Governments ought to disclose zero-day vulnerabilities and begin to collaborate to make digital disarmament more than just ‘a thing.’ The case for these policy changes is becoming increasingly clear as new public debates begin to take shape around online privacy, trust and the prevention of cyber conflict. However, much work lies ahead in correctly...

The title of this piece is quite obvious, but it is also an unappreciated fact. Consider for a moment the change we have seen over the last 30 years: access to cyberspace was scarce, often limited to enterprise users such as governments, educational institutions and the largest corporation, whereas today, there are billions of users that treat the...

In any conflict, humans are impacted. In conflict, the best scenario is that the individual leaves unscathed and perhaps even unaware of what could have been their misfortune, whereas in the worst of cases – such as kinetic warfare – the impact can be the ultimate price: loss of life. There is also a cruel truth of conflict that often gets looked...

The Center for Internet Security (CIS) Top 20 Critical Security Controls, or "Foundational Controls," can help any organization address the growing number of digital security threats confronting them. Obviously, for these controls to reduce risk, a company must first implement them. Failure to do so can result in some real security nightmares. IT...

Malicious hackers are seizing control of poorly-protected home routers, and commanding them to launch attacks designed to brute force their way into WordPress websites. Security researchers at Wordfence first determined that something noteworthy was happening when they witnessed an unusual spike in attacks originating from Algeria against its...

Today’s VERT Alert addresses the Microsoft April 2017 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-720 on Wednesday, April 12th. With the elimination of Security Bulletins, the VERT Alert will be changing. This shortened version will act as a placeholder until the launch of the improved...

In January 2017, Tripwire completed a survey of 403 IT Security professionals about the most common attack types and how prepared organizations are to defend against them. You can read about the details here. There are two important conclusions from the research that I have to share for the purposes of this post. First, the top five attack types from...

In an article we wrote for Tripwire, we discuss the advantages of encryption and tokenization. The premise of our argument is as follows: slow down your adversary by making your data meaningless to them. In other words, make yourself a “goes nowhere” project forcing your adversary to seek out a target that does not cause them the grief you do....

Before we jump in, we need to make clear the following: no single solution will ever offer complete and total security. In fact, even multiple solutions designed to provide overlapping layers of security to your crown jewels will not provide “complete and total” security. But what any reasonably implemented solution should do is the following: slow...

I was fortunate enough to meet the author, Kevin Mitnick, while attending RSA in February. I was given a signed copy of The Art of Invisibility, one of The State Security's must-reads for infosec pros, so I made it a point to read the book. I knew a bit about Kevin’s past and had seen a few of his DEF CON talks, so I had a general idea as to the...

Brute force attacks are mitigated by using 2-factor authentication, which comes in many forms, such as time-based tokens, SMS and push authentication using a cell phone. A new contender has emerged: Universal 2nd factor or U2F. U2F is an authentication standard sponsored by the FIDO Alliance, whose members include the technology industry’s top...

Two security controls, file integrity monitoring (FIM) and security configuration management (SCM), help organizations manage change. The former monitors for unauthorized changes to a system's state, whereas the latter looks for configuration changes that introduce security risk. Both components are crucial to a company's strategy for defending...

In my last post, I briefly summarized the evolution of network security. I will now discuss how network security strategies are no longer meeting the needs of organizations' increasingly complex IT environments. A Different Strategy Technological innovation has changed the nature of the network itself. No longer are employees limited to their...

This is my first blog in an ongoing “It’s Not Rocket Science” series featuring articles on Information security. "Security is not an absolute, it's a continuous process and should be managed as such. Security is about risk reduction, not risk elimination, and risk will never be zero. It's about employing the appropriate security controls that best...

Security is a complex and connected web. Though there are many different categories within the all-encompassing field of security, there are still certain lessons that translate across the disciplines. Physical security can largely be seen as a manifestation of the ethereal elements of cyber security. Both the digital and the physical worlds of...

According to recent research, the majority of Android devices are running security patches that are months old, leaving users vulnerable to attacks. Mobile security company Skycure released the findings of its Q4 2016 Mobile Threat Intelligence Report, revealing that over 70 percent of Android phones lack the latest security patches. The company...

The Russian author of the notorious Citadel malware which infected over 11 million PCs and stole an astonishing $500 million from bank accounts has pleaded guilty to his crimes. 29-year-old Mark Vartanyan, who went by the online handle of "Kolypto", was arrested in the Norwegian town of Fredrikstad in 2015 at the request of the FBI. His extradition...

It's funny how kids have an affinity for toys we enjoyed as kids – like Legos. They will spend hours creating the biggest “thing,” often leading to a parent’s near universal response, “Johnny! That is the biggest tower I have ever seen! Great job!” Children (and we) love Legos because they foster imagination, offering a limitless way to create...

Almost everything you read or hear about routers includes a sentence or two about router security. The focus is generally on this essential piece of hardware as the first line of defense in an internet-connected world. Many medium-sized companies and large corporations take this into account when they purchase and set up their network infrastructure...

Businesses have always struggled with the idea of business security. Are you doing enough to protect your company, clients, and employees? Is there really such a thing as too much security? Technology is constantly changing, and as such, so are the threats many organizations face. Everywhere you turn, some security company is trying to point out...