Zombie Cloud Data: What Your Delete Key May Not Delete

Zombie cloud data — information that lingers in the cloud even after a user supposedly deletes it — can open organizations to data theft and noncompliance.

The post Zombie Cloud Data: What Your Delete Key May Not Delete appeared first on Security Intelligence.


Why reforming the Vulnerability Equities Process would be a disaster

When the authors of WannaCry turbo-charged their ransomware with NSA exploits leaked by the Shadow Brokers, people thought it was the Vulnerability Equities Process’ worst-case scenario. It’s really not. The VEP is the policy process the U.S. government undertakes when one of its agencies finds a new software vulnerability. It’s how the government decides whether to tell the manufacturer about the bug, so they can patch it and keep all their customers safe, or to keep it secret and stealthily employ it to spy on foreign adversaries who use that software. In the wake of Shadow Brokers dumping several sets of highly advanced NSA hacking tools online — many using previously unknown vulnerabilities — there have been rising demands for reform of the VEP. Lawmakers have got in on the act, pledging to legislate the process with the Protecting Our Ability to Counter Hacking, or PATCH Act of 2017. But […]

The post Why reforming the Vulnerability Equities Process would be a disaster appeared first on Cyberscoop.


Microsoft uncovers hacking operation aimed at software supply chain

Microsoft researchers recently uncovered a sophisticated hacking campaign that was serving targeted malware to “several high-profile technology and financial organizations.” The unidentified hackers reportedly compromised a set of third-party editing software tools by injecting malicious code into the programs’ updating mechanism, the Windows Defender Advanced Threat Protection research team found. The recent findings underscore the threat organizations face through vulnerable, third-party applications. In many cases, such applications and services are integrated into a company’s IT infrastructure, widening the attack surface available to hackers. “[A] forensic examination of the Temp folder on [an] affected machine pointed us to a legitimate third-party updater running as service,” a Microsoft blog reads. “The updater downloaded an unsigned, low-prevalence executable right before malicious activity was observed. The downloaded executable turned out to be a malicious binary that launched PowerShell scripts bundled with the Meterpreter reverse shell, which granted the remote attacker silent control. The binary is detected by […]

The post Microsoft uncovers hacking operation aimed at software supply chain appeared first on Cyberscoop.


The Competing Claims of Security Vendors Sow Customer Distrust

There is no such thing as a magic bullet for security. When security vendors push their products too hard, customers grow skeptical of the entire industry.

The post The Competing Claims of Security Vendors Sow Customer Distrust appeared first on Security Intelligence.


Investors drop $20M on startup CyberGRX’s platform for auditing supply-chain cyber risks

Silicon Valley venture capitalists are betting $20 million on a cybersecurity startup that launched in March and is staffed with former NSA and CIA talent. Denver-based CyberGRX on Tuesday announced it had successfully raised funding to help develop and expand its main product, a software tool that is used to gauge security risks associated with a wide array of different third-party vendors. “As enterprises’ dependence on their partner ecosystems grows, so does their exposure to breaches from these key vendors, partners and customers,” explained CyberGRX CEO Fred Kneip. “The combination of outsourcing, globalization and the digitization of business has created new security and resiliency risks that many businesses are just starting to address [and understand].” Founded by former Blackstone executives, CyberGRX describes its platform — called the “third party global cyber risk exchange” — as a sort of rating agency like Standard & Poor’s or Moody’s. CyberGRX has now raised $29 million total. […]

The post Investors drop $20M on startup CyberGRX’s platform for auditing supply-chain cyber risks appeared first on Cyberscoop.


Securing Your Cloud-Based Resources: Start With These Four Areas

With cloud-based resources becoming an integral part of the enterprise, it’s time for security leaders to recognize the best ways to protect these assets.

The post Securing Your Cloud-Based Resources: Start With These Four Areas appeared first on Security Intelligence.


Did Your Developer Leave a Website Backdoor?

A Dutch developer stole e-commerce customers’ login credentials using a website backdoor and admin access that former employers had neglected to revoke.

The post Did Your Developer Leave a Website Backdoor? appeared first on Security Intelligence.


IBM Report Finds Health Care Data at Growing Risk From Ransomware, Insiders and Third-Party Breaches

A new report based on IBM MSS data revealed that ransomware, insider threats and third-party breaches plagued health care organizations in 2016.

The post IBM Report Finds Health Care Data at Growing Risk From Ransomware, Insiders and Third-Party Breaches appeared first on Security Intelligence.
