What’s New in InsightAppSec and tCell: Q4 2020 in Review
It’s crazy to believe 2020 has come to an end, and we’re sure we’re not alone in our excitement for 2021! Without a doubt, 2020 has presented some challenges for us all in the security world, as many companies quickly adopted a work-from-home model and pivoted from an in-store experience quickly ...
Set New InsightVM Goals and Share with Your Team for Increased Visibility and More Efficient Execution
Since 2018, thousands of enterprises have utilized InsightVM’s Goals and SLAs feature to build their organization-specific security goals. Through Goals and SLAs, security teams ensure that they’re making progress toward their goals and service-level agreements (SLAs) at an appropriate pace, and th...
Applied ThreadFix: Seeding Your Application Portfolio with OWASP Amass
OWASP Amass is a great tool for asset discovery and enterprise attack surface mapping. It pulls data from a number of different data sources and identifies potential hosts and applications associated with organizations, domains, IP CIDRs and other identifiers. As we have noted, having a solid...
CISO Stressbusters: Post #2: 4 tips for getting the first 6 months right as a new CISO
In your first six months in a new Chief Information Security Officer (CISO) role, you will often be tasked with building a security program. For some of us this is the most exciting part of the job, but it can also be stressful. You’re probably working under a deadline. Plus, it can be difficult to...
Microsoft Shells Out $100K for IoT Security
Microsoft has launched a bug-bounty program for its Azure Sphere offering, which is a security suite for the internet of things (IoT) that encompasses hardware, OS and cloud elements. The top reward will come in at $100,000. The Azure Sphere Security Research Challenge is an expansion of a program...
Time for Reflection and Thanks
Most of the programs I ran used calendar years for project planning, budgets, etc. I always found November to be a good time to reflect on the progress made, plan for the next year, and give thanks for all the positive steps in the right direction. In general, I followed the SWOTT method for...
ID Thieves Turn to Snail Mail as Juicy Target for Financial Crimes
As it gets harder for cybercriminals to bypass business email compromise (BEC) defenses, some hackers are switching from email scams to real-mail cons. Researchers at Flashpoint said they are monitoring hacker forums where criminals are swapping tips on a growing ID theft and financial crime area,...
Internet Bug Bounty: CVE-2019-11043: a buffer underflow in fpm_main.c can lead to RCE in php-fpm
The vulnerability exists in php-fpm because of a missing bounds check in fpm_main.c. If the FastCGI variable PATH_INFO is empty, the underflow happens when the code tries to calculate the value of the path_info variable. An invalid pointer in path_info leads to a single-byte out-of-bounds write, which...
When Checking the Box Results in Two Zero Days and Root (CVE-2019-14257 and CVE-2019-14258)
Finding new bugs and exploiting them can be exciting and fun for a penetration tester. I was ecstatic to find my first two zero-days, and I used them to break a system from no access to root. This was a good day for me - but the story behind the story provides some real lessons enterprises can...
D-Link Agrees to 10 Years of Security Audits to Settle FTC Charges
Taiwanese networking equipment manufacturer D-Link has agreed to implement a "comprehensive software security program" in order to settle a Federal Trade Commission (FTC) lawsuit alleging that the company didn't take adequate steps to protect its consumers from hackers. Your wireless router is the...
Top 5 Threat Hunting Myths: “Threat Hunting Isn’t Worth My Time”
The cybersecurity landscape is in a constant state of change and, as many organizations have learned, it’s no longer a matter of if you’ll face a cyberattack, but when. In today’s world, attackers intentionally look normal to evade automated defenses. With the rise of ransomware, fileless and...
USPS, Amazon Data Leaks Showcase API Weaknesses
The annual holiday buying bonanza has officially kicked off for 2018, and, as if on cue, a pair of security incidents at two of the most-used services this time of year – the U.S. Postal Service and Amazon – showed up to remind us of the dangers of shopping season. Both hinged on improper API use...
No Data is an Island: One Infosec Pro’s Experience As a Consumer Involved in a Data Breach
British Airways (BA) was hit by a major breach that resulted in a loss of customer records. I was notified promptly by BA. I thought their public response was timely. By the way, this breach was announced while I was about to board a BA flight to Heathrow. My credit card was used to purchase my...
The Risk of IoT Security Complacency
Trend Micro recently surveyed 1,150 IT executives globally. We found a gap between the perceived risk from IoT and the planned mitigation for that risk. Most senior executives recognize that IoT can introduce security risk to the organization, but few will invest resources to remediate that risk...
So you’ve been asked to start a threat intel program
Ever since the Mandiant APT1 report landed like a bomb in private sector security reporting, threat intelligence has been a hot buzzword that many companies have been chasing. But what is threat intelligence? What do you need to execute it well? And how many new tools do you need to buy? The...
Mergers, Acquisitions, and Malware?
Every year, tens of thousands of mergers and acquisitions (M&A) take place across every industry and vertical. In fact, "In 2017, companies announced over 50,600 transactions with a total value of more than 3.5 trillion USD."[1] Not only is M&A complex from a business sense, it also brings the...
Streamline Compliance with SWIFT Customer Security Program Requirements
Transferring money from our bank accounts has never been easier than it is today. With a single click on our smartphones, we can transfer money from a bank account in New York to an account at a different bank in the Netherlands. This advancement is largely a result of the fluent communication...
Developing an effective cyber strategy
The word strategy has its origins in the Roman Empire and was used to describe the leading of troops in battle. From a military perspective, strategy is a top-level plan designed to achieve one or more high-order goals. A clear strategy is especially important in times of uncertainty as it provid...
How public-private partnerships can combat cyber adversaries
For several years now, policymakers and practitioners from governments, CERTs, and the security industry have been speaking about the importance of public-private partnerships as an essential part of combating cyber threats. It is impossible to attend a security conference without a keynote...
Cybersecurity in the Workplace is Everybody’s Business
What can individual users do to preserve cybersecurity at work? Your organization is spending on cybersecurity tools, you have an awareness program, and if you look you will find that there are standards and procedures for choosing and maintaining products to help keep information secure. But wha...