Articles about Security

Even a year after the SolarWinds infiltration in late 2020, software supply chain risk continues to dominate the security conversation. Take the Log4Shell vulnerability that recently came to light and caught everyone off guard. Not only is this flaw insanely easy to exploit but the impacted Log4j library is used in nearly every enterprise Java installation -- and the vulnerability gives attackers ultimate power to download, delete, install, and server-hop as they please. As even massive companies like Google, PayPal, Apple, and Netflix are impacted by this flaw via the software supply chain, it’s another one that makes organizations wonder: are we using that too?

In 2022, IT leaders will intensify their supply chain focus to answer this very question, expanding their scrutiny from their own applications to the components they buy and integrate. Widening the scope of the supply chain is crucial; outside software and components need their checks and balances just as code created internally does. This deepened understanding of supply chain risk will increase demands to test and secure everything, from the most seemingly insignificant open source package to the most extensive APIs and third-party components.

Continue reading →

A new report finds that although 37 percent of respondents would pay a ransom, more than half of this group (57 percent) would reverse that decision if they had to publicly report the payment.

The Ransomware Disclosure Act, a bill currently before the US Senate, would require companies to report ransomware payments within 48 hours and so could have a dampening effect on the crime's profitability.

Continue reading →

In 93 percent of cases, an external attacker can breach an organization's network perimeter and gain access to local network resources.

This is among the findings of a new study of pentesting projects from Positive Technologies, conducted among financial organizations, fuel and energy organizations, government bodies, industrial businesses, IT companies and other sectors.

Continue reading →

Almost a quarter (22 percent) of employees globally are likely to expose their organization to the risk of cyber-attack via a successful phishing attempt according to a new study.

The study, from AI-driven cybersecurity training software company Phished, shows that of employees who open a phishing message 53 percent are likely to click a malicious link contained within it.

Continue reading →

A new report produced by MITRE Engenuity and Cybersecurity Insiders seeks to understand the current state of managed services security.

It finds that while 68 percent of respondents use MSSP/MDR solutions to fill security gaps, a worrying 47 percent are not confident in the technology or the people. Also 44 percent are not confident in the managed services security processes.

Continue reading →

Log data is important for tasks such as tracking performance of applications and capacity resources, informing product improvements, and identifying threats and anomalous activity.

But a new report from LogDNA, based on a Harris poll of more than 200 professionals responsible for observability and log data management across the US, shows 74 percent of companies are still struggling to achieve true observability despite substantial investments in tools.

Continue reading →

Ransomware is being targeted at organizations seven days a week, leaving no time for enterprises to shore up their security operations, according to a new report.

Analysis of publicly reported ransomware events by RiskRecon looks at the dates on which ransomware activated to encrypt systems, a metric that which was disclosed in 473 of the 654 events examined.

Continue reading →

Microsoft is improving the security of one-on-one Teams chats by adding end-to-end encryption. After a couple of months of testing the feature as part of a public preview the company says that the optional security boost is now generally available.

In order for calls to be protected, both parties need to have end-to-end encryption enabled. And if you're wondering why you might want to have E2EE disabled in Microsoft Teams, it's because having the security feature enabled means that some other call features do not work.

Continue reading →

At the end of November a vulnerability targeting Minecraft servers was uncovered. If you don't play Minecraft you probably didn't pay it much attention.

Since then, however, 'Log4Shell' has surged across the web sending tremors through the security community and prompting the US government to describe it as a 'severe risk'. So, what's going on and is it time to panic?

Continue reading →

Segmentation is an approach that separates critical areas of the network to control traffic, prevent lateral movement, and ultimately reduce the attack surface.

But according to a new study from Guardicore -- based on a survey of over 1,000 IT decision makers by Vanson Bourne -- while 96 percent of organizations claim to be implementing segmentation in their networks, only two percent are segmenting all six mission-critical asset classes, including critical applications, public-facing applications, domain controllers, endpoints, servers, and business critical assets/data.

Continue reading →

Anything that's connected to the internet can be a possible attack route for hackers, but organizations are often forced to use multiple solutions for protection, adding complexity and risk.

Cybereason and Google Cloud are launching an AI-powered XDR (Extended Detection and Response) solution to enhance and simplify the ability to predict, detect, and respond to cyberattacks.

Continue reading →

If you are running a version of Apache Log4j between 2.0-beta9 to 2.14.1 (inclusive) the Log4Shell vulnerability is something you need to be aware off. Tracked as CVE-2021-44228, this is a serious and easily exploited RCE flaw in the open-source Java-based logging utility.

An attacker can exploit the security flaw to execute a remote attack by simply using a particular string as the browser user agent. Although the Apache Software Foundation has released a patched version of Log4j 2.15.0, not everyone is able to update straight away, and this is something that attackers are taking advantage of. Thankfully, security firm Cybereason has released a "vaccine" called Logout4Shell that protects against Log4Shell.

Continue reading →

The current cyberthreat landscape can feel like a dark cloud hanging over the head of every organization, the same way Covid loomed over us for so long. But just as advances in health have offered light at the end of the tunnel for the pandemic, new approaches to cyber wellness can help us stay healthy and secure in the digital realm.

By taking proactive measures to ward off digital diseases like ransomware, and fighting off any infections that do occur through individually tailored therapies and treatments, we can go about our business with confidence, feeling and performing our best. 

Continue reading →

Over time enterprises amass lots of applications, each of which has its own means of authentication and authorization for users. This inevitably leads to 'identity sprawl' with information being held in multiple different silos.

In order to unify identity data from all sources within an organization and turn it into a flexible resource that can deliver verification on demand, Radiant Logic is launching its RadiantOne Intelligent Identity Data Platform.

Continue reading →

A new report from Venafi, based on in-depth security analysis of the world's top million websites over the last 18 months, shows the internet is becoming more secure.

Use of encryption is increasing and the adoption of newer TLS protocols is rising. However, many companies continue to use legacy RSA encryption algorithms to generate keys, despite stronger protocols being available.

Continue reading →