LastPass suffers a security breach: hackers steal source code from password management company


LastPass, the firm behind the eponymous password management software, has revealed that it fell victim to a security breach two weeks ago. Although the company is quick to point out that passwords stored by users have not been exposed, the incident remains hugely significant.
The hackers were able to breach the security of a developer account and took advantage of this to steal "source code and some proprietary LastPass technical information". While LastPass is at pains to stress that it has seen "no evidence that this incident involved any access to customer data or encrypted password vaults" it is an incident that will nonetheless dent user confidence.
Log4Shell still being exploited six months on


Six months after the Log4Shell vulnerability was made known, vulnerable instances remain accessible on the internet and people are still attempting to exploit them, according to the latest Trustwave SpiderLabs Telemetry report.
Using data gathered from the Shodan device search engine, the report shows that as of June 9, 2022, 1,467 instances were vulnerable to Log4Shell. The largest numbers of vulnerable instances are in the Russian Federation, United States, and Germany, with 266 (18 percent), 215 (15 percent), and 205 (15 percent) hosts, respectively.
A third of cybersecurity professionals are kept awake by stress


A new survey of over 300 UK security professionals shows 32 percent of respondents say they are kept awake by job stress, 25 percent by lack of opportunity, but only 22 percent by their organization suffering a cyberattack.
The study from The Chartered Institute of Information Security (CIISec) says organizations have been slow to adopt industry standards. Almost half (49 percent) don't follow the UK Government's Cyber Essentials practices, which provide basic best practice; and just 20 percent have formally adopted the NCSC's 'Ten steps to cyber security' guidance.
Phishing attacks bounce back after pandemic slowdown


After tailing off during the pandemic, phishing is back, with more attacks spotted in the second quarter of this year than in the whole of 2021.
The latest phishing and malware report from Vade also shows that malware emails decreased 48 percent month-on-month -- down from 32.9 million in March to 17 million in April -- but rebounded 31 percent in May, with 22.4 million malware-weaponized emails detected. June saw even higher malware volumes (28.9 million), a 29 percent increase from the previous month.
Two thirds of companies think they may have been targets of a nation-state cyberattack


New research from Venafi into the rise of nation-state cyberattacks and their links to geopolitics has revealed that two-thirds (64 percent) of security decision-makers suspect that their organization has been directly targeted or impacted by a nation state attack.
In addition, 77 percent believe we're in a perpetual state of cyberwar, while 66 percent of companies say they have changed their security strategy as a direct response to the war in Ukraine.
Healthcare attackers switch to smaller targets


While large healthcare providers have lots of juicy data to tempt cybercriminals, they are also likely to have strong defenses.
It's not too surprising then that a new report from managed detection and response provider Critical Insight shows that in the first half of this year attackers have shifted their attentions to smaller hospital systems and specialty clinics that lack the same level of security preparedness, staff size, or budget.
Plex suffers data breach; third-party gains access to emails, usernames and more


Plex has emailed its users to warn about a security incident it has become aware of. While the subject line of the email refers to a "potential data breach", the body goes on to talk about suspicious activity and a third party gaining access to part of a database.
The company says that the exposed data included emails, usernames and encrypted passwords. Although all passwords were secured and hashed, all Plex users are required to change their security credentials out of an "abundance of caution".
Security drives DevOps platform adoption


Nearly three-quarters of respondents to a new survey have adopted -- or plan to adopt within a year -- a DevOps platform in order to meet rising industry expectations around security, compliance, toolchain consolidation, and faster software delivery.
The study from GitLab shows security has overtaken even cloud computing as the number one investment area across DevOps teams at global organizations.
Consumers absorb cybersecurity tips from popular culture


According to a new study, 59 percent of US and UK consumers are now more cautious about trusting others online thanks to having watched fraud documentaries.
The report from Onfido looks at the impact of popular shows like Inventing Anna and The Tinder Swindler and finds that 67 percent of consumers admit they have changed their outlook on fraud.
Taking the risk-based approach to vulnerability patching


It is universally acknowledged that patching vulnerabilities is a critical process and one of the most effective ways to prevent attacks on IT assets. But as the volume of vulnerabilities discovered in the tools we use continues to grow -- and the speed at which they are being weaponized increases -- patching is becoming a complex and difficult task for security teams. During the 2021 calendar year alone, more than 20,000 individual vulnerabilities were discovered and announced, and by May 2022, more than 10,000 issues had been released. The number of vulnerabilities being discovered and disclosed is not slowing down; it is accelerating.
While the security community's ability to discover vulnerabilities, and its attention to doing so, has matured, the scale of these issues has in tandem become overwhelming. So what can organizations do to stay afloat in today's "sink-or-swim" threat landscape?
Organizations plagued by identity sprawl


A new study reveals that identity sprawl is a major problem for organizations, with 60 percent reporting as many as 21 separate identities per user.
The report from Radiant Logic and Gartner Peer Insights looks at the rapid growth of enterprise identity silos, and the explosion of user information, attributes, and credentials that accompanies it.
Maintaining top API-level security in today's cyber landscape


Data breaches, cyberattacks and security concerns are growing exponentially in the digital climate, as new development practices, extra languages, and structural frameworks appear -- compounded by geopolitical tensions giving rise to state sponsored attacks. In 2022 to date, 39 percent of UK businesses have already experienced the disruption and costly consequences of cyberattacks. Some of the largest enterprises, such as Microsoft, T-Mobile, and Vodafone, have experienced attacks by highly organized groups, such as Lapsus$.
With the scale, type of attacks and target industries constantly evolving, the healthcare sector has joined financial services and the public sector in becoming a lucrative target. Healthcare data breaches reached an all-time high in 2021, impacting 45 million people -- personal health information (PHI) became worth more than credit card information on the dark web. Attack approaches are constantly evolving, with hackers searching for any weak links in growing infrastructure.
Supply chains cybersecurity risks: Closing the protection gap


Supply chain attacks have been on the threat radar of many organizations and their security teams for several years. However, since the infamous SolarWinds attack in 2020 -- which led to widespread and damaging compromises of data, networks and systems -- the supply chain attack vector has taken on a new level of focus. Indeed, supply chain attacks have become an effective way for hackers to gain access to IT networks at scale and, as such, are among the most worrying cybersecurity risks facing organizations today.
Supply chain risks come in many forms -- from complex to relatively simplistic. The UK government’s Cyber Security Breaches Survey, which explores organizations’ policies, processes, and approaches to cybersecurity and is used to inform government cybersecurity policy, looked at this in its latest report. The 2022 survey reveals that just 13 percent of businesses review the risks posed by their immediate suppliers, with that number dropping to 7 percent for their wider supply chain. Possibly even more concerning, many organizations commonly perceive 'big tech' companies to be "invulnerable to cyber attacks".
Securing the new hybrid education network


Even before 2020, connectivity played an important role in university life. In recent years, however, connectivity shifted from a mere convenience to a lifeline for students and universities. As these institutions built and expanded online remote access for their students, many from scratch, their IT departments were forced to shift their focus from on-campus networking to supporting a distributed global network to meet the new normal of education.
Although in-person teaching has now seen a welcome return, the wealth of online learning resources available, on both internal and external networks, is an invaluable asset to teachers and students alike. Meanwhile, online retail, banking, health services, gaming, media, and more are mainstays of student life.
Rethinking cybersecurity


If you’ve been in the cybersecurity field for a while, you’ve probably noticed that there’s less emphasis on formal disaster recovery and business continuity plans than there used to be. CISOs still create plans, but it’s not the centerpiece of cybersecurity operations in the same sense. As security technology evolved, people started focusing more on technology solutions that they hoped could prevent problems altogether.
There’s some magical thinking involved in that, and ironically, one of the biggest struggles CISOs face now is how their organizations think about cybersecurity problems, i.e., that there shouldn’t be problems. That’s not the world we live in. Having difficulties is not the issue. Rather, thinking there are magic solutions that can eliminate every weakness is the problem. We need to rethink cybersecurity to accommodate this reality and create a holistic response for when problems inevitably arise.
© 1998-2025 BetaNews, Inc. All Rights Reserved.