Information Security Buzz

Insights from cybersecurity experts on the latest cybersecurity news. Join our community. Together, we can stay ahead of the curve in information security.

Welcome to Information Security Buzz, your go-to resource for the latest in cybersecurity news, threat trends, and insightful blogs. We aggregate content from credible sources to bring you an up-to-date feed, practical solutions, and expert advice from around the globe. Our platform offers segmented news for quick research, helpful links to connect with industry professionals, and guidance on careers, qualifications, and training. Whether you’re interested in cybercrime, the latest training events, or advancing your career, Information Security Buzz has everything you need. Share your insights, get published on our blog, comment on articles, and engage in industry debates.

07/05/2026

After a cyberattack, the instinct is to restore operations as fast as possible. That instinct can cost you the evidence needed to understand what actually happened.

Digital forensics is what fills that gap. It traces how attackers got in, how far they moved, and which gaps made it possible. Without that work, organisations tend to patch the obvious and leave the actual entry points intact.

Nazy Fouladirad, President and COO of Tevora, covers the full post-incident forensics process and what good recovery planning looks like when the investigation is done.

🔗 Learn more: https://informationsecuritybuzz.com/understanding-digital-forensics-after-a-cyber-incident/

Investigating past events reveals the "how" and "why" of a breach, helping prevent future occurrences. Explore how digital forensics aids this.

07/05/2026

The security industry's central assumption has changed: from keeping attackers out, to planning for the moment they get in.

In healthcare, that shift carries clinical consequences. A ransomware event at a hospital isn't an IT outage. It's a question of whether the ED can triage, whether the ICU can administer medication, whether surgery can proceed.

Errol Weiss, CSO at Health-ISAC, shares why cyber recovery and clinical continuity need to be treated as the same plan, and why most organisations still separate them.

🔗 Read more: https://informationsecuritybuzz.com/recovery-is-the-new-prevention-qa-with-errol-weiss/

In a Q&A Errol Weiss explains why treating attacks as inevitable changes everything, why hospitals need to think like emergency rooms during a ransomware event, and what the pace of AI means for defenders already stretched thin.

07/05/2026

Trellix has disclosed unauthorised access to a portion of its source code repository. It has not specified which portion, and says its investigation is ongoing. No evidence so far that code was released, its distribution process was affected, or that the code has been exploited.

Ben Ronallo, Director of Security Operations at Black Duck, suspects this may be connected to earlier compromises rather than a standalone incident. His read: cybersecurity companies are under sustained scrutiny, and one weak link in a supply chain is often enough for attackers to get further than anyone anticipated.

🔗 Full story: https://informationsecuritybuzz.com/trelix-admits-breach-portion-of-source-code/


06/05/2026

SOC analysts are drowning in alerts, so low-severity ones get closed or ignored. That's operationally sensible. It's also how a meaningful number of confirmed incidents get through.

Mitchem B., Field CISO at Intezer, has been looking at what lives inside those deprioritized queues. His finding: a notable portion of real security incidents started as alerts that someone decided weren't worth investigating that day.

The problem isn't just workload. Severity scores are built to reduce noise, and early attacker behaviour (credential testing, quiet reconnaissance, low-and-slow persistence) is specifically designed to look like noise.

By the time the signal becomes undeniable, the attacker has had time to move.

🔗 Read to find out what SOC teams can do about it: https://informationsecuritybuzz.com/the-threats-hiding-in-low-severity-alerts/

Alert fatigue is a key challenge in security. Ignoring low-severity alerts may be practical, but threats can still lurk in them.

06/05/2026

A security researcher has found that Microsoft Edge decrypts every saved password at browser startup and holds all of them in cleartext memory for the entire session. Every credential. From the moment Edge opens.

Uzair Gadit (Secure.com) and Ted Miracco (Approov Mobile Security) weighed in on what that actually means in practice.

🔗 Learn more: https://informationsecuritybuzz.com/microsoft-edge-holding-credentials-in-plaintext/


06/05/2026

CISA is reportedly weighing a cut to vulnerability patching deadlines for government agencies. From two to three weeks, down to 72 hours.

The pressure behind it: AI systems that can go from patch release to working exploit in hours, not days.

Four experts shared their thoughts: Doc McConnell (Finite State), Noelle Murata (Xcape, Inc.), Jacob Krell (Suzu Labs), and Sunil Gottumukkala (Averlon).

🔗 Learn more: https://informationsecuritybuzz.com/us-weighs-slashing-vulnerability-patching-deadlines/

There are discussions in US cybersecurity circles to radically shorten the time given to government agencies to fix software vulnerabilities.

05/05/2026

Here's something the cybersecurity industry doesn't talk about enough.

When a real incident hits (we're talking ransomware, wipers, full BCDR chaos), the stress is on a completely different level to anything most people have prepared for.

No phones, no email, no playbooks. Regulators and executives are calling at once. Years of ignored recommendations suddenly very relevant.

James Blake at Cohesity has been through hundreds of these. The people holding the actual knowledge often don't make it to the other side of the incident. And because no one ever wrote any of it down, the capability leaves with them.

The issue is obvious, yet many people choose to ignore it. We spoke to James about it in full.

📄 Read the article: https://informationsecuritybuzz.com/the-new-rules-of-war-have-no-rules/

▶️ Watch on YouTube: https://youtu.be/syqwDVOEN0c?si=L8nIjGC7wsaGrbOj

05/05/2026

Iranian cyber operations have shifted from isolated incidents to sustained campaigns, and what makes them effective is their use of the same tools organisations rely on every day.

Hüseyin Can Yüceel of Picus Security has written a clear-eyed look at how these intrusions unfold inside enterprise networks. The playbook involves credential theft over malware, DNS tunneling through trusted infrastructure, native Windows tools that blend into normal activity, perimeter exploitation that bypasses phishing entirely, and supply chain access through managed service providers.

The common thread across all of it is that discovering these attackers is less about spotting unfamiliar malware and more about noticing when something familiar starts behaving unexpectedly. That's a harder problem for most security teams.

🔗 Read more: https://informationsecuritybuzz.com/how-iranian-cyber-intrusions-unfold-inside-enterprise-networks/

Iranian cyber operations have gone from being disruptive single events to ongoing campaigns against governments, infrastructure providers, technology

05/05/2026

CISA has added CVE-2026-31431, known as Copy Fail, to its Known Exploited Vulnerabilities catalog, and if your organisation runs Linux, this one deserves your immediate attention.

The vulnerability has been present in virtually every major Linux distribution since 2017, and the public exploit is both reliable and trivially simple to run. A single Python script is enough to go from an unprivileged local account to root on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16.

Experts weigh in: Vishal Agarwal (Averlon), Jacob Krell (Suzu Labs), Mayuresh Dani (Qualys), Ryan McCurdy (Liquibase), Uzair Gadit (Secure.com), David Brumley (Bugcrowd), Jason Soroko (Sectigo)

Patch your kernel now, and if you can't patch immediately, disable the vulnerable module.

🔗 Read more: https://informationsecuritybuzz.com/copy-fail-actively-exploited-linux-flaw/


04/05/2026

Your security team probably knows exactly who accessed your CRM last Tuesday. But ask them what's happening with the thousands of hours of video your organisation stores, and the answer is usually a shrug.

Danielle K. writes that visual data is the blind spot most security teams haven't dealt with yet, and the regulatory window to get ahead of it is closing. GDPR, HIPAA, BIPA, and a coordinated 2026 statement from 61 data protection authorities are all pointing in the same direction: facial data in video is biometric data, and it needs to be treated that way.

The practical fix exists. The security prioritisation, in most organisations, still isn't.

🔗 Learn more: https://informationsecuritybuzz.com/visual-data-is-the-blind-spot-in-enterprise-security/

Enterprise security has a blind spot: video. While databases are locked down, sensitive faces in footage often go unredacted. See why this is the next big risk.

30/04/2026

Your company has never signed up for a war. That doesn't mean you're not in one.

James Blake, VP of Global Cyber Resiliency Strategy at Cohesity, makes a point in our latest interview that's hard to shake: even if you have no connection to a defence contractor or a government, you can still become collateral damage in a state-sponsored cyber attack.

The Iran conflict isn't just a geopolitical story. It's a live look at what happens when the lines between military targets and everyday business operations stop existing.

Watch the full interview: https://www.youtube.com/watch?v=syqwDVOEN0c

Read the full article: https://informationsecuritybuzz.com/the-new-rules-of-war-have-no-rules/

Address

isb@informationsecuritybuzz.com
Valencia
