Everything posted by CSOonline
-
Germany and Israel train to repel a cyberattack
According to the Federal Ministry of the Interior, Germany and Israel have for the first time jointly trained to repel a serious cyberattack. The exercise, named “Blue Horizon”, was the first concrete step under the cyber and security pact that Federal Interior Minister Alexander Dobrindt (CSU) and Israeli Prime Minister Benjamin Netanyahu recently agreed.

“Cyberdome” is meant to protect against attacks

Among other things, the pact provides for close networking of the two countries’ security agencies and even closer cooperation in the areas of cybercrime, artificial intelligence (AI) and drone defence. According to the Interior Ministry, the exercise was also intended to let experts from both sides get to know each other better. The core of the cooperation is the construction of a German “Cyberdome”, modelled on the Israeli system.

Israel has experience with cyberattacks

According to Israeli sources, the “Cyberdome” is a defence system that merges diverse data sources and uses artificial intelligence to detect vulnerabilities and threats on the network, so that organisations can be warned early about possible attacks. Israel is regarded as a pioneer in cybersecurity. According to experts, the cyberattacks, frequently of Iranian origin, aim to sabotage Israel’s infrastructure, collect data and spread disinformation. Israel works with several allies to fend off such attacks. (dpa/jm)
-
CSO Barry Hensley on staying a step ahead of the cyber threat landscape
IT security was a critical element of retired US Col. Barry Hensley’s 24-year military career as an Army Signal Officer, as he was often responsible for the engineering and installation of “military networks, whether in garrison or in support of combat troops deployed.”

“The pinnacle of my military career was working with an elite group of cyber forces with the ultimate mission to operate and defend the military’s global communications network,” Hensley tells CSO. “It was during this period that I realized the severity of cybersecurity issues facing this [US] nation, and I wanted to commit my professional career to be part of the solution while continuing to fight the good fight.”

Today, Hensley is the CSO of Brown & Brown, a global insurance brokerage whose goal is to help clients safeguard what matters most to them. CSO spoke to Barry Hensley about cybersecurity in the insurance industry, how to keep cyber professionals inspired, and more.

How do organizations today perceive cybersecurity?

Hensley: The awareness of cybersecurity risks is more consistent across industry today, but the degree of required call to action often varies greatly. Cybersecurity is foundational to any organization, especially where customer confidence and trust are essential. And part of that trust includes the security of the networks, the data, and the services we provide.

It was not that long ago that organizations did not believe the risks were real or relevant to them. Times have changed as more organizations have either experienced a significant incident firsthand or have seen enough third- and fourth-party breach notifications to take up arms. All these events drive awareness and give credibility to the threats and associated risks. However, there is still a challenge in establishing an appropriate risk tolerance that drives the right investments in effective security controls, especially for budget-constrained organizations.

We also cannot forget the rise of government intervention, fines, and other regulatory actions related to cybersecurity events that will influence those perceptions.

What specific security risks are you facing in the insurance industry today?

Threat actors today have a common theme, and that’s how they capitalize on their access. So, personally, I do not over-index on the vertical-specific threats; it’s really about the data or access those organizations possess and its perceived value. Specific to the insurance industry, there may be information collected to inform a claim or policy that a threat actor might determine valuable even if it only refines their targeting efforts of others. However, we also cannot wish away the “idealist” or “ideologically motivated” threat actors that target the insurance industry because of historical misconceptions or animosity toward the industry.

Specific to ransomware, threat actors are likely to target organizations that have a high likelihood of paying or of being exploited. So, it’s as much about the data those organizations possess, not necessarily the industry verticals themselves, and the maturity of their security program. Threat actors want to expend the least number of resources for the highest return on investment, so they often target low-hanging fruit, which are, in many cases, the least mature security programs.

Do you see your cybersecurity strategy changing in the next few years?

Our strategy remains the same: focused security investments aligned to our risk tolerance, staying a step ahead of an increasingly active threat landscape. An example is the adoption of artificial intelligence hacking tools, clearly an illustration of the need to adapt. The question is: how do our security teams combat this advancement with our own AI strategy? How do we leverage AI to carry out those commodity tasks while unleashing our human teammates to focus on business context as it relates to the overall risk reduction and prioritization of training those AI models? So, imagine an AI security workforce that is led by human security subject-matter experts ensuring we have appropriate defenses at the right time and right place. An example would be conducting continuous penetration testing to find the gaps in our defenses that might otherwise go unnoticed.

We do see the evolution of third- and fourth-party risk management, especially in how we validate our security partners’ maturity and resilience. The evolution of risk is partly based on third and fourth parties swapping their underlying technologies to reduce cost or increase efficiencies, where a customer has little to no understanding of the risks that might expose. So, for the security functions we’re going to provide internally, we’ll focus on the basics and do them well. With the controls/functions we outsource, we must reimagine not only how we verify our partner environments but how we actively participate to improve their security programs as well as ours. We cannot forget that much of cybersecurity is about doing the basics brilliantly. And in this case, those basics are building and securing an infrastructure that will still be leveraged for years to come.

What do you do to retain cybersecurity professionals?

Leadership is about how you inspire people to achieve or accomplish a shared vision beyond what they ever expected they could do. Leaders must first understand teammates’ passions and relevant skills to align them to achieve business goals. Getting their buy-in is key while clearly articulating where they fit in the overall vision. At Brown & Brown, we help others protect what is most valuable to them. To retain our top talent, we make sure our teammates understand where they fit into that mission.

Our success story is based upon earning people’s business every day, and ensuring that our environment, networks, and data are secure is critical to building and retaining that trust. We need to demonstrate to our teammates just how integral they are to maintaining that trust in our customer relationships. We want them to wake up every day knowing that they play an important role not only in our security program, but also the broader Brown & Brown ecosystem. At Brown & Brown, we put the teammate first, as their expertise will always be a key differentiator.

What are you most proud of?

I am most proud of the inspiring team of security professionals that I work with each day. They always put the team before themselves, strive to be the very best at what they do, and always go the extra mile to ensure the security and protection of their teammates and the organization. I am truly blessed to be part of an amazing team whose work ethic and commitment to excellence are unparalleled in my experience.

Are there any questions CISOs should be asking themselves?

Are we assessing the most relevant risks, rather than the risks of yesterday? And, because we can get so wrapped up in the playbook that we ran in our last organization, how do we ensure the current playbook is relevant to the organization at hand? An example would be how much time we focus on phishing training, which burdens our teammates to be the first line of defense, where we could instead leverage anomaly-based detection to automate the detection and response actions.

What are the biggest security challenges cybersecurity leaders are facing right now?

Hensley: In this business, there is no single biggest challenge, but multiple, ever-evolving challenges that compete for our attention. A shared challenge across the entire cybersecurity community is having to be right 100% of the time in a world where threat actors are so agile, innovative, well-resourced, and advantaged with the element of surprise.

Cybersecurity professionals also struggle with prioritizing their efforts while providing innovative solutions for their enterprises. Every cybersecurity leader must wrestle with the risks posed by new technologies, with AI being just one of many. While there is no absolute “right” answer to the risk question, the age-old formula of mitigating threats against your most critical assets holds firm. Security teams have an ongoing mission to identify weaknesses, assess the likelihood of exploitation, and determine the resulting impact on the business. It’s a difficult but necessary step in the risk versus reward trade-off.

What keeps you up at night?

Hensley: The unknown. As I shared above, cybersecurity professionals must be right 100% of the time, while threat actors only need to exploit one unknown or unmitigated vulnerability, or take advantage of a single user with privileged access. Our risk modeling should invest in effective security controls to minimize the unknown threats as much as possible against our most critical assets.
-
When responsible disclosure becomes unpaid labor
Responsible disclosure is built on an assumption that “doing the right thing” will be met with timely action, fair treatment, and professional respect, if not a bounty award. Increasingly, that assumption is failing. And when it does, organizations alienate researchers and create regulatory, legal, and reputational risk.

Over the past few years, security researchers have found themselves waiting months, sometimes more than a year, for companies to acknowledge responsibly disclosed vulnerabilities, even as the same flaws quietly put customers at risk. In several cases, frustration over silence, disputed severity assessments, or shifting scope boundaries pushed researchers toward public disclosure, legal escalation, or questionable behavior companies later characterized as extortion. As vulnerability reporting becomes slower, more bureaucratic, and less rewarding, the line between cooperative research and adversarial pressure is blurring. For CISOs, this is no longer an ethics debate. It is a governance and risk-management problem.

A recent flashpoint

Most recently, the React2Shell vulnerability (CVE-2025-55182) illustrated how responsible disclosure can work when the right structures are in place. The flaw was privately reported to the React maintainers on 29 November 2025. The disclosure triggered a coordinated response involving the React team, Next.js maintainers at Vercel, and major cloud providers including Amazon Web Services (AWS) and Cloudflare, allowing patches to be developed and tested ahead of public disclosure. Despite the prompt acknowledgment and remediation efforts, the vulnerability was quickly exploited in the wild. Responsibility for mitigation was effectively distributed across maintainers, framework integrators, and downstream users. Because React sits at the core of the modern web stack, the flaw rippled across development and security teams globally, highlighting how even well-handled disclosures can still produce widespread operational risk.

React benefits from strong institutional support through the React Foundation and backing from multiple large technology companies. That support enables coordinated fixes, communication, and sustained maintenance. The more difficult question is what happens when a researcher uncovers a similarly critical flaw in a widely used open-source project that has no corporate backing, no formal security team, and no bounty program. In those cases, exploitation is clearly unethical, but reporting the issue often means unpaid labor with uncertain outcomes. The dilemma raised in practitioner circles after React2Shell was not about this specific incident, but about the broader incentive gap. If responsible disclosure offers neither compensation nor assurance of timely action, what realistically motivates researchers to continue doing the right thing? The question resonated not because it’s new, but because it reflects a growing disconnect between how vulnerability disclosure is supposed to function and how it increasingly does in practice.

Enter the gray zone of ethical disclosure

The result is a growing gray zone between ethical research and adversarial pressure. Based on years of reporting on disclosure disputes, that gray zone tends to emerge through a small set of recurring failure modes.

- Silent treatment and severity warfare: Researchers submit detailed reports and receive no response for months, or face disputes over CVE scope and CVSS scoring that turn technical discussions into negotiations. Researchers feel compelled to defend impact claims aggressively in order to be taken seriously, while vendors push back against what they view as inflated risk. In some cases, bounty hunters preemptively elevate severity, anticipating resistance and delays.
- Process as denial of service: Automated scanners, AI-assisted fuzzing, and largely theoretical bugs increasingly flood maintainers and security teams with low-signal reports, a dynamic repeatedly highlighted by Daniel Stenberg, the founder of the cURL project. As a defensive response, maintainers demand ever more concrete proof of exploitability, raising the threshold for engagement even for legitimate findings. In some cases, projects begin questioning whether bug bounties meaningfully improve security, or simply externalize triage cost under the guise of incentives.
- Coercive escalation: Finally, when established disclosure channels appear unresponsive or dismissive, some researchers resort to public pressure, legal threats, or ethically ambiguous demonstrations to force action.

Each of these failure modes seems rational in isolation. Together, they erode trust and steadily push responsible disclosure toward a more adversarial posture.

Case studies from the fault line

In 2025, a responsibly reported email spoofing flaw affecting a major delivery platform was deemed out of scope, triggering a dispute over severity and impact. The underlying issue was not whether the bug existed, but whether it crossed the organization’s internal threshold defining risk. The disclosure process stalled, and frustration escalated on both sides, with the vulnerability reporter barred from the bug bounty program over advances the company saw as extortion.

A similar pattern appeared at a ride-hailing company, where multiple researchers independently reported a flaw that allowed emails to be sent appearing to originate from the company’s domain. Despite clear reproduction steps and repeated follow-ups, the reports went unanswered for more than a year. Ethical disclosure was met not with remediation, but with silence.

Elsewhere, disputes have emerged over overlapping CVE claims, with multiple parties arguing over attribution for the same underlying issue. What is meant to be a coordination mechanism instead became a contest for recognition, further distorting narratives.

More troubling are cases where researchers crossed ethical boundaries entirely: for example, hijacking open-source libraries to harvest cloud credentials, or taking control of legitimate packages to embed job application messages, compromising downstream users in the process. Such actions are indefensible but are best understood as symptoms of a disclosure ecosystem that increasingly rewards escalation, visibility, or leverage over patience and cooperation.

Why is this happening now?

It would be easy to frame these disputes as a breakdown in professional norms, but what is happening beneath the surface is the convergence of several structural forces.

Vulnerability report volume has surged. Automated scanners and AI-driven fuzzing tools now generate vast numbers of technically valid but operationally irrelevant findings. Maintainers and security teams are forced to triage at scale, often under significant time and resource constraints.

At the same time, compliance pressures have hardened organizational responses. Once a CVE is reported, it is often treated as a problem by default, before context or exploitability is assessed. High severity scores can trigger build failures, audits, or executive escalation regardless of practical impact, a common frustration for developers using SCA tools that block builds over edge cases that ultimately need to be ignored or waived. CVSS scoring itself is mechanically calculated and intentionally environment-agnostic, meaning low-impact edge cases can score similarly to actively exploited flaws, contributing to alert fatigue and skepticism.

Finally, open source infrastructure remains structurally underfunded. Many critical components are maintained by a small number of individuals with no obligation, or capacity, to absorb the operational cost imposed by global dependency chains.

In this environment, demanding proof of real-world impact is a form of noise control, rather than hostility. That seemingly reasonable demand, however, has downstream consequences.

When proof becomes unpaid consulting

In many disputes, disclosure breaks down not because a vulnerability does not exist, but because proving its real-world impact requires environment-specific analysis that neither side budgeted for. Researchers are asked to build realistic PoCs, demonstrate exploit chains, or validate assumptions across configurations they do not control. Maintainers are asked to reason about downstream usage patterns far beyond their original design scope. Both are performing system-level analysis without compensation. Maintainers are justified in pushing back against low-signal reports. Researchers are justified in feeling that the bar for engagement keeps rising. The system offers no obvious place to send the cost.

Why should CISOs care and what can they do?

For cybersecurity leaders, the implications are concrete. When disclosure channels are perceived as slow, dismissive, or adversarial, researchers disengage. Some go quiet. Others escalate publicly. A few take ethically questionable paths. None of these outcomes improve security posture.

In practice, most of the levers that determine these outcomes sit with software vendors, platform providers, and open-source stewards. In those environments, CISOs oversee product security incident response teams (PSIRTs), vulnerability intake, disclosure timelines, and researcher engagement. This is where incentives are set, researcher experience is shaped, and triage decisions determine whether cooperation compounds or collapses.

For CISOs operating in vendor, platform, and open-source environments, there is no single fix. Outcomes improve materially when disclosure is treated as an operational function rather than a moral expectation. Practical steps that CISOs in this space can take include:

- Establish and honor service-level expectations for acknowledgement and triage, even when fixes take time.
- Assign clear ownership for the researcher experience, not just vulnerability intake.
- Publish severity triage criteria and document rationale when disagreeing with reports.
- Avoid treating CVSS scores as deployment gates without environmental context.
- Use third-party disclosure programs or coordinators to absorb overflow and reduce friction.
- Offer meaningful non-cash recognition where bounties are not feasible.
- Commit to upstreaming fixes when patching dependencies internally.
- Provide legal safe harbor language for good faith testing to reduce adversarial escalation.
- Fund the open-source dependencies your organization relies on, whether through sponsorship, contracts, or consortiums.
- Be explicit about what level of proof is expected and what isn’t.

None of these steps require endorsing exploit sales or paying ransoms for vulnerabilities. They require acknowledging that ethical behavior does not scale on goodwill alone.

For CISOs in healthcare, finance, education, and other consuming organizations, the risk manifests differently but no less acutely. When disclosure breaks down upstream, it surfaces downstream as delayed patches, brittle compensating controls, and security decisions driven by incomplete or distorted signals. Left unaddressed, those gaps can become governance failures. Organizations may be unable to explain why known vulnerabilities remained unpatched, why risk signals were discounted, or why vendor assurances were accepted without scrutiny. Enterprise CISOs influence this system through procurement requirements, vendor accountability, and how rigorously vulnerability data is contextualized before triggering disruption. Treating disclosure quality as a third-party risk factor is no longer optional.
-
The next big security battlefield
In recent years, artificial intelligence (AI) has spread its tentacles across the global technology landscape, as shown not least by the growing use of automation and autonomous technologies across industries and sectors. And while the world is still grappling with the impact of AI, the “next big thing” is already waiting in the wings: quantum computing. The collision of these two technologies promises to become the next great technological arena, one that could decisively shape not only computing and cybersecurity but even geopolitical power structures.

While AI algorithms are known for recognising patterns and learning from the data fed to them, quantum computers promise to explore several paths at once, which suggests that a revolution in data processing is imminent. Instead of the bits (0s and 1s) used by AI systems, quantum computers use qubits, which thanks to the principles of superposition and entanglement can exist in several states simultaneously. A well-designed quantum system thus promises to solve in microseconds problems that would take conventional computers years. That could, for example, help establish tamper-proof communication infrastructures in the future, keyword Quantum Key Distribution (QKD).

AI meets quantum computing: a double-edged sword

The more data flows into an AI algorithm, the better its results usually are. Large-scale AI systems such as ChatGPT or DeepMind’s AlphaFold, however, regularly run up against the limits imposed by their underlying hardware. With quantum computers these limitations would evaporate: they use Quantum Machine Learning (QML) to recognise patterns or optimise simulations, for instance.

Moreover, the concept of QML training will very likely also make it unnecessary to provide real-time training data through huge data centres. In practice, the capacity of quantum computers will deliver results in microseconds, making global real-time climate systems and real-time financial market simulations possible.

But the brave new quantum future also has a dark side: the technology can also be weaponised by cybercriminals. The resulting quantum-assisted cyberthreats could break current encryption schemes such as ECC, RSA or AES; the first two are used, for example, by financial institutions to secure online transactions. If these encryption methods were compromised, the confidentiality of encrypted data would be gone. The day this happens is also known as “Q-Day”. And further quantum-assisted dangers loom. Cybercriminals could use the technology, for example, to:

- crack passwords,
- forge digital certificates, or
- create deepfakes from AI systems.

The road to the quantum future

Both companies and government institutions are already preparing for Q-Day. The UK’s National Cyber Security Centre (NCSC), for instance, is pursuing a phased approach to harden all of its systems accordingly by 2035. In the US, the migration of national security systems is to proceed similarly, with 2030 as the target. These efforts are a proactive defensive approach focused on developing quantum-resistant encryption models and adaptive cybersecurity policies that can guarantee the security of cryptographic keys in the approaching quantum era.

Because quantum systems, too, are based on probabilities rather than certainties, the challenge for those developing these innovations is not just to find the fastest and most efficient ways of combining AI and quantum systems. It is also, and especially, about trust. That trust would have to be built through cybersecurity frameworks and regulations that improve security, transparency and governance. This can also help address post-quantum cryptography, AI audits, observability and ethics, which will form the foundation of resilient digital ecosystems.

Even if AI and quantum computing will not replace human intelligence, their traces will be visible everywhere in the not-too-distant future. The real question, however, is whether our society can adapt to the pace of these technological developments before it is dominated by them. Despite all the positive prospects, there is a great danger that the combination of quantum computing and AI will undermine the foundations of digital trust and privacy on which modern societies rest. And as Q-Day draws ever closer, so does the urgency of preparing for the post-quantum world. For companies, governments and cybersecurity experts, that means above all looking beyond the innovation and technological progress these technologies bring and focusing on resilience. That will require massive investment to promote ethical AI governance, regulatory frameworks and rules, and post-quantum cryptography standards in existing systems. (fm)

This article was published as part of Foundry’s English-language expert network.
-
Enterprise Spotlight: Manufacturing Reimagined
- In focus: Emerging Technologies
-
Ivanti patches two actively exploited critical vulnerabilities in EPMM
IT software company Ivanti released patches for its Endpoint Manager Mobile (EPMM) product to fix two new remote code execution vulnerabilities already under attack in the wild. “We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” the company said in a security advisory that identifies the new flaws as CVE-2026-1281 and CVE-2026-1340. Both issues are described by Ivanti as code injection issues that can be exploited without authentication and are rated 9.8 out of 10 on the CVSS severity scale. The flaws involve EPMM’s In-House Application Distribution and Android File Transfer Configuration features. Stand-alone patches and exploit details available Ivanti has not released new fully patched versions of EPMM, but rather version-specific stand-alone patches that need to be applied manually. The patches are packaged as rpm files and can be installed with the install rpm url [patch_url] command. The RPM_12.x.0.x patch is applicable to EPMM software versions 12.5.0.x, 12.6.0.x, and 12.7.0.x. It is also compatible with the older 12.3.0.x and 12.4.0.x versions. Meanwhile the RPM_12.x.1.x patch is applicable to versions 12.5.1.0 and 12.6.1.0. “The RPM script does not survive a version upgrade,” the company warns. “If after applying the RPM script to your appliance, you upgrade to a new version you will need to reinstall the RPM. The permanent fix for this vulnerability will be included in the next product release: 12.8.0.0.” While the Ivanti Sentry gateway product that secures traffic between mobile devices and back-end enterprise systems is not directly affected by these vulnerabilities, EPMM appliances do have command execution permission on Sentry gateways. As such, if an EPMM deployment has been compromised, the attackers might have compromised Ivanti Sentry as well. 
Researchers from penetration testing firm WatchTowr reverse engineered the patches and were able to figure out where the vulnerabilities are located and how to exploit them. A detailed write-up is available on the company’s blog. Exploit detection and remediation Ivanti published a separate document with guidance on how to scan EPMM appliances for potential compromise through these vulnerabilities. First off, the Apache Access Log found at /var/log/httpd/https-access_log could have evidence of attempted or successful execution of these vulnerabilities. The company advises triaging logs with the ^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404 regular expression and looking for HTTP 404 error response codes as well as GET requests with parameters that have bash commands. “The most common is the introduction of, or modification of, malicious files to introduce web shell capabilities,” the company said. “Ivanti has commonly seen these changes target HTTP error pages, such as 401.jsp. Any requests to these pages with POST methods or with parameters should be considered highly suspicious. Analysts who are performing forensic inspection of the disk should also review for unexpected WAR or JAR files being introduced to the system.” One thing to note is that attackers regularly delete logs to hide their tracks and that on systems with high utilization the logs might be rotated multiple times a day. That’s why customers are strongly advised to use the Data Export features to forward logs from the EPMM appliance to their SIEM system or other log aggregators. 
For any appliance that you suspect may be impacted, Ivanti recommends reviewing:
- EPMM administrators, for new or recently changed administrators
- Authentication configuration, including SSO and LDAP settings
- New pushed applications for mobile devices
- Configuration changes to applications you push to devices, including in-house applications
- New or recently modified policies
- Network configuration changes, including any network configuration or VPN configuration you push to mobile devices

After restoring a compromised EPMM appliance from clean backups, customers should reset the password of any local EPMM accounts, reset the password of any LDAP and/or KDC service accounts used to perform lookups, revoke and replace the public certificate used on the EPMM deployment, and reset the password for any other internal or external service accounts configured on the EPMM solution. Because EPMM has command execution on Sentry, and Sentry routes traffic from mobile devices to internal network systems, the systems that Sentry can access should also be reviewed for signs of compromise. View the full article
-
Startup Amutable plotting Linux security overhaul to counter hacking threats
If there’s one thing guaranteed to grab attention in the computer security world, it’s announcing yourself without fully explaining what it is you plan to do. This week, the Linux world got a taste of this enigmatic marketing ploy with the launch out of stealth of Berlin-based Linux security outfit Amutable. While its purpose is only vaguely defined in the launch announcement, nobody could accuse it of lacking ambition: it plans to bring “determinism and verifiable integrity to Linux systems” to address the operating system’s security weaknesses. Most tiny companies nobody has heard of would struggle to make the tactic work, but Amutable’s roster of founders is made up of several well-known Linux figures, headed by former Red Hat and Microsoft engineer Lennart Poettering as chief engineer. Best known as the lead developer of systemd, the contentious but widely used Linux init system and service manager (whose components include the systemd-boot UEFI boot manager), he has alongside him two other ex-Microsoft employees, Chris Kühl as CEO and Christian Brauner as CTO. A clue to Amutable’s plans lies in the announcement’s emphasis on some of its founders’ backgrounds in Kubernetes, runc, LXC, Incus and containerd, all connected in different ways to the Linux container stack.

Verifiable integrity

Computing is full of security problems, and Linux is no exception. Fixing them is made no easier by the fact that convincing the protective free and open source software community of the wisdom of a radical new idea often turns out to be as big a challenge as the engineering itself. While Linux distros on desktop computers remain a niche, the technology’s invisible domination of online platforms and cloud container orchestration tools makes it the most important operating system in the world. That, not surprisingly, has made it a target for attacks, with cybercriminals taking advantage of vulnerabilities allowing privilege escalation, container escapes and other exploits, as well as embedding backdoors in open source images across Linux’s complex supply chain.
Judging from Amutable’s self-declared vision to bring “determinism and verifiable integrity to Linux systems,” the founders see plenty of room for improvement. “Today’s infrastructure approaches security reactively. Software agents watch for vulnerabilities and intrusions; attackers refine their evasion. These defensive approaches are costly, brittle, and ineffective,” the company said. “Amutable’s mission is to deliver verifiable integrity to Linux workloads everywhere. We look forward to working towards this goal with the broader Linux community.”

A cocktail of problems

The issue presents a rich cocktail of problems, the underlying causes of which are the difficulty of verifying that an image is as its developers intended and has not been tampered with, while also maintaining a verifiable system state. Even existing security tools are struggling to keep up, with a 2025 proof-of-concept showing that it was possible to bypass leading Linux runtime security tools. This is perhaps what Amutable’s founders mean when they describe the need to “replace heuristics with rigor” to achieve “verifiable integrity.” An image should be cryptographically verifiable in advance, ideally including a hash record of every stage of the boot process, and should then be subject to continuous checks against a signed file manifest. In other words, instead of looking for a rogue file or suspicious behavior after the fact, the system would be able to verify itself deterministically. The introduction of this model of verifiability into Linux might have mitigated a range of incidents, including a 2023 attack in which attackers exploited CVE-2022-42475 in the SSL-VPN function of Fortinet’s FortiOS to implant malware, or the more recent vulnerability CVE-2025-31133 in runc, the low-level container runtime beneath Kubernetes deployments, which allowed attackers to break out of containers.
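The model of verifiability sketched above, as an added example that is not Amutable’s code or anything from the original article: a TPM-style measurement chain over the boot stages, with an event log a verifier can replay, followed by a check of the running file set against a signed manifest that reports modified, missing and unexpected files. The boot-stage blobs, file contents and key are constructed placeholders, and an HMAC stands in for the asymmetric signature a real system would verify against a public key anchored in the boot chain.

```python
import hashlib
import hmac
import json

ZERO_REGISTER = bytes(32)


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: register' = SHA-256(register || SHA-256(measurement))."""
    return hashlib.sha256(register + hashlib.sha256(measurement).digest()).digest()


def measure_boot(stages: list[tuple[str, bytes]]) -> tuple[str, list[dict]]:
    """Measure each boot stage in order; return the final register (hex) and an event log."""
    register = ZERO_REGISTER
    event_log = []
    for name, blob in stages:
        event_log.append({"stage": name, "sha256": hashlib.sha256(blob).hexdigest()})
        register = extend(register, blob)
    return register.hex(), event_log


def replay_event_log(event_log: list[dict]) -> str:
    """Recompute the register from the log alone, as a remote verifier would."""
    register = ZERO_REGISTER
    for event in event_log:
        register = hashlib.sha256(register + bytes.fromhex(event["sha256"])).digest()
    return register.hex()


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so the same manifest always signs to the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    # HMAC stands in for the asymmetric signature a real system would verify
    # with a public key baked into the boot chain (assumption for this example).
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def check_system(manifest: dict, signature: str, key: bytes, files: dict[str, bytes]) -> list[str]:
    """Return integrity violations; an empty list means the state verifies."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["manifest signature invalid"]
    problems = []
    for path, expected in manifest["files"].items():
        if path not in files:
            problems.append(f"missing: {path}")
        elif hashlib.sha256(files[path]).hexdigest() != expected:
            problems.append(f"modified: {path}")
    # Anything on disk that the signed manifest does not know about is a finding
    # too: this is how an unexpected WAR/JAR or dropped binary surfaces.
    problems.extend(f"unexpected: {path}" for path in files if path not in manifest["files"])
    return sorted(problems)


# Constructed placeholders for boot-stage images and a root filesystem.
GOLDEN_STAGES = [("firmware", b"fw-1.0"), ("bootloader", b"sd-boot-257"), ("kernel", b"vmlinuz-6.12")]
GOLDEN_FILES = {"/usr/sbin/sshd": b"sshd-binary", "/etc/ssh/sshd_config": b"PermitRootLogin no\n"}
KEY = b"demo-manifest-key"  # placeholder shared secret for the HMAC stand-in
MANIFEST = {"files": {path: hashlib.sha256(blob).hexdigest() for path, blob in GOLDEN_FILES.items()}}
SIGNATURE = sign_manifest(MANIFEST, KEY)


if __name__ == "__main__":
    register, log = measure_boot(GOLDEN_STAGES)
    print("boot register:", register, "replay ok:", replay_event_log(log) == register)
    tampered = {**GOLDEN_FILES, "/etc/ssh/sshd_config": b"PermitRootLogin yes\n", "/opt/drop.war": b"shell"}
    print("clean:", check_system(MANIFEST, SIGNATURE, KEY, GOLDEN_FILES))
    print("tampered:", check_system(MANIFEST, SIGNATURE, KEY, tampered))
```

Two properties carry the argument: the register is order-sensitive, so swapping or replacing any stage changes the final value even though the event log still replays to whatever was actually booted, and the manifest check is a closed-world comparison, so a file that is merely present but unlisted is a violation rather than something a heuristic has to notice.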
Perhaps the issue’s biggest impact came from the infamous supply chain backdoor in the XZ Utils data compression library, uncovered by chance in 2024.

A common goal

“Security of the IT infrastructure has been one of the top concerns for decades, and immutability, verification and full coverage of the software supply chain throughout the lifecycle of an operating system or complete infrastructure are important contributions to achieving this,” noted Matthias G. Eckermann, director of product management, Linux at SUSE. He pointed out that SUSE is already delivering on this in multiple ways, including its certified Software Supply Chain and its Immutable OS with Transactional Updates. “We are looking forward to hearing more from Amutable and collaborating with them on the common goal of improving resiliency and security of open-source infrastructure software,” he said.

Technology not the only problem

Right now, where this goes and how Amutable will make money is up in the air, but it will attract attention. “Security teams are trained to trust signed packages and verified sources. When the supply chain itself is compromised (like the XZ Utils backdoor in 2024), traditional security training doesn’t prepare defenders for that scenario,” commented Chris Porter, CEO of certification company Training Camp. “If they [Amutable] can simplify verification, it reduces the expertise burden on security teams who currently lack deep Linux platform knowledge.” However, technology isn’t the only problem. “As Linux dominates cloud infrastructure, enterprises need security professionals who understand boot integrity, code signing, and verification, skills that aren’t covered in most certification programs,” said Porter. View the full article
-
NIS2: Supply chains as a risk factor
Summit Art Creations – shutterstock.com

The illusion of one’s own security zone

Many companies today invest considerable resources in securing their internal IT. Firewalls, monitoring, incident response plans and awareness programs are well established. At the same time, a dangerous illusion is growing: the assumption that risks can be controlled within the boundaries of one’s own systems. The reality looks different. Modern business models are hardly conceivable without external IT service providers, cloud services, software suppliers and specialised subcontractors. This is precisely where the greatest uncertainties arise. NIS2 picks up on this development and makes clear that cybersecurity does not end at one’s own firewall. The directive forces companies to reassess their supply chains not only technically but strategically. It makes external dependencies an integral part of the security architecture, and thus a leadership task.

NIS2 shifts the focus from systems to dependencies

At its core, NIS2 follows a clear approach: risks are to be addressed where they actually arise. Statistics and incident analyses have shown for years that attacks increasingly come through third parties. Software updates, maintenance access or outsourced services serve as entry points. NIS2 responds by explicitly bringing supply chains into scope. Companies are obliged to assess risks relating to their direct service providers and also to downstream subcontractors. What matters is no longer whether an incident is triggered internally or externally, but what effect it has on critical services. With that, the regulation departs from a purely technical understanding of security. It demands structured management of dependencies that makes risks visible and keeps them controllable.

Further reading: Implementing NIS2 without drowning in paperwork

Why supply chains are particularly vulnerable

The supply chain is an attractive target for attackers for several reasons. External partners frequently hold privileged access, work with sensitive data or are deeply embedded in operational processes. At the same time, they are often not subject to the same security standards as large organisations. Added to this is a structural lack of transparency. Companies often do not know which further service providers their partners use or how access is technically implemented. This missing visibility leads to a fragmented security picture in which risks are known but remain unquantifiable. NIS2 starts exactly here and demands traceable processes for identifying, assessing and monitoring these risks.

The break with traditional compliance

Many organisations are used to meeting regulatory requirements formally. Questionnaires are sent out, certificates filed, checklists ticked. This approach produces documentation, but not security. NIS2 makes clear that formal compliance is not enough. The directive requires effective implementation of security measures and demonstrable control of their effectiveness. That applies to external partners too, and especially to them. A security concept that relies solely on self-declarations no longer meets the requirements. What is needed is a realistic picture of actual security maturity along the supply chain.

What NIS2 concretely expects from companies

NIS2 does not lay down detailed technical requirements; it defines clear objectives. Companies must identify, prioritise and appropriately treat risks. For supply chains, that means several central tasks. First, dependencies must be recorded systematically. Which service providers are essential to operations? What data do they process? What access rights exist? Second, appropriate security requirements must be defined. These must fit the risk and be anchored in contracts. Third, NIS2 requires continuous monitoring. Risks change. Business models, threat landscapes and technical architectures evolve. Security assessments must therefore not remain a one-off project.

The role of the CISO under NIS2

For CISOs, NIS2 means a significant expansion of their area of responsibility. Technical excellence alone is no longer enough. What is needed is communication skill, risk assessment and the ability to enforce security requirements across the organisation. The CISO becomes the mediator between technology, management, procurement and legal. They must explain why certain requirements are necessary, what risks exist and what the consequences of inaction can be. NIS2 strengthens this role by defining clear responsibilities and anchoring the importance of cybersecurity at board level.

Why many supply chain assessments go wrong

In practice, supply chain assessments often fail on the following three points:
- Lack of prioritisation: companies try to treat all partners the same and lose focus on the truly critical dependencies.
- Lack of enforceability: security requirements are formulated but not verified, and not consistently enforced when deviations occur.
- Organisational silos: procurement, IT and legal act separately from one another. Security risks are therefore viewed in fragments and not managed holistically.
NIS2 makes clear that these approaches are no longer sufficient. What is required is integrated risk management.

Control mechanisms with substance

Effective control does not mean maximum bureaucracy. What counts is the quality of the measures. For critical partners, that can mean regular technical assessments, structured audits or clearly defined escalation processes. It is important that companies retain the ability to assess risks themselves rather than outsourcing this entirely to third parties. NIS2 demands that responsibility be assumed, not delegated. Control mechanisms must also be scalable. Not every partner requires the same effort. What is decisive is the potential impact of a security incident.

Supply chains as a strategic resilience factor

Companies that treat NIS2 as a pure compliance exercise squander potential. A realistic assessment of supply chains not only strengthens the regulatory position but increases operational stability. Transparent dependencies, clear security requirements and functioning control processes reduce outage risks and improve the ability to respond in an emergency. Supply chains thus turn from a weak point into a strategic resource.

Conclusion: NIS2 forces honesty

NIS2 confronts companies with an uncomfortable truth. Cybersecurity does not end at the boundary of one’s own systems. Those who outsource critical processes remain responsible nonetheless. The directive demands an honest look at dependencies, risks and one’s own ability to steer them. For CISOs this is a challenge, but also an opportunity. Under NIS2, supply chains are no longer a footnote. They are the touchstone of effective cybersecurity and sustainable resilience. (jm) View the full article
-
Hugging Face infra abused to spread Android RAT in a large-scale malware campaign
An Android malware campaign is reportedly abusing Hugging Face’s public hosting infrastructure to distribute a remote access trojan (RAT). The operation relies on social engineering, staged payload delivery and abuse of Android permissions to achieve persistence on infected devices. According to Bitdefender Labs, the campaign begins with a seemingly legitimate Android application that acts as a dropper. Users encounter the lure through ads or pop-up prompts warning of fake infections. Once installed, the app fetches a second-stage payload hosted on Hugging Face, allowing the attackers to blend malicious traffic with legitimate developer activity and avoid immediate detection. The researchers flagged the campaign not just for its use of a trusted AI development platform but also for its scale and automation: thousands of unique Android packages, with new variants generated frequently to evade signature-based defenses.

Scareware lure and dropper deployment

The infection begins by tricking Android users into installing the malicious security app “TrustBastion.” The app serves as a dropper: code that appears benign until it triggers the delivery of a more dangerous payload. “In the most likely scenario, a user encounters an advertisement or similar prompt claiming the phone is infected and urging the installation of a security platform, often presented as free and packed with ‘useful’ features,” the researchers said in a blog post. “When its website was online (trustbastion[.]com), it promised to detect scams and fraudulent SMSes, phishing, malware, and much more.” Once launched, the app immediately displays a prompt styled to look like an Android system or Google Play update notification, an interface many users are conditioned to trust. Accepting the “update” initiates a network request to an encrypted endpoint on the attacker’s infrastructure, which in turn redirects the victim to a Hugging Face dataset hosting a malicious APK.
Abuse of trusted hosting

Hugging Face is a go-to platform for developers hosting machine learning models, datasets and tooling. According to Bitdefender, that infrastructure is now being used to mask malicious downloads amid legitimate activity. While the platform runs ClamAV scans on uploads, the researchers noted that these controls currently fall short of filtering out cleverly disguised malware repositories. “Analysis of the Hugging Face repository revealed a high volume of commits over a short period of time,” the researchers said. “New payloads were generated roughly every 15 minutes. At the time of investigation, the repository was approximately 29 days old and had accumulated more than 6,000 commits.” The repository was eventually taken offline, but the operation resurfaced elsewhere with minor cosmetic changes while the underlying code remained unchanged.

Installation, permissions and a persistent RAT

Once the second-stage payload is installed, the application poses as a system component for a “Phone Security” feature and guides the user through enabling highly sensitive Android permissions: Accessibility Services, screen recording, screen casting and overlay display rights. Together, these give the malware extensive visibility into user interaction and the ability to capture on-screen content across apps. The researchers said these capabilities can be used to monitor and record user activity in real time, display fake authentication interfaces mimicking popular financial platforms (such as Alipay and WeChat) to harvest credentials, capture lock screen patterns and biometric inputs, and exfiltrate the harvested data to an actor-controlled command and control (C2) server. Bitdefender said it contacted Hugging Face before publishing its disclosure, and the platform quickly took down the datasets containing malware. Hugging Face did not immediately respond to CSO’s request for comment.
For additional support, Bitdefender has shared a list of indicators of compromise (IoCs), including dropper hashes, IPs, domains, and package names. View the full article
-
The CSO guide to top security conferences
There is nothing like attending a face-to-face event for career networking and knowledge gathering, and we don’t have to tell you how helpful it can be to get a hands-on demo of a new tool or to have your questions answered by experts. Fortunately, plenty of great conferences are coming up in the months ahead. If keeping abreast of security trends and evolving threats is critical to your job, and we know it is, then attending some top-notch security conferences is on your must-do list for 2026. From major events to those that are more narrowly focused, this list from the editors of CSO will help you find the security conferences that matter the most to you. We’ll keep it updated with new conferences, so check back often. While we don’t expect this calendar to be comprehensive, we do aim to have it be highly relevant. If there’s something we’ve missed, let us know. You can email your additions, corrections and updates to Samira Sarraf.

February 2026
Cybersec Asia Shield your Core, Bangkok, Thailand: 4-5 February
Intellic0n, Texas, US: 5-6 February
CruiseCon, departs from Florida, US: 7-12 February
HackCon, Oslo, Norway: 9-10 February
#CS4CA ANZ, Perth, Australia: 10-11 February
Planet Cyber Sec Conference, California, US: 11 February
Detroit Cybersecurity Conference, Michigan, US: 19 February
BSidesGalway, Galway, Ireland: 21 February
Cosac APAC, Melbourne, Australia: 24-26 February
St. Louis Futurecon Cybersecurity, Missouri, US: 26 February
Malware and Reverse Engineering Conference MRE 2025, Melbourne, Australia: 26-27 February
BSides Seattle, Washington State, US: 27-28 February
BSides Ballarat, Melbourne, Australia: 28 Feb-1 March

March 2026
Cloud & Cyber Security Expo, London, UK: 4-5 March
@Hack, Montreal, Canada: 7-8 March
Gartner Security & Risk Management Summit, Mumbai, India: 9-10 March
Gartner Identity & Access Management Summit, London, UK: 9-10 March
Billington State and Local CyberSecurity Summit, Washington, DC, US: 9-11 March
Critical Infrastructure Protection & Resilience North America, Louisiana, US: 10-12 March
FutureCon Tampa, Florida, US: 12 March
Next IT Security, Stockholm, Sweden: 12 March
CyberBay 2026, Florida, US: 12-13 March
Gartner Security & Risk Management Summit, Sydney, Australia: 16-17 March
SANS OSINT Summit & Training, virtual and Virginia, US: 16-22 March
SecureWorld Charlotte, North Carolina, US: 18 March
FutureCon Philadelphia, Pennsylvania, US: 19 March
ASIS Europe, Antwerp, Belgium: 23-25 March
Security Leadership 2026, Utrecht, Netherlands: 24 March
InCyber Forum Europe, Lille, France: 31 March-2 April

April 2026
Cyphercon, Wisconsin, US: 1-2 April
Gartner Security & Risk Summit, Dubai, UAE: 5-7 April
SecureWorld Boston, Massachusetts, US: 8-9 April
SpecterOps SO-CON 2025, Virginia, US: 13-14 April
Next IT Security, Amsterdam, Netherlands: 16 April
Aus Gov Data Summit, Canberra, Australia: 21-23 April
Black Hat Asia, Marina Bay Sands, Singapore: 21-24 April
Third Party and Supply Chain Cyber Security Summit, Munich, Germany: 22-24 April
SecureWorld Houston, Texas, US: 30 April

May 2026
CyberSecFest SP, São Paulo, Brazil: May, TBC

View the full article
-
Human risk management: CISOs’ solution to the security awareness training paradox
Cybersecurity guru Bruce Schneier is often quoted as saying, “People are the weakest link in the security chain.” No more accurate words have ever been spoken about cybersecurity. You can spend millions of dollars on firewalls, endpoint security tools, access controls and data encryption, but one employee can cause a catastrophic security breach simply by downloading a malicious file or clicking on a rogue link. Industry research indicates that 70% to 90% of breaches result from employees succumbing to social engineering, making skills-based errors, sharing sensitive data with shadow IT services, or having a privileged account compromised. Oh, and things seem to be getting worse as adversaries adopt sophisticated AI-based attacks such as deepfakes. Of course, this problem is well known. As a countermeasure, organizations spent around $6 billion on security awareness training (SAT) in 2025. While some firms did so as a best practice, most did so to comply with industry or government regulations such as HIPAA (which requires a “security awareness and training program” for all workforce members under 45 CFR § 164.308), GDPR (Article 39(1)(b) tasks data protection officers with “awareness-raising and training of staff”), PCI DSS (requirement 12.6 mandates a formal program to make all personnel aware of cardholder data security) and many others. Industry research indicates that SAT spending will increase by an estimated 15% per year as organizations continue to invest in what Gartner calls “security behavior and culture programs.”

The security awareness training paradox

While security awareness training has become a CISO and HR staple, its efficacy remains questionable. Some organizations treat SAT as a checkbox exercise for regulatory compliance, with little regard for its value. Employees exacerbate this folly through “compliance theater,” clicking through tutorials as fast as possible to get them out of the way.
Even studious employees suffer from the “forgetting curve,” a psychological model of how information is lost over time when no effort is made to retain it. In some cases, SAT can even be counterproductive: some studies have found that employees who score highly in security awareness training become overconfident and complacent about their security behavior. In my humble opinion, there’s a disillusioning situation here that I call the security awareness training paradox. Despite regulatory compliance requirements and significant investment, SAT seems to deliver marginal benefits. Clearly, SAT is broken, even with peripheral improvements such as simulated phishing tools. So, what’s needed? Over the next few years, organizations should shift from static, sporadic security training to an emerging discipline called human risk management (HRM).

What is human risk management?

HRM is a cybersecurity strategy that identifies, measures and reduces the risks caused by human behavior. Simply stated, security awareness training is about what employees know; HRM is about what they do, that is, their actual cybersecurity behavior. More specifically, HRM integrates with email security tools, web gateways and identity and access management (IAM) systems to identify human vulnerabilities. It measures risk using behavioral data and pinpoints an organization’s riskiest users. HRM then seeks to mitigate those risks by applying targeted interventions such as micro-learning, simulations or automated security controls. Finally, HRM monitors behavioral change so organizations can track progress. There’s a misconception out there that HRM and SAT are different animals, so organizations interested in HRM must budget for both. Wrong. In fact, leading HRM solutions from vendors such as Fable Security, KnowBe4 and Mimecast are chock full of standard SAT material.
They even provide specific training support for regulatory compliance requirements. Democratizing security training with AI I know what you’re thinking. HRM sounds like the latest buzz term coined by the cybersecurity industry marketing glitterati. Yeah, kind of true, but generic HRM has an AI-based partner riding shotgun. And unlike general industry AI hype, there’s research and expert agreement that AI is well positioned to change education as we know it. In his book Co-Intelligence: Living and Working with AI, University of Pennsylvania professor Ethan Mollick suggests that AI will deliver personalized learning at scale where AI acts as a “Socratic tutor” that “nudges” students toward excellence, provides simulations and role plays, and offers persona-based learning. In an HRM context, a “nudge” can be thought of as continuous micro-learning. A user clicks on a malicious link and is guided toward an appropriate security lesson aimed at reinforcing good hygiene and behavior. Armed with AI, HRM will also understand habits and ways of learning. For example, Alice tends to learn best through written descriptions while Bob prefers watching videos. Leading HRM tools can also role play with users, gamifying cybersecurity training and playing on their competitive nature. Thus, HRM (with AI) has the potential to democratize expertise in a new and unique way. From an ROI perspective, HRM offers a much more granular approach to cyber-risk mitigation than standard SAT. CISOs and HR managers can report on improved cyber hygiene and behavior, rather than how many employees have been trained and past generic tests. Repeat offenders are not only identified but also provided with personalized training tools and attention. Ultimately, HRM makes it possible to show a direct correlation between training and a reduction in actual security incidents. To quote Aristotle, “We are what we repeatedly do. 
Excellence, then, is not an act, but a habit.” HRM is intended to personalize training to change behavior and habits. If Aristotle were a CISO, he’d surely see the logic in moving from generic SAT to HRM. View the full article
-
Roughly half of employees are using unsanctioned AI tools, and enterprise leaders are major culprits
Shadow AI, the secret, unapproved use of AI by employees, isn’t going away. In fact, workers are getting more brazen, and their employers often don’t seem to care. In a new BlackFog survey, nearly half (49%) of workers admit to adopting AI tools without employer approval, many using free versions with which they are freely sharing sensitive enterprise data. But perhaps more alarmingly, a wide majority — 69% of presidents and C-suite members and 66% of directors and senior VPs — seem to be OK with this, prioritizing speed over privacy as they race to adopt AI tools.

“The efficiency gains and personnel cost savings are too large to ignore, and override any security concerns,” said Darren Williams, BlackFog founder and CEO. The research is a “stark indication” of the wide use of unapproved AI tools in the enterprise, and also the “level of risk tolerance amongst employees and senior leaders.”

Shadow AI by the numbers

The survey of 2,000 workers at companies with more than 500 employees found that shadow AI is rampant, and not much is being done to rein it in. Of those surveyed, 86% said they use AI on a weekly basis at work, the most common use cases being in technical support, sales (such as email marketing), and contracts. But more than one-third of them admitted to using the free versions of company-approved tools, raising questions about where sensitive corporate data is being stored and processed. Furthermore: 51% have connected AI tools to work systems or apps without the approval or knowledge of IT; 63% believe it’s acceptable to use AI when there is no corporate-approved option or IT oversight; 60% say speed is worth the security risk; 21% think employers will simply “turn a blind eye” as long as they’re getting their work done.

And the C-suite’s own use of shadow tools? That’s a little more difficult to gauge; they’re close-lipped about it, indicating a wider problem, Williams noted. “Senior executives often don’t want to admit they are using AI,” he said. Instead, they’re trying to prove how valuable they are without disclosing their own AI use. Just like workers elsewhere in the enterprise, “senior leaders are able to get more done faster than ever” with AI, he noted. For instance, he said, “you can draft a legal contract in seconds and get a lawyer to review, rather than spend weeks drafting and redrafting using external counsel.”

Concerningly, when it comes to the tools workers are using, free versions tend to be the most popular. More than half (58%) of employees using non-approved tools rely on free versions, and 34% of those working at companies that do allow AI tools are also opting for the free version. “Non-paid is almost certainly worse because of the licensing and business models around them,” said Williams. “There is always a cost to using free tools; in this case it’s the value of your data.”

And employees are not shy about loading sensitive data into unsanctioned AI tools: 33% admit to sharing enterprise research or datasets; 27% to revealing employee data (such as salary or performance tracking); 23% to inputting company financial information. This becomes dangerous because virtually all free tools use ingested data to train their models, and some of the lower-tiered paid tools do, too, Williams pointed out. “And,” he said, “you cannot get this information back.” Paid enterprise plans typically allow companies to turn off training on their data, but not always. Admins must check this with their large language model (LLM) providers. “The big problem is the loss of intellectual property,” said Williams. And threat actors can get access to this information to profile and target an organization, breach their networks, and exfiltrate confidential data for extortion. “The more data that is disclosed to LLMs, the more information is available [to threat actors] to build a better profile,” Williams noted.

Enterprises must build policies around AI use

Many CEOs have been mandating AI adoption and are allocating capital throughout the business for this purpose, Williams noted. Executives are looking for cost savings as a strategic advantage and a way to quickly return shareholder value. Unfortunately, security is an afterthought, he said. “Many companies have just chosen to ignore the problem, and have decided not to create a policy or see the value in paying for the technology, which is a very big mistake.” Organizations are “flying blind,” and 99% have no way of even knowing what is happening in their environments because there are no products in place to measure it, he observed. This should raise serious red flags for security teams, and there must be greater oversight and visibility into these security blind spots.

Williams advised enterprises to audit what is going on inside their systems, measure the scope of the problem, define policies around AI use, and adopt governance frameworks to control it. Further, employees must be made aware of the risks. Many, CISOs included, don’t actually understand the extent of the problem and its broader implications. “Education is essential and doesn’t require a lot of work,” said Williams. On the other hand, implementing a policy and framework does, and enterprises first need to decide what risks they are willing to live with.

Ultimately, he said, we are navigating an unprecedented time in history, with new technology advancing at such a rapid pace that the technologists themselves don’t even know where it is going. Enterprises must quickly understand the implications, and use AI responsibly to gain a strategic advantage. “Just as the industrial revolution and the internet changed the way we worked, AI is doing the same,” said Williams. “In fact, we expect this to be an even bigger shift than either of those transitions.”

This article originally appeared on CIO.com.
-
ShinyHunters ramp up new vishing campaign with 100s in crosshairs
Notorious extortion group ShinyHunters has released tens of gigabytes of files it claims to have stolen from the dating apps Hinge, Match, OkCupid and Bumble. While there is no official confirmation of how the companies were breached, researchers believe the group’s activities triggered a recent Okta advisory about a rise in voice-based social engineering attacks supported by automated phishing kits. The latest data leak, which affects dating services and apps, comes after the group recently posted files stolen from SoundCloud, CrunchBase, Betterment, CarMax, Edmunds.com, and Panera Bread, suggesting the list of victims may already be larger, or may still grow.

In operation since 2020, ShinyHunters, also tracked as UNC6040, has stolen data from many well-known brands and organizations over the years. The group’s known techniques involve impersonating IT staff to compromise employee accounts. Last September, security companies reported that ShinyHunters had joined forces with two other notorious hacker groups, LAPSUS$ and Scattered Spider. The data dumps over the past week are likely the result of a much larger hacking spree the new collective has been engaged in recently.

Security firm Silent Push detected new phishing infrastructure matching the tactics, techniques, and procedures (TTPs) of SLSH (Scattered LAPSUS$ Hunters) being set up to target more than 100 high-value organizations in the past month. The infrastructure involves a “Live Phishing Panel” that allows attackers to perform a man-in-the-middle attack on login sessions in real time with the goal of capturing credentials and multi-factor authentication (MFA) tokens for single sign-on (SSO) platforms, including Okta.

“We are aware of claims being made online related to a recently identified security incident,” a Match Group spokesperson told CSO. “Match Group takes the safety and security of our users seriously and acted quickly to terminate the unauthorized access.” “We continue to investigate with the assistance of external cybersecurity experts,” the company said. “There is no indication that user log-in credentials, financial information, or private communications were accessed. We believe the incident affects a limited amount of user data, and we are already in the process of notifying individuals, as appropriate.” Bumble and Panera Bread did not respond to requests for comment.

Phishing kits designed for voice attacks

Okta warned last week about an increase in attacks against Okta, Microsoft, and Google accounts that are enabled by commercial phishing kits specifically designed to make voice-based social engineering attacks more effective. Phishing kits are collections of automated tools, scripts, and website templates that allow cybercriminals to create fake websites and launch credential-stealing attacks. However, when victims use MFA, the success rate of these tools can be quite low because the attackers can’t guess what type of MFA an account has enabled. Is it a code generated by a mobile app? Is it a code sent via SMS? Is it a push notification sent to their mobile device that they must tap on? Websites can offer multiple MFA options, and it’s up to users and companies to configure them. But when combined with voice calling, also known as voice phishing or vishing, these attacks become much more powerful, because the attacker can test the user’s credentials in real time on the legitimate site, see what MFA type they get prompted for, and modify their phishing page on the fly.

“This real-time session orchestration provides a new level of control and visibility to the social engineer,” Okta researchers said. “If presented a push notification (type of MFA challenge), for example, an attacker can verbally tell the user to expect a push notification, and select an option from their C2 panel that directs their target’s browser to a new page that displays a message implying that a push message has been sent, lending plausibility to what would ordinarily be a suspicious request for the user to accept a challenge the user didn’t initiate.”

These hybrid attacks can also defeat one of the more powerful MFA techniques designed to counter automated phishing of MFA codes: push notifications that ask users to enter into their mobile authenticator app a number generated by the legitimate website, instead of entering on the website a number generated by the app. Automated attacks fail against this because, if the user sees a phishing page instead of the legitimate website, they don’t know what number to enter in their authenticator app. But an attacker on the phone with them can tell them — or can modify the phishing site on the fly to display the number they know the legitimate website expects.

Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, told CSO that the vishing techniques described by Okta in its advisory align with ShinyHunters’ known TTPs: impersonating IT support, real-time MFA bypass via phishing kits, credential and session token theft, and SaaS data exfiltration. Gal also noted that he checked the newly leaked data and that it matches the named victim companies, which is consistent with previous ShinyHunters claims and releases.

Mitigation

The Okta report has links to previous advisories that include both indicators of compromise and TTPs for known actors targeting SSO logins. Meanwhile, Silent Push advises organizations to inform employees about the ongoing ShinyHunters attacks so they are on alert in case they do get contacted by callers. Companies should ask employees to verify IT support calls through an official out-of-band channel and should audit their operations support system (OSS) provider logs regularly for events indicating new devices being enrolled to accounts followed by logins from new IP addresses.
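The log audit recommended above (a new factor or device enrolled on an account, followed shortly by a sign-in from an address that account has never used) is easy to express as a detection rule. The block below is an added illustration of that rule; it is not Okta's, Silent Push's or any vendor's code. The audit records it processes are constructed, and the event names and field layout are an assumption loosely modelled on an SSO provider's audit log, so they must be mapped to the provider's real schema before use.

```python
"""Flag 'new MFA factor enrolled, then sign-in from a never-seen IP' in SSO audit logs.

Added example for this article; it is not Okta's, Silent Push's or any vendor's code.
The event records below are constructed, and the event names and field layout are an
assumption loosely modelled on an SSO provider's audit log. Map them to your provider's
real schema (and its real event types) before running this against production data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event names; adjust to the provider's schema.
ENROLL_EVENT = "user.mfa.factor.activate"   # a new MFA factor was enrolled
LOGIN_EVENT = "user.session.start"          # an interactive sign-in succeeded

# Constructed sample log: (timestamp, user, event, source_ip), deliberately not in time order.
SAMPLE_EVENTS = [
    ("2026-02-03T08:02:10Z", "alice", LOGIN_EVENT,  "203.0.113.10"),
    ("2026-02-03T09:15:44Z", "alice", ENROLL_EVENT, "203.0.113.10"),
    ("2026-02-03T09:31:02Z", "alice", LOGIN_EVENT,  "198.51.100.77"),  # new IP after enrolment
    ("2026-02-03T10:00:00Z", "bob",   ENROLL_EVENT, "203.0.113.20"),
    ("2026-02-03T10:05:00Z", "bob",   LOGIN_EVENT,  "203.0.113.20"),   # same IP: benign
    ("2026-02-02T07:00:00Z", "carol", LOGIN_EVENT,  "192.0.2.5"),
    ("2026-02-03T11:00:00Z", "carol", ENROLL_EVENT, "192.0.2.5"),
    ("2026-02-05T11:30:00Z", "carol", LOGIN_EVENT,  "198.51.100.9"),   # new IP, but outside 24h
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events, window_hours=24):
    """Return alerts as (user, enroll_time, login_time, new_ip) tuples.

    An alert fires when a user enrols a new factor and, within `window_hours`,
    starts a session from an IP address that never appeared in that user's
    earlier events. Sign-ins from already-seen addresses are not flagged, so a
    user enrolling a second factor from their usual workstation stays quiet.
    """
    per_user = defaultdict(list)
    for ts, user, event, ip in events:
        per_user[user].append((parse_ts(ts), event, ip))

    window = timedelta(hours=window_hours)
    alerts = []
    for user, records in per_user.items():
        records.sort()                 # chronological order per user
        seen_ips = set()               # addresses this user has used so far
        open_enrollments = []          # enrolment times still inside the window
        for ts, event, ip in records:
            if event == ENROLL_EVENT:
                open_enrollments.append(ts)
            elif event == LOGIN_EVENT:
                open_enrollments = [t for t in open_enrollments if ts - t <= window]
                if open_enrollments and ip not in seen_ips:
                    alerts.append((user, open_enrollments[0], ts, ip))
            seen_ips.add(ip)           # every event teaches us one more known address
    return alerts


if __name__ == "__main__":
    for user, enrolled, logged_in, ip in find_suspicious_enrollments(SAMPLE_EVENTS):
        print(f"ALERT {user}: factor enrolled {enrolled:%Y-%m-%d %H:%M}, "
              f"then sign-in from new IP {ip} at {logged_in:%Y-%m-%d %H:%M}")
```

On the constructed sample only alice is flagged: bob signs in from the same address he enrolled from, and carol's sign-in from a new address falls outside the 24-hour window (widen `window_hours` and she is flagged too). The window and the "known address" baseline are the two knobs to tune against real data; a short baseline will produce noise for users whose first recorded event is the enrolment itself.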
-
Identities in the crosshairs of cybercriminals
Eye Security’s State of Incident Response Report 2026 shows that cyberattacks on companies increasingly go unnoticed and that the damage is done within minutes. Attackers now rely less on hacking systems and more on exploiting existing access. Identity-based attacks dominate the field, with 97 percent of these incidents involving passwords. The abuse of legitimate accounts is a leading cause of cloud security incidents and fuels the business of initial access brokers. The findings also show, however, that attackers’ basic methods remain unchanged. “In 2026, compromise still begins with phishing, the exploitation of misconfigured or vulnerable internet-facing systems, social engineering, or attacks via the software supply chain,” explains Lodi Hensen, VP of Security Operations at Eye Security.

BEC attacks particularly common

According to the study, business email compromise (BEC) is the most common form of attack: more than 70 percent of incidents fall into this category. In 40 percent of these cases, phishing served as the initial entry point. According to the analysts, BEC attacks go undetected for weeks without continuous monitoring. The study also makes clear that ransomware remains one of the biggest threats. “The spread of ransomware-as-a-service (RaaS), BuilderLeaks, and access-broker marketplaces has lowered the barriers to entry and created a professional ecosystem,” the authors write.

The report identifies a dangerous trend: the commercialization of insider knowledge. “Groups such as ShinyHunters are actively recruiting employees in order to buy access credentials. This blurs the line between external attack and insider threat,” the security researchers say. “For ransomware actors, this purchased access is often faster and more reliable than technical hacking.” Companies in manufacturing, construction, and transport and logistics are particularly affected. Many ransomware attackers get in through everyday weaknesses: unprotected applications, insecure remote access, or phishing emails through which employees unwittingly disclose credentials.

The analysis evaluated a total of 630 real security incidents in Europe from 2023 to 2025, many of them from Germany.
-
Critical RCE bugs expose the n8n automation platform to host‑level compromise
Two critical sandbox escape flaws in the popular n8n workflow automation platform allow authenticated users to achieve remote code execution on affected instances. According to new JFrog findings, sandboxing safeguards meant to contain untrusted workflow logic can be bypassed, exposing enterprise automation environments to full host compromise. Enterprises that rely on n8n to orchestrate integrations, automate internal processes, and connect cloud services with on-prem systems are at risk. JFrog’s researchers said n8n’s sandboxing mechanism can fail in specific configurations when users evaluate expressions or run custom scripts. Sandbox escapes can expose sensitive credentials, APIs, and infrastructure reachable from affected workflow engines.

Expression engine sandbox escape enables JavaScript RCE

One of the issues identified by JFrog affects n8n’s JavaScript expression engine, which is designed to safely evaluate user-supplied expressions during workflow execution. According to the researchers, flaws in how expressions are sanitized allow an attacker with permission to create or edit workflows to escape the sandbox and execute arbitrary JavaScript on the underlying host. JFrog explained in a blog post that the expression engine’s protections can be bypassed by carefully crafted payloads that exploit assumptions in the sandboxing logic. Once escaped, the attacker is no longer limited to expression evaluation and can run arbitrary commands in the context of the n8n service.

“When the expression engine encounters a {{}} block, it processes the enclosed content by bypassing it to a JavaScript Function constructor, which then executes the supplied code,” the researchers said. n8n uses an AST-based sandbox to neutralize dangerous JavaScript constructs before execution. A missed edge case in the outdated “with statement” allows attackers to bypass these checks and achieve arbitrary code execution. The vulnerability has been assigned CVE-2026-1470 and carries a critical severity rating of CVSS 9.9 out of 10, owing to the ease with which sandbox restrictions can be broken and the level of access gained post-exploitation.

Python Code node escape breaks isolation

JFrog also identified a separate sandbox escape affecting n8n’s Python Code node when the platform is configured to use its “Internal” execution mode. In this case, restrictions intended to contain Python code execution can be bypassed, again allowing authenticated users to run arbitrary code outside the sandbox. The second issue, tracked as CVE-2026-0863, received a high severity rating of CVSS 8.5 out of 10. While exploitation depends on specific configuration choices, JFrog noted that internal execution mode is commonly used in self-hosted enterprise deployments for performance and operational simplicity. The researchers demonstrated how the Python sandbox constraints can be evaded, granting access to system resources that should be off-limits.

Urgent need to update

Both issues have been patched, and enterprises running n8n should ensure they are on updated versions. Until patches are applied, organizations are advised to carefully review who has permission to create or edit workflows, particularly in environments where n8n has access to internal networks, secrets, or privileged APIs. CVE-2026-1470 has been fixed in versions 1.123.17, 2.4.5, and 2.5.1, while CVE-2026-0863 is resolved in versions 1.123.14, 2.3.5, and 2.4.2. Upgrading to any of these versions mitigates the risk of exploitation, the researchers noted.
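Because the two CVEs were fixed at different points on three release lines, checking "are we patched?" by eye is error-prone. The block below is an added triage helper for that check; it is not JFrog's or n8n's code. It takes the fix versions exactly as the article lists them and makes one assumption the article does not state: that each listed fix applies to its own major.minor release line. Builds on a line with no listed fix are reported as "unknown" rather than guessed, so that a human confirms them against the vendor advisory.

```python
"""Triage an n8n build against the fix versions the article lists for
CVE-2026-1470 (expression engine) and CVE-2026-0863 (Python Code node).

Added example; it is not JFrog's or n8n's code. Assumption (not stated in the
article): each listed fix applies to its own major.minor release line, so a
build is reported 'patched' only when it is >= a listed fix on the same line,
'vulnerable' when it is below that fix, and 'unknown' when its line has no
listed fix. 'unknown' is deliberate: confirm such builds against the vendor
advisory instead of letting a script guess.
"""
import re

# Fix versions exactly as given in the article.
FIX_VERSIONS = {
    "CVE-2026-1470": ("1.123.17", "2.4.5", "2.5.1"),
    "CVE-2026-0863": ("1.123.14", "2.3.5", "2.4.2"),
}

# Leading 'v' tolerated; any pre-release/build suffix after the patch number is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'2.4.5' or 'v2.4.5-rc1' -> (2, 4, 5). Raises ValueError on junk input."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def status_for(installed, cve):
    """Return 'patched', 'vulnerable' or 'unknown' for one CVE."""
    build = parse_version(installed)
    for fix in FIX_VERSIONS[cve]:
        fixed = parse_version(fix)
        if fixed[:2] == build[:2]:        # same major.minor release line
            return "patched" if build >= fixed else "vulnerable"
    return "unknown"                      # no fix listed for this release line


def triage(installed):
    """Map every tracked CVE to its status for the given build."""
    return {cve: status_for(installed, cve) for cve in FIX_VERSIONS}


if __name__ == "__main__":
    for build in ("1.123.16", "2.4.3", "2.5.1"):
        print(build, triage(build))
```

Note the asymmetry the article's version list produces: a 2.4.3 build is patched against CVE-2026-0863 (fixed in 2.4.2) but still exposed to CVE-2026-1470 (fixed in 2.4.5), and 2.5.1 shows "unknown" for CVE-2026-0863 because the article lists no 2.5.x fix for it. Treat "unknown" as a prompt to read the advisory, not as "safe".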
-
CISA chief uploaded sensitive government files to public ChatGPT
The acting director of the US Cybersecurity and Infrastructure Security Agency uploaded sensitive government contracting documents to a public version of ChatGPT last summer, triggering automated security alerts and raising questions about AI governance at the agency responsible for defending federal networks and critical infrastructure.

Madhu Gottumukkala, who has led CISA since May 2025, uploaded at least four documents marked “for official use only” to OpenAI’s ChatGPT platform between mid-July and early August, Politico reported. The documents contained contracting information not intended for public release. Cybersecurity sensors detected the activity in early August, generating several alerts in the first week alone, according to the report, which cited four Department of Homeland Security officials.

The incident occurred despite Gottumukkala having personally requested special permission to use ChatGPT shortly after joining CISA. At the time, the AI tool was blocked for most DHS employees over concerns that sensitive information could be retained outside federal systems, the report added, citing the DHS officials. Data entered into the public version of ChatGPT can be incorporated into the model’s training data and exposed to hundreds of millions of users. Unlike DHS-approved AI tools with controls preventing inputs from leaving federal networks, the public ChatGPT retains uploaded information on OpenAI servers.

Enterprise AI governance failures exposed

The incident highlights systemic failures in how government agencies, and by extension enterprises, manage AI tool exceptions for senior officials, security analysts said. “FOUO is not classified, but it is still sensitive government information,” said Arjun Chauhan, practice director at Everest Group. “Uploading it to a public AI tool creates real exposure: loss of data control, expanded exposure surface, secondary misuse risk, and policy boundary collapse.”

The pattern mirrors early enterprise incidents where employees pasted confidential material into ChatGPT, Chauhan said. The critical difference is that controls reportedly existed at CISA, and the breach occurred through an exception pathway. “That highlights a core governance failure. Exceptions and senior access are often where AI controls break down.” Federal agencies now have AI policies and governance bodies, but the gap appears to be in execution rather than intent, according to Chauhan. Safe, approved AI tools are not always the default or most usable option, and enforcement varies by role and seniority.

Sunil Varkey, advisor at Beagle Security, said the incident reflects a broader organizational challenge. “Leadership teams may reference these tools positively for learning, productivity, and communication refinement, which unintentionally normalizes their use,” he said. “As a result, such platforms have rapidly become de facto productivity applications without being treated with the governance rigor typically applied to enterprise systems handling sensitive information.” The tension between convenience and security often drives such incidents, Varkey added. Because “for official use only” data is not formally classified, users frequently underestimate its operational, contractual, or reputational impact.

Jaishiv Prakash, director analyst at Gartner, said the biggest risk when officials upload FOUO-marked documents to public AI platforms is losing control over the data. “You have no visibility into how long it’s retained, whether it can ever be deleted, or if it becomes exposed during legal holds or discovery.” Organizations must provide employees with licensed, governed AI platforms featuring supplier-agreed data residency, strict no-training guarantees, and minimal retention, Prakash said. “Without that, people will continue turning to public AI tools out of convenience, putting sensitive information at risk.”

Leadership credibility questioned

The uploads triggered an internal DHS assessment involving the department’s then-acting general counsel Joseph Mazzara and chief information officer Antoine McCord, along with CISA’s chief information officer Robert Costello and chief counsel Spencer Fisher, the report said. The outcome has not been disclosed. According to the report, CISA spokesperson Marci McCarthy confirmed that Gottumukkala received approval to use ChatGPT under DHS safeguards and described the usage as “short-term and limited.” She said he last used the tool in mid-July 2025 under an authorized temporary exception and that CISA’s default policy blocks ChatGPT access unless an exception is granted.

The fact that automated alerts triggered shows controls can detect misuse, analysts said, but the incident occurring at the leadership level raises accountability questions. “Because this involves the head of the civilian cybersecurity agency, the impact is largely reputational,” Chauhan said. “Leaders set behavioral norms. Deviations undermine compliance culture and weaken credibility when advising other agencies and critical infrastructure operators.”

The ChatGPT incident adds to mounting controversies surrounding Gottumukkala’s brief tenure. In December, Politico reported that he failed a counterintelligence polygraph test in late July and that DHS subsequently suspended six career staffers, characterizing the polygraph as “unsanctioned.” CISA has lost a significant number of its workforce since the Trump administration took office, with personnel dropping from over 3,300 to around 2,200 through buyouts, early retirements, and layoffs. The agency faces proposed budget cuts of nearly $500 million for fiscal year 2026. Gottumukkala previously served as South Dakota’s chief information officer under then-Governor Kristi Noem, now DHS secretary. CISA did not immediately respond to a request for comment.
-
Reports of GDPR violations have risen sharply
According to a recent report by law firm DLA Piper, organizations are increasingly being reported for violations of the General Data Protection Regulation (GDPR). According to the study, the average number of daily reports has risen above 400 for the first time since the GDPR came into force across the EU on May 25, 2018. With 443 reports of violations per day, the number in 2025 was 22% higher than the previous year. However, the data does not allow any definitive conclusions about the causes of this increase, according to DLA Piper. The law firm believes that geopolitical tensions, the multitude of new technologies available to cyber threat actors, and a number of new laws mandating the reporting of security incidents are likely among the key factors.

€1.2 billion in GDPR fines

According to DLA Piper, the total amount of fines, at around €1.2 billion, was roughly the same as the previous year. However, this high sum also demonstrates that European data protection authorities remain willing to impose substantial fines. Since the GDPR came into effect, a total of €7.1 billion in fines has been levied. Broken down by country, Ireland, where US tech giants like Apple, Google, and Meta have their EU headquarters, once again leads the enforcement statistics: the total fines imposed by the Irish Data Protection Commission have reached €4.04 billion since the GDPR came into force in May 2018. This includes the highest fine ever imposed under the GDPR, amounting to €1.2 billion against Meta Platforms Ireland Ltd. Furthermore, in April 2025, TikTok Technology Ltd. was fined €530 million for transferring personal user data to China.

However, DLA Piper points out that the risks of GDPR non-compliance are not limited to administrative fines. There is also the risk of subsequent claims for damages. Several landmark rulings by the CJEU and national European courts have addressed GDPR-related compensation claims — particularly regarding the requirements for claims for non-material damages.
-
EU’s answer to CVE solves dependency issue, adds fragmentation risks
The security community has offered broad support for the creation of an EU-hosted vulnerability database as a means of reducing dependence on US databases. However, some experts have expressed concerns that the potential fragmentation of security intelligence risks impeding rapid vulnerability identification and remediation.

The Global Cybersecurity Vulnerability Enumeration database (GCVE.eu) aggregates vulnerability advisories from more than 25 public sources into a single, searchable resource. Entries are normalized, structured, and cross-referenced across identifiers (e.g., CVE IDs, GCVE IDs, vendor IDs). The platform is hosted by the Computer Incident Response Center Luxembourg (CIRCL) in a Luxembourg-based data centre, with co-funding from the EU’s Federated European Team for Threat Analysis (FETTA) project.

The emergence of GCVE.eu follows a funding scare that threatened the continuation of the long-established Common Vulnerabilities and Exposures (CVE) program last year. The CVE program, which underpins the US National Vulnerability Database (NVD), is operated by the Mitre Corp. with funding from the cyber division of the US Department of Homeland Security.

Combating flaw fragmentation: Mapping and interoperability

Jaya Baloo, co-founder, COO, and CISO at vulnerability remediation startup AISLE, says that GCVE must prioritize mapping and interoperability with CVE entries in order to be viable. “Without enforceable interoperability commitments, ‘independent allocation’ becomes a polite way of saying defenders will need to check multiple incompatible systems to know if they’re vulnerable,” she says.

David Lindner, CISO at application security vendor Contrast Security, agrees that GCVE risks creating a new silo that mirrors but does not align with the NVD. “For a CISO the hard part is preventing identification collision where teams waste time triaging the same vulnerability under two different flags,” says Lindner. “To avoid this confusion and make the project viable the GCVE must prioritize an automated cross-mapping standard that bridges these databases in real-time.”

Simply switching from the US-run NVD to a European GCVE does not solve the dependency problem; it only moves the silo, according to Lindner. “Success requires a federated approach where vendors and researchers contribute to a unified intelligence layer ensuring that no matter which database claims the entry the industry sees a single actionable truth rather than a fragmented mess,” Lindner argues.

Brian Blakley, CISO at Bellini Capital, warns that if GCVE offers only duplication without differentiation, it is liable to create a headache for security practitioners. “Most security teams are already struggling with noise,” Blakley notes. “Any new database really needs to improve data quality, timeliness, or context and not just replicate identifiers under a different flag.”

GCVE has cross-vulnerability referencing built in, with both automated and human-curated mechanisms, an approach that most experts quizzed by CSO said would minimise confusion.

Zbyněk Sopuch, CTO of data security vendor Safetica, was more upbeat, arguing that GCVE is designed to be backwards compatible with CVE, so “existing data is preserved and independent entries are allowed.” “The gray areas arise in scope, ID formats, and fragmented tracking, and there are steps that the GCVE can take to ensure that critical data is shared and received,” says Sopuch.

Coordinated disclosure

Nik Kale, principal engineer and product architect at Cisco Systems, says GCVE’s main challenge comes from building a platform that the security community can rely on for coordinated disclosure and remediation. “Viability depends far more on governance than on the data itself,” Kale says. “That includes clear attribution rules, transparent CNA processes, predictable decision-making, and an explicit commitment to synchronization rather than fragmentation.”

The US-run NVD system is long established, so any parallel system must either federate cleanly with that existing infrastructure or provide clear operational advantages that justify switching, according to Kale. “Researchers will gravitate toward whichever system enables the fastest, most reliable coordinated disclosure,” says Kale. “Vendors, meanwhile, need confidence that vulnerability records will be handled consistently regardless of where they originate.”

Representatives of the GCVE project told CSO that CIRCL has the relevant experience, governance structures, and backing to make the database successful. “CIRCL has been operating multiple services and open-source projects for more than 15 years, with sustained financial and in-kind support from the public sector, private sector, and EU and international organisations,” they explain. “GCVE.eu implements a level of governance that enables efficient operation, rapid delivery, and, most importantly, distributed allocation of identifiers.”

GCVE.eu has been fully functional and operational for several months. “We already deliver Vulnerability-Lookup as a complete open-source software and provide a reference database that facilitates the work of many organisations involved in vulnerability management,” GCVE tells CSO.

Empowering security researchers

Fabian Gasser of cybersecurity consultancy Cyway says that GCVE brings benefits in removing the single point of failure inherent in reliance on the US-led CVE system while democratising vulnerability publishing. GCVE gives “more of a voice to independent security researchers, who can now also agree or disagree with vendor self-assessments,” according to Gasser.

Daniel dos Santos, senior director and head of research at cybersecurity vendor Forescout, says that its research found a significant number of vulnerabilities without CVE IDs, including some that are exploited by threat actors. GCVE has the potential to flag exploited vulnerabilities more quickly. “The GCVE DB has the advantage of aggregating several sources of vulnerability information and having a decentralized system of numbering authorities,” according to dos Santos.

Redundancy

Dr. Ferhat Dikbiyik, chief research and intelligence officer at cyber risk intelligence firm Black Kite, says the launch of GCVE is welcome following the funding scares of 2025. “For years, we treated the US-led CVE system as an immutable backbone,” Dr. Dikbiyik says. “When that backbone showed signs of stress due to budget politics, the world realized that relying on a single, centralized thread for vulnerability tracking was a strategic risk.”

Localized vulnerability databases are already a reality in other regions, such as China. “The Chinese platform is generally faster at indexing vendor disclosures and provides additional information compared to the US alternative,” says Martin Jartelius, AI product director at cybersecurity vendor Outpost24.

For the GCVE to move from a regional project to a global standard, the focus must shift to integration with enterprise security tools, Dr. Dikbiyik argues. “A database is only as valuable as the tools that use it,” says Dr. Dikbiyik. “To make this project viable, we need to see security vendors, scanner providers, and GRC platforms treat the GCVE not as an extra feature, but as a core data source.”

The GCVE is less about competition and more about ensuring continuity, so that vulnerability disclosures don’t hinge on a single point of failure, according to Crystal Morin, senior cybersecurity strategist at Sysdig. “The success of the EU [vulnerability database] will be measured by how it complements existing efforts and supports faster triage, a smaller backlog, risk prioritization, and consistent access to quality data for the security community,” Morin says.
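The identification collision Lindner describes, and the cross-referencing of CVE, GCVE and vendor identifiers the article attributes to GCVE.eu, come down to merging records from several feeds under one canonical key. The Python below is an added illustration of that merge, not code from GCVE.eu, CIRCL or Vulnerability-Lookup; it assumes the GCVE-0 convention (GNA id 0 reserved for entries mirrored from CVE), uses constructed feed records, and the vendor advisory id format is hypothetical.

```python
import re

# Assumed identifier convention (from the GCVE specification, not stated in the
# article): GNA id 0 is reserved for entries mirrored from CVE, so
# GCVE-0-YYYY-NNNN refers to the same flaw as CVE-YYYY-NNNN.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
GCVE_RE = re.compile(r"^GCVE-(\d+)-(\d{4})-(\d+)$")


def canonical_id(identifier: str) -> str:
    """Reduce an identifier to the key used for merging.

    CVE-2024-1234 and GCVE-0-2024-1234 collapse to one key; GCVE ids issued by
    other numbering authorities and vendor ids are kept as their own keys.
    """
    ident = identifier.strip().upper()
    m = CVE_RE.match(ident)
    if m:
        return f"CVE-{m.group(1)}-{m.group(2)}"
    m = GCVE_RE.match(ident)
    if m:
        gna, year, num = m.groups()
        return f"CVE-{year}-{num}" if gna == "0" else f"GCVE-{int(gna)}-{year}-{num}"
    return ident  # vendor advisory ids and other formats pass through unchanged


def merge_feeds(*feeds):
    """Merge advisory records from several feeds into one entry per vulnerability.

    A record is a dict with 'id' and 'source', optionally 'aliases' (other ids
    the feed knows for the same flaw) and 'exploited'. Entries are filed under
    every key they are known by, so an alias list that bridges two previously
    separate entries folds them into one.
    """
    by_key = {}
    for feed in feeds:
        for rec in feed:
            keys = {canonical_id(i) for i in [rec["id"], *rec.get("aliases", [])]}
            entry = {"ids": set(keys), "sources": {rec["source"]},
                     "exploited": bool(rec.get("exploited", False))}
            # Fold in anything already filed under one of these keys.
            for old in {id(by_key[k]): by_key[k] for k in keys if k in by_key}.values():
                entry["ids"] |= old["ids"]
                entry["sources"] |= old["sources"]
                entry["exploited"] = entry["exploited"] or old["exploited"]
            for k in entry["ids"]:
                by_key[k] = entry
    unique = {id(e): e for e in by_key.values()}.values()
    return sorted(
        ({"ids": sorted(e["ids"]), "sources": sorted(e["sources"]),
          "exploited": e["exploited"]} for e in unique),
        key=lambda e: e["ids"][0],
    )


def double_filed(merged):
    """Ids of flaws present in more than one feed: the collision case a
    triage team would otherwise work twice under two different flags."""
    return [e["ids"][0] for e in merged if len(e["sources"]) > 1]


# Constructed sample feeds (not real advisories).
NVD_FEED = [
    {"id": "CVE-2024-1234", "source": "nvd"},
    {"id": "CVE-2024-9999", "source": "nvd"},
]
GCVE_FEED = [
    {"id": "GCVE-0-2024-1234", "source": "gcve", "exploited": True},
    {"id": "GCVE-7-2025-42", "source": "gcve"},  # independently allocated by GNA 7
]
VENDOR_FEED = [
    {"id": "VENDOR-ADV-0017", "source": "vendor", "aliases": ["GCVE-7-2025-42"]},
]

if __name__ == "__main__":
    merged = merge_feeds(NVD_FEED, GCVE_FEED, VENDOR_FEED)
    for entry in merged:
        print(entry)
    print("filed under more than one source:", double_filed(merged))
```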
-
Criticism of the Kritis-Dachgesetz: a “patchwork” is feared
The Deutscher Städtetag (German Association of Cities) considers the coalition’s proposal for protecting critical infrastructure, which is up for a vote in the Bundestag, to be inadequate. The draft from the CDU/CSU and SPD imposes stricter obligations on critical-infrastructure operators, such as large energy utilities or transport companies, to protect their facilities. In addition to access restrictions and other practical measures, it provides for a duty to report security-relevant incidents and fines for violations.

Mid-sized facilities should also be covered

What bothers the Städtetag is that, under the draft, only facilities that matter for overall supply in Germany and serve more than 500,000 people count as critical infrastructure. Christian Schuchardt, chief executive of the municipal umbrella association, told the Deutsche Presse-Agentur shortly before the planned final deliberation on the so-called Kritis-Dachgesetz: “The attack on the power supply in Berlin has once again shown how necessary crisis preparedness and protective measures are.”

A minimum level of crisis preparedness is necessary

The threshold of 500,000 residents that the draft law sets for classifying facilities as critical infrastructure is, however, far too high, he said. Even in somewhat smaller cities, a minimum set of requirements for crisis plans, reporting chains, and IT security should be demanded. Schuchardt appealed to the Bundestag to lower the threshold. In a statement from November, the Städtetag had argued that facilities serving at least 150,000 residents should count as critical infrastructure within the meaning of the law.

Committee still made changes

The Bundestag’s Interior Committee did adopt some changes to the federal government’s draft. In the view of the Deutscher Städtetag, however, these do not go far enough.

“At present, the draft law merely provides an opening clause that allows the federal states to define additional facilities below this threshold,” Schuchardt said. That threatens to create a patchwork again. What is needed is a nationwide rule.

Criticism of the draft also came from other quarters. Irene Mihalic, First Parliamentary Secretary of the Green parliamentary group in the Bundestag, told the news portal Web.de News: “This draft is at most a canopy, not a roof.” Holger Lösch, deputy chief executive of the Federation of German Industries (BDI), said: “Given the markedly worsened threat situation, the law clearly falls short of what is required from a security-policy standpoint.”

Less transparency is meant to make things harder for attackers

After the presumably left-wing-extremist arson attack on the power supply, which left tens of thousands of people in south-west Berlin without electricity and heating for days in early January, there has been debate over whether publishing information about energy providers’ networks makes them unnecessarily vulnerable. The amendment now adopted calls on the federal government to “review already published, publicly accessible infrastructure information and, where possible, consistently remove it from publicly accessible areas.” After the coalition committee meeting on Wednesday evening, Chancellor Friedrich Merz (CDU) also remarked on the topic: “We must move away from very far-reaching transparency and toward more resilience.” (dpa/jm)
-
NIST’s AI guidance pushes cybersecurity boundaries
For years, US cybersecurity guidance rested on a reassuring premise: New technologies introduce new wrinkles, but not fundamentally new problems. Artificial intelligence, according to that view, is still software, just faster, more complex, and more powerful. The controls that protect traditional systems, the thinking went, can largely be adapted to protect AI, too.

That assumption surfaced at a recent National Institute of Standards and Technology (NIST) workshop on AI and cybersecurity. “AI systems in many ways are just smart software, fancy software with a little bit extra,” Victoria Pillitteri, supervisory computer scientist in the Computer Security Division at NIST, told attendees as she summarized that long-standing view. “That means we can leverage the robust body of [cybersecurity] knowledge that already exists with some modifications, with some considerations, but we do not and should not start from scratch,” she added.

But as discussions during the event turned to AI agents and adversarial manipulation, that concept began to fray. Experts described ways in which AI strains the fundamental assumptions those frameworks rely on, namely that systems behave deterministically, that boundaries between components are stable, and that humans remain firmly in control.

Those concerns are now moving beyond internal discussion and into public standards development. On Jan. 8, NIST’s Center for AI Standards and Innovation (CAISI) issued a formal Request for Information (RFI) on the secure practices and methodologies of AI agent systems, one of the most challenging aspects of AI when it comes to identity management and cybersecurity. The RFI focuses on AI systems capable of taking autonomous actions that affect real-world environments and explicitly asks for input on novel risks, security practices, assessment methods, and deployment constraints.

For CISOs, what should matter is that NIST is shifting from a broad, principle-based AI risk management framework toward more operationally grounded expectations, especially for systems that act without constant human oversight. What is emerging across NIST’s AI-related cybersecurity work is a recognition that AI is no longer a distant or abstract governance issue, but a near-term security problem that the nation’s standards-setting body is trying to tackle in a multifaceted way.

NIST’s wide-ranging cybersecurity and AI portfolio

Although the purpose of the workshop was to solicit feedback specifically on NIST’s preliminary Cybersecurity Framework Profile for Artificial Intelligence (Cyber AI Profile), an adaptation of the community profiles emerging from NIST’s Cybersecurity Framework, experts addressed many other NIST practices and methodology initiatives that deal with AI-related threats and security opportunities. These efforts show how NIST is attacking AI security from multiple angles — development, deployment, identity, privacy, and adversarial abuse — and include:

AI Risk Management Framework. Released on Jan. 26, 2023, NIST’s AI RMF was developed to better manage risks to individuals, organizations, and society associated with AI. “What we’re trying to do with the AI Risk Management Framework is understand how we trust AI, which operates in many ways differently in some of these tasks that we know very well,” particularly regarding how high-impact applications affect cybersecurity, Martin Stanley, principal researcher for AI and cybersecurity at NIST, said at the workshop.

Center for AI Standards and Innovation (CAISI). NIST’s CAISI serves as the “industry’s primary point of contact within the US government to facilitate testing and collaborative research related to harnessing and securing the potential of commercial AI systems,” said Maia Hamin, a technical staff member of CAISI, the center that develops best practices and standards for improving AI security and collaboration. It also “leads evaluations and assessments of US and adversary AI systems, including adoption of foreign models, potential security vulnerabilities, or potential for foreign influence,” she told workshop attendees.

NIST AI 100-2 E2025, Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations. This NIST report, published in March 2025, provides a taxonomy of concepts and defines terminology in the field of adversarial machine learning (AML). “Adversarial machine learning or adversarial AI is the field that studies attacks on AI systems that exploit the statistical and data-driven nature of this technology,” NIST research team supervisor Apostol Vassilev said at the workshop. “Hijacking, prompt injection, indirect prompt injection, data poisoning, all these things are part of the field of study of adversarial AI,” he clarified.

Dioptra. Dioptra is a NIST software test platform for assessing the trustworthy characteristics of AI. “You have multiple dimensions along which you want to analyze these as you want to identify how accurate they are for a particular task,” Harold Booth, NIST supervisory computer scientist, said at the event. “You want to be able to identify how robust they are to various kinds of attacks,” Booth said. “You want to know how well they do against various kinds of data sets.”

NIST SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile. The AI SSDF community profile adds “practices, tasks, recommendations, considerations, notes, and informative references that are specific to AI model development throughout the software development life cycle.” NIST’s Booth told the workshop attendees, “This particular profile is very focused on what is new with respect to doing development for AI systems. So all the concerns that exist for normal software development still pertain. But what we were really focused on was what’s new.”

PETs Testbed. NIST’s PETs Testbed provides the capability to investigate privacy-enhancing technologies (PETs) and their respective suitability for specific use cases, helping organizations evaluate and manage privacy risks. Gary Howarth, who leads the privacy engineering program at NIST, said that within a few weeks NIST will release a new version of its privacy framework that is complementary to AI risk management and cybersecurity threat modeling.

NIST Special Publication 800-63 Digital Identity Guidelines. NIST recently updated its 2017 guidelines on digital identity to better embrace the process and technical requirements for meeting digital identity assurance levels, given the rapid pace of digital technical change. Ryan Galluzzo, identity program lead for NIST’s Applied Cybersecurity Division, stressed at the workshop that “AI agents are starting to change the kind of context and conversation around traditional cybersecurity controls. Within the context of this project, our intent is really to focus on those issues of access, those issues of how to identify agents that are operating within my enterprise.”

The limits of ‘AI is just software’

NIST’s instinct to frame AI as an extension of traditional software allows organizations to reuse familiar concepts — risk assessment, access control, logging, defense in depth — rather than starting from zero. Workshop participants repeatedly emphasized that many controls do transfer, at least in principle.

But some experts argue that the analogy breaks down quickly in practice. AI systems behave probabilistically, not deterministically, they say. Their outputs depend on data that may change continuously after deployment. And in the case of agents, they may take actions that were not explicitly scripted in advance.

For CISOs, the risk is not that AI is unrecognizable, but that it appears recognizable enough to lull organizations into applying controls mechanically. Treating AI as “just another application” can obscure new failure modes, particularly those involving indirect manipulation through data or prompts rather than direct exploitation of code. “AI agent systems really face a range of security threats and risks,” CAISI’s Hamin said at the workshop. “Some of these overlap with traditional software, but others kind of arise from the unique challenge of combining AI model outputs, which are non-deterministic, with the affordances and abilities of software tools.”

CISOs should watch out for framework fatigue

In kicking off the workshop, NIST senior policy advisor Katerina Megas explained that NIST reached out to the CISO community to ask them what they need in terms of AI security guidance. “Before we started down any path, we spoke to the CISO community, and we asked them, ‘So how are you all dealing with artificial intelligence? How is this affecting your day-to-day? Is this something that keeps you up at night?’ And overwhelmingly, the answer was yes, this is absolutely something that is top of mind for us. Our leadership is asking us, what are we doing?” she said at the event.

But the CISOs also told NIST that they were overwhelmed with AI documentation. Many of these publications overlapped, but were not identical, Megas said. “If you were a consumer of all of these documents, it was very difficult for you to look at them and understand how they relate to what you are doing and also understand how to identify where two documents may be talking about the same thing and where they overlap.”

“If the guidance is super long, then people may not actually use it,” one workshop attendee, Naveen Konrajankuppam Mahavishnu, co-founder and CTO at Aira Security, tells CSO, suggesting that much of the material can be reduced to more digestible components. “We can have a very detailed version, maybe a hundred pages long, but also have some sort of checklist that kind of summarizes the entire 100-page paper or something into a few pages where people can easily consume it, and then they can start implementing it,” Mahavishnu says.