Category Archives: Editor’s Choice

Expand vulnerability and risk management programs to eliminate security misconfigurations

In this podcast recorded at RSA Conference 2018, Tim White, Director of Product Management, Policy Compliance at Qualys, discusses how expanding vulnerability and risk management programs can eliminate security misconfigurations. Many don’t realize misconfigurations can be exploited just as easily as a vulnerable piece of software to result in compromise. Here’s a transcript of the podcast for your convenience. Hi, my name is Tim White with Qualys. I am the Director of Product Management for … More

The post Expand vulnerability and risk management programs to eliminate security misconfigurations appeared first on Help Net Security.

GDPR: It’s an issue of transparency

The General Data Protection Regulation (GDPR) has been on the lips of security professionals for a long time now – but in just over a month, it will become a reality. While it is easy to get stuck with reviewing the potential fines or setting up efficient security procedures to ensure compliance, many are still overlooking what is at the heart of the regulation: transparency. Getting the bigger picture It goes without saying that transparency … More

The post GDPR: It’s an issue of transparency appeared first on Help Net Security.

Your Android phone says it’s fully patched, but is it?

How do fully-maintained (i.e., patched) Android phones end up getting exploited? Searching for an answer to that question spurred security researchers to analyze thousands of Android firmwares for the presence of hundreds of patches. Their research led to an unwelcome discovery: most Android vendors regularly forget to include some patches in the security updates provided to users. The research Security Research Labs researchers Jakob Lell and Karsten Nohl explained how they went about making the … More

The post Your Android phone says it’s fully patched, but is it? appeared first on Help Net Security.

Real-time detection of consumer IoT devices participating in DDoS attacks

Could we detect compromised consumer IoT devices participating in a DDoS attack in real-time and do someting about it? A group of researchers Princeton University have presented some encouraging results showing that the first part of that equation can be relatively easily solved. As IoT traffic is often distinct from that of other Internet connected devices and as machine learning has proved promising for identifying malicious Internet traffic, they decided to use these facts to … More

The post Real-time detection of consumer IoT devices participating in DDoS attacks appeared first on Help Net Security.

What’s your security story? How to use security as a sales tool

Positioning security as a value-add to the business rather than a necessary evil is a challenge for many organizations. Since the dawn of enterprise computing, information security has generally been seen as a purely technical function. Did the new two-factor authentication setting lock the sales team out of the system in the middle of a demo? Too bad. The “S” in “IS” is for security, not sales. Security teams often believe that their job is … More

The post What’s your security story? How to use security as a sales tool appeared first on Help Net Security.

Key obstacles in enterprise security budgeting

IANS released its latest findings on budget-related best practices for information security leaders to consistently command the budget and resources they need. “It’s part of the CISO’s job to transition from unsupported to being fully supported, but that can only be done when the stage has been properly set within an organization,” said Doug Graham, CSO at Nuance Communications. “This research report from IANS goes beyond the numbers and uncovers some of the underlying and … More

The post Key obstacles in enterprise security budgeting appeared first on Help Net Security.

How security researchers deal with risks stemming from their activities

Broad and inconsistent interpretations of behind the times laws, new anti-infosec legislation, lawsuits and criminal prosecutions are having a chilling effect on security research. It’s difficult to quantify the effect, but Joseph Lorenzo Hall and Stan Adams of the US-based non-profit Center for Democracy & Technology have attempted to reveal the worries and choices of security researchers in the current climate by interviewing twenty of them. “We used a qualitative methods research design to understand … More

The post How security researchers deal with risks stemming from their activities appeared first on Help Net Security.

The eternal struggle: Security versus users

There’s an old joke that a job in security is a safe place to be grumpy. From what I’ve seen over my career, that is often true. Security people seem to cherish their reputation for being pessimistic and untrusting. Some take it further and cast their disdain upon the users, who obviously need to be protected from themselves. (As a side note, my mom always hated when we computer folk referred to their customers as … More

The post The eternal struggle: Security versus users appeared first on Help Net Security.

ShifLeft: Fully automated runtime security solution for cloud applications

When talking about data loss prevention, the first thing that comes to mind are solutions aimed at stopping users from moving sensitive documents/data out of a network. But there is a different type of data loss that app developers should be conscious and worry about: cloud applications inadvertently sending critical data to unencrypted/public databases/services. Fuelled by the adoption of microservices and short software development cycles, this is the fastest growing problem in application security today. … More

The post ShifLeft: Fully automated runtime security solution for cloud applications appeared first on Help Net Security.

Are there too many cybersecurity companies?

The most potent global threat in 2018 may not be armed conflict or civil unrest, but cybersecurity. While cybersecurity awareness has increased with high profile breaches in recent years, the core problem remains of how industries can protect themselves and their customers when so much of our interaction has gone digital. Here are some predictions for the challenges companies may face in 2018: There are too many security vendors, and many of them will go … More

The post Are there too many cybersecurity companies? appeared first on Help Net Security.

Using deception to gain enterprise IoT attack visibility

The main lessons from attacks against Internet of Things (IoT) devices are to change default usernames and passwords, use longer passphrases to avoid brute force attacks, and make sure devices have enough memory for firmware and kernel updates to remove vulnerabilities or service backdoors, plus implement strong encryption for communications. Also, having IoT devices connected to standard PC platforms is not advised given endpoints are often the foothold in most attacks. Case in point with … More

The post Using deception to gain enterprise IoT attack visibility appeared first on Help Net Security.

Hacking intelligent buildings using KNX and Zigbee networks

A great many of us are living, staying or working in “smart” buildings, relying on automated processes to control things like heating, ventilation, air conditioning, lighting, security and other operation systems. We expect those systems to work without a glitch and withstand attacks but, unfortunately, the security of these systems is still far from perfect. A group of researchers from Tencent Security Platform is getting ready to demonstrate just how imperfect it is at the … More

The post Hacking intelligent buildings using KNX and Zigbee networks appeared first on Help Net Security.

Do you have what it takes to withstand modern DDoS attacks?

As the latest record DDoS attack hit GitHub and threatened to overwhelm its edge network, the popular Git-repository hosting service quickly switched to routing the attack traffic to their DDoS mitigation service. In the end, GitHub ended up completely unavailable for five minutes and intermittently unavailable for four. But while the effect of the attack could have been worse, GitHub’s engineering team aims to do better next time they are hit. Robert Hamilton, Director of … More

The post Do you have what it takes to withstand modern DDoS attacks? appeared first on Help Net Security.

How Facebook’s data issue is a lesson for everyone

The headlines have been dominated by the recent news around Facebook, Cambridge Analytica and the misuse of customer data. The impact of these revelations has led to millions being wiped off Facebook’s share price and an ongoing investigation into the incident. With just two months left until the General Data Protection Regulation (GDPR) comes into effect, this scandal could not be timelier. The ongoing discussions around Facebook’s use of customer data are a clear reminder … More

The post How Facebook’s data issue is a lesson for everyone appeared first on Help Net Security.

RSA Conference 2018 USA: What you can expect at this year’s event

With RSA Conference 2018 USA less than a month away, we asked Britta Glade, Director, Content and Curation for RSA Conference, to tell us more about this year’s event. Read on to find out what’s in store for the world’s largest gathering of information security professionals. What have been the major security developments in the past year, and how have these informed the conference agenda for 2018? Where to begin? 2017 showed us just how … More

The post RSA Conference 2018 USA: What you can expect at this year’s event appeared first on Help Net Security.

Excessive alerts, outdated metrics, lead to over-taxed security operations centers

A new study, conducted by 360Velocity and Dr. Chenxi Wang, found that excessive alerts, outdated metrics, and limited integration lead to over-taxed security operations centers (SOCs). SOCs are overwhelmed The study was conducted over the span of three months, interviewing security practitioners from enterprise companies in a cross-section of industries: Software-as-a-Service (SaaS), retail, financial services, healthcare, consumer services, and high tech. As the threat landscape changes and enterprises move to adopt additional layers of defensive … More

The post Excessive alerts, outdated metrics, lead to over-taxed security operations centers appeared first on Help Net Security.