Boards of directors need to maintain an appropriate level of cyber expertise, incidents must be reported within 72 hours after determination, and all ransom payments made must be reported within a day. Those are just some of the changes made by The New York State Department of Financial Services to its Cybersecurity Requirements for Financial Services (23 NYCRR 500) , effective November 1, 2023...

Today’s VERT Alert addresses Microsoft’s November 2023 Security Updates . VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1082 on Wednesday, November 15th. In-The-Wild & Disclosed CVEs CVE-2023-36033 A vulnerability in the Microsoft Desktop Window Manager (DWM) could allow an attacker to gain SYSTEM level privileges. This vulnerability has been publicly...

What's the deal with CherryBlos? CherryBlos is a rather interesting family of Android malware that can plunder your cryptocurrency accounts - with a little help from your photos. Wait. I've heard of hackers stealing photos before, but what do you mean by malware stealing cryptocurrency via my photos? How does it do that? Well, imagine you have sensitive information - such as details related to...

The heat has just been turned up for companies hoping to “hide out” a data breach. Announced October 27th, all non-banking financial institutions are now required to report data breach incidents within 30 days. The amendment to the Safeguards Rule was made by the U.S. Federal Trade Commission (FTC). It will go into effect 180 days after publication of the law in the Federal Register, or around...

Tripwire's October 2023 Patch Priority Index (PPI) brings together important vulnerabilities for Microsoft. First on the patch priority is a patch for Microsoft Edge (Chromium-based) that resolves a type confusion vulnerability. Next on the patch priority list this month are patches for Microsoft Office that resolve 3 elevation of privilege vulnerabilities. Next are patches that affect components...

Containers offer a streamlined application deployment and management approach. Thanks to their efficiency and portability, platforms like Docker and Kubernetes have become household names in the tech industry. However, a misconception lurks in the shadows as containers gain popularity - the belief that active vulnerability scanning becomes redundant once containers are implemented. This blog will...

In the world of cybersecurity, insider threats remain a potent and often underestimated danger. These threats can emanate not only from malicious actors within an organization but also from well-intentioned employees who inadvertently compromise security with a mis-click or other unwitting action. Having spent many years in system administrator-type roles, I'm actually surprised at how easy it...

Plastic surgeries across the United States have been issued a warning that they are being targeted by cybercriminals in plots designed to steal sensitive data including patients' medical records and photographs that will be later used for extortion. The warning , which was issued by the FBI yesterday and is directed towards plastic surgery offices and patients, advises that extortionists have been...

Today’s VERT Alert addresses Microsoft’s October 2023 Security Updates , which includes a recently introduced release notes format. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1077 on Wednesday, October 11th. In-The-Wild & Disclosed CVEs CVE-2023-41763 While this vulnerability is labeled as a Skype for Business Elevation of Privilege Vulnerability, the...

Compliance and security often go hand in hand as ideas that attempt to protect against cyber threats. While both compliance and security are designed to lower risk, they are not mutually inclusive—that is, not everything that is required for compliance will necessarily help with security, and not everything that bolsters security will necessarily put you in compliance. Both are vital to...

Tripwire's September 2023 Patch Priority Index (PPI) brings together important vulnerabilities for Microsoft. First on the patch priority are patches for Microsoft Edge (Chromium-based) that resolve 5 vulnerabilities such as out of bounds memory access, type confusion, and use after free. Next on the patch priority list this month are patches for Microsoft Office, Excel, Word, and Outlook. The...

While always a part of business, compliance demands have skyrocketed as the digital world gives us so many more ways to go awry. We all remember the Enron scandal that precipitated the Sarbanes-Oxley Act (SOX). Now, SOX compliance means being above board on a number of cybersecurity requirements as well. Fortra's Tripwire recently released a new guide: How Managed Services Can Help with...

Electric grids are part of every nation’s critical infrastructure. Every societal activity and business depends on reliable and safe electricity distribution. The US electric grid is a huge network of powerlines, distribution hubs, and renewable and non-renewable energy generators that is increasingly exposed to cyber-physical risks due to the accelerated reliance on cyber-enabled systems and IoT...

The evolution of the cyber threat landscape highlights the need for organizations to strengthen their ability to identify, analyze, and evaluate cyber risks before they evolve into security incidents. Known unpatched vulnerabilities are often exploited by criminals to penetrate Industrial Control Systems (ICS) environments and disrupt critical operations. Although the terms “patch management” and...

The importance of cybersecurity is no secret in our increasingly digital world. Even individuals who have no experience or expertise in tech or related fields are aware of the threat of hacking, phishing, and the like. It can be difficult, however, to actually quantify the risks of being targeted by these attacks. Keeping track of the trends in cyberthreats, the different attackers and types of...

The then-new 2014 NIST Cybersecurity Framework (CSF) was designed to plug security gaps in operational technology. It’s still in use today and more relevant than ever. Fortra’s whitepaper provides a cohesive review of this security staple and how to glean the best out of it for your strategy. A Brief History of NIST CSF “The full maximum NIST Cybersecurity Framework is about as big an umbrella as...

In July 2021, the White House established a voluntary initiative for industrial control systems (ICS) to promote cooperation between the critical infrastructure community and the federal government. The fundamental purpose of the initiative was “to defend the nation’s critical infrastructure community by encouraging and facilitating the deployment of technologies and systems that provide threat...

When building a tower, it helps to start with a sturdy foundation. Cyber maturity is the tower, and there are three levels that build it: Foundational IT/OT & Security Control Processes Fundamental Security Control Capabilities Advanced Security Control Capabilities Fortra occupies a unique space in the industry because of the sheer size of the security portfolio. It’s one thing to advocate for...

Do you remember where you were on 25th May 2018? Perhaps you were enjoying a Friday night drink with friends. Perhaps you were with family, relaxing after a busy week at work. I was actually having a GDPR Birthday party with friends and colleagues because 25th May 2018 was a landmark day for the world of Data Protection (yes, seriously, we had a party!). But the funny thing about the effective...

Non-compliance in cybersecurity marks a grave oversight. It involves neglecting established security protocols, leaving organizations vulnerable to malicious actors. Read on as we examine the potential risks of non-compliance, including heightened susceptibility to cyberattacks, the specter of data breaches, and the erosion of a company's hard-earned reputation. Risks of Non-Compliance Non...