News

News

• November 08, 2013 08 Nov'13

  Web application firewalls may not fix Web application security issues

  Some consultants are finding Web application firewall products don't deliver due to poor deployment strategies and a lack of skilled maintenance.

• October 28, 2013 28 Oct'13

  Software [In]security: BSIMM-V does a number on secure software dev

  The fifth iteration of the Building Security In Maturity Model project is a tool you can use as a measuring stick for software security initiatives.

• October 15, 2013 15 Oct'13

  The role of the enterprise intrusion prevention system in APT defense

  One research group says an enterprise IPS can't help detect APTs. But network security expert Brad Casey explains why that isn't necessarily true.

• September 20, 2013 20 Sep'13

  HP introduces 'self-healing' BIOS protection with SureStart

  HP's new SureStart feature detects and 'heals' corrupted BIOS code.

• September 10, 2013 10 Sep'13

  Opinion: Software [in]security -- software flaws in application architecture

  Many defects aren't found with code review. Gary McGraw and Jim DelGrosso think architectural risk analysis is a must to uncover software flaws.

• Sponsored News

  • Part I: Keep the Cloud Your Safe Place

    Sponsored by Forcepoint - Organizations of all sizes have been called upon to swiftly support remote work in order to safeguard the health of their workforce and local communities. As businesses are called upon to scale up remote work procedures for the physical safety of employees, IT teams must accelerate the adoption of technology that ensures their people and data are secure—without hurting productivity or morale. See More

  • Part II: Safeguard Data Everywhere

    Sponsored by Forcepoint - As security teams are tasked with the duty of rapidly scaling up protections for remote workers, one of the key considerations they must keep in mind is how to safeguard data no matter where it resides or travels. This is hardly a new problem. However, the vastly broadened scope of remote work today requires security teams to revisit policies and technologies. Some solutions that may have been sufficient for isolated use cases don't adequately protect a completely distributed workforce. See More

  • Part III: Protect Your People

    Sponsored by Forcepoint - In response to the rapid rise in remote work, cybersecurity teams have increased their efforts to protect their dispersed team’s cyber hygiene. The rapid rise in remote work to protect the health of employees has required cybersecurity teams to scale their efforts to similarly protect the cyber hygiene of these workers as they operate in new conditions. One of the key directives for cybersecurity departments looking to safeguard the people and data within a distributed enterprise is the implementation of cyber defenses that can move with employees and protect them—regardless of their location or device. See More

  View All Sponsored News
• August 09, 2013 09 Aug'13

  Five major technology trends affecting software security assurance

  Column: Gary McGraw says five shifts in the IT landscape are affecting software security, but several BSIMM best practices can limit risk exposure.

• August 01, 2013 01 Aug'13

  New data on enterprise mobile security

  We polled readers in our annual Enterprise Mobile Security Survey and the 2013 results are in.

• August 01, 2013 01 Aug'13

  Black Hat 2013 opens with testy keynote, smart device hacks

  After a contentious opening keynote by NSA Director Gen. Keith Alexander, day one of Black Hat 2013 showed smart device hacks, severe SCADA issues.

• August 01, 2013 01 Aug'13

  Ten years later: The legacy of SB 1386 compliance on data privacy laws

  A decade after becoming law, the ripple effects of California's SB 1386 have surfaced in a new breed of proactive, granular state data privacy laws.

• June 19, 2013 19 Jun'13

  RSA Silver Tail improves online fraud detection, enterprise security

  Fraud prevention for the Web: RSA Silver Tail sets stage for enterprise-level security with big data and brand new interface.

• April 24, 2013 24 Apr'13

  PayPal CISO: Laws must foster better cybersecurity information sharing

  PayPal's Michael Barrett says many firms fear misuse of shared cybersecurity data. He also discusses the evolution of PCI DSS and mobile payment security.

• March 25, 2013 25 Mar'13

  Why information security education isn’t making the grade

  Security experts explain why a holistic approach to security is critical to training computer engineers and computer scientists for a career in information security.

• March 05, 2013 05 Mar'13

  RSA 2013: Experts struggle to define offensive security, hacking back

  Is offensive security or 'hacking back' a viable cyberdefense tactic? RSA Conference 2013 experts struggled to define the terms, never mind the role they play.

• February 25, 2013 25 Feb'13

  DHS cybersecurity boss pushes 'cyber 911', new voluntary standards

  At the CSA Summit 2013, Mark Weatherford said the DHS 'cyber 911' service will better support the private sector, and new voluntary standards are in the works.

• February 25, 2013 25 Feb'13

  Well-rounded information security education benefits IT professionals

  A security-savvy IT staff can help reduce risk. Learn about information security training and education options for IT professionals.

• January 28, 2013 28 Jan'13

  Testing, assessment methods offer third-party software security assurance

  No ultimate test can give third-party software a clean bill of health, but careful assessment can help organizations gain more control over vendors.

• January 17, 2013 17 Jan'13

  Thirteen principles to ensure enterprise system security

  Designing sound enterprise system security is possible by following Gary McGraw's 13 principles, many of which have held true for decades.

• December 07, 2012 07 Dec'12

  Twelve common software security activities to lift your program

  Software security expert Gary McGraw explains the processes commonly found in highly successful software security programs.

• December 03, 2012 03 Dec'12

  Many in industry at odds over pending cybersecurity executive order

  Some security industry veterans fear regulatory overreach, others believe an executive order won't go far enough.

• November 27, 2012 27 Nov'12

  Unrealistic expectations, skills gap mire market for IT security jobs

  Unrealistic HR and hiring manager expectations and a widening security skills gap is challenging CISOs trying to find the right security talent.

• November 27, 2012 27 Nov'12

  Chief information security officer skills go beyond customary technical roles

  A trusted advisor and a strong communicator and promoter, a good CISO should be a jack-of-all-trades to rally the IT security team to support the business needs by minimizing risk.

• November 21, 2012 21 Nov'12

  Phishing attack, stolen credentials sparked South Carolina breach

  A phishing attack and stolen credentials gave an attacker access to the systems of the South Carolina Department of Revenue for two months.

• November 14, 2012 14 Nov'12

  Enterprises can obtain value from red teaming exercises, expert says

  Red teaming assesses the security of an organization and can be a more effective way to assess the organization's security posture.

• November 01, 2012 01 Nov'12

  Protecting Intellectual Property: Best Practices

  Organizations need to implement best practices to protect their trade secrets from both internal and external threats.

• November 01, 2012 01 Nov'12

  Gary McGraw: Proactive defense prudent alternative to cyberwarfare

  Software security expert Gary McGraw explains that the U.S. should build proactive defense capabilities rather than pour billions into cyberweapons.

• October 23, 2012 23 Oct'12

  Pros and Cons of Information Security Certifications

  Educating the security professional requires far more than a certification exam.

• September 04, 2012 04 Sep'12

  Data supports need for security awareness training despite naysayers

  Claims that security awareness training doesn't work are unsubstantiated, explain software security experts Gary McGraw and Sammy Migues.

• July 25, 2012 25 Jul'12

  Crisis Trojan, new Mac OSX Trojan, considered a low risk for now

  Mac security vendor Intego identified the Crisis Trojan, a new Mac OSX Trojan, as a likely future weapon for targeted attacks against Apple endpoints.

• July 23, 2012 23 Jul'12

  Black Hat 2012: MITRE to detail STIX cyberthreat intelligence system

  Sean Barnum of MITRE will describe Structured Threat Information eXpression (STIX), a new cyberthreat intelligence system for incident response teams.

• July 16, 2012 16 Jul'12

  Black Hat 2012: Google Chrome sandbox security flaws to be exposed

  The Google Chrome Native Client was designed to secure browser plug-ins, but researcher Chris Rohlf says Google Chrome sandbox security flaws exist.

• July 11, 2012 11 Jul'12

  AWS outage doesn't discourage Netflix

  Netflix says it remains bullish on the cloud despite major Amazon outage.

• July 11, 2012 11 Jul'12

  Survey: Firewall rules sprawl makes firewall policy management a mess

  Bloated firewall rules are making security unmanageable and audits a nightmare, according to a survey by firewall management vendor Athena.

• July 09, 2012 09 Jul'12

  DNSChanger malware problems unlikely

  DNSChanger infections have declined precipitously, but remaining systems could have Internet access turned off today.

• June 28, 2012 28 Jun'12

  Putting the mobile botnet threat in perspective

  While lucrative mobile botnets do exist, Industry experts provide a perspective on seems to be a relatively small mobile botnet threat.

• June 28, 2012 28 Jun'12

  Operation High Roller: Online bank fraud

  McAfee and Guardian Analytics released the findings of an investigation into a global online bank fraud ring that takes the old techniques up a notch.

• June 26, 2012 26 Jun'12

  LinkedIn password leak: Lessons to be learned from LinkedIn breach

  Breach at the professional networking site highlights password practices, storage procedures.

• June 21, 2012 21 Jun'12

  Review your security contingency plan during the Games

  U.K. companies are preparing to manage their security during the Olympics. Would your security contingency plan hold up to such a disruptive event?

• June 20, 2012 20 Jun'12

  Gartner: Web app firewalls can support secure application development

  Web app firewalls can’t erase the need for secure application development, but Gartner says WAF patching may have a growing role in the enterprise.

• June 14, 2012 14 Jun'12

  Opinion: LinkedIn hacking incident betrays users’ trust

  Users are told to create strong passwords, but the LinkedIn hacking showed strong passwords are no defense when the application provider is attacked.

• June 08, 2012 08 Jun'12

  Arbor Networks warns of IP-Killer, MP-DDoser DDoS tool

  Arbor Networks researchers found robust capabilities in the MP-DDoser/IP-Killer tool used to conduct powerful distributed denial-of-service attacks.

• June 07, 2012 07 Jun'12

  Information technology security jobs hiring outlook

  The unemployment rate for IT security pros is 0%, says CompTIA, leaving some companies with key information technology security jobs unfilled.

• June 06, 2012 06 Jun'12

  LinkedIn investigating user account password breach

  More than 6 million passwords may have been stolen from the servers of social network LinkedIn and posted to a Russian hacking forum.

• June 01, 2012 01 Jun'12

  Stuxnet details should prompt call to action, not words

  Security experts have warned of potential problems with military cyberstrikes. Cyberwarfare is difficult to plan and could put civilians at risk.

• May 31, 2012 31 May'12

  Why execs really need corporate security training

  Senior executives may be the most likely to disobey all your hard-won corporate security training. Here are five reasons why.

• May 24, 2012 24 May'12

  A bold view on prioritizing computer security laws

  The number of computer security laws in the U.S. can be daunting. One bold lawyer suggests a way to prioritize the laws and avoid most legal battles.

• May 24, 2012 24 May'12

  Technology raises visibility of partner networks

  Lookingglass shines a light on the security posture of an enterprise’s partners, clients and third-party providers.

• May 17, 2012 17 May'12

  Maybe security is recession proof; VCs investing again

  Venture capital firms are funding security technologies after a quiet period. The investments are a silver lining in a still bleak overall outlook.

• May 17, 2012 17 May'12

  Division of CISO responsibilities may prevent burnout

  CISO responsibilities can be overwhelming, according to a new IBM survey. One solution may be to divide the role into two jobs.

• May 02, 2012 02 May'12

  Analysis: Oracle trips on TNS zero-day workaround

  Oracle's refusal to patch a zero-day in its flagship database management system is another example of how it carelessly exposes customers to risk.

• April 27, 2012 27 Apr'12

  Reverse engineering tools for mobile apps emerging, expert says

  Reverse engineering mobile apps help pen testers find weaknesses and hidden malware, but the various mobile platforms and different versions make automation difficult, according to one expert.

• April 27, 2012 27 Apr'12

  CISPA threat intelligence bill passes House

  The Cyber Intelligence Sharing and Protection Act (CISPA), clears security vendors of any liability for sharing customer attack data with federal officials.

• April 24, 2012 24 Apr'12

  Spam filter gets better of Microsoft SDL—almost

  Two program managers at SOURCE Boston shared how a serious vulnerability reported to the MSRC fell into a spam filter and caused an out-of-band patch.

• April 19, 2012 19 Apr'12

  Experts differ on European ‘cookie law’ advice

  U.S. firms with European customers are wondering about the new “cookie law.” Experts have different advice for European cookie law compliance.

• April 12, 2012 12 Apr'12

  Defining a full security threat

  How would you define a security threat? The correct answer could score the funding you need for your next security project.

• April 11, 2012 11 Apr'12

  Azure boosts CSA’s STAR

  Cloud Security Alliance transparency effort expands with addition of Windows Azure.

• April 09, 2012 09 Apr'12

  Business and IT security alignment is off

  Aligning IT security with business goals is nice, but is it always realistic? Mandates from management often clash with the industry’s ideal characterization of an IT security leader.

• April 04, 2012 04 Apr'12

  TIBCO to acquire SIEM vendor LogLogic

  TIBCO, an integration software company with little security experience, will purchase one of the few remaining viable standalone SIEM vendors. Terms were not disclosed.

• April 03, 2012 03 Apr'12

  Global Payments breach exposes PCI shortcomings

  Payment processor Global Payment is the latest poster child for PCI shortcomings and shoddy data security.

• April 03, 2012 03 Apr'12

  Experts say it's time for a mobile security review

  There are many mobile device management (MDM) platforms, but they may be unnecessary if you can use the security features native to the devices.

• March 30, 2012 30 Mar'12

  Secure remote access? Security-related remote access problems abound

  Is there really such a thing as secure remote access? Editor Eric B. Parizo says there are too many security-related remote access problems to ignore.

• March 28, 2012 28 Mar'12

  Verizon sheds some light on cloud breaches

  Verizon says cloud breaches are more about giving up control of assets rather than technology vulnerabilities.

• March 27, 2012 27 Mar'12

  Facebook attacks illustrate need for education

  Stolen Facebook account credentials could potentially give attackers access to the victim’s corporate network.

• March 26, 2012 26 Mar'12

  ISP’s anti-botnet code of conduct accomplishes little

  Leading ISPs sign the U.S. Anti-Bot Code of Conduct, which stops short of demanding ISPs provide a clean pipe to customers.

• March 19, 2012 19 Mar'12

  Professional developers behind Duqu Trojan

  The Duqu Trojan’s communications module was written in a custom version of C—indicating a sophisticated professional development team at work.

• March 15, 2012 15 Mar'12

  Can a security association bring us all together?

  Vendors and government call for security pros from different organizations to work together, but will our competitive nature stand in our way?

• March 15, 2012 15 Mar'12

  NSA mobile security plan could be industry roadmap

  Tight controls over the mobile device and the use of VPN tunnels could be employed in enterprise mobile security plans.

• March 12, 2012 12 Mar'12

  Do we need zero-day research?

  Vulnerability research is at a crossroads as bug hunters in pursuit of zero-day vulnerabilities and exploits feel pressure from the security community.

• March 08, 2012 08 Mar'12

  Changes to European privacy laws foreshadow serious business impact

  Changes to the data protection regulations are on the way for the European Union, and the fallout in Europe serves as a good case study for U.S. businesses.

• March 02, 2012 02 Mar'12

  OpenDNS hires Websense CTO, readies enterprise strategy

  DNS provider said it plans a big move into enterprise security market.

• March 01, 2012 01 Mar'12

  Dan Kaminsky offers unconventional wisdom on security innovation

  Luminary Dan Kaminsky, known for his DNS research, pushed RSA Conference 2012 attendees toward security innovation by upending conventional wisdom.

• February 22, 2012 22 Feb'12

  IBM QRadar adds X-Force threat intelligence to SIEM system

  Big Blue unveils integration of its Q1 Labs acquisition giving IT security pros the ability to add rule-based alerts using threat intelligence feeds.

• February 06, 2012 06 Feb'12

  Nothing funny about SCADA and ICS security

  A researcher calls the state of industrial control system security “laughable” and warns of the consequences of unpatched critical infrastructure that is reachable over the Internet.

• January 23, 2012 23 Jan'12

  More information security news from SearchSecurity

  For all the enterprise information security news that matters, visit our news page on SearchSecurity.

• December 30, 2011 30 Dec'11

  Multifunctional malware, staged drive-by attacks to rise in 2012

  Malware toolkits are being programmed with attacks that make the most business sense, say security experts. Automated toolkit users will have new capabilities to target specific groups and organizations.

• December 20, 2011 20 Dec'11

  Why businesses should care about proposed Protect IP, SOPA pirating laws

  Legislation is aimed at stopping piracy, but security professionals and industry groups say it could weaken security, hamper innovation and limit competition among small businesses and startups.

• December 14, 2011 14 Dec'11

  Nitro attackers use Symantec report

  Those responsible for the Nitro attacks earlier this year are targeting chemical companies with malicious emails claiming to be from Symantec.

• December 09, 2011 09 Dec'11

  Special report: 'Eye On' mobile security

  SearchSecurity.com's news team explores the challenges and technologies enterprises must know to successfully manage mobile security.

• November 15, 2011 15 Nov'11

  Confusion over APT attacks leads to misguided security effort

  Enterprises swayed by vendor marketing and a lack of understanding still fail to adequately counter advanced persistent threats (APT).

• October 05, 2011 05 Oct'11

  DHS cloud computing: Homeland Security’s model private cloud strategy

  Using private cloud at separate data centers has allowed the Department of Homeland Security to strike a balance between security and cost savings.

• September 22, 2011 22 Sep'11

  (ISC)2 at a crossroads: CISSP value vs. security industry growth

  Should the (ISC)2 look to grow the pool of CISSPs to meet demand, or boost CISSP value for those who already have it? Eric B. Parizo looks at both sides.

• September 21, 2011 21 Sep'11

  NIST guidelines seek to minimize risk of BIOS attacks

  Amid emerging attack methods and the rollout of a new generation of BIOS, NIST offers guidelines to help enterprises reduce the risk of BIOS attacks.

• May 05, 2011 05 May'11

  Maiffret: Configuration changes, attack mitigation can reduce attack surface

  A new report produced by noted security researcher Marc Maiffret outlines free steps companies can take to greatly reduce the attack surface.

• May 03, 2011 03 May'11

  Sony attack: Sony expands scope of its massive data security breach

  Sony executives said an attack on its PlayStation Network systems, also exposed the data of 24.6 million users at its Online Entertainment division.

• April 26, 2011 26 Apr'11

  Software remediation can get caught in organizational issues

  Running an application security program requires more than a solid budget. It needs a person with deep knowledge of the organization and its engineering processes.

• April 04, 2011 04 Apr'11

  RSA SecurID breach began with spear phishing attack

  Two waves of email attacks targeted small groups of RSA employees, the company said in a blog post last week revealing the first details of the attack since the breach was announced March 22.

• March 23, 2011 23 Mar'11

  Comodo warns of serious SSL certificate breach

  A breach at a registration authority caused Comodo to issue nine fraudulent certificates, enabling an attacker to impersonate some major websites and servers.

• February 10, 2011 10 Feb'11

  Emerging theme at RSA Conference 2011 may be 'mostly cloudy'

  Security vendors at RSA Conference 2011 need to be more specific about the security technologies they are aiming at the cloud, industry analysts say.

• January 31, 2011 31 Jan'11

  Cost of non-compliance outweighs cost of maintaining compliance, report finds

  A study by the Ponemon Institute found that the average total cost of compliance is more than $3.5 million.

• September 15, 2010 15 Sep'10

  IBM to acquire OpenPages for GRC, operational risk management

  OpenPages will be integrated with IBM's business analytics software portfolio.

• August 30, 2010 30 Aug'10

  Opinion: Security information sharing is a shared responsibility

  Senior Site Editor Eric B. Parizo says infosec pros need to participate in the public dialog for the good of the industry and offers harsh words for companies who silence their own security talent.

• June 22, 2010 22 Jun'10

  Gartner: Companies shouldn't bother banning Facebook, social networking

  The research firm argues social networking isn't the responsibility of enterprise information security, but social media governance policies and monitoring practices are important.

• May 11, 2010 11 May'10

  Aite Group: Take action now to manage remote deposit capture risks

  Fraud losses involving RDC technology have the potential to skyrocket if banks don't work proactively to deal with the risks, research firm says.

• March 23, 2010 23 Mar'10

  Insurance company finds relief with Forefront user provisioning tool

  First American Title Insurance Company cuts identity management user provisioning time from days to seconds with Microsoft Forefront Identity Manager 2010.

• March 12, 2010 12 Mar'10

  MD5 hash vulnerability is expert's top Web security flaw

  Jeremiah Grossman told RSA Conference 2010 attendees that a successful defense against Web-based flaws requires both a secure browser and a secure website infrastructure.

• October 13, 2009 13 Oct'09

  Five mistakes banks make in pandemic planning

  Experts cite five areas where financial institutions could improve their planning for a potential H1N1 outbreak

• September 22, 2009 22 Sep'09

  First Data, RSA push tokenization for payment processing

  The encryption-token service could compete against vendors offering format preserving encryption to secure payment transactions.

• September 15, 2009 15 Sep'09

  Brute force attacks target Yahoo email accounts

  Attackers target a background Web services authentication application used by ISPs and Web applications to authenticate users.

• July 30, 2009 30 Jul'09

  Machiavelli Mac OS X rootkit unveiled at Black Hat

  Researcher Dino Dai Zovi presented details on a rootkit called Machiavelli, a proof-of-concept Mac OS X rootkit that seeks to dent what many Mac enthusiasts believe is an impervious OS.

• July 30, 2009 30 Jul'09

  MMS messaging spoof hack could have global ramifications

  Researchers have figured out a way to spoof sender numbers, bypass carrier protections and trick mobile devices to pull content from an attacker's server. This would leave users vulnerable to phishing attacks and other scams.

• June 24, 2009 24 Jun'09

  TJX to pay $9.75 million for data breach investigations

  The company agrees to pay legal expenses related to investigations conducted by 41 Attorneys Generals and establish a data security fund for states.