HIRE A HACKER PRO | Cyber Threat Education

Ethical Hacking Education Platform

24-HOUR THREAT EDUCATION FEED

Known vulnerabilities: 20,120; critical: 3,322; ransomware: 4,073; sources: 9
HIRE A HACKER PRO: Certified Ethical Hacking Academy
HIRE A HACKER PRO delivers elite ethical hacking education. Our certified instructors teach real-world penetration testing, reverse engineering, and defensive security strategies. Students learn to identify vulnerabilities, simulate attacks, and build unbreakable defenses. With a 99.7% student success rate, our hands-on labs prepare you for CEH, OSCP, and real jobs. Join thousands who’ve launched cybersecurity careers. Learn today. Defend tomorrow.
Tips for CISOs who want to switch industries
From the outside, it would seem that people who have made it to Chief Information Security Officer should have no problem switching industries. In reality, however, many security leaders regularly find that the opposite is true: once you work in a particular industry, getting out again can be difficult. This is partly because executives and recruiters often still assume that a CISO's experience is only useful within their current sector. However, the evolution of IT over the past 15 years has led to increasing cross-industry standardization of technologies. Nevertheless, CISOs who want to move from manufacturing to healthcare, for example, cannot avoid proving that their skills are transferable from one sector to another. This article explains how to do that.

1. Initiate the switch strategically
The first prerequisite security leaders should meet in order to switch industries successfully is to acquire the necessary adaptability. Timothy Youngblood knows this from his own experience. The security specialist has served as a security leader at several large US companies. Among other roles, he was the very first Global CISO at Dell. However, he first got to know the challenges of different industries as a consultant at KPMG: “I took many important insights for my career from my time as a consultant. For example, that every industry has its own nuances, but the fundamental security principles are always the same.”
Exchanges with industry-specific ISACs (which are mainly common in the US) also helped him get to grips with the differing industry requirements, Youngblood says: “These groups enable exchange between the public and private sectors and offer an excellent way to understand how other industries solve the same problem.”
CISOs without consulting experience (or access to ISACs) who want to switch industries are instead advised to strategically identify structural similarities. Sal DiFranco, Managing Partner at executive search firm DHR Global, explains: “Look for sectors that are structured similarly to your current industry. That usually ensures an easy transition, or can be the first step toward a move into another, more distant industry.” According to the manager, security leaders from the pharmaceutical industry could readily move into healthcare: “Of course there are many differences between the companies in these fields. From a technology perspective, they are nonetheless similar: both are heavily regulated environments with the same strict requirements for technology.”

2. Demonstrate successes
CISOs who want to get off to a strong start in a new industry should also demonstrate as early as possible that their previous successes are relevant to the new company. DiFranco explains: “If what a job candidate has achieved also contributes to the new company's goals, it is much more likely that they will get a chance to prove themselves. But it is not only about the results themselves, but also about being able to articulate how you intend to achieve the same results in the new industry.”
Youngblood successfully followed exactly this approach when he moved from his position as CISO at US consumer goods giant Kimberly-Clark to McDonalds, where he primarily had to get used to the operational structures. Beyond that, the security specialist also learned to adapt to industry-specific threats, for instance as CSO of T-Mobile: “In the telecom industry, SIM swapping, for example, is a significant problem. Most outsiders are not aware that this is a billion-dollar criminal industry that in some cases is also state-funded.”
A deep understanding of the industry-specific risk landscape is also crucial for Michael Meline, CEO and CISO at security service provider Cyber Self-Defense. Meline, too, knows what he is talking about: he originally started his career in law enforcement before moving first into the financial industry as a security professional and then into healthcare. “There are many similar risks, but at its core it is always about risk management. If you can demonstrate that you understand the respective risk landscape, that can give you a considerable advantage.”

3. Draw analogies
From a career perspective, the greatest risk for CISOs and security leaders is being seen as a specialist for a single industry. Marc Ashworth, CISO at the US-based First Bank, advises focusing on demonstrating a transferable skill set: “With every application, keep in mind that the principles are always the same regardless of industry.” Meline adds: “At its core, it is about identifying risks and taking appropriate measures to mitigate them. To do so, security leaders in every industry have to work with stakeholders from all levels of their organization and develop a joint plan that meets the respective requirements.” Or as DiFranco puts it: “What is essential is to demonstrate relevance while drawing analogies to other industries.” (fm)
New MongoDB Flaw Lets Unauthenticated Attackers Read Uninitialized Memory
A high-severity security flaw has been disclosed in MongoDB that could allow unauthenticated users to read uninitialized heap memory. The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency, which arises when a program fails to appropriately tackle scenarios where a length field is inconsistent with the
High severity flaw in MongoDB could allow memory leakage
Document database vendor MongoDB has advised customers to update immediately following the discovery of a flaw that could allow unauthenticated users to read uninitialized heap memory. Designated CVE-2025-14847, the bug, mismatched length fields in zlib compressed protocol headers, could allow an attacker to execute arbitrary code and potentially seize control of a device.

The flaw affects the following MongoDB and MongoDB Server versions:
MongoDB 8.2.0 through 8.2.3
MongoDB 8.0.0 through 8.0.16
MongoDB 7.0.0 through 7.0.26
MongoDB 6.0.0 through 6.0.26
MongoDB 5.0.0 through 5.0.31
MongoDB 4.4.0 through 4.4.29
All MongoDB Server v4.2 versions
All MongoDB Server v4.0 versions
All MongoDB Server v3.6 versions

In its advisory, MongoDB “strongly suggested” that users upgrade immediately to the patched versions of the software: MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30. However, it said, “if you cannot upgrade immediately, disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits zlib.”

MongoDB, one of the most popular NoSQL document databases for developers, says it currently has more than 62,000 customers worldwide, including 70% of the Fortune 100.

This article originally appeared on InfoWorld.
Trust Wallet Chrome Extension Breach Caused $7 Million Crypto Loss via Malicious Code
Trust Wallet is urging users to update its Google Chrome extension to the latest version following what it described as a "security incident" that led to the loss of approximately $7 million. The issue, the multi‑chain, non‑custodial cryptocurrency wallet service said, impacts version 2.68. The extension has about one million users, according to the Chrome Web Store listing. Users are advised to
China-Linked Evasive Panda Ran DNS Poisoning Campaign to Deliver MgBot Malware
A China-linked advanced persistent threat (APT) group has been attributed to a highly-targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India. The activity, Kaspersky said, was observed between November 2022 and November 2024. It has been linked to a
Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection
A critical security flaw has been disclosed in LangChain Core that could be exploited by an attacker to steal sensitive secrets and even influence large language model (LLM) responses through prompt injection. LangChain Core (i.e., langchain-core) is a core Python package that's part of the LangChain ecosystem, providing the core interfaces and model-agnostic abstractions for building
7 SASE certifications to validate converged network and security skills
As cyberattacks grow more sophisticated and AI-powered threats escalate, enterprises are under pressure to evolve beyond traditional perimeter-based network security. Many are turning to Secure Access Service Edge (SASE), a cloud-native framework that converges network and security functions to protect distributed workforces, optimize network performance, and simplify management across multiple tools. SASE platforms typically include SD-WAN, secure web gateway (SWG), firewall as a service (FWaaS), cloud access security broker (CASB), and zero-trust network access (ZTNA). They can also encompass a growing list of additional features such as browser isolation, sandboxing and data loss prevention (DLP).

The overall SASE market is projected to climb from $15 billion in 2025 to $28.5 billion by 2028, according to Gartner. Deployments are split between single-vendor SASE platforms and dual-vendor approaches, the research firm says. With more enterprises adopting SASE architectures and a widening talent gap for security skills, IT professionals who can architect, deploy, and manage these converged platforms are in demand.

SASE vendors are responding with certification programs aimed at validating these skills. A growing list of providers – including Cato Networks, Fortinet, Netskope, Palo Alto Networks and Zscaler – now offer credentials that help practitioners prove expertise in their platforms while keeping pace with the shift to cloud-delivered security. Here’s a snapshot of what they’re offering.

Cato Networks: Cato SASE Expert Level 1 Certification
Overview: This introductory course validates a fundamental understanding of the SASE framework, including the drivers, value, architecture, use cases, and key network and security functions of SASE. It also offers the knowledge required to help an organization move toward SASE adoption.
Target professional: This certification is ideal for IT professionals, network administrators, and security architects.
Key skills: Certified individuals demonstrate proficiency with the Cato Management Application (CMA) and possess the technical expertise to operate, configure, and troubleshoot Cato SASE Cloud. The certification covers SASE essentials, including converged network and security functions in cloud native architectures.
Exam specifics: Candidates take a two-to-three exam and must receive an 85% or higher to become certified.
Cost: The self-paced SASE course and exam are free.
Prerequisites: Candidates should have experience in cloud, networking, and security. Cato recommends candidates watch several SASE videos and read three SASE books to prepare for the exam.
Note: Cato Networks offers several levels of SASE certifications.

Cisco: Cisco Certified Network Professional (CCNP) Security
Overview: While not specific to SASE, the CCNP Security certification proves skills in security infrastructure, including network, cloud, and content security, endpoint protection and detection, secure network access, visibility, and enforcement. Earning the CCNP Security certification proves an IT professional has the know-how to secure and protect networks.
Target professional: IT professionals with three to five years of IT experience who work with Cisco security products. This is considered an intermediate-level certification for network and security professionals.
Key skills: Certification holders demonstrate knowledge of identifying common threats and vulnerabilities, understanding encryption and virtual private networks, and implementing core security technologies.
Exam specifics: The Cisco Certified Specialist - Security Core exam, or SCOR exam, and the concentration exams make up the CCNP Security Certification. The core SCOR exam is 120 minutes long, and the concentration exam is 90 minutes long. A passing score generally falls within the range of 800 to 850 out of 1,000 points.
Cost: $400
Prerequisites: There are no formal prerequisites, but three to five years of experience is recommended for this professional-level certification.
Note: Cisco offers a SASE Solution Specialization as part of its partner program.

Fortinet: Fortinet Certified Solution Specialist Secure Access Service Edge (FCSS SASE)
Overview: The FCSS SASE certification confirms a candidate’s ability to design, manage, monitor, and troubleshoot Fortinet SASE solutions. The curriculum covers SASE infrastructures using advanced Fortinet technologies.
Target professional: Cybersecurity professionals who require the expertise needed to design, manage, support, and analyze advanced Fortinet SASE solutions and who are working with FortiSASE solutions. Network security engineers and those professionals looking to specialize in SASE technologies are also good candidates.
Key skills: This certification validates skills in designing, administering, monitoring, and troubleshooting Fortinet’s SASE solutions, covering areas such as SASE architecture, user onboarding, security posture and compliance, security profiles, SD-WAN deployments, and FortiSASE analytics and reporting.
Exam specifics: The FortiSASE Administrator exam (FCSS_SASE_AD-24) is a 60-minute exam consisting of 30 questions with a pass/fail scoring system. To achieve this certification, candidates are required to pass two core exams within two years.
Cost: $200
Prerequisites: Fortinet recommends taking the associated Network Security Expert (NSE) courses to prepare for the certification exams. Candidates should have foundational knowledge in network security and cybersecurity before trying to gain this professional-level certification. Fortinet provides study guides through its training portal.
Note: The FCSS SASE certification consists of two parts: SD-WAN and SASE. The certification uses FortiSASE 25 and FortiOS 7.4 technologies.

Netskope: Netskope SASE Accreditation
Overview: Netskope’s SASE Accreditation program provides foundational theory and practical knowledge of SASE architecture and implementation with on-demand, self-paced learning modules and quizzes and optional, interactive technical labs for a more hands-on experience.
Target professional: The program is designed for working practitioners and architects in cybersecurity, networking, and technology, including roles in system administration, network engineering, IT operations, and software development.
Key skills: The accreditation focuses on core SASE and zero-trust concepts including cloud computing and software-defined networking (SDN), as well as cloud security components such as Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA), Data Loss Prevention (DLP), and threat protection.
Exam specifics: The 45-minute exam consists of 30 multiple-choice questions and requires an 80% to pass. Attendees are given two attempts to pass.
Cost: Netskope offers this course and exam for free.
Prerequisites: Attendees should have knowledge of security, network, and architectural principles. No coding or system administrative experience is required.
Note: While sponsored by Netskope, the accreditation course and exam aim to be vendor-agnostic.

Palo Alto Networks: Palo Alto Networks Certified Security Service Edge Engineer
Overview: This certification validates experienced security service edge (SSE) engineers on their knowledge and skills in deployment configuration, and post-deployment management and configuration, as well as their ability to troubleshoot deployed Prisma Access environments.
Target professional: The certification is designed for SSE and SASE engineers, Prisma Access Specialists, network and security engineers, professional service consultants, and technical support engineers responsible for securing and optimizing network and cloud environments.
Key skills: The certification validates experienced SSE engineers on their knowledge and skills in setting up and configuring Prisma Access and SSE solutions. It also verifies skills in ongoing administration and configuration management of deployed environments, as well as the ability to diagnose and resolve issues in deployed Prisma Access environments.
Exam specifics: The exam consists of multiple-choice and scenario-based questions with 60 questions total, a duration of 90 minutes, and a passing score of 70%.
Cost: $250
Prerequisites: There are no formal prerequisites; candidates should have solid knowledge of network security and security architecture principles and experience with SSE/SASE tools like ZTNA, CASB, and SWG.
Note: This certification bridges the gap between outdated VPNs and AI-powered SASE.

Versa Networks: Versa Certified Security Specialist
Overview: This is Versa Networks’ entry-level SSE certification, designed to validate foundational knowledge of Security Service Edge architecture and the Versa platform. It serves as a stepping stone for network engineers looking to specialize in Versa’s SASE solutions.
Target professional: Engineers who perform architect, engineering, or planning roles with Versa Security services for more than one year, with hands-on experience managing and operating Versa Secure SD-WAN Platforms.
Key skills: This certification validates skills in administering Versa Security services on SD-WAN platforms, maintaining network security functions within the Versa ecosystem, and diagnosing and resolving security-related issues on Versa Secure SD-WAN platforms.
Exam specifics: The exam consists of 60 multiple-choice questions that must be completed within the 90-minute timeframe, with a pass/fail result immediately available.
Cost: $150
Prerequisites: Candidates must have also completed the Versa Certified SD-WAN Associate (VNX100) or Versa Certified Administrator – SD-WAN Specialist (VNX301) certification programs.
Note: Versa Certifications are valid for two years.

Zscaler: Zscaler Zero Trust Cyber Associate (ZTCA)
Overview: ZTCA is a foundational zero-trust credential aimed at validating knowledge around zero trust principles, architectures, and how they differ from legacy network security models.
Target professional: This certification is for anyone wanting to learn the basics of zero trust and it is well-suited for candidates who are newer to zero-trust architectures or who want to formalize their foundational understanding before moving into vendor-specific roles.
Key skills: This certification validates that candidates can recognize the differences between old/legacy architectures and zero-trust models and understand when a zero-trust approach offers advantages. It also teaches the core components of zero trust, such as identity, least privilege, microsegmentation, and continuous verification, and how they integrate into a holistic model.
Exam specifics: The exam consists of 75 questions and runs for two hours, and candidates are allowed three attempts to pass. To earn the credential, candidates must complete the e-learning portion and pass the exam.
Cost: $300
Prerequisites: Candidates must complete the five-hour e-learning course before taking the exam, and basic knowledge of networking and cybersecurity domains is required.
Note: Zscaler issues a digital badge for its certifications that can be displayed on LinkedIn and other platforms.
ThreatsDay Bulletin: Stealth Loaders, AI Chatbot Flaws AI Exploits, Docker Hack, and 15 More Stories
It’s getting harder to tell where normal tech ends and malicious intent begins. Attackers are no longer just breaking in — they’re blending in, hijacking everyday tools, trusted apps, and even AI assistants. What used to feel like clear-cut “hacker stories” now looks more like a mirror of the systems we all use. This week’s findings show a pattern: precision, patience, and persuasion. The
LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds
The encrypted vault backups stolen from the 2022 LastPass data breach have enabled bad actors to take advantage of weak master passwords to crack them open and drain cryptocurrency assets as recently as late 2025, according to new findings from TRM Labs. The blockchain intelligence firm said evidence points to the involvement of Russian cybercriminal actors in the activity, with one of the
Fortinet Warns of Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability
Fortinet on Wednesday said it observed "recent abuse" of a five-year-old security flaw in FortiOS SSL VPN in the wild under certain configurations. The vulnerability in question is CVE-2020-12812 (CVSS score: 5.2), an improper authentication vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second factor of authentication if the
CISA Flags Actively Exploited Digiever NVR Vulnerability Allowing Remote Code Execution
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2023-52163 (CVSS score: 8.8), relates to a case of command injection that allows post-authentication remote code
CERN: how does the international research institution manage risk?
There are few research institutions in the world with the size and scope of the European Organization for Nuclear Research, CERN. Founded in 1954 by 12 European countries, the European Laboratory for Elementary Particle Physics is located in the Swiss town of Meyrin, in the canton of Geneva, although its facilities extend along the Franco-Swiss border. Among them is the Large Hadron Collider (LHC), the world’s largest particle accelerator. International collaboration is at the core of its origin: more than 3,500 people make up its permanent staff. A small village that expands to 17,000 when adding the scientific staff of around 950 institutions from more than 80 different countries that collaborate on projects at the center. In this homegrown ecosystem, IT risk management poses a challenge.

“The main problem is that we are managing a huge organization,” explains Stefan Lüders, CERN’s CISO. “We are one of the most important particle physics research institutes on the planet. We do sophisticated and interesting things, which makes us a target for attacks from different communities.” He lists several of these potential threats: script kiddies or hackers with basic knowledge, who all pose a potential security risk; ransomware or data exfiltration; sabotage of CERN’s work; espionage actions and criminal groups trying to infiltrate through computers or other devices.

“This is where people come in. Because we have a very large, heterogeneous and very fluctuating research community. There are many physicists who join the organization every year. They come in and leave to do their PhD, do research at CERN and then leave,” he describes, pointing to the challenge of “taking care of this community of users. The other challenge is the flexible and fast-developing world of IT.” This includes programming — importing open-source libraries, their security, etc. — and AI. “The more sophisticated AI becomes, the greater the likelihood that those AI-driven security or attack tools will try to infiltrate the organization.”

Securing CERN

How do you ensure effective implementation of cybersecurity initiatives that don’t disrupt scientific work? “You can’t,” Lüders asserts. “Cybersecurity is inconvenient. Let’s face it.” Lüders equates it to locking your front door or using your PIN to get cash out of the ATM; they can be annoying, but necessary. “We try to explain to our community why security measures are needed,” he says. “And if we adapt our security measures to our environment, people adopt them. Yes, it makes the research a little more complicated, but only a little.”

Lüders insists on the research work factor. “We are not a bank. We don’t have billions of dollars. We are not a military base, which means we don’t have to protect a country. We do research, which means adapting the level of security and the level of academic freedom so that the two go hand in hand. And that’s an ongoing conversation with our user community.” This ranges from scientific personnel to industrial control systems management, IT or human resources. “To meet this challenge, it is essential to talk to people. That’s why, I insist, cybersecurity is a very sociological issue: talking to people, explaining to them why we do this.”

For example, not everyone willingly uses multifactor authentication because “let’s face it, they’re a pain. It’s much easier to type in a password, and who even wants to type in a password? You just want to log in. But for protection needs, today we have passwords and multifactor authentication. So you explain to people what you’re protecting. We tell them why it’s important to protect their work, as well as research results. And the vast majority understand that you need a certain level of security,” he says. “But it’s a challenge because there are so many different cultures here, different nationalities, different opinions and thoughts, and different backgrounds. That’s what we are constantly trying to adapt to.”

Employing proprietary technology can introduce risks, according to Tim Bell, leader of CERN’s IT governance, risk and compliance section, who is responsible for business continuity and disaster recovery. “If you’re a visitor to a university, you’ll want to bring your laptop and use it at CERN. We can’t afford to remove these electronic devices upon arrival at the facility. It would be incompatible with the nature of the organization. The implication is that we must be able to implement BYOD-type security measures.”

Because at the core of everything always remains the collaborative nature of CERN. “Academic papers, open science, freedom of research, are part of our core. Cybersecurity needs to adapt to this,” Lüders notes. “We have 200,000 devices on our network that are BYOD.” How then does the adaptation of cyber protection apply? “It’s called defense in depth,” explains the CISO. “We can’t install anything on these end devices because they don’t belong to us, (…) but we have network monitoring.” In this way, even if you don’t have direct access to each device, you are warned when something is being done against the center’s policies, both at the level of cybersecurity and inappropriate uses, such as employing the technology they provide for particular interests.

These measures also extend to obsolete systems, which the organization is able to assimilate because they have a network resilient enough that even if one piece of equipment is compromised, it won’t damage any other CERN systems. The legacy technology problem extends to the equipment needed for the physics experiments being performed at the center. “These are protected by dedicated networks, which allows the network protection to kick in and protect them against any kind of abuse,” Lüders explains. On IoT connected devices not designed with cybersecurity in mind, “a problem for all industries,” Lüders is blunt: “You will never get security in IoT devices.” His solution is to connect them to restricted network segments where they are not allowed to communicate with anything else, and then define destinations to which they can communicate.

General framework

This is part of a larger challenge: aligning the IT and OT sides so that security continuity is established throughout the organization. A challenge that goes through centralization. “Today the OT part, the controls systems at CERN, are using IT virtualization,” explains Lüders. “The strategy is to bring IT and control people together so that the control people can use the IT services to their advantage.” From the technology department, a central system is provided with different functionalities for operations, as well as for other areas of the organization, accessible through a single point of entry. “That’s the power of centralization.” This system also includes new tools such as AI tools in LLM, where they have a working group in place to find the best way to employ them. “We are facing a big discovery and, later on, we will centralize it through a central IT service. And that’s how we do it with all technologies.”

Just as the subjects they research at CERN are evolving, so is their IT governance framework. This has been keeping up with industry developments, Bell explains, hand in hand with audits that allow it to operate according to best practice. “The governance part is becoming more formal. In general, everything was well organized; it was just a matter of standardizing it and developing policy frameworks around it.” Despite the establishment of these standards, the result is the opposite of rigid, explains Bell, who exemplifies this with the case of a recent cybersecurity audit in which CERN was assessed against one of the international standards, which served to improve the level of maturity. “We are adopting a fairly flexible IT governance policy, learning from the experience of others in adopting industry standards.”
New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper
Cybersecurity researchers have discovered a new variant of a macOS information stealer called MacSync that's delivered by means of a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple's Gatekeeper checks. "Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more
Nomani Investment Scam Surges 62% Using AI Deepfake Ads on Social Media
The fraudulent investment scheme known as Nomani has witnessed an increase by 62%, according to data from ESET, as campaigns distributing the threat have also expanded beyond Facebook to include other social media platforms, such as YouTube. The Slovak cybersecurity company said it blocked over 64,000 unique URLs associated with the threat this year. A majority of the detections originated from
Attacks are Evolving: 3 Ways to Protect Your Business in 2026
Every year, cybercriminals find new ways to steal money and data from businesses. Breaching a business network, extracting sensitive data, and selling it on the dark web has become a reliable payday. But in 2025, the data breaches that affected small and medium-sized businesses (SMBs) challenged our perceived wisdom about exactly which types of businesses cybercriminals are targeting.
Webrat turns GitHub PoCs into a malware trap
Security professionals hunting PoCs and exploit code on GitHub might soon walk into a trap, as attackers redirect a known RAT toward them. Researchers have uncovered a stealthy campaign in which the Webrat Trojan, known for months to hide inside game cheats and cracked software, is now posing as proof-of-concept exploit repositories on GitHub to trick unsuspecting security researchers. The clever decoy and the unexpected target set the campaign apart from typical malware distribution attacks. Kaspersky’s security analysts spotted this evolution, in which attackers uploaded seemingly legitimate vulnerability exploit code, complete with structured documentation, only to lure targets into downloading a backdoor.

From game cheats to GitHub exploits

Webrat isn’t new. It has a history of hiding in plain sight under familiar lures like game cheat packages (including Rust, Counter-Strike, and Roblox) and cracked software installers. But in the latest campaign, dating back to at least as far as September 2025, attackers started to change their approach by hosting repositories on GitHub that appear to offer exploit code for high-profile vulnerabilities with high CVSSv3 scores. The vulnerabilities they pushed exploits for included a critical heap-based buffer overflow in Internet Explorer (CVE-2025-59295, CVSS 8.8), a max severity authentication bypass in a WordPress plugin (CVE-2025-10294, CVSS 9.8), and an improper access control in Windows Remote Access Connection Manager (CVE-2025-59230, CVSS 7.8).

Apart from dumping the exploit code, the repositories included detailed sections with overviews of the vulnerability, system impact, install guides, usage steps, and even mitigation advice. The format’s consistency with a professional PoC writeup suggests the descriptions are machine-generated to avoid detection by seasoned professionals, Kaspersky researchers noted in a blog post.
The malicious payload and behavior

Beneath the polished README, the attackers dumped a password-protected ZIP linked in the repository. The archive password was hidden in file names, something easily missable by unsuspecting eyes. Inside, the key components include a decoy DLL, a batch file to launch the malware, and the primary executable (like rasmanesc.exe) capable of escalating privileges, disabling Windows Defender, and retrieving the real Webrat payload from hardcoded command-and-control (C2) servers.

Once executed, Webrat installs a backdoor on the host system. The backdoor can exfiltrate credentials, access cryptocurrency wallets, spy through webcams and microphones, log keystrokes, and steal data from messaging apps like Telegram, Discord, and gaming platforms such as Steam. The capabilities amount to a full-blown surveillance and theft platform under the attacker’s control.

Significance of the shift

Researchers found the shift from tricking casual users with game cheats to targeting tech professionals with exploit code both notable and concerning. “They are targeting researchers who frequently rely on open sources to find and analyze code related to new vulnerabilities,” they said.

However, experienced security researchers typically analyze such exploits within isolated environments like virtual machines or sandboxes, minimizing risk. That is perhaps why the campaign is seen as deliberately tuned to target novices, including students, junior analysts, and those eager to explore PoCs without safe handling practices.

“Cybersecurity professionals, especially inexperienced researchers and students, must remain vigilant when handling exploits and any potentially malicious files,” the researchers advised. “To prevent potential damage to work and personal devices containing sensitive information, we recommend analyzing these exploits and files within isolated environments like virtual machines or sandboxes.”

The disclosure noted that Webrat itself hasn’t undergone any significant technical changes. Instead, attackers have reframed the risk by turning open-source curiosity into an attack surface.
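The packaging described above (a password-protected ZIP holding a DLL, a batch file and an executable) can be recognized before anything is extracted, because ZIP encryption leaves the entry names in the central directory readable. The following is an added example, not code from the article or from Kaspersky; the function names, verdict labels and sample file names other than rasmanesc.exe are assumptions, and the sample archives are constructed placeholders.

```python
import io
import struct
import zipfile
from pathlib import PurePosixPath

# Component types the article lists inside the archive.
RISKY_EXT = {".exe": "executable", ".dll": "DLL", ".bat": "batch file"}
ENCRYPTED = 0x1  # general-purpose flag bit 0: entry is password-protected


def triage_archive(data: bytes) -> dict:
    """Read only the ZIP central directory; nothing is extracted or decrypted."""
    encrypted, risky = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & ENCRYPTED:
                encrypted.append(info.filename)
            kind = RISKY_EXT.get(PurePosixPath(info.filename).suffix.lower())
            if kind:
                risky.append((info.filename, kind))
    kinds = {kind for _, kind in risky}
    reasons = []
    if encrypted:
        reasons.append("password-protected entries hide content from scanners")
    if risky:
        reasons.append("prebuilt Windows binaries or scripts instead of source")
    if {"executable", "batch file"} <= kinds:
        reasons.append("launcher script shipped next to an executable")
    # "no-static-flags" is not a safety verdict; it only means these checks were silent.
    verdict = "flagged" if reasons else "no-static-flags"
    return {"encrypted": encrypted, "risky": risky,
            "reasons": reasons, "verdict": verdict}


def build_sample(names, encrypt: bool) -> bytes:
    """Constructed input: placeholder text files, optionally marked as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            entry = zipfile.ZipInfo(name, date_time=(2025, 1, 1, 0, 0, 0))
            zf.writestr(entry, b"constructed placeholder, not real content")
    raw = bytearray(buf.getvalue())
    if encrypt:
        # Flag field sits at offset 6 in local headers and offset 8 in central headers.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", raw, pos + off)
                struct.pack_into("<H", raw, pos + off, flags | ENCRYPTED)
                pos = raw.find(sig, pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    lure = build_sample(["poc/README.md", "poc/loader.bat",
                         "poc/decoy.dll", "poc/rasmanesc.exe"], encrypt=True)
    for key, value in triage_archive(lure).items():
        print(key, "->", value)
```

A flagged archive is a reason to stop and move the analysis into the isolated environment the researchers recommend, not a replacement for it.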
Implementing NIS2 — without getting bogged down in red tape
NIS2 is symbolic of the core problem with European directives and regulations: They generate unnecessary red tape and too rarely have the desired effect. Whether it’s the Supply Chain Act, GDPR impact assessments, or the IT Security Act — the common theme is that companies have to produce mountains of documentation, something that neither increases actual security nor is realistically verifiable. A compliant entity is typically one that can provide comprehensive documentation of all processes and regular audits. This documentation is usually so detailed that its creation already entails an almost unreasonable effort, and manual review becomes practically impossible. Even if it were reviewed, the information would not be precise enough to demonstrate genuine security.

Security should be included in the planning

This leads to an absurd practice at many companies: The technical team builds functioning infrastructure, and separately, a compliance officer subsequently writes a lengthy justification as to why the solution is supposedly secure. That’s roughly equivalent to Volkswagen building a car and only afterwards someone writing 40 pages about why that car should meet safety standards. In real-world industry, of course, things work differently: Safety requirements are already integrated into the planning, minimum technological standards are defined, and quality processes automatically monitor implementation. Compliance results from technology — not from ring binders.

In other areas, such as tax audits, this problem has long been recognized, and the automation of relevant processes is legally mandated (keyword: electronic cash register, audit-proof accounting software). This not only saves honest business owners enormous amounts of manual work but, above all, reduces the risk of fraud. Unfortunately, few things are implemented as consistently in Germany as the collection of our taxes.
Unlike the issue of tax burden, companies should have an intrinsic interest in correctly implementing their IT security. The fine for a NIS2 violation can amount to up to €10 million or 2% of global annual revenue. The economic damage caused by successful cyberattacks is often existential and already amounts to hundreds of billions of euros per year. Even though it is not explicitly required by law, it is now possible — not least thanks to AI-supported tools — to automate security processes and their complete documentation to such an extent that security, compliance, and auditability can be combined in a single technical process. This not only saves resources but also increases actual security. An example of a SaaS application in the cloud shows what this can look like in detail.

IT in transition: From text documents to declarative technology

NIS2 essentially requires three things: concrete security measures; processes and guidelines for managing these measures; and robust evidence that they work in practice. Process documentation — that is, policies, responsibilities, and procedures — is not fundamentally new for most larger companies. ISO 27001-based information security management systems, HR processes, and management manuals have often been in place for years. Therefore, two levels are crucial for NIS2: the technical measures and the evidence that they are effective.

This is precisely where the transformation of recent years becomes apparent. Previously, concepts, measures, and specifications for software and IT infrastructures were predominantly documented in text form. Program code was too complex, and configurations were scattered across files, ticketing systems, or in the minds of individual administrators. Documents were then written afterward — often by colleagues from other disciplines.
This approach was problematic for two main reasons: It doesn’t scale in growing, distributed environments, and it doesn’t align with the goal of consistently automating technical processes. Modern systems therefore rely on methods such as test-driven or behavior-driven development and infrastructure as code (IaC), which — when consistently applied — largely replace text documentation. The technical specifications required by NIS2 can directly reference these artifacts: IaC definitions define encryption, network segments, or backup scenarios, and CI/CD pipelines deploy them to production in an audit-proof manner. Changes are thus not only described with technical precision, but also traceable chronologically via commits and deployments. Evidence for aspects that cannot be fully declared — such as the security of the software supply chain or the application code — can be mapped via security checks in the CI/CD pipeline and ongoing evaluation by SIEM and CNAPP systems.

The following areas provide a particularly clear example of what this can look like in practice: identity and access management; vulnerability management in the software supply chain and in monitoring; incident handling; and reporting obligations.

Identity and access management: Policies as code instead of Excel roles

Identity and access management is one of the central pillars of NIS2. What’s required is not just “any” roles, but an access concept based on Need-to-Know, Least Privilege, and Separation of Duties. In practice, this can be effectively conceived in three levels: the deliberate granting of rights, a realistic lifecycle for these rights, and an architecture that prevents lateral movement as much as possible. Instead of managing permissions in Excel, admin UIs, and scattered wikis, roles and access rights are defined as “policies as code” or IaC — for example, as Terraform modules or JSON/YAML policies in a Git repository.
All changes are made exclusively via merge requests and deployed through a CI/CD pipeline. This makes it clearly traceable who changed which permissions, who approved the change, and when it went live. The documentation and accountability requirements of NIS2 thus arise directly from Git history and pipeline logs, without anyone having to write additional Word documents.

A role model alone does not guarantee the principle of least privilege. NIS2 requires that rights be regularly reviewed and unnecessary permissions removed. In cloud environments with hundreds of accounts, services, pods, and functions, this is virtually impossible to manage manually. This is where cloud identity entitlement management (CIEM) systems come in. They read all effective permissions from the environment, correlate them with audit logs, and show which rights are actually being used and where overprivileging exists. This is particularly crucial for non-human identities (service accounts, workloads), because this is precisely where very broad rights are often granted, which can later serve as a springboard for attackers. Some startups now even offer CIEM systems that can automatically generate IAM policies for the relevant roles using AI.

Vulnerability management and software supply chain: SBOM instead of scanner PDF

The second area that NIS2 and the new Implementing Regulation 2024/2690 for digital services are enshrining in law is vulnerability management in the company’s own code and supply chain. This requires regular vulnerability scans, procedures for assessment and prioritization, timely remediation of critical vulnerabilities, and regulated vulnerability handling and — where necessary — coordinated vulnerability disclosure. Cloud and SaaS providers also face additional supply chain obligations, for example, towards cloud, CI/CD, and registry service providers.
In traditional vulnerability management, SCA, SAST, and DAST scanners are simply “dragged across everything.” The result is endless lists of findings, most of which are false positives or irrelevant to the specific system. This data then ends up in Excel spreadsheets or a vulnerability database, where teams try to prioritize. Especially with zero-day vulnerabilities, this leads to frantic ad-hoc analyses: Which of our components are affected? Is the vulnerability even exploitable in our architecture? What do we do until a patch is available?

The modern approach is to consolidate all DevSecOps findings in a central system. Results from SCA, SAST, and DAST are combined there, enriched with context from the software bill of materials (SBOM), architecture, and exposure, and pre-filtered using AI. This drastically reduces false positives, leaving a significantly smaller set of truly relevant vulnerabilities, including an assessment of their criticality in the specific setup. These consolidated findings can be directly forwarded to ticketing systems and the SOC, where they are treated like incidents, tracked, and evaluated for NIS2 reports. This transforms a proliferating scanner output into a manageable process that reflects both legal requirements and operational realities.

Monitoring, incident handling, and reporting center

The third area where NIS2 quickly becomes a paper tiger is the combination of monitoring, incident response, and the new reporting requirements. The directive sets clear deadlines: early warning within 24 hours, a structured report after 72 hours, and a final report no later than one month. Many organizations are reacting by creating new templates, Excel spreadsheets, and reporting manuals — often largely detached from their existing SOC. In a critical situation, this means that the SOC tackles the incident while, simultaneously, an “NIS2 task force” tries to process information from tickets, emails, and ad-hoc chats so that it fits into a form.
The result is duplicated work, loss of information, and reports that fill pages but reveal little about how well detection and response actually work. In a cloud SaaS environment, a different approach is possible: Instead of treating NIS2 reporting as a separate document project, a modern DevSecOps-based SOC is built, so that all security-relevant signals converge in one place from the outset: cloud infrastructure, CI/CD pipelines, applications, IdP, and IAM. The rules governing how this data is correlated, enriched, and transformed into incidents are defined and versioned as code. Threat detection and response logic, thresholds, and playbooks reside in the repository and are deployed via pipelines, just like application code. This allows for the automation of large portions of traditional SOC work: Raw logs are transformed into consistent, contextualized incidents without requiring manual copying and pasting of text snippets.  Cloud-native application protection platforms (CNAPP) and similar platforms simultaneously handle data storage and archiving, ensuring that the evidence of monitoring activity is generated within the system rather than through separate documentation loops. Machine learning and AI components further assist in reducing false positives, clustering similar events, and highlighting unusual patterns — allowing the SOC to focus on the few incidents that truly require attention. At the process level, playbooks and reporting channels remain important — but streamlined. An incident response playbook defines incident classes, escalation paths, and communication rules, including the criteria for when an incident is considered “NIS2 significant.” A reporting process governs who consolidates the information from the SOC and business units and submits it via the BSI reporting center. 
The actual documentation is also generated largely automatically here: Incident tickets contain a timeline, affected services, impact, cause, and measures; a “NIS2-relevant” indicator and a reporting status link them to external reports. Key performance indicators (KPIs) such as MTTD, MTTR, or the time between detection and initial reporting can be calculated directly from SIEM and IR data — precisely the metrics that reveal whether NIS2 is a lived process or just another drawer in the document cabinet.

NIS2 as an architecture test, not just a documentation exercise

NIS2 forces companies to explicitly define their security measures, processes, and documentation. This is inconvenient — especially for organizations that have previously operated largely on an ad-hoc basis. Whether this becomes a mere formality or a genuine security improvement, however, depends not on the legal text, but on the architecture. Anyone attempting to simply “document away” the policy using Word, PowerPoint, and Excel will generate a lot of effort and little resilience. However, if IdP and IAM, CI/CD pipelines, SBOM and vulnerability tools, SIEM, and IR platforms are configured to provide the required controls and evidence almost incidentally, NIS2 compliance is achieved as a side effect of a modern security landscape.
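The reporting status and KPIs the article says can be derived from incident tickets, sketched as an added example that is not part of the original article. The ticket field names are hypothetical, the tickets are constructed, MTTR is assumed to run from detection to resolution, and the 24-hour and 72-hour clocks are assumed to start at detection.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARLY_WARNING = timedelta(hours=24)  # early warning within 24 hours
NOTIFICATION = timedelta(hours=72)   # structured report after 72 hours


@dataclass
class Incident:
    # Field names are hypothetical; map them to your IR platform's export.
    ticket: str
    occurred: datetime             # first malicious event on the SIEM timeline
    detected: datetime             # SOC became aware; reporting clocks start here
    resolved: Optional[datetime]
    nis2_significant: bool         # the "NIS2-relevant" indicator on the ticket
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None


def add_one_month(ts):
    """Same day in the next month, clamped to its last day (31 Jan -> 28 Feb)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def _state(sent, due, now):
    if sent is not None:
        return "on_time" if sent <= due else "late"
    return "pending" if now <= due else "overdue"


def reporting_status(inc, now):
    """Per-stage reporting status, derived only from ticket timestamps."""
    if not inc.nis2_significant:
        return {}
    status = {
        "early_warning": _state(inc.early_warning_sent, inc.detected + EARLY_WARNING, now),
        "notification": _state(inc.notification_sent, inc.detected + NOTIFICATION, now),
    }
    if inc.notification_sent is None:
        # Assumption: the one-month clock runs from submission of the 72-hour report.
        status["final_report"] = "awaiting_notification"
    else:
        due = add_one_month(inc.notification_sent)
        status["final_report"] = _state(inc.final_report_sent, due, now)
    return status


def _mean_hours(deltas):
    deltas = list(deltas)
    if not deltas:
        return None
    return sum(d.total_seconds() for d in deltas) / 3600 / len(deltas)


def kpis(incidents):
    """MTTD, MTTR and detection-to-first-report in hours (None when no data)."""
    return {
        "mttd_h": _mean_hours(i.detected - i.occurred for i in incidents),
        "mttr_h": _mean_hours(i.resolved - i.detected for i in incidents if i.resolved),
        "detect_to_first_report_h": _mean_hours(
            i.early_warning_sent - i.detected for i in incidents if i.early_warning_sent),
    }


def _t(day, hour):
    return datetime(2026, 1, day, hour, tzinfo=timezone.utc)


# Constructed tickets, not real incident data.
SAMPLE = [
    Incident("INC-1", _t(10, 2), _t(10, 6), _t(11, 6), True,
             early_warning_sent=_t(10, 20), notification_sent=_t(12, 18)),
    Incident("INC-2", _t(14, 10), _t(14, 22), _t(15, 10), True,
             early_warning_sent=_t(16, 4)),
    Incident("INC-3", _t(18, 8), _t(18, 10), None, False),
]
NOW = _t(20, 0)

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.ticket, reporting_status(inc, NOW))
    print(kpis(SAMPLE))
```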
ServiceNow’s $7.75 billion cash deal for Armis illustrates shifting strategies
ServiceNow has agreed to buy cybersecurity vendor Armis for $7.75 billion in cash, it announced Tuesday.  This builds on its December purchase of identity security vendor Veza, and the closing of its acquisition of AI vendor Moveworks. Analysts and cybersecurity practitioners mostly applauded the move, but cautioned that this could force CIOs and CISOs away from a best-of-breed strategy and into a classic suite approach, where the individual elements may be merely good enough. “This is an extension of what we have been seeing at the ERP application layer,” said Scott Bickley, an advisory fellow at the Info-Tech Research Group. “ServiceNow is basically saying ‘We don’t want to be a point solution. We want to be the platform by which you coordinate and solve all of your problems.’” Bickley noted that this trend has been ongoing for a few years, with many of the largest vendors trying to offer suites that deliver everything. “Microsoft was the initial poster child of this,” he said. “They are going to start to embed [AI and cybersecurity] capabilities into their suites and bundles, where you don’t necessarily have an opt-out solution. You will get ‘maybe good enough’ versus best of breed.” But looking at ServiceNow’s two other recent acquisitions, Veza and Moveworks, could suggest parallel strategies. “ServiceNow has hedged their bets without saying that they are hedging their bets,” Bickley said.  Pablo Stern, EVP and general manager of tech workflow products at ServiceNow, confirmed in an interview that the Armis acquisition is the largest in ServiceNow’s history. He added that the companies have been partnering “for well more than two years.” ServiceNow’s statement about the Armis deal described the two firms as creating “a unified, end-to-end security exposure and operations stack that can see, decide, and act across the entire technology footprint.” It said that it expects to fund the transaction through a combination of cash on hand and debt. 
The deal is expected to close in the second half of 2026, subject, as always, to regulatory approvals and closing conditions.

Pressure from Agentic AI

The statement quoted ServiceNow COO Amit Zavery suggesting that agentic developments are a key part of the strategy. “In the agentic AI era, intelligent trust and governance that span any cloud, any asset, any AI system, and any device are non-negotiable if companies want to scale AI for the long-term,” Zavery said in the announcement. “Together with Armis, we will deliver an industry-defining strategic cybersecurity shield for real-time, end-to-end proactive protection across all technology estates. Modern cyber risk doesn’t stay neatly confined to a single silo, and with security built into the ServiceNow AI Platform, neither will we.”

The soaring popularity of autonomous agents that figure out on their own how to perform various tasks has concerned many cybersecurity executives, as the risk of security holes created by enterprise agentic trials is becoming clear. Most cybersecurity practitioners saw the move as the latest indicator that CIOs and CISOs must rethink how they do their jobs, given how AI is forcing changes in data management and data leakage.

Visibility is the key

“For decades, the CIO’s white whale has been a precise, real-time Configuration Management Database [CMDB]. Most are outdated the moment they are populated,” said Whisper Security CEO Kaveh Ranjbar. The Armis acquisition “is an admission that in an era of IoT, OT, and edge computing, you cannot rely on manual entry or standard agents anymore. The system of action needs to own the system of record for the unmanaged world. For CIOs, this signals that automated, continuous discovery is now the only acceptable standard for IT asset management. You can’t automate workflows on assets you don’t know exist.” The lesson, Ranjbar said, is different for the CISO.
“CISOs have historically suffered from the swivel-chair problem: one screen shows the vulnerability and another screen is needed to patch it. This deal collapses that gap. It validates that visibility is the new perimeter. As OT and IT converge, the attack surface has become too complex for fragmented tools. CISOs should view this as a mandate to consolidate their visibility stacks.”

Sanchit Vir Gogia, the chief analyst at Greyhound Research, agreed that this acquisition will likely accelerate IT and security structural changes. “This acquisition represents a fundamental repositioning of ServiceNow from a coordination layer into an operational authority. Buying Armis is not about expanding a security portfolio. It is about owning the upstream constraint that determines whether modern enterprises can govern complexity at all,” Gogia said.

But without knowing what is connected across IT, OT, IoT, and other physical environments, “workflow automation, AI governance, and risk prioritization all collapse into theatre,” he observed, adding that the deal could remove long-standing fragmentation between discovery tools, CMDBs, service mapping, ticketing, change management, and remediation. “If executed well, it could finally address one of the enterprise’s most persistent failures,” he said. Gogia added, “continuous discovery tied to business context has the potential to turn the CMDB from a negotiated artefact into a living system. That would change how incidents are resolved, how changes are governed, how audits are passed, and how accountability is assigned.”

Reveals architectural debt

Given that the deal is not expected to be closed until next summer, executives should temper their timeline expectations. The 2026 second half closing date “implies a prolonged transition period where integration depth, roadmap clarity, and packaging decisions will evolve. CIOs should plan for ambiguity, not assume instant unification. 
Early value will come from visibility, [therefore] full platform value will take time,” Gogia said.  Another consultant, Yvette Schmitter, CEO of the Fusion Collective consulting firm, said the deal is sitting atop years of bad enterprise IT strategy. “This acquisition exposes more than ServiceNow’s strategy. It reveals the architectural debt hiding in every enterprise security stack that CIOs have been promising to address ‘next quarter’ for the past three years,” Schmitter said. “ServiceNow just signaled that platform plays will dominate over point solutions, and they’re willing to fund it with debt to move quickly while enterprises are still running budget committee meetings about tool sprawl.” She observed, “the valuation for Armis tells you the market assigns premium multiples to cyber-physical capabilities spanning IT, OT, and medical devices. Translation: that patchwork of legacy security tools you’ve been defending as ‘best of breed’ just became technical debt you can’t explain to the board. CIOs need to audit their current security tool sprawl and map total cost of ownership before vendors make that case for them with renewal pricing that reflects your lack of alternatives.” The question, she said, “is no longer whether to consolidate, but whether your organization controls the timing and terms of that consolidation.” Cybersecurity consultant Brian Levine, a former federal prosecutor who today serves as executive director of FormerGov, said that Armis executives were evaluating going public before they decided to accept the ServiceNow offer. “For Armis, skipping the IPO and joining ServiceNow is a signal that the market for standalone device‑security platforms is consolidating fast, and scale wins,” Levine said. 
“The line between workflow, risk, and security is disappearing, and ServiceNow wants to own the convergence point.”  Aaron Painter, CEO of authentication vendor Nametag, added that part of the IT confusion is that product names no longer mean what they once meant.  “Many of the workflows ServiceNow already automates are now security workflows, even if they’re still labeled as operations. Onboarding and offboarding, incident response, asset exceptions, vendor access, and change management all involve decisions that directly shape security outcomes,” Painter said. “Looked at alongside ServiceNow’s earlier acquisition of Veza, the strategy becomes clearer: ServiceNow is trying to connect asset visibility with identity and access intelligence, so the platform understands not just what devices exist, but who has access, why they have it, and whether that trust still makes sense over time.” This article originally appeared on CIO.com.
Interpol sweep takes down cybercrooks in 19 countries
A ransomware expert lauded as a major action a recent crackdown on cybercrooks in Africa that resulted in the decryption of six ransomware strains, the takedown of links to malicious websites, and hundreds of arrests. “This may not be the same headline as taking down LockBit, but I think it is significant,” said Jon DiMaggio, chief security strategist, Analyst1 and co-author of an upcoming book on chasing ransomware gangs. “Because law enforcement can’t arrest Russian ransomware criminals, it’s smart to focus on areas of the world where we can make a difference and get people.”

He was commenting on the statement today by Interpol that in Operation Sentinel, which ran between October 27 and November 27 of this year, law enforcement agencies in 19 African countries arrested 574 suspects, decrypted six ransomware variants, took down 6,000 malicious links, cracked a business email compromise scam that almost cost a major petroleum company $7.9 million, and recovered approximately $3 million. Interpol didn’t identify the ransomware strains that were decrypted. DiMaggio suspects they were modified variants of strains available on dark web sites.

Important to disrupt gangs before they expand

In describing the operation, Interpol cited efforts in multiple countries. In Ghana, it said that an unnamed financial institution, which saw 100TB of its data encrypted, was one of the victims. Ghanaian authorities conducted advanced malware analysis that led to the creation of a decryption tool and the recovery of nearly 30TB of the data. Ghanaian authorities also dismantled a major cyber-fraud network operating across Ghana and Nigeria that defrauded more than 200 victims of over $400,000. Using professionally designed websites and mobile apps, the scammers mimicked well-known fast-food brands, collecting payments but never delivering orders. Ten suspects were arrested in Ghana, over 100 digital devices were seized, and 30 fraudulent servers were taken offline.
In Benin, 43 malicious domains were taken down, and 4,318 social media accounts linked to extortion schemes and scams were shut down, leading to 106 arrests. And in Cameroon, law enforcement reacted quickly after two victims reported a scam involving an online vehicle sales platform. The phishing campaign was traced to a compromised server, and an emergency bank freeze was issued within hours.

A ‘very good thing’

The fact that the same operation broke ransomware operations and a business email compromise (BEC) operation is “unique,” said DiMaggio, because most people think of Africa as the source of BEC and fraud scams. The fact that authorities are working to disrupt ransomware operations in Africa before they grow to the size of those run by gangs in other areas of the world “is a very good thing,” he said. Africa is “a few steps behind where the Russian ransomware scene is,” so targeting gangs there now before they grow bigger is important, he said. The breaking of a BEC operation could also be significant, he added, because, in aggregate, crooks around the world pull in more money from business email scams than from ransomware.

Operation Sentinel is the second major anti-cybercrime operation in Africa this year. In August, Interpol announced the second stage of Operation Serengeti that saw the arrest of 1,209 people, the dismantling of over 11,400 malicious IT infrastructures, and the recovery of just over $97 million. This operation also dealt with high-impact cybercrimes including ransomware, online scams, and BEC scams.

Other enforcement efforts

These operations were among significant moves against threat actors globally in 2025.
Operation Endgame, an ongoing international anti-botnet effort coordinated by Europol, went after threat actors subscribing to the Smokeloader pay-per-install botnet, took down some 300 servers behind the malware used to distribute ransomware, and, in November, took down or disrupted 1,025 servers including the Elysium botnet, the enabler of the Rhadamanthys infostealer and VenomRAT remote access trojan. Separately, authorities in the US, Finland, and the Netherlands teamed up to take down AVCheck, one of the largest counter-antivirus services used by criminals around the world. As well, the Five Eyes intelligence sharing group, consisting of the US, the UK, Canada, Australia, and New Zealand, accused China of supporting threat actors who are attacking critical infrastructure in a number of countries, and Microsoft got a court order allowing it to seize and block 2,300 domains behind the distribution of another infostealer, Lumma Stealer.

An uphill battle

Ed Dubrovsky, chief operating officer of incident response firm Cypfer, said the breaking of six ransomware strains is good news. But, he added, the cybercrime industry is more than ever focused on data theft as opposed to data encryption, and in some cases, data destruction after theft. “Law enforcement action against cybercrime is of critical importance,” he added. “Without some level of deterrence, and given the upside from a financial [perspective] and other motives, cybercrime would have been much more prevalent and impactful.

“With that said, cybercrime is still a multibillion dollar market, and law enforcement suffers from limited resources and proper ongoing training. 
Some countries, such as the US, are far ahead of others from a sophistication and effectiveness perspective … Law enforcement is effective, partially, and in very specific areas of cybercrime, and in other areas, the effectiveness is still a work in progress.” Some threat actors have great IT expertise, he added, and are taking advantage of AI. “Therefore, I believe law enforcement is achieving great impact in reducing cybercrime while also fighting an uphill battle.”

Attackers likely to expand efforts worldwide

Christian Leuprecht, a Canadian university professor and expert on national security, cybercrime, and money laundering, noted Africa’s population is set to double in the next 25 years, and it has the youngest population structure of any continent. The combination of a highly innovative and increasingly sophisticated workforce in some of the most politically, economically, and socially unsustainable countries in the world is likely to generate a host of sophisticated local threat actors vying for economic survival and prosperity, with a potentially global reach.

For now, he said, they are going after local targets, likely because they’re less resilient to attack and exploitation. But as local firms harden their cyber defenses, these African-based threat actors are bound to expand their operations globally. More, better, and proactive local disruption and enforcement capacity against these threat actors is critical to prevent them from becoming global in scale, he said.

“The scale and sophistication of cyberattacks across Africa are accelerating, especially against critical sectors like finance and energy,” Neal Jetton, Interpol’s director of cybercrime, said in a statement. “The outcomes from Operation Sentinel reflect the commitment of African law enforcement agencies, working in close coordination with international partners. 
Their actions have successfully protected livelihoods, secured sensitive personal data, and preserved critical infrastructure.” Operation Sentinel not only used the resources of law enforcement agencies, but also was assisted by efforts from cybersecurity companies including Team Cymru, The Shadowserver Foundation, Trend Micro, TRM Labs, and Uppsala Security. 
Who Does Cybersecurity Need? You!
Cybersecurity thrives on diverse skills, not just coding and engineering. From writers to designers, there’s a place for you in this field. The post Who Does Cybersecurity Need? You! appeared first on Unit 42.
MacSync Stealer malware bypasses macOS Gatekeeper security warnings
The MacSync Stealer macOS malware can now infect victims’ computers using what appears to be a legitimate application with minimal user interaction, according to Apple device management and security vendor Jamf. Until now, macOS campaigns needed to persuade users to launch infected applications through relatively intrusive techniques such as ClickFix social engineering or the expert user macOS ‘drag-to-terminal’ routine. MacSync Stealer, by contrast, is downloaded from an ordinary-looking utility URL as a code-signed and notarized Swift application. Once the user initiates installation, the dropper retrieves its malware payload script from a command-and-control server. One oddity is that the download still invites victims to launch it by right-clicking and opening, even though the signed executable does not technically need this for infection. The innovation lies with its deceptive provenance: because the malware is signed by what macOS deems to be a legitimate developer and has not shown up as malicious, no warnings or extra steps are needed. This draws attention to a weakness in Apple’s Gatekeeper security – criminals can constantly reformulate their malware to evade Apple’s automated detection and notarization system. This gives attackers a window for exploitation. According to Jamf, the malware’s certificate credential was only revoked after the company reported the issue to Apple.

Sign of expansion
MacSync Stealer is the latest example of a growing body of economically motivated macOS malware. The purpose is to steal data from high-value users, including account credentials, API keys, and crypto wallet data. The malware’s origins lie with an earlier Mac infostealer, Mac.c Stealer, whose appeal was that it could be bought cheaply by budding cybercriminals. However, within weeks of its appearance in April, this was rebranded as MacSync and more advanced features were added.
Another macOS stealer, the Odyssey infostealer, had also been observed using the same distribution technique. “While MacSync Stealer itself is not entirely new, this case highlights how its authors continue to evolve their delivery methods,” Jamf said. “This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications.” While the Mac malware “market” might appear small in volume compared to that for Windows, this largely reflects the fact that PCs remain the primary operating system used by businesses. Nevertheless, criminals have noticed that the extra development time required for Mac malware is increasingly worth it. Examples targeting enterprises and high-value individuals from 2025 include the macOS Ferret family and BlueNoroff social media campaigns associated with North Korean hackers, both connected to crypto theft. Another is the Atomic malware-as-a-service (MaaS) infostealer associated with Russian cybercriminals.
Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites
Cybersecurity researchers have discovered two malicious Google Chrome extensions with the same name and published by the same developer that come with capabilities to intercept traffic and capture user credentials. The extensions are advertised as a "multi-location network speed test plug-in" for developers and foreign trade personnel. Both the browser add-ons are available for download as of
Amazon has stopped 1,800 job applications from North Korean agents
Amazon’s chief security officer Stephen Schmidt writes that since April 2024, the company has stopped over 1800 job applications suspected of coming from North Korean agents. The number of applications linked to North Korea has also increased by about 27% per quarter in 2025. The purpose of the infiltration is said to be to obtain remote employment with foreign companies, mainly in the United States, and then transfer the income to North Korea’s weapons program. Amazon combines AI-based analysis with manual review to detect suspicious applications. Algorithms search for links to at-risk institutions, anomalies in applications, and geographic inconsistencies. Identities are verified through background checks, references, and structured interviews. According to Schmidt, the company has seen several recurring trends. Identity theft is becoming more sophisticated, with fraudsters posing as real developers. Hijacked LinkedIn accounts are being used to boost credibility, and AI and machine learning jobs are particularly vulnerable targets. Some operators use so-called “laptop farms” in the US to give the impression of local presence, and fake educational credentials from US universities are common. According to Amazon, even small details, such as phone numbers written with a country code of “1”, can help reveal fake profiles. Amazon says that the problem is likely to be industry-wide and urges other companies to review their identity verification practices and report suspicious cases to authorities such as the FBI.
French postal service brought down by cyber attack
France’s postal service, La Poste, has been largely down for over twelve hours following a widespread network failure, reports The Register. All of La Poste’s IT systems are reportedly affected, including the website, the digital document service Digiposte, a digital ID service and the mobile app. It is still possible to handle cases over the counter. The app and online services of La Poste’s bank, La Banque Postale, are also down. Payments and SMS verification should still work. La Poste has not said what caused the failure, but according to Le Monde Informatique it is a DDoS attack. It is unclear when the situation will be resolved and whether it could affect deliveries for Christmas.
One-time codes used to hack corporate accounts
Security firm Proofpoint has discovered that hackers have found a clever way to bypass multi-factor authentication (MFA) and thereby get their hands on accounts belonging to corporate users. In a nutshell, the hackers are using one-time codes from OAuth 2.0, an open standard that is supposed to be used to authenticate smart TVs and the like. Typically, the scammers pretend that a particular device needs a one-time code and get users to type the code into Microsoft’s authentication link. Once users do so, the hackers gain full access to their Microsoft 365 accounts with all their content. Both Russian and Chinese hackers have used this method, so there’s every reason for companies to tighten up their procedures. For additional reporting, see Hackers exploit Microsoft OAuth device codes to hijack enterprise accounts.
Why outsourced cyber defenses create systemic risks
Outsourcing critical IT and cybersecurity once looked like a shortcut to efficiency. Today, it is a shortcut to systemic fragility. Breaches at one vendor now cascade across hundreds of organizations. A corporate decision framed as a cost-saving measure can trigger risks that extend across industries, even nations. The SolarWinds breach showed how a compromised supplier became a launchpad for global espionage. The MOVEit breach exposed how a single vulnerability could compromise sensitive data across governments, banks, and schools. If you sit on a board, lead a cyber function, or regulate markets, you can no longer treat outsourcing as a local concern. It is a systemic risk. Left ungoverned, outsourcing can magnify operational weaknesses, fuel cybercrime, and expose firms to geopolitical pressure. Left unchecked, it poses a threat to global economic security. This piece will guide you through the drivers of outsourcing, the risks it has unleashed, how these risks now escalate into systemic threats, the governance gap that enables them to thrive, and the responsibilities each stakeholder must shoulder.

Why outsourcing took off
The rise of outsourcing wasn’t a conspiracy. It was a rational response to competitive pressure. First came the economics. Outsourcing promised lower costs. A CIO could reduce headcount, offshore operations, and still meet budget targets without raising capital. Then came the talent squeeze. Security engineers were scarce. Outsourcing gave firms access to global pools of expertise. Cloud adoption turbocharged the trend. Instead of building everything in-house, firms leaned on managed services and third-party platforms to scale fast. Trust was often assumed, not engineered. The World Economic Forum has highlighted these “trust gaps.” Boards signed contracts with providers without embedding trust frameworks or demanding systemic assurances. Leaders gave vendors the keys to critical systems, with few checks on how those keys were safeguarded.
You may save money and move faster. But if you fail to demand trust at the core, you inherit fragility.

Risk categories of outsourced IT & cybersecurity
When you outsource, responsibility shifts, but accountability never leaves you. The risks fall into clear categories.

Operational risks
The most basic risk is fragile continuity. In 2017, British Airways outsourced parts of its IT operations. A system outage grounded flights worldwide. The vendor contract delivered savings, but it also created single points of failure. When that single point snapped, the damage was immediate and global. A recent cyber-attack targeting airport check-in systems caused significant disruptions, including delays and system failures, across multiple European airports, such as Heathrow. The incident also showed that the attack exploited vulnerabilities in shared infrastructure, raising serious concerns about the security of aviation support systems.

Cyber risks
SolarWinds remains the textbook case. Hackers compromised a widely used software update. Thousands of government agencies and Fortune 500 firms installed the backdoor, believing it came from a trusted vendor. MOVEit, a more recent breach, showed the same weakness in a different form: data transfer software was compromised, exposing millions of records across multiple jurisdictions. One weak vendor poisoned an entire ecosystem.

AI-agent threats
The rise of autonomous AI adds a new layer of complexity. WEF has flagged how cybercriminals are already deploying AI agents to automate attacks. Imagine outsourced IT monitored by tools vulnerable to hostile AI. A malicious agent can probe for weaknesses, adapt in real time, and exploit outsourced environments at scale. This is no longer science fiction; it is market reality.

Compliance risks
Cross-border outsourcing introduces accountability gaps. Regulators demand GDPR, DORA, or sector-specific compliance, but vendors spread data across multiple jurisdictions.
When breaches occur, responsibility is blurred. Firms argue that vendors failed. Vendors say that clients misunderstood the model. Meanwhile, regulators and customers hold the original brand accountable.

Geopolitical risks
Outsourcing to hostile or unstable regions turns business contracts into national security concerns. In 2021, the Kaseya ransomware attack, launched through an IT management platform used by MSPs, spread through thousands of companies worldwide. The attackers operated from jurisdictions beyond the reach of effective law enforcement. Global security became hostage to one supply chain decision.

Fresh case studies
The risks are not historic. In 2023, hackers breached a Boeing subsidiary, disrupting the production of aircraft parts. A breach at UnitedHealth crippled healthcare payments across the US, leaving hospitals scrambling. These are not niche events. They serve as reminders that outsourcing can turn corporate risks into public crises.

From local problems to systemic threats
Outsourcing risks do not stay contained. They scale. SolarWinds showed how a single compromised supplier could infect the digital bloodstream of government and industry. The Colonial Pipeline ransomware attack disrupted fuel supply across the eastern United States. In 2025, ransomware at UnitedHealth halted healthcare reimbursements, disrupting a sector that affects millions. Economic disruption follows. Integrity360 has reported multiple 2025 global attacks with damages running into billions. A local failure in one vendor cascades through supply chains. If that vendor supports critical infrastructure, the consequences magnify. Global interdependencies make the weakest link the decisive one. Your cybersecurity posture may be robust. But if your vendor is compromised, you inherit their weakness. And if their subcontractor is compromised, the weakness doubles. This is why outsourcing is no longer a firm-level risk. It is systemic.
The governance gap
Why does this fragility persist? Because governance has lagged behind reality. Boards often focus on efficiency. They pressure executives to cut costs and accelerate digital adoption. But they fail to demand trust-based vendor oversight. They rarely ask how vendor risks are classified, monitored, or tested. They rarely challenge management on concentration risk. Regulators are fragmented. Some impose reporting rules. Others set sector-specific standards. But there is little global alignment. Cybercriminals exploit this patchwork. They attack through cross-border vendors, knowing compliance is reactive and uneven. CISOs face their own limits. They may demand audits, but their leverage over subcontractors is weak. Supply chain visibility fades after the first tier. Even when CISOs are aware of the risks, budget constraints, contracts, and governance inertia limit their ability to act. Add AI to the mix. Regulators have not yet prepared for AI-driven cybercrime. Many boards still view AI as an innovation story, rather than a threat multiplier. This blind spot will cost dearly when AI-driven attacks target outsourced environments.

Towards responsible outsourcing
Abandoning outsourcing is unrealistic. The task is to govern it responsibly.
Trust by design. WEF has recommended embedding trust frameworks into outsourcing contracts. This means defining expectations for transparency, accountability, and resilience upfront. You cannot assume trust; you must structure it.
AI resilience. Organizations must monitor outsourced environments for AI-agent threats. This requires investing in AI-native defenses, anomaly detection, and joint monitoring with vendors to ensure seamless integration.
Vendor stress tests. Europe’s DORA and NIS2 regulations mandate stress testing of critical third parties. These should become global norms. Firms must treat vendors the way banks treat capital stress tests, by planning for failure before it occurs.
Positive practices.
Some firms are moving in the right direction. Banks are adopting multi-cloud strategies to reduce concentration risk. Zero-trust models ensure vendors only access what they need, when they need it. Continuous monitoring detects issues before they escalate and become more severe. The lesson is clear. Responsible outsourcing is not about cost arbitrage. It is about resilience design.

Who must do what
Risk ownership is collective. But responsibilities differ.
Boards. You must demand trust-based vendor oversight. You cannot relegate vendor risk to a quarterly risk report; you must build it into governance charters. Demand resilience metrics. Approve investments in redundancy. Ask about the exit strategy in case a critical vendor fails.
CISOs. You carry the operational burden. Map your critical vendor dependencies. Negotiate accountability clauses in SLAs. Do not accept vague promises. Push for real-time risk monitoring. Run tabletop exercises that include vendor failure scenarios. Integrate AI threat detection into third-party tracking.
Regulators. You must align standards across borders. Fragmentation is a gift to cybercriminals. Mandate stress tests for systemic vendors. Demand transparency on subcontractors. Penalize opacity. Encourage information sharing across sectors. You cannot stop outsourcing, but you can ensure it is not blind outsourcing.

Conclusion: Someone else can’t carry your risk
Outsourcing will not disappear. It is woven into modern business, but if unmanaged, it risks systemic collapse. The new dimension is AI. Cybercriminals are deploying autonomous agents to probe outsourced ecosystems. At the same time, trust gaps persist. Organizations outsource without embedding frameworks of accountability. Boards chase efficiency. Regulators remain reactive. CISOs lack visibility. This is not sustainable. If outsourcing is to serve global competitiveness rather than undermine it, trust and resilience must be at its core. Boards must lead with oversight.
CISOs must incorporate transparency into their contracts and monitoring processes. Regulators must harmonize and stress test. The choice is stark. Either you govern outsourcing with discipline, or outsourcing governs you with fragility. The elephant in the biz is not outsourcing itself. It is the delusion that someone else can carry your risk for you. This article is published as part of the Foundry Expert Contributor Network.
South Korean firm hit with US investor lawsuit over data breach disclosure failures
A US federal securities class action lawsuit has alleged that South Korean ecommerce giant Coupang took nearly a month to disclose a massive data breach to regulators, violating SEC rules that require companies to report material cybersecurity incidents within four business days. The lawsuit, filed December 18, came just two days after Coupang finally submitted a Form 8-K disclosure to the Securities and Exchange Commission — 28 days after discovering the breach on November 18. The complaint alleges that CEO Bom Kim and CFO Gaurav Anand knew or recklessly disregarded that the company had “inadequate cybersecurity protocols” allowing a former employee to access customer data for nearly six months without detection. The breach exposed personal information from 33.7 million customer accounts, Coupang said.

Disclosure deadline missed
The SEC adopted cybersecurity disclosure rules in July 2023, requiring companies to disclose material incidents within four business days of determining materiality, under item 1.05 of Form 8-K. Companies can delay disclosure only if the US Attorney General determines it poses substantial national security or public safety risks. The complaint alleges that Coupang did not receive such an exemption. The company should have filed by November 24, following its November 18 discovery of the breach, but waited until December 16. Between discovery and disclosure, media reports prompted organizational upheaval. Park Dae-jun, CEO of Coupang’s South Korean operations, resigned December 10 after stating he would “take full responsibility for both the incident and the handling of the case.” Harold Rogers, Coupang’s general counsel and chief administrative officer, assumed the role of interim CEO of the Korean subsidiary.
Coupang founder and CEO Bom Kim declined to appear at a South Korean parliamentary hearing about the breach, citing business obligations — a decision lawmakers condemned as a “systematic evasion of corporate responsibility.”

Authentication keys left unrevoked after employee departure
Investigators traced the breach to a former employee who retained valid authentication credentials after leaving the company in 2024, according to statements by South Korean lawmaker Choi Min-hee. The individual, a 43-year-old Chinese national, had worked on authentication management systems and joined Coupang in November 2022. Rep. Choi Min-hee, chair of the National Assembly’s Science, ICT, Broadcasting and Communications Committee, released analysis results in a November 30 press release pointing to failures in basic security procedures. The company failed to renew or revoke signing keys — the cryptographic credentials used to issue access tokens — when the employee left. “Abandoning a long-term valid authentication key was not simply a deviation by an internal employee, but the result of organizational and structural problems at Coupang that neglected the authentication system,” Choi said in the press release. Coupang’s own information to lawmakers indicated the company set token signing key validity periods of five to ten years, with rotation periods varying by key type.

Legal test case for SEC cybersecurity rules
Legal observers noted the Coupang lawsuit appears to be among the first securities class actions directly challenging compliance with the SEC’s 2023 cybersecurity disclosure guidelines. “This is a specific reason why I find the new Coupang lawsuit particularly interesting, and that is because one of the suit’s major allegations is that the company allegedly failed to make the requisite disclosures under the SEC’s cybersecurity disclosure guidelines,” legal journal, The D&O Diary, wrote in an analysis of the case.
The complaint also alleges Coupang made materially false statements in quarterly reports filed in August and November 2025. Those reports incorporated risk disclosures from the company’s 2024 Annual Report detailing encryption technology and security measures — statements the complaint said “materially understated Coupang’s risk of a material cybersecurity event.” When Coupang finally filed its Form 8-K, the company stated it had activated incident response procedures, blocked unauthorized access, and reported the incident to Korean authorities. The filing acknowledged Korean regulators “will potentially impose financial penalties” but said the company could not reasonably estimate losses.

Regulatory scrutiny in South Korea
In South Korea, Coupang faces potential fines up to 1.2 trillion won ($814 million) under the Personal Information Protection Act, which requires companies to notify regulators within 24 hours of discovering a breach and maintain appropriate safeguards. South Korean police raided Coupang’s Seoul headquarters twice as part of their investigation. President Lee Jae Myung called for expanded class action lawsuit provisions, saying “every Korean has been affected” by the breach affecting nearly two-thirds of the country’s 51.7 million population. The lawsuit seeks to establish a class of investors who purchased Coupang securities between August 6 and December 16. Multiple law firms have announced they are investigating similar claims. A case management conference is scheduled for March 20.
WhatsApp API worked exactly as promised, and stole everything
Security researchers have uncovered a malicious npm package that poses as a legitimate WhatsApp Web API library while quietly stealing messages, credentials, and contact data from developer environments. The package, identified as “lotusbail,” operates as a trojanized wrapper around a genuine WhatsApp client library and had accumulated more than 50k downloads by the time it was flagged by Koi Security. “With over 56000 downloads and functional code that actually works as advertised, it is the kind of dependency developers install without a second thought,” Koi researchers said in a blog post. “The package has been available on npm for 6 months and is still live at the time of writing.” Stolen data was encrypted and exfiltrated to attacker-controlled infrastructure, reducing the likelihood of detection by network monitoring tools. Even more concerning for enterprises is the fact that Lotusbail abuses WhatsApp’s multi-device pairing to maintain persistence on compromised accounts even after the package is removed.

Legitimate API uses a proxy for threat
According to the researchers, lotusbail initially didn’t appear to be anything more than a helpful fork of the legitimate “@whiskeysockets/baileys” library used for interacting with WhatsApp via WebSockets. Developers could install it, send messages, receive messages, and never notice anything wrong. Further probing, however, revealed an issue. The package wrapped the legitimate WhatsApp WebSocket client in a malicious proxy layer that transparently duplicated every operation, including the ones involving sensitive data. During authentication, the wrapper captured session tokens and keys. Every message flowing through the application was intercepted, logged, and prepared for covert transmission to attacker-controlled infrastructure. Additionally, the stolen information was protected en route.
Rather than sending credentials and messages in plaintext, the malware employs a custom RSA encryption layer and multiple obfuscation strategies, making detection by network monitoring tools harder and allowing exfiltration to proceed under the radar. “The exfiltration server URL is buried in encrypted configuration strings, hidden inside compressed payloads,” the researchers noted. “The malware uses four layers of obfuscation: Unicode variable manipulation, LZString compression, Base-91 encoding, and AES encryption. The server location isn’t hardcoded anywhere visible.”

Backdoor sticks around even after package removal
Koi said the most significant component of the attack was its persistence. WhatsApp allows users to link multiple devices to a single account through a pairing process involving an 8-character code. The malicious lotusbail package hijacked this mechanism by embedding a hardcoded pairing code that effectively added the attacker’s device as a trusted endpoint on the user’s WhatsApp account. Even if developers or organizations later uninstalled the package, the attacker’s linked device remained connected. This allowed the attack to persist until the WhatsApp user manually unlinked all devices from the settings panel. Persistent access allows the attackers to continue reading messages, harvesting contacts, sending messages on behalf of victims, and downloading media long after the initial exposure.

What must developers and defenders do?
Koi’s disclosure noted that traditional safeguards, based on reputation metrics, metadata checks, or static scanning, fail when malicious logic mimics legitimate behavior. “The malware hides in the gap between ‘this code works’ and ‘this code does only what it claims’,” the researchers said, adding that such supply-chain threats require monitoring package behavior at runtime rather than relying on static checks alone.
They recommended looking for warning signs (or relying on tools that can), such as custom RSA encryption routines and dozens of embedded anti-debugging mechanisms in the malicious code. The package remains available on npm, with its most recent update published just five days ago. GitHub, which has owned npm since 2020, did not immediately respond to CSO’s request for comment.
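For teams checking their own exposure to the package named above, the following added example (not from Koi Security or the original article) walks a parsed `package-lock.json` in lockfile v2/v3 format and reports every install of `lotusbail`, including transitive copies and installs hidden behind an npm alias. The sample lockfile, the version string, and the names `chat-bot`, `wa-helper` and `wa-client` are constructed for illustration.

```javascript
// Added example: audit an npm lockfile for a package named in an advisory.
// Works on lockfileVersion 2/3, where "packages" maps install paths to metadata.
// In real use: auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))

const FLAGGED = new Set(['lotusbail']); // package name taken from the article

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function folderName(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// Packages whose own manifest asks for `folder`. Approximation: it does not
// work out which nested copy npm resolved for each dependent.
function dependentsOf(packages, folder) {
  const out = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === '') continue; // root project is reported via `direct`
    const wanted = { ...meta.dependencies, ...meta.optionalDependencies };
    if (Object.prototype.hasOwnProperty.call(wanted, folder)) out.push(folderName(path));
  }
  return out;
}

// True when the project itself declares the dependency at the top level.
function isDirect(packages, installPath) {
  const root = packages[''] || {};
  const folder = folderName(installPath);
  const declared = {
    ...root.dependencies, ...root.devDependencies, ...root.optionalDependencies,
  };
  return installPath === 'node_modules/' + folder &&
    Object.prototype.hasOwnProperty.call(declared, folder);
}

function auditLockfile(lock, flagged = FLAGGED) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [installPath, meta] of Object.entries(packages)) {
    if (installPath === '') continue; // the project itself
    const folder = folderName(installPath);
    // For aliased installs ("alias": "npm:real@x") npm records the real package
    // name in `name`, so matching on the folder name alone would miss them.
    const realName = meta.name || folder;
    if (!flagged.has(realName)) continue;
    findings.push({
      name: realName,
      version: meta.version,
      installPath,
      aliased: realName !== folder,
      direct: isDirect(packages, installPath),
      requiredBy: dependentsOf(packages, folder),
      // Per the article, uninstalling does not remove a device the package paired.
      followUp: 'remove the package, then unlink unknown devices in WhatsApp settings',
    });
  }
  return findings;
}

// Constructed sample lockfile: one transitive install and one aliased direct install.
const SAMPLE_LOCK = {
  name: 'chat-bot',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'chat-bot',
      dependencies: {
        express: '^4.19.0',
        'wa-helper': '^1.2.0',
        'wa-client': 'npm:lotusbail@0.0.0-example',
      },
    },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/wa-helper': {
      version: '1.2.3',
      dependencies: { lotusbail: '0.0.0-example' },
    },
    'node_modules/wa-helper/node_modules/lotusbail': { version: '0.0.0-example' },
    'node_modules/wa-client': { name: 'lotusbail', version: '0.0.0-example' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  const via = f.direct ? 'direct dependency' : 'required by ' + f.requiredBy.join(', ');
  console.log(`${f.name}@${f.version} at ${f.installPath} (${via}); ${f.followUp}`);
}
```

A name match only covers packages already known to be bad; it complements, and does not replace, the runtime behaviour monitoring the researchers call for.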
INTERPOL Arrests 574 in Africa; Ukrainian Ransomware Affiliate Pleads Guilty
A law enforcement operation coordinated by INTERPOL has led to the recovery of $3 million and the arrest of 574 suspects by authorities from 19 countries, amidst a continued crackdown on cybercrime networks in Africa. The coordinated effort, named Operation Sentinel, took place between October 27 and November 27, 2025, and mainly focused on business email compromise (BEC), digital extortion, and
Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution Across Thousands of Instances
A critical security vulnerability has been disclosed in the n8n workflow automation platform that, if successfully exploited, could result in arbitrary code execution under certain circumstances. The vulnerability, tracked as CVE-2025-68613, carries a CVSS score of 9.9 out of a maximum of 10.0. Security researcher Fatih Çelik has been credited with discovering and reporting the flaw. The package
Agentic AI already hinting at cybersecurity’s pending identity crisis
Making the most of agentic AI is a top agenda item for many enterprises in the coming year, as business executives are keen to deploy autonomous AI agents to revamp a range of business operations and workflows. The technology is nascent and, as with generative AI rollouts, CIOs are under pressure to move quickly with agentic AI strategies — a potential nightmare in the making for CISOs charged with ensuring organizational security in the face of widespread agentic experimentation and deployment. A key area of concern is identity and authentication. Some security experts estimate that more than 95% of enterprises deploying or experimenting with autonomous agents are doing so without leveraging existing cybersecurity mechanisms — such as public key infrastructure (PKI) — to track, identify, and control their agents. This issue becomes even more dangerous due to the prevalence of agent-to-agent communications common to agentic AI rollouts. For agentic AI to work, AI agents must communicate autonomously with other agents to pass tasks, data, and context. Without sufficient identity management, authentication, and related cybersecurity measures in place, not only could an agent be controlled by a cybercriminal or state actor, but rogue agents could engage in a variety of prompt injection attacks with an unlimited number of legitimate agents. Should a hijacked agent communicate with an enterprise’s legitimate agents, detecting it and pulling its credentials will not be enough to halt the damage from legitimate agents following the rogue agent’s previous instructions. And the likelihood of this knock-on effect isn’t trivial. Most robust authentication mechanisms today revoke and/or shut down credentials when bad behavior is detected. But behavioral analytics systems often need to witness acts of bad behavior before they can flag the problem to terminate the ID. Any actions previously initiated by the compromised agent will already be in motion across the agentic chain.
Having a trail of every interaction and an automated system for contacting all legitimate agents that interacted with the rogue agent to tell them to disregard instructions from that agent — and alert IT security of any actions already taken on the rogue’s instructions — is the goal, but vendors have yet to address this need. Moreover, many security experts argue it’s too complex a problem to easily solve. “Because autonomous agents are increasingly able to execute real actions within an organization, if a malicious actor can affect the decision-making layer of an autonomous agent, the resulting damage could be exponentially greater than in a traditional breach scenario,” says Nik Kale, principal engineer at Cisco as well as a member of the Coalition for Secure AI (CoSAI) and ACM’s AI Security (AISec) program committee.

The ever-expanding attack surface of autonomous agents
“Because agents are programmed to follow instructions, they will likely follow a questionable instruction absent some mechanism to force the agent to slow its process to validate the safety of the request,” Kale says. “Humans have intuition and therefore often sense when something does not feel right. Agents do not possess this instinctual sense and thus will follow any request unless the system specifically prevents them from doing so.” Gary Longsine, CEO at IllumineX, agrees that the cybersecurity risks from uncontrolled agentic deployment are unlike anything CISOs have faced. “The attack surface of the AI agent could be thought of as essentially infinite, due to the natural language interface and the ability of the agent to summon a potentially vast array of other agentic systems,” Longsine says. DigiCert CTO Jason Sabin suggests the situation may be even worse because of how relatively easy it is to perform an agent hijacking. “Without robust agentic authentication, organizations risk deploying autonomous systems that can be hijacked with a single fake instruction,” Sabin claims.
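Given an interaction trail of the kind described above, the set of agents to notify and the actions to review can be computed by following instructions forward in time from the revoked agent. This is an added example, not code from the article or from any vendor; the log schema, agent names, task ids and timestamps are hypothetical and constructed.

```javascript
// Added example: time-respecting "blast radius" over an agent interaction log.
// An agent counts as tainted from the first moment it received an instruction
// from an already-tainted agent; only what it sends after that moment is suspect.

// Constructed sample log (deliberately out of order, as merged logs often are).
const SAMPLE_LOG = [
  { ts: 100, from: 'agent-billing', to: 'agent-ledger',  task: 'T1' },
  { ts: 210, from: 'agent-billing', to: 'agent-procure', task: 'T2' },
  { ts: 220, from: 'agent-procure', to: 'agent-pay',     task: 'T4' },
  { ts: 205, from: 'agent-procure', to: 'agent-ship',    task: 'T3' },
  { ts: 230, from: 'agent-ledger',  to: 'agent-pay',     task: 'T5' },
  { ts: 240, from: 'agent-pay',     to: 'agent-billing', task: 'T6' },
];

function blastRadius(log, rogueId, compromisedAt) {
  const events = [...log].sort((a, b) => a.ts - b.ts);
  const taintedAt = new Map([[rogueId, compromisedAt]]);

  // Repeat until stable so that events sharing a timestamp are handled
  // regardless of how the sort happened to order them.
  let changed = true;
  while (changed) {
    changed = false;
    for (const ev of events) {
      const senderSince = taintedAt.get(ev.from);
      if (senderSince === undefined || ev.ts < senderSince) continue;
      const receiverSince = taintedAt.get(ev.to);
      if (receiverSince === undefined || ev.ts < receiverSince) {
        taintedAt.set(ev.to, ev.ts);
        changed = true;
      }
    }
  }

  // Every instruction sent by a tainted agent at or after its taint time.
  const suspectTasks = events.filter((ev) => {
    const since = taintedAt.get(ev.from);
    return since !== undefined && ev.ts >= since;
  });

  // Legitimate agents that must be told to disregard what they were sent.
  const notify = [...taintedAt.entries()]
    .filter(([agent]) => agent !== rogueId)
    .map(([agent, since]) => ({ agent, since }))
    .sort((a, b) => a.since - b.since);

  return { notify, suspectTasks };
}

const report = blastRadius(SAMPLE_LOG, 'agent-billing', 200);
console.log('notify:', report.notify.map((n) => `${n.agent} (since ${n.since})`).join(', '));
console.log('review:', report.suspectTasks.map((t) => t.task).join(', '));
```

T1 and T3 are excluded because they were sent before their senders could have been influenced, which keeps the review list limited to actions the compromised agent could actually have caused.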
Agentic AI’s identity crisis Authentication and agentic experts interviewed — three of whom estimate that less than 5% of enterprises experimenting with autonomous agents have deployed agentic identity systems — say the reasons for this lack of security hardening are varied. First, many of these efforts are effectively shadow IT, where a line of business (LOB) executive has authorized the proof of concept to see what these agents can do. In these cases, IT or cyber teams haven’t likely been involved, and so security hasn’t been a top priority for the POC. Second, many executives — including third-party business partners handling supply chain, distribution, or manufacturing — have historically cut corners for POCs because they are traditionally confined to sandboxes isolated from the enterprise’s live environments.  But agentic systems don’t work that way. To test their capabilities, they typically need to be released into the general environment.  The proper way to proceed is for every agent in your environment — whether IT authorized, LOB launched, or that of a third party — to be tracked and controlled by PKI identities from agentic authentication vendors. Extreme defense would include instructing all authorized agents to refuse communication from any agent without full identification. Unfortunately, autonomous agents — like their gen AI cousins — often ignore instructions (aka guardrails).  “Agentic-friendly encounters conflict with essential security principles. Enterprises cannot risk scenarios where agents autonomously discover each other, establish communication channels, and form transactional relationships,” says Kanwar Preet Singh Sandhu, who tracks cybersecurity strategies for Tata Consultancy Services. “When IT designs a system, its tasks and objectives should be clearly defined and restricted to those duties,” he adds. 
“While agent-to-agent encounters are technically possible, they pose serious risks to principles like least privilege and segregation of duties.For structured and planned collaboration or integration, organizations must follow stringent protocols such as MCP [Model Context Protocol] and A2A [Agent to Agent], which were created precisely for this purpose.” DigiCert’s Sabin says his interactions with enterprises revealed “little to none” creating identities for their autonomous agents. “Definitely less than 10%, probably less than 5%. There is a huge gap in identity.” Agentic IDs: Putting the genie back in the bottle Once agentic experiments begin without proper identities established, it’s far more difficult to add identity authentication later, Sabin notes. “How do we start adding in identity after the fact? They don’t have these processes established. The agent can and will be hijacked, compromised. You have to have a kill switch,” he says. “AI agents’ ability to verify who is issuing a command and whether that human/system has authority is one of the defining security issues of agentic AI.” To address that issue, CISOs will likely need to rethink identity, authentication, and privilege.  “What is truly challenging about this is that we are no longer determining how a human authenticates to a system. We are now asked to determine how an autonomous agent determines that the individual providing instructions is legitimate and that the instructions are within the expected pattern of action,” Cisco’s Kale says. “The shift to determining legitimacy based on the autonomous agent’s assessment of the human’s intent, rather than simply identifying the human, introduces a whole new range of risk factors that were never anticipated by traditional authentication methods.” Ishraq Khan, CEO of coding productivity tool vendor Kodezi, also believes CISOs are likely underestimating the security threats that exist within agentic AI systems. 
“Traditional authentication frameworks assume static identities and predictable request patterns. Autonomous agents create a new category of risk because they initiate actions independently, escalate behavior based on memory, and form new communication pathways on their own. The threat surface becomes dynamic, not static,” Khan says. “When agents update their own internal state, learn from prior interactions, or modify their role within a workflow, their identity from a security perspective changes over time. Most organizations are not prepared for agents whose capabilities and behavior evolve after authentication.” Khan adds: “A compromised agent can impersonate collaboration patterns, fabricate system state or manipulate other agents into cascading failures. This is not simply malware. It is a behavioral attack on decision-making.” Harish Peri, SVP and general manager of AI Security at Okta, puts it more directly: “This is not just an NHI problem. This is a recipe for disaster. It is a new kind of identity, a new kind of relentless user.” Regarding the problem of being unable to undo the damage when a hijacked agent gives malicious instructions to legitimate agents, Peri says it can be a challenging problem that no one seems to have solved yet. “If the risk signal is strong enough, we do have the capability to revoke not just the privilege but the access token,” Peri says. But “the real-time kind of chaining requires more thought.” Unwinding agent interactions will be a tall order One issue is that tracking interactions for backward chaining will require a massive amount of data to be captured from every agent in the enterprise environment. And given that autonomous agents act at non-human speed, a data warehouse for that activity will likely fill up quickly. “By the time the agent does something and identity gets revoked, all of the downstream agents have already interacted with that compromised agent. 
They have already accepted assignments and have already cued up its next step actions,” Cisco’s Kale explains. “There is no mechanism to propagate that revocation backwards. Kill switches are necessary but they are incomplete.” The process to go backwards to all contacted agents “sounds like a straightforward script. It looks easy until you try and do it properly,” he says. “You need to know every instruction an agent has issued and the hard part is deciding what to undo” — a scenario Kale likens to alert fatigue. “This could absolutely collapse from its own weight. This could all become noise and not security at that point.” Jason Soroko, a senior fellow at Sectigo, agrees that backward alerting of impacted agents “is nowhere near to being fully solved at this time.”  But he argues that agentic cybersecurity has inadvertently painted itself into a corner.  “A lot of autonomous AI agent authentication will rely on a simple API token to verify itself.  We have inadvertently built a weapon waiting for a stolen shared secret,” Soroko says. “To fix this, we must move beyond shared secrets to cryptographic proof of possession, ensuring the agent verifies the ‘who’ behind the command, not just the ‘concert wristband’ authenticator.”
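The backward-chaining problem described above can be made concrete with a small sketch. This is an added example, not code from the article or from any vendor it quotes: it walks a time-ordered interaction trail and marks which agents and instructions were exposed to a rogue agent, including work that kept moving after the rogue's credentials were revoked. The trail format, agent names, instruction IDs and timestamps are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Interaction:
    ts: int               # seconds since the start of the constructed trace
    sender: str
    receiver: str
    instruction_id: str


# Constructed sample trail (hypothetical agents, not real telemetry).
TRAIL = [
    Interaction(10, "billing", "rogue", "i-01"),   # inbound to rogue: not exposure
    Interaction(20, "rogue", "procure", "i-02"),   # sent before compromise: clean
    Interaction(30, "procure", "ledger", "i-03"),  # procure not yet exposed: clean
    Interaction(40, "rogue", "procure", "i-04"),   # first hand-off after compromise
    Interaction(45, "rogue", "hr", "i-05"),
    Interaction(55, "procure", "ledger", "i-06"),  # sent after the rogue was revoked
    Interaction(58, "billing", "ledger", "i-07"),  # billing not yet exposed: clean
    Interaction(60, "ledger", "billing", "i-08"),  # third hop, exposes billing
    Interaction(70, "rogue", "hr", "i-09"),        # rogue still sending after revocation
]


def trace_exposure(trail, rogue, compromised_at, revoked_at):
    """Time-respecting exposure walk over the interaction trail.

    An agent counts as exposed from the first moment it receives an
    instruction from an already-exposed agent. Everything an exposed agent
    sends afterwards is flagged for review. That is deliberately
    conservative: the trail cannot say which instructions were actually
    influenced, which is the "what to undo" problem.
    """
    exposed = {rogue: (compromised_at, 0)}   # agent -> (exposed since, hop count)
    suspect = []                             # (instruction_id, hop, ts)
    post_revocation = []                     # rogue traffic that revocation should have stopped
    for ev in sorted(trail, key=lambda e: e.ts):
        if ev.sender not in exposed:
            continue
        since, hop = exposed[ev.sender]
        if ev.ts < since:
            continue                         # sent before the sender was exposed
        if ev.sender == rogue and ev.ts > revoked_at:
            post_revocation.append(ev.instruction_id)
            continue
        suspect.append((ev.instruction_id, hop + 1, ev.ts))
        exposed.setdefault(ev.receiver, (ev.ts, hop + 1))
    return exposed, suspect, post_revocation


def notify_order(exposed, rogue):
    """Agents to alert, nearest to the rogue first, then by time of exposure."""
    ranked = sorted(exposed.items(), key=lambda kv: (kv[1][1], kv[1][0]))
    return [agent for agent, _ in ranked if agent != rogue]


def in_motion_after_revocation(suspect, revoked_at):
    """Suspect instructions issued by downstream agents after the kill switch fired."""
    return [iid for iid, _hop, ts in suspect if ts > revoked_at]


if __name__ == "__main__":
    exposed, suspect, late = trace_exposure(TRAIL, "rogue", compromised_at=35, revoked_at=50)
    print("notify:", notify_order(exposed, "rogue"))
    print("review:", suspect)
    print("still in motion after revocation:", in_motion_after_revocation(suspect, 50))
    print("rogue traffic after revocation:", late)
```

Even in this nine-event trail, revoking one identity leaves four instructions to review and two of them were issued after the revocation, which is the scaling problem Kale describes.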
FCC Bans Foreign-Made Drones and Key Parts Over U.S. National Security Risks
The U.S. Federal Communications Commission (FCC) on Monday announced a ban on all drones and critical components made in a foreign country, citing national security concerns. To that end, the agency has added to its Covered List Uncrewed aircraft systems (UAS) and UAS critical components produced in a foreign country, and all communications and video surveillance equipment and services pursuant
Cyber Risk Assessments: Risk Evaluation Helps CISOs
With the help of cyber risk assessments, CISOs can not only determine the concrete risk in their organization but also make the success of their work visible. Photo: Elnur – shutterstock.com

From a certain age onward, many people go to the doctor regularly for a check-up. That makes sense and is even paid for by health insurance. In this way, risks and dangers can be identified early and appropriate measures taken. The same applies to cybersecurity: regular risk assessments help security teams identify vulnerabilities and room for improvement. Nevertheless, such assessments are not carried out across the board.

Benefits of a cyber risk assessment

CISOs gain the following benefits when they integrate cybersecurity risk assessments into their work:

Identify vulnerabilities: A cyber risk assessment helps to identify security gaps in an organization's IT infrastructure, networks, and systems. This offers the opportunity to eliminate these vulnerabilities before cybercriminals can exploit them.

Prioritize risk management measures: Not every system is critical, and likewise not all of an organization's data is equally important. The results of the risk assessment make clear which assets and systems are most important and exposed to the highest risk of attack. On this basis, security leaders can prioritize their measures and thus allocate their resources more effectively in order to address the most critical risks first.

Meet compliance requirements: Almost every company has to comply with various data protection and data security regulations, such as the GDPR or the Payment Card Industry Data Security Standard (PCI DSS). Many of these legal requirements explicitly demand specific risk assessments, for example a data protection impact assessment under the GDPR. Risk assessments help meet the compliance requirements of various regulations. This ensures that the required security standards are met and that possible fines or legal consequences for violations are avoided.

Make smart decisions and cut costs: Cyber risk assessments give organizations a comprehensive understanding of their cyber risks. On the one hand, this lets them make informed decisions about risk mitigation strategies and so reduce the likelihood of a successful and costly cyberattack. On the other, they are able to make targeted and therefore more effective investments in their cybersecurity.

A look at data risk

The target of most cyberattacks is an organization's data, with enormously costly consequences: according to IBM's Cost of a Data Breach Report 2025, a data incident caused average damage of 4.44 million US dollars. That is why it is worth taking a particular look at the data and the risk it is exposed to. This is all the more important because data, unlike infrastructure and other systems, cannot be “uncompromised.” Servers can be rebuilt and cloud instances re-created. Data once stolen, however, remains in the hands of cybercriminals. Backups do not protect against this either.

The risks data is generally exposed to are shown by an analysis of almost 10 billion cloud objects carried out as part of data risk assessments at more than 700 companies from a wide range of industries worldwide. According to it, one in ten records in the cloud is accessible to all employees. This creates an internal radius that considerably increases the potential damage in a ransomware attack. But missing multi-factor authentication (MFA) also makes it easier for attackers to compromise internally exposed data: Microsoft has found that more than 99 percent of compromised accounts do not have MFA.

Conclusion

These general findings already reveal the biggest problem areas. Nevertheless, it is important to determine the individual data risk and identify weak points as part of a data risk assessment. As a rule, organizations do not know what data they actually hold, where it is stored, and who has access to it. Only with this basic information can one recognize one's risk and take targeted measures. The time required, at around two to four hours, is manageable, and a detailed report delivers immediately actionable recommendations. In addition, the assessment process often brings further security problems to light, from ongoing cyberattacks to Kerberos passwords that are up to 15 years old.

With a cyber risk assessment carried out at regular intervals, progress in data security can be documented in a clearly traceable way, including for management. CISOs thus finally have a tool at their disposal that makes their cybersecurity successes visible.
The Rise of the Chief Trust Officer: Where Does the CISO Fit In?
The chief trust officer represents a shift from defending systems to safeguarding credibility. Photo: Watchara Ritjan – shutterstock.com

More and more companies are highlighting trust as a differentiator for their business. Due to data breaches, concerns about product safety, and uncertainty about artificial intelligence, customer trust has suffered greatly in recent years. According to the Edelman Trust Barometer 2025, trust in general is battered, particularly toward companies and executives. That could change, however, as companies create a new leadership position in the chief trust officer (CTrO). To be effective, the position must be more than a renamed security officer and must be able to show measurable results and concrete improvements. For CISOs, the question now is how the CTrO relates to security. Could this position be their next career step?

What exactly is a chief trust officer?

The CISO function emerged to formalize responsibility for security, initially within financial services and technology companies before expanding to other sectors. Similarly, the function of the chief trust officer emerged about a decade ago, led by B2B software and technology companies that, according to Forrester, faced increasing scrutiny over the security of their products and platforms. Over the past ten years, pressure around privacy, security, compliance, risk management, and AI has intensified. In response, some companies are formalizing trust by placing responsibility in a single C-suite function.

According to a Forrester report, 16 companies worldwide already have a chief trust officer. These are primarily software and technology vendors such as Atlassian, Salesforce, NinjaOne, and SAP. The tenure of CTrOs to date varies from six months to five to six years. Chris Peake, chief trust officer at Gong, has held the position for about three months, after previously serving as CISO at Smartsheet and as director of trust and customer security at ServiceNow. He sees it as an evolution of this position, which has its origins in banking and finance.

Forrester describes the position as taking responsibility for making the company's commitment to trust authentic and intentional. For Peake, privacy, responsible data handling, and openness are at the center of his role, particularly with regard to how AI models are trained and protected. “We have to be transparent. We have to communicate well. With AI, for example, it's about what we do with this data. How we train our models. How they are protected. Transparency and communication in these areas are therefore crucial pillars.”

CISO and CTrO: A model for a working partnership?

As customers, partners, and regulators demand more openness and security, those in the CTrO role say that building trust is the answer. The remit covers security, privacy, compliance, ethics, customer security, and internal culture. As a rule, the CISO remains responsible for controls and protection, while the chief trust officer looks after reputation, ethics, and customer trust. When cybersecurity reports to the CTrO, this offers a way to stay out of IT and the competing priorities with the CIO. This partnership repositions security from a “department of no” to a business accelerator, Forrester notes.

Vinay Patel, chief trust and security officer at Zendesk, agrees that the role aligns trust with business strategy. “A CISO protects systems. The chief trust officer protects trust. One protects the company, the other protects its credibility.”

An additional challenge is that the CTrO bears responsibility for trust at a difficult time. The issue has become a problem for revenue and reputation. Patel stresses that strong alignment between customer trust and business strategy is crucial. “If you no longer have credibility in the market, with your partners and customers, your business strategy is doomed to fail from the outset,” he tells CSO.

While the CISO's daily tasks include reviewing the SOC, checking alerts, GRC, managing other security operations, and reporting to the board, the role of the chief trust officer, according to Patel, is linked to customer trust throughout. “It's about bringing this trust perspective into decision-making and encouraging colleagues and partners to think the same way.” Patel's dual title signals that he places equal value on the security of the platform and on handling customer data with integrity. “It was important not only to show that we protect our systems well, but also to make clear how important it is to earn and renew this customer trust every day.”

In Gong's model, IT and security were merged into a unified trust office, with the CISO reporting to Peake. His responsibilities include product security, compliance, security operations (such as incident response), and leading a team of field security staff who interact directly with customers. This partnership model helps translate complex technical assurances into trust at the business level and quickly rebuild trust through openness and empathy during incidents.

Peake describes his approach as collaborative and outward-facing, positioning the trust function as a bridge between customers, sales, and technical teams. He acts as a “connector” between customers' expectations and the company's security and AI practices. In doing so, he focuses on creating a secure, stable, and resilient platform that customers can trust and that goes beyond traditional security and compliance. “If you trust a company, you will come back to it. So there is a clear link between driving the business and the trust of your customers,” says Peake.

The Zendesk CTrO believes the role goes beyond compliance and touches the human emotion of trust. “It arises through the connection to customers and not through metrics.”

But how risky is it to own institutional trust? Peake is aware of the burden and visibility of the role and says that in times of crisis the CTrO becomes the “guardian of honesty.”

How do you operationalize trust and avoid empty trust signals?

The question also arises of how organizations operationalize trust, and whether it can be measured. There is no off-the-shelf platform, so CTrOs have to build their own dashboards combining customer and employee metrics. This lets them track trends and spot early signs of a loss of trust.

Peake warns against treating the title as a trend or hype: “The proof will show in our behavior and actions. I would refrain from measuring trust itself and instead focus on the indicators. These show whether we are trustworthy or not.” He uses customer sentiment, trust in the platform, and customer retention as reliable trust signals. “This shows up in declining customer sentiment, or in how much trust customers have in the platform and whether security concerns are keeping us from winning new customers,” says Peake.

Patel focuses on robust processes such as responsible AI governance and validation through external benchmarks such as ISO 42001 certification for AI trust and governance, as well as work on CSA STAR for AI. “These give customers and stakeholders a standard yardstick for assessing the extent to which a company has a strong security program or a strong AI trust and governance program.”

Forrester, too, warns against adopting the title without real change. Real accountability, the analyst firm says, requires executive support, aligned incentives, and board oversight to turn words into measurable action. In some cases, companies create the position of trust officer after an incident to signal to customers and the wider market that they value trust. But in their haste to prove their reputation, they must do more than just add a new title.

There are essential questions that companies must answer, Peake says. “What is our fundamental need in order to be a trustworthy company? You have to think about what that means for your customers and how you can close that gap,” he says.

What about the board?

All institutions must work to rebuild trust, since higher levels of trust are associated with better economic outcomes and greater well-being, the Edelman report notes. All companies must do their part, and that must be led from the top. If trust is to be a core value of the company, the chief trust officer role must be visible and accountable to the board.

Most CTrOs report directly to the CEO and often oversee security, privacy, and compliance, with the CISO reporting to them or working alongside them, Forrester found. Positioning trust at the leadership level signals that it is a strategic issue and not just a technology concern. “When I communicate with the board, I talk about things that influence customer trust. These points help top management understand measures better than the number of vulnerabilities fixed or other technical facts that CISOs have to translate for the board.”

Is the chief trust officer the next step for CISOs?

Many of the first CTrOs were former CISOs, which according to Forrester points to an evolution from security and compliance toward reputation and ethics. The position builds on the foundations of the CISO but requires a broader focus on empathy, communication, and customer advocacy rather than pure risk mitigation. As companies set themselves apart through trustworthy AI and responsible data handling, the CTrO could become as common as the CISO.

Peake believes trust will become a foundation for business relationships, particularly as AI and data management have dominated customer concerns. Peake calls this an “evolutionary step” for security leaders; thanks to his years of customer engagement, it was a natural transition.

Some CISOs may already be acting as de facto trust officers by working with external stakeholders and leading cross-functional risk programs without the formal title. However, the title should not simply be a renaming of the CISO role.

Patel urges CISOs to view the chief trust officer role less as a career step and more as an opportunity to have greater influence on corporate strategy. “It is a change of mindset. If that resonates with an existing CISO, that is a sign of a calling.” (jm)
Scammers use AI to make fake art seem real
Fraudsters have started using AI to create fake documents claiming that artworks are genuine or legally owned, the Financial Times reports. According to art insurance brokers at Marsh, chatbots and large language models are being used to forge invoices, appraisal certificates and certificates of authenticity. In other cases, there was no deliberate fraud; instead, AI hallucinated false references to a work of art, which the owner took to be true. False documents are nothing new in the art world, but AI has made them more realistic and harder to detect. “AI makes something that’s been going on for a long time a little easier and a little faster. You don’t have to invent a professorial expert anymore — you can just let the AI do it for you,” Harry Smith of art valuation firm Gurr Johns told the Financial Times. To counter this trend, both insurers and appraisers are now trying to use AI themselves to review metadata and identify manipulation.
Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens
Cybersecurity researchers have disclosed details of a new malicious package on the npm repository that works as a fully functional WhatsApp API, but also contains the ability to intercept every message and link the attacker's device to a victim's WhatsApp account. The package, named "lotusbail," has been downloaded over 56,000 times since it was first uploaded to the registry by a user named "
Pirate activists have copied Spotify’s entire music library
A collective of pirate activists say they gained access to 256 million rows of metadata and 86 million audio files, equivalent to around 300 terabytes of data, from Spotify, Billboard reports. The metadata, but no audio files, has been made publicly available through the open search engine Anna’s Archive. Anna’s Archive describes the project as an effort to “preserve the knowledge and culture of humanity” by creating a music archive for preservation purposes. Spotify itself has confirmed that it is investigating a breach in which a third party allegedly scraped public metadata and circumvented DRM protection without authorization to access certain audio files.
⚡ Weekly Recap: Firewall Exploits, AI Data Theft, Android Hacks, APT Attacks, Insider Leaks & More
Cyber threats last week showed how attackers no longer need big hacks to cause big damage. They’re going after the everyday tools we trust most — firewalls, browser add-ons, and even smart TVs — turning small cracks into serious breaches. The real danger now isn’t just one major attack, but hundreds of quiet ones using the software and devices already inside our networks. Each trusted system can
Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale
Threat actors have been observed leveraging malicious dropper apps masquerading as legitimate applications to deliver an Android SMS stealer dubbed Wonderland in mobile attacks targeting users in Uzbekistan. "Previously, users received 'pure' Trojan APKs that acted as malware immediately upon installation," Group-IB said in an analysis published last week. "Now, adversaries increasingly deploy
Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence
Threat hunters have discerned new activity associated with an Iranian threat actor known as Infy (aka Prince of Persia), nearly five years after the hacking group was observed targeting victims in Sweden, the Netherlands, and Turkey. "The scale of Prince of Persia's activity is more significant than we originally anticipated," Tomer Bar, vice president of security research at SafeBreach, said
U.S. DOJ Charges 54 in ATM Jackpotting Scheme Using Ploutus Malware
The U.S. Department of Justice (DoJ) this week announced the indictment of 54 individuals in connection with a multi-million dollar ATM jackpotting scheme. The large-scale conspiracy involved deploying malware named Ploutus to hack into automated teller machines (ATMs) across the U.S. and force them to dispense cash. The indicted members are alleged to be part of Tren de Aragua (TdA, Spanish for
Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers
A suspected Russia-aligned group has been attributed to a phishing campaign that employs device code authentication workflows to steal victims' Microsoft 365 credentials and conduct account takeover attacks. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government
Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware
Cybersecurity researchers have disclosed details of a new campaign that has used cracked software distribution sites as a distribution vector for a new version of a modular and stealthy loader known as CountLoader. The campaign "uses CountLoader as the initial tool in a multistage attack for access, evasion, and delivery of additional malware families," Cyderes Howler Cell Threat Intelligence
Dismantling Defenses: Trump 2.0 Cyber Year in Review
The Trump administration has pursued a staggering range of policy pivots this past year that threaten to weaken the nation’s ability and willingness to address a broad spectrum of technology challenges, from cybersecurity and privacy to countering disinformation, fraud and corruption. These shifts, along with the president’s efforts to restrict free speech and freedom of the press, have come at such a rapid clip that many readers probably aren’t even aware of them all.
WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability
WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks. Tracked as CVE-2025-14733 (CVSS score: 9.3), the vulnerability has been described as a case of out-of-bounds write affecting the iked process that could allow a remote unauthenticated attacker to execute arbitrary code. "This vulnerability affects both the
Nigeria Arrests RaccoonO365 Phishing Developer Linked to Microsoft 365 Attacks
Authorities in Nigeria have announced the arrest of three "high-profile internet fraud suspects" who are alleged to have been involved in phishing attacks targeting major corporations, including the main developer behind the RaccoonO365 phishing-as-a-service (PhaaS) scheme. The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) said investigations conducted in collaboration with
New UEFI Flaw Enables Early-Boot DMA Attacks on ASRock, ASUS, GIGABYTE, MSI Motherboards
Certain motherboard models from vendors like ASRock, ASUSTeK Computer, GIGABYTE, and MSI are affected by a security vulnerability that leaves them susceptible to early-boot direct memory access (DMA) attacks across architectures that implement a Unified Extensible Firmware Interface (UEFI) and input–output memory management unit (IOMMU). UEFI and IOMMU are designed to enforce a security
China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware
A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan. The end goal of these attacks is cyber espionage, Slovak cybersecurity company ESET said in a report published today. The threat activity cluster has been assessed to be active since at least September 2023. "
HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution
Hewlett Packard Enterprise (HPE) has resolved a maximum-severity security flaw in OneView Software that, if successfully exploited, could result in remote code execution. The critical vulnerability, assigned the CVE identifier CVE-2025-37164, carries a CVSS score of 10.0. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a
Last updated: 2025-12-29 04:27:17