
Thursday, July 1, 2021

A selection of the top articles and videos from the last week on SecuritySenses.com. Don't forget to check back regularly for daily updates from around the globe.

If you like SecurityBuzz, why not forward it to some friends or share the online version?

Until Next Time! 👏


4 Steps To Lower Your Digital Risk

30-Jun-21   |   By Threat Intelligence Team   |   In Cyberint , Risk Management
Cyberint

Business decision-makers are inundated today with messages about the importance of digital transformation and innovation. If you want to stay ahead of the competition, you're told, you need to take full advantage of the cloud, move to microservices, replace your VMs with containers and so on. Yet what often gets lost or overlooked in those conversations is the digital risk that goes hand-in-hand with digital transformation. When you invest in new technologies -- especially technologies that are inherently more complex than conventional IT services -- you also expose your business to new threats.

Read More

AI everywhere: How AI is being applied in 4 different fields

30-Jun-21   |   By Devin Morrissey   |   In AT&T Cybersecurity , AI
AT&T Cybersecurity

This blog was written by an independent guest blogger. Historically, the idea of artificial intelligence (AI) saturating our world has been met with suspicion. Indeed, it’s one of the more popular tropes of science fiction: learning machines gain sentience that helps them take over the planet. While we’re not even slightly close to that dystopian reality, we have reached a point at which AI has been significantly integrated into various aspects of our society.

Read More

Cybersecurity Due Diligence in M&A

30-Jun-21   |   By Kasey Hewitt   |   In SecurityScorecard , M&A
SecurityScorecard

Mergers and acquisitions (M&A) enable companies to add products and services to their portfolios, giving them a way to scale their business. To gain true visibility into a company’s long-term impact on your organization’s bottom line, you need to understand all assets and liabilities, including digital ones. If you’re looking to add to your current portfolio, understanding how cybersecurity due diligence in M&A can help you appropriately evaluate the way security posture impacts your financial bottom line.

Read More

How Cloud Evangelists Face - and Overcome - Cloud-Computing Security Challenges

30-Jun-21   |   By Gunter Ollmann   |   In Devo , Cloud
Devo

This is the third in a series of posts examining the recent Devo research report, Beyond Cloud Adoption: How to Embrace the Cloud for Security and Business Benefits, which is based on a survey conducted by Enterprise Strategy Group (ESG). This time, we’ll take a look at the cloud-computing security challenges Cloud Evangelists face. Let’s begin by explaining how we define that group. According to the report, Cloud Evangelists are organizations that have adopted cloud computing for both business applications/workloads and cloud security.

Read More

Optimizing software composition analysis for developer workflows with Black Duck Rapid Scan

Synopsys

Black Duck Rapid Scan enables developers to check for security or policy violations without disrupting the development process. When the first software composition analysis (SCA) tools made their entrance into the market, their focus was on license compliance. As open source grew in popularity, SCA tools expanded to include vulnerability management, helping to reduce the attack surface for organizations leveraging open source. Today, the goal is still reducing license and security risks, but changes to how software is developed have shifted much of the responsibility for risk reduction onto the developer.

Read More

Ransomware Has Evolved, And So Should Your Company

30-Jun-21   |   By Veriato   |   In Veriato , Insider Threats
Veriato

Ransomware is typically initiated via phishing or social engineering tactics; these attacks often take advantage of human error for the successful delivery of the malware. These criminal organizations are impartial to the size of your organization. They target any company with data, and if you don't pay the ransom, your information could be posted to a public forum or sold on the Dark Web for profit. Most companies unfortunately are forced to pay due to system failure and file corruption.

View Video

Save the Embarrassment: The Value of Two-Factor Authentication on Social Media

29-Jun-21   |   By Tyler Reguly   |   In Tripwire , Data Breaches
Tripwire

These days, it’s not a matter if your password will be breached but when. Major websites experience massive data breaches at an alarming rate. Have I Been Pwned currently has records from 543 sites comprising 11.4 billion accounts. This includes well-known names like Wattpad, MySpace, and Facebook. This is an 84% increase in the number of sites and a 115% increase in the number of accounts from when I published the first version of this article in 2018.

Read More

The Basics of PCI Compliance: Merchant Levels and Requirements

29-Jun-21   |   By Emily Heaslip   |   In Nightfall , Compliance
Nightfall

PCI compliance isn’t just good for customers; it’s also good for business. Merchants that fall short of PCI compliance standards not only put their customer data at risk, they also may face hefty fines. The PCI Compliance Guide reports that fines and penalties can range from $5,000 to $100,000 per month for the merchant. And, if you don’t achieve PCI compliance, not only will these fees start to add up quickly, but you’re at risk of being dropped by your credit card merchant.

Read More

Why do we need a MITRE ATT&CK-style framework for bots?

29-Jun-21   |   By Alex McConnell   |   In Netacea , Bots
Netacea

Since launching in 2015, MITRE’s ATT&CK framework has been the cybersecurity industry standard for understanding cyber-attacks and their kill chains. Now the BLADE framework is set to develop a similar understanding of business logic attacks fueled by malicious bots. In this post, we will look at why MITRE ATT&CK is so important and examine why BLADE is needed now more than ever.

Read More

5 ways to prevent PHP code injection

29-Jun-21   |   By DeveloperSteve   |   In Snyk , PHP
Snyk

Following on from my previous post on testing for PHP Composer security vulnerabilities, I thought this post might be useful in helping create more secure applications that prevent PHP code injection. As developers, we build apps to help make end users’ lives easier. Be it entertainment, workplace or social network application, the end goal is to protect the users we build for by ensuring we build security into the code. Adopting secure coding practices not only helps keep end users secure, it also saves time and development costs by preventing rework.

Read More

Speed or Security? Don't Compromise

29-Jun-21   |   By Meaghan McBee   |   In Veracode , Application Security
Veracode

“Speed is the new currency of business.” Chairman and CEO of Salesforce Marc R. Benioff’s words are especially potent today as many organizations small and large look for ways to speed up production during their shifts to digital. In software development, speed is a critical factor. Everything from shifting priorities to manual processes and siloed teams can seriously impede deployment schedules. One of the biggest obstacles, however, is a lack of security throughout every step of the production process to ensure that coding mistakes and flaws are found and fixed before they turn into project-derailing problems.

Read More

Is Dropbox HIPAA Compliant?

29-Jun-21   |   By Michael Osakwe   |   In Nightfall , Data Security
Nightfall

Dropbox is known for being a convenient file sharing and storage tool. For over a decade, Dropbox has allowed teams to collaborate cross-functionally by providing a single source of truth. With files being managed and synced to a central location, teams can work together without issues of version control. Even in a post-Google Drive and OneDrive era, Dropbox remains important, as not everyone uses the same productivity suites.

Read More

What If You Had Advance Notice of a Ransomware Attack?

29-Jun-21   |   By Cyndi Gutowski   |   In SecurityScorecard , Malware
SecurityScorecard

One of the worst things about ransomware attacks isn’t just the mayhem they cause as your data is encrypted by criminals and your business is put on hold — it’s not knowing when they’ll happen. But what if you had some advance notice about the next cyberattack before it hit? What if you could find out if your data was up for bid on the dark web?

Read More

What Is a Quality Management System?

29-Jun-21   |   By Reciprocity Labs   |   In Reciprocity , Risk Management
Reciprocity

A quality management system (QMS) is a system that documents the policies, business processes, and procedures necessary for an organization to create and deliver its products or services to its customers, and therefore increase customer satisfaction through high product quality. In short, a QMS helps a company meet its regulatory requirements and customer requirements, and make continuous improvements to its operations.

Read More

What Are Audit Procedures for Internal Controls?

29-Jun-21   |   By Reciprocity Labs   |   In Reciprocity , Audit
Reciprocity

Audit procedures are the processes and methods auditors use to obtain sufficient, appropriate audit evidence to give their professional judgment about the effectiveness of an organization’s internal controls. Internal controls are the mechanisms and standards that businesses use to protect their sensitive data and IT systems; or as a means of providing accountability on financial statements and accounting records.

Read More

Asset management in the age of digital transformation

28-Jun-21   |   By Todd Waskelis   |   In AT&T Cybersecurity , Asset Management
AT&T Cybersecurity

Over the past year or so, organizations have rapidly accelerated their digital transformation by employing technologies like cloud and containers to support the shift to IoT and address the expanding remote workforce. This digital shift calls for a new approach to asset visibility as traditional asset administration responsibilities like inventory, software support, and license oversight are often the purview of IT and addressed with IT inventory-focused tools.

Read More

5 Cyber Risks SLED Agencies Need to Protect Against

28-Jun-21   |   By Phoebe Fasulo   |   In SecurityScorecard , Cyberattacks
SecurityScorecard

Last year was a tough one for schools, local, and state governments. Not simply because of COVID-19, which forced every local government and school to navigate a pandemic, but also because the pandemic brought with it a different set of dangers. While local governments and schools were trying to figure out remote learning, remote work, and how to run public meetings safely and effectively online, cybercriminals took advantage of the fact that the remote world is new to most small governments.

Read More

Cybersecurity Challenges in the Construction Industry

28-Jun-21   |   By Tripwire Guest Authors   |   In Tripwire , Security
Tripwire

Digital transformation is at the heart of every industry. There are no longer any industries that are immune to the rapid adoption of this movement. When we think of the construction industry, we may think back to an image of ironworkers sitting over a city and enjoying a lunch break on a construction beam. However, rapid digitalization has transformed the construction industry and will continue to drive change and encourage innovation. The traditional ways of conducting business bring about additional risks and challenges that the industry has to solve.

Read More

Should Australian Businesses Pay Ransoms to Cybercriminals?

28-Jun-21   |   By Edward Kost   |   In UpGuard , Malware
UpGuard

The Australian Cyber Security Centre (ACSC) strongly advises against paying ransoms of any amount to cybercriminals. In some circumstances, these payments could even be illegal. The Australian government is tightening its cybersecurity regulations to align with the United States' new stance on nation-state threats. As a result, there have been significant changes to how Australian businesses are expected to respond to cyberattacks. In this post, we will discuss some of the major reforms impacting ransomware attacks, data breaches, and cybersecurity best practices.

Read More

Product Update: SMS TxN Extractor-The future of income proof and financial profiling

28-Jun-21   |   By Sushanta Kumar Mishra   |   In IDcentral , Digital Identity
IDcentral

With our continuous pursuit to help businesses reduce the blind spots in business metrics, we have come up with yet another feature that will prove to be the richest source of financial data, i.e. SMS TxN Extractor. SMS was believed to be a dead market until people began to understand its reliability. Apart from the reliability of SMS messaging, texts are quick, cost-effective, and results can very quickly be analyzed.

Read More

How to cyber security: Embedding security into every phase of the SDLC

28-Jun-21   |   By Jonathan Knudsen   |   In Synopsys , SDLC
Synopsys

Creating a secure software development life cycle can lower risk, but security must be embedded into every step to ensure more secure applications. On May 6, 1937, the Hindenburg airship burst into flames while docking, causing 35 deaths and bringing the airship era to a sudden close. In hindsight, it seems tragically obvious. Fill a giant bag with highly flammable hydrogen gas and trouble is bound to follow. But hydrogen is also especially buoyant, which means airships filled with hydrogen could carry more passengers and more cargo than airships filled with other gases. Helium, which is not flammable, would only allow for about one-quarter the payload, and it’s more expensive and harder to obtain.

Read More

Too Many Vulnerabilities and Too Little Time: How Do I Ship the Product?

28-Jun-21   |   By Bernard Felix   |   In Veracode , Application Security
Veracode

The percentage of open source code in the enterprise has been estimated to be in the 40 percent to 70 percent range. This doesn't make the headlines anymore, but even if your company falls in the average of this range, there is no dearth of work to do to clean up, comply with AppSec policies, and ship the product. Phew! So where do you start when it comes to resolving all the vulnerabilities uncovered in your open source libraries? By prioritizing the findings from your scans and addressing the most critical and relevant vulnerabilities first.

Read More

Identity, Business Agility, and Bird Feeders

28-Jun-21   |   By Tim Bedard   |   In ForgeRock , Digital Identity
ForgeRock

Businesses love stability. Yes, they love profits too, but those come when markets are consistent. Unfortunately, the world doesn’t always work this way – things change, markets are volatile, and you must know the risks in trying to stay on a straight path across a moving landscape. Businesses that survive (and thrive) have one thing in common: the ability to be nimble. As the old Confucius adage goes, “The green reed which bends in the wind is stronger than the mighty oak which breaks in a storm”, a successful business knows when to be flexible to the surrounding conditions. This requires business agility and the willingness to adjust both to changes in the market and to changes in the business itself.

Read More

Use ZTNA to address requirements VPNs cannot. Here's why.

28-Jun-21   |   By Sundaram Lakshmanan   |   In Lookout , Networks
Lookout

I recently hopped on the Endpoint Enigma podcast to talk about virtual private networks (VPNs) and how they’ve been extended beyond their original use case of connecting remote laptops to your corporate network. Even in this new world where people are using personal devices and cloud apps, VPN continues to be the go-to solution for remote access and cloud access. After my conversation with Hank Schless, I was inspired to put some additional thoughts about VPN on paper.

Read More

EU representation - what UK businesses need to know

28-Jun-21   |   By Nicky Whiting   |   In Bulletproof , Security
Bulletproof

EU representation isn’t a new thing – it’s a core component of the GDPR – but it has become something that UK companies need to be aware of post Brexit. Up until 31st December 2020, UK companies didn’t need to worry about having an EU representative, as the UK was a part of the EU. Now things have changed, and many UK businesses need to find an EU data representative in order to maintain compliance with EU GDPR.

Read More

How can businesses stay ahead of loyalty point fraud?

25-Jun-21   |   By Yasmin Duggal   |   In Netacea , Bots
Netacea

In our recent webinar featuring Netacea’s Head of eCommerce, Tom Platt, we explored the rising threat of loyalty point fraud and how businesses can reap the benefits of loyalty schemes while staying protected from attacks and retaining customer loyalty. Watch the full webinar on demand or catch up on the takeaways here.

Read More

How an open source software audit works

25-Jun-21   |   By Phil Odence   |   In Synopsys , Audit
Synopsys

Open source software audits can identify undetected issues in your codebase. Learn how our audit services can help you understand the risks during an M&A. Most of our clients understand that an open source software audit differs from an automated scan. An audit involves expert consultants analyzing a proprietary codebase using a combination of Black Duck® commercial tools and tools we’ve developed and use internally. The deliverable is a report that identifies open source in the code as well as associated risks. If you’d like to understand our process—what comes before, during, and after—read on.

Read More

How to reduce your attack surface with system hardening in 2021

25-Jun-21   |   By Editor   |   In Cyphere , Cyberattacks
Cyphere

The goal of system hardening (or security hardening) is to reduce the attack surface. It includes reducing security risks and removing potential attack vectors. By removing superfluous programs, accounts, functions, applications, ports, permissions, access, etc., the reduced attack surface means the underlying system will be less vulnerable, making it harder for attackers or malware to gain a foothold within your IT ecosystem.

Read More

The Top 3 Reasons to Remove Bloated Code

24-Jun-21   |   By Rezilion   |   In Rezilion , DevOps
Rezilion

Many things can slow down the development and deployment of a project. But one of the most significant issues is also wholly manageable: Code Bloat. Bloated code occurs where the runtime environment contains useless pieces of code, like libraries or service binaries, that will invariably lead to software inefficiencies and security vulnerabilities. It is typically caused by inadequacies in the language in which the code is written, the compiler used to compile the code, or even a feature-focused programmer who writes more lines of code than required for the application to work.

Read More

What Is A Compliance Management System?

24-Jun-21   |   By Reciprocity Labs   |   In Reciprocity , Compliance
Reciprocity

Regardless of your industry, regulatory compliance is an important component of ongoing success. Staying on top of your compliance obligations can be challenging, and a strong compliance management program will require a compliance management system.

Read More

The 3 Types of Security Controls (Categories, Frameworks and Standards)

24-Jun-21   |   By Editor   |   In Cyphere , Compliance
Cyphere

Security controls can be physical or virtual: policies, training, techniques, methodologies, action plans, devices, and customised solutions to avoid, detect, and prevent intruders and minimise the security risk befalling an individual's or organisation's proprietary information systems.

Read More

Accountability Through Reporting: The Path to True DevSecOps

24-Jun-21   |   By ZeroNorth   |   In ZeroNorth , Application Security
ZeroNorth

Visibility within an application security (AppSec) program is key to accountability. CISOs and executive leaders can’t expect to hold developers and product lines responsible for security when these professionals don’t have the comprehensive insight needed to properly assess risk and security gaps.

Read More

Security at speed: Justifying your security program transformation using key development motivators

24-Jun-21   |   By Synopsys Editorial Team   |   In Synopsys , DevOps
Synopsys

Security investments require executive buy-in. Learn what key development motivators can help justify your security program updates. As development speeds increase exponentially, organizations often struggle to introduce or maintain security practices capable of keeping pace. Additionally, security teams can find it difficult to get the top-down buy-in and support they need for a security overhaul. So we’re outlining the key drivers and motivators for improving security velocity that you can use to justify your own organization’s security upgrade needs.

Read More

XDR: What Next-Gen SIEM Would Have Been

24-Jun-21   |   By Bozhidar Bozhanov   |   In LogSentinel , SIEM
LogSentinel

It’s easy to get lost in product categories in security these days. And XDR (eXtended Detection and Response) is a new addition to the landscape, which makes people wonder – what exactly is that? We’ve previously held that XDR and SIEM are effectively the same thing, although many vendors and Gartner analysts would probably disagree. They would insist that it’s different because it has machine learning, it has better and easier native integrations, it has endpoint detection and response, it has fewer false positives, and so on. An article on the topic would usually say that XDR does not obsolete SIEM because it’s still needed for compliance/reporting/retention/forensics/…

Read More

Cloud Computing Security: A Primer

24-Jun-21   |   By Patricia Johnson   |   In WhiteSource , Cloud
WhiteSource

Gartner forecasts that worldwide public cloud end-user spending will grow 23% to USD 332.3 billion in 2021 as cloud technologies become mainstream. As cloud computing architectures continue to become more prevalent, “cloud native” has become a popular buzzword. But what exactly does “cloud native” mean and what impact does it have on security? How exactly do you secure all these cloud native applications? In this blog, we define cloud native, look at cloud computing security challenges and risks, and identify cloud security best practices. We’ll wrap up our discussion of all things cloud computing with a look at security solutions and tools.

Read More
Copyright © 2021 OpsMatters, All rights reserved.