Week in review: Password-less security, WPA3 design flaws, new Windows 10 update controls

Here’s an overview of some of last week’s most interesting news and articles:

Magento sites under attack through easily exploitable SQLi flaw
A recently patched SQL injection flaw affecting the popular open-source e-commerce platform Magento is being actively exploited by attackers, so if you haven’t implemented the provided security update or patch, now is the time to do it.

What hackers inside your company are after: Convenience
Digital transformation is not a technology trend. Rather, it is a convenience trend. Businesses are changing because customer expectations demand it. Each day, consumers find yet another use for mobile connectivity. Corporations, meanwhile, hasten the rush of data into the cloud. And the so-called Internet of Things, or IoT, is woven more tightly into the fabric of our lives.

77% of orgs lack a cybersecurity incident response plan
Of the organizations surveyed that do have a plan in place, more than half (54%) do not test their plans regularly.

A quarter of phishing emails bypass Office 365 security
Email phishing is one of the most often used – and most successfully used – attack vectors that lead to cybersecurity incidents and breaches.

Securing your app and driving down call center fraud
In this Help Net Security podcast, Angie White, Product Marketing Manager at iovation, talks about how optimizing the customer journey through your mobile app can help you optimize your call center.

FileTSAR: Free digital forensic investigations toolkit for law enforcement
Purdue University cybersecurity experts have created FileTSAR, an all-in-one digital forensic investigations toolkit for law enforcement.

WPA3 design flaws affect security of new Wi-Fi standard
Researchers have discovered a number of design flaws affecting the security of the recently introduced WPA3 data transmission protocol.

CIOs and CISOs hold off on crucial updates due to potential impact on business operations
CIOs and CISOs around the world have held back from implementing critical measures that keep them resilient against disruption and cyber threats.

WikiLeaks’ Julian Assange arrested in London
Wikileaks founder Julian Assange has been arrested by officers of the Metropolitan Police at the Embassy of Ecuador in London.

Enterprise VPN apps store authentication and session cookies insecurely
CVE-2019-1573, a flaw that makes VPN applications store the authentication and/or session cookies insecurely (i.e. unencrypted) in memory and/or log files, affects a yet to be determined number of enterprise Virtual Private Network (VPN) applications.

Insights gained from working on more than 750 cybersecurity incidents
Many entities face the same security risks, so it is essential to have insight into how to manage them and how to respond when they occur.

How password-less security benefits helpdesks
As the list of helpdesk tasks continues to grow, IT teams can improve efficiency and effectiveness by making changes to eliminate some of the most mundane and time-consuming tasks. Chief among these are password resets.

TRITON attackers detected at another critical infrastructure facility
The attackers who were first spotted wielding the custom TRITON framework have targeted another critical infrastructure facility, FireEye researchers have revealed.

April 2019 Patch Tuesday: Microsoft fixes two actively exploited bugs
Microsoft has plugged 74 CVE-numbered security holes, including two vulnerabilities actively exploited by attackers. All of the bugs are rated either Critical or Important.

Windows 10: New update controls for end users, automatic removal of broken updates
It seems that last year’s Windows 10 updating troubles have spurred Microsoft to make some changes to the operating system’s update experience and the company’s quality testing of updates.

PoC exploit for Carpe Diem Apache bug released
Charles Fol, the security engineer who unearthed the Carpe Diem Apache HTTP Server bug (CVE-2019-0211), has released an exploit for it.

Hacking healthcare: A call for infosec researchers to probe biomedical devices
With innovative attacks against a variety of biomedical devices being demonstrated seemingly every day, ransomware attacks might end up being the least of our and the healthcare industry’s problems.

90% of OT organizations are cyberattack victims, yet visibility into OT systems is still limited
90% of OT organizations stated their environments had been damaged by at least one cyberattack over the past two years, with 62% experiencing two or more attacks.

Regulating the IoT: Impact and new considerations for cybersecurity and new government regulations
In 2019 we have reached a new turning point in the adoption of IoT – more markets and industries are migrating to a cloud-based infrastructure, and as the IoT continues to gain popularity and more devices and data move online, lawmakers and legislators around the globe are taking note.

Perimeter solutions: Do layers of security make a difference?
As an enterprise, it is always important to constantly reevaluate information security solutions. When doing so, take a good look at the perimeter solutions in place and their associated detection mechanisms.

Is your organization getting physical security right?
For most organizations (and especially for tech companies), the physical security of data centers and headquarters is of the utmost importance.

Adhering to the mobility requirements of NIST 800-171 does not have to keep you awake at night
The majority of companies in the United States and Europe are required to comply with at least one IT security regulation – oftentimes more. This forces companies to exert strong control over how data is transferred, accessed and maintained throughout its lifecycle.

The unique business-critical threats facing converged IT-OT systems
Manufacturers are heavily investing in the convergence of traditional operational technology (OT) with IT networks in 2019, adding new technology to environments that are still vulnerable to more than 10-year-old issues, like Conficker.

Gain immediate visibility into your actual cyber risk for free
Cynet Free Threat Assessment (available for organizations with 300 endpoints and above) spotlights critical, exposed attack surfaces and provides actionable knowledge of attacks that are currently alive and active in the environment.