News

News

• July 17, 2014 17 Jul'14

  Report finds poor security communication among executives

  New Ponemon Institute data shows enterprise executives rarely if ever talk with their security teams, and that threat modeling may be underused.

• July 15, 2014 15 Jul'14

  Pass the hash? Severity of Active Directory security flaw questioned

  Despite what may be a dangerous new Active Directory "pass the hash" attack variant, Microsoft has downplayed the issue as a technical limitation.

• July 15, 2014 15 Jul'14

  Why advanced threats are less dangerous than simple attacks

  Video: BeyondTrust's Marc Maiffret explains why simple attacks are often more effective than advanced threats.

• July 11, 2014 11 Jul'14

  Successful Heartbleed response still raises important questions

  Former CSO Paul Howell details the school's Heartbleed response and how he overcame challenges with assessment, patching and communication.

• July 10, 2014 10 Jul'14

  Facebook manipulation controversy offers ethics and privacy lessons

  News roundup: Facebook's manipulation of users' news feeds has reignited the data privacy debate regarding how enterprises should manage user data.

• July 08, 2014 08 Jul'14

  July 2014 Patch Tuesday fixes two dozen IE vulnerabilities

  Microsoft's July 2014 Patch Tuesday release addressed two dozen flaws in Internet Explorer. Adobe also provided a critical update for Flash.

• July 08, 2014 08 Jul'14

  Multifactor authentication key to cloud security success

  Following the collapse of an AWS-based cloud hosting provider, experts say enterprises should prioritize use of multifactor authentication.

• July 07, 2014 07 Jul'14

  Oracle: Future Java updates for Windows XP users may not arrive

  Though Oracle has confirmed that Windows XP users will not see Java 8 updates for now, security support for Java 7 is still possible.

• July 02, 2014 02 Jul'14

  OpenSSL Project establishes roadmap for future OpenSSL security

  Heartbleed exposed a number of long-standing issues at OpenSSL, but the open source encryption project has laid out plans to improve the organization.

• July 01, 2014 01 Jul'14

  New site catalogs XSS vulnerabilities in top Web domains

  A new online archive is allowing researchers to anonymously submit and expose cross-site scripting vulnerabilities uncovered across the Web.

• June 30, 2014 30 Jun'14

  Gartner: Nascent SDN security controls pose sizable risk

  A Gartner analyst says SDN security issues abound because of lacking security controls, little interoperability and shaky management features.

• June 27, 2014 27 Jun'14

  User security training program success relies on psychology

  A Gartner analyst offers some psychology tips to help security pros get inside users' heads and eliminate bad security behaviors.

• June 26, 2014 26 Jun'14

  Harassment claims call OWASP leadership, governance into question

  Special report: The handling of an OWASP employee's disputed harassment claim has sparked a debate over the group's governance and its future.

• June 25, 2014 25 Jun'14

  Enterprises fix NTP amplification, but many DDoS techniques remain

  NTP amplification had led to several recent massive DDoS attacks. Despite the good news, researchers say many other DDoS techniques remain unfixed.

• June 24, 2014 24 Jun'14

  On prevention vs. detection, Gartner says to rebalance purchasing

  At its annual security confab, the research giant said enterprises buy too much threat prevention and not enough detection and response technology.

• June 19, 2014 19 Jun'14

  Amazon EC2 control panel hack submarines hosting provider

  Update: Following a hack that destroyed much of Code Spaces' AWS EC2 data, cloud app provider One More Cloud reported similar compromises.

• June 18, 2014 18 Jun'14

  Experts tout benefits of bug bounty program outsourcing

  Third-party vendors are enabling bug bounty programs for organizations of all sizes, experts say, by handling triage and payment duties.

• June 17, 2014 17 Jun'14

  API gateways emerge to address growing security demands

  With mobile, cloud and the Internet of Things driving massive API growth, experts say now is the time for API gateway technology to shine.

• June 10, 2014 10 Jun'14

  June 2014 Patch Tuesday brings huge IE update, IE8 vulnerability fix

  June's patches fix an Internet Explorer 8 issue that Microsoft said was never exploited in the wild. Plus: Adobe issues a critical Flash Player patch.

• June 10, 2014 10 Jun'14

  CryptoLocker takedown unlikely to deter growing ransomware

  CryptoLocker's infrastructure may be down for now, but experts say the easy money that can be made from ransomware means it is here to stay.

• June 10, 2014 10 Jun'14

  Chris Wysopal reveals new ways to monitor open source code security

  Video: Chris Wysopal of Veracode discusses the risks of externally sourced code and monitoring its use in the enterprise.

• June 06, 2014 06 Jun'14

  EBay breach response missteps: What other organizations can learn

  The mishandled eBay breach response effort showed that even enterprises with mature information security programs can fumble the ball.

• June 05, 2014 05 Jun'14

  OpenID Connect: Poised for greatness in enterprise authentication?

  Despite the popularity of SAML, the mobile and cloud benefits of OpenID Connect may spur adoption as an enterprise authentication platform.

• June 05, 2014 05 Jun'14

  PCI SIG supplemental guidance process begins 2015 nominations

  The Security Standards Council is soliciting topics for next year's PCI DSS special interest groups, despite delays that have held back two 2013 PCI SIGs.

• June 04, 2014 04 Jun'14

  Recent barrage of IE zero days highlights risk for enterprises

  Despite a torrent of recent Internet Explorer zero-days, experts cautioned that the flaws aren't a true gauge of the browser's security.

• June 03, 2014 03 Jun'14

  Heartbleed attack research shows risk to enterprise wireless networks

  According to one researcher, most enterprise wireless networks are likely vulnerable to Cupid, a proof-of-concept based on the Heartbleed attack.

• June 02, 2014 02 Jun'14

  High alert on cyber risk and cybersecurity preparedness

  Threat intelligence can shine a light on important security holes.

• May 30, 2014 30 May'14

  TrueCrypt shutdown: Little warning, explanation given by developers

  For enterprises, the sudden shuttering of the disk-encryption utility TrueCrypt highlights the risk of using open source security tools.

• May 27, 2014 27 May'14

  New certification seeks to bolster insider threat programs

  Carnegie Mellon's new certificate aims to arm managers with the necessary skills to develop an insider threat program from scratch.

• May 23, 2014 23 May'14

  Next-generation firewall comparisons show no product is perfect

  When comparing NGFW appliances, experts say that enterprises should focus on products that meet specific needs, not just those with the most features.

• May 21, 2014 21 May'14

  Microsoft fails to address IE zero day before public disclosure

  Though notified of the IE zero day months ago, Microsoft failed to address the vulnerability before it was made public.

• May 21, 2014 21 May'14

  Vulnerable applications, plug-ins remain juicy targets

  As attackers increasingly target e-commerce websites, vulnerable applications and third-party plug-ins represent an easy avenue of exploitation.

• May 20, 2014 20 May'14

  Enterprises fear insiders, but lack privileged user controls

  A new survey finds that, despite the huge looming threat of malicious insiders, many enterprises fail to implement proper privileged user controls.

• May 16, 2014 16 May'14

  Heartbleed flaw lingers due to shaky response

  Uneven response efforts have left hundreds of thousands of servers and other devices vulnerable to the Heartbleed OpenSSL vulnerability.

• May 16, 2014 16 May'14

  For infosec career success, do security certifications trump all?

  Respondents to a SANS survey say security certifications lead to career success, but a top infosec career consultant says their value is limited.

• May 15, 2014 15 May'14

  White House big data initiative: A data security and privacy analysis

  Attorney Francoise Gilbert analyzes the White House big data initiative and the data security and privacy ramifications for enterprises.

• May 13, 2014 13 May'14

  May 2014 Patch Tuesday delivers critical IE security update

  Microsoft's May 2014 Patch Tuesday features two critical security updates, including another fix for its beleaguered Internet Explorer browser.

• May 13, 2014 13 May'14

  NTLM security flaws show attackers don't need latest malware to thrive

  Security flaws in protocols such as NTLM are so easy to exploit that in many cases attackers no longer need the latest and greatest malware.

• May 13, 2014 13 May'14

  PCI SSC webcast to highlight risk of small business data breaches

  During National Small Business Week, the PCI SSC will offer a free webcast Thursday to draw attention to the risk of small business data breaches.

• May 09, 2014 09 May'14

  ISACA certification, training program targets entry-level security pros

  ISACA has launched a new program to create an entry-level information security certification path that may rival offerings from (ISC)2 and CompTIA.

• May 08, 2014 08 May'14

  Two New York hospitals to pay largest-ever HIPAA violation settlement

  Two New York hospitals agreed to pay a $4.8 million settlement for a potential HIPAA violation dating back to 2010.

• May 05, 2014 05 May'14

  How the Target CEO resignation will affect other execs' security views

  Experts say the resignation of Target CEO Gregg Steinhafel shows that executives at other companies must now take security seriously -- or else.

• May 01, 2014 01 May'14

  Microsoft issues out-of-band patch for 'use-after-free' IE zero day

  Microsoft's out-of-band patch for the 'use-after-free' IE zero day offered a fix for Windows XP, which is now being actively targeted.

• May 01, 2014 01 May'14

  Good information security leadership demands focus on shared knowledge

  At a SANS event, former NSA cybersecurity boss Tony Sager said effective information security leadership requires a holistic, disciplined approach.

• April 29, 2014 29 Apr'14

  DDoS trends: Attackers vary DDoS size to cloak other attacks

  A new report indicated malicious actors are hiding behind DDoS attacks, successfully installing malware and stealing sensitive data undetected.

• April 28, 2014 28 Apr'14

  Microsoft confirms IE zero day being used in active exploits

  The IE zero-day, first spotted by FireEye, is being actively exploited in the wild. US-CERT recommends avoiding IE until a fix is released.

• April 25, 2014 25 Apr'14

  Report: Gap between on-premises and cloud attacks closing

  A new report shows the volume of cloud attacks is rising, as attack types traditionally associated with on-premises environments migrate with users.

• April 24, 2014 24 Apr'14

  Heartbleed response: Tech giants to fund OpenSSL, other projects

  A number of tech giants have pledged financial help to OpenSSL and other open source projects after the Heartbleed bug exposed numerous issues.

• April 24, 2014 24 Apr'14

  FBI notice: Healthcare security not as mature as other verticals

  The security practices in place at healthcare organizations is not up to par with those of other, more mature industries, according to an FBI notice.

• April 22, 2014 22 Apr'14

  Verizon data breach report: Web application attacks a growing concern

  The 2014 Verizon data breach report shows a big rise in Web application attacks, with CMS frameworks and user credentials the most likely targets.

• April 22, 2014 22 Apr'14

  Verizon DBIR 2014: Incident patterns show industry-specific threats

  The Verizon DBIR 2014 shows that organizations should build a security strategy around industry-specific threats and incident patterns.

• April 18, 2014 18 Apr'14

  Revoked certificates cause issues after Heartbleed

  In the wake of the Heartbleed OpenSSL vulnerability, the massive deluge of revoked certificates could cause palpitations across the Internet.

• April 18, 2014 18 Apr'14

  Michaels breach: Retailer says up to three million cards affected

  Sophisticated malware was behind the Michaels breach that resulted in three million compromised payment cards, according to the crafts retailer.

• April 17, 2014 17 Apr'14

  Report says app risk management should fall to business stakeholders

  When it comes to app risk management, who is ultimately responsible: business leaders or security professionals? A new report weighs in.

• April 16, 2014 16 Apr'14

  The Heartbleed OpenSSL vulnerability may pose risk to Android users

  Though millions of Android devices could contain the Heartbleed OpenSSL vulnerability, experts say the risk to Android users may not be that great.

• April 15, 2014 15 Apr'14

  Both attackers, researchers exploit Heartbleed OpenSSL vulnerability

  Proving the Heartbleed OpenSSL vulnerability can be exploited in the wild, two organizations say attackers have used it to glean sensitive data.

• April 11, 2014 11 Apr'14

  NSS Labs breach-detection systems report sparks controversy

  FireEye and Palo Alto Networks take issue with the new NSS Labs report on breach-detection systems, calling the review process into question.

• April 10, 2014 10 Apr'14

  'Heartbleed' OpenSSL vulnerability: A slow-motion train wreck

  Analysis: The 'Heartbleed' OpenSSL vulnerability is one of the worst bugs a SANS expert has seen, and that's before the fallout is fully understood.

• April 10, 2014 10 Apr'14

  NSA TAO: What Tailored Access Operations unit means for enterprises

  The NSA's top-secret Tailored Access Operations offensive hacking unit offers enterprise defense strategy lessons. Expert Nick Lewis discusses.

• April 10, 2014 10 Apr'14

  What are the effects of the ongoing NSA encryption-cracking scandal?

  Video: Cryptography Research Inc. president Paul Kocher details how the ongoing NSA encryption-cracking scandal affects trusted crypto algorithms.

• April 08, 2014 08 Apr'14

  April 2014 Patch Tuesday: Microsoft ships final XP security updates

  The April 2014 Patch Tuesday release features the final Office 2003 and XP security updates, as well as a fix for a recent Word zero-day.

• April 08, 2014 08 Apr'14

  OpenSSL security vulnerability 'Heartbleed' may have exposed encrypted traffic

  Researchers who discovered the 'Heartbleed' OpenSSL security vulnerability say it could have exposed encrypted Internet traffic from millions of systems.

• April 08, 2014 08 Apr'14

  Security experts optimistic amid Windows XP end-of-life date

  Windows XP's end-of-life date is here, and while experts said dangerous new attacks won't arrive right away, they will soon enough.

• April 04, 2014 04 Apr'14

  OpenDNS' Hubbard predicts Internet threats with security analytics

  OpenDNS CTO Dan Hubbard says big data techniques like machine learning and data mining can be used to spot and mitigate unknown Internet threats.

• April 03, 2014 03 Apr'14

  NTP-based DDoS attacks on the rise, but SYN floods still more perilous

  NTP-based DDoS attacks are increasing, but a report warns that SYN floods are still more likely to cause enterprises damage.

• April 02, 2014 02 Apr'14

  Safari security update includes fix for 2014 Pwn2Own hack

  The Safari security update addresses a number of remotely exploitable vulnerabilities and includes a fix for a hack from the Pwn2Own competition.

• April 01, 2014 01 Apr'14

  Women in cybersecurity: The time is now

  With the field in urgent need of practitioners, the chief of a new cybersecurity program at a small women's college believes he can make a difference.

• April 01, 2014 01 Apr'14

  Marcus Ranum and Anton Chuvakin explore big data and security

  When will big data technologies move past the hype and help security teams?

• April 01, 2014 01 Apr'14

  Data encryption, notification and the NIST Cybersecurity Framework

  Awkward? The NIST Cybersecurity Framework arrives as the U.S. government struggles to counter negative reports on its data privacy and encryption standards.

• April 01, 2014 01 Apr'14

  Banks drop Target breach lawsuit amid Trustwave liability questions

  It remains unclear whether Trustwave could be held liable for Target's massive 2013 data breach in future litigation.

• March 31, 2014 31 Mar'14

  McGraw: Firewalls, fairy dust and forensics? Try software security

  Gary McGraw discusses why the software security segment of the IT security industry is growing at a faster rate than the category as a whole.

• March 31, 2014 31 Mar'14

  Windows XP migration lessons: Focus on application compatibility

  IT pros who have successfully completed large-scale Windows XP migrations advise focusing on application compatibility and up-front planning.

• March 31, 2014 31 Mar'14

  Microsoft privacy policy to change in wake of Hotmail privacy debate

  The Microsoft privacy policy changes are meant to address concerns raised by the company's questionable search of a Hotmail account.

• March 28, 2014 28 Mar'14

  Security acquisitions: Palo Alto buys Cyvera; Trustwave buys Cenzic

  Security vendors had money to spend in March as acquisition activity featured Trustwave scooping up Cenzic and Palo Alto's purchase of Cyvera.

• March 28, 2014 28 Mar'14

  Cisco IOS security patches address denial-of-service vulnerabilities

  The bundle of IOS security patches addresses a total of six denial-of-service vulnerabilities in Cisco's enterprise networking products.

• March 26, 2014 26 Mar'14

  Target breach lawsuit pins partial blame on security vendor Trustwave

  The lawsuit cites Target for negligence in its massive data breach, and accuses Trustwave of not spotting the incident in a timely manner.

• March 26, 2014 26 Mar'14

  ACA security issues can be tamed with right controls, expert says

  The Affordable Care Act introduced a number of infosec issues, but an expert at SecureWorld Boston 2014 said the right mitigations can ease concerns.

• March 25, 2014 25 Mar'14

  Advanced threat detection products yet to earn trust of enterprises

  Innovative threat detection products like FireEye and Damballa aren't being deployed inline and that lack of trust poses incident response challenges.

• March 21, 2014 21 Mar'14

  Experts: Merely ousting Bennett won't solve Symantec strategy problems

  Experts say firing Steve Bennett overshadows the larger problems with the Symantec strategy, namely the company's lack of focus on security.

• March 21, 2014 21 Mar'14

  HealthCare.gov security issues: Lessons learned for enterprises

  Researchers have warned of numerous HealthCare.gov security issues. Michael Cobb reviews the website security lessons learned for enterprises.

• March 20, 2014 20 Mar'14

  Bennett out as Symantec CEO

  Symantec Thursday fired its CEO, Steve Bennett, amid ongoing struggles to adjust to a changing infosec product market.

• March 20, 2014 20 Mar'14

  Monitoring for unusual network traffic key to banking botnet detection

  Spotting unusual network traffic, like large amounts of encrypted data headed to suspicious domains, is key to better banking botnet detection.

• March 19, 2014 19 Mar'14

  Imperva finds old PHP vulnerability still being exploited by attackers

  Security vendor Imperva says thousands of enterprise Web servers are exposed to an easy-to-exploit PHP flaw despite a patch long being available.

• March 18, 2014 18 Mar'14

  Despite Pwn2Own 2014 hacks, application sandboxing still critical

  Researchers at the 2014 Pwn2Own contest bypassed application sandboxing repeatedly, proving even the most secure applications can be vulnerable.

• March 18, 2014 18 Mar'14

  Data suggests Android malware threat greatly overhyped

  Vendors may hype the Android malware threat, but data indicates the Android security ecosystem has kept Android malware at bay.

• March 13, 2014 13 Mar'14

  Consumers: Companies don't take data privacy and security seriously

  Nearly three out of four say companies don't value data privacy and security, but experts say to see change, consumers must vote with their wallets.

• March 12, 2014 12 Mar'14

  For merchants, Windows XP POS systems put PCI compliance at risk

  PCI compliance may be nearly impossible after the April 2014 Windows XP end-of-life date if merchants don't address vulnerable XP-based POS systems.

• March 12, 2014 12 Mar'14

  Experts: Filling CISO role just first step for Target security program

  Veteran CISOs say Target's move to create and fill its CISO role is a good one, but that can't be the end of the Target security program overhaul.

• March 11, 2014 11 Mar'14

  March 2014 Patch Tuesday produces fix for IE zero day

  Microsoft moved to address a lingering Internet Explorer zero-day vulnerability that was originally discovered by security vendor FireEye in February.

• March 10, 2014 10 Mar'14

  DevOps and security: Coexistence depends on automated security tools

  Does DevOps sacrifice security to speed software deployments? Experts say DevOps and security can coexist with help from automated security tools.

• March 10, 2014 10 Mar'14

  How will Cisco-Sourcefire security combo affect Cisco product roadmap?

  New Cisco CTO Martin Roesch says the Cisco product roadmap for network security will include a robust NGFW using Sourcefire technology.

• March 07, 2014 07 Mar'14

  Cisco provides patch for critical wireless router vulnerability

  Cisco Systems has provided a security patch for an authentication vulnerability found in its Wireless N-VPN family of routers and firewall.

• March 06, 2014 06 Mar'14

  Information security incident response teams need plans and partners

  Speakers at RSA Conference 2014 said information security incident response teams must identify and prep key participants well before incidents occur.

• March 05, 2014 05 Mar'14

  TrustyCon: U.S. data privacy laws offer little protection from FBI seizures

  Attorney Marcia Hofmann says without new data privacy laws, the FBI can strong-arm providers into handing over customers' sensitive data.

• March 05, 2014 05 Mar'14

  RSA 2014 recap: On NSA surveillance, truth remains elusive

  Expert Kevin Beaver shares his highlights of RSA Conference 2014 and offers advice on how to apply the knowledge learned at this year's event.

• March 04, 2014 04 Mar'14

  Microsoft's EMET security tool useful despite bypasses, say experts

  Experts say Microsoft's EMET security tool remains valuable to enterprise security teams if used as one layer in a larger security strategy.

• March 03, 2014 03 Mar'14

  Sears confirms data breach investigation amid retailer data breaches

  Sears is undergoing a data breach investigation for an unconfirmed incident, but speculation persists about false positives from the Target breach.

• March 03, 2014 03 Mar'14

  Mobility bandwagon: Developing enterprise mobile applications

  Mobile security gaps stretch from distributed architecture to data leaks. Address security and privacy concerns before any coding starts.

• March 03, 2014 03 Mar'14

  Ranum Q&A with Aaron Turner: Whitelisting is on enterprise blacklist

  An early proponent of Microsoft SRP, Aaron Turner says application whitelisting has finally taken hold in consumer app stores.

• March 03, 2014 03 Mar'14

  IT security salary survey: What happened in 2013, forecast for 2014

  The value of information security professionals can outweigh security technology. Does your organization show you the money?