The use of open source code in modern software has become nearly ubiquitous. It makes perfect sense: facing ever-increasing pressures to accelerate the rate at which new applications are delivered, developers value the ready-made aspect of open source components which they can plug in where needed, rather than building a feature from the ground up. Indeed, this practice has become so common that today the average application is composed mostly of open source libraries, with … More
The post Cooking up secure code: A foolproof recipe for open source appeared first on Help Net Security.
With 5G adoption ramping up all over the world, we sat down with Chris Pearson, President of 5G Americas, to learn more about the current 5G landscape. 5G Americas is an industry trade organization composed of leading telecommunications service providers and manufacturers like Samsung, AT&T, Intel, Ericsson, Qualcomm and T-Mobile. What’s your take on the current global progress towards 5G? Despite the COVID-19 crisis, 5G continues to progress at a robust pace in terms of … More
Bad actors are rapidly mounting phishing campaigns, setting up malicious websites and sending malicious attachments to take full advantage of the pandemic and users’ need for information, their fears and other emotions. More often than not, the goal is the compromise of login credentials. Many organizations grant more trust to users on the intranet versus users on the internet. Employees working from home – while unknowingly browsing potentially malicious websites and clicking on doctored COVID-19 … More
The post Lean into zero trust to ensure security in times of agility appeared first on Help Net Security.
Introducing a new security model into your existing infrastructure can be challenging. The task becomes even more daunting when starting with a new host-based or micro-segmentation solution. If you’ve decided on a host-based approach to segmentation, I’d like to share, based on personal experience, some advice and best practices on using this type of solution in your organization. Discovery The business case that drove your organization to adopt a host-based segmentation solution will serve as … More
The post How to successfully operationalize your micro-segmentation solution appeared first on Help Net Security.
At a high level—and contrary to conventional wisdom – not all IT budgets are being cut. Even with the economic challenges that COVID-19 has posed for businesses, almost 38 percent of enterprises are keeping their IT budgets unchanged (flat) or actually increasing them. Yellowbrick Data received responses from more than 1,000 enterprise IT managers and executives, uncovering their infrastructure priorities during this era of economic uncertainty and disruption. “The survey brought to light some trends … More
The post Not all IT budgets are being cut, some are increasing appeared first on Help Net Security.
Demand for security analysts and security operations centre experts is high – so high that Frost and Sullivan found only two percent unemployment in the sector and that demand continues outstrip the supply of newly skilled professionals. (ISC)² suggests that the number of skilled professionals will have to grow from 2.8 million worldwide to 4.07 million to close the skills gap. All these roles will require the right skills and the right data. Alongside filling … More
The post When SOCs never stop: How to fill the intelligence gaps in security appeared first on Help Net Security.
As organizations work to ensure remote workforce productivity, the issue of cached credentials will inevitably appear, causing a problem for the impacted user, and the IT service desk. It’s no secret that some material portion of nearly every workforce is functioning remotely. You’ve spent the last few months scurrying to establish remote connectivity, cloud-based productivity, and some form of encompassing security – all to allow your remote employees to get their job done while meeting … More
The post The challenge of updating locally cached credentials appeared first on Help Net Security.
Agile adoption improves key capabilities needed to respond to current business challenges, especially those resulting from the pandemic, according to Digital.ai. With 60 percent of survey respondents saying Agile has helped increase speed to market, 41 percent agreeing they are better able to manage distributed teams, and 58 percent saying they have improved team productivity it is clear these practices are invaluable during these challenging times. “Our all-in move to the cloud in recent years … More
The post Agile security helps software teams deliver quicker and better software appeared first on Help Net Security.
This is third in a series of articles that introduces and explains application programming interfaces (API) security threats, challenges, and solutions for participants in software development, operations, and protection. Explosion of APIs The API explosion is also driven by several business-oriented factors. First, enterprises are moving away from large monolithic applications that are updated annually at best. Instead, legacy and new applications are being broken into small, independently functional components, often rolled out as container-based … More
Cybercriminals have been using the COVID-19 pandemic as a central theme in all kinds of crisis-related email phishing campaigns. But because of the dramatic rise of the number of at-home workers, one method that has become increasingly common over the past few months are vishing attacks, i.e., phishing campaigns executed via phone calls. Rising success rates are the reason why vishing has become more common, and there are several factors driving this trend: People are … More
The post How to protect your business from COVID-19-themed vishing attacks appeared first on Help Net Security.
The number of vulnerabilities disclosed in Q1 2020 has decreased by 19.8% compared to Q1 2019, making this likely the only true dip observed within the last 10 years, Risk Based Security reveals. Vulnerabilities of interest disclosed in Q1 2020 Vulnerabilities disclosed in Q1 2020: What happened? Many factors have been identified as potential contributors to this decline, including the COVID-19 pandemic, though its precise impact may not be known for another year. “Although the … More
The post Despite lower number of vulnerability disclosures, security teams have their work cut out for them appeared first on Help Net Security.
Software Defined Perimeter (SDP) is the most effective architecture for adopting a zero trust strategy, an approach that is being heralded as the breakthrough technology for preventing large-scale breaches, according to the Cloud Security Alliance. “Most of the existing zero trust security measures are applied as authentication and sometimes authorization, based on policy after the termination of Transport Layer Security (TLS) certificates,” said Nya Alison Murray, senior ICT architect and co-lead author of the report. … More
The post Why is SDP the most effective architecture for zero trust strategy adoption? appeared first on Help Net Security.
48% of employees are less likely to follow safe data practices when working from home, a report from Tessian reveals. The global shift to remote working poses new security challenges for businesses and traditional security solutions are failing to curb the problem of the insider threat and accidental data loss. Remote work compounds insider threats While 91% of IT leaders trust their staff to follow best security practices when working remotely, 52% of employees believe … More
The post Employees abandoning security when working remotely appeared first on Help Net Security.
A large part of the world’s workforce has transitioned to working remotely, but as plans are being drawn up to reopen economies, the security industry is being challenged to develop stronger screening practices, emergency operations planning, and to deploy tools to detect and minimize the impact that future pandemics, natural disasters and cyberattacks can have on a company. Things like global security operation centers (SOCs), managed security services, thermal imaging and temperature screening for on-site … More
With COVID-19, a variety of new cyber risks have made their way into organizations as a result of remote working and increasingly sophisticated, opportunistic threats. As such, efficiency in the security operations center (SOC) is more critical than ever, as organizations have to deal with limited SOC resources. Limited SOC resources The SOC is a centralized team of analysts, engineers, and incident managers who are responsible for detecting, analyzing, and responding to incidents and keeping … More
The post Maintaining the SOC in the age of limited resources appeared first on Help Net Security.
As the power of IoT devices increases, security has failed to follow suit. This is a direct result of the drive to the bottom for price of network enabling all devices. But small steps can greatly increase the overall security of IoT. A better IoT security story has to be one of the most urgent priorities in all of technology. That’s because IoT is one of the industry’s most compelling opportunities and squandering it due … More
The post IoT security: In 2020, action needs to match awareness appeared first on Help Net Security.
42% of companies experienced a data loss event that resulted in downtime last year. That high number is likely caused by the fact that while nearly 90% are backing up the IT components they’re responsible for protecting, only 41% back up daily – leaving many businesses with gaps in the valuable data available for recovery. In order to select an appropriate backup solution for your business, you need to think about a variety of factors. … More
The post How do I select a backup solution for my business? appeared first on Help Net Security.
More than 88% percent of organizations use cloud infrastructure in one form or another, and 45% expect to migrate three quarters or more of their apps to the cloud over the next twelve months, according to the O’Reilly survey. The report surveyed 1,283 software engineers, technical leads, and decision-makers from around the globe. Of note, the report uncovered that 21% of organizations are hosting all applications in a cloud context. The report also found that … More
The post Organizations plan to migrate most apps to the cloud in the next year appeared first on Help Net Security.
Infoblox identified the challenges Communication Service Providers (CSPs) face in transitioning to distributed cloud models, as well as the use cases for multi-access edge computing (MEC), 5G New Radio (NR), and 5G Next Generation Core (NGC) networks. “Distributed cloud models such as 5G and multi-access edge computing networks have the potential to drastically change the CSP industry, delivering high-bandwidth, low latency services to network customers,” said Dilip Pillaipakam, Vice President and GM of Service Provider … More
“The customer comes first” started out as the secret to success in business. Now it’s the secret to 21st century cybersecurity and fraud prevention, too. The phrase always seemed more like an empty platitude, but a growing number of banks and other financial institutions now understand that optimizing convenient consumer experience with risk and safety across all their channels is a strategic differentiator. Dealing with fraudulent transactions Financial institutions have been on the lookout for … More
The post Create a safe haven for your customers to build loyalty appeared first on Help Net Security.
Security Information and Event Management (SIEM) systems combine two critical infosec abilities – information management and event management – to identify outliers and respond with appropriate measures. While information management deals with the collection of security data from across silos in the enterprise (firewalls, antivirus tools, intrusion detection, etc.), event management focuses on incidents that can pose a threat to the system – from benign human errors to malicious code trying to break in. Having … More
The post Integrating a SIEM solution in a large enterprise with disparate global centers appeared first on Help Net Security.
Fifteen years ago, there was a revolution in personal music players. The market had slowly evolved from the Walkman to the Discman, when a bolt of innovation brought the MP3 player. Finally, the solution to having all of one’s music anywhere was solved with a single device, not a device plus a bag full of whatever physical media was popular at that time. History clearly shows that the iPod and a few of its competitors … More
The post What do IGA solutions have in common with listening to music anywhere? appeared first on Help Net Security.
Technology executives, C-suite leaders and senior executives in areas such as IoT, DevOps, security, and embedded development—from both the U.S. and China are realigning their focus during the COVID-19 pandemic, Wind River reveals. Seismic events can disrupt our focus and thinking and force reassessment of drivers of future business success. The current pandemic is one of those major events producing a worldwide impact, especially given its reverberations on the two largest global economies, the U.S. … More
The post COVID-19 is driving diverging perspectives as enterprises decide which technologies to focus on appeared first on Help Net Security.
There are growing disparities in how CEOs and CISOs view the most effective cybersecurity path forward, according to Forcepoint. The global survey of 200 CEOs and CISOs from across industries including healthcare, finance and retail, among others, uncovered prominent cybersecurity stressors and areas of disconnect for business and security leaders, including the lack of an ongoing cybersecurity strategy for less than half of all CEO respondents. The research also identified disparities between geographic regions on … More
As breaches and hacks continue, and new vulnerabilities are uncovered, secure coding is being recognized as an increasingly important security concept — and not just for back-room techies anymore, Accurics reveals. Cloud stack risk “Our report clearly describes how current security practices are grossly inadequate for protecting transient cloud infrastructures, and why more than 30 billion records have been exposed through cloud breaches in just the past two years,” said Sachin Aggarwal, CEO at Accurics. … More
The post Technologies in all layers of the cloud stack are at risk appeared first on Help Net Security.
Senior security leaders within financial services companies are being challenged with a lack of trusted data to make effective security decisions and reduce their risk from cyber incidents, according to Panaseer. Results from a global external survey of over 400 security leaders that work in large financial services companies reveal concerns on security measurement and metrics that include data confidence, manual processes, resource wastage and request overload. Issues with processes, people and technologies The results … More
The post Over half of security leaders still rely on spreadsheets appeared first on Help Net Security.
Even before COVID-19 initiated an onslaught of additional cybersecurity risks, many chief information security officers (CISOs) were struggling. According to a 2019 survey of cybersecurity professionals, these critical data defenders were burned out. At the time, 64% were considering quitting their jobs, and nearly as many, 63%, were looking to leave the industry altogether. Of course, COVID-19 and the ensuing remote work requirements have made the problem worse. It’s clear that companies could be facing … More
The post CISOs are critical to thriving companies: Here’s how to support their efforts appeared first on Help Net Security.
Have you ever done a jigsaw puzzle with pieces missing? Or tried to do a complicated one with only part of the picture showing on the box lid? If so, you will know how it feels to be the folks working to create secure, robust, and seamless enterprise IT systems. Enterprise IT has morphed into something that can feel complex and messy at best and out of control at worst. Each deployment can be convoluted, … More
The post How a good user experience brings the pieces of the enterprise IT jigsaw together appeared first on Help Net Security.
Organizations that put data at the center of their vision and strategy realize a differentiated competitive advantage by mitigating cost and risk, growing revenue and improving the customer experience, a Collibra survey of more than 900 global business analysts reveals. Orgs rarely use data to guide business decisions Despite a majority of companies saying they valued using data to drive decisions, many organizations are not consistently executing. While 84% of respondents said that it is … More
Kurt John is Chief Cybersecurity Officer of Siemens USA, where he is responsible for the information security strategy, governance and implementation for the company’s largest market with ~$23B in annual revenues. In this interview with Help Net Security, he explores a variety of smart security decisions. Kurt discusses the challenges modern CISO have to deal with, the importance of IT security certification, he provides his opinion on what an ideal cybersecurity candidate looks like, and … More
The post Redefining business for a digital world with smart security decisions appeared first on Help Net Security.
Data security is creating fear and trust issues for IT professionals, according to a new Oracle and KPMG report. The study of 750 cybersecurity and IT professionals across the globe found that a patchwork approach to data security, misconfigured services and confusion around new cloud security models has created a crisis of confidence that will only be fixed by organizations making security part of the culture of their business. Data security is keeping IT professionals … More
The post Shifting responsibility is causing uncertainty and more security breaches appeared first on Help Net Security.
In the interest of capturing the thought, and not in the interest of thinking too deeply or comprehensively (at least right now), I offer seven security strategies, summarized.
When I mention the risk equation, I'm talking about the idea that one can conceptually image the risk of some negative event using this "formula": Risk (of something) is the product of some measurements of Vulnerability X Threat X Asset Value, or R = V x T x A.
- Denial and/or ignorance. This strategy assumes the risk due to loss is low, because those managing the risk assume that one or more of the elements of the risk equation are zero or almost zero, or they are apathetic to the cost.
- Loss acceptance. This strategy may assume the risk due to loss is low, or more likely those managing the risk assume that the cost of risk realization is low. In other words, incidents will occur, but the cost of the incident is acceptable to the organization.
- Loss transferal. This strategy may also assume the risk due to loss is low, but in contrast with risk acceptance, the organization believes it can buy an insurance policy which will cover the cost of an incident, and the cost of the policy is cheaper than alternative strategies.
- Vulnerability elimination. This strategy focuses on driving the vulnerability element of the risk equation to zero or almost zero, through secure coding, proper configuration, patching, and similar methods.
- Threat elimination. This strategy focuses on driving the threat element of the risk equation to zero or almost zero, through deterrence, dissuasion, co-option, bribery, conversion, incarceration, incapacitation, or other methods that change the intent and/or capabilities of threat actors.
- Asset value elimination. This strategy focuses on driving the threat element of the risk equation to zero or almost zero, through minimizing data or resources that might be valued by adversaries.
- Interdiction. This is a hybrid strategy which welcomes contributions from vulnerability elimination, primarily, but is open to assistance from loss transferal, threat elimination, and asset value elimination. Interdiction assumes that prevention eventually fails, but that security teams can detect and respond to incidents post-compromise and pre-breach. In other words, some classes of intruders will indeed compromise an organization, but it is possible to detect and respond to the attack before the adversary completes his mission.