Blog

Blog

A Simple Data Breach Guide (Interpreting GDPR)

Perhaps it’s too melodramatic to claim that the debate over how to define a data breach "rages on" because we haven’t seen bodies flying out of windows yet, but it is a serious question with genuine financial ramifications now that the General Data Protection Regulation (GDPR) and its accompanying fines for mishandling data have arrived to save (and...
Blog

Magecart Used Same Skimmer against Two Web-Based Suppliers

Magecart threat actors used the same skimmer against two web-based suppliers to try to steal users' payment card information. As discovered by security researcher Willem de Groot, the first attack occurred at 15:56:42 GMT on 10 May when bad actors injected the skimmer into the bottom of a script used by enterprise content management system CloudCMS....
Blog

VERT Threat Alert: May 2019 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s May 2019 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-830 on Wednesday, May 15th. In-The-Wild & Disclosed CVEs CVE-2019-0863 Windows Error Reporting (WER) incorrectly handles certain files and, when exploited, could lead to the execution of code...
Blog

Bad Actors Using MitM Attacks against ASUS to Distribute Plead Backdoor

Researchers believe bad actors are using man-in-the-middle (MitM) attacks against ASUS software to distribute the Plead backdoor. Near the end of April 2019, researchers at ESET observed several attack attempts that both created and executed the Plead backdoor using "AsusWSPanel.exe," a legitimate process which belongs to the Windows client for the...
Blog

6 Common Compliance Conundrums to Know About

Cyber security assessment initiatives and frameworks abound in the US government, the most important being the Federal Information Systems Management Act (FISMA) passed in 2002. The law’s broad scope included a mandate to the US National Institute of Standards and Technology (NIST), charging it to create methods and standards to assess and optimize...
Blog

Women and Nonbinary People in Information Security: Stacey Holleran

Last week I spoke with Trica Howard about social engineering attacks and user education. Considering how social engineering and poorly trained users are two of the most significant cybersecurity problems ever, it was a great conversation. This week I spoke with another security communications specialist, tech writer Stacey Holleran. We both write...
Blog

MITRE ATT&CK April 2019 Update

MITRE has released an April 2019 update to its ATT&CK framework. It’s been a year since the last major update featuring a new tactic. There are a number of changes for this year: the most major being the addition of a 12th Tactic, Impact, which contains 14 new Techniques. There are also seven new Techniques under existing Tactics, as well as a...
Blog

A Changing Threat Landscape: Inside Verizon’s 2019 DBIR

Verizon Enterprise has once again released its annual Data Breach Investigations Report (DBIR). The publication doesn’t disappoint in providing crucial insight into today’s digital threats. On the one hand, Verizon’s 2019 report captures how many forces in the threat landscape have remained the same since its previous report. The study observed how...
Blog

Highlights from the Verizon DBIR 2019

Every year, the Verizon Data Breach Investigations Report comes out, and there’s a mad scramble to inspect and interpret the data. The report is data-rich, as always, and already contains a bunch of analysis, so there are really only a few options for adding value to the conversation. Industry commentators can choose to disagree with the analysis,...
Blog

With Great Freedom Comes Great Cloud Responsibility

Modern digital and cloud technology underpins the shift that enables businesses to implement new processes, scale quickly and serve customers in a whole new way. Historically, organisations would invest in their own IT infrastructure to support their business objectives, and the IT department's role would be focused on keeping the "lights on." To...
Blog

Online Tutoring Program Reveals Customer Data Breach

An online tutoring program has revealed that it suffered a data breach in which an unauthorized individual might have compromised customers' information. The Hacker News received a copy of a notice sent out by Wyzant to its customers informing them about the data breach. According to this letter, the...
Blog

What Is DevOps Maturity, and How Does It Relate to DevOps Security?

By now, many organizations have turned to DevOps as part of their ongoing digital transformations. This process has not been the same for any two companies. Indeed, organizations have embraced DevOps at their own place, and they’ve invested varying levels of time and budget into their nascent deployments. Such variety has helped shape organizations’...
Blog

Women and Nonbinary People in Information Security: Tricia Howard

Last time, I got to speak with social engineering expert Jenny Radcliffe. This time, I got to speak with cybersecurity-minded client manager Tricia Howard. I got to learn even more about social engineering from her plus quite a bit about the importance of user education. Kim Crawley: Please tell me a bit about yourself and what you do. Tricia...
Blog

Fraudsters Targeting Consumers with One-Ring Phone Scams

Fraudsters are targeting consumers with one-ring phone scams that exploit people's curiosity so as to trick them into paying exorbitant fees. According to the U.S. Federal Communications Commission (FCC), this scam oftentimes begins when a fraudster contacts an unsuspecting consumer using a one-ring...
Blog

Cyber Security + Compliance Controls: What Does It All Mean, Rick?

I'm sure you have all seen the Rickie Fowler commercial where the interviewer rants about all of the confusing financial terms involved with getting a mortgage. If not, you can find it below: https://www.youtube.com/watch?v=Q1YqNTWOldY Confusion in Cyber Security Throughout my career, I have worked with hundreds of organizations. Regardless of the...
Blog

Unprotected Database Exposed 13.7M Users' Employment Information

An unprotected database made it possible for anyone on the web to view the personal and employment information of 13.7 million users. Security researcher and GDI Foundation member Sanyam Jain discovered the database and determined that it belonged to Ladders, a New York-based job recruitment site which specializes in high-end jobs. Jain then shared...
Blog

The Infamous Password

Passwords may not be the favourite piece of your workday, however, I have a theory – if I could share with you the value of a password and the reality of how simple they can be to create; then passwords may not be the monster you avoid. When you get the "your password expires in 5 days" notice, instead of feeling anxious or aggravated, let’s...
Blog

Mitigating Risks in Cloud Migration

Companies are moving to incorporate the cloud into their computing infrastructure at a phenomenal rate. This is, without question, a very positive move. It permits companies to scale processing resources up and down in response to changing demands, giving companies the operational equivalent of unlimited resources while paying only for the resources...