Skip to content
View in the app

A better way to browse. Learn more.

hosang I.T.

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

CSOonline

Members
  • Joined

  • Last visited

    Never

Everything posted by CSOonline

  1. hotocosmos1 – shutterstock.com Die Bundesregierung will auf Cyberangriffe künftig offensiver reagieren. “Wir werden zurückschlagen, auch im Ausland. Wir werden Angreifer stören und ihre Infrastruktur zerstören”, sagte Bundesinnenminister Alexander Dobrindt (CSU) der «Süddeutschen Zeitung». Deutschland werde die Schwelle für solche Schritte niedrig ansetzen. Verantwortlich für solche Gegenschläge sollen laut Dobrindt Geheimdienste und das Bundeskriminalamt gemeinsam sein. Um die Arbeit der verschiedenen Ebenen besser zu koordinieren, plane das Innenministerium ein neues Abwehrzentrum gegen hybride Gefahren, das derzeit vom Bundesamt für Verfassungsschutz vorbereitet werde und im Laufe dieses Jahres seine Arbeit aufnehmen solle. Geheimdienste sollen neue Befugnisse bekommen Dobrindt beklagte, Deutschland erlebe ständig Cyberangriffe – auf Institutionen, Infrastruktur und Unternehmen. Oft gingen die Attacken von Gruppen aus, die Verbindungen zu staatlichen Geheimdiensten hätten und von diesen finanziert würden, so der CSU-Politiker mit Blick auf hybride Angriffe aus Russland und anderen Teilen der Welt. “Das können wir nicht hinnehmen.” Deutschlands Geheimdienste sollen Dobrindt zufolge auch bei der Informationsbeschaffung und weiteren Aktivitäten neue Befugnisse bekommen. “Wir waren zu lange abhängig von den Informationen anderer. Für mich ist klar: Wir brauchen auch eine Zeitenwende bei den Geheimdiensten”, sagte er. Er wolle den Diensten ermöglichen, selbst an mehr Informationen zu kommen und auch operativ zu handeln. Bereits im ersten Halbjahr werde er dafür Gesetze vorlegen. (dpa/jm) View the full article
  2. Last year was defined by AI hype, new attack models, and intensifying global tensions. As 2026 begins, security teams are asking what the next phase will look like. Will AI continue to accelerate risk, or will controls and governance finally catch up? CSO spoke to 10 security leaders about their predictions and aspirations for 2026. Governance scrambles to keep pace with AI As AI becomes deeply embedded in day-to-day business operations, security leaders are being pushed to scale governance models far faster than before. For Barry Hensley, CSO at Brown & Brown, this translates to strengthening data guardrails by expanding data loss protection and monitoring, tightening identity controls, and introducing governance across both human and machine identities. That push towards structure and oversight is also reshaping how organizations define security at scale. As United Airlines CISO Deneen DeFiore puts it, 2026 security will be less about perimeter defense and more about operational resilience at scale. “Threat actors will increasingly use generative AI to automate reconnaissance, social engineering, and exploit chaining, while defenders will rely on AI to prioritize risk, accelerate detection, and reduce response times,” she says. “The differentiator won’t be whether organizations use AI, but how well they govern, tune, and trust it.” Meanwhile, Repurpose It CISO Noel Toal predicts that AI risk frameworks will increasingly reach board level. He believes these frameworks will give directors the structure and confidence to ask harder questions about AI exposure, triggering audits and help unlock long-needed security funding. DeFiore also expects governance conversations to shift beyond traditional risk management and towards continuous cyber resilience. “Boards and regulators are already asking not just, ‘Can you prevent an attack?’ but “Can you continue operating when one happens?’” She believes that changes will drive deeper investment in identity security, segmentation, recovery testing, and third-party resilience rather than point solutions. AI agents to reshape the threat landscape But those same AI technologies are also changing the threat landscape. Toal points to a recent Anthropic report that documented the first large-scale AI-enabled cyberattack as an early warning sign. “I guarantee attackers will be more focused on using AI agents for what they want than a lot of businesses, because businesses in general are still very slow to adopt AI agents.” In response, Toal says organizations will need to secure their ownAI agents with the same rigor applied to human users. “We’ll have to treat internal AI agents as identities, and monitor what they access, when they run, and whether their behavior makes sense,” he says. Without that shift, he cautions, organizations risk unleashing tools inside their networks that attackers could readily turn against them. Challenger CISO Katie Payten agrees the rise of agentic AI fundamentally expands the identity attack surface. “The perimeter isn’t just the external perimeter anymore; identity is the perimeter.” She adds that as organizations deploy AI agents internally, governance must extend beyond human users. “Knowing what your agent has access to, how it’s making decisions, and taking responsibility for that will be essential.” As AI becomes more deeply integrated, the sensitive data these systems rely on will become “an increasingly attractive target”, with more AI-enabled attack methods “poised to occupy a growing share of the threat landscape,” according to Michael Garvin, CISO at Jaggaer. As a result, he believes data security posture management will also become more important. “Because AI depends on large volumes of high-quality, sensitive data, organizations will need better visibility into how that data is accessed, classified, and protected.” For Gergana Winzer, partner and cyber security mid-market lead at KPMG, the real threat with AI is not just scale, but autonomy. She warns that AI-driven attacks will increasingly make their own target and execution decisions, reducing the need for human involvement. “Everything can be automated today, not only on the side of companies, but also on the side of the criminals,” she says, raising questions about how AI-enabled threats could extend beyond the digital realm into the physical world through AI-powered drones, for instance. Security teams will consolidate visibility and automate response When asked about what else 2026 could mean for the global security industry, Ramsay Healthcare CISO Manal Al-Sharif believes AI will play a crucial role in helping consolidate telemetry into a single view. “When you bring everything in, it’s easy to triage and prioritize,” she says. “Having that single point of view means you’re correlating everything at the same time, so you know where you’re exposed most … [and] before those threats become incidents.” Garvin expects security strategies to evolve inside SOCs as AI becomes more embedded. “The biggest shift will be the deeper integration of AI into defensive security operations. Organizations will increasingly invest in securing AI models and data pipelines, and they will evolve penetration testing and adversarial testing approaches to evaluate AI systems with the same rigor applied to traditional applications.” Nadia Veeran-Patel, CISO at LRMG, has already seen this reshape incident workflows firsthand. “Our analysts were looking at incidents individually as they came through as alerts, but when AI brought them together as a collection, you suddenly realize those alerts are actually a series of events that led to something bigger.” DeFiore also expects a fundamental shift in how security teams operate day to day. In 2026, she wants teams spending less time reacting to alerts and more time on anticipation and enablement, by using automation, better data, and tighter integration with IT and business partners to reduce friction and accelerate decision-making. She adds what’s equally important is continued investment in people and culture. “Technology evolves quickly, but resilient organizations are built by teams that are well-trained, empowered, and aligned to a shared mission,” she says. “Creating clarity around risk ownership and decision-making is just as critical as any tool we deploy. Ultimately, success looks like a security program that enables innovation, withstands disruption, and earns trust at every level of the organization, from the boardroom to the front line.” Toal expects AI-driven orchestration to become a defining feature of modern SOCs in 2026, as AI increasingly isolates compromised endpoints, blocks malicious IPs, rolls back ransomware in real time, and maps an attacker’s path. “The mean time to response would be vastly reduced. Instead of taking hours to respond to an incident, you could start to respond hopefully within seconds … [and] engage properly.” SMEs will become prime targets amid rising automation Winzer adds 2026 will mark a decisive shift, with SMEs becoming primary targets for ransomware. According to the 2025 Verizon data breach report, ransomware made up 44% of all breaches globally, and SMEs represented a disproportionate percentage of victims. “Why? Because they’re easy now … the rationale is they have limited security maturity and they cannot absorb outages, so they end up paying [the ransomware], even though the government is saying, ‘Don’t pay’. But it’s really difficult for them to negotiate because they don’t have the budget to put proper recovery plans in place.” Winzer warns that AI-driven reconnaissance is accelerating this trend. “AI today is very capable. You can press a button and very quickly do a huge amount of damage within a few seconds.” Combined with gaps in mid-market MSSP coverage, which are “not necessarily as complete”, she says that makes it very easy for the attackers to go after SMEs. Veeran-Patel has seen a similar escalation in criminal tactics. “We have seen attackers routinely employing what we call triple extortion, where they combine not only data encryption, data leaking/extortion, and also leveraging third parties, like customers, regulators, and vendors, to put pressure on their victims to pay the ransoms.” Even so, Winzer is cautiously optimistic that vendors will begin delivering more tailored solutions to the mid-market. “They did not do before. Now they’re realizing this is a huge target, and it’s also an opportunity to provide services.” Supply chains remain vulnerable as nation-state activity intensifies Winzer sees critical infrastructure as a primary cyber battlefield. Operational environments are “far more reachable,” she says, due to IT/OT convergence, cloud-connected control systems, and remote-access pathways that remain exposed even when partial segmentation exists. Payten warns that data risk is increasingly hidden within complex supply chains, as organizations rely on expanding ecosystems of third-party and SaaS providers. That reliance, she says, quietly compounds exposure. “We’re using so many third parties, and those third parties use their own third parties; they become fourth parties,” she says. The challenge is not just assessing vendors at the point of engagement but maintaining visibility over where sensitive data ultimately resides. “You can’t outsource your accountability,” Payten says. “You still own the data.” Healthcare and local councils remain high-risk targets as well, driven by low cyber budgets, sensitive population data and the high cost of downtime, Winzer adds. “Before [attackers] were going after the cash only. But now they’re looking at reputational damage, because that causes organizations to pay faster.” Veeran-Patel expects nation-state pressure to intensify too, warning that geopolitical conflict is increasingly being played out in cyberspace. “Cyber warfare is a real thing,” she says. “Wars are no longer going to be fought on the front lines with soldiers on the ground. They are likely going to be fought with buttons.” Her concern is that many governments are still not treating the risk with the level of urgency it requires, despite signs of critical infrastructure in developing nations already being taken offline by hostile actors. Vendors must deliver secure-by-design products Al-Sharif believes 2026 will be the year when the industry confronts a long-ignored truth that non-malicious insiders are not the main problem. “My issue is with the technology makers,” she says. “They still give me a car with no brake, no lock, no seatbelts. They sell it to me and find a way for me to sign away my rights … my issue is that technology makers need to be held accountable for creating flawed technology.” She predicts insecure defaults will become untenable as incidents continue to trace back to weak authentication and outdated access controls. She says the problem is especially visible in healthcare, where connected devices still arrive with default passwords and cannot be patched without voiding warranties. “I want the government to make sure there’s a way to measure how secure those devices are before I connect a life support machine to them.” Payten echoes concerns about insecure defaults and poorly secured connected devices. From routers to smart appliances, she highlights default credentials and weak configurations remain widespread. “There are still people with default passwords on their routers … and now there are so many connected devices.” Now is the time to prepare for post-quantum cryptography Zoe Hearn, head of cybersecurity strategy and governance at Insignia Financial, says rising expectations from customers, regulators, and governments are pushing organizations to take a more proactive role in preparing for the post-quantum era. She points out how simply complying with emerging standards will not be enough. “With quantum-vulnerable encryption set to be phased out by 2030, now is the time to invest in future-ready security infrastructure,” she says. For Hearn, the shift demands leadership, not just technical uplift, as quantum risk increasingly becomes a board-level conversation. Timothy Youngblood, CISO in residence at Astrix Security and former CISO at McDonald’s and T-Mobile, shares the same concern. He expects progressive enterprises to begin mapping their quantum security in preparation of the mainstream arrival of the technology. “The more progressive enterprises are going to start to assess their quantum security gaps, who are the partners that they need to address that,” he says. “It has the potential to be another Y2K. It’s a slow-moving Y2K. Of course, people are going to be caught off guard whenever quantum becomes mainstream, and that’s coming. It’s time to assess what the strategies are.” Toal believes boards will soon pay closer attention to quantum risk as well. He notes that attackers are already harvesting encrypted data today in anticipation of future decryption. “It might still be slightly behind AI recognition, but I think boards are going to realize they have a longer-term problem,” he says. Auditors, he predicts, will begin raising quantum preparedness in security reviews, forcing it onto roadmaps. “If they’re not addressing the fact that a minor breach today could become a major problem in the near future, that’s a gap boards will need to reckon with.” View the full article
  3. Last year was defined by AI hype, new attack models, and intensifying global tensions. As 2026 begins, security teams are asking what the next phase will look like. Will AI continue to accelerate risk, or will controls and governance finally catch up? CSO spoke to 10 security leaders about their predictions and aspirations for 2026. Governance scrambles to keep pace with AI As AI becomes deeply embedded in day-to-day business operations, security leaders are being pushed to scale governance models far faster than before. For Barry Hensley, CISO at Brown & Brown Insurance, this translates to strengthening data guardrails by expanding data loss protection and monitoring, tightening identity controls, and introducing governance across both human and machine identities. That push towards structure and oversight is also reshaping how organizations define security at scale. As United Airlines CISO Deneen DeFiore puts it, 2026 security will be less about perimeter defense and more about operational resilience at scale. “Threat actors will increasingly use generative AI to automate reconnaissance, social engineering, and exploit chaining, while defenders will rely on AI to prioritize risk, accelerate detection, and reduce response times,” she says. “The differentiator won’t be whether organizations use AI, but how well they govern, tune, and trust it.” Meanwhile, Repurpose It CISO Noel Toal predicts that AI risk frameworks will increasingly reach board level. He believes these frameworks will give directors the structure and confidence to ask harder questions about AI exposure, triggering audits and help unlock long-needed security funding. DeFiore also expects governance conversations to shift beyond traditional risk management and towards continuous cyber resilience. “Boards and regulators are already asking not just, ‘Can you prevent an attack?’ but “Can you continue operating when one happens?’” She believes that changes will drive deeper investment in identity security, segmentation, recovery testing, and third-party resilience rather than point solutions. AI agents to reshape the threat landscape But those same AI technologies are also changing the threat landscape. Toal points to a recent Anthropic report that documented the first large-scale AI-enabled cyberattack as an early warning sign. “I guarantee attackers will be more focused on using AI agents for what they want than a lot of businesses, because businesses in general are still very slow to adopt AI agents.” In response, Toal says organizations will need to secure their ownAI agents with the same rigor applied to human users. “We’ll have to treat internal AI agents as identities, and monitor what they access, when they run, and whether their behavior makes sense,” he says. Without that shift, he cautions, organizations risk unleashing tools inside their networks that attackers could readily turn against them. Challenger CISO Katie Payten agrees the rise of agentic AI fundamentally expands the identity attack surface. “The perimeter isn’t just the external perimeter anymore; identity is the perimeter.” She adds that as organizations deploy AI agents internally, governance must extend beyond human users. “Knowing what your agent has access to, how it’s making decisions, and taking responsibility for that will be essential.” As AI becomes more deeply integrated, the sensitive data these systems rely on will become “an increasingly attractive target”, with more AI-enabled attack methods “poised to occupy a growing share of the threat landscape,” according to Michael Garvin, CISO at Jaggaer. As a result, he believes data security posture management will also become more important. “Because AI depends on large volumes of high-quality, sensitive data, organizations will need better visibility into how that data is accessed, classified, and protected.” For Gergana Winzer, partner and cyber security mid-market lead at KPMG, the real threat with AI is not just scale, but autonomy. She warns that AI-driven attacks will increasingly make their own target and execution decisions, reducing the need for human involvement. “Everything can be automated today, not only on the side of companies, but also on the side of the criminals,” she says, raising questions about how AI-enabled threats could extend beyond the digital realm into the physical world through AI-powered drones, for instance. Security teams will consolidate visibility and automate response When asked about what else 2026 could mean for the global security industry, Ramsay Healthcare CISO Manal Al-Sharif believes AI will play a crucial role in helping consolidate telemetry into a single view. “When you bring everything in, it’s easy to triage and prioritize,” she says. “Having that single point of view means you’re correlating everything at the same time, so you know where you’re exposed most … [and] before those threats become incidents.” Garvin expects security strategies to evolve inside SOCs as AI becomes more embedded. “The biggest shift will be the deeper integration of AI into defensive security operations. Organizations will increasingly invest in securing AI models and data pipelines, and they will evolve penetration testing and adversarial testing approaches to evaluate AI systems with the same rigor applied to traditional applications.” Nadia Veeran-Patel, CISO at LRMG, has already seen this reshape incident workflows firsthand. “Our analysts were looking at incidents individually as they came through as alerts, but when AI brought them together as a collection, you suddenly realize those alerts are actually a series of events that led to something bigger.” DeFiore also expects a fundamental shift in how security teams operate day to day. In 2026, she wants teams spending less time reacting to alerts and more time on anticipation and enablement, by using automation, better data, and tighter integration with IT and business partners to reduce friction and accelerate decision-making. She adds what’s equally important is continued investment in people and culture. “Technology evolves quickly, but resilient organizations are built by teams that are well-trained, empowered, and aligned to a shared mission,” she says. “Creating clarity around risk ownership and decision-making is just as critical as any tool we deploy. Ultimately, success looks like a security program that enables innovation, withstands disruption, and earns trust at every level of the organization, from the boardroom to the front line.” Toal expects AI-driven orchestration to become a defining feature of modern SOCs in 2026, as AI increasingly isolates compromised endpoints, blocks malicious IPs, rolls back ransomware in real time, and maps an attacker’s path. “The mean time to response would be vastly reduced. Instead of taking hours to respond to an incident, you could start to respond hopefully within seconds … [and] engage properly.” SMEs will become prime targets amid rising automation Winzer adds 2026 will mark a decisive shift, with SMEs becoming primary targets for ransomware. According to the 2025 Verizon data breach report, ransomware made up 44% of all breaches globally, and SMEs represented a disproportionate percentage of victims. “Why? Because they’re easy now … the rationale is they have limited security maturity and they cannot absorb outages, so they end up paying [the ransomware], even though the government is saying, ‘Don’t pay’. But it’s really difficult for them to negotiate because they don’t have the budget to put proper recovery plans in place.” Winzer warns that AI-driven reconnaissance is accelerating this trend. “AI today is very capable. You can press a button and very quickly do a huge amount of damage within a few seconds.” Combined with gaps in mid-market MSSP coverage, which are “not necessarily as complete”, she says that makes it very easy for the attackers to go after SMEs. Veeran-Patel has seen a similar escalation in criminal tactics. “We have seen attackers routinely employing what we call triple extortion, where they combine not only data encryption, data leaking/extortion, and also leveraging third parties, like customers, regulators, and vendors, to put pressure on their victims to pay the ransoms.” Even so, Winzer is cautiously optimistic that vendors will begin delivering more tailored solutions to the mid-market. “They did not do before. Now they’re realizing this is a huge target, and it’s also an opportunity to provide services.” Supply chains remain vulnerable as nation-state activity intensifies Winzer sees critical infrastructure as a primary cyber battlefield. Operational environments are “far more reachable,” she says, due to IT/OT convergence, cloud-connected control systems, and remote-access pathways that remain exposed even when partial segmentation exists. Payten warns that data risk is increasingly hidden within complex supply chains, as organizations rely on expanding ecosystems of third-party and SaaS providers. That reliance, she says, quietly compounds exposure. “We’re using so many third parties, and those third parties use their own third parties; they become fourth parties,” she says. The challenge is not just assessing vendors at the point of engagement but maintaining visibility over where sensitive data ultimately resides. “You can’t outsource your accountability,” Payten says. “You still own the data.” Healthcare and local councils remain high-risk targets as well, driven by low cyber budgets, sensitive population data and the high cost of downtime, Winzer adds. “Before [attackers] were going after the cash only. But now they’re looking at reputational damage, because that causes organizations to pay faster.” Veeran-Patel expects nation-state pressure to intensify too, warning that geopolitical conflict is increasingly being played out in cyberspace. “Cyber warfare is a real thing,” she says. “Wars are no longer going to be fought on the front lines with soldiers on the ground. They are likely going to be fought with buttons.” Her concern is that many governments are still not treating the risk with the level of urgency it requires, despite signs of critical infrastructure in developing nations already being taken offline by hostile actors. Vendors must deliver secure-by-design products Al-Sharif believes 2026 will be the year when the industry confronts a long-ignored truth that non-malicious insiders are not the main problem. “My issue is with the technology makers,” she says. “They still give me a car with no brake, no lock, no seatbelts. They sell it to me and find a way for me to sign away my rights … my issue is that technology makers need to be held accountable for creating flawed technology.” She predicts insecure defaults will become untenable as incidents continue to trace back to weak authentication and outdated access controls. She says the problem is especially visible in healthcare, where connected devices still arrive with default passwords and cannot be patched without voiding warranties. “I want the government to make sure there’s a way to measure how secure those devices are before I connect a life support machine to them.” Payten echoes concerns about insecure defaults and poorly secured connected devices. From routers to smart appliances, she highlights default credentials and weak configurations remain widespread. “There are still people with default passwords on their routers … and now there are so many connected devices.” Now is the time to prepare for post-quantum cryptography Zoe Hearn, head of cybersecurity strategy and governance at Insignia Financial, says rising expectations from customers, regulators, and governments are pushing organizations to take a more proactive role in preparing for the post-quantum era. She points out how simply complying with emerging standards will not be enough. “With quantum-vulnerable encryption set to be phased out by 2030, now is the time to invest in future-ready security infrastructure,” she says. For Hearn, the shift demands leadership, not just technical uplift, as quantum risk increasingly becomes a board-level conversation. Timothy Youngblood, CISO in residence at Astrix Security and former CISO at McDonald’s and T-Mobile, shares the same concern. He expects progressive enterprises to begin mapping their quantum security in preparation of the mainstream arrival of the technology. “The more progressive enterprises are going to start to assess their quantum security gaps, who are the partners that they need to address that,” he says. “It has the potential to be another Y2K. It’s a slow-moving Y2K. Of course, people are going to be caught off guard whenever quantum becomes mainstream, and that’s coming. It’s time to assess what the strategies are.” Toal believes boards will soon pay closer attention to quantum risk as well. He notes that attackers are already harvesting encrypted data today in anticipation of future decryption. “It might still be slightly behind AI recognition, but I think boards are going to realize they have a longer-term problem,” he says. Auditors, he predicts, will begin raising quantum preparedness in security reviews, forcing it onto roadmaps. “If they’re not addressing the fact that a minor breach today could become a major problem in the near future, that’s a gap boards will need to reckon with.” View the full article
  4. Fortinet has confirmed that a new attack campaign observed recently against customer devices is exploiting an unpatched issue to bypass authentication. The new attacks are different from a previous campaign seen in December that targeted two vulnerabilities related to FortiCloud single sign-on (SSO) authentication. “Recently, a small number of customers reported unexpected login activity occurring on their devices, which appeared very similar to the previous issue,” the Fortinet product security team said in a blog post. “However, in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path.” Fortinet is currently working on fixing the new issue, which impacts not only FortiCloud SSO, but all SAML SSO implementations. It’s worth noting that FortiCloud SSO is not enabled by default on devices but can become enabled when an administrator registers the device with FortiCare product support from the device’s management interface. Reports of similar attacks Fortinet patched two improper cryptographic signature verification issues, CVE-2025-59718 and CVE-2025-59719, in December. These flaws could be exploited to bypass authentication on devices with FortiCloud SSO enabled by sending specially crafted SAML messages. Soon after the patches were released, attackers reverse engineered them and launched a campaign to extract configuration files from vulnerable devices. Those files included hashed credentials for other user accounts and details that would allow network mapping. This week, researchers from security firm Arctic Wolf reported seeing a new attack campaign that started around Jan. 15 in which attackers similarly extracted firewall configurations but also used their access to create new generic accounts and give VPN access to them. The company noted at the time that it was unsure whether this activity was related to the two December vulnerabilities or to a new zero-day vulnerability. Fortinet has now confirmed the latter. The December flaws affected FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager, so it’s reasonable to assume the new issue impacts the same devices. The Fortinet blog post references the same indicators of compromise listed in the Arctic Wolf report, namely malicious accounts created with the email addresses [email protected] and [email protected]. Other admin accounts are created with the names: audit, backup, itadmin, secadmin, and support. Mitigation If these or other IOCs such as IP addresses are identified in configurations or the device logs, the system and its configuration should be considered compromised. Fortinet recommends updating the device to the latest available software release, restoring a configuration from a clean backup, and rotating all credentials, including any LDAP/AD accounts that may be connected to the FortiGate devices. The setting “Allow administrative login using FortiCloud SSO” should be set to off, but if any third-party SSO systems are enabled they can still be abused. Administrative access should not be enabled from the Internet for network-edge devices, so Fortinet PSIRT shared a policy configuration that restricts access to the administrative interface only to specific subnets of IP addresses. View the full article
  5. Cybercriminals have built structured criminal groups with an organizational model similar to that of a legitimate business. “Cybercrime has become industrialized, a return on investment (ROI)-oriented economy, focused on speed and monetization,” according to Martin Zugec, Bitdefender’s director of technical solutions. Zugec explains that this modus operandi of cybercriminal groups is characterized by a high degree of specialization, which includes initial access brokers or ransomware-as-a-service (RaaS) affiliates. “Today, sophistication is not measured by the complexity of the tools, but by the simplicity and speed of the execution chain,” says Zugec. This change requires a shift from a threat detection-based approach to one focused on prevention. “Detection has become a commodity that attackers routinely evade so organizations must go beyond reactive monitoring,” says Zugec. “The goal should be to break attackers’ playbooks and make internal environments inherently hostile to them through proactive hardening that eliminates the operational space they need to succeed.” The business of cybercrime isn’t new “Cybercrime has been operating as an industry for years, meaning it has become professionalized and attacks have been modularized,” says Guillermo Fernández, director of sales engineering for southern Europe at WatchGuard Technologies. In practice, this means that it is no longer necessary for a single attacker to know how to do everything, but rather that the crime is divided into specialties (some steal and resell credentials, others develop and maintain ransomware, others provide infrastructure and negotiation, etc.) and all of this is packaged into models as a service, as we see in the case of ransomware-as-a-service. “This lowers the barrier to entry and reduces the cost of attacking, which explains why we are seeing more and more campaigns and higher volumes,” says Fernández. In addition, AI helps accelerate the scale and sophistication of some phases or tasks, such as reconnaissance, personalization of deceptions, or automation of parts of the process. How big is it? “The global economic impact of cybercrime is close to $10 trillion. If it were a country’s economy, it would be one of the three world powers, behind only the United States and China. For organizations, this means that it is not enough to react to incidents. Defense must take the same business approach: anticipation, risk management, operational continuity, and resilience by design,” says Juan Francisco Moreda, director of /fsafe, Fibratel’s cybersecurity unit. As a result, cybercrime has become a fully industrialized criminal economy, according to Moreda. “Today we are talking about highly specialized organizations, with as-a-service models (ransomware, phishing, malware), their own supply chains, and a clear focus on profitability and scalability.” That is why Martín Trullás, director of Advanced Solutions at Ingram Micro Spain, believes that cybercrime operates with well-organized structures, different professional profiles in its ranks, short- and long-term objectives, and financing that allows it to improve its model with new technology and new strategies to achieve the success of its operations. “Cybercriminals are no longer isolated individuals with computer skills and a desire for quick and easy money, but actors who, in some cases, appear to have state support to use them as part of a struggle that transcends the economic and digital spheres and often enters the realm of geopolitics.” However, in his opinion, there are still simple gangs of cybercriminals whose goal is money or data, which they then turn into profit by reselling it to third parties. “What’s happening is that they now have better access to more powerful technologies with which they can streamline their operations, attacking with greater speed and in a massive and scalable way. This changes the approach to cyber defense: we can no longer be reactive, equipping companies and users with different levels of ‘shields’ and sitting back to wait for the attack to repel it, but rather we must take action,” Trullás adds. That is why Trullás believes that the best cyber defense strategy must combine passive security with active monitoring of the entire digital ecosystem of the company or user, to reduce the time taken to detect and respond to an incident to limit damage. Evolution of the security strategy Alessandro Armenia, global head of cybersecurity at ReeVo, believes that three key aspects are emerging in the current landscape: “First, attacks are no longer isolated events, but coordinated, in some cases automated, operations that often originate within the organizations themselves, for example, due to human error or exposed credentials. Second, the time factor plays a decisive role: even today, many companies realize they are under attack when it is already too late. Finally, the attack surface is growing faster than companies’ ability to manage it.” As a result, the defense strategy must also evolve. “It can no longer be based solely on compliance or one-off interventions, but must be continuous, structured, and resilience-oriented,” Armenia explains. And that’s despite the fact that companies have the necessary tools to manage their attack surface. “Where they often fail is in the governance model: cybersecurity continues to be approached as a series of isolated compliance exercises over time, and it is precisely in the gaps between one exercise and another that the attacker manages to infiltrate and carry out the attack.” Because the reality is: an IT outage becomes a serious problem when the company does not have a plan. “A prepared organization, with defined and tested procedures, is able to recover in a matter of minutes; those that are not prepared run the risk of losing hours, days, and, in some cases, their reputation,” Armenia concludes. As a result, cybercriminals now have organizational models similar to those of companies. “You can see that there are different types of profiles in these groups, depending on the size of the organization, from the more technical ones, who work in a coordinated team, to the more commercial ones, who are in charge of dealing with victims when negotiation is necessary,” warns David Sancho, senior threat researcher at Trend Micro. Furthermore, Sancho explains that they often also have people who are responsible for selling the product created to partners or customers, which in the business world would correspond to the channel or the marketing. This is already a reality.” Established groups Abraham Vázquez, pre-sales engineer at Infinigate Iberia, gives examples such as the DragonForce or Anubis groups, which “operate as genuine criminal service providers, offering infrastructure, management panels, technical support, and different extortion models. It is a highly fragmented ecosystem, but at the same time very resilient, capable of adapting and regenerating quickly.” This leads him to conclude that the main implication for defense is that it is no longer enough to react to the final attack. “It is necessary to disrupt the entire criminal chain, reinforcing identity as a central pillar of security, prioritizing proper credential hygiene, greater telemetry capabilities, and rapid containment mechanisms that limit the impact from the early stages of the attack,” Vázquez adds. And the outlook is not promising. “According to the World Economic Forum, the cybercrime economy will continue to grow, reaching $23 trillion by 2027. Industrialized ransomware, automated fraud networks, and converging crime models will drive this growth,” says Gorka Sainz, director of systems engineering at Fortinet Iberia. The role of AI and automation “AI is the new fuel for the criminal economy. It allows them to scale attacks as if they were marketingcampaigns, “argues Salvador Sánchez Taboada of CyberProofUST. A glance at the business landscape is enough to see that artificial intelligence has become a real multiplier of scale for the criminal economy, enabling the generation of highly granular and personalized phishing campaigns on demand, as Abraham Vázquez argues. “This includes everything from deepfakes of executives to increasingly evasive malware, supported by tools such as WormGPT or FraudGPT. Thanks to these capabilities, attacks are more credible, difficult to detect, and easy to replicate.” As an example, CrowdStrike’s Threat Hunting report 2025 reveals how cybercriminals are targeting the tools used to build AI agents. “Their goal is to gain access, steal credentials, and deploy malware, highlighting how autonomous systems and non-human identities are a key part of today’s enterprise attack surface and a growing enabler of large-scale automated attacks,” says Álvaro del Hoy, technology strategist at CrowdStrike. Add to this, that criminal groups are integrating generative AI directly into ransomware, “using it to automatically create variants and optimize processes such as executing attacks, negotiating with victims, and extortion strategies,” says Abraham Vázquez On the other hand, automation is key to streamlining access, lifecycle, and permission processes, but it also recognizes that attackers seek to exploit identities and privileges at scale, says Albert Barnwell, director of sales for Iberia at CyberArk. “This means that offensive automation allows cybercriminals to move faster and exploit compromised identities without friction. Thus, organizations must respond with defensive automation, especially in the management of identity lifecycle, permissions, and rights,” Barnwell adds. We are already reaching a point where the entire attack cycle can be automated through orchestration: agents who investigate a company and its employees (including social media footprints, interests, and potential weaknesses), others who generate highly targeted and convincing phishing, and chains that lead to malware infection, according to Guillermo Fernández. “From there, the malware itself can learn about the environment and find out what tools and defenses are in place within the company in order to adjust its technique and maximize its impact,” he says. And this doesn’t stop at initial access, as even extortion can be automated. It is even possible for the ransom negotiation to be carried out by a bot that adapts its discourse and conditions based on the responses to squeeze out the payment. Martin Zugec says AI is not a magic bullet for attackers. While it has significantly helped to scale social engineering attacks, removing language barriers and improving the quality of decoys, these tools are not particularly useful for the heavier work of an intrusion. “We see very little evidence that AI is successfully replacing human expertise in vulnerability research or exploit development. The RaaS ecosystem relies on trust and human ingenuity. The main drivers of successful attacks continue to be hackers and affiliates who operate manually and navigate complex networks. The question is not what AI is capable of doing in theory, but whether it makes sense from an economic standpoint. For a professional threat actor, the cost of managing, adjusting, and securing an AI framework often outweighs the efficiency gains over traditional and proven hacking techniques,” Zugec elaborates. Main threats and attack vectors in 2026 The current geopolitical context does not invite optimism either. Carlos Castañeda-Marroquin, head of pre-sales and business development at Serval Networks, believes that “in 2026, we will see an increase in hybrid threats driven by geopolitical tensions, where cyberspace is used as an extension of economic and strategic conflicts between states and related groups. This will translate into espionage, digital sabotage, and disinformation campaigns targeting both critical infrastructure and key industrial sectors.” The theft of credentials and tokens, the use of infostealers, or the abuse of valid access, combined with a greater emphasis on malware-free techniques and hands-on-keyboard activity, have been gaining ground in recent months, according to David López García, director of operations at Factum. All of this leads, in many cases, to system intrusions that evolve into ransomware and extortion, with increasingly shorter, more automated attack cycles that are clearly aimed at operational and economic impact. López García also warns that in 2026, the extended perimeter and relationships with third parties will gain prominence. “Faced with a larger surface area of exposure, cybercriminals find more opportunities to exploit configurations, identities, and external dependencies, with a greater likelihood of finding a breach in the supply chain.” Consequently, the challenge for organizations is no longer just to protect their systems but to effectively govern an interconnected digital ecosystem, where trust becomes one of the most critical assets and having solid solutions or allies is an operational necessity. In terms of attack vectors, Guillermo Fernández believes that vulnerabilities and weak configurations in remote access and VPNs will continue to be prominent, in addition to the compromise of SaaS tools (accounts, permissions, integrations). “And on the human front, social engineering will become even more effective with advanced phishing and image and voice deepfakes, increasing the risk of fraud. Likewise, we will see more impersonation and initial access. WatchGuard also anticipates that 2026 may be the year of the first agent-based AI-orchestrated end-to-end breach, bringing offensive automation to ‘machine speed,'” Fernández says. Are companies investing enough in cyber defenses? A ‘cybersecurity poverty line’ that affects not only budgets, but the availability of strategic leadership and capabilities to define roadmaps, understand key metrics, and evolve toward maturity goals, is an existing issue according to Rafe Pilling, director of threat intelligence at Sophos X-Ops. “The strong performance of the cybersecurity market does not eliminate the fundamental gap between real risk and management perception. Sophos predicts that many of the most serious disruptions in 2026 will not be the result of sophisticated techniques, but of basic security hygiene failures that are entirely preventable,” he explains. Pilling argues that the reality is that having a CISO in a company is now a luxury, highlighting the magnitude of the specialized talent deficit. Companies must understand cyber resilience as a strategic priority at the management level and not just as a technological challenge. This gap between available capabilities and real threats explains why most organizations lack the visibility, controls, and expertise necessary to defend themselves effectively against a highly industrialized criminal ecosystem. What is clear is that as cyber threats increase, organizations are facing the reality that security attacks are not just a possibility, but a certainty. “At the same time, it is estimated that there is a global shortage of more than 4.7 million qualified professionals, which means that critical security positions are not being filled when they are most needed,” says Gorka Sainz. “There remains a clear gap in effectiveness,” says Abraham Vázquez. In his opinion, “many organizations still lack real visibility into their risk exposure, boards of directors maintain a limited level of confidence in defensive capabilities, and third parties continue to play a significant role, being involved in approximately 30% of security breaches.” On the other hand, there is still a gap between the complexity of the environment (hybrid, SaaS, multi-cloud) and the maturity of identity controls. Likewise, many organizations still do not consistently apply intelligent privilege controls, while the need to automate the identity and permission lifecycle indicates that current investment is not always sufficient or well targeted. And not only does this gap exist, but there is also a cultural gap, as Salvador Sánchez Taboada points out. “Many management teams see cybersecurity as an expense, not as a lifesaver,” he acknowledges. In Spain and Latin America, we are working to change that view, relying on integration through AI between existing risk plans and new threats: investing in resilience is like investing in good foundations before building a house. Every change of cycle reminds us that the invisible—like foundations—supports everything we value.” Increased spending “is often diverted toward AI hype and supposedly miraculous solutions driven by marketing, rather than addressing real risks,” argues Martin Zugec. That’s why he believes attackers have evolved toward simpler, harder-to-detect techniques, such as LOTL or ClickFix, which weaponize legitimate system tools and user interactions to bypass security layers. “This disconnect between where defenders invest and how attackers evolve is a dangerous trend, clearly visible when comparing the findings of real forensic investigations with the narratives popularized in professional networks. This disconnect is reckless,” he warns. CISO priorities In this context, CISOs are forced to continually rethink their defense strategies. “Beyond having solid internal teams and adequate prevention tools, it is increasingly necessary to complement these capabilities with trusted technology partners and insurers capable of managing cyber risk in a more holistic way,” says Vincent Nguyen, director of cybersecurity at Stoïk. As attackers professionalize and scale their operations, Nguyen believes that effective defense requires a proactive and integrated approach that combines advanced cybersecurity solutions, risk transfer through cyber insurance, and operational support when an incident occurs. “Strategic partners with a cross-functional view of risk can accompany organizations before, during, and after an attack, strengthening resilience without replacing internal security leadership,” he adds. In any case, Martín Trullas acknowledges that there is no single winning strategy for the CISO, but rather a set of different strategies focused on different areas. “On the one hand, identity security must be strengthened, as it can become a gateway for more serious attacks. And this identity security should no longer be understood only as ‘human identity’ but must also focus on the identity of connected devices, which can also become vectors for attack,” he explains. “At the same time, it is necessary to implement organizational and mindset changes within the company: proper governance, cybersecurity training for all employees, promotion of best practices to reduce risks, and a culture of proactivity to reduce detection and response time in the event of an attack. The entire company must be involved in these processes, because leaving cybersecurity as the sole responsibility of the CISO or the department on duty is a mistake that can be very costly.” Of course, this requires CISOs to have the right resources. “And they don’t have it easy, with often unrealistic expectations that cause them to experience signs of burnout,” says Fernando Anaya, general manager of Proofpoint for Spain and Portugal. Anaya cites this data: “In Spain, 51% of security managers say they still lack the necessary means to meet their objectives. Similarly, it is crucial to strengthen incident response capabilities, especially considering that a third of Spanish organizations admit to being unprepared. A much more proactive approach is also needed to foster a culture of cybersecurity that goes beyond simply trusting users and includes concrete and effective actions to reduce data loss. The pressure on CISOs is increasing as these resource constraints are combined with such a rapidly changing threat environment, making it imperative that they work to align themselves strategically with their organizations’ boards of directors, seeking a shared vision that ensures the necessary support and appropriate decision-making. At the same time, Abraham Vázquez believes that it will be essential to advance zero–trust models and perimeter hardening, eliminating legacy VPNs and accelerating patching processes in edge environments, as well as ensuring proven resilience through immutable backups and isolated recovery environments. “The automation of detection and response, supported by SOAR and AI platforms, will enable the cycle between detection and containment to be closed efficiently, effectively reducing response times. Added to this is the need for more mature third-party and supply chain management, based on continuous assessment of cybersecurity posture and minimal but relevant telemetry.” “It will be key to conduct internal crisis management exercises that consider realistic scenarios, such as ransomware attacks without payment, fraud using deepfakes of management, or outages of critical suppliers.” View the full article
  6. We’re proud to share that NETSCOUT has been recognized for industry-leading excellence in network detection and response (NDR). This acknowledgment, from Quadrant Knowledge Solutions’ 2025 SPARK Matrix™ for NDR, highlights what our customers already know: NETSCOUT delivers unmatched visibility, precision, and forensic depth across the world’s most complex digital ecosystems. Below are the strengths that set us apart and continue to define our leadership. The visibility gap no one wants to talk about Many organizations still rely on flow-based data or siloed tools that provide snapshots rather than full context. These tools can tell you that something happened; but not what, not how, and not why. This is where visibility breaks down. This is where attacks hide. This is where risk grows quietly. NETSCOUT’s Omnis Cyber Intelligence closes this critical gap with a simple yet powerful idea: If you can’t see every signal, you can’t trust any conclusion. Turning packets into understanding Our proprietary Adaptive Service Intelligence (ASI) technology doesn’t just collect packets; it interprets them via patented deep packet inspection (DPI) at scale capabilities. At up to 100 Gbps, ASI transforms raw traffic into enriched Layer 2–7 metadata that reveals behavior, intent, and impact with a level of precision that flow-based tools simply can’t match. Machine learning, signatures, threat intelligence, and behavioral analytics all become more effective when powered by truth at the packet level. The result? Fewer false positives, deeper context, stronger investigations, and faster answers. Visibility becomes clarity. Clarity becomes confidence. Confidence becomes resilience. Forensics that tell the full story, not just the ending A security event is never just a single moment, it’s a sequence—one that can start long before an alert fires, especially in a zero-day threat scenario. NETSCOUT’s continuous packet capture provides stored history that is independent of detection, so teams can explore that sequence from its earliest footprint to its last, to truly understand what happened before the alert. This empowers analysts to not just understand what happened but also to reconstruct, retrace, and re-imagine the incident with complete fidelity. In an era where attackers live off the land, pivot silently, and operate in encrypted channels, this kind of longitudinal visibility isn’t optional; it’s essential. A borderless approach to modern visibility Hybrid cloud. Remote work. Containerization. Encryption. Operational technology (OT) and Internet of Things (IoT) sprawl. The perimeter hasn’t just dissolved; it has dissolved everywhere at once. That’s why NETSCOUT champions Visibility Without Borders, ensuring every corner of the network (physical, virtual, or cloud-based) speaks the same language of packet-level truth. Whether it’s east-west traffic in a data center or encrypted communication from a remote site, the story remains intact and readable. Where other tools stop at infrastructure boundaries, NETSCOUT keeps going. The future favors the fully informed As networks evolve, attackers adapt. As security stacks expand, complexity grows. But the organizations that win will be the ones that can see clearly, connect the dots instantly, and understand their environments deeply enough to act decisively. That future belongs to those with true visibility—the kind only NETSCOUT can deliver. Leadership in NDR isn’t just something we’ve earned; it’s something we’ve engineered through decades of innovation, relentless focus on packet intelligence, and a commitment to helping organizations see what others can’t. And we’re just getting started. Read the report here. Learn more about Omnis Cyber Intelligence. View the full article
  7. In today’s digital landscape, encrypted traffic is the norm—not the exception. While encryption such as Transport Layer Security (TLS) 1.3 protects user privacy and data integrity, it also presents a growing challenge for security teams: How do you defend against threats hidden inside encrypted traffic without overwhelming your systems? The challenge of encrypted DDoS attacks Threat actors are always looking for ways to circumvent modern defenses, and one of the most popular distributed denial-of-service (DDoS) attack methods is to hide the attacks in what looks like ordinary traffic. Enormous amounts of internet traffic now rely on Hypertext Transfer Protocol Secure (HTTPS). Since decrypting TLS 1.3 traffic typically requires proxy-based solutions—which are resource-intensive—many security products struggle to inspect encrypted sessions effectively. This blind spot makes encrypted DDoS attacks harder to detect and mitigate. Block first, ask questions later One way to minimize the impact of encrypted attack traffic is to simply drop it before decrypting. There are several methods we employ to filter out the garbage quickly and efficiently: Known source blocking: Many attackers are now using open internet proxies to hide the source of their HTTPS attacks. We constantly track these sources, and our ATLAS Intelligence Feed (AIF)-powered countermeasure can block them automatically. TLS attack prevention: This countermeasure looks at the TLS handshake (pre-encryption) and can block TLS sessions that don’t follow standard user behaviors​. TCP connection limiting: This countermeasure looks at TCP connection behavior from each source. Sources opening too many connections or engaging in abusive behaviors over TCP can be blocked. Rate-based protections: Usually, attackers will be sending more traffic than legitimate users, and these protections can distinguish and block those sources automatically​. Selective decryption: This is used to decrypt and deal with more-advanced attacks, when encrypted traffic behavior mimics legitimate users. Why full decryption isn’t always the answer Decrypting all traffic isn’t practical. It’s computationally expensive and can quickly exhaust system resources. What’s needed is a smarter approach—one that focuses decryption efforts only where it’s truly necessary. NETSCOUT’s solution: Selective decryption NETSCOUT’s Arbor Edge Defense (AED) offers a powerful solution via selective decryption. Positioned at the network edge, AED intelligently decides which traffic to decrypt based on threat indicators and client validation. Here’s how it works: Intelligent decryption: As the traffic enters, AED identifies valid client traffic and passes it on without requiring decryption. Suspicious traffic decryption: Only non-validated encrypted traffic is decrypted and analyzed for DDoS threats. Customizable decryption: Users can enable decryption for specific protection groups or levels, allowing targeted inspection without wasting resources. NETSCOUT Benefits of selection decryption Efficient resource use: Focuses decryption on suspicious traffic, preserving system performance Scalable protection: Enables high-scale defense against encrypted threats without compromising throughput Flexible configuration: Tailors decryption policies to match the needs of different services and threat levels Conclusion As encrypted traffic continues to grow, so does the need for smarter security solutions. NETSCOUT AED’s selective decryption approach empowers organizations to defend against encrypted DDoS attacks efficiently and effectively—without sacrificing performance. Learn more about Arbor Edge Defense. View the full article
  8. VGMT Die Geschäftsstelle sowie die Mobilitätszentrale der Verkehrsgesellschaft Main-Tauber (VGMT) sind derzeit geschlossen und weder telefonisch noch per E-Mail erreichbar. Wie die Organisation kürzlich mitteilte, steckt eine Cyberattacke dahinter. Demnach haben die Täter die Server und Daten des Unternehmens verschlüsselt. Ob Daten gestohlen wurden, ist bisher unklar. Der Mitteilung zufolge sind die Ermittlungen in dem Fall noch nicht abgeschlossen. Weitere Details zu dem Angriff gibt es derzeit nicht. „Die Verkehrsgesellschaft und das Landratsamt arbeiten unter Hochdruck daran, die Probleme zu lösen“, versichert VGMT-Geschäftsführer Thorsten Haas. Ziel sei es, schnellstmöglich zumindest einen eingeschränkten Service der Mobilitätszentrale und der VGMT-Geschäftsstelle zu ermöglichen. ÖPNV nicht betroffen Daran anschließend will die VGMT Schritt für Schritt unter weiter erhöhten Sicherheitsvorkehrungen zum regulären Betrieb zurückkehren. Wie lange das dauert, sei derzeit noch nicht absehbar, heißt es vonseiten der VGMT. Der Öffentliche Nahverkehr ist jedoch nicht von dem Vorfall betroffen. Um den Fall aufzuklären, wurde die Cybersicherheitsagentur des Landes Baden-Württemberg und die Polizei eingeschaltet hinzugezogen. Zudem untersuchen die IT-Spezialisten des Landratsamtes und eines Anbieters den Fall. „Aus rechtlichen Gründen verfügt die VGMT über ein eigenes IT-Netzwerk, das von dem der Landkreisverwaltung vollständig getrennt ist“, erklärt die Verkehrsgesellschaft. Dadurch sei die Verwaltung von dem Angriff verschont geblieben. View the full article
  9. VGMT Die Geschäftsstelle sowie die Mobilitätszentrale der Verkehrsgesellschaft Main-Tauber (VGMT) sind derzeit geschlossen und weder telefonisch noch per E-Mail erreichbar. Wie die Organisation kürzlich mitteilte, steckt eine Cyberattacke dahinter. Demnach haben die Täter die Server und Daten des Unternehmens verschlüsselt. Ob Daten gestohlen wurden, ist bisher unklar. Der Mitteilung zufolge sind die Ermittlungen in dem Fall noch nicht abgeschlossen. Weitere Details zu dem Angriff gibt es derzeit nicht. „Die Verkehrsgesellschaft und das Landratsamt arbeiten unter Hochdruck daran, die Probleme zu lösen“, versichert VGMT-Geschäftsführer Thorsten Haas. Ziel sei es, schnellstmöglich zumindest einen eingeschränkten Service der Mobilitätszentrale und der VGMT-Geschäftsstelle zu ermöglichen. ÖPNV nicht betroffen Daran anschließend will die VGMT Schritt für Schritt unter weiter erhöhten Sicherheitsvorkehrungen zum regulären Betrieb zurückkehren. Wie lange das dauert, sei derzeit noch nicht absehbar, heißt es vonseiten der VGMT. Der Öffentliche Nahverkehr ist jedoch nicht von dem Vorfall betroffen. Um den Fall aufzuklären, wurde die Cybersicherheitsagentur des Landes Baden-Württemberg und die Polizei eingeschaltet hinzugezogen. Zudem untersuchen die IT-Spezialisten des Landratsamtes und eines Anbieters den Fall. „Aus rechtlichen Gründen verfügt die VGMT über ein eigenes IT-Netzwerk, das von dem der Landkreisverwaltung vollständig getrennt ist“, erklärt die Verkehrsgesellschaft. Dadurch sei die Verwaltung von dem Angriff verschont geblieben. View the full article
  10. Andrii Yalanskyi – shutterstock.com Was wäre, wenn das größte Sicherheitsrisiko Ihrer Organisation bereits einen Mitarbeitendenausweis besitzt, legitim angemeldet ist und genau weiß, wie interne Prozesse funktionieren? Diese Frage ist unbequem, aber sie markiert den Ausgangspunkt für eine längst überfällige Auseinandersetzung mit Insider-Bedrohungen. Insider Threats – der blinde Fleck Ob auf Fachkonferenzen oder in unternehmensinternen Meetings: Wenn über Sicherheitsrisiken gesprochen wird, richtet sich der Blick fast immer reflexartig nach außen. Auf Hackergruppen und Cyberkriminelle, auf ausländische Nachrichtendienste, auf Anhänger politischer oder religiöser Gruppen und auf wirtschaftliche Konkurrenten. Die eigenen Beschäftigten kommen als Tätergruppe in der Betrachtung kaum vor. Innentäter sind in vielen Organisationen immer noch ein Tabu-Thema, gelten allenfalls als Randphänomen und einzelne „schwarze Schafe“. Diese Annahme ist bequem – und gleichzeitig hoch gefährlich. Denn sie verstellt den Blick auf ein Risiko, das strukturell, vielschichtig und hoch wirksam ist. Dass Insider-Bedrohungen ein systematisches Sicherheitsrisiko sind, belegen empirische Daten. In einer Bitkom-Umfrage aus dem Jahr 2025 berichteten 48 Prozent der deutschen Unternehmen, dass Fälle von Datendiebstahl, Industriespionage oder Sabotage auf eigene Mitarbeitende zurückzuführen waren. Bei 25 Prozent der Unternehmen waren es unabsichtlich handelnde (ehemalige) Beschäftigte, bei 23 Prozent vorsätzlich handelnde (ehemalige) Beschäftigte. Nach Angriffen von organisierten Kriminellen und Banden (68 Prozent) sind Insider-Vergehen damit die zweithäufigsten Delikte. Andere Statistiken zeigen, dass bereits 61 Prozent der Organisationen weltweit einen Insider-Vorfall identifiziert haben und dies bei 29 Prozent zu einem Sicherheitsvorfall führte. Diese Zahlen machen deutlich: Eine Sicherheitsstrategie, die den Fokus ausschließlich auf externe Bedrohungen legt, ist gefährlich lückenhaft. Insider-Risiken sind ein relevanter Teil der Bedrohungslandschaft und müssen in Risikoanalysen systematisch mitgedacht werden. Insider-Gefahren werden unterschätzt Die soziale Organisation ist ein grundlegendes Merkmal der menschlichen Evolution. Seit jeher haben sich Menschen zu Gruppen zusammengeschlossen, um gemeinsam zu jagen, Wissen zu teilen und sich gegen Bedrohungen zu verteidigen. Teil einer Gruppe zu sein, bedeutete Schutz vor Gefahren von außen und konnte das Überleben sichern. Basis für all das war gegenseitiges Vertrauen innerhalb der Gruppe. Auch heute bildet Vertrauen die Grundlage für das Funktionieren einer Organisation. Es ist Ausgangspunkt für eine konstruktive, effiziente und erfolgreiche Zusammenarbeit. Um ihre Arbeitsaufgaben zu erfüllen, benötigen Mitarbeitende Zutritt zum Firmengelände, Zugang zu Datenbanken und Bestellsystemen sowie Zugriff auf Informationen über Produkte, Prozesse, Lieferanten, Dienstleister und Kunden. Arbeitgeber statten Beschäftigte dazu mit den notwendigen Berechtigungen aus und vertrauen im Gegenzug auf die Loyalität und Integrität ihrer Mitarbeitenden. Das sich jemand von innen bewusst und vorsätzlich gegen die eigene Organisation wenden könnte, ist für viele Menschen dabei nicht vorstellbar und moralisch schlichtweg verwerflich. Die Folge: Die Gefahr wird ausgeblendet. Blindes Vertrauen macht Organisationen jedoch verwundbar. Insider-Bedrohungen sind gefährlich Insider verfügen über legitime Berechtigungen und haben ein tiefes Wissen über Infrastruktur, Systeme, Prozesse und Stakeholder. Gleichzeitig haben sie auch die Schwachstellen einer Organisation sehr genau im Blick. Sie kennen kritische Assets, wissen, wo sensible Daten liegen oder welche Prozesse besonders verwundbar sind. Insider wissen zudem, welche Kontrollmechanismen existieren und welche nicht. Auch kennen sie sich damit aus, wie sie Sicherheitslücken ausnutzen und Kontrollen umgehen können. Das ist ein struktureller Vorteil aller Insider. Doch erst die missbräuchliche Verwendung von Berechtigungen macht einen Insider zum Innentäter. Diese zu erkennen ist allerdings schwierig, weil ihre Handlungen unauffällig und legitim wirken. Zugriffe erfolgen mit gültigen Berechtigungen, Prozesse werden formal eingehalten, Auffälligkeiten sind subtil. Klassische Sicherheitsmechanismen schlagen hier oft nicht an. So können Innentäter oftmals über einen längeren Zeitraum agieren, ohne entdeckt zu werden. Typische vorsätzliche Angriffsformen von innen sind Betrug, Diebstahl von Informationen und physischen Gütern, Spionage, Sabotage sowie Gewalt. Die Auslöser für diese Taten sind vielfältig und reichen von emotionalen und situativen Belastungen, Unzufriedenheit und Frust, Opportunismus, finanziellen Interessen bis hin zu Loyalitätskonflikten. Neben solchen illoyalen Insidern gibt es zudem professionell eingeschleuste Innentäter, die beispielsweise im Auftrag eines ausländischen Nachrichtendienstes agieren. Im Gegensatz zu diesen beiden Tätergruppen gibt es eine dritte Personengruppe: Das sind Beschäftigte, die zum Beispiel in der Hektik des Alltags auf einen Link in einer Phishing-E-Mail klicken, aus Nachlässigkeit eine E-Mail an einen falschen Adressaten senden oder von der Firma nicht zugelassene KI-Tools verwenden, um Arbeitszeit zu sparen. Ob man bei dieser letzten Gruppe, die ohne böswillige Absicht und kriminelle Energie handelt, von Innentätern sprechen und diese so behandeln kann und will, muss jede Organisation für sich selbst definieren. Das Schadensausmaß bei Angriffen von innen kann massiv sein. Schäden durch Innentäter wirken häufig nachhaltiger als externe Angriffe, sowohl finanziell, reputativ als auch organisatorisch. Je nach Schwere des Angriffs kann zudem ein organisationales Trauma entstehen, zum Beispiel nach einem Amoklauf. Klassische Sicherheitsmaßnahmen reichen nicht aus Technische Systeme leisten einen wichtigen Beitrag zur Erkennung von Insider-Risiken, stoßen dabei jedoch an klare Grenzen. Tools wie Identity and Access Management (IAM), Data Loss Prevention (DLP) oder User and Entity Behaviour Analytics (UEBA) können Auffälligkeiten und Abweichungen identifizieren, nicht jedoch die dahinterliegenden Emotionen, Motive oder Intentionen. Technik kann damit Hinweise liefern und Symptome sichtbar machen, doch ein erheblicher Teil von Insider-Bedrohungen bleibt für technische Systeme unsichtbar. Denken Sie an den Diebstahl von Papierakten, die Installation von Mini-Kameras zur Überwachung von Computerbildschirmen oder die Sabotage von physischer Infrastruktur. Insider-Bedrohungen sind komplex und keinesfalls ein reines IT-Thema. Auch andere Abteilungen wie die Unternehmenssicherheit, HR, Compliance, Legal, interne Kommunikation und das Management sind relevante Stakeholder. Ein weiteres zentrales Problem ist die fehlende klare Risk Ownership für Insider Threats. Während der Schutz vor externen Angriffen in vielen Organisationen fest verankert ist – oft mit eigenen Abteilungen, klar definierten Verantwortlichkeiten und etablierten Prozessen – fehlt ein vergleichbares Pendant für Bedrohungen aus dem Inneren häufig vollständig. Ohne eindeutige Zuständigkeit lassen sich Insider-Risiken weder systematisch bewerten noch präventiv steuern. Die Folge von Technikfixierung, Silodenken und fehlender Zuständigkeit: Punktuelle Einzelmaßnahmen wie strengere Zugriffsrechte, zusätzliche Kontrollen und neue Tools. Diese Maßnahmen sind nicht falsch, aber sie bilden nur ein isoliertes Fragment eines systematischen Risikomanagements. Was ein moderner Umgang mit Insider Threats bedeutet Die Unsicherheit im Umgang mit Insider-Bedrohungen zeigt sich auch in Umfragen: Während es unter Cybersecurity-Experten einen deutlichen Anstieg der Besorgnis über böswillige Insider, von 60 Prozent im Jahr 2019 auf 74 Prozent im Jahr 2024, gibt, haben nur 29 Prozent der Befragten das Gefühl, über die richtigen Werkzeuge zum Schutz ihrer Organisation zu verfügen. Was oftmals fehlt, ist eine übergreifende Perspektive: Welche Risiken sind für uns wirklich kritisch? Wie fügt sich das Thema in bestehende Risiko-, Governance- und Prozessstrukturen ein? Wer trägt Verantwortung? Ein zeitgemäßer Umgang mit Insider-Bedrohungen beginnt nicht mit Misstrauen, sondern mit Risikobewusstsein. Es geht nicht darum, Mitarbeitende unter Generalverdacht zu stellen, sondern Risiken systematisch zu verstehen und verantwortungsvoll zu steuern. Zentral ist der Perspektivwechsel: von Reaktion zu Prävention, von Einzelfällen zu Strukturen, von Technik zu Organisation. Ein moderner Ansatz verbindet Kultur, Struktur und Verantwortung. Er stärkt Vertrauen und Compliance, indem klare Regeln und Prozesse etabliert werden. Außerdem ermöglicht er nachhaltige Resilienz, statt nur auf Vorfälle zu reagieren. Der Appell ist eindeutig: Wegsehen erhöht das Risiko. Hinschauen schafft Handlungsfähigkeit. Fazit: Warum jetzt gehandelt werden muss Innentätermanagement ist kein Produkt und kein Kontrollregime. Es ist ein menschenzentrierter Managementansatz, der Vertrauen schützt, indem er Risiken transparent macht und bewusst adressiert. Mit den europäischen Richtlinien NIS2 und CER rückt das Risikomanagement stärker in den Fokus. Noch immer wird Sicherheit häufig als eine Art Außenverteidigung verstanden. Was dabei oft übersehen wird: Ein erheblicher Teil der Risiken entsteht innerhalb von Organisationen. Innentätermanagement ist damit keine optionale Ergänzung mehr, sondern Teil verantwortungsvoller Unternehmenssteuerung. Die entscheidende Frage lautet nicht, ob Insider-Risiken existieren, sondern ob Organisationen bereit sind, sie bewusst zu managen. (jm) View the full article
  11. Andrii Yalanskyi – shutterstock.com Was wäre, wenn das größte Sicherheitsrisiko Ihrer Organisation bereits einen Mitarbeitendenausweis besitzt, legitim angemeldet ist und genau weiß, wie interne Prozesse funktionieren? Diese Frage ist unbequem, aber sie markiert den Ausgangspunkt für eine längst überfällige Auseinandersetzung mit Insider-Bedrohungen. Insider Threats – der blinde Fleck Ob auf Fachkonferenzen oder in unternehmensinternen Meetings: Wenn über Sicherheitsrisiken gesprochen wird, richtet sich der Blick fast immer reflexartig nach außen. Auf Hackergruppen und Cyberkriminelle, auf ausländische Nachrichtendienste, auf Anhänger politischer oder religiöser Gruppen und auf wirtschaftliche Konkurrenten. Die eigenen Beschäftigten kommen als Tätergruppe in der Betrachtung kaum vor. Innentäter sind in vielen Organisationen immer noch ein Tabu-Thema, gelten allenfalls als Randphänomen und einzelne „schwarze Schafe“. Diese Annahme ist bequem – und gleichzeitig hoch gefährlich. Denn sie verstellt den Blick auf ein Risiko, das strukturell, vielschichtig und hoch wirksam ist. Dass Insider-Bedrohungen ein systematisches Sicherheitsrisiko sind, belegen empirische Daten. In einer Bitkom-Umfrage aus dem Jahr 2025 berichteten 48 Prozent der deutschen Unternehmen, dass Fälle von Datendiebstahl, Industriespionage oder Sabotage auf eigene Mitarbeitende zurückzuführen waren. Bei 25 Prozent der Unternehmen waren es unabsichtlich handelnde (ehemalige) Beschäftigte, bei 23 Prozent vorsätzlich handelnde (ehemalige) Beschäftigte. Nach Angriffen von organisierten Kriminellen und Banden (68 Prozent) sind Insider-Vergehen damit die zweithäufigsten Delikte. Andere Statistiken zeigen, dass bereits 61 Prozent der Organisationen weltweit einen Insider-Vorfall identifiziert haben und dies bei 29 Prozent zu einem Sicherheitsvorfall führte. Diese Zahlen machen deutlich: Eine Sicherheitsstrategie, die den Fokus ausschließlich auf externe Bedrohungen legt, ist gefährlich lückenhaft. Insider-Risiken sind ein relevanter Teil der Bedrohungslandschaft und müssen in Risikoanalysen systematisch mitgedacht werden. Insider-Gefahren werden unterschätzt Die soziale Organisation ist ein grundlegendes Merkmal der menschlichen Evolution. Seit jeher haben sich Menschen zu Gruppen zusammengeschlossen, um gemeinsam zu jagen, Wissen zu teilen und sich gegen Bedrohungen zu verteidigen. Teil einer Gruppe zu sein, bedeutete Schutz vor Gefahren von außen und konnte das Überleben sichern. Basis für all das war gegenseitiges Vertrauen innerhalb der Gruppe. Auch heute bildet Vertrauen die Grundlage für das Funktionieren einer Organisation. Es ist Ausgangspunkt für eine konstruktive, effiziente und erfolgreiche Zusammenarbeit. Um ihre Arbeitsaufgaben zu erfüllen, benötigen Mitarbeitende Zutritt zum Firmengelände, Zugang zu Datenbanken und Bestellsystemen sowie Zugriff auf Informationen über Produkte, Prozesse, Lieferanten, Dienstleister und Kunden. Arbeitgeber statten Beschäftigte dazu mit den notwendigen Berechtigungen aus und vertrauen im Gegenzug auf die Loyalität und Integrität ihrer Mitarbeitenden. Das sich jemand von innen bewusst und vorsätzlich gegen die eigene Organisation wenden könnte, ist für viele Menschen dabei nicht vorstellbar und moralisch schlichtweg verwerflich. Die Folge: Die Gefahr wird ausgeblendet. Blindes Vertrauen macht Organisationen jedoch verwundbar. Insider-Bedrohungen sind gefährlich Insider verfügen über legitime Berechtigungen und haben ein tiefes Wissen über Infrastruktur, Systeme, Prozesse und Stakeholder. Gleichzeitig haben sie auch die Schwachstellen einer Organisation sehr genau im Blick. Sie kennen kritische Assets, wissen, wo sensible Daten liegen oder welche Prozesse besonders verwundbar sind. Insider wissen zudem, welche Kontrollmechanismen existieren und welche nicht. Auch kennen sie sich damit aus, wie sie Sicherheitslücken ausnutzen und Kontrollen umgehen können. Das ist ein struktureller Vorteil aller Insider. Doch erst die missbräuchliche Verwendung von Berechtigungen macht einen Insider zum Innentäter. Diese zu erkennen ist allerdings schwierig, weil ihre Handlungen unauffällig und legitim wirken. Zugriffe erfolgen mit gültigen Berechtigungen, Prozesse werden formal eingehalten, Auffälligkeiten sind subtil. Klassische Sicherheitsmechanismen schlagen hier oft nicht an. So können Innentäter oftmals über einen längeren Zeitraum agieren, ohne entdeckt zu werden. Typische vorsätzliche Angriffsformen von innen sind Betrug, Diebstahl von Informationen und physischen Gütern, Spionage, Sabotage sowie Gewalt. Die Auslöser für diese Taten sind vielfältig und reichen von emotionalen und situativen Belastungen, Unzufriedenheit und Frust, Opportunismus, finanziellen Interessen bis hin zu Loyalitätskonflikten. Neben solchen illoyalen Insidern gibt es zudem professionell eingeschleuste Innentäter, die beispielsweise im Auftrag eines ausländischen Nachrichtendienstes agieren. Im Gegensatz zu diesen beiden Tätergruppen gibt es eine dritte Personengruppe: Das sind Beschäftigte, die zum Beispiel in der Hektik des Alltags auf einen Link in einer Phishing-E-Mail klicken, aus Nachlässigkeit eine E-Mail an einen falschen Adressaten senden oder von der Firma nicht zugelassene KI-Tools verwenden, um Arbeitszeit zu sparen. Ob man bei dieser letzten Gruppe, die ohne böswillige Absicht und kriminelle Energie handelt, von Innentätern sprechen und diese so behandeln kann und will, muss jede Organisation für sich selbst definieren. Das Schadensausmaß bei Angriffen von innen kann massiv sein. Schäden durch Innentäter wirken häufig nachhaltiger als externe Angriffe, sowohl finanziell, reputativ als auch organisatorisch. Je nach Schwere des Angriffs kann zudem ein organisationales Trauma entstehen, zum Beispiel nach einem Amoklauf. Klassische Sicherheitsmaßnahmen reichen nicht aus Technische Systeme leisten einen wichtigen Beitrag zur Erkennung von Insider-Risiken, stoßen dabei jedoch an klare Grenzen. Tools wie Identity and Access Management (IAM), Data Loss Prevention (DLP) oder User and Entity Behaviour Analytics (UEBA) können Auffälligkeiten und Abweichungen identifizieren, nicht jedoch die dahinterliegenden Emotionen, Motive oder Intentionen. Technik kann damit Hinweise liefern und Symptome sichtbar machen, doch ein erheblicher Teil von Insider-Bedrohungen bleibt für technische Systeme unsichtbar. Denken Sie an den Diebstahl von Papierakten, die Installation von Mini-Kameras zur Überwachung von Computerbildschirmen oder die Sabotage von physischer Infrastruktur. Insider-Bedrohungen sind komplex und keinesfalls ein reines IT-Thema. Auch andere Abteilungen wie die Unternehmenssicherheit, HR, Compliance, Legal, interne Kommunikation und das Management sind relevante Stakeholder. Ein weiteres zentrales Problem ist die fehlende klare Risk Ownership für Insider Threats. Während der Schutz vor externen Angriffen in vielen Organisationen fest verankert ist – oft mit eigenen Abteilungen, klar definierten Verantwortlichkeiten und etablierten Prozessen – fehlt ein vergleichbares Pendant für Bedrohungen aus dem Inneren häufig vollständig. Ohne eindeutige Zuständigkeit lassen sich Insider-Risiken weder systematisch bewerten noch präventiv steuern. Die Folge von Technikfixierung, Silodenken und fehlender Zuständigkeit: Punktuelle Einzelmaßnahmen wie strengere Zugriffsrechte, zusätzliche Kontrollen und neue Tools. Diese Maßnahmen sind nicht falsch, aber sie bilden nur ein isoliertes Fragment eines systematischen Risikomanagements. Was ein moderner Umgang mit Insider Threats bedeutet Die Unsicherheit im Umgang mit Insider-Bedrohungen zeigt sich auch in Umfragen: Während es unter Cybersecurity-Experten einen deutlichen Anstieg der Besorgnis über böswillige Insider, von 60 Prozent im Jahr 2019 auf 74 Prozent im Jahr 2024, gibt, haben nur 29 Prozent der Befragten das Gefühl, über die richtigen Werkzeuge zum Schutz ihrer Organisation zu verfügen. Was oftmals fehlt, ist eine übergreifende Perspektive: Welche Risiken sind für uns wirklich kritisch? Wie fügt sich das Thema in bestehende Risiko-, Governance- und Prozessstrukturen ein? Wer trägt Verantwortung? Ein zeitgemäßer Umgang mit Insider-Bedrohungen beginnt nicht mit Misstrauen, sondern mit Risikobewusstsein. Es geht nicht darum, Mitarbeitende unter Generalverdacht zu stellen, sondern Risiken systematisch zu verstehen und verantwortungsvoll zu steuern. Zentral ist der Perspektivwechsel: von Reaktion zu Prävention, von Einzelfällen zu Strukturen, von Technik zu Organisation. Ein moderner Ansatz verbindet Kultur, Struktur und Verantwortung. Er stärkt Vertrauen und Compliance, indem klare Regeln und Prozesse etabliert werden. Außerdem ermöglicht er nachhaltige Resilienz, statt nur auf Vorfälle zu reagieren. Der Appell ist eindeutig: Wegsehen erhöht das Risiko. Hinschauen schafft Handlungsfähigkeit. Fazit: Warum jetzt gehandelt werden muss Innentätermanagement ist kein Produkt und kein Kontrollregime. Es ist ein menschenzentrierter Managementansatz, der Vertrauen schützt, indem er Risiken transparent macht und bewusst adressiert. Mit den europäischen Richtlinien NIS2 und CER rückt das Risikomanagement stärker in den Fokus. Noch immer wird Sicherheit häufig als eine Art Außenverteidigung verstanden. Was dabei oft übersehen wird: Ein erheblicher Teil der Risiken entsteht innerhalb von Organisationen. Innentätermanagement ist damit keine optionale Ergänzung mehr, sondern Teil verantwortungsvoller Unternehmenssteuerung. Die entscheidende Frage lautet nicht, ob Insider-Risiken existieren, sondern ob Organisationen bereit sind, sie bewusst zu managen. (jm) View the full article
  12. Lesen Sie, worauf es bei der Zusammenarbeit zwischen Ihrem IT-Security- und Engineering-Team ankommt. Foto: Lipik Stock Media – shutterstock.com Security-Teams bestehen in erster Linie aus Mitarbeitern, die für den Betrieb und die Einhaltung von Vorschriften und Richtlinien zuständig sind. IT-Sicherheitstechnik-Teams, neudeutsch Security-Engineering-Teams, hingegen sind Konstrukteure. Sie entwickeln Dienste, automatisieren Prozesse und optimieren Bereitstellungen, um das zentrale IT-Sicherheitsteam und seine Stakeholder zu unterstützen. Das Security-Engineering-Team bestehen in der Regel aus Software- und Infrastrukturingenieuren, Architekten und Produktmanagern. Technische Fähigkeiten im Bereich IT-Sicherheitstechnik Security Engineering ist im Wesentlichen eine technische Disziplin, so dass eines der grundlegenden Elemente dieser Rolle natürlich in der Technologie verwurzelt ist. Dies sind die wesentlichen Fähigkeiten, die CISOs in ihren Security-Engineering-Teams vermitteln und entwickeln sollten: Verstehen des technischen Umfelds Dass es von entscheidender Bedeutung ist, die technische Umgebung zu verstehen und in ihr zu arbeiten, scheint eine Selbstverständlichkeit zu sein. Doch wenn ein Unternehmen beispielsweise Dienste in Kubernetes bereitstellt und das Technikteam noch nie mit Containern gearbeitet hat, ist das ein Problem. Ein hohes Maß an technischem Verständnis der gesamten IT-Umgebung wirkt sich positiv auf das Security-Team aus. Ein Kontrapunkt dazu ist die Förderung eines vielfältigen Teams in Bezug auf die Fähigkeiten, Problemlösungsperspektiven und Erfahrungsstufen in den verschiedenen Bereichen eines Unternehmens. Es gibt natürlich viele Möglichkeiten, diese Vielfalt in einem Team anzustreben und zu fördern, vom Geschlecht und der ethnischen Zugehörigkeit über den Bildungshintergrund bis hin zu früheren Berufserfahrungen und dem Alter. Diversität kann die kreative Energie eines Teams stark erhöhen, wenn Ideen in Frage gestellt, debattiert und wiederholt werden. Allerdings sollten Führungskräfte mit der Vielfalt an Perspektiven und Erfahrungen sorgfältig umgehen. Ein übermäßiges Maß an Variation und Reibung im Denk- und Kooperationsprozess kann zum Gegenteil der gewünschten Wirkung führen. Häufig kommt es zu einer Analyse-Paralyse, bei der die Teams in einem Zustand des Nachdenkens über das Tun statt des Tuns stecken bleiben. Ein ähnlicher Zustand, der sich aus übermäßig unterschiedlichen Teams ergeben kann, ist eine komplexe Reihe von voneinander abhängigen Ergebnissen, die miteinander verbundene Fehlerbedingungen aufweisen. Den gesamten Stack beherrschen IT-Sicherheitstechnikteams sollten in der Lage sein, die von ihnen entwickelten Dienste zu erstellen und zu betreiben. Dieses Maß an Eigenverantwortung innerhalb einer Gruppe ist aus Sicht der technischen Kompetenz und aus kultureller Sicht von entscheidender Bedeutung, da es den Ton in Bezug auf die Verantwortlichkeit angibt. Technisch gesehen wird ein Team, das in der Lage ist, seine Dienste selbst zu verwalten, die Infrastruktur, die CI/CD-Tools, die Security-Tools, den Anwendungscode, die Deployments und die von einem Dienst ausgehenden operativen Telemetriedaten kompetent verwalten. Darüber hinaus sind die Fähigkeiten, die hinter der Unterstützung durch ein Team stehen, in hohem Maße übertragbar, um andere Gruppen im Unternehmen zu unterstützen. Das Entwicklererlebnis miteinbeziehen (DevX) Security-Teams, die das Entwickler-Tool DevX verstehen, annehmen und optimieren, werden wahrscheinlich besser zusammenarbeiten. Darüber hinaus wird ein besonderer Schwerpunkt auf der Beseitigung von Reibungsverlusten liegen. Reibung führt dazu, dass Dinge länger dauern und mehr kosten, dass sich Lernzyklen verlängern und dass Frustration auftritt. Weniger Reibung wird dazu führen, dass die Dinge im Allgemeinen viel besser ablaufen. Manchmal sind Reibungen aber auch notwendig und sollten gewollt sein. Ein Beispiel ist eine erzwungene Codeüberprüfung von kritischem Code, bevor er zusammengeführt wird. Wenn diese Unterbrechung, Überprüfung und Zusammenführung auf einer bewussten Entscheidung beruht, ist das eine gerechtfertigte, bewusste Reibung. Wenn das IT-Sicherheitsteam Reibungsverluste im Freigabeprozess von Entwicklern anstrebt, sollten diese auf spezifischen Anforderungen beruhen, zum Beispiel auf einer Compliance-Kontrolle, die eine manuelle Überprüfung als Teil des Change Managements vorschreibt. Diese Kontrollen sollten nicht unüberlegt eingesetzt werden. Die Reibungsverluste, die den Entwicklern entstehen, stellen Nachteile dar, die jedes vom IT-Sicherheitsteam in Betracht gezogene, nicht definierte Risiko aufwiegen könnten. IT-Sicherheitsteams, die die Erfahrung der Entwickler als oberste Priorität betrachten, müssen die Werkzeuge und Abläufe verstehen, die für das Schreiben von Qualitätssoftware auf verschiedenen Ebenen des Stacks erforderlich sind. Die Übernahme dieser Denkweise, bei der der Entwickler im Vordergrund steht, erfordert möglicherweise Kenntnisse im Bereich Infrastruktur oder Plattform-Engineering. Andererseits kann sich der Output eines IT-Sicherheitstechnik-Teams auf andere auswirken, die ebenfalls mit der Automatisierung von Arbeitsabläufen, der Verbindung von Diensten untereinander und im Wesentlichen mit der gemeinsamen Instrumentierung einer immer größer werdenden Umgebung beschäftigt sind. All diese Arbeiten helfen den Entwicklern, schneller und mit weniger Reibungsverlusten zu arbeiten. Resultat sind mehr Flexibilität und ein schnelleres Deployment. Unabhängig davon ist dies eine Eigenschaft und ein Leitfaden, von dem ein Security-Engineering-Tem in seiner Produktivität profitiert und das Einfühlungsvermögen derer, denen es dient, fördert und kultiviert. Fähigkeiten zur Führung und Zusammenarbeit in der Sicherheitstechnik Security-Entwickler-Teams arbeiten nicht im luftleeren Raum, unabhängig von ihrem Umfang und ihrer Projektauslastung. Die Arbeit an der Seite und im Dienste anderer ist ein wesentlicher Bestandteil des Auftrags. Sie ist ein notwendiger Teil des Ganzen und hilft anderen, erfolgreiche Ergebnisse zu erzielen. Kommunizieren und zusammenarbeiten Die Mitglieder des Security-Engineering-Teams sollten in der Lage sein, miteinander und mit den Beteiligten außerhalb der Gruppe zu kommunizieren. Darüber hinaus sollten sie die Fähigkeit besitzen, gut zusammenzuarbeiten, um die gemeinsamen Ziele zu erreichen. Verstehen der Probleme, der Reibungspunkte, der Beschränkungen und der Möglichkeiten der IT-sicherheitsorientierten Entwicklung. Letztendlich ist es wichtiger, die richtigen Dinge zu tun, als einfach nur effizient zu arbeiten. All diese Fragen müssen durch gezielte Kommunikation und Zusammenarbeit erforscht werden. Dies kann sich in menschenzentrierten Gestaltungsprinzipien, matrixbasierten Ressourcen oder einer auf Teamtopologien basierenden Ausrichtung manifestieren. Natürlich gibt es kein Patentrezept für die Kommunikation und Zusammenarbeit in und zwischen Teams. Unabhängig von der Herangehensweise sind Vertrauensbildung, Einfühlungsvermögen, Interesse an gemeinsamen Zielen und die Bereitschaft, den eigenen Stolz zugunsten der Mission zurückzustellen, die Grundlage. Führen und andere beeinflussen Seth Godin, Bestsellerautor und Marketingexperte, vertritt die Ansicht, dass jeder eine Führungspersönlichkeit sein kann – es ist eine Entscheidung, kein Titel. Es geht um das Zusammentreffen von Ideen, eine Lücke in der Richtung und jemanden, der motiviert genug ist, sich zu engagieren. Der Erfolg von Security-Engineering-Teams ist, wie bei anderen Cybersecurity-Bereichen auch, von anderen abhängig. Er ist jedoch unabhängig von der Leistung des Teams, so optimal diese auch sein mag. Anders ausgedrückt: Man kann nicht einfach etwas bauen und dann gehen. Sie müssen anderen zuhören, sie einbeziehen, sie zur Übernahme bewegen und vieles mehr. All das erfordert Führung. Genauer gesagt, Führung ohne Autorität. Die Mitglieder eines leistungsstarken Teams sollten in der Lage sein, das IT-Sicherheitstechnikteam selbst zu leiten und außerhalb der Gruppe Einfluss aufzubauen und zu nutzen. Das kann mit anderen Beteiligten oder mit internen Kunden eines Dienstes geschehen. Führen ohne Autorität bringt das Team dem Erfolg näher. Starke Beziehungen, organisatorisches Wissen und Kontext sowie technisches Fachwissen sollte zusammengebracht werden, um andere zu beeinflussen. Soft Skills für Sicherheitsingenieure Die Fähigkeiten eines Security Engineers und des gesamten Teams sollten über Kommunikation und Zusammenarbeit hinausgehen. In diesem Zusammenhang bezieht sich der Begriff “Soft Skills” auf die zahlreichen nichttechnischen Fähigkeiten, die eher nach innen gerichtet sind und die technischen Fähigkeiten ergänzen. Zeit- und Prioritätenmanagement Security-Entwickler werden immer viel zu tun haben. Die technischen Fähigkeiten führen dazu, dass häufig Anfragen zum Erstellen, Härten, Patchen oder allgemein zum Einmischen in die Software einer Umgebung eingehen werden. Zeit ist eine universelle Einschränkung für alle Teams. Aus diesem Grund müssen sowohl Einzelpersonen als auch Teams effektiver darin werden, Prioritäten zu setzen. Effizient zu sein, aber die falschen Dinge zu tun, bringt keinen Fortschritt. Es gibt viele Techniken, um Arbeit zu priorisieren, Wert gegen Komplexität abzuwägen und sich auf die Kundenzufriedenheit zu konzentrieren oder verschiedene Faktoren zu gewichten. Kunden- und Compliance-Anforderungen sind oft die treibende Kraft hinter den Prioritäten des Teams. Die Art der Prioritätensetzung ist weniger wichtig als die rücksichtslose Einhaltung der Prioritäten und der Schutz vor dem endlosen Ansturm von Anfragen, die mehr wertvolle Zeit in Anspruch nehmen. Anpassungsfähigkeit Security-Engineering-Teams sollten in der Lage sein, sich an veränderte Anforderungen, Technologien und Umstände anzupassen. Anpassungsfähigkeit bedeutet mehr als die Priorisierung einer Aufgabe gegenüber einer anderen: Entscheiden ist die Anpassung der Herangehensweise an ein Problem auf der Grundlage der Bedürfnisse der Beteiligten. IT-Sicherheitstechnikteams müssen sich an die Eigenverantwortung auf der Grundlage des Teamwachstums und der sich ändernden Bedürfnisse der Interessengruppen sowie an die bewusste Einbeziehung einer vielfältigen Gruppe von Stimmen in den Problemlösungsprozess anpassen. Der Nutzen für die Beteiligten und die gesamte IT-Sicherheitsorganisation liegt dabei in der Agilität und Flexibilität. Ein agiles Team ist ein widerstandsfähigeres Team. Kontinuierliches Lernen Ein Team, das in der Lage ist, ständig neue Fähigkeiten, organisatorische Zusammenhänge, Richtlinien und Arbeitsweisen zu erlernen, ist in der heutigen schnelllebigen Welt unbedingt notwendig. So sollten sich Mitglieder des Security Engineering-Teams ständig weiterentwickeln, sich selbst erneuern und auf bestehenden mentalen Modellen und Erfahrungen aufbauen. Dieses Konstrukt mentaler Modelle ermöglicht es Menschen, in Situationen einzutreten, die ähnliche Eigenschaften aufweisen wie etwas, an dem sie zuvor gearbeitet haben, und damit zu beginnen, etwas beizutragen, zu erforschen und zu tun. Kontinuierliches Lernen kann sich auch auf die Kultur in einer Organisation auswirken. Wissen führt zum Austausch, Austausch führt zu Diskussionen und die Diskussion über neue Dinge weckt Interesse und Gespräche. Diese kollektive Entwicklung der mentalen Modelle, die das Unternehmen durchdringen, und der Art und Weise, wie Teams mit IT-Sicherheit umgehen und sich darauf beziehen, bringt die Kultur der Zusammenarbeit voran. Die Arbeit in diesem hoch spezialisierten Bereich bedeutet nicht, dass sich ein leistungsstarkes Team nur auf die Technologie konzentrieren kann. Menschen, die Erforschung von Problemen, der Aufbau von Beziehungen und die Festlegung von Prioritäten sind allesamt wesentliche Bestandteile eines leistungsstarken Sicherheitstechnikteams. Achten Sie beim Aufbau Ihres Teams darauf, diese Elemente zu investieren und zu pflegen. (jm) Lesetipp: Fehlendes Knowhow – eine Gefahr für die Anwendungssicherheit Dieser Beitrag basiert auf einem Artikel unserer US-Schwesterpublikation CSO Online. View the full article
  13. Twelve US companies hit by the INC ransomware group were able to recover encrypted data after a cybersecurity firm discovered the cloud storage infrastructure where the gang stockpiled what it stole. Researchers at Florida-based Cyber Centaurs said Thursday they took advantage of a lapse in operational security by the gang: They found artifacts left behind by Restic, an legitimate open source backup utility the gang uses to encrypt and exfiltrate victim data into cloud storage environments it controls. Assuming the gang regularly re-uses Restic-based infrastructure led to finding an unnamed cloud storage provider where stolen data was dumped. Unfortunately, Andrew von Ramin Mapp, Cyber Centaurs’ managing principal, admits that his firm’s work likely was no more than an “inconvenience” to the gang, because it can easily rent new cloud infrastructure. But, he said, there are lessons for CSOs and infosec leaders from its efforts: scrutinize and audit your backups. If you have a regular backup schedule, is there unexpected or unexplained activity? Von Ramin Mapp notes that crooks are known to time data exfiltration to match corporate off-site backups as a way to hide their work; monitor for encrypted data leaving your environments and see where it goes. Does this data go to an unexpected IP address? make sure backup software and servers are updated as soon as patches are released. Crooks take advantage of unpatched software of any kind, including backup applications. “Probably very few” infosec leaders realize that their own backup software is used against them, von Ramin Mapp said. According to Trend Micro, the INC gang emerged in July 2023. A Linux version of its ransomware binary was seen five months later. A common tactic in its early years was to leverage vulnerabilities in Citrix Netscaler ADC and Netscaler Gateway, and researchers at Check Point Software also say the gang uses spear-phishing campaigns to capture user credentials. According to Cyber Centaurs, in smaller or flatter networks, INC operators often rely on Restic for data exfiltration prior to encryption; in larger or more complex environments, the gang favors using the backup infrastructure, such as Veeam, that’s already in place. Cyber Centaurs was called in when a US customer’s endpoint detection and response software alerted it to an active ransomware execution on a production SQL Server. The process was quickly isolated, and it was found to be the RainINC variant. Looking deeper, though, investigators found that multiple systems contained traces of Restic, which included renamed binaries, PowerShell scripts staging Restic execution to an S3-style cloud bucket infrastructure, repository configuration variables, and file-list driven backup commands. While Restic wasn’t used for exfiltration in this particular attack, Cyber Centaurs suspected the gang regularly used it, based on patterns seen in other incidents. It also suspected the infrastructure the crooks used was unlikely to be dismantled even after negotiations ended or payments were made by corporate victims. With that in mind, the incident response team developed a custom enumeration script to identify certain patterns that identify S3-style cloud bucket infrastructure that the stolen data might be going to. The script ran through a curated list of candidate repository identifiers derived from previously observed Restic artifacts. For each candidate, environment variables were set to match the configuration style used by the threat actor, including the repository endpoint and encryption password. Restic was then instructed to list available snapshots in a structured format, enabling investigators to analyze results without interacting with the underlying data. The script explicitly avoided any operation that could alter a suspect repository or be interpreted as destructive. What the researchers did conduct was forensic enumeration, not intrusion, Cyber Centaurs stresses. “The repositories were accessed using the attacker’s own tooling and configuration semantics, without exploitation, modification, or disruption,” its report says. “By treating the attacker’s infrastructure as evidentiary material rather than a target, investigators were able to safely validate the hypothesis of persistent, multi-victim storage, and lay the groundwork for what would become a rare and large-scale data recovery effort.” What it discovered were stolen datasets belonging to 12 unnamed and unconnected firms hit in separate INC ransomware attacks. While the data was encrypted, Cyber Centaurs could use Restic for decryption because it was the encryption vehicle. Then it contacted law enforcement agencies to validate the stolen data’s source. The report includes indicators of compromise and tools used by INC, including AnyDesk, a remote access application. The report also notes that threat actors abusing Restic often rename the binary (for example, to winupdate.exe) and rely on legitimate execution paths to avoid suspicion. A simple and effective detection technique is to look for Restic execution outside expected backup contexts, especially from system directories or user-writable locations, and to pair that with known hashes where available. Jon DiMaggio, head of XFIL Cyber and a specialist in ransomware attacks, said that what’s significant in this investigation isn’t just that stolen data from 12 companies was recovered, but that researchers exposed how ransomware groups reuse infrastructure across multiple victims. “Most ransomware incidents end once you contain the encryption and restore systems,” he said in an email. “This case shows the real value is in following the attacker’s operational patterns to find what they left behind. It’s a reminder that ransomware is a business model, not one-off attacks, and that means there are opportunities to disrupt it at scale.” Defenders shouldn’t count on lapses like the one made by INC to rescue them from attacks, however. In its report, Cyber Centaurs says this was an opening “that would not normally exist in a typical ransomware response.” But, it adds, if there are mistakes, defenders may be able to capitalize on them. In an interview, von Ramin Mapp cautioned that lowering the risk of being hit by ransomware isn’t easy. Attackers will respond to every tactic defenders use, he said. It will help, he noted, if victim firms refuse to pay ransoms and thus take away the financial reward gang depend on. “One thing I often recommend to organizations,” he added, “is to have a baseline of the read and write output on your servers and network shares. If ransomware is being deployed, you will see a drastic increase in these cycles.” View the full article
  14. Computers with Telnet open are in immediate danger of being compromised due to a critical vulnerability that allows attackers to bypass authentication. The Telnet remote access protocol has long been superseded by the more secure and encrypted SSH, but many IoT and embedded devices have continued to ship with Telnet exposed on the LAN interface for debugging purposes over the years. Making things worse, the vulnerability, now tracked as CVE-2026-24061, is trivial to exploit remotely, and because it has existed in the codebase for the past 11 years since version 1.9.3, it likely impacts many devices that are no longer supported and will not receive firmware updates. Trivial exploitation “The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter,” Simon Josefsson, a GNU contributor who submitted the patch, said on the OSS-SEC mailing list. “If the client supplies a carefully crafted USER environment value being the string “-f root”, and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes.” In other words, the exploit is achieved with the simple command: USER=‘-f root’ telnet -a [host_ip]. This not only works against remote systems, but it can also serve as a privilege escalation exploit on the local machine if the telnet service (telnetd) is running. Telnet is part of inetutils, the GNU network utilities package shipped with all Linux and other UNIX-based systems. Users are advised to deploy the patch as soon as possible or update to a patched version offered by their distribution. As a temporary mitigation, users are advised to either disable the telnet service entirely or filter access to it to only allow white-listed IP addresses. Scan enterprise networks The Telnet server should never be exposed to the internet in this day and age, but misconfigured servers and IoT devices that have it enabled continue to exist. These will be easily compromised by IoT worms and botnet malware. Malicious traffic monitoring service GreyNoise is already seeing attempts to exploit this vulnerability. It’s more common to find Telnet exposed inside local networks, despite the fact that, given that it’s an obsolete program, it shouldn’t be used at all. Organizations should scan their networks and immediately isolate and firewall Telnet-enabled devices because all it takes is a malware infection on any other computer on the network for attackers to have an opportunity to exploit them. Executing this attack doesn’t require any special privileges, as low-privileged users can typically initiate telnet connections. View the full article
  15. Spanish online electronics retailer PcComponentes has denied a hacker’s claims to have stolen data on its customers. Hackrisk.io, a strategic cyber threat intelligence platform developed and maintained by Hackmanac, reported that a malicious actor using the alias ‘daghetiaw’ claimed to have hacked the e-commerce company, adding that it was attempting to verify the claim. According to Hackrisk.io, the hacker allegedly stole data relating to 16.3 million people, including tax identification numbers, orders, invoices, addresses, contact details, Zendesk tickets, credit card metadata, IP addresses, and purchase information. The platform notes that the hacker has shared a sample of 500,000 lines as proof of the data theft from PcComponentes. CSO contacted PCComponentes, which issued a statement explaining that there had been no unauthorized access to its databases or internal systems. “What we have detected is a phenomenon known in cybersecurity as credential stuffing. This means that a third party has used email addresses and passwords obtained from security breaches in compromised databases outside of PcComponentes,” the statement said, adding, “The categories of data affected are: name, surname, ID number (in cases where the customer has entered it), address, IP, email, and telephone number.” PcComponentes said, “The figure of 16 million customers allegedly affected is false, as the number of active accounts on PcComponentes is significantly lower. Furthermore, the illegitimate access has not been widespread, meaning that only some customers have been affected.” It also explained that bank details have not been compromised in any case, “since PcComponentes does not store them, but only keeps a security code (token) that is used to identify the payment, but does not allow the card to be viewed or charges to be made on its own. This code has no value outside the payment system and cannot be used fraudulently. For this reason, there is no risk of bank details being stolen”; nor are customer passwords, as “they are never stored in our database. Instead, they are converted into a secret, encrypted code (hash). This code is irreversible, which means that neither we nor anyone else can see the original password.” Finally, PcComponentes reports that it has implemented a series of measures aimed at minimizing the impact of this incident, which “significantly strengthen account protection and reduce the risk of illegitimate access from compromised databases outside PcComponentes that are published on the internet.” This article originally appeared on Computerworld/CSO España. View the full article
  16. fadfebrian – shutterstock.com Der Regensburger IT-Dienstleister Conceptnet informiert derzeit auf seiner Internetseite über eine technische Störung, die durch einen Ransomware-Angriff verursacht wurde. Berichten zufolge haben sich die Täter um den 13. Januar 2026 Zugriff auf die IT-Infrastruktur des Unternehmens verschafft. „Dabei wurden zentrale Systeme – darunter Web- und E-Mail-Server – verschlüsselt“, erklärt das Unternehmen. Wiederherstellung der Systeme dauert an Der Angriff sei umgehend erkannt, isoliert und den zuständigen Stellen gemeldet worden, heißt es. „Externe IT-Forensik-Spezialisten arbeiten seitdem gemeinsam mit unserem Team mit höchster Priorität an der Analyse und Wiederherstellung der betroffenen Systeme“, versichert der IT-Dienstleister. Es sei jedoch noch nicht absehbar, ob und wann eine komplette Wiederinbetriebnahme aller Systeme möglich sein wird. Nach eigenen Angaben betreut Conceptnet insgesamt rund 500 Kunden. Von dem Angriff betroffen sind unter anderem der Energieversorger REWAG, das Stadtwerk Regensburg und der SSV Jahn Regensburg. Man habe zahlreiche provisorische Websites eingerichtet und online gebracht, um die Zeit bis zur regulären Wiederherstellung zu überbrücken, so der IT-Dienstleister. Wie die Mittelbayerischen Zeitung berichtet, kam bei dem Angriff möglicherweise auch eine KI zum Einsatz. Auch eine Lösegeldforderung steht demnach im Raum. View the full article
  17. Cisco has released patches for a critical remote code execution vulnerability in its unified communications products that attackers are actively exploiting. The US Cybersecurity and Infrastructure Security Agency has added the flaw to its Known Exploited Vulnerabilities catalog, confirming the exploitation. Cisco disclosed CVE-2026-20045 along with patches for Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. The company assigned the vulnerability a “Critical” severity rating despite its CVSS score of 8.2. “Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates,” the company said in its advisory. “The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.” CISA’s addition of the vulnerability to its KEV catalog confirms attackers are exploiting it in the wild. “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA said in its alert. This is the second actively exploited Cisco vulnerability CISA has added to its KEV catalog in recent weeks. Last week, the agency added CVE-2025-20393, affecting Cisco’s AsyncOS software. “Other collaboration products, including Contact Center Enterprise, Emergency Responder, Finesse, Unified Intelligence Center, and Unified Contact Center Express, are not vulnerable to CVE-2026-20045,” the advisory added. Root-level compromise with no user interaction The vulnerability stems from improper validation of user-supplied input in HTTP requests. “An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device,” Cisco explained in the advisory. “A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.” The attack requires no user interaction and can be carried out by unauthenticated remote attackers, making it particularly dangerous for internet-facing unified communications deployments, the advisory added. Cisco’s Product Security Incident Response Team added that it is “aware of attempted exploitation of this vulnerability in the wild,” underscoring the urgency of patching. No workarounds available Cisco confirmed in the advisory that there are no workarounds or mitigations available for CVE-2026-20045. The company has released fixes specific to each product version. For Unified Communications Manager, IM&P, SME, and Webex Calling Dedicated Instance running version 14, the company suggested administrators can upgrade to version 14SU5 or apply a version-specific patch file. Organizations running version 15 can apply version-specific patches for 15SU2 and 15SU3a, with a full release of version 15SU4 expected in March 2026, the company added. Unity Connection administrators have similar options, with version-specific patch files available for releases 14SU4 and 15SU3. Organizations still running version 12.5 face a harder choice: Cisco won’t release patches for this version and recommends migrating to a supported release. “Customers are advised to migrate to a supported release that includes the fix for this vulnerability,” Cisco said in the advisory. Patches are version-specific, and administrators should consult the README files attached to each patch for deployment details, the advisory added. Federal agencies face a deadline CISA’s inclusion of CVE-2026-20045 in the KEV catalog triggers mandatory remediation timelines for Federal Civilian Executive Branch agencies under Binding Operational Directive 22-01. Federal agencies must patch the vulnerability within two weeks of its January 21 addition to the catalog. While BOD 22-01 applies specifically to federal agencies, CISA “strongly recommends” that all organizations treat KEV-listed vulnerabilities as high-priority patching targets. The catalog tracks flaws with confirmed active exploitation, making them significantly more likely to be weaponized against a broader range of targets. How to patch Cisco said organizations should check for signs of potential compromise on all internet-accessible instances after applying mitigations. The company advised administrators to review system logs and configurations for any unauthorized changes or suspicious activity that may indicate prior exploitation. For organizations unable to immediately upgrade to fixed releases, the company said version-specific patch files offer an interim remediation option. However, Cisco noted that patches must match the exact software version running on the device, and administrators should verify compatibility before deployment. View the full article
  18. Cisco has released patches for a critical remote code execution vulnerability in its unified communications products that attackers are actively exploiting. The US Cybersecurity and Infrastructure Security Agency has added the flaw to its Known Exploited Vulnerabilities catalog, confirming the exploitation. Cisco disclosed CVE-2026-20045 along with patches for Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. The company assigned the vulnerability a “Critical” severity rating despite its CVSS score of 8.2. [ Related: More Cisco news and insights ] “Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates,” the company said in its advisory. “The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.” CISA’s addition of the vulnerability to its KEV catalog confirms attackers are exploiting it in the wild. “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA said in its alert. This is the second actively exploited Cisco vulnerability CISA has added to its KEV catalog in recent weeks. Last week, the agency added CVE-2025-20393, affecting Cisco’s AsyncOS software. “Other collaboration products, including Contact Center Enterprise, Emergency Responder, Finesse, Unified Intelligence Center, and Unified Contact Center Express, are not vulnerable to CVE-2026-20045,” the advisory added. Root-level compromise with no user interaction The vulnerability stems from improper validation of user-supplied input in HTTP requests. “An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device,” Cisco explained in the advisory. “A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.” The attack requires no user interaction and can be carried out by unauthenticated remote attackers, making it particularly dangerous for internet-facing unified communications deployments, the advisory added. Cisco’s Product Security Incident Response Team added that it is “aware of attempted exploitation of this vulnerability in the wild,” underscoring the urgency of patching. No workarounds available Cisco confirmed in the advisory that there are no workarounds or mitigations available for CVE-2026-20045. The company has released fixes specific to each product version. For Unified Communications Manager, IM&P, SME, and Webex Calling Dedicated Instance running version 14, the company suggested administrators can upgrade to version 14SU5 or apply a version-specific patch file. Organizations running version 15 can apply version-specific patches for 15SU2 and 15SU3a, with a full release of version 15SU4 expected in March 2026, the company added. Unity Connection administrators have similar options, with version-specific patch files available for releases 14SU4 and 15SU3. Organizations still running version 12.5 face a harder choice: Cisco won’t release patches for this version and recommends migrating to a supported release. “Customers are advised to migrate to a supported release that includes the fix for this vulnerability,” Cisco said in the advisory. Patches are version-specific, and administrators should consult the README files attached to each patch for deployment details, the advisory added. Federal agencies face a deadline CISA’s inclusion of CVE-2026-20045 in the KEV catalog triggers mandatory remediation timelines for Federal Civilian Executive Branch agencies under Binding Operational Directive 22-01. Federal agencies must patch the vulnerability within two weeks of its January 21 addition to the catalog. While BOD 22-01 applies specifically to federal agencies, CISA “strongly recommends” that all organizations treat KEV-listed vulnerabilities as high-priority patching targets. The catalog tracks flaws with confirmed active exploitation, making them significantly more likely to be weaponized against a broader range of targets. How to patch Cisco said organizations should check for signs of potential compromise on all internet-accessible instances after applying mitigations. The company advised administrators to review system logs and configurations for any unauthorized changes or suspicious activity that may indicate prior exploitation. For organizations unable to immediately upgrade to fixed releases, the company said version-specific patch files offer an interim remediation option. However, Cisco noted that patches must match the exact software version running on the device, and administrators should verify compatibility before deployment. More Cisco news: Cisco’s 2026 agenda prioritizes AI-ready infrastructure, connectivity Cisco finally patches seven-week-old zero-day flaw in Secure Email Gateway products Cisco routers knocked out due to Cloudflare DNS change Cisco identifies vulnerability in ISE network access control devices Attackers bring their own passwords to Cisco and Palo Alto VPNs Cisco confirms zero-day exploitation of Secure Email products Cisco defines AI security framework for enterprise protection Cisco initiative targets device security Key takeaways from Cisco Partner Summit AI networking demand fueled Cisco’s upbeat Q1 financial Cisco launches AI infrastructure, AI practitioner certifications View the full article
  19. VoidLink, the high-impact Linux malware framework disclosed last week, is back under scrutiny for claims that the bulk of its development was done by artificial intelligence (AI). According to the follow-up analysis from Check Point Research (CPR), which first disclosed VoidLink, the malware was not merely assisted by AI tooling but was largely planned, structured, and written through AI-driven processes. “CPR believes a new era of AI-generated malware has begun,” the researchers said in a blog post. “VoidLink stands as the first evidently documented case of this era, as a truly advanced malware framework authored almost entirely by AI, like under the direction of a single individual.” VoidLink was initially disclosed as a modular Linux malware framework capable of operating across cloud and containerized environments. The latest claims of AI acting as its primary author compresses months of engineering work into a matter of days, the researchers noted. While no active large-scale exploitation tied to VoidLink has yet been reported, the prospect of a much lower barrier to producing complex malware at speed could be concerning for defenders. Evidence points to AI-led development Check Point researchers traced VoidLink’s origins to late 2025, when early development samples began appearing in telemetry. What stood out was not just the malware’s modular design, but the presence of structured development documentation typically associated with organized software projects. The researchers identified sprint-style plans, detailed technical specifications, and task breakdowns that appeared to be generated programmatically rather than authored manually. Code comments, architectural consistency, and repetitive implementation patterns further suggested that an AI system was responsible for producing large portions of the framework. Additionally, as per Check Point’s analysis, VoidLink grew to tens of thousands of lines of code in under a week, a pace that would be difficult for even a skilled development team to sustain. While a human operator likely guided the process, AI handled much of the execution, generating code, refining modules, and accelerating iteration cycles. Unlike previous examples of AI-assisted malware, which often relied on basic scripts and reused open-sourced components, AI appears to have driven end-to-end development of VoidLink. What VoidLink signals for enterprise security Check Point’s analysis frames the malware as an important indicator of how threat development itself is changing. The researchers emphasize that the significance of VoidLink lies less in its current deployment and more in how quickly it was created using AI-driven processes. VoidLink is designed to operate on Linux systems commonly found in servers, cloud workloads, and containerized environments. Its modular structure allows components to be developed, replaced, or extended independently, a design choice that aligns with long-term development rather than a single-use attack. According to the researchers, this approach reflects a level of planning typically associated with well-resourced threat actors. It was also emphasized that AI-assisted development significantly reduced the time and effort required to produce a complex malware framework like VoidLink. What would normally require coordinated teams and extended development cycles was condensed into a rapid, largely automated process. This lowers the barrier to creating sophisticated malware and may enable smaller or less experienced actors to build tools previously out of reach, the researchers argued. While mitigation efforts around VoidLink continue to focus on hardening Linux and cloud environments, improving runtime visibility, and detecting suspicious or unknown binaries, Check Point cautioned that the broader risk extends beyond this single framework. The development techniques observed in VoidLink, particularly extensive use of AI to plan and generate malware components, could be easily replicated, potentially shortening development cycles of future threats. View the full article
  20. IB Photography – shutterstock.com Im Jahr 2010 war Office 365 eine einfache Suite mit Office-Anwendungen und zusätzlicher E-Mail-Funktion. Das hat sich 15 Jahre später mit Microsoft 365 geändert: Die Suite ist ein wesentliches Element in den Bereichen Kommunikation, Zusammenarbeit und Sicherheit. Dienste wie Entra, Intune, Exchange, Defender, Teams und SharePoint verfügen über Tausende von Konfigurationsdetails, die dafür sorgen, dass Unternehmen reibungslos und sicher laufen. Wenn diese verloren gehen, versehentlich gelöscht oder absichtlich geändert werden, hat das enorme Auswirkungen auf die Geschäftsabläufe. Dabei geht es um weit mehr als nur um Daten. Die Tenant-Konfigurationen sind die Blaupause für den Betrieb der M365-Umgebung. Einfach ausgedrückt: Wenn der Microsoft-365-Tenant ausfällt, fällt auch der Geschäftsbetrieb aus. Trotz dieser enormen Bedeutung der Tenant-Konfigurationen ist in der IT-Welt eine Fehlannahme weit verbreitet: Rund die Hälfte aller IT-Verantwortlichen geht fälschlicherweise davon aus, dass die nativen Backup-Lösungen von Microsoft einen umfassenden Schutz für wichtige Tenant-Konfigurationen, -Einstellungen und -Richtlinien bieten. Um es deutlich zu sagen: Microsoft sichert die Konfigurationen nicht und kann sie folglich auch nicht wiederherstellen. Dies liegt gemäß dem Modell der „shared responsibility“ in der Verantwortung der Anwender. Die Bedeutung der Tenant-Konfigurationen Tenant-Konfigurationen sind die digitale Grundlage für die Sicherheitslage und die betriebliche Integrität eines Unternehmens. Sie umfassen über 10.000 einzigartige Richtlinienelemente für kritische Dienste. Sie regeln den Benutzerzugriff, die Compliance und das Anwendungsverhalten, also alles, was für den reibungslosen Ablauf eines Unternehmens unerlässlich ist: Sicherheitseinstellungen: Diese erste Verteidigungslinie umfasst Richtlinien für den bedingten Zugriff, die festlegen, wer von wo aus auf was zugreifen darf, sowie Regeln für die Multi-Faktor-Authentifizierung (MFA). Gehen diese Einstellungen verloren oder werden sie manipuliert, haben Angreifer ein leichtes Spiel und können Perimeter-Kontrollen einfach umgehen. Identitätsmanagement: Nahezu jedes Unternehmen (95 Prozent) war in den vergangenen 18 Monaten von einer Cloud-bezogenen Sicherheitsverletzung betroffen, wobei die meisten davon auf unsichere Identitäten zurückgeführt werden konnten. Benutzer- und Gruppeneinstellungen, Administratorrollen und App-Berechtigungen in Entra ID (ehemals Azure AD) bilden den Kern der Identitätssicherheit. Wenn diese kompromittiert werden, bricht das gesamte Framework zusammen. Compliance-Richtlinien: In regulierten Branchen ist der Nachweis der Regeltreue unverzichtbar. Policies zum Schutz vor Datenverlust (Data Loss Prevention, DLP) verhindern, dass sensible Informationen das Unternehmen verlassen, während Aufbewahrungsrichtlinien sicherstellen, dass Daten für rechtliche und Prüfungszwecke aufbewahrt werden. Kann ein Unternehmen die Einhaltung der Vorgaben nicht nachweisen, drohen empfindliche Strafen. Einstellungen für die Zusammenarbeit: Richtlinien in Teams, SharePoint und Exchange regeln die externe Freigabe, den Gastzugriff und den Datenfluss. Wenn diese Einstellungen fehlen oder falsch konfiguriert sind, riskieren Unternehmen eine unkontrollierte Offenlegung von Daten. Dadurch vergrößert sich die Angriffsfläche erheblich. Die Integrität dieser Einstellungen ist das Rückgrat jeder Zero-Trust-Architektur. Ohne korrekte Konfigurationen lassen sich weder das Least-Privilege-Prinzip durchsetzen noch die Compliance einhalten. Entsprechend ist der Verlust der Konfigurationen keine bloße Unannehmlichkeit, sondern bedeutet einen erheblichen Kontrollverlust über die gesamte digitale Infrastruktur. Häufig übersehen, aber essenziell Das Fehlen von Konfigurations-Backups ist nicht nur eine potenzielle Security-Katastrophe, sondern spiegelt auch ein fundamentales Missverständnis darüber wider, was Microsoft 365 eigentlich ist. Dabei handelt es sich eben nicht um eine einfache Lösung. Vielleicht kann man es sich wie ein Glas Wasser vorstellen: Der Tenant ist das Glas und das Wasser sind die Daten. Nicht alle Vorfälle, die Konfigurationen gefährden, sind gleich schwerwiegend. Auf der einen Seite des Spektrums können geringfügige Manipulationen an wichtigen Konfigurationen zwar ärgerlich sein, stellen jedoch keine existenzielle Bedrohung für das Unternehmen dar. Auf der anderen Seite könnten Sicherheitsverantwortliche damit konfrontiert werden, dass die Identitätsinfrastruktur und Sicherheitsvorkehrungen großflächig gelöscht worden, was eine Katastrophe mit potenziell existenzbedrohenden Folgen für das Unternehmen darstellt. Treten kleinere Fehlkonfigurationen auf, wie zum Beispiel versehentlich geänderten Berechtigungen eines einzelnen Benutzers, kann die Fehlerbehebung zwar Stunden dauern, stellt aber letztlich keine existenzielle Krise für das Unternehmen dar. Es ist vergleichbar mit einem angestoßenen Glas: Man kann es problemlos und ohne Risiko nutzen, auch wenn es nicht ideal ist. Wenn ein fehlerhaftes PowerShell-Skript einen bestimmten Dienst für eine begrenzte Anzahl von Benutzern unterbricht, verlangsamt dies die Produktivität und führt zu Störungen des Geschäftsbetriebs. Allerdings kann das Skript wiederhergestellt werden, auch wenn der Ausfall unbequem und zeitaufwändig ist. Dies ist vergleichbar mit einem gesprungenen Glas. Es ist zwar noch verwendbar, aber das Risiko für die Stabilität des Glases steigt. Ein vollständiger Verlust der Tenant-Konfigurationen führt schließlich zu massiven Ausfallzeiten und bedeutet für Unternehmen ohne Konfigurations-Backups das reine Chaos. Bedeutende Richtlinien wie Authentifizierung, E-Mail-Fluss oder Zugriffskontrolle wurden beschädigt, manipuliert oder versehentlich gelöscht, wodurch der gesamte digitale Arbeitsbereich unbrauchbar ist. Das Glas ist zerschellt. Erst wenn ein neues zur Verfügung steht, also der Tenant auf sichere Weise wiederhergestellt wurde, kann man auch wieder mit den Daten arbeiten (also das Wasser einfüllen, ohne dass es gleich wieder irgendwo ausläuft). Ohne Konfigurations-Backups, einschließlich Richtlinien, Berechtigungseinstellungen und Benutzerrollen, können Unternehmen nur mit enorm hohem Zeit- und Ressourcenaufwand zum sicheren Ausgangszustand zurückkehren. Deshalb führt an einem intelligenten Konfigurations-Backup kein Weg vorbei. Seit Jahren ist die Sicherung kritischer Daten für Unternehmen eine Selbstverständlichkeit. Es ist höchste Zeit, dass auch die Sicherung des Tenants flächendeckend umgesetzt wird. (jm) View the full article
  21. IB Photography – shutterstock.com Im Jahr 2010 war Office 365 eine einfache Suite mit Office-Anwendungen und zusätzlicher E-Mail-Funktion. Das hat sich 15 Jahre später mit Microsoft 365 geändert: Die Suite ist ein wesentliches Element in den Bereichen Kommunikation, Zusammenarbeit und Sicherheit. Dienste wie Entra, Intune, Exchange, Defender, Teams und SharePoint verfügen über Tausende von Konfigurationsdetails, die dafür sorgen, dass Unternehmen reibungslos und sicher laufen. Wenn diese verloren gehen, versehentlich gelöscht oder absichtlich geändert werden, hat das enorme Auswirkungen auf die Geschäftsabläufe. Dabei geht es um weit mehr als nur um Daten. Die Tenant-Konfigurationen sind die Blaupause für den Betrieb der M365-Umgebung. Einfach ausgedrückt: Wenn der Microsoft-365-Tenant ausfällt, fällt auch der Geschäftsbetrieb aus. Trotz dieser enormen Bedeutung der Tenant-Konfigurationen ist in der IT-Welt eine Fehlannahme weit verbreitet: Rund die Hälfte aller IT-Verantwortlichen geht fälschlicherweise davon aus, dass die nativen Backup-Lösungen von Microsoft einen umfassenden Schutz für wichtige Tenant-Konfigurationen, -Einstellungen und -Richtlinien bieten. Um es deutlich zu sagen: Microsoft sichert die Konfigurationen nicht und kann sie folglich auch nicht wiederherstellen. Dies liegt gemäß dem Modell der „shared responsibility“ in der Verantwortung der Anwender. Die Bedeutung der Tenant-Konfigurationen Tenant-Konfigurationen sind die digitale Grundlage für die Sicherheitslage und die betriebliche Integrität eines Unternehmens. Sie umfassen über 10.000 einzigartige Richtlinienelemente für kritische Dienste. Sie regeln den Benutzerzugriff, die Compliance und das Anwendungsverhalten, also alles, was für den reibungslosen Ablauf eines Unternehmens unerlässlich ist: Sicherheitseinstellungen: Diese erste Verteidigungslinie umfasst Richtlinien für den bedingten Zugriff, die festlegen, wer von wo aus auf was zugreifen darf, sowie Regeln für die Multi-Faktor-Authentifizierung (MFA). Gehen diese Einstellungen verloren oder werden sie manipuliert, haben Angreifer ein leichtes Spiel und können Perimeter-Kontrollen einfach umgehen. Identitätsmanagement: Nahezu jedes Unternehmen (95 Prozent) war in den vergangenen 18 Monaten von einer Cloud-bezogenen Sicherheitsverletzung betroffen, wobei die meisten davon auf unsichere Identitäten zurückgeführt werden konnten. Benutzer- und Gruppeneinstellungen, Administratorrollen und App-Berechtigungen in Entra ID (ehemals Azure AD) bilden den Kern der Identitätssicherheit. Wenn diese kompromittiert werden, bricht das gesamte Framework zusammen. Compliance-Richtlinien: In regulierten Branchen ist der Nachweis der Regeltreue unverzichtbar. Policies zum Schutz vor Datenverlust (Data Loss Prevention, DLP) verhindern, dass sensible Informationen das Unternehmen verlassen, während Aufbewahrungsrichtlinien sicherstellen, dass Daten für rechtliche und Prüfungszwecke aufbewahrt werden. Kann ein Unternehmen die Einhaltung der Vorgaben nicht nachweisen, drohen empfindliche Strafen. Einstellungen für die Zusammenarbeit: Richtlinien in Teams, SharePoint und Exchange regeln die externe Freigabe, den Gastzugriff und den Datenfluss. Wenn diese Einstellungen fehlen oder falsch konfiguriert sind, riskieren Unternehmen eine unkontrollierte Offenlegung von Daten. Dadurch vergrößert sich die Angriffsfläche erheblich. Die Integrität dieser Einstellungen ist das Rückgrat jeder Zero-Trust-Architektur. Ohne korrekte Konfigurationen lassen sich weder das Least-Privilege-Prinzip durchsetzen noch die Compliance einhalten. Entsprechend ist der Verlust der Konfigurationen keine bloße Unannehmlichkeit, sondern bedeutet einen erheblichen Kontrollverlust über die gesamte digitale Infrastruktur. Häufig übersehen, aber essenziell Das Fehlen von Konfigurations-Backups ist nicht nur eine potenzielle Security-Katastrophe, sondern spiegelt auch ein fundamentales Missverständnis darüber wider, was Microsoft 365 eigentlich ist. Dabei handelt es sich eben nicht um eine einfache Lösung. Vielleicht kann man es sich wie ein Glas Wasser vorstellen: Der Tenant ist das Glas und das Wasser sind die Daten. Nicht alle Vorfälle, die Konfigurationen gefährden, sind gleich schwerwiegend. Auf der einen Seite des Spektrums können geringfügige Manipulationen an wichtigen Konfigurationen zwar ärgerlich sein, stellen jedoch keine existenzielle Bedrohung für das Unternehmen dar. Auf der anderen Seite könnten Sicherheitsverantwortliche damit konfrontiert werden, dass die Identitätsinfrastruktur und Sicherheitsvorkehrungen großflächig gelöscht worden, was eine Katastrophe mit potenziell existenzbedrohenden Folgen für das Unternehmen darstellt. Treten kleinere Fehlkonfigurationen auf, wie zum Beispiel versehentlich geänderten Berechtigungen eines einzelnen Benutzers, kann die Fehlerbehebung zwar Stunden dauern, stellt aber letztlich keine existenzielle Krise für das Unternehmen dar. Es ist vergleichbar mit einem angestoßenen Glas: Man kann es problemlos und ohne Risiko nutzen, auch wenn es nicht ideal ist. Wenn ein fehlerhaftes PowerShell-Skript einen bestimmten Dienst für eine begrenzte Anzahl von Benutzern unterbricht, verlangsamt dies die Produktivität und führt zu Störungen des Geschäftsbetriebs. Allerdings kann das Skript wiederhergestellt werden, auch wenn der Ausfall unbequem und zeitaufwändig ist. Dies ist vergleichbar mit einem gesprungenen Glas. Es ist zwar noch verwendbar, aber das Risiko für die Stabilität des Glases steigt. Ein vollständiger Verlust der Tenant-Konfigurationen führt schließlich zu massiven Ausfallzeiten und bedeutet für Unternehmen ohne Konfigurations-Backups das reine Chaos. Bedeutende Richtlinien wie Authentifizierung, E-Mail-Fluss oder Zugriffskontrolle wurden beschädigt, manipuliert oder versehentlich gelöscht, wodurch der gesamte digitale Arbeitsbereich unbrauchbar ist. Das Glas ist zerschellt. Erst wenn ein neues zur Verfügung steht, also der Tenant auf sichere Weise wiederhergestellt wurde, kann man auch wieder mit den Daten arbeiten (also das Wasser einfüllen, ohne dass es gleich wieder irgendwo ausläuft). Ohne Konfigurations-Backups, einschließlich Richtlinien, Berechtigungseinstellungen und Benutzerrollen, können Unternehmen nur mit enorm hohem Zeit- und Ressourcenaufwand zum sicheren Ausgangszustand zurückkehren. Deshalb führt an einem intelligenten Konfigurations-Backup kein Weg vorbei. Seit Jahren ist die Sicherung kritischer Daten für Unternehmen eine Selbstverständlichkeit. Es ist höchste Zeit, dass auch die Sicherung des Tenants flächendeckend umgesetzt wird. (jm) View the full article
  22. CISO’s are increasingly turning to AI-enabled security technologies to augment their organizations’ cyber defense and extend the capabilities of their teams. According to Foundry’s latest Security Priorities Study, 73% of security decision-makers are now more likely to consider a security solution that uses artificial intelligence, up from 59% the year prior. CISOs plan to leverage AI in a range of security functions, including malware detection, threat detection, anomaly detection, real-time risk prediction, and audit and compliance. They are also eyeing AI for automating security responses, performing authentication, ensuring data loss prevention, and improving enterprise system visibility. CSO Survey respondents cited AI-enabled benefits such as faster detection of unknown threats, accelerating response times, and automating security tasks to reduce employee workload. The findings are in line with an October 2025 study from management consultancy PwC, which found AI ahead of cloud security and data protection as the top cybersecurity investment priority for enterprises over the next 12 months. But cutting through the hype to ensure AI investments have optimal impact remains an issue. Experts quizzed by CSO said that security leaders should prioritize AI investment over the next 12 to 18 months to boost anomaly detection, enhance identity and access management, and automate response, but they should also be aware of potential pitfalls such as hallucinations, over-reliance on AI, and governance gaps when implementing AI in their security strategies. Cutting through the noise Oliver Newbury, chief strategy officer at cyber resilience vendor Halcyon and previously CISO at Barclays, tells CSO that the “strongest uses of AI in security are the ones that improve visibility and reduce noise.” “Teams need clearer signals, earlier warnings, and quicker routes to certainty in the middle of an unfolding incident,” Newbury says. “AI that can sift large volumes of activity, highlight meaningful patterns, and present them in a way that analysts can act on immediately is where organizations see real benefit.” Newbury adds: “These capabilities help shorten investigation time and support faster, confident decision-making during high-pressure situations.” A human-led approach is no longer sufficient to deal with the increased complexity and volume of threats, many security experts contend. Strategic use of AI technology has the potential to recognize patterns of attack and offer analysts the ability to cut through the noise and make better decisions, freeing up time and resources to deal with higher-value security work and move beyond constant firefighting. “Most security teams are overloaded, and not because they lack tools, but because they lack time and clear signals,” Newbury says. “AI earns its keep in the areas where speed and pattern recognition genuinely outperform manual effort: behavioral anomaly detection, early-stage threat indicators, and the subtle identity-related activity that often precedes a ransomware event.” Check against delivery David Tyler, founder of tech consultancy Outlier Technology, warns that some vendors slap the label ‘AI’ on existing capabilities while adding a higher price tag combined with solid product development and real advances from others. “A lot of what’s being sold as breakthrough AI is actually decades-old technology finally being implemented properly; this isn’t necessarily bad, as good product management matters as much as novel algorithms,” Tyler says. “But if a vendor’s ‘AI security solution’ appeared overnight in the last couple of years, you’re probably looking at rebranding rather than genuine capability building.” CSO / Foundry CSOs should be asking how long the vendor has been investing in these capabilities and what their product evolution looks like, according to Tyler. “Companies that have been building graph-based correlation, adaptive baselining, and behavioral analytics for a decade are very different from those who just added an AI chat function to their user interface and called it innovation,” Tyler says. Dr. Andrew Bolster, senior manager of R&D at application security vendor Black Duck, also warns CISOs about vendors slapping neural networks onto existing tools without fixing underlying data quality issues. “Your AI-powered authentication system is only as good as your identity data hygiene,” Dr. Bolster says. “Your AI-powered malware detection is only as good as your sample corpus quality and labelling accuracy.” Dr Bolster adds: “Before signing contracts for AI security platforms, audit your data governance maturity.” Bolster also argues that CISOs themselves should focus more on how to build an AI-ready security data platform rather than which security tools they need to buy. “CISOs should invest in data mesh architectures that treat security telemetry as a first-class data product with defined ownership, quality SLAs [service level agreements], and standardized schemes,” he says. Building an AI security platform Merlin Gillespie, operations director at managed security services provider Cybanetix, sees the AI security market maturing — and moving away from point solutions that offer reduced operational expenditure toward a more integrated approach. Gillespie warns that this shift creates fresh challenges for security leaders. “These days every security tool has a layer of AI ‘assistance’ but instead of simplifying operations this is creating overlapping tools, inconsistent reporting, and unclear provenance of data,” according to Gillespie. “The learning is that AI-labelled tools are helpful but aren’t a solution in themselves.” The exercise most organizations face is classifying which processes are eligible for automation, and which of these are enhanced by the determinism and reasoning of AI, Gillespie advises. “Security teams should apply the same top-down analysis used across their wider business to support software and personnel efficiency, rather than being led by vendor tooling which can result in further siloing,” Gillespie says. Potential pitfalls Halcyon’s Newbury warned that these issues were far from the only potential pitfalls that come from deploying AI systems. For example, over-reliance on AI systems can lead to greater risk. “AI shouldn’t replace the fundamentals such as asset management, patching, identity governance, proper segmentation, or tested recovery plans,” Newbury says. “Those disciplines matter even more as attackers adopt AI at speed.” Issues inherited from the inadequate training of AI systems can also create problems. “AI systems can easily inherit blind spots if they’re trained on narrow or unrealistic datasets,” he says. “CISOs must understand how models are trained and where their assumptions break down.” Ransomware remains the clearest test of whether AI investment is being prioritized in the right places, Newbury argues. “Most modern [ransomware] incidents are effectively identity-based attacks,” Newbury says. “Attackers are logging in rather than ‘hacking in,’ often armed with credentials harvested at scale by infostealers.” Newbury adds: “As adversaries fold AI into their operations, you’ll see more of these attacks landing faster and hitting harder. That makes the resilience question far more urgent.” Newbury concludes: “AI is worth the investment but only where it sharpens decision-making, reduces noise, and gives teams the time and clarity to act before a problem becomes a crisis.” View the full article
  23. Lately, the Curl code library has been receiving a lot of AI-generated reports from users hoping to receive financial compensation from the tool’s bug bounty program. Going through all the reports has taken up so many resources that Curl has decided to eliminate compensation for bug hunters altogether. “AI slop and generally bad reports have only increased even more recently, so we have to make an attempt to slow down the river so as not to drown,” Curl’s chief administrator Daniel Stenberg said in a comment to Elektroniktidningen. Over the years, Curl has distributed a total of $101,020 in compensation for bug hunter reports. Curl is not alone in enduring the significant changes in the bounty industry due to AI-powered bug hunting, which democratizes and accelerates vulnerability discovery while also taxing bug bounty programs with false positives and “AI slop.” View the full article
  24. A critical two-factor authentication bypass vulnerability in the Community and Enterprise editions of the GitLab application development platform has to be patched immediately, say experts. The hole is one of five vulnerabilities patched Wednesday as part of new versions of GitLab. Three are ranked High in severity, including the 2FA bypass issue, while the other two are ranked Medium in severity. GitLab says the 2FA hole, CVE-2026-0723, if exploited on an unpatched system, could allow an individual with knowledge of a victim’s ID credentials to bypass two-factor authentication by submitting forged device responses. It’s this hole that has drawn the attention of experts, because of the implications. The goal of multifactor authentication is to protect login accounts with an extra verification step in case usernames and passwords are stolen. If a threat actor can access an account, they can do almost unlimited damage to IT systems. In the case of GitLab, if critical code is sitting in a developer’s account, a threat actor could compromise it, notes David Shipley, head of Canadian-based security awareness training firm Beauceron Security. If that code is to be used in software that can be downloaded or sold to other organizations, then inserted malware could be spread in a supply chain attack. The latest example, Shipley said, is the Shai-Hulud worm, which is spreading because a developer’s account in the npm registry was hacked. If the code contains cloud secrets, he added, the threat actor could gain access to cloud platforms like Azure, Amazon Web Service, or Google Cloud Platform. Discovery of the 2FA bypass hole “is a reminder that these [security] controls are important,” Shipley said in an interview. “They absolutely help reduce a number of risks: Brute force attacks, password spraying, and so forth. But they will never be infallible. “This is not the first time someone has found a clever way to get around 2FA challenges. We have a whole series of attacks around session cookie capture which are also designed to defeat 2FA. So it’s important to remember this when someone drops some Silver Bullet thinking that ‘This magic solution solves it [authentication]’ or ‘That’s the bad MFA. Here’s the new MFA.’ And I include [trusting only] Yubikeys,” he said. “Yubikeys are amazing. They’re the next generation of 2FA. But because they are made for humans, eventually they will have some flaws.” Even if there weren’t flaws in these controls, employees might be tricked into giving up credentials through social engineering, he added. It would be easier for an attacker to use techniques like phishing to collect user credentials rather than forge a device credential to exploit this particular 2FA bypass, said Johannes Ullrich, dean of research at the SANS Institute. But, he added, once the attacker has access to valid passwords, they can log in to the GitLab server and perform actions on the source code — download it, alter it or delete it — just as a legitimate user would. What infosec leaders need to do This is why Cybersecurity 101 — layered defense — is vital for identity and access management, Shipley said. That includes forcing employees to have long, unique login passwords, monitoring the network for unusual activity (for example, if someone gets in without an MFA challenge recorded) and, in case all fails, an incident response plan. MFA bypass vulnerabilities are very common, noted Ullrich. “The core problem is usually that MFA was added later to an existing product,” he said, “and some features may not properly check if MFA was successfully completed.” When testing a multifactor authentication solution, infosec leaders should always verify that an application has not marked authentication as completed after the username and password were verified. Enabling MFA should not relax password requirements, he asserted. Users must still pick unique, secure passwords and use password managers to manage them. Secure passwords will mostly mitigate any MFA failures, Ullrich said. Any vulnerability found in GitLab is significant, he added. GitLab is typically used by organizations concerned enough about the confidentiality of their code that they want to run the platform on premises. GitLab ‘strongly’ recommends upgrades In describing the patches released Wednesday, GitLab said it “strongly” recommends all self managed GitLab installations be upgraded to one of the three new versions (18.8.2, 18.7.2, 18.6.4) for GitLab Community Edition (CE) and Enterprise Edition (EE). Those using GitLab.com or GitLab Dedicated – a single tenant software-as-a-service version – don’t have to take any action. The other vulnerabilities fixed in Wednesday’s updates are: CVE-2025-13927, a denial of service issue in Jira Connect integration. If exploited on an unpatched system, it could allow an unauthenticated user to create a denial of service condition by sending crafted requests with malformed authentication data. It carries a CVSS severity score of 7.5; CVE-2025-13928, an incorrect authorization issue. If exploited on an unpatched system, it could allow an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints. It carries a CVSS severity score of 7.5; CVE-2025-13335, an infinite loop issue in Wiki redirects. Under certain circumstances, this hole could allow an authenticated user to create a denial of service condition by configuring malformed Wiki documents that bypass cycle detection. It has a CVSS score of 6.5; CVE-2026-1102 – a denial of service issue in an API endpoint that could allow an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication requests. It has a CVSS score of 5.3. In keeping with standard GitLab practice, details of the security vulnerabilities will be made public on an issue tracker 30 days after the release in which they were patched. The new versions also include bug fixes, some of which, GitLab said, may include database migrations. In cases of single-node instances, a patch will cause downtime during the upgrade. In the case of multi-node instances, admins who follow proper GitLab zero-downtime upgrade procedures can apply a patch without downtime. View the full article
  25. Internal testing, product demonstrations, and security training are critical practices in cybersecurity, giving defenders and everyday users the tools and wherewithal to prevent and respond to enterprise threats. However, according to new research from Pentera Labs, when left in default or misconfigured states, these “test” and “demo” environments are yet another entry point for attackers — and the issue even affects leading security companies and Fortune 500 companies that should know better. Researchers discovered that popular public training apps like Hackazon, Damn Vulnerable Web Application (DVWA), and OWASP Juice Shop have been frequently left accessible to the public internet, inadvertently exposing top vendors including Palo Alto Networks, Cloudflare, and F5. “This is not theoretical research,” Noam Yaffe, Pentera’s senior researcher and offensive security team lead, wrote in a technical blog post. His team discovered “clear evidence” that these attack vectors are being exploited in the wild to enable crypto miners, webshells, and persistence mechanisms. The attackers are believed to be of Eastern European origin. “This research proves that labeling something as ‘training’ or ‘dev’ doesn’t make it invisible to attackers,” Yaffe noted. “If it’s on the internet and it has cloud credentials, it’s a target.” Exposing crown jewels through seemingly harmless labs After identifying an exposed instance of Hackazon, a free, intentionally vulnerable test site developed by Deloitte, during a routine cloud security assessment for a client, Yaffe performed a five-step hunt for exposed apps. His team uncovered 1,926 “verified, live, and vulnerable applications,” more than half of which were running on enterprise-owned infrastructure on AWS, Azure, and Google Cloud platforms. They then discovered 109 exposed credential sets, many accessible via a low-priority lab environment, tied to overly-privileged identity access management (IAM) roles. These often granted “far more access” than a ‘training’ app should, Yaffe explained, and provided attackers: Administrator-level access to cloud accounts, as well as full access to S3 buckets, GCS, and Azure Blob Storage; The ability to launch and destruct compute resources and read and write to secrets managers; Permissions to interact with container registries where images are stored, shared, and deployed. Attackers maintained persistent access, moved laterally across networks, exploited cloud credentials and other sensitive information, and crypto-mined victim infrastructure. Further, Pentera’s researchers easily discovered active secrets such as Slack keys, GitHub tokens, and Docker Hub credentials, as well as real user data and proprietary source code. Alarmingly, in DVWA, 54% of instances discovered still used the default credentials ‘admin:password,’ and attackers could downgrade security settings in a single click (from “impossible” to “low”), making every built-in vulnerability “trivially exploitable,” Yaffe noted. “What began as a harmless lab could lead directly to an organization’s crown jewels,” he said. Real-world exploitations In one real-world instance, Pentera’s team discovered a misconfigured buggy web application (bWAPP) linked to Cloudflare cloud accounts running on Google Cloud Platform (GCP). bWAPP is a free, open source, deliberately insecure web app used for training purposes. Querying GCP’s metadata services, the researchers were able to impersonate default service accounts and gain read access to “hundreds” of storage buckets. Similarly, a DVWA linked to F5’s cloud accounts was found running on a GCP instance, again allowing the researchers to access numerous storage buckets containing logs and metric data. In addition, a misconfigured Palo Alto-linked DVWA app was identified running on AWS; Yaffe and his team used the attached IAM role and temporary credentials to gain full administrative access to the AWS account. Researchers also exfiltrated OAuth tokens for a GCP service account to assume its identity, and list and access specific bucket content. For instance, one “cloud_build” bucket stored .tgz files that attackers could easily download. The account was managed by an admin email and violated least privilege because it contained policy permission, Yaffe explained. “Even though this was a ‘dev’/ ‘training’ account, it contained highly sensitive secrets, credentials, and API tokens,” he said. In assessing these misconfigured, vulnerable applications, his team found “clear evidence” that they were already being fully exploited in the wild. Roughly 20% of the DVWA instances they discovered contained artifacts deployed by malicious actors, including: XMRig Crypto Miner actively running, sending proceeds to attacker-controlled wallets, and configured to run silently without user knowledge; A “sophisticated” watchdog script that maintained persistence even after a compromise had been discovered. This featured self-recovery, automated downloads, encrypted payload delivery, evidence deletion, and kill switches that threat actors could use to easily shut down operations; A PHP webshell that granted attackers the ability to read, write, delete, upload and download files; run operating system (OS) commands and scripts on remote machines; and access credentials, API keys, and other secrets embedded in source code. All discoveries were responsibly disclosed to the impacted organizations and were subsequently mitigated prior to publication, Yaffe emphasized. “These weren’t isolated incidents; they represented an organized, ongoing exploitation campaign,” he warned. What enterprises can do now To defend against this widespread threat, Yaffe and his team developed SigInt, a Python-based, large language model (LLM)-powered autonomous reconnaissance framework. The tool, which is available on GitHub, generates fingerprint signatures directly from a live target or GitHub repository, searches for matches, and applies confidence scoring. It also incorporates IP intelligence, cloud provider detection, attribution data, and provides analysis to support further investigation. Beyond this, Yaffe advised enterprises to “inventory everything” to establish a complete, up-to-date picture of all cloud resources, including ‘temporary’ and ‘test deployments,’ perform regular audits to scan for exposed services, and apply least privilege. “Never attach broad IAM roles to training or demo environments,” he said. Further, defenders should isolate training environments from production networks and apply the same monitoring and alerting to them as production environments, restrict their outbound internet access, document and enforce changes to default credentials pre-deployment, and set controls that expire temporary testing environments after a specified timeframe. “If it doesn’t have an end date, it will run forever,” Yaffe noted. Ultimately, he emphasized: “These are fixable problems. Basic hygiene … would have prevented every case we found.” View the full article

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.