Week in review: Log4j new vulnerabilities, Microsoft patch bypass, 2022 e-commerce threat trends

week in review

Here’s an overview of some of last week’s most interesting news, articles and interviews:

The Log4j saga: New vulnerabilities and attack vectors discovered
The Apache Log4j saga continues, as several new vulnerabilities have been discovered in the popular library since Log4Shell (CVE-2021-44228) was fixed by releasing Log4j v2.15.0.

Log4Shell is a dumpster fire that should have been avoided
If basic IT hygiene guidance had been followed, Log4j would have easily been immune to this type of vulnerability, but the internet has not exactly been built by way of hygiene.

Combating identity fraud: The key is to avoid stagnation
In this interview with Help Net Security, Tom Wesselman, CTO of TeleSign, explains how to successfully combat identity fraud to not only protect an organization but its customers too.

The cybersecurity executive order is not all it’s cracked up to be
Seventy-two percent of federal cybersecurity leaders say the White House’s May 2021 Cybersecurity Executive Order (EO) addresses only a fraction of today’s cybersecurity challenges, according to a study from MeriTalk.

Cyber insurance trends: Insurers and insurees must adapt equally to growing threats
In this interview with Help Net Security, Avi Bashan, CTO at Kovrr, talks about cyber insurance trends and how the growing threat landscape impacted both insurers and insurees.

Shifting security further left: DevSecOps becoming SecDevOps
Veracode has revealed usage data that demonstrates cybersecurity is becoming more automated and componentized in line with modern software architectures and development practices.

CTO of Security at Salesforce talks e-commerce cybersecurity threat trends for 2022
In this interview with Help Net Security, Dr. Taher Elgamal, cryptographer, infosec leader and currently the CTO of Security at Salesforce, talks about the obstacles retailers’ need to overcome to increase their cybersecurity posture and his expectations for the threat landscape in 2022.

How likely are employees to fall prey to a phishing attack?
22% of employees are likely to expose their organization to the risk of cyber attack via a successful phishing attempt, a Phished report reveals.

Zero trust isn’t just for IT, it can also protect targeted critical infrastructure
Bare-minimum OT security is no longer passable in today’s cyber landscape. A future-proof solution is already effective in the IT world: zero trust. Let’s examine some of the big challenges in OT security, and how zero trust can fix them.

Cybersecurity budgets surge, as skills gap wreaks havoc on 2022 plans
As enterprises plan and set budgets for the new year ahead, the vast majority are expecting to channel more dollars toward enhancing their cybersecurity efforts.

How can AI be made more secure and trustworthy?
While we’re still debating whether and how long it will take to reach singularity and superintelligence, artificial intelligence is playing an increasingly important role in our everyday lives.

Attackers bypass Microsoft patch to deliver Formbook malware
Sophos Labs researchers have detected the use of a novel exploit able to bypass a patch for a critical vulnerability (CVE-2021-40444) affecting the Microsoft Office file format.

6 top cybersecurity trends from 2021 and their impact on 2022
2021 has been a wild year in the cybersecurity space. From supply chain attacks like the SolarWinds hack to the NSO Group’s spyware scandal to the Colonial Pipeline ransomware attack, organizations are facing new (and repackaged) attacks daily. In fact, according to the Identify Theft Resource Center, the total number of data breaches through September 2021 has already exceeded 2020 numbers by 17%.

PCI SSC updates its device security standard for HSMs
The PCI SSC published the latest version of its device security standard for Hardware Security Modules (HSMs). HSMs are secure cryptographic devices that are used for cryptographic-key management and the protection of sensitive data used in payment card processing.

Open-source software holds the key to solving Log4Shell-like problems
Earlier this month, the existence of a critical vulnerability in Apache Log4j 2 was revealed and a PoC for it published. Dubbed Log4Shell, it’s an issue in a logging library for Java applications that is widely used across popular open-source projects and enterprise-grade back-end applications. Log4Shell introduced a critical security risk, scoring 10 out of 10 in severity.

Ransomware Empire: Who might blackmail your company?
The history of ransomware attacks covers slightly over 30 years. Over this modest period, cybercriminals have been relentlessly building ransomware capacities and improving logistics to facilitate the infections of their victims and reach the most high-profile targets. This helped ransomware operators climb to the top of the cybercriminal hierarchy and earn the name of the number one cyber threat.

Five cybersecurity predictions for 2022 and beyond
2021 saw some of the largest and most influential cyber attacks to date. Leaders in cybersecurity have faced numerous challenges this year and are likely to experience unprecedented obstacles in the years to come.

GoTestWAF: Open-source project for evaluating web application security solutions
GoTestWAF is a tool for API and OWASP attack simulation that supports a wide range of API protocols including REST, GraphQL, gRPC, WebSockets, SOAP, XMLRPC, etc. It was designed to evaluate web application security solutions, such as API security proxies, web application firewalls, IPS, API gateways, and others.

Why the updated OWASP Top 10 list can’t be addressed by WAF?
Did you know that OWASP published its updated Top 10 web vulnerabilities list? And that it includes updates that could impact the design and functionality of your WAF solution?

New infosec products of the week: December 24, 2021
Here’s a look at the most interesting products from the past week, featuring releases from BlackBerry, Box, and Veriff.




Share this