Category Archives: Hot stuff

Looking at the future of identity access management (IAM)

Here we are: at the beginning of a new year and the start of another decade. In many ways, technology is exceeding what we expected by 2020, and in other ways, well, it is lacking. Back to the Future made us think we would all be using hoverboards, wearing self-drying and fitting jackets, and getting to and from the grocery store in flying cars by Oct. 21, 2015. Hanna-Barbera promised us a cutting-edge, underwater research … More

The post Looking at the future of identity access management (IAM) appeared first on Help Net Security.

What is flowing through your enterprise network?

Since Edward Snowden’s revelations of sweeping internet surveillance by the NSA, the push to encrypt the web has been unrelenting. Bolstered by Google’s various initiatives (e.g., its prioritizing of websites that use encryption in Google Search results, making Chrome mark HTTP sites as “not secure,” and tracking of worldwide HTTPS usage), CloudFlare’s Universal SSL offer and the advent of Let’s Encrypt, nearly seven years later various sources put the percentage of encrypted internet traffic between … More

The post What is flowing through your enterprise network? appeared first on Help Net Security.

Are CISOs ready for zero trust architectures?

Zero trust is a concept that is gaining an increasingly large and dedicated following, but it may mean different things to different audiences, so let’s start with a definition. I refer to an excellent post by my friend Lee Newcombe and I agree with his definition of zero trust: “Every request to access a resource starts from a position of zero trust. Access decisions are then made and enforced based on a set of trust … More

The post Are CISOs ready for zero trust architectures? appeared first on Help Net Security.

The top four Office 365 security pain points

Many novice Office 365 (O365) shops do not know where platform-specific security vulnerabilities lie, or even that they exist. The threats that you are unaware exist do not cause pain until they rise up and bite – then the agony is fierce. Companies get themselves into trouble when they do not fully understand the way data moves through O365 or they apply on-premise security practices to their cloud strategy. While the O365 platform comes with … More

The post The top four Office 365 security pain points appeared first on Help Net Security.

Jon Callas: Encryption is a technology that rearranges power

In anticipation of his keynote at HITB Security Conference 2020 in Amsterdam, we talked to Jon Callas, a world-renowned cryptographer, software engineer, UX designer, and entrepreneur. Before joining the ACLU as senior technology fellow, he was at Apple, where he helped design the encryption system to protect data stored on a Mac. Jon also worked on security, UX, and crypto for Kroll-O’Gara, Counterpane, and Entrust. He has launched or worked on the launches of many … More

The post Jon Callas: Encryption is a technology that rearranges power appeared first on Help Net Security.

The challenges of cyber research and vulnerability disclosure for connected healthcare devices

As Head of Research at CyberMDX, Elad Luz gathers and analyzes information on a variety of connected healthcare devices in order to improve the techniques used to protect them and/or report about their security issues to vendors. The research includes analyzing protocols, reverse engineering software, and conducting vulnerability tests. Healthcare organizations are increasingly experiencing IoT-focused cyberattacks. What is the realistic worst-case scenario when it comes to such attacks? The first and most important risk to … More

The post The challenges of cyber research and vulnerability disclosure for connected healthcare devices appeared first on Help Net Security.

Take your SOC to the next level of effectiveness

Enterprise security infrastructures average 80 security products, creating security sprawl and a big management challenge for SOC teams. With high volumes of data generated from security controls across the infrastructure, SOC teams often rely on Security Information and Event Management (SIEM) solutions to aggregate data and deliver insight into events and alerts. Similarly, Security Orchestration, Automation and Response (SOAR) platforms can take the results and automate them into action. However, the business needs to know … More

The post Take your SOC to the next level of effectiveness appeared first on Help Net Security.

(IN)SECURE Magazine issue 65 released

(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. Issue 65 has been released today. It’s a free download, no registration required. Table of contents A case for establishing a common weakness enumeration for hardware security Things to keep in mind when raising capital for your cybersecurity venture Burner phones are an eavesdropping risk for international travelers Hardware hacks: The next generation of cybercrime California’s IoT cybersecurity bill: … More

The post (IN)SECURE Magazine issue 65 released appeared first on Help Net Security.

Emotet: Crimeware you need to be aware of

According to the U.S. Department of Homeland Security, Emotet continues to be among the most costly and destructive malware threats affecting state, local, and territorial governments and its impact is felt across both the private and public sectors. First identified as a banking Trojan in 2014 by Trend Micro, Emotet is often downplayed by network defenders as “commodity malware” or “crimeware”. The evolution of both the malware and the criminal network behind it continue to … More

The post Emotet: Crimeware you need to be aware of appeared first on Help Net Security.

Cybersecurity is a board level issue: 3 CISOs tell why

As a venture capital investor who was previously a Chief Information Security Officer, I have noticed an interesting phenomenon: although cybersecurity makes the news often and is top of mind for consumers and business customers, it doesn’t always get the attention it deserves by the board of directors. Misconceptions and knowledge gaps increase this distance between security and oversight. How can boards dive deeper into the world of security and overcome the entry barriers to … More

The post Cybersecurity is a board level issue: 3 CISOs tell why appeared first on Help Net Security.

5 tips for acquiring cyber talent in 2020

Cybersecurity is facing a recruitment crisis. There are currently 2.8 million professionals working in the field – far from sufficient given the ever-expanding cyber threat landscape. To meet the market’s true needs, ISC2 believes the cybersecurity workforce will need to more than double. Companies have a number of options to overcome the cyber talent crunch, including integrating external providers who can provide specialist support. For those looking to boost recruitment in the new year, here … More

The post 5 tips for acquiring cyber talent in 2020 appeared first on Help Net Security.

What the government infosec landscape will look this year

The information security landscape seems to evolve at a faster clip each year. The deluge of ever-changing threats, attack techniques and new breaches making headlines can be challenging to track and assess. That’s why each year the WatchGuard Threat Lab takes a step back to assess the world of cyber security and develop a series of predictions for what emerging trends will have the biggest impact. Following the worldwide controversy over hacking that influenced the … More

The post What the government infosec landscape will look this year appeared first on Help Net Security.

The future of DNS security: From extremes to a new equilibrium

In anticipation of his keynote at HITB Security Conference 2020 in Amsterdam, we talked to internet pioneer Dr. Paul Vixie, Farsight Security Chairman and CEO. Dr. Vixie was inducted into the internet Hall of Fame in 2014 for work related to DNS and anti-spam technologies. He is the author of open source internet software including BIND 8, and of many internet standards documents concerning DNS and DNSSEC. You’ve worked in the DNS field for more … More

The post The future of DNS security: From extremes to a new equilibrium appeared first on Help Net Security.

How can we harness human bias to have a more positive impact on cybersecurity awareness?

Dr. Jessica Barker, Co-CEO of Cygenta, follows her passion of positively influencing cybersecurity awareness, behaviours and culture in organisations around the world. Dr. Barker will be speaking about the psychology of fear and cybersecurity at RSA Conference 2020, and in this interview she discusses the human nature of cybersecurity. What are some of the most important things you’ve learned over time when it comes to security culture? How important is it and why? A positive … More

The post How can we harness human bias to have a more positive impact on cybersecurity awareness? appeared first on Help Net Security.

HECVAT toolkit helps higher education institutions assess cloud adoption risks

Higher education institutions are increasingly adopting cloud-based solutions in order to lower costs, improve performance and productivity, and increase flexibility and scalability. Before settling on a solution, though, they must assess it for security and privacy needs, including some that are unique to higher education. To help them do that more expeditiously, EDUCAUSE – a US nonprofit association that aims to advance higher education through the use of information technology – has created HECVAT: the … More

The post HECVAT toolkit helps higher education institutions assess cloud adoption risks appeared first on Help Net Security.

How CISOs can justify cybersecurity purchases

Sometimes a disaster strikes: ransomware encrypts critical files, adversaries steal sensitive data, a business application is compromised with a backdoor… This is the stuff that CISOs’ nightmares are made of. As devastating as such incidents can be, for the short time after they occur, the enterprise usually empowers the CISO to implement security measures that he or she didn’t get funding for earlier. Of course, waiting for disastrous events is a reckless and unproductive way … More

The post How CISOs can justify cybersecurity purchases appeared first on Help Net Security.

Layering diverse defenses is crucial for stopping email attacks

Despite heading a company that provides a technological solution for stopping targeted email attacks, Evan Reiser, CEO of Abnormal Security, knows that technology is not the complete answer to the malicious email problem. At the same time, security awareness and anti-phishing training is also not a foolproof solution, he maintains. “Some businesses are giving up on technology and defaulting to an awareness-based security program for detecting email attacks, but that sets them up for failure. … More

The post Layering diverse defenses is crucial for stopping email attacks appeared first on Help Net Security.

Three principles regarding encryption you need to keep in mind

Encryption is a popular topic among security professionals and occasionally a polarizing one. Plenty of misconceptions surround the process, and these often skew the way people perceive its complexity. For instance, we’ve encountered many IT and business leaders who assume that because they can’t encrypt one piece of important information (e.g., the birth date of a contact), it’s not worth encrypting any information at all. This is a ridiculous logical leap, but it’s not uncommon. … More

The post Three principles regarding encryption you need to keep in mind appeared first on Help Net Security.

How to prioritize IT security projects

If you’re an IT security professional, you’re almost certainly familiar with that sinking feeling you experience when presented with an overwhelming number of security issues to remediate. It’s enough to make you throw your hands up and wonder where to even begin. This is the crux of the problem that develops in the absence of effective security prioritization. If you aren’t prioritizing cybersecurity risks effectively, you’re not only creating a lot of extra work for … More

The post How to prioritize IT security projects appeared first on Help Net Security.

2020: A year of deepfakes and deep deception

Over the past year, deepfakes, a machine learning model that is used to create realistic yet fake or manipulated audio and video, started making headlines as a major emerging cyber threat. The first examples of deepfakes seen by the general public were mainly amateur videos created using free deepfake tools, typically of celebrities’ faces superimposed into pornographic videos. Even though these videos were of fairly low quality and could be reasonably distinguished as illegitimate, people … More

The post 2020: A year of deepfakes and deep deception appeared first on Help Net Security.

Data breach: Why it’s time to adopt a risk-based approach to cybersecurity

The recent high-profile ransomware attack on foreign currency exchange specialist Travelex highlights the devastating results of a targeted cyber-attack. In the weeks following the initial attack, Travelex struggled to bring its customer-facing systems back online. Worse still, despite Travelex’s assurances that no customer data had been compromised, hackers were demanding $6 million for 5GB of sensitive customer information they claim to have downloaded. Providing services to some of the world’s largest banking corporations including HSBC, … More

The post Data breach: Why it’s time to adopt a risk-based approach to cybersecurity appeared first on Help Net Security.

Recommendations for navigating the dynamic cybercrime landscape

In this interview, Mark Sangster, VP & Industry Security Strategist at eSentire, talks about the most pressing issues CISOs are dealing with in today’s fast-fast paced threat environment. How has the cybersecurity threat landscape evolved in the past 5 years? What are some of the most notable threats eSentire is seeing that were not an issue in the past? The past five years have seen significant progress in both the recognition of cybercrime, but also … More

The post Recommendations for navigating the dynamic cybercrime landscape appeared first on Help Net Security.

You can upgrade Windows 7 for free! Why wouldn’t you?

“Doomsday is here! The sky is falling! Windows 7 is out of support and all hell will break loose!” – or, at least, that’s what some cybersecurity experts and press outlets want you to think. In this article, I will offer some advice to businesses of all sizes that may need to continue using Windows 7, while understanding the risk. This is my opinion and should be taken as advice only. Every company is different, … More

The post You can upgrade Windows 7 for free! Why wouldn’t you? appeared first on Help Net Security.

Zero Trust: Beyond access controls

As the Zero Trust approach to cybersecurity gains traction in the enterprise world, many people have come to recognize the term without fully understanding its meaning. One common misconception: Zero Trust is all about access controls and additional authentication, such as multi-factor authentication. While these two things help organizations get to a level of Zero Trust, there is more to it: a Zero Trust approach is really an organization-wide architecture. Things aren’t always as they … More

The post Zero Trust: Beyond access controls appeared first on Help Net Security.

There is no easy fix to AI privacy problems

Artificial intelligence – more specifically, the machine learning (ML) subset of AI – has a number of privacy problems. Not only does ML require vast amounts of data for the training process, but the derived system is also provided with access to even greater volumes of data as part of the inference processing while in operation. These AI systems need to access and “consume” huge amounts of data in order to exist and, in many … More

The post There is no easy fix to AI privacy problems appeared first on Help Net Security.

Container security requires continuous security in new DevSecOps models

When Jordan Liggitt at Google posted details of a serious Kubernetes vulnerability in November 2018, it was a wake-up call for security teams ignoring the risks that came with adopting a cloud-native infrastructure without putting security at the heart of the whole endeavor. For such a significant milestone in Kubernetes history, the vulnerability didn’t have a suitably alarming name comparable to the likes of Spectre, Heartbleed or the Linux Kernel’s recent SACK Panic; it was … More

The post Container security requires continuous security in new DevSecOps models appeared first on Help Net Security.

Data-driven vehicles: The next security challenge

Companies are increasingly building smart products that are tailored to know the individual user. In the automotive world, the next generation passenger vehicle could behave like a personal chauffeur, sentry and bodyguard rolled into one. Over the next decade, every car manufacturer that offers any degree of autonomy in a vehicle will be forced to address the security of both the vehicle and your data, while also being capable of recognizing and defending against threats … More

The post Data-driven vehicles: The next security challenge appeared first on Help Net Security.

Review: Enzoic for Active Directory

Seemingly every day news drops that a popular site with millions of users had been breached and its user database leaked online. Almost without fail, attackers try to use those leaked user credentials on other sites, making password stuffing one of the most common attacks today. Users often use the same username/email and password combination for multiple accounts and, unfortunately, enterprise accounts are no exception. Attackers can, therefore, successfully use leaked credentials to access specific … More

The post Review: Enzoic for Active Directory appeared first on Help Net Security.

IoT cybersecurity’s worst kept secret

By improving access to data and taking advantage of them in fundamentally different ways to drive profitability, IT security executives are rapidly changing perceptions of their office. Although making better sense of and use of data may be standard fare in other areas of the enterprise, who knew that modern IoT cybersecurity solutions would become network security’s newest professional lever? Actually, we should have seen it coming, because digital transformation always starts with visibility and … More

The post IoT cybersecurity’s worst kept secret appeared first on Help Net Security.

Embedding security, the right way

As organizations proceed to move their processes from the physical world into the digital, their risk profile changes, too – and this is not a time to take risks. By not including security into DevOps processes, organizations are exposing their business in new and surprising ways. DevOps DevOps has accelerated software development dramatically, but it has also created a great deal of pain for traditional security teams raised up on performing relatively slow testing. Moving … More

The post Embedding security, the right way appeared first on Help Net Security.