Three simple steps to improving security patching

The vulnerability scan results that security departments issue to operations teams typically contain hundreds of pages and thousands of vulnerabilities to address. It’s a massive list, often with some prioritization based on the criticality of the vulnerabilities observed and, for some more mature organizations, an assessment and opinion from the security team. Operations teams typically do care about security in the endpoints, but their job is to guarantee uptime and user satisfaction, which often suffer when deploying patches requires reboots and application restarts. Then there are the resource constraints: the difficulty of prioritization in a world where everything seems to be urgent, the lack of visibility, questions around ownership and available time, and so on. It’s a tough ask to minimize the risk in the endpoints without a holistic, multi-departmental collaboration focused on specific risk policies and profiles.

Compliance pressure doesn’t help either, because frequently it ends up being just a check-box, and not a mechanism for improving security. Therefore, while the bare minimum is undertaken very reluctantly to satisfy the auditors, there’s still a significant amount of fire drill and distraction from the daily grind.

By Alejandro Lavie

Demand for dark web malware exceeds supply

Malware writers have been using a free market model to sell their wares for some time. The success of this approach is clear from new research by Positive Technologies that finds demand for malware creation on the dark web is three times greater than supply.

Demand for malware distribution is twice the supply. This mismatch of supply and demand has led to interest among criminals in new tools, which are becoming more readily available in the form of partner programs that include malware-as-a-service and malware distribution-for-hire.

By Ian Barker

Security remains top IT concern for SMBs

Data breaches have serious consequences for SMBs and if not handled correctly can cause serious damage to the business.

It's perhaps no surprise then that according to a survey from IT infrastructure company Kaseya security remains the top IT priority for SMBs with 54 percent citing it as their main concern in 2018, up 14 percent from 2017.

By Ian Barker

A terrifying number of big-name websites are not secure -- is yours?

There has been a long-standing movement trying to make the web a safer place. For some time, Google's Chrome browser has alerted people when they are visiting secure sites, but with the launch of Chrome 68, it instead warns when an insecure site is encountered.

As we warned just a couple of days ago, the latest update to Chrome means you're likely to see warnings about a lot of insecure sites -- and there are some big-name sites being shamed. Included on the non-HTTPS list are some of Google's own sites, the BBC, the Daily Mail and Fox News. And there are plenty of other recognizable offenders too, as Why No HTTPS? reveals.

The most successful phishing subject lines revealed

We all like to think that we're smart enough not to fall for phishing emails, yet a surprising number of people do get caught out by them.

A new report from security awareness training company KnowBe4 looks at the most successful phishing emails in the second quarter of 2018. The results show that hackers are playing into users' commitment to security, by using clever subject lines that deal with passwords or security alerts.

By Ian Barker

Linux bots account for 95 percent of DDoS attacks as attackers turn to the past

Cybercriminals are delving into the past to launch attacks based on some very old vulnerabilities according to the latest report from Kaspersky Lab, and they're using Linux to do it.

In the second quarter of 2018, experts have reported DDoS attacks involving a vulnerability in the Universal Plug-and-Play protocol known since 2001. Also, the Kaspersky DDoS Protection team observed an attack organized using a vulnerability in the CHARGEN protocol that was described as far back as 1983.

By Ian Barker

Syncsort helps compliance for IBM i users

IBM's i operating system -- originally known as OS/400 -- is still popular in many larger and mid-sized organizations, and it is of course subject to the same security and compliance challenges as other systems.

Big data specialist Syncsort is launching additions to its Syncsort Assure family of products to help i users achieve compliance with GDPR and other legislation, and strengthen security with multi-factor authentication.

By Ian Barker

Endpoints leave industrial IoT vulnerable... Err, what's an endpoint?

Of over 200 respondents to a new survey, more than half report the most vulnerable aspects of their IIoT infrastructure as data, firmware, embedded systems, or general endpoints.

But at the same time the survey by information security training organization SANS Institute reveals an ongoing debate over what actually constitutes an endpoint.

By Ian Barker

Brace yourself for a slew of security warnings from Chrome

Tomorrow -- Tuesday, 24 July -- sees the release of Chrome 68. Many people will regard this as just another browser update, but the release sees an important change to the way Chrome handles unencrypted websites.

The new way in which non-HTTPS sites are handled means that Chrome is going to start throwing up warning messages whenever an insecure site is encountered -- a reversal of the way things have been up until now.

Software supply chain attacks set to become a major threat

According to a new study, 80 percent of IT decision makers and IT security professionals believe software supply chain attacks have the potential to become one of the biggest cyber threats over the next three years.

The survey by Vanson Bourne for endpoint security company CrowdStrike finds two-thirds of the surveyed organizations experienced a software supply chain attack in the past 12 months.

By Ian Barker

China, Russia and North Korea behind espionage-focused cyberattacks

Cyberattacks come in many forms and from many sources, but a new report from endpoint security company Carbon Black reveals an increasing number originate from nation states with espionage as their goal.

The findings show that 81 percent of incident response (IR) professionals say the majority of attacks come from Russia, while 76 percent say the majority come from China. These foreign actors are seeking more than just financial gain or theft -- 35 percent of IR professionals say the attackers' end goal is espionage.

By Ian Barker

Traditional identity systems are the new battleship row

In 1941, the US Military was trying to save on security costs by mooring its battleships close together while they were in port. Aircraft were also parked neatly in rows. Many of the most valuable assets of the Pacific Fleet were all centralized in one convenient spot that was well organized, easy to find, and therefore easy to attack.

On 7 December 1941, a date that will live on in infamy, that is exactly what happened.

By Perry Chaffee

Half of retailers experience security breaches in the past year

According to a new report, 52 percent of US retailers have suffered a data breach in the past year and 75 percent have had one at some time in the past.

The latest Thales Data Threat Report, Retail Edition, also shows that US retail data breaches more than doubled from 19 percent in the 2017 survey to 50 percent, making retail the second most breached industry vertical this year.

By Ian Barker

Credential stuffing costs businesses over $5 billion a year

When usernames and passwords are exposed through a data breach or attack on users, criminals harvest these credentials and test them on a wide range of websites and mobile applications, a practice known as 'credential stuffing'.

A new report by security and anti-fraud specialist Shape Security looks at the lifecycle of stolen credentials and at the damage their use can cause.

By Ian Barker

Microsoft overtakes Facebook as the #1 spoofed brand

Phisherfolk love to try to trick people into thinking they are a major brand in order to get them to reveal passwords or personal data.

New research from Vade Secure reveals that in the second quarter of this year Microsoft has supplanted Facebook as the most spoofed brand. The social network drops two places to third, behind perennial phishing favorite PayPal.

By Ian Barker