New research released from Endor Labs finds that security patches have a 75 percent chance of breaking an application.

It also shows that 69 percent of vulnerability advisories are published after a patch has been released, with a median delay of 25 days between public patch availability and advisory publication, increasing the window of opportunity for attackers to exploit vulnerable systems.

Continue reading →

Fraudsters have used account takeovers (ATOs) to victimize 29 percent of internet users, resulting in $13 billion in losses in 2023. Over three-quarters of security leaders listed ATOs as one of the most concerning cyber threats, and the danger grows as bad actors leverage AI to launch more potent attacks.

The Snowflake breach demonstrates the devastating consequences of ATOs. Attackers gained access to 165 of the data platform’s customers’ systems, including AT&T and Ticketmaster, and exfiltrated hundreds of millions of records containing sensitive data. The attack wasn’t some brilliant hacking scheme -- the bad actors simply used legitimate credentials to log into the platform.

Continue reading →

When investigating an incident to contain and remediate a threat, security teams need to understand complex attack patterns, such as malware gestation, score, and sprawl -- the answers to which all lie in the data and systems.

To help with this process Druva is releasing Dru Investigate, a GenAI-powered tool that guides data security investigations using a natural language interface.

Continue reading →

New data shows that one in five organizations has experienced a security incident related to non-human identities; and only 15 percent remain confident in their ability to secure them.

A report from the Cloud Security Alliance (CSA), and Astrix Security reveals that there is a growing recognition of the importance of investing in NHI security with a quarter of organizations already investing in these capabilities and an additional 60 percent planning to within the next twelve months.

Continue reading →

As we begin a new school year, a survey of 250 IT leaders from educational institutions in the US and UK highlights the potential damage from cyberattacks on schools.

The study from Action1 shows 20 percent of respondents believe that the current level of support from their school board is insufficient, with a high risk of significant impact on education quality due to ransomware.

Continue reading →

The Chartered Institute of Information Security (CIISec) is announcing the addition of artificial intelligence (AI) and quantum computing modules to its CyberEPQ qualification for all students from September 2024 onwards.

Available to any student over the age of 14 in the UK, the CyberEPQ (Extended Project Qualification) is aimed at bringing new and diverse talent into the industry, representing an ideal stepping stone into a cybersecurity career.

Continue reading →

Threat intelligence is critical to protection efforts, but businesses often struggle with effective management and correlation of this data to help prioritize their efforts.

We spoke to Richard Struse, chief technology officer and co-founder of Tidal Cyber, to discuss the challenges presented when organizations scramble to update systems that aren’t actually vulnerable or stop threats that would essentially have no impact on their business.

Continue reading →

Remote access tools are creating cybersecurity risks and operational burdens for operational technology (OT) systems, according to a new report.

The study, from the Claroty Team82 threat research team, using data from more than 50,000 remote-access-enabled devices shows that the volume of remote access tools deployed is excessive, with 55 percent of organizations having four or more and 33 percent having six or more.

Continue reading →

Compliance automation software company Secureframe has launched its free Gap Assessment Tool to help service partners including MSPs, MSSPs, vCISOs, and IT security consultants identify gaps in security posture or compliance status.

It's designed to address a common challenge faced by IT service providers -- uncovering areas of non-compliance and potential risk while demonstrating value to clients.

Continue reading →

A new report on the mobile threat landscape from Lookout reveals a 40.4 percent jump in mobile phishing attempts and malicious web attacks targeting enterprise organizations.

More than 80,000 malicious apps were detected on enterprise mobile devices. These threats can vary widely, from invasive permissions and riskware that pose significant compliance risks to sophisticated spyware capable of tracking devices, stealing data, eavesdropping on conversations and accessing the user' camera and microphone.

Continue reading →

The manufacturing and industrial sectors have seen a dramatic rise in cyberattacks, accounting for 41 percent of cyber incidents in the first half of 2024, an increase of 105 percent.

A new threat intelligence report from Ontinue also highlights a rise in state-sponsored campaigns from China increasingly focused on information control and leveraging zero-day exploits, further complicating attribution and escalating the global threat landscape.

Continue reading →

Identities are probably the biggest attack surface for organizations in today's world as employees rely more on systems and apps to do their jobs.

Mapping identity and access data from the large, disparate, and often disconnected, mix of on-premise and cloud systems that enterprises use is a major challenge.

Continue reading →

While some professions -- including medicine, law, and engineering -- have wholeheartedly embraced wide-ranging codes of ethics and conduct, the field of cybersecurity continues to lack an overarching ethical standard. This vacuum constitutes a significant threat to the safety of consumers and businesses around the world, slows commerce, and delays innovation.

The Code of Honor: Embracing Ethics in Cybersecurity delivers a first of its kind comprehensive discussion of the ethical challenges that face contemporary information security workers, managers, and executives.

Continue reading →

Perimeter solutions such as Secure Email Gateways (SEGs) have long been a cornerstone of email security, historically serving as the primary line of defence against malicious emails entering an organization. Utilizing legacy technology such as signature and reputation-based detection, SEGs have provided pre-delivery intervention by quarantining malicious attacks before they reach the end recipient.

Why, then, are 91 percent of cybersecurity leaders frustrated with their SEGs, and 87 percent considering a replacement?

Continue reading →

A new zero-trust stealth mode browser is being launched by SlashNext, designed to see through obfuscation techniques commonly used by threat actors, and deliver enhanced protection against phishing and malware.

In recent years, well-intentioned companies offering free services such as CAPTCHA solutions and content delivery networks have inadvertently aided threat actors. For example, Cloudflare's Turnstile Services and similar CAPTCHA solutions are commonly exploited as obfuscation techniques. CAPTCHAs are used to block the crawlers employed by security services from accessing and analyzing phishing sites.

Continue reading →