Archive for the Commentary Category

« Older Entries
Newer Entries »

CDW Canada’s 2026 Cybersecurity Study reveals an 80% jump in cyberattacks for Canadian enterprise

Posted in Commentary with tags on April 1, 2026 by itnerd

Today, CDW Canada released data from its annual Canadian Cybersecurity Study, Navigating Ransomware, Modern Architectures and the Maturity Paradox. 

Key findings from the study include: 

  • Canadian companies are being targeted by cyberattacks at a rate not seen before. Enterprise organizations saw an 80 percent increase in cyberattacks in 2025 due to the use of AI in cyberattacks and the larger financial reward potential.
  • Enterprise cloud infection rates hit a record high in 2026, jumping from 41 percent to 53 percent year over year, the highest level recorded since CDW Canada started this study.
  • Most organizations assume their cloud environments are secure. The study suggests that assumption is creating one of the biggest vulnerabilities in Canadian cybersecurity right now.
  • Security spending reached a five-year high, with 20% of IT budgets now dedicated to security; however, the gaps in foundational weaknesses in people and processes create the “security maturity paradox,” making organizations appear advanced but leaving them open to attacks.
  • AI is creating new security pressures on two fronts. Attackers are using it to be more effective. And organizations adopting AI internally need to make sure they are doing so in a way that does not create new vulnerabilities.
  • The ripple effects go beyond the organization itself. When a major company is hit, the impact is felt by employees, customers and the communities that depend on those services.

There are many more findings in the press release linked here. The full report can be accessed here.

Leave a comment »

The CISA mandates federal patching of Citrix NetScaler flaw by Thursday 

Posted in Commentary with tags , on March 31, 2026 by itnerd

The CISA has added a new Citrix NetScaler appliance vulnerability to its Known Exploited Vulnerabilities catalog and is giving federal agencies till Thursday to remediate the flaw.

The vulnerability (CVE-2026-3055) is caused by inadequate input validation and can be exploited by unauthenticated remote attackers to extract sensitive data from Citrix ADC or Citrix Gateway appliances configured as SAML identity providers.

Denis Calderone, CTO, Suzu Labs provided this comment:

   “Back in 2023 CISA, the FBI, and Australia’s ACSC put out a joint advisory related to CVE-2023-4966, CitrixBleed. That was the same class of vulnerability on the same product family as this new issue, CVE-2026-3055. The issues are memory leaks on NetScaler that let attackers steal session tokens and walk right past authentication, including MFA. We saw LockBit use it to devastating effect against ICBC, Boeing, and DP World, and now we’re looking at another critical memory disclosure flaw on NetScaler. Citrix themselves are warning that exploitation is likely once proof-of-concept code surfaces.

   “An out-of-bounds read on a device like this is particularly dangerous because of where NetScaler sits in the environment. It’s at the network boundary, handling authentication and session management.

   “NetScaler is often used to build a layer of abstraction between the untrusted, semi-trusted and fully trusted security zones within a network. When memory leaks on a device like that, what spills out isn’t random data. It’s potentially session tokens, authentication material, and credentials. These are the things that let attackers bypass every security control sitting behind it. That’s what made CitrixBleed so devastating, and this vulnerability has the same potential.

   “The one piece of good news is that this only affects NetScaler instances configured as a SAML Identity Provider, not default configurations. SOC teams should check right now: search your NetScaler config for ‘add authentication samlIdPProfile’. If it’s there, you’re in scope and you need to patch immediately. If you can’t patch today, consider whether you can disable SAML IDP functionality as a temporary mitigation. Citrix has 21 entries in the CISA KEV catalog at this point. Waiting to see if this gets exploited is not a strategy that has historically worked out with this vendor.”

Jacob Warner, Director of IT, Xcape, Inc. adds this comment:

   “Unpatched gateway appliances are the primary door for initial access brokers and nation-state actors, making this 48-hour remediation window a critical operational priority. This vulnerability allows unauthenticated attackers to bypass security boundaries and harvest credentials or session tokens, effectively turning your identity provider into a pivot point for lateral movement across the entire network. Organizations should immediately identify all Citrix ADC and Gateway instances acting as SAML IdPs and apply the vendor-provided firmware updates before the Thursday deadline.

   “If immediate patching is not feasible, security teams must evaluate whether to disable SAML functionality or place these appliances behind a restrictive VPN to reduce the attack surface. This is not a drill for the weekend; the inclusion in the KEV catalog confirms that active exploitation is already occurring in the wild.

   “Given the history of NetScaler vulnerabilities such as CitrixBleed, the blast radius of a successful exploit likely includes a full bypass of multi-factor authentication (MFA) for downstream applications. Priority should be placed on Internet-facing instances, followed by a comprehensive review of logs for unusual outbound traffic from these appliances.

   “I appreciate CISA giving us a Tuesday warning for a Thursday deadline, though I suspect the “unauthenticated remote attackers” didn’t bother waiting for the official calendar invite.”

Rajeev Raghunarayan, Head of GTM, Averlon said this:

   “Most organizations measure response in terms of time to patch. The real gap is time to decision. Teams often know about a vulnerability, but they don’t know whether it actually matters in their environment.

   “We’ve seen environments with tens of thousands of vulnerabilities where only a handful created meaningful risk based on how they connected to critical systems, especially when identity infrastructure is involved. Without that clarity, everything looks urgent and ends up in the same queue.

   “The organizations moving fastest don’t need external deadlines to act. They can quickly determine what matters and treat those cases as incidents. Others rely on external signals like KEV listings to prioritize, rather than identifying that urgency internally.”

If you organization is affected by this, you need to patch this ASAP because threat actors will not wait to exploit this.

Leave a comment »

Unit 42 researchers discover security flag in Google Vertex AI Engine

Posted in Commentary with tags on March 31, 2026 by itnerd

Palo Alto Networks Unit 42 published new research on a security flaw in Google’s Vertex AI Engine,

Unit 42 researchers found that Google Cloud’s Vertex AI Engine is giving AI agents far too much access by default. This critical discovery highlights the challenges of applying foundational security standards in the AI era.

Key Takeaways:

  • Significant Insider Threat: The research details how Google Cloud’s Vertex AI Engine is giving AI agents far too much access, by default. The report reveals that a misconfigured or compromised AI agent deployed via Google Cloud Platform’s (GCP) Vertex AI Agent Engine can be weaponized to compromise an organization’s cloud environment. This level of access constitutes a significant security risk, transforming the AI agent from a helpful tool into a potential insider threat.
  • The Big Picture: The rapid deployment of AI agents introduces a whole new class of overprivileged insiders. This comes as 90% of organizations are already facing pressure to loosen access control to support AI-driven automation.

You can read the research here:http://unit42.paloaltonetworks.com/double-agents-vertex-ai 

Leave a comment »

New Research Shows How Attackers Silently Disable AWS CloudTrail Without Triggering Alerts

Posted in Commentary with tags on March 31, 2026 by itnerd

The Abstract ASTRO research team has just published a blog entitled: How Attackers Disable CloudTrail Without Calling StopLogging or DeleteTrail.

Security teams rely heavily on AWS CloudTrail as a source of truth for detecting breaches, but new research shows attackers can quietly disable or degrade logging without ever touching the APIs most defenders monitor.

In a new technical deep dive, ASTRO uncovers how adversaries are bypassing traditional detections (like StopLogging or DeleteTrail) and instead using lesser-known AWS APIs to blind logging systems while keeping them appearing fully operational.

Key findings that may interest your readers:

  • Attackers can create “invisible activity zones” using PutEventSelectors, selectively excluding malicious actions from logs while CloudTrail continues to run normally.
  • CloudTrail Lake can be silently neutralized via APIs like StopEventDataStoreIngestion and DeleteEventDataStore, halting or destroying long-term forensic visibility.
  • Anomaly detection can be disabled outright by-passing empty parameters to PutInsightSelectors, removing automated detection of suspicious behavior.
  • Critical guardrails can be dismantled through APIs like DeleteResourcePolicy and DeregisterOrganizationDelegatedAdmin, weakening cross-account protections.
  • The real risk is in the sequence: individually, these API calls look like routine maintenance—but chained together, they allow attackers to erase evidence and evade detection entirely.

The research also outlines detection strategies, including how to identify subtle parameter changes and—more importantly—how to correlate multiple low-signal events into high-confidence alerts, something most SIEMs struggle to do.

This has major implications for DFIR teams and cloud security programs: organizations may believe they have full visibility, while attackers are actively operating in blind spots.

You can read the blog entry here: https://www.abstract.security/blog/how-attackers-disable-cloudtrail-without-calling-stoplogging-or-deletetrail

Leave a comment »

Liquibase Unveils Change Intelligence and New Connectors for Governed Database Delivery 

Posted in Commentary with tags on March 31, 2026 by itnerd

Liquibase today unveiled Liquibase Change Intelligence and a new suite of Liquibase Secure Deployment Connectors, expanding how enterprises understand, govern, and operationalize database change across modern delivery environments.

The new capabilities are designed to help teams understand database changes, monitor delivery performance, identify risk earlier, resolve issues up to 95% faster, and centralize audit evidence, while extending governed database change into the systems where developers, DBAs, and change teams already work, including ServiceNow, GitHub, Harness, and Terraform.

The announcement addresses a persistent gap in enterprise delivery. While application and infrastructure changes have become more automated, observable, and standardized, database change still too often moves through ticket attachments, side-channel SQL, manual approvals, and inconsistent execution paths. The result is slower investigations, weaker auditability, and more risk around outages, data integrity, and compliance.

Change Intelligence helps teams see what changed and respond faster

Liquibase Change Intelligence is designed to give teams a clearer view of what changed, how changes are moving across environments, where drift is emerging, and what requires attention next.

It brings together deployment activity, environment-level change status, drift signals, policy outcomes, and operational history so teams can answer critical questions faster: What changed? Where did it fail? Which environments are out of sync? Is drift increasing? What needs to be fixed now?

When failures occur, Change Intelligence is designed to help teams investigate with greater speed and context through AI-driven analysis that identifies likely causes and provides remediation guidance. Instead of forcing teams to reconstruct events from scattered logs, tickets, and tribal knowledge, it gives them a more direct path from issue to understanding to action.

Change Intelligence is also designed to help organizations centralize audit evidence for what changed, who approved it, where it ran, and what happened. That gives engineering, security, and compliance teams a more structured and accessible record of database change activity, reducing reliance on screenshots, manual evidence gathering, and fragmented reporting.

New connectors extend governed database change into the tools teams already use

Liquibase also unveiled a new suite of Liquibase Secure Deployment Connectors designed to extend governed database change into the platforms many enterprises already use to plan, approve, and deliver work.

For teams using ServiceNow, the connector is designed to bring database change into the existing approval process so approved tickets can result in governed, auditable deployments instead of manual SQL execution and disconnected handoffs.

For teams using GitHub, the connector is designed to bring database change into the same pull request and workflow model already used for application code, adding policy checks, validation, and deployment history tied to commits and branches.

For teams using Harness, the connector is designed to preserve existing pipelines while adding stronger governance, centralized visibility, and compliance-grade auditability around database changes.

For teams using Terraform, the connector is designed to extend infrastructure as code to the database layer, connecting Liquibase Secure to Terraform-managed instances through existing pipelines while enforcing database policies, applying versioned changeSets, and maintaining a complete audit trail over time.

Together, the connectors are designed to remove one of the biggest barriers to stronger database governance: the belief that teams need to rebuild their workflows to get it. Instead, Liquibase is extending governed database change into the systems teams already use, while strengthening traceability, standardization, and audit evidence across the delivery lifecycle.

Built for a new era of AI, data integrity, and operational accountability

The new capabilities reflect a broader shift in how enterprises are thinking about AI readiness and operational risk.

As AI initiatives expand, more changes are being generated, reviewed, and pushed through delivery systems at higher speed and greater scale. But when database change remains inconsistent, weakly governed, or hard to trace, the resulting risk does not stay isolated at the database layer. It carries into applications, analytics, automation, and AI-driven systems.

By helping organizations better understand database changes, catch drift earlier, investigate failures faster, and centralize audit evidence, Liquibase is giving enterprises a stronger operational foundation for trusted applications, data products, and AI initiatives.

Availability

Liquibase Change IntelligenceLiquibase Secure Deployment Connectors, and related capabilities are expected to begin rolling out in fall 2026. Additional details will be shared closer to availability.

Leave a comment »

Ericsson to power majority of Virgin Media O2’s UK RAN network through major partnership extension

Posted in Commentary with tags on March 31, 2026 by itnerd

Ericsson will become Virgin Media O2’s primary radio access network (RAN) partner in a five-year partnership extension that will see Ericsson power the majority of the UK service provider’s nationwide UK radio network. Through securing the majority of the radio network-focused element of Virgin Media O2’s latest Mobile Transformation Plan, the partnership extension will earn Ericsson several hundred million Euros across the five years.

Virgin Media O2’s Mobile Transformation Plan will deliver faster, more reliable mobile connectivity across the UK.

With Virgin Media O2’s mobile traffic more than doubling in the last five years alone, a key element of the network enhancement will focus on maximizing the capabilities of additional 5G mid-band spectrum acquired by Virgin Media O2 in 2025, to strengthen the service provider’s UK leadership in 5G Standalone (SA) connectivity.

The partnership extension is the latest development in Virgin Media O2’s Mobile Transformation Plan – with 2026 investments aimed at improving reliability, boosting capacity and widening coverage across its nationwide network.

The upgrade will feature the deployment of a wide range of Ericsson Radio System products, including advanced and energy-efficient multiband Massive MIMO radios – such as the AIR 3229 and the triple-band Radio 4486 – at both new and existing locations.

Ericsson AI and machine learning-based software will also be deployed to intelligently optimize network performance and efficiency in real time.

Network programmability and intelligence will help Virgin Media O2 to utilize the full capabilities of its 5G SA network, supporting advanced differentiated services through network slicing for application, enterprise and industry use cases.

The network upgrade will enable Virgin Media O2 to move more of its customer base to its 5G SA network, which is already available to 87 percent of the UK population. The partnership is also structured to support Virgin Media O2’s evolution to Cloud RAN and to scale into future 5G-Advanced.

The 2026 enhanced Ericsson-VMO2 partnership is the latest development in a productive longstanding relationship between the companies – which included the 2025 investment tranche of the Mobile Transformation Plan.

That scope included performance and capacity improvements through additional spectrum, network densification and small‑cell deployments, targeted upgrades at network hot spots (like stadiums and transport hubs), and extended coverage along railways, major roads, and previously underserved rural and coastal areas.

Leave a comment »

Hammerspace Announces FIPS 140-3 Validation

Posted in Commentary with tags on March 31, 2026 by itnerd

Hammerspace today announced support for FIPS 140-3 validated cryptography, enabling the Hammerspace Data Platform to be configured to meet the U.S. government standard for cryptographic security. This milestone positions Hammerspace to support deployments in federal, defense, healthcare, finance and other highly regulated environments. Integration into the Hammerspace Data Platform is planned for an upcoming release by the end of 2026.

By supporting FIPS 140-3 validated cryptography, Hammerspace meets key requirements for secure data protection in regulated environments and is advancing the integration of these capabilities into the Hammerspace Data Platform.
 

Security Enforced at the Data Layer for Consistent Control, Compliance and Data Sovereignty

Hammerspace delivers consistent, policy-driven orchestration, governance and protection across distributed environments, providing consistent control in multi-site and hybrid-cloud architectures. With the integration of FIPS 140-3 validated cryptography, the platform is designed to provide:
 

  • End-to-End Encryption with FIPS-Validated Security: Support for encrypting data in-flight and at-rest using FIPS 140-3 validated cryptographic modules, aligning with federal security requirements.
  • Built-In Data Protection and Ransomware Resilience: Immutable snapshots, clones and WORM capabilities to enable rapid recovery and protect against unauthorized modification or deletion.
  • Consistent Security Enforcement Across a Global Namespace: Centralized policy enforcement across the global namespace, ensuring consistent protection across sites, clouds and storage systems.
  • Unified Access Controls Across Protocols and Environments: Consistent access policies across file and object data, spanning NFS, SMB and S3.
  • Policy-Driven Data Governance Sovereignty and Orchestration: Metadata-driven data placement policies to control where data resides, how it moves and how it is used in real time.


The Federal Information Processing Standards (FIPS) 140-3 is defined by the National Institute of Standards and Technology (NIST), and establishes stringent requirements for the design, implementation, and validation of cryptographic modules used to protect sensitive data. Validation requires independent testing by accredited laboratories and is mandatory for systems used by U.S. federal agencies and organizations operating under stringent compliance mandates.

Learn more about Hammerspace solutions for the public sector at https://hammerspace.com/public-sector/.

Leave a comment »

NordLayer launches NordLayer Browser

Posted in Commentary with tags on March 31, 2026 by itnerd

NordLayer has officially launched the NordLayer Browser — an enterprise-grade solution tailored to small and medium-sized businesses (SMBs). To safeguard company operations, it integrates browser-native security, enhanced observability, and access management and control into a single platform, delivering a familiar and intuitive experience for users with effortless deployment and management for businesses.

Leading research and advisory firm Gartner predicts that by 2028, 25% of organizations will deploy at least one secure enterprise browser technology to address specific gaps in their cybersecurity strategy. Gartner also predicts that by 2030, enterprise browsers will be the core platform for workforce productivity and security software on managed and unmanaged devices for a seamless hybrid work experience. These predictions are a direct response to cybercriminals frequently targeting employees via web-based and SaaS-use related attacks, like phishing, malicious browser extension campaigns, and account takeovers, that call for an additional layer of control and visibility within the browser.

The lack of dedicated IT staff, coupled with limited cybersecurity budgets, makes SMBs an attractive target for cybercriminals. A report from NordStellar, a threat exposure management platform, revealed that SMBs — companies with up to 200 employees and revenues up to $25 million — bore the brunt of all ransomware attacks last year.

Key solutions of the NordLayer business browser include:

  • Shadow IT management. The browser provides visibility into SaaS usage and helps mitigate shadow IT activity through web activity monitoring, browser extension tracking, domain blocking, and a comprehensive activity log.
  • Browser data loss prevention (DLP) elements. DLP elements restrict camera, microphone, file downloads, and clipboard access to prevent data capture and exfiltration on untrusted websites. This helps organizations limit uncontrolled data movement and reduce the risk of data leaks.
  • Secure browsing capabilities. The browser enhances security through IP anonymization to hide the user’s address as well as web threat protection that blocks malicious or deceptive websites before they load. Category-based DNS filtering further restricts access to websites based on predefined categories for safer browsing.
  • SaaS access control. The NordLayer Browser secures access through single sign-on (SSO) and multi-factor authentication (MFA) to prevent unauthorized access and maintain compliance. A dedicated IP feature enables IP-based control for internal and SaaS applications, while administrators can configure access to internal websites via a private gateway with a fixed, allowlisted IP address for secure connectivity.
  • Zero-trust browsing. The browser securely manages how the browser traffic flows and what users can access. It routes traffic through approved gateways, provides secure tunnels to private resources, and enables security administrators to allow or block connections to internal and cloud services.

The NordLayer Browser is now available to all organizations. For more information, visit https://nordlayer.com/browser/.

Leave a comment »

Priced to Move: The Underground Markets of Modern Cyberattacks 

Posted in Commentary with tags on March 31, 2026 by itnerd

Abstract’s ASTRO research team just released a new report: Priced to Move: The Underground  Markets of Modern Cyberattacks.

The ASTRO team offers these critical threats for the remainder of 2026:

The ecosystem demonstrated remarkable resilience despite law enforcement successes: BreachForums returned months after its April 2025 takedown, and 57 new ransomware groups emerged to fill gaps left by disrupted operations. Intelligence assessments predict 2026 will mark the first year that non-Russian ransomware actors will outnumber those within Russia. An alarming trend of ransomware groups recruiting corporate insiders further blurs the line between external and internal threats. 

The Priced to Move: The Underground  Markets of Modern Cyberattacks report goes in-depth into:

  • The Broker: Three Weeks of Silence
  • What just happened: The IAB Model
  • The IAB Marketplace
  • Meet the Brokers: A Field Guide
  • How They Get In
  • Twelve Months Inside One Operation
  • The Pipeline in Action
  • When the Broker Gets Caught
  • Detection and Defense
  • Impact and Trends
  • Law Enforcement and Policy

You can read the report here: https://www.abstract.security/reports/priced-to-move

Leave a comment »

World Cloud Security Day exposes the overlooked gap in cloud security: Outbound communication

Posted in Commentary with tags on March 31, 2026 by itnerd

Exclaimer today announced a reminder for organizations to prioritize email communications governance. On World Cloud Security Day, most organizations are focused on securing access to their cloud systems. But far fewer are asking a more difficult question: what happens after a user hits send? According to Exclaimer, one of the most under-governed areas of enterprise communication is outbound email.

Email continues to sit at the center of modern business operations, yet it is also one of the most widely used and least consistently governed communication channels. According to IBM’s Cost of a Data Breach Report 2025, the average data breach in the US now costs $10.22 million, and it takes organizations an average of 258 days to identify and contain an incident. These findings highlight how gaps in visibility and control persist across the enterprise, including in how communication is created and sent.

Cloud security has matured significantly when it comes to controlling access to systems, but governance of communication within those systems hasn’t kept pace. Governance often breaks down at the point of execution, where individual users, manual processes, and fragmented tools create inconsistency and reduce control. Findings from Exclaimer’s State of Business Email 2025 report reinforce how widespread this gap has become, with 83% of organizations reporting issues related to email misuse, inconsistency, or risk.

A shift from access risk to communication risk

Exclaimer, recently named for its leadership in SaaS and cloud workplace culture at the 2025/26 Cloud Awards, says this highlights a broader issue in how businesses approach cloud security.

When 83% of organizations are already experiencing email-related challenges, this shows the issue is no longer awareness, but how consistently organizations can apply control. And control breaks down quickly when critical elements like disclaimers, branding, and compliance messaging are left to individual users to manage and implement. As communication scales, this challenge is only intensifying. IBM’s research shows that one in six data breaches now involve AI-driven attacks, underscoring how quickly the volume and complexity of communication is increasing.

The governance gap in enterprise communication

Findings from Exclaimer’s State of Business Email 2025 report reveal a growing gap between how organizations secure access and how they control communication. While investment in platforms like Microsoft 365 and Google Workspace continues to rise, only 41% have fully integrated email into their broader security and compliance stack.

In regulated industries, this can introduce real exposure, where missing or inconsistent information may fall short of legal or industry-specific requirements. Even outside of compliance risk, inconsistent outbound communication can erode trust, particularly when customers expect accuracy, professionalism, and clarity in every interaction.

Security at scale requires real-time control

As email volumes increase and communication becomes more distributed across users, devices, and AI-assisted tools, ensuring consistency can’t depend on manual action, it requires policy-driven enforcement that operates in real time, across the entire organization.

Learn more at www.exclaimer.com

Leave a comment »

« Older Entries
Newer Entries »