News

News

• February 10, 2015 10 Feb'15

  Voltage Security acquisition to bolster HP's data protection offerings

  HP has agreed to acquire encryption vendor Voltage Security. Gartner says the move will bolster HP's data protection and cloud security products.

• February 09, 2015 09 Feb'15

  Security professionals warn against relying on cyber insurance

  Security professionals have warned businesses not to rely on cyber insurance in the face of increased cyber attacks.

• February 06, 2015 06 Feb'15

  Same-origin policy IE vulnerability may signal new attack trend

  A new IE vulnerability has led to a proof-of-concept same-origin policy exploit, and some experts say it highlights a technique that may soon become popular among attackers.

• February 06, 2015 06 Feb'15

  Budget, breach law highlight growing federal cybersecurity awareness

  News roundup: With the proposed 2016 federal budget and push for a national data breach law, Washington may finally care about cybersecurity. Plus: Coviello to retire; Flash patched again; Sony Pictures breached by Russians and loses its co-chair.

• February 06, 2015 06 Feb'15

  Report: Most enterprise security operations centers ineffective

  A new report by HP shows most enterprise security operations centers fail to meet recommended maturity levels needed to detect and manage cybersecurity threats.

• Sponsored News

  • It’s Time to Modernize Your SOC

    Sponsored by Microsoft - With the shift to remote work caused by COVID-19, Security Operations Centers (SOCs) are under more pressure than ever, particularly with many SOC workers also working from home. Today’s reality is that SOCs have to embrace a new way of working in order to keep their analysts and admins effective and to ensure that morale doesn’t collapse under the weight of too much work and pressure. See More

  • 6 Factors to Consider in Building Resilience Now

    Sponsored by Microsoft - COVID-19 has been, and continues to be, a stark reminder of the importance of business resilience. Organizations of all types and sizes have had to adjust to rapidly changing and unpredictable circumstances: A shift to remote work, supply chain disruptions, new digitally driven business models and an environment where uncertainty is the rule, not the exception. See More

  • Why Zero Trust, Why Now

    Sponsored by Microsoft - The concept of a Zero Trust cybersecurity architecture has been around for more than a decade, but adoption didn’t really begin to take hold until the past couple of years. As with many technology innovations, it hasn’t always been clear just what Zero Trust is all about and, more important, how to implement it easily and cost effectively. See More

  • 5 Best Practices To Secure Remote Workers

    Sponsored by Microsoft - The impact of COVID-19 has changed the dynamics and landscape of remote work for at least the foreseeable future and, probably, forever. All of a sudden, organizations across all industries had to scale remote workers at unprecedented intensity and speed. See More

  View All Sponsored News
• February 05, 2015 05 Feb'15

  Digitally signed malware risk on the rise, Kaspersky finds

  Kaspersky reports digitally signed malware -- malicious files using legitimate digital certificates -- is a growing threat to enterprises, increasing four-fold in the past six years.

• February 05, 2015 05 Feb'15

  US health insurer Anthem hacked, exposing up to 80 million records

  Hackers have broken into a database at US health insurer Anthem said to contain the personal data of up to 80 million people

• February 04, 2015 04 Feb'15

  Sony says cyber attack will cost $15m

  Sony expects the investigation and remediation costs of the November 2014 cyber attack on its movie subsidiary will amount to $15m

• February 02, 2015 02 Feb'15

  Adobe Flash patch promised this week for new zero-day bug

  Trend Micro discovered a new zero-day bug in Adobe Flash that is being actively exploited in the wild. Adobe promises a patch for the vulnerability this week.

• January 30, 2015 30 Jan'15

  GHOST Linux bug update: WordPress, other PHP applications vulnerable

  PHP applications, including WordPress, are vulnerable to the GHOST Linux exploit, but overall the flaw may not be as dangerous as first thought.

• January 30, 2015 30 Jan'15

  Will YouTube HTML5 transition mean the end of Flash security issues?

  News roundup: YouTube announced it has stopped using Flash by default in favor of HTML5. Is this the long-awaited end for Flash? Plus: Java was the riskiest software in 2014; BEC scam cost $215 last year; NFL data interceptions.

• January 29, 2015 29 Jan'15

  The politics of DDoS response

  Reports of a 'hack back' DDoS attack by Sony stirred up acceptable use questions.

• January 27, 2015 27 Jan'15

  Qualys finds GHOST: Critical Linux remote code execution flaw

  A critical Linux vulnerability, called GHOST, has been found to affect glibc versions released since 2000, and could pose a remote exploit risk on many Linux systems.

• January 23, 2015 23 Jan'15

  Detection vs. prevention: Ponemon report points to controversial trend

  A Ponemon Institute report highlights the biggest risks to endpoint security, and what IT professionals plan to do to fight back, including one controversial tactic in malware protection.

• January 23, 2015 23 Jan'15

  Patchapalooza: In 2015, software patches, software security flaws surge

  News roundup: An of onslaught Adobe, Oracle, OpenSSL, Chrome and Firefox patches highlights the sad state of software security in 2015. Plus, security budgets increasing; HealthCare.gov security woes; false-positive alerts cost millions annually.

• January 23, 2015 23 Jan'15

  CryptoWall 3.0: Ransomware returns, adopts I2P

  Shortly after CryptoWall began using TOR to conduct transcations, a new version of the ransomware, dubbed CryptoWall 3.0, has begun using I2P.

• January 22, 2015 22 Jan'15

  Report: Popularity of biometric authentication set to spike

  Juniper Research claims that the popularity of biometric authentication will rise dramatically in the next five years, incorporating innovative technology beyond today's fingerprint sensors and voice authentication systems.

• January 21, 2015 21 Jan'15

  Report: More than 90% of 2014 data breaches could have been prevented

  The Online Trust Alliance finds that over 90% of data breaches resulting in data loss could have been prevented.

• January 21, 2015 21 Jan'15

  Wasted spending on security shelfware affects small businesses more

  Osterman Research and Trustwave report that organizations waste money on underutilized security software because IT often doesn't have enough time or resources to use it.

• January 20, 2015 20 Jan'15

  ISACA: Majority of enterprises report cybersecurity workforce shortage

  In its new 2015 Global Cybersecurity Status Report, ISACA finds that most organizations are aware of cyberattack risk, but few believe they have the capability to thwart a sophisticated attack.

• January 19, 2015 19 Jan'15

  Android vulnerability highlights Google's controversial patch policy

  WebView vulnerabilities in older versions of Android are putting the majority of Android devices at risk. Google will not provide patches, forcing enterprises to determine the risk posed by unpatched Android devices.

• January 19, 2015 19 Jan'15

  Google's Project Zero reveals another Windows zero-day vulnerability

  For the third time in one month, Microsoft couldn't meet Google's 90-day public disclosure deadline, leading to Project Zero's disclosure, though experts say this Windows zero-day vulnerability may have little value to attackers.

• January 16, 2015 16 Jan'15

  Hardware security issues prove tough to find, harder to fix

  News roundup: Recently discovered firmware flaws highlight the challenges posed by hardware security. Plus: Heartland's breach warranty; RSA's overhaul; and Download.com's app (in)security.

• January 16, 2015 16 Jan'15

  Preview of 2015 Verizon PCI report hints at firewall compliance issues

  In a sneak preview of its 2015 PCI Compliance Report, Verizon says improper firewall maintenance is among the leading causes of PCI DSS compliance failures.

• January 15, 2015 15 Jan'15

  Cybersecurity training needed to raise number of skilled workers

  A survey by ESG finds that IT has an ongoing problematic shortage of enterprise cybersecurity skills, and the problem is getting worse.

• January 14, 2015 14 Jan'15

  Cybersecurity awareness can reduce infection risk up to 70%

  A new study from Wombat Security and Aberdeen Group shows that boosting cybersecurity awareness and education among employees can reduce enterprise security risks and cost.

• January 13, 2015 13 Jan'15

  Light January 2015 Patch Tuesday delivers one critical Windows fix

  Microsoft's January 2015 Patch Tuesday updates include a critical Windows update for Telnet, and a fix for a controversial Windows 8.1 flaw disclosed two weeks ago. Plus: An expert says Adobe's critical Flash Player fix demands immediate attention.

• January 13, 2015 13 Jan'15

  Cisco releases multiple WebEx security patches

  The most important of the seven fixes for the WebEx Meeting Server platform remedies a flaw that could allow a cross-site request forgery attack.

• January 09, 2015 09 Jan'15

  Fake SSL certificates enable variety of security threats, say experts

  Experts say the security industry's 'blind trust' may result in a new wave of security threats caused by fake SSL certificates, including man-in-the-middle and DNS attacks.

• January 09, 2015 09 Jan'15

  Sony Pictures hack recap: Experts debate North Korea's role

  News roundup: The FBI maintains North Korea was behind the Sony Pictures hack, in spite of naysayers. Plus: Malware campaign attributed to Russia; new Mac OS X bootkit; cyberattack causes physical damage.

• January 06, 2015 06 Jan'15

  IBM: Retail cyberattacks become less frequent, but more effective

  Research from IBM indicates cyberattackers are going after retailers with surgical precision, using fewer attack attempts yet frequently compromising vulnerable databases.

• January 05, 2015 05 Jan'15

  Evolving mobile security management thwarts unified endpoint management

  Experts say unified endpoint management for mobile devices, laptops and desktops will take more time due to the complex, evolving demands of mobile security management.

• December 12, 2014 12 Dec'14

  Sony Pictures hacking back: The ethics of obfuscation

  News roundup: Amid a devastating breach incident Sony Pictures is fighting back, raising legal and ethical questions. Plus: A big week in security acquisitions; Comcast sued over open Wi-Fi; and Yahoo announces vulnerability disclosure policy.

• November 21, 2014 21 Nov'14

  Encryption everywhere: Debating the risks and rewards

  News roundup: As the industry responds to growing demand for end-to-end Internet encryption, some fear unintended consequences. Plus: Black hats wanted; Windows Phone survives Pwn2Own; webcam spying resurgence.

• November 17, 2014 17 Nov'14

  Microsoft's Schannel security patch affecting TLS connections

  Microsoft admitted that MS14-066, released last week to patch a serious Schannel security vulnerability, is causing some users to drop TLS connections.

• November 04, 2014 04 Nov'14

  Despite skeptics, security awareness training for employees is booming

  Employee security awareness training has been derided in the past, but new Gartner research suggests that a market of competitive, high-quality vendors are making security awareness a must-have.

• October 15, 2014 15 Oct'14

  Remembering Shon Harris: Logical Security founder passes away

  Shon Harris, founder and CEO of Logical Security and recognized security certification training expert, died Oct. 8, 2014, after a long illness. SearchSecurity pays tribute to her contributions to the information security field.

• October 03, 2014 03 Oct'14

  Palo Alto NGFW fails NSS Labs report, war of words ensues

  News roundup: Palo Alto's next-generation firewall fared poorly in a recent NSS Labs report, leading to a testy back-and-forth about NGFW testing. Plus: Mitnick selling zero days; EMET bypassed, again; iThemes stored plaintext passwords.

• September 05, 2014 05 Sep'14

  Goodwill breach highlights need for service provider due diligence

  News roundup: The recent Goodwill security breach has been blamed on a third-party service provider, highlighting the need for due diligence. Plus: Mobile device theft; Android app vulnerabilities and a 12-year-long cyber-espionage network.

• September 02, 2014 02 Sep'14

  Apple and FBI launch iCloud hack investigation

  Apple and FBI investigate the breach of Apple’s iCloud causing fresh business concerns over cloud security

• August 28, 2014 28 Aug'14

  Plan ahead to avoid SIEM deployment pitfalls

  Despite SIEM technology improvements, Gartner says many organizations still dive into SIEM deployments without adequate planning, often resulting in disaster.

• August 07, 2014 07 Aug'14

  Black Hat 2014: Researcher reveals Amazon cloud security weaknesses

  At Black Hat 2014, a researcher showed how AWS cloud security flaws and misconfigurations can have devastating consequences for AWS customers that don't take security seriously.

• August 06, 2014 06 Aug'14

  Russian hackers steal over a billion usernames and passwords

  A group of Russian cyber criminals have attacked 500 million email addresses and gained 1.2 billion usernames and passwords.

• July 24, 2014 24 Jul'14

  How the CryptoLocker ransomware was defeated with its own DGA

  Preview: At Black Hat USA, experts will detail the steps taken by the security community and law enforcement to put down the infamous CryptoLocker ransomware.

• July 15, 2014 15 Jul'14

  Pass the hash? Severity of Active Directory security flaw questioned

  Despite what may be a dangerous new Active Directory "pass the hash" attack variant, Microsoft has downplayed the issue as a technical limitation.

• June 24, 2014 24 Jun'14

  On prevention vs. detection, Gartner says to rebalance purchasing

  At its annual security confab, the research giant said enterprises buy too much threat prevention and not enough detection and response technology.

• June 19, 2014 19 Jun'14

  Amazon EC2 control panel hack submarines hosting provider

  Update: Following a hack that destroyed much of Code Spaces' AWS EC2 data, cloud app provider One More Cloud reported similar compromises.

• June 17, 2014 17 Jun'14

  API gateways emerge to address growing security demands

  With mobile, cloud and the Internet of Things driving massive API growth, experts say now is the time for API gateway technology to shine.

• June 12, 2014 12 Jun'14

  Pandemiya banking malware emerges as Zeus-level threat

  RSA researchers say the costly Pandemiya banking malware was written entirely from scratch, a dangerous oddity in the world of malware.

• June 05, 2014 05 Jun'14

  OpenID Connect: Poised for greatness in enterprise authentication?

  Despite the popularity of SAML, the mobile and cloud benefits of OpenID Connect may spur adoption as an enterprise authentication platform.

• May 23, 2014 23 May'14

  Next-generation firewall comparisons show no product is perfect

  When comparing NGFW appliances, experts say that enterprises should focus on products that meet specific needs, not just those with the most features.

• April 25, 2014 25 Apr'14

  Report: Gap between on-premises and cloud attacks closing

  A new report shows the volume of cloud attacks is rising, as attack types traditionally associated with on-premises environments migrate with users.

• April 10, 2014 10 Apr'14

  'Heartbleed' OpenSSL vulnerability: A slow-motion train wreck

  Analysis: The 'Heartbleed' OpenSSL vulnerability is one of the worst bugs a SANS expert has seen, and that's before the fallout is fully understood.

• April 10, 2014 10 Apr'14

  NSA TAO: What Tailored Access Operations unit means for enterprises

  The NSA's top-secret Tailored Access Operations offensive hacking unit offers enterprise defense strategy lessons. Expert Nick Lewis discusses.

• April 03, 2014 03 Apr'14

  NTP-based DDoS attacks on the rise, but SYN floods still more perilous

  NTP-based DDoS attacks are increasing, but a report warns that SYN floods are still more likely to cause enterprises damage.

• April 01, 2014 01 Apr'14

  Data encryption, notification and the NIST Cybersecurity Framework

  Awkward? The NIST Cybersecurity Framework arrives as the U.S. government struggles to counter negative reports on its data privacy and encryption standards.

• March 12, 2014 12 Mar'14

  For merchants, Windows XP POS systems put PCI compliance at risk

  PCI compliance may be nearly impossible after the April 2014 Windows XP end-of-life date if merchants don't address vulnerable XP-based POS systems.

• February 28, 2014 28 Feb'14

  RSA Conference 2014 analysis: Security topics to keep on the radar

  Several information security topics emerged as hot topics at RSA 2014. Learn three security topics enterprises should keep on their radar.

• February 26, 2014 26 Feb'14

  RSA 2014: Insider threat detection tools critical to detection success

  Even with a solid insider threat program in place, an RSA Conference 2014 speaker said good insider threat detection tools are key to success.

• February 17, 2014 17 Feb'14

  Final version of NIST cybersecurity framework draws mixed reviews

  Experts differed over whether the NIST cybersecurity framework provides critical infrastructure firms with the tools to defend themselves.

• February 05, 2014 05 Feb'14

  Amid Microsoft MD5 deprecation, experts warn against SHA-1 algorithm

  With Microsoft's MD5 deprecation set for next week, experts say companies must be careful to avoid other weak protocols, like SHA-1.

• February 03, 2014 03 Feb'14

  Mobile security report: Data on devices

  New survey shows the battle between corporate-issued devices versus personally owned smartphones and tablets is too close to call.

• January 28, 2014 28 Jan'14

  McGraw: Software [in]security and scaling automated code review

  Gary McGraw and Jim Routh talk through the pitfalls of scaling static source code review and offer some potential process improvements.

• January 24, 2014 24 Jan'14

  Spear phishing still popular, but more watering hole attacks coming

  A report from CrowdStrike shows spear phishing remains popular in targeted attacks, but that watering hole attacks are gaining favor.

• January 03, 2014 03 Jan'14

  FireEye buys Mandiant in $1 billion deal

  In acquiring the incident response firm, FireEye will combine Mandiant's endpoint defense product with its network-based detection technology.

• December 24, 2013 24 Dec'13

  McGraw: Software [in]security and scaling architecture risk analysis

  Software architecture risk analysis doesn't have to be hard. Gary McGraw and Jim DelGrosso discuss an easier, more scalable process.

• December 02, 2013 02 Dec'13

  Return on security investment: The risky business of probability

  You are better off with real numbers when it comes to measuring probability and the elements of security risk, even if they are wrong.

• November 08, 2013 08 Nov'13

  Web application firewalls may not fix Web application security issues

  Some consultants are finding Web application firewall products don't deliver due to poor deployment strategies and a lack of skilled maintenance.

• October 28, 2013 28 Oct'13

  Software [In]security: BSIMM-V does a number on secure software dev

  The fifth iteration of the Building Security In Maturity Model project is a tool you can use as a measuring stick for software security initiatives.

• October 15, 2013 15 Oct'13

  The role of the enterprise intrusion prevention system in APT defense

  One research group says an enterprise IPS can't help detect APTs. But network security expert Brad Casey explains why that isn't necessarily true.

• September 20, 2013 20 Sep'13

  HP introduces 'self-healing' BIOS protection with SureStart

  HP's new SureStart feature detects and 'heals' corrupted BIOS code.

• September 10, 2013 10 Sep'13

  Opinion: Software [in]security -- software flaws in application architecture

  Many defects aren't found with code review. Gary McGraw and Jim DelGrosso think architectural risk analysis is a must to uncover software flaws.

• August 09, 2013 09 Aug'13

  Five major technology trends affecting software security assurance

  Column: Gary McGraw says five shifts in the IT landscape are affecting software security, but several BSIMM best practices can limit risk exposure.

• August 01, 2013 01 Aug'13

  New data on enterprise mobile security

  We polled readers in our annual Enterprise Mobile Security Survey and the 2013 results are in.

• August 01, 2013 01 Aug'13

  Black Hat 2013 opens with testy keynote, smart device hacks

  After a contentious opening keynote by NSA Director Gen. Keith Alexander, day one of Black Hat 2013 showed smart device hacks, severe SCADA issues.

• August 01, 2013 01 Aug'13

  Ten years later: The legacy of SB 1386 compliance on data privacy laws

  A decade after becoming law, the ripple effects of California's SB 1386 have surfaced in a new breed of proactive, granular state data privacy laws.

• June 19, 2013 19 Jun'13

  RSA Silver Tail improves online fraud detection, enterprise security

  Fraud prevention for the Web: RSA Silver Tail sets stage for enterprise-level security with big data and brand new interface.

• March 25, 2013 25 Mar'13

  Why information security education isn’t making the grade

  Security experts explain why a holistic approach to security is critical to training computer engineers and computer scientists for a career in information security.

• March 05, 2013 05 Mar'13

  RSA 2013: Experts struggle to define offensive security, hacking back

  Is offensive security or 'hacking back' a viable cyberdefense tactic? RSA Conference 2013 experts struggled to define the terms, never mind the role they play.

• February 25, 2013 25 Feb'13

  Well-rounded information security education benefits IT professionals

  A security-savvy IT staff can help reduce risk. Learn about information security training and education options for IT professionals.

• January 28, 2013 28 Jan'13

  Testing, assessment methods offer third-party software security assurance

  No ultimate test can give third-party software a clean bill of health, but careful assessment can help organizations gain more control over vendors.

• January 17, 2013 17 Jan'13

  Thirteen principles to ensure enterprise system security

  Designing sound enterprise system security is possible by following Gary McGraw's 13 principles, many of which have held true for decades.

• December 07, 2012 07 Dec'12

  Twelve common software security activities to lift your program

  Software security expert Gary McGraw explains the processes commonly found in highly successful software security programs.

• November 27, 2012 27 Nov'12

  Chief information security officer skills go beyond customary technical roles

  A trusted advisor and a strong communicator and promoter, a good CISO should be a jack-of-all-trades to rally the IT security team to support the business needs by minimizing risk.

• November 14, 2012 14 Nov'12

  Enterprises can obtain value from red teaming exercises, expert says

  Red teaming assesses the security of an organization and can be a more effective way to assess the organization's security posture.

• November 01, 2012 01 Nov'12

  Protecting Intellectual Property: Best Practices

  Organizations need to implement best practices to protect their trade secrets from both internal and external threats.

• October 23, 2012 23 Oct'12

  Pros and Cons of Information Security Certifications

  Educating the security professional requires far more than a certification exam.

• July 23, 2012 23 Jul'12

  Black Hat 2012: MITRE to detail STIX cyberthreat intelligence system

  Sean Barnum of MITRE will describe Structured Threat Information eXpression (STIX), a new cyberthreat intelligence system for incident response teams.

• July 16, 2012 16 Jul'12

  Black Hat 2012: Google Chrome sandbox security flaws to be exposed

  The Google Chrome Native Client was designed to secure browser plug-ins, but researcher Chris Rohlf says Google Chrome sandbox security flaws exist.

• July 11, 2012 11 Jul'12

  AWS outage doesn't discourage Netflix

  Netflix says it remains bullish on the cloud despite major Amazon outage.

• July 11, 2012 11 Jul'12

  Survey: Firewall rules sprawl makes firewall policy management a mess

  Bloated firewall rules are making security unmanageable and audits a nightmare, according to a survey by firewall management vendor Athena.

• July 09, 2012 09 Jul'12

  DNSChanger malware problems unlikely

  DNSChanger infections have declined precipitously, but remaining systems could have Internet access turned off today.

• June 28, 2012 28 Jun'12

  Putting the mobile botnet threat in perspective

  While lucrative mobile botnets do exist, Industry experts provide a perspective on seems to be a relatively small mobile botnet threat.

• June 28, 2012 28 Jun'12

  Operation High Roller: Online bank fraud

  McAfee and Guardian Analytics released the findings of an investigation into a global online bank fraud ring that takes the old techniques up a notch.

• June 21, 2012 21 Jun'12

  Review your security contingency plan during the Games

  U.K. companies are preparing to manage their security during the Olympics. Would your security contingency plan hold up to such a disruptive event?

• June 14, 2012 14 Jun'12

  Opinion: LinkedIn hacking incident betrays users’ trust

  Users are told to create strong passwords, but the LinkedIn hacking showed strong passwords are no defense when the application provider is attacked.

• June 08, 2012 08 Jun'12

  Arbor Networks warns of IP-Killer, MP-DDoser DDoS tool

  Arbor Networks researchers found robust capabilities in the MP-DDoser/IP-Killer tool used to conduct powerful distributed denial-of-service attacks.

• June 07, 2012 07 Jun'12

  Information technology security jobs hiring outlook

  The unemployment rate for IT security pros is 0%, says CompTIA, leaving some companies with key information technology security jobs unfilled.

• June 01, 2012 01 Jun'12

  Stuxnet details should prompt call to action, not words

  Security experts have warned of potential problems with military cyberstrikes. Cyberwarfare is difficult to plan and could put civilians at risk.

• May 31, 2012 31 May'12

  Why execs really need corporate security training

  Senior executives may be the most likely to disobey all your hard-won corporate security training. Here are five reasons why.