The Department of Know: Overconfidence new zero-day, FCC torches Salt Typhoon rules, AI uninsurable

This week’s Department of Know is hosted by Rich Stroffolino with guests Keith Townsend, host of the CTO Advisor Podcast, founder of The Advisor Bench, and creator of the Virtual CTO Advisor; and Howard Holton, CEO, GigaOm

Missed the live show? Check it out on YouTube

CISO Series The Department of Know is live every Monday at 4:00 p.m. ET. Join us each week by registering for the open discussion at CISOSeries.com

Overconfidence is the new zero-day

A new report from Immersive shows cybersecurity teams are overconfident but underprepared. Across 1.8 million simulated exercises, participants averaged 22% accuracy and took 29 hours to contain infections. Readiness scores have flatlined since 2023, with many teams practicing outdated scenarios and excluding non-technical roles, which undermines coordination. Confidence often exceeds actual skill, and metrics like training completion mask capability gaps. The report urges orgs to shift from assumption-based confidence to evidence-backed readiness, continuously testing skills against evolving threats including AI-enabled attacks.

(The Register)

Azure hit by DDoS using 500K IPs

Microsoft reported that its Azure network was hit by a 15.72 Tbps DDoS attack from more than 500,000 IPs, launched by the Aisuru botnet. The attack targeted an Australian IP and peaked at 3.64 billion packets per second using high-rate UDP floods. Aisuru, a Turbo Mirai-class IoT botnet, exploits vulnerable home routers, IP cameras, and DVRs, and has previously conducted record-breaking attacks, including a 22.2 Tbps assault mitigated by Cloudflare.

(BleepingComputer)

FCC to torch rules from Salt Typhoon

The FCC is set to vote on scrapping cybersecurity rules it adopted in the wake of the Salt Typhoon intrusions disclosed in 2024, which required telecoms to implement basic security controls such as MFA, role-based access, and patching. The FCC, under the current administration, argues the rules were legally overreaching and ineffective, and favors a collaborative, voluntary approach with industry and federal agencies instead. Salt Typhoon, a China-linked cyberespionage campaign, compromised U.S. government, telecom, and university networks, exposing sensitive data on millions of people worldwide.

(The Register)

Huge thanks to our episode sponsor, KnowBe4

Cybersecurity isn’t just a tech problem—it’s a human one.

That’s why KnowBe4’s Human Risk Management platform allows you to measure, quantify and actually reduce human risk across your organization.

With AI-powered risk scoring, automated coaching and reporting, HRM+ helps you surface your highest risk users and reduce the risk of data breaches and cyberattacks proactively.

Ready to move from awareness to action? Request a demo of HRM+ today at knowbe4.com.

Cloudflare blames database change

Cloudflare’s worst outage since 2019 knocked major websites offline for hours on Tuesday, and the company now says it wasn’t a cyberattack, as initially suspected, but an internal configuration error. A change to database permissions caused the query that builds Cloudflare’s Bot Management feature file to return duplicate rows, producing a file larger than the core proxy was built to accept; the proxy crashed every time it loaded the file, leading to widespread 5xx errors across the network. The outage impacted major companies including X, Uber, Canva, and ChatGPT, with traffic back to normal by mid-afternoon and Cloudflare’s CEO apologizing for the disruption.

(Bleeping Computer), (Dark Reading)
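The fail-hard versus fail-safe distinction behind the Cloudflare item, as an added illustration that is not Cloudflare’s code: the proxy capacity, feature names and database names are assumptions, and the rows are constructed. The naive loader reproduces the shape of the outage (an upstream permissions change doubles the generated file, it exceeds a fixed capacity, and the worker dies); the safe loader validates the generated file and keeps the last-known-good one in service, while the generator-side fix filters the query on the intended database.

```python
"""Illustrative loader for a generated "feature file": an upstream permissions
change makes the generating query return every row twice, the file outgrows a
fixed capacity, and a loader that hard-fails on overflow takes the data plane
with it. Assumed example, not Cloudflare's code; names and limits are invented."""

from dataclasses import dataclass, field

MAX_FEATURES = 4  # assumed preallocated capacity in the proxy

# Constructed rows: (feature_name, database). Before the permissions change
# only the "default" database is visible; afterwards the same metadata is also
# visible under "r0", so an unfiltered query returns each feature twice.
ROWS_BEFORE = [("bot_score", "default"), ("ja4_hash", "default"), ("asn_risk", "default")]
ROWS_AFTER = ROWS_BEFORE + [(name, "r0") for name, _ in ROWS_BEFORE]


def build_feature_file(rows, database=None):
    """Generator side. With database=None (the buggy form) every row is emitted;
    filtering on the intended database is the generator-side fix."""
    return [name for name, db in rows if database is None or db == database]


class ProxyPanic(Exception):
    """Stand-in for the unrecoverable error that crashes a proxy worker."""


def naive_load(feature_file):
    """Fail-hard loader: trusts the file and panics past capacity."""
    if len(feature_file) > MAX_FEATURES:
        raise ProxyPanic(f"{len(feature_file)} features exceed capacity {MAX_FEATURES}")
    return list(feature_file)


def naive_load_survives(feature_file):
    """True if naive_load accepts the file, False if it would crash the worker."""
    try:
        naive_load(feature_file)
        return True
    except ProxyPanic:
        return False


def validate(feature_file):
    """Return the list of problems with a generated file; empty means acceptable."""
    problems = []
    if len(set(feature_file)) != len(feature_file):
        problems.append("duplicate feature names")
    if len(feature_file) > MAX_FEATURES:
        problems.append(f"{len(feature_file)} features exceed capacity {MAX_FEATURES}")
    if not feature_file:
        problems.append("empty file")
    return problems


@dataclass
class SafeLoader:
    """Fail-safe loader: a malformed file is rejected and the last-known-good
    configuration stays in service, so a bad generator run degrades bot
    scoring instead of returning 5xx for every request."""
    active: list = field(default_factory=list)
    rejected: int = 0

    def load(self, feature_file):
        problems = validate(feature_file)
        if problems:
            self.rejected += 1
            return self.active, problems  # keep serving with the previous file
        self.active = list(feature_file)
        return self.active, []


if __name__ == "__main__":
    good = build_feature_file(ROWS_BEFORE)
    bad = build_feature_file(ROWS_AFTER)
    print("naive loader survives doubled file:", naive_load_survives(bad))
    loader = SafeLoader()
    loader.load(good)
    active, problems = loader.load(bad)
    print("safe loader keeps:", active, "rejected because:", problems)
    print("fixed generator:", build_feature_file(ROWS_AFTER, database="default"))
```

The design point is that a generated configuration is untrusted input to whatever loads it: check it against an explicit schema and size bound, and treat a failed check as an alert plus rollback to the previous good version, never as a crash of the component that serves traffic.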

Canadian regulators say schools share blame for PowerSchool hack

The information and privacy commissioners for the provinces of Ontario and Alberta released their investigative findings on the massive PowerSchool data leak and faulted the school systems for missteps such as “not putting privacy and security-related provisions in their contracts with the education software firm and failing to effectively monitor and oversee PowerSchool’s security guardrails, particularly in regard to multifactor authentication.” Schools also did not have appropriate breach response plans ready to go, the report said. The breach, which affected schools and students across the U.S. and Canada, was traced to a Massachusetts college student, who pleaded guilty and received a four-year sentence in October.

(Cision Canada, The Register, The Record)

SEC drops remaining claims on 2020 SolarWinds hack

It wasn’t the first software supply chain attack, but the 2020 attack that inserted malicious code into SolarWinds’ Orion software put a giant spotlight on the issue. In the aftermath of the breach, the US Securities and Exchange Commission brought charges against the company and its CISO, Tim Brown, in 2023, alleging fraud and internal control failures. Most of those charges were dismissed in 2024 by the U.S. District Court for the Southern District of New York, citing the company’s prior regulatory filings. On Thursday the SEC disclosed that it has now dismissed its case against SolarWinds and Brown entirely. In a statement, SolarWinds said it hoped the dismissal “eases the concerns many CISOs have voiced about this case and the potential chilling effect it threatened to impose on their work.”

(CRN)

Paired Story

Salesforce warns of data breach after third-party activity

Salesforce released the warning last Wednesday evening after discovering unusual activity related to a third-party application from Gainsight, a customer success platform that customers connect to Salesforce to track sales and customer data. Salesforce emphasized that there was no indication that the issue resulted from any vulnerability in the Salesforce platform. “Instead, the activity appears to be related to the app’s external connection to Salesforce,” the company said. The actors behind this have not been confirmed, but it appears to be yet another attack by affiliates of the Scattered Spider and ShinyHunters groups. For Salesforce customers, the practical check is the same as in any connected-app compromise: review which third-party apps hold OAuth access and refresh tokens into the org, revoke any that are not needed, and audit API activity from those apps over the affected window.

(The Record)

Cox Enterprises discloses Oracle E-Business Suite data breach

The telecommunications giant is notifying impacted individuals of a data breach that exposed their personal data. Attackers breached the company’s network in August after exploiting a zero-day flaw in Oracle E-Business Suite; Cox did not detect the intrusion until late September, through an internal investigation. No attackers have been named, but the Cl0p extortion gang has claimed responsibility for a campaign that exploited the vulnerability, CVE-2025-61882, as a zero-day long before Oracle released a patch on October 5. Cox has not specified what types of data were exposed.

(BleepingComputer)

AI is too risky to insure, say insurers

According to the Financial Times, major insurers such as AIG, Great American, and WR Berkley are “asking U.S. regulators for permission to exclude AI-related liabilities from corporate policies,” with one underwriter describing AI as “too much of a black box.” The fear, they say, is of thousands of simultaneous claims when a widely used AI model makes a mistake. The article quotes one executive from the insurance broker Aon as saying, “insurers can handle a $400 million loss to one company. What they can’t handle is an agentic AI mishap that triggers 10,000 losses at once.” The article cites examples of the types of events that are spooking insurers. These include Google’s AI Overview falsely accusing a solar company of legal troubles, triggering a $110 million lawsuit back in March; Air Canada being forced to honor a discount invented by its chatbot; and the infamous $25 million deepfake heist against the London-based design engineering firm Arup last year.

(TechCrunch)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.