Search results for: vulnerability

encryption

Eight resolutions to help navigate the new hybrid office model

Continuous review and improvement are crucial for a successful security program. As this year draws to a close, it is a good time to look back on 2021 and prepare a few resolutions for the new year. Adapting to the pandemic-created hybrid office model has proven to be one of the biggest challenges. I expect that securing a remote workforce, the growth of applications and services in the cloud, and improving security controls over the … More

week in review

Week in review: Discussing cybersecurity with the board, APT-style attacks, Patch Tuesday forecast

Here’s an overview of some of last week’s most interesting news, articles and interviews: January 2022 Patch Tuesday forecast: Old is new again Let’s look at some recent events which will be influencing this month’s patch releases. Ransomware attacks decrease, operators started rebranding Positive Technologies experts have analyzed the Q3 2021 cybersecurity threatscape and found a decrease in the number of unique cyberattacks. However, there’s been an increase in the share of attacks against individuals, … More

patch

January 2022 Patch Tuesday forecast: Old is new again

Welcome to 2022 and a new year of patch management excitement! I’m rapidly approaching 40 years working in this industry and I can honestly say there is rarely a dull day. If you are willing to take on the challenges presented, it is a great industry to work in and I hope you all are excited to start the new year too. Let’s look at some recent events which will be influencing this month’s patch … More

Log4j

The Log4j debacle showed again that public disclosure of 0-days only helps attackers

On December 9, 2021, a (now deleted) tweet linking to a 0-day proof of concept (PoC) exploit (also now deleted) for the Log4Shell vulnerability on GitHub set the internet on fire and sent companies scrambling to mitigate, patch and then patch again as additional PoCs appeared. Public vulnerability disclosure – i.e., the act of revealing to the world the existence of a bug in a piece of software, a library, extension, etc., and releasing a … More

virtual reality

How can SMBs extend their SecOps capabilities without adding headcount?

Which is more important for achieving organizational cybersecurity: security products or security people? The right answer to this (trick) question is that both are equally important. But while cybersecurity budgets are rising, most small and some midsize organizations looking to employ skilled cybersecurity professionals are often unable to match salaries offered by big enterprises in a job market where demand outstrips supply. Outsourcing security: What’s on offer? Fortunately, there is an alternative way for procuring … More

security platform

Finite State’s binary analysis enhances automated zero-day vulnerability detection

Vulnerabilities in the software supply chain are costing device manufacturers business. Threats like Treck TCP/IP and ThroughTek Kalay P2P SDK continue to emerge, and according to a recent Ponemon Institute report, nearly 60% of organizations have lost revenue due to product security concerns. Finite State has unveiled a way to reduce the business risk of those vulnerabilities through advanced binary analysis. Device manufacturers use board support packages (BSPs) and software development kits (SDKs) from third-party … More

Appointments

Onapsis appoints Sadik Al-Abdulla as CPO

Onapsis announced the appointment of Sadik Al-Abdulla as Chief Product Officer. In his role, Al-Abdulla will focus on the company’s platform vision, strategy, and execution, ensuring Onapsis continues to meet the growing demand for securing cloud, hybrid, and on-premises business-critical applications. As an executive leader of enterprise security businesses with more than 20 years of experience, Al-Abdulla brings the insight and expertise to help clients solve today’s most sophisticated security challenges. Prior to joining Onapsis, … More

Laura Hoffner

Insider threat does not have to be malicious, so how do you protect your organization?

In this interview with Help Net Security, Laura Hoffner, Chief of Staff at Concentric, talks about the causes of insider threat attacks and what companies can do to mitigate or even avoid them. In these particularly tumultuous times, when organizations are not really sure what the working arrangements will be, insider threats have become the issue to look out for. What is making businesses increasingly vulnerable to them? First, “insider threat” doesn’t necessarily mean that … More

Infosec products of the month: December 2021

Here’s a look at the most interesting products from the past month, featuring releases from Action1, AwareGO, BlackBerry, Box, Castellan Solutions, Cloudflare, Code42, Cossack Labs, F5 Networks, Immuta, IriusRisk, MetricStream, MobileSphere, Nerdio, NetQuest, Oxeye, Ping Identity, Pondurance, SentinelOne, Syxsense, Tenable, ThreatConnect, Tufin, Veriff, Verimatrix, and Zerto. Open source cloud native security analyzer Terrascan embeds security into native DevOps tooling Tenable enhanced Terrascan, an open source cloud native security analyzer that helps developers secure Infrastructure as … More

bomb

Ransomware and terrorism: For security pros the threat is equal

Venafi announced the findings of a global survey of more than 1,500 IT security decision makers that reveals that 60% of security professionals believe ransomware threats should be prioritized at the same level as terrorism. These opinions echo the U.S. Department of Justice, which raised the threat level of ransomware following the Colonial Pipeline attack earlier this year. The study also found that less than one-third of respondents have implemented basic security controls that break … More

Log4j

4 practical strategies for Log4j discovery

For security teams scrambling to secure their organizations against Log4j exploitation, one of the first and most challenging tasks is understanding where Log4j exists within their environment. Without this understanding, any remediation efforts will be hamstrung from the get-go. Of course, this type of asset management can prove exceedingly difficult as Log4j is represented across thousands of products. Still, even missing one vulnerable instance of Log4j can leave an organization at risk, which is why … More

week in review

Week in review: Log4j new vulnerabilities, Microsoft patch bypass, 2022 e-commerce threat trends

Here’s an overview of some of last week’s most interesting news, articles and interviews: The Log4j saga: New vulnerabilities and attack vectors discovered The Apache Log4j saga continues, as several new vulnerabilities have been discovered in the popular library since Log4Shell (CVE-2021-44228) was fixed by releasing Log4j v2.15.0. Log4Shell is a dumpster fire that should have been avoided If basic IT hygiene guidance had been followed, Log4j would have easily been immune to this type … More