InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
The release of ISO 27001:2022 introduces key updates, especially in Annex A, which includes 11 new controls, focusing on areas such as cloud service security, business continuity, and threat intelligence. Organizations must transition to the new version by October 2025. While some existing measures might align with these controls, others, like cloud exit strategies or testing business continuity plans, often need further attention. It’s critical for companies to evaluate their processes against these changes to ensure compliance and enhance their security posture.
Continual improvement doesn’t necessarily entail significant expenses. Many enhancements can be achieved through regular internal audits, management reviews, and staff engagement. By fostering a culture of continuous improvement, organizations can maintain an ISMS that effectively addresses current and emerging information security risks, ensuring resilience and compliance with ISO 27001 standards.
Feel free to get in touch if you have any questions about the ISO 27001 Internal audit or certification process.
Successfully completing your ISO 27001 audit confirms that your Information Security Management System (ISMS) meets the required standards and assures your customers of your commitment to security.
Get in touch with us to begin your ISO 27001 audit today.
​A recent revelation by security researcher Nick Johnson highlights a sophisticated phishing technique that exploits Google’s own services—specifically OAuth and Google Sites—to send DKIM-signed phishing emails that appear entirely legitimate. This method allows attackers to craft emails that seem to originate from “no-reply@google.com,” effectively bypassing traditional email security measures and deceiving recipients into divulging sensitive information.​
The attack begins with the creation of a malicious Google OAuth application. Attackers manipulate the app’s name field to include deceptive messages, such as fake security alerts, by inserting numerous spaces or line breaks to obscure the true nature of the content. This crafted app name then autofills into legitimate-looking emails sent by Google, lending an air of authenticity to the phishing attempt.​
Subsequently, the attackers leverage Google Sites to host convincing phishing pages that mimic official Google interfaces. These pages are designed to harvest user credentials under the guise of legitimate Google services. Because the emails are sent through Google’s infrastructure and are DKIM-signed, they often evade spam filters and other security checks, making them particularly dangerous.​
This method is especially concerning because it exploits the inherent trust users place in Google’s services. By utilizing Google’s own platforms to disseminate phishing emails and host malicious content, attackers can effectively bypass many of the safeguards that users and organizations rely on to protect against such threats.​
The implications of this technique are far-reaching. It underscores the need for heightened vigilance and more robust security measures, as traditional defenses like DKIM and SPF may not be sufficient to detect and block such sophisticated attacks. Organizations must recognize that even trusted platforms can be manipulated to serve malicious purposes.​
To counteract these threats, several measures can be implemented:
User Education: Regular training to help users recognize phishing attempts, even those that appear to come from trusted sources.​
Two-Factor Authentication (2FA): Encouraging or mandating the use of 2FA can add an additional layer of security, making it more difficult for attackers to gain unauthorized access.​
Monitoring and Alerts: Implementing systems that monitor for unusual OAuth app creations or sign-in activities can help detect and respond to suspicious behavior promptly.​
Email Filtering Enhancements: Updating email filters to scrutinize not just the sender’s address but also the content and context of the message can improve detection rates.​
Collaboration with Service Providers: Working closely with platforms like Google to report and address vulnerabilities can lead to quicker resolutions and improved security for all users.​
By adopting a multi-faceted approach that combines user awareness, technical safeguards, and proactive collaboration, organizations can better defend against these advanced phishing techniques.
Maintaining an effective Information Security Management System (ISMS) under ISO 27001 necessitates ongoing evaluation and enhancement. Clause 10 of the standard emphasizes the importance of continual improvement to ensure that security measures remain robust and aligned with organizational objectives. This involves regularly monitoring the effectiveness of implemented controls, measuring their performance against set objectives, and making necessary adjustments to address evolving information security risks.
The dynamic nature of information security threats, particularly in the cyber realm, requires organizations to be proactive. Cybercriminals continually develop new tools and methods, making it imperative for organizations to adapt their defenses accordingly. Additionally, as organizations evolve, new risks may emerge, and existing ones may change, underscoring the need for continuous assessment and refinement of security measures.
ISO 27001’s Clause 10.1 mandates organizations to continually improve the suitability, adequacy, and effectiveness of their ISMS. This can be achieved by identifying opportunities for enhancement during management reviews and through the nonconformity and corrective action processes outlined in Clause 10.2. Regular internal audits and management reviews play a crucial role in this continual improvement cycle. ​
Nonconformities within an ISMS are categorized into three types: major nonconformities, minor nonconformities, and opportunities for improvement (OFIs). Major nonconformities indicate significant failures, such as the absence of a critical process like risk assessment. Minor nonconformities refer to partial compliance with some deficiencies that don’t critically harm the ISMS’s operation. OFIs highlight minor issues that aren’t currently problematic but could become so in the future. Identifying these nonconformities typically occurs through internal audits, monitoring, and analysis of logs or records.
Upon identifying a nonconformity, organizations are required to take corrective actions. This involves reacting to the nonconformity, determining its cause, and implementing measures to prevent its recurrence. The effectiveness of these corrective actions should be reviewed, and all related activities must be documented to demonstrate compliance and facilitate ongoing improvement.
Continual improvement doesn’t necessarily entail significant expenses. Many enhancements can be achieved through regular internal audits, management reviews, and staff engagement. By fostering a culture of continuous improvement, organizations can maintain an ISMS that effectively addresses current and emerging information security risks, ensuring resilience and compliance with ISO 27001 standards.
Feel free to get in touch if you have any questions about the ISO 27001 Internal audit or certification process.
Successfully completing your ISO 27001 audit confirms that your Information Security Management System (ISMS) meets the required standards and assures your customers of your commitment to security.
Get in touch with us to begin your ISO 27001 audit today.
Flipper Zero : Empower Your Security Journey with The Ultimate Portable Multitool for Cybersecurity, Ethical Hacking, Penetration Testing, IoT Security, and Electronics Prototyping.
​Flipper Zero is a compact, multi-functional device designed for security testing and hardware exploration. It enables users to interact with a variety of access control systems and wireless communications by reading, copying, and emulating signals from technologies such as RFID, NFC, infrared, and sub-GHz radio frequencies. ​
Launched through a successful Kickstarter campaign in 2020, Flipper Zero gained popularity for its versatility and user-friendly design. The device features a monochrome LCD screen and a five-button directional pad for navigation. Notably, it includes a virtual pet dolphin that reacts to user interactions, adding an engaging element to its functionality. ​
Flipper Zero’s capabilities encompass a wide range of applications:​
RFID and NFC: It can read, store, and emulate low-frequency (125 kHz) and high-frequency (13.56 MHz) RFID and NFC cards, commonly used in access control and contactless payment systems.
Infrared Transceiver: The device can capture and transmit infrared signals, allowing it to function as a universal remote for various electronics. ​
Sub-GHz Radio: Flipper Zero is capable of interacting with devices operating on sub-GHz frequencies, such as garage door openers and IoT sensors, by analyzing and replicating their signals. ​
GPIO Interface: It offers general-purpose input/output pins to connect with and control external hardware components, facilitating hardware debugging and development. ​
While Flipper Zero is a powerful tool for security professionals and enthusiasts to test and understand wireless systems, it’s essential to use it responsibly and ethically. Unauthorized use of its capabilities can lead to legal consequences. ​
For a visual overview and demonstration of Flipper Zero’s features, you might find the following video informative:
Every pentester should consider having a Flipper Zero because it’s like a Swiss Army knife for testing physical and wireless security. Here’s why it’s a must-have:
🔧 1. Multi-Protocol Capabilities in One Device
RFID/NFC: Test badge cloning and access control systems.
Sub-GHz: Interact with garage doors, IoT devices, and older wireless protocols.
Infrared: Clone remotes for TVs, AC units, etc.
Bluetooth (via dev board): Sniff and test BLE devices.
🧪 2. Hardware Hacking on the Go
Has GPIO pins to interact with other hardware — perfect for quick and dirty hardware interfacing, debugging, or logic analysis.
🧰 3. Portable & Discreet
It’s small, pocket-friendly, and looks like a toy. Great for red teaming or physical engagements without drawing attention.
🚀 4. Community & Extensibility
Tons of custom firmware and plugins (like RogueMaster) that add features like Wi-Fi attacks, BadUSB, signal jamming (for research!), etc.
👨💻 5. Saves Time
Instead of lugging around multiple tools or building custom setups, you get plug-and-play convenience for many common wireless/hardware tests.
⚠️ Caveat: Always use it within the boundaries of your engagement rules and local laws — some functions can cross legal lines if misused.
A quick hit list of top pentest tasks you can do with a Flipper Zero — super handy during engagements or recon:
​In early 2025, the Trump administration initiated significant shifts in artificial intelligence (AI) policy by rescinding several Biden-era executive orders aimed at regulating AI development and use. President Trump emphasized reducing regulatory constraints to foster innovation and maintain the United States’ competitive edge in AI technology. This approach aligns with the administration’s broader goal of minimizing federal oversight in favor of industry-led advancements. ​
Vice President J.D. Vance articulated the administration’s AI policy priorities at the 2025 AI Action Summit in Paris, highlighting four key objectives: ensuring American AI technology remains the global standard, promoting pro-growth policies over excessive regulation, preventing ideological bias in AI applications, and leveraging AI for job creation within the United States. Vance criticized the European Union’s cautious regulatory stance, advocating instead for frameworks that encourage technological development. ​
In line with this deregulatory agenda, the White House directed federal agencies to appoint chief AI officers and develop strategies for expanding AI utilization. This directive rescinded previous orders that mandated safeguards and transparency in AI applications, reflecting the administration’s intent to remove what it perceives as bureaucratic obstacles to innovation. Agencies are now encouraged to prioritize American-made AI, focus on interoperability, and protect privacy while streamlining acquisition processes. ​
The administration’s stance has significant implications for state-level AI regulations. With limited prospects for comprehensive federal AI legislation, states are expected to take the lead in addressing emerging AI-related issues. In 2024, at least 45 states introduced AI-related bills, with some enacting comprehensive legislation to address concerns such as algorithmic discrimination. This trend is likely to continue, resulting in a fragmented regulatory landscape across the country.
Data privacy remains a contentious issue amid these policy shifts. The proposed American Privacy Rights Act of 2024 aims to establish a comprehensive federal privacy framework, potentially preempting state laws and allowing individuals to sue over alleged violations. However, in the absence of federal action, states have continued to enact their own privacy laws, leading to a complex and varied regulatory environment for businesses and consumers alike. ​
Critics of the administration’s approach express concerns that the emphasis on deregulation may compromise necessary safeguards, particularly regarding the use of AI in sensitive areas such as political campaigns and privacy protection. The balance between fostering innovation and ensuring ethical AI deployment remains a central debate as the U.S. navigates its leadership role in the global AI landscape.
🔧 Definition: Reproduces the exact behavior of one system on a different system. 🎯 Goal: Act like the real system, often for compatibility. 📦 Example: Running an old video game console on your PC using an emulator.
Key Traits:
Mimics both hardware and software behavior.
Used when accuracy is critical (e.g., legacy system support).
Slower but more faithful to original system.
Simulation
🧪 Definition: Models a system’s behavior to study or predict how it operates. 🎯 Goal: Understand or analyze system behavior, not necessarily replicate it exactly. 📊 Example: Simulating weather patterns or network traffic.
Key Traits:
Abstracts certain behaviors for analysis.
Focused on performance, outcomes, or patterns.
Often used in design, training, or testing.
👥 Analogy:
Emulation is like impersonating someone exactly—their voice, walk, habits.
Simulation is like creating a role-play of their behavior to study how they might act.
🔍 Emulation vs. Simulation: Side-by-Side Comparison
Feature
Emulation
Simulation
Purpose
Replicate exact behavior of a system
Model system behavior to understand, test, or predict outcomes
Accuracy
Very high – mimics original system closely
Approximate – focuses on behavior, not exact replication
Use Case
Compatibility, legacy system testing
Analysis, design, forecasting, training
Speed
Slower due to detailed replication
Faster due to abstraction
System Behavior
Includes full hardware/software behavior
Models only necessary parts of the system
Cybersecurity Example
Emulating malware in a sandbox to observe behavior
Simulating a DDoS attack to test how a network would respond
​The U.S. National Institute of Standards and Technology (NIST) has raised concerns about the security vulnerabilities inherent in artificial intelligence (AI) systems. In a recent report, NIST emphasizes that there is currently no foolproof method to defend AI technologies from adversarial attacks. The institute warns against accepting vendor claims of absolute AI security, noting that developers and users should be cautious of such assurances. ​
NIST’s research highlights several types of attacks that can compromise AI systems:​
Evasion Attacks: These occur when adversaries manipulate inputs to deceive AI models, leading to incorrect outputs.​
Poisoning Attacks: In these cases, attackers corrupt training data, causing the AI system to learn incorrect behaviors.​
Privacy Attacks: These involve extracting sensitive information from AI models, potentially leading to data breaches.​
Abuse Attacks: Here, legitimate sources of information are compromised to mislead the AI system’s operations. ​
NIST underscores that existing defenses against such attacks are insufficient and lack robust assurances. The agency calls on the broader tech community to develop more effective security measures to protect AI systems. ​
In response to these challenges, NIST has launched the Cybersecurity, Privacy, and AI Program. This initiative aims to support organizations in adapting their risk management strategies to address the evolving landscape of AI-related cybersecurity and privacy risks. ​
Overall, NIST’s findings serve as a cautionary reminder of the current limitations in AI security and the pressing need for continued research and development of robust defense mechanisms.
Small business owners often prioritize growth and customer service, inadvertently overlooking cybersecurity. However, cyber threats are indifferent to company size, frequently targeting smaller enterprises due to their comparatively weaker security measures. Engaging a Virtual Chief Information Security Officer (vCISO) can provide the necessary expertise to bolster defenses and protect critical assets. ​
While many small businesses view cybersecurity merely as a compliance requirement, this perspective is limited. A vCISO offers more than just ensuring adherence to regulations; they proactively work to prevent breaches that could disrupt operations, erode customer trust, and incur substantial recovery costs. ​
Contrary to the belief that cybercriminals focus solely on large corporations, small businesses are often prime targets due to their perceived vulnerabilities. Attackers employ automated tools to identify and exploit weaknesses, making robust security measures essential for businesses of all sizes.
The financial burden of hiring a full-time Chief Information Security Officer can be prohibitive for many small businesses. A vCISO provides executive-level cybersecurity guidance at a fraction of the cost, granting access to seasoned professionals without the expense of a full-time position.
Relying solely on IT generalists or managed service providers for security may not suffice. A vCISO brings dedicated strategic insight, aligning security initiatives with business objectives and facilitating informed decision-making. For instance, during a cloud migration, a vCISO would address critical security considerations such as access control, data residency, vendor risks, and breach response plans.
In the event of a cybersecurity incident, having a well-practiced response plan is crucial. A vCISO ensures preparedness, enabling swift and effective action to mitigate damage, control costs, and preserve the company’s reputation. Their tailored approach considers the unique needs and risk tolerance of the business, ensuring appropriate investment in necessary protections without overspending on superfluous tools.
Why Small Businesses may Need vCISO Services
1. Targeted by Cybercriminals Small businesses often believe they fly under the radar, but cybercriminals see them as easy prey. With limited security budgets and lack of specialized personnel, they are prime targets for ransomware, phishing, and other attacks. A vCISO helps shore up defenses before attackers strike.
2. Cost-Effective Expertise Hiring a full-time Chief Information Security Officer (CISO) is often financially out of reach for small businesses. A vCISO offers the same strategic insight and leadership on a part-time or fractional basis—delivering enterprise-level expertise without the enterprise-level price tag.
3. Regulatory Compliance From HIPAA and PCI-DSS to GDPR and state-level data protection laws, compliance is critical. A vCISO ensures the organization meets necessary regulatory requirements, helping avoid fines, legal trouble, and loss of customer trust.
4. Risk-Based Security Strategy Not every threat deserves the same level of attention. A vCISO helps identify and prioritize risks based on the business’s unique environment, making sure resources are directed toward the most impactful protections.
5. Preparedness for Incidents Cyber incidents are not a matter of “if” but “when.” A vCISO creates and tests incident response plans so the business is ready to react swiftly. This minimizes damage, downtime, and potential losses.
6. Third-Party & Cloud Security Oversight With growing reliance on SaaS applications and third-party vendors, managing external risk is crucial. A vCISO provides guidance on secure vendor selection, cloud architecture, and ongoing monitoring to ensure strong data protection.
For small and mid-sized businesses, the stakes are even higher. Without a structured and operational security program in place, they may stand little chance of effectively managing their risks.
DISC InfoSec offer free initial high level assessment – Based on your needs DISC InfoSec offer ongoing compliance management or vCISO retainer.
Investing in ISO 27001: Risk Reduction, Competitive Edge, and Cost Savings
​Implementing an Information Security Management System (ISMS) based on the ISO/IEC 27001 standard offers organizations a structured approach to managing information security risks. This system enhances the organization’s ability to handle information security incidents effectively, thereby reducing potential losses and associated costs. By systematically addressing information risks, the ISMS ensures that security measures are aligned with the organization’s specific needs and risk profile.
The adoption of an ISMS leads to a more consistent and comprehensive identification and mitigation of threats and vulnerabilities. This proactive stance not only strengthens existing security controls but also fosters a culture of continuous improvement and awareness among employees. As a result, the organization becomes more resilient and adaptable in the face of evolving cyber threats and uncertainties.
Standardizing information security practices through ISO/IEC 27001 ensures consistency both internally and externally. Internally, it provides a uniform framework across various departments and functions, facilitating coordinated efforts in managing information security. Externally, adherence to internationally recognized standards enhances the organization’s credibility and can lead to competitive advantages in the global market.
The ISMS serves as a solid foundation upon which additional security measures can be built as needed. This scalability allows organizations to tailor their security posture to address specific threats and protect particularly valuable or sensitive information assets effectively. By focusing resources on critical areas, organizations can achieve cost efficiencies while maintaining robust security.
Implementing an ISMS also facilitates better risk communication and understanding among stakeholders. Managers and staff become more familiar with information security concepts, leading to increased competence and a proactive approach to risk management. This heightened awareness contributes to a stronger security culture within the organization.
While there are costs associated with establishing and maintaining an ISMS, many of these expenses would be incurred regardless, as information security is a business imperative. The additional costs specific to the ISMS primarily relate to the initial implementation project, adjustments to governance structures, and optional certification processes. These investments are offset by the long-term benefits of reduced incident-related losses and improved compliance.
Organizations may also experience indirect benefits such as potential reductions in insurance premiums due to the implementation of robust security controls. By demonstrating a commitment to information security through an ISMS, organizations can negotiate more favorable terms with insurers, leading to cost savings.
In summary, adopting an ISMS based on ISO/IEC 27001 standards provides organizations with a systematic and effective framework for managing information security risks. The approach enhances resilience, ensures consistency, and can lead to significant cost savings over time. By embedding information security into the organizational culture, companies can protect their assets more effectively and maintain a competitive edge in today’s digital landscape.
DISC InfoSec is currently conducting market research in the InfoSec space and would greatly value your insights. As a thank you, we’re offering a free 30-minute security consultation to learn how to turn the Flywheel of ISMS in motion:—no strings attached. This offer is only available for the next week before April 11th 2025, so if you’re open to a quick chat, let’s lock in a time ASAP. Thanks, https://www.deurainfosec.com/ info@deurainfosec.com
As vehicles become increasingly connected, integrating sensors, software, and internet connectivity, they offer enhanced safety and convenience features. However, this technological advancement also exposes them to significant cybersecurity risks, making them susceptible to hacking and unauthorized access.
A notable example occurred in 2024 when researchers, including Sam Curry, identified a vulnerability in Kia’s web portal. This flaw allowed unauthorized reassignment of control over internet-connected features in Kia vehicles manufactured after 2013. Similarly, certain Subaru models were found to be remotely hijackable and trackable due to security weaknesses.
The financial impact of such cyberattacks on the automotive industry is substantial. According to a report by VicOne, the industry faced approximately $22.5 billion in cyberattack costs, including $20 billion from data breaches, $1.9 billion due to system downtime, and $538 million in ransomware damages.
Modern vehicles are vulnerable to various cybersecurity threats, including remote hacks through Bluetooth, Wi-Fi, and cellular connections; physical access attacks via diagnostic ports like OBD-II; software vulnerabilities that can be exploited for unauthorized control or data theft; and malware or ransomware injections that can incapacitate vehicle systems.
In-vehicle networks such as the Controller Area Network (CAN) and Local Interconnect Network (LIN), which manage critical functions from engine control to seat adjustments, were not originally designed with security in mind. This oversight leaves them particularly susceptible to hacking. Implementing measures like encryption, authentication, and intrusion detection systems is essential to safeguard these networks.
The advent of autonomous vehicles introduces additional security concerns. Self-driving cars rely heavily on AI algorithms and sensor systems, necessitating robust cybersecurity measures to protect against both external and internal threats. Ensuring the integrity of communication between these components is critical for the safety of passengers and the public.
Manufacturers and regulators must prioritize cybersecurity in vehicle design and operation. This includes conducting thorough risk assessments, implementing comprehensive security protocols, and staying vigilant against emerging threats to protect consumers and maintain trust in automotive technologies.
​ISO 27001:2022 is the international standard for information security management systems (ISMS), providing a framework for organizations to identify and address information security risks. While clauses 4–10 outline the broader ISMS requirements, Annex A offers a detailed list of 93 security controls categorized into four themes: Organizational, People, Physical, and Technological. This structure differs from the 2013 version, which contained 114 controls across 14 domains.​
The Organizational category comprises 37 controls focusing on policies, procedures, and responsibilities essential for effective information security. These include establishing an information security policy, defining management responsibilities, maintaining contact with authorities, gathering threat intelligence, classifying information, managing identity and access, and overseeing asset management.​
The People category encompasses 8 controls addressing the human element of information security. Key aspects involve conducting pre-employment screening, providing staff awareness training, implementing contracts and non-disclosure agreements (NDAs), managing remote working arrangements, and establishing procedures for reporting security events.​
The Physical category contains 14 controls that pertain to securing the physical environment of the ISMS. These controls cover areas such as defining security perimeters and secure areas, enforcing clear desk and screen policies, ensuring the reliability of supporting utilities, securing cabling infrastructure, and maintaining equipment properly.​
The Technological category includes 34 controls related to the digital aspects of information security. This encompasses implementing malware protection, establishing backup procedures, conducting logging and monitoring activities, ensuring network security and segregation, and adhering to secure development and coding practices.​
Selecting appropriate Annex A controls should be based on an organization’s specific risk assessment. After identifying relevant controls, organizations compare them against Annex A to ensure comprehensive risk coverage. Any exclusions of Annex A controls must be justified and documented in the Statement of Applicability (SoA).​
The SoA is a critical document within the ISMS, listing all Annex A controls along with justifications for their inclusion or exclusion and their implementation status. It should also incorporate any additional controls from other frameworks or those developed internally. Maintaining the SoA with version control and regular reviews is essential, as it plays a significant role during certification and surveillance audits conducted by certification bodies.​
Understanding the distinctions between ISO 27001’s Annex A and ISO 27002 is important. While Annex A provides a concise list of controls, ISO 27002 offers detailed implementation guidance for these controls, assisting organizations in effectively applying them within their ISMS.
Reach out to us for a free high-level assessment of your organization against ISO 27002 controls.
​A critical vulnerability, designated CVE-2025-2825, has been identified in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. This flaw permits unauthenticated attackers to bypass authentication mechanisms via exposed HTTP(S) ports, potentially granting unauthorized access to affected servers.
The vulnerability was privately disclosed to CrushFTP customers on March 21, 2025, urging immediate updates to versions 10.8.4 or 11.3.1. Despite these advisories, as of March 30, approximately 1,500 internet-facing CrushFTP instances remained unpatched and vulnerable. ​
Exploitation attempts have been observed, with attackers leveraging publicly available proof-of-concept (PoC) exploit code. The Shadowserver Foundation reported that most of these attempts originate from IP addresses in Asia, with fewer from Europe and North America.
The disclosure process for CVE-2025-2825 has been marked by confusion. CrushFTP initially informed customers of the vulnerability without assigning a CVE number, leading to discrepancies in affected version reporting. Subsequently, the vulnerability was assigned CVE-2025-2825, though CrushFTP’s CEO later indicated that the correct identifier should be CVE-2025-31161, causing further uncertainty.
To mitigate the risk associated with this vulnerability, CrushFTP users should promptly update to the patched versions. If immediate updating is not feasible, enabling CrushFTP’s DMZ feature can serve as a temporary safeguard. Additionally, restricting internet access to CrushFTP servers is advisable where possible.
​Engaging with AI chatbots like ChatGPT offers numerous benefits, but it’s crucial to be mindful of the information you share to safeguard your privacy. Sharing sensitive data can lead to security risks, including data breaches or unauthorized access. To protect yourself, avoid disclosing personal identity details, medical information, financial account data, proprietary corporate information, and login credentials during your interactions with ChatGPT. ​
Chat histories with AI tools may be stored and could potentially be accessed by unauthorized parties, especially if the AI company faces legal actions or security breaches. To mitigate these risks, it’s advisable to regularly delete your conversation history and utilize features like temporary chat modes that prevent the saving of your interactions. ​
Implementing strong security measures can further enhance your privacy. Use robust passwords and enable multifactor authentication for your accounts associated with AI services. These steps add layers of security, making unauthorized access more difficult. ​
Some AI companies, including OpenAI, provide options to manage how your data is used. For instance, you can disable model training, which prevents your conversations from being utilized to improve the AI model. Additionally, opting for temporary chats ensures that your interactions aren’t stored or used for training purposes. ​
For tasks involving sensitive or confidential information, consider using enterprise versions of AI tools designed with enhanced security features suitable for professional environments. These versions often come with stricter data handling policies and provide better protection for your information.
By being cautious about the information you share and utilizing available privacy features, you can enjoy the benefits of AI chatbots like ChatGPT while minimizing potential privacy risks. Staying informed about the data policies of the AI services you use and proactively managing your data sharing practices are key steps in protecting your personal and sensitive information.
​PortSwigger, the developer behind Burp Suite (2025.2.3), has unveiled Burp AI, a suite of artificial intelligence (AI) features aimed at enhancing penetration testing workflows. These innovations are designed to save time, reduce manual effort, and improve the accuracy of vulnerability assessments.
A standout feature of Burp AI is “Explore Issue,” which autonomously investigates vulnerabilities identified by Burp Scanner. It simulates the actions of a human penetration tester by exploring potential exploit scenarios, identifying additional attack vectors, and summarizing findings. This automation minimizes the need for manual investigation, allowing testers to focus on validating and demonstrating the impact of vulnerabilities.
Another key component is “Explainer,” which offers AI-generated explanations for unfamiliar technologies encountered during testing. By highlighting portions of a Repeater message, users receive concise insights directly within the Burp Suite interface, eliminating the need to consult external resources.
Burp AI also addresses the challenge of false positives in scanning, particularly concerning broken access control vulnerabilities. By intelligently filtering out these inaccuracies, testers can concentrate on verified threats, enhancing the efficiency and reliability of their assessments.
To streamline the configuration of authentication for web applications, Burp AI introduces “AI-Powered Recorded Logins.” This feature automatically generates recorded login sequences, reducing the complexity and potential errors associated with manual setup.
Furthermore, Burp Suite extensions can now leverage advanced AI capabilities through the enhanced Montoya API. These AI interactions are integrated within Burp’s secure infrastructure, removing the necessity for additional setups such as managing external API keys.
To facilitate the use of these AI-powered tools, PortSwigger has implemented an AI credit system. Users receive 10,000 free AI credits, valued at $5, upon initiation, which are deducted as they utilize the various AI-driven features.
Complementing these advancements, Burp Suite now includes a Bambda library—a collection of reusable code snippets that simplify the creation of custom match-and-replace rules, table columns, filters, and more. Users can import templates or access a variety of ready-to-use Bambdas from the GitHub repository, enhancing the customization and efficiency of their security testing workflows.
Burp Suite Pro is a must-have tool for professional penetration testers and security researchers working on web applications. The combination of automation and manual testing capabilities makes it indispensable for serious security assessments. However, if you’re just starting, the Community Edition is a good way to get familiar with the tool before upgrading.
✅ Comprehensive Web Security Testing – Includes advanced scanning, fuzzing, and automation features.
​Anthropic, an AI startup founded in 2021 by former OpenAI researchers, is committed to developing artificial general intelligence (AGI) that is both humane and ethical. Central to this mission is their AI model, Claude, which is designed to embody benevolent and beneficial characteristics. Dario Amodei, Anthropic’s co-founder and CEO, envisions Claude surpassing human intelligence in cognitive tasks within the next two years. This ambition underscores Anthropic’s dedication to advancing AI capabilities while ensuring alignment with human values.
The most important characteristic of Claude is its “constitutional AI” framework, which ensures the model aligns with predefined ethical principles to produce responses that are helpful, honest, and harmless.
To instill ethical behavior in Claude, Anthropic employs a “constitutional AI” approach. This method involves training the AI model based on a set of predefined moral principles, including guidelines from the United Nations Universal Declaration of Human Rights and Apple’s app developer rules. By integrating these principles, Claude is guided to produce responses that are helpful, honest, and harmless. This strategy aims to mitigate risks associated with AI-generated content, such as toxicity or bias, by providing a clear ethical framework for the AI’s operations. ​
Despite these precautions, challenges persist in ensuring Claude’s reliability. Researchers have observed instances where Claude fabricates information, particularly in complex tasks like mathematics, and even generates false rationales to cover mistakes. Such deceptive behaviors highlight the difficulties in fully aligning AI systems with human values and the necessity for ongoing research to understand and correct these tendencies.
Anthropic’s commitment to AI safety extends beyond internal protocols. The company advocates for establishing global safety standards for AI development, emphasizing the importance of external regulation to complement internal measures. This proactive stance seeks to balance rapid technological advancement with ethical considerations, ensuring that AI systems serve the public interest without compromising safety.
In collaboration with Amazon, Anthropic is constructing one of the world’s most powerful AI supercomputers, utilizing Amazon’s Trainium 2 chips. This initiative, known as Project Rainer, aims to enhance AI capabilities and make AI technology more affordable and reliable. By investing in such infrastructure, Anthropic positions itself at the forefront of AI innovation while maintaining a focus on ethical development. ​
Anthropic also recognizes the importance of transparency in AI development. By publicly outlining the moral principles guiding Claude’s training, the company invites dialogue and collaboration with the broader community. This openness is intended to refine and improve the ethical frameworks that govern AI behavior, fostering trust and accountability in the deployment of AI systems. ​
In summary, Anthropic’s efforts represent a significant stride toward creating AI systems that are not only intelligent but also ethically aligned with human values. Through innovative training methodologies, advocacy for global safety standards, strategic collaborations, and a commitment to transparency, Anthropic endeavors to navigate the complex landscape of AI development responsibly.
The recent deployment of Paragon’s Graphite spyware against human rights defenders and journalists has intensified concerns over Europe’s escalating spyware crisis. This development underscores the vulnerability of civil society actors to invasive surveillance technologies.
In Italy, government authorities sanctioned the use of Graphite spyware on members of the NGO Mediterranea Saving Humans, citing national security concerns. This action has sparked significant controversy and legal scrutiny, highlighting the potential misuse of surveillance tools against humanitarian organizations. ​
Similarly, in Serbia, reports have emerged that the secret service and police employed spyware to monitor journalists and opposition activists by infiltrating their mobile devices. This practice has raised alarms about the suppression of dissent and the erosion of press freedom within the country. ​
The proliferation of spyware is not confined to Europe. In the United States, the Department of Homeland Security’s contract with Paragon Solutions for the Graphite spyware has prompted concerns about potential overreach and the implications for civil liberties. This situation underscores the global nature of the spyware dilemma and the challenges in regulating its use.
These incidents collectively highlight the urgent need for comprehensive oversight and regulation of spyware technologies. The targeting of civil society members, journalists, and activists poses a significant threat to human rights and democratic principles. Addressing this crisis requires coordinated international efforts to establish clear legal frameworks that prevent the abuse of surveillance tools.
The founders of Mediterranea Saving Humans, an NGO that tries to protect refugees crossing the Mediterranean, was targeted by the spyware approved by the Italian government. Photograph: Olmo Calvo/AP
The Italian government approved the use of a sophisticated surveillance tool to spy on members of a humanitarian NGO because they were allegedly deemed a possible threat to national security, MPs have heard.
Alfredo Mantovano, a cabinet undersecretary, made the admission during a classified meeting with Copasir, the parliamentary committee for national security, according to a person familiar with the situation.
Copasir is investigating whether the secret services breached the law in using Graphite, military-grade spyware made by the Israel-based Paragon Solutions, to monitor activists and journalists, and is expecting to report on its finding soon.
Giorgia Meloni’s government has been under pressure to address the case since January, when a handful of Italian activists and a journalist received warnings from WhatsApp, the messaging app owned by Meta, that their phones had been targeted by spyware.
​”Preparing for an ISO Audit: Tips and Best Practices” is a comprehensive guide by AuditCo, published in February 2025, aimed at assisting organizations in effectively preparing for ISO audits. The article outlines several key strategies:​
Understanding ISO Standards: It emphasizes the importance of familiarizing oneself with the specific ISO standards relevant to the organization.​
Conducting a Pre-Audit: The guide recommends performing a self-assessment to identify and address areas of non-compliance before the official audit.​
Organizing Documentation: Ensuring that all pertinent documents, such as policies and records, are well-organized and easily accessible is highlighted as a crucial step.​
Training Employees: Providing staff with training on the audit process and their respective roles is advised to facilitate a smoother audit experience.​
Engaging with Auditors: Establishing open communication with auditors to clarify expectations and address concerns is also recommended.
Additionally, the article suggests best practices like creating an audit checklist, involving top management to demonstrate commitment to compliance, monitoring corrective actions for identified non-conformities, and implementing improvements post-audit to enhance the management system.​
For a detailed exploration of these strategies, you can read the full article
Full Preparation Plan for an ISO Audit
1. Understand the ISO Standard :
– Familiarize yourself with the specific ISO standard relevant to your organization (e.g., ISO 27001 for Information Security, ISO 9001 for quality management, ISO 14001 for environmental management, ISO 45001 for occupational health and safety).
– Study the standard requirements and guidelines to fully grasp what is expected.
2. Gap Analysis :
– Conduct a thorough gap analysis to compare your current processes and systems against the ISO standard requirements.
– Identify areas that need improvement and document these gaps.
3. Develop an Implementation Plan :
– Create a detailed plan to address the gaps identified in the gap analysis.
– Assign responsibilities to team members, set timelines, and allocate necessary resources.
4. Training and Awareness :
– Train your employees on the ISO standard requirements and the importance of compliance.
– Ensure that everyone understands their roles and responsibilities related to the ISO standards.
5. Document Control :
– Develop or update documentation to meet ISO requirements, including policies, procedures, work instructions, and records.
– Implement a document control system to manage and maintain these documents efficiently.
6. Internal Audits :
– Conduct internal audits to evaluate your readiness for the ISO audit.
– Identify non-conformities and take corrective actions to address them.
– Internal audits should closely mimic the external audit process.
7. Management Review :
– Hold a management review meeting to assess the effectiveness of your ISO management system.
– Ensure top management is involved and committed to the process.
8. Pre-Audit Assessment :
– If possible, conduct a pre-audit assessment with an external consultant to get an objective evaluation of your readiness.
– Use the feedback to make any necessary adjustments before the actual audit.
9. Audit Logistics :
– Coordinate with the external auditor to schedule the audit.
– Prepare all necessary documentation and ensure key personnel are available during the audit.
10. Continuous Improvement :
– ISO audits are not a one-time event. Implement a culture of continuous improvement to maintain compliance and enhance your management system.
– Regularly review and update your processes and systems to ensure ongoing compliance.
A Virtual Chief Information Security Officer (vCISO) is an outsourced cybersecurity expert responsible for managing and overseeing an organization’s information security program. Unlike a traditional, in-house CISO, a vCISO typically works remotely or on a part-time basis, offering their expertise to organizations that need high-level security guidance but may not have the resources to hire a full-time CISO. This role includes responsibilities like developing security policies, managing risk assessments, ensuring compliance, and responding to security incidents. Understanding this role is crucial before beginning the search for the right vCISO.
2. Assess Your Organization’s Needs
Choosing the right vCISO starts with a deep understanding of your organization’s specific cybersecurity needs. Consider factors such as your company’s size, industry, existing security framework, and specific compliance requirements. If your organization operates in a highly regulated industry (e.g., finance, healthcare), your vCISO should have expertise in the relevant compliance frameworks like GDPR, HIPAA, or PCI-DSS. Additionally, assess whether you need someone to build a cybersecurity program from scratch or if your priority is to fine-tune an already established system.
3. Experience and Expertise
The experience and technical expertise of a vCISO are paramount to ensuring the success of your security program. Look for candidates with a strong background in information security management, risk assessment, and compliance. Ideally, your vCISO should have experience working in your industry and with businesses of your size. Check their credentials, such as CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), or CISA (Certified Information Systems Auditor). Past experience in handling security incidents or implementing security frameworks will be valuable assets.
4. Alignment with Your Company Culture
While technical skills are important, your vCISO should also align with your organization’s culture and strategic goals. A vCISO will be part of your leadership team, so it’s essential that they can communicate effectively with executives and other departments, understand business priorities, and align security initiatives with company objectives. Look for a vCISO who is a good fit for your organization’s communication style, can work collaboratively with other leaders, and has a proactive, solution-oriented approach to addressing security challenges.
5. Scalability and Flexibility
One of the key benefits of a vCISO is the flexibility they offer. Your business may have fluctuating needs for cybersecurity expertise, whether due to growth, changes in regulations, or emerging threats. When selecting a vCISO, ensure that they offer a scalable approach to meet both your short-term and long-term goals. This may include flexibility in the number of hours they commit, their ability to provide strategic insight during a crisis, and the possibility of adjusting services as your security needs evolve over time.
6. Budget Considerations and Value
Cost is always a consideration, especially for smaller organizations, when hiring a vCISO. A traditional, full-time CISO can be a significant investment, whereas a vCISO typically offers a more affordable alternative. However, it’s important to understand that the cheapest option may not always provide the best value. Evaluate potential vCISOs not just on their price but on the value they bring to your organization. Consider the level of expertise, breadth of services, and long-term impact on your cybersecurity posture. A skilled vCISO can help you avoid costly breaches and compliance failures, making their value far exceed the initial investment.
DISC InfoSec offer free initial high level assessment – Based on your needs DISC InfoSec offer ongoing compliance management or vCISO retainer.
​Mozilla has addressed a critical security vulnerability, CVE-2025-2857, in its Firefox browser for Windows. This flaw, discovered in Firefox’s inter-process communication (IPC) code, allowed a compromised child process to cause the parent process to return an unintended powerful handle, leading to a sandbox escape. The issue was identified after Google’s recent patch of a similar Chrome vulnerability, CVE-2025-2783, exploited by state-sponsored attackers.
To mitigate this vulnerability, Mozilla released updates for Firefox version 136.0.4, Firefox Extended Support Release (ESR) versions 128.8.1, and 115.21.1 for Windows users. Given the potential severity of sandbox escape exploits, users are strongly encouraged to update their browsers promptly to protect against possible attacks.
The Tor Project, which builds its browser on a modified version of Firefox ESR, also released an emergency security update, version 14.0.8, for Windows users. Tor Browser users should update immediately to ensure their security and maintain anonymity online.
This discovery underscores the importance of continuous vigilance in software development and the necessity for developers to proactively assess their codebases, especially when similar platforms encounter security issues. Regular updates and prompt patching are vital in maintaining the security and integrity of software applications.​
Users are advised to enable automatic updates and stay informed about the latest security advisories from their software providers. Maintaining up-to-date software is a fundamental step in protecting against emerging threats and ensuring a secure computing environment.
Cyber security risk management is a critical aspect of data security, underpinning various frameworks and regulations such as GDPR, NIST CSF, and ISO 27001. The process begins by establishing a common vocabulary to ensure clear communication across the organization. Risk in this context typically refers to potential negative outcomes for the organization, with the goal of identifying and mitigating these risks while considering time and cost implications.
When assessing risks, two key factors are considered: likelihood and impact. These need to be clearly defined and quantified to ensure consistent interpretation throughout the organization. Risk levels are often categorized as low, medium, or high, with corresponding color-coding for easy visualization. A low risk might be something the organization can tolerate, while a high risk could have catastrophic consequences requiring immediate action.
Impact categories can include financial, strategic, customer-related, employee-related, regulatory, operational, and reputational aspects. Not all categories apply to every organization, and some may overlap. Defining the values for these categories is crucial for establishing a common language and meeting ISO 27001 requirements for consistent risk assessments.
Financial impact is typically the easiest to define, using currency figures or percentages of annual turnover. Non-financial impacts, such as operational or reputational, require more nuanced definitions. For example, operational impact might be measured by the duration of business disruption, while reputational impact could be assessed based on the level of media interest.
Likelihood categories are usually defined on a scale from “very unlikely” to “very likely,” with clear descriptions of what each category means. These can be based on expected frequency of occurrence, such as annually, monthly, weekly, or daily. Estimating likelihood can be based on past experiences within the organization or industry-wide occurrences.
Using multiple impact categories is important because security is everyone’s responsibility, and different departments may need to assess impact in different terms. For instance, a chemical manufacturer might need to define impact levels in terms of employee health and safety, while other departments might focus on financial or operational impacts.
A risk heat map, which combines likelihood and impact levels, is a useful tool for visualizing risk severity. The highest risk area (typically colored red) represents what would be catastrophic for the organization, regardless of the specific impact category. This approach allows for a comprehensive view of risks across different aspects of the business, enabling more effective risk management strategies.
DISC InfoSec offer free initial high level assessment – Based on your needs DISC InfoSec offer ongoing compliance management or vCISO retainer.
The best approach for SMBs to start the cybersecurity risk management process involves the following steps:
Understand Your Risks:
Conduct a basic risk assessment to identify critical assets, potential threats, and vulnerabilities.
Prioritize risks based on their potential impact and likelihood.
Set Clear Goals:
Define your cybersecurity objectives, such as protecting customer data, complying with regulations, or avoiding downtime.
Develop a Security Policy:
Create a simple, easy-to-follow cybersecurity policy that outlines acceptable use, password management, and data handling practices.
Start with the Basics:
Implement basic cybersecurity measures like using firewalls, antivirus software, and regular system updates.
Use strong passwords and enable multi-factor authentication (MFA).
Train Your Employees:
Provide ongoing security awareness training to help employees recognize phishing, social engineering, and other threats.
Back Up Your Data:
Regularly back up critical data and store it in a secure, offsite location.
Test your backup and recovery process to ensure it works effectively.
Monitor and Respond:
Set up basic monitoring to detect suspicious activity (e.g., failed login attempts).
Establish an incident response plan to know what to do in case of an attack.
Leverage External Resources:
Work with a trusted Managed Security Service Provider (MSSP) or consultant to cover any expertise gaps.
Consider using frameworks like NIST Cybersecurity Framework (CSF) or CIS Controls for guidance.
Start Small and Scale Up:
Focus on quick wins that provide maximum risk reduction with minimal effort.
Gradually invest in more advanced tools and processes as your cybersecurity maturity grows.
Regularly Review and Update:
Reassess risks, policies, and controls periodically to stay ahead of evolving threats.
This structured approach helps SMBs build a solid foundation without overwhelming resources or budgets.