"Most people don't realize they're running hundreds of applications that can access all data in their files. Limiting what apps can do on your network prevents data breaches. At the end of the day, identifying specific vulnerabilities is key to selecting the right cybersecurity tools for your organization." - Danny Jenkins
What you need to know: Ransomware group WorldLeaks breached Sapp Bros.' network late last year, exfiltrating internal data and publicly posting fragments of employees' sensitive information on the dark web. The company did not publicly acknowledge the breach for several weeks. During that time, stolen data had reportedly already circulated. A class-action lawsuit was filed alleging that the delay left employees vulnerable and allowed the attackers to effectively set the notification timeline.
Why it matters: At the center of this incident is when an organization is legally required to disclose a breach. The employees (plaintiffs) argue that Sapp Bros.' delay constituted a separate injury and a violation of the company's duties to employees. Sapp Bros. meanwhile argues that statutory notification periods begin only after confirmed unauthorized acquisition rather than unverified rumors. Plaintiffs also cite FTC guidance and NIST CSF to define reasonable expectations. While these materials are influential, they are not binding law, and courts typically focus on explicit statutory duties and evidence of harm.
Key takeaways: Every organization needs a clear breach confirmation playbook defining detection and validation steps, internal roles, and criteria for issuing notice. Preserve logs, investigation timelines, and internal reports as evidence of deliberation, response actions, and decision making. Finally, premature exposure carries a risk, but prolonged silence can erode trust. Making a plan for timely, accurate communication is just as critical as the technical response.
What you need to know: Privileged Identity Management (PIM) focuses on controlling, monitoring, and limiting access to accounts with elevated permissions like admins, service accounts, and system-level users. These are prime targets for attacks because a single compromised privileged account can grant broad access across systems and data. Traditional approaches rely on standing admin rights, rotating passwords, or manual approvals. The ThreatLocker Zero Trust approach to PIM emphasizes removing persistent privilege and only granting elevated access when explicitly needed and approved.
Why it matters: As seen in multiple recent incidents, most major breaches start with credential abuse and privilege escalation. If attackers gain a foothold, excessive or always-on privileges allow them to move laterally, disable controls, and access sensitive systems undetected. PIM addresses this risk by enforcing least privilege, shrinking the blast radius of a compromise, and making privilege escalations visible and auditable. This is critical in a Zero Trust architecture because it treats privileged access as inherently untrusted and requires continuous validation.
Key takeaways: Privileged access should be temporary, verified, and auditable rather than permanent. Eliminating standing admin rights significantly reduces the impact of credential theft and malware, and PIM should be treated as a foundational control alongside application control. Enforcing least privilege by default and requiring explicit approval for elevation can prevent a single compromise from becoming a full account takeover.
What you need to know: Authoritative security policies define what is explicitly allowed, rather than reacting to threats after the fact. Instead of relying on alerts, detections, or user behavior assumptions, authoritative policies establish clear rules for applications, processes, and access and enforce them consistently across your environment. This approach shifts security into proactive control, reducing ambiguity and dependency on human decision-making during incidents.
Why it matters: Many security failures stem from unclear or inconsistent policies that leave room for exceptions, manual overrides, and alert fatigue. When policies are vague or reactive, attackers can exploit gaps through trusted tools, misconfigurations, or legitimate-but-abused processes. Authoritative policies align closely with Zero Trust principles by assuming nothing should execute unless explicitly permitted. This reduces attack surface, limits blast radius, and makes security outcomes more predictable at enterprise scale.
What you can do: Clearly document which applications, scripts, and behaviors are allowed and enforce those rules consistently across your environment. Replace broad trust and detection with policies that block unauthorized actions before they execute. Treat these policies as living controls that adapt as business evolves, not static rules you can set and forget.
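As an added illustration of the default-deny policy model described above (example code written for this newsletter, not ThreatLocker's engine or policy format), the toy evaluator below allows an execution only when an explicit rule matches, optionally pins the allowed binary to a hash, and limits which child processes an allowed application may launch. The policy entries, paths and hash are constructed sample data.

```python
import fnmatch
import hashlib

# Constructed allow list (sample policy, not a real product format). Every entry is
# an explicit permission; anything that matches no entry is denied by default.
POLICY = [
    {"id": "office", "path": "c:\\program files\\office\\*.exe", "may_spawn": []},
    {"id": "backup", "path": "c:\\tools\\backup.exe",
     # Pin this tool to one known build: a swapped binary at the same path is denied.
     "sha256": hashlib.sha256(b"constructed backup binary").hexdigest(),
     "may_spawn": ["c:\\windows\\system32\\robocopy.exe"]},
    {"id": "system", "path": "c:\\windows\\system32\\*.exe", "may_spawn": ["*"]},
]


def match_rule(path):
    """Return the first policy entry whose path pattern matches, else None."""
    path = path.lower()  # Windows paths are case-insensitive
    return next((r for r in POLICY if fnmatch.fnmatchcase(path, r["path"])), None)


def evaluate(event):
    """Decide allow/deny for an execution event: {'path', 'sha256', 'parent'}."""
    rule = match_rule(event["path"])
    if rule is None:
        return "deny", "no rule permits this application"
    if "sha256" in rule and rule["sha256"] != event.get("sha256"):
        return "deny", f"hash does not match rule {rule['id']}"
    parent = event.get("parent")
    if parent:
        # An allowed application may only launch the children its rule lists.
        prule = match_rule(parent)
        child = event["path"].lower()
        if prule is None or not any(fnmatch.fnmatchcase(child, p) for p in prule["may_spawn"]):
            return "deny", f"parent {parent} may not launch this application"
    return "allow", f"permitted by rule {rule['id']}"
```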
This year's ZTW is shaping up to be the most hands-on, high-energy event yet.
The highlights include:
Linus Sebastian, Jakoby, MalwareTech, PC Security Channel, and more.
Live hacking contest with a $5,000 custom-built PC on the line.
A Space Age-themed after party (costumes are highly encouraged).
In-person Cyber Hero Help Desk so you can troubleshoot issues face-to-face.
What you need to know: Security researchers have uncovered five malicious Chrome extensions that impersonate popular enterprise HR and ERP platforms such as Workday, NetSuite, and SuccessFactors. These extensions (DataByCloud Access, Total Access 11, Software Access, DataByCloud 1, and DataByCloud 2) were designed to look like productivity tools but instead steal authentication tokens, hijack sessions, and block security controls, enabling attackers to take over user accounts with elevated access. Although most were removed from the Chrome Web Store, they may still be available on third-party download sites and could remain installed on enterprise machines.
Why it matters: Browser extensions run with broad privileges inside the user’s browser and can access session cookies or DOM elements of enterprise applications. By exfiltrating tokens, these rogue extensions effectively bypass traditional defenses such as MFA and monitoring alerts, facilitating silent account takeover and lateral movement within corporate environments. Even a single compromised user session for HR or ERP systems can expose sensitive employee data, financial workflows, and internal business processes.
What you can do: Many employees assume browser extensions are innocuous, so educating your teams on suspicious add-ons and preventing them from installing unapproved software is crucial. Look for unexpected token activity or session anomalies that might indicate cookie theft or hijacking.
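One way to check the extensions actually installed on a fleet, as an added example that is not part of the original article: each Chrome extension ships a manifest.json, so an inventory script can flag manifests whose name matches one of the five reported extensions, or whose permissions let the extension read cookies or intercept traffic for the impersonated HR/ERP platforms. The three manifests below are constructed samples; the host patterns for Workday, NetSuite and SuccessFactors are assumed for the illustration.

```python
import json

# Names of the five malicious extensions reported above.
KNOWN_BAD_NAMES = {"DataByCloud Access", "Total Access 11", "Software Access",
                   "DataByCloud 1", "DataByCloud 2"}
# Chrome permissions that let an extension read session cookies or intercept web traffic.
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking",
                     "declarativeNetRequest", "scripting", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Domains of the platforms the rogue extensions impersonated (assumed for this example).
ENTERPRISE_DOMAINS = ("workday.com", "netsuite.com", "successfactors.com")

# Constructed sample manifests, as read from each extension's manifest.json.
SAMPLE_MANIFESTS = [json.loads(s) for s in (
    '{"name": "DataByCloud Access", "manifest_version": 3, "permissions": ["cookies", "scripting"], '
    '"host_permissions": ["<all_urls>"]}',
    '{"name": "Corporate Dark Theme", "manifest_version": 3, "permissions": ["storage"]}',
    '{"name": "Timesheet Helper", "manifest_version": 2, '
    '"permissions": ["cookies", "webRequest", "*://*.workday.com/*"]}',
)]


def audit_manifest(manifest):
    """Classify one extension manifest as 'remove', 'review' or 'ok', with reasons."""
    perms = set(manifest.get("permissions", []))
    # Manifest V2 lists host patterns under "permissions"; V3 moves them to "host_permissions".
    hosts = {p for p in perms if "://" in p or p == "<all_urls>"}
    hosts |= set(manifest.get("host_permissions", []))
    reasons = []
    if manifest.get("name") in KNOWN_BAD_NAMES:
        reasons.append("name matches a reported malicious extension")
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        reasons.append("risky permissions: " + ", ".join(risky))
    if hosts & BROAD_HOSTS:
        reasons.append("can run on every site")
    targeted = sorted(d for d in ENTERPRISE_DOMAINS if any(d in h for h in hosts))
    if targeted:
        reasons.append("reaches enterprise apps: " + ", ".join(targeted))
    if manifest.get("name") in KNOWN_BAD_NAMES:
        verdict = "remove"
    elif risky and (hosts & BROAD_HOSTS or targeted):
        verdict = "review"  # cookie/traffic access plus reach into HR/ERP sessions
    else:
        verdict = "ok"
    return verdict, reasons


def audit_all(manifests):
    """Map extension name to verdict for a whole inventory."""
    return {m.get("name", "?"): audit_manifest(m)[0] for m in manifests}
```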
The hidden risk of orphan accounts
What you need to know: Recent research highlights a growing threat from orphaned or unmanaged accounts. These neglected accounts can include legacy administrative logins, service accounts without owners, and cloud identities disconnected from HR processes. Because they’re often overlooked by identity governance tools, attackers actively hunt for them as easy targets to gain footholds and persist in environments undetected.
Why it matters: Orphan accounts undermine the principle of least privilege and widen the attack surface. Once an attacker discovers an unused or unmanaged account, they can escalate privileges, maintain persistence, and blend into normal activity because these accounts aren’t monitored closely. In environments with hybrid cloud, legacy systems, and frequent organizational changes, orphaned identities multiply, turning forgotten access into unmonitored backdoors.
What you can do: Conduct regular identity audits to find and disable orphan accounts, especially for admin and service roles. Integrate with HR systems so that account provisioning and deprovisioning are tied to employee onboarding and offboarding. Use IAM and PAM tools to flag accounts with long periods of inactivity or privilege mismatches.
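The audit described above, as an added example that is not part of the original article: an identity export is reconciled against the HR roster to surface accounts with no HR record or no living owner, accounts idle for more than 90 days, and users holding admin rights their role does not justify. The roster, accounts, roles and the 90-day threshold are constructed sample values.

```python
from datetime import date

# Constructed HR roster (sample data): current employees and their job role.
HR_ROSTER = {"alice": "engineer", "bob": "sysadmin", "erin": "helpdesk"}
# Roles that justify a privileged account; any other privileged user is a mismatch.
PRIVILEGED_ROLES = {"sysadmin"}
INACTIVE_AFTER_DAYS = 90
AS_OF = date(2025, 1, 15)  # fixed reference date so the audit is reproducible

# Constructed identity export (sample data) as an IAM/PAM tool might produce it.
ACCOUNTS = [
    {"name": "alice", "kind": "user", "privileged": False, "owner": "alice", "last_login": "2025-01-10"},
    {"name": "bob", "kind": "user", "privileged": True, "owner": "bob", "last_login": "2025-01-12"},
    {"name": "carol", "kind": "user", "privileged": True, "owner": "carol", "last_login": "2024-03-02"},
    {"name": "svc-backup", "kind": "service", "privileged": True, "owner": None, "last_login": "2024-12-30"},
    {"name": "svc-legacy-erp", "kind": "service", "privileged": True, "owner": "dave", "last_login": "2023-06-01"},
    {"name": "erin", "kind": "user", "privileged": True, "owner": "erin", "last_login": "2025-01-11"},
]


def audit_account(acct, as_of=AS_OF):
    """Return the list of orphan / least-privilege findings for one account."""
    findings = []
    if acct["kind"] == "user":
        if acct["name"] not in HR_ROSTER:
            findings.append("no HR record")  # person left, account survived offboarding
        elif acct["privileged"] and HR_ROSTER[acct["name"]] not in PRIVILEGED_ROLES:
            findings.append("privilege mismatch")
    else:  # service account: someone in HR must own it
        if acct["owner"] is None:
            findings.append("no owner")
        elif acct["owner"] not in HR_ROSTER:
            findings.append("owner not in HR")
    idle = (as_of - date.fromisoformat(acct["last_login"])).days
    if idle > INACTIVE_AFTER_DAYS:
        findings.append(f"inactive {idle} days")
    return findings


def run_audit(accounts=ACCOUNTS, as_of=AS_OF):
    """Map each flagged account to its findings and a recommended action."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, as_of)
        if findings:
            # Privileged accounts with any finding are disabled first; others are reviewed.
            report[acct["name"]] = {"findings": findings,
                                    "action": "disable" if acct["privileged"] else "review"}
    return report
```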
Live webinars with Zero Trust experts
Actionable strategies you can implement immediately
How attackers move laterally between hosts and VMs.
How to contain compromise when something goes wrong.
The third issue of Cyber Hero Frontline will be released in March. To receive your copy, let us know your current address at the button below. You can also send a copy to a friend.