Evan Schuman's Stories in CSO

European authorities say AI can use personal data without consent for training

The European Data Protection Board advised national regulators to allow personal data to be used for AI training, as long as the final product doesn’t reveal personal information. Read full story

Amazon refuses Microsoft 365 deployment because of lax cybersecurity

Security executives applaud Amazon for publicly shaming Microsoft security, although some suspect it is a thinly veiled AWS sales pitch. Read full story

European law enforcement breaks high-end encryption app used by suspects

A group of European law enforcement agencies broke a cyberthief-created secure messaging app and monitored their discussions in real time. The implications for CISOs: However little you now trust encryption, trust it a lot less. Read full story

FBI pierces 'anonymity' of cryptocurrency, secret domain registrars in Scattered Spider probe

When the US Justice Department unsealed documents on Wednesday revealing the arrests of key Scattered Spider suspects, it showed how easily they were able to cut through the gang's anonymization efforts. Read full story

NIST publishes timeline for quantum-resistant cryptography, but enterprises must move faster

NIST wants agencies to move off current encryption by 2035, but analysts say that enterprises cannot wait nearly that long; state actors are expected to achieve quantum at scale by 2028. Read full story

Microsoft Authenticator passkey support to be native in January

In statements that some labeled vague and confusing, Microsoft further embraced passkeys — and is decidedly not embracing CISOs who don’t want them. Read full story

Do the Marriott cybersecurity settlements send the wrong message to CISOs, CFOs?

This CSO piece covers Marriott's settlement with both the Federal Trade Commission and almost every American state to partially close the loop on the fallout from three major data breaches between 2014 and 2020 impacting more than 344 million customers. But the terms of the settlements are worrying some cybersecurity executives. Read full story

Encryption backdoor debates rage across the planet, promising a difficult 2025 for CISOs

The European Union is now arguing various versions of encryption backdoor rules, but they are not expected to agree on much. Their members, though, are likely to each create their own contradictory rules. Read full story

FCC orders T-Mobile to deliver zero trust and better MFA

This CSO piece covers a consent decree negotiated between the agency and the telco, T-Mobile also promised to more heavily invest in cybersecurity overall. Read full story

Microsoft privilege escalation issue forces the debate: 'When is something a security hole?'

This CSO piece covers recent news that Fortra has announced what it dubs a Microsoft security hole. There is no dispute that the privilege escalation issue exists, but there is much argument over whether it's a flaw. Read full story

Personhood: Cybersecurity's next great authentication battle as AI improves

This CSO piece discusses the ability to differentiate bots from humans is becoming increasingly critical. Near infinite scalability of fake AI humans on the cheap makes human impersonation an awfully powerful weapon for bad actors. Read full story

Microsoft fixes Authenticator design flaw after eight years overwriting accounts

This CSO piece examines the latest confirmation from Microsoft. It has finally fixed a vexing glitch that locked Authenticator users out of their accounts — something just about every other authenticator app has avoided since inception. Read full story

Dutch regulator fines Clearview €30 million… or more

This CSO piece examines how the Dutch data protection authority is considering pursuing the face recognition company's directors for privacy violations next. Read full story

8 cloud security gotchas most CISOs miss

This CSO piece looks at the typical enterprise leveraging a dozen cloud vendors globally, there are plenty of ways for security nightmares to sneak in. Here are a few lesser-known issues that could haunt you. Read full story

CrowdStrike questions could give CISOs pause — with options available

This CSO piece looks at the unanswered questions regarding CrowdStrike's processes that led to a global Windows outage strike at central issues of trust, transparency, validation, and interdependency for CISOs, which could result in a rethink given the stakes and ease of defection. Read full story

Design flaw has Microsoft Authenticator overwriting MFA accounts, locking users out

This CSO piece looks at how the Microsoft Authenticator experience can go beyond momentary frustration to full-blown panic as end-users become locked out of their accounts. Despite user complaints for years, no fix has been issued, leaving IT experts wondering, 'Why would you pick Microsoft?' Read full story

Will the public nature of ransom payments change CISO strategy over whether to pay?

This CSO piece looks into reports identifying a $75 million ransom payment made in March by a Fortune 50 company raise some questions. Read full story

NHIs may be your biggest — and most neglected — security hole

This CSO piece looks at an increase in attackers seeking out non-human identities, as ultra-easy onramps to everything of value in your enterprise. The solution? Stop treating NHIs as though they are another human end-user. Read full story

Federal judge greenlights securities fraud charges against SolarWinds and its CISO

This CSO piece looks at the SEC lawsuit against SolarWinds where the court dismissed most of the SEC's charges, the by far most serious charge – securities fraud by both the company and its CISO – survived. CISOs have little reason to celebrate. Read full story

What savvy hiring execs look for in a CISO today

This CSO piece looks at how the CISO role is undergoing a sea change, requiring a range of seemingly contradictory skills and experiences. Here's how experts see the role evolving — and how hiring execs assess the blend of "Mother Teresa and a kamikaze pilot," as one CIO puts it, necessary to succeed as a CISO today. Read full story

AT&T confirms arrest in data breach of more than 110 million customers

This CSO piece looks at first cybersecurity incident where the Justice Department initially allowed an enterprise to not disclose. Read full story

Spam blocklist SORBS shuts down after over two decades

This CSO piece looks at how the service was unsustainable but those in the email deliverability industry expressed mixed feelings about the closure. Read full story

FBI offers to share 7,000 LockBit ransomware decryption keys with CISOs

This CSO piece looks at how it's not clear how many of the decryption keys are still viable, but it's likely to be a boon for many enterprise victims who did not pay the ransom. Read full story

Major service tag security problems reported in Microsoft Azure

This CSO piece examines how Microsoft has opted not to fix the issue reported by Tenable Research, but many defend that decision, arguing that this should be decided by CISOs based on their environment. Read full story

SEC rule for finance firms boosts disclosure requirements

This CSO piece examines the amendments to Regulation S-P requires broker-dealers, investment companies, registered investment advisers, and transfer agents to disclose incidents to customers. Read full story

US deploys commerce and communications against cyber threats, Blinken says

This CSO piece looks at how the US government is moving to address the challenges of quantum computing, cloud strategies, and generative AI, Anthony Blinken said in a speech that was light on specifics. Read full story

Marriott admits it falsely claimed for five years it was using encryption during 2018 breach

This CSO piece examines Marriot's revelation in a court case around a massive 2018 data breach that it had been using secure hash algorithm 1 and not the much more secure AES-1 encryption as it had earlier maintained. Read full story

US supreme court ruling suggests change in cybersecurity disclosure process

This CSO piece examines how the decision puts pressure on CISOs and those crafting SEC filings as wording could be judged as "half-truths" and considered misleading. Read full story

Will generative AI kill KYC authentication?

This CSO piece looks at how generative AI can create fake documents and personal histories that fool common know-your-customer authentication practices. Read full story

Is your cloud security strategy ready for LLMs?

This CSO piece looks at existing cloud security practices, platforms, and tools that will only go so far in protecting organizations from threats inherent to the use of AI's large language models. Read full story

Rise of the cyber CPA: What it means for CISOs

This CSO piece answers the question: New accountant certification rules starting January 2024 could deliver many new cybersecurity-trained accountants. Is this good or bad news for CISOs? Read full story

How US SEC legal actions put CISOs at risk and what to do about it

This CSO story looks at how CISOs could find themselves in a painful Catch-22 situation when the US Securities and Exchange Commission's new cybersecurity rules are enacted in December. Read full story

6 new ways threat actors will attack in 2021

This CSO story looks at cyber criminals leveraging improved capabilities and vulnerabilities introduced during the COVID crisis to improve the efficiency of their attacks. Read full story