September 2025 Cybersecurity Brief
September 15, 2025
Supply-chain ransomware, airport disruption, and real post-quantum cryptography (PQC) rollouts.
What happened in September 2025
- European airports suffered check-in outages after a vendor platform was hit, affecting multiple hubs.
- Ransomware volumes remained high, with manufacturing and services leading victim counts.
- Several brands faced HR and third-party SaaS exposures, showing supply-chain risk concentration.
- CDNs and security providers rolled out hybrid-PQC key exchange for client traffic.
- Tooling emerged to assess PQC readiness across Web2/Web3 stacks.
- States advanced faster breach-notification deadlines, compressing response windows.
Why it matters
Attackers favor leverage. If a shared vendor or platform fails, many organizations fail together. Meanwhile, “harvest-now, decrypt-later” pressure makes long-lived data and logs a future target. The response is architectural: contain by design and upgrade crypto before attackers can read the past.
- Protect the object: enforce ABAC + rule-based access at the data layer, not the network.
- Constrain suppliers: isolate third-party integrations behind PEPs (policy enforcement points such as proxies and gateways) with default-deny.
- Prove decisions: append policy versions and access outcomes to an immutable log for fast audits.
- Go hybrid-PQC: enable PQC+classical handshakes for TLS now; plan PQC-only cutovers later.
Key incidents and trends, explained
Airline check-in and passenger processing depended on a common vendor service. A ransomware event upstream created cascading failures. Lesson: treat vendor platforms like untrusted networks. Terminate, inspect, and authorize per request.
Victim counts stayed elevated. New affiliates and AI-assisted delivery increased speed from foothold to impact. Lesson: reduce privileges, segment by blast radius, and keep recovery immutable and offline-verifiable.
Major networks enabled hybrid PQC key exchange for client traffic. Some UEM and infra vendors began shipping PQC features for device fleets. Lesson: you can test PQC today with phased rollout flags and fallbacks.
Practical actions for September–October 2025
| Action | Owner | Target |
|---|---|---|
| Enable hybrid-PQC (e.g., X25519+ML-KEM) on edge proxies and test client behavior | Network/SRE | Pilot in 2 weeks; telemetry on CPU/latency |
| Gate vendor APIs via PEPs with ABAC and deny-by-default rules | App Sec / Platform | Top 5 critical vendors first |
| Immutably log policy versions and access outcomes; anchor daily hash | Security Eng | 30-day baseline, proof-of-tamper |
| Rehearse 30-day breach-notification playbook with legal and comms | IR / Legal | Tabletop this month |
| Offline-verifiable backups with staged restore tests (RTO/RPO) | IT Ops | Weekly checks, signed manifests |
Post-quantum rollout basics
- Hybrid KEM for TLS 1.3 at edges and WAF/CDN.
- Allow fallback to classical key exchange in phase 1; move to PQC-only later.
- Short-lived certs and strict TLS versions.
- Hash logs and policies with SHA-3 or SHAKE256 at ≥256-bit output.
- Sign ledger checkpoints with Dilithium (ML-DSA) or SPHINCS+ (SLH-DSA).
- Anchor Merkle roots to a public chain periodically.
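The "immutable log of policy versions and access outcomes" from the actions list and the hash/checkpoint items above, as an added illustration that is not code from the brief or any vendor: a hash-chained decision ledger with a daily Merkle checkpoint. The entry fields, policy-version labels and sample decisions are constructed; SHA3-256 stands in for the SHA-3 family named above, and signing the checkpoint and anchoring the root are left to an external step.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev-hash of the first entry


def _h(data: bytes) -> str:
    # SHA3-256: 256-bit output, matching the brief's SHA-3 >= 256-bit guidance
    return hashlib.sha3_256(data).hexdigest()


def _canon(entry: dict) -> bytes:
    # Canonical JSON of every field except the entry's own hash
    body = {k: v for k, v in entry.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_decision(ledger, ts, policy_version, subject, obj, action, outcome):
    """Append one access decision, chained to the previous entry's hash."""
    entry = {"ts": ts, "policy_version": policy_version, "subject": subject,
             "object": obj, "action": action, "outcome": outcome,
             "prev": ledger[-1]["hash"] if ledger else GENESIS}
    entry["hash"] = _h(_canon(entry))
    ledger.append(entry)
    return entry


def verify_chain(ledger):
    """Return the index of the first bad entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev or _h(_canon(e)) != e["hash"]:
            return i
        prev = e["hash"]
    return -1


def merkle_root(hashes):
    """Merkle root over entry hashes; this is the value to anchor each day."""
    level = list(hashes) or [_h(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the last node on odd levels
        level = [_h(bytes.fromhex(a + b)) for a, b in zip(level[::2], level[1::2])]
    return level[0]


def checkpoint(ledger):
    """Daily checkpoint: size, chain head and Merkle root (sign and anchor externally)."""
    return {"count": len(ledger), "head": ledger[-1]["hash"] if ledger else GENESIS,
            "root": merkle_root(e["hash"] for e in ledger)}


def build_sample_ledger():
    """Constructed sample: three decisions under two policy versions (not real data)."""
    ledger = []
    append_decision(ledger, "2025-09-15T08:00:00Z", "abac-v12", "svc-vendor-checkin", "pax/record/4711", "read", "allow")
    append_decision(ledger, "2025-09-15T08:00:05Z", "abac-v12", "svc-vendor-checkin", "pax/record/4711", "write", "deny")
    append_decision(ledger, "2025-09-15T09:30:00Z", "abac-v13", "user:alice", "hr/export", "read", "allow")
    return ledger
```

Editing an entry's outcome after the fact changes its hash, and rewriting that hash breaks the next entry's `prev` link, so `verify_chain` pinpoints the tampered position either way.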
Plain-English FAQ
Takeaway: contain vendors, enforce at the data, and adopt hybrid-PQC now so records and logs remain safe against future decryption.