Wednesday, January 31, 2018

Facebook’s New Policy Bans All Ads Promoting Cryptocurrencies

Facebook announced on Tuesday its plans to ban all ads that promote Bitcoin and other digital currency exchanges, initial coin offerings (ICOs) and binary options. The social network said the new policy aims to protect users from scams, describing such financial services as “frequently associated with misleading or deceptive promotional practices.” In a company blog […]

The post Facebook’s New Policy Bans All Ads Promoting Cryptocurrencies appeared first on The State of Security.

The post Facebook’s New Policy Bans All Ads Promoting Cryptocurrencies appeared first on Security Boulevard.




Scarab ransomware: new variant changes tactics

We've found that a variant of the Scarab ransomware, called Scarabey, is distributed via a different technique, with a different payload code, and a new target: Russia.

Scarabey, like most ransomware, is designed to demand a Bitcoin payment from its victims after encrypting files on their systems. However, instead of being distributed via Necurs malspam like the original Scarab, Scarabey was found targeting Russian users and being distributed via RDP/manual dropping on servers and systems.


The post Scarab ransomware: new variant changes tactics appeared first on Malwarebytes Labs.

The post Scarab ransomware: new variant changes tactics appeared first on Security Boulevard.




CRISC Domain #1: IT Risk Identification

The CRISC exam consists of 4 domains, and this writing focuses on the first one. Often regarded as an adverse event, a risk is the likelihood of an event happening along with its concomitant...


The post CRISC Domain #1: IT Risk Identification appeared first on Security Boulevard.




XKCD, Campaign Fundraising Emails


The post XKCD, Campaign Fundraising Emails appeared first on Security Boulevard.




Advanced User Imports | JumpCloud PowerShell Module

PowerShell has been enabling admins to interact with their directory in unique ways for years now. With it, many of the monotonous tasks of everyday IT can be automated and...

The post Advanced User Imports | JumpCloud PowerShell Module appeared first on JumpCloud.

The post Advanced User Imports | JumpCloud PowerShell Module appeared first on Security Boulevard.




Autopsy Computer Forensics Platform Overview

Autopsy: a platform overview. Autopsy is the graphical user interface (GUI) for The Sleuth Kit; it makes the toolkit simpler to operate by automating many of the procedures, and so makes it easier to identify, sort and...


The post Autopsy Computer Forensics Platform Overview appeared first on Security Boulevard.




Computer Forensics Code of Ethics

Computer Forensics Code of Ethics ensures fairness and integrity. An important aspect of most professional associations is its code of ethics. A code of ethics is normally established and defined by...


The post Computer Forensics Code of Ethics appeared first on Security Boulevard.




Ohio and FTC versus tech support scammers

Kevin Townsend, for Security Week, reports on action against tech support scammers in the US and UK: Tech Support Scammers Fined in US, Jailed in UK. Kevin says: Ohio Attorney General Mike DeWine and the Federal Trade Commission (FTC) announced Monday that operators of a nationwide computer repair scam have been banned from the tech support business […]

The post Ohio and FTC versus tech support scammers appeared first on Security Boulevard.




Computer Forensics Roles and Responsibilities

These days cops might be trolling for bad guys online in a chat room as often—maybe even more often—than chasing them down a back alley. Although there’s still plenty of crime that requires a police...


The post Computer Forensics Roles and Responsibilities appeared first on Security Boulevard.




Kevin Townsend: some actions against tech support scammers

Kevin Townsend, for Security Week, reports on action against tech support scammers in the US and UK: Tech Support Scammers Fined in US, Jailed in UK. Kevin says: Ohio Attorney General Mike DeWine and the Federal Trade Commission (FTC) announced Monday that operators of a nationwide computer repair scam have been banned from the tech support business […]

The post Kevin Townsend: some actions against tech support scammers appeared first on Security Boulevard.




CRISC: Exam Details & Process

In a fast-changing cyberspace landscape, CRISC-recognized professionals are essential for any companies thanks to their knowledge in the fields of IT risk management and IS control. As ISACA states:...


The post CRISC: Exam Details & Process appeared first on Security Boulevard.




Spectre, Meltdown and Malware

Eduard Kovacs for Security Week: Malware Exploiting Spectre, Meltdown Flaws Emerges. He observes: Researchers have discovered more than 130 malware samples designed to exploit the recently disclosed Spectre and Meltdown CPU vulnerabilities. While a majority of the samples appear to be in the testing phase, we could soon start seeing attacks. Information from AV-Test regarding samples […]

The post Spectre, Meltdown and Malware appeared first on Security Boulevard.




CRISC: Overview of Domains

Being Certified in Risk and Information Systems Control (CRISC) means being able to fill IT-related risk management roles and to effectively evaluate security threats and vulnerabilities of the...


The post CRISC: Overview of Domains appeared first on Security Boulevard.




Information Assurance Scholarship Program: Capitol Technology University

Picture this: a full scholarship package enabling you to complete your cybersecurity education without being hampered by financial burdens. In addition, a generous stipend covering room and board. And the assurance of federal government employment [...]

The post Information Assurance Scholarship Program: Capitol Technology University appeared first on SecurityOrb.com.

The post Information Assurance Scholarship Program: Capitol Technology University appeared first on Security Boulevard.




Security+: Account Management Best Practices

In the evolving world of cybercrime, malicious actors are posing grave threats to individual and companies’ authentication mechanisms. Fortunately, Security+ candidates learn account management best...


The post Security+: Account Management Best Practices appeared first on Security Boulevard.




Israeli Scientists Accidentally Reveal Classified Information

According to this story (non-paywall English version here), Israeli scientists released some information to the public they shouldn't have. Defense establishment officials are now trying to erase any trace of the secret information from the web, but they have run into difficulties because the information was copied and is found on a number of platforms. Those officials have managed to...

The post Israeli Scientists Accidentally Reveal Classified Information appeared first on Security Boulevard.




Google: defending against Android malware

Some figures from Google with reference to its fights against malware submitted to Google Play.

The post Google: defending against Android malware appeared first on Security Boulevard.




Central Illinois MSP gains edge in security threat battle using Managed Workplace

The customer

Headquartered in Peoria, Illinois, Advanced Technology Services (ATS) has been providing IT and managed services for some of the largest brands in the U.S., Mexico, and United Kingdom since 1985. In addition to global enterprises, ATS also services a good many small businesses. This calls for adaptability in their offerings.

The post Central Illinois MSP gains edge in security threat battle using Managed Workplace appeared first on Security Boulevard.




Quantum Video, Sino-Style


One of those Wired pieces that may be marginally accurate. Let's hope this dingus can fly, and encrypt quantum bits at the same time.


The post Quantum Video, Sino-Style appeared first on Security Boulevard.




2018 Web Vulnerability Scanners Comparison – Netsparker Confirmed a Market Leader

The 2018 independent web application security scanners benchmark results have been published. How did Netsparker fare when compared to the other web vulnerability scanners?

In short, Netsparker was:

  • The only scanner that identified all the vulnerabilities
  • One of only two scanners that reported zero false positives

None of the other scanners in the comparison performed as well as Netsparker. If you'd like to find out more information, including results, read this post which explains how the tests were conducted and displays the results of each individual test.

Table of Contents

  1. What is the Web Application Security Scanner (DAST) Benchmark?
  2. The Benchmark Results – Global Results
  3. The Benchmark Results – Individual Tests Results
    1. OS Command Injection Detection
    2. Remote File Inclusion / SSRF
    3. Path Traversal
    4. SQL Injection
    5. Reflective Cross-site Scripting (XSS)
    6. Unvalidated Redirect
  4. Are Web Security Scanner Comparisons Useful & Realistic?
    1. Which is the Best Web Application Security Scanner?
    2. Can Netsparker Identify Security Flaws in Your Web Applications and APIs?
  5. Past Comparisons Between Automated Web Application Security Scanners

What is the Web Application Security Scanner (DAST) Benchmark?

It is a test that compares the features, coverage, vulnerability detection rate and accuracy of automated web application security scanners, also known as web vulnerability scanners or Dynamic Application Security Testing (DAST) solutions.

Individual tests were conducted by the independent information security researcher and analyst Shay Chen. Shay has been conducting benchmark tests and improving the platform since 2010. So far he has released six (2010, 2011, 2012, 2013/2014, 2015, 2017/2018). His work is considered the de facto comparison by the application security industry.

How Are Tests Performed?

Shay Chen and his team built The Web Application Vulnerability Scanner Evaluation Project (WAVSEP), a testbed that they scan to see how every scanner performs. WAVSEP is an open source project and new tests are incorporated every year. You can download it from the WAVSEP GitHub repository.

This year Shay and his team went a step further. They have been installing and integrating DAST solutions in real-life enterprise SSDLC (Secure Software Development Lifecycle) processes to get a better understanding of how they can expand the WAVSEP testbed and test the scanners. They have implemented automated vulnerability scanners in financial, hi-tech and telecom organizations. As Shay himself explains:

Some of these experiences led us to develop test cases aimed to inspect issues in proclaimed features that we noticed didn't work as expected in actual implementations, and some to the creation of comparison categories that are apparently crucial for real-world implementations.

The Negative Impact of False Positives

Shay and his team also talked about the importance of accurate scan results in the report, after their first-hand experience with scanners in real-life environments. Quoting from the official benchmark results:

Weeding out a reasonable amount of false positives during a pentest is not ideal, but could be performed with relative ease. However, thousands upon thousands of false positives in enterprise SSDLC periodic scan scenarios can take their toll.

False positives in scan results are a drag on the whole web application security industry. So much so that large organizations with hundreds or even thousands of web applications limit their efforts to a handful of mission-critical websites and ignore the rest. I was quite shocked to learn this, though it is unsurprising given the many hacks and data leaks that happen every year.

False Positives Make Scaling Up Web Security Impossible

If a solution reports false positives, it is impossible – unless you have an army of people – to scale up your efforts and secure all your web applications. Even if you have the budget for such an undertaking, there is still the troublesome problem of human error.

This is why we developed Netsparker's proprietary Proof-Based Scanning, technology that automatically verifies detected vulnerabilities – proving they are real flaws, and not false positives. The benefits of such technology are plentiful, and since the scan results are accurate, you can easily scale up your efforts. In a real-life environment, with thousands of web applications, you can start the vulnerability triage process and fix them within a matter of hours.

Evaluation Criteria

In the 2017/2018 benchmark tests, Shay and his team included several previously uncovered aspects of scanners and new tests to check the detection capabilities of previously uncovered vulnerabilities. This included OS Command Injection, and repurposing XSS via RFI tests that can also be used for Server Side Request Forgery (SSRF) evaluation.

The Benchmark Results – Global Results

How Many Vulnerabilities Did the Scanners Detect?

This matrix lists what percentage of all vulnerabilities each web application security scanner identified. Missing data or scores are represented with 'N/A'.

| Test | Netsparker | WebInspect | AppSpider | Acunetix | Burp Suite | AppScan |
|---|---|---|---|---|---|---|
| OS Command Injection (New) | 100 | N/A | 99.11 | 78.57 | 93.3 | N/A |
| Remote File Inclusion/SSRF (New) | 100 | 100 | 82.67 | 64.22 | 74.67 | N/A |
| Path Traversal | 100 | 91.18 | 81.61 | 94.12 | 78.31 | 100 |
| SQL Injection | 100 | 98.46 | 95.39 | 100 | 97 | 100 |
| Reflective XSS | 100 | 100 | 100 | 100 | 97 | 100 |
| Unvalidated Redirect | 100 | 95.51 | 100 | 100 | 76.67 | 36.67 |
| Average % | 100.0 | 97.0 | 93.1 | 89.5 | 86.2 | 84.2 |

Clearly, Netsparker beats the competition in terms of vulnerability detection. It was the only scanner to identify all the security issues, followed by HP WebInspect at 97% and Rapid7 AppSpider at 93.1%.

Note: Missing data or scores were the result of lack of support (in some cases even a lack of response) from some vendors. Only the tests for which scanners had a result were used to calculate the global average.

How Many False Positives Were Reported?

This matrix lists the percentage of false positives each web application security scanner reported in each test.

| Test | Netsparker | AppSpider | WebInspect | AppScan | Acunetix | Burp Suite |
|---|---|---|---|---|---|---|
| OS Command Injection (New) | 0 | 0 | 0 | 0 | 0 | 0 |
| Remote File Inclusion / SSRF (New) | 0 | 0 | 0 | 0 | 0 | 16.67 |
| Path Traversal | 0 | 0 | 0 | 0 | 0 | 12.5 |
| SQL Injection | 0 | 0 | 0 | 0 | 0 | 0 |
| Reflective XSS | 0 | 0 | 0 | 0 | 0 | 0 |
| Unvalidated Redirect | 0 | 0 | 11 | 11 | 11 | 0 |
| Total % | 0.0 | 0.0 | 1.8 | 1.8 | 1.8 | 4.9 |

Netsparker and Rapid7 AppSpider were the only solutions that reported zero false positives, while Burp Suite was the one that reported the most false positives.

Graph with Global Detection & False Positives Rates

This graph is a visual representation of the global results, illustrating both the vulnerability detection and false positives rates side by side for each vendor.

The Benchmark Results – Individual Tests Results

OS Command Injection Detection

The OS Command Injection vulnerability test is one of the new tests. Netsparker was the only scanner to detect all the vulnerability instances in the test.

Remote File Inclusion / SSRF

This was also one of the new tests included in the WAVSEP benchmarking tests. Netsparker and WebInspect were the only two scanners that detected all the vulnerabilities in this test. AppSpider followed with 82.67%, and then Burp Suite with 74.67%, though Burp Suite also reported 16.67% false positives.

Path Traversal

This time Netsparker and AppScan led the field, both detecting all the Path Traversal vulnerabilities. Acunetix WVS and HP WebInspect came third and fourth, followed by AppSpider. Burp Suite was the scanner that detected the least at 78.31%, and it also reported 12.5% false positives.

SQL Injection

This is one of the classic tests: the SQL injection vulnerability. In this test Netsparker, Acunetix WVS and AppScan detected all the vulnerabilities. HP WebInspect followed with 98.46%. None of the scanners reported any false positives in this test.

Reflective Cross-site Scripting (XSS)

All scanners but Burp Suite detected all the cross-site scripting vulnerabilities.

Unvalidated Redirect

In the unvalidated redirect vulnerability tests, three of the scanners (WebInspect, Acunetix and AppScan) reported false positives. AppScan also performed very poorly, with a detection rate of only 36.67%. On the other hand, Netsparker, AppSpider and Acunetix detected all the vulnerabilities.

Are Web Security Scanner Comparisons Useful & Realistic?

As a rule of thumb, nothing beats a live environment test. In fact, at Netsparker we always encourage potential customers to test our web security solution by scanning a staging copy of their web applications, as explained in How to Evaluate Web Application Security Scanners.

It's impossible to test all the scanners available on the market. So, these comparisons are incredibly useful because they highlight who the market leaders are – those scanners that can detect the most vulnerabilities and generate accurate results.

Which is the Best Web Application Security Scanner?

The best web vulnerability scanner is the one that detects the most vulnerabilities in your web applications, is easiest to use and can help you automate most of your work. Finding vulnerabilities in a web application is not just about the duration of the scan, but also how long it takes to set up the scan (pre-scan) and verify the results (post-scan). Therefore, when you evaluate solutions, you should ensure that automated vulnerability confirmation is part of the equation.

Read Shay Chen’s full report: Evaluation of Web Application Vulnerability Scanners in Modern Pentest/SSDLC Usage Scenarios.

Can Netsparker Identify Security Flaws in Your Web Applications and APIs?

The best way to find out is to download a demo and launch a vulnerability scan. Netsparker is very easy to use and most of the pre-scan configuration is automated. All you need to do is specify the URL and credentials (to scan password protected websites), and launch the scan.

Past Comparisons Between Automated Web Application Security Scanners

See the previous results for the comparisons between the 2015 web application security scanners and 2013-2014 web application security scanners.

The post 2018 Web Vulnerability Scanners Comparison – Netsparker Confirmed a Market Leader appeared first on Security Boulevard.




Podcast: 2017 AppSec Lessons Learned

Appsec Lessons Learned from 2017

“The more things change the more they stay the same” could be the application security motto for 2017. Last year featured breaches stemming from the same vulnerabilities that have been wreaking havoc for years. In fact, we saw SQL injection in about 30 percent of the apps we scanned in 2017 – a number that hasn’t budged much since 2011.

2017 also shone a harsh spotlight on the risk of open source component use, with several high-profile breaches originating with this type of code.

But 2017 also brought some reasons to be optimistic about the future of application security. We’ve seen awareness increasing, best practices emerging and many organizations moving the needle in reducing their application layer risk.

CA Veracode’s Director of Content and Corporate Communications Jessica Lavery recently sat down with Evan Schuman to take a look back at AppSec in 2017 and discuss where it’s headed in 2018.

The post Podcast: 2017 AppSec Lessons Learned appeared first on Security Boulevard.




experimental debian rsyslog packages

We often receive requests for Debian packages. So far, we did not package for recent Debian, as the Debian maintainer, Michael Biebl, does an excellent job. Unlike us, he is a real expert on Debian policies and infrastructure.

Nevertheless, we now took his package sources and gave the Suse Open Build Service a try. In the end result, we now seem to have usable Debian packages (and more) available at:
I would be very interested in your feedback on the first incarnation of this project. Is it useful? Is it something we should continue? Do you have any problems with the packages? Other suggestions? Please let us know.
Please note: should we decide that the project is worth keeping, the above URL will change. However, we will give sufficient advance notice. The current version is not suggested for production systems, at least not without trying it out on test systems first!

The post experimental debian rsyslog packages appeared first on Security Boulevard.




Firestarter: Architecting Your Cloud with Accounts


We are taking over our own Firestarter and kicking off a new series of discussions on cloud security… from soup to nuts (whatever that means). Each week for the next few months we will cover, in order, how to build out your cloud security program. We are taking our assessment framework and converting it into a series of discussions talking about what we find and how to avoid issues. This week we start with architecting your account structures, after a brief discussion of the impact of the Meltdown and Spectre vulnerabilities since they impact cloud (at least for now) more than your local computer.



- Rich

The post Firestarter: Architecting Your Cloud with Accounts appeared first on Security Boulevard.




Protostar: Finals – Remote Heap Unlink Exploitation

In this article, the two final challenges of Protostar will be solved, and these are the remote Format String and the Heap Unlink Exploitation vulnerabilities. Introduction These levels introduce the...

Go on to the site to read the full article

The post Protostar: Finals – Remote Heap Unlink Exploitation appeared first on Security Boulevard.




What is AlienVault

It’s coming up on my 3 year anniversary at AlienVault – and after a conversation with a friend, it dawned on me that I don’t think I’ve ever really explained what AlienVault does. So, when I was in Austin this last week I recruited some of my colleagues to help make this short video to […]

The post What is AlienVault appeared first on Security Boulevard.




After Section 702 Reauthorization

For over a decade, civil libertarians have been fighting government mass surveillance of innocent Americans over the Internet. We've just lost an important battle. When President Trump signed the renewal of Section 702 on January 18, domestic mass surveillance became effectively a permanent part of US law.

Section 702 was initially passed in 2008, as an amendment to the Foreign Intelligence Surveillance Act of 1978. As the title of that law says, it was billed as a way for the NSA to spy on non-Americans located outside the United States. It was supposed to be an efficiency and cost-saving measure: the NSA was already permitted to tap communications cables located outside the country, and it was already permitted to tap communications cables from one foreign country to another that passed through the United States. Section 702 allowed it to tap those cables from inside the United States, where it was easier. It also allowed the NSA to request surveillance data directly from Internet companies under a program called PRISM.

The problem is that this authority also gave the NSA the ability to collect foreign communications and data in a way that inherently and intentionally also swept up Americans' communications, without a warrant. Other law enforcement agencies are allowed to ask the NSA to search those communications, give their contents to the FBI and other agencies and then lie about their origins in court.

In 1978, after Watergate had revealed the Nixon administration's abuses of power, we erected a wall between intelligence and law enforcement that prevented precisely this kind of sharing of surveillance data under any authority less restrictive than the Fourth Amendment. Weakening that wall is incredibly dangerous, and the NSA should never have been given this authority in the first place.

Arguably, it never was. The NSA had been doing this type of surveillance illegally for years, something that was first made public in 2006. Section 702 was secretly used as a way to paper over that illegal collection, but nothing in the text of the later amendment gives the NSA this authority. We didn't know that the NSA was using this law as the statutory basis for this surveillance until Edward Snowden showed us in 2013.

Civil libertarians have been battling this law in both Congress and the courts ever since it was proposed, and the NSA's domestic surveillance activities even longer. What this most recent vote tells me is that we've lost that fight.

Section 702 was passed under George W. Bush in 2008, reauthorized under Barack Obama in 2012, and now reauthorized again under Trump. In all three cases, congressional support was bipartisan. It has survived multiple lawsuits by the Electronic Frontier Foundation, the ACLU, and others. It has survived the revelations by Snowden that it was being used far more extensively than Congress or the public believed, and numerous public reports of violations of the law. It has even survived Trump's belief that he was being personally spied on by the intelligence community, as well as any congressional fears that Trump could abuse the authority in the coming years. And though this extension lasts only six years, it's inconceivable to me that it will ever be repealed at this point.

So what do we do? If we can't fight this particular statutory authority, where's the new front on surveillance? There are, it turns out, reasonable modifications that target surveillance more generally, and not in terms of any particular statutory authority. We need to look at US surveillance law more generally.

First, we need to strengthen the minimization procedures to limit incidental collection. Since the Internet was developed, all the world's communications travel around in a single global network. It's impossible to collect only foreign communications, because they're invariably mixed in with domestic communications. This is called "incidental" collection, but that's a misleading name. It's collected knowingly, and searched regularly. The intelligence community needs much stronger restrictions on which American communications channels it can access without a court order, and rules that require they delete the data if they inadvertently collect it. More importantly, "collection" is defined as the point the NSA takes a copy of the communications, and not later when they search their databases.

Second, we need to limit how other law enforcement agencies can use incidentally collected information. Today, those agencies can query a database of incidental collection on Americans. The NSA can legally pass information to those other agencies. This has to stop. Data collected by the NSA under its foreign surveillance authority should not be used as a vehicle for domestic surveillance.

The most recent reauthorization modified this lightly, forcing the FBI to obtain a court order when querying the 702 data for a criminal investigation. There are still exceptions and loopholes, though.

Third, we need to end what's called "parallel construction." Today, when a law enforcement agency uses evidence found in this NSA database to arrest someone, it doesn't have to disclose that fact in court. It can reconstruct the evidence in some other manner once it knows about it, and then pretend it learned of it that way. This right to lie to the judge and the defense is corrosive to liberty, and it must end.

Pressure to reform the NSA will probably first come from Europe. Already, European Union courts have pointed to warrantless NSA surveillance as a reason to keep Europeans' data out of US hands. Right now, there is a fragile agreement between the EU and the United States -- called "Privacy Shield" -- that requires Americans to maintain certain safeguards for international data flows. NSA surveillance goes against that, and it's only a matter of time before EU courts start ruling this way. That'll have significant effects on both government and corporate surveillance of Europeans and, by extension, the entire world.

Further pressure will come from the increased surveillance coming from the Internet of Things. When your home, car, and body are awash in sensors, privacy from both governments and corporations will become increasingly important. Sooner or later, society will reach a tipping point where it's all too much. When that happens, we're going to see significant pushback against surveillance of all kinds. That's when we'll get new laws that revise all government authorities in this area: a clean sweep for a new world, one with new norms and new fears.

It's possible that a federal court will rule on Section 702. Although there have been many lawsuits challenging the legality of what the NSA is doing and the constitutionality of the 702 program, no court has ever ruled on those questions. The Bush and Obama administrations successfully argued that defendants don't have legal standing to sue. That is, they have no right to sue because they don't know they're being targeted. If any of the lawsuits can get past that, things might change dramatically.

Meanwhile, much of this is the responsibility of the tech sector. This problem exists primarily because Internet companies collect and retain so much personal data and allow it to be sent across the network with minimal security. Since the government has abdicated its responsibility to protect our privacy and security, these companies need to step up: Minimize data collection. Don't save data longer than absolutely necessary. Encrypt what has to be saved. Well-designed Internet services will safeguard users, regardless of government surveillance authority.

For the rest of us concerned about this, it's important not to give up hope. Everything we do to keep the issue in the public eye -- and not just when the authority comes up for reauthorization again in 2024 -- hastens the day when we will reaffirm our rights to privacy in the digital age.

This essay previously appeared in the Washington Post.




Hardware Security Is Best for Securing Healthcare, Finance IoT

Over the past year, we’ve seen a wave of high-profile cyberattacks, and all companies should be concerned. These attacks haven’t been limited to any one industry, but range from credit scores (Equifax) to health care (WannaCry ransomware attack). WannaCry, in particular, points to a growing threat: cyberattacks on infrastructure. As CNN explained, “The ransomware, called..

The post Hardware Security Is Best for Securing Healthcare, Finance IoT appeared first on Security Boulevard.



from Hardware Security Is Best for Securing Healthcare, Finance IoT

The Top Malware Families in Banking, Mobile, Ransomware, and Crypto-Mining of 2017

The second half of 2017 was busy in terms of digital security events. In September, consumer reporting agency Equifax announced a breach that potentially compromised the Social Security Numbers and other personal information of 143 million U.S. consumers. Less than two months later, organizations in Russia and Ukraine suffered infections at the hands of BadRabbit, […]

The post The Top Malware Families in Banking, Mobile, Ransomware, and Crypto-Mining of 2017 appeared first on The State of Security.

The post The Top Malware Families in Banking, Mobile, Ransomware, and Crypto-Mining of 2017 appeared first on Security Boulevard.



from The Top Malware Families in Banking, Mobile, Ransomware, and Crypto-Mining of 2017

The Cyber Law of War

A recent article in the New York Times postulated America may choose to respond to a devastating cyberattack with a nuclear response. In November of 2017, a widely viewed social media video entitled Slaughterbots suggested “swarms of AI-controlled drones [could] carry out strikes on thousands of unprepared victims with targeted precision.” Both of these articles raised […]

The post The Cyber Law of War appeared first on The State of Security.

The post The Cyber Law of War appeared first on Security Boulevard.



from The Cyber Law of War

Is There a Better Alternative to Active Directory®?

According to Gartner, public cloud adoption can save an organization 14% of their budget. So it makes sense that over the next year, IT admins are dedicating 80% of their...

The post Is There a Better Alternative to Active Directory®? appeared first on JumpCloud.

The post Is There a Better Alternative to Active Directory®? appeared first on Security Boulevard.



from Is There a Better Alternative to Active Directory®?

E-Discovery and Computer Forensics – How are They Different?

Introduction to E-Discovery E-discovery is the procedure by which parties involved in a legal case collect, preserve, review and exchange information in electronic format to use it as evidence in...


The post E-Discovery and Computer Forensics – How are They Different? appeared first on Security Boulevard.



from E-Discovery and Computer Forensics – How are They Different?

GandCrab ransomware distributed by RIG and GrandSoft exploit kits

Ransomware may have slowed its growth but is still a go-to payload for threat actors looking to monetize drive-by download attacks. The latest attempt: GandCrab ransomware.


The post GandCrab ransomware distributed by RIG and GrandSoft exploit kits appeared first on Malwarebytes Labs.

The post GandCrab ransomware distributed by RIG and GrandSoft exploit kits appeared first on Security Boulevard.



from GandCrab ransomware distributed by RIG and GrandSoft exploit kits

Incident Response and Computer Forensics

Introduction With the number of devices connected to the Internet exploding in recent years, the incidences of security breaches have likewise become a hot and rather disturbing topic. Within this...


The post Incident Response and Computer Forensics appeared first on Security Boulevard.



from Incident Response and Computer Forensics

Overview of Computer Forensics Linux Distributions

What is a Live CD? A live CD/DVD/Disk contains a complete bootable Operating System that runs in a computer’s memory, rather than loading from the hard disk. The CD itself is read-only. They allow...


The post Overview of Computer Forensics Linux Distributions appeared first on Security Boulevard.



from Overview of Computer Forensics Linux Distributions

An Infrastructure Plan in the 21st Century Needs to Address Cybersecurity

Shortly before tonight’s scheduled State of the Union address, U.S. President Trump released a long-awaited infrastructure plan. Its focus on upgrading our roads, bridges, tunnels and other physical infrastructure is welcome. But we need to do more than address these weak brick-and-mortar foundations. A real 21st century infrastructure plan needs to integrate digital infrastructure into physical upgrades and invest in innovative technologies that will keep America globally competitive and secure. 

Today, it’s just a fact that the technology which makes things like education and healthcare more accessible to more Americans – the rise of cloud, mobile and IoT – also makes us more vulnerable to cyberattacks. The stakes could not be greater, particularly when it comes to our critical infrastructure.

Cyberattacks on critical infrastructure are rising

The U.S. Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) recently detected coordinated efforts by malicious actors to compromise our critical infrastructure, including those organizations involved in government, aviation, power production, energy production and critical manufacturing sectors. Further, the U.S. Department of Energy reported last year that America’s electricity infrastructure was in “imminent danger” from cyberattacks that are “growing more frequent and sophisticated.”

It’s no surprise that cyberattacks on critical infrastructure are rising. Organizations in the sector are high-value targets because they’re weakly defended systems that, if hacked, could help disrupt a network of utilities or oil and gas companies, potentially cutting off essential public services such as electricity, gas and water.

Ensuring security of critical infrastructure requires collaboration

So, how can the federal government ensure the security of critical infrastructure in the implementation of a broader infrastructure plan?

For starters, government regulators need to work with industry to develop standards. For example, the Federal Energy Regulatory Commission (FERC) proposed new rules to protect the power grid from cyberattacks, and the U.S. Department of Commerce is expected to issue an update to its cybersecurity framework for critical infrastructure early this year. These are both laudable steps.

But, in an environment where attacks are probable more than possible, early detection is key. Every organization needs to proactively develop the tools and capability to rapidly respond and recover in the event of a breach or attack. That’s why Tenable recently began a partnership with global energy leader Siemens to help operators of critical infrastructure continuously monitor both their traditional IT environment and Industrial Control Systems (ICS) environment for indicators of compromise, proper configuration, the presence of vulnerabilities and changes of state to the endpoints.

The public and private sectors also need to work together to assess the security of critical infrastructure sectors and develop a risk-based approach to address it, similar to the widely successful NIST Cybersecurity Framework. More broadly, we need tech advocates in Congress like Reps. Will Hurd and Gerry Connolly to play a leading role in ensuring the latest technology and security solutions are seeded into proposals for new construction and upgrades.

Smart infrastructure investments must address digital infrastructure, too 

The bottom line? If America is going to invest $1 trillion in our infrastructure, it must include significant investments in digital infrastructure, so that we can take advantage of new innovations which will save lives, boost our economy and protect against the cybersecurity threats posed by a more connected society.

The post An Infrastructure Plan in the 21st Century Needs to Address Cybersecurity appeared first on Security Boulevard.



from An Infrastructure Plan in the 21st Century Needs to Address Cybersecurity

The Joy of Tech®, ‘The Magical Mystery Pod’

Via the non-trackable observations of Nitrozac and Snaggy at The Joy of Tech®'


The post The Joy of Tech®, ‘The Magical Mystery Pod’ appeared first on Security Boulevard.



from The Joy of Tech®, ‘The Magical Mystery Pod’

Protecting customers from being intimidated into making an unnecessary purchase

There has been an increase in free versions of programs that purport to scan computers for various errors, and then use alarming, coercive messages to scare customers into buying a premium version of the same program. The paid version of these programs, usually called cleaner or optimizer applications, purportedly fixes the problems discovered by the


The post Protecting customers from being intimidated into making an unnecessary purchase appeared first on Security Boulevard.



from Protecting customers from being intimidated into making an unnecessary purchase

Can I Replace Active Directory with Google IdP?

Microsoft® Active Directory® is the most popular identity and access management (IAM) platform in the world. Introduced in 1999, it quickly became the standard identity provider (IdP) for organizations. With...

The post Can I Replace Active Directory with Google IdP? appeared first on JumpCloud.

The post Can I Replace Active Directory with Google IdP? appeared first on Security Boulevard.



from Can I Replace Active Directory with Google IdP?

Professionally Evil Web App Pen Testing 101 Course

Since our founding in 2010, Secure Ideas has always tried to focus on education and increasing the amount of available knowledge in our field. As such, we have contributed to courses, presented at conferences around the world and contributed to open source projects. Two years ago we announced our free training for veterans and first …

The post Professionally Evil Web App Pen Testing 101 Course appeared first on Security Boulevard.



from Professionally Evil Web App Pen Testing 101 Course

Other Types of Questions on the Security+ Exam

Introduction In addition to performance-based questions, the Security+ exam also involves some other types of questions that include Multiple Choice, Fill in the Blanks, and Drag and Drops, according...


The post Other Types of Questions on the Security+ Exam appeared first on Security Boulevard.



from Other Types of Questions on the Security+ Exam

From my Gartner Blog – The “working with an MSSP” Tome Is Here

As Anton just posted, the new version of the famous “How to Work With an MSSP to Improve Security” has just been published. I’m very happy to become a co-author (together with Anton and Mike Wonham) on this document, as it is one of the documents I most frequently refer clients to during inquiry calls. After all, it’s very common to start a call about SIEM, UEBA, NTA or EDR and end it talking about MSS, after the client realizes that using those tools requires people – a lot of people – on their side.

Among lots of exciting new content (this is indeed a looooong document :-)), there is a new guidance framework for those looking for (and eventually hiring) an MSSP, shown as a diagram in the original post.

You’ll notice that we added “joint content development” as part of the Operating phase. This is something we also added to the recently updated Use Cases document. After all, there’s no reason to believe the MSSP knows everything you want them to detect for you; so, how do you tell them that? If you hired an MSSP, do you know if you still have people on your side capable of working with them to develop content?

There is also an important reminder for organizations expecting to have the entire security monitoring process managed by the service provider:

“When customers perform triage, they will often find cases of false positives. Many organizations don’t report these back to the MSSP, only to complain later that they keep receiving the same false-positive alerts repeatedly! Although the MSSP is responsible for tuning the detection systems it manages, such tuning typically requires feedback from the customer. This feedback goes beyond a simple statement like, ‘This alert is a false positive.’ Adding context about why the alert is a false positive will allow the MSSP to perform the appropriate tuning. It will also avoid cases where entire classes of alerts are disabled due to uncertainty around what type of activity is causing them.”

I had countless conversations with organizations complaining about the false positives sent by the MSSP. But it’s impressive how many of them are not prepared to report back those events to the provider in a way that would allow them to tune their systems and avoid a similar occurrence in the future. This is a recurrent theme in this document: You MUST WORK WITH THE MSSP, not expect them to figure everything out alone.

We have this and far more in the doc; please read it and don’t forget to provide feedback: http://surveys.gartner.com/s/gtppaperfeedback

 

 

The post The “working with an MSSP” Tome Is Here appeared first on Augusto Barros.

from Augusto Barros http://ift.tt/2EmY5iN
via IFTTT

The post From my Gartner Blog – The “working with an MSSP” Tome Is Here appeared first on Security Boulevard.



from From my Gartner Blog – The “working with an MSSP” Tome Is Here

11 Points to Consider When Virtualizing Security

Virtualized computing resources can save organizations money, but awareness of the security implications must be to the fore in any discussion. As the name suggests, virtualization creates a virtual...


The post 11 Points to Consider When Virtualizing Security appeared first on Security Boulevard.



from 11 Points to Consider When Virtualizing Security

Ransomware scammers scammed…

…but that doesn’t help the victims. John Leyden for The Register: Scammers become the scammed: Ransomware payments diverted with Tor proxy trickery. So the victim pays the original scammer via the onion[.]top Tor proxy, but another scammer redirects the payment via a Man-in-the-Middle attack to their own Bitcoin account, so even if the scammer was intending to […]

The post Ransomware scammers scammed… appeared first on Security Boulevard.



from Ransomware scammers scammed…

5 Social Media Site Privacy Issues You Should Worry About

Introduction I recently took my Amazon Alexa device to a friend’s home so they could see what I had been going on about for months. The friend and her husband, both millennials, instantly reacted...


The post 5 Social Media Site Privacy Issues You Should Worry About appeared first on Security Boulevard.



from 5 Social Media Site Privacy Issues You Should Worry About

Looking ahead: 9 threat trends in 2018

Cyberattacks are continuing to increase in number and severity every year, and 2018 will be no exception. We believe that many of the threats we observed in 2017 will, unfortunately, appear in evolved forms this year to continue threatening our businesses, personal data, and privacy via attacks on our PCs, smartphones and IoT devices. After all, as trends in politics, society, and technology evolve, so does cybercrime.

The post Looking ahead: 9 threat trends in 2018 appeared first on Security Boulevard.



from Looking ahead: 9 threat trends in 2018

5 Easy Ways to Protect Your Small Business from Phishing Attacks

Your business is vulnerable to phishing attacks, no matter what size it is. According to the 2016 State of SMB Security Report, half of the 28 million small businesses in the US have been breached;...


The post 5 Easy Ways to Protect Your Small Business from Phishing Attacks appeared first on Security Boulevard.



from 5 Easy Ways to Protect Your Small Business from Phishing Attacks

Our Updated MSSP and MDR Guidance Publishes

While Augusto may disagree, this is probably one of our top 3 favorite papers we’ve written, and it has been UPDATED. Hello world! Please welcome “How to Work With an MSSP to Improve Security”, 2018 update (Gartner GTP access required). Apart from content updates and new MDR coverage, it now features a juicy new guidance […]

The post Our Updated MSSP and MDR Guidance Publishes appeared first on Security Boulevard.



from Our Updated MSSP and MDR Guidance Publishes

AWS, Journey Through the Cloud – Security Best Practices


The post AWS, Journey Through the Cloud – Security Best Practices appeared first on Security Boulevard.



from AWS, Journey Through the Cloud – Security Best Practices

Meltdown/Spectre Update

In addition to establishing an aggressive and proactive patch-and-replace protocol, it is essential that organizations have layers of security in place designed to detect malicious activity and malware, and to protect vulnerable systems.

The post Meltdown/Spectre Update appeared first on Security Boulevard.



from Meltdown/Spectre Update

FortiGuard Labs Discovers Vulnerability in Asus Router

Over the last few weeks, ASUS released a series of patches aimed at addressing a number of vulnerabilities discovered in their RT routers running AsusWRT firmware. The models listed at the end of this post are known to be vulnerable. If you are not sure which model or firmware you are using, I recommend double-checking the ASUS support website to get the latest information and updates.

The post FortiGuard Labs Discovers Vulnerability in Asus Router appeared first on Security Boulevard.



from FortiGuard Labs Discovers Vulnerability in Asus Router

Tuesday, January 30, 2018

Subway Elevators and Movie-Plot Threats

Local residents are opposing adding an elevator to a subway station because terrorists might use it to detonate a bomb. No, really. There's no actual threat analysis, only fear:

"The idea that people can then ride in on the subway with a bomb or whatever and come straight up in an elevator is awful to me," said Claudia Ward, who lives in 15 Broad Street and was among a group of neighbors who denounced the plan at a recent meeting of the local community board. "It's too easy for someone to slip through. And I just don't want my family and my neighbors to be the collateral on that."

[...]

Local residents plan to continue to fight, said Ms. Gerstman, noting that her building's board decided against putting decorative planters at the building's entrance over fears that shards could injure people in the event of a blast.

"Knowing that, and then seeing the proposal for giant glass structures in front of my building -- ding ding ding! -- what does a giant glass structure become in the event of an explosion?" she said.

In 2005, I coined the term "movie-plot threat" to denote a threat scenario that caused undue fear solely because of its specificity. Longtime readers of this blog will remember my annual Movie-Plot Threat Contests. I ended the contest in 2015 because I thought the meme had played itself out. Clearly there's more work to be done.



from Subway Elevators and Movie-Plot Threats

Cisco Fixes 10.0 CVSS-Scored RCE Bug Affecting Its ASA Software

Cisco has patched a remote code execution (RCE) vulnerability bearing a “perfect” CVSS score of 10.0 that affects its Adaptive Security Appliance (ASA) software. On 29 January, the American multinational technology conglomerate publicly recognized the security issue (CVE-2018-0101) and revealed that it affects the ASA software found in the following 10 Cisco products: 3000 Series […]

The post Cisco Fixes 10.0 CVSS-Scored RCE Bug Affecting Its ASA Software appeared first on The State of Security.

The post Cisco Fixes 10.0 CVSS-Scored RCE Bug Affecting Its ASA Software appeared first on Security Boulevard.



from Cisco Fixes 10.0 CVSS-Scored RCE Bug Affecting Its ASA Software

Oracle MICROS POS breached again

The security issue of POS systems is nothing new. Breaches in point-of-sale payment terminals have already been highlighted in the media. Taking into consideration that this device is connected with personal information, orders and card details, small wonder that it often becomes a hacker’s coveted choice. What matters here is that in 2016, Oracle MICROS […]

The post Oracle MICROS POS breached again appeared first on ERPScan.

The post Oracle MICROS POS breached again appeared first on Security Boulevard.



from Oracle MICROS POS breached again

BYOD and Securing It to Protect Your Organization

BYOD, which stands for bring-your-own-device, is an important concept. With its supporting technologies it is accelerating telecommuting and collaboration in the workplace at a rapid pace. When selecting a BYOD strategy it is important to focus on some key areas. Understand your users’ needs. Establish clear policies. Define the discovery and enrollment process. Customize the…

The post BYOD and Securing It to Protect Your Organization appeared first on CCSI.

The post BYOD and Securing It to Protect Your Organization appeared first on Security Boulevard.



from BYOD and Securing It to Protect Your Organization

The RSA Archer Business Risk Management Reference Architecture

The RSA® Archer® Business Risk Management Reference Architecture is a high-level visual representation of the framework needed within an organization to understand and manage risk and compliance obligations across the enterprise.

The post The RSA Archer Business Risk Management Reference Architecture appeared first on Security Boulevard.



from The RSA Archer Business Risk Management Reference Architecture

Financial Fraud in the Digital Banking Age

Banking-as-a-service will allow customers to transact with their financial institution more often and from more channels. This is expected to drive significant challenges as it pertains to fraud management. Hear how financial institutions can embrace the changes and what the role of trusted identity might look like in the future.

The post Financial Fraud in the Digital Banking Age appeared first on Security Boulevard.



from Financial Fraud in the Digital Banking Age

China Gifts the African Union a 21st Century Trojan Horse

China’s intelligence community demonstrated its appetite for high-risk espionage operations—and evidenced it had “cojones” at least as large as Chicago’s Millennium Park’s egg—when it built the African Union (AU) headquarters in Addis Ababa, Ethiopia. It turns out the Chinese gift was a 21st century Trojan Horse, according to the French daily newspaper, Le Monde. The..

The post China Gifts the African Union a 21st Century Trojan Horse appeared first on Security Boulevard.



from China Gifts the African Union a 21st Century Trojan Horse

Study: Alarming Number of Fortune 500 Credentials Found in Data Leaks

Data breaches are common in the news lately, but a recent study by credential monitoring firm Vericlouds focuses specifically on the credentials of Fortune 500 employees found in account leaks posted online. Using a corpus of 8 billion stolen credentials gathered over three years, the total number of employees of each Fortune 500 company was […]

The post Study: Alarming Number of Fortune 500 Credentials Found in Data Leaks appeared first on The State of Security.

The post Study: Alarming Number of Fortune 500 Credentials Found in Data Leaks appeared first on Security Boulevard.



from Study: Alarming Number of Fortune 500 Credentials Found in Data Leaks

Survey: Nearly Half of Respondents Lack Confidence in Security Both Personally and Professionally

Americans are showing an interesting disconnect in their perception of personal cybersecurity. More than four in 10 (43 percent) U.S. adults have experienced a personal data breach in the past three years, according to a recent University of Phoenix College of Information Systems and Technology cybersecurity survey. The lack of confidence in security is both […]

The post Survey: Nearly Half of Respondents Lack Confidence in Security Both Personally and Professionally appeared first on The State of Security.

The post Survey: Nearly Half of Respondents Lack Confidence in Security Both Personally and Professionally appeared first on Security Boulevard.



from Survey: Nearly Half of Respondents Lack Confidence in Security Both Personally and Professionally

Average CASS Salary in 2018

Introduction Our last article examined the salaries, job trends, and the relevant certifications for Web Application Penetration Testing. As was discussed, this will be an explosive area of...


The post Average CASS Salary in 2018 appeared first on Security Boulevard.



from Average CASS Salary in 2018

Average Web Application Penetration Testing Salary in 2018

Introduction For businesses and corporations, it is crucial to secure web based applications. After all, it is not just their bottom line at stake, but their brand, reputation, and most importantly...


The post Average Web Application Penetration Testing Salary in 2018 appeared first on Security Boulevard.



from Average Web Application Penetration Testing Salary in 2018

Diginomica on How RNIB Tackles Homeworker Compliance Issues with Semafone

The post Diginomica on How RNIB Tackles Homeworker Compliance Issues with Semafone appeared first on Semafone.

The post Diginomica on How RNIB Tackles Homeworker Compliance Issues with Semafone appeared first on Security Boulevard.



from Diginomica on How RNIB Tackles Homeworker Compliance Issues with Semafone

Phishing Attacks in the Shipping Industry

Introduction The good old email is still the cybercriminals’ most preferred avenue for unauthorized access to your technological (and other) assets. As many as 9 out of 10 cyberattacks start with a...


The post Phishing Attacks in the Shipping Industry appeared first on Security Boulevard.



from Phishing Attacks in the Shipping Industry

Phishing Attacks in the Electronics Industry

Introduction The electronics industry, popularly known as consumer electronics, developed in the twentieth century and has now turned into a worldwide industry worth billions of dollars. Most...


The post Phishing Attacks in the Electronics Industry appeared first on Security Boulevard.



from Phishing Attacks in the Electronics Industry

How to Restore Metadata in Salesforce Without Using Force.com IDE

Every Salesforce administrator and developer needs a better way to restore Salesforce metadata – that’s why Spanning Backup for Salesforce now provides automated Metadata Restore for Dashboards, Reports, Email, Layouts, Objects, Permission Sets, Profiles, Reports, Roles, Triggers, and Workflows. Why does this new feature matter? It’s incredibly easy to accidentally delete a Custom Field during […]

The post How to Restore Metadata in Salesforce Without Using Force.com IDE appeared first on Security Boulevard.



from How to Restore Metadata in Salesforce Without Using Force.com IDE

XKCD, Night Sky


The post XKCD, Night Sky appeared first on Security Boulevard.



from XKCD, Night Sky

Managed Identities

While at surface level it may seem like a simple task, controlling and securing identities can actually become quite a significant responsibility. Historically, IT organizations have leveraged the on-prem solution...

The post Managed Identities appeared first on JumpCloud.

The post Managed Identities appeared first on Security Boulevard.



from Managed Identities

Phishing Attacks in the Recreation Industry

Introduction When it comes to phishing schemes, the world of recreation may appear safer than more finance-oriented pursuits like banking, cloud storage, and payment enterprises. But the reality is,...


The post Phishing Attacks in the Recreation Industry appeared first on Security Boulevard.



from Phishing Attacks in the Recreation Industry

Security Testing: At What Level?

Now that we are on the subject of testing security and breach/attack simulation tools, one more interesting question arises: if you test security, what constitutes a “pass”? Or, alternatively, at what level do you test? Think back to the infamous bear analogy. In security, it is NOT a certainty that it is enough to outrun the […]

The post Security Testing: At What Level? appeared first on Security Boulevard.



from Security Testing: At What Level?

Phishing Attacks in the Manufacturing Industry

Introduction In the second quarter of 2017, the manufacturing industry was the most targeted by cyber-attacks, with 24% of attacks globally, according to NNT Security report. According to Dark...


The post Phishing Attacks in the Manufacturing Industry appeared first on Security Boulevard.



from Phishing Attacks in the Manufacturing Industry

UK Critical Infrastructure Firms Could Face £17m Fine for Inadequate Cybersecurity

Organizations operating critical infrastructure could face hefty fines of up to £17m if they lack adequate cybersecurity measures, the UK government announced over the weekend. The penalties would apply to energy, transport, water and health firms that “fail to have the most robust safeguards in place against cyber attack,” the UK government said in a […]

The post UK Critical Infrastructure Firms Could Face £17m Fine for Inadequate Cybersecurity appeared first on The State of Security.

The post UK Critical Infrastructure Firms Could Face £17m Fine for Inadequate Cybersecurity appeared first on Security Boulevard.



from UK Critical Infrastructure Firms Could Face £17m Fine for Inadequate Cybersecurity