Blog

“Cyber” Is Not an Appropriate Risk Category

“Cyber” is not an appropriate category of risk. Often cited in 10-K reports, discussed by board directors and C-suite executives, and referenced by Enterprise Risk Management (ERM) or Governance, Risk and Compliance (GRC) professionals, the category merely perpetuates ambiguity and lack of understanding related to all things “cyber.” Because of this ...

Stackoverflowin: The Story of How IoT Broke the Internet

Recently, an incident commonly referred to as “stackoverflowin” swept social media. On February 4, 2017, a 17-year-old hacker from the UK using the alias ‘stackoverflowin’ decided on a whim to do some printing. He printed quite a bit. In fact, he printed so much that it started to trend on Twitter. That’s because he printed to every open printer on...

LinkedIn Messenger Flaws Enabled Attackers to Spread Malicious Files

Bad actors commonly abuse LinkedIn to launch digital attacks. With over 500 million members spread across 200 countries, the professional networking site contains crucial information that nefarious individuals can use to attack nearly any organization and its corporate data. They just need to establish an initial foothold in the company. Most of the...

Bad Poetry Day Highlights - The Security Edition

Friday, August 18th was Bad Poetry Day. To celebrate, Tripwire decided to ask some of its employees and friends in the community to share some of their security poems with us. Some folks tweeted theirs out using the hashtag #tripwirebadpoetryday. Others sent them in. Here are some of our favorites: Roses are red, Violets are blue Tripwire is...

Super X-Ray Vision for Vulnerabilities into Non-Running Containers

Containers can be traced back to 1979 with chroot but the advent of Docker has exponentially increased the popularity and usefulness of this technology. Any technology that becomes popular and useful also becomes a target for attacks. Containers are designed to provide isolated environments rather than full virtual machines, but they make great...

Dynamic Security in an Elastic World

I have had the pleasure of working on the latest curriculum for Tripwire University. In that capacity, I've noticed more and more interest around securing cloud environments as our customers and the market continue to move towards cloud technologies. Whether it be customers who are 100% committed to the cloud and moving all of their assets up into...

VERT Threat Alert: August 2017 Patch Tuesday Analysis

Today’s VERT Alert addresses the Microsoft August 2017 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-737 on Wednesday, August 9th. In-The-Wild & Disclosed CVEs CVE-2017-8627 The first publicly disclosed vulnerability this month is a denial of service in the Windows Subsystem for Linux....

Looking Back On SOHOpelessly Broken at DEF CON 25

DEF CON 22 was my third DEF CON and the first time ever for the IoT Village and related "SOHOpelessly Broken" contests. That year, I easily won both tracks of the competition with only a handful of hours spent analyzing and hacking routers. As anyone who’s ever attended DEF CON can tell you, there are roughly one billion options for how to spend the...

Shadow IT – How Do You Protect What You Don’t Know You Have?

For a cybersecurity program to succeed, it must identify the assets it aims to protect. Without a clear understanding of its assets, no organization can truly understand the value of its resources, assess the risks they face, or understand how much to spend to secure its infrastructure. Unfortunately, the process of identification is not getting any...

12 Indispensable DevOps Tools for 2017

DevOps is revolutionizing the way enterprises deliver apps to the market. It blends software development and information technology operations, or the processes and services used by IT staff, as well as their internal and external clients to fulfill their business duties. Such a convergence creates an assembly line for the cloud, as Tim Erlin wrote...

Are Bug Bounties a True Safe Harbor?

Security vulnerabilities are becoming the new oil, and the bug bounty economy is booming. As news of cyberattacks and data breaches continues to consume the press, never before has the market for vulnerabilities been so dynamic. “Bug bounty programs,” frameworks where security researchers legally trade previously undiscovered vulnerabilities for...

Risk of Security: Why a Security Measure Is Needed & How It's Achieved

The Phoenix Project was an easy and enjoyable read about Bill Palmer, a manager in the IT department who unexpectedly gets promoted to VP of IT Operations. To succeed in this new role, Bill had to expand his view from just his group to the organization as a whole in order to master the "Three Ways" for how to evolve from a dysfunctional group of...

VERT Threat Alert: July 2017 Patch Tuesday Analysis

Today’s VERT Alert addresses the Microsoft July 2017 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-733 on Wednesday, July 12th. In-The-Wild & Disclosed CVEs CVE-2017-8584 In a Patch Tuesday first, we have a HoloLens code execution vulnerability. This vulnerability impacts Windows 10 and...

Brainwashing Embedded Systems IoT Hack Lab Update

I’ve been studying the security designs of various embedded devices for the past couple of years. This research has led me to uncover dozens of critical flaws in internet-connected devices ranging from enterprise NAS devices and access points to countless consumer products like wireless routers, home automation controllers, security cameras and more...

Security Risks to Consider When Deploying Containers on Docker

Docker – a platform for OS-level virtualization instances known as containers – has become a hugely popular infrastructure technology. Flexible containerization is completely changing the way we build and maintain applications at scale, with analyst group RedMonk identifying the large enterprise market as a key driving force. Towards the end of...