The Cyber Monitoring Centre (CMC) aims to establish a ‘consistent and objective framework’ to provide clarity to enterprise insurance buyers.

A UK body backed by the cyber insurance industry is seeking to establish a framework to classify the severity of cyber incidents affecting UK organisations.

The Cyber Monitoring Centre (CMC) — an independent nonprofit organisation launched last week — aims to create a standardised scale for measuring the impact of cyber incidents from one (least severe) to five (most severe).

A wide range of data and analysis will be used to assess and categorise incidents against the framework, which measures severity based on the proportion of UK organisations affected and the overall financial impact.

Edward Lewis, CEO of cybersecurity consultancy CyXcel, told CSO that the focus of CMC is on the needs of insurance buyers, rather than the industry itself.

“The CMC evolved from market reactions to the Lloyd’s cyber war bulletin, which faced backlash for its conflation of systemic cyber risk with cyber war, as well the ambiguity and attribution challenges posed by the associated model clauses which followed it,” Lewis explained.

Insurance marketplace Lloyd’s of London put forward a policy requiring insurance group members to exclude liability for losses arising from state-backed cyberattacks from 2023. The measure, which was controversial even when it was introduced, remains contentious.

Lewis continued: “While large global companies with deep pockets may weather disputes over attribution and accept delays in cyber policy payouts, small and medium-sized businesses cannot afford such delays. These businesses need rapid support, particularly financial support, in a measure of days not the weeks, months, or even years that insurers, lawyers, and brokers could end up arguing about attribution and whether a loss is excluded from cover.”

Stay updated with SOC News for cutting-edge security innovations and expert industry insights! 

Source : https://www.csoonline.com/article/3822449/uk-monitoring-group-to-classify-cyber-incidents-on-earthquake-like-scale.html


CISOs are trained to fix problems. Lawyers are trained to find them. The two must work together to address complex challenges like breaches, compliance, or the ethics of emerging technologies.

There’s a joke that’s been floating around boardrooms for years: “What’s the difference between lawyers and engineers? Lawyers don’t think they’re engineers.”

This light-hearted jab highlights a fundamental difference between the two professions. Engineers, and by extension CISOs, focus on building and fixing things, learning a wide array of skills, sometimes sticking their hands into technologies nobody trained them to handle. Lawyers, on the other hand, aim to find problems, navigate gray areas, and anticipate risks.

While these differences might seem like a recipe for conflict between the two professions, they can often lead to a strong partnership. By combining their skills, these two groups can navigate the ever-evolving intersection of technology, innovation, and regulation.

“Cybersecurity and data breaches are not just technical issues,” says Michael Welch, former CISO and managing director at MorganFranklin Consulting. “They can be intertwined with legal, regulatory, and reputational risks that require a collaborative, proactive approach.”

While the relationship between CISOs and their legal teams is essential, things don’t always go smoothly. Differing priorities and communication gaps can create tensions or even lead to conflict. However, strengthening this partnership is not just beneficial — it’s critical for the organization’s ability to manage risks and respond to complex cybersecurity and compliance challenges. And CISOs can do a few things to make this partnership work.


Source : https://www.csoonline.com/article/3811937/cisos-stop-trying-to-do-the-lawyers-job.html

The media company Lee Enterprises said a “cybersecurity event” had created havoc at dozens of its newspapers, prompting some to publish shorter editions or not print at all.

Newspapers across the country owned by the news media company Lee Enterprises were unable to print, had problems with their websites and published smaller issues after a cyberattack last week, the company said.

In a statement emailed on Sunday, Lee Enterprises said that the company was facing disruptions to its daily operations because of a “cybersecurity event,” and that it had notified law enforcement.

Lee Enterprises is the parent company of more than 70 daily newspapers, such as The St. Louis Post-Dispatch, and nearly 350 weekly and specialty publications in 25 states, including Alabama, New York and Oregon. The company did not say how the attack happened or who was behind it.

“We are now focused on determining what information — if any — may have been affected by the situation,” the company said. “We are working to complete this investigation as quickly and thoroughly as possible, but these types of investigations are complex and time-consuming, with many taking several weeks or longer to complete.”


Source : https://www.nytimes.com/2025/02/09/business/media/newspaper-cyberattack-lee-enterprises.html

Honeypots are another tool in the toolbox for proactive cybersecurity leaders looking to get insight into what the bad guys are doing and help mitigate organizational risks.

In cybersecurity, we spend a lot of time focusing on preventative controls — patching vulnerabilities, implementing secure configurations, and performing other “best practices” to mitigate risk to our organizations. These are great and necessary, but something must be said about getting an up close and personal look at real-world malicious activities and adversarial behavior.

One of the best ways to do this is to use honeypots. The National Institute of Standards and Technology (NIST) defines honeypots as: “A system or system resource that is designed to be attractive to potential crackers and intruders, like honey is attractive to bears.” It’s an amusing — and appropriate — coincidence that many advanced persistent threat groups have the word “bear” in their names.

Honeypots generally refer to entire systems or environments. Honeytokens, on the other hand, are often specific files, data, and other objects that are used similarly, serving as decoys to entice malicious actors and gain valuable information about them. That said, for this article, and to avoid granular differences, we will broadly use the term honeypots.

Why use a honeypot?

Preventative controls are critical, aligning with industry trends and broader intelligence from groups such as Information Sharing and Analysis Centers (ISAC), but there are a number of valuable reasons to also use honeypots (and the associated honeytokens), not the least of which is that very little can compare to direct threat intelligence drawn from your own organization, operational environment, and systems.

Cybersecurity defenders can use honeypots and their variants to get direct insight into the tools, techniques, and procedures (TTPs) of malicious actors targeting their organization.

Honeypots are often deployed in a constrained and controlled environment within a broader organizational architecture. This lets defenders capture specific forensic evidence for analysis and further research and provide crucial early risk indicators. These may be attempts to probe networked resources, access sensitive data, or exploit vulnerable systems.

This is especially useful given we know from CISA’s recent report that the most commonly exploited vulnerabilities are increasingly zero-days, meaning they weren’t known publicly at the time of exploitation. Hence, organizations need additional indicators and insight beyond known vulnerabilities and the exploitation activity associated with them.

The insights gained through honeypots can be used by defenders to adopt additional security measures or modify existing security controls and tooling to account for the malicious activities they actually observe.


Source : https://www.csoonline.com/article/3814576/why-honeypots-deserve-a-spot-in-your-cybersecurity-arsenal.html

Collaborating with startups, acting as advisors and supporting innovators are some of the ways security leaders can play their part in fostering innovation in cybersecurity.

Cybersecurity leaders have an advantage when it comes to innovation given their front seat facing new and old threats. That is why many CISOs are playing an active role in shaping emerging solutions, which also gives them a clear understanding of where current solutions fall short.

“CISOs can play a part in supporting innovation by shaping solutions that address these gaps,” says Shahar Maor, Fullpath CISO, who’s engaged with numerous startups to explore emerging technologies, co-develop features, and test products in real-world scenarios.

While the rewards can be significant, there are some ground rules. CISOs must know the risks of adopting untested solutions, keeping in mind their organization’s priorities and learning how to evaluate new tools and technologies. “We also ensure both parties have clear, shared goals from the start, so we avoid misunderstandings and set everyone up for success,” Maor tells CSO.

Nonetheless, helping drive innovation can lead to advancements in new security solutions and help CISOs in protecting their organization.

Partnering with startups

With threats evolving every day, organizations are finding that many existing solutions fall short, according to Nicole Perlroth, managing partner of Silver Buckshot Ventures, author and former cybersecurity journalist with The New York Times. This creates more of an appetite to partner with startups because they see potential in gaining access to tailored solutions. “Startups are looking at novel ways to address threats because clearly the old approaches aren’t stopping the attacks that are coming in every day,” she says.


Source : https://www.csoonline.com/article/3807110/the-cisos-role-in-advancing-innovation-in-cybersecurity.html

From traditional investigative methods to zero-day exploits, authorities have a range of techniques at their disposal, including digital searches at borders, which could present concerns for CISOs.

Accessing data on encrypted devices might seem like something out of a hacker or spy movie, but for law enforcement, it’s a very real challenge.

The issue is of relevance to CISOs and other security professionals because workers on sales trips or attending conferences overseas might face demands to decrypt devices and present their contents at border crossings.

Chinese border agents, for example, may use specialized equipment to extract data from devices, even if locked or encrypted.

Contrary to films, brute forcing an AES encryption key or similar encryption technologies is impractical — at least pending the advent of powerful enough quantum computers.

Modern encryption is pretty solid, but luckily for law enforcement and spy agencies the software and people using it are pretty fallible.

Access requests

Gaining access to a suspect’s mobile phone or computer is a high priority for law enforcement.

When a mobile device is seized, law enforcement can request the PIN, password, or biometric data from the suspect to access the phone if they believe it contains evidence relevant to an investigation.

In England and Wales, if the suspect refuses, the police can give a notice for compliance, and a further refusal is in itself a criminal offence under the Regulation of Investigatory Powers Act (RIPA).

“If access is not gained, law enforcement use forensic tools and software to unlock, decrypt, and extract critical digital evidence from a mobile phone or computer,” says James Farrell, an associate at cyber security consultancy CyXcel. “However, there are challenges on newer devices and success can depend on the version of operating system being used.”


Source : https://www.csoonline.com/article/3812874/how-law-enforcement-agents-gain-access-to-encrypted-devices.html

Meta’s large language model (LLM) framework, Llama, suffers a typical open-source coding oversight, potentially allowing arbitrary code execution on servers leading to resource theft, data breaches, and AI model takeover.

The flaw, tracked as CVE-2024-50050, is a critical deserialization bug belonging to a class of vulnerabilities arising from the improper use of the open-source library (pyzmq) in AI frameworks.

“The Oligo research team has discovered a critical vulnerability in meta-llama, an open-source framework from Meta for building and deploying Gen AI applications,” said Oligo’s security researchers in a blog post. “The vulnerability, CVE-2024-50050 enables attackers to execute arbitrary code on the llama-stack inference server from the network.”

Following Oligo’s report on the flaw, Meta’s security team promptly patched Llama Stack, by switching the serialization format for socket communication from pickle to JSON.

A typical AI-framework flaw

According to Oligo’s research, a number of open-source AI frameworks leverage an open-source messaging library (pyzmq) in an “unsafe way”, allowing remote code execution.

The problem stems from Llama Stack using pickle, a Python module for serialization and deserialization of Python objects, within its “inference API” implementation, a functionality Llama has for organizations to bring their own ML models into the application pipeline.

Pickle, which reconstructs Python objects automatically during deserialization, is inherently capable of executing arbitrary code when it deserializes crafted, untrusted data sent by attackers, particularly when the pyzmq (a Python binding for ZeroMQ) implementation that carries those messages is exposed.

“In scenarios where the ZeroMQ socket is exposed over the network, attackers could exploit this vulnerability by sending crafted malicious objects to the socket,” the researchers said, adding that unpickling these objects could allow attackers to “achieve arbitrary code execution (RCE) on the host machine.”
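The fix Meta applied, replacing pickle with JSON for socket messages, is shown below in an added, stdlib-only example that is not Llama Stack’s or Oligo’s code. It contrasts a JSON decoder with schema validation (the hardened path; the field names `model` and `prompt` are assumed for illustration) against a restricted unpickler that refuses to resolve any global, which is a detection-style safeguard for any legacy pickle path that cannot be removed yet. In pyzmq terms, `recv_pyobj`/`send_pyobj` use pickle, while `recv_json`/`send_json` do not.

```python
import io
import json
import pickle


class RejectGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup. Pickle-based code execution
    relies on resolving a callable by name, so an object that needs one raises
    here instead of being reconstructed. Plain data (dicts, lists, strings,
    numbers) still loads, which is what a legacy message path would carry."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def decode_pickle_legacy(raw: bytes):
    """Guarded unpickle for a path that has not yet moved to JSON."""
    return RejectGlobalsUnpickler(io.BytesIO(raw)).load()


# Assumed message schema for the example: field name -> required type.
REQUIRED_FIELDS = {"model": str, "prompt": str}


def decode_inference_request(raw: bytes) -> dict:
    """Hardened decoder: JSON carries data only, never object reconstruction.
    Anything that is not valid UTF-8 JSON (including pickle's binary
    framing) is rejected before any field is looked at."""
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("malformed inference request") from exc
    if not isinstance(msg, dict):
        raise ValueError("inference request must be a JSON object")
    for field, expected in REQUIRED_FIELDS.items():
        if not isinstance(msg.get(field), expected):
            raise ValueError(f"missing or invalid field: {field}")
    return msg


def is_accepted(raw: bytes) -> bool:
    """True if the hardened decoder accepts the message, False otherwise."""
    try:
        decode_inference_request(raw)
        return True
    except ValueError:
        return False
```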


Source : https://www.csoonline.com/article/3810362/a-pickle-in-metas-llm-code-could-allow-rce-attacks.html