Category Archives: Expert Analysis

Looking at the future of identity access management (IAM)

Here we are: at the beginning of a new year and the start of another decade. In many ways, technology is exceeding what we expected by 2020, and in other ways, well, it is lacking. Back to the Future made us think we would all be using hoverboards, wearing self-drying and fitting jackets, and getting to and from the grocery store in flying cars by Oct. 21, 2015. Hanna-Barbera promised us a cutting-edge, underwater research … More

The post Looking at the future of identity access management (IAM) appeared first on Help Net Security.

Are CISOs ready for zero trust architectures?

Zero trust is a concept that is gaining an increasingly large and dedicated following, but it may mean different things to different audiences, so let’s start with a definition. I refer to an excellent post by my friend Lee Newcombe and I agree with his definition of zero trust: “Every request to access a resource starts from a position of zero trust. Access decisions are then made and enforced based on a set of trust … More

The post Are CISOs ready for zero trust architectures? appeared first on Help Net Security.

The top four Office 365 security pain points

Many novice Office 365 (O365) shops do not know where platform-specific security vulnerabilities lie, or even that they exist. The threats that you are unaware exist do not cause pain until they rise up and bite – then the agony is fierce. Companies get themselves into trouble when they do not fully understand the way data moves through O365 or they apply on-premise security practices to their cloud strategy. While the O365 platform comes with … More

The post The top four Office 365 security pain points appeared first on Help Net Security.

Three API security risks in the wake of the Facebook breach

Facebook recently pledged to improve its security following a lawsuit that resulted from a 2018 data breach. The breach, which was left open for more than 20 months, resulted in the theft of 30 million authentication tokens and almost as much personally identifiable information. A “View As” feature that enabled developers to render user pages also let attackers obtain the user’s access token. The theft of access token represents a major API security risk moving … More

The post Three API security risks in the wake of the Facebook breach appeared first on Help Net Security.

Take your SOC to the next level of effectiveness

Enterprise security infrastructures average 80 security products, creating security sprawl and a big management challenge for SOC teams. With high volumes of data generated from security controls across the infrastructure, SOC teams often rely on Security Information and Event Management (SIEM) solutions to aggregate data and deliver insight into events and alerts. Similarly, Security Orchestration, Automation and Response (SOAR) platforms can take the results and automate them into action. However, the business needs to know … More

The post Take your SOC to the next level of effectiveness appeared first on Help Net Security.

Emotet: Crimeware you need to be aware of

According to the U.S. Department of Homeland Security, Emotet continues to be among the most costly and destructive malware threats affecting state, local, and territorial governments and its impact is felt across both the private and public sectors. First identified as a banking Trojan in 2014 by Trend Micro, Emotet is often downplayed by network defenders as “commodity malware” or “crimeware”. The evolution of both the malware and the criminal network behind it continue to … More

The post Emotet: Crimeware you need to be aware of appeared first on Help Net Security.

Cybersecurity is a board level issue: 3 CISOs tell why

As a venture capital investor who was previously a Chief Information Security Officer, I have noticed an interesting phenomenon: although cybersecurity makes the news often and is top of mind for consumers and business customers, it doesn’t always get the attention it deserves by the board of directors. Misconceptions and knowledge gaps increase this distance between security and oversight. How can boards dive deeper into the world of security and overcome the entry barriers to … More

The post Cybersecurity is a board level issue: 3 CISOs tell why appeared first on Help Net Security.

5 tips for acquiring cyber talent in 2020

Cybersecurity is facing a recruitment crisis. There are currently 2.8 million professionals working in the field – far from sufficient given the ever-expanding cyber threat landscape. To meet the market’s true needs, ISC2 believes the cybersecurity workforce will need to more than double. Companies have a number of options to overcome the cyber talent crunch, including integrating external providers who can provide specialist support. For those looking to boost recruitment in the new year, here … More

The post 5 tips for acquiring cyber talent in 2020 appeared first on Help Net Security.

What the government infosec landscape will look this year

The information security landscape seems to evolve at a faster clip each year. The deluge of ever-changing threats, attack techniques and new breaches making headlines can be challenging to track and assess. That’s why each year the WatchGuard Threat Lab takes a step back to assess the world of cyber security and develop a series of predictions for what emerging trends will have the biggest impact. Following the worldwide controversy over hacking that influenced the … More

The post What the government infosec landscape will look this year appeared first on Help Net Security.

February 2020 Patch Tuesday forecast: A lot of love coming our way

The January 2020 Patch Tuesday was a light one as predicted; everyone was still catching up from the end-of-year holidays. As we gain momentum into February and move towards Valentine’s Day, I anticipate Microsoft, and at least Mozilla, will give plenty of love and attention to their applications and operating systems. LDAP Microsoft had announced back in August with Advisory 190023 that they were planning several updates to their implementation of the Lightweight Directory Access … More

The post February 2020 Patch Tuesday forecast: A lot of love coming our way appeared first on Help Net Security.

The Goldilocks principle for zero trust fraud prevention

According to Wikipedia, “zero trust is an information security framework which states that organizations should not trust any entity inside or outside of their perimeter at any time.” In the Identity and Access Management (IAM) world, zero trust is all the buzz. If you are in enterprise security, you are being bombarded with the phrase at conferences and from marketing materials. It’s inescapable. Having recently received just such a bombardment at one of the larger … More

The post The Goldilocks principle for zero trust fraud prevention appeared first on Help Net Security.

How CISOs can justify cybersecurity purchases

Sometimes a disaster strikes: ransomware encrypts critical files, adversaries steal sensitive data, a business application is compromised with a backdoor… This is the stuff that CISOs’ nightmares are made of. As devastating as such incidents can be, for the short time after they occur, the enterprise usually empowers the CISO to implement security measures that he or she didn’t get funding for earlier. Of course, waiting for disastrous events is a reckless and unproductive way … More

The post How CISOs can justify cybersecurity purchases appeared first on Help Net Security.

Three principles regarding encryption you need to keep in mind

Encryption is a popular topic among security professionals and occasionally a polarizing one. Plenty of misconceptions surround the process, and these often skew the way people perceive its complexity. For instance, we’ve encountered many IT and business leaders who assume that because they can’t encrypt one piece of important information (e.g., the birth date of a contact), it’s not worth encrypting any information at all. This is a ridiculous logical leap, but it’s not uncommon. … More

The post Three principles regarding encryption you need to keep in mind appeared first on Help Net Security.

How to prioritize IT security projects

If you’re an IT security professional, you’re almost certainly familiar with that sinking feeling you experience when presented with an overwhelming number of security issues to remediate. It’s enough to make you throw your hands up and wonder where to even begin. This is the crux of the problem that develops in the absence of effective security prioritization. If you aren’t prioritizing cybersecurity risks effectively, you’re not only creating a lot of extra work for … More

The post How to prioritize IT security projects appeared first on Help Net Security.

2020: A year of deepfakes and deep deception

Over the past year, deepfakes, a machine learning model that is used to create realistic yet fake or manipulated audio and video, started making headlines as a major emerging cyber threat. The first examples of deepfakes seen by the general public were mainly amateur videos created using free deepfake tools, typically of celebrities’ faces superimposed into pornographic videos. Even though these videos were of fairly low quality and could be reasonably distinguished as illegitimate, people … More

The post 2020: A year of deepfakes and deep deception appeared first on Help Net Security.

Data breach: Why it’s time to adopt a risk-based approach to cybersecurity

The recent high-profile ransomware attack on foreign currency exchange specialist Travelex highlights the devastating results of a targeted cyber-attack. In the weeks following the initial attack, Travelex struggled to bring its customer-facing systems back online. Worse still, despite Travelex’s assurances that no customer data had been compromised, hackers were demanding $6 million for 5GB of sensitive customer information they claim to have downloaded. Providing services to some of the world’s largest banking corporations including HSBC, … More

The post Data breach: Why it’s time to adopt a risk-based approach to cybersecurity appeared first on Help Net Security.

You can upgrade Windows 7 for free! Why wouldn’t you?

“Doomsday is here! The sky is falling! Windows 7 is out of support and all hell will break loose!” – or, at least, that’s what some cybersecurity experts and press outlets want you to think. In this article, I will offer some advice to businesses of all sizes that may need to continue using Windows 7, while understanding the risk. This is my opinion and should be taken as advice only. Every company is different, … More

The post You can upgrade Windows 7 for free! Why wouldn’t you? appeared first on Help Net Security.

Lessons from Microsoft’s 250 million data record exposure

Microsoft has one of the best security teams and capabilities of any organization in the technology industry, yet it accidentally exposed 250 million customer records in December 2019. The data was accessible to anyone with a browser, who knew the server location, for about a month in total before an external researcher detected the problem. The database held records of customer support engagements dating back to 2005. Once alerted, Microsoft quickly closed the hole, investigated … More

The post Lessons from Microsoft’s 250 million data record exposure appeared first on Help Net Security.

CISOs: Make 2020 the year you focus on third-party cyber risk

While cybersecurity professionals are certainly aware of the growing threat posed by sharing data with third parties, many seem to lack the urgency required to address this challenge. If there is one work-related New Year’s resolution I’d like CISOs to make as we enter 2020, it’s to give the challenge of third-party cyber risk the attention it needs. In fact, I no longer see this as optional or as an extension of an enterprise risk … More

The post CISOs: Make 2020 the year you focus on third-party cyber risk appeared first on Help Net Security.

Zero Trust: Beyond access controls

As the Zero Trust approach to cybersecurity gains traction in the enterprise world, many people have come to recognize the term without fully understanding its meaning. One common misconception: Zero Trust is all about access controls and additional authentication, such as multi-factor authentication. While these two things help organizations get to a level of Zero Trust, there is more to it: a Zero Trust approach is really an organization-wide architecture. Things aren’t always as they … More

The post Zero Trust: Beyond access controls appeared first on Help Net Security.

There is no easy fix to AI privacy problems

Artificial intelligence – more specifically, the machine learning (ML) subset of AI – has a number of privacy problems. Not only does ML require vast amounts of data for the training process, but the derived system is also provided with access to even greater volumes of data as part of the inference processing while in operation. These AI systems need to access and “consume” huge amounts of data in order to exist and, in many … More

The post There is no easy fix to AI privacy problems appeared first on Help Net Security.

Container security requires continuous security in new DevSecOps models

When Jordan Liggitt at Google posted details of a serious Kubernetes vulnerability in November 2018, it was a wake-up call for security teams ignoring the risks that came with adopting a cloud-native infrastructure without putting security at the heart of the whole endeavor. For such a significant milestone in Kubernetes history, the vulnerability didn’t have a suitably alarming name comparable to the likes of Spectre, Heartbleed or the Linux Kernel’s recent SACK Panic; it was … More

The post Container security requires continuous security in new DevSecOps models appeared first on Help Net Security.

Data-driven vehicles: The next security challenge

Companies are increasingly building smart products that are tailored to know the individual user. In the automotive world, the next generation passenger vehicle could behave like a personal chauffeur, sentry and bodyguard rolled into one. Over the next decade, every car manufacturer that offers any degree of autonomy in a vehicle will be forced to address the security of both the vehicle and your data, while also being capable of recognizing and defending against threats … More

The post Data-driven vehicles: The next security challenge appeared first on Help Net Security.

IoT cybersecurity’s worst kept secret

By improving access to data and taking advantage of them in fundamentally different ways to drive profitability, IT security executives are rapidly changing perceptions of their office. Although making better sense of and use of data may be standard fare in other areas of the enterprise, who knew that modern IoT cybersecurity solutions would become network security’s newest professional lever? Actually, we should have seen it coming, because digital transformation always starts with visibility and … More

The post IoT cybersecurity’s worst kept secret appeared first on Help Net Security.

Embedding security, the right way

As organizations proceed to move their processes from the physical world into the digital, their risk profile changes, too – and this is not a time to take risks. By not including security into DevOps processes, organizations are exposing their business in new and surprising ways. DevOps DevOps has accelerated software development dramatically, but it has also created a great deal of pain for traditional security teams raised up on performing relatively slow testing. Moving … More

The post Embedding security, the right way appeared first on Help Net Security.