Android security changes, CISA incentive audit, LLM usage
Today on CISO Series...
Android moving to “risk-based” security updates
Since August 2015, Google has published a monthly Android Security Bulletin (ASB) listing vulnerabilities fixed in its monthly security update. This came in two varieties: a public one, and a private one sent to OEM partners 30 days in advance to give them time to test and release patches before they go public. Google will now shift the monthly ASB to list “high-risk” vulnerabilities, while most other patches will go out in a quarterly ASB. This was designed to reduce the number of patches to test and validate for OEMs, hopefully speeding up patch time, while giving them more flexibility in addressing less urgent issues. As a result, some monthly ASB updates may list zero vulnerabilities.
CISA accused of Cyber Incentive mismanagement
This finding came from the Department of Homeland Security Office of Inspector General, which began an audit after receiving a complaint about the program in 2023. This program was developed to incentivize “mission-critical” cyber employees to stay in their roles. The OIG’s audit found the program was used to pay employees in support functions outside of cybersecurity. It also found a lack of adequate records for program enrollment and payouts, as well as a violation of federal rules for paying out incentive bonuses as part of “unallowable” back pay from 2022 to 2024. OIG didn’t recommend ending the program, but recommended handing over management to a separate office and developing consistent guidance and tracking for the program.
How security practitioners use LLMs
Anthropic released its Economic Index, an in-depth report on who uses its LLMs, where, and how. The report is fairly granular, going into different use rates across countries and US states, as well as how different professions use it. For “Information Security Analysts” the most popular use case was automating the coordination of computer system plans with stakeholders. Other common use cases were creating documentation, performing risk assessments, and developing incident response plans. Other jobs seeing automation of security functions included web developers, web administrators, and network administrators. There’s lots of great stuff in the report, so be sure to check it out in the show notes.
Open-source benchmarks for AI security tools
CrowdStrike and Meta released CyberSOCEval, a suite of open-source benchmark tools meant to provide a baseline for evaluating LLMs on real-world cybersecurity use cases. The benchmarks focus specifically on malware analysis and threat intelligence reporting, two areas where CrowdStrike says the effectiveness of LLMs is currently not well understood. In a paper supporting the benchmarks, the researchers reported that initial results from major LLMs on both tasks showed middling performance across the board. In the GitHub notes on CyberSOCEval, CrowdStrike also said that because most models “have not been trained to reason about cybersecurity analysis,” it does not currently see performance scale with additional analysis time the way it typically does in coding or math tests.
Huge thanks to our sponsor, Drata
Credit Union notifies users about 2023 data breach
Fairmont Federal Credit Union notified over 187,000 individuals about the attack, which saw names, dates of birth, Social Security numbers, driver’s license numbers, government ID numbers, and full payment card numbers and PINs stolen. The attack occurred between September 30 and October 18, 2025, just shy of two years ago. Fairmont did not discover the breach until January 23, 2024, and did not conclude its investigation until August 17, 2025. The credit union did not give specifics on the attack or attribute it, but the Black Basta ransomware group listed it on its leak site.
Microsoft reminds us that people still use old things
Microsoft confirmed that the September 2025 Windows security update caused connection issues with shared files and folders over SMB v1 on the latest builds of Windows 11, Windows 10, and Windows Server platforms. Microsoft probably isn’t too upset by this: it has been trying to phase out the 30-year-old file-sharing protocol since deprecating it in 2014, and has not installed it by default on Windows since 2017. Until it releases a fix, Microsoft recommends that impacted users allow traffic on TCP port 445 as a workaround. But really, please don’t use CIFS, SMB v1, or any other ancient file sharing. Please.
New Zealand sanctions Russians over cyberattacks
New Zealand Foreign Minister Winston Peters announced that the country imposed sanctions on threat actors working with Russia’s Unit 29155, aka Ember Bear and Cadet Blizzard, believed to be part of the GRU intelligence agency. This group was responsible for the 2022 WhisperGate attack on the Ukrainian government ahead of Russia’s invasion of the country. New Zealand specifically cited the group’s conduct in Ukraine as the reason for the sanctions. The EU and Great Britain have also sanctioned the group in recent months.
FinWise discloses insider threat breach
FinWise is a bank that originates and funds loans for consumer-facing services, including American First Finance. The bank sent a data breach notification on behalf of American First Finance, stating that an incident occurred on May 31, 2024, in which a former employee accessed sensitive customer data after their employment ended. FinWise did not discover the data breach until June 18, 2025. A filing with the Maine Attorney General’s office disclosed that this impacted 689,000 customers. There is no word on how the former employee was able to access the information after employment ended, or on the extent of the personal data leaked. FinWise is offering the industry-standard platitude of two years of credit monitoring.