In the last few days, I have seen multiple articles on ransomware in my news feeds (including a shameless reference back to our own post on The State of Security). As I read these, it occurred to me that there is an ironic similarity between these schemes and legitimate companies. The criminals running these malware and ransomware schemes have to be...

There are important security lessons for CEOs following the embarrassing revelation that a teenager hacked into the personal email accounts of CIA Director John Brennan and Homeland Security Secretary Jeh Johnson. This isn't the first nor will it be the last time that people hack into accounts using a variety of techniques; it illustrates the...

Today’s VERT Alert addresses 12 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-643 on Wednesday, November 11th. Ease of Use (published exploits) to Risk Table Automated Exploit Easy ...

For decades, the field of computer security has evolved as a cat-and-mouse game between security researchers and malware authors. When the former devises new methods to detect malicious programs, the latter incorporates into their software dormant functionality scenarios and a variety of other evasive techniques – four of which are now particularly...

Just last week, police forces across Europe arrested individuals who they believed had been using the notorious DroidJack malware to spy on Android users. Now attention has been turned on to another piece of software that can spy on communications, secretly record conversations, snoop on browsing histories and take complete control of a remote...

A blind spot is defined as “an area where a person's view is obstructed.” As a longstanding professional in the industry, seeing the rhetoric change over the years, from Information Security, through Information Assurance and now to “cyber security,” what is occurring is the creation of a significant and worrying blind spot. Sadly, what people...

British Gas has emailed approximately 2,200 customers urging them to change their passwords after their login credentials were posted online. According to The Guardian, the account details were posted to the online text-sharing service Pastebin and, if accessed, could have allowed an attacker to view the names, addresses, and previous energy bills...

We are very proud to announce the release of Version 6 of the Center for Internet Security Critical Security Controls for Effective Cyber Defense. This is a set of security practices developed and supported by a large volunteer community of cybersecurity experts. Based on an ongoing analysis of attacks, vulnerabilities and defensive options, the CIS...

Although associating with third parties and outsourcing certain processes provides many benefits – from reducing costs to leveraging their expertise – many organisations choose to overlook the security risks accompanying these benefits. According to a recent survey conducted by Tripwire at the IP EXPO Europe in London earlier this month, 63 percent of...

Defensible and defended are not the same thing. There are characteristics of an environment that make it more or less defensible. While IT and OT environments both have some mixed results, in general, OT environments are more defensible than IT environments. My hypothesis, as a reminder, is that a more defensible network is one in which currently...

In continuing our VERT Vuln School series on SQL Injection vulnerabilities, we’re going to take a look at how attackers can leverage this vulnerability to steal and exfilitrate data. Once we views bob’s account balance page, we notice that there’s another input-field that might be of interest, the...

A new report reveals that cyber insurance premiums are on the rise in response to a growing number of high-profile hacks and breaches. According to Timetric's Insight Report: The Future of Cyber Risk Insurance, insurers are raising the deductibles on existing companies' information security policies, whereas others are limiting the amount of...

This October marks another iteration of National Cyber Security Awareness Month (NCSAM), a program designed to engage both the public and private sectors on good security practices via activities that encourage awareness and resiliency in the event of a national cyber incident. Sponsored by the Department of Homeland Security (DHS) in cooperation...

On Tuesday, the European Court of Justice ruled the 'safe harbor' data transfer agreement between the United States and the European Union invalid. According to BBC News, the United States and the EU adopted the 'safe harbor' framework back in 2000 in order to provide a "streamlined and cost-effective" means of transferring data from Europe to U.S....

SQL injection is arguably the most severe problem web applications face. OWASP, an online community devoted to web application security, consistently classifies injection vulnerabilities as number one on their OWASP Top 10 Project. SQL injection vulnerabilities are a favorite amongst a number of “hactivist” groups whose aim is to cause disruption in...

What a whirlwind the past few months have been for data security, breaches and hacking events. From the Wyndham v. FTC ruling to yet another breach by a BCBS affiliate, there is increasing pressure across the information security industry to push organizations to perform those pesky security risk assessments touted by the National Institute of...

Banks have another security headache on their hands, as ATM-infecting malware is becoming increasingly sophisticated in its attempt to help criminals audaciously empty out cash machines on the high street on demand, without having to have previously stolen the payment cards of legitimate customers. Dubbed GreenDispenser by researchers at Proofpoint,...

The United States Navy has announced it is currently working on developing a new system aimed at protecting its ships from pervasive Internet attacks, often leading to network spying and confidential data theft. Codenamed the Resilient Hull, Mechanical, and Electrical Security (RHIMES) system, the Office of Naval Research (ONR) revealed the enhanced...

Today, enterprises must grapple with a panoply of numerous and highly sophisticated threats. In response to this dangerous landscape, it is no wonder that businesses are increasingly turning to security dashboards – a powerful communication vehicle for all information security professionals. An effective security dashboard provides personnel,...

Earlier this week, a U.S. judge ruled that banks can proceed with a class action suit filed against Target for a data breach that occurred in 2013. A U.S. District Court judge in St. Paul Minnesota affirmed Target's negligence in the data hack, which compromised upwards of 40 million credit cards. This decision enables the $5 million class action to...