Akhib Nayaz

Clorox is suing Cognizant for $380M. The reason? A 2023 cyberattack that crippled their operations, allegedly caused by poor help desk controls and a botched incident response. - This wasn’t just a breach. It disrupted supply chains, damaged customer trust, and is now turning into a legal battle with one vendor blaming the other. As security professionals, we often say: "Third-party risk is your risk." But too often, those warnings get ignored… until it’s too late. This case raises questions that CISOs and boards must be asking: - Are our vendors following the same standards we require internally? - How strong are our controls against social engineering, especially at the help desk? - Do we have contractual clarity around incident response ownership? Link to the full article is in the comments. #Cybersecurity #RiskManagement #GRC #InfoSec #CISOs

99

27 Kommentare

Compliance didn’t create hardened images—better scanners did. If you're operating in a regulated space (or will be soon, thanks to the CRA), you know the pain: you have to justify every vulnerability. That includes the thousands of "negligible" CVEs sitting in bloated base images. The container base image math is simple: Alpine: 16 packages, 6 vulnerabilities Debian: 78 packages, 46 vulnerabilities The influx of new hardened image vendors isn't a mandate, it's a necessity. Minimal bases cut the noise, slash compliance overhead, and allow your security team to focus on the vulnerabilities that actually matter. After Anchore partnership announcement with Chainguard this week, I wrote up why hardened images are now the default starting line for continuous compliance (link in the first comment)

133

9 Kommentare

AI Security Incidents forensics report A year or two ago we constantly heard the same question literally from everyone. "yeah, AI can be vulnerable but are there real incidents already?" we almost ended up paying cybercriminals to perform one ... oh cmon! just joking ;) Now especially last month news were bombarded with quite profound AI security incidents from Asana AI to the latest Amazon Q. It felt like someone in the galaxy knew that we are preparing a report and decided to add a few lines ;) Long story short, we at Adversa AI just released the Top AI Security Incidents (2025 Edition) — a detailed, real-world report that shows how AI systems are actually failing in practice, and what security teams can do to stop it. Show it to your CISO next time if he will ask about real AI attacks. From chatbots leaking personal info, to agents triggering unauthorized crypto transfers, to cross-tenant data exposure via MCP — the incidents are real, and the impact is serious. ↓ Some key points: — Prompt injection caused 35.3% of all documented cases. — Even simple prompts led to $100K+ in real losses. — GenAI was involved in 70.6% of incidents — but Agentic AI caused the most dangerous ones. — Many failures happened outside the model — in Models, memory, MCP and the logic between components. What’s inside: - Vivid visualizations to expose where AI systems are failing — by time, type, sector, and severity. - Data Across Layers: Timelines, exploit complexity matrices, and stack-wide failure maps reveal how attacks evolve - 17 real examples, clearly explained. - A look at how the attacks worked. - Steps teams can take to prevent similar issues. References to AI Security initiatives from OWASP GenAI Security Project , Coalition for Secure AI, Cloud Security Alliance, MITRE ATLAS. Steve Wilson, Christina Liaghati, PhD, Daniele Catteddu, Omar Santos, David LaBianca, Ken Huang, CISSP, Anton Chuvakin, Kapil R. R., Michael Coates → Download the full report: https://lnkd.in/dcFASFcG If you’re building, deploying, or protecting AI systems — this report is for you. Let me know what you think or feel free to share with others who might find it useful. #AIsecurity #GenAISecurity #AgenticAISecurity #CISO #AIRedTeaming #Cybersecurity

45

19 Kommentare

0.8 seconds to hack the gun safe: manager codes, encryption keys, and debug ports of the strongbox lock. 🗄️👨🏽‍🏭💥💵 Security experts Mark Omo and James Rowley shared their highly interesting research last week on safes from Liberty Safe - a US government contractor and a popular manufacturer of gun storage safes. The analog version of the lock was quite secure; researchers were unable to find any vulnerabilities there. But there is a digital version of the lock, named “Prologic” - and this part of the presentation is fun and full of very interesting bugs. Some interesting facts that caught my eye: 🗄️ In earlier versions of the locks, the master key was shared with law enforcement authorities. 🗄️ The person who sells or installs your safe will have a maager code to open it (in case you forget your code). At the end of the day, those safes are not very safe, huh? More detail: Cash, Drugs, and Guns: Why Your Safes Aren't Safe [PDF]: https://lnkd.in/dVJJvU2E #technology #guns #infosec #hacking #research #cybersecurity #embedded #future #safety #tech

465

49 Kommentare

Zscaler’s ThreatLabz report highlights some big ransomware trends: - 146% increase in ransomware attacks blocked by Zscaler’s cloud - 70% rise in public extortion cases - 238 TB of data stolen - 935% increase in Oil & Gas sector attacks Press release: https://bit.ly/44VOMUY

56

2 Kommentare

Fraud is one of the most enduring challenges in cybercrime—constantly shifting as adversaries grow more sophisticated.     I’m inspired by how Microsoft's Central Fraud and Abuse Risk (CFAR) team meets this challenge with both innovation and heart, redefining resilience, grounded in their commitment to keep users safe.      In CFAR’s new whitepaper, they share three powerful lessons from their journey—insights every organization can use to strengthen trust and security. 💜 Take a look: https://lnkd.in/gyFwdiTR

118

5 Kommentare