Week in review: Phishers’ perfect targets, evaluating partner cyber resilience, new issue of (IN)SECURE

Here’s an overview of some of last week’s most interesting news and articles:

Microsoft offers rewards for security bugs in Microsoft Teams
Microsoft is starting a new Applications Bounty Program, and the first application that they want researchers to find bugs in is Microsoft Teams, its popular business communication platform.

Tackling cross-site request forgery (CSRF) on company websites
Everyone with half a mind for security will tell you not to click on links in emails, but few people can explain exactly why you shouldn't (they will usually offer a canned "hackers can steal your credentials if you do" explanation). Cross-Site Request Forgery (CSRF), in which a link or page from another origin makes your browser send an authenticated request you never intended, is one of the real reasons.
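To make the mechanism concrete, here is an added example (not code from the article or the site it summarizes) in Python. It models a money-transfer endpoint twice: a vulnerable version that honours any request carrying the session cookie, and a hardened version that insists on POST, checks the Origin header and verifies a synchronizer token bound to the session with an HMAC. The site origin, the session store and the request dictionaries are constructed fixtures, not a real framework's API.

```python
import hashlib
import hmac
import secrets

# Constructed fixtures for the demo. In production the secret comes from
# configuration and the session store from a database or cache.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://bank.example"            # hypothetical site origin
SESSIONS = {"sid-7f3a9c": "alice"}               # session cookie value -> user


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session id).
    The server only has to recompute it, never store it. Embedded in the
    form body, it is out of reach of an attacker's page, which can make
    the browser send our cookies but cannot read our responses."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(request: dict, balances: dict) -> str:
    """Honours any request that arrives with a valid session cookie.
    The browser attaches that cookie to a request triggered by a link in
    an email or an auto-submitting form on another site, so the attacker
    chooses the amount. It also accepts GET, so a bare <img src=...> works."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return "401 no session"
    balances[user] -= int(request["params"]["amount"])
    return "200 transferred"


def transfer_hardened(request: dict, balances: dict) -> str:
    """Same operation with three checks a forged request cannot satisfy."""
    sid = request["cookies"].get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return "401 no session"
    # 1. State changes only via POST; a plain link click is a GET.
    if request["method"] != "POST":
        return "405 method not allowed"
    # 2. Browsers add Origin to every POST, and a cross-site form carries
    #    the attacker's origin. Reject anything that is not ours, including
    #    a missing header; do not fall back to accepting it.
    if request["headers"].get("Origin") != SITE_ORIGIN:
        return "403 bad origin"
    # 3. Synchronizer token from the form body, compared in constant time.
    token = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(sid)):
        return "403 bad csrf token"
    balances[user] -= int(request["params"]["amount"])
    return "200 transferred"


def demo() -> dict:
    """Run forged and legitimate requests through both handlers."""
    sid = "sid-7f3a9c"
    forged_link = {   # the victim clicks a link in an email
        "method": "GET",
        "headers": {},                          # browsers send no Origin on a GET navigation
        "cookies": {"session": sid},           # but they do attach the session cookie
        "params": {"amount": "500"},
    }
    forged_post = {   # an auto-submitting form on the attacker's page
        "method": "POST",
        "headers": {"Origin": "https://evil.example"},   # hypothetical attacker origin
        "cookies": {"session": sid},
        "params": {"amount": "500"},
    }
    legit = {         # the site's own form submission
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "cookies": {"session": sid},
        "params": {"amount": "50", "csrf_token": issue_csrf_token(sid)},
    }
    results = {}
    balances = {"alice": 1000}
    results["vulnerable_forged_link"] = transfer_vulnerable(forged_link, balances)
    results["vulnerable_balance"] = balances["alice"]
    balances = {"alice": 1000}
    results["hardened_forged_link"] = transfer_hardened(forged_link, balances)
    results["hardened_forged_post"] = transfer_hardened(forged_post, balances)
    results["hardened_legit"] = transfer_hardened(legit, balances)
    results["hardened_balance"] = balances["alice"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token lives in the request body, not in a cookie: a cookie would be sent by the browser on a forged request just like the session cookie. Marking the session cookie `SameSite=Lax` or `Strict` is a worthwhile extra layer, but browser support and subdomain handling vary, so the server-side checks above stay in place regardless.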

Phishers’ perfect targets: Employees getting back to the office
Phishers have been exploiting people's fear and curiosity regarding breakthroughs and general news related to the COVID-19 pandemic from the very start, and will continue to do so for as long as it affects our private and working lives.

Data breaches and network outages: A real and growing cost for the healthcare industry
One year into the COVID-19 pandemic, the Infoblox report reveals major challenges the healthcare industry faced as IT workers scrambled to secure protected health information (PHI) and the infrastructure against the pandemic’s complex cybersecurity and networking challenges.

How to stay ahead of the rise of synthetic fraud
There are a number of reasons why synthetic fraud is on the rise, but there are also actions banks and other financial institutions can take to prevent this growing trend from doing damage.

Only 14% of domains worldwide truly protected from spoofing with DMARC enforcement
Although the DMARC enforcement rate is increasing, about 3 billion messages per day still spoof the sender's identity, Valimail reveals. Email use has grown during a year of global pandemic, and attackers continue to rely on it as a primary attack vector, so email security remains a pressing problem.
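A domain only counts as protected when its DMARC policy actually instructs receivers to quarantine or reject failing mail; a `p=none` record merely reports. The following added example (not code from Valimail or from the article) classifies DMARC TXT records in Python, distinguishing monitoring-only, partial (`pct` below 100) and full enforcement, and flagging a weaker subdomain policy. The records are constructed samples; a real check would fetch the TXT record at `_dmarc.<domain>` first.

```python
ENFORCING = {"quarantine", "reject"}
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag dict.
    Returns {} when the text is not a DMARC record: RFC 7489 requires the
    record to start with 'v=DMARC1'. Duplicate tags keep the first value."""
    record = record.strip()
    if not record.lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return {}          # malformed tag, receivers would discard the record
        key, value = part.split("=", 1)
        tags.setdefault(key.strip().lower(), value.strip())
    return tags


def classify_dmarc(record: str) -> dict:
    """Return the effective posture of one record.
    status is one of: invalid, monitoring, partial, enforcement."""
    result = {"status": "invalid", "policy": None, "subdomain_policy": None,
              "pct": None, "notes": []}
    tags = parse_dmarc(record)
    if not tags:
        result["notes"].append("not a well-formed DMARC record")
        return result

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        result["notes"].append("missing or unknown p= tag; receivers ignore the record")
        return result

    # pct defaults to 100 and applies only to quarantine/reject.
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100
        result["notes"].append("unparseable pct=, treated as 100")

    # sp= defaults to the organisational policy when absent.
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy not in VALID_POLICIES:
        subdomain_policy = policy
        result["notes"].append("unknown sp= value, falling back to p=")

    if policy == "none":
        status = "monitoring"
    elif pct < 100:
        status = "partial"
    else:
        status = "enforcement"

    if policy in ENFORCING and subdomain_policy == "none":
        result["notes"].append("subdomains stay spoofable: sp=none weakens p=" + policy)
    if "rua" not in tags:
        result["notes"].append("no rua= address, so no aggregate reports to tune the policy")

    result.update(status=status, policy=policy,
                  subdomain_policy=subdomain_policy, pct=pct)
    return result


def enforcement_share(records: dict) -> float:
    """Fraction of domains whose record is at full enforcement."""
    if not records:
        return 0.0
    enforcing = sum(1 for r in records.values()
                    if classify_dmarc(r)["status"] == "enforcement")
    return enforcing / len(records)


# Constructed sample records for four hypothetical domains.
SAMPLE_RECORDS = {
    "a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@a.example",
    "b.example": "v=DMARC1; p=none; rua=mailto:dmarc@b.example",
    "c.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@c.example",
    "d.example": "v=spf1 -all",   # an SPF record published where DMARC was expected
}

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(domain, classify_dmarc(rec))
    print("share at enforcement:", enforcement_share(SAMPLE_RECORDS))
```

Treat `partial` as unprotected for reporting purposes: with `pct=10`, nine out of ten spoofed messages are delivered exactly as if the policy were `none`.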

(IN)SECURE Magazine issue 68 released
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. Issue 68 has been released. It’s a free download, no registration required.

Hidden areas of security and the future of hybrid working
With the UK government’s roadmap out of lockdown underway, it is predicted that employers will strive to keep the element of flexibility by moving to hybrid working models.

The financial impact of cybersecurity vulnerabilities on credit unions
Cybersecurity vulnerabilities among credit unions and their vendors create the potential for large financial impacts to the credit union industry, according to a Black Kite report.

Cybercriminals capitalizing on our reliance on the cloud
90% of cyberattacks on cloud environments in the last 12 months involved compromised privileged credentials, according to research from Centrify.

5G network slicing vulnerability leaves enterprises exposed to cyberattacks
AdaptiveMobile Security publicly disclosed details of a major security flaw in the architecture of 5G network slicing and virtualized network functions. The vulnerability could allow data access and denial of service attacks between different network slices on a mobile operator's 5G network, leaving enterprise customers exposed to malicious cyberattacks.

Remote workers admit to playing a significant part in increasing their company’s cybersecurity risks
The COVID-19 generation of remote workers admits to playing a significant part in increasing the cybersecurity risks facing their companies. Opinium research shows 54% regularly use their work device for personal purposes, including sharing work equipment with family members.

70% of organizations recognize the importance of secure coding practices
Research from Secure Code Warrior has revealed an attitudinal shift in the software development industry, with organizations moving away from traditional practices in favor of DevOps and Secure DevOps.

What businesses need to know to evaluate partner cyber resilience
Many recent high-profile breaches have underscored two important cybersecurity lessons: the need for increased scrutiny in evaluating the access and controls of partners handling valuable customer data, and the imperative of assessing a third party's (hopefully multi-layered) approach to cyber resilience.

Why DDI technology is fundamental for multicloud success
DDI technology, which integrates Domain Name System, Dynamic Host Configuration Protocol and IP Address Management functions, can help provide the solution to meet complexity and security risks head on.

80% of security leaders would like more control over their API security
There are major gaps in API security based on insights from over 100 senior security leaders at large enterprises in the United States and Europe, an Imvision report reveals.

How to get affordable DV certificates for onion sites
The Tor Project, the nonprofit developers of the Tor network and Tor Browser, have announced two exciting developments for onion services: affordable DV certificates for v3 onion sites from HARICA, and new, easy onion site setup guides.

Using memory encryption in web applications to help reduce the risk of Spectre attacks
There’s nothing quite like an actual proof-of-concept to make everyone listen. I was pleased by the PoC released by Google security engineers Stephen Röttger and Artur Janc earlier this month – in a nutshell, they showed how the Spectre vulnerability can be used to exfiltrate cross-origin data from any website.

Rapid increase in security tools causing alert fatigue and burn out
On average, enterprises maintain 19 different security tools, with only 22% of such tools serving as vital to primary security objectives, a ReliaQuest survey reveals.

Cybersecurity awareness is too often a part-time effort
SANS announced the release of a report which analyzes the data of over 1,500 security awareness professionals from around the world to benchmark how organizations are managing human risk and provides data-driven action items to mature awareness programs.

Special pricing on CISSP and CCSP training bundle
Whether you’re motivated by career advancement, higher pay or inspiring a safe and secure cyber world, the (ISC)² CISSP and CCSP certifications are professional game-changers. And now through April 30th, you can save 10% on Official (ISC)² CISSP or CCSP Online Self-Paced Training when bundled with your exam.

New infosec products of the week: March 26, 2021
A rundown of the most important infosec products released last week.
