Security News

Week in review: Infosec career misconceptions and challenges, early warning signs of ransomware
2020-09-27 07:55

CISA orders federal agencies to implement Zerologon fix

If you had any doubts about the criticality of the Zerologon vulnerability affecting Windows Server, here is a confirmation: the US Cybersecurity and Infrastructure Security Agency has issued an emergency directive instructing federal agencies to "Immediately apply the Windows Server August 2020 security update to all domain controllers."

NIST guide to help orgs recover from ransomware, other data integrity attacks

The National Institute of Standards and Technology has published a cybersecurity practice guide enterprises can use to recover from data integrity attacks, i.e., destructive malware and ransomware attacks, malicious insider activity or simply mistakes by employees that have resulted in the modification or destruction of company data.

Wondering how to tell the world you've been hacked? Here's a handy guide from infosec academics
2020-09-24 16:46

Infosec boffins at the University of Kent have developed a "Comprehensive playbook" for companies who, having suffered a computer security breach, want to know how to shrug off the public consequences and pretend everything's fine. In a new paper titled "A framework for effective corporate communication after cyber security incidents," Kent's Dr Jason Nurse, along with Richard Knight of the University of Warwick, devised a framework for companies figuring out how to publicly respond to data security breaches and similar incidents where servers are hacked and customer records end up in the hands of criminals.

Infosec pros struggle to find opportunities to improve their work skills
2020-09-23 04:30

68 percent of respondents report investing their own free time, outside working hours, to improve their cyber skills. 46 percent of organizations do not confirm new hire skills for specific roles, and 40 percent rarely or never assess the skills of newly onboarded team members.

Qualys Multi-Vector EDR: Providing infosec teams with actionable visibility into their endpoints
2020-09-23 02:30

Qualys announced the immediate availability of Qualys Multi-Vector EDR. Taking a new multi-vector approach to Endpoint Detection and Response, Qualys now brings the unified power of its highly scalable cloud platform to EDR. "Qualys Multi-Vector EDR provides our Infosec team with actionable visibility into our endpoints in terms of detecting malicious hashes provided by intelligent agencies as well as detecting potential malicious attacks through authorized processes, to keep our company assets secure." "Unfortunately, not all organizations have such a focus. Nevertheless, weaving in threat intelligence enables Qualys to combine in-house context and vulnerability management-driven prioritization with external context, representing an opportunity to achieve something greater than the majority of the market to date," said Mark Child, research manager, European Security, IDC. "We are proud to deliver Multi-Vector EDR to customers and extend into the detection and response market," said Philippe Courtot, chairman and CEO of Qualys.

Voatz Under Fire From Infosec Community Over Its Views on Security Research
2020-09-16 04:08

In the amicus brief it filed, Voatz suggests that only authorized security research should be considered lawful, but not independent security research, even if in good faith. "It is clear security research has tangibly improved the safety and security of systems we depend upon. It is not a given that this vital security work will continue. A broad interpretation of the CFAA would magnify existing chilling effects, even when there exists a societal obligation to perform such research," the letter reads.

Infosec big names rally against US voting app maker's bid to outlaw unsanctioned bug hunting via T&Cs
2020-09-15 01:08

About 70 members of the computer security community on Monday challenged US voting app maker Voatz's effort to dictate the terms under which bug hunters can look for code flaws. Earlier this month, Massachusetts-based Voatz filed an amicus brief in Van Buren v. United States, a case being heard by the US Supreme Court that will determine the scope of the US Computer Fraud and Abuse Act, a cybersecurity law long criticized for its ambiguity.

CREST exam cheat-sheet scandal: New temp chairman at UK infosec body as lawyers and ex-copper get involved
2020-08-21 15:10

British infosec accreditation body CREST has appointed an ex-police officer to investigate the NCC Group exam cheat-sheet scandal as its chairman temporarily steps aside. The accreditation body has been rocked by revelations from The Register that major industry player NCC Group's training material was leaked in a GitHub repo alongside cheat sheets to help candidates pass accreditation exams the first time.

New infosec products of the week: August 21, 2020
2020-08-21 04:00

Offensive Security has released Kali Linux 2020.3, the latest iteration of the popular open source penetration testing platform. Elastic Security 7.9 delivers a major milestone toward endpoint security integrated into the Elastic Stack.

CREST cancels two UK infosec accreditation exams after fresh round of 'cheat sheets' are leaked online
2020-08-17 17:10

British infosec accreditation body CREST has suspended all of its accreditation exams after The Register revealed a published cache of files including what appeared to be internal exam sheets as well as docs apparently tied to key industry player NCC Group. We understand from sources that the security body has suspended all of its CREST Certified Infrastructure Tester and CREST Certified Web Application Tester exams for up to a month while their contents are reviewed.