Blog

VERT Threat Alert: May 2017 Patch Tuesday Analysis

Today’s VERT Alert addresses the Microsoft May 2017 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-724 on Wednesday, May 10th. In-The-Wild & Disclosed CVEs: CVE-2017-0290. Also known as Microsoft Security Advisory 4022344, this is a code execution in the Microsoft Malware Protection Engine...

Situational Awareness: Beware of Your Cyber Surroundings

In previous articles on understanding big data, the need for AI, using encryption and tokenization (including the drawbacks of encryption), and the series on human vulnerabilities, we laid down just some of the building blocks necessary to create a robust cybersecurity strategy. Yet there is a larger problem we often experience: losing the trees for...

How to Build a Secure WordPress Environment

In Part 1 of this series, we covered how easy it is for any novice to set up a self-hosted WordPress site and how quickly security can fall between the cracks. In this blog post, I will share with you what to look for in a Webhost provider, how to secure and harden WordPress, and what often-overlooked items you should watch out for during this...

April 2017: The Month in Ransomware

Online extortionists took their attacks to a whole new level last month. They brought the infamous Locky monster back to life after more than three months of hiatus. The architects of the Jigsaw ransomware campaign were busier than ever, contriving seven new variants of their plague. The Hidden Tear, EDA2, and CryptoWire proof-of-concept ransomware...

Building on a Solid Foundation: Future-Proof your IT Environment

In today's expanding world of digital security threats, some truths are self-evident. Information security professionals must understand: that change happens; that protecting customers and preventing unnecessary downtime is both a financial and moral imperative; that we can only collect intelligence on things that we monitor; that we must...

100 Days in Office: President Trump on Digital Security

April 29, 2017, marked Donald Trump's 100th day in office as President of the United States. Since his inauguration on January 20, President Trump has fulfilled his campaign promises of nominating a conservative judge to the Supreme Court and withdrawing the United States from the Trans-Pacific Partnership. But he has yet to meet some of his other...

Foundational Controls Work - A 2017 DBIR Review

When the 2017 Verizon Data Breach Investigations Report (DBIR) came out last week, I read through it like I do every year. Each time I go through the report, I challenge myself to find something new and interesting. This year, I was intrigued by the "Things to consider" and "Areas of focus" at the end of each section. These two blurbs gave tips on...

Bug Bounties: An Overview of Their Past, Present, and Future

Bug bounties, security acknowledgements and reward programs all have strong ties to IT security today. But that wasn't always the case. In the past, public penetration testers and security researchers mostly looked out for their personal benefit without recognizing their own responsibility to the security community. The reason? In a lot of cases,...

Making Sense of the General Data Protection Regulation (GDPR)

The upcoming GDPR compliance deadline of May 2018 affects any organization across the world that collects, processes, or stores data on citizens of the European Union. The intent behind the GDPR is to better protect the privacy of EU citizens, and the mechanism to do so is through harmonizing the existing data privacy laws across Europe. “The six...

Disclosing Zero Days

Governments ought to disclose zero-day vulnerabilities and begin to collaborate to make digital disarmament more than just ‘a thing.’ The case for these policy changes is becoming increasingly clear as new public debates begin to take shape around online privacy, trust and the prevention of cyber conflict. However, much work lies ahead in correctly...

The Human Factor: Technology Changes Faster Than Humans

The title of this piece is quite obvious, but it is also an unappreciated fact. Consider for a moment the change we have seen over the last 30 years: access to cyberspace was scarce, often limited to enterprise users such as governments, educational institutions and the largest corporations, whereas today, there are billions of users that treat the...

The Human Factor: Cybersecurity’s Forgotten Conversation

In any conflict, humans are impacted. In conflict, the best scenario is that the individual leaves unscathed and perhaps even unaware of what could have been their misfortune, whereas in the worst of cases – such as kinetic warfare – the impact can be the ultimate price: loss of life. There is also a cruel truth of conflict that often gets looked...

VERT Threat Alert: April 2017 Patch Tuesday Analysis

Today’s VERT Alert addresses the Microsoft April 2017 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-720 on Wednesday, April 12th. With the elimination of Security Bulletins, the VERT Alert will be changing. This shortened version will act as a placeholder until the launch of the improved...

Foundational Controls for Common Attack Types

In January 2017, Tripwire completed a survey of 403 IT Security professionals about the most common attack types and how prepared organizations are to defend against them. You can read about the details here. There are two important conclusions from the research that I have to share for the purposes of this post. First, the top five attack types from...

Encryption Works Great, But Only When Done Right

In an article we wrote for Tripwire, we discuss the advantages of encryption and tokenization. The premise of our argument is as follows: slow down your adversary by making your data meaningless to them. In other words, make yourself a “goes nowhere” project forcing your adversary to seek out a target that does not cause them the grief you do....

Make Yourself a "Goes Nowhere" Project for Adversaries

Before we jump in, we need to make clear the following: no single solution will ever offer complete and total security. In fact, even multiple solutions designed to provide overlapping layers of security to your crown jewels will not provide “complete and total” security. But what any reasonably implemented solution should do is the following: slow...