Wednesday, September 17, 2025

Why Don't We Demand This?



CyberheistNews Vol 15 #36  |   September 9th, 2025


One of the Biggest Mysteries in Cybersecurity: Why Don't We Demand This?

By Roger Grimes

“The problem is much, much worse than most people recognize.”

One of the biggest enduring mysteries for me in cybersecurity is why most cybersecurity curricula do not teach secure coding to programmers.

I have no real answers, only speculation.

Secure coding has many other names, including secure by design and security development lifecycle, but it means that the people involved in the development of software, services and firmware are given training in how to avoid introducing common security vulnerabilities.

Common vulnerability types include buffer overflows, insecure input handling, hard-coded authentication credentials, directory traversal errors, cross-site scripting, etc. The OWASP Top Ten list is a great list of some of the most common issues.

Some programming issues, like buffer overflows, can be solved by using memory-safe programming languages when possible and practical. Non-memory-safe languages are involved in up to 70% of commonly exploited vulnerabilities.

Secure coding means giving programmers and others in the development stream, old or new to the profession, education about these common vulnerabilities and how to avoid them. Like any security challenge, it takes a combination of education, policies and tools. And like most computer security challenges, education is often the weakest link when the tools are not more protective.

I have tried for years to get universities and college curricula to add secure coding instruction as a required part of their curriculum or as a separate required dedicated class. It seems like a no-brainer. And yet, almost no programming curriculum does. There are a few, but not many.

And let me say that I do not teach programming for a living. I am looking from the outside in.

[CONTINUED] On the KnowBe4 Blog:
https://blog.knowbe4.com/one-of-the-biggest-mysteries-in-cybersecurity-why-dont-we-teach-or-demand-secure

[Live Demo] Ridiculously Easy AI-Powered Security Awareness Training and Phishing

Phishing and social engineering remain the #1 cyber threat to your organization, with 68% of data breaches caused by human error. Your security team needs an easy way to deliver personalized training—that is exactly what our AI Defense Agents provide.

Join us for a demo showcasing KnowBe4’s innovative approach to human risk management with agentic AI that delivers personalized, relevant and adaptive security awareness training with minimal admin effort.

See how easy it is to train and phish your users with KnowBe4’s HRM+ platform:

  • SmartRisk Agent™ – Generate actionable data and metrics to help you lower your organization’s human risk score
  • Template Generator Agent – Create convincing phishing simulations, including Callback Phishing, that mimic real threats. The Recommended Landing Pages Agent then suggests appropriate landing pages based on AI-generated templates
  • Automated Training Agent – Automatically identify high-risk users and assign personalized training
  • Knowledge Refresher Agent and Policy Quizzes Agent – Reinforce your security program and organizational policies
  • Enhanced Executive Reports – Track user actions, visualize trends, download widgets, and improve searching/sorting to provide deeper insights and streamline collaboration

See how these powerful AI-driven features work together to dramatically reduce your organization’s risk while saving your team valuable time.

Date/Time: THIS WEEK, Thursday, September 11 @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/ksat-demo-3?partnerref=CHN3

Hospitals Need to Prepare for AI-Powered Phishing Attacks

Healthcare organizations must be prepared for an increase in AI-assisted phishing attacks, according to Zack Martin, Senior Policy Advisor at Venable.

In an article for HIT Consultant, Martin explained that AI has made phishing attacks more convincing and easier to launch, posing a heightened risk to healthcare organizations.

“In the second half of 2024, phishing incidents surged by more than 700 percent – a spike that coincided with the mainstream adoption of generative AI tools,” Martin says. “These tools are now being used to create convincing emails, fake login pages and impersonation campaigns that target both patients and staff. And in healthcare, where digital literacy can vary widely and data is highly sensitive, the consequences can be severe, leading to data breaches, ransomware and system outages.”

Healthcare entities have a unique attack surface that makes them particularly vulnerable to social engineering attacks. Hospitals also face a heightened risk from ransomware attacks, since disruptions can affect patient care and put lives at risk.

“Hospitals and clinics serve a mix of internal users and external users – from staff logging into clinical systems to patients and family members accessing portals,” Martin writes. “Many of these users may be unfamiliar with phishing tactics and could be more likely to trust realistic-looking login prompts or urgent alerts.

“The combination of accessible AI tools and a digitally inexperienced user base creates a perfect storm for credential theft.” Martin concludes that employee awareness training can give healthcare orgs a critical layer of defense against these attacks.

“A truly effective identity-first security strategy also includes continuous user education,” Martin writes. “Phishing emails – especially those enhanced by generative AI – can fool even the most experienced professionals. Regular awareness campaigns and simulated phishing exercises can help staff develop a reflex for spotting fake emails, verifying URLs, and reporting suspicious activity quickly.”

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/hospitals-need-to-prepare-for-ai-powered-phishing-attacks

A New Era of Email Defense: The Power of KnowBe4 and Microsoft Defender for Office 365

Discover how KnowBe4 and Microsoft Defender for Office 365 are transforming email security and explore the power of the new integration.

Join our live demo with Murali Natarajan, Principal Product Manager at Microsoft, and Stuart Clark, Vice President of Product Strategy at KnowBe4, to see how KnowBe4’s advanced threat detection capabilities and Microsoft’s Integrated Cloud Email Security (ICES) ecosystem work together to create an unmatched defense against today’s most sophisticated email threats.

During this session, you will learn how to:

  • Seamlessly integrate KnowBe4 Defend with Microsoft’s security controls for unified quarantine, consistent policy enforcement and comprehensive visibility
  • Leverage the combined strengths of KnowBe4’s specialized AI detection and Microsoft Defender, ensuring the strongest verdict always wins for advanced threat prevention
  • Simplify deployment, reduce complexity and eliminate separate quarantine systems through seamless integration with Microsoft tools
  • Adopt Microsoft’s newest framework early, ensuring compatibility with future developments and unlocking co-marketing opportunities
  • Enable your security teams to investigate, respond to and remediate threats through familiar Microsoft interfaces while harnessing KnowBe4’s advanced detection capabilities

Date/Time: Wednesday, September 10 @ 1:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/knowbe4-microsoft-defender?partnerref=CHNP2

A Warrant Is Out for Your Arrest

A very common voice phone call phishing scam (i.e., vishing) is when the scammer calls you and pretends to be a law enforcement official with a warrant for your arrest for not answering a court jury duty summons.

Depending on the source you use and the legal jurisdiction involved (e.g., state, federal, county), as much as 20% – 40% of people who receive a summons to appear in court as part of a jury (or Grand Jury) ignore it. They see it and throw it away.

They knowingly throw it away, not wanting to disrupt their life or career to take a day or possibly weeks out of their life to be part of a court jury. I get it. It can be unexpected and disruptive, and you can spend hours a day waiting to be called as part of a jury, only to not be chosen.

Ignoring a jury summons and not showing up for jury selection is a violation of the law and can easily result in serious penalties. If you are a legal citizen, it is your legal and moral duty to serve on a jury when called (in countries with citizen juries). But most people who get them and ignore them do so without ever being bothered by the courts or law enforcement.

That makes jury scofflaws good potential phishing victims.

The scammers (usually part of a large call center) have your phone number, name and address and know what county you are in. Then they call you, pretend to be the sheriff’s department or police department and tell you that you have an outstanding warrant and that you will be arrested and pay a huge fine.

But…they will offer to let you pay the fine over the phone and avoid arrest, using credit cards or gift cards purchased from a store.

Who would ever believe that law enforcement would let them pay a fine using store-purchased gift cards? Lots of scared people who were always nervous about throwing away that jury summons. The defense is easy.

If anyone calls claiming to be from law enforcement or the court system, ask them for the case number (which they will usually provide) and then tell them you will look up their phone number using a reputable source (never call back the phone number they give you)…and most of the time they will either threaten you with coming to arrest you one more time or simply hang up. Most hang up when they realize the potential victim is onto their scheme.

A lot of people reading this might think they would never fall for this scam. But people do. If it is not you, it could be a family member or friend. I think we are all susceptible to the right scam at the right moment in our lives.

You can help people avoid this scam by letting them know it exists. And if you get a jury summons, do not throw it away.

Blog post with links:
https://blog.knowbe4.com/a-warrant-is-out-for-your-arrest

Level Up Your Strategies for Cybersecurity Awareness Month

Cybersecurity Awareness Month is just around the corner, and it is time to plan your October campaign! While it is an exciting opportunity, it can also be challenging. How do you turn mandatory security awareness into a fun and engaging campaign that actually reduces human risk?

Join Erich Kron, CISO Advisor at KnowBe4, as he shows you exactly how to do it. You will discover how to leverage KnowBe4’s ready-to-use kit to run a complete themed campaign throughout October. We have done the heavy lifting so you can focus on what matters most: building a stronger security culture that lasts.

In this fun and practical session, you will learn:

  • How to explain cyber threats to users in ways they can relate to and understand in their daily work
  • Real examples and creative campaign ideas showing how admins have created wildly successful cybersecurity awareness campaigns
  • Simple gamification techniques that transform passive learning into competitive fun
  • How to choose the right training modules that entertain while they educate, and why it matters
  • How to maintain momentum and engagement long after Cybersecurity Awareness Month ends

Join us to get practical tools and creative ideas that will make your Cybersecurity Awareness Month campaign the talk of the organization while dramatically reducing your human risk. Register now and earn CPE credit for attending!

Date/Time: Wednesday, September 17 @ 2:00 PM (ET)

Can’t attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot:
https://info.knowbe4.com/level-up-your-strategies?partnerref=CHN

Report: AI Can Now Automate Entire Attack Chains

Threat actors can now use AI tools to automate entire attack operations, according to a new report from Anthropic.

The company says an attacker abused its Claude AI tool to create a hacking and extortion campaign that compromised at least seventeen organizations. The attacker used Claude to conduct reconnaissance, initial access, malware development, data exfiltration and extortion analysis.

“A cybercriminal used Claude Code to conduct a scaled data extortion operation across multiple international targets in a short timeframe,” the researchers write. “This threat actor leveraged Claude’s code execution environment to automate reconnaissance, credential harvesting, and network penetration at scale, potentially affecting at least 17 distinct organizations in just the last month across government, healthcare, emergency services, and religious institutions.”

The attacker was able to steal “healthcare data, financial information, government credentials, and other sensitive information, with direct ransom demands often exceeding $500,000.”

Anthropic also observed a Chinese state-sponsored APT abusing Claude to assist in a successful espionage campaign targeting Vietnamese critical infrastructure.

“The actor integrated Claude as an assistant across 12 of 14 MITRE ATT&CK tactics, using it as a technical advisor, code developer, security analyst, and operational consultant throughout their campaign,” the researchers write. “The actor appears to have compromised major Vietnamese telecommunications providers, government databases, and agricultural management systems.”

Additionally, the researchers observed AI-assisted attacks launched by North Korean and Russian APTs, as well as ransomware gangs, romance scammers, and malware developers.

Anthropic has banned the accounts associated with this activity and is working on ways to prevent such abuse in the future. However, organizations should expect attackers to continue to leverage AI in their operations, and these attacks will only grow more sophisticated as the technology improves.

Blog post with links:
https://blog.knowbe4.com/report-ai-can-now-automate-entire-attack-chains

Let’s stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.

PS: Your KnowBe4 Compliance Plus Fresh Content Updates from August 2025
https://blog.knowbe4.com/your-knowbe4-compliance-plus-fresh-content-updates-from-august-2025

PPS: ChatGPT Glossary: 56 AI Terms Everyone Should Know:
https://www.cnet.com/tech/services-and-software/chatgpt-glossary-56-ai-terms-everyone-should-know/

Quotes of the Week

“Constant kindness can accomplish much. As the sun makes ice melt, kindness causes misunderstanding, distrust, and hostility to evaporate.”
– Albert Schweitzer – Humanitarian (1875 – 1965)


“The simplest acts of kindness are by far more powerful than a thousand heads bowing in prayer.”
– Mahatma Gandhi – Leader of India’s independence movement (1869 – 1948)


Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-36-one-of-the-biggest-mysteries-in-cybersecurity-why-dont-we-demand-this

Security News

Warning: New Spear Phishing Campaign Targets Executives

Researchers at Stripe warn of a wave of spear phishing attacks targeting C-suite employees and senior leadership across a range of industries.

The emails pose as OneDrive document-sharing notifications with subject lines like “Salary modification” or “FIN_SALARY.” If a user clicks the link, they will be taken to a spoofed Microsoft Office/OneDrive login page designed to steal their credentials.

The researchers note that “[b]oth the email body and phishing page are customized with the recipient’s name and company details to enhance credibility.”

Interestingly, the phishing emails use obfuscated button text to avoid detection by security filters. For example, the word “Open” is surrounded by random characters that are invisible to users in light mode.

“When the initial email is viewed in Light Mode, the buttons appear as ‘Open’ and ‘Share,’” the researchers explain. “In Dark Mode, concealed padding becomes visible, exposing randomized alphanumeric strings such as twPOpenHuxv and gQShareojxYI.

“This breaks up high-value trigger words like ‘Open’ and ‘Share,’ reducing the likelihood of detection by secure email gateways that apply string- or regex-based rules.”

Stripe offers the following recommendations to help organizations defend themselves against these attacks:

  • “Awareness for executives and assistants – Ensure those most likely to be targeted understand this campaign. The actor is using realistic ‘salary modification’ subject lines and personalized company details to increase credibility.
  • Skepticism around unexpected documents – Remind staff to be cautious when receiving links or documents relating to HR, payroll, or salary matters, particularly when sent externally.
  • Reporting suspicious emails – Make it clear how to escalate suspicious messages quickly within your business. The faster these are reported to your security resource, the quicker they can take action to protect others.
  • Support staff training – Executive assistants and close colleagues are also high-value targets. Ensure they receive the same level of awareness training and support as C-suite members.”

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

Stripe has the story:
https://stripeolt.com/knowledge-hub/expert-intel/analysing-targeted-spearphishing/
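As an added example (not Stripe’s or KnowBe4’s code), the following Python rebuilds the button text a reader actually sees in light mode and re-runs a word-level trigger rule on it. It assumes the concealed padding is ordinary text coloured to match a white background, which is why it only surfaces in Dark Mode; the sample HTML is constructed.

```python
"""Recover light-mode button text and re-check a keyword rule against it.

Added example, not code from the story or from Stripe. Assumption: the padding
around Open/Share is text styled in a colour matching the light-mode background
(white on white). A rule that scans the raw string sees "twPOpenHuxv" and never
fires; rebuilding the rendered view exposes the word, and the presence of
light-on-light runs is itself a detection signal.
"""
import re
from html.parser import HTMLParser

# Word-bounded trigger rule of the kind the padding is meant to defeat (constructed).
TRIGGER_WORDS = re.compile(r"\b(open|share)\b", re.IGNORECASE)
# Text colours treated as invisible against a light background (assumption).
LIGHT_BG_COLOURS = {"#fff", "#ffffff", "white", "rgb(255,255,255)", "transparent"}
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "wbr"}


def _text_colour(style):
    """Return the normalised CSS 'color' value from an inline style, or None."""
    m = re.search(r"(?:^|;)\s*color\s*:\s*([^;]+)", style or "", re.IGNORECASE)
    return m.group(1).strip().lower().replace(" ", "") if m else None


class _LightModeText(HTMLParser):
    """Collects the raw text and the text left once light-on-light runs are dropped."""

    def __init__(self):
        super().__init__()
        self.raw, self.visible, self.hidden_runs = [], [], []
        self._hidden_depth = 0  # >0 while inside an element styled light-on-light

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        colour = _text_colour(dict(attrs).get("style"))
        if self._hidden_depth or colour in LIGHT_BG_COLOURS:
            self._hidden_depth += 1  # nested tags keep the hidden state until closed

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        self.raw.append(data)
        (self.hidden_runs if self._hidden_depth else self.visible).append(data)


def analyse(html):
    """Compare the rule's verdict on the raw text with its verdict on the rendered text."""
    p = _LightModeText()
    p.feed(html)
    raw, visible = "".join(p.raw), "".join(p.visible)
    raw_hits = sorted({m.lower() for m in TRIGGER_WORDS.findall(raw)})
    rendered_hits = sorted({m.lower() for m in TRIGGER_WORDS.findall(visible)})
    return {
        "raw_hits": raw_hits,
        "rendered_hits": rendered_hits,
        "hidden_padding": p.hidden_runs,
        # Suspicious: the reader sees a trigger word that the raw-string rule missed.
        "suspicious": bool(rendered_hits) and not raw_hits,
    }


# Constructed sample modelled on the twPOpenHuxv button described in the story.
SAMPLE_BUTTON = (
    '<td style="background:#ffffff"><a href="https://example.invalid/doc">'
    '<span style="color:#ffffff">twP</span>Open<span style="color:#ffffff">Huxv</span>'
    "</a></td>"
)

if __name__ == "__main__":
    print(analyse(SAMPLE_BUTTON))
```

A gateway rule that only matches whole words misses the raw string entirely; comparing the raw and rendered verdicts turns the evasion itself into the indicator.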

Attackers Can Bypass AI Safety Measures to Carry Out Convincing Scams

Researchers at Rutgers University have demonstrated that AI agents can be used to carry out sophisticated scams from start to finish, Help Net Security reports.

The technique, dubbed “ScamAgent,” bypasses AI safety measures by breaking the scam into separate steps. “ScamAgent integrates natural language generation, contextual memory, goal-driven planning, and text-to-speech (TTS) synthesis to conduct full scam conversations without requiring continuous human input,” the researchers write.

“Unlike simple prompt injections, ScamAgent constructs persistent personas, maintains conversational context, and uses deception strategies that unfold over time. This design allows it to bypass existing safety guardrails by decomposing harmful tasks into benign subgoals and leveraging contextual carryover to avoid triggering filters.”

The researchers note that AI-generated voice attacks may bypass traditional defenses against scam calls.

“Research on scam call detection and defense primarily focuses on audio analysis, caller identification, and user behavior using acoustic and call metadata features,” the researchers explain. “However, these approaches often assume human-generated calls rather than AI-synthesized dialogues.

“The rise of LLM-driven attacks represents a new class of threat that combines linguistic deception, multi-turn planning, and synthetic voice generation, demanding novel detection and mitigation techniques.”

While the researchers focused on voice-based scams, they note that similar techniques can be used to launch various types of social engineering attacks.

“Although ScamAgent was designed to simulate scam call generation, the techniques employed generalize well to other misuse domains,” the researchers write. “These include phishing attacks, medical misinformation, impersonation of trusted institutions and manipulation of interactive systems such as customer support bots.

“The agent’s planning mechanism, which allows it to deconstruct goals and adjust its strategy mid-dialogue, poses a significant challenge to traditional static moderation techniques.”

Attackers will always find ways to abuse new technology for malicious purposes, and users must be prepared for a surge in AI-assisted social engineering attacks. KnowBe4 enables your workforce to make smarter security decisions every day.

Help Net Security has the story:
https://www.helpnetsecurity.com/2025/08/28/scamagent-ai-threats-scam-calls/


The 10 Interesting News Items This Week

Cyberheist ‘Fave’ Links

This Week’s Links We Like, Tips, Hints and Fun Stuff


