Blog

Book Review: The Art of Invisibility by Kevin Mitnick

I was fortunate enough to meet the author, Kevin Mitnick, while attending RSA in February. I was given a signed copy of The Art of Invisibility, one of The State Security's must-reads for infosec pros, so I made it a point to read the book. I knew a bit about Kevin’s past and had seen a few of his DEF CON talks, so I had a general idea as to the...

U2F: Next Generation 2-Factor Authentication

Brute force attacks are mitigated by using 2-factor authentication, which comes in many forms, such as time-based tokens, SMS and push authentication using a cell phone. A new contender has emerged: Universal 2nd factor or U2F. U2F is an authentication standard sponsored by the FIDO Alliance, whose members include the technology industry’s top...

VM: Protecting Known Assets against Known Vulnerabilities

Two security controls, file integrity monitoring (FIM) and security configuration management (SCM), help organizations manage change. The former monitors for unauthorized changes to a system's state, whereas the latter looks for configuration changes that introduce security risk. Both components are crucial to a company's strategy for defending...

Moving Beyond Network Security to a Data-Centric Approach

In my last post, I briefly summarized the evolution of network security. I will now discuss how network security strategies are no longer meeting the needs of organizations' increasingly complex IT environments. A Different Strategy Technological innovation has changed the nature of the network itself. No longer are employees limited to their...

The Sackcloth & Ashes of WordPress Security

This is my first blog in an ongoing “It’s Not Rocket Science” series featuring articles on information security. "Security is not an absolute, it's a continuous process and should be managed as such. Security is about risk reduction, not risk elimination, and risk will never be zero. It's about employing the appropriate security controls that best...

5 Lessons Lock Picking Can Teach You About Cyber Security

Security is a complex and connected web. Though there are many different categories within the all-encompassing field of security, there are still certain lessons that translate across the disciplines. Physical security can largely be seen as a manifestation of the ethereal elements of cyber security. Both the digital and the physical worlds of...

Bringing Clarity to Really Really Big Data: A Case for AI and Machine Learning to Help Crunch and Protect Our Data

It's funny how kids have an affinity for toys we enjoyed as kids – like Legos. They will spend hours creating the biggest “thing,” often leading to a parent’s near universal response, “Johnny! That is the biggest tower I have ever seen! Great job!” Children (and we) love Legos because they foster imagination, offering a limitless way to create...

Wireless Routers: First Line of Defense

Almost everything you read or hear about routers includes a sentence or two about router security. The focus is generally on this essential piece of hardware as the first line of defense in an internet-connected world. Many medium-sized companies and large corporations take this into account when they purchase and set up their network infrastructure...

Is Security Ready for the Next 20 Years of Technology?

It doesn’t seem that long ago that we didn’t have online access to many of our utility, banking, and/or even shopping accounts. I was fortunate enough to be part of a revolutionary project at a university in southern England back in 1988, where accessing the internet was using a 1200 baud modem, a terminal emulator connecting via a mainframe that...

4 Best Practices for Improving Your Organization's Supply Chain Security

Digital attackers have many different strategies for infiltrating a target organization. That even goes for companies with robust perimeter defenses. Bad actors simply need to find a soft target they can exploit. Oftentimes, they find what they're looking for along a target's supply chain. We can best understand the supply chain as a network of...

And You Thought You Have Seen It All . . . and Why the IoT Needs Us

One might think that the security industry is beefing up its message with profanity and far-fetched stories, and you may regard all of it – to an extent – as scare mongering. The latest attack on the smart "HUE Light Bulbs" by Philips puts these views to rest, I hope. Apparently, modern smart light bulbs are equipped with secure communication...

The Next Wave for Cybersecurity Awareness

The annual RSA Conference is a lot of things to a lot of people (43,000 this year!). For me, it’s become an annual opportunity to step out of the stream and to look back at what has happened in the last year and peer forward at what’s to come. This year, I think we have reached an inflection point around the way we as a profession treat the “human...

A Primer on GDPR: What You Should Know

What is GDPR, when is it coming, and what steps should you take to comply? If you’ve been following the information security news or Twitter feeds, then you’ve no doubt seen the increase in traffic around the General Data Protection Regulation (GDPR). And there’s a good chance you’ve been ignoring it, as well. It’s time to pay attention, for GDPR is...

New Research Highlights Top Cyber-Attack Concerns for 2017

With such a lively 2016 for infosec – mega-breaches, new malware strains, inventive phishing techniques, and big debates between security and privacy – there’s plenty of reason to pause and consider what the security community should be most concerned about for 2017 and what they can do to prepare. http://www.slideshare.net/Tripwire/tripwire-survey...