By Shira Landau, Editor-in-Chief


Halloween is a widely celebrated holiday in the U.S. Seventy-three percent of Americans intend to celebrate Halloween this year, and U.S. consumers are expected to spend roughly $4.1 billion on dress-up costumes alone.

While the holiday has dark historic origins, it has largely evolved into a festive celebration that focuses on the thrills and chills from spooky costumes, haunted houses, scary movies, ghoulish tales and things that go ‘bump’ in the night. Fear is front-and-center, but the slow-burn supernatural stimuli can be devilishly fun, enjoyable and spook-takular.

Here at CyberTalk, we enjoy a good Halloween hoot as much as the next person, but we would also like to help you steer clear of spine-chilling online Halloween trickery. Your Halloween doesn’t need to include nightmarish cyber security scenarios.

This Halloween, stay safe with these pro tips.

1. Phishing. Halloween brings out the trick-or-treaters, along with the cyber criminals. The latter leverage Halloween to launch new cyber attacks designed to deceive everyday internet users into revealing passwords, sharing files, or downloading malware. For hackers, the trick is to get unsuspecting individuals to click, and the treat is business or personal identity theft, intellectual property theft or other online ills.

This Halloween, avoid new terrors, reduce risk and increase resiliency. Apply anti-phishing software across devices, employ artificial intelligence that can auto-detect anomalies, upgrade firewalls, and reappraise incident response protocols.

2. Spam emails. Hair-raising Halloween-themed spam emails are not uncommon. Hackers sometimes send the same emails year after year, and they’re as effective the fifth time around as they were the first. The subject lines may say “Halloween sale” and advertise pirated goods or bogus deals, or messages may lure eager festival-of-frights revelers with Halloween-themed quizzes, surveys, and links to online videos.

Take control of the inbox. Minimize mischief by investing in anti-spam and email security software.

3. Software updates. Merciless miscreants can worm their way into network systems via unresolved software vulnerabilities. In some cases, cyber criminals then lurk in systems for days, weeks or years, eventually launching savage cyber attacks that often include much-dreaded ransomware.

By installing security patches and other updates on a regular basis, you can prevent cyber criminals from gaining a foothold in systems and accessing data, deliverables or delicate information.

4. Endpoint security. Old traditions die hard, but modernize your endpoint security to strengthen your overall security posture. Evaluate solutions for complex, cloud-based business environments that address unprecedented, sophisticated Gen V attacks. An elegant endpoint security solution can prevent some of the most frightful and haunting witchy-ness on Halloween and year-round.

5. Employee education. Costume contests, bone-chilling breakfasts, and desk decorating competitions are all part of creative office-based Halloween fun, but none is perhaps as critically important as education around hacker-based hocus pocus. Advancing your organization’s employee awareness program can help keep your enterprise protected 24/7/365.

Cyber threats can stab an organization in the back and make everyone’s blood boil. But the cat is out of the bag: your organization can avoid a frightening affair or a beastly blowout by putting the pro tips listed above into practice. After all, tricksters could tie up your infrastructure like so many strawberry twist Twizzlers, rendering your Halloween more spooky-season haunting than fun.

Transform your organization’s cyber security routine and have a wonderfully Happy Halloween!

Lastly, discover new trends, expert interviews, and so much more – subscribe to the newsletter.

Cyber Security Awareness Month insights and analysis – CyberTalk

Congressman Bennie G. Thompson (MS-2) is an elected member of the United States House of Representatives from Mississippi’s 2nd Congressional District. He is a native of Bolton, Mississippi, and considers it an honor to walk the path Mississippi civil rights icons paved decades ago.

Serving his 15th term in the United States House of Representatives, Congressman Thompson has spent his entire career fighting to improve the lives of all people. He is the longest-serving African American elected official in the State of Mississippi and the lone Democrat in the Mississippi Congressional Delegation. 

Most recently, Congressman Thompson received the Chairman’s Award during the 2023 NAACP Image Award. The honor recognizes Thompson’s advocacy for civil rights.

In this interview, U.S. Congressman Bennie G. Thompson (MS-2), Ranking Member, House Committee on Homeland Security, discusses the state of cyber security, both in the U.S. and internationally. He addresses national security, ransomware threats, emerging legislation, “target-rich, resource poor” industries, capacity building efforts across the globe and so much more. Don’t miss this!

How does the U.S. plan to bolster cyber security resilience, amidst an increasingly hostile threat landscape, over the next 6-12 months?

Together with Congress, the Biden-Harris Administration has charted an ambitious course to rapidly evolve how the nation approaches cyber security and has worked to mature collaboration between the Federal government, its state and local partners, and the private sector. From Day 1, the Administration has galvanized efforts to enhance public-private partnerships in the face of rapidly evolving international dynamics – from Russia’s invasion of Ukraine, to China’s ambitions regarding Taiwan, to the role cyber tactics may play following Hamas’s heinous attacks against Israel.

CISA’s Shields Up campaign, especially during the early days of Russia’s invasion of Ukraine, serves as a roadmap for how to respond to the cyber security threats we face from China and Iran. Enhanced collaboration with the private sector will enable us to support efforts to defend the networks of our allies abroad and our government and critical infrastructure networks at home.

We must also be vigilant about information operations. Reporting indicates that China is engaging in new disinformation tactics aimed at sowing discord among the American public. Both China and Iran have leveraged influence operations following Hamas’s attacks against Israel to either malign the Biden Administration’s response or curry favor for Hamas, respectively. Unfortunately, my colleagues on the right have attempted to turn conversations about how to deal with the national security threat associated with information operations into another third rail of politics. We cannot let that happen, and we must work to ensure the public is resilient to lies our adversaries peddle by ensuring they have access to accurate, reliable information. Increased transparency is a critical component of confronting information operations.

On the Homeland Security Committee, my top priority is to ensure that cyber security remains a bipartisan priority and that my colleagues on the other side of the aisle do not turn CISA into a political hot potato. It is true that Congress has greatly expanded CISA’s budget and authorities while Democrats controlled the House. Those increases reflected long overdue investments in CISA’s critical mission: defending and making resilient Federal networks and critical infrastructure. As our adversaries grow bolder in their ambitions in cyber space, we cannot afford to cut CISA’s budget or attack its authorities.

Should the U.S. revise its approach to ransomware threats, given their potential to disrupt vital American organizations and the economy?

The Biden Administration has implemented many significant changes in how the U.S. approaches ransomware threats. These include disrupting ransomware gangs and taking more proactive steps to help support victims. Programs like CISA’s Pre-Ransomware Notification Initiative also show promise. Such programs reach out to victims to let them know that their networks may have been breached before ransomware actors encrypt or steal data.

I am hopeful that implementation of the Cyber Incident Reporting for Critical Infrastructure Act will help CISA gain the information necessary to better support such initiatives. Ultimately, while efforts to dismantle ransomware gang networks, prosecute hackers, and disrupt attacks are important, so long as countries like Russia shelter ransomware actors, the threat will remain. Implementing CISA’s vision of secure-by-design and secure-by-default technology will be essential to improving organizations’ defenses.

How can new or emerging legislation assist with cyber protection for critical infrastructure sectors?

During the 116th and 117th Congresses, we provided CISA with several new authorities to enhance the security of critical infrastructure. Congresswoman Yvette Clarke led three of them: The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), legislation authorizing CISA’s CyberSentry Program, and the State and Local Cybersecurity Improvement Act. Together, these pieces of legislation dramatically improve the Federal government’s visibility in terms of activity happening on critical infrastructure networks, enabling us to detect malicious cyber campaigns earlier and better understand the tactics of our adversaries. In turn, this will allow us to prioritize security investments and provide much-needed resources to State and local governments. Additionally, current Subcommittee Ranking Member Swalwell enacted legislation to improve cyber security training for the industrial control systems (ICS) workforce.

Getting these bills enacted was important, but ensuring that they are implemented effectively is even more so. From an oversight perspective, we will be laser focused on implementation of CIRCIA. We expect that the Notice of Proposed Rulemaking (NPRM), which is due out early next year, will identify the appropriate scope of covered entities and adequately contemplate the need to harmonize incident reporting requirements across the Federal government.

Building upon the progress made in previous Congresses, Subcommittee Ranking Member Swalwell has been working on legislation to formally authorize CISA’s Joint Cyber Defense Collaborative (JCDC). The JCDC has been the hub of public-private collaboration since its inception, but most notably during the Shields Up campaign following Russia’s invasion of Ukraine and the disclosure of the Log4j vulnerability. Ranking Member Swalwell has worked closely with stakeholders on this bill, and the formalized structure, governance, and accountability measures included in it will ensure that the JCDC continues to serve as a productive hub for public-private collaboration for years to come.

Considering the fact that the private sector controls nearly 90% of critical U.S. networks, what strategies do you propose to assist resource-strapped sectors, like energy and water, in strengthening their cyber security defenses against possible threats?

I have been concerned about “target-rich, resource poor” sectors for quite some time. When I was Chair of the Committee last Congress, I held a hearing focusing on building resilience in the water sector at the Full Committee level and we also heard from water sector stakeholders at the subcommittee level. The witnesses’ insights were invaluable. They told us the Federal government needs to better tailor and streamline the cyber security advice and guidance for “target rich, resource poor” entities that do not have the workforce to absorb volumes of unnecessary information. We also learned that there is a real workforce and training shortage, which is why passing Mr. Swalwell’s industrial control systems workforce training bill was so important.

Moving forward, CISA and its federal partners must make sure “target-rich, resource poor” entities are aware of the free resources and support they provide and ensure that those resources provide security value. The President’s budget submissions have contemplated a Critical Infrastructure Cybersecurity Grant Program, but we have not seen a legislative proposal. I think there is value in the Federal government investing in the cyber security “target-rich, resource poor” entities we rely on every day, and would be interested to understand how the Administration thinks such a grant program could be structured.

How do you envision the U.S. collaborating with international partners in order to address emerging cyber threats and to enhance resilience on a global scale?

One of the key pillars of the new National Cybersecurity Strategy is forging international partnerships. Implementing that effort requires recognizing that our allies around the world are all at different levels of sophistication with regard to cyber security. For those like our Five Eyes partners and other allies with advanced cyber security skills, information sharing has been crucial to developing cyber security advisories and identifying emerging cyber threats. For others, the focus must be on simply building up a baseline cyber security capacity. Just as we work to protect critical infrastructure in the United States, the Covid-19 pandemic highlighted that with global supply chains, disruptions to critical infrastructure elsewhere can also cause significant disruption here at home. We aim to work with our allies and trading partners to improve cyber resilience globally and to make us more secure.

Do you believe that joint cyber exercises and response drills, conducted in partnership with international allies, should be expanded to better prepare for coordinated cyber threats? How can such exercises advance collective cyber resilience?

Russia’s invasion of Ukraine has demonstrated the value of investing in partner countries’ cyber defense capacity and how international cooperation can improve cyber resilience. Expanding participation in joint cyber exercises with allies should help us build on the lessons learned in the Ukraine experience so we can be better prepared for coordinated cyber threats globally. In particular, expanded exercises with partners and allies in Asia should be part of our strategy for preparing for the potential for future coordinated cyber activity in the region. 

How can both the government and private sectors support capacity building efforts in developing nations in order to enhance their cyber security capabilities and to shrink the global risk landscape?

There are many countries in the world that lack the resources for adequate cyber defenses, and we have seen examples of ransomware gangs taking advantage of this limitation. The potential impact is even greater in the event of attacks by nation-state actors against a developing nation. The Biden Administration has increased investment in building up capacity in countries like Costa Rica. I hope to see a sustained effort in providing resources and trainings to help developing countries better secure their networks, including in areas like sub-Saharan Africa, where resources are particularly limited. Additionally, an aspect of building up countries’ cyber capabilities should include expanding law enforcement capacity in partner countries who want to target ransomware gangs and other cyber criminals that may operate in their countries. The private sector should definitely step up to provide trainings in developing countries and by working to develop cyber security products and secure-by-design technology that is affordable for a broad range of countries.

In honor of Cyber Security Awareness Month, what takeaway messages would you like to share with the cyber security community?

Cyber security is a team sport. There is plenty of work to be done and everyone has a role to play – from Congress to the Administration, State and local partners, the private sector, and the public.

To Congress, I urge my colleagues to continue to support and fund CISA’s critical cyber security work. Sound cyber security policy must remain a bipartisan priority and we cannot allow it to be politicized.

I encourage the private sector to continue to engage with Congress and the Administration as cyber security policy continues to evolve. The cyber security legislation we enacted over the past two Congresses benefited enormously from private sector engagement and feedback, and we need continued collaboration to get policies right to reduce systemic cyber security risk.

And to the public, do not be intimidated by cyber security – as a practice or as a profession. Good cyber hygiene does not have to be hard, expensive, or time consuming. Keeping software up to date, enabling MFA, and avoiding phishing are low-cost, high-value ways to stay safe online. We also have a very concerning cyber workforce shortage. Cyber security careers are good careers. Many do not require a 4-year degree or any degree at all. Training is available, and we are working to make it more accessible.

Dangerous new malware cracks encrypted government USBs – CyberTalk


In the Asia-Pacific (APAC) region, a newly discovered malware has compromised “secure” USB drives, enabling theft of information from government endpoints. Called TetrisPhantom, the malware is believed to have operated covertly for several years.

USB drives may seem old-school, but government organizations still frequently use these removable drives to securely store and transfer data. In theory, this type of attack could affect government entities nearly anywhere in the world.

How it works

Secure USB drives have an encrypted partition whose files can only be accessed with a password and through specialized software. This allows for the safe transfer of data between systems, including to and from air-gapped endpoints.

TetrisPhantom relies on sophisticated techniques and procedures, including virtualization-based software obfuscation for malware components, low-level communication with the USB drive using direct SCSI commands, and self-replication through connected and secure USB drives.

As a result, the malware can propagate to air-gapped systems and inject code into a legitimate access management program on a USB drive, which functions as a loader for the malware on a new machine.
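Because the loader described above rides inside the legitimate access-management program stored on the drive itself, one defender-side check is to hash the tools carried on removable media against a baseline recorded on a trusted host, and to refuse to run them when the hashes differ. The block below is an added illustration, not code from the original article or from any USB vendor; the file name `SecureAccess.exe`, the temporary directory standing in for the drive, and the tampering step are all constructed for the demo.

```python
"""Integrity baseline for tools carried on removable media (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(tool_dir: Path) -> dict:
    """Record the SHA-256 of every file under tool_dir, keyed by relative path."""
    return {
        str(p.relative_to(tool_dir)): sha256_of(p)
        for p in sorted(tool_dir.rglob("*"))
        if p.is_file()
    }


def verify(tool_dir: Path, baseline: dict) -> dict:
    """Compare the drive's current contents with a baseline kept on a trusted host."""
    current = build_baseline(tool_dir)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "added": sorted(n for n in current if n not in baseline),
    }


def run_demo() -> dict:
    """Build a baseline from a constructed 'drive', alter the access tool, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)                       # stands in for the mounted USB drive
        tool = drive / "SecureAccess.exe"       # hypothetical access-management program
        tool.write_bytes(b"MZ" + b"\x00" * 64)  # constructed placeholder, not a real binary
        (drive / "README.txt").write_text("vendor notes")

        baseline = build_baseline(drive)        # taken while the drive is known-good

        # Simulate a later, unauthorized change to the tool and an unexpected extra file.
        tool.write_bytes(tool.read_bytes() + b"\x90" * 16)
        (drive / "unexpected.dll").write_bytes(b"constructed")

        return verify(drive, baseline)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The baseline has to live off the drive (for example in a signed manifest on the host that performs the check); a manifest stored on the same removable media can be rewritten along with the tool. A hash match also only proves the file is unchanged since the baseline was taken, not that the baseline itself was clean, so pair this with a removable-media allowlist and vendor-signed binaries where the host supports them.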

Additional payloads

TetrisPhantom can deploy additional payloads. Some of these have information-stealing and file-theft capabilities.

And once the systems have been breached, threat actors can introduce other malicious files into ecosystems.

Campaign goals

The goals of the campaign appear centered around extracting sensitive data from APAC region governments. Attacks targeting government agencies have spiked in recent years, with the greatest uptick across the past three years, according to cyber security research.

At present, it’s unclear as to which governments may have been affected by this threat or if nation-state actors were behind the attack.

Nation-state actors often seek intel pertaining to their adversaries’ political maneuvers, spheres of influence, short-range, mid-term and long-term goals.

TetrisPhantom is believed to have been created by highly skilled and uniquely capable threat actors.

APT threats

This disclosure around theft of government data in the APAC region unfolds against the backdrop of another attempt to target government entities…

An advanced persistent threat (APT) actor has been linked to a variety of attacks targeting government organizations, military contractors, universities and hospitals in Russia via spear phishing emails.

In these attacks, the threat actor has initiated a multi-level infection scheme which ultimately allows for file exfiltration and uses arbitrary command execution to gain system control.

Preventing attacks

To prevent targeted attacks like TetrisPhantom (and similar), pursue a proactive cyber security approach.

  • Maintain up-to-date software
  • Provide relevant education and encourage employee awareness
  • Ensure that your organization has real-time threat intelligence
  • Upskill your teams so that they operate at a more elite level
  • Leverage endpoint detection and response solutions

Increase your cyber security preparedness and resilience. For more insights into the latest threats, please see CyberTalk’s past coverage. Lastly, to receive timely cyber security insights and cutting-edge analyses, please sign up for the newsletter.

20 characteristics of highly effective cyber security leaders – CyberTalk


Every cyber security leader aspires to be a top performer. However, an industry analysis reveals that a mere 12% of cyber security leaders earn the distinction of being “highly effective”.

In this article, we’ll explore the key attributes that distinguish exceptional security leaders, empowering you to determine how to best convey your capabilities, hone your skills, and make an outstanding impact in the field.

20 characteristics of highly effective cyber security leaders

1. Technical prowess. Exceptional security leaders exhibit a nuanced technical understanding of the systems and technologies that they manage and safeguard. This knowledge is, of course, the bedrock upon which decisions and strategies are built.

2. Strategic thinking. After surveying the landscape in a new environment, security leaders need to take a strategic approach. From prioritizing risk assessments, to developing a comprehensive plan and engaging other departments, strategic thinking is crucial in order to stay ahead of hackers.

3. Hacker mindset. When security leaders understand how attackers think, the tools that they use, their approaches, and their favorite targets, it becomes less difficult to protect an increasingly complex attack surface.

4. Innovative. While maintaining a careful balance in relation to security risks, CISOs and cyber security leaders must be willing to explore and experiment with new technologies.

5. Adaptability. Given that threats evolve rapidly, adaptability is crucial. Highly effective leaders can quickly pivot, ensuring that preventative measures and defenses continuously remain updated, relevant and effective.

6. Resourcefulness. This quality can be developed by gaining knowledge around how to use security tools most effectively, knowing the strengths and weaknesses of those on the team, and identifying cost-saving measures.

7. Ethical mindset. Organizations that store sensitive data and/or personal information are obligated to ensure that ethical approaches are taken in regard to data loss prevention, reporting and compliance, among other things. Security leaders set the standards and need to be able to make ethical decisions.

8. Communication skills. Security leaders must effectively convey security concerns to stakeholders; from the board, to senior management, to rank-and-file employees. Good communication skills enable security leaders to make the importance of cyber security universally understood.

9. Proactive. This is a hallmark of a strong security leader. Proactive leaders address vulnerabilities preemptively, reducing the organization’s exposure.

10. Doesn’t assume. Effective leaders prioritize active listening, fact-finding, empathy and external perspective seeking in order to make informed decisions. By avoiding assumptions, security leaders create a culture of evidence-based decision-making.

11. Metrics-minded. Embracing a metrics-driven approach empowers leaders to adapt and refine security measures, ensuring a continuous push towards greater organizational security.

12. Increases ROI on security. Exceptional leaders in cyber security demonstrate a tangible return on investments, effectively communicating how investments translate into risk mitigation, cost savings and a stronger overall cyber security posture.

13. Introspective. Introspection helps ensure that actions and behaviors are not only consistent with one’s internal values, but that they’re also in full alignment with expectations and business needs.

14. Emotional intelligence. Security leaders can develop a more cyber savvy workforce by using emotional intelligence to address ‘the human factors’ that contribute to cyber risks.

15. Business acumen. Top cyber security leaders bridge the gap between cyber security and business by aligning security measures with the organization’s strategic goals; highlighting how security is an enabler of business success.

16. Inclusive. By creating an environment in which all voices are heard, leaders can create stronger cyber security plans and outcomes.

17. Ecosystem protection. Effective cyber security leaders recognize that an organization doesn’t exist in isolation and that its security is intrinsically connected to that of its vendors and partners. A comprehensive and collaborative approach here makes it significantly more difficult for cyber threats to get through.

18. Crisis management skills. Cyber crises are major challenges. To contend with such situations, leaders need to be able to make decisions, activate plans, and have teams execute in a timely manner and so much more.

19. Life-long learner. The best cyber security professionals are always “hungry” for new knowledge. A life-long learner approach enables security professionals to continuously attempt to remain ahead of cyber criminals, no matter how speedy, sleuthing and sophisticated they become.

20. Tenacity. Finally, modern CISOs need to maintain a tenacious or determined approach, as cyber security often lacks quick fixes. Thus, it’s essential that CISOs take the long view and continue protecting the organization, no matter how tough things get.

More information

In a digital landscape where the cost of security breaches is ever-increasing, the pursuit of leadership excellence is an imperative. By honing these characteristics, cyber security leaders can play an even more impactful role in safeguarding organizations.

Discover more CISO and cyber security leadership insights via CyberTalk’s past coverage. Lastly, to receive timely cyber security insights and cutting-edge analyses, please sign up for the newsletter.

Another 23andMe breach might affect millions worldwide – CyberTalk


The genetics company 23andMe is looking into another data leak. A few weeks ago, a hacker published a trove of stolen user data on the internet. On Tuesday, the same hacker claimed to have leaked another 4 million genetic profiles, posting this latest tranche of data on the hacking site BreachForums.

Data leak legitimacy

“We are currently reviewing the data to determine if it is legitimate,” says Katie Watson, Vice President of Communications for 23andMe. “Our investigation is ongoing and if we learn that a customer’s data has been accessed without their authorization, we will notify them directly with more information.”

In relation to the previous data leak, 23andMe has ascertained that the data was legitimate, and that it affected the platform’s DNA Relatives feature, which allows users to match with potential genetic relatives on the platform.

The most recent leak also involves 23andMe’s DNA Relatives feature. The hacker responsible for the leak may have extracted and exploited information about individuals with whom a person has been genetically matched.

Why stolen genetic data is such a big deal

Genetic data contains highly personal and sensitive information about a person’s genetic makeup, ancestry, family relations, and health conditions, among other things.

As an article in the journal Nature points out, “Whether for profit, blackmail or simply mischief, DNA thieves can wreak havoc on their victims’ lives.”

Hackers could attempt to sell genetic data back to users for a ransom, threatening to publish sensitive information (ancestry, health status, children born out of wedlock…etc.) widely if payment is not made.

And as one reply to a Verge comments thread half-jokingly suggested, “insurance companies will buy out your info, then refuse to sell you insurance based on your genetics.”

If that prospect sounds ludicrous, consider that in the U.S. only a handful of states have laws restricting disability and life insurance underwriters from using a person’s genetic information when writing policies, although health insurers are barred from the practice.

Emergent class-action lawsuits

The data leaks have spurred a set of class action lawsuits against 23andMe, including five in California, where the company maintains headquarters.

In one case, plaintiffs allege that the company failed to apply “adequate and reasonable cybersecurity procedures and protocols necessary to protect victims’ PII”.

Among other things, the suit also alleges that 23andMe ignored users’ rights, didn’t adequately secure data systems from unauthorized intrusions, and did not monitor its networks, which would have enabled the company to discover the intrusion sooner.

Claims in three of the other lawsuits are very similar in nature. One suit brought claims for negligence, invasion of privacy, breach of contract and breach of implied contract.

If this breach affects you…

23andMe users have been urged to change their passwords and to enable multi-factor authentication on their accounts.

Consumers can also request for 23andMe to delete an account, stop using personal data in new research studies, and destroy the genetic sample originally submitted.

However, during the deletion process, 23andMe informs customers that the company and its partner lab will maintain “genetic information, date-of-birth and sex” after the account is deleted, per state and federal legal requirements.

A company spokesperson has said that the retained data simply isn’t tied to an individual’s name. Nonetheless, so-called anonymous genetic data can, in some cases, be re-identified.

For more on this story, click here. Lastly, to receive timely cyber security insights, expert reports, and cutting-edge analyses each week, please sign up for the newsletter.

With ‘Dual Ransomware’ attacks, elevate your prevention strategy – CyberTalk

Eddie Doyle guides enterprise organizations and corporate leaders to solve challenges in an engaging manner, championing his customers’ projects to fruition through inspirational leadership and deeply provocative thought. As a keynote speaker, Eddie reaches that “Aha!” moment with his audiences, revealing simple, actionable truths to solve problems.

Earlier this month, the U.S. Federal Bureau of Investigation (FBI) issued a warning about new ransomware threat actor tactics. Specifically, the FBI described ‘Dual Ransomware Attacks’ (not to be confused with double ransomware attacks), where threat actors compromise a victim with one strain of ransomware, and within 48 hours to 10 days, deploy a secondary strain of ransomware, resulting in additional damage.

In this interview, we speak with Global Cyber Security Strategist, Edwin Doyle, about the issue. Get in-depth insights into the nature of dual ransomware threats, find out about how they could impact decisions around security solutions, and learn about essential dual ransomware prevention measures, enabling you to drive strong cyber security outcomes.

What have you seen in terms of dual ransomware attacks?

Ransomware threat actors are competing to eat their own lunch. Because many ransomware threat actors are eyeing the same companies as potential targets, they’re trying to ‘outdo’ one another with their tactics and thus gain an advantage.

I suspect that as organizations start to realize that they’re going to be targeted multiple times in a sort of “competition” by these threat actors, that will increase the probability of victims resisting ransomware payments.

If organizations are going to be affected by ransomware multiple times, how can they even afford to keep up with ransomware payments? What other choice do they have besides strengthening cyber security measures and leveraging techniques that enable them to move past ransomware?

If anything, what makes these attacks particularly problematic?

One issue is that these ransomware threat actors are deploying different variants of ransomware across the life of the attack. To-date, the types of ransomware observed within dual ransomware attacks include AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum and Royal.

Deployment of different combinations of the above has resulted in complex blends of data encryption, exfiltration and extortion. It’s also meant that the amount of technology needed to contend with and untangle all of this is extensive.

I think what’s going to happen is that end users are going to need to push themselves toward a multi-vendor approach if they don’t have a vendor that has a superior Indicators of Compromise (IoC) library.

And vendors will have to demonstrate that their IoC library has resistance against a variety of advanced ransomware strains. If vendors can prove that, customers are likely going to be better off with just a few vendors, so that they can highlight incidents from their SIEM effectively.

Alternatively, this could play out in such a way where customers scramble to hire multiple vendors, hoping that all of the IoCs from these vendors will cover the ransomware variants deployed within these new dual ransomware attacks. However, the problem with that, of course, is it’s going to lead to a lot more noise – because, the more vendors that an organization has, the more overrun and overwhelmed the SIEM, reporting and alerting is going to be.

Is there anything that organizations should do in order to prevent these types of threats?

As far as prevention goes, it’s much like brushing teeth. It demands routine and consistent effort. However, I think people don’t particularly like brushing their teeth, do they? While cyber security professionals may not always find basic cyber hygiene measures exciting, they’re essential when it comes to taking a proactive approach. But to be even more specific:

  • Endpoint security. Prevent ransomware intrusions by using endpoint security software. Stop malicious encryption; deploy endpoint protection.
  • Off-site and offline backups. Air-gapped backups that are tested in tabletop exercises are essential. I mentioned ‘tested in tabletops’ because so many people have backup systems put into play, but don’t visit them for six months, only to belatedly realize that the systems may become overwhelmed. It’s important to have monthly or quarterly tabletop exercises, so that you can do a mock test of bringing your backups into fruition.
  • Obviously, blocking common forms of entry with things like VPN and an RDP console.
  • Intrusion detection would likely be another one. That’s more of an MDR conversation.

Is there anything else that you’d like to share with the Cyber Talk audience in relation to dual ransomware threats?

Second ransomware attacks often appear within 48 hours of the first attack, although the interim between attacks may be as long as 10 days.

I would say that, again, security leaders will see results from security initiatives if they’re consistent. It’s about ‘brushing teeth,’ so to speak. It’s about patching regularly and taking care of the basics well.

Going back to tabletop exercises – what should organizations do if ransomware threats strike twice in quick succession? You’ll know the answer if it’s been included in your tabletop exercises!

The potential for dual ransomware attacks is likely something that cyber leaders haven’t previously considered including in tabletop exercises. Nonetheless, they should certainly include dual ransomware incidents in tabletops.
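The timing Eddie describes (a second, different strain typically within 48 hours, and up to 10 days after the first) can be turned into a simple SIEM-style correlation. The script below is an added example, not code from CyberTalk or Check Point; the alert line format, field names, host names and timestamps are constructed for illustration, and the family names are the ones listed in the interview.

```python
"""Flag possible 'dual ransomware' activity in endpoint alerts.

Added example. It groups alerts by ransomware family, finds the first time
each family was seen across the estate, and reports every pair of distinct
families whose first appearances fall within the 10-day window described in
the interview, marking pairs inside 48 hours as fast follow-ons.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Timing from the interview: a second strain often within 48 hours,
# but the gap between deployments can stretch to 10 days.
FAST_FOLLOW = timedelta(hours=48)
MAX_GAP = timedelta(days=10)

# Constructed sample alerts (not real telemetry). One alert per line as
# key=value pairs; the format and field names are assumptions.
SAMPLE_ALERTS = """\
ts=2023-10-01T22:10:00 host=fs01 family=AvosLocker event=mass_encryption
ts=2023-10-01T22:12:30 host=fs02 family=AvosLocker event=mass_encryption
ts=2023-10-02T09:00:00 host=fs01 family=AvosLocker event=ransom_note
ts=2023-10-03T14:45:00 host=db01 family=Royal event=mass_encryption
ts=2023-10-09T01:20:00 host=web03 family=LockBit event=mass_encryption
ts=2023-11-20T08:00:00 host=lab07 family=Quantum event=mass_encryption
"""


def parse_alert(line):
    """Turn one 'key=value key=value' line into a dict with a parsed timestamp."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def first_seen_by_family(alerts):
    """Map each family to its earliest alert time and the set of hosts it touched."""
    seen = {}
    hosts = defaultdict(set)
    for alert in alerts:
        fam = alert["family"]
        hosts[fam].add(alert["host"])
        if fam not in seen or alert["ts"] < seen[fam]:
            seen[fam] = alert["ts"]
    return seen, hosts


def find_dual_ransomware(alert_text):
    """Return one finding per pair of distinct families whose first sightings
    are at most MAX_GAP apart. Findings are ordered by the earlier family."""
    alerts = [parse_alert(line) for line in alert_text.splitlines() if line.strip()]
    first, hosts = first_seen_by_family(alerts)
    ordered = sorted(first.items(), key=lambda kv: kv[1])
    findings = []
    for i, (fam_a, t_a) in enumerate(ordered):
        for fam_b, t_b in ordered[i + 1:]:
            gap = t_b - t_a
            if gap > MAX_GAP:
                break  # families further down the list are even later
            findings.append({
                "first": fam_a,
                "second": fam_b,
                "gap_hours": round(gap.total_seconds() / 3600, 1),
                "fast_follow": gap <= FAST_FOLLOW,
                "hosts": sorted(hosts[fam_a] | hosts[fam_b]),
            })
    return findings


if __name__ == "__main__":
    for f in find_dual_ransomware(SAMPLE_ALERTS):
        tag = "FAST" if f["fast_follow"] else "slow"
        print(f"[{tag}] {f['first']} -> {f['second']} after {f['gap_hours']}h on {f['hosts']}")
```

In a real SIEM the same logic would run over family labels from the endpoint product's IoC library, which is why the interview stresses the breadth of that library.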

For more insights from Global Cyber Security Strategist Edwin Doyle, please see CyberTalk’s past coverage. Lastly, to receive timely cyber security insights and cutting-edge analyses, please sign up for the newsletter.

Strategic readiness: Effectively preparing for NIS2 compliance – CyberTalk

By Shira Landau, Editor-in-Chief,

As we near the final stretch of Cyber Security Awareness Month, it’s time to expand our focus beyond passwords and multi-factor authentication (although they’re important too).

Within the U.K., France and Germany, just a handful of organizations (34%) are prepared for the EU’s updated Network and Information Security Directive (NIS2). Three-quarters of organizations have yet to fully address the five core compliance requirements.

NIS2 was enacted in January of 2023, and the deadline by which member states must comply is October 24th 2024. If that looks like a long time from now, bear in mind that there’s a lot to comply with…

What is NIS2?

In 2016, the EU passed the original NIS Directive, which became law in most member states by 2018. However, the original directive drew criticism due to its ambiguity, as it resulted in divergent interpretations across EU nations.

NIS2 is an update to the rules, but it’s also more than that. It will function as an overhaul of past rules, helping to ensure that cyber security measures are unified, robust and adaptive.

The legislation applies to all organizations with over 250 employees and an annual turnover of €10 million or more.

NIS2 enterprise complacency

Thus far, organizations have been relatively slow to comply. This may be the case because compliance involves investments in technologies, personnel, training programs and administrative functions.

In terms of progress against requirements, the breakdown below illustrates where organizations are in their compliance journeys:

  • 80% of organizations still need to properly secure their supply chains.
  • 76% of organizations still need to assess the efficiency of existing cyber security protocols.
  • 76% of organizations still need to implement HR security.
  • 74% of organizations need to add new risk management measures.
  • 72% of organizations still need to offer cyber security training to staff.

Experts warn against enterprise complacency when it comes to addressing these areas, as each one takes an average of 5 months to fully address.

NIS2 compliance failure

Inability to comply with the NIS2 Directive can result in fines of up to €10m ($10.5m) or 2% of an organization’s global annual revenue.

Organizations are advised to plan well across the next few months, and to avoid the same mistakes that many made in failing to adequately prepare for GDPR.

The financial penalties aren’t mere punitive measures; risks of non-compliance go beyond financial loss. Non-compliance can result in the revocation of operating licenses and can expose executives to personal liability.

Expert recommendations

Rather than viewing NIS2 as a bureaucratic hurdle to be cleared, consider this a transformative opportunity through which to significantly strengthen cyber security measures, thereby mitigating multi-dimensional risks and increasing overall resilience.

Due to the complexity and wide-ranging implications of the NIS2 Directive, external consultation with legal advisors and cyber security experts can provide invaluable insights.

See the NIS2 Directive as the ultimate CISO wishlist. Embrace the Directive in order to drive lasting improvements, which can position organizations as leaders in a digital world where security and trust are irreplaceable.

For more on NIS2, please see CyberTalk’s past interview with Check Point’s VP of Engineering, Peter Sandkuijl. Lastly, to receive timely cyber security insights and cutting-edge analyses, please sign up for the newsletter.

The convergence of ZTNA, mobile devices & identity management

Augusto Morales is a Technology Lead (Threat Solutions) at Check Point Software Technologies. He is based in Dallas, Texas, and has been working in cyber security since 2006. He got his PhD/MSc in Telematics System Engineering from the Technical University of Madrid, Spain, and he is also a Senior Member of the IEEE. He is the author of more than 15 research papers focused on mobile services. He holds professional certifications such as CISSP, CCSP and others.

In our increasingly interconnected digital domain, the convergence of Zero Trust Network Architecture (ZTNA), mobile devices and identity management has emerged as a critical focal point within cyber security. At-a-glance, these three elements may seem unrelated, but the rising prevalence of mobile devices as key tools for user and system authentication, often through multi-factor authentication, has blurred the lines between them.

In this interview with expert Augusto Morales, we delve into the security challenges and opportunities arising from this convergence. Don’t miss this!

1. How does the convergence of ZTNA, mobile devices and identity management impact the overall security posture of an organization?

At first glance, these three components—ZTNA, mobile devices, and identity management—seem to belong to different areas of cyber security. However, due to the increasing use of mobile devices as conduits to identify users and systems through methods like MFA, the lack of visibility between the interactions increases the attack surface for organizations.

For example, in a hypothetical scenario, a mobile device gets compromised because of a malicious application or an event, like smishing. Device compromise poses a risk to users’ identities. The core concept of ZTNA proposes that organizations should actively monitor deviations from baseline policies during sessions. In other words, if a mobile threat detection system exists, it should enforce controls to prevent these attacks. The current challenge has to do with the exploitation of Multi-Factor Authentication (MFA) mechanisms by malicious actors.

Another common example is seen among organizations that, in providing MFA, allow users to accept a push notification to confirm their identities. Cyber criminals take advantage of this by sending numerous MFA requests, a practice known as MFA bombing, to end-users until users accept and unintentionally authenticate the criminals.

MFA bombing, a.k.a. MFA fatigue, also presents other challenges. Some concepts within ZTNA address the situation, such as by inspecting behavioral and environmental attributes like geo-location. However, problems can arise when the human element is involved, and implementing ZTNA is not always possible due to privacy, technical, and regulatory constraints, such as BYOD, the impossibility of applying TLS inspection, and GDPR.

The paragraphs above describe examples of convergence and the challenges involved in achieving ZTNA. There are also initiatives aimed at reducing the cyber attack surface in these convergences. As a result, this topic will become something that organizations should address at the architectural level.

2. What are the implications of Bring Your Own Device (BYOD) policies in the context of ZTNA and identities for governments?

The popularity of BYOD is increasing; however, there is a limited ability to implement security controls and achieve ZTNA with a tolerance and risk level that’s acceptable for most companies. This challenge spans private and public organizations, as well as governments.

For instance, governments are accelerating the use of digital identities, particularly in the European Union. The basic idea is to use our mobile phones to prove who we are instead of relying on physical cards. This means that cyber criminals might start targeting mobile devices more often, as they are now crucial for verifying identities in government and private activities.

Imagine if cyber criminals were to steal a digital driver’s license; they could use it to impersonate individuals and carry out malicious actions, like taking out legitimate loans or even boarding planes.

Hackers could also steal identities to mislead authorities during cyber crime investigations. The same applies to data tampering. This situation could pose a very risky scenario for users, resembling what has been seen in financial institutions, where despite 40 years of research, industry consortiums, and billions of dollars invested, cloned cards, ATM hijackings, and recent abuses of AI to harvest financial data still persist.

The problem is that BYOD implementations haven’t received as much attention as they should have in terms of access control. Protecting private phones is complicated because organizations need to find a balance between keeping user information private and ensuring the protection of company data and identities. The entire industry is still figuring out whether it should prioritize security over convenience.

Based on our experience in many customer engagements, we have noticed difficulties in implementing cyber security concepts in the mobile world. For example, security controls like encrypted data-in-motion inspection pose problems, as certificate pinning is now widely implemented in applications. Therefore, it is imperative to understand how the mobile ecosystem works and how to implement reference architectures and guidelines provided by NIST.

Another related challenge is associated with the world of mobile software. It is essential to understand how and when to apply ZTNA principles to mobile software and its execution in non-trusted environments, such as the mobile OS itself or the network.

3. In the context of identity management, what are the best practices for ensuring strong authentication and authorization controls for mobile users accessing corporate resources under a zero trust model?

The recommendations that we consistently convey to our customers are closely tied to their business use cases and how to provide both protection and convenience. It is also crucial to assess the maturity, comprehension, and applicability of ZTNA and, lastly, the applicable mobile strategy (e.g., BYOD, CYOD, and COPE). Nevertheless, we can outline some generic best practices below:

A) Implement MFA company-wide for users and systems. This applies to all forms of Private Access, VPN, or SaaS applications.

B) Implement number or code matching.

C) Protect the enrollment process and use physical means to verify the legitimacy of the parties involved. For instance, a combination of voice, location, physical presence, and specific out-of-band knowledge can be utilized.

D) When possible, apply Mobile Threat Defense, or include self-protection features in applications that manage or interact with sensitive data at-rest and data in-motion.

E) Review default configurations and adapt them to meet the required identity governance policies. In the case of mobile phones, posture management helps continuously validate changes in software, such as CVEs and unsecured settings.

F) Identify anomalies in authorization and access control, particularly for SaaS applications.
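Two of the points above, MFA bombing (question 1) and number or code matching (recommendation B), can be shown together on the server side of a push-MFA flow. The sketch below is an added example, not code from Augusto Morales or any Check Point product; the class name, the 60-second prompt lifetime, the three-prompts-per-five-minutes threshold and the two-digit code length are all assumptions chosen for illustration.

```python
"""Push-MFA verifier with number matching and a prompt-flood throttle.

Added example. Each login attempt creates a prompt carrying a random two-digit
code that the login screen displays; the authenticator must send back the same
code, so blindly tapping "Approve" on a prompt the user never started fails.
Unanswered prompts are counted per user, and a burst beyond the threshold is
treated as suspected MFA bombing: the user is locked and pending prompts are
refused until an operator intervenes.
"""
import hmac
import secrets
import time
from collections import deque

PROMPT_TTL = 60.0            # seconds a prompt stays valid (assumed)
MAX_PROMPTS_PER_WINDOW = 3   # more prompts than this per window = suspected bombing (assumed)
PROMPT_WINDOW = 300.0        # seconds (assumed)


class PushMfaService:
    """Minimal model of the verifier; `now` is injectable so the flow can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}    # prompt_id -> (user, code, created_at)
        self._history = {}    # user -> deque of prompt creation times
        self.locked = set()   # users throttled for suspected MFA bombing

    def request_login(self, user):
        """Called by the login flow. Returns (prompt_id, code_to_display),
        or None when the user has been throttled."""
        now = self._now()
        hist = self._history.setdefault(user, deque())
        while hist and now - hist[0] > PROMPT_WINDOW:
            hist.popleft()                      # forget prompts outside the window
        if len(hist) >= MAX_PROMPTS_PER_WINDOW:
            self.locked.add(user)               # burst of prompts: suspected MFA bombing
            return None
        hist.append(now)
        code = f"{secrets.randbelow(100):02d}"  # the number shown on the login screen
        prompt_id = secrets.token_hex(8)
        self._pending[prompt_id] = (user, code, now)
        return prompt_id, code

    def approve(self, prompt_id, code_entered):
        """Called by the authenticator app. True only if the prompt is live,
        the user is not locked, and the typed number matches. A prompt is
        single-use: it is consumed whether or not the approval succeeds."""
        entry = self._pending.pop(prompt_id, None)
        if entry is None:
            return False
        user, code, created = entry
        if user in self.locked or self._now() - created > PROMPT_TTL:
            return False
        return hmac.compare_digest(code, str(code_entered).zfill(2))


if __name__ == "__main__":
    svc = PushMfaService()
    prompt, shown = svc.request_login("alice")
    print("login screen shows:", shown)
    print("approve with matching number:", svc.approve(prompt, shown))
```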

4. How can organizations balance user convenience and cyber security when implementing multi-factor authentication (MFA) for mobile users in a Zero Trust environment?

There are technical methods to protect mobile devices as the primary MFA mechanism. In some cases, maintaining this balance can be achieved through a thorough assessment of the attack surface. For instance, many companies use SMS as an MFA mechanism. In such cases, a Mobile Threat Defense solution like Harmony Mobile can inspect SMS messages and proactively identify potential malicious links. In other cases, it can notify cyber security staff if vulnerable applications are installed, enabling proactive conditional access enforcement.

To strike a balance between convenience and security while protecting MFA on mobile phones, we recommend three approaches:

  1. Implement a Mobile Threat Defense (MTD) solution, such as Harmony Mobile. This control helps thwart attacks targeting MFA, even new techniques like “quishing.” It monitors the network for potential Man-in-the-Middle attacks and deviations in the quality of the mobile OS that could compromise the integrity of the MFA workflow, such as with rooted or jailbroken phones. Additionally, MTD can identify malicious campaigns targeting high-profile individuals, which is particularly relevant in today’s environment where criminals employ AI-driven “vishing” attacks.
  2. Utilize Mobile Application Management (MAM), where applications are managed via Mobile Device Management (MDM), and posture checks are continuously conducted by a Mobile Threat Defense (MTD) solution. In cases of violations, especially in BYOD scenarios, MTD can alert risky states to managed applications. As a result, these apps can cease providing access to MFA mechanisms like push notifications and password-less methods. A common example is the use of Microsoft Authenticator for MFA, known for its convenience. The MTD can block access to the service’s IP addresses and domains if continuous validation is necessary and a violation is detected. This aligns with one of the key tenets of ZTNA.
  3. Incorporate a secure engine within the app providing the MFA mechanism. This is especially suitable for BYOD environments. Harmony App Protect is an example of this control. In this mode, the MFA independently monitors the network conditions and the mobile OS. It halts any authentication process in case of violations. This approach offers benefits in terms of privacy and user convenience as it doesn’t require additional software. The ZTNA policy decision point (PDP) and policy enforcement points (PEP) run locally on the phone based on pre-established policies to control the MFA workflow. However, a potential drawback of this method is its inflexibility regarding policy changes, such as IoC/IoA updates or containment policies, which may necessitate a new application update. Additionally, it could impact incident management plans and business continuity, requiring user interaction.

5. What are the potential risks and benefits of integrating mobile device biometrics (e.g., fingerprint or facial recognition) as part of the identity verification process within a ZTNA strategy?

The entire mobile ecosystem and society have demonstrated that biometrics are the de facto method for identity verification. When available, biometrics offer distinct advantages over traditional validation methods. However, it’s essential to understand that the triad of authentication factors – something you are, something you know, and something you have – should always be combined. Relying solely on biometrics can create a false sense of security. Studies, such as this one and this one, have shown that even real-time attacks on biometrics are possible. Therefore, it is crucial to consistently apply a defense-in-depth approach.

The ZTNA strategy can depend on continuous diagnostics and mitigation, as well as threat intelligence feeds to assess the likelihood of a mobile attack. Both Android and iOS have implemented hardware mechanisms to protect the Secure Enclave and biometric data from tampering and exfiltration. In the case of Android, due to OS fragmentation, addressing vulnerabilities at the hardware level is more challenging, which increases overall risk. There have been instances where vulnerabilities in system-on-chip components were exploited, raising the risk of privilege escalation. Such situations could compromise the identity verification process.

6. Is there anything else that you would like to share with the audience?

The industry and security practitioners should collaborate to address the security perception offered by certain actors. There is no single silver bullet provided by a “mobile ZTNA product” that can solve identity management. A ZTNA strategy will always depend on how well mobile data flows are understood and how much visibility is maintained over the entire mobile ecosystem, which grows in complexity each day. This ecosystem encompasses applications, APIs, backends, mobile OS, and, of course, the human element. It may seem overwhelming, but a good starting point is to apply proven mobile security practices to common use cases.

5 ransomware tabletop exercise recommendations – CyberTalk

Ransomware attacks can have devastating consequences for organizations. In the last 12 months alone, ransomware attacks have increased by more than 37%, with an average ransomware payment demand in excess of $5 million.

Proactively preparing for ransomware attacks can limit the impact of actual ransomware incidents. Ransomware tabletop exercises are critical pieces of any strategy designed to bolster ransomware and cyber readiness.

In this article, discover 5 ransomware tabletop exercise recommendations that can help you protect your organization from this formidable threat.

What is a ransomware tabletop exercise?

A ransomware tabletop exercise provides a practical framework through which leaders and teams can prepare for and understand their roles in incident response.

In more concrete terms, a ransomware tabletop exercise involves imagining a threat scenario, allowing stakeholders to problem-solve, mitigating the fictitious incident’s impact, and updating the response strategy accordingly.

In most cases, a facilitator ensures a collaborative approach, moderates any discussions, provides scenario updates, and asks appropriate follow-up questions.

5 ransomware tabletop recommendations

1. Education and preparation. All employees involved in ransomware exercises should know why and how an organization might encounter a ransomware incident. If the tabletop exercise spans beyond the cyber security team, information pertaining to key terminology, the purpose of activities, and related procedure documents should be distributed to all. The more that participants understand about the context of a ransomware tabletop exercise, the more supportive and responsive they’ll be during the exercise itself.

2. Collaborative environment. An often overlooked aspect of tabletop exercises is the development of a stress-free, no-fault learning environment where everyone feels comfortable speaking up and providing input. Facilitators should explain that the idea is to evaluate systems, capabilities and processes with the shared goal of enhancing the organization’s cyber security posture. Be sure to set the right tone for your ransomware tabletop exercise.

3. Realistic scenarios. At the heart of any effective tabletop exercise is a realistic scenario. For example, a realistic scenario might involve a ransomware attack that starts with a phishing email and that leads to the encryption of sensitive customer data. The scenario should progress through breach discovery, notification of law enforcement, a ransom demand, restoration of systems from backups and/or the decision-making process around whether or not to pay a ransom.

4. Scenario variations. Ahead of time, exercise leaders should come up with multiple, plausible ‘wrenches’ that can be thrown into the exercise itself. For instance, in one scenario, the ransom demand could be exorbitant. In another scenario, a second ransomware attack that relies on a different strain of ransomware could occur within 24 hours. Variations enable teams to adapt to unexpected circumstances and to test different aspects of the incident response plan.

5. Post-exercise evaluation. Once the walk-through concludes, conduct a thorough evaluation. In so doing, identify team strengths, areas for improvement and revise the incident response plan accordingly. Consider:

  • What worked well during the exercise?
  • Where were there communication snags, if any?
  • Did the team adhere to set policies and procedures?
  • How did any unexpected challenges impact the response?

As noted earlier, the main purpose of a ransomware tabletop exercise is to allow an organization to enhance its cyber security preparedness. Insights gained from post-exercise evaluation will allow for fine-tuning of plans.

Further thoughts

In an environment where ransomware attacks are growing in volume and sophistication, organizations can’t afford to be unprepared. Ransomware tabletop exercises serve as a proactive approach to fortifying defenses and ensuring a coordinated response in the event of a real incident.

The five recommendations in this article can help your organization strengthen resilience against ransomware threats and minimize an attack’s impact.

For more cyber resilience insights, please see CyberTalk’s CISO’s Guide to Resilience eBook. Lastly, to receive timely cyber security insights and cutting-edge analyses, please sign up for the newsletter.

What is email sandboxing? – CyberTalk

By George Mack, Content Marketing Manager, Check Point.

Nearly all employees use email, making it an attractive attack vector for hackers.

If you want to improve your organization’s security, then relying solely on your email service provider’s spam filters is not enough. You’ll need to augment your spam filters with an additional layer of email security, which typically includes sandboxing. Without sandboxing, your users are likely to click on emails containing spam, phishing attacks, ransomware, and other cyber attacks.

What is email sandboxing?

Sandboxing is a technique that acts as a security check. It involves creating a secure, isolated environment for running potentially malicious software or files. This controlled environment, often referred to as a “sandbox,” allows cyber security software to run suspicious programs and analyze their behavior without exposing the system or network to the actual threat. If deemed safe, then the file, URL, or code is allowed to pass through to the end-user.

Here’s a real-life example to illustrate sandboxing. In the past, a king would hire tasters to test each dish before he consumed it. If the king’s subject experienced illness, then the illness was contained without spreading to the king, and the food was thrown away. If the food resulted in no ill-effects, then the test was passed, and the food was deemed safe for the king to eat.

In this analogy, the king’s food represents the potentially malicious URL or file; the food taster acts as the “sandbox” for the king’s food; and the king represents your computer or operating system.

Regarding email, email sandboxing is a feature that’s used to test suspicious files that are attached to emails or to check potentially malicious links. After you implement email sandboxing, every email must pass the sandboxing test before being delivered to the inbox. The links will be checked, and all files will be downloaded and analyzed inside the sandbox. Any spam or malicious emails will also be filtered out.

Is email sandboxing necessary?

According to Gartner’s Market Guide for Email Security, email is still the most common attack vector. Forty percent of ransomware attacks are initiated through email, and 19% of data breaches are caused by stolen credentials, many of which are gathered through email-borne phishing attacks. And according to the Anti-Phishing Working Group (APWG), the number of phishing attacks has grown by more than 150% per year since 2019. Clearly, email threats are not going away.

Email sandboxing is used to identify and block these threats. If it identifies a zero-day threat, then the sandbox’s threat intelligence is passed along to all other users of the security software who have a corresponding threat intelligence feed.

What are the benefits of email sandboxing?

Using a sandbox provides several key benefits:

  • Host device protection: Sandbox environments preserve the integrity of your host devices and operating systems by isolating potentially malicious software, preventing any harm to your core system.
  • Zero-day threat isolation: Sandboxing offers a safeguard against zero-day threats by quarantining and neutralizing them within a secure environment.
  • Attachment and link assessment: When dealing with email attachments and links from unknown sources, email sandboxing allows for thorough testing in order to detect potential threats before they are delivered to users’ inboxes.
  • Data breach prevention: Sandboxing can prevent the data breaches that often result when an employee falls victim to a phishing page and gives up his or her account credentials.

How do you implement sandboxing?

Check Point’s Harmony Email & Collaboration security solution is an invaluable tool for businesses of all sizes. It provides an evasion-resistant CPU-level sandbox that blocks first-time-seen malware and keeps you protected from the most advanced cyber threats.

It also equips your organization with comprehensive protection against the latest email threats, such as phishing, malware, and ransomware. With its advanced security features, Harmony Email & Collaboration can help businesses protect their data and ensure compliance with regulations.

For more email security insights, please see CyberTalk’s past coverage. Lastly, to receive timely cyber security insights and cutting-edge analyses, please sign up for the newsletter.