Resources

Blog

Climbing the Vulnerability Management Mountain: Taking the First Steps Towards Enlightenment

Just as you would map a hike or climb by creating waypoints you plan to hit each day, you must plan your vulnerability management process by creating similar goals. We call these goals Maturity Levels, from ML0 to ML5, as we defined them in the last blog. You have your asset inventory from an open-source tool, asset tracking database or maybe your...
Blog

Protecting Modern IoMT Against Cybersecurity Challenges

Even though the healthcare industry has been slower to adopt Internet of Things technologies than other industries, the Internet of Medical Things (IoMT) is destined to transform how we keep people safe and healthy, especially as the demand for lowering healthcare costs increases. The Internet of Medical Things refers to the connected system of...
Blog

Psychological Tricks of the Malware Trade

As a Professional Services Consultant, I have the pleasure of traveling all around the globe meeting clients and talking to a wide variety of IT security professionals who form the front line of defence against malware. One of my favorite topics is how people got their start in their careers in IT, but when I start discussing my own early years and...
Blog

IoT Devices — Why Risk Assessment is Critical to Cybersecurity

The IoT Threat Landscape: As technology continues to pervade modern-day society, security and trust have become significant concerns. This is particularly due to the plethora of cyber attacks that target organizations, governments and society. The traditional approach to address such challenges has been to conduct cybersecurity risk assessments that...
Blog

New "Norman" Malware Took Part in Large-Scale Cryptominer Infection

Researchers identified a large-scale cryptocurrency miner infection in which a new malware family called "Norman" took part. The Varonis Security Research team made the discovery while investigating a cryptominer infection at a mid-sized company. Here's what they found through this effort: Almost every server and workstation was infected with...
Blog

MITRE ATT&CK July 2019 Update

On the last day of July, MITRE released its most recent update to the ATT&CK framework. The ATT&CK framework is a curated knowledge base of tactics, techniques and software that adversarial groups have leveraged when compromising enterprise systems. The July 2019 update is relatively minor compared to the April 2019 update, which saw a new tactic with...
Blog

Fraudsters Used Phishing Emails to Target Hotels in North America

Fraudsters launched an attack campaign that distributed phishing emails designed to target the hotel industry in North America. In summer 2019, researchers at 360 Security Center discovered that bad actors had sent attack emails to financial personnel working at various hotels throughout North America. These emails informed recipients that their...
Blog

VERT Threat Alert: August 2019 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s August 2019 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-845 on Wednesday, August 14th. In-The-Wild & Disclosed CVEs: Microsoft has indicated that none of the vulnerabilities being patched this month have been used in-the-wild nor have they been...
Blog

Tripwire Patch Priority Index for July 2019

Tripwire's July 2019 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft and Oracle. First on the list for July are patches for Microsoft's Browser and Scripting Engine. These patches resolve 11 vulnerabilities including fixes for Memory Corruption weaknesses. Next on the list are patches for Microsoft Excel and...
Blog

CEO Cyber Quiz: What’s Your IT Security IQ?

Every business leader understands that, when it comes to cybersecurity, the stakes are extraordinarily high. CEOs tend to take notice when they read headlines about yet another big-name company being victimized by a massive data breach or about industry forecasts suggesting that the annual cost of crime losses and damage will hit $6 trillion by 2021. However, does that mean top business leaders...
Blog

How to Build a Mature Vulnerability Management Program

The evolution of the cyber threat landscape highlights the emerging need for organizations to strengthen their ability to identify, analyze and evaluate cyber risks before they evolve into full-fledged security incidents. When it comes to cyber risk mitigation, the terms “patch management” and “vulnerability management” are used as if they are...
Blog

Apple Increases Maximum Bug Bounty Program Payout to $1M

Apple announced that it will be expanding the scope of its bug bounty program and increasing its maximum possible reward payout to $1 million. Ivan Krstić, Apple’s head of security engineering, made the announcement during a presentation on iOS and macOS security at Black Hat USA 2019. He revealed that Apple's bug bounty program will begin...
Blog

State Farm Says Security Incident Might Have Exposed Customers' Data

Insurance company State Farm revealed that a digital security incident might have exposed their customers' personal information. In August 2019, ZDNet obtained a copy of a letter in which State Farm disclosed a data breach. The insurance company specifically revealed that a bad actor had conducted a credential stuffing attack. This type of operation...
Blog

Best Practices for IT Security Teams in the Age of Cloud

About a decade ago, organizations were hesitant to adopt cloud solutions, with many citing security concerns. Fast forward to 2019, and 81% of organizations have a multi-cloud strategy, spurred on by the desire for increased flexibility, usage-based spending and desire to respond to market opportunity with greater agility. In fact, organizations are...
Blog

Living the 7 Habits of Highly Effective Cybersecurity

The recent Tripwire blog ‘7 Habits of highly effective Vulnerability Management’ by Tim Erlin was a great read with some sage advice on the always relevant security topic of VM. I noticed, however, that although the seven points themselves were all Tim’s own, the title snappily paraphrased Stephen Covey’s classic management book. This made me think....
Blog

AT&T Announces Launch of Public Bug Bounty Program

American multinational conglomerate holding company AT&T has announced the launch of its public bug bounty program on HackerOne. Revealed on 6 August, the new program will award security researchers who submit reports on eligible vulnerabilities that affect AT&T's websites, mobile apps, devices and exposed APIs. In-scope flaws include weaknesses...