By now, we should all be pretty well acquainted with phishing scams. They've been around for a very long time—nearly 30 years, in fact—and are the primary focus of most security awareness training programs and initiatives. Despite this, phishing remains remarkably effective, with over 90% of successful cyberattacks beginning with a phishing email. Why? Because these scams are constantly evolving...

Today’s VERT Alert addresses Microsoft’s February 2025 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1143 as soon as coverage is completed. In-The-Wild & Disclosed CVEsCVE-2025-21391A vulnerability in Windows Storage could lead to elevation of privilege, however, it is important to note that this would not give complete access to the file...

Building a vulnerability management (VM) program from the ground up is no small feat. It requires technical expertise, organizational buy-in, and a clear roadmap. In recent months, I’ve been working with a client who had to discard their legacy approach and start afresh. We came to realize just how many components have to come together to get a decent start on a VM project while also showing value...

British legal professionals have seen a "significant surge" in data breaches, according to new research from NetDocuments, a firm that provides a cloud-based content management platform for the legal sector.The firm has described how it analysed data from the UK regulator the Information Commissioner's Office (ICO), and discovered that the number of data breaches in the country's legal sector had...

The cyber threat to critical infrastructure has never been greater. The growing sophistication of cybercriminals, deteriorating geopolitical relations, and the convergence of operational technology (OT) and information technology (IT) have created unprecedented risks for critical infrastructure organizations. Fortunately, resources are available to help these organizations protect themselves.In...

Tripwire's January 2025 Patch Priority Index (PPI) brings together important vulnerabilities for Microsoft.First on the list are patches for the Microsoft office platform, including Word, Access, Visio, Excel, OneNote, and Outlook. These patches resolve 13 issues such as remote code execution and security feature bypass vulnerabilities.Next are patches that affect components of the core Windows...

Data breaches continue to cost organizations millions of dollars each year, with costs rising steadily. According to IBM's 2024 Cost of a Data Breach Report, the average cost of a data breach has surged to $4.88 million globally, reflecting the increasing complexity and sophistication of cyberattacks. In the United States, this figure is even higher, averaging $9.8 million per breach, and the...

It’s been a tough year for the healthcare sector. Throughout 2024, cybercriminals have unleashed a barrage of attacks on a vast number of healthcare organizations - with disconcerting levels of success. FBI research revealed that healthcare is now the US’s most targeted industry.The attack on Change Healthcare, a United Health-owned health tech company, for example, disrupted operations at...

Small businesses may think they don’t need to implement cybersecurity training programs because larger enterprises with more revenue are more profitable for bad actors. However, small businesses lacking essential security measures are prime targets due to the ease of access and fewer resources for investigation and remediation. While cybersecurity solutions can be an indispensable part of a robust...

Key Takeaways for Control 4Most fresh installs of operating systems or applications come with preconfigured settings that are usually insecure or not properly configured with security in mind. Use the leverage provided by multiple frameworks such as CIS Benchmarks or NIST NCP to find out if your organization needs to augment or adjust any baselines to become better aligned with the policies your...

Investment scams are a growing problem. Modern cybercriminals are increasingly using this technique to swindle money out of unsuspecting victims. It’s easy to understand why: investment scams are remarkably effective. Research from Barclays even found that they accounted for a staggering 33% of all money lost to scammers in 2023.It’s clear then that many people don’t know how to identify an...

Can you imagine a modern working world without Software-as-a-Service (SaaS) applications? Productivity, communication, and project management solutions have transformed the modern workplace, enabling hybrid and remote working, helping to cut costs, and offering unprecedented opportunities for collaboration and innovation. Without them, the business world would grind to a halt.But these...

The Transportation Security Administration (TSA) has proposed new rules requiring those under its jurisdiction to follow specific cyber risk management (CRM) requirements, report cybersecurity incidents in a certain timeframe, and address physical security concerns.This is positive news for the transportation industry, as hundreds of attacks have been leveled against the sector. These attacks have...

The Turkish government is proposing a controversial new cybersecurity law that could make it a criminal act to report on data breaches. The new legislation proposes penalties for various cybersecurity-related offences. But they key one which has people concerned is this:"Those who carry out activities aimed at targeting institutions or individuals by creating the perception that there has been a...

Recently, I looked at Microsoft’s assigned CVSS v3.1 scores for Patch Tuesday vulnerabilities alongside the Microsoft assigned severity ratings. I wanted to revisit these numbers and see just how closely CVSS aligns with Microsoft’s opinion of severity.Disclaimer: I’m aware that CVSS v4.0 exists. However, Microsoft has not yet adopted it, and I wanted an apples-to-apples comparison.What Is CVSS v3...

What is the Medusa ransomware?Medusa is a ransomware-as-a-service (RaaS) platform that first came to prominence in 2023. The ransomware impacts organisations running Windows, predominantly exploiting vulnerable and unpatched systems and hijacking accounts through initial access brokers.Initial access brokers?Initial access brokers (IABs) specialise in gaining unauthorised access to the networks of...

NASA is about to introduce new requirements for its contractors. These requirements will dramatically improve the cybersecurity of spacecraft and the US’ resilience to cyber threats. But what do these requirements mean for spacecraft manufacturers? What challenges will they face? And what will they need to do to comply? Keep reading to find out. Understanding the Cyber Space ThreatWhile NASA has...

The energy sector is the cornerstone of modern infrastructure, powering essential services and supporting the daily operations of economies worldwide. However, it also faces unique cybersecurity challenges, particularly in complying with the North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) standards.Cyber threats keep growing in sophistication and...

Remote work isn’t just a temporary trend anymore; it has become a permanent fixture. What began as a quick response during the pandemic has evolved into the new normal for businesses worldwide. In America, 20% of people now work from home.While this has its advantages (flexibility for workers and cost savings for businesses), it’s not without its complications, having cracked open a host of issues...

Today’s VERT Alert addresses Microsoft’s January 2025 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1139 as soon as coverage is completed.In-The-Wild & Disclosed CVEsCVE-2025-21333The first of three Hyper-V vulnerabilities this month is a heap-based buffer overflow that leads to privilege escalation to SYSTEM. Microsoft has reported this...