Articles about Security

Spam in your calendar? It’s not something that most of us think about -- the word brings to mind email and phone calls and even just old-fashioned snail mail. But your online calendar is also a very real target and it may be growing worse. 

It’s actually fairly ingenious; a spammer sends an invite to an event and, even if the email invitation goes to your spam folder, the event still goes to your Google Calendar. When you click on the event in your calendar it contains a malicious link. Even if you click 'decline' it can still take you to possible NSFW content, or worse. Plus, declining will simply cross out the appointment and leave the reminder behind.  

Continue reading →

A 'work device' isn’t what it used to be. Employees are no longer restricted to a single, company-issued device. Instead, they move between devices based on task, time of day, and location. One minute, they might be working at a desk on a Mac, while the next they are on the move, staying productive from an iPhone.

Research has shown that employees highly value the ability to choose which device(s) they use. In fact, 87 percent of respondents in an independent global survey, conducted by Vanson Bourne in 2021 said choosing their work device was important to them, and 89 percent said they’d even be willing to sacrifice part of their salary to be empowered to choose their own technology.

Continue reading →

As security professionals assess the cloud security challenges that lie ahead for the coming year, one thing is certain. Threat actors will continue to double down on their efforts, utilizing new techniques and refining pre-existing methods as they extend their ever-growing toolbox.

To help enterprises stay ahead of the game, our security research team has highlighted some of the top trends and attack vectors cloud security teams can expect to encounter in 2023.

Continue reading →

Misconfigurations are often a source of security issues, especially when they relate to an organization's firewalls.

FireMon is launching a new, free firewall assessment tool that provides organizations with a comprehensive diagnostic report outlining the health of a firewall policy, complete with best practices and suggestions to improve their security posture.

Continue reading →

In 2022, the number of DDoS attacks grew 150 percent globally compared to the previous year, while the number of attacks in the Americas rose even faster, increasing 212 percent compared to 2021.

These figures are from the 2022 Global Threat Analysis Report released today by Radware which also shows the frequency of DDoS attacks saw a significant uptick. Globally, organizations mitigated an average of 29.3 attacks per day during the fourth quarter of 2022, 3.5 times more compared to 8.4 attacks per day at the end of 2021.

Continue reading →

With Patch Tuesday having rolled around once again, Microsoft has issued its regular batch of releases. We've already talked about the KB5022836 update for Windows 11 21H2, but if you're running Windows 11 22H2, you will need the KB5022845 update instead.

The KB5022845 update takes Windows 11 up to build 22621.1265, and it also includes the changes and improvements that were part of the KB5022360 update preview released last month.

Continue reading →

It is the time of the month when Microsoft releases updates for Windows, and as such the company has released a pair of patches for Windows 11. Specifically, we have two cumulative updates in the form of KB5022845 for Windows 11 22H2 and KB5022836 for Windows 11 21H2.

The KB5022836 update takes Windows 11 up to build 22000.1574, and it also includes the changes and improvements that were part of the KB5019274 update preview released last month.

Continue reading →

As many CISOs are discovering, protecting cloud native environments requires a fundamental shift in thinking when it comes to keeping threats at bay. The huge change in the technology stack, the rapid delivery of software updates, and the unfettered use of open source, all present new challenges that old-style security tools cannot resolve.

Rather than using different point solutions that only solve specific security issues and need to be manually stitched together, Gartner recommends adopting a unified and end-to-end full lifecycle solution that starts in development and extends to deliver comprehensive runtime protection. In other words, a cloud-native application protection platform (CNAPP).

Continue reading →

Privileged access management (PAM) solutions are too complex, with 68 percent of organizations paying for features they don't need, according to a new report.

The report from Keeper Security finds 91 percent of organizations employ PAM and 84 percent of global IT leaders say they want to simplify their PAM solutions in 2023.

Continue reading →

The latest report from JFrog looks at the most prevalent vulnerabilities in 2022 with an in-depth analysis of open source security vulnerabilities that have most impact for DevOps and DevSecOps teams.

The report shows that the severity of six of the top 10 CVEs was overrated, meaning they scored higher in the NVD rating than in JFrog's own analysis. In addition the CVEs appearing within enterprises most frequently are low-severity issues that were simply never fixed.

Continue reading →

Security failures happen. Unfortunately, in today’s always-on, highly digitized world, it is inevitable and a question of not if but when. We only need look at the news during the first few of weeks of 2023 to see several high-profile breaches reported, including T-Mobile and Mailchimp. The companies, its customers and its employees must remain on high alert in the coming months for increased phishing attempts from threat actors using credentials from the attack.

So many of these breaches get blamed on employees being socially engineered, highlighting the importance for employees to be more aware of their role in cybersecurity and for companies to have effective, thoughtful security training and intuitive security systems in place. Users are an organization’s biggest vulnerability; a well-known attack vector for data exfiltration that unfortunately cannot be completely closed. Today, organizations have a wide variety of users and any one employee, partner or supplier from any level within the company can present a vector through which a hacker can infiltrate the organization.

Continue reading →

We’ve already had the first major API-related cybersecurity incident for 2023, and the year has barely started. The T-Mobile API breach exposed the personally identifiable information (PII) of 37 million customers. The API attack had been going on since November but was not discovered and disclosed until January 19, illustrating the threat of the "low and slow" approach of API attacks, which are increasing at a steady pace. Following research by Sam Curry that uncovered hundreds of API vulnerabilities in the automotive industry -- from Mercedes-Benz to Nissan to Kia to Ferrari and more -- it’s not surprising that 2023 has been dubbed "The Year of API Security."

Unfortunately, threats do not stop at API security. Today’s organizations -- and the world -- face inordinate security risks. What other threats and trends can we expect to see in the coming year?

Continue reading →

Reddit has fallen victim to a security incident that has been described as a "sophisticated and highly-targeted phishing attack". Hackers targeted employees of the site a few days ago, and were able to gain access to "some internal documents, code, and some internal business systems".

The unknown attackers sent Reddit employees "plausible-sounding prompts" leading to a website that cloned the behavior of the company's intranet gateway. While able to use an employee's credentials to steal data and code, user accounts are not affected.

Continue reading →

Google is using today's Safer Internet Day to announce a number of new security and privacy initiatives.

Among these are new ways to fill out passwords easily and securely in Chrome, more privacy protection for the Google app, improvements to Google Password Manger, and an expansion of SafeSearch to protect against explicit images.

Continue reading →

Cybercriminals don't need to be clever and use inventive hacking exploits to breach systems as organizations are making things too easy for them, says a new report.

Intelligence-led computer security testing company SE Labs has released its annual Cyber Threat Intelligence report with a warning that CEOs need to take cybersecurity seriously or risk falling into the clutches of criminals eager to take their data and their money.

Continue reading →