Crowdstrike wasn’t the only security news.
Microsoft’s Windows Hello for Business (WHfB) authentication model, designed to be phishing-resistant, has been found vulnerable to downgrade attacks. Attackers can intercept and alter authentication requests, downgrading WHfB to less secure authentication methods. Microsoft has released a fix for this vulnerability, and a security researcher will demonstrate the attack and mitigation at Black Hat USA 2024. Administrators can now activate a new Conditional Access capability called “authentication strength” to enforce phishing-resistant authentication. This fix ensures that users can only authenticate with secure methods.
And I want to revisit that AT&T breach because it appears AT&T paid the ransom. AT&T’s response involved paying a hacker $370,000 to delete the stolen call records, which seems to have mitigated the fallout. AT&T believed that the data stolen during the breach was never made public, but there may still be pockets of customer data floating around hacking circles. They aren’t alone — 84% of security professionals surveyed earlier this year said their company had paid ransom after being attacked.
Here’s a different approach. Switzerland has passed a groundbreaking law, the Federal Law on the Use of Electronic Means for the Fulfillment of Governmental Tasks (EMBAG), which mandates using open-source software (OSS) in the public sector. The law requires public bodies to disclose the source code of software developed by or for them, promoting transparency, security, and efficiency. The implementation of EMBAG is expected to serve as a model for other countries.
The Cybersecurity and Infrastructure Security Agency (CISA) has published a playbook for resilienceplanning in critical infrastructure. The playbook provides guidance on improving security and resilience, minimizing the impact of cyberattacks, and reducing system restoration costs. It includes processes, tabletop exercises, and key actions for resilience planning. The playbook is a voluntary resource and does not carry any regulations or statutory authority.
Speaking of CISA, Brandon Wales, the executive director of the Cybersecurity and Infrastructure Security Agency (CISA), will be leaving the agency after three years. Bridget Bean will take over as the new executive director in August. Wales played a crucial role in guiding CISA through major cybersecurity threats and shaping the agency’s strategic plan. This departure follows the recent departure of Eric Goldstein, the executive assistant for cybersecurity at CISA.
Why do we care?
Tactically, make sure your Windows Hello settings are correct and the fix applied. Also, leverage that CISA playbook and know that CISA is maturing like most organizations with changes in leadership.
Strategically, I’m with the security experts who say not to pay ransoms, and I believe this should be your plan, expecting not to pay the ransom. That said, it appears we’re in the minority. And know that it’s possible to go entirely different routes that everyone else. The Swiss Government has done all open source. No one says you HAVE to do everything like everyone else.

