Resources

Blog

What is Vulnerability Management Anyway?

Vulnerability management (VM) programs are the meat and potatoes of every comprehensive information security program. They are not optional anymore. In fact, many information security compliance, audit and risk management frameworks require organizations to maintain a vulnerability management program. If you don’t have vulnerability management tools...
Blog

Mastering Container Security: Docker, Kubernetes and More

Bolting on security after the fact. It’s been a common approach to software security for decades. We architect, build code, deploy it and then figure out how to secure it. From the parade of application-related breaches and data thefts over the last few years, we pretty much know this approach does not work. Fortunately, the evolution of continuous...
Blog

What Cloud Migration Means for Your Security Posture

It shouldn’t come as a surprise to anyone reading this article that there has been a major shift towards businesses hosting their critical applications in the cloud. Software-as-a-Service (SaaS), as well as cloud-based servers from Amazon or Microsoft, have changed the way we build networked business systems for any size organization. Cloud-hosted...
Blog

Configuration Hardening: Proactively Guarding Systems Against Intrusion

The concept of configuration hardening has nice imagery to it. When we use it to describe battle-hardened soldiers who have been tested in combat, a grim, determined image invariably leaps to mind. The same thing happens when we speak of hardened steel that’s been repeatedly quenched and tempered or of hardened fortifications and bunkers. What Are...
Blog

VERT Threat Alert: September 2018 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s September 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-796 on Wednesday, September 12th. In-The-Wild & Disclosed CVEs: CVE-2018-8440: This vulnerability was disclosed on Twitter on August 27th, and a high-level analysis was published on...
Blog

Beware the Homeless Homebuyer Real Estate Scam!

Security professionals are warning users who are or soon will be engaged in real estate transactions to watch out for the "homeless homebuyer" scam. On 10 September, Verdict built upon its coverage of account takeover attacks found in its threat insight magazine Verdict Encrypt to discuss this...
Blog

Revised Critical Infrastructure Protection Reliability Standard CIP–003–7: What Are the Changes?

The U.S. Government is constantly working to improve its ability to respond to the growing threat of cyber-attacks facing the national power grid. Towards that end, the Federal Energy Regulatory Commission (FERC) approved the revised critical infrastructure protection reliability standards for cybersecurity management controls on April 19, 2018. The...
Blog

Apps that steal users' browser histories kicked out of the Mac App store

Apple has removed "Adware Doctor" from the macOS App Store amid claims that the program was uploading browser histories to China. Adware Doctor, which sold for $4.99 and was listed last week among the highest grossing apps in the "Paid Utilities" category of the macOS App Store, promised it would "keep your Mac safe", "get rid of annoying pop-up ads...
Blog

Beware of the New Way Crooks Can Drain Your Credit Card Account

This article describes one of the recent frauds used by cybercriminals to steal funds from people’s credit cards. Unfortunately, it is a simple one to pull off, so peruse the details below and make sure you don’t get on the hook. The malicious logic in a nutshell: The malefactors use a legit remote access tool for mobile devices called AirDroid....
Blog

Tripwire Patch Priority Index for August 2018

Tripwire's August 2018 Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft and Adobe. First on the patch priority list this month are patches for Microsoft's Internet Explorer, Edge, and Scripting Engine. These patches resolve 21 vulnerabilities, including fixes for Remote Code Execution, Elevation of Privilege,...
Blog

Use This NERC CIP v6 Standards Summary to Stay Compliant

Thanks to FERC’s Order 822, the North American Electric Reliability Corporation’s critical infrastructure protection standards, known as NERC CIP, are continually updated. Seven updated standards proposed by NERC for inclusion have now been accepted. April 1st, 2016, was the compliance deadline for the NERC CIP v5 requirements. Most of the newly...
Blog

An EHR Systems Check-Up: 3 Use Cases for Updating Cyber Hygiene

Have you ever wondered how much your patient health record could garner on the black market? Whereas a cybercriminal only needs to shell out a mere dollar for your social security number, your electronic health record (EHR) is likely to sell for something closer to the tune of $50. This is according to research firm Cybersecurity Ventures, who also...
Blog

How to Cultivate Security Champions at the Workplace

Good security engineers are hard to come by. What is a company to do? Not all companies can afford outrageous salaries to acquire one, much less a full team of security professionals. Even if those few companies can afford it today, how do they retain them? The answer to this is not simple and is realistically beyond the scope of one simple article...
Blog

#TripwireBookClub – Gray Hat Python

In this third installment of #TripwireBookClub, we look at “Gray Hat Python,” written by Justin Seitz and published by No Starch Press. I had the opportunity to briefly meet Justin at CanSecWest the year this book was published, which only increased my interest in the book and ensured my preorder. I read it back then (2009), and now, nine years...
Blog

Strengthen Production Systems with Container Runtime Security

Container security is not a unitary action but a multifaceted process. It involves securing the build environment using secure code control and other strategies. The procedure also necessitates securing containers’ contents via code analysis and unit tests. At some point, organizations need to develop a plan to secure their containers in production...