Week of January 3rd, 2025


Welcome to Your Cybersecurity Recap: a bite-sized weekly newsletter by cybersecurity enthusiasts, for cybersecurity enthusiasts.

Here are this week’s top takeaways:

Alert: New Warning for Chrome, Safari, and Edge Users

Hundreds of millions of web users have been warned about a new and dangerous cyber attack that is impacting some of the world's most-used browsers.

The culprit? Clickjacking.

Clickjacking is an attack that tricks a user into clicking a webpage element that is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

How is this done? With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account when they are actually typing into an invisible frame controlled by the attacker.

This issue comes on the heels of our poll revealing that the majority of our voters are prioritizing proactive threat detection in 2025 and beyond.

So how can organizations proactively defend against clickjacking threats?

There are three main ways to prevent clickjacking:

  1. Sending the proper Content Security Policy (CSP) frame-ancestors directive in response headers, which instructs the browser not to allow framing from other domains. The older X-Frame-Options HTTP header is used for graceful degradation and older-browser compatibility.
  2. Properly setting authentication cookies with SameSite=Strict (or Lax), unless they explicitly need None (which is rare).
  3. Employing defensive code in the UI to ensure that the current frame is the top-level window.
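The three defenses above as small Node.js helpers, added here as an example and not code from the newsletter or from Packetlabs; the origins, cookie name and the `win` parameter are assumptions for illustration, and the CSP source matching is deliberately simplified to exact origins, 'self', 'none' and '*'.

```javascript
// Added example (not from the newsletter): clickjacking defenses as helpers.

// 1. Response headers. CSP frame-ancestors is authoritative; X-Frame-Options is
//    emitted alongside for older browsers (it only understands DENY/SAMEORIGIN).
function antiFramingHeaders(allowedOrigins = []) {
  const sources = allowedOrigins.length ? allowedOrigins.join(' ') : "'none'";
  const headers = { 'Content-Security-Policy': `frame-ancestors ${sources}` };
  if (allowedOrigins.length === 0) headers['X-Frame-Options'] = 'DENY';
  else if (allowedOrigins.length === 1 && allowedOrigins[0] === "'self'")
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  return headers;
}

// Audit helper: given a response's headers, could a page at parentOrigin frame it?
// Mirrors browser precedence: frame-ancestors wins when present, otherwise
// X-Frame-Options, otherwise framing is allowed. Simplified source matching:
// only exact origins, 'self', 'none' and '*' are recognised (assumption).
function framingAllowed(headers, parentOrigin, selfOrigin) {
  const csp = headers['Content-Security-Policy'] || '';
  const m = /(?:^|;)\s*frame-ancestors\s+([^;]+)/i.exec(csp);
  if (m) {
    const sources = m[1].trim().split(/\s+/);
    if (sources.includes("'none'")) return false;
    return sources.some(s =>
      s === '*' || (s === "'self'" ? parentOrigin === selfOrigin : s === parentOrigin));
  }
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parentOrigin === selfOrigin;
  return true; // no header at all: any site may frame this page
}

// 2. Session cookie with SameSite=Strict (default) so the browser withholds it
//    when the page is loaded inside a cross-site frame; Secure and HttpOnly too.
function sessionCookie(name, value, sameSite = 'Strict') {
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) throw new Error('invalid SameSite');
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=${sameSite}`;
}

// 3. Defensive UI check: only safe to interact with when the page is the
//    top-level window. `win` is injected so the check can run outside a browser.
function isTopLevelWindow(win) {
  return win.self === win.top;
}
```

In a real page the check would be `isTopLevelWindow(window)` at load time, with sensitive controls left disabled when it returns false.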

During your next Employee Awareness Training, it is recommended to advise users of the following:

  • Don’t click on pop-ups, especially on sites you don’t use regularly. Many of them are malicious.
  • Pay attention to any browser warnings on the sites you visit. If you are warned not to proceed, don’t.
  • Don’t click a link in any email from an unfamiliar source. Before clicking a link that looks trustworthy, check for spelling errors and note whether it’s an HTTP or HTTPS link. Most trustworthy sites use HTTPS.
  • Text-based clickjacking is becoming more common. Do not click any links in a text from an unknown sender.

How to Fortify Your Organization's Network Security Management in 2025

Identifying risks before they become headlines is integral in 2025 and beyond.

Our ethical hackers have outlined the foundation for improving network security management to fortify your organization against increasingly sophisticated attacks:

  1. Stay Abreast of Password and Passkey Best Practices: Using the current standards, a password of 8 characters can be cracked within seconds to minutes, while a 12-character password may take hours to days. Increasing the length to 16 characters increases the average time for brute-forcing to several months, and a 20-character password could take decades to crack. A 256-bit AES encryption key, often used for safeguarding sensitive data, could take billions of years to crack even with a supercomputer. Alternatively, organizations around the globe are embracing passwordless logins for enhanced security.
  2. Build a Comprehensive Vulnerability Management Program: Make sure the operating system and any running software are current and patched to the most recent level according to vendor recommendations. This reduces the opportunities for threat actors to exploit vulnerabilities.
  3. Develop Data Backup Solutions: While it is practical to back up data manually, most organizations rely on a technology solution to ensure systems are backed up routinely and consistently. The foundations include:
     • Backup Administrator: Every organization should designate a person to be responsible for backups. That person should ensure that backup systems are properly configured, verified on a routine basis, and that critical data is actually backed up.
     • Backup Scope & Schedule: An organization must develop a backup policy, specifying which files and systems are sufficiently important to be backed up and how frequently data should be backed up.
     • Recovery Point Objective (RPO): An organization's tolerance for losing data in the event of a disaster is defined by the frequency of backups. If backups are conducted once daily, the RPO is 24 hours. The lower the RPO, the more data storage, computational, and network resources are required for regular backups.

Read more in our full article.

Recent Posts From Our Ethical Hackers

Every month, our ethical hackers work to provide free resources so that your team can continue improving your organization's security posture.

Here are just some of our recent posts:


More articles from Packetlabs