DevOps is redefining the way organizations handle software development. But it’s also challenging security professionals in their efforts to manage digital risk. With that said, there are security teams need to be strategic about how they approach DevOps security. Here are some expert recommendations on what to do and what to avoid when implementing...

Tripwire's September 2018 Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft and Adobe. First on the patch priority list this month are patches for Microsoft's Internet Explorer, Edge and Scripting Engine. These patches resolve 18 vulnerabilities, including fixes for Elevation of Privilege, Information Disclosure,...

Cloud security is not as simple as it may seem. Businesses have a shared security responsibility with cloud service providers, but some lack the knowledge to keep up their share of the bargain. Poor configuration and data leaks are common problems that many businesses encounter in the cloud. These issues can lead to malware infecting your cloud...

Due to popular demand, my women in information security interview series is back for autumn! This marks the second anniversary since I started. Some of my subjects in this round have been waiting since last spring, so getting to chat with them has been long overdue. Let’s start with Sharka, a penetration tester who is full of enthusiasm. She wants...

It is a common trend now to see most of the organizations opting for the cloud. Growing business demands, competition and the growth of Software-as-a-Service (SaaS) have helped propel this trend. While everything looks smart in the cloud, what about security? Does that look smart, too? Now that organizations use different kinds of cloud environments...

The ability to feed key security information onto a big screen dashboard opens up many new opportunities for managing the day-to-day security and maintenance workload as well as providing a useful method of highlighting new incidents faster than “just another email alert.” Most Security Operation Centres I’ve visited in recent years have embraced...

Three men who operated and controlled the notorious Mirai botnet have been sentenced to five years of probation. The Mirai botnet notoriously launched a massive distributed denial-of-service (DDoS) attack on DNS service company Dyn in October 2016 and made it impossible for many users to reach popular sites such as Amazon, Reddit, Netflix, Twitter,...

Vulnerability management (VM) programs are the meat and potatoes of every comprehensive information security program. They are not optional anymore. In fact, many information security compliance, audit and risk management frameworks require organizations to maintain a vulnerability management program. If you don’t have vulnerability management tools,...

Today’s VERT Alert addresses Microsoft’s September 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-796 on Wednesday, September 12th. In-The-Wild & Disclosed CVEs CVE-2018-8440 This vulnerability was disclosed on Twitter on August 27th, and a high level analysis was published on...

Tripwire's August 2018 Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft and Adobe. First on the patch priority list this month are patches for Microsoft's Internet Explorer, Edge, and Scripting Engine. These patches resolve 21 vulnerabilities, including fixes for Remote Code Execution, Elevation of Privilege,...

Thanks to FERC’s Order 822, the North American Electric Reliability Corporation’s critical infrastructure protection standards, known as NERC CIP, are continually updated. Seven updated standards proposed by NERC for inclusion have now been accepted. April 1st, 2016, was the compliance deadline for the NERC CIP v5 requirements. Most of the newly...

As part of this two-part series, let’s now look to another exhibit demonstrating of how people act as the first, last and best data and privacy defense. Exhibit B: Potentially Unwanted Leaks If you have some technical literacy, you may have heard of potentially unwanted programs (“PUPs”). It’s all that glop and gloop – malware, viruses, trojans,...

Have you ever wondered how much your patient health record could garner on the black market? Whereas a cybercriminal only needs to shell out a mere dollar for your social security number, your electronic health record (EHR) is likely to sell for something closer to the tune of $50. This is according to research firm Cybersecurity Ventures, who also...

In this third installment of #TripwireBookClub, we look at “Gray Hat Python,” written by Justin Seitz and published by No Starch Press. I had the opportunity to briefly meet Justin at CanSecWest the year this book was published, which only increased my interest in the book and ensured my preorder. I read it back then (2009), and now, nine years...

It is a well-known fact that legacy equipment shall continue to play a crucial role in the continuity and stability of critical infrastructure, especially in industrial control systems. A recent Center for Digital Government survey found that 70% of respondent agencies depend on legacy infrastructure for their operations. Another recent report from...

Thanks to the advent of technology, the number of mobile phone users are increasing day by day. You'll be shocked to hear that by 2019, this number will cross the 5 billion mark! While mobile phones may have made our life easier, they have also opened up domains for many cybercriminals who are adapting and using new methods to profit from this...

The Healthcare industry by its very nature is populated with some amazing people who are devoted to those in need of physical and mental care. Given this noble cause, it was perfectly understandable for them to ask “Why would someone attack us?” when WannaCry hit their sector. In my opinion, the WannaCry compromise was the crescendo of almost a decade...

If you have followed our work for any amount of time, you will note that we are fans of certain information security technologies such as encryption, AI and machine learning as well as blockchain. But you will also note we are very specific, cautious and surgical about their use. Encryption is a must-have but does little for you if your underlying...

Hackers planted malware on an automated teller machine (ATM) server belonging to an Indian bank as part of a criminal scheme which saw the theft of nearly 944 million rupees (US $13.5 million) in a co-ordinated attack across 28 countries last weekend. India's Cosmos Bank, based in the western city of Pune, suffered an attack which saw hackers use...

Today’s VERT Alert addresses Microsoft’s August 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-792 on Wednesday, August 15th. In-The-Wild & Disclosed CVEs CVE-2018-8373 A vulnerability exists within the scripting engine in Internet Explorer. An attacker exploiting this vulnerability...