Tony Sager, Senior Vice President and Chief Evangelist at CIS (Center for Internet Security) joins us to discuss the best approaches to the changing security landscape in the wake of COVID-19. Tony is a lifelong defender, with more than 44 years of experience. He spent most of his career at the NSA and now leads the development of the CIS Controls,...

Government officials said that a glitch in the State of Illinois' Pandemic Unemployment Assistance (PUA) program exposed thousands of people's Social Security Numbers (SSNs) and other private data. Jordan Abudayyeh, a spokesperson for Illinois Governor J. B. Pritzer, sent a statement to WBEZ on May 16. In it, she revealed that the Illinois...

On May 1st President Trump signed an Executive Order on “Securing the United States Bulk-Power System.” The order cites foreign adversaries and their increased creation and usage of vulnerabilities against the power grid as the primary driver. In my opinion, perhaps more interesting is the inherent ties to the NERC standards, namely CIP-010 R4 and...

In this final part of the series, I discuss why everyone should consider reviewing their OPSEC (Operations Security), not just those with something to hide. If you haven’t read the previous articles then please check them out first (Part I & Part II), as they provide key background information about the techniques discussed in this post. The...

I usually spend my mornings doing some reading and enjoying my coffee. On this one particular morning, I noticed that I had received an email from a gaming company I had created an account with around 10 years ago for my kids. They had sent me a code to confirm a login that was being done from Thailand. I had forgotten that I had even created the...

Newly-discovered zero-day vulnerabilities may generate the biggest headlines in the security press, but that doesn't mean that they're necessarily the thing that will get your company hacked. This week, US-CERT has published its list of what it describes as the "Top 10 Routinely Exploited Vulnerabilities" for the last three years. The list is...

The UK’s designated national agency responsible for providing information and expert guidance on qualifications (UK NARIC) recently announced that the Certified Information Systems Security Professional (CISSP) credential offered by (ISC)2 is rated RQF Level 7, thereby placing it equal to a particular level of a Master’s Degree. This declaration is...

It will be rare that an attacker exploits a single system and does not attempt any lateral movement within the network. Even ransomware that typically targets a single system at a time has attempted to spread across the network looking for other victims. More often than not, an attacker will gain an initial foothold and start to pivot across systems...

This new world is putting a strain on organizations’ digital security defenses. First, malicious actors are increasingly leveraging coronavirus 2019 (COVID-19) as a theme to target organizations and to prey upon the fears of their employees. Our weekly COVID-19 scam roundups have made this reality clear. Second, organizations are working to mitigate...

The Cyber Security Body of Knowledge project or CyBOK is a collaborative initiative mobilised in 2017 with an aspiration to “codify the foundational and generally recognized knowledge on Cyber Security.” Version 1.0 of the published output of this consultative exercise was quietly released last year and then more publicly launched in January 2020....

Today’s VERT Alert addresses Microsoft’s May 2020 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-884 on Wednesday, May 13th. In-The-Wild & Disclosed CVEs None of the vulnerabilities resolved this month have been publicly disclosed or exploited according to Microsoft. CVE Breakdown by Tag ...

For most practical uses today, a combination of hardening and vulnerability detection is required to secure even the most basic digital environment. In each area it is important to see the progress you’re making in these competencies so that you can improve and build on the work you and your team have done over time. But with so many assets in your...

The United States Marshals Service announced a data breach involving the personal information of its former and current prisoners. In a data breach notification letter obtained by ZDNet, the U.S. Marshals Service revealed that it had first learned of the security incident in late 2019. A redacted...

Digital attacks continue to exploit coronavirus 2019 (COVID-19) as part of their malicious operations. On May 5, 2020, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) along with the United Kingdom's National Cyber Security Centre (NCSC) published a joint alert in which they revealed that they had...

Samsung has released a security update for its popular Android smartphones which includes a critical fix for a vulnerability that affects all devices sold by the manufacturer since 2014. On its Android security update page Samsung thanks researcher Mateusz Jurczyk of Google Project Zero for the discovery of the vulnerability that could - he claims -...

Security researchers attributed a spike in Snake ransomware activity to a new campaign that's targeted organizations worldwide. Snake ransomware first attracted the attention of malware analysts in January 2020 when they observed the crypto-malware family targeting entire corporate networks. Shortly after this discovery, the threat quieted down. It...

Tripwire's April 2020 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Oracle, and VMware. Up first on the patch priority list this month is a patch for VMware vCenter Server. This patch resolves an information disclosure vulnerability. This patch has highest priority as proof-of-concept code to exploit the...

The Discovery tactic is one which is difficult to defend against. It has a lot of similarities to the Reconnaissance stage of the Lockheed Martin Cyber Kill Chain. There are certain aspects of an organization which need to be exposed in order to operate a business. https://www.youtube.com/watch?v=NDT2qnpvKTk In fact, all of the techniques at this...

If you’ve read a newspaper or watched the news in the past few weeks, you’ll notice one common topic that all the major news outlets are discussing… COVID-19. Right now, many companies are trying to provide employee guidance during this worldwide pandemic, as governments ask those who can to work from home in an effort to slow the spread. Zoom, a...

“Never let a good crisis go to waste.” These wise words have been recently attributed to former Bill Clinton Chief of Staff Rahm Emanuel, though Freakonomics actually dates it back to 1976 and a completely different context. Regardless of who first uttered the phrase or some permutation of it, modern-day cybercriminals have taken the candid advice...