Shadow AI: Examples, Risks, and 8 Ways to Mitigate Them
Uncover the hidden risks of Shadow AI and learn 8 key strategies to address it.
The post Shadow AI: Examples, Risks, and 8 Ways to Mitigate Them appeared first on Security Boulevard.
While we talk a lot on this site about the US Government’s various cybersecurity frameworks, like FedRAMP and CMMC, there’s one significant framework that deserves just as much attention: ISO 27001. ISO 27001, being an ISO standard, is an international framework for cybersecurity divorced from any one country’s government. It’s a way for businesses operating […]
The post ISO 27001 Risk Register Setup: Step-by-Step Guide appeared first on Security Boulevard.
More Meta mess: Pundits accuse Zuckerberg’s latest app of having a “dark pattern,” tricking the over 50s into oversharing.
The post Meta AI is a ‘Privacy Disaster’ — OK Boomer appeared first on Security Boulevard.
In 2025, HR leaders are facing a new kind of threat: highly convincing fake applicants, AI-powered resume fraud, and deepfake interview proxies. What used to be fringe or far-fetched is now a weekly reality for talent teams.
From fake IT workers linked to nation-states to deepfake-driven interview fraud, the threats have never been more diverse, or more advanced. According to HYPR's 2025 State of Passwordless Identity Assurance report, 95% of organizations experienced a deepfake incident in the last year, and nearly 40% had a GenAI-related security breach.
This field-ready guide outlines 10 bottom-of-funnel actions to equip HR teams with real-world tactics, tools, and strategies to detect, prevent, and respond to identity fraud in recruiting and onboarding. Each step is designed to be immediately implementable and mapped to core tools HR professionals already use.
The post HR’s 2025 Guide to Preventing Interview and Onboarding Fraud appeared first on Security Boulevard.
Aim Security researchers found a zero-click vulnerability in Microsoft 365 Copilot that could have been exploited to have AI tools like RAG and AI agents hand over sensitive corporate data to attackers simply by issuing a request for the information in a specially worded email. Microsoft fixed the security flaw.
The post Zero-Click Flaw in Microsoft Copilot Illustrates AI Agent, RAG Risks appeared first on Security Boulevard.
Kubernetes is powerful, but managing it in-house can be a major drain on your engineering resources. That’s why many organizations are turning to Fairwinds Managed Kubernetes-as-a-Service (KaaS): we handle the complexity, so you can focus on building what matters most—your applications and your business differentiations. It’s easy to be confused by the differences between Managed Kubernetes-as-a-Service and managed Kubernetes services, such as those offered by Amazon (Elastic Kubernetes Service or EKS), Google (Google Kubernetes Engine or GKE), and Microsoft (Azure Kubernetes Service or AKS), so let's clarify how they're different.
The post A Guide to Managed Kubernetes-as-a-Service Shared Responsibility Model appeared first on Security Boulevard.
Author/Presenter: Sam Groveman (Research Associate)
Our sincere appreciation to LinuxFest Northwest (Now Celebrating Their Organizational 25th Anniversary Of Community Excellence), and the Presenters/Authors for publishing their superb LinuxFest Northwest 2025 video content. Originating from the conference’s events located at the Bellingham Technical College in Bellingham, Washington; and via the organization’s YouTube channel.
Thanks and a Tip O' The Hat to Verification Labs :: Penetration Testing Specialists :: Trey Blalock GCTI, GWAPT, GCFA, GPEN, GPCS, GCPN, CRISC, CISA, CISM, CISSP, SSCP, CDPSE for recommending and appearing as speaker at the LinuxFest Northwest conference.
The post LinuxFest Northwest: Easy Modular Sensors And Automation appeared first on Security Boulevard.
We’re witnessing a shift in enterprise architecture: AI agents are moving from supporting roles to autonomous actors that drive decisions, trigger transactions, and interact directly with APIs — often on behalf of users. As a result, identity management is evolving. Identity isn’t just for humans anymore — it’s becoming the security backbone for intelligent, non-human...
The post How identity management is shifting into the agent era appeared first on Strata.io.
The post How identity management is shifting into the agent era appeared first on Security Boulevard.
Paris, France, 13th June 2025, CyberNewsWire
The post Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale appeared first on Security Boulevard.
Identiverse 2025 exposed the urgent need for NHI governance. From AI agents to orphaned credentials, NHIs and their sprawling secrets are today’s most overlooked risks.
The post Identiverse 2025: Trust, Delegation, and the Era of Continuous Identity appeared first on Security Boulevard.
Third-party cyber risk management (TPRM) represents the systematic approach organizations use to assess, monitor, and mitigate cybersecurity risks posed by external vendors, suppliers, and service providers. As enterprise ecosystems expand, TPRM has evolved from a compliance checkbox to a critical business function integral to organizational resilience.
The post Third-Party Cyber Risk Management Platforms: The Definitive Guide appeared first on Security Boulevard.
What happens when your most critical security minds are quietly planning their exit? With 53% of cyber leaders exploring new roles, the cybersecurity industry faces a silent attrition problem rooted in the very nature of the job. The struggle to quantify success when risk is mitigated, coupled with persistent burnout and role uncertainty, leaves many feeling undervalued and unheard. This situation calls for a fundamental re-evaluation of how organizations support and reward their security leadership.
The post Cybersecurity Insights with Contrast CISO David Lindner | 06/13/25 appeared first on Security Boulevard.
Check out NIST best practices for adopting a zero trust architecture. Plus, learn how OpenAI disrupted various attempts to abuse ChatGPT. In addition, find out what Tenable webinar attendees said about their exposure management experiences. And get the latest on cyber crime trends, a new cybersecurity executive order and more!
Dive into six things that are top of mind for the week ending June 13.
1 - NIST issues practical implementation guidance for zero trust
Zero trust architectures’ (ZTAs) popularity has grown as traditional on-prem security perimeters dissolve with the adoption of cloud services, mobile devices, remote employees, IoT devices and more. But ZTA implementations aren’t “one-size-fits-all” affairs. They must be customized to individual environments.
To help organizations plan and deploy ZTAs, the U.S. National Institute of Standards and Technology (NIST) this week published a guide titled “Implementing a Zero Trust Architecture: Full Document (SP 1800-35).”
By offering 19 concrete ZTA implementation examples, the new guide is meant to complement NIST’s “Zero Trust Architecture (SP 800-207)” which was published in mid-2000 and unpacks what a ZTA is, as well as its components, benefits and risks.
“This guidance gives you examples of how to deploy ZTAs and emphasizes the different technologies you need to implement them,” Alper Kerman, a NIST computer scientist and the guide’s author, said in a statement. “It can be a foundational starting point for any organization constructing its own ZTA.”
To craft the new ZTA guide, NIST enlisted the help of 24 technology partners, including Tenable. “Our role? Help ensure that every device, user, and system is verified, monitored, and protected. This is what public-private partnership looks like at its best,” Tenable Senior VP of Global Government Affairs James Hayes wrote in a LinkedIn post.
In addition to the 19 examples, the guide also includes a description of these core steps applicable to all ZTA implementations:
Cyber espionage. Social engineering. Fraudulent employment schemes. Covert operations. Scams.
Those are some of the malicious uses of OpenAI’s artificial intelligence tools that the company has detected and halted in recent months.
“Every operation we disrupt gives us a better understanding of how threat actors are trying to abuse our models, and enables us to refine our defenses,” the company wrote in the report “Disrupting malicious uses of AI: June 2025,” published this week.
Specifically, OpenAI details 10 incidents with the goal of sharing how it flagged and defused them in the hopes that the lessons it learned can benefit other AI defenders.
Here’s a quick glance at three of the malicious use cases the maker of ChatGPT discusses in the report:
“We’ll continue to share our findings to enable stronger defenses across the internet,” the report reads.
During our recent webinar “Security Without Silos: How to Gain Real Risk Insights with Unified Exposure Management,” we polled attendees about their exposure management knowledge, challenges and concerns. Check out what they said.
(44 webinar attendees polled by Tenable. Respondents could choose more than one answer.)
(85 webinar attendees polled by Tenable)
(89 webinar attendees polled by Tenable)
Want to learn more about how unified exposure management works in the real world? Watch this webinar on-demand!
4 - How to prevent AI systems from acting on what they don’t know
As has been widely documented by researchers and experienced by users, AI systems often make mistakes — a major challenge for AI developers. What can be done?
A critical piece of this puzzle is to build AI systems that recognize when they’re presented with a task for which they haven’t been trained, and are able to say they don’t know how to proceed.
That’s according to the article “Out of Distribution Detection: Knowing When AI Doesn’t Know” published this week by two experts from Carnegie Mellon University’s Software Engineering Institute (SEI).
In the piece, Eric Heim, a senior machine learning research scientist, and Cole Frank, an AI workforce development engineer, explore the issue of out-of-distribution detection (OoD) — flagging when an AI system faces situations it’s not trained to tackle — with a focus on AI military applications.
“By understanding when AI systems are operating outside their knowledge boundaries, we can build more trustworthy and effective AI capabilities for defense applications — knowing not just what our systems know, but also what they don't know,” they wrote.
The authors offer three broad categories of OoD detection:
The authors caution that all three OoD detection categories have their pros and cons and that OoD detection methods aren’t foolproof. As such, they should be considered “a last line of defense in a layered approach to assessing the reliability of ML models during deployment.”
“Developers of AI-enabled systems should also perform rigorous test and evaluation, build monitors for known failure modes into their systems, and perform comprehensive analysis of the conditions under which a model is designed to perform versus conditions in which its reliability is unknown,” they wrote.
The Trump administration has put the spotlight on boosting the U.S. federal government’s cybersecurity posture with the recently issued Executive Order (EO) 14306.
EO 14306 aims “to strengthen the nation’s cybersecurity by focusing on critical protections against foreign cyber threats and enhancing secure technology practices,” reads a complementary White House fact sheet.
The EO addresses topics including AI system vulnerabilities, IoT security, quantum computing risk, patch management, secure software development and critical infrastructure defense.
“This EO reinforces the importance of shifting from reactive to proactive cybersecurity,” Tenable Senior VP of Global Government Affairs James Hayes wrote in a blog.
“By addressing emerging risks — such as AI exploitation, post-quantum threats and software supply chain weaknesses — the administration is signaling the need for adaptability and continuous improvement,” he added.
To learn more about EO 14306 and about how Tenable can help federal agencies comply with the EO’s requirements, check out the blog “New Cybersecurity Executive Order: What You Need To Know.”
6 - Report: Cyber crooks feasting on stolen data
Leveraging AI in increasingly powerful ways, cyber criminals have ramped up data theft, which they’re using as the foundation for myriad cyber attacks, including online fraud, ransomware, child exploitation and extortion.
That’s a key takeaway from Europol’s “Internet Organised Crime Threat Assessment 2025” report, published this week. The report aims to highlight major trends in cyber crime in order to help law enforcement agencies, policy makers and the tech industry respond.
“From phishing to phone scams, and from malware to AI-generated deepfakes, cybercriminals use a constantly evolving toolkit to compromise systems and steal personal information,” reads a Europol statement.
Initial access brokers (IABs) then sell, resell and repackage stolen credentials and data in dark web forums and criminal marketplaces. Cyber criminals have also upped their use of communication apps that offer end-to-end encryption to negotiate deals and sell compromised data.
With regards to AI, cyber crooks continue to abuse it, especially generative AI tools, to launch ever more sophisticated social engineering attacks. “Criminals now tailor scam messages to victims’ cultural context and personal details with alarming precision,” the statement reads.
The post Cybersecurity Snapshot: NIST Offers Zero Trust Implementation Advice, While OpenAI Shares ChatGPT Misuse Incidents appeared first on Security Boulevard.
Discover the capabilities of Microsoft 365 Data Loss Prevention (DLP) and understand its limitations. Learn how to prevent unauthorized data access and sharing.
The post Microsoft Data Loss Prevention (DLP): Tips to Protect Your Business Following the Latest Outage appeared first on Security Boulevard.
Join us for a live webinar with application security experts and Escape clients - Seth Kirschner (DoubleVerify), Nathan Byrd (Applied Systems), Nick Semyonov (PandaDoc), as they break down how their teams are rethinking testing strategies to keep up with AI-influenced codebases.
The post [Webinar] Securing AI-driven applications with DAST appeared first on Security Boulevard.
Santa Clara, Calif. Jun 13, 2025 – NSFOCUS, a global provider of intelligent hybrid security solutions, announced today that it has attained ISO 27701:2019 Privacy Information Management System (PIMS) certification. ISO/IEC 27701 extends the ISO/IEC 27001 information security management system to address global privacy protection needs, establishing a unified international standard for information security, privacy, […]
The post NSFOCUS Earns ISO 27701:2019 Privacy Information Management System Certification appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.
The post NSFOCUS Earns ISO 27701:2019 Privacy Information Management System Certification appeared first on Security Boulevard.
The post 7 Steps to Developing a Cybersecurity Strategy appeared first on AI Security Automation.
The post 7 Steps to Developing a Cybersecurity Strategy appeared first on Security Boulevard.
The post Integrative Security That Doesn’t Add Work to Your Workload appeared first on Votiro.
The post Integrative Security That Doesn’t Add Work to Your Workload appeared first on Security Boulevard.
Is Assured Compliance Your Ultimate Goal? Consider Effective NHI Management Ever wondered how Non-Human Identities (NHIs) and Secrets Security Management could significantly enhance your cybersecurity strategy and lead to assured compliance? With the ever-increasing threats, it is essential for every organization, regardless of its sector, to prioritize robust strategies that can provide end-to-end protection. By […]
The post Assured Compliance Through Effective NHI Management appeared first on Entro.
The post Assured Compliance Through Effective NHI Management appeared first on Security Boulevard.
Does Non-Human Identity Management Hold the Key to Effective Cybersecurity? The management of Non-Human Identities (NHIs) and secrets has emerged as a pivotal component. For organizations aiming to bolster their cybersecurity strategy, the integration of NHI management can yield substantial benefits. But what is NHI management, and how can it mitigate risks associated with security […]
The post Freedom to Choose Your NHI Security Approach appeared first on Entro.
The post Freedom to Choose Your NHI Security Approach appeared first on Security Boulevard.