
Monthly Round Up for the month of April 2024

Boat Data Breach Exposes Personal Information of Over 7.5 Million Users

Amit Gupta-led startup Boat has reportedly witnessed a major data breach incident. The private details of over 7.5 million customers have made their way onto the dark web. This includes sensitive information like names, addresses, phone numbers, email addresses, and customer IDs. As per a report by Forbes, an individual under the name ‘ShopifyGUY’ claimed to have breached the data of boAt Lifestyle, a company known for its audio products and smartwatches. The hacker shared files containing the personal information of customers, totalling 7.5 million entries.

RBI’s action on Kotak Mahindra Bank

The Reserve Bank of India (RBI) directed Kotak Mahindra Bank Limited (KMBL) to cease, with immediate effect, onboarding new customers through its online and mobile banking channels and issuing fresh credit cards. The reason the RBI gave for this action is that serious deficiencies and non-compliances were observed in certain specified areas.

As per the RBI’s press release, serious deficiencies and non-compliances were observed in the areas of IT inventory management, user access management, vendor risk management, data security, data leak prevention strategy, business continuity and disaster recovery rigour and drill, etc.

ICICI Bank blocks 17,000 credit cards after data breach

ICICI Bank has blocked 17,000 credit cards after a technical glitch in its mobile banking application ‘iMobile’ led users to complain about being able to view other customers’ card details, including co-branded cards.

In response, ICICI Bank said that about 17,000 new credit cards which were issued in the past few days were “erroneously mapped in our digital channels to wrong users”. These cards constitute about 0.1 per cent of the bank’s credit card portfolio.


Near Field Communication (NFC)

Near Field Communication, or NFC, is a short-range wireless communication technology that enables devices to interact with each other in close proximity, typically within a few centimeters. It operates at a frequency of 13.56 MHz and can be used for various applications, such as contactless payment systems, secure access control, and data sharing between devices like smartphones, tablets, and other compatible gadgets.

How NFC works

When two NFC-enabled devices are brought close to each other, a connection is established, and they can exchange data with each other. This communication is enabled through NFC Tags and NFC Readers. NFC Tags are small integrated circuits that store and transmit data, while NFC Readers are devices capable of reading the data stored in NFC Tags.

NFC Modes

NFC operates primarily in three modes:

  • Reader/Writer Mode: This mode enables the NFC device to read or write data from or to NFC Tags. For example, you can scan an NFC Tag on a poster to access more information about a product or service.
  • Peer-to-Peer Mode: This mode allows two NFC-enabled devices to exchange information directly. Examples include sharing data such as contact information, photos, or connecting devices for multiplayer gaming.
  • Card Emulation Mode: This mode allows an NFC device to act like a smart card or access card, enabling contactless payment and secure access control applications.

Security Concerns

While NFC brings convenience through its numerous applications, it also poses security risks, and it’s essential to be aware of these. Some possible concerns include:

  • Eavesdropping: Attackers can potentially intercept data exchange between NFC devices if they manage to get into the communication range.
  • Data manipulation: Attackers might alter or manipulate the data exchanged between the devices.
  • Unauthorized access: An attacker can potentially exploit a vulnerability in your device and gain unauthorized access to sensitive information.

Security Best Practices

To minimize the risks associated with NFC, follow these best practices:

  • Keep your device’s firmware and applications updated to minimize known vulnerabilities.
  • Use strong and unique passwords for secure NFC applications and services.
  • Turn off NFC when not in use to prevent unauthorized access.
  • Be cautious when scanning unknown NFC Tags and interacting with unfamiliar devices.
  • Ensure you’re using trusted and secure apps to handle your NFC transactions.
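The tag data exchanged in Reader/Writer mode is normally an NDEF message, and the "be cautious with unknown tags" advice above is something a reader application can enforce rather than leave to the user. The following is an added example, not code from the original post: a minimal NDEF parser that extracts URI records and applies an allowlist before a reader would act on them. The record layout and the URI prefix table follow the NFC Forum NDEF and URI Record Type specifications; the tag contents are constructed for the example.

```python
# Added example (not from the original post): parse NDEF URI records from a
# tag and decide, reader-side, whether each URI is safe to open.
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlparse

# NDEF URI record identifier codes (payload byte 0); abbreviated table.
URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.",
    0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
}
TNF_WELL_KNOWN = 0x01


@dataclass
class NdefRecord:
    tnf: int
    rtype: bytes
    payload: bytes


def parse_ndef(message: bytes) -> list[NdefRecord]:
    """Walk the records of one NDEF message (first record has MB set, last has ME)."""
    records, pos = [], 0
    while pos < len(message):
        header = message[pos]
        short_record = bool(header & 0x10)   # SR flag: payload length is 1 byte
        has_id = bool(header & 0x08)         # IL flag: an ID length field follows
        tnf = header & 0x07
        pos += 1
        type_len = message[pos]; pos += 1
        if short_record:
            payload_len = message[pos]; pos += 1
        else:
            payload_len = int.from_bytes(message[pos:pos + 4], "big"); pos += 4
        id_len = 0
        if has_id:
            id_len = message[pos]; pos += 1
        rtype = message[pos:pos + type_len]; pos += type_len
        pos += id_len                        # skip the record ID if present
        payload = message[pos:pos + payload_len]; pos += payload_len
        if len(payload) != payload_len:
            raise ValueError("truncated NDEF record")
        records.append(NdefRecord(tnf, rtype, payload))
        if header & 0x40:                    # ME flag: this was the last record
            break
    return records


def is_well_formed(message: bytes) -> bool:
    """True when the message parses without running off the end of the tag."""
    try:
        parse_ndef(message)
        return True
    except (ValueError, IndexError):
        return False


def uri_from_record(rec: NdefRecord) -> str | None:
    """Expand a well-known 'U' record into its full URI, else None."""
    if rec.tnf != TNF_WELL_KNOWN or rec.rtype != b"U" or not rec.payload:
        return None
    prefix = URI_PREFIXES.get(rec.payload[0])
    if prefix is None:
        return None   # reserved/unknown identifier code: do not guess
    return prefix + rec.payload[1:].decode("utf-8")


def safe_uris(message: bytes, allowed_hosts: set[str]) -> list[tuple[str, bool]]:
    """Return (uri, allowed) per URI record; only https to an allowlisted host is allowed."""
    results = []
    for rec in parse_ndef(message):
        uri = uri_from_record(rec)
        if uri is None:
            continue
        parsed = urlparse(uri)
        results.append((uri, parsed.scheme == "https" and parsed.hostname in allowed_hosts))
    return results


def build_uri_record(code: int, rest: str, first: bool, last: bool) -> bytes:
    """Build one short-record URI record; used only to construct sample tag data."""
    payload = bytes([code]) + rest.encode("utf-8")
    header = 0x10 | TNF_WELL_KNOWN | (0x80 if first else 0) | (0x40 if last else 0)
    return bytes([header, 1, len(payload)]) + b"U" + payload


# Constructed sample tag: one https URI to a known host, one http URI to a bare IP.
SAMPLE_TAG = (build_uri_record(0x04, "example.org/menu", True, False)
              + build_uri_record(0x03, "192.0.2.1/login", False, True))

if __name__ == "__main__":
    for uri, ok in safe_uris(SAMPLE_TAG, {"example.org"}):
        print(("open" if ok else "BLOCK"), uri)
```

The allowlist check is deliberately placed after parsing and before any action: a reader that opens whatever URI a tag presents is exactly the "unknown tag" risk the list above describes, and a truncated or malformed message is rejected rather than partially trusted.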

In conclusion, understanding the basics of NFC and adhering to security best practices will help ensure that you can safely and effectively use this innovative technology.


Prerequisites To Start Ethical Hacking

Skills required to become an Ethical Hacker or Information Security Analyst.

  1. Computer Networking Skills
  2. General Computing Skills
  3. Linux Knowledge
  4. Programming Knowledge
  5. Database Management Systems (DBMS)
  6. Wireless Technology
  7. Patience (Most important)

Computer Networking Skills

An understanding of networking concepts and protocols such as SSH, FTP and the OSI model, including how a packet travels through the OSI layers.

General Computing Skills

These skills cover one's knowledge of, and ability to perform, basic computing tasks. For example, reporting is one of the most important and critical jobs to perform.

The most commonly required skills are MS Office, email, database management, the web, enterprise systems, etc.

Linux Knowledge

Nowadays most web servers run on the Linux operating system; once you gain access to such a system, Linux knowledge will help you escalate privileges.

Programming Knowledge

You do not need every language; a few common ones such as Python, SQL and C will be quite sufficient to get started. There is no limit as such on which programming languages you can learn.

This knowledge will help you progress further into exploit development.

Database Management Systems

A Database Management System (DBMS) is where data is stored and managed; with the right knowledge, one can penetrate the database, which leads to a data breach.

Wireless Technology

Since Wi-Fi and other forms of wireless connectivity are increasingly common today, the attack surface available to an attacker also grows. So a good knowledge of WEP, WPA, WPA2, etc. will be required.

Patience

There are many times when you will not be able to find any security issue. But remember that you will learn a lot from that.

CCSK Domain 6 – Security Monitoring

1. Cloud Monitoring – Why It’s Hard

Monitoring is more complex in the cloud due to:

A. Management Plane

  • Most critical layer: the console, API and CLI control everything.
  • Must monitor closely because management plane actions = highest risk.

B. High Velocity

  • Cloud changes rapidly → need automation & real-time detection.

C. Distribution & Segregation

  • Resources are spread everywhere.
  • Need centralization of logs for effective monitoring.

D. Cloud Sprawl

  • Multiple CSPs, multiple workloads → complexity increases.

E. Shared Responsibility Model

  • Some monitoring tasks = CSP
  • Some = CSC
  • Varies by service model (IaaS vs PaaS vs SaaS)

2. Logs vs Events

A. Logs

  • Full detailed records (CRUD operations)
  • Stored long-term
  • May have delivery delays

B. Events

  • Only key changes (CUD)
  • Short-lived
  • Faster (seconds) → ideal for rapid response

3. Security Posture Management

Goes beyond logs by analyzing the configuration state of cloud environments.

Includes:

A. Management Plane Logs

  • Console/API/CLI changes
  • Examples: AWS CloudTrail, Azure Audit Logs

B. Service Logs

  • Service-specific (e.g., Load Balancer logs, storage access logs)

C. Resource Logs

  • Show provisioning, config changes, system events
  • VM, DB, SDN logs

4. Cloud-Native Tools (CNAPP Components)

A. CSPM – Cloud Security Posture Management

  • Detects misconfigurations
  • Compliance monitoring
  • Continuous scanning

B. CWPP – Cloud Workload Protection Platform

  • Scans VMs, containers, Kubernetes, serverless for vulnerabilities

C. DSPM – Data Security Posture Management

  • Data discovery, classification
  • Encryption enforcement
  • Detects excessive permissions on data

D. ASPM – Application Security Posture Management

  • Integrates security across SDLC
  • Supports Dev/Sec/Ops collaboration

E. CIEM – Cloud Infrastructure Entitlement Management

  • Manages permissions & least privilege
  • Ideal for controlling identity sprawl

F. CDR – Cloud Detection & Response

  • Detects cloud-specific threats
  • Uses analytics, threat intel, ML

G. SSPM – SaaS Security Posture Management

  • Manages SaaS app configuration & access

5. Critical Events to Monitor

(From CIS AWS Benchmarks)

A. Access Management

  • Unauthorized API calls
  • Console login without MFA
  • IAM policy changes
  • Root account usage
  • Key deletion/scheduling deletion

B. Resource Management

  • S3 bucket policy changes
  • Security group changes
  • NACL changes
  • VPC changes
  • Gateway changes

C. Logging & Monitoring

  • Logging configuration changes
  • Console authentication failures
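The Access Management and Logging items above come from CIS AWS Foundations Benchmark metric filters, and they are concrete enough to run as detection logic. The following is an added example, not part of the CCSK material or any CIS tooling: four of those detections evaluated in plain Python over CloudTrail-style records. The field names used (userIdentity.type, eventName, eventSource, additionalEventData.MFAUsed, errorCode, eventType) are real CloudTrail fields; the sample events are constructed for the example and are not from any real account.

```python
# Added example (not from the CCSK material): CIS AWS Benchmark-style
# detections over constructed CloudTrail records.
from __future__ import annotations
import json

# IAM API calls that the CIS "IAM policy changes" filter watches for.
IAM_POLICY_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}


def unauthorized_api_call(ev: dict) -> bool:
    # CIS filter: errorCode = "*UnauthorizedOperation" or errorCode = "AccessDenied*"
    code = ev.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def console_login_without_mfa(ev: dict) -> bool:
    # CIS filter: eventName = "ConsoleLogin" and additionalEventData.MFAUsed != "Yes"
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def root_account_usage(ev: dict) -> bool:
    # CIS filter: userIdentity.type = "Root", not invoked by a service,
    # and not an AWS-generated service event
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


def iam_policy_change(ev: dict) -> bool:
    # CIS filter: eventSource = iam.amazonaws.com and one of the policy-changing calls
    return (ev.get("eventSource") == "iam.amazonaws.com"
            and ev.get("eventName") in IAM_POLICY_EVENTS)


RULES = {
    "UnauthorizedAPICalls": unauthorized_api_call,
    "ConsoleSigninWithoutMFA": console_login_without_mfa,
    "RootAccountUsage": root_account_usage,
    "IAMPolicyChanges": iam_policy_change,
}


def evaluate(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule_name, eventID) for every rule that fires on every event."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("eventID", "?")))
    return hits


# Constructed sample records in CloudTrail's JSON shape (not real account data).
SAMPLE_TRAIL = json.loads("""[
 {"eventID": "e1", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventID": "e2", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
  "eventSource": "ec2.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "errorCode": "Client.UnauthorizedOperation"},
 {"eventID": "e3", "eventName": "CreateUser", "eventType": "AwsApiCall",
  "userIdentity": {"type": "Root"}},
 {"eventID": "e4", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
  "userIdentity": {"type": "IAMUser", "userName": "carol"},
  "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventID": "e5", "eventName": "AttachUserPolicy", "eventType": "AwsApiCall",
  "eventSource": "iam.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "userName": "dave"}}
]""")

if __name__ == "__main__":
    for rule, event_id in evaluate(SAMPLE_TRAIL):
        print(f"{rule:24s} {event_id}")
```

This is the "logs" side of the Logs vs Events distinction in section 2: CloudTrail records arrive with a delay, so the same rules are normally wired to near-real-time event delivery for the rapid-response path and to the stored trail for audit and retrospective hunting.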

6. Cloud Telemetry Sources

Telemetry includes:

  • Management plane logs
  • Service logs
  • Resource logs
  • Network logs
  • Application telemetry
  • Performance metrics

Purpose: Visibility, detection, response, audit, compliance

7. Log Collection Architectures

A. Challenges

  • Storage cost
  • Export/egress cost
  • CSP retention limits
  • Need integration into SIEM

B. Solutions

  • Option 1: Keep logs in CSP
    • Cheaper
    • But limited analytics
    • Harder to correlate with on-prem logs
  • Option 2: Export logs
    • Enables better SIEM correlation
    • Expensive due to egress + storage

8. Cascading Log Architecture

A hierarchical log management model where:

  • Dev / Test / Prod send logs → Centralized Log System
  • Central system sends relevant logs → Security/Audit Account
  • Then forwarded into SIEM

Benefits:

  • Centralization
  • Segregation of environments
  • Better visibility and incident response

9. AI for Security Monitoring

AI/ML enhances:

A. Anomaly Detection

  • Behavioral analysis
  • Detects unusual patterns quickly

B. Threat Intelligence/Hunting

  • Correlates huge data volumes
  • Identifies emerging threats

C. Automated Response

  • Faster containment
  • Reduced human workload

D. Analyst Assistance

  • Enrich logs
  • Patch vulnerabilities
  • Simulate attacks
  • Reduce alert fatigue

Flashcards: https://quizlet.com/in/1108708280/ccsk-domain-6-security-monitoring-flash-cards/?i=4jehw4&x=1qqt

CCSK Domain 5 — Identity & Access Management

Why IAM Matters in Cloud

IAM is the new perimeter in cloud security.

Most cloud breaches happen due to misconfigured IAM (too much access or weak authentication).

How IAM Differs in Cloud

  • Spans multiple organizations: users access many cloud services, so trust must extend across organizations.
  • Different IAM models per CSP: AWS IAM ≠ Azure AD ≠ GCP IAM, which adds complexity.
  • Unified cloud consoles exposed to the internet: makes misconfiguration dangerous.

Result: Identity Federation becomes necessary and privileged access must be tightly controlled.

Key IAM Terms

  • Identity: who the entity is (attributes).
  • Authentication: proving the identity (password, OTP, biometric).
  • Authorization: what the identity is allowed to do.
  • Entitlements: mapping identities to permissions.
  • Role: a set of permissions based on job or function.
  • Entity: a user, service, device or app accessing the system.
  • Persona: categorizing user types in order to assign roles.

Access Control Models

  • RBAC (Role-Based): access is based on job roles. Good for standard enterprise use.
  • ABAC (Attribute-Based): access depends on attributes of the user, device, resource and context. Good for dynamic, zero-trust environments.
  • PBAC (Policy-Based): access decisions are defined in machine-readable policies. Good for large-scale cloud environments.

Exam Trick: PBAC enforces RBAC and ABAC via policies.
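To make the exam trick concrete: a policy engine does not care whether a rule keys on a role or on attributes, so RBAC and ABAC both become policies in the same format. The following is an added example, not from the CCSK material and not any real product's policy language: a small deny-overrides PBAC evaluator with one RBAC policy, one ABAC policy that uses resource tags (as the Authorization section below recommends), and one explicit deny. The policy format, the attribute names and the sample requests are all constructed for the example.

```python
# Added example (not from the CCSK material): a toy policy-based access
# control engine that expresses RBAC and ABAC rules as policies.
from __future__ import annotations
from typing import Any

# Each policy: effect, the actions it covers, and a set of conditions keyed by
# a dotted path into the request ("subject.role", "resource.tag.team", ...).
# A condition value of "$subject.team" means "equal to that attribute of the
# subject", which is how an ABAC rule compares subject and resource attributes.
POLICIES = [
    # RBAC: anyone holding the 'auditor' role may read any resource.
    {"id": "rbac-auditor-read", "effect": "allow", "actions": {"read"},
     "when": {"subject.role": "auditor"}},
    # ABAC: engineers may write only to resources tagged with their own team,
    # and only from an MFA-authenticated session.
    {"id": "abac-team-write", "effect": "allow", "actions": {"write"},
     "when": {"subject.role": "engineer",
              "resource.tag.team": "$subject.team",
              "context.mfa": True}},
    # Explicit deny: no writes or deletes to prod from an untrusted device.
    {"id": "deny-prod-from-untrusted-device", "effect": "deny",
     "actions": {"write", "delete"},
     "when": {"resource.tag.env": "prod", "context.device_trusted": False}},
]


def lookup(request: dict, path: str) -> Any:
    """Resolve a dotted path in the request; None when any segment is missing."""
    node: Any = request
    for part in path.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def condition_holds(request: dict, path: str, expected: Any) -> bool:
    actual = lookup(request, path)
    if isinstance(expected, str) and expected.startswith("$"):
        expected = lookup(request, expected[1:])   # compare against another attribute
    return actual is not None and actual == expected


def decide(request: dict) -> tuple[str, str | None]:
    """Deny-overrides: any matching deny wins; else the first matching allow; else default deny."""
    action = request["action"]
    matched_allow = None
    for pol in POLICIES:
        if action not in pol["actions"]:
            continue
        if all(condition_holds(request, p, v) for p, v in pol["when"].items()):
            if pol["effect"] == "deny":
                return "deny", pol["id"]
            matched_allow = matched_allow or pol["id"]
    return ("allow", matched_allow) if matched_allow else ("deny", None)


# Constructed sample requests.
REQ_AUDITOR_READ = {"action": "read", "subject": {"role": "auditor"},
                    "resource": {"tag": {"team": "payments", "env": "prod"}},
                    "context": {"mfa": True, "device_trusted": True}}
REQ_OWN_TEAM_WRITE = {"action": "write", "subject": {"role": "engineer", "team": "payments"},
                      "resource": {"tag": {"team": "payments", "env": "dev"}},
                      "context": {"mfa": True, "device_trusted": True}}
REQ_OTHER_TEAM_WRITE = {"action": "write", "subject": {"role": "engineer", "team": "payments"},
                        "resource": {"tag": {"team": "platform", "env": "dev"}},
                        "context": {"mfa": True, "device_trusted": True}}
REQ_PROD_UNTRUSTED = {"action": "write", "subject": {"role": "engineer", "team": "payments"},
                      "resource": {"tag": {"team": "payments", "env": "prod"}},
                      "context": {"mfa": True, "device_trusted": False}}

if __name__ == "__main__":
    for name, req in [("auditor read", REQ_AUDITOR_READ), ("own team write", REQ_OWN_TEAM_WRITE),
                      ("other team write", REQ_OTHER_TEAM_WRITE), ("prod, untrusted device", REQ_PROD_UNTRUSTED)]:
        print(f"{name:24s} -> {decide(req)}")
```

Two design points matter for real deployments as much as for the toy: a missing attribute never satisfies a condition (so an unlabeled resource is not accidentally writable), and deny statements are evaluated before any allow is honoured.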

Identity Federation & SSO

Allows users to log in once and access multiple services.

  • IdP (Identity Provider): authenticates the user (e.g., Azure AD, Okta).
  • Relying Party / Service Provider: accepts the user's identity from the IdP (e.g., Salesforce).
  • Assertion: the identity information the IdP sends to the RP.

Common Federation Protocols

  • SAML: enterprise SSO. XML-based, mainly for browser-based web apps.
  • OAuth 2.0: authorization for APIs. Does not authenticate identity.
  • OIDC: authentication layered on top of OAuth. Common for modern cloud and mobile apps.

Exam Tip:

  • OAuth = Authorization
  • OIDC = Authentication
  • SAML = Enterprise Web SSO

Identity Architecture Approaches

  • Hub-and-Spoke: a central broker connects to all services. Pros: strong governance. Cons: needs a central IdP setup.
  • Free-form: direct connections from the internal directory to each cloud service. Pros: simple initially. Cons: hard to scale, weak governance.

Authentication (MFA is Mandatory in Cloud)

Types of MFA:

  • Hard token (strongest): hardware security key (e.g., YubiKey).
  • Soft token / TOTP app (strong): Google Authenticator, Authy.
  • SMS OTP (weak): vulnerable to SIM swap.
  • Biometrics (medium): depends on device security.

Passwordless: FIDO / Passkeys → resistant to phishing

BUT: Not recommended for cloud admin accounts.

Authorization & Entitlements in Cloud

  • Use least privilege
  • Grant just-in-time (JIT) access for admins
  • Review roles and privileges regularly
  • Use resource tagging to enable ABAC

Privileged Identity & Access Management (PIM & PAM)

  • PIM: manages who is a privileged user.
  • PAM: controls how they access systems.

Key Features:

  • MFA required
  • Session recording
  • Credential vaulting
  • Temporary admin privileges (no permanent admin accounts)

Golden Exam Takeaways

  • Identity is the new security boundary in cloud.
  • SSO + Federation reduce credential sprawl.
  • Always use MFA for cloud access.
  • Prefer PBAC + ABAC for cloud scalability.
  • Use PIM/PAM to control high-privilege accounts.
  • Avoid overly broad IAM policies (e.g., “*:*”).
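The last takeaway is easy to check mechanically before a policy is attached. The following is an added example, not from the CCSK material or any AWS tool: a linter over AWS IAM policy documents that flags Allow statements granting `*` or `service:*` on `Resource: "*"`, plus a couple of related patterns (NotAction/NotResource inversions and unrestricted iam:PassRole). The document format (Version, Statement, Effect, Action, Resource) is AWS's real JSON policy grammar; the sample policies are constructed for the example.

```python
# Added example (not from the CCSK material): flag overly broad IAM policy
# statements before they are attached to a principal.
from __future__ import annotations
import json


def _as_list(value) -> list:
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(document: dict) -> list[str]:
    """Return one finding per statement that is broader than least privilege."""
    findings = []
    for idx, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue   # broad Deny statements only remove access
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        full_admin = "*" in actions
        service_wild = [a for a in actions if a.endswith(":*")]
        all_resources = "*" in resources
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants everything not listed; review carefully")
        if full_admin and all_resources:
            findings.append(f"{sid}: Action '*' on Resource '*' is full administrative access")
        elif full_admin:
            findings.append(f"{sid}: Action '*' allows every API on the listed resources")
        elif service_wild and all_resources:
            findings.append(f"{sid}: {', '.join(service_wild)} on Resource '*' grants a whole service account-wide")
        if "iam:PassRole" in actions and all_resources:
            findings.append(f"{sid}: iam:PassRole on Resource '*' lets the principal hand any role to a service")
    return findings


# Constructed sample policies.
OVERLY_BROAD = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
  {"Sid": "AllS3", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]}""")

LEAST_PRIVILEGE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "ReadOneBucket", "Effect": "Allow",
   "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}""")

if __name__ == "__main__":
    for name, doc in [("overly broad", OVERLY_BROAD), ("least privilege", LEAST_PRIVILEGE)]:
        print(name, "->", lint_policy(doc) or ["no findings"])
```

A check like this belongs in the pipeline that creates roles and policies (the "review roles and privileges regularly" item above), so that a `*:*` grant is caught at authoring time rather than found later by CIEM tooling.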

Flashcards for practice: https://quizlet.com/in/1108708277/ccsk-domain-5-iam-flash-cards/?i=4jehw4&x=1jqt

October 2025: Major Data Breaches and Cyber Attacks

Apple now offers $2 million for zero-click RCE vulnerabilities

Apple is announcing a major expansion and redesign of its bug bounty program, doubling maximum payouts, adding new research categories, and introducing a more transparent reward structure.

Since the program launched in 2020, Apple has awarded $35 million to 800 security researchers, with the company paying $500,000 for some of the submitted reports.

The highest reward has been doubled to $2 million, for reporting vulnerabilities that can lead to zero-click (no user interaction) remote compromise, similar to mercenary spyware attacks. However, payouts can go as high as $5 million through the bonus system.

The tech giant expects that the increased awards will have an additional impact on the development of sophisticated attack chains from spyware vendors, as researchers will be more incentivized to find and report security issues.

Over 266,000 F5 BIG-IP instances exposed to remote attacks

Internet security nonprofit Shadowserver Foundation has found more than 266,000 F5 BIG-IP instances exposed online after the security breach disclosed by cybersecurity company F5 this week.

The company revealed on Wednesday that nation-state hackers breached its network and stole source code and information on undisclosed BIG-IP security flaws, but found no evidence that the attackers had leaked or exploited the undisclosed vulnerabilities in attacks.

The same day, F5 also issued patches to address 44 vulnerabilities (including the ones stolen in the cyberattack) and urged customers to update their devices as soon as possible.

Compromised F5 BIG-IP appliances can also allow threat actors to steal credentials and Application Programming Interface (API) keys, move laterally within targets’ networks, and establish persistence.

F5 is a Fortune 500 tech giant that provides cybersecurity, application delivery networking (ADN), and services to over 23,000 customers worldwide, including 48 of the Fortune 50 companies.

Auction giant Sotheby’s says data breach exposed financial information

Major international auction house Sotheby’s is notifying individuals of a data breach incident on its systems where threat actors stole sensitive information, including financial details.

The hack was detected on July 24, and the investigation took two months to determine the type of data stolen and the individuals impacted as a result.

Sotheby’s is a leading global auction house for fine art and high-value items, as well as an asset-backed lending services provider.

“Sotheby’s discovered a cybersecurity incident that may have involved certain employee information. Upon discovery of the incident, we immediately launched an investigation in cooperation with leading data protection and response experts and law enforcement. The company is notifying all impacted individuals appropriately in line with our requirements. We take the security of company and individual information very seriously and continue to work diligently to protect our systems and data.” – a Sotheby’s spokesperson

American Airlines Subsidiary Envoy Compromised in Oracle Hacking Campaign

A new campaign has emerged that weaponizes Microsoft’s familiar branding to lure unsuspecting users into a sophisticated tech support scam.

Victims receive a seemingly legitimate email, complete with Microsoft’s official logo, claiming there is an important financial transaction or security alert requiring immediate attention.

The message prompts recipients to click a link under the guise of confirming identity or resolving an urgent issue.

Cofense analysts noted that the threat actors have refined their social engineering tactics by combining payment lures with deceptive UI overlays to maximize impact.

Upon clicking the link, users are redirected through a faux CAPTCHA challenge designed to mimic a trusted verification process.

EY Data Leak – Massive 4TB SQL Server Backup Exposed Publicly on Microsoft Azure

Cybersecurity firm Neo Security discovered a 4TB SQL Server backup belonging to accounting giant Ernst & Young (EY) publicly accessible on Microsoft Azure during a routine scan.

Neo Security’s lead researcher identified a 4TB publicly exposed file during passive network analysis. The file’s .BAK extension indicated a full SQL Server database backup, likely containing sensitive data such as schemas, user information, API keys, credentials, and authentication tokens.

“Neo Security’s lead researcher discovered the file while examining passive network traffic with low-level tools. A simple HEAD request designed to retrieve metadata without downloading content revealed a massive size: 4 terabytes of data, which is equivalent to millions of documents or the contents of an entire library.”

Advertising giant Dentsu reports data breach at subsidiary Merkle

A sophisticated rootkit targeting GNU/Linux systems has emerged, leveraging advanced eBPF (extended Berkeley Packet Filter) technology to conceal malicious activities and evade traditional monitoring tools.

The threat, known as LinkPro, was discovered during a digital forensic investigation of a compromised AWS-hosted infrastructure, where it functioned as a stealthy backdoor with capabilities ranging from process hiding to remote activation via magic packets.

The infection chain began with a vulnerable Jenkins server (CVE-2024-23897) exposed to the internet.

Threat actors deployed a malicious Docker image named kvlnt/vv across several Amazon EKS Kubernetes clusters, containing a VPN proxy tool, a downloader malware called vGet, and the LinkPro rootkit.

The Docker configuration allowed full filesystem access with root privileges, enabling container escape and credential harvesting from other pods.

Beer Maker Asahi Shuts Down Production Due to Cyberattack

Japanese beer and beverage giant Asahi Group Holdings has been forced to halt production at its domestic factories as a result of a cyberattack that struck on Monday.

Asahi, known for its popular brands such as Asahi Super Dry Beer, Nikka Whisky, and Mitsuya Cider, has yet to resume operations across its network of 30 plants in Japan.

The company revealed it is still assessing whether all factories have completely stopped production.

A company spokesperson explained on Tuesday that production remains offline, and there is currently no clear estimate for when operations will be restored.

This interruption follows a system outage caused by the cyberattack, which impacted not only production but also critical business functions including order processing, shipping, and call center operations within Asahi’s group companies in Japan.

Despite the extensive disruption, Asahi confirmed that so far there has been no evidence that personal information was leaked as a result of the incident.

The company is continuing to investigate the full scope of the attack and the level of damage to its operations.

Volkswagen Allegedly Hacked in Ransomware Attack as 8Base Claims Data Leak

Volkswagen Group is investigating claims from the 8Base ransomware group, which asserts it has stolen sensitive company data.

While the German automaker has stated that its core IT systems are secure, its response leaves open the possibility of a breach through a third-party supplier, raising concerns about the full extent of the incident.

In response to the allegations, a spokesperson for Volkswagen confirmed the company was aware of the “incident.” However, they emphasized that there was no impact on Volkswagen’s primary IT infrastructure.

This statement suggests that the point of entry may have been a connected entity, such as a supplier, partner, or subsidiary.

With 153 production plants globally and renowned brands including Audi, Porsche, and Lamborghini under its umbrella, any data exposure represents a significant risk. The company has not confirmed if any customer data was compromised during the incident.

Under the EU’s General Data Protection Regulation (GDPR), a substantiated breach could lead to substantial fines.

Capita Fined £14 Million After Data Breach Exposes 6.6 Million Users

The UK’s Information Commissioner’s Office has imposed a £14 million penalty on Capita following a major cyber attack in March 2023 that exposed the personal information of 6.6 million people.

The fine was split between Capita plc, which received £8 million, and its subsidiary Capita Pension Solutions Limited, which was fined £6 million.

The breach compromised sensitive data belonging to millions of people, including pension records, staff information, and customer details from over 600 organisations that Capita supports.

For many victims, the stolen information included financial data, criminal records, and other sensitive personal details.

The attack particularly affected pension scheme providers, with 325 organisations experiencing data exposure through Capita Pension Solutions Limited.

KFC Venezuela Suffers Alleged Data Breach Exposing 1 Million Customer Records

A threat actor is claiming responsibility for a data breach at KFC’s Venezuela operations, offering for sale a database containing the personal and order information of more than one million customers.

The sale was advertised on a dark web forum on October 8, 2025, where the seller posted a 405 MB CSV file containing exactly 1,067,291 rows of data.

If genuine, this large-scale compromise could put affected customers at serious risk of fraud and identity theft.

According to the threat actor’s forum post, the breached database includes personally identifiable information such as full names, phone numbers, and email addresses.

Complete delivery addresses are also part of the leak. In addition to contact details, the file contains payment method data, exchange rate information used in transactions, and full records of ordered items with quantities and unit prices.

The combination of personal and financial details could enable highly targeted phishing campaigns and sophisticated scams that leverage order history and genuine customer information to convince victims to share even more sensitive data.

Discord Data Breach Exposes 1.5 TB of Data and 2 Million Government ID Photos

The popular communication platform Discord is confronting a major extortion attempt after cybercriminals breached one of its third-party customer service providers, compromising sensitive user data including government identification photos used for age verification.

Threat actors claim to have exfiltrated 1.5 terabytes of sensitive information, including over 2.1 million government-issued identification photos.

However, Discord disputes these figures, stating that approximately 70,000 users had their ID photos exposed during the September 20, 2025 incident.

The breach did not directly target Discord’s infrastructure but instead compromised customer support systems managed by Zendesk, a third-party vendor.

Attackers gained unauthorized access for 58 hours by compromising the account of a support agent employed by an outsourced business process provider.

The notorious cybercrime group Scattered Lapsus$ Hunters (SLH) has claimed responsibility for the attack, publicly taunting Discord while demanding ransom payment.

The stolen information primarily affects users who previously contacted Discord’s Customer Support or Trust & Safety teams.

Compromised data includes user names, Discord usernames, email addresses, and limited billing information such as payment methods and the last four digits of credit card numbers. Additionally, customer service message exchanges and user IP addresses were exposed.

The most concerning aspect involves the theft of government identification images, including driver’s licenses and passports, submitted by users appealing age-related account restrictions.

While attackers claim to possess 2,185,151 ID photos affecting 5.5 million users across 8.4 million support tickets, Discord maintains these figures are inflated as part of the extortion scheme.

Discord has refused to pay the demanded ransom and immediately terminated its partnership with the compromised vendor upon discovering the breach.

BK Technologies Data Breach, IT Systems Compromised, Data Stolen

BK Technologies Corporation, a Florida-based communications equipment manufacturer, disclosed a significant cybersecurity incident that compromised its IT systems and potentially exposed employee data.

The company filed an SEC Form 8-K on October 6, 2025, revealing that attackers gained unauthorized access to sensitive information in late September.

The cyberattack was first detected on September 20, 2025, when BK Technologies identified suspicious activity within its information technology infrastructure.

Upon discovery, the company immediately launched containment procedures, isolating affected systems and engaging external cybersecurity experts to investigate the incident.

The Nevada-based corporation, which trades on NYSE American under ticker symbol BKTI, acted swiftly to prevent further unauthorized access and began comprehensive remediation efforts.

The investigation revealed that an unauthorized third party successfully infiltrated the company’s network and acquired access to non-public information.

Massive Tata Motors Data Leak Exposes 70+ TB of Sensitive Information

Tata Motors, India’s largest automaker and a major player in the global automotive industry, suffered a catastrophic data exposure that revealed over 70 terabytes of sensitive information through multiple security failures.

The breaches, discovered in 2023, involved exposed AWS credentials on public-facing websites, encrypted keys that were easily decrypted, a Tableau backdoor with zero authentication requirements, and an unprotected API key from fleet management systems.

Each vulnerability independently posed serious risks, but together they created a perfect storm that could have allowed attackers to access customer databases, financial records, invoice data, fleet information spanning decades, and critical administrative systems.

The first critical vulnerability emerged from E-Dukaan, Tata Motors’ spare parts e-commerce platform. Security researchers discovered plaintext AWS access keys hardcoded directly in the website’s source code.

The security issues were reported to Tata Motors through India’s Computer Emergency Response Team (CERT-IN) on August 8, 2023, but remediation proved frustratingly slow.

While Tata Motors acknowledged receipt and claimed remediation by September 1, follow-up verification revealed that only 2 out of 4 issues had been addressed and AWS keys remained active on both websites.

It took until January 2024 for the company to fully revoke the exposed credentials after months of back-and-forth communication clarifying specific remediation steps.

These vulnerabilities demonstrated that even major international corporations can succumb to fundamental security mistakes like hardcoding credentials, using pointless client-side encryption, and implementing authentication systems with serious logical flaws.

For customers purchasing vehicles from Tata Motors, these breaches raised serious questions about data protection standards at major automotive organizations.

Hyundai AutoEver Confirms Data Breach Exposing Personal Data, Including SSNs and License Info


Network Terminology

Virtual Local Area Network (VLAN)

A VLAN, or Virtual Local Area Network, is a logical segmentation of a physical network allowing multiple groups of devices to be separated into distinct broadcast domains even if they share the same physical infrastructure.

In simple words, imagine you have a big school with lots of classrooms and many kids.

Now, sometimes teachers want kids from different classes not to mix up — for example, one class might be learning math and another is learning art.

But all the classrooms are still in the same school building — they just need to stay separate so things don’t get messy.

How VLANs Work

  • VLANs are implemented in network switches through VLAN tagging so that only devices with the same VLAN tag can interact directly.
  • Network administrators can partition a single switched network into multiple, isolated virtual networks based on roles, functions, or other requirements.
  • Access and traffic controls are managed using configured VLAN IDs—devices in different VLANs cannot communicate unless routes are explicitly created.

Demilitarized Zone

A DMZ (Demilitarized Zone) in computer networks is a small, separate area that sits between your private network and the public internet.

It’s used to add extra security — letting outsiders access certain public services (like a website, email, or game server) without giving them access to your private internal network.

Imagine you have a house (that’s your computer network). Inside your house, you have your family — these are your private computers and data that you want to keep safe.

Outside, there’s the big scary world (the internet) where strangers live.

Now, you don’t want strangers walking straight into your house, right? But sometimes, you do want to talk to them safely, like when you order pizza.

So, you make a fenced yard in front of your house — a safe middle area where guests can come, but they can’t go inside your home.

That fenced yard is called a DMZ (Demilitarized Zone) in computer terms.

Address Resolution Protocol (ARP)

Address Resolution Protocol (ARP) is a crucial mechanism used in networking that allows the Internet Protocol (IP) to map an IP address to a corresponding physical address, commonly known as a Media Access Control (MAC) address. This protocol is essential for enabling devices within a Local Area Network (LAN) to communicate by translating IP addresses into specific hardware addresses.

Imagine you’re at a big birthday party 🎉 with lots of kids. Everyone has a name (like Aayush, Riya, Sam) — but no one knows where anyone is sitting.

Now, you want to give a balloon to Riya. You know her name, but not where she’s sitting. So you shout:

“Hey! Who is Riya? Where are you?”

Then Riya raises her hand and says,

“I’m Riya! I’m sitting here!”

Now you know where to go and give her the balloon.
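The request/reply exchange from the balloon story in actual packet form, as an added example that is not part of the original page. It encodes and decodes the 28-byte ARP payload and keeps a small cache on each host; because ARP carries no authentication, the host also logs any reply that changes an address it already knew. MAC addresses and IPs are constructed.

```python
"""Added example (not from the original page): encode/decode ARP requests and replies
and keep a per-host IP -> MAC cache. Addresses are constructed for the example."""
import struct
from ipaddress import IPv4Address

HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
MAC_ZERO = b"\x00" * 6


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """28-byte ARP payload (RFC 826 layout) as carried inside an Ethernet frame."""
    header = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    return (header + sender_mac + IPv4Address(sender_ip).packed
            + target_mac + IPv4Address(target_ip).packed)


def parse_arp(pkt):
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP packet")
    return {"op": op,
            "sender_mac": pkt[8:14], "sender_ip": str(IPv4Address(pkt[14:18])),
            "target_mac": pkt[18:24], "target_ip": str(IPv4Address(pkt[24:28]))}


class Host:
    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.cache = {}      # ip -> mac, learned from ARP traffic
        self.alerts = []     # (ip, old_mac, new_mac) when a known mapping changes

    def ask(self, ip):
        """'Who is <ip>?' The target MAC is all zeros because it is not known yet;
        on the wire this is sent to the broadcast address so everyone hears it."""
        return build_arp(OP_REQUEST, self.mac, self.ip, MAC_ZERO, ip)

    def receive(self, pkt):
        """Process one ARP packet; return a reply to send, or None."""
        a = parse_arp(pkt)
        if a["op"] == OP_REQUEST and a["target_ip"] == self.ip:
            self.cache[a["sender_ip"]] = a["sender_mac"]   # remember who asked
            return build_arp(OP_REPLY, self.mac, self.ip, a["sender_mac"], a["sender_ip"])
        if a["op"] == OP_REPLY and a["target_mac"] == self.mac:
            old = self.cache.get(a["sender_ip"])
            if old is not None and old != a["sender_mac"]:
                # ARP has no authentication, so a changed mapping is worth logging.
                self.alerts.append((a["sender_ip"], old, a["sender_mac"]))
            self.cache[a["sender_ip"]] = a["sender_mac"]
        return None
```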

Dynamic Host Configuration Protocol (DHCP)

The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used to automatically assign IP addresses and other network configuration details, such as subnet masks, default gateways, and DNS servers, to devices on a network. When a device, such as a computer or smartphone, connects to a network, it sends a request to the DHCP server, which then dynamically assigns an available IP address from a defined range and provides the necessary configuration information. This process simplifies network management by eliminating the need for manual IP address assignment and reduces the risk of IP conflicts, ensuring that devices can seamlessly join the network and communicate with other devices and services.

Imagine you walk into a big party with lots of chairs. But you don’t know which chair is yours. So, there’s a friendly helper at the door (that’s the DHCP server) who says:

“Hey! Welcome! Here’s your chair — number 12. Sit there and enjoy!”

In computers, when your phone, laptop, or tablet joins a Wi-Fi network, it also needs a “chair” — that’s an IP address (a special number that helps it talk to other devices).

So the Dynamic Host Configuration Protocol (DHCP) is like that friendly helper who:

  1. Gives each device its own IP address automatically.
  2. Keeps track of who got which address.
  3. Takes back the address when the device leaves, so someone else can use it later.

In short:

DHCP is a system that helps devices join the network easily by giving them their “seat number” — their IP address — without you having to do anything!
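The three jobs listed above (hand out an address, remember who has it, take it back) as a small lease-pool simulation, added here as an example rather than code from the original page. The network, address range and lease times are constructed, and the DISCOVER/OFFER/REQUEST/ACK exchange is collapsed into one call.

```python
"""Added example (not from the original page): a toy DHCP server that allocates
addresses from a range, records leases per client MAC, and reclaims addresses on
release or expiry. Network values are constructed for the example."""
from ipaddress import IPv4Address, IPv4Network


class DhcpServer:
    def __init__(self, network, first, last, gateway, dns, lease_seconds=3600):
        self.net = IPv4Network(network)
        lo, hi = IPv4Address(first), IPv4Address(last)
        if lo not in self.net or hi not in self.net or lo > hi:
            raise ValueError("address range must lie inside the network")
        self.free = [IPv4Address(i) for i in range(int(lo), int(hi) + 1)]
        self.leases = {}          # client mac -> (ip, expires_at)
        self.gateway, self.dns, self.lease_seconds = gateway, list(dns), lease_seconds

    def _config(self, ip, now):
        """The 'seat number' plus the other settings a client needs."""
        return {"ip": str(ip), "subnet_mask": str(self.net.netmask), "gateway": self.gateway,
                "dns": list(self.dns), "lease_expires": now + self.lease_seconds}

    def discover(self, mac, now):
        """Job 1: give the client an address (or renew the one it already holds).
        Returns None when the pool is exhausted."""
        self.expire(now)
        if mac in self.leases:                  # renewing: keep the same address
            ip, _ = self.leases[mac]
        elif self.free:
            ip = self.free.pop(0)
        else:
            return None
        self.leases[mac] = (ip, now + self.lease_seconds)   # job 2: track who holds what
        return self._config(ip, now)

    def release(self, mac):
        """Job 3: the client leaves, so its address goes back into the pool."""
        ip, _ = self.leases.pop(mac, (None, None))
        if ip is not None:
            self.free.append(ip)
        return ip

    def expire(self, now):
        """Also job 3: reclaim leases whose time ran out without an explicit release."""
        for mac, (_, until) in list(self.leases.items()):
            if until <= now:
                self.release(mac)
```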

Domain Name System (DNS)

The Domain Name System (DNS) is a fundamental protocol of the internet that translates human-readable domain names, like www.example.com, into IP addresses, such as 192.0.2.1, which are used by computers to locate and communicate with each other. Essentially, DNS acts as the internet’s phonebook, enabling users to access websites and services without needing to memorize numerical IP addresses. When a user types a domain name into a browser, a DNS query is sent to a DNS server, which then resolves the domain into its corresponding IP address, allowing the browser to connect to the appropriate server. DNS is crucial for the functionality of the internet, as it underpins virtually all online activities by ensuring that requests are routed to the correct destinations.

Network Address Translation (NAT)

Network Address Translation (NAT) is a method used to modify IP address information in packet headers while they are in transit across a network. NAT allows multiple devices on a private network to share a single public IP address for accessing external resources, helping conserve the limited number of available public IP addresses. It also hides internal IP addresses from the public internet, which reduces exposure of the internal layout, although NAT is not a substitute for a firewall.
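A port-based NAT (NAPT) table in miniature, added here as an example and not code from the original page. Two private hosts share one public address; outbound packets are rewritten to the public address and a fresh port, and inbound packets are only translated back when they match an existing mapping, which is why unsolicited traffic from the internet never reaches the private hosts. All addresses and ports are constructed.

```python
"""Added example (not from the original page): a minimal port-based NAT table.
Addresses and ports are constructed; packets are plain dicts of header fields."""
import itertools


class Nat:
    """Many private (ip, port) pairs share one public IP, told apart by the public port."""

    def __init__(self, public_ip, first_port=40000, last_port=65535):
        self.public_ip = public_ip
        self.last_port = last_port
        self.next_port = itertools.count(first_port)
        self.out_map = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public_port
        self.in_map = {}    # public_port -> (priv_ip, priv_port, dst_ip, dst_port)

    def outbound(self, pkt):
        """Rewrite a packet leaving the private network, creating a mapping on first use."""
        key = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        port = self.out_map.get(key)
        if port is None:
            port = next(self.next_port)
            if port > self.last_port:
                raise RuntimeError("NAT port range exhausted")
            self.out_map[key] = port
            self.in_map[port] = key
        return {**pkt, "src_ip": self.public_ip, "src_port": port}

    def inbound(self, pkt):
        """Rewrite a packet arriving at the public address. Returns None (drop) when no
        mapping exists or the sender is not the peer the mapping was created for."""
        key = self.in_map.get(pkt["dst_port"])
        if key is None or (pkt["src_ip"], pkt["src_port"]) != (key[2], key[3]):
            return None
        return {**pkt, "dst_ip": key[0], "dst_port": key[1]}
```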

CCSK Domain 4 Notes: Organization Management

Introduction

  • Purpose: Manage and secure the entire cloud footprint (multi-cloud, hybrid, and SaaS).
  • Cloud sprawl (growth through mergers, acquisitions, etc.) creates management complexity.
  • Goals:
      • Manage organization-level security.
      • Use hierarchy for structured deployment control.
      • Understand hybrid & multi-cloud management.

Organization Hierarchy Models

Key Terms:

| Level        | AWS                      | Azure            | GCP          |
|--------------|--------------------------|------------------|--------------|
| Organization | Organization             | Tenant           | Organization |
| Group        | Organizational Unit (OU) | Management Group | Folder       |
| Deployment   | Account                  | Subscription     | Project      |

  • Organization: Top-level structure in CSP.
  • Group: Collection of deployments (logical isolation).
  • Deployment: Individual, isolated environment.

Benefits: Segmentation, reduced “blast radius,” logical separation, and compliance alignment.

Key Capabilities in Cloud Hierarchy

All major CSPs offer:

  1. Groups → Create isolation hierarchy.
  2. Policies → Define what services or APIs are allowed/blocked.
  3. Centralized IAM → Federated identity management across deployments.
  4. Shared Security Services → Central logging, monitoring, and governance.

Landing Zone / Account Factory:

  • Automates account setup with pre-configured security, compliance, and governance controls.
  • Ensures consistency across multiple deployments.

Building Hierarchies (Three Models)

| Model                     | Description                      | Strength                        |
|---------------------------|----------------------------------|---------------------------------|
| Business Unit & App-Based | BU → App → Env                   | Aligns IAM with org units       |
| Environment-Based         | Env (Prod, Dev, Test) → BU → App | Simplifies policy mgmt          |
| Geography-Based           | Region → BU → Env                | Meets regional compliance needs |

Hybrid approach often works best — mix based on organization needs.

Organization-Level Security

Goal: Control cloud footprint & maintain acceptable risk without hindering agility.

Identity Management

  • Minimize root access.
  • Restrict who can create deployments.
  • Use landing zones/account factories for consistent setup.

Policy Scopes

  1. Organization-wide: Affects all deployments (rarely used due to broad scope).
  2. Group-level: Commonly used; cumulative & restrictive.
  3. Deployment-level: For specific, fine-grained needs.

Policy Use Cases

  • Enable/disable unapproved services.
  • Block risky API calls.
  • Restrict regions for compliance.
  • Enforce IP-based access controls.
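A toy evaluator for the policy scopes and use cases above, added here as an example; it is not from the CCSK notes and does not use any CSP's real policy syntax. It shows what "cumulative & restrictive" means in practice: a request must pass the organization, every group on the path and the deployment, and a lower level can only remove permissions, never restore something a higher level blocked. The hierarchy, action names and regions are constructed.

```python
"""Added example (not from the CCSK notes or any CSP's policy language): evaluate a
request against restrictive policies attached to organization, group and deployment.
Hierarchy, action names and regions are constructed for the example."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Policy:
    denied_actions: tuple = ()                   # glob patterns such as "compute:*"
    allowed_regions: Optional[frozenset] = None  # None = no region restriction at this level


@dataclass
class Node:
    name: str
    policy: Policy = field(default_factory=Policy)
    parent: Optional["Node"] = None


def path_to_root(node):
    """Organization first, deployment last."""
    chain = []
    while node is not None:
        chain.append(node)
        node = node.parent
    return chain[::-1]


def is_allowed(deployment, action, region):
    """Return (allowed, reason). The first level that objects wins; nothing below it
    can grant the request back."""
    for node in path_to_root(deployment):
        pol = node.policy
        if any(fnmatchcase(action, pat) for pat in pol.denied_actions):
            return False, f"{action} denied at {node.name}"
        if pol.allowed_regions is not None and region not in pol.allowed_regions:
            return False, f"region {region} not permitted at {node.name}"
    return True, "allowed"


# Constructed hierarchy: the org blocks a risky API everywhere, the "prod" group pins
# its deployments to EU regions, and one deployment additionally blocks compute.
ORG = Node("org", Policy(denied_actions=("storage:MakePublic",)))
PROD = Node("prod", Policy(allowed_regions=frozenset({"eu-west-1", "eu-central-1"})), parent=ORG)
PAYMENTS = Node("payments-prod", Policy(denied_actions=("compute:*",)), parent=PROD)
SANDBOX = Node("sandbox", parent=ORG)
DEV = Node("dev-1", parent=SANDBOX)
```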

Shared Organization Services

Used across deployments for consistency and visibility:

  • Centralized IAM → unified access control.
  • Centralized Logging → forward telemetry to SIEM or security data lake.
  • Threat Detection → detect malicious activities in real time.
  • Cost Management → tagging policies for accountability.
  • Account Factories → IaC-based automated secure deployment setup.

Hybrid Cloud Management

Definition: Integration of on-prem data centers with public cloud.

Security Goals:

  1. IAM: A compromised identity can affect both environments.
  2. Network Security: Prevent misconfigurations & overexposure.

Best Practices:

  • Avoid “connection sprawl.”
  • Use a central bastion network to manage all hybrid connections.
  • Keep security controls distinct for cloud vs. on-prem; don’t normalize.

Multi-Cloud Management

Definition: Use of multiple IaaS/PaaS CSPs (AWS, Azure, GCP).

Challenges: High complexity, different tooling, and greater security overhead.

Strategies:

  1. Single Provider: Consolidate into one CSP.
  2. Primary/Secondary: Main provider + limited secondary (for special cases).
  3. Full Multi-Cloud: Equal support for all CSPs — requires advanced maturity.

Best Practice: Mature security in one CSP before expanding to others.

Container Misconception:

  • Containers increase workload portability — NOT infrastructure portability.
  • Shared services (DB, queues, etc.) are not easily portable.

Tooling & Staffing for Multi-Cloud

  • Each CSP requires dedicated expertise.
  • Use Managed Service Providers (MSPs) for support, but accountability stays with CSC.
  • Ensure MSP aligns with CSC’s governance and security strategy.

SaaS Management in Hybrid & Multi-Cloud

Challenges:

  • Many SaaS vendors with varying security levels.
  • Uncontrolled integrations = data exposure.

Best Practices:

  • Maintain a SaaS registry (approved vendors & data categories).
  • Require justification for duplicates.
  • Evaluate SaaS vendors before approval.
  • Control integrations & data flows between SaaS apps.

Key Tools:

  1. Federated Identity Brokers – Centralized access for multiple SaaS apps.
  2. CASB (Cloud Access Security Broker) – Visibility & enforcement over SaaS use.
  3. API Gateways – Manage and secure inter-SaaS data flows.

Flashcards: https://quizlet.com/in/1101683851/ccsk-domain-4-flash-cards/?i=4jehw4&x=1qqt

September 2025: Major Data Breaches and Cyber Attacks

Jaguar Land Rover cyberattack deepens, with prolonged production outage, supply chain fallout

Jaguar Land Rover (JLR), the U.K.-based automaker owned by Tata Motors, has extended production shutdowns after a cyberattack that disrupted global operations, halted manufacturing, and sent ripples across its supply chain. The company has shut down its IT networks in response to the attack. Industry sources have, in the meantime, warned that the disruption could last into November. A hacker group known for social-engineering campaigns has claimed responsibility. 

“Today we have informed colleagues, suppliers and partners that we have extended the current pause in our production until Wednesday 24th September 2025,” according to a Tuesday statement from Jaguar Land Rover. “We have taken this decision as our forensic investigation of the cyber incident continues, and as we consider the different stages of the controlled restart of our global operations, which will take time.” 

The statement added, “We are very sorry for the continued disruption this incident is causing and we will continue to update as the investigation progresses.”

Volvo Group Discloses Data Breach After Ransomware Attack on HR Supplier

Volvo Group North America has begun notifying employees and associates about a data breach that exposed their personal information, including names and Social Security numbers.

The security incident did not originate within Volvo’s own networks but was the result of a ransomware attack on one of its third-party human resources software suppliers, a company named Miljdata. The breach highlights the persistent and growing risks associated with supply chain vulnerabilities.

According to the data breach notification letter, the initial security incident targeting Miljdata occurred on August 20, 2025. The HR software provider first became aware of the ransomware attack three days later, on August 23.

It wasn’t until September 2, 2025, that Miljdata determined that data belonging to Volvo Group personnel had been compromised in the attack. Miljdata informed Volvo Group of the exposure on the same day.

Volvo has emphasized that its own internal systems were not compromised as part of this event and that the breach was contained within the environment of its supplier.

Tenable Data Breach Confirmed - Customer Contact Details Compromised

Tenable, a well-known cybersecurity company, has confirmed that it was affected by a recent large-scale data theft campaign. The attack targeted Salesforce and Salesloft Drift integrations, and Tenable was one of the organizations caught up in the incident.

The company stressed that while customer contact details were accessed, Tenable products and the data inside those products were not impacted.

According to Tenable, the breach involved unauthorized access to its Salesforce system. The exposed information included subject lines and short descriptions submitted by customers when opening support cases.

Additionally, standard business contact information, such as customer names, email addresses, phone numbers, and location details, was also accessed. At this point, the company stated there is no evidence that this information has been misused.

Wealthsimple Data Breach – User Information Leaked Online

Canadian financial technology company Wealthsimple disclosed a data security incident on September 5, 2025, revealing that personal information belonging to less than one percent of its clients was accessed without authorization.

The breach, which was detected on August 30, has prompted the company to implement enhanced security measures and offer comprehensive support to affected customers.

Wealthsimple’s security team acted quickly after discovering the incident, containing the issue within a few hours of detection.

The breach originated from a compromised software package developed by a trusted third-party vendor, which allowed unauthorized access to client data for a brief period.

  • Incident detected and contained within hours on August 30, 2025.
  • External security experts brought in for thorough investigation.
  • All client accounts remained secure throughout the incident.
  • No passwords compromised or funds accessed during breach.

Despite the security incident, the company emphasized that all client accounts remain secure and fully protected. No passwords were compromised, and crucially, no funds were accessed or stolen during the breach.

The financial platform’s core security infrastructure remained intact, ensuring that only affected clients could access their own accounts.

Cornwell Quality Tools Suffers Data Breach, 100,000 User Records Exposed

Cornwell Quality Tools, a leading automotive and industrial tool supplier, has confirmed a significant data breach that compromised the personal information of 103,782 individuals.

The cybersecurity incident occurred on December 12, 2024, when unauthorized attackers gained access to the company’s computer network, exposing sensitive customer data including names, Social Security numbers, medical information, and financial account details.

The unauthorized intrusion into Cornwell’s systems resulted in the exposure of both personally identifiable information (PII) and protected health information (PHI).

The compromised data encompassed a wide range of sensitive information that could potentially be used for identity theft and financial fraud.

The breach affected over 100,000 individuals who had their personal data stored within Cornwell’s network infrastructure.

Following the discovery of the security incident, Cornwell initiated an investigation to determine the scope and impact of the breach.

The company worked to secure their systems and assess what information was accessed during the unauthorized intrusion.

Harrods Cyberattack Exposes 430,000 Customer Records in Latest Data Breach

Luxury department store Harrods recently disclosed a data breach in which hackers stole information linked to approximately 430,000 customer records. The Harrods data breach has prompted the retailer to inform affected individuals and relevant authorities while stressing that no payment details or passwords were compromised during the incident.

According to a statement from the retailer, the Harrods data breach involved data accessed through a third-party provider, not the store’s own systems. The stolen information primarily consisted of basic personal details such as names and contact information provided by customers.

Additional data related to marketing preferences, loyalty cards, and partnerships with other companies, including Harrods’ co-branded cards, was also taken. However, the company emphasized that this information is unlikely to be correctly interpreted by unauthorized parties.

Harrods confirmed it would not engage with the threat actors behind the breach. “Our focus remains on informing and supporting our customers,” a spokesperson said. “We have informed all relevant authorities and will continue to cooperate with them.”

Intel Internal Data Breach for 270k Workers

Heads-up to my Intel and former Intel colleagues — a data breach has been discovered that exposed information on 270k workers. The good news is that the data was probably not very sensitive, as it was the internal system used to order business cards.

Other sites that were compromised were a project listing, vendor supplier, and hierarchy management site. Insights about who is working on which projects and their reporting structures could offer focused attackers information to assist with targeting of people for social engineering attacks.

What is embarrassing is that the security researchers found that Intel was using hardcoded passwords to protect these sites and misconfigured encryption that was easily bypassed.

The vulnerability researcher, Eaton, followed ethical standards and reported these to Intel last year. Intel closed the vulnerabilities this year.

Qualys Confirms Data Breach – Hackers Accessed Salesforce Data in Supply Chain Attack

Qualys has confirmed it was impacted by a widespread supply chain attack that targeted the Salesloft Drift marketing platform, resulting in unauthorized access to a portion of its Salesforce data.

The breach originated from a sophisticated cyberattack campaign targeting Salesloft Drift, a third-party Software-as-a-Service (SaaS) application used by Qualys to automate sales workflows and manage marketing leads.

According to the company, the attackers successfully stole OAuth authentication tokens that connected the Drift application to Qualys’s Salesforce instance. The malicious actors then used these tokens to gain unauthorized access.

Qualys specified that the access was limited to some information within its Salesforce environment, which is primarily used for managing leads and contact information.

The company confirmed in its statement that the attack did not compromise its foundational security infrastructure. There was no impact on the Qualys production environments, including its shared and private platforms, codebase, or any customer data hosted on the Qualys Cloud Platform. Furthermore, all Qualys platforms, agents, and scanners remained fully functional with no operational disruptions.

Cyberattack hits European airports: Heathrow delays, 50% Brussels flights to be cancelled, Delhi issues advisory

Travellers across Europe faced a weekend of disruption on Friday, 19 September, after airports including London Heathrow, Berlin Brandenburg and Brussels were hit by flight delays and cancellations following a cyber-attack.

The attack, believed to be a ransomware strike on aviation IT provider Collins Aerospace, targeted its widely used check-in technology. The failure forced several airports to revert to manual systems, leaving thousands of passengers stranded, resulting in queues and backlogs. While travel has largely returned to normal, the incident underlines the importance of building cyber resilience into our critical infrastructure.

Airports, in particular, pose significant cyber risks due to their complexity and highly digitized processes. As a critical part of a nation’s infrastructure, the approach to securing them must reflect the reality that no system is entirely secure – a point acknowledged in the World Economic Forum’s report, The Cyber Resilience Compass. This means that the focus cannot solely be on preventing attacks. It is equally vital to build resilience to ensure that when attacks do happen, their impact is minimized and critical services are maintained. This dual approach is crucial for safeguarding passenger safety, maintaining public trust and enabling long-term growth.

CCSK Domain 3 Notes: Risk, Audit and Compliance

This domain covers evaluating cloud service providers (CSPs) and establishing cloud risk registries, discussing compliance requirements, and introducing tools for governance and risk management.

3.1. Cloud Risk Management

Key Concepts in Risk

  • Asset: A valuable target, e.g., cloud storage bucket with customer personal information.
  • Threat Actor (Attacker): The entity targeting the asset.
  • Vulnerability: A weakness of an asset, e.g., a misconfigured storage bucket. This is an attack vector for the attacker.
  • Risk: The potential for a negative outcome, such as personal data leaking and the company getting fined, or data becoming unavailable/corrupted.
  • Control/Countermeasure: A way to reduce risk (e.g., a policy that prevents storage buckets from being accessible to a threat actor).
  • Threat Modeling: The process of understanding important assets and threat actors. In a cloud world, it starts with identifying where data is stored and how it flows between cloud services.

Cloud Risk Factors (Pandemic Eleven, 2022 CSA Top Threats)

Common risk factors and categories include:

  • Insufficient Identity, Credentials, Access, and Key Management.
  • Insecure Interfaces and APIs.
  • Misconfiguration and Inadequate Change Control.
  • Lack of Cloud Security Architecture and Strategy.
  • Cloud Storage Data Exfiltration.
  • Accidental Cloud Data Disclosure.
  • Misconfiguration and Exploitation of Serverless and Container Workloads.

Cloud Risk Management Process (Based on ENISA framework)

Risk management in the cloud uses the same methodologies as on-premises environments, but the specific actions for scope definition, environment setup, and risk evaluation/treatment change. The process includes:

  1. Definition of Scope and Framework: Defining the external and internal environment, generating the risk management context, and formulating risk criteria.
  2. Risk Assessment: Identify, analyze (likelihood and severity), and evaluate risks.
  3. Risk Treatment: Identify options, develop, approve, and implement an action plan (mitigate, transfer, avoid, or accept), and identify residual risks.
  4. Risk Acceptance.
  5. Risks Communication and Awareness Consulting.
  6. Monitoring & Review: Continuously monitor plans, events, and quality.

3.1.3 Assessing Cloud Services

This is a systematic process for evaluating and approving cloud services.

  1. Business Requests: Understand the business need, the data involved, risk appetite, and relevant policies/regulations.
  2. Review CSP Documentation: Check security/privacy policies, SLAs, Terms of Service (ToS), and use the CSA Consensus Assessments Initiative Questionnaire (CAIQ) for security controls disclosure. Also review certifications (e.g., ISO/IEC 27001, SOC 2).
  3. Review External Sources: Research external reviews, reported vulnerabilities, and past security/operational incidents.
  4. Map to Compliance Requirements: Align the CSP’s features/policies with organizational requirements (e.g., GDPR, HIPAA, PCI DSS).
  5. Map to Data Classification: Approve providers and services based on the data types (sensitivity) they will handle. Riskier services are acceptable for less valuable or public data.
  6. Define Required & Compensating Controls: Security defines required controls (e.g., configuration settings) and compensating controls (e.g., third-party tools) needed to safely use the service.
  7. Approval Process: If criteria are met, approve the service and incorporate it into the cloud register. Reassess based on time, major use, or major feature changes.

The Cloud Register

  • A central repository of approved cloud services, detailing what kind of data they are approved to handle at a given risk level.
  • Guides internal teams on which providers and services to use for projects.
  • Helps ensure data is only used with compliant services (a role in compliance).

3.2 Compliance & Audit

Compliance Definition

  • Compliance: Adherence to a set of requirements from internal policies, applicable laws/regulations, sector-specific codes, standards, and best practices.
  • Compliance is demonstrated through audits and conformity assessments.
  • Requirements can stem from National/International standards, Industry standards (like PCI), Contracts, and Internal policies.

Jurisdictions

The complexity of cloud compliance is magnified by operating across multiple regions with different legal and regulatory frameworks. Compliance is affected by:

  • Location of the cloud provider and cloud consumer.
  • Location of the data subject and where the data is stored.
  • Legal jurisdiction of the contract.
  • Treaties or other legal frameworks between locations.

Cloud-Relevant Laws & Regulations Examples

| Category        | Regulation/Standard (Examples)  | Key Focus                                                                              |
|-----------------|---------------------------------|----------------------------------------------------------------------------------------|
| Privacy         | EU GDPR, Brazil LGPD            | High standard for data protection, individual rights, consent, strict penalties.       |
|                 | US: CCPA, COPPA                 | Protect specific sectors/consumers (e.g., children’s online privacy, California consumers). |
| Industry/Sector | HIPAA (US)                      | Safeguards medical privacy/personal health information.                                |
|                 | GLBA (US)                       | Imposes requirements on financial institutions to protect consumer information.        |
|                 | PCI DSS (Cross-jurisdictional)  | Standard for organizations handling cardholder information; financial data protection. |
| EU Laws         | DORA                            | Ensures operational resilience for critical financial market infrastructures.          |
|                 | EU AI Act                       | Establishes regulations for the trustworthiness of AI systems.                         |

Factors Common Across Laws

  • Secure handling: Tightly controlled access to sensitive data to maintain confidentiality and integrity.
  • Secure storage: Encryption, proper data retention, and deletion practices for data at rest and in transit.
  • Due care: Adhering to industry best practices and security standards.
  • Audit trails: Maintaining records of data processing for compliance demonstration and audits.

Adherence to Standards

  • ISO/IEC 27001: International standard for Information Security Management Systems (ISMS); systematic, risk-management based approach.
  • System and Organization Controls (SOC): Compliance standard focusing on five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy. Important for SaaS companies.
  • Security Trust Assurance and Risk (STAR) Registry: Developed by the CSA. CSPs publish adherence to standards enhanced with cloud-specific controls from the Cloud Controls Matrix (CCM).

Compliance Inheritance

  • Follows the shared responsibility model.
  • Allows the customer to acquire a control set from a compliant provider.
  • Example: A customer using a PCI DSS-compliant infrastructure provider inherits that compliance at the infrastructure level. The customer is still responsible for their application’s PCI DSS compliance.
  • Both the CSP and the customer (CSC) are audited independently.

Artifacts of Compliance

These are the materials needed for audits, serving as evidence of compliance. Customers are ultimately responsible for providing artifacts for their audits. Examples include:

  • Audit Logs: Detailed records of events, actions, and changes.
  • Activity Reporting: Summaries of user activities and access patterns.
  • System Configuration Details: Documentation of network settings and access controls.
  • Change Management Details: Records of updates, modifications, and patches.

3.3 Governance, Risk, Compliance (GRC) Tools & Technologies

The GRC tool kit includes both technical and non-technical tools.

  • Non-technical: Clear documentation of responsibilities, contracts, the risk register, and frameworks/processes adapted for the business context.
  • Technical: Tools to automate labor-intensive tasks.

Flashcards: https://quizlet.com/in/1086485167/ccsk-domain-3-flash-cards/?i=4jehw4&x=1qqt

August 2025: Major Data Breaches and Cyber Attacks

SABC hacked

The South African Broadcasting Corporation (SABC) has confirmed that it was the victim of a business email compromise that affected some of its staff’s email accounts.

The state-owned broadcaster’s head of communications, Mmoni Ngubane, told MyBroadband that its IT team has secured the compromised mailboxes.

“The SABC is aware of a recent email compromise affecting a small number of employee accounts,” she said.

“Our IT Security team responded immediately, securing the affected mailboxes and containing the incident. Preliminary investigations indicate that the matter was isolated and quickly resolved.”

Ngubane said the SABC continues strengthening its cybersecurity measures and educating staff on cybersecurity.

“We encourage vigilance against suspicious emails to our staff and external partners,” she added.

Microsoft restores services to Russia-backed Nayara Energy

Microsoft suspended service after the EU introduced its fresh round of sanctions on July 18 against Russia and its energy sector that also cover Nayara, majority owned by Russian entities.

Nayara had approached a New Delhi court to order restoration of Microsoft’s services, saying its employees were unable to access official emails and company data needed for day-to-day operations.

On Wednesday, Nayara’s lawyer told the judge that the “matter has been resolved” as Microsoft has restored services to the company.

In a statement to Reuters, Microsoft confirmed it has restored services for Nayara Energy.

Cyberattack hits France’s third-largest mobile operator, millions of customers affected

Bouygues Telecom, one of France’s largest telecom companies and its third-largest mobile operator, announced on Wednesday being hit by a cyberattack that compromised the data of millions of customers.

The nature of the attack was not disclosed, and the company said the “situation was resolved as quickly as possible” by its technical teams, and that “all necessary measures were put in place.”

According to its corporate statement, the attack “allowed unauthorized access to certain personal data from 6.4 million customer accounts.”

Bouygues reported having 18.3 million mobile customers in its annual results for 2024, as well as 4.2 million fiber-to-the-home customers. It is not clear from the announcement which customer segment was affected.

The company stated those who were impacted “have received or will receive an email or text message to inform them, and our teams remain fully mobilized to support them.”

A report regarding the data breach has been filed with France’s data protection regulator, the CNIL, and a complaint has been submitted to France’s judicial authorities.

Global Jewellery Brand Pandora Suffers Hack

Danish jewellery giant Pandora has disclosed a significant data breach that compromised customer information through a third-party vendor platform. 

The company has begun notifying affected customers, starting with Italian markets, about the cybersecurity incident that resulted in unauthorized access to personal data.

Key Takeaways

  1. Supply-chain breach via third-party vendor exposed customer names, phone numbers, and emails.
  2. No passwords or payment data accessed.
  3. No signs of data leaks, but customers warned to watch for phishing.

Third-Party Vendor Vulnerability Exploited

According to the RansomNews report on X, the breach occurred through a supply chain attack, where threat actors gained access to customer data via a third-party service provider’s platform rather than directly targeting Pandora’s primary systems. 

This attack vector has become increasingly common as cybercriminals exploit the attack surface created by vendor relationships and interconnected digital ecosystems.

Cisco Discloses Data Breach Exposed User Profiles from Cisco.com

Cisco Systems has disclosed a data breach that compromised basic profile information of users registered on Cisco.com following a successful voice phishing attack targeting one of the company’s representatives.

The incident resulted in unauthorized access to a third-party cloud-based Customer Relationship Management (CRM) system used by the networking giant.

The breach occurred when a malicious actor executed a vishing attack against a Cisco employee, ultimately gaining access to export a subset of user data from the compromised CRM instance.

According to Cisco’s official disclosure, the exported information primarily consisted of basic account profile details including names, organization names, addresses, Cisco-assigned user IDs, email addresses, phone numbers, and account metadata such as creation dates.

Google hit by cyberattack targeting Salesforce data

Hackers stole user credentials from Salesforce customers in a widespread campaign earlier this month, according to researchers at Google Threat Intelligence Group, who warned that the thefts could lead to follow-up attacks.

A threat actor that Google tracks as UNC6395 targeted Salesforce instances using compromised OAuth tokens that were associated with the customer engagement vendor Salesloft’s Drift AI chat agent.

Researchers believe the hackers’ primary goal was to harvest credentials, as they stole large amounts of data from numerous Salesforce instances.

TransUnion says 4.4 million consumers’ data compromised in hack

Credit bureau TransUnion said Thursday that more than 4 million people’s data was exposed in a recent hack involving an unidentified third party. The company said it had “recently experienced a cyber incident involving a third-party application serving our U.S. consumer support operations.”

In a statement, TransUnion said it had “quickly contained the issue, which did not involve our core credit database or include credit reports.”

Maine legally requires disclosures for certain kinds of breaches affecting its residents. The name of the third party application was not disclosed, but U.S. corporations have recently seen waves of compromises as hackers trick employees into opening up their respective employers’ Salesforce databases.

A Salesforce representative did not immediately return a message seeking comment.

Manpower franchise discloses data theft after RansomHub posts alleged stolen data

Global staffing firm Manpower confirmed ransomware criminals broke into its Lansing, Michigan franchise’s network and stole personal information belonging to 144,189 people, months after the extortionists claimed that they pilfered “all of [the company’s] confidential data.” 

Back in January, notorious extortion crew RansomHub listed Manpower on its data leak site and claimed to have swiped 500GB of data before posting screenshots of the allegedly stolen files. These images included people’s social security cards, driver’s licenses, and passports, a lawsuit filed against Manpower, corporate bank statements, spreadsheets detailing employees’ hours and worksites, and customer lists.

“Unfortunately, all of your confidential data is on our servers,” the miscreants crowed, adding that they stole financial statements, HR data analytics, passports, ID cards, names and addresses, confidential contracts, and non-disclosure agreements. 

“We are waiting for you to return in the chatroom,” the RansomHub affiliate added. “Otherwise, I believe your competitors would like it very much!!!!!”

WestJet confirms passport details stolen in cyber attack

WestJet has admitted that a cyberattack on its systems earlier this year resulted in the theft of personal details from some passengers, including information drawn from travel documents such as passports. Payment card details and user passwords, however, were not taken.

The airline said the compromised data differs from person to person but may include names, dates of birth, contact information, gender, and recent booking records, including reservation numbers. Details from government-issued identification used for travel were also among the data taken.

In correspondence to those affected, WestJet warned that the stolen information could be used for identity theft or fraud, and said it would provide two years of free identity monitoring. The intrusion was detected on June 13, when the airline found that criminals had temporarily accessed some systems. The Office of the Privacy Commissioner of Canada has opened an inquiry.

Workday Data Breach Exposes HR Records via Third-Party CRM Hack

Enterprise software giant Workday has disclosed a security incident involving unauthorized access to employee information through a compromised third-party customer relationship management (CRM) platform.

The breach, discovered as part of a broader social engineering campaign targeting multiple large organizations, has raised concerns about supply chain security risks in the enterprise software sector.

Incident Details and Scope

According to Workday’s official statement, threat actors successfully infiltrated the company’s third-party CRM system following a sophisticated social engineering campaign.

The attackers contacted employees through text messages and phone calls, impersonating human resources and IT personnel to trick staff into surrendering account credentials and personal information.

The compromised data primarily consisted of standard business contact information, including employee names, email addresses, and phone numbers.

Workday emphasized that customer tenant data remained secure, with no evidence suggesting unauthorized access to client information or the core Workday platform infrastructure.

“There is no indication of access to customer tenants or the data within them,” the company stated, highlighting the limited scope of the security incident.

This distinction is crucial for Workday’s extensive client base, which includes numerous Fortune 500 companies relying on the platform for critical HR and financial operations.

Workday moved swiftly to contain the breach upon discovery, immediately terminating the attackers’ access to the compromised CRM system.

The company has implemented additional security safeguards designed to prevent similar incidents in the future, though specific details about these enhanced measures were not disclosed.

The incident underscores the persistent threat of social engineering attacks, which have become increasingly sophisticated in targeting enterprise environments.

Cybersecurity experts note that attackers often leverage stolen contact information to enhance the credibility of subsequent phishing campaigns and social engineering attempts.

This breach highlights the inherent risks associated with third-party integrations in enterprise environments.

Columbia University Confirms Data Breach Affecting Nearly 870,000 Individuals

Columbia University disclosed a significant cybersecurity incident that compromised personal information of 868,969 individuals nationwide, including 2,026 Maine residents, marking one of the largest higher education data breaches in recent years.

The breach notification, filed through outside counsel Debevoise & Plimpton LLP, reveals that hackers gained unauthorized access to the university’s external systems between May 16 and June 6, 2025.

The prestigious Ivy League institution discovered the security incident on July 8, 2025, nearly two months after the breach period concluded.

The university has classified this as an “external system breach (hacking),” indicating that cybercriminals successfully penetrated Columbia’s network infrastructure from outside the organization.

The compromised data included names and other personal identifiers, though specific details about additional sensitive information have not been fully disclosed in the initial notification.

1.1M Impacted by Farmers Insurance Data Breach, Security Leaders Discuss

Farmers Insurance has revealed it experienced a data breach that may be connected to the ongoing Salesforce social engineering campaign. According to a security incident notice sent out by the organization, a third-party vendor experienced a cyber incident that compromised a database of the insurance company’s customers. Affected data includes: 

  • Names 
  • Addresses 
  • Birth dates
  • Driver’s license numbers
  • Last four digits of Social Security Numbers 

Approximately 1.1 million customers are impacted by this breach. Below, security leaders share their insights. 

French Retailer Auchan Cyberattack – Thousands of Customers' Personal Data Exposed

Major French retail chain Auchan announced on August 21, 2025, that it suffered a significant cybersecurity incident resulting in the unauthorized access and theft of personal data from “several hundred thousand” customer loyalty accounts. 

The breach represents another critical example of retail sector vulnerabilities to Advanced Persistent Threats (APTs) targeting customer databases containing Personally Identifiable Information (PII).

Key Takeaways

1. Auchan confirmed a cyberattack exposing customer data.

2. Database attack stopped by segmentation.

3. Customers notified, CNIL alerted, phishing warning issued.

Customer Personal Data Compromised

Le Monde reports that the cyberattack compromised multiple data fields within Auchan’s customer relationship management system, including first and last names, email addresses, postal addresses, telephone numbers, and loyalty card numbers. 

Security analysts note that this data profile suggests attackers gained access to the retailer’s Customer Loyalty Management (CLM) database, likely through SQL injection vulnerabilities or privileged account compromise.

Notably, Auchan confirmed that financial data, authentication credentials (passwords), loyalty card PIN codes, and customer reward balances remained secure, indicating the breach was contained to specific database tables rather than achieving full system compromise. 

This suggests the implementation of a defense-in-depth architecture with data segmentation protocols that prevent lateral movement to more sensitive systems.

Ransomware attack on DaVita exposes data from 2.7M

  • Data from 2.7 million people were exposed after a ransomware attack on kidney care provider DaVita this spring, according to a report to federal regulators.
  • DaVita determined in April that an unauthorized user had gained access to its servers. Later that month, the attacker posted leaked data it claimed to have stolen from DaVita. The kidney care provider was able to obtain that information in June, which included sensitive personal information from its dialysis labs database. 
  • The data breach is one of the largest healthcare incidents reported to the HHS’ Office for Civil Rights this year, following breaches at Yale New Haven Health, UnitedHealth-owned healthcare services firm Episource and Blue Shield of California. 

Bragg Confirms Cyberattack, Internal IT Systems Breached

Bragg Gaming Group (NASDAQ: BRAG, TSX: BRAG), a prominent content and technology provider in the online gaming industry, has disclosed a cybersecurity incident that compromised its internal computer systems over the weekend.

The company discovered the breach on August 16, 2025, and has immediately implemented containment measures while engaging independent cybersecurity experts to assist with the investigation.

Initial Assessment Shows Limited Scope

According to the company’s preliminary investigation, the cyberattack appears to be contained within Bragg’s internal computer environment. 

Crucially, there is currently no indication that any personal information has been compromised, which represents a significant relief for the gaming operator’s customers and partners.

The company emphasized that despite the security breach, its operations remain fully functional and unaffected.

Bragg’s response demonstrates adherence to industry best practices for incident response, with the immediate retention of additional independent cybersecurity experts to conduct a thorough investigation.

Telecom company Colt hit by cyber attack

Telecom company Colt Technology Services has been dealing with a cyber incident since August 12 that has taken important customer systems offline. The company is working around the clock to restore the affected infrastructure.

The disruption mainly affects customers who depend on number hosting and porting activities via the Voice API platform. Several other customer systems, including Colt Online, are also temporarily unavailable. Customers who use the Colt Online portal can only contact the company by email or phone for the time being. The company warns that response times may be longer than usual.

Colt Technology Services confirmed that it has detected a cyber incident on an internal system. The company emphasizes that this system is separate from its customer infrastructure. “We detected the cyber incident on an internal system. This system is separate from our customer infrastructure,” the company said in a status update.

As a precautionary measure, several systems were proactively taken offline, which led to the disruption of customer support services.

At Least 14,485 Individuals Known to be Affected by Oracle Health/Cerner Data Breach

The number of individuals affected by a data breach at Oracle Health (formerly Cerner Corporation) is becoming clearer. While the total number of affected individuals has yet to be disclosed, based on the breach notifications issued to state attorneys general, more than 14,480 individuals have been confirmed as affected, although the actual total is undoubtedly considerably larger.

While several states publish their breach notification letters, only a few disclose the number of affected individuals, such as Massachusetts, South Carolina, Texas, and Washington. In addition to those states, California has published a breach notice from Oracle Health, but California has not stated how many individuals were affected.

CCSK Domain 2 Notes

1. Introduction

  • Governance = alignment of IT/Cloud with business objectives.
  • Defined by ISACA: evaluation of stakeholder needs, setting direction, monitoring performance.
  • Cloud introduces multi-tenancy, shared responsibility, regulatory complexity, requiring strong governance.

2. Cloud Governance Key Points

  • Drivers of cloud adoption: Cost efficiency (CapEx → OpEx), speed to market, innovation.
  • Risks in cloud adoption: misconfigurations, supply chain issues, compliance challenges.
  • Governance must balance speed vs. risk control.

Two major ways cloud impacts governance:

  1. Shared Responsibility Model – CSP + CSC share responsibilities; compliance risk always with CSC.
  2. Operational differences – multi-tenancy, data geography, failover, etc.

3. Complexities in Cloud Governance

  • Loss of direct IT control.
  • Multi-jurisdiction data & privacy compliance.
  • Limited visibility/transparency from CSP.
  • Accountability remains with CSC (cannot outsource responsibility).
  • Standardized offerings may not fit unique needs.
  • Chain of providers (e.g., SaaS on IaaS) complicates scoping.
  • Hybrid cloud = unclear provider vs. customer boundaries.
  • Reliance on third-party certifications instead of direct testing.
  • Rapid CSP changes → governance must adapt.
  • Need for specialized skills (cloud auditing, cloud security).

4. Governance Framework Components

Effective governance requires:

  • Defining roles & responsibilities.
  • Risk management.
  • Data classification & ownership.
  • Legal & regulatory compliance.
  • Governance hierarchy.
  • Cloud-specific frameworks.

5. Governance Hierarchy

Layers:

  1. Risk Frameworks – assess cyber risk (e.g., NIST 800-30, ISO 27005).
  2. Program Frameworks – define security program (e.g., NIST CSF, ISO 27001, COBIT).
  3. Control Frameworks – technical/procedural controls (e.g., NIST 800-53, CIS CSC, CSA CCM).

Governance documents produced:

  • Policies – high-level security requirements.
  • Control Objectives – specific goals (e.g., MFA required).
  • Control Specifications/Standards – technical enforcement (e.g., enable MFA in cloud).

6. Stakeholder Alignment

  • Must consult with: IT, security, compliance/legal, finance, business leaders, DevOps, operations, vendors, end users.

7. Cloud Security Frameworks

  • Provide structured approach to cloud security.
  • Key frameworks:
    • CSA Cloud Controls Matrix (CCM)
    • ISO/IEC 27017:2015
    • BSI C5
    • NIST 800-53
    • PCI DSS Cloud Guidelines
    • NIST Cybersecurity Framework (CSF)
    • CSA Cloud Security Maturity Model (CSMM)

8. CSA CCM & STAR

  • Cloud Controls Matrix (CCM):
    • Library of cloud control objectives, mapped to ISO, PCI, NIST, etc.
    • Tailored for multi-tenant, dynamic cloud systems.
    • Supports customization per IaaS, PaaS, SaaS.
    • Updated regularly.
  • CAIQ (Consensus Assessment Initiative Questionnaire): checklist based on CCM.
  • CSA STAR (Security, Trust, Assurance, Risk) Registry:
    • Public registry of CSP security/privacy controls.
    • STAR Certification → 3rd party cert against CCM + ISO 27001.
    • STAR Attestation → SOC 2 (AICPA) + CCM, done by CPAs.

9. Policies

  • Top-level Information Security Policy → defines program direction.
  • Supporting policies: acceptable use, data protection, identity management, mobile/endpoint security, cloud usage, 3rd-party risk.
  • Should have executive sign-off.

Exam Tip: Always tie governance hierarchy → frameworks → policies → control objectives → standards.

Governance = accountability stays with CSC even if CSP or third party provides services.

Flashcards: https://quizlet.com/in/1072373945/ccsk-domain-2-flash-cards/?i=4jehw4&x=1jqt

The Role of NTP Servers in Information Security: Why Accurate Time Matters

In the world of cybersecurity, we often focus on firewalls, intrusion detection systems, encryption algorithms, and endpoint defenses. Yet, one of the most fundamental elements of a secure and reliable IT infrastructure is often overlooked: time synchronization. This is where the Network Time Protocol (NTP) server comes into play.

NTP is more than just a way to keep clocks aligned across devices. In fact, it forms a critical backbone of information security by ensuring that all systems in a network speak the same “time language.” Without it, log analysis, incident response, authentication, and even compliance can break down.

What is an NTP Server?

A Network Time Protocol (NTP) server is a network service that synchronizes the clocks of computers, routers, switches, and other devices to a common, precise time reference. This reference may come from highly accurate sources such as GPS receivers, radio clocks, or atomic clocks attached to stratum-1 servers.

NTP ensures that every device in the network maintains consistent time, compensating for drift, latency, and network delays. It works hierarchically:

  • Stratum-0: Primary reference clocks (GPS, atomic clock).
  • Stratum-1: NTP servers directly connected to reference clocks.
  • Stratum-2 and below: Devices that synchronize time from higher stratum servers.
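To show what "compensating for drift, latency, and network delays" means in practice, here is an added example (not code from the original article) that applies the NTPv4 formulas from RFC 5905 to one request/response exchange and then combines several servers' samples so that an unsynchronised (stratum 16) or wildly disagreeing server cannot steer the clock. All timestamps, server names and thresholds are constructed.

```python
"""Added example (not from the original article): clock offset and round-trip
delay from one NTP exchange, plus a simple selection step over several
servers. Timestamps, server names and thresholds are constructed."""
from dataclasses import dataclass
from statistics import median

UNSYNCHRONISED = 16   # stratum 16 means the server has no valid time source


@dataclass
class Exchange:
    """The four NTP timestamps, in seconds. t1/t4 read the client clock,
    t2/t3 read the server clock."""
    t1: float  # client sends request
    t2: float  # server receives request
    t3: float  # server sends reply
    t4: float  # client receives reply


def offset_and_delay(x: Exchange):
    """Return (offset, delay). offset > 0 means the client clock is behind
    the server. The formulas assume equal latency in each direction; an
    asymmetric path biases the offset by half the asymmetry."""
    offset = ((x.t2 - x.t1) + (x.t3 - x.t4)) / 2.0
    delay = (x.t4 - x.t1) - (x.t3 - x.t2)
    return offset, delay


@dataclass
class Sample:
    server: str
    stratum: int
    offset: float
    delay: float


def select_offset(samples, max_delay=0.5, max_disagree=0.1):
    """Keep only usable samples (synchronised stratum, sane delay), then drop
    any server whose offset is far from the median of the rest. Returns
    (chosen_offset, rejected_server_names); chosen_offset is None when no
    usable sample survives."""
    usable = [s for s in samples
              if 1 <= s.stratum < UNSYNCHRONISED and s.delay <= max_delay]
    rejected = [s.server for s in samples if s not in usable]
    if not usable:
        return None, rejected
    mid = median(s.offset for s in usable)
    agreeing = [s for s in usable if abs(s.offset - mid) <= max_disagree]
    rejected += [s.server for s in usable if s not in agreeing]
    if not agreeing:
        return None, rejected
    return median(s.offset for s in agreeing), rejected


if __name__ == "__main__":
    # Constructed exchange: client clock 0.250 s behind the server,
    # 20 ms each way on the network, 1 ms of server processing.
    sym = Exchange(t1=1000.000, t2=1000.270, t3=1000.271, t4=1000.041)
    # Same clocks, but 10 ms out and 30 ms back: the offset is biased by 10 ms.
    asym = Exchange(t1=1000.000, t2=1000.260, t3=1000.261, t4=1000.041)
    for name, x in (("symmetric", sym), ("asymmetric", asym)):
        off, dly = offset_and_delay(x)
        print(f"{name}: offset={off:+.3f}s delay={dly:.3f}s")
    samples = [Sample("ntp1", 2, 0.25, 0.04), Sample("ntp2", 2, 0.24, 0.04),
               Sample("ntp3", 16, 0.25, 0.03), Sample("rogue", 1, 3600.0, 0.02),
               Sample("far", 2, 0.26, 0.90)]
    print(select_offset(samples))
```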

Why Time Synchronization is Crucial for Information Security

1. Accurate Log Correlation and Forensics

When investigating a security incident, analysts rely on system logs from firewalls, intrusion detection systems, servers, and applications. If these devices are not time-synchronized:

  • Logs may appear out of order.
  • Attack timelines become confusing.
  • Correlation between systems is unreliable.

NTP provides the foundation for accurate forensic analysis and incident response.

2. Authentication Protocols and Certificates

Many security mechanisms depend on precise timestamps:

  • Kerberos authentication uses timestamps to prevent replay attacks. Time drift can cause authentication failures.
  • Digital certificates (SSL/TLS) rely on valid “not before” and “expiry” times. Incorrect system time may result in expired or invalid certificate errors.
  • Token-based authentication (e.g., OTPs, JWTs) depends on synchronized time.

3. Regulatory Compliance

Regulatory frameworks such as PCI DSS, HIPAA, and ISO 27001 require accurate logging and audit trails. For instance, PCI DSS mandates time synchronization to ensure all logs can be reliably tied to specific events. Non-compliance due to unsynchronized time may lead to audit failures.

4. Intrusion Detection and SIEM Accuracy

Security tools like SIEMs and IDS/IPS aggregate logs from multiple sources. If timestamps don’t align:

  • Correlation rules may misfire.
  • False positives and false negatives increase.
  • Real threats may go unnoticed.

NTP servers reduce this risk by ensuring temporal consistency across all inputs.

5. Resilience Against Time-based Attacks

Attackers sometimes manipulate system clocks to evade detection or disrupt authentication mechanisms. By maintaining secure and redundant NTP synchronization, organizations can mitigate:

  • Replay attacks (exploiting old valid sessions).
  • Time-warping attacks (tampering with logs to cover tracks).

Best Practices for Secure NTP Implementation

  1. Use Trusted NTP Sources: Always prefer stratum-1 or reputable public NTP services (e.g., NIST, pool.ntp.org), or better yet, deploy an internal stratum-1 NTP server for critical systems.
  2. Deploy Redundant NTP Servers: Avoid a single point of failure. Use multiple, geographically diverse servers.
  3. Secure NTP Traffic:
    • Use authentication (NTPv4 supports symmetric key and Autokey).
    • Restrict access to internal systems only.
    • Block or monitor external NTP traffic to prevent abuse (e.g., NTP amplification DDoS).
  4. Monitor for Time Drift: Integrate NTP monitoring with your SIEM to detect anomalies. Sudden time changes can indicate misconfiguration or malicious activity.
  5. Harden NTP Servers:
    • Run NTP on hardened systems with minimal services.
    • Apply patches regularly.
    • Limit which devices can query your NTP server.
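As an added example of the monitoring step above (not code from the original article), the following scans NTP daemon syslog lines for the events a SIEM rule would want: large clock steps, loss of synchronisation, a sync to a server that is not on the approved list, and no reachable servers. The log lines are constructed and modelled on ntpd-style messages; the approved-server list and the step threshold are assumptions.

```python
"""Added example (not from the original article): flag suspicious NTP events
in syslog lines. Log lines are constructed; the server allowlist and the
step threshold are assumptions."""
import re

APPROVED_SERVERS = {"10.0.0.5", "10.0.0.6"}  # assumed internal NTP servers
STEP_ALERT_SECONDS = 1.0                      # assumed "sudden change" threshold
UNSYNCHRONISED = 16

STEP_RE = re.compile(r"time reset ([+-]\d+\.\d+) s")
SYNC_RE = re.compile(r"synchronized to (\S+), stratum (\d+)")


def check_line(line):
    """Return a list of (rule, detail) findings for one syslog line."""
    findings = []
    m = STEP_RE.search(line)
    if m:
        step = float(m.group(1))
        if abs(step) >= STEP_ALERT_SECONDS:
            findings.append(("large_time_step", f"{step:+.3f} s"))
    m = SYNC_RE.search(line)
    if m:
        server, stratum = m.group(1), int(m.group(2))
        if stratum >= UNSYNCHRONISED:
            findings.append(("unsynchronised_source", server))
        if server not in APPROVED_SERVERS:
            findings.append(("unapproved_server", server))
    if "no servers reachable" in line:
        findings.append(("no_servers_reachable", ""))
    return findings


def scan(lines):
    """Run check_line over syslog lines ("Mon DD HH:MM:SS host ...").
    Returns a list of (line_no, host, rule, detail) alerts."""
    alerts = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        host = parts[3] if len(parts) > 3 else "?"
        for rule, detail in check_line(line):
            alerts.append((n, host, rule, detail))
    return alerts


# Constructed sample log, modelled on ntpd-style syslog messages.
SAMPLE_LOG = [
    "Aug 20 03:14:07 fw01 ntpd[812]: synchronized to 10.0.0.5, stratum 2",
    "Aug 20 03:15:09 fw01 ntpd[812]: time reset +0.004312 s",
    "Aug 20 09:42:51 fw01 ntpd[812]: time reset +3612.500000 s",
    "Aug 20 09:43:20 fw01 ntpd[812]: synchronized to 198.51.100.77, stratum 16",
    "Aug 20 09:50:01 db02 ntpd[640]: no servers reachable",
    "Aug 20 09:51:13 db02 ntpd[640]: synchronized to 10.0.0.6, stratum 3",
]

if __name__ == "__main__":
    for line_no, host, rule, detail in scan(SAMPLE_LOG):
        print(f"line {line_no} {host}: {rule} {detail}".rstrip())
```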

Conclusion

While NTP servers may seem like a minor infrastructure component, they are fundamental to maintaining integrity, reliability, and security in IT systems. Without synchronized time, incident investigations fall apart, authentication mechanisms break, and compliance audits fail.

In today’s threat landscape, where even milliseconds matter, securing and correctly deploying NTP servers is not optional — it is a cornerstone of information security.

Information Security Blogs

Blogs on infosec and cyber security, writeups, latest trends, security best practices, etc.
