Information Security Buzz
Expert(s): November 30, 2020
Casey Ellis
CTO and Founder
Bugcrowd

April 07, 2021

Expert Commentary On CISA Warns Of APTs Exploiting Fortinet Vulnerabilities

Networking equipment tends to be central to a company's operations.


Networking equipment tends to be central to a company's operations. This incident of attackers capitalizing on a combination of N-day vulnerabilities—as opposed to zero-day—and unpatched systems, highlights the challenges that IT administrators experience in scheduling downtime to patch vulnerabilities. However, in the meantime, this also makes unpatched systems a prime target for attackers seeking out prey. This advisory is similar to an NSA/CISA advisory released in December 2020, regarding advanced persistent threat (APT) groups’ use of N-day vulnerabilities on access software, like VPNs and edge content delivery networks.

 

As APT groups continue to target vulnerabilities within government, technology and commercial services’ systems, organizations across industries must recognize the need to accept the assistance of security researchers who are actively defending against a growing legion of adversaries. Even enterprises with in-house security teams can benefit from the hypervigilance of external security researchers — specifically their ability to provide continuous, 24/7 security testing and monitoring.

 

Although each of these vulnerabilities was known and patches were issued by Fortinet, the responsibility falls on IT administrators to rapidly apply these fixes. By leveraging external security researchers, admins can rely on the insights of security researchers to provide contextual intelligence as to which vulnerabilities constitute the greatest — and therefore most urgent — risk to an organization. Active scanning for system vulnerabilities is a routine process after the release and weaponization of remotely exploitable common vulnerabilities and exposures (CVEs), from actors ranging from amateur to the very sophisticated.

 

Additionally, IT administrators can arm themselves with an extra layer of security to proactively identify and address such vulnerabilities before they are discovered and exploited by adversaries, such as these APT groups. This grants IT administrators a more generous timeline to address vulnerabilities and ensure proper security measures have been implemented. Speed is the natural enemy of security and the best way to improve an organization’s security posture and beat malicious adversaries is by thinking like one.

February 04, 2021

Expert Commentary: Several Thousand Addresses Leaked In FHKC Insurance Data Breach

Widespread adoption of new tech initiatives brought on by COVID-19 has led to an increase in data.


The pandemic has put a global spotlight on the wealth of sensitive data insurance organizations possess. Widespread adoption of new tech initiatives brought on by COVID-19 has led to an increase in data within insurance companies and inevitably opened up a new attack surface for malicious cyber adversaries to target -- such as the 122,000 globally-connected internet assets within the top nine insurance organizations. With the increased pace of technology rollout, increased use of online health service on account of the pandemic, and the active adversaries lurking, the insurance industry has become adversaries’ latest target.

 

FHKC was allegedly exposed by its hosting provider, and a failure to apply patches -- which isn't an uncommon story. This highlights the need to consider and manage supply chain security, as well as to trust -- but first verify.


As the insurance industry continues to play an instrumental role in distributing the COVID-19 vaccine and providing basic healthcare amidst the pandemic, insurance organizations must look to up-level their current cybersecurity measures with external security researchers via a bug bounty or vulnerability disclosure program (VDP) to help identify and disclose vulnerabilities before they can be exploited by adversaries. By doing so, insurance organizations can get ahead of malicious actors and proactively address vulnerabilities before they become a devastating breach.

January 27, 2021

Expert Commentary: Phishing Attack Impersonates UK NHS To Obtain Sensitive Consumer Data

Do not respond to calls or emails that request credit card information or any other means of payment.


The critical importance and widespread uncertainty around the COVID-19 vaccine put the global spotlight on government and healthcare organizations involved in distribution efforts. As the world waits with bated breath, the anticipation and anxiety around the subject of vaccination make it especially useful as a phishing lure for attackers who target unsuspecting citizens. This was most recently demonstrated by the ongoing phishing attack linked to the UK's National Health Service (NHS). The NHS phish was a serious attempt - it used the pretext of existing NHS vaccination campaigns, included "credible jargon" and NHS design mimicry to appear as legitimate as possible, and exploited loss-aversion through a fake "use it or lose it" message.

December 18, 2020

Cyber Security Predictions 2021: Experts’ Responses

Governments around the world will continue to adopt vulnerability disclosure as a default.
Governments are collectively realizing the scale and distributed nature of the threats they face in the cyber domain, as well as the league of good-faith hackers available to help them balance forces. When you're faced with an army of adversaries, an army of allies makes a lot of sense. Judging by the language used in the policies released in 2020, governments around the world (including the UK) are also leaning in to the benefit of transparency inherent to a well-run VDP to create confidence in their constituents (neighborhood watch for the internet). The added confidence, ease of explanation, and the fact that security research and incidental discovery of security issues happen whether there is an invitation or not is making this an increasingly easy decision for governments to make.
December 15, 2020

U.S. Government Victimized By Russian Cyberattacks – Expert Commentary

The Solarwinds incident also highlights the complexity of supply chains and the "no look" dependency on upstream security programs.
Well funded, talented, motivated nation-states exist as a crowd of potential adversaries with diverse skill sets, a variety of motivations and goals, and incentive to get results. The "Mossad/Not-Mossad" threat model introduced by James Mickens suggests that while a sufficiently motivated and resourced adversary will ultimately always achieve their goals, an army of allies stands ready to help raise the bar, increase the cost of an attack, and route the adversary into places where they can be more easily detected. The Solarwinds incident also highlights the complexity of supply chains and the "no look" dependency on upstream security programs to maintain the integrity of the supplied software, as well as the systems and environments of all users of that software. What happened with Solarwinds could, and has, happened with open source software, as well as with other providers - the use of M.E.Doc in the NotPetya attacks in the Ukraine is a recent example, as were the 2011 attacks on the RSA SecurID authentication software. In this case, the breach of SolarWinds Orion’s code poses a major threat to the Federal Civilian Executive Branch agencies that were using its software, as well as the 425 Fortune companies in their client list, and many, many other organizations worldwide. The potential upside of this breach, as noted by Dmitri Alperovitch, is that the incredible scope of its impact creates a dilemma for attackers when it comes to choosing what to exploit. This will shift the burden to incident response and threat hunting teams over the coming weeks to establish if the incident affects them, and if so, was the access provided by the breach used by APT29. Vulnerabilities exist in every platform and every company, and the number of exploitable and their potential impact compounds as developers innovate at unprecedented rates, in part due to the new demands of remote work and widespread access triggered by the COVID-19 pandemic.
While there are still many questions remaining about this breach, government agencies must acknowledge the scale and distributed nature of the threats they face in the cyber domain, and realize that they need to accept the assistance of that army of allies who are offering to help defend against the legion of adversaries. Governments and private organizations around the globe have recognized the threats they face and are leaning into the benefit of well-run Vulnerability Disclosure Programs (VDPs) to roll out the red carpet to the digital locksmiths of the Internet, who work to counter and outsmart the adversary and - more importantly - to help create confidence in their constituents’ security ecosystem. The kind of security research and discovery of security issues that could frustrate the efforts of nation-states is happening whether there is an invitation or not, and the truth of this is making the implementation of a VDP an increasingly easy decision to make.
September 23, 2020

Expert Commentary: New House Approved Legislation Risks Prosecuting Ethical Security Researchers

As cybersecurity leaders, we have an obligation to support the ethical hacker community as they defend the safety of the Internet.
By enacting The Defending the Integrity of Voting Systems Act, the U.S. government might seek to deter adversaries from meddling with the voting process, but instead the biggest impact they will have is chilling and potentially criminalizing the actions of good-faith hackers conducting security research to help secure the election process. If security researchers are legally unable to discover vulnerabilities in voting systems, then malicious hackers - who are ignoring these laws to begin with - have an open field to exploit undiscovered vulnerabilities within voting systems. Another question that remains is whether this new bill will now make ethical security research of second hand and aftermarket voting equipment illegal by putting these machines into the protected computer class? If so, this bill will have practical impact on the ability for voting machine security research to be conducted in the first place. As the legislation now awaits the POTUS’ signature for final approval, it would be remiss of cybersecurity industry leaders to ignore the fact that this legislation is a step in the wrong direction, as is any broadening of the scope of the CFAA. The Computer Fraud and Abuse Act (CFAA) was originally passed by Congress in response to growing threats from malicious actors, yet it serves as a barrier for the betterment of our society by barring security researchers from doing their job. Every time that it is broadened, good-faith hackers unfortunately are the ones most affected. As cybersecurity leaders, we have an obligation to support the ethical hacker community as they defend the safety of the Internet. This legislation would not only outlaw but also derail the efforts of security researchers in helping identify and resolve vulnerabilities that could potentially destroy an organization within the voting infrastructure, impacting democracy as a whole.
September 04, 2020

Expert Commentary: Voatz Wrongly Accuses Ethical Hacker

Congress originally passed the CFAA in response to growing threats from malicious actors.
Voatz’s corporate disclosure in the introduction of this brief is the exact reason why they should not qualify for Amicus Curiae, as it benefits them to uphold the Computer Fraud and Abuse Act (CFAA). Additionally, Voatz’s main argument to the researcher’s amicus brief fails to address the fact that the organizations that establish authorized access will not know about all possibilities for exploitation by an adversary. To elaborate, if there’s a method of exploiting the system that the organization is unaware of, they cannot possibly provide legal access to test it. In this case, Voatz would be leaving their voting system vulnerable to attack. Unauthorized access is one of the main purposes of security research - by making it illegal, researchers will be unable to effectively do their jobs, the organization will not be able to close all vulnerabilities, and attackers will win. Congress originally passed the CFAA in response to growing threats from malicious actors. Unfortunately, the law is so broadly written that it criminalizes acts that otherwise violate a website’s terms of service, from lying about your name on a web form to the socially beneficial security testing that ethical security researchers undertake. The purpose of the CFAA is to outlaw malicious cyberattacks, not grant organizations the ability to halt vulnerability reporting by holding ethical researchers legally accountable for their actions. A broader interpretation of "exceeds unauthorized access" in CFAA works directly against the goals of a safer and more resilient internet. Moving forward, security researchers must also pay attention to organizations’ bug bounties to ensure they have safe harbor language.
August 24, 2020

Expert Commentary: Uber Covers-up Ransom Payment For PII Of 57M Drivers

I highly advise other industry leaders to consider the value of the ethical security researcher community.
Today's rather escalates the ethical considerations around how Uber responded to its 2016 breach into very real legal ones. What took place in 2016 was clearly extortion, not a bug bounty payment. In a bug bounty program, the terms of engagement - including payment - are set before any sort of hacking takes place. This alignment on all sides facilitates interactions between businesses and the researcher community for safe and effective security testing, and minimizes potential for misunderstanding. In extortion, it's the other way around, and the threat of data exposure puts pressure on payment. Unfortunately, this incident has also negatively influenced the public’s perception of the hacker community, and of bug bounties in general. Historically, hackers were strictly viewed as malevolent, but the industry's understanding of ethical hackers within the industry has progressed within the last few years to include the much larger community. In fact, there’s a global community of ethical hackers who operate above board and in good faith, and are committed to helping organizations improve their security posture. Although Uber’s original issue was clearly on the side of bad faith, it has highlighted how blurry the line is between hacking that crosses legal lines into dark territory, and the kind of hacking which can be helpful. As leaders within the cybersecurity space, we have a moral obligation to support the next generation of Internet defenders as they advance the ethical hacker community forward. We must band together to fight the masses of bad actors by empowering the hackers that operate with integrity, and protecting them and their work. I highly advise other industry leaders to consider the value of the ethical security researcher community. As the Internet plays an instrumental role in both our daily work and personal lives, this community of cyber defenders around the world work to make the Internet a safer place for everyone.
August 12, 2020

Expert Commentary: Unsecured Databases Expose 3.1M+ Patients’ Data

Organizations across all industries can benefit from having a vulnerability disclosure program (VDP) in place.
This researcher’s discovery of Adit’s unsecured database and disclosure to the company is a textbook practice that ethical security researchers will do to help organizations proactively identify and close vulnerabilities before they can be exploited by bad actors. Unfortunately, Adit’s failure to respond to the researcher in the time allowed a bot to delete and possibly steal the critical information belonging to millions of patients that were in the database. This highlights the overall failure of both public and private sector organizations to cooperate with ethical security researchers. Organizations across all industries can benefit from having a vulnerability disclosure program (VDP) in place. This is because humans are prone to error and, when developers feel rushed to bring a new product or innovation to market, they will make mistakes along the way. Historically, NoSQL databases like Elasticsearch and MongoDB have been subject to bulk erasure and ransoming. That being said, exposed Elasticsearch instances on the internet will be found, and organizations with VDPs in place will have a greater chance of closing these up before they can be exploited by adversaries. With a VDP, organizations will be able to be proactively alerted of vulnerabilities by ethical researchers before they can be exploited in the wild. Speed is the natural enemy of security, and the best way to remain secure and beat attackers is by thinking like one – even organizations with in-house security teams can benefit from having outside help. In this instance, having a VDP would have allowed Adit to secure their database before it could have been deleted and the data possibly stolen.
July 23, 2020

Expert Commentary: Apple iOS Security Research Device Program

Speed is the natural enemy of security in software development.
The iOS Security Research Device program is a step in the right direction for Apple, as they are a high-priority target for nation-state-backed attackers. By looping in more researchers to perform a greater volume of testing, Apple should achieve better security as a result. To proactively identify and close vulnerabilities in their products before they can be exploited by bad actors, both before and after products are brought to market, organizations should take a page out of Apple’s playbook and work with outside researchers. Speed is the natural enemy of security in software development, and no organization is safe, even companies with in-house security teams. The news is dampened by their legal battle with Corellium over copyright infringement, since Corellium developed and sold software that allows researchers to hunt for potential iPhone vulnerabilities, but is ultimately a good and exciting move by Apple.
Copyright © 2020 ISBuzz Pty Ltd is a company registered in Australia with company number 605 203 772 whose registered office is 14 Alanvale Street, Harrison, ACT 2914.