Hacking the mind: Why psychology matters to cybersecurity

Security Intelligence, by Jonathan Reed

6 February 2025, 11:00

In cybersecurity, too often, the emphasis is placed on advanced technology meant to shield digital infrastructure from external threats. Yet, an equally crucial — and underestimated — factor lies at the heart of all digital interactions: the human mind. Behind every breach is a calculated manipulation, and behind every defense, a strategic response. The psychology of cyber crime, the resilience of security professionals and the behaviors of everyday users combine to form the human element of cybersecurity. Arguably, it’s the most unpredictable and influential variable in our digital defenses.

To truly understand cybersecurity is to understand the human mind — both as a weapon and as a shield.

Peering into the mind of a cyber criminal

At the core of every cyberattack is a human, driven not just by code but by complex motivations and psychological impulses. Cyber criminals aren’t merely technologists. They are people with intentions, convictions, emotions and specific psychological profiles that drive their actions. Financial gain remains a primary incentive to launch attacks like ransomware. But some are also driven by ideological motives, or they relish the chance to outsmart advanced defenses so they can later brag about it in dark web forums.

Many cyber criminals share distinct personality traits: an inclination for risk-taking, problem-solving prowess and an indifference to ethical boundaries. Furthermore, the physical and digital distance inherent in online crime can create a psychological disconnect, minimizing the moral weight of their actions. This environment enables cyber criminals to justify their behavior in ways they might not if they had to face their victims in person. Equipped with these psychological “advantages,” cyber criminals excel in social engineering tactics. They manipulate people instead of systems to gain unauthorized access.

Exploiting the human factor with social engineering

One of the most powerful weapons in a cyber criminal’s arsenal isn’t high-tech malware but the vulnerability of the human mind. Social engineering attacks, like phishing, vishing (voice phishing) and smishing (SMS phishing), exploit non-technological human factors like trust, fear, urgency and curiosity. And these tactics are alarmingly effective. A recent report from Verizon found that the human element factored into 68% of data breaches, underscoring the vulnerability of human interactions.

Phishing attacks, for instance, are designed to create a sense of urgency, fear or curiosity. Attackers manipulate users into clicking malicious links or revealing sensitive information. The success of these attacks depends on creating a false sense of trust and authority, preying on our innate tendencies. Understanding these methods is not only crucial for developing technical countermeasures but also for educating users to resist psychological manipulation.

The mental fortitude of cyber professionals

Defending against cyber threats requires more than solid technical skills; it demands resilience, ethical conviction and a keen understanding of human behavior. Cyber professionals operate in a high-stakes environment and face unrelenting pressure. Mental resilience enables them to rapidly respond to breaches, restore security and learn from the incident.

Creativity and adaptability are also indispensable in cybersecurity. As cyber criminals constantly refine their tactics, security professionals need to anticipate these moves. They, too, must innovate by developing new countermeasures before an attack even occurs. Like a chess match, staying ahead of intruders requires ingenuity that goes beyond technical skills. The best security teams have the ability to see beyond conventional approaches and the courage to pioneer novel defenses.

Finally, ethics play a defining role, particularly as security professionals are entrusted with sensitive data and powerful tools. Through misuse or negligence, these secrets and tools could cause substantial harm. Adherence to a strong ethical code serves as a psychological anchor, helping cyber pros to navigate the moral complexities of their work while prioritizing user privacy and security.

In a nutshell, working as a cybersecurity professional is one of the hardest jobs on earth.

Building a psychologically aware cybersecurity strategy

A truly effective cybersecurity strategy doesn’t just block attacks; it anticipates and adapts to human behavior. Therefore, aligning security measures with natural human tendencies can elevate an organization’s defenses significantly. This works better than relying on users to remember overly complex protocols.

For instance, training and awareness programs that incorporate psychological insights are far more impactful than traditional “box-ticking” sessions. The principles of Nudge Theory, which employs subtle prompts to influence behavior, offer a potent alternative. Well-designed programs make secure behaviors easy, attractive and timely. This guides employees toward safer practices without the punitive undertones that can breed resentment and resistance.

Creating a culture of psychological safety within an organization can also encourage employees to address security concerns proactively. When people feel safe discussing potential threats and even mistakes, the early identification of risks and a collective commitment to security becomes second nature. This “human firewall” effect, where individuals collectively protect digital assets, strengthens organizational resilience.

Behavioral analytics: The fusion of psychology and technology

User behavior analytics is where technology meets psychology in a powerful way. By analyzing behavioral patterns and detecting deviations, organizations can preemptively identify potential threats. This approach operates on the principle that individuals, even in digital spaces, follow predictable patterns. Behavioral analytics can detect anomalous behaviors — such as a sudden attempt to access restricted files or logins at unusual times — signaling a potential breach.
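The principle described above (individuals follow predictable patterns, so deviations such as off-hours logins or reads outside a user's usual data are worth flagging) is easier to see with a concrete baseline-and-score routine. The following Python is an added example written for this page, not code from the article or from any product; the log lines, the user, the file paths and the scoring rules are all constructed for illustration.

```python
"""Toy user-behaviour baseline and anomaly scoring over constructed login/access events."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not real logs): "timestamp,user,action,resource"
BASELINE_LOG = """\
2025-01-06T09:02:11,alice,login,vpn
2025-01-06T09:15:40,alice,read,/finance/q4-report.xlsx
2025-01-07T08:55:03,alice,login,vpn
2025-01-07T10:20:19,alice,read,/finance/budget.xlsx
2025-01-08T09:10:27,alice,login,vpn
2025-01-08T11:41:02,alice,read,/finance/q4-report.xlsx
2025-01-09T09:05:55,alice,login,vpn
2025-01-10T09:00:30,alice,login,vpn
"""

# Constructed recent activity: a normal day, then a 03:00 session reading HR data.
RECENT_LOG = """\
2025-01-13T09:01:12,alice,login,vpn
2025-01-13T09:30:44,alice,read,/finance/budget.xlsx
2025-01-14T03:12:09,alice,login,vpn
2025-01-14T03:15:51,alice,read,/hr/salaries.xlsx
2025-01-14T03:16:40,alice,read,/hr/terminations.xlsx
"""


def parse(log_text):
    """Turn the comma-separated lines into event dicts with real datetimes."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, action, resource = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource})
    return events


def hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 0 are one hour apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def build_baseline(events):
    """Per-user profile: the hours at which the user logs in and the resources they read."""
    profile = defaultdict(lambda: {"login_hours": Counter(), "resources": set()})
    for e in events:
        p = profile[e["user"]]
        if e["action"] == "login":
            p["login_hours"][e["ts"].hour] += 1
        elif e["action"] == "read":
            p["resources"].add(e["resource"])
    return profile


def score_event(event, profile, hour_tolerance=1):
    """Return (score, reasons); score 0 means the event is consistent with the baseline."""
    p = profile.get(event["user"])
    if p is None:
        return 2, ["no baseline for user"]
    reasons = []
    if event["action"] == "login":
        seen = p["login_hours"]
        if not any(hour_distance(event["ts"].hour, h) <= hour_tolerance for h in seen):
            reasons.append(f"login at hour {event['ts'].hour:02d}, baseline hours {sorted(seen)}")
    elif event["action"] == "read" and event["resource"] not in p["resources"]:
        # A new file inside a directory the user already works in is not flagged,
        # a deliberate choice to keep false positives down; a new top-level area is.
        top_dir = event["resource"].split("/")[1]
        baseline_dirs = {r.split("/")[1] for r in p["resources"]}
        if top_dir not in baseline_dirs:
            reasons.append(f"read of {event['resource']} outside baseline areas {sorted(baseline_dirs)}")
    return len(reasons), reasons


def detect_anomalies(baseline_events, recent_events, threshold=1):
    """Score recent events against the learned baseline and return the flagged ones."""
    profile = build_baseline(baseline_events)
    flagged = []
    for e in recent_events:
        score, reasons = score_event(e, profile)
        if score >= threshold:
            flagged.append((e["ts"].isoformat(), e["user"], reasons))
    return flagged


if __name__ == "__main__":
    for ts, user, reasons in detect_anomalies(parse(BASELINE_LOG), parse(RECENT_LOG)):
        print(ts, user, "; ".join(reasons))
```

Run as-is, the two daytime events score zero and the three 03:00 events are flagged: the login because no baseline hour lies within an hour of it, and the two reads because `/hr/` is an area the user has never touched. A real deployment would learn the baseline over weeks rather than one week and feed the flags into triage, but the shape (profile per user, score per event, threshold) is the same.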

This combination of psychology and technology allows for dynamic, adaptive security measures that can catch threats early, often before they escalate into full-fledged incidents. By weaving human insight into the fabric of digital security, behavioral analytics represents a major step forward in cybersecurity defenses.

Rethinking the rhetoric of cybersecurity

The cybersecurity industry has long relied on fear-driven messaging to encourage secure behavior. However, experts argue that this approach, while effective in the short term, may actually discourage engagement in the long run. By using dramatic language to describe threats, the industry may be creating a sense of helplessness among the general public. Portraying cybersecurity as a field too complex and overwhelming for normal individuals to understand promotes failure.

Instead, fostering a sense of civic responsibility can empower anyone to participate in cybersecurity efforts. When people understand that their actions contribute to a safer online community, they’re more likely to engage in secure practices. Reframing cybersecurity as a shared responsibility rather than a source of fear can transform public engagement with online security.

Bridging technology and psychology for a secure future

Today, cybersecurity is no longer solely a technical issue — it is a fundamentally human one. Security strategies must weave technology and psychology together to create a comprehensive defense that accounts for both system vulnerabilities and human behavior. Cyber criminals leverage psychological tactics to manipulate individuals. A deeper understanding of this will make security stronger. Meanwhile, cybersecurity professionals rely on their mental resilience, creativity and ethical fortitude to counter these threats.

From training programs based on psychological principles to implementing behavioral analytics, incorporating human insights into cybersecurity strategies leads to a more adaptive and robust defense. By embracing psychology alongside technological advancements, we can transform cybersecurity from a reactive discipline into a proactive, resilient force.

The post Hacking the mind: Why psychology matters to cybersecurity appeared first on Security Intelligence.

CISOs drive the intersection between cyber maturity and business continuity

Security Intelligence, by Jonathan Reed

3 February 2025, 11:00

The modern corporate landscape is marked by rapid digital change, heightened cybersecurity threats and an evolving regulatory environment. At the nexus of these pressures sits the chief information security officer (CISO), a role that has gained newfound influence and responsibility.

The recent Deloitte Global Future of Cyber Survey underscores this shift, revealing that “being more cyber mature does not make organizations immune to threats; it makes them more resilient when they occur, enabling critical business continuity.” High-cyber-maturity organizations increasingly integrate cybersecurity risk strategies, security practices and trust-building approaches into their business and technology transformations. And it’s all enabled by a cyber-savvy C-suite and influential CISOs.

Let’s explore how cyber maturity enhances resilience, why cyber is now being integrated into broader business budgets and what organizations can do to bolster their business continuity.

The expanding role of CISOs in corporate strategy

Historically, CISOs were typically siloed within the IT department, focusing on technical and operational aspects of cybersecurity. However, as threats have evolved, so has the role of the CISO. According to Deloitte’s report, about one-third of organizations have seen a significant increase in CISO involvement in strategic conversations about business-critical technology decisions. Furthermore, approximately one in five CISOs now report directly to the CEO, marking a shift toward greater business alignment and visibility. This expanded role places CISOs alongside other senior leaders to guide decisions on digital transformation, cloud security, and supply chain resilience.

Emily Mossburg, Deloitte’s global cyber leader, notes that “many boards and C-suites now require or need further knowledge into potential threats, security vulnerabilities, risk scenarios and actions needed for greater resilience.” CISOs are increasingly tasked with not only understanding these complex cyber landscapes but also translating them into language that senior leadership and boards can act upon.

Cybersecurity as an integral business strategy

In high-cyber-maturity organizations, cybersecurity is embedded across operations, facilitating a seamless alignment between risk management and business goals. According to Deloitte, these organizations are more resilient when incidents occur, enabling critical business continuity by preparing for and swiftly responding to cyber threats. This proactive integration is not limited to IT. It extends into every function that touches digital infrastructure — from operations and finance to customer experience and product innovation.

In modern digitally interconnected ecosystems, a cyber incident affecting one partner could impact the entire supply chain. High-cyber-maturity organizations anticipate these risks by establishing protocols and response measures that enable them to recover quickly, ensuring continuity across all critical operations. Companies with lower cyber maturity, on the other hand, face longer recovery times and can suffer more severe impacts on their revenue, brand reputation and operational capabilities.

This integration of cybersecurity into broader strategic goals reflects a more nuanced understanding of cyber resilience. Instead of viewing cybersecurity solely as a cost center, leaders increasingly recognize it as a foundational element of business value and continuity. This understanding translates into better allocation of resources and a more balanced approach to cyber risk management.

Evolving cybersecurity budgets

As cybersecurity gains prominence within business strategy, budget allocations are changing to reflect its importance across multiple areas. Deloitte’s findings indicate that many organizations are beginning to integrate cybersecurity spending with other budgets, such as digital transformation, IT programs and cloud investments. This shift acknowledges the cross-functional impact of cybersecurity, particularly in organizations with complex, interconnected digital ecosystems.

The trend is mirrored by a recent IANS and Artico Search survey, which reported an 8% increase in cybersecurity spending this year, up from 6% in 2023. While modest, this increase suggests that organizations recognize the need for sustained investment in cyber resilience to keep pace with emerging threats, especially as AI and automation reshape the cyber landscape.

Integrating cybersecurity with broader budgets also aligns with the CISO’s role in risk quantification and value communication. Techniques such as the FAIR (Factor Analysis of Information Risk) model allow CISOs to translate cybersecurity risks into financial metrics, making it easier to justify investments and demonstrate ROI to the C-suite.
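To make the "translate cyber risk into financial metrics" step concrete, here is an added Python example (written for this page, not taken from the article, from Deloitte or from the FAIR standard's own tooling). It applies FAIR's factor decomposition, loss event frequency = threat event frequency × vulnerability, and annual loss = sum of loss magnitudes over the loss events that occur, to a constructed scenario; the three-point estimates and the choice of a PERT distribution are assumptions for illustration.

```python
"""Toy FAIR-style risk quantification: turn ranged analyst estimates into a loss distribution."""
import math
import random
import statistics

# Constructed scenario (illustrative numbers, not from any real assessment).
# Each factor is a (low, most_likely, high) estimate from the risk analyst.
SCENARIO = {
    "threat_event_frequency": (2, 6, 12),             # attacks attempted per year
    "vulnerability": (0.05, 0.15, 0.40),              # probability an attempt becomes a loss event
    "loss_magnitude": (50_000, 200_000, 1_500_000),   # cost per loss event, in currency units
}


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a modified PERT (Beta) distribution bounded by the analyst's estimates."""
    if high == low:
        return low
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, lam):
    """Number of loss events in a year for an expected frequency lam (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, iterations=10_000, seed=1):
    """Monte Carlo over one year: LEF = TEF x Vulnerability; loss = sum of per-event magnitudes."""
    rng = random.Random(seed)  # fixed seed so results are reproducible in a report
    losses = []
    for _ in range(iterations):
        tef = pert_sample(rng, *scenario["threat_event_frequency"])
        vuln = pert_sample(rng, *scenario["vulnerability"])
        n_events = poisson_sample(rng, tef * vuln)
        losses.append(sum(pert_sample(rng, *scenario["loss_magnitude"]) for _ in range(n_events)))
    return losses


def summarize(losses):
    """Figures a CISO would present: expected annual loss plus tail percentiles."""
    ordered = sorted(losses)
    pct = lambda q: ordered[min(len(ordered) - 1, int(q * len(ordered)))]
    return {
        "annualized_loss_expectancy": statistics.mean(losses),
        "median": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "probability_of_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


if __name__ == "__main__":
    for name, value in summarize(simulate_annual_loss(SCENARIO)).items():
        print(f"{name:>28}: {value:,.2f}")
```

The point of the percentiles is that a single "expected loss" hides the tail: a control that costs less than the gap between the p90 and the expectancy may be worth funding even though it barely moves the average. Because the PERT mean with `lam=4` is `(low + 4*mode + high) / 6`, the simulated expectancy for this scenario lands near 6.33 × 0.175 × 391,667, roughly 434,000, which is a quick sanity check on the model.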

Navigating regulatory mandates and disclosure requirements

Regulatory mandates are also shaping the evolving role of the CISO and cybersecurity’s integration into corporate strategy. With the U.S. Securities and Exchange Commission (SEC) now requiring companies to disclose material cyber incidents and provide insights into their cyber strategy, CISOs are under pressure to ensure regulatory compliance. This disclosure requirement applies to both U.S.-based and foreign companies trading on U.S. markets, reinforcing cybersecurity’s critical role across global business operations.

The SEC’s regulatory emphasis on transparency has heightened the importance of cybersecurity within boardrooms, leading senior executives to turn to CISOs for guidance on managing risks and compliance. Beyond U.S. markets, regulatory authorities worldwide are implementing frameworks and standards that require companies to report cyber incidents, particularly as ransomware and other cyberattacks have grown more prevalent. In addition to regulatory compliance, the reputation and operational continuity tied to regulatory adherence have pushed CISOs to develop comprehensive cybersecurity strategies that align with overall business goals.

Steps to building a cyber-resilient organization

High-cyber-maturity organizations demonstrate that integrating cybersecurity into business strategy requires more than technical defenses; it demands a multi-dimensional approach encompassing governance, culture and operational resilience. Here are several key areas where organizations can focus to build a cyber-resilient structure:

  1. Leadership and governance: Effective cybersecurity governance starts at the top. Organizations should establish clear reporting structures where CISOs communicate directly with the CEO or board. This positioning emphasizes cybersecurity’s strategic importance and enables informed decision-making at the highest levels.

  2. Risk management practices: Proactive risk management means identifying, assessing and mitigating cyber risks in line with business objectives. High-cyber-maturity organizations use both quantitative and qualitative methods to understand and prioritize risks, creating a structured approach to managing the vulnerabilities that could impact operations.

  3. Incident response and recovery: Resilient organizations are not just prepared for incidents; they are equipped to recover swiftly and minimize impact. Robust incident response plans, regularly tested and updated, are essential for ensuring that organizations can maintain continuity even amid significant cyber events. These plans should involve cross-functional teams and clear communication channels to coordinate an efficient response.

  4. Continuous improvement and innovation: Cybersecurity is a dynamic field where continuous improvement is critical. Organizations should prioritize regular evaluations and updates to their cybersecurity measures, allowing them to stay ahead of evolving threats. As AI, automation and other technologies emerge, adopting them to enhance cybersecurity capabilities — such as anomaly detection and automated incident response — can further boost resilience.

CISOs take the lead

In the evolving landscape of cyber threats, the role of the CISO is becoming more integral to organizational resilience and business continuity. High-cyber-maturity organizations are leading the way, integrating cybersecurity into their strategic goals and recognizing that it is not merely an IT function but a business-critical priority. By aligning cybersecurity spending with broader business budgets, they can enhance resilience and drive long-term value.


When ransomware kills: Attacks on healthcare facilities

Security Intelligence, by Jonathan Reed

30 January 2025, 11:00

As ransomware attacks continue to escalate, their toll is often measured in data loss and financial strain. But what about the loss of human life? Nowhere is the ransomware threat more acute than in the healthcare sector, where patients’ lives are literally on the line.

Since 2015, there has been a staggering increase in ransomware attacks on healthcare facilities. And the impacts are severe: Diverted emergency services, delayed critical treatments and even fatalities. Meanwhile, the pledge some ransomware groups made during the COVID-19 pandemic to avoid attacking healthcare providers has been abandoned. It’s clear that hospitals are now fair game.

Ransomware attacks on the healthcare sector cause real harm to patients, impacting survival rates and threatening other critical services. And ransomware targeting other critical infrastructure carries serious implications for public health and safety.

Ransomware in life-and-death situations

Hospitals depend heavily on digital systems for managing patient care. When a ransomware attack strikes, these systems go offline, with often tragic results. Research highlights the risks: There’s been a 300% increase in ransomware attacks on healthcare since 2015. This led to a spike in emergency cases, including strokes and cardiac arrests, at hospitals overwhelmed by patients diverted from facilities hit by cyberattacks.

A study by the University of California San Diego showed that ransomware attacks on hospitals cause a spillover effect. This means neighboring hospitals see a surge in patients, leading to cardiac arrest cases jumping 81%. Survival rates also dropped for those cardiac arrest cases.

One recent example is the ransomware attack on Synnovis, a pathology services provider to the NHS in London. The attack caused problems with blood tests and transfusions, delaying crucial cancer treatments and elective procedures across several hospitals. This disruption illustrates a common trend in healthcare-related ransomware incidents: Delayed testing and procedures can become life-threatening as time-sensitive treatments are postponed or missed altogether.

In another study of two urban emergency departments adjacent to a healthcare organization under attack, researchers noted significant increases in patient volume, longer waiting times and increases in patient “left without being seen” rates. These delays, according to the study, underscore the need for a disaster response approach for such incidents.

In some cases, the tragic consequences of ransomware in healthcare have been documented in legal proceedings. In 2020, a woman sued an Alabama hospital, claiming that a ransomware attack had contributed to the death of her newborn daughter. The hospital’s computer systems were offline during delivery, preventing access to critical monitoring tools and allegedly leading to severe birth complications. While the case has been settled, it raises the question of whether similar events may have occurred without public awareness.

Ransomware impacts beyond healthcare

While the healthcare sector’s vulnerability to ransomware is uniquely tragic, critical infrastructure sectors are also facing increased risks. When Colonial Pipeline, a major fuel distributor, was hit by ransomware in 2021, it led to fuel shortages across the Eastern U.S. Though no direct fatalities were reported, the panic that ensued may have resulted in at least one fatal car accident as people rushed to stockpile fuel.

In critical infrastructure sectors, the potential for loss of life or injury is significant. Attacks on power grids, water supplies and transportation systems could have severe consequences. Researchers warn that a ransomware attack on an energy grid, for example, could disrupt power to hospitals, emergency services and vulnerable populations, putting lives at risk. If the healthcare industry can serve as a lesson, the fallout from critical infrastructure attacks is not a hypothetical but a looming possibility.

How ransomware threats exploit vulnerabilities in healthcare

Healthcare facilities are attractive targets for ransomware for several reasons. First, they hold a wealth of sensitive patient data, including medical histories, personal information and financial details. The cost of downtime in healthcare is especially high. When health centers are crippled by ransomware, people’s lives are at stake, making hospitals more likely to pay a ransom quickly. Healthcare ransomware incidents result in an average payment of $4.4 million, according to recent studies from the second quarter of 2024.

Additionally, healthcare facilities often use complex and outdated infrastructure, relying on an assortment of vendors and legacy systems that can be difficult to secure. A lack of centralized cybersecurity across networks further increases vulnerabilities, allowing ransomware groups to infiltrate systems and cause cascading disruptions.

Evidence of ransomware’s lethal potential

Although establishing a direct causal link between ransomware attacks and fatalities can be complicated, recent data provides compelling insights. One analysis estimates that from 2016 to 2021, between 42 and 67 Medicare patients died as a result of ransomware attacks. And this doesn’t include private insurer data. Research also highlights the broader health impacts, including reduced care quality and delayed treatments. During cyber incidents, hospitals often resort to manual processes that lack the safety checks and efficiency of electronic health records, increasing the risk of error and missed diagnoses.

The problem isn’t limited to fatalities. Ransomware-induced delays can exacerbate health issues, resulting in long-term complications and higher healthcare costs. A delayed diagnosis can mean the difference between life and death for conditions like heart disease, stroke and sepsis. Ransomware attacks may, therefore, lead to excess deaths, even if the connection is indirect.

The need for resilience against ransomware attacks

To mitigate the impact of ransomware on patient care, some hospitals have begun implementing ransomware response protocols, such as Children’s National Hospital’s “Code Dark” procedures. These response protocols are designed to maintain continuity of care when systems are down, including clear instructions for manual record-keeping, communication protocols and patient triage. Yet, these steps can only go so far. True resilience requires proactive measures like employee training, layered security controls and frequent system backups to minimize disruption.

As ransomware attacks grow more sophisticated, many in the cybersecurity industry argue for policy changes to address the threat. One critical need is better data sharing among healthcare facilities, cybersecurity experts and government agencies to track trends and respond quickly. Governments also need to classify healthcare cybersecurity as a matter of national security, allocating resources and support to help facilities improve resilience against ransomware and other cyber threats.

Addressing the growing ransomware threat

The threats to the healthcare sector provide a stark reminder of the broader risks ransomware poses to society. While healthcare providers are uniquely vulnerable, other critical infrastructure sectors are increasingly at risk. As demonstrated by the Colonial Pipeline incident, the ripple effects of ransomware can be felt across entire regions, affecting services as fundamental as fuel, water and transportation.

For cybersecurity professionals, the rise in ransomware attacks on critical services calls for a proactive approach to defense. This includes advocating for stronger industry standards, encouraging the use of robust cybersecurity tools and supporting cross-sector collaboration to prepare for and respond to attacks. The goal is clear: To minimize the risk that ransomware claims lives, either directly or through delayed access to essential services.


Taking the fight to the enemy: Cyber persistence strategy gains momentum

Security Intelligence, by Jonathan Reed

23 January 2025, 11:00

The nature of cyber warfare has evolved rapidly over the last decade, forcing the world’s governments and industries to reimagine their cybersecurity strategies. While deterrence and reactive defenses once dominated the conversation, the emergence of cyber persistence — actively hunting down threats before they materialize — has become the new frontier. This shift, spearheaded by the United States and rapidly adopted by its allies, highlights the realization that defense alone is no longer enough to secure cyberspace.

The momentum behind this proactive cyber strategy can be found in America’s Defend Forward initiative, the rise of cyber persistence among U.S. allies and the successful takedowns of infamous groups like LockBit ransomware. Meanwhile, the broader implications of this shift are revealed in the U.S. Department of State’s focus on digital solidarity in contrast to digital sovereignty.

Cyber persistence: A strategic pivot

The idea of cyber persistence, as opposed to cyber deterrence, is reshaping global cybersecurity efforts. Traditional deterrence theory, which aims to dissuade adversaries through the promise of retaliation, has failed to address the complexities of cyber criminal behavior. Malicious cyber actors, including state-sponsored entities and organized crime groups, continue to exploit vulnerabilities, which leads to critical infrastructure compromise, sensitive data theft and government or corporate network disruption.

In response, the U.S. Department of Defense 2023 Cyber Strategy reinforced the country’s commitment to “Defend Forward,” a proactive approach designed to directly disrupt adversaries’ operations. This strategy empowers cybersecurity forces to identify malicious activities before they escalate, track adversaries and take action to prevent or mitigate attacks. U.S. allies like the United Kingdom, Japan, Canada and the Netherlands have subsequently adopted similar strategies. They’ve all come to realize that cyberspace requires constant vigilance and operational persistence to stay ahead of evolving threats.

As the U.S. DoD outlines, engaging adversaries early in planning is essential to creating a more secure cyberspace. This involves tracking the capabilities and intentions of malicious actors and degrading their ability to act. Such a proactive stance requires cooperation, coordination and trust among allies. This is especially true since cyber campaigns often involve joint operations where one nation may invite another into its networks to assist in defense.

The shift from deterrence to persistent engagement

Increasingly, nations like the UK and the Netherlands are taking proactive measures to combat cyber threats by operationalizing cyber persistence. For example, the UK’s National Cyber Strategy highlights the importance of actively tackling adversaries’ cyber dependencies and emphasizes the need for persistent engagement in cyberspace. Further examples of this shift include Japan’s efforts to introduce active cyber defense and Canada’s participation in “Hunt Forward” operations. Both aim to actively search for and disarm malicious actors.

NATO has also acknowledged the necessity of a more proactive cyber stance. The 2022 NATO Strategic Concept recognizes that cyberspace is “contested at all times.” The document explicitly states that the cumulative effect of cyber activities could reach the level of an armed attack, potentially triggering NATO’s mutual defense obligations under Article 5. This signals the acceptance of cyber persistence as a critical aspect of national and collective security.

While deterrence remains a core strategy for nuclear and conventional warfare, it is becoming clear that in cyberspace, persistence — constantly identifying, mitigating and neutralizing threats — is critical to preventing large-scale cyber incidents.

The LockBit ransomware takedown: A case study in persistence

The February 2024 takedown of the LockBit ransomware group under Operation Cronos serves as a prime example of how persistent cyber strategies can effectively neutralize significant threats. LockBit, one of the most prolific Ransomware-as-a-Service (RaaS) groups, was responsible for approximately a quarter of all ransomware attacks in 2023. This included attacks on hospitals and other critical services during the COVID-19 pandemic.

Operation Cronos, a coordinated international effort, resulted in significant arrests, sanctions and the seizure of LockBit’s operational infrastructure. This was not just a technical takedown but a broader effort to undermine the group’s viability. Law enforcement agencies managed to access LockBit’s internal communications, expose its affiliates and disrupt its financial networks. This cumulative disruption severely damaged the group’s reputation, making it difficult for them to regain support within the cyber crime community.

While LockBit’s ringleader, known as “LockBitSupp,” has tried to claim the group’s resurgence, analysis shows that the law enforcement operation has had lasting effects. The exposure of the group’s inner workings has sowed distrust among affiliates, with many distancing themselves from the group. The takedown’s success demonstrates the power of cyber persistence, as it involved not only technical measures but also strategic psychological operations aimed at eroding the group’s support base.

Digital solidarity vs. digital sovereignty

At the heart of the United States’ international cyber strategy lies the concept of digital solidarity, which stands in stark contrast to the protectionist policies of digital sovereignty. Digital solidarity promotes collaboration and mutual support among nations, emphasizing the need for a secure, inclusive and resilient digital ecosystem. This strategy, unveiled in the U.S. Department of State’s 2024 International Cyberspace and Digital Policy Strategy, advocates for building international coalitions, aligning regulatory frameworks and fostering a free flow of data across borders.

The key pillars of digital solidarity include promoting an inclusive digital ecosystem, aligning governance approaches to data and advancing responsible state behavior in cyberspace. These efforts aim to ensure that all nations, especially emerging economies, have access to secure digital infrastructure and that global cooperation can thwart cyber threats through shared intelligence and mutual defense efforts.

In contrast, digital sovereignty emphasizes national control over digital infrastructure and data. Countries that adopt this stance seek to protect their digital assets by restricting foreign access to their markets and mandating data localization. While proponents argue that this approach can reduce dependence on foreign technology and enhance security, critics warn that it fragments the global digital ecosystem and makes it harder to respond collectively to cyber threats.

The tension between digital solidarity and digital sovereignty has significant implications for global cybersecurity. As the world’s digital infrastructure becomes more interconnected, the U.S. and its allies argue that collaboration, not isolation, is the key to addressing the complex cyber challenges of the future.

The future of proactive cyber defense

The shift from deterrence to persistence in cyberspace represents a new era of proactive cyber defense. By identifying vulnerabilities, disrupting adversaries’ operations and engaging in continuous cyber campaigns, the U.S. and its allies are reshaping the way nations approach cybersecurity.

Operations like the LockBit takedown underscore the effectiveness of this strategy. Plus, the emphasis on digital solidarity highlights the importance of international cooperation in creating a safer and more resilient digital ecosystem. As cyber threats continue to evolve, the persistence approach will likely become a cornerstone of modern cybersecurity. The goal is to ensure that nations can stay ahead of their adversaries and secure the future of cyberspace.


Are attackers already embedded in U.S. critical infrastructure networks?

21 January 2025, 11:00

The threat of cyberattacks against critical infrastructure in the United States has evolved beyond data theft and espionage. Intruders are already entrenched in the nation’s most vital systems, waiting to unleash attacks. For instance, CISA has raised alarms about Volt Typhoon, a state-sponsored hacking group that has infiltrated critical infrastructure networks. Their goal? To establish a foothold and prepare for potentially crippling attacks that could disrupt essential services across the nation.

Volt Typhoon embodies a threat far beyond everyday cyber crime. It indicates the dangerous reality of cyber pre-positioning — a tactic that allows cyber actors to infiltrate systems, maintain persistence and potentially launch massively destructive operations. With lifeline sectors such as communications, energy, transportation and water and wastewater systems under threat, the question is no longer if attackers are embedded within U.S. infrastructure but how deeply they have rooted themselves. And the implications directly impact national security.

Nation-state pre-positioning goes beyond espionage

Employed by nation-state actors, pre-positioning goes beyond mere intelligence gathering. By silently lurking within critical infrastructure networks, actors gain the capability to wreak havoc at a moment’s notice. These intrusions, particularly in sectors like water systems and energy grids, serve little espionage value, per Anne Neuberger, the Deputy National Security Adviser for Cyber and Emerging Technologies. This indicates that the infiltrations are likely precursors to far more disruptive objectives.

Volt Typhoon’s methodical approach has allowed them to infiltrate U.S. systems for extended periods — up to five years in some cases — without detection. They’ve targeted the infrastructure that millions of Americans depend on daily. In a time of heightened geopolitical tension, a well-timed cyberattack could grind vital systems to a halt, leaving the nation vulnerable to cascading failures across multiple sectors. The fallout could be unprecedented, impacting national security, the economy and everyday life.

Volt Typhoon’s tactical mastery

Volt Typhoon is no ordinary hacking group. This state-sponsored entity has displayed a level of sophistication that challenges even the most robust cybersecurity defenses. Through its living-off-the-land (LOTL) tactics, the group exploits legitimate network administration tools, blending seamlessly with normal traffic and making detection extremely difficult. Their use of known vulnerabilities in public-facing devices such as routers and VPNs allows them to gain access, while compromised administrator credentials give them the power to burrow deeper into networks and assess operational technology (OT) systems.

The group’s calculated patience is noteworthy. Instead of seeking short-term gains, they carefully study their targets and gain an understanding of the nuances of the systems they infiltrate. In one case, Volt Typhoon spent nine months moving laterally through a water utility’s network, gaining access to crucial OT assets, including water treatment plants and electrical substations. These infiltrations are more than a technical breach — they represent a looming threat to physical infrastructure that could manifest in catastrophic failures.


The FOCAL Plan’s strategic response

In the face of these threats, CISA has developed a robust response: the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan. This strategic framework aims to shore up federal cybersecurity defenses by driving coordinated action across agencies. The FOCAL Plan outlines how federal agencies can adopt best practices to defend against pre-positioning and other sophisticated cyber threats, promoting a holistic approach from prevention to incident response.

The FOCAL Plan focuses on five critical areas: asset management, vulnerability management, defensible architecture, cyber supply chain risk management and incident detection and response. Each area plays a crucial role in safeguarding federal systems from persistent threats like Volt Typhoon:

  1. Asset management: Without knowing what assets exist within an organization, it is impossible to protect them. The FOCAL Plan emphasizes comprehensive, continuous visibility into all IT and OT assets to ensure that any unauthorized access can be detected and mitigated quickly.

  2. Vulnerability management: Regular vulnerability scanning and timely patching prevent hackers from exploiting known weaknesses, shutting down one of their primary entry points.

  3. Defensible architecture: Organizations must build resilience into systems, assuming that attacks will happen. This includes implementing zero trust principles to restrict lateral movement within networks and limit the damage attackers can do, even if they gain access.

  4. Supply chain risk management: This addresses the growing reliance on third-party vendors. With many cyberattacks exploiting vulnerabilities in third-party systems, the FOCAL Plan emphasizes the need for agencies to closely monitor their supply chains and ensure that their vendors adhere to strict cybersecurity protocols.

  5. Incident detection and response: This is the FOCAL Plan’s approach to real-time cyber defense. CISA urges agencies to deploy advanced tools like endpoint detection and response (EDR) systems, which can identify and respond to threats before they cause significant damage. The ability to share threat intelligence and coordinate responses across federal agencies is essential for ensuring that the government can act swiftly in the event of an attack.

Mitigation urgency and action

The threat landscape outlined by Volt Typhoon’s actions calls for an urgent response — not just from federal agencies but from every organization that operates critical infrastructure. The key to stopping attackers from exploiting pre-positioned access is to adopt a mentality of constant vigilance and proactive threat hunting. It’s not enough to react to attacks after they happen. Organizations must actively hunt for threats, continually monitor their systems and act quickly to patch vulnerabilities before they can be exploited.

CISA’s FOCAL Plan provides a framework, but it is up to individual organizations to implement these measures at every level. Regular security audits, comprehensive asset management and adherence to the latest cybersecurity best practices are non-negotiable. Organizations must be prepared for the reality of an attack, ensuring that they have backup systems in place. It’s vital to practice incident response through tabletop exercises and maintain open communication channels with CISA and other federal agencies.

The harsh reality is that many organizations may already have pre-positioned attackers within their networks. The objective now is to limit the damage they can do and to ensure that attackers cannot trigger even more widespread disruption.

The clock is ticking

The presence of cyber actors like Volt Typhoon in U.S. critical infrastructure is not hypothetical — it’s happening now, and the consequences of inaction could be devastating. The ability of these attackers to remain hidden within networks for years, studying their targets and preparing for destructive actions, underscores the importance of robust, proactive cybersecurity measures.

The FOCAL Plan is a step in the right direction, but the fight against pre-positioned cyber actors is far from over. It will require a sustained, coordinated effort between federal agencies, private organizations and international allies to ensure that U.S. critical infrastructure is protected and remains resilient.



The current state of ransomware: Weaponizing disclosure rules and more

16 January 2025, 11:00

As we near the end of 2024, ransomware remains a dominant and evolving threat against any organization. Cyber criminals are more sophisticated and creative than ever. They integrate new technologies, leverage geopolitical tensions and even use legal regulations to their advantage.

What once seemed like a disruptive but relatively straightforward crime has evolved into a multi-layered, global challenge that continues to threaten businesses and governments alike.

Let’s take a look at the state of ransomware today. We’ll focus on how cyber criminals are changing tactics, relying on AI technology, exploiting legal frameworks and more.

AI supercharges phishing and social engineering

One of the most significant developments in the ransomware landscape has been the use of artificial intelligence (AI) to enhance phishing and social engineering attacks. Historically, phishing emails often contained obvious signs of fraud — misspelled words, poor grammar and generic messaging. However, new generative AI tools can craft highly personalized and professional-looking emails, which has drastically changed the game. This likely explains why phishing attack volumes and success rates have been rising: phishing campaigns are now easier to generate and more convincing than ever.

AI allows threat actors to mine vast amounts of data to craft convincing emails targeting specific individuals or organizations. These emails may contain contextual information that makes them seem legitimate, significantly increasing the likelihood of success. The ability to deliver such precise attacks is why ransomware has been particularly devastating to industries like healthcare, where any disruption can have life-threatening consequences.

Additionally, AI-generated deepfake technology has begun to play a role in social engineering. Cyber criminals can now create audio and video deepfakes of company executives to trick employees into transferring money or revealing sensitive information. This has made detecting fraud much harder, and organizations are finding it increasingly difficult to protect against such attacks.

Weaponizing disclosure rules

Ransomware groups are not just relying on technical means to pressure victims into paying ransoms — they are also manipulating legal regulations to their advantage. One of the most striking developments in 2024 has been the weaponization of disclosure rules, specifically those issued by the U.S. Securities and Exchange Commission (SEC).

A recent high-profile case involved the ransomware group BlackCat/ALPHV filing a formal SEC complaint against a digital lending service provider. After exfiltrating the company’s files, the group allegedly reported to the SEC that the provider failed to comply with regulations that require organizations to disclose any cybersecurity incident within four business days. This added “legal” tactic was designed to pressure victims into paying the ransom to avoid financial penalties or reputational damage.

This disturbing incident shows that ransomware groups will use anything, even government regulations, as leverage. “Threat actors are using the regulations to put more pressure on the victims. This is quite an interesting trend,” said Ifigeneia Lella, a cybersecurity expert at the European Union Agency for Cybersecurity (ENISA). It is a chilling reminder that legal frameworks, while intended to protect the public and promote transparency, can be manipulated by bad actors to further their own malicious agendas.


Living-off-the-land attacks fly under the radar

As per the ENISA Threat Landscape 2024 report, the past year saw increasing use of “living-off-the-land” (LOTL) techniques by cyber criminals. LOTL attacks involve using tools and software that already exist within a victim’s system, making it harder for security teams to detect malicious activity. Instead of relying on external malware that can be flagged by antivirus software, attackers leverage legitimate administrative tools like PowerShell or Windows Management Instrumentation (WMI) to execute their attacks.

For example, PLAY, a multi-extortion ransomware group, often uses off-the-shelf tools like Cobalt Strike, Empire and Mimikatz for discovery and lateral movement within a target’s network. By avoiding the introduction of new, suspicious software, attackers can evade detection for longer periods, often until it’s too late for the victim to respond effectively. This shift towards LOTL techniques represents an ongoing challenge for cybersecurity professionals, as traditional antivirus solutions are becoming less effective against these subtle attacks.
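The LOTL pattern described here, and in the Volt Typhoon discussion above (legitimate administration tools such as PowerShell and WMI used to blend in with normal activity), is usually caught not by file signatures but by looking at who launched what. The rules below are an added example of that defender-side logic; they are not code from the article, from ENISA or from any EDR product. The event schema and the sample events are constructed for illustration, loosely modelled on process-creation telemetry (parent image, image, command line), and the base64 blob in the second event is a constructed placeholder, not a real payload.

```python
"""Toy detection rules for living-off-the-land (LOTL) activity.

Added example, not code from the article or from ENISA. The event schema
and the sample events below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-ChildItem C:\\Users"},
    {"host": "ws01", "user": "alice", "parent": "winword.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc QUJDRA=="},  # constructed blob
    {"host": "srv02", "user": "SYSTEM", "parent": "svchost.exe",
     "image": "wmiprvse.exe", "cmdline": "wmiprvse.exe -secured -Embedding"},
    {"host": "srv02", "user": "svc_backup", "parent": "wmiprvse.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami /all"},
    {"host": "srv03", "user": "bob", "parent": "services.exe",
     "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# powershell.exe accepts abbreviated switch names, so match the common forms
# of -EncodedCommand and -WindowStyle hidden rather than one exact spelling.
ENCODED_RE = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\b")
HIDDEN_RE = re.compile(r"(?i)\s-w(indowstyle)?\s+hidden\b")


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty list = no finding)."""
    hits: List[str] = []
    parent = ev["parent"].lower()
    image = ev["image"].lower()
    cmd = ev["cmdline"]
    # An Office document should not need to start a script interpreter.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if image in {"powershell.exe", "pwsh.exe"}:
        if ENCODED_RE.search(cmd):
            hits.append("powershell_encoded_command")
        if HIDDEN_RE.search(cmd):
            hits.append("powershell_hidden_window")
    # The WMI provider host launching a shell is the footprint of commands
    # executed through WMI rather than by an interactive user.
    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
        hits.append("wmi_spawns_shell")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (host, user, image, matched rules) for every event with a finding."""
    findings = []
    for ev in events:
        rules = score_event(ev)
        if rules:
            findings.append((ev["host"], ev["user"], ev["image"], rules))
    return findings


if __name__ == "__main__":
    for host, user, image, rules in scan(SAMPLE_EVENTS):
        print(f"{host} {user} {image}: {', '.join(rules)}")
```

None of these rules looks at the binary on disk, which is the point: the tools are legitimate and allowed, so the signal has to come from the parent-child relationship and the command line. In production the same logic runs over the EDR's process-creation stream, and each rule would carry an allowlist for the administrative automation that legitimately trips it.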

Ransomware, geopolitical tensions and hacktivism

In addition to technological advancements, ransomware is increasingly being used as a weapon of geopolitical influence and hacktivism. Cyber criminals are no longer just motivated by financial gain; some are using malware to further political agendas, destabilize governments or create chaos in certain regions.

The ENISA report emphasized how geopolitical tensions are converging with ransomware attacks. For instance, during the Russia-Ukraine conflict, ransomware groups targeted critical infrastructure in Ukraine and other countries allied with Ukraine. These attacks weren’t necessarily financially motivated but rather politically driven. The aim was to disrupt national operations or cripple key sectors like energy, health care and transportation.

Hacktivist groups are also joining forces with ransomware gangs to push their own ideological goals. For example, attacks on public administration and transportation sectors have increased, often tied to specific political events or global movements. As cyber crime becomes more politicized, organizations and governments must recognize that ransomware is no longer just a financial threat but also a tool of disruption on the global stage. And given the increased geopolitical tensions across the globe, these types of attacks are increasingly common.

Attack rates and most targeted industries

Despite global efforts to curb ransomware, the number of ransomware attacks continues to rise. According to the Ransomware Tracker, the number of victims posted on extortion sites spiked in May 2024 to 450, up from 328 in April, making it one of the most active months over the last few years.

Industries like healthcare, public administration, transportation and finance are among the most targeted. These sectors are particularly vulnerable due to their reliance on digital infrastructure and the severe consequences of operational downtime. For example, the U.S. Department of Health and Human Services reported a 256% increase in hacking-related breaches in healthcare over the past five years, underscoring the sector’s heightened vulnerability.

The rising costs of ransomware

The financial impact of ransomware continues to grow in 2024, with costs extending beyond ransom payments. According to one industry report, the average recovery cost for ransomware victims in state and local governments is $2.73 million, more than double the amount reported in 2023. These costs include not only ransom payments but also expenses related to downtime, lost data, operational disruption and reputational damage.

The ransom demands themselves are also skyrocketing. The report states that the average ransom demand for state and local governments is now $3.3 million, with some demands exceeding $5 million. Globally, industries like healthcare, energy and education are seeing similar trends. Even worse, high ransom demands and significant recovery costs can cripple or even shut down smaller organizations.

A grim landscape, but there’s hope

The ransomware landscape in 2024 is one of increasing complexity. With AI-driven phishing campaigns, living-off-the-land techniques, the exploitation of legal frameworks and the merging of geopolitical tensions, the stakes have never been higher. However, advancements in AI cybersecurity tools and a growing awareness of these evolving tactics provide pathways for improving defenses.

As cyber criminals adapt and innovate, so too must cybersecurity professionals and organizations. Proactive measures like vulnerability management, employing robust backup strategies and investing in incident response capabilities are essential in combating this ever-present threat. Ransomware may continue to evolve, but so too can the tools and strategies used to fight it.


Insights from CISA’s red team findings and the evolution of EDR

13 January 2025, 12:30

A recent CISA red team assessment of a United States critical infrastructure organization revealed systemic vulnerabilities in modern cybersecurity. Among the most pressing issues was a heavy reliance on endpoint detection and response (EDR) solutions, paired with a lack of network-level protections.

These findings underscore a familiar challenge: Why do organizations place so much trust in EDR alone, and what must change to address its shortcomings?

EDR’s double-edged sword

A cornerstone of cyber resilience strategy, EDR solutions are prized for their ability to monitor endpoints for malicious activity. But as the CISA report demonstrated, this reliance can become a liability when paired with inadequate network defenses. Here’s why:

  1. Tunnel vision on endpoints: EDR excels at identifying threats on individual devices but struggles with network-wide attacks. This leaves gaps when hackers exploit lateral movement or unusual data transfers — activities that often require network-level visibility to detect.
  2. Playing catch-up with threats: Traditional EDR tools depend on recognizing known indicators of compromise (IOCs). Advanced attackers can easily sidestep these tools by using novel techniques or blending in with legitimate activity.
  3. Blind spots in legacy systems: Legacy environments often go unnoticed by EDR, giving attackers free rein. In the CISA case, these systems allowed the red team to persist for months undetected.
  4. Overwhelmed defenders: Even when EDR generates alerts, security teams can become desensitized by a flood of notifications. As seen in the CISA assessment, critical warnings can slip through the cracks simply because defenders are too stretched to respond.

Common EDR pain points

The challenges highlighted in the CISA report mirror broader issues organizations face with EDR:

  • Detection without context: EDR tools often spot anomalies on endpoints but fail to connect the dots across the broader network. This lack of context can leave organizations blind to coordinated attacks.
  • Weak network integration: Without network-layer defenses, EDR struggles to identify malicious activities like unusual traffic patterns or data exfiltration, key tactics in advanced breaches.
  • Fragmented systems: Many organizations operate a patchwork of security tools, leaving critical gaps in coverage and making it harder to correlate data across endpoints, networks and cloud environments.

The next evolution of EDR

Recognizing these shortcomings, cybersecurity is rapidly evolving beyond traditional EDR. Here’s how:

  1. Extended detection and response (XDR): XDR takes EDR to the next level by integrating endpoint, network and cloud data into a single platform. This broader scope allows organizations to see the full attack picture and respond more effectively.
  2. AI-driven insights: Cutting-edge EDR solutions now harness machine learning to detect subtle behavioral anomalies. By identifying deviations from normal activity, these tools catch threats even when no IOCs exist.
  3. Zero trust security: Zero trust architectures take endpoint defense a step further by ensuring no device or user is trusted by default. This integration of endpoint, identity and network security reduces dependence on EDR alone.
  4. Network visibility: Modern EDR tools are incorporating network traffic analysis to close the gaps identified in the CISA report. Monitoring traffic for anomalies, such as unusual data flows or external connections, bolsters defenses.
  5. Cloud-native solutions: As businesses embrace hybrid and cloud environments, EDR is evolving to provide seamless coverage across on-premises and cloud systems, addressing vulnerabilities in these critical areas.
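Items 2 and 4 above (behavioral anomalies rather than known IOCs, and network-level visibility into unusual data flows) can be illustrated with one small baseline-and-deviate check. The code below is an added example, not code from the article, from CISA or from any EDR or XDR product. It assumes netflow-style records of (day, source host, destination IP, bytes sent); the records, hosts and addresses are constructed, with documentation address ranges standing in for public IPs, and the 2.5 GB transfer on day 15 is the planted anomaly.

```python
"""Per-host outbound-volume baseline: flag hosts whose external transfer
deviates sharply from their own history.

Added example, not code from the article or from CISA. Flow records are
constructed; documentation ranges (203.0.113.0/24, 198.51.100.0/24) stand in
for public destinations.
"""
import ipaddress
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed netflow-style records: (day, src_host, dst_ip, bytes_out).
FLOWS: List[Tuple[int, str, str, int]] = []
for _day in range(1, 15):  # 14 days of unremarkable history
    FLOWS += [
        (_day, "ws01", "203.0.113.10", 40_000 + 1_000 * (_day % 3)),
        (_day, "ws01", "10.0.0.5", 900_000),  # internal file server, ignored
        (_day, "srv02", "198.51.100.7", 120_000 + 5_000 * (_day % 4)),
    ]
FLOWS += [  # day 15: ws01 pushes 2.5 GB to a never-before-seen external host
    (15, "ws01", "203.0.113.10", 41_000),
    (15, "ws01", "203.0.113.99", 2_500_000_000),
    (15, "srv02", "198.51.100.7", 125_000),
]

# RFC 1918 space counts as internal; everything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_external_bytes(flows) -> Dict[Tuple[str, int], int]:
    """Sum bytes_out per (host, day), counting only flows to external IPs."""
    totals: Dict[Tuple[str, int], int] = defaultdict(int)
    for day, host, dst, n in flows:
        if is_external(dst):
            totals[(host, day)] += n
    return totals


def robust_z(value: float, history: List[int]) -> float:
    """Median/MAD z-score: a few bad days in the baseline do not skew it."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history) or 1.0
    return (value - med) / (1.4826 * mad)  # 1.4826 scales MAD to sigma


def find_exfil_candidates(flows, day: int, threshold: float = 6.0,
                          min_history: int = 7) -> Dict[str, float]:
    """Return {host: z} for hosts whose external volume on `day` is anomalous.

    Hosts with fewer than `min_history` days of history are skipped rather
    than scored, since a baseline built on a day or two is meaningless.
    """
    totals = daily_external_bytes(flows)
    findings: Dict[str, float] = {}
    for host in sorted({h for h, _ in totals}):
        history = [v for (h, d), v in totals.items() if h == host and d < day]
        if len(history) < min_history:
            continue
        z = robust_z(totals.get((host, day), 0), history)
        if z > threshold:
            findings[host] = round(z, 1)
    return findings


if __name__ == "__main__":
    print(find_exfil_candidates(FLOWS, day=15))
```

The check needs no indicator of compromise at all: ws01 is flagged on day 15 only because its own history says it never sends more than a few tens of kilobytes outside the organization. The same structure generalizes to other per-entity counters (distinct destinations contacted, DNS query volume, logon sources), which is what an XDR platform does at scale when it fuses endpoint and network telemetry.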

Why do gaps persist?

Even with these advancements, many organizations struggle to fully address EDR’s limitations:

  • Resource strains: Small security teams often lack the bandwidth or expertise to implement and manage advanced solutions like XDR.
  • Budget constraints: Upgrading to integrated platforms or modernizing legacy systems can be costly.
  • Legacy challenges: Outdated environments remain vulnerable, acting as weak points that attackers can exploit.
  • Leadership missteps: As the CISA report pointed out, organizations sometimes deprioritize known vulnerabilities, leaving critical gaps unaddressed.

Building a more resilient future

The CISA red team findings are a wake-up call: Endpoint protection alone is no longer enough. To outsmart today’s sophisticated adversaries, organizations must adopt a layered defense strategy that integrates endpoint, network and cloud security. Solutions like XDR, zero trust principles and advanced behavioral analysis offer a path forward — but they require strategic investments and cultural shifts.


Is the water safe? The state of critical infrastructure cybersecurity

10 January 2025, 12:35

On September 25, CISA issued a stark reminder that critical infrastructure remains a primary target for cyberattacks. Vulnerable systems in industrial sectors, including water utilities, continue to be exploited due to poor cyber hygiene practices. Using unsophisticated methods like brute-force attacks and leveraging default passwords, threat actors have repeatedly managed to compromise operational technology (OT) and industrial control systems (ICS).

Attacks on the industrial sector have been particularly costly. The 2024 IBM Cost of a Data Breach report found the average total cost of a data breach in the industrial sector was $5.56 million — an 18% increase for the industry compared to 2023. This represents the highest data breach cost increase of all industries surveyed in the report, rising by an average of $830,000 per breach over last year.

Ongoing vulnerabilities pose a serious threat to public safety and national security, especially as water systems and other critical infrastructure providers remain underprepared in the current threat landscape. Let’s take a closer look at the current state of critical infrastructure security, highlighting recent incidents, efforts to address vulnerabilities and the need for further collaboration between the government and private sectors.

Arkansas City Water Treatment Facility attacked

The cybersecurity incident at the Arkansas City Water Treatment Facility on September 22 exemplifies the growing risks. While city officials emphasized that the water supply remained safe and no disruption to service occurred, the breach still forced the facility to switch to manual operations. The incident is currently under investigation, with local authorities and cybersecurity experts collaborating to resolve the issue and prevent further attacks. But the Arkansas City breach is not an isolated incident; it mirrors a larger trend of attacks on water systems.

CISA has issued multiple warnings regarding the susceptibility of water and wastewater systems to cyber threats. Intruders often exploit outdated and unsecured OT and ICS environments, where systems are exposed to the internet or still using default credentials. This means cyber criminals can gain access using relatively simple techniques, which raises concerns about the overall preparedness of critical infrastructure operators.

CISA warnings and hacktivist activity

CISA’s September alert is not the first indication of the heightened threat to water and other critical infrastructure providers. Earlier in 2024, the agency warned that Russia-affiliated hacktivists were actively targeting ICS and OT environments in U.S. critical infrastructure facilities. Water systems, dams and sectors such as energy and food were particularly vulnerable to these attacks.

The situation worsened with the rise of the Cyber Army of Russia Reborn, a hacktivist group tied to Advanced Persistent Threat 44 (APT44), commonly known as Sandworm. The group has been quite busy exploiting weak cybersecurity postures of smaller water systems that lack adequate cyber defense resources.

According to Keith Lunden of Mandiant, “We expect these attacks to continue for the foreseeable future given the lack of dedicated cybersecurity personnel for many small- and mid-sized organizations operating OT.” Unfortunately, hacktivist groups have exploited these gaps with relative ease. And without rapid intervention, these attacks will likely continue.

The State and Local Cybersecurity Grant Program (SLCGP)

Amidst the growing cyber threats, the U.S. Department of Homeland Security (DHS) has recognized the need for more support for state and local government cybersecurity. In fiscal year 2024, DHS announced the allocation of $280 million in grant funding for the State and Local Cybersecurity Grant Program (SLCGP). This funding aims to assist state, local, tribal and territorial governments in enhancing their cyber resilience. A special emphasis has been placed on protecting critical infrastructure systems like water utilities, energy grids and emergency services.

These grants will help organizations improve monitoring systems, patch vulnerabilities and implement critical cybersecurity measures such as multi-factor authentication and regular system audits. In states like Michigan, for example, government agencies are already working with local water utilities to provide cybersecurity training and support. The DHS funding could greatly expand these efforts, offering a much-needed boost to the security posture of critical infrastructure providers.

The Cyberspace Solarium Commission

In 2019, the Cyberspace Solarium Commission (CSC) was established by the U.S. Congress to develop a national cyber defense strategy. Currently, approximately 80% of its recommendations have been implemented. However, a final push is needed to address critical gaps, particularly regarding private-sector collaboration and insurance reforms.

One major challenge is identifying the “minimum security burdens” for systemically important entities critical to national security. This would ensure that high-priority infrastructure providers, such as key transportation systems and water utilities, receive the necessary support to prevent catastrophic events.

The CSC also highlighted the need to develop an economic continuity plan for cyber events. This would be nothing less than an incident response and resilience plan to protect the U.S. economy in the face of a major cyberattack. The commission also emphasized the need for better information sharing between government agencies, private industries and international partners to protect critical infrastructure from evolving cyber threats.

During a recent panel discussion, Senator Angus King, co-chair of CSC 2.0, pointed to the difficulties of building trust between the government and private sectors. Private entities own and operate the majority of the nation’s critical infrastructure, but historical tensions make collaboration challenging. King noted that the situation mirrors early tensions that existed between state officials and CISA. Nonetheless, the collaboration between private industry and government is essential to address the growing threat to critical infrastructure.

The state of critical infrastructure cybersecurity

The cybersecurity posture of U.S. critical infrastructure remains a concern. As seen in attacks like the Arkansas City Water Treatment Facility and other incidents targeting internet service providers, threat actors are increasingly focusing on essential services. These attacks are not limited to small municipalities. Larger-scale infrastructure providers, including ISPs and managed service providers, have also been targets.

The FBI recently disclosed that China-linked hackers compromised more than 260,000 network devices, underscoring the scale of the problem. Meanwhile, attacks attributed to the Chinese government have targeted ISPs and managed service providers through vulnerabilities in Versa Networks’ SD-WAN software, demonstrating the growing sophistication of these threats.

While the U.S. government is actively working to improve critical infrastructure cybersecurity, the attacks on water treatment systems and other essential services clearly reveal that more needs to be done. The DHS grant program and the recommendations of the Cyberspace Solarium Commission represent critical steps in this effort, but collaboration between government, private industry and international partners will be key to building a resilient defense against evolving threats.

The safety of critical infrastructure remains a pressing concern. Recent events should serve as a wake-up call for operators, policymakers and the public to take action before a cyberattack occurs that impacts human life and health. Undoubtedly, the threats are real — and any meaningful response requires a concerted effort.

The post Is the water safe? The state of critical infrastructure cybersecurity appeared first on Security Intelligence.

Apple Intelligence raises stakes in privacy and security

26 December 2024, 11:00

Apple’s latest innovation, Apple Intelligence, is redefining what’s possible in consumer technology. Integrated into iOS 18.1, iPadOS 18.1 and macOS Sequoia 15.1, this milestone puts advanced artificial intelligence (AI) tools directly in the hands of millions. Beyond being a breakthrough for personal convenience, it represents an enormous economic opportunity. But the bold step into accessible AI comes with critical questions about security, privacy and the risks of real-time decision-making in users’ most private digital spaces.

AI in every pocket

Having sophisticated AI at your fingertips isn’t just a leap in personal technology; it’s a seismic shift in how industries will evolve. By enabling real-time decision-making, mobile artificial intelligence can streamline everything from personalized notifications to productivity tools, making AI a ubiquitous companion in daily life. But what happens when AI that draws from “personal context” is compromised? Could this create a bonanza of social engineering and malicious exploits?

The risks of real-time AI processing

Apple Intelligence thrives on real-time personalization — analyzing user interactions to refine notifications, messaging and decision-making. While this enhances the user experience, it’s a double-edged sword. If attackers compromise these systems, the AI’s ability to customize notifications or prioritize messages could become a weapon. Malicious actors could manipulate AI to inject fraudulent messages or notifications, potentially duping users into disclosing sensitive information.

These risks aren’t hypothetical. For example, security researchers have exposed how hidden data in images can deceive AI into taking unintended actions — a stark reminder of how intelligent systems remain susceptible to creative exploitation.

In the new, real-time AI age, AI cybersecurity must address several risks, such as:

  1. Privacy concerns: Continuous data collection and analysis can lead to unauthorized access or misuse of personal information. For instance, AI-powered virtual assistants that capture frequent screenshots to personalize user experiences have raised significant privacy issues.
  2. Security vulnerabilities: Real-time AI systems can be susceptible to cyberattacks, especially if they process sensitive data without robust security measures. The rapid evolution of AI introduces new vulnerabilities, necessitating strong data protection mechanisms.
  3. Bias and discrimination: AI models trained on biased data can perpetuate or even amplify existing prejudices, leading to unfair outcomes in real-time applications. Addressing these biases is crucial to ensure equitable AI deployment.
  4. Lack of transparency: Real-time decision-making by AI systems can be opaque, making it challenging to understand or challenge outcomes, especially in critical areas like healthcare or criminal justice. This opacity can undermine trust and accountability.
  5. Operational risks: Dependence on real-time AI can lead to overreliance on automated systems, potentially resulting in operational failures if the AI system malfunctions or provides incorrect outputs. Ensuring human oversight is essential to mitigate such risks.

Privacy: Apple’s ace in the hole

Unlike many competitors, Apple processes much of its AI functionality on-device, leveraging its latest A18 and A18 Pro chips, specifically designed for high-performance, energy-efficient machine learning. For tasks requiring greater computational power, Apple employs Private Cloud Compute, a system that processes data securely without storing or exposing it to third parties.

Apple’s long-standing reputation for prioritizing privacy gives it a competitive edge. Yet, even with robust safeguards, no system is infallible. Compromised AI features — especially those tied to messaging and notifications — could become a goldmine for social engineering schemes, threatening the very trust that Apple has built its brand upon.

Economic upside vs. security downside

The economic scale of this innovation is staggering, as it pushes companies to adopt AI-driven solutions to stay competitive. However, this proliferation amplifies security challenges. The widespread adoption of real-time AI raises the stakes for all users, from everyday consumers to enterprise-level stakeholders.

To stay ahead of potential threats, Apple has expanded its Security Bounty Program, offering rewards of up to $1 million for identifying vulnerabilities in its AI systems. This proactive approach underscores the company’s commitment to evolving alongside emerging threats.

The AI double-edged sword

The arrival of Apple Intelligence is a watershed moment in consumer technology. It promises unparalleled convenience and personalization while also highlighting the inherent risks of entrusting critical processes to AI. Apple’s dedication to privacy offers a significant buffer against these risks, but the rapid evolution of AI demands constant vigilance.

The question isn’t whether AI will become an integral part of our lives — it already has. The real challenge lies in ensuring that this technology remains a force for good, safeguarding the trust and security of those who rely on it. As Apple paves the way for AI in the consumer market, the balance between innovation and protection has never been more critical.

Ransomware attack on Rhode Island health system exposes data of hundreds of thousands

23 December 2024, 11:00

Rhode Island is grappling with the fallout of a significant ransomware attack that has compromised the personal information of hundreds of thousands of residents enrolled in the state’s health and social services programs. Officials confirmed the attack on the RIBridges system—the state’s central platform for benefits like Medicaid and SNAP—after hackers infiltrated the system on December 5, planting malicious software and threatening to release sensitive data unless a ransom is paid.

Governor Dan McKee, addressing the media, called the attack “alarming” and urged residents to take immediate precautions to protect their information. Compromised data includes Social Security numbers, banking details, addresses and dates of birth. “This breach is a stark reminder of the vulnerabilities in government IT systems,” McKee said. “We are working with Deloitte and law enforcement to contain the damage and restore public trust.”

Timeline of the attack

The cyberattack began on December 5, when Deloitte, the developer and maintainer of RIBridges, alerted state officials to suspicious activity. Initially, it was unclear whether sensitive data had been accessed. Over the following days, Deloitte implemented additional security measures while investigating the breach.

On December 10, hackers provided a screenshot of file folders as proof of their access, prompting Deloitte to confirm that the RIBridges system had been compromised. Further analysis revealed a high probability that the stolen files contained personally identifiable information (PII). By December 13, Deloitte identified malicious code within the system, leading the state to shut down RIBridges to mitigate further damage and begin remediation.

How the attackers gained access

While the exact infiltration method remains under investigation, early findings suggest that the attackers exploited vulnerabilities in the system’s architecture, likely through phishing emails targeting administrative accounts or unpatched software weaknesses. The malware deployed by the cyber criminals enabled unauthorized access and allowed the attackers to exfiltrate data unnoticed for several days.

This breach has highlighted persistent security challenges in government IT systems, which often struggle to keep pace with evolving cyber threats. RIBridges, developed in 2016 under the Unified Health Infrastructure Project (UHIP), has faced years of technical and operational issues, including public criticism for its vulnerabilities.

Impact on residents and state operations

The breach has far-reaching implications for Rhode Island’s residents and government services. Programs impacted include Medicaid, SNAP, Temporary Assistance for Needy Families (TANF) and health insurance purchased through HealthSource RI. The RIBridges system’s offline status has forced the state to resort to manual processing for December benefits and January payments, creating delays and disruptions for thousands of families.

State officials have contracted Experian to provide free credit monitoring to affected residents and set up a dedicated call center to offer guidance. McKee also urged residents to take proactive steps, including freezing their credit, updating passwords and enabling multi-factor authentication.

Comparisons to other state-level ransomware attacks

Rhode Island is not the first state to be targeted by a ransomware attack on its central systems. In 2019, Texas faced a coordinated ransomware assault that impacted 22 local entities, including state-run agencies, though its centralized IT infrastructure mitigated the spread. Similarly, Colorado’s Department of Transportation suffered a ransomware attack in 2018, which disrupted operations and required weeks to fully resolve.

These incidents underscore the growing threat of ransomware to state governments. Unlike attacks on local municipalities, state-level breaches can potentially disrupt critical systems serving millions of residents, amplifying the stakes for government cybersecurity teams.

What comes next?

The FBI and other federal agencies are assisting in the investigation, while Deloitte works to remediate the vulnerabilities and restore RIBridges. Meanwhile, negotiations between the state’s representatives and the cyber criminals are ongoing, though officials have not disclosed the ransom amount or whether they intend to pay it.

“That conversation is going on directly with Deloitte and the cyber criminals. That’s how this process works, we’re learning a little bit about it,” McKee said. “But we’re being notified of the progress on it, and ultimately, it does end up with that decision with me.”

The attack has reignited calls for stronger cybersecurity measures in government IT systems. Experts recommend adopting zero trust security models, conducting regular vulnerability assessments and increasing investments in cybersecurity infrastructure to prevent future breaches.

“This breach is a wake-up call,” says Brian Tardiff, Rhode Island’s Chief Digital Officer. “We need to ensure that our systems are resilient against increasingly sophisticated cyber threats. The stakes are too high to do otherwise.”
