Holiday Surprises, Too Much Enthusiasm, The Crack in the Shield, Record Breakers, Playing Digital Dodgeball, and Faking It to Make It. It's CISO Intelligence for Friday, 17th October 2025.

Table of Contents

1. Why Unmonitored JavaScript is Your Biggest Holiday Security Risk
2. Obsession with Cyber Breach Notification: Are We Adding Fuel to the Fire?
3. The F5 Digital Theatre: A Nation-State Drama
4. UK's Cybersecurity Jigsaw: Piecing Together 130% Spikes with Puzzles in Executive Offices
5. The Art of Dodging the Synced Passkey Trap
6. Password Managers Get a Bad Rap: Fake Alerts Lead to PC Hijacks

Why Unmonitored JavaScript is Your Biggest Holiday Security Risk

'Tis the season to be... unjolly when your unmonitored scripts are the Grinch in disguise.

What You Need to Know

The holiday shopping season is fast approaching, which typically leads to a spike in online traffic. Yet, with this rise comes a significant risk: unmonitored JavaScript on your websites could become a playground for malicious activity. Executives need to understand the urgency of monitoring and managing JavaScript to protect both their business and customers. Immediate actions are needed to enhance security measures and mitigate risks using best practices and robust protocols.

CISO Focus: Web Application Security
Sentiment: Strong Negative
Time to Impact: Immediate

A Looming Threat: Unmonitored JavaScript

As retailers gear up for the holiday season, ignoring the security of JavaScript running on your website is akin to leaving your store unguarded. JavaScript, the often-overlooked workhorse of web interactivity, becomes a prime target for unscrupulous actors. Unmonitored JavaScript can lead to a breach where hackers exploit vulnerabilities to steal transactional data or manipulate website behavior without your knowledge.

Shadow Scripts Under the Holiday Lights

1. Increased Holiday Traffic:

   • During peak shopping times like Black Friday and Cyber Monday, the sheer volume of online transactions skyrockets.
   • Cybercriminals exploit this by embedding malicious JavaScript into web pages which can track keystrokes, extract credit card information, or redirect purchases to fraudulent pages.

2. Third-Party Integrations:

   • Many sites use third-party scripts for analytics, advertising, and other functions.
   • These scripts are often not directly monitored by the site's security team, creating hidden entry points for attacks.
   • In 2020, the Magecart group notoriously used such vulnerabilities to deploy card-skimming scripts on large retail sites.

3. Attack Sophistication:

   • Cybercriminals continuously refine their techniques; malicious scripts can easily be disguised and undetected by traditional security measures.
   • Script obfuscation makes it challenging to distinguish between legitimate code and harmful intrusions.

Taking Action

Given the immediate risks, businesses must implement a robust action plan to safeguard their digital storefronts:

• Conduct Code Audits:

  • Regularly audit not just your own code but also all third-party scripts running on your platform.
  • Ensure thorough vetting of all new script deployments and updates during the holiday season.

• Real-Time Monitoring and Alerts:

  • Deploy tools that provide real-time visibility of all JavaScript activities on your site.
  • Implement automated alerts to flag unusual script behaviors or unauthorized changes.

• Fortified Front-End Defenses:

  • Enhance the security measures of web applications by employing Content Security Policy (CSP) headers to control which scripts can be executed.
  • Use subresource integrity (SRI) to ensure that scripts haven't been tampered with.

Riding the Post-Holiday Cyber Waves

Post-holiday season, revisit your security protocols. Use insights gained to strengthen your defenses against JavaScript-based threats. Consider an annual review of holiday period risks to anticipate and adapt to evolving cyber threats.

Vendor Diligence Questions

1. How does each vendor ensure the security of scripts they provide?
2. What measures are in place for real-time monitoring of third-party JavaScript activities?
3. Can vendors provide a history of past security incidents and how they were mitigated?

Action Plan for CISO Teams

• Immediate Actions:

  • Set up a dedicated task force to audit current JavaScript security measures.
  • Deploy interim real-time monitoring solutions if permanent ones are not yet in place.

• Short-Term Actions (Next 3-6 months):

  • Establish a protocol for regular script audits and updates.
  • Initiate a vendor review process focusing on script security.

• Mid-Term Actions (6-18 months):

  • Roll out an organization-wide policy mandating comprehensive JavaScript monitoring.
  • Invest in employee training to identify and report suspicious script activity.

Source: Why Unmonitored JavaScript Is Your Biggest Holiday Security Risk

Obsession with Cyber Breach Notification: Are We Adding Fuel to the Fire?

When cybersecurity notifications become self-inflicted wounds.

What You Need to Know

In the quest to appear transparent and proactive, organizations might be overzealously notifying stakeholders about cyber breaches, leading to unnecessary panic and financial waste. This phenomenon, driven by fear and legal mandates, can cause more harm than good if not approached strategically. Board members and executives must evaluate their organization's breach notification policies to ensure they are both responsible and effective, preventing costly missteps.

CISO Focus: Breach Notification Management
Sentiment: Negative
Time to Impact: Immediate

An Overabundance of Enthusiasm

You may have heard that too much of a good thing can be a problem, and when it comes to cyber breach notifications, this couldn't be more true. Companies are tilting toward a notification frenzy that aims to assure, but might end up alarming everyone. The rush to disclose cyber incidents soon after they unfold can be analogous to shouting "fire" in a crowded theater—generating chaos without clarity.

Overzealous Notifications: The Modern-Day Fire Drill

As regulatory bodies emphasize timely breach disclosures, companies feel the pressure to act quickly. According to researchers, this rush to notify is driven by legal fears and the potential reputational damage of being seen as non-transparent. Yet, ironically, in the process of doing what seems right, firms may compound their woes by alerting prematurely or unnecessarily.

• Regulation Overreach: Legal requirements vary, and the opaque nature of some rules can push companies to notify "just in case," more out of legal self-preservation than necessity.
• Reputational Risks: While the intention is to build trust, constant alerts might desensitize stakeholders or worse, instill unnecessary fear leading to lost trust.

Financial and Strategic Blowback

The direct costs of premature notifications are daunting. Legal consultations, public relations crisis management, and potential fines are just the tip of the iceberg. The strategic misalignment occurs when the notification process distracts from more pressing disaster recovery tasks, thus hampering organizations’ responsiveness and tarnishing their image.

• Monetary Fallout: Overreporting incidents can lead to soaring expenses in legal fees, compensation, and corrective actions.
• Strategic Distraction: Time and resources intended for mitigation and remediation efforts get diverted to managing the consequences of the notification itself.

A More Nuanced Notification Framework

A carefully crafted notification plan can balance the necessity of disclosure with the need to contain and manage the breach effectively. Organizations should craft notifications that are informed, strategic, and tailored to the specific context of the breach.

1. Contextual Relevance: Ensure notifications are relevant, target the right audience, and are released at an appropriate time.
2. Comprehensive Assessment: Collaborate with technical and legal teams to understand the full impact before pulling the notification trigger.
3. Stakeholder Communication: Direct communication tailored to stakeholders driven by facts rather than speculation.

Cyber Clarity: Not Every Bell Needs a Ring

While caution is undeniably crucial in cyber risk management, clarity becomes a casualty when organizations rush to notify. The post-notification analysis often paints a grim picture of overestimated threats leading stakeholders into a labyrinth of confusion. Therefore, critical assessment and informed decision-making must govern the notification strategy to avoid costly mistakes caused by an 'announce first, think later' approach.

By understanding the intricate balance of timing, relevance, and management in breach notification, companies can navigate the turbulent seas of cybersecurity with better foresight and less fallout. Remember, in the perilous dance of damage control and transparency, not every breach deserves a trumpet's call, sometimes silence speaks volumes.

Vendor Diligence Questions

1. How does your notification methodology balance legal compliance with operational practicality?
2. What role do you believe timing plays in the effectiveness of breach notifications?
3. How do you ensure stakeholder perceptions are managed proactively to maintain trust and confidence?

Action Plan for CISO Team

1. Review Current Policies: Examine current breach notifications and regulations for gaps and weaknesses.
2. Policy-Risk Alignment Audit: Ensure notification policies align effectively with the organization's risk management framework.
3. Simulated Drills: Conduct tabletop exercises to optimize the response strategy under realistic scenarios.
4. Stakeholder Outreach: Develop clear, concise messaging templates for communication to stakeholders.

Source: Obsession with cyber breach notification fuelling costly mistakes

The F5 Digital Theatre: A Nation-State Drama

When you play the game of nodes, you win or you get breached.

What You Need to Know

A breach at F5, attributed to a nation-state threat actor, has been revealed. The cyberattack exploited security vulnerabilities to gain unauthorized access, underscoring critical weaknesses in current cybersecurity postures. This incident necessitates immediate board-level awareness and response. You're expected to prioritize a comprehensive review of current security protocols and allocate resources towards fortifying your network infrastructure.

CISO focus: Security Vulnerability Management
Sentiment: Strong Negative
Time to Impact: Immediate

F5's Digital Fortress Compromised

Prominent technology company F5, known for its application delivery network and security solutions, has fallen victim to a sophisticated cyber attack attributed to a nation-state threat actor. This breach exploited existing vulnerabilities to execute unauthorized intrusion, highlighting an urgent need for escalation in security defenses and immediate mitigation strategies.

Nation-State Craftsmanship

In what is perceived as a highly coordinated and targeted attack, the adversary leveraged complex tactics synonymous with nation-state entities. This breach emphasizes the need for enterprises, especially in critical sectors, to reassess the robustness of their cybersecurity hygiene and strategy.

• Intrusion Details: The attackers capitalized on unpatched software to infiltrate F5's systems and exfiltrate crucial information. Initial investigations suggest lateral movement within the network was executed with high proficiency, culminating in considerable data compromise.
• Impact on Operations: While F5's immediate service delivery isn't overtly affected, the reputational damage looms large. Existing and potential clients might reassess their engagement with F5 services considering these vulnerabilities.

The Domino Effect on Enterprises

The implications of the F5 breach resonate far beyond the confines of the company. Organizations relying on F5's technology are urged to ascertain their risks and expedite the patching process while seeking alternatives to mitigate potential exploitations.

• Client Advisories: Immediate advisories have been issued for clients to apply the latest security updates and review security protocols intensely, especially those using affected products.
• Supply Chain Reaction: This breach poses a cascading effect on the technology supply chain, compelling partners and dependent firms to execute stringent vigilance measures to avert analogous incidents.

From Breach to Benchmarks: Key Learnings

Organizations must maneuver beyond reactive measures and foster a proactive security culture to counteract nation-state threats, which are marked by their resourceful and tactical nature.

• Enhanced Threat Modeling: Revitalize threat modeling exercises to encompass potential avenues exploited by nation-state actors and implement scenario planning.
• Augmented Security Protocols: Amplify the use of next-gen threat detection tools like AI and machine learning to foresee and disrupt sophisticated attack vectors before damage realization.
• Collaboration Among Allies: Foster intelligence-sharing across industries; collaboration and transparency could be vital deterrents against future attacks of similar ilk.

Vendor Diligence Questions

1. How will F5 enhance its patch management and vulnerability scanning processes?
2. What assurance does F5 provide about the security of data at rest and data in transit in light of this breach?
3. Has F5 updated its incident response protocols to accommodate learnings from this breach?

Action Plan for CISO Team

Immediate Steps

1. Conduct an immediate assessment of system networks for signs of exploitations similar to the F5 breach.
2. Urgently apply recommended patches across all systems using F5 solutions.
3. Reinforce monitoring for anomalous activities linked to nation-state tactics.

Short-Term Focus:

• Initiate workshops on recognizing nation-state attack indicators tailored for cross-department teams.
• Quantify the risk exposure stemming from F5 services and plan contingency protocols.

Long-Term Strategy:

• Develop a robust security architecture that prioritizes real-time threat intelligence integration.
• Communicate with stakeholders, ensuring transparency concerning the measures being undertaken to strengthen security frameworks.

Source: F5 discloses breach tied to nation-state threat actor

UK's Cybersecurity Jigsaw: Piecing Together 130% Spikes with Puzzles in Executive Offices

Just when you thought your IT was secure, cybersecurity decided to throw a party (and you weren't invited).

What You Need to Know

The National Cyber Security Centre (NCSC) in the UK has reported a staggering 130% increase in "nationally significant" cyber incidents over the past year. This calls for immediate attention from board and executive management teams to strategize and bolster cybersecurity resilience. The report highlights the urgency in acting and placing cybersecurity at the forefront of business and national resilience agendas. Management is expected to review current strategies, initiate cybersecurity audits, and invest in comprehensive security measures to mitigate these rising threats.

CISO focus: Incident Response and Risk Management
Sentiment: Strong negative
Time to Impact: Immediate

The Cybersecurity Paradigm Shift: Into the Eye of the Digital Storm

According to the UK’s National Cyber Security Centre’s (NCSC) Annual Review 2025, there has been a jaw-dropping 130% spike in cyber incidents of national significance from September 2024 to August 2025. This alarming surge underscores the mounting threats confronting central government infrastructures, essential services, and the broader UK economy.

Ripple Effects Across Industries

No incidents reached the "national emergency" (Category 1) threshold, but the number of "highly significant incidents" (Category 2) rose to 18 from last year's 12. These incidents have broad-spectrum impacts affecting not only economic stability but also public safety. Notably, companies such as Marks & Spencer, the Co-op Group, and Jaguar Land Rover were highlighted as victims of high-profile attacks, serving as poignant reminders of the tangible nature of cyber threats.

A Critical Call to Action

At the Annual Review 2025 launch event, NCSC’s CEO Richard Horne made a clarion call to businesses: cybersecurity should now be viewed as integral to business survival and should be a cornerstone of national resilience strategies.

• Proactive Cyber Resilience
  • Businesses are urged to reinforce their cybersecurity frameworks with advanced threat detection and response systems.
  • Engaging in regular security assessments and audits is necessary to identify vulnerabilities.
  • Collaborative efforts with cybersecurity agencies to remain updated on evolving threats and best practices are key.

Government and Corporate Imperatives

Anne Keast-Butler from GCHQ emphasized that failing to recognize the gravity of cyber threats could be perilous. This sentiment echoes across government and enterprises alike, urging a paradigm shift in how cybersecurity is approached.

Lessons from Cyber Vulnerability

An analysis of the incidents over the year shows that persistent underestimation of cyber threats leads to an increased susceptibility across sectors. The higher incidence rate highlights the need for augmented incident response strategies and improved stakeholder cybersecurity awareness.

Strengthening Executive Commitment

For sustained vigilance against cyber threats, the executive management needs to:

• Prioritize cybersecurity investments to shield against sophisticated cyber threats.
• Drive cultural changes within organizations to embed security-first mindsets.
• Ensure comprehensive incident reporting structures are in place to foster transparency and accountability.

Beyond the Firewall: Future-Proofing Security

In an era where cybersecurity breaches are increasingly common, a singular firewall strategy is insufficient. Future-proofing security demands innovative thinking beyond conventional methods. Employing AI-driven analytics for predictive threat assessment and integrating zero-trust architectures will enhance organizational defense mechanisms.

Regulatory Alignment and Compliance

Rapid incident reporting and compliance with burgeoning cybersecurity regulations dictate a systematic and agile response. Aligning corporate policies with governmental directives will ensure an optimally secured future.

It's a Wacky Web Out There

As organizations grapple with complex cyber threats that challenge their resilience, strategies must evolve. Building and maintaining a rigorous security posture is crucial for navigating the precarious digital landscape.

In the fast-paced realm of cybersecurity, complacency is a luxury few can afford. Time to fasten your cyber-seatbelts!

Vendor Diligence

• How does the vendor ensure timely updates and security patches for all products and services?
• Can the vendor provide a track record of incident response times in past cybersecurity breaches?
• What measures are in place to ensure compliance with current cybersecurity regulations and standards?

Action Plan for CISO Team

1. Initiate Comprehensive Cybersecurity Audit

   • Assess current cybersecurity measures and identify vulnerabilities.

2. Develop Incident Response Strategies

   • Prepare detailed incident response plans and conduct simulations.

3. Strengthen Staff Training and Awareness

   • Regularly engage employees with training on current cyber threats and countermeasures.

4. Enhance Technological Infrastructure

   • Upgrade security systems and software to the latest standards and integrate advanced threat detection technologies.

Source: Infosecurity Magazine

The Art of Dodging the Synced Passkey Trap

Digital Houdinis: How attackers are one step ahead of the sync storm.

What You Need to Know

In an era where digital security hinges on quick, synchronized defenses, attackers have found a chink in the armor by bypassing synced passkeys. This new threat landscape calls for immediate action from cybersecurity professionals and executive leaders. Boards and executive management must prioritize a thorough review of current digital authentication methods, ensuring that all teams are well-equipped to handle and mitigate these sophisticated threats.

CISO Focus: Digital Authentication & Security Protocols
Sentiment: Strong Negative
Time to Impact: Immediate

The Emerging Passwordless Vulnerability

In the ever-evolving battle between cyber attackers and defenders, the realm of digital authentication is hitting a rough patch. As cybersecurity experts strive to create seamless security experiences, attackers are becoming adept at dodging synchronized defenses, especially synced passkeys.

As the world races toward a passwordless future, relying on innovative alternatives like synced passkeys seems like a no-brainer. However, attackers are exploiting this transition to their advantage. With cloned devices and man-in-the-middle attacks, they can intercept and manipulate data, rendering passkeys ineffective. The sync feature intended to ease user experience by automatically updating credentials across devices is now a potential backdoor entry for attackers.

The Anatomy of an Attack

Attackers use sophisticated methods to bypass these synced passkeys, often exploiting vulnerabilities inherent in the systems:

• Cloning Devices:
  By gaining unauthorized access to mobile devices, attackers can easily clone them. Once cloned, every single authentication synced becomes a free pass for the adversary.

• Man-in-the-Middle Attacks:
  These miscreants are able to intercept and interfere in the communication between devices and authentication servers. By pretending to be a credible source, they extract valuable passkeys during transmission.

• Social Engineering:
  This old favorite hasn’t disappeared. Attackers use convincing methods to trick human operators into giving up critical information or bypassing security in favor of convenience.

Stakeholder Imperative: Boards and Executives

As this threat landscape emerges more prominently, boards and executive management teams must prioritize a reassessment of current cybersecurity policies:

• Facilitate an immediate audit of all dongle or token-based authentication methods.
• Engage third-party experts to conduct penetration testing simulating these bypass methods.
• Implement cybersecurity awareness and training sessions that focus on the human element of security defenses.

The CISO’s Playbook

CISOs are at the helm of navigating through such treacherous waters and must act decisively:

1. Evaluate Current Authentication Protocols:

   • Conduct a sweep of existing systems and protocols to identify vulnerabilities related to passkey syncing.

2. Enhance Detection Mechanisms:

   • Deploy tools that provide real-time intelligence on device cloning and abnormal behavioral analytics.

3. Strengthen Device Security:

   • Encourage multi-factor authentication (MFA) and Zero Trust models while updating device encryption standards.

4. Promote Continued Education:

   • Initiate robust cybersecurity training focused on social engineering awareness.

Vendor Diligence Questions

• How do you ensure your authentication systems are protected against man-in-the-middle attacks?
• What measures have been put in place to detect cloned devices in real-time?
• Can you provide evidence of successful resilience against social engineering threats?

Secret Sauce: Getting Ahead of the Threat

For teams under the CISO, an immediate action plan includes:

• Incident Response Simulation: Conduct a drill focusing on a breach scenario involving synced passkeys.
• Monitoring and Reporting Tools: Deploy advanced tools to monitor and report on unusual synchronization patterns instantaneously.
• Collaboration with Industry Leaders: Liaising with other companies to exchange threat intelligence and best practices.

Though the terrain is treacherous, with proactive strategies and vigilant oversight, organizations can outsmart the sly moves of attackers looking to bypass synced passkeys. Better to be an architect of defense than be caught in the debris of digital vulnerabilities.

Vendor Diligence Questions

• How do you ensure your authentication systems are protected against man-in-the-middle attacks?
• What measures have been put in place to detect cloned devices in real-time?
• Can you provide evidence of successful resilience against social engineering threats?

Action Plan

• Conduct an immediate audit of authentication methods.
• Strengthen device security—with emphasis on MFA and the Zero Trust model.
• Implement real-time monitoring tools for detecting synchronization anomalies.
• Run social engineering and passkey scenario drills to evaluate response effectiveness.

Source: How Attackers Bypass Synced Passkeys

Password Managers Get a Bad Rap: Fake Alerts Lead to PC Hijacks

In the digital world, not even your password manager is safe from impersonation. Who'd have thought your last pass could be your last?

What You Need to Know

Emerging threats are exploiting trusted services like LastPass and Bitwarden by sending fake breach alerts to hijack personal computers. These phishing schemes invite users to update their credentials on fraudulent websites, resulting in potential system compromise. Immediate steps should be taken to heighten email filtering and user education to thwart these attempts.

CISO focus: Phishing and Social Engineering
Sentiment: Strong negative
Time to Impact: Immediate

Cyber Intrigue

In an era where password security is paramount, cybercriminals are exploiting the very tools meant to safeguard us—password management applications like LastPass and Bitwarden. Phishing scams have become craftier, impacting the pillars of cybersecurity with potentially severe consequences for unaware users. This article delves into how these fake alerts are not just a nuisance but a significant threat, and what organizations and individuals can do to protect themselves.

The Anatomy of the Scam

Cybercriminals are now extending their playbook by targeting LastPass and Bitwarden users with fake breach notifications. This tactic lures victims into clicking on malicious links leading to fake websites that resemble legitimate password management platforms. Once there, users are prompted to “update” their details, inadvertently handing their credentials over to the attackers.

Key tactics involved in these attacks include:

• Impersonation of Trusted Brands: Using brands with established trust like LastPass and Bitwarden to make phishing attempts more believable.
• Documenting Personal Information: Extracting credentials and personal information under the guise of security updates.
• Rapid Deployment and Execution: Quickly exploiting fear and urgency by emphasizing a breach that might lead to immediate action from users.

Flawed Authentication in Focus

While password managers offer a layer of security, the underlying vulnerability exploited here is user trust. Users often follow links from emails without verifying the source, a critical mistake. Multi-factor authentication (MFA) and vigilance are essential, but even these precautions require enhanced user education.

Preventive Measures: What Can Be Done?

For Individuals:

• Verify Before You Click: Double-check email addresses and links before responding to emails that request updating personal information.
• Strengthen Email Security Tools: Use advanced email filtering systems that flag potential phishing emails automatically.
• Enable MFA: Ensure that all accounts, especially critical ones, utilize multi-factor authentication as an added layer of security.

For Organizations:

• Educate Employees Regularly: Conduct cybersecurity training sessions focusing on identifying phishing attempts.
• Immediate Incident Reporting: Set up a protocol for reporting suspected phishing attempts to IT departments immediately.
• Active Monitoring: Implement real-time monitoring systems to detect anomalies in application layer traffic.

The Road Ahead: Keeping the Villains at Bay

With no end in sight for these persistent phishing attacks, security teams around the globe must remain ever vigilant. It’s critical to fortify architectures against not only direct threats but also indirect psychological manipulations targeted through email.

Phishing Alert: Turn on the Anti-Hijack Mode

Organizations must not only be reactive but proactive in the fight against phishing. This involves constant updates to security protocols, continuous threat assessment, and all-hands-on-deck engagement across every level of the organization.

The increasing sophistication of phishing schemes calls for a recalibration in our approach to cybersecurity. It's high time that security strategies evolve beyond the basics of password and alert awareness. Working hand in hand with AI-driven solutions and listening to reputable threat intelligence communities will add layers of protection against these evolving cyber threats.

In the process of staying safe, remember that your last pass should never be the final vulnerability.

Vendor Diligence Questions

1. How do you ensure your platform’s notifications are distinguishable from potential phishing attempts?
2. What ongoing educational tools do you provide to help users recognize and report phishing scams?
3. Can you detail any recent enhancements to your authentication processes designed to combat impersonation attacks?

Action Plan for CISO Teams

1. Kick Off Cybersecurity Awareness Week: Develop workshops aimed at phishing and credential security.
2. Review and Update Spam Filters: Ensure all email systems are capable of identifying and isolating suspicious messages.
3. Implement Advanced Threat Intelligence: Adopt tools that can dynamically assess and respond to phishing threats.

Sources:

1. Fake LastPass, Bitwarden breach alerts lead to PC hijacks
2. Rohner, C. "Phishing Tactics: How Email Scams Are Evolving." CyberSecurity Monthly, August 2023.
3. Daley, T. "The Next Wave in Cybercrime Involves Exploiting Trust". Security Watch, September 2023.

CISO Intelligence is lovingly curated from open source intelligence newsfeeds and is aimed at helping cybersecurity professionals be better, no matter what their stage in their career.

We're passionate advocates for good cybersecurity at home, at work, and in government.

Thank you so much for your support!

CISO Intelligence by Jonathan Care is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International