dem Banner seiner Data Platform mehrere Lösungen an, die Schlüsselelemente der Cyber-Recovery-Anforderungen abdecken: Veeam Backup & Replication bietet Schutz vor Ransomware, unveränderliche Backups und CDP mit Point-in-Time-Recovery. Veeam ONE ermöglicht es, Bedrohungen “proaktiv” abzuwehren, indem verdächtige Aktivitäten frühzeitig erkannt werden. Dazu kommt ein umfassender Überblick über den Datensicherungsstatus. Veeam Recovery Orchestrator automatisiert Wiederherstellungstests und -orchestrierung mit wiederholbaren Workflows. Zerto Der Sicherheitsanbieter Zerto wurde im Jahr 2021 von HPE aufgekauft und legt seinen Fokus auf Cloud- und virtuelle Umgebungen. Dabei integriert die Lösung eng mit Hypervisoren, um Workloads vollumfänglich abzusichern. Die Plattform bietet einige erwähnenswerte Funktionen. Beispielsweise erkennt sie Verschlüsselungsvorgänge in laufenden virtuellen Maschinen. Das Journaling-System von Zerto erfasst Schreibvorgänge dabei mithilfe von CDP und ermöglicht bei Bedarf eine granulare Wiederherstellung. Verdächtige Aktivitäten werden aufgezeichnet und mithilfe einer Entropieberechnung ausgewertet, um Fehlalarme zu verhindern. (fm) View the full article

  10. Microsoft leads takedown of Tycoon2FA phishing service infrastructure

    CSOonline posted a techarticle in Security
    The infrastructure hosting the Tycoon2FA service, which Europol said was among the largest phishing operations worldwide, has been taken down by a coalition of IT companies and law enforcement agencies. At least temporarily, this removes access to one more tool for evading multifactor authentication defenses from threat actors. Europol, which coordinated the operation, said Wednesday that the technical disruption was led by Microsoft, which got a US court order to seize 330 active domains that powered Tycoon2FA’s core infrastructure, including its control panels and fraudulent login pages. At the same time, law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom seized the service’s infrastructure in their countries. Other IT companies involved in the operation included Cloudflare, Coinbase, Intel471, Proofpoint, the Shadowserver Foundation, SpyCloud, and Trend Micro. Microsoft noted that, by mid‑2025, Tycoon2FA accounted for approximately 62% of all phishing attempts that it alone had blocked; at one point it intercepted more than 30 million emails in a single month. It believes that Tycoon2FA, sold to threat actors as a phishing-as-a-service operation, is linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers. [Related content: US, Microsoft crush Lumma Stealer] The company said that Tycoon2FA combined convincing phishing templates, realistic landing pages, and real‑time capture of credentials and authentication codes into an easy‑to‑use package that scaled quickly. “By lowering the technical barrier to entry, it allowed criminals with limited expertise to run sophisticated impersonation campaigns,” Microsoft said in a blog. It noted that Tycoon2FA’s platform enabled threat actors to impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail, as well as allowing threat actors using its service to establish persistence. Criminals could also access sensitive information, even after passwords were reset, by intercepting session cookies generated during the authentication process while simultaneously capturing user credentials, unless active sessions and tokens were explicitly revoked. The intercepted multi-factor authentication (MFA) codes were subsequently relayed through Tycoon2FA’s proxy servers to the authenticating service. Don’t be complacent: Experts This takedown is the latest in a series of IT industry and law enforcement co-operative efforts to go after criminals’ IT infrastructure. However, experts warned CSOs and infosec leaders not to become complacent. Cybercrime is so lucrative that either a distribution of this tool will pop up elsewhere, or another tool will take its place. “Phishing tools designed to bypass reverse proxies continue to evolve,” noted Robert Beggs, head of Canadian incident response firm Digital Defence. “Commercial variations such as EvilProxy are commonly found in the wild, and open source toolkits like EvilGinx, Modlishka, EvilPunch are becoming the go-to option for attackers.” Johannes Ullrich, dean of research at the SANS Institute, noted that access brokers like Tycoon2FA are typically less sensitive to domain takedowns than malware operators who use domains for their command-and-control infrastructure. “It will likely take them a bit of time to rebuild domains to use in their operation,” he said in an email, “but I doubt they will disappear. On the other hand, there is reason to cheer: at least a temporary reprieve from Tycoon2FA phishing emails.” He added, “CSOs should, however, focus on identity security, in particular phishing-resistant authentication technologies. Multi-factor authentication is not sufficient if it is still susceptible to phishing. A recently developed tool, Starkiller, added yet another option for attackers to exploit insufficient MFA configurations.” [Related content: DOJ seizes 41 Russian controlled domains] Beggs pointed out that Tycoon2FA owes its success to being a simple to use system based on a reverse proxy. This configuration allows it to bypass the two-factor authentication that most organizations rely on to provide protection against phishing attacks, he said. The reverse proxy allows the hostile program, the attacker, to virtually sit in the middle of a transaction, and intercept access credentials and cookies. Stringent defenses needed CSOs must employ stringent defenses against tools that use reverse proxies, Beggs said, including strengthening email filtering by enforcing DMARC, DKIM, and SPF; enforcing secure session handling at the edge by using client-bound session tokens tied to device or TLS certificates; ensuring continuous validation by issuing a new challenge when the device fingerprint changes and by using short-lived cookies; monitoring network traffic for signs of man-in-the-middle behaviors such as inconsistent host headers, proxy-added headers, and timing discrepancies between client and server flows; and adopting phishing-resistant MFA with tools like FIDO2/WebAuthn hardware keys, passkeys, or certificate-based authentication. Because authentication is bound to the origin (domain) and the cryptographic challenges cannot be replayed through a reverse proxy, these methods cannot be proxied, he added. How the service worked Tycoon2FA phishing services were advertised and sold to cybercriminals on applications like Telegram and Signal, Microsoft said in a separate blog. Prices ranged, but phishing kits started at $120 for 10 days of access to an administrative panel, which served as a single dashboard for configuring, tracking, and refining campaigns. For defenders who don’t know how comprehensive these criminal SaaS operations can be, here’s an outline of Tycoon2FA’s service: Campaign operators could configure a broad set of campaign parameters that control how phishing content is delivered and presented to targets. Key settings include lure template selection and branding customization, redirection routing, MFA interception behavior, CAPTCHA appearance and logic, attachment generation, and exfiltration configuration. Tycoon2FA generated large numbers of subdomains for individual phishing campaigns, used them briefly, then dropped them and spun up new ones. They could also configure how the malicious content is delivered. Options include generating EML files, PDFs, and QR codes, offering multiple ways to package and distribute phishing lures. Operators could track valid and invalid sign-in attempts, MFA usage, and session cookie capture, with victim data organized by attributes such as targeted service, browser, location, and authentication status. Captured credentials and session cookies could be viewed or downloaded directly within the panel and/or forwarded to Telegram for near‑real‑time monitoring. “Tycoon2FA illustrated the evolution of phishing kits in response to rising enterprise defenses, adapting its lures, infrastructure, and evasion techniques to stay ahead of detection,” said Microsoft. “As organizations increasingly adopt MFA, attackers are shifting to tools that target the authentication process itself, instead of attempting to circumvent it. Coupled with affordability, scalability, and ease of use, Tycoon2FA posed a persistent and significant threat to both consumer and enterprise accounts, especially those that rely on MFA as a primary safeguard.” View the full article

  11. Why AI, Zero Trust, and modern security require deep visibility

    CSOonline posted a techarticle in Security
    AI. Automation. Zero Trust. They dominate every security strategy document. But there’s a truth sitting underneath all three: none of them work without deep, trustworthy visibility. You can’t continuously verify identities without knowing how they behave. You can’t train AI on incomplete data and expect accurate detection. You can’t automate response if every decision is built on inference instead of evidence. And we believe this is exactly what an October 2025 commissioned study conducted by Forrester Consulting on behalf of NETSCOUT confirms. Visibility is no longer a tool category, it’s a strategic requirement According to the study: 72% of organizations say NAV is essential for proactive threat hunting and reactive incident response 69% say a NAV solution is vital to their threat detection and incident response process This isn’t about adding more gadgets to the SOC. It’s about strengthening the foundation that the SOC stands on. When visibility is weak, every advanced capability becomes unstable: AI guesses Zero Trust misclassifies Automated response becomes dangerous Threat hunting becomes inefficient TDIR slows down Modern security needs reliable, high-fidelity input. Without it, innovation collapses on contact. The cost of building the future on a weak foundation Executives often assume advanced technologies will “fix” visibility. In reality, they depend on it. AI can’t correlate what it can’t see. Zero Trust can’t validate what it can’t interpret. Orchestration can’t automate decisions it doesn’t fully understand. This is why thought-leading organizations are shifting their strategy: not diving deeper into tools but investing in the visibility that enables them. Where Omnis Cyber Intelligence fits This future-ready foundation is exactly where Omnis Cyber Intelligence provides leverage, not because it replaces AI or Zero Trust, but because it supports them. Omnis Cyber Intelligence delivers the kind of high-integrity data those systems depend on: Trusted packet-level visibility for AI models that require strong ground truth Behavioral analytics that strengthen Zero Trust validation Unified hybrid visibility that consolidates evidence across environments Context-rich metadata that accelerates automated workflows Retrospective investigation capabilities for threat hunting teams Omnis Cyber Intelligence becomes the “clarity layer” beneath modern security, not the star of the strategy, but the reason the strategy works. The leaders who win will be the ones who see clearly The future of cybersecurity is already arriving, and it’s arriving fast. But speed without clarity creates fragility. Organizations that build AI, Zero Trust, and SOC modernization on top of strong visibility will accelerate safely. Those who build on top of guesswork will move fast, until something breaks. Forrester’s research underscores the shift. Omnis Cyber Intelligence aligns naturally with the direction the industry is heading. The question for leaders isn’t whether they need modern visibility. It’s whether they have enough of it to support the future they’re building. Read the commissioned Forrester Consulting Opportunity Snapshot Learn more about Omnis Cyber Intelligence View the full article

  12. Why AI, Zero Trust, and modern security require deep visibility

    CSOonline posted a techarticle in Security
    AI. Automation. Zero Trust. They dominate every security strategy document. But there’s a truth sitting underneath all three: none of them work without deep, trustworthy visibility. You can’t continuously verify identities without knowing how they behave. You can’t train AI on incomplete data and expect accurate detection. You can’t automate response if every decision is built on inference instead of evidence. And we believe this is exactly what an October 2025 commissioned study conducted by Forrester Consulting on behalf of NETSCOUT confirms. Visibility is no longer a tool category, it’s a strategic requirement According to the study: 72% of organizations say NAV is essential for proactive threat hunting and reactive incident response 69% say a NAV solution is vital to their threat detection and incident response process This isn’t about adding more gadgets to the SOC. It’s about strengthening the foundation that the SOC stands on. When visibility is weak, every advanced capability becomes unstable: AI guesses Zero Trust misclassifies Automated response becomes dangerous Threat hunting becomes inefficient TDIR slows down Modern security needs reliable, high-fidelity input. Without it, innovation collapses on contact. The cost of building the future on a weak foundation Executives often assume advanced technologies will “fix” visibility. In reality, they depend on it. AI can’t correlate what it can’t see. Zero Trust can’t validate what it can’t interpret. Orchestration can’t automate decisions it doesn’t fully understand. This is why thought-leading organizations are shifting their strategy: not diving deeper into tools but investing in the visibility that enables them. Where Omnis Cyber Intelligence fits This future-ready foundation is exactly where Omnis Cyber Intelligence provides leverage, not because it replaces AI or Zero Trust, but because it supports them. Omnis Cyber Intelligence delivers the kind of high-integrity data those systems depend on: Trusted packet-level visibility for AI models that require strong ground truth Behavioral analytics that strengthen Zero Trust validation Unified hybrid visibility that consolidates evidence across environments Context-rich metadata that accelerates automated workflows Retrospective investigation capabilities for threat hunting teams Omnis Cyber Intelligence becomes the “clarity layer” beneath modern security, not the star of the strategy, but the reason the strategy works. The leaders who win will be the ones who see clearly The future of cybersecurity is already arriving, and it’s arriving fast. But speed without clarity creates fragility. Organizations that build AI, Zero Trust, and SOC modernization on top of strong visibility will accelerate safely. Those who build on top of guesswork will move fast, until something breaks. Forrester’s research underscores the shift. Omnis Cyber Intelligence aligns naturally with the direction the industry is heading. The question for leaders isn’t whether they need modern visibility. It’s whether they have enough of it to support the future they’re building. Read the commissioned Forrester Consulting Opportunity Snapshot Learn more about Omnis Cyber Intelligence View the full article

  13. The 10-hour problem: How visibility gaps are burning out the SOC

    CSOonline posted a techarticle in Security
    Security teams aren’t drowning because the threats improved. They’re drowning because the visibility got worse. The October 2025 commissioned Forrester Consulting study conducted on behalf of NETSCOUT surfaces a problem that every analyst already knows: 61% of survey respondents say their analysts spend more than ten hours a week in the “analyze” phase alone. This isn’t a time-management issue. It’s a clarity issue. Why analysts are overwhelmed Most investigations start the same way: An alert fires The context is partial The data is dispersed The logs are incomplete The analyst starts correlating manually This is the invisible cost of poor visibility. Every alert becomes a puzzle, and analysts become professional puzzle-solvers. But puzzles don’t scale. Not when attacks move faster than your reconstruction speed. The hidden cost of insufficient NAV The Forrester study shows that teams lacking strong Network Analysis and Visibility capabilities struggle to: Achieve holistic visibility Understand lateral movement Reduce time spent in the analyze phase Integrate NAV into their broader security ecosystem These weaknesses compound into more alerts, more manual work, and more analyst fatigue. And fatigue isn’t just a human problem. It’s a security problem. Tired teams miss things. Burned-out analysts quit. Turnover destroys institutional knowledge. Response becomes slower, not faster. The fastest way to reduce SOC burnout isn’t more people, it’s more clarity When analysts have reliable evidence from the start: Alerts become easier to validate Investigations shrink from hours to minutes TDIR becomes streamlined Confidence increases Stress decreases Better visibility creates better humans. Because the job becomes about judgment, not assembly. Where Omnis Cyber Intelligence fits This is where platforms like Omnis Cyber Intelligence quietly change the day-to-day reality for analysts: not by adding new workflows, but by eliminating unnecessary ones. Omnis Cyber Intelligence delivers what analysts need most: Packet-level truth they can trust Correlated metadata that explains behavior, not just records it Three-click investigations that turn hunting from a chore, into a capability Hybrid visibility so analysts don’t have to stitch together cloud and on-prem traffic by hand When investigations begin with clarity instead of chaos, burnout fades. Not because the work became easier, but because it became understandable. The SOC of the future will be built on visibility If leaders want to retain talent, reduce noise, and accelerate response, the fix isn’t superficial. It’s structural. Better visibility → better investigations → better morale → better resilience. The Forrester study makes the scale of the problem clear. We believe solutions like Omnis Cyber Intelligence make the path forward practical. Read the commissioned Forrester Consulting Opportunity Snapshot Learn more about Omnis Cyber Intelligence View the full article

  14. The 10-hour problem: How visibility gaps are burning out the SOC

    CSOonline posted a techarticle in Security
    Security teams aren’t drowning because the threats improved. They’re drowning because the visibility got worse. The October 2025 commissioned Forrester Consulting study conducted on behalf of NETSCOUT surfaces a problem that every analyst already knows: 61% of survey respondents say their analysts spend more than ten hours a week in the “analyze” phase alone. This isn’t a time-management issue. It’s a clarity issue. Why analysts are overwhelmed Most investigations start the same way: An alert fires The context is partial The data is dispersed The logs are incomplete The analyst starts correlating manually This is the invisible cost of poor visibility. Every alert becomes a puzzle, and analysts become professional puzzle-solvers. But puzzles don’t scale. Not when attacks move faster than your reconstruction speed. The hidden cost of insufficient NAV The Forrester study shows that teams lacking strong Network Analysis and Visibility capabilities struggle to: Achieve holistic visibility Understand lateral movement Reduce time spent in the analyze phase Integrate NAV into their broader security ecosystem These weaknesses compound into more alerts, more manual work, and more analyst fatigue. And fatigue isn’t just a human problem. It’s a security problem. Tired teams miss things. Burned-out analysts quit. Turnover destroys institutional knowledge. Response becomes slower, not faster. The fastest way to reduce SOC burnout isn’t more people, it’s more clarity When analysts have reliable evidence from the start: Alerts become easier to validate Investigations shrink from hours to minutes TDIR becomes streamlined Confidence increases Stress decreases Better visibility creates better humans. Because the job becomes about judgment, not assembly. Where Omnis Cyber Intelligence fits This is where platforms like Omnis Cyber Intelligence quietly change the day-to-day reality for analysts: not by adding new workflows, but by eliminating unnecessary ones. Omnis Cyber Intelligence delivers what analysts need most: Packet-level truth they can trust Correlated metadata that explains behavior, not just records it Three-click investigations that turn hunting from a chore, into a capability Hybrid visibility so analysts don’t have to stitch together cloud and on-prem traffic by hand When investigations begin with clarity instead of chaos, burnout fades. Not because the work became easier, but because it became understandable. The SOC of the future will be built on visibility If leaders want to retain talent, reduce noise, and accelerate response, the fix isn’t superficial. It’s structural. Better visibility → better investigations → better morale → better resilience. The Forrester study makes the scale of the problem clear. We believe solutions like Omnis Cyber Intelligence make the path forward practical. Read the commissioned Forrester Consulting Opportunity Snapshot Learn more about Omnis Cyber Intelligence View the full article

  15. Iranian cyberattacks fail to materialize but threat remains acute

    CSOonline posted a techarticle in Security
    Five days into US and Israel’s war with Iran, the worst predictions for cyber-retaliation have yet to materialize. But Iran has built one of the world’s most active cyber operations, which means this is likely a temporary reprieve, experts warn. At the weekend, both the UK National Cyber Security Centre (NCSC) and the Canadian Centre for Cyber Security (CCCS) issued general warnings of the threat posed by Iranian cyber campaigns. The US Cybersecurity and Infrastructure Security Agency (CISA), meanwhile, has yet to update its last warning, from October. “There is almost certainly a heightened risk of indirect cyber threat for those organizations and entities who have a presence, or supply chains, in the Middle East,” said the NCSC, stating the obvious. Canada’s CCCS was at least willing to set out some of the possibilities: “Iran will very likely use its cyber program to respond to the joint US and Israel combat operations against Iran,” it said. The agency urged organizations to look beyond the background noise of opportunistic DDoS attacks and other low-level cyber-activity for more sinister threats such as ransomware and destructive wiper attacks. The general nature of the warnings underlines the problem of alert fatigue: If attacks are an ever-present threat, what should organizations pay attention to? Does the arrival of kinetic war change this, or simply alter its timescale? APTs and wiper malware Security companies are rarely shy about advertising Iranian threats. Despite this, the consensus is that Iranian cyber-retaliation has so far been surprisingly mild. This might simply be a period of adjustment caused by disruption to Iran’s energy and Internet infrastructure, they caution. To date, active groups divide into three overlapping categories; those primarily targeting Middle-Eastern infrastructure, those oriented towards targets in the West — which includes specialized advanced persistent threat (APT) groups — and smaller proxies based outside of Iran whose targeting is unpredictable. On March 2, Palo Alto’s Unit 42 said, “State-aligned cyber units may be acting in operational isolation, which could result in deviations from previously established patterns. Additionally, Iranian command and control degradation may also lead to tactical autonomy for cells outside of Iran.” DDoS represents the biggest immediate threat. So far, this has not come to pass on any scale, with Cloudflare CEO Mathew Prince tweeting on X on Sunday that Iranian-linked DDoS attacks were actually down. This was despite CrowdStrike reports that the Hydro Kitten group had issued DDoS threats against the US banking sector, which led to short-term disruption. Security company Radware detected 149 DDoS attacks that appeared to be connected to Iran between February 28 and March 2, the majority targeting government entities in the Middle East. All but a tiny percentage were driven by just three hacktivist groups, Keymous+, DieNet, and Conquerors Electronic Army, the company said. Destructive ‘wiper’ attacks are a more pressing worry. The precedent for this is the Infamous Iranian Shamoon malware of 2012 that wiped 30,000 workstations at oil company Saudi Aramco. While attempted follow-up attacks have also targeted the energy sector the danger is that in a time of war any target will do, in the US or elsewhere. Security vendor Anomali warned, “Iran’s wiper arsenal includes 15+ families (ZeroCleare, Meteor, Dustman, DEADWOOD, Apostle, BFG Agonizer, MultiLayer, PartialWasher).” The biggest concerns are high-profile APT groups associated with the Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence and Security (MOIS) which have a proven track record of attacks. This includes APT35/APT42 (Charming Kitten, Phosphorous), and APT 33 (Elfin Team). Curiously, one of the most active Iranian APTs, APT34 (OilRig), appear to have gone silent, having not been detected for a week. “This likely indicates covert pre-positioning, not inactivity,” said Anomali. Security company Tenable has published a useful summary of the most important Iranian threat groups which discusses the tools, techniques and procedures of each. Targeting and response According to Adrian Cheek, a senior cybercrime researcher at Canadian threat intelligence company Flare, the most at-risk sectors are critical infrastructure, including the defense and government supply chain, financial services, energy, and healthcare. “Water, energy, and healthcare sectors are currently the most exposed. These sectors combine high targeting priority with weak baseline security, particularly in operational technology environments. Financial services face high targeting priorities but generally have stronger defenses,” said Cheek. Iranian groups will first look for known weaknesses in operational technology and industrial control systems. “Every US multinational with Gulf region operations should brief regional personnel on heightened physical and cyber threats. Implement phishing-resistant MFA (FIDO2/WebAuthn) where possible. Remove unmanaged Remote Monitoring and Management (RMM) tools,” he said. Organizations should also urgently monitor for wiper malware whilst ensuring endpoint systems are primed to detect Shamoon variants while patching the VPN and other edge devices, another favored Iranian target, Cheek said. A big unknown is the effect AI might have on this type of conflict, suggested Dean Valentine, CEO of application security company ZeroPath. “The advent of frontier models with strong cybersecurity capabilities lowers the floor for participation in destructive cyberattacks. Before this year there were only a few countries that were heavily active in cyberspace. Now any country or criminal organization can get a team of 5 to 10 not-particularly-skilled engineers together and do major damage,” he said. While Iran’s offensive cyber-capability had been greatly reduced by US and Israeli attacks, AI was quietly putting potent disruption into the hands of more geographically distributed groups, he warned. “All of this means that in the near future poor countries like Iran are probably going to be much more capable of lashing out, by taking down large fractions of our internet infrastructure.” View the full article

  16. Anthropic AI ultimatums and IP theft: The unspoken risk

    CSOonline posted a techarticle in Security
    Two recent high-profile events concerning Anthropic’s Claude AI underscore a little-discussed risk at the heart of the enterprise’s rush to capitalize on leading AI capabilities. The first incident involved a China-based extraction campaign against Anthropic’s intellectual property. The second was the Trump administration’s banning of Claude for federal use after the company resisted US demands to alter its guardrails. To be sure, Claude isn’t the problem, and Anthropic isn’t the villain. The company and product themselves aren’t the issue. The problem is that frontier AI models now attract two very different kinds of pressure simultaneously: illegal extraction by foreign actors who want to study and replicate their behavior, and lawful demands from domestic customers who want to reshape that behavior for their own missions. Both forces operate within their own incentives. Both are real. And both create conditions that CISOs must factor into any decision to deploy these systems inside their enterprise. Neutrality of frontier AI no longer exists Frontier AI models no longer operate in a neutral space. They sit inside an environment where foreign actors are collecting information about and against them at scale, and where major domestic customers are attempting to steer their behavior for mission needs. Neither dynamic makes Anthropic a villain, and neither makes Claude a compromised asset. What it does mean is that the geopolitical insulation these systems once enjoyed is gone. The environment around them has become part of the risk surface, and CISOs now have to account for pressures acting on the model long before it ever reaches their enterprise. China’s extraction campaign: A targeting operation, not a curiosity Anthropic’s disclosure that three China‑based AI companies (DeepSeek, Moonshot AI, and MiniMax) ran more than 16 million interactions through roughly 24,000 fraudulent accounts is not a story about model misuse. It is a story about targeting. These campaigns went straight at Claude’s most sensitive capabilities: agentic reasoning, tool use, and coding. That is not random sampling; that is structured collection. I’ve spent enough time in the world of targeting to recognize this pattern immediately, and you don’t need my level of experience to see it. When an adversary can observe a system at scale, they can map its strengths, seams, and predictable behaviors. China now has that behavioral telemetry for Claude, and they will use it to tune their own systems and to shape offensive operations against environments where Claude‑like models are deployed. And Claude is not the only system in China’s targeting sights. The same actors have used similar high‑volume extraction methods against other frontier models, including Google’s Gemini and OpenAI’s ChatGPT. They generate enough interaction data to understand how these systems think and where they can be pressured. Anthropic’s callout does the entire community a service by raising the caution flag where it is both high and visible. The implication is straightforward: Frontier models are now intelligence surfaces. US government pressure: Direct, immediate, and operationally significant The pressure on the other side of Claude came from the US government, and it was direct. Senior defense officials made clear they wanted the ability to direct Claude toward mission uses that would require altering or removing the guardrails Anthropic had put in place around autonomous weapons and broad‑scale surveillance. Anthropic CEO Dario Amodei responded with two concerns that matter for anyone responsible for risk: AI systems do not have the human fail-safe of refusing an improper order, and using AI to process the full stream of public conversation raises constitutional and civil‑liberties questions that the company was not willing to ignore. Those points explain why Anthropic declined. The government’s reaction was swift. It announced that Claude would be removed from all government systems with a six‑month phase‑out and labeled Anthropic a supply‑chain risk. The company’s own statement highlighted the tension: Claude was simultaneously described as a potential security liability and as a system important enough to warrant extraordinary measures to reshape its behavior. For CISOs, the takeaway is not about who is right. It is that a frontier model already embedded in classified networks, intelligence workflows, and operational planning can be subjected to external pressure that would materially alter its behavior for every downstream customer. Two pressures, one structural exposure China’s extraction campaign and the US government’s direct pressure on Anthropic came from opposite directions and for entirely different reasons, but the operational effect is the same: both forces act on the model from outside the enterprise. Neither pressure says anything about the quality of the model or the integrity of the vendor. What it shows is that frontier AI has entered a phase where external actors are working hard to influence how these systems operate. For CISOs, this is the point that matters. A model can be profiled, studied, or pressured long before it reaches your environment, and those upstream forces can shape how it performs once it is inside your ecosystem. The risk is that any frontier model operating at this level of capability will draw the same attention and the same attempts to steer its behavior. The environment around these systems is now contested space, and that exposure travels with the model wherever it is deployed. AI vendors’ response Once the government announced its plan to remove Claude from federal systems, other vendors moved quickly to occupy the space. OpenAI was first out of the gate, publicizing a new arrangement to bring its model onto classified networks. Sam Altman later added a measured comment in a CNBC interview, noting his discomfort with heavy‑handed pressure on AI companies while still positioning OpenAI as a ready alternative. It was a clear signal: The opportunity was open, and OpenAI intended to take it. xAI followed with its own approval for classified deployment, with Grok slated for initial rollout in early 2026. Elon Musk framed Anthropic in adversarial terms, but the rhetoric is secondary to the operational reality: The government wanted additional options, and the vendor ecosystem delivered them without hesitation. For CISOs, the lesson is straightforward: When one supplier declines to adjust a model to meet a major customer’s expectations, another supplier will step forward immediately. The pressure doesn’t dissipate. The pressure shifts to the next model in line. That dynamic is now part of the operating environment for any enterprise relying on frontier AI. The new operating reality Frontier AI now sits inside an environment shaped by forces the enterprise does not control. Vendors are making decisions under those external pressures, and the effects travel downstream. None of these means the models are broken or untrustworthy. It means they are operating inside a landscape where external actors have leverage, intent, and visibility. For CISOs, the adjustment is to treat these systems as high‑value dependencies exposed to upstream influence. The model you deploy is not just the artifact you receive; it is the product of the pressures acting on the vendor and the attention the model attracts once it demonstrates capability. The task is to build enough visibility and monitoring to understand when those forces begin to show up in your own environment. View the full article

  17. How to know you’re a real-deal CSO — and whether that job opening truly seeks one

    CSOonline posted a techarticle in Security
    Recruiters of senior-level IT professionals often say that a truly skilled and experienced CSO is among the hardest of all IT roles to fill. The reason is due to the increased responsibility placed on these key employees, who are often part of the C-suite and may even report directly to the CEO. Unfortunately, this can place significant pressure on an organization to hire quickly, perhaps short-changing the vetting process. Likewise, security pros might be tempted to oversell their skills and knowledge, and mislead an employer on what value they can truly bring to the role. With both scenarios in mind, CSO asked senior technical recruiters and current CSOs how individuals and organizations alike can avoid CSO title inflation and know whether an IT security leader is the “real deal.” Shared insights reveal that a successful CSO is someone equally proficient in technology solutions, business processes, and communication strategies. “A strong leader moves past security for security’s sake and masters risk choreography, which requires the combination of technical fluency and executive judgment,” explains Kanani Breckenridge, CEO and headhuntress at San Diego-based Kismet Search. “Strong IT security leaders understand the threat landscape deeply enough to make informed decisions and don’t hide behind jargon,” she adds. “Their real value shows up in risk prioritization, clear communication with nontechnical stakeholders, and the ability to translate security into business outcomes. They know when to escalate, when to say no, and when ‘good enough’ is actually the right call.” Additionally, top-level CSOs understand that their value isn’t in saying “no,” but in engineering the “yes,” Breckenridge explains. They understand their job is not to eliminate risk but to ensure the organization takes the right risks to stay competitive. Dangers of giving the wrong IT security pro too much clout The biggest risk, Breckenridge explains, is false confidence, where the organization believes it is safer than it actually is. Beyond the waste of budget, it creates fragility. An inflated leader often builds a “culture of compliance” rather than a “culture of security.” Ultimately, it leaves the company vulnerable to a what Breckenridge calls a “double failure”: You have a massive breach despite having spent lots of money — and having been granted the CSO title. One example of how an organization may hire or promote the wrong CSO is when they become enamored with security and product technology evangelists who can define and deploy best-in-class security frameworks and architectures. But these individuals may lack a cohesive strategy in integrated communications, collaborative spirit, hiring, comprehensive training, or general business practices, explains Doug Wald, vice president of recruiting at staffing firm Executive Alliance. Wald says such a mistake is likely to occur when hiring teams focus too much on the security solutions and architectural needs at hand. They may fail to consider the imperatives of a top-line security leader to define, deploy, and optimize mission-critical program development — such as consistent employee and team trainings, legal engagements for privacy, vendor vetting, business continuity, and change processes — as major pillars of a comprehensive security strategy. “Unfortunately, it is more common than most people would imagine, which is why I get hired to find a replacement,” Breckenridge explains. “It often manifests as ‘crisis-driven authority.’ After a major industry breach, boards often panic and grant a CSO emergency powers. If that leader lacks the maturity to wield that influence, they create a ‘security-industrial complex’ within the company, which can often be expensive, bloated, and disconnected from the product roadmap and IT landscape.” Striking the right balance of experience and responsibility Mark G. McCreary, partner and chief AI and IT security officer at Boston-based legal firm Fox Rothschild LLP, has seen both extremes: security being completely sidelined and security professionals given excessive, unjustified authority. In some firms, a newly appointed CSO might be positioned as a gatekeeper without the necessary governance, run books, or partner alignment to justify that veto power, McCreary explains. This imbalance becomes evident when policies exist, but the firm hasn’t practiced who does what under pressure — whether it’s legal and crisis response, technical actions, communications, or client outreach. Mature organizations proactively assign and rehearse these roles. Breckenridge agrees, saying, “Many so-called CSOs have never really owned a budget or led through a major data or security incident.” Considering the high stakes, why would any organization run the risk of hiring an under-experienced CSO? Usually it’s a mix of timing, optics, or a defensive hire that can be more externally driven than what makes sense internally, Breckenridge explains. For example, an organization may use a CSO title as “audit bait” to satisfy regulators or insurance carriers. In other cases, it’s a retention play; a talented technical architect is given a C-level title to keep them from being poached, despite them having no experience in P&L management, board governance, or organizational design. Call it a case of title before mandate, McCreary says. A new title might be created to satisfy client questionnaires or for marketing purposes, but the actual authority, budget, and scope of responsibility haven’t caught up. Experience and skills a CSO should rightly have Cutting through the hype, what should a top-notch CSO bring to the role? “A strong leader balances risk and revenue. A true CSO can translate complex cyber, privacy, and AI risks into specific client and matter risks, explaining them in business terms that a partnership easily understands,” McCreary says. In the case of legal firm Fox Rothschild, this means connecting threats directly to issues like conflicts, privilege, Outside Counsel Guidelines, and ultimately, client trust. “Effective governance needs to be operational from day one,” McCreary says. “Policy shouldn’t just sit on a shelf; it must be directly linked to practical playbooks, clearly defined roles, and escalation paths that the business regularly practices. Think incident response policies, cyber event frameworks, and data-breach playbooks all working together. How a CSO can recognize they may have an inflated title A CSO “imposter gap,” as Breckenridge calls it, usually appears in the boardroom, and when the individual spends more time delivering authority and decisions than delivering outcomes. “If you find yourself speaking only in technical vulnerabilities rather than business liabilities, you’re likely a director with a CSO title.” As many firms have different job architectures, title standing may also be dependent on the organization, their size and market segment, and overall functions and responsibilities of an IT security professional, Wald explains. Generally speaking, titles should be based on more commonly held competitive benchmarks in the market. “Usually, when entering into a role, IT security professionals are aware of the title that they are pursuing. It would be contingent on the hiring company to maintain the consistency of the role’s functions rather than evolve into a function that isn’t reflective of the initially stated title and tasks,” Wald says. To ensure that an employer and a CSO candidate are on the same page, Wald says the security pro “should be encouraged to speak to other immediate team members and partner stakeholders in product strategy, operations, business, finance, and legal teams — to gain insight and perspective on the prospects, needs, roadmap, and related touchpoints to help come to a consensus on the viability of that opportunity.” How CSOs can be sure they’re the ‘real deal’ IT security leaders can know you’re the real deal when the business seeks your counsel on non-security issues and you are comfortable being challenged regarding other business decisions, Breckenridge explains. “When a business unit leader asks for your input on a new market entry or an M&A deal because they value your risk-adjusted perspective, you’ve arrived,” Breckenridge says. “You also know you’re ready when you can comfortably accept ‘informed risk’ and feel like you’re fine signing off on a known vulnerability because the business value of a launch outweighs the technical debt.” Other sure signs that you deserve the title: You can confidently execute the plan. You’re able to initiate an incident call, follow the firm’s IR policy, and execute the breach playbook without creating privilege problems or ethical‑wall violations, McCreary explains. “You’ve established a cadence that truly moves the needle. You lead security standups and actively participate in AI task forces or subcommittees where decisions result in tangible outcomes, like new policies, controls, or training,” McCreary says. “You effectively educate your stakeholders. You deliver training and practical AI and infosec guidance that the organization genuinely uses.” Assuring oneself, and the organization, that all is well in the role To demonstrate both to themselves and the organization that they are right for the role, CSOs should ensure that security strategy, processes, and protective measures are being met, while showing very tight integrations with program leaders in legal, privacy, compliance, and integration and vendor relationships, Wald says. In the era of the SEC’s new disclosure rules, title inflation is no longer cosmetic, Breckenridge says. It’s a material risk. Holding a CSO title without real authority, budget, or program ownership exposes individuals to accountability for failures they don’t control. “The strongest security leaders I see are wary of titles without mandate. They care about scope, outcomes, and access, not optics,” Breckenridge says. To prove their worth, CSOs should move the needle from “incident-free days” to “resiliency metrics,” Breckenridge explains. “Prove that when things break — which inevitably they will — the recovery time is decreasing and the blast radius is shrinking,” Breckenridge says. “When you can show that security is a frictionless part of the CI/CD pipeline rather than a gate at the end, the organization will trust that the function is healthy. And, peers will seek their input early rather than late, which is often the strongest signal of credibility.” From a recruiting and career path standpoint, Breckenridge says inflated titles also distort long-term career trajectory. When abilities don’t match the title, it shows up quickly in future interviews, especially at the executive level where outcomes, governance, and credibility matter more than labels. “The key point being that the market is an objective judge,” Breckenridge says. “When leaders interview for their next role, they’re assessed on what they’ve actually owned, influenced, and delivered. Inflated titles tend to deflate fast when examined against real outcomes and operating experience.” View the full article

  18. AI-powered attack kits go open source, and CyberStrikeAI may be just the beginning

    CSOonline posted a techarticle in Security
    AI is making it ever easier for bad actors to launch attacks, and a newly-identified open source platform, CyberStrikeAI, seems to be lowering the bar even further. The platform packages end-to-end attack automation into a single AI-native orchestration engine, and is linked to the threat actor behind the recent campaign that breached hundreds of Fortinet FortiGate firewalls. That developer is believed to have “some ties” to the Chinese government, according to research from cybersecurity company Team Cymru. According to its GitHub repository, CyberStrikeAI ships with 100-plus curated tools covering “the whole kill chain.” It comprises an “intelligent” orchestration engine, role-based testing with predefined security roles, a system featuring what it calls specialized testing skills, and “comprehensive” lifecycle management capabilities, the researchers said. This type of easy-to-use tool is increasingly giving threat actors of all kinds, including novices, the ability to launch attacks with just a few quick keystrokes. “The adoption of CyberStrikeAI is poised to accelerate, representing a concerning evolution in the proliferation of AI-augmented offensive security tools,” Will Thomas, a senior threat intelligence advisor at Team Cymru, warned in a blog post. Providing end-to-end automation On its GitHub page, CyberStrikeAI claims it is an “auditable, traceable, and collaborative testing environment for security teams.” It features native Model Context Protocol (MCP), so it can easily connect with external data, tools, and systems without requiring separate integrations. It says it supports end-to-end automation, “from conversational commands to vulnerability discovery, attack-chain analysis, knowledge retrieval, and result visualization.” The GitHub page outlines the product highlights: 100-plus prebuilt tool recipes and a human-readable YAML-based extension system; Attack-chain graph, risk scoring, and “step-by-step replay”; Password-protected web user interfaces (UIs) and audit logs; A knowledge base with vector search, hybrid retrieval, and searchable archives; Vulnerability management with create, read, update, delete (CRUD) operations, severity tracking, status workflow, and statistics; Batch task management that can organize task queues and add and execute multiple tasks sequentially. In addition, integrated chatbots, dubbed DingTalk and Lark, allow users to talk to CyberStrikeAI from their mobile devices. CyberStrikeAI’s tooling supports a full attack chain, and includes network and vulnerability scanning; web and app testing; password cracking; exploitation and post-exploitation frameworks; container, cloud, and API security; subdomain enumeration (used to uncover vulnerabilities); capture the flag (CTF) utilities; and forensic and binary analysis. A dashboard helps users quickly understand core features and current state. Basic users can perform quick start one-command deployment, while more advanced users can dive into more complex tasks. These include predefined role-based testing (pen testing, CTF, web app scanning), custom prompts and tool restrictions, skills systems (with 20-plus skills, including SQL injection and API security) that can be called on demand by AI agents, tool orchestrations and extensions, and attack chain intelligence. “Making this kind of tooling available as public open source, given its sophistication and the ability to cause real harm, is irresponsible,” said David Shipley of Beauceron Security. “This is a whole new ballgame from past tools that can be used by ethical hackers and security researchers responsibly.” Prediction: a proliferation of AI-augmented offensive security tools CyberStrikeAI’s GitHub activities suggest its developer, known as Ed1s0nZ, interacts with Chinese private sector firms with known ties to the Chinese Ministry of State Security (MSS). Between January 20 and 26, the Team Cymru researchers observed 21 unique IP addresses running CyberStrikeAI, with servers primarily hosted in China, Singapore, and Hong Kong. This indicates a “sharp increase in operational usage” since the GitHub repository was created in November 2025, Team Cymru’s Thomas noted. “As adversaries increasingly embrace AI-native orchestration engines, we expect to see a rise in automated, AI-driven targeting of vulnerable edge devices,” including firewalls and VPN appliances, he warned. In the near future, defenders must prepare for an environment where tools like this, and other “AI-assisted privilege escalation projects,” lower the barrier to entry for complex network exploitation, he cautioned. Beauceron’s Shipley added: “We truly have opened Pandora’s Box and a lot of organizations are going to be harmed. There’s no way they can keep up with this.” It’s analogous to going “from muskets to AK-47s,” he noted, and the knee-jerk reactions from lawmakers will harm even good faith research efforts. “We’re in a lot of trouble in 2026, and this is only one of the tools hitting the streets.” View the full article

  19. OAuth phishers make ‘check where the link points’ advice ineffective

    CSOonline posted a techarticle in Security
    Microsoft has warned that phishers are exploiting a built-in behavior of the OAuth authentication protocol to redirect victims to malware, using links that point to legitimate identity provider domains such as Microsoft Entra ID and Google Workspace. The links look safe but ultimately lead somewhere that isn’t. “OAuth includes a legitimate feature that allows identity providers to redirect users to a specific landing page under certain conditions, typically in error scenarios or other defined flows,” Microsoft’s Defender Security Research Team wrote in a blog post. “Attackers can abuse this native functionality by crafting URLs with popular identity providers, such as Entra ID or Google Workspace, that use manipulated parameters or associated malicious applications to redirect users to attacker-controlled landing pages.” The company said it has disabled several malicious OAuth applications linked to the activity but warned that related campaigns are continuing and require ongoing monitoring. How the attack works The attack starts with a phishing email, with observed lures impersonating e-signature requests, HR communications, Microsoft Teams meeting invites, and password reset alerts, the malicious links embedded either in the email body or inside a PDF attachment, Microsoft researchers wrote in the blog post. The link points to a real OAuth authorization endpoint but is built with deliberately broken parameters. Attackers use a “prompt=none” value, requesting a silent authentication with no login screen, and pair it with an invalid scope value. The combination is designed to fail. When it does, the identity provider redirects the user’s browser to a URI registered by the attacker. “Although this behavior is standards-compliant, adversaries can abuse it to redirect users through trusted authorization endpoints to attacker-controlled destinations,” the researchers wrote in the blog post. The technique represents a structural shift in how attackers approach identity, said Greyhound Research chief analyst Sanchit Vir Gogia. “The first hop is real. The browser is behaving correctly. The identity provider is behaving correctly. The trust signal is authentic,” he said. “This shifts phishing from deception at the brand layer to manipulation at the workflow layer.” In one campaign Microsoft detailed in the blog post, the redirect delivered a ZIP archive containing a malicious shortcut file to the victim’s device. Opening the file triggered a PowerShell script that ran reconnaissance commands and ultimately connected to an attacker-controlled server, the post said. Microsoft described the subsequent activity as consistent with pre-ransomware behavior. Other campaigns the blog post detailed routed victims to adversary-in-the-middle frameworks such as EvilProxy to harvest credentials and session cookies. Context, not the URL, is the new red flag Sakshi Grover, Senior Research Manager at IDC Asia/Pacific, said the longstanding advice to hover over a link and verify its domain was built for an era of lookalike domains and that it no longer holds in environments where authentication flows routinely pass through trusted identity providers. “Organizations should shift awareness messaging from ‘check the link’ to ‘validate the context,’” she said. “Employees should be trained to question whether an authentication request was expected, whether it aligns with a current business activity, and whether the application is requesting permissions that make sense.” Gogia said enterprises need to go further and change the underlying behavior entirely. “Never initiate authentication journeys from unsolicited inbound links,” he said. “Authentication should begin from controlled starting points, not from email triggers.” He added that reporting unexpected login journeys must be made frictionless, and that speed of reporting is more valuable than confidence in personal judgment. The governance gap attackers exploit Both analysts pointed to OAuth application governance as the deeper structural gap this campaign exploits. Grover of IDC said governance maturity remains uneven across enterprises. “Broad default consent settings and limited monitoring of redirect URIs remain common, particularly in environments where cloud and SaaS adoption have outpaced identity governance controls,” she said. The scale of the problem is easy to underestimate, according to Gogia of Greyhound Research. “Every SaaS integration, automation workflow, and collaboration tool may require an application registration. Over time, tenants accumulate hundreds or thousands of registered apps. Redirect URIs are configured during setup and rarely revisited,” he said. “Telemetry exists. Interpretation does not.” Microsoft said in the blog post that organizations should restrict user consent to third-party OAuth applications, audit app permissions regularly, and remove applications that are unused or over-privileged. The post also published 16 client IDs linked to the threat actors’ malicious applications and a list of initial redirection URLs as indicators of compromise. KQL hunting queries for Microsoft Defender XDR customers are included in the post to help identify related activity across email, identity, and endpoint signals. The technique will remain effective for as long as enterprises leave these gaps unaddressed, Gogia warned. “It does not require breaking encryption,” he said. “It requires exploiting administrative complacency.” View the full article

  20. Jetzt Staats-CISO werden – für unter 160.000 Euro

    CSOonline posted a techarticle in Security
    Das britische Government Communications Headquarters (GCHQ) in Cheltenham, England. GCHQ Eine aktuelle Stellenausschreibung sorgt in der Branche für Kopfschütteln. Sie legt nahe, dass manche hochrangigen Regierungsstellen offenbar nicht ganz mit der Realität des heutigen Cybersecurity-Arbeitsmarktes Schritt halten. Dabei ist gut dokumentiert, dass weltweit erheblicher Bedarf an IT-Sicherheitsexperten besteht. Laut einer aktuellen Umfrage von ISC2 sind 33 Prozent der Unternehmen nicht in der Lage, ihre Security-Teams ausreichend zu besetzen. Die Folge dieses Fachkräftemangels: Entsprechend qualifizierte Spezialisten werden in der Privatwirtschaft in der Regel sehr gut bezahlt – wobei der Staatsdienst in Großbritannien hier offenbar eine Ausnahme bildet. Viel Verantwortung, wenig(er) Geld Das britische Government Communications Headquarters (GCHQ), quasi das Pendant zur US-amerikanischen National Security Agency (NSA), sucht derzeit einen Chief Information Security Officer (CISO). Die Position wird in der Ausschreibung als „eine der einflussreichsten Führungsrollen im Bereich Cybersicherheit im Vereinigten Königreich“ beschrieben. Das maximale Jahresgehalt liegt bei 130.000 britischen Pfund, was umgerechnet etwa 150.000 bis 155.000 Euro sind. Aktienoptionen oder andere Zusatzvergütungen, wie man sie aus der Industrie kennt, sind nicht vorgesehen. Gefordert werden für diesen CISO-Job unter anderem „Expertise in der Absicherung von Cloud-Umgebungen und neuen Technologien im Rahmen von Digitalisierungsprogrammen sowie ein fundiertes Verständnis regulatorischer Compliance-Frameworks (etwa NIST, ISO 27001, DSGVO und GovS 007“. Darüber hinaus sind Zertifizierungen wie CISSP, CISM oder CCISO besonders erwünscht. Die Ausschreibung unterstreicht zugleich die strategische Bedeutung der Rolle: „Als CISO arbeiten Sie mit Kolleginnen und Kollegen daran, die Cyber- und Informationssicherheitsstrategie der Organisation festzulegen und umzusetzen. Dabei gilt es, das richtige Gleichgewicht zwischen Leistungsfähigkeit, akzeptablem Risiko und technologischem Fortschritt zu finden. Sie integrieren Security-Governance in komplexe, behördenübergreifende Entscheidungsprozesse und stellen sicher, dass Informationsrisiken wirksam gemanagt werden.“ Es ist ein gewaltiges Maß an Verantwortung für eine erfahrene Führungskraft in einer Organisation, die dafür zuständig ist, ein ganzes Land vor Cyberkriminellen und feindlich gesinnten Staaten zu schützen. Dafür zahlt man in Großbritannien allerdings lediglich ein Gehalt, das in etwa dem eines Security-Architekten in einem mittelgroßen US-Unternehmen entspricht. (mb) View the full article

  21. Studie: Hacker legen Betrieb bei vielen Unternehmen lahm

    CSOonline posted a techarticle in Security
    Studio-M – shutterstock.com Hacker haben im vergangenen Jahr bei vielen Unternehmen in Deutschland Schäden angerichtet. Das zeigt eine repräsentative Befragung des Zentrums für Europäische Wirtschaftsforschung (ZEW) aus Mannheim, die der Deutschen Presse-Agentur vorliegt. In der Informationswirtschaft, die unter anderem IT- und Mediendienstleister umfasst, gab ungefähr jedes siebte Unternehmen an, 2025 Schäden durch Cyberangriffe erlitten zu haben. In der Industrie war es etwa jede achte Firma. Größere Firmen sind demnach eher betroffen: Unternehmen mit mindestens 100 Beschäftigten meldeten im vergangenen Jahr häufiger Schäden – in der Informationswirtschaft ein Fünftel, in der Industrie 17 Prozent. Große Unternehmen besonders im Fokus Für die Geschäftsabläufe der meisten Unternehmen sind Studienleiter Daniel Erdsiek zufolge möglichst reibungslos funktionierende IT-Systeme essenziell. «Der jüngste Hackerangriff auf die Deutsche Bahn verdeutlicht aber, welchen Cyberbedrohungen Unternehmen hierbei täglich ausgesetzt sind», teilte er mit. Die Deutsche Bahn (DB) war im Februar einem großangelegten Cyberangriff ausgesetzt – mit Auswirkungen auf die Buchungs- und Auskunftssysteme des Konzerns. Betroffen waren sowohl die Buchungsapp DB-Navigator als auch die Internetseite bahn.de. Aber auch andere Unternehmen berichten immer wieder von Hackerattacken. Stillstand als häufigste Folge Am häufigsten berichteten die Unternehmen in der ZEW-Befragung, dass durch die Angriffe der Betrieb unterbrochen wurde. In der Informationswirtschaft kam das etwas häufiger (9 Prozent) vor als in der Industrie (7 Prozent). Finanzielle Verluste, Lösegeldforderungen und der Abfluss sensibler Daten meldeten die Firmen ebenfalls, allerdings in geringerem Umfang. An der Umfrage beteiligten sich im Dezember und Januar rund 1.100 Unternehmen. View the full article

  22. Epic Fury introduces new layer of enterprise risk

    CSOonline posted a techarticle in Security
    Operation Epic Fury — the US administration’s sustained kinetic pressure on core Iranian regime assets — introduces a new layer of operational risk for every multinational with people, assets, or dependencies in the Middle East region and beyond. The immediate briefings from Washington — early damage assessments, stated intent, geopolitical framing, and situational updates and reporting — are useful for understanding what is transpiring but they do not account for the operational exposure that surfaces the moment hostilities begin. Decades of watching similar events, most recently in Ukraine, show a consistent pattern: Enterprises often experience the operational impact of such actions before governments complete their assessments. CISOs, CSOs, and chief risk officers now own that expanded risk surface across personnel, infrastructure, travel, and digital posture. Enterprise emergency action groups should already be validating assumptions and aligning organizational plans as conditions evolve. Today, however, that work becomes mandatory. This is a posture adjustment moment for all organizations that could be impacted by Operation Epic Fury and Iran’s response, not a wait and see moment. Iran’s retaliatory toolkit Iran retains a broad and durable set of tools it can use to impose cost on US and Western interests. These capabilities are not theoretical. They are active, distributed, and proven across multiple regions and time periods. Enterprise risk and security teams need to understand that these capabilities span several domains: Physical attacks on US-linked locations through direct action or partner groups. We are already seeing Iranian missile launches into a variety of nations in the region. Cyber operations that include disruptive activity, targeted intrusions, credential and access harvesting, destructive malware deployment, and the use of compromised infrastructure to support broader influence or operational objectives. Proxy networks across the Middle East provide reach, deniability, and flexibility. These extend beyond militias to organizations such as Hezbollah. Targeted attacks and assassination plots conducted selectively to create political or psychological pressure. Misinformation, disinformation, and influence activity designed to shape narratives or create friction. A global diaspora that, while overwhelmingly uninvolved, includes individuals who may be more susceptible to pressure or outreach from Iranian services. These capabilities translate directly into enterprise‑level exposure across personnel, infrastructure, travel, and digital posture. This is the baseline. It is the capability set that informs every section that follows. The question for the enterprise is not whether Iran can retaliate, but which combination of these tools it chooses to employ and where these actions will surface first. Cyber and risk leaders’ immediate next steps Here are some guidelines on how CISOs, CSOs, and chief risk officers should respond to the new layer of risks introduced by Operation Epic Fury across the following key domains: Personnel: Experience in conflict‑adjacent environments taught me that employees under stress behave according to circumstance, not policy. Once the conflict involves the region or country where your personnel are located, your workforce becomes part of the risk surface. Confirmed reports from Bahrain, for example, show apartment buildings being damaged by Iranian drones, an illustration of how quickly civilian areas can become affected. Generic safety or travel briefings are no longer adequate. If you have employees and families in the area of conflict, you must have evacuation triggers and structured wellness checks for all staff and travelers. Those most likely to be affected must be included in the planning phase, because on‑the‑ground reality is indispensable. Resilience comes from preparation, not optimism. Essential services: Water, power, fuel, and other critical lifeline infrastructure are attractive targets for groups seeking to disrupt regional stability. The daily resilience demonstrated in Ukraine shows a clear pattern: The organizations that remained operational were the ones able to source material to repair or replace what failed. The question is simple. If your personnel lose water, power, or communications for two weeks, what is your plan, and who owns execution? The same logic applies to mobility and movement. Travel: Travel is one of the earliest indicators of rising operational risk, and it becomes a liability long before leadership labels it as such. Years of intelligence assessments and Iran’s demonstrated capability require a different lens on all authorized international travel. In post‑incident reviews, the pattern is consistent: Once tensions rise or conflict begins, civil aviation and maritime logistics become targeted, high‑impact levers for creating economic and political pressure. They are symbolic, visible, and deeply tied to global business operations. Any itinerary that transits the Gulf or relies on regional airspace or shipping lanes carries elevated risk. Interference events, diversions, seizures, and delays do not need to be widespread to create operational disruption. Clear thresholds for pausing travel or adjusting operations must be in place. This is the moment to validate assumptions, confirm who owns the call, and ensure travel policies match the conditions that actually exist. The digital domain follows the same pattern, often with even less warning. Cybersecurity: Iran’s cyber capability is not speculative; it is documented across years of joint advisories from CISA, FBI, NSA, and their international partners. Iranian state‑aligned actors routinely target poorly secured networks, internet‑connected devices, and critical infrastructure, often exploiting edge appliances, outdated software, and weak credentials. They have conducted disruptive operations against operational technology (OT) devices and have collaborated with ransomware affiliates to turn initial access into revenue or leverage. Their pattern is consistent with what I have written for years: They favor targets of opportunity, they blend symbolic disruption with credential harvesting and access development, and they use compromised infrastructure to support broader influence or operational objectives. They also work social networks to compromise or recruit insiders, often under a false flag. And when required, they take the time to target, assess, and execute with patience and intent. Iran is a patient adversary. The practical point is simple: Iran’s cyber activity accelerates during periods of geopolitical tension, and enterprises with exposed services, unpatched infrastructure, or unmanaged edge devices become part of the accessible attack surface. Preparation is key This is a period for disciplined preparation, not alarm. The organizations that fare best are the ones that adjust early and execute with clarity. See also: Iran’s partial internet shutdown may be a windfall for cybersecurity intel Iran-linked MuddyWater APT deploys Rust-based implant in latest campaign Iranian APT hacks helped direct missile strikes in Israel and the Red Sea View the full article

  23. Studie: Hacker legen Betrieb bei vielen Unternehmen lahm

    CSOonline posted a techarticle in Security
    Studio-M – shutterstock.com Hacker haben im vergangenen Jahr bei vielen Unternehmen in Deutschland Schäden angerichtet. Das zeigt eine repräsentative Befragung des Zentrums für Europäische Wirtschaftsforschung (ZEW) aus Mannheim, die der Deutschen Presse-Agentur vorliegt. In der Informationswirtschaft, die unter anderem IT- und Mediendienstleister umfasst, gab ungefähr jedes siebte Unternehmen an, 2025 Schäden durch Cyberangriffe erlitten zu haben. In der Industrie war es etwa jede achte Firma. Größere Firmen sind demnach eher betroffen: Unternehmen mit mindestens 100 Beschäftigten meldeten im vergangenen Jahr häufiger Schäden – in der Informationswirtschaft ein Fünftel, in der Industrie 17 Prozent. Große Unternehmen besonders im Fokus Für die Geschäftsabläufe der meisten Unternehmen sind Studienleiter Daniel Erdsiek zufolge möglichst reibungslos funktionierende IT-Systeme essenziell. «Der jüngste Hackerangriff auf die Deutsche Bahn verdeutlicht aber, welchen Cyberbedrohungen Unternehmen hierbei täglich ausgesetzt sind», teilte er mit. Die Deutsche Bahn (DB) war im Februar einem großangelegten Cyberangriff ausgesetzt – mit Auswirkungen auf die Buchungs- und Auskunftssysteme des Konzerns. Betroffen waren sowohl die Buchungsapp DB-Navigator als auch die Internetseite bahn.de. Aber auch andere Unternehmen berichten immer wieder von Hackerattacken. Stillstand als häufigste Folge Am häufigsten berichteten die Unternehmen in der ZEW-Befragung, dass durch die Angriffe der Betrieb unterbrochen wurde. In der Informationswirtschaft kam das etwas häufiger (9 Prozent) vor als in der Industrie (7 Prozent). Finanzielle Verluste, Lösegeldforderungen und der Abfluss sensibler Daten meldeten die Firmen ebenfalls, allerdings in geringerem Umfang. An der Umfrage beteiligten sich im Dezember und Januar rund 1.100 Unternehmen. View the full article

  24. 7 factors impacting the cyber skills gap

    CSOonline posted a techarticle in Security
    Individuals with strong cybersecurity skills are in high demand. That’s no secret. What’s most important is the fact that the shortage is preventing many enterprises from building sustainable cybersecurity talent pipelines. According to World Economic Forum statistics, only 14% of organizations are confident they have the people and skills required to meet their cybersecurity objectives. Here’s a quick rundown of seven factors that are impacting security leaders’ abilities to ensure they have the cybersecurity skills their organizations need. 1. Restricted budgets, increased burnout Budget cuts often drive a security team shortage, says Sameer Ansari, global CISO solutions leader at enterprise consulting firm Protiviti. “CISOs are being asked to do more with less,” he states. Ansari also notes a growing burnout trend, one that sees existing cybersecurity talent increasingly searching for other opportunities due to the high stress and always-on mentality needed by competent cyber professionals. “Increasing threat complexity is also a challenge CISOs face when trying to source new talent,” he adds. Given the fact that the expert shortage isn’t likely to abate soon, many CISOs are now turning to managed services, Ansari says. “We’re hearing from a number of clients that there are certain operational services they’re looking to outsource so they don’t have to worry about dealing with attrition or sourcing talent.” Ansari reports that he’s also encountering a growing number of CISOs who are looking internally to fill security roles, seeing if they can retrain software engineers, for example, to gain additional cybersecurity skills to fill-in talent gaps. 2. Emerging technologies New technologies, particularly AI, are contributing to a cyber landscape that’s evolving so quickly it’s hard for even highly skilled cybersecurity professionals to pace, says Dan Lohrmann, CISO at enterprise strategy and consulting firm Presidio. AI-driven threats keep moving the target, allowing cybercriminals to attack with unprecedented levels of speed and agility, Lohrmann says. “New AI defense tools also require fresh skillsets, forcing cybersecurity professionals to either learn how to operate and work alongside a new system or be left behind.” He adds that the cybersecurity skills gap is especially pronounced in the public sector, due to hiring freezes, budget cuts, and various cyber grants drying up. Lohrmann notes that CISOs often fail to frame the skills gap as a business risk. “They neglect to properly communicate its consequences to the board and executive leadership.” Other big mistakes, he notes, is neglecting to take care of the skilled cyber workers they already have and setting unrealistic job requirements. 3. Conflicting expectations Employers and potential security team candidates often aren’t on the same page, and that mismatch in expectations is the driving force behind the perceived skills gap, says Brandyn Fisher, security services director at Centric Consulting. “Organizations often rigidly pursue candidates with a ‘picture perfect’ profile, expecting senior expertise at compensation levels that don’t match the needed experience,” he states. “On the flip side, some candidates expect high salaries and specialized work immediately after graduation.” Remarkably, despite over a decade of talk about a cyber skills gap, organizations still manage to fill roles. “This suggests that the real challenge is misaligned expectations, not a lack of capable professionals,” Fisher says. He believes that employers need to be realistic about what they are requesting and what they are offering. “Candidates, likewise, should understand the value they bring and the experience they still need to build,” Fisher advises. “Resetting expectations on both sides will help close this gap.” 4. Outdated thinking, strategies, or operations CISOs play a strategic role in managing cyber risk, but narrowing the skills gap requires a multi-disciplinary approach, says Adi Karisik, vice president and CTO of intelligence and cyber at systems engineering and technical services firm Amentum. Many organizations resist change, often adhering to outdated processes developed decades ago, Karisik states. “For instance, decision-making may hinge on legacy systems designed by individuals who have long since retired, leaving critical operations vulnerable and slow to adapt.” Organizations must embrace cultural change and modernization, Karisik advises. “Cyber threats will not wait for industries to catch up,” he warns. “To stay ahead, businesses must invest in cultivating a workforce that’s not only skilled, but also capable of responding dynamically to the ever-changing demands of cybersecurity.” 5. Skills and training mismatches The single biggest skills gap driver is the mismatch between how cybersecurity talent is traditionally trained and the abilities CISOs actually need, says Ron Delfine, executive director of the career center at Carnegie Mellon University’s Heinz College. The most effective CISOs focus on building skills internally, Delfine says. “From a career development perspective, this means investing in interdisciplinary education that blends cybersecurity, management, and policy, as well as developing internal talent through structured upskilling and leadership pathways, not just external hiring and creating teams with complementary skill sets.” Failing to build and maintain a strong cybersecurity team can lead to relying on a small number of senior leaders, Delfine says. It can also increase staff burnout. “All of these factors can lead to slower incident response and recovery due to poor cross-functional coordination as well as difficulty justifying security investments to executives and boards,” he says. 6. Systemic cyber strategy disconnects The cybersecurity skills gap has moved beyond being a hiring challenge to become a direct operational risk, warns Yash Patel, a senior security engineer at Microsoft. “While organizations continue to invest in advanced security tools, many lack the human capability required to operate, interpret, and adapt those tools effectively,” he explains. “The result is a widening disconnect between security intent and security outcomes.” Successful CISOs focus on building capability, not just headcount, Patel states. This means hiring based on curiosity and problem-solving ability, investing in hands-on learning, and creating environments in which teams can practice investigations and threat analysis. “Embedding security knowledge across IT and engineering functions also helps reduce dependency on a small group of specialists,” he says. Operationally, the cyber skills gap creates weak and fragile defenses. “Tools may be deployed correctly, but detections are poorly tuned, incidents are addressed superficially, and root causes remain unresolved,” Patel warns. “Many breaches occur not because controls were missing, but because teams lacked the expertise to act on early warning signs.” 7. Failing to simplify and scale Top CISOs accept two facts up front: Teams will always be somewhat understaffed and that the threat landscape is moving at lightning speed, says Aman Sirohi, CISO at data security firm Cyberhaven. The most effective CISOs don’t try to hire their way out, Sirohi says. “Instead, they narrow the gap by scaling the team through automation, simplifying security operations, improving signal-to-noise, and leveraging AI,” he states. “The fastest path forward is simplifying the environment, engineering repeatable security outcomes, and using technology to turn people into force multipliers.” View the full article

  25. Das gehört in Ihr Security-Toolset

    CSOonline posted a techarticle in Security
    Gorodenkoff | shutterstock.com Sicherheitsentscheider sind mit einer sich kontinuierlich verändernden Bedrohungslandschaft, einem zunehmend strengeren, regulatorischen Umfeld und immer komplexeren IT-Infrastrukturen konfrontiert. Auch deshalb wird die Qualität ihrer Sicherheits-Toolsets immer wichtiger. Das Problem ist nur, dass die Bandbreite der heute verfügbaren Cybersecurity-Lösungen überwältigend ist. Für zusätzliche Verwirrung sorgen dabei nicht nur diverse Buzzwords, sondern auch diverse Überschneidungsbereiche der unterschiedlichen Tool-Kategorien. Im Folgenden lesen Sie, welche Art von Security-Lösungen für Unternehmen obligatorisch sind – und warum. 13 essenzielle Security-Tools für Unternehmen 1. Extended Detection and Response (XDR) KI-gestützte XDR-Lösungen entwickeln sich zu einer tragenden Säule der „Next Generation“-Security. Allerdings ist diese Tool-Kategorie sowohl schwer abzugrenzen als auch zu definieren. Extended-Detection-and-Response-Lösungen arbeiten am Top-Funnel und identifizieren Bedrohungen in Netzwerken, Endpunkten oder der Cloud, indem sie die Sicherheits-Tools, die im Unternehmen zum Einsatz kommen automatisieren oder integrieren. Laut Forrester Research können Bedrohungen so besser identifiziert und analysiert werden. Zudem verbessert sich dank Echtzeit-Features auch die Fähigkeit, auf Threats zu reagieren. Werden die XDR-Funktionen ausgelagert, spricht man von Managed Detection and Response – MDR. XDR auf KI-Basis ist ein effektives Threat-Intelligence- und Vulnerability-Management-Tool und kann dazu beitragen, Attacken auf Unternehmensnetzwerke abzuwehren. In der Regel kommen XDR-Tools in Kombination mit Firewalls zum Einsatz. Das soll gewährleisten, Bedrohungen zu identifizieren und priorisieren, sobald sie im Netzwerk sind. Die Zielsetzung besteht allgemein darin, den Großteil der Threats in (nahezu) Echtzeit und ohne manuelle Verifizierung zu blockieren. 2. Multifaktor-Authentifizierung (MFA) Nicht nur für den Schutz von Endpunkten sind MFA-Lösungen längst unverzichtbar geworden. Auch viele Cyberversicherer setzen MFA inzwischen für den Zugang zu ihren Policen voraus. Das verlangt den Benutzern ab, sich zusätzlich zu authentifizieren, sobald sie auf ein Konto oder eine Applikation zugreifen möchten. Dazu kommen beispielsweise externe Security-Keys, mobile Authentifizierungs-Apps oder SMS-Codes zum Einsatz. Eine adaptive MFA-Lösung erfordert hingegen nur dann eine zusätzliche Authentifizierung, wenn Benutzerinteraktionen als risikobehaftet eingestuft werden. Im Vergleich zur einfachen Benutzerauthentifizierung mit Benutzername und Passwort ist die Multifaktor-Authentifizierung die sicherere und effizientere Methode. 3. Network Access Control (NAC) NAC befähigt Unternehmen dazu, Sicherheitsrichtlinien durchzusetzen, sobald Devices oder Benutzer versuchen, auf ihr Netzwerk zugreifen. Das sorgt für einen klaren Blick darauf, wer sich von wo aus anmeldet und gewährleistet, dass die verbundenen Devices über die nötigen Sicherheits-Updates und Kontrollmaßnahmen verfügen, bevor rollenbasierter Zugriff auf Unternehmensressourcen gewährt wird. Angesichts immer komplexerer IT-Infrastrukturen und neuen Regulierungen ist der Blick auf alle mit dem Unternehmensnetzwerk verbundenen Geräte sowie einheitliche Zugriffskontrollen unabdingbar. Das Gros der NAC-Anbieter hat seine Produkte dabei auf die wachsende Zahl von Mobile- und IoT-Devices ausgelegt. 4. Data Loss Prevention (DLP) DLP-Tools sorgen dafür, dass sensible Unternehmensdaten (unabsichtlich oder absichtlich) nicht nach außen dringen. Dazu überwachen diese Werkzeuge den Netzwerk-Traffic auf bestimmte Datenelemente oder Muster (beispielsweise Kreditkarteninformationen) und alarmieren Administratoren, wenn das Risiko eines Datenabflusses besteht. Diverse Produkte im Bereich Data Loss Prevention sind außerdem darauf konzipiert, auch vor Cloud-basierten Datenlecks zu schützen. Entsprechend ist eine DLP-Lösung ein essenzielles Werkzeug, um cyberkriminelle Aktivitäten im Netzwerk zu erkennen. Darüber hinaus ist diese Kategorie jedoch auch von entscheidender Bedeutung, um Insider-Bedrohungen zu identifizieren. Angesichts der Bußgelder, die bei einem Datenschutzverstoß drohen, ist eine effiziente Data Loss Prevention Software auch in monetärer Hinsicht eine lohnende Investition. 5. Firewall Eine Firewall filtert auf der Grundlage definierter Regeln (die von Administratoren festgelegt werden) den Netzwerkverkehr. Das erhöht den Schutz vor Malware, nicht autorisierten Anmeldeversuchen und anderen Bedrohungen. Über eine Firewall-Lösung erhalten Unternehmen die Möglichkeit, ihren Traffic anhand diverser verschiedener Kriterien zu filtern – beispielsweise IP-Ranges, URLs oder Ports. Moderne Firewall-Produkte gehen längst über die reine Perimeter-Schutzfunktion hinaus und bieten erweiterten, Client-seitigen Schutz. Dabei nutzen State-of-the-Art-Lösungen auch Machine Learning (ML) und künstliche Intelligenz (KI), um Muster oder Anomalien in Echtzeit zu erkennen und automatisiert darauf zu reagieren. Das kann dazu beitragen, potenzielle Schäden erheblich zu minimieren oder vollständig abzuwenden. 6. Intrusion Prevention Systems (IPS) Bei Intrusion-Prevention-Systemen handelt es sich um eine „Inline“-Technologie, die in der Regel „hinter“ der Firewall eingesetzt wird, um schadhafte Datenpakete im Traffic automatisch zu löschen. Dazu kommen weitere, proaktive Maßnahmen, um Bedrohungen weiter einzudämmen, etwa Netzwerk-Scans und Reporting-Funktionen zu potenziellen Bedrohungen. Ein IPS ergänzt und erweitert also Firewalls und andere Netzwerk-Verteidigungssysteme. Dabei kann diese Kategorie von Lösung die Reaktionszeit auf Sicherheitsvorfälle potenziell erheblich verkürzen und damit Schaden vom Unternehmen abwenden. 7. Identity and Access Management (IAM) Um den Benutzerzugriff auf Systeme und Daten zu kontrollieren, kommen Unternehmen an IAM nicht vorbei. Diese Lösungen stellen sicher, dass ausschließlich autorisierte Personen auf die Ressourcen zugreifen können, die sie benötigen. Das funktioniert im Regelfall über rollenbasierte Zugriffsrechte. Weil immer mehr Applikationen und Daten in die Cloud migriert werden, entwickelt sich die Benutzeridentität zum neuen Perimeter. Entsprechend wichtig ist es, eine IAM-Lösung einzusetzen. Diese wird inzwischen auch im Rahmen diverser Cyberversicherungspolicen vorausgesetzt. 8. Cloud Access Security Broker (CASB) CASBs ermöglichen es Unternehmen, Sicherheitsrichtlinien für Benutzer durchzusetzen, die auf Cloud-basierte Services zugreifen. Diese Lösungen können On-Premises oder in der Cloud eingesetzt werden und „sitzen“ zwischen Cloud-Dienstanbieter und Benutzer. Das ermöglicht eine ganze Reihe von Sicherheitsverfahren mit Blick auf Authentifizierung, Autorisierung und Malware-Abwehr. Hinzu kommen zahlreiche neue, KI-basierte Features, die Unternehmen dabei unterstützen, SaaS-Anwendungen und -Daten abzusichern und Compliance-Vorgaben zu erfüllen. Darüber hinaus sind CASB-Lösungen auch hilfreich, um Identitäten und Authentifizierungs-Prozesse über mehrere Cloud-Anwendungen hinweg zu managen. 9. Anti-Malware-Tools Anti-Malware-Software wird oft mit Antivirus-Lösungen gleichgesetzt, allerdings unterscheiden sich diese Kategorien funktional. Denn Anti-Malware-Produkte schützen nicht nur vor Viren und Würmern, sondern auch vor anderen Threats wie Spyware, Ransomware, und Trojanern. Inzwischen haben Anti-Malware-Tools der Enterprise-Klasse eigenständige Antivirus-Angebote weitgehend ersetzt. Das macht auch Sinn, denn klassische Computerviren sind längst nicht mehr die größte Bedrohung für Unternehmen, auch wenn sie lästig sein können. Cryptomining und insbesondere Ransomware machen inzwischen den Großteil der Angriffe aus, die auf Client-Ebene durch Malware initiiert werden. 10. Mobile Threat Defense Um mobile Devices vor Cyberangriffen und Datenverlust zu schützen, sollten im Enterprise-Umfeld Tools aus der Kategorie Mobile Threat Defense eingesetzt werden. Laut den Analysten von Gartner definiert sich diese Produktkategorie dadurch, dass sie mobile Geräte auf Anwendungs-, Netzwerk- und Device-Ebene schützen kann. Für so gut wie alle Unternehmen stellt es eine Herausforderung dar, Mobilgeräte zu managen – egal, ob es dabei um Unternehmens- oder Privatgeräte geht. Lösungen aus dem Bereich Enterprise Mobility Management (EMM) oder Mobile Device Management (MDM)-Angebot verfügen oft nicht über die nötigen Detection- und Prevention-Funktionen, um Mobile-Bedrohungen den Wind aus den Segeln zu nehmen. 11. Backup und Disaster Recovery Lösungen im Bereich Backup und Disaster Recovery sind im Unternehmensumfeld bekanntermaßen Pflicht. Sie stehen in zahlreichen Ausformungen zur Verfügung, beispielsweise auf lokaler Ebene, über die Cloud oder als Air-Gapped-Lösungen. Unerlässlich ist diese Tool-Kategorie beispielsweise, um Daten nach einem Ransomware-Angriff sicher wiederherstellen zu können. Sogenannte Bare-Metal-Restores (BMRs) aus der Cloud sind dabei unter Umständen für manche Unternehmen noch Neuland. Diese Lösungen sind dem Umstand geschuldet, dass Geschwindigkeit ein wichtiger Faktor ist, wenn es um die Recovery geht. Diesbezüglich haben sich Cloud-basierte BMRs in den vergangenen Jahren erheblich weiterentwickelt. Auch sichere, verschlüsselte Backups sind inzwischen ein Faktor, um eine Cyberversicherungspolice in Anspruch nehmen zu können. 12. Incident Response Incident-Response-Systeme sind von entscheidender Bedeutung, um Data Breaches zu erkennen und zu gewährleisten, dass bei der Reaktion auf Sicherheitsvorfälle vorab definierte Prozesse in Kraft treten, um Daten zu schützen, Informationen für die IT-Forensik zu bewahren und alle relevanten Stakeholder informiert zu halten. Und zwar in der richtigen Reihenfolge. Systeme dieser Art können – je nach Branche – erforderlich sein, um Compliance-Regelungen zu erfüllen. Auch mit Blick auf Cyberversicherungen werden Incident-Response-Lösungen oft vorausgesetzt. 13. AI-SPM Getrieben vom weiterhin um sich greifenden KI-Hype wollen diverse Unternehmen die Technologie möglichst schnell implementieren – und verzichten dafür darauf, ihre Initiativen mit einer sicherheitstechnisch stabilen Grundlage auszustatten. Das setzt das Unternehmen und seine Daten neuen Schwachstellen und Bedrohungen aus. Diese adressiert die Tool-Kategorie AI Security Posture Management – kurz AI-SPM. AI Security Posture Management konzentriert sich darauf, die Integrität und Sicherheit von KI- und ML-Systemen zu gewährleisten. Dabei umfasst AI-SPM Strategien, Tools und Techniken, um Daten, Pipelines, Applikationen und Services mit Blick auf ihre Sicherheitslage zu überwachen, zu bewerten und zu optimieren. Das kann beispielsweise verhindern, dass sensible Daten in KI-Modelle einfließen oder gewährleisten, Governance-Richtlinien für Business-Anwender durchzusetzen. (fm) View the full article

Account

Navigation

Search

Search

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.