Security News

Your company takes compliance and security very seriously, but you've no idea what or how to layer on top of AWS's existing security and compliance protocols to achieve levels necessary for compliance certification. In this case and others, passing a compliance audit may prove particularly problematic even though your company is committed to performing at or above baseline legal requirements.

The US Financial Industry Regulatory Authority has issued a regulatory notice warning US brokerage firms and brokers of an ongoing phishing campaign using fake compliance audit alerts to harvest information. The domain used in these ongoing phishing attacks was registered just two days ago, on March 3rd, using the NameCheap domain name registrar.

Secondly, a given password might be somewhat easy to guess, despite existing password requirements. Password changes only occur via the user or Active Directory administrator.

Find out what your company could risk by not getting cybersecurity audits. Steven Wertheim, president of SonMax Consultants, in his CPA Journal article Auditing for Cybersecurity Risk makes a strong case that auditing should be a part of every cybersecurity defense program.

The Ministry of Defence's multibillion budget overrun has been caused in part because of its spending splurge on flashy new "Cyber" capabilities, according to the National Audit Office. The MoD faces a budget black hole measured in billions thanks to its profligacy - and even the announcement of a cash top-up of £4bn per year between now and 2024, on top of its £41.2bn annual budget, won't be enough to plug it, according to the auditors.

Through most of 2020 bans on Chinese apps have meant geopolitical strife, but China yesterday revealed it has started banning some of its own apps. A ban on 34 apps was among the nuggets of news revealed, with their banishment from local app stores the result of a departmental trawl of 320,000 apps offered in local download-marts.

Shujinko launched AuditX, a SaaS platform that simplifies, automates and modernizes the enterprise cloud security compliance audit process to make it up to 3x faster and dramatically simpler. Simultaneously, the company announced its Automated Evidence Collection Engine, the industry's first platform for automatically orchestrating, collecting and transforming compliance evidence directly from public cloud platforms and other SaaS systems.

The US Department of the Interior spectacularly failed its latest computer security assessment, mostly for a lack of Wi-Fi defenses. The infosec experts also noted other security shortfalls, such as a lack of network segmentation that would allow intruders to casually move between systems, incomplete inventory records of wireless networks, and a reliance on pre-shared keys that could be exploited by miscreants to eavesdrop on network traffic.

CISOs are tasked with preparing for more than three audits on average in the next 6-12 months, but struggle with inadequate tools, limited budgets and personnel, and inefficient manual processes. "This survey clearly shows that CISOs at major companies are caught between a rock and hard place when it comes to security and compliance audits over the second half of 2020 and want automated tools to help dig them out. Unfortunately, they're simply not able to find them," said Scott Schwan, Shujinko CEO. "Teams are cobbling together scripts, shared spreadsheets, ticketing systems and a hodgepodge of other applications to try to manage, resulting in inefficiency, lengthy preparation and limited visibility. More than two-thirds of CISOs are looking for something better."

Calendars for security and compliance audits are largely unchanged despite COVID-19, but the pandemic is straining security teams as they work remotely, according to the findings of a recent survey by automated audit prep provider Shujinko. The survey of North American CISOs documented the challenges facing security and compliance professionals preparing for a wave of upcoming audits and was conducted by Pulse in late June 2020.