This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Bethany De Lude, CISO emeritus, The Carlyle Group
Missed the live show? Check it out on YouTube
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Secure by Design leaders leave CISA
Two of the chief architects of CISA’s Secure by Design initiatives announced they were leaving the agency. Senior technical advisor Bob Lord joined CISA in 2022 to head up the initiative. In his departure post, he said he will keep “contributing” to Secure by Design work after a short break. Senior advisor Lauren Zabierek joined CISA in 2023, calling the initiative “one of the most meaningful experiences of my career, one that truly embodies the spirit of public-private partnership and both interagency and international collaboration.” Acting CISA director Bridget Bean said the agency will “continue to urge companies to develop products that are secure by design.”
Microsoft’s latest security progress report
When the Cyber Safety Review Board investigated Microsoft’s 2023 Exchange Online breach, it concluded that the intrusion by China-linked Storm-0558 was “preventable” and the result of a cascade of operational failures, including poor key management, inadequate logging, and a deprioritized security culture. Microsoft launched its Secure Future Initiative (SFI) in response and has now issued its second progress report. The report shows that Microsoft has implemented phishing-resistant MFA, now covering 92% of employee accounts; that 99% of production assets are now inventoried; that token validation has shifted to hardened SDKs; and that over 6 million inactive tenants have been removed. The progress report goes into detail about technical and cultural shifts in how Microsoft handles security, but the CSRB recommendations around transparency and refinements to the victim notification process remain largely incomplete.
Today’s LLMs craft exploits from patches at lightning speed
Large language models like OpenAI’s GPT-4 and Anthropic’s Claude Sonnet 3.7 are shortening the time it takes to create working exploits after a vulnerability disclosure. A researcher at ProDefense demonstrated that AI could analyze code patches, identify the security flaws they fix, and generate proof-of-concept attack scripts quickly, cutting into defenders’ response time. Experts warn this rapid automation is shrinking the reaction window for cybersecurity teams.
The FBI issues its 2024 IC3 report
Yesterday the FBI issued the 25th installment of its annual Internet Crime Complaint Center (IC3) report. The report revealed that IC3 recorded a new high for reported losses last year, reaching an astounding $16.6 billion. IC3 also received over 850,000 complaints, up 33% from 2023. Cyber-enabled fraud accounted for a staggering $13.7 billion of those losses and for 40% of IC3’s complaint volume. People over age 60 suffered the most significant financial losses, coming in at over $4.8 billion, a 43% increase from 2023. To end on a positive note, the FBI said that last year cyber fraud-related arrests increased 700% to 215, achieved through 11 joint operations with other local law enforcement agencies.
Huge thanks to our sponsor, Dropzone AI
British companies told to hold in-person interviews to thwart North Korea job scammers
After finding the remote-job scam too difficult to pursue in the U.S., North Korean operatives are now focusing on Europe, and especially the UK, seeking out remote work with the goal of accessing sensitive data as well as cash. They are often assisted by co-conspirators who hold physical addresses in the country. John Hultquist, the chief analyst at Google’s Threat Intelligence Group, told the UK news outlet The Guardian, “many of the remedies are in the hands of the HR department, which usually has very little experience dealing with a covert state adversary.” He added that companies “need to do a better job checking physical identities and ensuring the person you’re talking to is who they claim to be. This scheme usually breaks down when the actor is asked to go on camera or come into the office for an interview.”
Third-party breaches double in a year
According to Verizon’s Data Breach Investigations Report (DBIR) released this past Wednesday, “the proportion of breaches involving third parties rose from 15 percent in last year’s dataset to 30 percent in this year’s report.” The report suggests cybercriminals are “increasingly looking at organizations such as accountants and law firms as ways to reach their intended targets.” Verizon adds that “vendors and other business partners are expanding the attack surface by failing to enforce proper access controls, including preventing credential misuse. In particular, weak third-party practices continue to expose organizations to downstream risks.”
Attackers hit security device defects hard in 2024
Attackers are increasingly exploiting security flaws in edge devices like VPNs, firewalls, and routers, according to Mandiant’s latest M-Trends report. In 2024, exploits accounted for one-third of all initial access methods, and the four most targeted vulnerabilities were all found in these critical devices. Many of these were zero-day exploits, and nearly half of all observed exploitation targeted edge devices. These devices, meant to protect networks, often cannot run third-party security tooling, leaving organizations exposed. Attacks have affected major companies and government agencies, with notable increases in espionage activity from Russian and Chinese actors, according to Google’s Threat Intelligence Group.