Category: InfoSec

Ransomware gangs seize a new hostage: your AWS S3 buckets

Source: OAuth token compromise hits Salesforce ecosystem again, Gainsight impacted | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4094475/ransomware-gangs-find-a-new-hostage-your-aws-s3-buckets.html

ONE SENTENCE SUMMARY:

Ransomware operators are targeting AWS S3 buckets by exploiting cloud-native encryption and key management services, prompting enhanced security measures.

MAIN POINTS:

  1. Ransomware is shifting from on-premises to cloud storage, especially targeting AWS S3 buckets.
  2. Attackers use cloud-native encryption, key management, rather than just data theft.
  3. Techniques evolve as organizations enhance cloud defenses, abusing services like encryption management.
  4. Attackers probe S3 setups, including AWS-managed and customer-provided key management systems.
  5. S3 buckets contain critical data, making them prime targets for ransomware attacks.
  6. Attackers aim for a “complete and irreversible lockout” of data using encryption mechanisms.
  7. Five S3 ransomware variants exploit AWS’s built-in encryption, especially SSE-KMS and SSE-C.
  8. Abuse of imported key material and external key stores allows attackers to control key management.
  9. Researchers recommend hardening S3 with stricter controls and monitoring for suspicious activities.
  10. An “assume breach” approach is vital, emphasizing comprehensive security and backup strategies.

TAKEAWAYS:

  1. Organizations must enhance security protocols around cloud storage, especially AWS S3.
  2. Understanding encryption abuse in cloud environments is crucial to prevent ransomware.
  3. Implementing least privilege access and protective controls is essential for data protection.
  4. Constant monitoring of cloud environments can detect potential ransomware activities.
  5. An “assume breach” mindset ensures preparedness against sophisticated ransomware strategies.

GlobalProtect VPN portals probed with 2.3 million scan sessions

Source: BleepingComputer

Author: Bill Toulas

URL: https://www.bleepingcomputer.com/news/security/globalprotect-vpn-portals-probed-with-23-million-scan-sessions/

ONE SENTENCE SUMMARY:

A coordinated campaign has spiked malicious scanning on Palo Alto Networks GlobalProtect VPN portals, amplifying security concerns significantly.

MAIN POINTS:

  1. Malicious activity targeting GlobalProtect VPN surged 40 times in one day.
  2. Activity began escalating on November 14, reaching a 90-day high.
  3. October saw a 500% increase in IPs scanning GlobalProtect, 91% suspicious.
  4. April reported 24,000 IPs targeting GlobalProtect, many suspicious.
  5. The surge linked to previous campaigns via fingerprints and timing.
  6. Primary attacks originated from ASNs in Germany and Canada.
  7. 2.3 million sessions targeted VPN logins between November 14 and 19.
  8. Attacks focused on US, Mexico, and Pakistan users.
  9. 80% of scanning spikes precede new security flaw disclosures.
  10. February saw active exploitation of vulnerabilities in Palo Alto Networks.

TAKEAWAYS:

  1. Coordinate security efforts to address escalating VPN portal threats.
  2. Track IP activity patterns to preempt future security disclosures.
  3. Recognize geographical attack concentration for better defense strategies.
  4. Identify imminent threats by examining historical scanning spikes.
  5. Utilize intelligence reports to inform security budget planning.

Velociraptor WSUS Exploitation, Pt. I: WSUS-Up?

Source: Huntress Blog

Author: unknown

URL: https://www.huntress.com/blog/velociraptor-misuse-part-one-wsus-up

ONE SENTENCE SUMMARY:

Threat actors exploited a WSUS vulnerability to install Velociraptor for remote access, increasing incidents of dual-use tool abuse.

MAIN POINTS:

  1. In November, threat actors exploited a WSUS vulnerability (CVE-2025-59287) to gain initial access.
  2. Velociraptor, an open-source tool, was used for command-and-control (C2) communications.
  3. Huntress SOC observed increased misuse of Velociraptor over recent months.
  4. The WSUS vulnerability was patched by Microsoft on October 23.
  5. Cisco Talos linked Velociraptor activity to a SharePoint vulnerability called ToolShell.
  6. Threat actors installed Velociraptor with a malicious MSI from s3.wasabisys.com.
  7. PowerShell commands were used post-installation for system discovery.
  8. Dual-use tools like Cobalt Strike and Mimikatz have been similarly abused.
  9. Velociraptor is part of a larger trend of legitimate tools being misused.
  10. Further insights on Velociraptor misuse will continue in part two of the series.

TAKEAWAYS:

  1. Vigilance is crucial as legitimate tools like Velociraptor are increasingly misused for attacks.
  2. Regular patching can mitigate vulnerabilities, like the recently addressed WSUS flaw.
  3. Velociraptor’s use in attacks highlights the need for careful monitoring of network tools.
  4. Understanding tool behavior and misuse patterns can enhance incident response strategies.
  5. Expect continued evolution in the misuse of dual-purpose open-source tools by threat actors.

Active Directory Trust Misclassification: Why Old Trusts Look Like Insecure External Trusts

Source: Tenable Blog

Author: Clément Notin

URL: https://www.tenable.com/blog/active-directory-trust-misclassification-why-old-trusts-look-like-insecure-external-trusts

ONE SENTENCE SUMMARY:

Tenable Research discovered Windows 2000 intra-forest trusts missing a key flag, impacting trust identification across upgraded Active Directory environments.

MAIN POINTS:

  1. Active Directory trusts originating from Windows 2000 may lack proper identification as intra-forest trusts.
  2. The TRUST_ATTRIBUTE_WITHIN_FOREST flag, introduced in Windows 2003, was not retroactively applied.
  3. Upgraded domains maintain zero trust attributes, misidentifying internal trusts as potentially insecure external ones.
  4. CrossRef objects can accurately determine if a trust is intra-forest or external.
  5. External trusts lack a dedicated flag, often appearing as trustAttributes=0.
  6. AD administrative tools may still identify correct trust types despite missing flags.
  7. Tenable conducted lab tests confirming the persistence of the legacy issue.
  8. The issue affects security-analysis tools by confusing internal and external trusts.
  9. New interpretation methods have been validated in real-world environments.
  10. Tenable’s discovery aims to improve trust management in legacy AD environments.

TAKEAWAYS:

  1. Windows 2000 intra-forest trusts may be misidentified due to absent flags.
  2. CrossRef objects offer a solution for identifying trust types.
  3. Upgrades do not resolve missing trust flags in older domains.
  4. Accurate trust interpretation is vital for exposure management tools.
  5. Awareness of this issue aids security professionals in managing legacy AD environments.

The Cloudflare Outage May Be a Security Roadmap

Source: Krebs on Security

Author: BrianKrebs

URL: https://krebsonsecurity.com/2025/11/the-cloudflare-outage-may-be-a-security-roadmap/

ONE SENTENCE SUMMARY:

Cloudflare’s outage revealed vulnerabilities, offering organizations insights into their reliance on its services for security and functionality.

MAIN POINTS:

  1. The Cloudflare outage briefly disrupted many major websites.
  2. Some customers managed to switch away from Cloudflare during the outage.
  3. Experts recommend reviewing web application firewall logs for vulnerabilities.
  4. Cloudflare effectively blocks malicious traffic but outages expose potential weaknesses.
  5. Companies should reevaluate security practices relying on Cloudflare protection.
  6. The outage served as a network penetration test opportunity for threat actors.
  7. Nicole Scott described the outage as a necessary stress test for organizations.
  8. Organizations should consider emergency DNS or routing changes and their implications.
  9. Cloudflare’s disruption was due to a database system permissions change, not an attack.
  10. Over-reliance on single providers like Cloudflare presents a significant risk.

TAKEAWAYS:

  1. Evaluate current reliance on Cloudflare for security protections.
  2. Review and analyze logs for vulnerabilities during outages.
  3. Develop intentional fallback plans for similar future incidents.
  4. Spread dependencies across multiple providers to prevent single points of failure.
  5. Monitor security controls continuously to prevent over-reliance on single solutions.

The confidence trap holding security back

Source: Help Net Security

Author: Anamarija Pogorelec

URL: https://www.helpnetsecurity.com/2025/11/20/immersive-cyber-readiness-gap-report/

ONE SENTENCE SUMMARY:

Organizations overestimate cyber readiness due to focusing on participation metrics instead of capabilities, resulting in a gap between confidence and actual performance.

MAIN POINTS:

  1. Security leaders feel prepared, but performance data reveals missed steps in scenarios.
  2. Confidence increases without a corresponding rise in capability and effectiveness.
  3. Readiness programs focus more on activity than true capability development.
  4. Training often centers on outdated, familiar threats rather than current intrusion tactics.
  5. Many security teams remain at basic skill levels, hindering progress.
  6. Business roles often excluded from simulations lead to poor coordination during incidents.
  7. Training usually aligns with compliance, not actual attack behaviors.
  8. AI-related threats are not adequately addressed in training exercises.
  9. Boards receive metrics that mask true capability, leading to a false sense of security.
  10. Effective readiness requires practicing under pressure with relevant, challenging scenarios.

TAKEAWAYS:

  1. Focus on developing true capabilities rather than merely tracking training participation.
  2. Incorporate current threat scenarios and advanced skills into training programs.
  3. Ensure business roles are included in incident response practice.
  4. Align training with real-world attacker behaviors rather than just compliance.
  5. Shift readiness evaluations from activity metrics to performance metrics.

More work for admins as Google patches latest zero-day Chrome vulnerability

Source: More work for admins as Google patches latest zero-day Chrome vulnerability | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4092287/more-work-for-admins-as-google-patches-latest-zero-day-chrome-vulnerability.html

ONE SENTENCE SUMMARY:

Google urgently patched a high-severity zero-day flaw in Chrome’s V8 engine, raising security concerns for other Chromium browsers.

MAIN POINTS:

  1. Google addressed a zero-day flaw in Chrome’s V8 JavaScript engine, identified as CVE-2025-13223.
  2. Clément Lecigne from Google’s Threat Analysis Group discovered the vulnerability.
  3. The flaw has a CVSS score of 8.8 and was actively exploited.
  4. It is a Type Confusion flaw affecting multiple Chromium-based browsers.
  5. Google’s usual policy restricts detail release until a majority are updated.
  6. The V8 engine is crucial for Chromium browsers, posing widespread risk.
  7. Enterprises are advised to urgently patch to Chrome version 142.0.7444.175/.176.
  8. Type Confusion flaws can lead to memory corruption or code execution.
  9. A separate V8 vulnerability, CVE-2025-13224, was patched simultaneously.
  10. Chrome has faced two other V8 zero days in 2025 alone.

TAKEAWAYS:

  1. Urgent patching of Chrome for enterprises is critical due to high-severity flaws.
  2. Type Confusion vulnerabilities in V8 can lead to serious security risks.
  3. Multiple Chromium browsers are affected, increasing the scope of risk.
  4. Enterprises face pressure to patch quickly due to zero-day vulnerabilities.
  5. Shared components like V8 increase the impact radius of attacks.

Healthcare Domains : The Prescription for Bypassing SSL Inspection

Source: SynerComm

Author: Brian Judd

URL: https://www.synercomm.com/healthcare-domains-the-prescription-for-bypassing-ssl-inspection/

ONE SENTENCE SUMMARY:

SSL inspection on firewalls is crucial but vulnerable to blind spots from privacy laws, especially in healthcare data protection.

MAIN POINTS:

  1. Next-gen firewalls with SSL inspection detect malicious traffic effectively.
  2. Privacy laws, like HIPAA, create exceptions for healthcare domains.
  3. These exceptions enable encrypted traffic to pass uninspected.
  4. URL categorization databases identify domains belonging to sensitive categories.
  5. SSL policies often exclude healthcare sites to protect patient data.
  6. Attackers exploit these exceptions to evade detection.
  7. Organizations should use selective logging and reputation-based whitelisting.
  8. Regular validation tests ensure SSL policies are enforced correctly.
  9. Periodic checks of bypass lists prevent outdated or inaccurate classifications.
  10. Exploitation of these exceptions is a known tactic for over 15 years.

TAKEAWAYS:

  1. SSL inspection is essential, but privacy exceptions weaken its effectiveness.
  2. Attackers exploit healthcare domain exceptions to avoid detection.
  3. Selective logging can mask data instead of disabling inspection.
  4. Whitelist based on domain reputation, not only category.
  5. Regular tests and checks are crucial to maintaining security.

Hunt What Hurts: The Pyramid of Pain

Source: Active Countermeasures

Author: Faan Rossouw

URL: https://www.activecountermeasures.com/hunt-what-hurts-the-pyramid-of-pain/

ONE SENTENCE SUMMARY:

Threat hunting involves proactively identifying threats by prioritizing behaviors hardest for adversaries to change, using models like the Pyramid of Pain.

MAIN POINTS:

  1. Threat hunting is proactive, exploring vast data without predefined alerts.
  2. The dilemma of infinite choice leads to paralysis without clear prioritization.
  3. Reactive hunting for known indicators is ineffective; focus should be on behaviors.
  4. The Pyramid of Pain helps prioritize adversary artifacts based on difficulty to alter.
  5. Hash values and IPs are easily changed by adversaries, offering limited hunting value.
  6. Human hunters excel in identifying patterns and behaviors, beyond automated detection.
  7. Tools and TTPs are significantly challenging for adversaries to change.
  8. Behavioral analysis of tools strengthens threat detection and resilience.
  9. Hunting should integrate findings back into automated systems for continuous improvement.
  10. Prioritization of difficult changes by adversaries enhances current and future threat defense.

TAKEAWAYS:

  1. Utilize frameworks like the Pyramid of Pain for strategic threat hunting.
  2. Focus on behaviors over indicators for lasting security improvements.
  3. Integrate human insights into automated systems to enhance defenses.
  4. Prioritize detection of TTPs for higher adversary disruption.
  5. Effective threat hunting involves creative hypothesis generation and contextual understanding.

Why your security strategy is failing before it even starts

Source: Help Net Security

Author: Mirko Zorz

URL: https://www.helpnetsecurity.com/2025/11/14/adnan-ahmed-ornua-cybersecurity-strategy-roadmap/

ONE SENTENCE SUMMARY:

Adnan Ahmed emphasizes aligning cybersecurity with business goals, focusing on risk management, resilience, zero trust principles, and security culture.

MAIN POINTS:

  1. Organizations often prioritize technology over risk, misaligning cybersecurity with business goals.
  2. Cybersecurity is fundamentally a business risk management function, not just a technical issue.
  3. Embedding cybersecurity into business objectives and understanding critical assets is crucial.
  4. Human error is a primary attack vector; employee awareness and training are essential.
  5. Compliance is necessary but does not ensure resilience against cyber threats.
  6. IT and OT environments both require comprehensive security measures in industries like food manufacturing.
  7. Third-party risk and comprehensive incident response plans are critical aspects.
  8. Aligning cybersecurity with business involves speaking the business’s language, not technical jargon.
  9. Emerging threats include IT and OT convergence, supply chain risks, and AI-powered attacks.
  10. A three-year strategy should prioritize asset risk, apply zero trust, and emphasize resilience beyond compliance.

TAKEAWAYS:

  1. Focus more on risk management than technology tools.
  2. Integrate cybersecurity into overall business objectives and operations.
  3. Build a security culture emphasizing employee awareness and training.
  4. Prioritize zero trust principles across IT and OT for robust defense.
  5. Develop and test incident response and business continuity plans.

Amazon Uncovers Attacks Exploited Cisco ISE and Citrix NetScaler as Zero-Day Flaws

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2025/11/amazon-uncovers-attacks-exploited-cisco.html

ONE SENTENCE SUMMARY:

Advanced threat actors exploited zero-day vulnerabilities in Cisco and Citrix products to deploy custom malware, highlighting critical security challenges.

MAIN POINTS:

  1. Amazon’s team discovered advanced threats exploiting then-zero-day flaws in Cisco and Citrix products.
  2. Attacks targeted identity and network access control infrastructure crucial for enterprise security.
  3. CVE-2025-5777 in Citrix allows attackers to bypass authentication; fixed in June 2025.
  4. CVE-2025-20337 in Cisco ISE enables remote code execution as root; fixed in July 2025.
  5. Exploitation led to custom malware disguised as a legitimate Cisco ISE component.
  6. The malware operates in memory, using techniques to evade detection like Java reflection and DES encryption.
  7. Attackers exhibited high resources, leveraging advanced exploits and bespoke tools.
  8. Threat actors continue targeting network edge appliances to breach networks.
  9. Importance emphasized on limiting access to privileged management portals to defend against attacks.
  10. Pre-authentication exploits demand comprehensive defense strategies for detecting unusual behavior.

TAKEAWAYS:

  1. Zero-day vulnerabilities pose significant risks to network security infrastructure.
  2. Custom-built malware shows sophisticated knowledge of enterprise systems.
  3. Defense-in-depth strategies are essential for protecting against advanced threats.
  4. Layered security and limiting privileged access can mitigate breach risks.
  5. Proactive detection and behavior analysis are critical in identifying anomalies.

Microsoft’s November 2025 Patch Tuesday Addresses 63 CVEs (CVE-2025-62215)

Source: Tenable Blog

Author: Research Special Operations

URL: https://www.tenable.com/blog/microsofts-november-2025-patch-tuesday-addresses-63-cves-cve-2025-62215

ONE SENTENCE SUMMARY:

Microsoft’s November 2025 Patch Tuesday addresses 63 CVEs, including one critical zero-day exploited vulnerability, to bolster security.

MAIN POINTS:

  1. November 2025 Patch Tuesday includes patches for 63 CVEs.
  2. Five vulnerabilities are rated critical, and 58 rated important.
  3. Key updates target Azure, Microsoft Dynamics, Office, and Windows components.
  4. Elevation of privilege vulnerabilities constitute 46% of patches.
  5. CVE-2025-62215 is a zero-day Windows Kernel EoP vulnerability.
  6. CVE-2025-62199 is a critical Microsoft Office RCE vulnerability.
  7. Three EoP vulnerabilities affect the Ancillary Function Driver for WinSock.
  8. CVE-2025-60724 is a GDI+ RCE vulnerability with a high CVSSv3 score.
  9. Patching systems promptly and regular vulnerability assessments are recommended.
  10. Tenable provides plugins and guidance for enhanced security management.

TAKEAWAYS:

  1. Address all critical and important vulnerabilities immediately.
  2. Focus on known exploited vulnerabilities like CVE-2025-62215.
  3. Be aware of Microsoft Office’s potential attack vectors.
  4. Regular vulnerability assessments are essential for security.
  5. Utilize resources from Tenable for thorough patch management.

Why you should purple team your SOC

Source: Why you should purple team your SOC | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4083612/the-soc-parachute-needs-more-than-packing-it-needs-practice.html

ONE SENTENCE SUMMARY:

Purple teaming should shift from a one-time exercise to a continuous, collaborative discipline enhancing SOC effectiveness through simplicity and learning.

MAIN POINTS:

  1. SOCs often fail due to being overloaded, reactive, and disconnected from actual breach methods.
  2. Purple teaming is typically treated as a one-off exercise instead of a continuous discipline.
  3. Purple teams should facilitate collaboration between red and blue teams for continual improvement.
  4. A single engagement creates false confidence without building real capability.
  5. Regular practice, similar to aviation, is key for maintaining SOC proficiency.
  6. Collaborative, not adversarial, approaches in purple teaming are crucial for learning and improvement.
  7. Focusing on simplicity enhances SOC defenses, reducing distracting metrics.
  8. Teaching the “why” alongside the “what” is essential for effective phishing awareness and SOC training.
  9. Effective SOCs operate like projects, with embedded project managers and delegated decision-making.
  10. Continuous learning, rather than complex defenses, is vital for SOC uplift and effectiveness.

TAKEAWAYS:

  1. Treat purple teaming as an ongoing discipline for SOC readiness.
  2. Emphasize collaboration over rivalry in purple teams for effective learning.
  3. Simplify metrics to enhance SOC focus and reduce noise.
  4. Implement project-based SOC models for better coordination and decision-making.
  5. Shift from defensive to inquisitive SOC strategies for continuous improvement.

Hidden Logic Bombs in Malware-Laced NuGet Packages Set to Detonate Years After Installation

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2025/11/hidden-logic-bombs-in-malware-laced.html

ONE SENTENCE SUMMARY:

Nine malicious NuGet packages are designed to sabotage database operations and industrial control systems with time-delayed payloads.

MAIN POINTS:

  1. Nine malicious packages were published by “shanhai666” in 2023 and 2024.
  2. The packages download payloads triggered on specific future dates, August 2027 and November 2028.
  3. Sharp7Extend is the most dangerous, targeting industrial PLCs with dual sabotage mechanisms.
  4. Packages were downloaded 9,488 times before being removed from NuGet.
  5. Malicious logic activates immediately post-installation, with termination stopping by June 2028.
  6. 80% chance of sabotaging write operations between 30-90 minutes after installation.
  7. Certain packages, like MCDbRepository, trigger on August 8, 2027, others on November 29, 2028.
  8. The attack uses C# extension methods for stealthy code injection.
  9. Attack attributed to a possible Chinese origin “shanhai666” based on source code analysis.
  10. The staggered trigger dates disguise attacks as random failures, complicating incident response.

TAKEAWAYS:

  1. Time-delayed payloads pose significant risks to database and industrial system security.
  2. Sharp7Extend’s clever use of immediacy and delay phases enhances its destructiveness.
  3. Malicious NuGet packages can easily blend into legitimate software environments.
  4. Sophisticated tactics make identifying and mitigating the attack challenging.
  5. Ensuring supply chain security requires rigorous verification and monitoring of software dependencies.

Cisco: Actively exploited firewall flaws now abused for DoS attacks

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/security/cisco-actively-exploited-firewall-flaws-now-abused-for-dos-attacks/

ONE SENTENCE SUMMARY:

Cisco has released updates to address vulnerabilities in ASA and FTD firewalls being exploited in attacks causing reboot loops.

MAIN POINTS:

  1. Cisco released security updates on September 25 for vulnerabilities CVE-2025-20362 and CVE-2025-20333.
  2. CVE-2025-20362 allows unauthenticated access to restricted URLs.
  3. CVE-2025-20333 enables remote code execution on vulnerable devices.
  4. Chained vulnerabilities let attackers gain full control over systems.
  5. CISA ordered federal agencies to secure or disconnect affected devices within 24 hours.
  6. Shadowserver tracks over 34,000 vulnerable ASA and FTD instances online.
  7. Vulnerabilities are exploited in denial of service (DoS) attacks.
  8. Attackers from the ArcaneDoor campaign are behind these exploits.
  9. Cisco fixed another critical vulnerability, CVE-2025-20363, in its IOS and firewall software.
  10. New security patches issued for Cisco Contact Center software to address critical flaws.

TAKEAWAYS:

  1. Immediate updates are crucial for securing Cisco firewall devices.
  2. Vulnerabilities can lead to severe consequences like denial of service attacks.
  3. Federal agencies are under strict directives to safeguard network security.
  4. Shadowserver’s tracking shows the widespread presence of vulnerable systems.
  5. Continued vigilance and patching are vital as new threats emerge.

HIPAA Cybersecurity Requirements Guide (2026) | Rivial Security

Source: Rivial Security Blog

Author: Lucas Hathaway

URL: https://www.rivialsecurity.com/blog/hipaa-cybersecurity-requirements-guide-2026-rivial-security

ONE SENTENCE SUMMARY:

The 2026 HIPAA update enhances cybersecurity by emphasizing risk analysis, continuous monitoring, and proactive breach prevention in healthcare.

MAIN POINTS:

  1. HIPAA’s 2026 update strengthens cybersecurity expectations on risk analysis, vulnerability scanning, and incident response.
  2. Organizations must transition from static audits to continuous risk monitoring and mitigation.
  3. Access control is crucial, with enforced MFA and least-privilege access as core expectations.
  4. HHS anticipates healthcare programs focusing more on resilience than mere compliance.
  5. HIPAA’s updated framework aims to prevent breaches rather than just fulfill regulatory requirements.
  6. Broad application includes healthcare providers, health plans, insurers, and their affiliates.
  7. Current requirements involve administrative, physical, and technical safeguards, including regular risk analyses.
  8. Future regulations emphasize a comprehensive technical inventory and continuous risk monitoring.
  9. Multifactor authentication and tighter identity management are critical for future compliance.
  10. Rivial Data Security offers tools for clear risk assessment, streamlined audits, and efficient compliance management.

TAKEAWAYS:

  1. Transition to continuous, proactive cybersecurity measures ahead of HIPAA’s 2026 update.
  2. Emphasize access control by maintaining up-to-date technical inventories and implementing MFA.
  3. Focus on resilience, not just compliance, to prevent breaches effectively.
  4. Future audits require ongoing risk assessments and advanced authentication protocols.
  5. Utilize platforms like Rivial for streamlined compliance and efficient security management.

Warning: Your 30-Day Patching SLA is Dead. Here’s How to Get it Back.

Source: cisotradecraft.substack.com

Author: CISO Tradecraft

URL: https://cisotradecraft.substack.com/p/warning-your-30-day-patching-sla?utm_medium=web

ONE SENTENCE SUMMARY:

Effective vulnerability management requires transforming processes, aligning incentives, and leveraging automation and AI to rapidly reduce patching times.

MAIN POINTS:

  1. The 99% security achievement often overlooks significant patching backlogs and outdated systems.
  2. CVE publication has doubled from 2020, increasing patching workload and exposing staff shortages.
  3. AI accelerates vulnerability exploitation, making old 30-day patching timelines obsolete.
  4. CISO must enforce full-stack awareness and align executive compensation with patching metrics.
  5. Shift from single vulnerability patching to end-to-end process optimization using lean principles.
  6. Quantify and address process inefficiencies by focusing on critical steps for rapid improvement.
  7. Use attack graphs over CVSS scores to prioritize vulnerability management effectively.
  8. Enforce zero-tolerance quality gates in source code pipelines for robust security.
  9. Deploy layered defenses and complex defense stacks to provide crucial security buffers.
  10. Leverage AI tools for rapid remediation to minimize developer effort and accelerate patching.

TAKEAWAYS:

  1. Aligning incentives such as bonuses with patching performance can drive significant organizational change.
  2. Process optimization and strategic automation are crucial for reducing patching times.
  3. Integrated security measures within code pipelines can prevent vulnerabilities effectively.
  4. Layered defenses and AI-powered remediation tools are essential for rapid vulnerability management.
  5. Comprehensive understanding and management of the full technology stack is critical for effective security.

Why Security and IT Disagree on Patching (and Why That’s a Good Thing)

Source: Tenable Blog

Author: Allison Eguchi

URL: https://www.tenable.com/blog/it-uptime-vs-cybersecurity-risk-the-patch-management-paradox

ONE SENTENCE SUMMARY:

Effective patch management requires integrating specialized tools for security and IT, transforming friction into seamless collaboration by preserving each team’s focus.

MAIN POINTS:

  1. Patching creates friction between security and IT due to differing priorities.
  2. Security focuses on risk reduction, while IT emphasizes uptime and stability.
  3. Manual processes and unsuitable tools exacerbate the friction.
  4. Ideal solutions offer “collaboration with validation,” integrating both teams’ needs.
  5. Tenable Patch Management provides visibility and context for seamless teamwork.
  6. Security identifies critical risks using prioritized data like VPR and ACR.
  7. IT uses specialized tools to implement patches without disrupting business operations.
  8. Integrated platforms enable automated workflows, eliminating manual spreadsheet processes.
  9. Closed-loop visibility ensures risk remediation is confirmed through subsequent security scans.
  10. Empowering each team with tailored tools creates a secure, stable environment.

TAKEAWAYS:

  1. Effective patch management hinges on specialized tools for security and IT.
  2. Integrated systems transform friction into productive collaboration.
  3. Automated workflows replace manual, error-prone processes.
  4. Security and IT maintain their distinct, crucial roles.
  5. A unified platform leads to a more secure and stable organization.

Why Microsegmentation Is Just a Dream for Many IT Teams

Source: BankInfoSecurity.com RSS Syndication

Author: unknown

URL: https://www.bankinfosecurity.com/microsegmentation-just-dream-for-many-teams-a-29951

ONE SENTENCE SUMMARY:

Microsegmentation faces challenges like operational complexity, policy maintenance, and audit issues, making full implementation difficult for many organizations.

MAIN POINTS:

  1. Microsegmentation aims to limit hackers’ movement by controlling network traffic between applications.
  2. Adoption faces operational complexity, policy drift, and mounting technical debt post-deployment.
  3. Automation shifts policy maintenance issues but doesn’t resolve dynamic nature of segmentation policies.
  4. IT and security teams experience increased policy changes and prolonged temporary exceptions.
  5. Regulatory compliance adds complexity with audit evidence difficult to produce from technical artifacts.
  6. Most organizations only partially achieve microsegmentation targets due to legacy systems and constraints.
  7. Poor documentation and unknown dependencies challenge segmentation of legacy applications.
  8. Vendors focus on intent-based policies and cross-functional team alignment to address deployment challenges.
  9. Automation is limited by insufficient inventory data and unclear policy logic ownership.
  10. Security architects need to design granular policies and prioritize based on risk.

TAKEAWAYS:

  1. Microsegmentation is complicated by evolving application environments and backend system complexities.
  2. Regulatory demands necessitate better connections between technical intent and audit requirements.
  3. Legacy systems significantly hinder full microsegmentation implementation.
  4. Successful implementation requires organizational alignment and cross-department cooperation.
  5. Effective policy design requires balancing simplicity and risk prioritization for easier maintenance.

Why can’t enterprises get a handle on the cloud misconfiguration problem?

Source: Why can’t enterprises get a handle on the cloud misconfiguration problem? | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4083736/why-cant-enterprises-get-a-handle-on-the-cloud-misconfiguration-problem.html

ONE SENTENCE SUMMARY:

Cloud security remains a significant issue with widespread misconfigurations, emphasizing the need for better inbuilt security measures and proactive management.

MAIN POINTS:

  1. Cloud configuration errors continue to expose enterprise data despite initial warnings seven years ago.
  2. A Qualys report highlights frequent misconfiguration in major cloud platforms, posing significant security risks.
  3. 28% of surveyed organizations experienced cloud or SaaS breaches in the past year.
  4. Many publicly accessible VMs lack encryption, increasing vulnerability.
  5. Proliferation of SaaS tools expands opportunities for configuration mistakes.
  6. Default insecure settings by cloud providers contribute to widespread security issues.
  7. Inadequate inclusion of cybersecurity teams in decision-making leads to afterthought security.
  8. The biggest configuration mistake involves lack of private network communication.
  9. Lack of MFA and encryption are major security concerns in cloud environments.
  10. Top cybersecurity practices include MFA, private networks, encryption, and continuous scanning.

TAKEAWAYS:

  1. Implement multi-factor authentication for all cloud access to prevent account takeovers.
  2. Default to private network communication to reduce exposure to public internet risks.
  3. Encrypt all sensitive data to protect against unauthorized access.
  4. Enforce least-privilege access controls to minimize overprivileged accounts.
  5. Use infrastructure as code to manage and audit changes systematically.

The Evolution of SOC Operations: How Continuous Exposure Management Transforms Security Operations

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2025/11/the-evolution-of-soc-operations-how.html

ONE SENTENCE SUMMARY:

Security Operations Centers benefit from integrating exposure management, enhancing alert accuracy and response efficiency against sophisticated threats.

MAIN POINTS:

  1. SOCs face alert overload, with many false positives and reactive detection challenges.
  2. Lack of context and narrow focus hinder traditional security tools’ effectiveness.
  3. Attackers use multiple techniques and exposures, often evading traditional detection.
  4. Exposure management platforms provide critical attack surface visibility and intelligence.
  5. Integration with existing tools enhances SOC workflows and threat investigations.
  6. Exposure intelligence transforms alert triage, investigation, and response precision.
  7. Continuous exposure management creates actionable threat intelligence for SOCs.
  8. Real-time context aids in understanding potential risks and attack paths.
  9. Precise response actions reduce disruption and enhance incident remediation.
  10. Future SOC success depends on exposure prevention and tailored threat responses.

TAKEAWAYS:

  1. Integrating exposure management increases SOC efficiency and reduces alert fatigue.
  2. Enhanced context allows more targeted and effective security responses.
  3. Understanding attack paths and exposures improves threat investigation and triage.
  4. SOCs benefit from proactive exposure reduction and tailored threat intelligence.
  5. Continuous learning from incidents strengthens future security capabilities.

What does aligning security to the business really mean?

Source: What does aligning security to the business really mean? | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4080670/what-does-aligning-security-to-the-business-really-mean.html

ONE SENTENCE SUMMARY:

Tim Sattler emphasizes the crucial role of aligning security with business strategy to harness AI and other technologies effectively.

MAIN POINTS:

  1. Tim Sattler integrates AI for strategic benefits at Jungheinrich AG, highlighting security’s evolving role.
  2. Security chiefs like Sattler are increasingly involved in AI conversations, focusing on opportunities beyond risks.
  3. Sattler emphasizes understanding both risks and benefits of new technologies like ChatGPT and quantum computing.
  4. Alignment between security and business strategies supports organizational goals, innovation, and growth.
  5. Research reveals many CISOs are not involved in strategic decisions, showing a need for greater alignment.
  6. Effective security-business alignment involves using business metrics to gauge security success.
  7. CISOs should adjust strategies based on business objectives, threats, and potential security incidents.
  8. Security’s early involvement in company initiatives reduces friction and enhances deployment trust.
  9. Successful alignment demonstrates security as a key player in operational support and risk management.
  10. Misalignment leads to reactive security measures, increased costs, and operational inefficiencies.

TAKEAWAYS:

  1. Aligning security with business strategies enhances both risk management and opportunity identification.
  2. CISOs play a pivotal role in integrating security within business initiatives from the outset.
  3. Early engagement and understanding business priorities are crucial for effective security practices.
  4. Misalignment can result in increased costs and missed strategic opportunities for organizations.
  5. Successful security-business alignment significantly contributes to enterprise-wide strategic initiatives.

Issue 5: What You Can’t See Can Still Hurt You

Source: Heatmaps to Histograms: Field Notes

Author: Tony Martin-Vegue

URL: https://substack.com/home/post/p-174805183

ONE SENTENCE SUMMARY:

This issue explores quantifying unprecedented risks, emphasizing scenario building, risk categorization, and focusing on practical risk analysis.

MAIN POINTS:

  1. Scenario-building chapter in the book emphasizes measurable, data-supported risk analysis.
  2. The book aims to make quantitative thinking accessible and understandable.
  3. Three types of unknown risks: unexperienced, unrealized, and inconceivable.
  4. “Unexperienced but Observable” risks can be quantified using external data.
  5. “Unrealized but Conceivable” risks require analogical reasoning for potential analysis.
  6. “Inconceivable and Unimaginable” risks focus on system resilience over prediction.
  7. Use structured expert judgment to quantify unknown risks.
  8. Focus on decisions influenced by analysis rather than over-polishing data precision.
  9. Risk analysis prioritizes actionable scenarios over remote, impractical ones.
  10. The philosophy of practical risk analysis focuses on meaningful, business-relevant scenarios.

TAKEAWAYS:

  1. Effective risk analysis combines measurable scenarios with practical reasoning.
  2. Unknown risks require different strategies based on their nature.
  3. Resilience is crucial when predictions are impossible.
  4. Clarifying what type of risk is faced guides effective analysis.
  5. The book is designed to simplify complex quantitative concepts for practitioners.

Cybersecurity management for boards: Metrics that matter

Source: Cybersecurity management for boards: Metrics that matter | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4081319/cybersecurity-management-for-boards-metrics-that-matter.html

ONE SENTENCE SUMMARY:

Boards need actionable cyber resilience metrics to evaluate financial impact, operational readiness, and strategic risk for effective governance.

MAIN POINTS:

  1. Ransomware can significantly disrupt operations without warning.
  2. Boards struggle with technical metrics, needing insights into business impact.
  3. Resilience-focused metrics improve clarity, alignment with business goals, and regulatory compliance.
  4. Financial metrics such as average incident cost and downtime are crucial.
  5. Governance indicators include regulatory violations and training completion.
  6. Operational metrics should track detection, response times, and system uptime.
  7. Strategic metrics assess future readiness, residual risk, and threat landscape.
  8. Metrics should drive resilience, not just reflect it.
  9. Boards require evidence of effective cyber governance, not involvement.
  10. Clear and meaningful metrics empower boards to govern cybersecurity successfully.

TAKEAWAYS:

  1. Shift focus from technical metrics to business impact and resilience.
  2. Prioritize metrics that align with continuity and financial goals.
  3. Use governance indicators to measure cultural and compliance health.
  4. Ensure strategic metrics predict and prepare for future cyber challenges.
  5. Regularly audit and refine board metrics to expose and address blind spots.

Quantifying Swiss Cheese: Bayesian Inference and Exploit Likelihood

Source: Medium

Author: Stephen Shaffer

URL: https://systemweakness.com/quantifying-swiss-cheese-the-bayesian-way-b2b512472d85

ONE SENTENCE SUMMARY:

The article discusses using EPSS and Bayesian inference to quantify and update exploit likelihood by measuring control effectiveness.

MAIN POINTS:

  1. EPSS predicts CVE exploitation likelihood within 30 days with scores from 0 to 1.
  2. EPSSg estimates the probability of at least one CVE exploitation on an asset.
  3. Swiss Cheese Model represents layers of defense, with each control as probabilistic filters.
  4. Bayesian inference helps update beliefs about control effectiveness using SME surveys.
  5. Control effectiveness rates determine a control’s success in preventing exploitations.
  6. Observations, like firewall logs, refine initial beliefs and tighten confidence intervals.
  7. Dynamic models update exploit likelihood as new evidence accumulates.
  8. FAIR-CAM provides a framework for understanding control influence on risk.
  9. Multiple controls can be modeled successively to refine exploit likelihood estimates.
  10. The approach allows for continuous risk assessment and informed decision-making.

TAKEAWAYS:

  1. EPSS and EPSSg assess global exploit pressure and asset-specific risk.
  2. Bayesian inference allows for evidence-based updates of control effectiveness.
  3. Control reliability is represented as probabilities and refined with real-world data.
  4. FAIR-CAM principles inform a structured approach to risk quantification.
  5. Continuous model updates enhance understanding and strategic vulnerability management.