
Thursday, June 24, 2021

A selection of the top articles and videos from the last week on SecuritySenses.com. Don't forget to check back regularly for daily updates from around the globe.

If you like SecurityBuzz, why not forward it to some friends or share the online version?

Until Next Time! 👏

Featured Post

Demystifying Shift-Left Approach in Application Security

17-Jun-21   |   By Subho Halder   |   In Appknox , Mobile
Appknox

In this blog, we will guide you through the benefits and the right approach to implement the shift-left security approach in your application development process and see how this simple strategy can transform the entire security posture of your organization.

Read More

Portrait of Malicious Insiders: Types, Characteristics, and Indicators

23-Jun-21   |   By Ekran   |   In Ekran , Insider Threats
Ekran

While organizations are spending a good deal of money protecting their data against unauthorized access from the outside, malicious insiders may pose no less harm. According to the 2021 Data Breach Investigation Report by Verizon, 36% of all data breaches experienced by large organizations in 2020 were caused by internal actors. For small and midsize businesses, it was 44%. Organizations that become victims of malicious insider attacks face many negative consequences: from loss of confidential data, revenue, and clients to reputational harm or even going out of business. Let’s look closer at how organizations can detect a malicious insider before they cause harm.

Read More

Getting started with Snyk for secure Java development

23-Jun-21   |   By Brian Vermeer   |   In Snyk , DevOps
Snyk

If you’re a Java developer that wants to develop your applications more securely, you’ve come to the right place. Snyk can help you with that mission. This article will explain how to begin with Snyk for secure Java development so you can be more secure from the get-go. If you’re new to Snyk, it’s important to know that we offer a variety of developer-focused products and tools. Some of these tools, like our CLI and some IDE integration, support multiple products. However, we can distinguish four different products within Snyk.

Read More

How does AWS IAM role, STS and Identity Pool work with each other.

23-Jun-21   |   By Shuo Yang   |   In Teleport , Cloud
Teleport

We talked about IAM in the past three posts: identities in IAM, managing user privileges as an IT person, and controlling privilege boundaries. We also talked about how applications use AWS Cognito Identity Pool to get AWS temporary credentials to access AWS resources in the earlier posts “What I wish I could have learned before starting using AWS Cognito” and “Authentication and authorization with AWS Amplify under the hood”. In this post, we want to give a holistic view across these three AWS building blocks: CIP, STS and IAM roles.

Read More

Difference between Agent-based and Network-based Internal Vulnerability Scanning

23-Jun-21   |   By Nishaanth Guna   |   In Appknox , Mobile
Appknox

Technology evolution is the only constant in our lives these days. Sometimes, an existing approach can go a long way in addressing problems, while other times, a new approach needs to be adopted to get the work done. Let’s talk about vulnerabilities; internal networks and software can be riddled with loopholes, which can expose them to breaches and data leaks, paving the way for hackers to have an easy ride. Through the process of vulnerability scanning, IT teams assess, mitigate and report security vulnerabilities that have been found in a company’s internal networks.

Read More

Zero Trust Architecture (ZTA) within LEXIS

23-Jun-21   |   By Frédéric Donnat   |   In Outpost 24 , Security
Outpost 24

To ensure Outpost24 stays at the forefront of cybersecurity technology we conduct regular research into new innovations, and LEXIS High Performance Computing (HPC) is one of them. Outpost24 was instrumental in contributing and providing the “Security-By-Design” and “Zero-Trust” principles to creating the secure LEXIS Cloud-HPC-Big Data platform, and in this blog we explore the zero-trust fundamentals for which the LEXIS portal has been designed.

Read More

Trends in Cloud Adoption: Why Cloud Computing is on the Rise

23-Jun-21   |   By Gunter Ollmann   |   In Devo , Cloud
Devo

In this post, I’ll answer one question: Have we reached the tipping point for cloud proliferation? According to the report, the answer is yes. ESG surveyed 500 IT and security professionals working in the security operations center (SOC) chain of command at organizations with more than 1,000 employees in North America and Western Europe in Q1 of this year. They found that many organizations are starting to overcome traditional barriers to cloud adoption — such as concerns over how secure the cloud is — and are making the shift.

Read More

Risk Management Process For Insurance Companies

22-Jun-21   |   By Reciprocity Labs   |   In Reciprocity , Insurance
Reciprocity

Insurance companies know how to protect their clients’ homes, cars, and businesses — but protecting the personal information of those customers is a bit harder to assure. While the insurance industry focuses on risk-based analyses for its own underwriting programs, firms also need to apply those same risk management processes to securing customer information.

Read More

The Evolution of Securing Critical Infrastructure

22-Jun-21   |   By Irfahn Khimji   |   In Tripwire , ICS
Tripwire

Everything evolves. Simply stated, the gradual development of something from a simple to a more complex form is what evolution is all about. When something ceases to evolve, yet still exists, it becomes classified as a living fossil. One example is the Ginkgo Biloba tree. It took millions of years for this evolution to cease. This all happened without any help from humans.

Read More

The Top 5 Vendor-Neutral Cloud Security Certifications of 2021

22-Jun-21   |   By David Bisson   |   In Tripwire , Cloud
Tripwire

Most organizations have already begun their shift to the cloud. In its Cloud Computing Survey 2020, for instance, International Data Group (IDG) found that 81% of respondents had at least one workload or segment of their computing infrastructure in the cloud. That percentage could grow by the end of the year, as IDG found that 32% of total IT budgets will go to cloud computing—up from 30% in 2018.

Read More

What is Application Security Risk?

22-Jun-21   |   By ZeroNorth   |   In ZeroNorth , Application Security
ZeroNorth

If you have ever considered how hackers and other cyber attackers on the internet use different paths to harm systems and software, you already know a bit about what application risk means. While understanding the essence of risk—and what it can do to the business—is critical, it’s also important to visualize how the notion of security risk is impacted and affected by other areas of threat and vulnerability. Much like a mathematical equation, the relationship between threat, vulnerability and risk sits at the core of application development and security.

Read More

SSL/TLS Protocols: Definition, Differences, Versions & Vulnerabilities

22-Jun-21   |   By Editor   |   In Cyphere , Networks
Cyphere

SSL and TLS are two encryption protocols that provide security for communication over the internet. The SSL protocol has been around for many years, but both are still widely used today. Why is this? The answer is simple: these protocols work well to encrypt data sent between a client and a server, which can be very important in protecting sensitive information such as credit card numbers or passwords. But what really sets them apart from each other? This post will explain the basics and the differences between SSL and TLS protocol versions, and SSL vs TLS encryption.

Read More

Essential Eight Compliance Guide (Updated for 2021)

22-Jun-21   |   By Edward Kost   |   In UpGuard , Security
UpGuard

In an effort to significantly improve the cyber resilience of Australian businesses, the Australian federal government is mandating compliance across all eight cybersecurity controls of the Essential Eight framework. This is an ambitious move that may be burdensome to the many entities still struggling to comply with just the top four controls of the Essential Eight. This post clearly outlines the expectations of all eight security controls and explains how Australian businesses can achieve compliance for each of them.

Read More

PII Compliance Checklist & Best Practices

22-Jun-21   |   By Emily Heaslip   |   In Nightfall , Data Security
Nightfall

Research from Gartner suggests that, by 2023, more than 60% of the world’s population will be covered by some form of personal data protection legislation. From GDPR to CalPRA, privacy regulations are on the rise. These compliance regimes aim to protect a user’s rights to their data — which, in practice, means that businesses need to implement more effective approaches to security. Here’s what the current landscape of PII compliance looks like, and how businesses can take concrete steps to implement PII compliance best practices.

Read More

The SASE Solution to Network and Security's Complicated Relationship Status

22-Jun-21   |   By Bob Gilbert   |   In Netskope , Cloud
Netskope

If our friends Security and Networking were on Facebook, they would probably both list their relationship status as “It’s Complicated.” Sometimes everything’s great, but now and then things can get a little weird, unclear, or uncomfortable. At many organizations, there has traditionally been a barrier between the security and networking teams. Each team has its own objectives — and at times, those objectives can be at cross-purposes. Enforcing security affects the networking team’s ability to do its job and serve user demands. At the same time, the needs and expectations of networking also have a direct impact on the security team.

Read More

Understanding Insider Threats: Definition and Examples

22-Jun-21   |   By Elena Vodopyan   |   In Netwrix , Insider Threats
Netwrix

Insider threats remain one of the biggest issues plaguing cybersecurity. A study by Ponemon shows that the costs of insider threats leaped 31% in just two years, from $8.76 million in 2018 to $11.45 million in 2020. The same report shows that it takes companies an average of 77 days to contain an insider threat incident. Forrester predicts that insider threats will cause 31% of data breaches by the end of 2021, up from 25% in 2020.

Read More

How data poisoning is used to trick fraud detection algorithms on ecommerce sites

21-Jun-21   |   By Theodoros Karasavvas   |   In AT&T Cybersecurity , AI
AT&T Cybersecurity

Artificial intelligence (AI) and machine learning (ML) systems have become the norm for using client data to provide recommendations to customers. As more people are working from home and conducting business online, it is imperative that fraud detection software is used to protect user information. But these protective systems also utilize ML to automate the process and understand when a potential attack is taking place.

Read More

Open source data loss prevention for helpdesk ticketing systems

21-Jun-21   |   By Chris Martinez   |   In Nightfall , Data Security
Nightfall

When your customers want help, ticketing systems provide the first line of communication between your company and your customers. Solving a problem or resolving an issue for your customers often requires collecting a lot of information and context throughout the support interaction. Especially today, these interactions can be captured through a myriad of channels including but not limited to messaging apps, SMS, social media, help centers, forums, bots, video conferencing, and more.

Read More

What is Application Security Testing and How Does it Affect Software?

21-Jun-21   |   By ZeroNorth   |   In ZeroNorth , AST
ZeroNorth

In a nutshell, application security (AppSec) testing is the process of ensuring software is built to be as resistant as possible to outside threats. When applications are secured through effective testing methods, weaknesses and vulnerabilities in the source code and third-party components can be easily identified, managed and actioned before the software is deployed.

Read More

A Beginner's Guide to Risk Mitigation and Management for Security and Compliance Professionals

21-Jun-21   |   By Neil Jones   |   In Egnyte , Compliance
Egnyte

Good data governance can go a long way toward reducing business risk. If your content and your data are secure, you’ve eliminated danger to your customers’ information and secured your proprietary information. From a digital perspective, you’re ahead of the game. But data governance shouldn’t be your only concern. Your business also faces other kinds of threats, which could be anything from a competitor releasing a new product to a customer choosing to take their business elsewhere, which can impact your bottom line. In order to keep your business truly secure, you need to look at risk from a holistic perspective.

Read More

How to be Compliant with Biden's Cybersecurity Executive Order

21-Jun-21   |   By Edward Kost   |   In UpGuard , Legislation
UpGuard

In an ambitious leap towards improving the Nation’s security posture, President Joe Biden has instituted an Executive Order to improve cyber threat information sharing between the U.S. Government and the private sector. The goal is to align cybersecurity initiatives and minimize future threats to national security by modernizing cybersecurity defenses in the United States. In this post we provide a framework for compliance with Biden's Executive Order, with a specific focus on the sections with the greatest impact on the private sector. For the complete Executive Order, refer to the official White House publication.

Read More

Are U.S. Companies Affected by the GDPR?

21-Jun-21   |   By Reciprocity Labs   |   In Reciprocity , Legislation
Reciprocity

The European Union’s General Data Protection Regulation applies to any organization that operates in the EU or that collects or processes the personal data of EU citizens. So if a business in the United States (or anywhere else in the world, for that matter) does handle such data — yes, the GDPR can apply to you. That said, the exact compliance requirements will vary depending on the size of your company and how you process and store the applicable data. If your company’s website actively targets EU citizens (known as data subjects) for marketing or monitoring, then your organization must be compliant.

Read More

What is Third-Party Risk Management?

21-Jun-21   |   By Reciprocity Labs   |   In Reciprocity , Risk Management
Reciprocity

Third-party risk management (TPRM), also known as “vendor risk management” is the process of managing risks introduced to your business by your organization’s vendors, suppliers, contractors, and service providers. Any outside party that plays a significant part in your company’s ecosystem or supply chain is considered a third-party vendor.

Read More

Survey: Nearly Half of Manufacturers Suffered a Digital Attack in the Last Year

21-Jun-21   |   By Dean Ferrando   |   In Tripwire , Cyberattacks
Tripwire

Confidence isn’t new when it comes to cybersecurity. All the way back in 2015, for example, 86% of security professionals working in the energy sector told Tripwire that they were confident they could detect a breach in a week. Just less than half (49%) said it wouldn’t take them longer than a day to spot an attack. It was the same story a year later when Tripwire surveyed infosec professionals in the retail sector. Most (95%) respondents said their organization could detect a breach within a month. That was the case even with 48% of survey participants admitting their breach detection products were just partially integrated.

Read More

Five Lessons from the JBS Attack for Securing the Manufacturing Supply Chain

21-Jun-21   |   By Adam Preis   |   In ForgeRock , Cyberattacks
ForgeRock

The Fourth of July is just around the corner and many Americans are looking to celebrate their holiday with family and friends. “Grillin’ and chillin’,” as it’s come to be known, is an industry. But what if the prices of meat spiked overnight or, worse still, if there was no meat available on supermarket shelves? And what if consumers learned that this disruption could have been prevented if meat producers had secured their supply chains with modern technology?

Read More

Cybersecurity Maturity Model Certification (CMMC): Tips for Compliance

18-Jun-21   |   By Mike Tierney   |   In Netwrix , Compliance
Netwrix

Following a string of 83 data breaches in 2019 alone, the United States Department of Defense (DoD) established the Cybersecurity Maturity Model Certification (CMMC). The CMMC framework is a unified national standard for improving cybersecurity. Companies in the defense industrial base (DIB) must implement CMMC requirements in order to win contracts. Read on to find out how you can achieve compliance.

Read More

Risk-based security now more important than ever for Energy and Utilities!

18-Jun-21   |   By Bindu Sundaresan   |   In AT&T Cybersecurity , Security
AT&T Cybersecurity

This is the third of three blogs in a series to help the energy and utility industries. You can read the first blog on Ransomware and Energy and Utilities and the second blog on Threat Intelligence and Energy and Utilities as well.

Read More

PHI Compliance: What It Is and How To Achieve It

18-Jun-21   |   By Emily Heaslip   |   In Nightfall , Compliance
Nightfall

For organizations that work in or partner with the healthcare industry, HIPAA compliance is of paramount importance. Keeping a patient’s medical records and personal information safe isn’t just a matter of avoiding penalties. It’s also key to building trust with patients and, ultimately, providing great patient care. Here’s what health organizations and their partners need to know about PHI and keeping it secure.

Read More

Understanding Mobile Application Penetration Testing Methodologies

17-Jun-21   |   By Abhinav Vasisth   |   In Appknox , Mobile
Appknox

Mobile Application Penetration Testing Methodology, as a security testing measure, analyses security perimeters within a mobile environment. Derived from the traditional concept of application security methodology, its main focus lies on client-side security, and it broadly puts the end user in control. By conducting penetration testing, companies can gain insights into the source code’s vulnerabilities, bottlenecks, and attack vectors beforehand. This way, once all shortcomings are known, developers can put in fixes to plug these gaps and change the design to address the issues at hand.

Read More

What is an Advanced Persistent Threat in Cybersecurity?

17-Jun-21   |   By Reciprocity Labs   |   In Reciprocity , Cyberattacks
Reciprocity

Corporate cybersecurity professionals must be on constant alert to avoid the wide range of cyberattacks that can be thrown at them today: malware, ransomware, trojan horses, social engineering, and spear-phishing attacks, to name just a few. Among the most serious of attacks is the advanced persistent threat (APT). An APT is an attack that uses sophisticated methods to gain access to information systems and sensitive information. Typically this attack seems so inconspicuous that it goes undetected — and therefore remains, and continues to cause harm, for an extended period of time.

Read More

SAST vs. DAST: What's the Difference?

17-Jun-21   |   By ZeroNorth   |   In ZeroNorth , AST
ZeroNorth

Considering the threats posed by the digital world, organizations today must think about security and the way it affects their software. With business outcomes and revenue on the line, setting up and running an effective application security (AppSec) program is no longer just nice to have—it’s imperative. Practitioners need to identify vulnerabilities in their applications to prioritize and mitigate risk, a goal that can only be achieved through comprehensive AppSec testing. Two AppSec testing methodologies that exist in today’s security realm are SAST and DAST. While SAST investigates applications from the inside out, DAST works from the outside looking in.

Read More

Reduce open source risk in M&A with software due diligence

17-Jun-21   |   By Synopsys Editorial Team   |   In Synopsys , M&A
Synopsys

The vast majority of today’s applications are made up of open source components. The 2021 “Open Source Security and Risk Analysis” (OSSRA) report, conducted by the Synopsys Cybersecurity Research Center (CyRC), found that 75% of the 1,500+ codebases analyzed were composed of open source. Understanding what’s in your codebase is essential, and for M&A transactions it’s one of the key drivers for performing software due diligence. Identifying open source risks, security flaws, and code quality issues ensures there are no surprises for acquirers, and earlier detection protects the value of a deal.

Read More

Scan for AWS CloudFormation misconfigurations with Snyk IaC

17-Jun-21   |   By Ilianna Papastefanou   |   In Snyk , Cloud
Snyk

We’re excited to announce the launch of support for AWS CloudFormation in Snyk Infrastructure as Code. In our recent Infrastructure as Code Security Insights report, we found that 36% of survey participants were using AWS CloudFormation (CF) as their primary infrastructure as code tool of choice. Using Snyk Infrastructure as Code, you can now scan your CF YAML or JSON templates against our comprehensive set of AWS security rules. With these new capabilities, you have the power to treat your CloudFormation files like any other code and shift security left, early in your development process, making security an integral part of your infrastructure development and deployment pipelines.

Read More

Three Steps to Meet Digital Healthcare Challenges in the Post-Pandemic Era

17-Jun-21   |   By Steve Gwizdala   |   In ForgeRock , Digital Identity
ForgeRock

The combined, specialized efforts of ForgeRock and Accenture in digital identity for healthcare, especially during a global pandemic, have provided a unique perspective. The unexpected digital transformation journey that the healthcare industry has taken from pre-pandemic to current day is staggering. Along with the front-line workers, the healthcare IT and digital experience teams that quickly made digital access and telehealth care available to the masses deserve our thanks.

Read More

Bridging the Network-Security Divide with SASE Thinking

17-Jun-21   |   By David Fairman   |   In Netskope , Cloud
Netskope

The many business benefits made possible by digital transformation are undoubtedly making waves across industries. Data is the raw material that drives smarter decision-making, and as such, drives value for organizations, but things quickly get challenging when you start to consider how all that data will be used—and who has access to it, when. It was easier for security teams when all this data was housed inside the perimeter of the data center environment over which the organization had total control. Now, however, the business relies on remote workers and extensive collaboration with third-parties, leveraging SaaS and cloud-based tool providers who can only deliver results when provided with this critical data.

Read More
Copyright © 2021 OpsMatters, All rights reserved.