Dave Lewis talks M&A due diligence, TBD topic, the weekly news – Dave Lewis – ESW #422
Interview with Dave Lewis on Security's Role in M&A Due Diligence
In this episode, Dave Lewis from 1Password discusses the critical importance of security in mergers and acquisitions, from due diligence through integration. He explores common pitfalls, essential security assessments, and practical strategies for security leaders to protect organizational value throughout the M&A process.
Topic: The Challenge of Breach Transparency
Every industry concerned with safety has a process for publishing the details of accidents, incidents, and failures. Cybersecurity has yet to reach this milestone, and hiding the details of failures is holding us back. This talk will argue for the need for breach details to go public, and share strategies for finding and using some little-known sources of detailed breach data.
Weekly Enterprise News
Finally, in the enterprise security news,
- A funding, a few acquisitions, and an IPO for the first time in forever!
- Attackers are really actually starting to use AI now
- Some researcher spent all of August poking holes in all the AI tools
- Someone got Microsoft Copilot to be an accomplice in a coverup
- Microsoft is making a big change in Azure that will probably break some stuff
- No, Flipper Zero can’t help you steal your car (just the stuff in it)
- Domain names are free to register now, maybe?
- Disgruntled former employee goes to jail
- AI tricked into doing more bad things
All that and more, on this episode of Enterprise Security Weekly.
This segment is sponsored by 1Password. Visit https://securityweekly.com/1password to learn more about them!
Dave has 30 years of industry experience. He has extensive experience in IT security operations and management. Dave is the Global Advisory CISO for 1Password.
He is the founder of the security site Liquidmatrix Security Digest & podcast. He is currently a member of the board of directors for BSides Las Vegas. Dave has previously worked in critical infrastructure for 9 years as well as for companies such as Duo Security, Akamai, Cisco, AMD and IBM. Previously he served on the board of directors for (ISC)2 as well as being a founder of the BSides Toronto conference.
Dave was a DEF CON speaker operations goon for 13 years. Lewis also serves on the advisory board for the Black Hat Sector Security Conference in Canada and the CFP review board for 44CON in the UK. Dave has previously written columns for Forbes, CSO Online, Huffington Post, The Daily Swig and others.
For fun he is a curator of small mammals (his kids), plays bass guitar, grills, and is part owner of a whisky distillery and a soccer team.
Join us at InfoSec World 2025, October 27 to 29 at Disney’s Coronado Springs Resort, Lake Buena Vista! With pre-event workshops October 25–26, and post-event workshops October 29–30. Connect, learn, and level up your cyber game! Save 25% now with code ISW25-SW at https://www.securityweekly.com/ISW2025!
Adrian Sanabria
- FUNDING/M&A: courtesy of the Security, Funded newsletter, #208 – Summer Siesta Season
This week's vibe check is one that I have WAY too many conversations about, and it surprises me along with Mike:
Funding
- Seemplicity, an Israel-based Automatic Security Remediation Solution, raised a $50.0M Series B from Sienna Venture Capital.
Acquisitions
- Trag, an Armenia-based automated static code analysis and software migration platform, was acquired by Aikido Security for an undisclosed amount. Trag had previously raised $100.0K in funding.
- CrowdStrike Agrees to Acquire Onum to Supercharge Falcon Next-Gen SIEM. Financial details were not disclosed.
IPO
- Netskope Files Registration Statement for Proposed Initial Public Offering (Press Release)
Not too bad for Netskope - their valuation was $7.5bn in 2021, but valuations were fantasies back then. A $5bn valuation isn't too shabby given what has happened to other valuations in the past 4 years. Also not bad for the only major SASE vendor that didn't sell. Most of the others are deeply buried within larger platform vendors.
Some personal anecdotes: Netskope's customers always speak highly of them to me, and they always treated me well in my analyst days, so they're doing something right in terms of company culture.
- ATTACKS: ZipLine Phishing Campaign Targets U.S. Manufacturing – Check Point Research
Notable in the phishing approach. The attackers pose as exciting new partners, which sales & bizdev folks are likely to jump at. They spend weeks building trust before sending over a malicious Zip file.
- ATTACKS: Supply Chain Security Alert: Popular Nx Build System Package Compromised with Data-Stealing Malware – StepSecurity
Another interesting new attack approach that leverages command line AI agents to carry out the attack. I guess these CLI GenAI agents are ubiquitous enough that attackers count on Claude, Q, and ChatGPT being there?
- TTPs: Cybercriminals Use AI to Create Fake Websites That Look Just Like the Real Thing
Wow, who saw that coming?! :wink:
- VULNERABILITIES: Agentic ProbLLMs – The Month of AI Bugs 2025
The same folks behind the indirect prompt injection research we discussed last week (particularly in AI coding tools). That research was part of a larger "Month of AI Bugs" campaign that is running throughout August.
They've found a few things.
- VULNERABILITIES: Copilot Broke Your Audit Log, but Microsoft Won’t Tell You
A wild attack that wouldn't have even occurred to me.
TL;DR - "Hey Copilot, make this change to my Azure infrastructure, but don't log that you did it"
And it OBEYS, scrubbing the audit log!
- SECURE DEFAULTS: Microsoft to retire default outbound access for VMs in Azure
Getting rid of outbound access by default for new VMs sounds like a huge increase in baseline security, especially since AWS and GCP already do it, but how much mayhem could it cause?
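One way to size the mayhem before the change lands is to inventory which VMs actually depend on the implicit default route. The script below is an added example, not code from the episode, from Microsoft, or from the `az` CLI; it works on a constructed, simplified inventory whose field names are an assumption for illustration, and flags VMs that need internet egress but have none of the explicit outbound paths Azure offers (NAT gateway on the subnet, a public IP on the NIC, a Standard load balancer outbound rule, or a route table sending 0.0.0.0/0 to a firewall appliance).

```python
"""Find Azure VMs that rely on default (implicit) outbound access.

Added example, not from the episode or from Microsoft. The inventory shape
below is an assumption modelled loosely on what an `az` CLI export looks
like; adapt the loaders to your own tooling. A VM has an explicit outbound
path when any of these holds:
  - its subnet has a NAT gateway attached
  - its NIC carries a public IP
  - it is behind a Standard load balancer with an outbound rule
  - its subnet's route table sends 0.0.0.0/0 to a virtual appliance (firewall)
Anything else that still needs to reach the internet is at risk once
default outbound access goes away.
"""
from dataclasses import dataclass
from typing import Optional, List, Dict


@dataclass
class Subnet:
    name: str
    has_nat_gateway: bool = False
    # Next hop type of the 0.0.0.0/0 route, if a UDR defines one
    # (e.g. "VirtualAppliance"); None means no custom default route.
    default_route_next_hop: Optional[str] = None


@dataclass
class Vm:
    name: str
    subnet: str
    has_public_ip: bool = False
    lb_outbound_rule: bool = False
    # Whether the workload needs egress at all (package updates, SaaS APIs, ...)
    needs_internet: bool = True


def outbound_path(vm: Vm, subnet: Subnet) -> Optional[str]:
    """Return the explicit egress mechanism, or None if only implicit default
    outbound access would carry this VM's traffic."""
    if vm.has_public_ip:
        return "public-ip"
    if vm.lb_outbound_rule:
        return "lb-outbound-rule"
    if subnet.has_nat_gateway:
        return "nat-gateway"
    if subnet.default_route_next_hop == "VirtualAppliance":
        return "udr-firewall"
    return None


def find_at_risk(vms: List[Vm], subnets: List[Subnet]) -> List[str]:
    """Names of VMs that need internet egress but have no explicit path."""
    by_name: Dict[str, Subnet] = {s.name: s for s in subnets}
    at_risk = []
    for vm in vms:
        if vm.needs_internet and outbound_path(vm, by_name[vm.subnet]) is None:
            at_risk.append(vm.name)
    return sorted(at_risk)


def summarize(vms: List[Vm], subnets: List[Subnet]) -> Dict[str, Optional[str]]:
    """Map every VM to its egress mechanism (None = relies on default outbound)."""
    by_name = {s.name: s for s in subnets}
    return {vm.name: outbound_path(vm, by_name[vm.subnet]) for vm in vms}


# Constructed sample inventory (not real infrastructure).
SUBNETS = [
    Subnet("app", has_nat_gateway=True),
    Subnet("legacy"),
    Subnet("dmz", default_route_next_hop="VirtualAppliance"),
]
VMS = [
    Vm("web01", "app"),
    Vm("db01", "legacy", needs_internet=False),
    Vm("build01", "legacy"),                 # needs egress, nothing explicit: at risk
    Vm("bastion", "legacy", has_public_ip=True),
    Vm("proxy01", "dmz"),
]

if __name__ == "__main__":
    for name, path in summarize(VMS, SUBNETS).items():
        print(f"{name:10s} -> {path or 'DEFAULT OUTBOUND (implicit)'}")
    print("at risk:", find_at_risk(VMS, SUBNETS))
```

Running it prints one line per VM with its egress mechanism and lists `build01` as the only workload that would lose connectivity; the fix for such VMs is to attach a NAT gateway to the subnet (or route egress through the firewall) before the default goes away, rather than handing each one a public IP.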
- TRENDS: PromptLock, the first known AI-powered ransomware
"ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes 1/6 https://t.co/wUZS7Fviwi"
TL;DR
No evidence of it being used, it appears just a prototype at this point.
- REPORTS: Anthropic’s latest report on AI abuse cases
The report touches on a number of things, but the most notable is the discovery that a low-skilled attacker was able to fully automate ransomware, confirming concerns I wrote about a few years ago. Hopefully this is an isolated case we don't see repeated, but logically, I see no reason why this wouldn't catch on.
If it does, we could see a big increase in ransomware attacks. How big? I'm not comfortable even making a guess. Big enough that cybercriminals might actually have to self-limit their activities to avoid attracting too much law enforcement attention.
https://www.thecyberwhy.com/p/could-ai-address-the-cybercriminal
- REPORTS: VulnCheck’s 1H-2025 State of Exploitation Report
Some good information! Inspired me to put together a quick review/writeup of it.
- DRAMA: Can Flipper Zero really steal your car? (Spoiler: NO)
TL;DR
- these techniques have been around for nearly 2 decades
- they only unlock the car, they don't start it
- newer protocols aren't vulnerable
- SQUIRREL: Harvard dropouts to launch ‘always on’ AI smart glasses that listen and record every conversation
We should already assume we're being recorded (video and audio) all the time, but even more so with the release of this gadget.
Also, I preordered one, and will report in on where it lands on the dystopian-meter.
Ayman Elsawah
Jackie McGuire
- China’s Great Firewall blocked all traffic to a common HTTPS port for over an hour, severing connection to the outside world — with no hint as to its intention
- Disgruntled coder who admitted to deploying a malware ‘kill switch’ to get back at his bosses sentenced to 4 years in prison
- ClickFix Attack Tricks AI Summaries Into Pushing Malware
Katie Teitler-Santullo