Security News > 2021 > November

Microsoft Active Directory and Azure Active Directory are directory services products used for identity and access management at most major enterprises all over the world. All Active Directory environments are vulnerable to a type of attack called identity attack paths.

What excites a security professional is not exciting for developers because, at the end of the day, a developer needs to build, not to break. While it can be fun to find and exploit a security vulnerability, this should not be the goal of secure coding training.

In this interview with Help Net Security, she talks about her take on the CISO role and offers advice for those who aspire to fulfill it one day. The company then created the first Information Security Officer role, which I stepped into to work on building out a security-first approach.

The 9th edition of the ENISA Threat Landscape report released by the European Union Agency for Cybersecurity highlights the surge in cybercriminality motivated by monetization using ransomware or cryptojacking. EU Agency for Cybersecurity Executive Director, Juhan Lepassaar stated that "Given the prominence of ransomware, having the right threat intelligence at hand will help the whole cybersecurity community to develop the techniques needed to best prevent and respond to such type of attacks. Such an approach can only rally around the necessity now emphasized by the European Council conclusions to reinforce the fight against cybercrime and ransomware more specifically."

Despite increasing cyberattacks targeting data in the cloud, 83% of businesses are still failing to encrypt half of the sensitive data they store in the cloud, raising even greater concerns as to the impact cyber criminals can have. 40% of organizations have experienced a cloud-based data breach in the past 12 months, according to a study conducted by 451 Research.

80% of IT and security professionals plan to increase spending on their cybersecurity posture management over the next 12-18 months, according to a Balbix survey. Organizations will put that money toward cyber-risk quantification tools, cloud security posture management and security asset management.

IDC announced its worldwide IT industry predictions for 2022 and beyond. "Digital is now a permanent, yet dynamic fixture in our world, and the IT and Communications industries themselves will be among the most transformed in the next few years. CIOs must establish procurement, development, and operations teams that align with as-a-service and outcomes-centric technology delivery models while ICT providers primary task is to help enterprises share, use, govern and increase the value of data," said IDC Group Vice President for Worldwide Research, Rick Villars.

Google on Monday announced that it will pay security researchers to find exploits using vulnerabilities, previously remediated or otherwise, over the next three months as part of a new bug bounty program to improve the security of the Linux kernel. To that end, the company is expected to issue rewards worth $31,337 for exploiting privilege escalation in a lab environment for each patched vulnerability, an amount that can climb up to $50,337 for working exploits that take advantage of zero-day flaws in the kernel and other undocumented attack techniques.

A novel class of vulnerabilities could be leveraged by threat actors to inject visually deceptive malware in a way that's semantically permissible but alters the logic defined by the source code, effectively opening the door to more first-party and supply chain risks. Dubbed "Trojan Source attacks," the technique "Exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers," Cambridge University researchers Nicholas Boucher and Ross Anderson said in a newly published paper.

A surge in spearphishing emails designed to steal Office 365 credentials were rigged to look like they came from a Kaspersky email address. Office 365 credentials are a common target for phishing attacks.