Dave Shackleford

Are #cybersecurity incidents growing more costly? Cyentia Institute's recent Information Risk Insights Study points to a 15-fold increase in the cost of #incidents and #databreaches over the last 15 years. The chart on the left shows the distribution of known/reported financial losses from incidents across the time period of study. The typical (median) incident costs about $600K, while more extreme (95th percentile) losses swell to $32M. Note that the chart uses a log scale, so the tail of large losses is a lot longer than it appears. The chart on the right trends the escalating costs of cyber events over time. Median losses from a security incident have absolutely exploded over the last 15 years, rising 15-fold from $190K to almost $3 million! The cost of extreme events has also risen substantially (~5x). So, yeah—cyber events are definitely growing more costly. That said, this picture looks a lot different among different types and sizes of organizations. How are cyber losses trending for orgs like yours? Download the full IRIS 2025 to find out! Link in the comments.

102

15 Comments

I haven't seen any announcement about this, but the PCI Security Standards Council has published an update in the last few days to the "Guidance for PCI DSS Requirements 6.4.3 and 11.6.1" Information Supplement. In the original version, it said "Note that PCI DSS Requirements 6.4.3 and 11.6.1 do not apply to merchants with webpages that redirect to a TPSP’s page (for example, via an HTTP 30x redirect, a meta redirect tag, or a JavaScript redirect)." That's been removed, and in its place it now says "Note that, where scripts are used as part of a redirection mechanism, PCI DSS Requirements 6.4.3 and 11.6.1 will apply to those scripts." The thing is, by fully-redirecting to a PCI DSS-compliant payment service provider or processor to take payments, the merchant doesn't have a payment page - and it's only the payment page (or parent page when iframes are used) that these requirements apply to. While I think protecting all JavaScript on a website is a really good security best practice - whether that's using CSP+SRI, Jscrambler's Webpage Integrity product, or something else, I'm currently scratching my head as to how this change to the guidance - which "does not replace or supersede requirements in any PCI SSC Standard" - currently applies. I'm curious to hear what others think...

54

17 Comments

2024 set in motion major changes for certificate lifespans and DCV. In this Root Causes Podcast lookback episode Jason Soroko and I discuss the Apple 47-day proposal, stepping down certificate term, public versus private CA use cases, DCV reuse periods, MPIC, WHOIS, and other topics. Audio: https://lnkd.in/gH3Z-adY Video: https://lnkd.in/gN_VpVPy #pki #security

29

New - Investigating Hy-Vee’s massive data breach, Hudson Rock identified critical employees infected by infostealers, compromising Atlassian (Confluence and Jira) credentials. This likely enabled this Stormous group 53GB data heist. (tl;dr below) New Blog (4 minutes read) - https://lnkd.in/dPZYU_-f TL;DR: On June 23, 2025, Stormous breached Hy-Vee’s Atlassian accounts, stealing 53GB of sensitive data, including infrastructure diagrams and operational details. Hudson Rock’s research uncovered an infostealer infections Hy-Vee employee devices, exposing credentials that likely granted attackers access, fueling one of 2025’s boldest retail breaches.

37

Self-Healing IAM Systems - A Business Centric Framework 🚀"The Identity Navigator" Podcast - New Episode Alert🚀   A self-healing IAM system enhances enterprise security by automating identity governance, mitigating operational risks, and ensuring adaptive security resilience.  By leveraging this framework organizations can create dynamic, self-correcting identity frameworks that reduce administrative overhead and improve security posture. Self-healing mechanisms ensure robust access management by automatically detecting and mitigating disruptions, policy misconfigurations, or security anomalies.   https://lnkd.in/ecm7Bz8V   Tune in now and let's check them out together 🎧🔍   #TheIdentityNavigator #IAM #Podcast #TechTalk #IdentityAndAccessManagement #IAM

36

2 Comments

Recorded Future investigates how Russia’s intelligence services maintain controlled impunity over cybercriminal groups, identifying direct links, indirect affiliations, and tacit agreements that provide plausible deniability while supporting state objectives. Blog: https://lnkd.in/eAdzpAUZ PDF: https://lnkd.in/eFTDTvbB #RecordedFuture #cyber #threatintelligence #infosec #CTI #Russia #cybercrime #espionage #DarkCovenant

62

1 Comment

CMMC Level 2 Assessment Objective: Privacy & Security Notices PRACTICE: Organizations must provide privacy and security notices consistent with applicable rules for controlled unclassified information (CUI). ASSESSMENT: System use notifications can be implemented using messages or warning banners displayed before individuals log in to organizational systems. Users may be required to click to agree to the displayed requirements of using the system each time they log on to the machine. This agreement can be used in the civil and/or criminal prosecution of an attacker that violates the terms. Be prepared! Your assessor could ask to 🔍 EXAMINE privacy and security policies and procedures addressing system use notification. 🗣 INTERVIEW system or network administrators. 📝 TEST mechanisms implementing system use notification. (CMMC Assessment Guide: Level 2 Version 2.13, page 34) #CMMC #DoD #cybersecurity #NIST #InformationSecurity

64

You might be feeling frustrated by the endless struggle of getting Sigma detection rules to work seamlessly in your open-source SIEM stack. It probably feels like every new rule demands manual conversions, special configs, and a ton of guesswork. It can be exhausting--and I’ve definitely been there. In this walkthrough I introduce how we can incorporate Velociraptor DFIR to solve our Sigma challenge. I share how I set up automated scans, tackled noisy detections, and fed alerts into my incident-response workflow (CoPilot). https://lnkd.in/gX5-X_mN

89

3 Comments

K-12 Cybersecurity Insider | 8/25/2025 In this edition: * When SSO and MFA Aren't Enough: Hidden Credential Risk in K-12 * L.A. Schools Telehealth Vendor Waited 8 Months to Report Breach * If a 14-year-old could hack them, how weak was security for 400,000 confidential student records? * K12 SIX Announces 2025-26 Steering Committee Read more and sign up to get it delivered straight to your inbox: https://lnkd.in/enaKAHCb #edtech #edusec K12 SIX

26

1 Comment

Stop whining about how much CMMC costs; It pales in comparison to the costs of not adequately defending your networks, and not just for you but all the taxpayers funding it. CMMC is about compliance and real security. While nation-state espionage represents a significant threat to the Defense Industrial Base, cybercrime presents the most immediate and operationally disruptive risk to your organization's daily operations and long-term viability. Cybercrimes occur every 39 seconds—translating to 2,244 incidents per minute and 3.2 million attacks daily. In 2022, 49% of US internet users experienced cybercrime. Global cybercrime damages are projected to reach $10.5 trillion annually by 2025, up from $3 trillion in 2015—making cybercrime the world's third-largest economy, trailing only the United States and China. Data theft for extortion has become nearly ubiquitous in modern cybercrime operations. Any Department of Defense data you have failed to properly identify, classify, and protect walks right out the door with along with all your other data. Whether the threat actor is China, Russia, or a financially motivated cybercriminal group, the result is the same: you have lost control of data critical to national security; and you will have to report it to the DoD along with your other stakeholders. Additionally, inaccurate Self-Assessment reporting to the DoD carries serious consequences and it is time we started treating it as such. When you sign a DFARS clause, you are making a commitment to the government and fellow taxpayers that you will maintain adequate cybersecurity controls. Achieving CMMC Compliance is not just a regulatory requirement but critical to safeguarding national security data. Knowingly or unknowingly providing false information about your cybersecurity posture can be considered breach of contract and potentially a charge under the False Claims Act. One of the most pressing challenges facing defense contractors is identifying and securing Controlled Unclassified Information (CUI) within their environments. Many organizations struggle with culling through millions of files to locate and properly protect all CUI they have been entrusted to safeguard. The first question is whether you have CUI in your environment, the second question is whether you know where it is and how to protect it before it's too late. P.S. If you are not completely confident on where you really are in compliance and actual security, we are happy to help with any or all of it. #capeendeavors #teramis #cmmc #cybersecurity #cyberthreats

34

1 Comment