Why digital trust is the bedrock of business relationships
2022-10-04 05:00

In this Help Net Security video, David Samuelson, CEO at ISACA, talks about how enterprises approach digital trust. While nearly 98% of respondents to an ISACA survey say that digital trust is essential, and 63% say that digital trust is relevant to their jobs, only 12% of their organizations have a dedicated staff role for digital trust.

What should investing in cybersecurity look like for a technology organization?
2022-10-04 04:30

To withstand cyberattacks, businesses must continually update internal systems and avoid hasty tech upgrades that might open the door to attackers. In this Help Net Security video, Phillip Verheyden, Security Engineer at Shipwell, discusses the challenges technology organizations face when investing in cybersecurity and offers tips for CISOs, from securing development to dealing with phishing attacks.

Is mandatory password expiration helping or hurting your password security?
2022-10-04 04:00

In recent years organizations such as NIST and Microsoft have abandoned this longstanding best practice and are now recommending against mandatory password expiration. From Microsoft's perspective it is far better for a user to create a strong but unchanging password than to simply create a password that barely adheres to the organization's minimal password requirements and then make small changes to that password each time that the organization requires the password to be changed.

Incident responders increasingly seek out mental health assistance
2022-10-04 03:30

Incident responders are primarily driven by a strong sense of duty to protect others. The global survey of over 1100 cybersecurity incident responders in 10 markets revealed trends and challenges that incident responders experience due to the nature of their profession.

HTTP request smuggling vulnerability in Node.js (CVE-2022-35256)
2022-10-04 03:00

In this Help Net Security video, Austin Jones, Principal Software Engineer at ThreatX, explains what HTTP request smuggling is, and discusses a recently uncovered HTTP request smuggling vulnerability in Node.js. This vulnerability allows an attacker to bypass security controls on the target server to conduct any nefarious activities.

Giveaways for every security professional
2022-10-04 03:00

We're talking about the range of free educational resources from SANS, targeted at every job level from apprentice to senior professional. These sneaky free materials will give you easy-to-use shortcuts covering topics from cloud security to DevSecOps to digital forensics and incident response.

Atlassian, Microsoft bugs on CISA’s must-patch list after exploitation spree
2022-10-04 00:31

The Cybersecurity and Infrastructure Security Agency late on Friday placed the flaw - tracked as CVE-2022-36804 - on its catalog of Known Exploited Vulnerabilities, effectively a must-patch list. CISA put the vulnerability in Bitbucket Server and Data Center tools on the KEV list on the same day as two high-profile Microsoft Exchange zero-day flaws.

TD Bank discloses data breach after employee leaks customer info
2022-10-03 22:42

TD Bank has disclosed a data breach affecting an undisclosed number of customers whose personal information was stolen by a former employee and used to conduct financial fraud. TD Bank is one of the largest banks in the United States by deposits, operating 1,220 branches and employing over 26,000 people.

Online romance scamlord who netted $9.5m jailed for 25 years
2022-10-03 22:15

A man in the US has been jailed for 25 years after using dating websites, email scams, and other online swindles to steal more than $9.5 million from companies and individuals. Elvis Eghosa Ogiekpolor, 46, of Norcross, Georgia, was part of an "International network of online fraudsters and money launderers," US Attorney Ryan Buchanan said today.

Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub
2022-10-03 21:47

Scammers are impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for newly discovered Microsoft Exchange zero-day vulnerabilities. Last week, Vietnamese cybersecurity firm GTSC disclosed that some of their customers had been attacked using two new zero-day vulnerabilities in Microsoft Exchange.