Week in review: Log4Shell lingers, NIS2 directive adopted, LastPass breached (again)

Cybersecurity week in review

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:

The top 200 most common passwords in 2022 are bad, mkay?
According to NordPass’ latest list of the top 200 most common passwords in 2022, “password” is the most popular choice, followed by “123456”, “123456789”, “guest” and “qwerty”.

Pre-auth RCE in Oracle Fusion Middleware exploited in the wild (CVE-2021-35587)
A pre-authentication RCE flaw (CVE-2021-35587) in Oracle Access Manager (OAM) that was fixed in January 2022 is being exploited by attackers in the wild, the Cybersecurity and Infrastructure Security Agency has confirmed by adding the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.

Predatory loan mobile apps grab data, harass users and their contacts
Lookout researchers have discovered nearly 300 Android and iOS apps that trick victims into unfair loan terms, exfiltrate excessive user data from mobile devices, and then use it to pressure and shame the victims for repayment.

LastPass, GoTo announce security incident
LastPass and its affiliate GoTo (formerly LogMeIn) have announced that they suffered a security incident and, in LastPass’ case, a possible data breach.

All of Medibank’s stolen data leaked, Australia increases maximum penalties for data breaches
Australian health insurance provider Medibank has confirmed that another batch of the customer data stolen in the recent breach has been leaked.

Cloud security starts with zero trust
In this interview for Help Net Security, Mark Ruchie, CISO at Entrust, talks about cloud security and how zero trust should be implemented to guarantee overall cloud protection.

The cybersecurity trends organizations will soon be dealing with
In this interview with Help Net Security, Brad Jones, VP of Information Security at Seagate Technology, talks about cybersecurity trends organizations will be dealing with soon, particularly concerning cloud misconfiguration, data classification, software vulnerabilities, and the cybersecurity skills gap.

The impact of lay-offs on your organization’s cyber resilience
In this interview with Help Net Security, Ben Smith, Field CTO at NetWitness, talks about how the wave of lay-offs has impacted the cyber resilience of many businesses, and about the threats organizations should be aware of in these times of crisis.

How to find hidden data breaches and uncover threats in your supply chain
A company’s supply chain is like a body’s nervous system: a mesh of interconnected manufacturers, vendors, sub-contractors, service delivery firms, even coding and collaboration tools.

7 free cybersecurity resources you need to bookmark

How the dynamics of phishing attacks are changing
In this Help Net Security video, Alex Paquette, COO at Ironscales, discusses the impact in terms of the time and energy required to defend against the never-ending and ever-evolving onslaught of phishing attacks.

IoT device origin matters more than ever
Recently, British politicians called on the government to crack down on the use of surveillance equipment from two Chinese companies, Hikvision and Dahua, which are already blacklisted by Washington.

Cybercriminals are cashing in on FIFA World Cup-themed cyberattacks
The hype and popularity of the FIFA World Cup has attracted audiences from across the globe. This, in turn, attracts a variety of cybercriminals who want to exploit the varied fan following, and the organizations participating, to make a quick buck.

How an effective fraud prevention strategy can force fraudsters to invest more in their attacks
In this Help Net Security video, David Fletcher, SVP at ClearSale, discusses how an effective fraud prevention strategy can force fraudsters to invest more in the attack, making it less attractive to exploit and ultimately changing the ROI of account takeover (ATO).

Cybersecurity engineering under the Federal Trade Commission
When the Federal Trade Commission (FTC) releases new regulations or changes to existing ones, the implications may not be obvious to the average business or company employees.

Many Global 2000 companies lack proper domain security
CSC released its third annual Domain Security Report, which found that three out of four Forbes Global 2000 companies have not adopted key domain security measures, exposing them to a high risk of security threats.

CISOs in investment firms help fast-track cybersecurity startups
In this Help Net Security video, Frank Kim, CISO-in-Residence at YL Ventures, discusses the growing role of CISOs in investment firms and how their role as advisors helps drive cybersecurity startups.

Don’t ignore the security risks of limitless cloud data
Over the past two decades, technology has evolved to make it easy and affordable for companies to collect, store and use massive amounts of data.

33% of attacks in the cloud leverage credential access
Elastic released the 2022 Elastic Global Threat Report, detailing the evolving nature of cybersecurity threats, as well as the increased sophistication of cloud and endpoint-related attacks.

Identifying key areas for fraud risk during the recession
In this Help Net Security video, Ari Jacoby, CEO at Deduce, discusses how cybercriminals see times of downturn as an opening to exploit potential vulnerabilities.

CISOs’ priorities for the coming year
BlueFort Security has announced the results of its 2022 CISO survey, which revealed that while CISOs are still experiencing challenges around visibility, intelligence and control, 47% are proactively focused on digital transformation and cloud migration.

Why are K-12 educational institutions reluctant to report cyber incidents?
In this Help Net Security video, Stan Golubchik, CEO at ContraForce, talks about concerns of the lack of cyber incident reporting across K-12 school systems.

EU Council adopts the NIS2 directive
The European Council adopted legislation for a high common level of cybersecurity across the Union, to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole.

Consumers want convenience without sacrificing security
In this Help Net Security video, Aubrey Turner, Executive Advisor at Ping Identity, talks about how consumers want one-click convenience with enhanced protection.

A year later, Log4Shell still lingers
72% of organizations remain vulnerable to the Log4Shell vulnerability as of October 1, 2022, Tenable’s latest telemetry study has revealed, based on data collected from over 500 million tests.

Here’s the deal: Uptycs for all of 2023 for $1
Customers are shifting their cybersecurity up with Uptycs. Now, for only a buck, you can shift up, too.

Infosec products of the month: November 2022
Here’s a look at the most interesting products from the past month, featuring releases from: Abnormal Security, Acronis, Bearer, Bitdefender, Clumio, Cohesity, Flashpoint, Forescout, ForgeRock, ImmuniWeb, Keyo, Lacework, LOKKER, Mitek, NAVEX, OneSpan, Persona, Picus Security, Qualys, SecureAuth, Solvo, Sonrai Security, Spring Labs, Tanium, Tresorit, and Vanta.

New infosec products of the week: December 2, 2022
Here’s a look at the most interesting products from the past week, featuring releases from Adaptive Shield, Datadog, Delinea, Fortinet, LogicGate, Shoreline, and Trend Micro.
