Security News

Three new security flaws have been disclosed in Microsoft Azure API Management service that could be abused by malicious actors to gain access to sensitive information or backend services. This includes two server-side request forgery flaws and one instance of unrestricted file upload functionality in the API Management developer portal, according to Israeli cloud security firm Ermetic.

"There are secrets in Jenkins, secrets in my TerraForm script, in my Infrastructure as a Service script. I have secrets everywhere." The deployment of centralized secrets management solution is arguably the best way to properly address these issues.

Cisco disclosed today a zero-day vulnerability in the company's Prime Collaboration Deployment software that can be exploited for cross-site scripting attacks. Tracked as CVE-2023-20060, the bug was found in the web-based management interface of Cisco PCD 14 and earlier by Pierre Vivegnis of the NATO Cyber Security Centre.

Traditional metrics such as CVSS score or the number of vulnerabilities are insufficient for effective vulnerability management as they lack business context, prioritization, and understanding of attackers' opportunities. Modern vulnerability management integrates security tools such as scanners, threat intelligence, and remediation workflows to provide a more efficient and effective solution.

In the complex and fast-moving world of cybersecurity-meets-regulations, working with third parties requires diligent third-party risk management oversight to monitor data management and processes. Improving InfoSec risk management can provide insights into how data is handled, the security safeguards in place to protect that data, potential security weaknesses, and better adherence to the multitude of data, security, and privacy regulations.

Google on Thursday outlined a set of initiatives aimed at improving the vulnerability management ecosystem and establishing greater transparency measures around exploitation. Mitigating such risks requires addressing the root cause of the vulnerabilities and prioritizing modern secure software development practices to eliminate entire classes of threats and block potential attack avenues.

With the world moving toward password-free and low-friction user verification systems, identity access management provider PingIdentity has joined the raft of cybersecurity vendors embracing decentralized identity management. Enter decentralized identity solutions: instead of identity verification being handled by each enterprise issuing a credential, identity is distributed across a network.

Although more than 72% of companies indicate they have an Insider Risk Management program in place, the same companies experienced a year-over-year increase in data loss incidents of 32%, and 71% expect data loss from insider events to increase in the next 12 months. With insider incidents costing organizations $16M per incident on average, and CISOs stating that insider risks are the most challenging type of threat to detect, the report is a clear call to action for the security industry to 'do better' and help professionals solve this challenge.

The research showed that the majority of IT teams leverage more than one IT infrastructure, a trend that's expected to intensify in the future, but struggle with visibility of data across environments with only 40% reporting complete visibility into where their data resides. "Organizations are grappling with current application and data management across the edge, different clouds and in the core. There's a need in the market for a cloud operating model to help build, operate, use, and govern a hybrid multicloud to support all types of applications - starting today and planning for tomorrow," Caswell continued.

Hybrid work has exposed another area of vulnerability, with 70% of government workers reporting they work virtually at least some of the time, according to Ivanti. The report found that 5% of government workers have fallen victim to a phishing attempt - either by clicking a link or sending money.