Week in review: Popular npm package hijacked, zero trust security key tenets, wildcard certificate risks


Here’s an overview of some of last week’s most interesting news, articles and interviews:

Apple fixes security feature bypass in macOS (CVE-2021-30892)
Apple has delivered a barrage of security updates for most of its devices this week, and among the vulnerabilities fixed are CVE-2021-30892, a System Integrity Protection (SIP) bypass in macOS, and CVE-2021-30883, an iOS flaw that’s actively exploited by attackers.

SolarWinds hackers are going after cloud, managed and IT service providers
Nobelium, the advanced persistent threat (APT) actor behind the 2020 SolarWinds supply chain attack that served as a springboard for breaching a variety of high-level targets, is targeting organizations via their various service providers.

Popular npm package hijacked, modified to deliver cryptominers
Several versions of the npm package for UA-parser.js, a widely used JavaScript library, have been modified to include malicious code and have been made available for download.

MVSP: A minimum cybersecurity baseline to simplify vendor security assessment
Any organization that’s actively working on managing its cybersecurity risk can’t ignore the risk that goes with third-party vendors having access to its critical systems and customer data.

Good security habits: Leveraging the science behind how humans develop habits
In this interview with Help Net Security, George Finney, CSO at Southern Methodist University, explains what good security habits are, how to successfully implement them and why they are important. He also talks about his book Well Aware and what inspired him to write it.

Data engineers' burnout overwhelming, a wake-up call to organizations
A Wakefield Research survey reveals a disturbing state of affairs among data engineering professionals. The study of 600 data engineers suggests an overwhelming majority are burned out and calling for relief.

Implementing DMARC to eliminate phishing emails
In this interview with Help Net Security, Alexander Garcia-Tobar, CEO at Valimail, explains the importance of implementing DMARC, as email is still greatly used by cybercriminals to infiltrate and attack organizations.

Despite spending millions on bot mitigation, 64% of organizations lost revenue due to bot attacks
A Kasada survey covers the state of bot mitigation exclusively from the perspective of organizations already using anti-bot solutions.

How do I select an SD-WAN solution for my business?
To select a suitable SD-WAN solution for your business, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic.

72% of organizations hit by DNS attacks in the past year
Domain name system (DNS) attacks are impacting organizations at worrisome rates. According to a survey from the Neustar International Security Council (NISC) conducted in September 2021, 72% of study participants reported experiencing a DNS attack within the last 12 months.

Network and IoT security in a zero trust security model
You can never be too careful when it comes to network and IoT security. With a rapidly growing number of disparate devices being connected to corporate and industrial infrastructures, it’s better to be safe than sorry.

Biometrics emerging as the preferred identity verification option for digital consumers
Onfido announced the results of a global study with Okta which revealed that businesses have just 10 minutes to set up digital accounts or risk losing consumer trust.

Why cybersecurity leaders should focus on spending, people and technology (in that order)
Although cybersecurity continues to be top-of-mind for most organizations, organizations are dissatisfied with the state of their programs, and this is reflected in growing security budgets.

Increased risk tolerances are making digital transformation programs vulnerable
Digital transformation programs could be vulnerable to cyber attacks due to increased risk tolerances and ongoing cybersecurity challenges, according to global research of 500 cybersecurity decision makers by NCC Group.

Ransomware: How bad is it going to get?
Ransomware gangs are becoming more brazen. In 2021, they hit high-profile targets like Kaseya and Colonial Pipeline. The question now is: how much worse is the situation going to get?

Executives’ top concern in Q3 2021? New ransomware models
The threat of “new ransomware models” was the top concern facing executives in the third quarter of 2021, according to Gartner. Concerns about ransomware topped pandemic-related concerns, including supply chain disruptions, according to the survey of 294 senior executives across industry and geography.

Navigating ethics in AI today to avoid regrets tomorrow
As artificial intelligence (AI) programs become more powerful and more common, organizations that use them are feeling pressure to implement ethical practices in the development of AI software.

How to close the cybersecurity workforce gap
(ISC)² released the findings of its 2021 (ISC)² Cybersecurity Workforce Study. The study reveals updated figures for both the Cybersecurity Workforce Estimate and the Cybersecurity Workforce Gap in 2021, provides key insights into the makeup of the profession and explores the challenges and opportunities that exist for professionals and hiring organizations.

The first step to being cybersmart: Just start somewhere
When company leaders and IT staff begin looking at their options around improving their security and discover hundreds of possible solutions, they can become overwhelmed. However, the best thing they can do is just start somewhere.

Top cybersecurity threats enterprises will face in 2022
McAfee and FireEye released their 2022 Threat Predictions, examining the top cybersecurity threats they predict enterprises will face in 2022.

The dangers behind wildcard certificates: What enterprises need to know
Before IT leaders can truly respond to and mitigate wildcard certificate security risks – and manage wildcard certificates – it's essential to first understand what wildcard certificates are and why they are a common, flexible and helpful, but risky, type of certificate.

API attacks are both underdetected and underreported
Akamai released research into the evolving threat landscape for application programming interfaces (APIs), which according to Gartner will be the most frequent online attack vector by 2022.

The fast-expanding world of online proctoring: What cybersecurity industry leaders must know
The blistering post-pandemic pace of digital transformation has put the urgent demand for cybersecurity professionals in the spotlight. Simultaneously, more testing taking place online has meant that certification providers are now under increased pressure to ensure the integrity of remote cybersecurity examinations. When candidates present credentials that they have been awarded online, recruiters want to trust their validity.

Four key tenets of zero trust security
As cybercrime threatens businesses of all sizes, industries and locations, organizations have realized that the status quo is no longer tenable and that implementing zero trust is necessary.

Is offensive testing the way for enterprises to finally be ahead of adversaries?
The one principle the cyber-security industry is founded on is that defenders are always a step behind the hackers. Solutions are developed (FW, AV and onwards), technologies are introduced (VMs, LBs, microservices), practices emerge (DevSecOps anyone?) and yet – adversaries always find new ways.

Regulation fatigue: A challenge to shift processes left
The president’s recent order, and the potential actions of legislators to follow, could lead to burdensome regulations that interfere with shift left practices, and ultimately slow down the pace of software development.

Safeguarding the B2B sharing economy
Most people are familiar with business-to-consumer (B2C) sharing economy companies such as Uber, Airbnb, and DoorDash, but what you may not know is that this fast-growing, widely recognized business model is also being increasingly leveraged by business-to-business (B2B) companies to access on-demand services in lieu of short- or long-term contracts with third-party businesses.

Three OT security lessons learned from 2021’s biggest cyber incidents
The Colonial Pipeline, Oldsmar water treatment plant, and Iranian Railways incidents are etched into our memories because of their real-world impact, but the headlines only tell part of the story. In each instance, there are key OT security lessons to be learned, so that other organizations can avoid repeating history.

How to implement secure configurations more quickly
Secure configurations are a key best practice for limiting an organization’s cyber vulnerabilities. Since systems don’t ship securely, it’s important to review and implement recommended guidance.

The CISO’s guide to choosing an automated security questionnaire platform
In this day and age of cyber risk and data privacy regulations, automated third-party questionnaires are a must. Organizations can no longer simply hire vendors without proof of a strong cyber posture, and a comprehensive questionnaire can demonstrate that vendors’ internal security policies are up to par.

The CISO’s guide to third-party security management
Managing the security of your third parties is crucial, but security assessments are riddled with problems, including a lack of context, scalability and relevance. How can you build an effective process?

How to automate configuration review
Configuration management can be challenging. IT teams can become overwhelmed between various standards, compliance requirements, and security options. As the popularity of remote work grows, so does the complexity of implementing secure configurations. Thankfully, there are consensus-developed security recommendations and tools available to help automate the process.

New infosec products of the week: October 29, 2021
Here’s a look at the most interesting product releases from the past week, featuring releases from Avast, Data Theorem, Jumio, Quest and Secure.
