News

News

• February 18, 2015 18 Feb'15

  Password reuse and password sharing prevalent in enterprises

  The high percentage of password reuse and sharing by employees leaves enterprises vulnerable to breaches, according to a recent survey from SailPoint Technologies.

• February 18, 2015 18 Feb'15

  When is an ISAC not an ISAC?

  A lot of what went on at the White House Summit on Cybersecurity and Consumer Protection, held at  Stanford University last week was for show — a reaction in particular to the attacks allegedly ...

• February 17, 2015 17 Feb'15

  UTM vs. NGFW: Unique products or advertising semantics?

  In comparing UTM vs. NGFW, organizations find it difficult to see if there are differences between the two products or if it is just marketing semantics.

• February 17, 2015 17 Feb'15

  International spyware operation linked to NSA

  The US National Security Agency has reportedly hidden surveillance software in the hard drives of several top computer makers

• February 13, 2015 13 Feb'15

  Security information sharing: A double-edged sword

  News roundup: While data sharing can boost intelligence and improve security, recent events show the benefits don't always outweigh the pitfalls. Plus: Chip-enabled POS systems coming quickly; MongoDB databases exposed; sophisticated phishing scams.

• Sponsored News

  • Keep out vulnerable third-party scripts that help steal data from your website

    Sponsored by Akamai - Visiting a website today, users gain access to a rich, interactive experience that is often customized to their preferences and enhanced for their convenience. See More

  • DDoS attacks are growing in frequency and scale during the pandemic. What can businesses do?

    Sponsored by Akamai - At a time when many businesses have their resources stretched to the limit, the scourge of distributed denial-of-service (DDoS) attacks has continued unabated and added to the difficulties faced by many during this ongoing pandemic. See More

  • Product Video: Page Integrity Manager

    Sponsored by Akamai - With modern web pages relying heavily on scripts to run services and access data, attackers are exploiting those scripts as a new attack vector to steal sensitive customer information. See More

  • Product Video: Web Application Protector

    Sponsored by Akamai - With limited security expertise, protecting your web applications is a daunting task. Web Application Protector provides automated web application firewall (WAF) and distributed denial-of-service (DDoS) protection that’s designed to offload the complexity associated with a traditional WAF. See More

  View All Sponsored News
• February 13, 2015 13 Feb'15

  Prevoty offers context-aware, automatic RASP

  Though I’ll admit to a bit of skepticism about Runtime Application Self Protection (RASP), I was nevertheless impressed with a recent look at Prevoty. The two-year-old company’s product, which ...

• February 12, 2015 12 Feb'15

  Report: Firewall policy management is a hot mess

  A new report from FireMon finds that firewalls are still a critical security component, but firewall policy management is a major pain point for admins.

• February 10, 2015 10 Feb'15

  February 2015 Patch Tuesday: Group Policy flaw tops three critical fixes

  Microsoft's February 2015 Patch Tuesday release offers three critical fixes, including one for a dangerous Group Policy vulnerability, but does not patch a recently revealed IE XSS zero-day flaw.

• February 10, 2015 10 Feb'15

  Will Chip and PIN technology boost payment card transaction security?

  Visa and MasterCard are putting pressure on merchants to implement Chip and PIN technology, and while it will improve transaction security, it won't make PCI compliance any easier.

• February 10, 2015 10 Feb'15

  Voltage Security acquisition to bolster HP's data protection offerings

  HP has agreed to acquire encryption vendor Voltage Security. Gartner says the move will bolster HP's data protection and cloud security products.

• February 09, 2015 09 Feb'15

  Security professionals warn against relying on cyber insurance

  Security professionals have warned businesses not to rely on cyber insurance in the face of increased cyber attacks.

• February 06, 2015 06 Feb'15

  Same-origin policy IE vulnerability may signal new attack trend

  A new IE vulnerability has led to a proof-of-concept same-origin policy exploit, and some experts say it highlights a technique that may soon become popular among attackers.

• February 06, 2015 06 Feb'15

  Budget, breach law highlight growing federal cybersecurity awareness

  News roundup: With the proposed 2016 federal budget and push for a national data breach law, Washington may finally care about cybersecurity. Plus: Coviello to retire; Flash patched again; Sony Pictures breached by Russians and loses its co-chair.

• February 06, 2015 06 Feb'15

  Report: Most enterprise security operations centers ineffective

  A new report by HP shows most enterprise security operations centers fail to meet recommended maturity levels needed to detect and manage cybersecurity threats.

• February 05, 2015 05 Feb'15

  Digitally signed malware risk on the rise, Kaspersky finds

  Kaspersky reports digitally signed malware -- malicious files using legitimate digital certificates -- is a growing threat to enterprises, increasing four-fold in the past six years.

• February 05, 2015 05 Feb'15

  US health insurer Anthem hacked, exposing up to 80 million records

  Hackers have broken into a database at US health insurer Anthem said to contain the personal data of up to 80 million people

• February 04, 2015 04 Feb'15

  Sony says cyber attack will cost $15m

  Sony expects the investigation and remediation costs of the November 2014 cyber attack on its movie subsidiary will amount to $15m

• February 02, 2015 02 Feb'15

  Adobe Flash patch promised this week for new zero-day bug

  Trend Micro discovered a new zero-day bug in Adobe Flash that is being actively exploited in the wild. Adobe promises a patch for the vulnerability this week.

• January 30, 2015 30 Jan'15

  GHOST Linux bug update: WordPress, other PHP applications vulnerable

  PHP applications, including WordPress, are vulnerable to the GHOST Linux exploit, but overall the flaw may not be as dangerous as first thought.

• January 30, 2015 30 Jan'15

  Will YouTube HTML5 transition mean the end of Flash security issues?

  News roundup: YouTube announced it has stopped using Flash by default in favor of HTML5. Is this the long-awaited end for Flash? Plus: Java was the riskiest software in 2014; BEC scam cost $215 last year; NFL data interceptions.

• January 29, 2015 29 Jan'15

  The politics of DDoS response

  Reports of a 'hack back' DDoS attack by Sony stirred up acceptable use questions.

• January 27, 2015 27 Jan'15

  Qualys finds GHOST: Critical Linux remote code execution flaw

  A critical Linux vulnerability, called GHOST, has been found to affect glibc versions released since 2000, and could pose a remote exploit risk on many Linux systems.

• January 23, 2015 23 Jan'15

  Detection vs. prevention: Ponemon report points to controversial trend

  A Ponemon Institute report highlights the biggest risks to endpoint security, and what IT professionals plan to do to fight back, including one controversial tactic in malware protection.

• January 23, 2015 23 Jan'15

  Patchapalooza: In 2015, software patches, software security flaws surge

  News roundup: An of onslaught Adobe, Oracle, OpenSSL, Chrome and Firefox patches highlights the sad state of software security in 2015. Plus, security budgets increasing; HealthCare.gov security woes; false-positive alerts cost millions annually.

• January 23, 2015 23 Jan'15

  CryptoWall 3.0: Ransomware returns, adopts I2P

  Shortly after CryptoWall began using TOR to conduct transcations, a new version of the ransomware, dubbed CryptoWall 3.0, has begun using I2P.

• January 22, 2015 22 Jan'15

  Report: Popularity of biometric authentication set to spike

  Juniper Research claims that the popularity of biometric authentication will rise dramatically in the next five years, incorporating innovative technology beyond today's fingerprint sensors and voice authentication systems.

• January 21, 2015 21 Jan'15

  Report: More than 90% of 2014 data breaches could have been prevented

  The Online Trust Alliance finds that over 90% of data breaches resulting in data loss could have been prevented.

• January 21, 2015 21 Jan'15

  Wasted spending on security shelfware affects small businesses more

  Osterman Research and Trustwave report that organizations waste money on underutilized security software because IT often doesn't have enough time or resources to use it.

• January 20, 2015 20 Jan'15

  ISACA: Majority of enterprises report cybersecurity workforce shortage

  In its new 2015 Global Cybersecurity Status Report, ISACA finds that most organizations are aware of cyberattack risk, but few believe they have the capability to thwart a sophisticated attack.

• January 19, 2015 19 Jan'15

  Android vulnerability highlights Google's controversial patch policy

  WebView vulnerabilities in older versions of Android are putting the majority of Android devices at risk. Google will not provide patches, forcing enterprises to determine the risk posed by unpatched Android devices.

• January 19, 2015 19 Jan'15

  Google's Project Zero reveals another Windows zero-day vulnerability

  For the third time in one month, Microsoft couldn't meet Google's 90-day public disclosure deadline, leading to Project Zero's disclosure, though experts say this Windows zero-day vulnerability may have little value to attackers.

• January 16, 2015 16 Jan'15

  Hardware security issues prove tough to find, harder to fix

  News roundup: Recently discovered firmware flaws highlight the challenges posed by hardware security. Plus: Heartland's breach warranty; RSA's overhaul; and Download.com's app (in)security.

• January 16, 2015 16 Jan'15

  Preview of 2015 Verizon PCI report hints at firewall compliance issues

  In a sneak preview of its 2015 PCI Compliance Report, Verizon says improper firewall maintenance is among the leading causes of PCI DSS compliance failures.

• January 15, 2015 15 Jan'15

  Cybersecurity training needed to raise number of skilled workers

  A survey by ESG finds that IT has an ongoing problematic shortage of enterprise cybersecurity skills, and the problem is getting worse.

• January 14, 2015 14 Jan'15

  Cybersecurity awareness can reduce infection risk up to 70%

  A new study from Wombat Security and Aberdeen Group shows that boosting cybersecurity awareness and education among employees can reduce enterprise security risks and cost.

• January 13, 2015 13 Jan'15

  Light January 2015 Patch Tuesday delivers one critical Windows fix

  Microsoft's January 2015 Patch Tuesday updates include a critical Windows update for Telnet, and a fix for a controversial Windows 8.1 flaw disclosed two weeks ago. Plus: An expert says Adobe's critical Flash Player fix demands immediate attention.

• January 13, 2015 13 Jan'15

  Cisco releases multiple WebEx security patches

  The most important of the seven fixes for the WebEx Meeting Server platform remedies a flaw that could allow a cross-site request forgery attack.

• January 09, 2015 09 Jan'15

  Fake SSL certificates enable variety of security threats, say experts

  Experts say the security industry's 'blind trust' may result in a new wave of security threats caused by fake SSL certificates, including man-in-the-middle and DNS attacks.

• January 09, 2015 09 Jan'15

  Sony Pictures hack recap: Experts debate North Korea's role

  News roundup: The FBI maintains North Korea was behind the Sony Pictures hack, in spite of naysayers. Plus: Malware campaign attributed to Russia; new Mac OS X bootkit; cyberattack causes physical damage.

• January 09, 2015 09 Jan'15

  Expert: Mobile malware risk rising, but still largely Android malware

  Video: Mobile malware expert Chester Wisniewski of Sophos says most enterprises need not fear mobile malware today, but Android malware is a growing threat.

• January 08, 2015 08 Jan'15

  Password security issues show case for privileged identity management

  Video: Lieberman Software CEO Philip Lieberman explains how privileged identity management can shore up the many weaknesses of password-based authentication.

• January 06, 2015 06 Jan'15

  IBM: Retail cyberattacks become less frequent, but more effective

  Research from IBM indicates cyberattackers are going after retailers with surgical precision, using fewer attack attempts yet frequently compromising vulnerable databases.

• January 05, 2015 05 Jan'15

  Evolving mobile security management thwarts unified endpoint management

  Experts say unified endpoint management for mobile devices, laptops and desktops will take more time due to the complex, evolving demands of mobile security management.

• December 19, 2014 19 Dec'14

  Home router security vulnerability exposes 12 million devices

  Check Point has uncovered a widespread home router security vulnerability, dubbed Misfortune Cookie, that could allow attackers to gain control over millions of devices.

• December 12, 2014 12 Dec'14

  Sony Pictures hacking back: The ethics of obfuscation

  News roundup: Amid a devastating breach incident Sony Pictures is fighting back, raising legal and ethical questions. Plus: A big week in security acquisitions; Comcast sued over open Wi-Fi; and Yahoo announces vulnerability disclosure policy.

• December 09, 2014 09 Dec'14

  FIDO Alliance releases 1.0 specifications for passwordless authentication

  Amid growing fears of stolen credentials and data breaches, the FIDO Alliance released its long-awaited 1.0 specifications for passwordless and multifactor authentication systems.

• November 21, 2014 21 Nov'14

  Encryption everywhere: Debating the risks and rewards

  News roundup: As the industry responds to growing demand for end-to-end Internet encryption, some fear unintended consequences. Plus: Black hats wanted; Windows Phone survives Pwn2Own; webcam spying resurgence.

• November 17, 2014 17 Nov'14

  Microsoft's Schannel security patch affecting TLS connections

  Microsoft admitted that MS14-066, released last week to patch a serious Schannel security vulnerability, is causing some users to drop TLS connections.

• November 04, 2014 04 Nov'14

  Despite skeptics, security awareness training for employees is booming

  Employee security awareness training has been derided in the past, but new Gartner research suggests that a market of competitive, high-quality vendors are making security awareness a must-have.

• October 15, 2014 15 Oct'14

  Remembering Shon Harris: Logical Security founder passes away

  Shon Harris, founder and CEO of Logical Security and recognized security certification training expert, died Oct. 8, 2014, after a long illness. SearchSecurity pays tribute to her contributions to the information security field.

• October 10, 2014 10 Oct'14

  Are offensive hacking courses ethical? Debating the ethics of hacking

  News roundup: Colleges across the country are offering courses in offensive hacking, but are they ethical? Plus: Why the first 'online murder' may happen in 2014; Palo Alto and NSS Labs make up; numerous Android security issues surface.

• October 03, 2014 03 Oct'14

  Palo Alto NGFW fails NSS Labs report, war of words ensues

  News roundup: Palo Alto's next-generation firewall fared poorly in a recent NSS Labs report, leading to a testy back-and-forth about NGFW testing. Plus: Mitnick selling zero days; EMET bypassed, again; iThemes stored plaintext passwords.

• October 02, 2014 02 Oct'14

  PCI 3.0 changes: A PCI compliance requirements checklist for 2015

  In this presentation, compliance expert Nancy Rodriguez offers a line-by-line review of the key PCI DSS changes that become mandatory as of Jan. 1, 2015.

• September 19, 2014 19 Sep'14

  Rogue IMSI catchers heighten enterprise cell phone security risks

  News roundup: Rogue cell phone towers are popping up across the United States, heightening enterprise communication and data privacy concerns. Plus: Goodwill breach update; Adobe patches released; and security in 2025.

• September 19, 2014 19 Sep'14

  Home Depot data breach update: 56 million cards confirmed stolen

  Home Depot said late Thursday that its recent breach involving 56 million payment cards was the result of custom-built malware, and that the company has since rolled out new POS encryption technology.

• September 05, 2014 05 Sep'14

  Goodwill breach highlights need for service provider due diligence

  News roundup: The recent Goodwill security breach has been blamed on a third-party service provider, highlighting the need for due diligence. Plus: Mobile device theft; Android app vulnerabilities and a 12-year-long cyber-espionage network.

• September 03, 2014 03 Sep'14

  Apple two-factor authentication fail leaves iCloud users vulnerable

  Apple's decision to not extend its two-factor authentication security mechanism to all iCloud services may leave users more vulnerable to attacks

• September 02, 2014 02 Sep'14

  Apple and FBI launch iCloud hack investigation

  Apple and FBI investigate the breach of Apple’s iCloud causing fresh business concerns over cloud security

• August 28, 2014 28 Aug'14

  Plan ahead to avoid SIEM deployment pitfalls

  Despite SIEM technology improvements, Gartner says many organizations still dive into SIEM deployments without adequate planning, often resulting in disaster.

• August 07, 2014 07 Aug'14

  SSC issues PCI compliance checklist for third-party service providers

  The PCI Security Standards Council's new information supplement helps enterprises implement a security assurance program to ensure their third-party service providers meet PCI DSS requirements.

• August 07, 2014 07 Aug'14

  Black Hat 2014: Researcher reveals Amazon cloud security weaknesses

  At Black Hat 2014, a researcher showed how AWS cloud security flaws and misconfigurations can have devastating consequences for AWS customers that don't take security seriously.

• August 06, 2014 06 Aug'14

  Russian hackers steal over a billion usernames and passwords

  A group of Russian cyber criminals have attacked 500 million email addresses and gained 1.2 billion usernames and passwords.

• July 24, 2014 24 Jul'14

  How the CryptoLocker ransomware was defeated with its own DGA

  Preview: At Black Hat USA, experts will detail the steps taken by the security community and law enforcement to put down the infamous CryptoLocker ransomware.

• July 15, 2014 15 Jul'14

  Pass the hash? Severity of Active Directory security flaw questioned

  Despite what may be a dangerous new Active Directory "pass the hash" attack variant, Microsoft has downplayed the issue as a technical limitation.

• July 08, 2014 08 Jul'14

  Multifactor authentication key to cloud security success

  Following the collapse of an AWS-based cloud hosting provider, experts say enterprises should prioritize use of multifactor authentication.

• June 24, 2014 24 Jun'14

  On prevention vs. detection, Gartner says to rebalance purchasing

  At its annual security confab, the research giant said enterprises buy too much threat prevention and not enough detection and response technology.

• June 19, 2014 19 Jun'14

  Amazon EC2 control panel hack submarines hosting provider

  Update: Following a hack that destroyed much of Code Spaces' AWS EC2 data, cloud app provider One More Cloud reported similar compromises.

• June 17, 2014 17 Jun'14

  API gateways emerge to address growing security demands

  With mobile, cloud and the Internet of Things driving massive API growth, experts say now is the time for API gateway technology to shine.

• June 12, 2014 12 Jun'14

  Pandemiya banking malware emerges as Zeus-level threat

  RSA researchers say the costly Pandemiya banking malware was written entirely from scratch, a dangerous oddity in the world of malware.

• June 05, 2014 05 Jun'14

  OpenID Connect: Poised for greatness in enterprise authentication?

  Despite the popularity of SAML, the mobile and cloud benefits of OpenID Connect may spur adoption as an enterprise authentication platform.

• May 23, 2014 23 May'14

  Next-generation firewall comparisons show no product is perfect

  When comparing NGFW appliances, experts say that enterprises should focus on products that meet specific needs, not just those with the most features.

• May 16, 2014 16 May'14

  For infosec career success, do security certifications trump all?

  Respondents to a SANS survey say security certifications lead to career success, but a top infosec career consultant says their value is limited.

• April 10, 2014 10 Apr'14

  'Heartbleed' OpenSSL vulnerability: A slow-motion train wreck

  Analysis: The 'Heartbleed' OpenSSL vulnerability is one of the worst bugs a SANS expert has seen, and that's before the fallout is fully understood.

• April 10, 2014 10 Apr'14

  NSA TAO: What Tailored Access Operations unit means for enterprises

  The NSA's top-secret Tailored Access Operations offensive hacking unit offers enterprise defense strategy lessons. Expert Nick Lewis discusses.

• April 03, 2014 03 Apr'14

  NTP-based DDoS attacks on the rise, but SYN floods still more perilous

  NTP-based DDoS attacks are increasing, but a report warns that SYN floods are still more likely to cause enterprises damage.

• April 01, 2014 01 Apr'14

  Data encryption, notification and the NIST Cybersecurity Framework

  Awkward? The NIST Cybersecurity Framework arrives as the U.S. government struggles to counter negative reports on its data privacy and encryption standards.

• March 12, 2014 12 Mar'14

  For merchants, Windows XP POS systems put PCI compliance at risk

  PCI compliance may be nearly impossible after the April 2014 Windows XP end-of-life date if merchants don't address vulnerable XP-based POS systems.

• March 03, 2014 03 Mar'14

  Ranum Q&A with Aaron Turner: Whitelisting is on enterprise blacklist

  An early proponent of Microsoft SRP, Aaron Turner says application whitelisting has finally taken hold in consumer app stores.

• February 24, 2014 24 Feb'14

  Richard Clarke: NSA revelations show potential for police state

  At the 2014 CSA Summit, presidential cybersecurity advisor Richard Clarke said NSA monitoring efforts are negatively affecting U.S. cloud providers.

• February 17, 2014 17 Feb'14

  Final version of NIST cybersecurity framework draws mixed reviews

  Experts differed over whether the NIST cybersecurity framework provides critical infrastructure firms with the tools to defend themselves.

• February 05, 2014 05 Feb'14

  Amid Microsoft MD5 deprecation, experts warn against SHA-1 algorithm

  With Microsoft's MD5 deprecation set for next week, experts say companies must be careful to avoid other weak protocols, like SHA-1.

• February 03, 2014 03 Feb'14

  Mobile security report: Data on devices

  New survey shows the battle between corporate-issued devices versus personally owned smartphones and tablets is too close to call.

• January 28, 2014 28 Jan'14

  McGraw: Software [in]security and scaling automated code review

  Gary McGraw and Jim Routh talk through the pitfalls of scaling static source code review and offer some potential process improvements.

• January 28, 2014 28 Jan'14

  On Data Privacy Day, OTA highlights need for data protection policy

  The Online Trust Alliance marks Data Privacy Day with events to help enterprises plan for inevitable data protection and privacy incidents.

• January 24, 2014 24 Jan'14

  Spear phishing still popular, but more watering hole attacks coming

  A report from CrowdStrike shows spear phishing remains popular in targeted attacks, but that watering hole attacks are gaining favor.

• January 10, 2014 10 Jan'14

  Target breach update: Information on up to 70 million customers stolen

  Updated details on the Target breach show a much greater scope than originally announced, and reveal its Q4 finances were hurt by related charges.

• January 03, 2014 03 Jan'14

  FireEye buys Mandiant in $1 billion deal

  In acquiring the incident response firm, FireEye will combine Mandiant's endpoint defense product with its network-based detection technology.

• December 24, 2013 24 Dec'13

  McGraw: Software [in]security and scaling architecture risk analysis

  Software architecture risk analysis doesn't have to be hard. Gary McGraw and Jim DelGrosso discuss an easier, more scalable process.

• December 02, 2013 02 Dec'13

  Return on security investment: The risky business of probability

  You are better off with real numbers when it comes to measuring probability and the elements of security risk, even if they are wrong.

• November 08, 2013 08 Nov'13

  Web application firewalls may not fix Web application security issues

  Some consultants are finding Web application firewall products don't deliver due to poor deployment strategies and a lack of skilled maintenance.

• October 28, 2013 28 Oct'13

  Software [In]security: BSIMM-V does a number on secure software dev

  The fifth iteration of the Building Security In Maturity Model project is a tool you can use as a measuring stick for software security initiatives.

• October 15, 2013 15 Oct'13

  The role of the enterprise intrusion prevention system in APT defense

  One research group says an enterprise IPS can't help detect APTs. But network security expert Brad Casey explains why that isn't necessarily true.

• September 20, 2013 20 Sep'13

  HP introduces 'self-healing' BIOS protection with SureStart

  HP's new SureStart feature detects and 'heals' corrupted BIOS code.

• September 10, 2013 10 Sep'13

  Opinion: Software [in]security -- software flaws in application architecture

  Many defects aren't found with code review. Gary McGraw and Jim DelGrosso think architectural risk analysis is a must to uncover software flaws.

• August 09, 2013 09 Aug'13

  Five major technology trends affecting software security assurance

  Column: Gary McGraw says five shifts in the IT landscape are affecting software security, but several BSIMM best practices can limit risk exposure.

• August 01, 2013 01 Aug'13

  New data on enterprise mobile security

  We polled readers in our annual Enterprise Mobile Security Survey and the 2013 results are in.

• August 01, 2013 01 Aug'13

  Black Hat 2013 opens with testy keynote, smart device hacks

  After a contentious opening keynote by NSA Director Gen. Keith Alexander, day one of Black Hat 2013 showed smart device hacks, severe SCADA issues.

• August 01, 2013 01 Aug'13

  Ten years later: The legacy of SB 1386 compliance on data privacy laws

  A decade after becoming law, the ripple effects of California's SB 1386 have surfaced in a new breed of proactive, granular state data privacy laws.

• June 19, 2013 19 Jun'13

  RSA Silver Tail improves online fraud detection, enterprise security

  Fraud prevention for the Web: RSA Silver Tail sets stage for enterprise-level security with big data and brand new interface.

• April 24, 2013 24 Apr'13

  PayPal CISO: Laws must foster better cybersecurity information sharing

  PayPal's Michael Barrett says many firms fear misuse of shared cybersecurity data. He also discusses the evolution of PCI DSS and mobile payment security.