Here’s an overview of some of last week’s most interesting news and articles:
Authentication today: Moving beyond passwords
A new global study from IBM Security examining consumer perspectives around digital identity and authentication found that people now prioritize security over convenience when logging into applications and devices.
Dridex gang follows trends, also created FriedEx ransomware
The gang behind the infamous banking Trojan Dridex has also created the FriedEx (aka BitPaymer) ransomware, ESET researchers confidently claim.
Groundhog Day: Third-party cyber risk edition
Here are the five consistent Groundhog Day things Scott Schneider, Chief Revenue Officer at CyberGRX, hears in most every conversation he has around third-party risk management.
The Ransomware Survival Handbook
Written based on advice from IT pros who experienced ransomware first hand, the handbook provides you with essential tips and recovery lessons you don’t have to learn the hard way.
Cisco plugs critical hole in many of its enterprise security appliances
There’s an eminently exploitable remote code execution flaw in the Adaptive Security Appliance (ASA) Software running on a number of Cisco enterprise appliances, and admins are advised to plug the hole as soon as possible.
How to prepare for the future of digital extortion
Digital extortion has evolved into the most successful criminal business model in the current threat landscape, and Trend Micro researchers predict that it will continue to grow rampant because it’s cheap, easy to commit, and many times the victims pay.
What is a security data lake?
While data lakes have a bit of a head start in adoption – largely among data science teams – some security teams are beginning to look into security data lakes to keep afloat in the wash of security log data they amass every day.
AutoSploit: Automated mass exploitation of remote hosts using Shodan and Metasploit
A “cyber security enthusiast” who goes by VectorSEC on Twitter has published AutoSploit, a Python-based tool that takes advantage of Shodan and Metasploit modules to automate mass exploitation of remote hosts.
BEC scams surge, cybercriminals target nearly all organizations
Social networks and free cloud email services make it simple for cybercriminals to identify their targets, create an email account that impersonates a trusted entity (CEO, brand, partner) and then create a believable con with personalised details to make these attacks successful.
How do your IT complexity challenges compare to those of other CIOs?
A global survey of 800 CIOs conducted by Vanson Bourne reveals that 76% of organizations think IT complexity could soon make it impossible to manage digital performance efficiently.
The future of smartphone security: Hardware isolation
What advantages can hybrid hardware isolation have for combatting smartphone attacks and vulnerabilities?
Researchers showcase automated cyber threat anticipation system
A group of researchers is trying to develop an automatic early warning system that should help defenders take preventative action before specific cyber attacks start unfolding.
It’s time to get serious about email security
The amount of sensitive information sent through email is accelerating – day over day, year over year. At the same time, our confidence in our ability to protect these communications is rapidly dwindling.
Attackers disrupt business operations through stealthy crypto mining
WannaMine, a Monero-mining worm discovered last October, is increasingly wreaking havoc on corporate computers.
Mozilla plugs critical and easily exploitable flaw in Firefox
The vulnerability (CVE-2018-5124) is considered critical because a successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. Another reason for such a classification is that exploitation can be triggered with just a bit of clever social engineering.
Building a coping mechanism for data breaches
Data breaches may be daily news, but they will always be a significant worry for business stakeholders. It is the IT team, however, that have to deal with the technical side of breaches, so establishing a coping mechanism is a good idea.
Multiple zero-day vulnerabilities found in ManageEngine products
Digital Defense uncovered multiple, previously undisclosed vulnerabilities within several Zoho ManageEngine products.
Strava user heatmap reveals patterns of life in western military bases
In November 2017, online fitness tracker Strava published a heatmap of the activity many of its users around the world engage in (and track) daily. But what might have seemed like a harmless sharing of anonymized, aggregated data turned out to reveal potentially sensitive information about (mostly western) military bases and secret sites.
Achieving zero false positives with intelligent deception
Cyber attacks are not single events. When attackers compromise an asset, they don’t know which asset is infected. They must determine where they are in the network, the network structure and where they can find valuable information. That means attackers carefully try to find out as much as possible about the organization. This is precisely the behavior that intelligent deception technology can exploit in order to thwart attackers and protect organizations.
PCI DSS 3.2 will unveil compliance cramming culture
February 1, 2018 marks the deadline for businesses to adopt the new industry standard, PCI DSS 3.2, aimed at reducing and better responding to cyber attacks resulting in payment data breaches.
New infosec products of the week: February 2, 2018
A rundown of infosec products released last week.