Dave Bittner
You're listening to the CyberWire network, powered by N2K. Hey everybody, Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now our listeners get a special 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.

It was a busy Patch Tuesday. Investigators discover undocumented communications devices inside Chinese-made power inverters. A newly discovered branch privilege injection flaw affects Intel CPUs. A UK retailer may claim up to £100 million from its cyber insurers after a major cyber attack. A Kosovo national has been extradited to the US for allegedly running an illegal online marketplace. CISA will continue alerts on its website following industry backlash. Our guest is Neil Hare Brown, CEO at Storm Guidance, discussing cyber incident response, retainer service provision, and shoring up the future of the CVE program.

Wednesday, May 14, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great as always to have you with us.

Yesterday marked May's Patch Tuesday, and Microsoft took center stage by addressing 78 vulnerabilities, including five zero-days actively exploited in the wild.
These critical flaws span across Windows, Office, Azure and Microsoft Defender. Notably, one of the zero-days carries a perfect CVSS score of 10, impacting Azure DevOps Server. Additionally, six vulnerabilities are rated as critical, with five being remote code execution flaws and one an information disclosure bug. SAP has released patches for a second zero-day vulnerability in its NetWeaver servers. This flaw was discovered during investigations into previous zero-day attacks involving another vulnerability fixed back in April. Both vulnerabilities have been exploited in the wild, emphasizing the need for immediate patching. Ivanti has patched two vulnerabilities in its Endpoint Manager Mobile software that attackers have chained together to achieve unauthenticated remote code execution. The first is an authentication bypass and the second allows arbitrary code execution via crafted API requests. Ivanti urges customers to update to the latest versions to mitigate these threats. Fortinet has addressed a critical remote code execution vulnerability in its FortiVoice enterprise phone system. This stack-based overflow flaw has been actively exploited, allowing unauthenticated attackers to execute arbitrary code through malicious HTTP requests. The vulnerability also affects FortiMail, FortiNDR, FortiRecorder and FortiCamera. Juniper Networks, VMware and Zoom have released patches for numerous vulnerabilities across their products. Juniper addressed nearly 90 bugs in its Secure Analytics platform, some dating back several years. VMware fixed a high-severity cross-site scripting flaw in its Aria Automation appliance and a medium-severity issue in VMware Tools. Zoom resolved nine security defects in its Workplace apps, including a high-severity privilege escalation vulnerability. Industrial control system giants Siemens, Schneider Electric and Phoenix Contact have issued security advisories addressing vulnerabilities in their products.
While most flaws have been patched, some only have mitigations or workarounds available. These advisories are crucial for organizations relying on ICS infrastructure. Adobe's Patch Tuesday rollout includes fixes for at least 39 vulnerabilities across various products, and a significant update addresses seven critical flaws in Adobe ColdFusion, which could lead to arbitrary file system reads, code execution and privilege escalation. These vulnerabilities carry a CVSS score of 9.1 out of 10, highlighting their severity. Overall, this month's Patch Tuesday highlights the importance of timely updates across a broad spectrum of software and hardware. Organizations are urged to prioritize patching these vulnerabilities to safeguard against active threats. US energy officials are investigating Chinese-made inverters and batteries after discovering undocumented communication devices inside them, Reuters reports. These components, used widely in solar panels, batteries and EV chargers, could bypass firewalls and pose risks to the power grid, experts warn. They could enable remote disruptions or even destruction of infrastructure. While such devices are built for remote maintenance, some found had hidden capabilities not listed in manuals. The US Department of Energy is working to tighten transparency and supply chain security. As tensions with China grow, utilities and lawmakers are pushing to limit reliance on Chinese technology in critical infrastructure. Some nations, like Lithuania and Estonia, are already taking steps to ban or restrict Chinese inverters to protect energy systems from foreign control. A newly discovered branch privilege injection flaw affects all Intel CPUs from the 9th generation onward. Researchers at ETH Zurich found that speculative execution on Intel's branch predictors can leak sensitive kernel data to user-level attackers by exploiting race conditions during privilege switches.
Their exploit bypasses Spectre version 2 mitigations and successfully reads protected data like hashed passwords. Non-Intel CPUs tested, including AMD and Arm, are not vulnerable. Intel CPUs before 9th gen may still be at risk from older Spectre variants. UK retailer Marks & Spencer may claim up to £100 million from its cyber insurers after a major cyber attack compromised some customer data and disrupted operations for nearly three weeks, the Financial Times reports. Allianz is expected to cover at least the first £10 million, with Beazley also potentially liable. While M&S confirmed that no payment details or passwords were exposed, personal data like contact info and order history may have been. The attack halted online sales and caused supply issues in food stores, with estimated losses exceeding £60 million. Since disclosing the breach on April 27, M&S shares have dropped 16%, wiping £1.3 billion off its market value. The company's insurance policies, arranged by WTW, are expected to cover both direct and third-party losses. Experts warn premiums could rise if M&S fails to show stronger risk management in future renewals. Liridon Masurica, a 33-year-old Kosovo national, has been extradited to the US for allegedly running BlackDB.cc, an illegal online marketplace selling stolen account data and personal information. Known online as BlackDB, Masurica is accused of enabling fraud schemes, including tax fraud and identity theft. Arrested in December, he appeared in a Tampa court and remains in custody. Kosovo authorities seized digital devices and cryptocurrency during the arrest. If convicted, Masurica faces up to 55 years in prison. CISA reversed its decision to scale back cybersecurity alerts on its website following backlash and confusion from the cyber community. Initially, CISA announced it would prioritize social media, particularly X (Twitter), for updates, claiming it would enhance user experience.
Critics argued this shift could limit access to critical information, including threat alerts and vulnerability disclosures. CISA's website has long been a trusted source for urgent cyber threat guidance, especially as the agency faces budget cuts and staffing shortages. The move raised concerns about transparency and reliance on private platforms for public safety information. Under scrutiny from Congress and amid potential $500 million in budget reductions, CISA has paused changes to reassess how to best communicate with stakeholders while maintaining its commitment to .gov platforms for verified alerts. Coming up after the break: my conversation with Neil Hare Brown, CEO at Storm Guidance. We're discussing cyber incident response, retainer service provision, and shoring up the future of the CVE program. Stay with us.

And now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start, without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com.

Let's be real. Navigating security compliance can feel like assembling IKEA furniture without the instructions. You know you need it, but it takes forever and you're never quite sure if you've done it right. That's where Vanta comes in. Vanta is a trust management platform that automates up to 90% of the work for frameworks like SOC 2, ISO 27001 and HIPAA, getting you audit-ready in weeks, not months. Whether you're a founder, an engineer, or managing IT and security for the first time, Vanta helps you prove your security posture without taking over your life.
More than 10,000 companies, including names like Atlassian and Quora, trust Vanta to monitor compliance, streamline risk, and speed up security reviews by up to five times. And the ROI? A recent IDC report found Vanta saves businesses over half a million dollars a year and pays for itself in just three months. For a limited time, you can get $1,000 off Vanta at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.

Neil Hare Brown is CEO at Storm Guidance, and in today's sponsored Industry Voices discussion, we're talking about cyber incident response retainer service provision.
Neil Hare Brown
Many organizations are approaching incident response. Well, many organizations are not approaching incident response planning, unfortunately, but those that are approaching incident response planning are tending to look to the standards. There have been some pretty good standards in cyber incident response for a number of years now. I've been in cyber for 40 years now and I started cyber incident investigations in '96. And even back then the first Computer Emergency Response Team out of Carnegie Mellon had published their initial thoughts on what makes good cyber incident response. And so that's been developed over the years. One of the areas which I think is largely missing from the standards is the appreciation that cyber incidents, or cyber incident response, is actually a lot more than just the technical aspects. And this is something which, for the last 12 years now, we've been managing or responding to incidents on behalf of cyber insurers. Over a thousand incidents in the last decade. And there really is a large amount of work that has to be done with those organizations that are suffering from incidents in the non-technical areas, such as the legal side of things, the crisis PR side of things, trauma counseling, ransom negotiation. These are all things which are, if you like, outside of the scope of technical. And when it comes to planning, that's something which many organizations need to embrace as part of their cyber incident response plans. Those organizations that are a little bit more mature, I would say, certainly those that have got well-developed business continuity plans, they are very well advised to, if you like, adapt those business continuity plans to incorporate cyber incidents as well.
Dave Bittner
As, you know, inherent in the name incident response, I think, is that folks come at this in a reactive way. I guess that's understandable. But how does that approach affect the outcomes here when it comes to actually dealing with incidents on the fly?
Neil Hare Brown
So, you know, when incidents actually occur, we tend to find that many organizations have not prepared, certainly they've not prepared adequately enough for cyber incidents. And so oftentimes that will be the point at which they will call in the specialists, or certainly seek to call in the specialists. Those specialists may be provided if they have cyber insurance, or they might be seeking to acquire that expertise just commercially from cyber incident response teams such as ourselves. And so that, if you like, I think, as you've already alluded to, is not the ideal situation. Certainly we deal with many incidents where it is the first time that the senior management have ever met the IT or operational folks in their own organization. And so that kind of really underlines the need to prepare for cyber incidents and to prepare for the reactive state. Certainly if you want to have a good outcome, organizations that are not prepared, even if they are using highly experienced professional cyber incident responders, are still not going to have anywhere near the effectiveness of, you know, the good outcomes that they would have if they had actually been much more prepared.
Dave Bittner
What does that preparation look like, and how should the security team make the case to the executives that preparation is a worthwhile investment?
Neil Hare Brown
So when it comes to the preparation side of things, again, it really is important to think outside the box. So having a written plan is a great thing, but making sure that it's going to survive first contact is the second thing. So ensuring that you've actually had an exercise of your plan is very important. Also, ensuring that the plan caters for both the strategic senior management aspects of managing a cyber incident and the operational, sort of technical, aspects as well. And we find that most organizations work more effectively if they actually separate those two groups of folks when they have an incident or when they're actually having an exercise, because that's actually the most efficient way of managing things. You tend to find that you might have senior management that want to get involved or understand some of the technicalities. And generally, when you're in the middle of a cyber incident, that isn't the right time to do that. And similarly, sometimes you get some of the technical folks wanting to become legal experts, and that equally is not the right time. So it's always best to actually keep those two groups apart, but have a coordinator that is working with those two groups to make sure that the requirements of the strategic group are properly conveyed to the operational group and the results are passed back so they can make some informed decisions. So this is all part of the actual preparedness. And then you can also have some specific preparedness workshops. So for instance, forensic preparedness. So having a good idea of the various technologies that you're using, what the tech stack looks like and what the ability for those technologies is to actually record evidential items, and to make sure that that evidence, whether it's in the format of logs or whether it's in other forensic artifacts that could be produced during an incident, is preserved.

So this is something which is very important to actually talk through ahead of time so that you can make sure that you have a really effective response when an incident occurs.
Dave Bittner
You mentioned that many organizations come at this as a technical challenge, and that certainly makes sense. But you also mentioned that there are a lot of other things at play here. And one thing that caught my ear was this notion of helping people deal with the trauma of an event like this. Explain the importance of that.
Neil Hare Brown
That's one of the major losses that we see organizations suffering from. And it's a loss which is not immediately felt by the organization or indeed the individuals that are tasked with the response. Bearing in mind the response isn't just purely technical. So we're not just talking about just the IT folks here. We can be talking about management as well, and even senior executives. But the post traumatic stress that those participants feel, those responders feel, once the incident has sort of been dealt with, can sometimes be quite significant. We've dealt with a number of incidents, for instance, where members of staff have been deceived into giving up credentials or into actually making payments, that kind of thing. And that kind of, you know, that sits very heavily with them. And it's generally the case that unless an organization does something to recognize that and to offer them the support that they will need, that they could be looking at those staff leaving within a relatively short period of time after the incident has taken place.
Dave Bittner
In this world where so many organizations have moved their operations to the cloud or they're relying on managed service providers, I can imagine that they are looking to rely on those organizations, if there is an incident, to help with the recovery. Is that a sensible plan? Does that make sense? How reliable are they as a support network?
Neil Hare Brown
Very good question. I think it does need, and this again kind of underlines the need for preparation, because it really needs some thought as to what roles an organization would want their service providers to play in the event of an incident. There's no doubt that if systems or data have to be recovered, then it may well be that the expertise that their MSPs are offering and the familiarity that they have with the client systems and data is such that they would be the ideal person to help with that recovery. When it comes to the investigation aspects, though, some very careful thought has to be given there as to whether or not their providers would be conflicted if they were to help with the investigation. Consider, for instance, a managed security services provider, or a straight MSP that's providing some kind of security services as part of their overall package. If they were then tasked to actually perform an investigation, and it happened that the very controls that those organizations should have been putting in place had failed in some way, perhaps an MSSP that should have been monitoring systems failed in their ability to do that properly, are they going to actually reveal that? Are they truly independent when it comes to that investigation? Are they going to give the organization that kind of clarity on the initial point of compromise, et cetera? So it's very important to give that some consideration. And certainly we've come across many cases now where MSPs who are appointed to do the investigation part of the incident response are indeed conflicted, and they are rather opaque with helping the organization to understand what went wrong and how it went wrong.
Dave Bittner
There's kind of this old joke in cybersecurity about the security professional standing in front of the board of directors and saying, hey, we spent all this money and, congratulations, nothing happened. And the board scratches their head and says, well, why are we spending all this money? If people are investing in a retainer with an organization like yours, how do they leverage that investment proactively?
Neil Hare Brown
So certainly I would say all good retainer services should provide a range of onboarding services. So this is separate from the actual incident response time that is set aside in case an incident does occur. And those onboarding activities should include, as we've already discussed, some kind of preparatory support. We perform something called assimilation, where we sort of take a lot of time to understand a client's tech stack, what their points of contact are, which regulations apply, you know, what their legal obligations are, et cetera, et cetera, lots and lots of points. And so I would say good retainer service should have some onboarding activities, maybe a risk assessment, maybe some attack surface scanning, that kind of stuff. Then there is the investment itself into the time that may be required should an incident occur. And that time would be used at different rates depending on the skills that would be needed should an incident occur. So, you know, you may have a different rate for a senior legal advisor, for instance, than you would for a forensic investigator. So, yeah, having a way to actually make sure that that is all dealt with as part of the process. And then thirdly, and very importantly, as you've already said, if an incident does not occur, then how is a client going to maximize their investment? And so the best process is that they should be able to see 100% of their investment, and that should be converted into the ability to undertake proactive activities. So for instance, staff awareness training, penetration testing, maybe cyber incident exercises, all of these things can actually be a way for clients to get the maximum out of their investment.
Dave Bittner
That's Neil Hare Brown, CEO at Storm Guidance. For more information about cyber incident response retainer service provision, you can find a link in our show notes.

What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps: see your attack paths the way adversaries do.

And finally, in late March, MITRE marked the 25th anniversary of the CVE program, the cornerstone of global vulnerability tracking and every security pro's favorite database to grumble about while secretly relying on it daily. For a brief, jittery moment in April, it looked like this quarter-century run might come to an abrupt, awkward end. A leaked memo revealed that the Cybersecurity and Infrastructure Security Agency had not renewed MITRE's funding contract. The memo gave everyone a very specific countdown, about 36 hours until the lights went out. Analysts, vendors and researchers, all highly trained to manage risk, suddenly found themselves in a digital doomsday scenario. One expert said it was the 11th hour, 59th minute. It gave a doomsday feel. Then, just 17 hours later, CISA reversed course and issued an 11-month contract extension. Crisis averted, mostly. The near miss did more than rattle nerves. It kicked off a rapid rethink of who should control, fund and future-proof one of the Internet's most essential public services. Enter a cast of new players.
ENISA launched its own EU vulnerability database. Luxembourg's CIRCL debuted the Global CVE allocation system. And several CVE board members introduced plans for a new CVE Foundation, a privately funded alternative aimed at global resilience and governance beyond a single US agency. That last move stirred controversy. Former CISA Director Jen Easterly publicly criticized CVE Foundation board members for secretly building a rival while still overseeing the current program, calling it a conflict of interest. Meanwhile, supporters argue that relying on a single funder, especially one with a volatile budget and shifting political winds, is just bad business. You want resilience, said one expert, not a cliffhanger every fiscal year. As for MITRE, they're staying the course, grateful for the overwhelming support and committed to keeping CVE running smoothly, contract drama notwithstanding. Still, the takeaway was the CVE program may be a public good, but it's not immune to bureaucratic entropy. Whether it evolves into a broader, more distributed model or continues under its current stewardship, one thing is clear: no one wants to live in a world without it.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Dave Bittner
And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.
CyberWire Daily: Patch Tuesday Updates – May 14, 2025
Hosted by Dave Bittner from N2K Networks
In the latest episode of CyberWire Daily, host Dave Bittner delivers a comprehensive briefing on the recent cybersecurity developments, with a particular focus on the latest Patch Tuesday. The episode also features an insightful interview with Neil Hare Brown, CEO of Storm Guidance, discussing the intricacies of cyber incident response and the future of the CVE program.
May 14, 2025, marked another bustling Patch Tuesday, where major software vendors released critical updates to address numerous vulnerabilities. Here's a detailed breakdown:
Dave Bittner emphasized, "This month's Patch Tuesday highlights the importance of timely updates across a broad spectrum of software and hardware. Organizations are urged to prioritize patching these vulnerabilities to safeguard against active threats."
Topic: Cyber Incident Response, Retainer Services, and the Future of the CVE Program
Neil Hare Brown emphasized, "Cyber incidents or cyber incident response is actually a lot more than just the technical aspects." He highlighted the importance of addressing non-technical areas such as legal affairs, crisis public relations, trauma counseling, and ransom negotiations. Brown pointed out that handling these aspects often falls outside the traditional scope of technical response plans.
When discussing preparation, Brown stated, "If you want to have a good outcome, organizations that are not prepared... they're still not going to have anywhere near the effectiveness of... more prepared [organizations]." He underscored the necessity for organizations to develop comprehensive incident response plans that encompass both strategic and operational elements. This includes conducting regular exercises to ensure plans are robust and can withstand the pressures of an actual incident.
Brown addressed the reliability of MSPs in incident response, noting potential conflicts of interest. “Some very careful thought has to be given... whether or not their providers would be conflicted if they were to help with the investigation.” He cautioned that MSPs involved in both providing security services and investigating incidents might lack the necessary independence to deliver clear and unbiased assessments.
Responding to concerns about the value of retainer services, Brown explained, "Good retainer services should provide a range of onboarding services... assimilation... risk assessment... proactive activities like staff awareness training, penetration testing, and cyber incident exercises." He emphasized that even in the absence of an incident, organizations should leverage their retainer investments through ongoing proactive security measures.
In late March, the CVE (Common Vulnerabilities and Exposures) program celebrated its 25th anniversary. However, a leaked memo revealed that CISA had not renewed MITRE's funding contract, sparking concerns about the program's future. The memo indicated a critical 36-hour window before funding ceased, creating a "digital doomsday scenario" within the cybersecurity community.
Key Developments:
Controversies:
MITRE's Stance:
Industry Sentiment: Experts agree on the indispensable role of the CVE program in global vulnerability tracking. Whether through a more distributed model or under continued stewardship, the community recognizes that the CVE program remains a foundational element of cybersecurity infrastructure.
The May 14, 2025 episode of CyberWire Daily provides a thorough analysis of the latest cybersecurity vulnerabilities, ongoing threats, and critical industry developments. The in-depth discussion with Neil Hare Brown offers valuable insights into effective incident response strategies and the evolving landscape of vulnerability management. As the cybersecurity realm continues to advance, staying informed and prepared remains paramount for organizations worldwide.
For more detailed information on today's stories, visit the daily briefing at thecyberwire.com.
About the Podcast:
CyberWire Daily, hosted by Dave Bittner from N2K Networks, delivers daily cybersecurity news and expert analysis. Each episode features interviews with industry leaders from around the globe, providing listeners with the insights needed to stay ahead in the rapidly changing world of cybersecurity.
Note: This summary excludes advertisements, sponsorship messages, and non-content segments to focus solely on delivering the episode's core information and discussions.