Blog

Blog

The Cyber Law of War

A recent article in the New York Times postulated America may choose to respond to a devastating cyberattack with a nuclear response. In November of 2017, a widely viewed social media video entitled Slaughterbots suggested “swarms of AI-controlled drones [could] carry out strikes on thousands of unprepared victims with targeted precision.” Both of...
Blog

Integrity: The New "I" in PCI Compliance

The retail industry saw more than its fair share of data breaches in 2017, with security incidents impacting at American supermarket chain Whole Foods Market and clothing companies Brooks Brothers, The Buckle, and Forever 21, to name a few. At least some of those events likely resulted from retailers' poor data breach preparation. Consider the fact...
Blog

Foundational Controls for Integrity Assurance - Part II

As I noted in my previous article, companies should use foundational controls to assure integrity of their software and critical data – doing so can help prevent many data breaches and security incidents from occurring in the first place. That's not all that integrity driven by foundational controls can accomplish. Here are two more benefits...
Blog

How Management Can Help Prevent Insider-Caused Data Breaches

In 2017, some of the world’s most devastating cyber attacks were seen. Insider threats continue to be the primary reason for such high profile data breaches year over year. With the rise of malware as a service, insiders are now more than capable of sabotaging a company's operations or stealing data to sell on the darknet. Without the right support...
Blog

Smart Contracts 101: How This Emerging Technology Works

You can’t turn around today without running into a story about blockchain technology and smart contracts. In fact, one creative beverage company saw their stock climb 289 percent when they added the term "Blockchain" to their company name even though they have nothing to do with blockchain technology. Blockchain technology is one form of a secure,...
Blog

Real Life Examples of Phishing at its "Phinest"

There are several technical methods of stealing passwords via malware or software vulnerabilities, and one of the most difficult to defend against occurs when users disclose their credentials unknowingly. Yes, I am referring to phishing. Specifically, phishing that tricks users into accessing a fake website and entering their credentials. We often...
Blog

Survey: Most Security Pros Aim to Patch Vulnerabilities within 30 Days

High-profile cybersecurity incidents continue to result from the simple mistake of leaving a known vulnerability unpatched. To understand how organizations are keeping up with vulnerabilities, Tripwire partnered with Dimensional Research to survey 406 IT security professionals about their patching processes. Findings revealed that the majority (78...
Blog

How to Budget for Digital Security in 2018

Based on the past year, one thing that is certain to be on every company’s mind is security. Among the various concerns associated with security, perhaps the most important is how much it costs to effectively secure your company data in the age of large-scale cyberattacks and breaches. According to Accenture’s 2017 “Cost of Cybercrime” report, the...
Blog

The Top 17 Information Security Conferences of 2018

You can now read the 2019 edition here! With 2017 now in the rear-view mirror, the security industry is turning its attention to 2018. The new year will no doubt present its fair share of challenging digital security threats. So too will it present numerous opportunities for infosec professionals to discuss shared difficulties at conferences and...
Blog

VERT Threat Alert: January 2018 Patch Tuesday Analysis

Today’s VERT Alert addresses the remainder of the Microsoft January 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-760 on Wednesday, January 10th. In-The-Wild & Disclosed CVEs CVE-2018-0802 A malicious file could cause code execution due to Microsoft Office Equation Editor’s failure...
Blog

December 2017: The Month in Ransomware

Ransomware activity was on a fairly high level till mid-December but slowed down by the end of the month, perhaps due to threat actors’ holiday spree. Some of the newsmaking events included the onset of the first-ever blackmail virus targeting network-attached storage devices, the breach of California's voter database, and arrests of CTB-Locker and...
Blog

VERT Threat Alert: CPU Vulnerabilities - Meltdown and Spectre

Vulnerability Description Meltdown and Spectre are hardware design vulnerabilities in CPUs utilizing speculative execution. While the defect exists in the hardware, mitigations in operating systems are possible and are currently available. CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. The...
Blog

VERT Threat Alert: January 2018 Security Updates

Today’s VERT Alert addresses the Microsoft January 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-759 on Friday, January 5th. We are not yet certain if this release contains all January updates or if Tuesday will see a second set of updates released. In-The-Wild & Disclosed CVEs ...
Blog

Spectre and Meltdown: What you need to know

If this first week is any indication, 2018 could mark a significant paradigm shift in trusted computing and open source hardware. Chip makers have been very effective in making enhancements to greatly improve application performance, but the revelation of Spectre and Meltdown makes it clear that more attention needs to be paid to hardware level...
Blog

Foundational Controls for Integrity Assurance - Part I

Among organizations today, there's not enough focus on where digital security matters, that is, setting up the challenge/risk. Let’s come right out and say it: if you haven’t been hacked yet, you soon will be. This is not a surprise to you. You know this. We know this. Other companies know this. And yet, we saw WannaCry spread to hundreds of thousands...
Blog

Women in Information Security: Roselle Safran

Last time, I had the honor of speaking with Tiffany Gerstmar. Her work with the US Navy led to her become a cybersecurity policy professional. In this final interview of the current series, I got to speak with Roselle Safran. Not unlike Tiffany, work in US government agencies also helped her to get where she is today. Now she's the president of Rosint...