Happy Sunday!
I hope this Brief finds you well and ready to tackle the week ahead.
In this edition, I am covering:
- Google's AI agent discovers a significant SQLite vulnerability, marking a milestone in AI-powered security research
- AWS Security Specialty certification leads the pack with average salaries reaching $203,597
- Palo Alto Networks alerts users about a potential RCE vulnerability in PAN-OS management interface
And much more.
Fabric by BlackStork
Fabric Platform streamlines cybersecurity reporting processes, offering a comprehensive solution for teams seeking efficiency and consistency.
INDUSTRY NEWS
Palo Alto Networks Warns of Potential RCE Vulnerability in PAN-OS Management Interface
-
Palo Alto Networks has issued an informational advisory about a potential remote code execution vulnerability in the PAN-OS management interface, although specifics are currently unknown.
-
The company recommends customers properly configure the management interface per best practices, such as isolating it on a dedicated VLAN, using jump servers, limiting inbound IPs, and only allowing secure protocols like SSH and HTTPS.
-
This follows the addition of a now-patched critical authentication bypass flaw (CVE-2024-5910) in Palo Alto Networks Expedition to CISA's Known Exploited Vulnerabilities catalog, which could lead to admin account takeover.
Cybercriminals Exploit DocuSign APIs to Send Authentic-Looking Fake Invoices
-
Wallarm security researchers report that cybercriminals are using legitimate, paid DocuSign accounts and templates to send fake invoices that appear authentic, bypassing email and anti-spam filters.
-
The fake invoices, often impersonating well-known software companies like Norton, contain accurate pricing and additional charges, tricking users into e-signing and authorizing payments to attackers' bank accounts.
-
Attackers are automating the process using DocuSign's APIs, such as the Envelopes: create API, allowing them to send large volumes of fraudulent invoices with minimal manual intervention, abusing the platform's API-friendly environment.
AWS CDK Vulnerability Allowed Account Takeover via Missing S3 Bucket
-
Security researchers Ofek Itach and Yakir Kadkoda discovered a security issue in the AWS Cloud Development Kit (CDK) that could allow an attacker to gain administrative access to a target AWS account, resulting in a full account takeover.
-
The researchers found that approximately 1% of AWS CDK users were susceptible to this attack vector due to the manual deletion of their deployment artifact S3 bucket(s) created during the CDK bootstrapping process.
-
AWS addressed the issue in CDK version v2.149.0 by adding a condition to the bootstrap file-publish role, ensuring it only trusts buckets within the user's account. However, user action is required if CDK version v2.148.1 or earlier was used.
LEADERSHIP INSIGHTS
Alert Fatigue Persists in Cybersecurity Despite Decades of Efforts
-
Anton Chuvakin, the author, discusses how alert fatigue has been a persistent problem in cybersecurity SOCs since the 1970s, despite the industry changing rapidly.
-
Several factors contribute to the endurance of alert fatigue, including increasing data volumes, environment complexity, number of security tools, and threat activity.
-
Surveys reveal SOC teams are overwhelmed by the sheer volume of alerts, with 62% of an average 3,832 daily alerts being ignored, and over 80% being false positives.
NIST Launches Human-Centric Cybersecurity Initiative to Improve Security Design
-
NIST established a new Community of Interest focusing on human-centered cybersecurity, aiming to make security more effective by considering user needs and behaviors rather than treating humans as the weak link.
-
Research shows the traditional approach of restricting user behavior is failing - 68% of breaches in 2023 involved human elements. Organizations are urged to implement behavioral analytics and security monitoring while reducing security burdens on users.
-
Gartner predicts 50% of large enterprises will adopt human-centric security by 2027, focusing on creating a positive security culture through threat simulations, automation, and reward systems for reporting incidents.
AI-Assisted Investigation Tools Alone Do Not Constitute an AI SOC
-
Andrew Green questions the notion that LLM-aided investigation tools alone can be considered an "AI SOC", arguing that a fully automated SOC requires a comprehensive set of supporting functions.
-
For a SOC to become as autonomous as possible, it needs components such as ingestion and storage, detection engine, manual threat hunting, anomaly detection, and automation, orchestration, and response.
-
Vendors like Dropzone AI, Prophet Security, Radiant Security, and Culminate offer standalone assisted and automated investigation tools, but their future trajectory may involve being acquired by wider security operations platform providers or expanding their capabilities to include response.
CAREER DEVELOPMENT
AWS Certified Security Specialty Tops Highest-Paying IT Certifications for 2025
-
Skillsoft's annual IT Skills and Salary report reveals the top 20 highest-paying IT certifications for 2025, with AWS Certified Security - Specialty leading the pack at an average salary of $203,597.
-
Other top-paying certifications include Google Cloud - Professional Cloud Architect ($190,204), Nutanix Certified Professional - Multicloud Infrastructure ($175,409), and Certified Cloud Security Professional ($171,524).
-
The list highlights the growing importance of cybersecurity and cloud skills, with certifications from AWS, Google Cloud, Cisco, (ISC)², ISACA, and Microsoft dominating the rankings.
Redditors Share Tips for Making the Most of a Goldman Sachs Cybersecurity Internship
-
Redditor who landed their dream cybersecurity internship at Goldman Sachs sought advice on how to make the most of the opportunity, and the community chimed in with helpful responses.
-
One Redditor, who interned at a FAANG company, emphasized the importance of networking, being friendly, and communicating with your team, sharing a story of how the most social intern was the only one to receive a return offer despite others being more technically skilled.
-
Other tips included taking initiative to set up interviews with people in higher-level IT or cyber jobs who can recommend you internally, asking questions about their career paths, building a LinkedIn profile early on, and connecting with hiring managers and talent acquisition professionals at companies you may want to work for in the future.
CISO Job Exodus: 24% Actively Seeking New Positions, 50% Open to Offers
-
Survey reveals growing burnout among security leaders, with nearly one-quarter actively job hunting and half willing to consider new opportunities, driven by emerging threats and personal liability concerns.
-
Limited career advancement opportunities within organizations force CISOs to look externally, with typical tenure averaging only 18-24 months before seeking new positions.
-
Rising concerns about job security, as 77% of CISOs fear termination following a major breach, leading some to consider alternative roles such as virtual CISO positions to reduce stress.
Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.
AI & SECURITY
Google Project Zero Discovers Exploitable Stack Buffer Underflow in SQLite Using AI
-
Google Project Zero researchers used their AI agent "Big Sleep" to discover an exploitable stack buffer underflow vulnerability in the widely-used open source database engine SQLite.
-
The vulnerability was found and reported to SQLite developers in early October, who fixed it the same day before it appeared in an official release, so SQLite users were not impacted.
-
The researchers believe this is the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software, demonstrating the potential for AI to help defenders find bugs that are difficult or impossible to find through traditional fuzzing techniques.
Developing Secure Software Course Teaches Fundamentals for Countering Attacks
-
The Linux Foundation's "Developing Secure Software" (LFD121) course, developed by the Open Source Security Foundation (OpenSSF), focuses on teaching software developers, DevOps professionals, and engineers the basics of developing software hardened against attacks.
-
The course covers topics such as secure design principles, securely selecting and acquiring reused software (including open source), input validation, secure data processing, calling other programs securely, and verification techniques like static and dynamic analysis.
-
It also delves into more specialized topics like threat modeling and applying cryptographic capabilities, aiming to enable developers to create systems that are harder to successfully attack, reduce damage from successful attacks, and speed up vulnerability remediation.
Apple Launches $1M Bug Bounty Program for Private Cloud Compute Security
-
Apple is offering rewards up to $1 million for researchers who can identify vulnerabilities in their new Private Cloud Compute (PCC) platform, with specific bounties ranging from $50,000 to $250,000 for different types of security breaches.
-
The company has released a Virtual Research Environment (VRE) allowing security researchers to analyze PCC on Apple Silicon Macs, complete with tools for code inspection and log verification.
-
The PCC infrastructure will handle complex AI processing requests as part of Apple's Intelligence features, with initial rollout beginning in iOS 18.1 and expanding through 2025.
MARKET UPDATES
Fortinet Launches AI-Powered FortiDLP for Automated Data Protection
-
Fortinet has introduced FortiDLP, a new standalone endpoint DLP solution that expands its data protection portfolio, leveraging technology from its acquisition of Next DLP.
-
FortiDLP provides automated data movement tracking, cloud application monitoring, and endpoint protection mechanisms that work both online and offline, integrating with the Fortinet Security Fabric.
-
The platform automatically classifies sensitive data at the point of access, tracks and controls data egress, and includes a customizable database of over 500 predefined data patterns and policies for simplified deployment.
Noma Security Emerges from Stealth with $32M to Secure AI Lifecycle
-
Noma Security, based in Tel Aviv, Israel, has raised $32 million in Series A funding led by Ballistic Ventures to protect the data and lifecycle of emerging gen-AI applications.
-
The Noma platform covers the entire Data & AI Lifecycle, addressing new risks like misconfigured data pipelines, vulnerable and malicious open source models, prompt injection, and jailbreaking.
-
Founded by former members of the IDF's 8200 intelligence unit, Noma aims to provide a single platform for end-to-end security in the AI development process, extending to production with real-time monitoring, blocking, sensitive data masking, and alerting.
CrowdStrike to Acquire Adaptive Shield for Comprehensive SaaS Security
-
CrowdStrike announces agreement to acquire Adaptive Shield, a leader in SaaS Security, to provide unified protection against identity-based attacks across the modern cloud ecosystem.
-
The acquisition will enable CrowdStrike to deliver comprehensive SaaS Security Posture Management (SSPM), GenAI Application Security Control, and unified hybrid identity and cloud security.
-
The combination of Adaptive Shield and CrowdStrike Falcon® Identity Protection will provide customers with comprehensive identity protection across SaaS, on-premises Active Directory, and cloud-based environments.
TOOLS
Nuke My LUKS
A simple network-based panic button designed to overwrite the LUKS header with random data and shutdown the computer in case of an emergency situation. This tool can be useful for activists, human right workers and others that face an adversary, such as law enforcement, that can coerce the subject to disclose the encryption passwords for the computer's hard drives.
DorkSearch
AI-powered Google Dorking Assistant: This tool helps users create effective Dork queries for searching sensitive information on the internet.
CloudGoat
CloudGoat is Rhino Security Labs' 'Vulnerable by Design' AWS deployment tool that allows users to hone their cloud cybersecurity skills through 'capture-the-flag' style scenarios.
Before you go
If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!
For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.
Best,
Nikoloz