Microsoft has disclosed details of a large-scale malvertising campaign that's estimated to have impacted over one million devices globally as part of what it said is an opportunistic attack designed to steal sensitive information. The tech giant, which detected the activity in early December 2024, is tracking it under the broader umbrella Storm-0408, a moniker used for a set of threat actors

In July of 2024, cybersecurity software company CrowdStrike pushed an update to millions of computers around the world. The update, which should have been perfunctory, caused widespread chaos as computers at airlines, hospitals, and other critical industries began to crash, one after the other.

Flights were canceled or delayed at airports worldwide. Banks, hotels, hospitals, emergency services, and even television stations all experienced disruptions. Experts estimate the global cost of the outage to be in the billions of dollars. It is the most dramatic example in recent history of the interconnectedness and interdependence of online systems and how a single point of failure can bring it all crashing down.

It also served as a wake-up call. Given how connected our systems are, it’s only a matter of time before another crash occurs. To avoid falling victim, businesses must take this threat seriously — and learn how to mitigate risks.

The risk

The reality of our interconnected world is that everything is getting smarter. Take the electrical grid, for example. The grid once ran on discrete, hardwired systems that were physically isolated from one another. But today’s grid is “smart”, with single, ruggedized gateways running multiple systems, and it has to manage the fragile balance between demand and supply. Because today’s grid is significantly smarter, it is inherently more vulnerable.

Interconnectedness has even caused something as seemingly innocent as a hospital coffee shop to become a risk. The same WiFi that is offered to visitors and patients in the lobby coffee shop is connected to critical hospital systems, including those that house personally identifiable information (PII); these systems are prime targets for attack. This is not hypothetical; I witnessed a demonstration where someone used a hospital’s coffee shop WiFi to access a patient’s medication dispenser. It was both terrifying and effective.

Shrinkage

Organizations have spent too much time and too many resources on reducing the probability of an attack and not enough on mitigating the impact. With a breach being inevitable, the goal must be maintaining service delivery even in the face of a cyber event. This can be done by identifying the Minimum Viable Operation (MVO): the absolute minimum set of systems that must keep running in order to provide the service. Cyber resilience strategies should be built around these systems to ensure they remain operational in the event of an attack.

Consider, for example, how retailers handle shoplifting. Stores expect to lose products in any given period due to theft; it’s called “shrinkage.” Shrinkage refers to the discrepancy between the inventory a store should have and what it actually has. The difference is usually caused by shoplifting. Retail stores account for this shrinkage and plan for it. Since they know they can’t stop 100% of shoplifters, they write off the anticipated loss when they calculate their financials. It’s the cost of doing business.

While it is not realistic to expect businesses to simply accept data and system loss, they can take a page from the retail industry given that, like shoplifting, breaches are inevitable. Taking an MVO approach, organizations should focus efforts on making their systems breach-tolerant versus attempting to prevent every attack – something that is unrealistic given the ever-evolving threat landscape. Identify systems that need to be protected, protect those systems, and then segment everything else. Write off losses as shrinkage and move on.
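The MVO approach above (identify the systems the service truly depends on, protect those, segment everything else) can be derived mechanically from a dependency inventory. The following is an added example written for this article, not code from the original post; the system names and dependency edges are constructed to illustrate the hospital scenario mentioned earlier, and the function names are the example's own.

```python
"""
Derive a Minimum Viable Operation (MVO) set from a service dependency map.

Added example, not part of the original article. The system names and
the dependency edges below are constructed for illustration only.
"""
from collections import deque

# Constructed inventory: system -> the systems it needs in order to keep running.
# An empty set means the system has no upstream dependencies.
DEPENDENCIES = {
    "medication-dispenser": {"auth", "patient-records"},
    "patient-records": {"auth", "db-primary"},
    "billing": {"auth", "db-primary"},
    "guest-wifi": {"captive-portal"},
    "captive-portal": set(),
    "auth": {"db-primary"},
    "db-primary": set(),
    "marketing-site": set(),
}


def all_systems(deps):
    """Every system named anywhere in the inventory, as a dependency or a key."""
    return set(deps) | {d for targets in deps.values() for d in targets}


def mvo_closure(critical_services, deps):
    """Return the critical services plus everything they transitively depend on.

    This is a breadth-first walk over the dependency edges; the result is the
    MVO: the smallest set of systems that must stay up for the service to run.
    """
    needed = set()
    queue = deque(critical_services)
    while queue:
        system = queue.popleft()
        if system in needed:
            continue
        needed.add(system)
        queue.extend(deps.get(system, ()))
    return needed


def segmentation_plan(critical_services, deps):
    """Split the estate into the MVO zone and the zone to be segmented away."""
    mvo = mvo_closure(critical_services, deps)
    return {
        "mvo": sorted(mvo),
        "segmented": sorted(all_systems(deps) - mvo),
    }


def cross_zone_flows(critical_services, deps):
    """Dependencies that cross from the segmented zone into the MVO zone.

    These are the only flows a segmentation policy needs to allow explicitly;
    everything else between the zones can be denied by default.
    """
    mvo = mvo_closure(critical_services, deps)
    return sorted(
        (source, target)
        for source, targets in deps.items()
        if source not in mvo
        for target in targets
        if target in mvo
    )


def unknown_dependencies(deps):
    """Systems referenced as a dependency but missing their own inventory entry.

    An MVO built on an incomplete inventory silently omits systems, so these
    gaps should be resolved before the segmentation plan is trusted.
    """
    return sorted(all_systems(deps) - set(deps))


if __name__ == "__main__":
    critical = {"medication-dispenser"}
    print("inventory gaps:", unknown_dependencies(DEPENDENCIES))
    print("plan:", segmentation_plan(critical, DEPENDENCIES))
    print("allowed cross-zone flows:", cross_zone_flows(critical, DEPENDENCIES))
```

With the medication dispenser declared as the critical service, the MVO zone is the dispenser, the patient-records system, auth and the primary database; guest WiFi, the captive portal, billing and the marketing site fall into the segmented zone, and only billing's calls into auth and the database need explicit allow rules. Notice that the guest WiFi shares no dependency with the dispenser at all, which is exactly why the coffee-shop-to-dispenser path in the earlier anecdote should never have existed.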

The CrowdStrike outage underscored not only the vulnerabilities inherent in our interconnected systems but also the urgent need for cohesive, practical guidance to manage these risks. As systems become increasingly complex and interconnected, ensuring resilience is essential, yet many organizations are left to navigate a regulatory landscape that’s anything but straightforward.

Regulations

In theory, regulations should make us safer. That’s their intent, anyway: to stipulate how and when organizations should address cyber issues. Yet existing regulations can’t prevent all incidents from occurring, as the CrowdStrike outage proved. And passing new regulations isn’t the answer either, as too many can lead to a confusing mess of rules and very little direction on how to follow them.

Organizations in the U.S., for example, are caught in a nightmare web of cyber regulations. There are national, state, and local regulators, multiple industry regulators, CISA, NSA, etc. This leads to overregulation and a severe lack of solutions.

According to the 2024 ISC2 Cybersecurity Workforce Study, 67% of respondents indicated they had a staffing shortage this year. There simply aren’t enough cybersecurity professionals to tackle the jobs that already exist. Excessive regulations create even more work, which will simply not get done because of a lack of staff.

Cyber regulations should be prescriptive, as they are in many other parts of the world where one regulator oversees the entire industry. No system is perfect, but simpler is generally better. At the very least, our web of regulators could talk to each other to ensure there’s no overlap.

Regulators should do more to help organizations achieve compliance without simply issuing new requirements. They can create all the legislation they want, but if that doesn’t come with the necessary people and funds, the organizations remain vulnerable to an attack.

The way forward

This brings us back to MVO. In a world where cyberattacks are a given, and regulations come without the funds and advice to help ensure you are not breached, your best way forward is mitigating risk. And the first priority is to keep your service functioning.

One way to do that is to identify what you’re mitigating against. Where are your risk vectors? Your supply chain? Third parties? Many organizations have a huge number of third parties in their operations. Identify these and control what they have access to. It’s difficult to enforce an adequate level of compliance on third parties, so you have to mitigate the risks they actually pose.

I recall a conversation I had with a cybersecurity professional at a major bank. They told me the way they handled risk was to start a list. At the top of the list was the worst thing that could happen, and from there on down were slightly worse things. Then, they’d start mitigating against the items at the top of the list and work their way down until they ran out of money. It’s not ideal, but that’s how many organizations work.

If the CrowdStrike crash taught us anything, it’s that systems with a single point of failure will, eventually, fail. The more connected they are, the bigger the failure will be.

Designing the network for resilience rather than prevention increases the ability to maintain services.

Now imagine that the CrowdStrike crash was the result of a malicious act. How much bigger would the damage have been? The UK government estimates the economic impact of a successful attack on the critical national infrastructure could be equal to that of Covid. We should consider that a wake-up call.


The post Avoiding the Single Point of Failure appeared first on Cybersecurity Insiders.

Are you tired of dealing with outdated security tools that never seem to give you the full picture? You’re not alone. Many organizations struggle with piecing together scattered information, leaving your apps vulnerable to modern threats. That’s why we’re excited to introduce a smarter, unified approach: Application Security Posture Management (ASPM). ASPM brings together the best of both

The U.S. Cybersecurity and Infrastructure Security Agency will continue its offensive operations against foreign threats, including Russia, after allegations U.S. Cyber Command was ordered to halt its efforts against Russia, Industrial Cyber reports. CISA said there "has been no change in our posture. Any reporting to the contrary is fake and undermines our national security."

Access on-demand webinar here Avoid a $100,000/month Compliance Disaster March 31, 2025: The Clock is Ticking. What if a single overlooked script could cost your business $100,000 per month in non-compliance fines? PCI DSS v4 is coming, and businesses handling payment card data must be prepared. Beyond fines, non-compliance exposes businesses to web skimming, third-party script attacks, and

As states weigh passing children's online safety legislation, another battle is building among Big Tech firms over potential age verification obligations, The Wall Street Journal reports. Apple, Google and Meta are among the potential covered entities arguing whether verification obligations should fall on individual apps and platforms or extend to the app stores facilitating on-device access.


A coalition of civil society organizations sent a letter to U.S. Director of National Intelligence Tulsi Gabbard highlighting concerns about the reauthorization of Section 702 of the Foreign Intelligence Surveillance Act. The organizations urged Gabbard to work with them to provide information on what data is collected and stored about U.S. citizens under Section 702 of FISA to improve transparency.

Cybersecurity researchers have discovered a malicious Python package on the Python Package Index (PyPI) repository that's equipped to steal a victim's Ethereum private keys by impersonating popular libraries. The package in question is set-utils, which has received 1,077 downloads to date. It's no longer available for download from the official registry. "Disguised as a simple utility for Python