Week in review: CISOs’ earnings per year, Atlassian Bitbucket Server and Data Center flaw
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:
US-based CISOs get nearly $1 million per year
The role of the Chief Information Security Officer (CISO) is a relatively new senior-level executive position within most organizations, and is still evolving. To find out how current CISOs landed in that role, their aspirations, the compensation they receive, and which risks they face and responsibilities they shoulder, analysts with international executive search firm Heidrick & Struggles have asked 327 CISOs (and CISOs in all but name) to participate in their 2022 Global CISO Survey.
NetworkManager 1.40 released, features 600 patches
NetworkManager attempts to keep an active network connection available at all times. The point of NetworkManager is to make networking configuration and setup as painless and automatic as possible, while still allowing a high level of customization and manual control.
Patch critical flaw in Atlassian Bitbucket Server and Data Center! (CVE-2022-36804)
A critical vulnerability (CVE-2022-36804) in Atlassian Bitbucket Server and Data Center could be exploited by unauthorized attackers to execute malicious code on vulnerable instances.
Rise in IoT vulnerability disclosures, up 57%
Vulnerability disclosures impacting IoT devices increased by 57% in the first half (1H) of 2022 compared to the previous six months, according to research by Claroty.
Google invites bug hunters to scrutinize its open source projects
Google wants to improve the security of its open source projects and those projects’ third-party dependencies by offering rewards for bugs found in them.
Dealing with cyber threats in the energy sector: Are we on the right path?
In this interview for Help Net Security, Katie Taitler, Senior Cybersecurity Strategist at Axonius, talks about cyber threats in the energy sector and what should be improved to make sure this sector is properly guarded.
Attackers changing targets from large hospitals to specialty clinics
Critical Insight announced the release of the firm’s H1 2022 Healthcare Data Breach Report, which analyzes breach data reported to the United States Department of Health and Human Services by healthcare organizations.
Data security hinges on clear policies and automated enforcement
Developments in emerging technologies, data privacy, cybersecurity, and digital assets are proving to be beneficial for organizations. Yet, given the level of sensitive and confidential data held and maintained, companies need to be locked in on how to advance their policy priorities and stay up to speed on the debates that impact their businesses and markets.
Outdated infrastructure not up to today’s ransomware challenges
Global research commissioned by Cohesity reveals that nearly half of respondents say their company depends on outdated, legacy backup and recovery infrastructure to manage and protect their data. In some cases, this technology is more than 20 years old and was designed long before today’s multicloud era and the onslaught of sophisticated cyberattacks plaguing enterprises globally.
Can your passwords withstand threat actors’ dirty tricks?
Password security hinges on the answer to that seemingly simple question. Unfortunately, you can’t know the answer until you’ve engaged a ruthless penetration tester to find out if your environment can stand up to the frighteningly good password cracking skills of today’s most nefarious hackers.
Ransomware gangs’ favorite targets
Barracuda released its fourth-annual threat research report which looks at ransomware attack patterns that occurred between August 2021 and July 2022.
Organizations’ security: Highlighting the importance of compliant data
Protecting an organization’s digital infrastructure is certainly no easy task. From cloud assets to online devices, customers and websites, to servers, the list goes on and on. In fact, there are so many systems to keep track of that it’s becoming increasingly difficult for a company to catalog all the possible risks and security threats that exist inside their organization. Having a 360-degree view of all potential vulnerabilities that could jeopardize an organization’s digital safety is essential.
1 in 3 organizations don’t know if their public cloud data was exfiltrated
Laminar released findings from its 2022 Security Professional Insight Survey conducted at AWS re:Inforce in July 2022 and Black Hat in August 2022. The research revealed gaps in organizations’ defenses that security teams will want to proactively address to reduce their risk of data exposure. A total of 415 security professionals participated, representing both leadership and line roles.
How Just-in-Time privilege elevation prevents data breaches and lateral movement
By granting users unrestricted access to resources, organizations increase the risk associated with both internal and external threats. Least privilege based on the Just Enough and JIT model reduces that risk significantly. Implementing these security models gives users, applications, tasks, and commands the minimum required level of access for the duration needed, in time to complete the task.
Creating cyber career opportunities during the talent shortage
In this Help Net Security video, Mark Manglicmot, SVP of Security Services at Arctic Wolf, talks about creating cyber career opportunities during the talent shortage.
Companies underestimate number of SaaS applications in their environment
A new research study focused on SaaS usage among enterprises across the USA, UK, and Europe highlights a striking difference between consumption and security of SaaS applications. In fact, the majority of respondents (74%) reported that more than half of their applications are now SaaS-based, and 70% of organizations in the UK reported spending more on SaaS applications today than a year ago.
The complexity of modern aircraft cybersecurity
In this Help Net Security video, Josh Lospinoso, CEO at Shift5, talks about modern aircraft and some cybersecurity concerns that arise as a result of modern technology within these aircraft.
How BEC attacks on human capital management systems are increasing
In this Help Net Security video, Jon Hencinski, VP of Security Operations at Expel, talks about how their SOC team has recently observed Business Email Compromise (BEC) attacks across multiple customer environments, with threat actors trying to access human capital management systems. Their goal? Payroll and direct deposit fraud.
Should ransomware payments be banned? A few considerations
In this Help Net Security video interview, Alex Iftimie, Partner at Morrison & Foerster (MoFo), talks about the possible repercussions of such legislation and, in general, about the evolving nature of ransomware attacks and the current global efforts aimed at fighting the ransomware threat.
7 metrics to measure the effectiveness of your security operations
In this Help Net Security video, Andrew Hollister, CSO at LogRhythm, talks about measuring the effectiveness of a security operations program.
Best practices for Kubernetes security in the enterprise market
In this Help Net Security video, Deepak Goel, CTO at D2iQ, talks about best practices for Kubernetes security in the enterprise market.
COVID-19 data put for sale on the Dark Web
Resecurity, a California-based cybersecurity company protecting Fortune 500 organizations, has identified leaked PII stolen from Thailand’s Department of Medical Sciences containing information about citizens with COVID-19 symptoms. The incident was uncovered and shared with Thai CERT.
Product showcase: The Stellar Cyber Open XDR platform
As enterprises find themselves dealing with ever-increasing threats and the boundaries of their organization disappearing, security teams are more challenged than ever to deliver consistent security outcomes across the environment. Stellar Cyber aims to help lean enterprise security teams meet this challenge day in and day out.
5 open-source vulnerability assessment tools to try out
A vulnerability assessment is a methodical examination of network infrastructure, computer systems, and software with the goal of identifying and addressing known security flaws. Once the vulnerabilities are pinpointed, they are classified based on how critical it is to fix/mitigate them sooner rather than later. Usually, the vulnerability scanning tool also provides instructions on how to remediate or mitigate the discovered flaws.
Infosec products of the month: August 2022
Here’s a look at the most interesting products from the past month, featuring releases from: AuditBoard, Claroty, Concentric AI, Cymulate, Deepfence, Drata, Fortinet, Halo Security, NetRise, Ntrinsec, PlainID, Privitar, Qualys, Raytheon Technologies, ReasonLabs, Scrut Automation, SimSpace, Sony, Tenacity, Traceable AI, Transmit Security, and VIPRE Security.