The digital landscape is beset with challenges that threaten businesses and individual users alike. Even so, most organizations aren't prepared to face them. For example, 70 percent of IT professionals told Tripwire at Black Hat USA 2016 they lack confidence in their organization's ability to address security risks associated with the Internet of...

Everyone agrees that RSA Conference is a mainstay of information security. Every year, the event attracts tens of thousands of security professionals from around the world. As such, it's the perfect place for companies to gain a snapshot of the digital security landscape. That’s why Tripwire has made a tradition of capturing attendees’ thoughts on...

One might think that the security industry is beefing up its message with profanity and far-fetched stories, and you may regard all of it – to an extent – as scare mongering. The latest attack on the smart "HUE Light Bulbs" by Philips puts this views to rest, I hope. Apparently, modern smart light bulbs are equipped with secure communication...

Many IT decision makers look at assets as hardware, but really they should consider why they have the hardware in the first place. These decision makers remember the very significant investments they made in servers, PCs, firewalls, and so on in order to deploy that new CRM or Electronic Medical Records System. They think of the tens of thousands of...

A new tech support scam is using website elements to trick users into thinking their browser has loaded a Microsoft support page. Like other ruses of the sort, this ploy begins when malicious ads redirect a user to a fake tech support web page. The first thing they see is a pop-up alert warning them that "a virus and spyware" have compromised their...

Information security, cybersecurity, IT security, and computer security are all terms that we often use interchangeably. I know that I do. I've written a lot about those areas for the past several years. I notice that sometimes I switch between the terms in an article simply to avoid repeating the same phrases over and over again in my prose. Very...

NextGEN Gallery is an extraordinarily popular plugin for self-hosted WordPress websites, having been downloaded over 16.5 million times. The software's widespread popularity (it claims to have been "the industry's standard WordPress gallery plugin" since 2007) makes it an seemingly obvious choice for website owners looking to add image galleries to...

Near the bleeding edge of technology, there’s a lot of talk (and work) around DevOps and the use of containers for delivering services. This is a fast-paced environment where services are spun up and down to meet demand in an elastic cloud and code is shipped to production multiple times a day. It’s also an area where security is far from ‘figured...

File Integrity Monitoring solutions have been around for a few decades now, with one purpose in mind: to monitor changes to files on the endpoint. However, there is more to integrity monitoring than just looking at files. Over the past year or so, whilst working with Tripwire, I have met a large number of people who define FIM (File Integrity...

In the modern world, it isn’t bank robbers we’re worried about – it’s cyber criminals. They can steal consumer information, alter data so that it gives false insights or remains corrupted for months or even years without notice, and even sell valuable intellectual property to the highest bidder, putting companies under. However, while many...

In part 1 and part 2 of this series, I reviewed some of the administrative and technical evolution of the cybersecurity legislation that has been proposed for all financial entities in New York State. As I started to write this, the final regulation was adopted. The good news is that most of the changes that were proposed in the first revision have...

Most security folks are familiar with the threats posed by the Internet of Things (IoT). Indeed, one need only look to what happened to Dyn in October 2016 to grasp the devastating potential of insecure IoT devices. Given this new wave of distributed denial-of-service (DDoS) attacks, as well as the Mirai-infected bots that power them, it's no wonder...

Boeing has notified 36,000 employees of a security breach involving an email that inadvertently disclosed their personal information. On 8 February 2017, the American aerospace company sent a letter to Bob Ferguson, Attorney General for Washington State. In it, Boeing says a security incident might have exposed the personal information of 7,288...

Two weeks ago, while visiting the yearly security gathering at the RSA Conference in San Francisco’s Moscone center complex (and adjacent hotels – it’s growing like mad), I was walking across the North and South Expo halls to check out some vendors (several I had appointments with, some by curiosity, and a few that were really new kids on the block)...

In part 1 of this series about the proposed regulation promulgated by the New York State Department of Financial Services, the evolution of some of the administrative requirements were explored. The exemptions, appointment of a CISO and the utilization of cyber security personnel all changed from the originally proposed regulation. In this part,...

One of the key challenges with what we now call cyber is the shortage of relevant technical cyber skills. This is directly linked to what would seem to be an inability to recognise or accept the real scale of the cyber threat, which is, of course, playing into the hands of the criminals and hackers who are harvesting millions in revenue as a result...

A new report reveals that 68 percent of oil and gas organizations have experienced at least one digital attack. In the Siemens-sponsored The State of Cybersecurity in the Oil & Gas Industry: United States (PDF), Ponemeon Institute surveyed 377 individuals based in the United States who are responsible for overseeing digital risk to their...

The annual RSA Conference is a lot of things to a lot of people (43,000 this year!). For me, it’s become an annual opportunity to step out of the stream and to look back at what has happened in the last year and peer forward at what’s to come. This year, I think we have reached an inflection point around the way we as a profession treat the “human...

The New York State Department of Financial Services has proposed a cyber security regulation that is unique in its breadth. The original proposed regulation underwent a 45-day review period, after which it was changed. It is currently under another 45-day review period pending further changes and should be published in the next few weeks. The...

Attackers have lots of ways of gaining access to a target's information. One of their preferred attack vectors is exploiting careless end user behavior. This is especially true when it comes to users who don't adequately protect their web accounts. For instance, bad actors targeted users of TeamViewer, software which allows IT professionals to gain...