Today’s VERT Alert addresses Microsoft’s March 2025 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1147 as soon as coverage is completed.In-The-Wild & Disclosed CVEsCVE-2025-26633According to Microsoft, improper neutralization in Microsoft Management Console could allow an unauthorized attacker to bypass a security feature locally. For...

A critical aspect of manufacturing, energy, and transportation is Industrial Control Systems (ICS) and Operational Technologies (OT). The rapid pace of digital growth makes these systems susceptible to cyberattacks.OT and ICS system security is important, making penetration testing an essential activity. This tactic makes it possible to mitigate weaknesses so they are no longer vulnerabilities. It...

What is it?The Tripwire Enterprise Critical Change Audit rules provide customers with the ability to monitor for critical events that could have a significant impact on a system. Monitoring for critical events can help administrators identify malicious and/or unexpected changes within their environment.Changes To CCAAdditional rules were added to the Critical Change Audit rule set. These rules...

Tripwire's February 2025 Patch Priority Index (PPI) brings together important vulnerabilities for Microsoft.Up first on the list are patches for Microsoft Edge (Chromium-based) that resolve 4 remote code execution and 2 spoofing vulnerabilities.Next on the list are patches for Microsoft Office and Excel. These patches resolve 8 issues such as remote code execution and information disclosure...

The evolution of the cyber threat landscape highlights the need for organizations to strengthen their ability to identify, analyze, and evaluate cyber risks before they evolve into security incidents. Criminals often exploit known unpatched vulnerabilities to penetrate Industrial Control Systems (ICS) environments and disrupt critical operations. Although patch management seems like the obvious...

Over 80% of businesses use at least one Software-as-a-Service (SaaS) application in their operations, per a report by SaaS Academy. It’s easy to see why SaaS applications are the fulcrum of many businesses today. From collaboration tools to CRMs, SaaS platforms enable flexibility, scalability, and operational efficiency. However, this convenience also comes with several security risks.According to...

Many organizations have a vulnerability management (VM) problem without knowing it. Vulnerability management is a crucial component of any organization’s cybersecurity program and is required by most major compliance standards because of its sink-or-swim impact on network security. One of the biggest issues in VM is that organizations aren’t testing the entirety of their networks. Could yours be...

The original NIS Directive came into force in 2016 as the EU’s first comprehensive law governing cybersecurity in member states. As part of its key policy objective to make Europe “fit for the digital age,” the European Commission proposed in December 2020 that NIS be revised, and NIS2 entered into force in January of 2023. Member states were required to transpose it into law by October 17, 2024...

In December 2024, Malaysia passed its Data Sharing Bill 2024, a new piece of legislation aimed at streamlining data-sharing across federal government agencies. This bill promises to revolutionize how data is managed, shared, and secured within Malaysia's government, fueling a more efficient, innovative, and secure public sector.By enabling seamless data exchange between federal entities while...

In today’s dynamic IT environments, securing and maintaining the integrity of your systems is critical. Fortra’s Tripwire Enterprise is a robust tool designed to help organizations ensure compliance and security by continuously monitoring the configuration and behavior of their IT assets.When deploying Tripwire, a common question arises: should you prioritize monitoring applications, operating...

Security experts have warned that a cybercriminal group has been running a malicious and inventive phishing campaign since August 2024 to break into organizations across Europe, North America, Africa, and the Middle East.The Russian group, known as Storm-2372, has targeted government and non-governmental organisations (NGOs), as well as firms working in IT, defence, telecoms, health, and the...

By now, we should all be pretty well acquainted with phishing scams. They've been around for a very long time—nearly 30 years, in fact—and are the primary focus of most security awareness training programs and initiatives. Despite this, phishing remains remarkably effective, with over 90% of successful cyberattacks beginning with a phishing email. Why? Because these scams are constantly evolving...

Today’s VERT Alert addresses Microsoft’s February 2025 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1143 as soon as coverage is completed. In-The-Wild & Disclosed CVEsCVE-2025-21391A vulnerability in Windows Storage could lead to elevation of privilege, however, it is important to note that this would not give complete access to the file...

Building a vulnerability management (VM) program from the ground up is no small feat. It requires technical expertise, organizational buy-in, and a clear roadmap. In recent months, I’ve been working with a client who had to discard their legacy approach and start afresh. We came to realize just how many components have to come together to get a decent start on a VM project while also showing value...

Tripwire's January 2025 Patch Priority Index (PPI) brings together important vulnerabilities for Microsoft.First on the list are patches for the Microsoft office platform, including Word, Access, Visio, Excel, OneNote, and Outlook. These patches resolve 13 issues such as remote code execution and security feature bypass vulnerabilities.Next are patches that affect components of the core Windows...

Data breaches continue to cost organizations millions of dollars each year, with costs rising steadily. According to IBM's 2024 Cost of a Data Breach Report, the average cost of a data breach has surged to $4.88 million globally, reflecting the increasing complexity and sophistication of cyberattacks. In the United States, this figure is even higher, averaging $9.8 million per breach, and the...

Key Takeaways for Control 4Most fresh installs of operating systems or applications come with preconfigured settings that are usually insecure or not properly configured with security in mind. Use the leverage provided by multiple frameworks such as CIS Benchmarks or NIST NCP to find out if your organization needs to augment or adjust any baselines to become better aligned with the policies your...

Can you imagine a modern working world without Software-as-a-Service (SaaS) applications? Productivity, communication, and project management solutions have transformed the modern workplace, enabling hybrid and remote working, helping to cut costs, and offering unprecedented opportunities for collaboration and innovation. Without them, the business world would grind to a halt.But these...

Security Operations Center (SOC) analysts have it rough. Modern security tools generate an extraordinary number of alerts, attackers are more sophisticated than ever, and IT infrastructures are unprecedentedly complex. As a result, analysts are overwhelmed with workload and alerts, making it near-impossible to make intelligent, informed decisions. Fortunately, artificial intelligence (AI) is...

Recently, I looked at Microsoft’s assigned CVSS v3.1 scores for Patch Tuesday vulnerabilities alongside the Microsoft assigned severity ratings. I wanted to revisit these numbers and see just how closely CVSS aligns with Microsoft’s opinion of severity.Disclaimer: I’m aware that CVSS v4.0 exists. However, Microsoft has not yet adopted it, and I wanted an apples-to-apples comparison.What Is CVSS v3...