Network Security | SC Media

Network Security

Union Pacific tracks cyber risk via its own probability modeling methodology

Rick Holmes, assistant VP and CISO at Union Pacific Railroad, detailed at InfoSec World 2020 how the transportation giant incorporates cybersecurity risk into its larger enterprise risk management process in order to help senior executives estimate losses caused by potential cyber incidents and make better decisions on where to invest in defenses. “We think that…

Ex-CIA exec: Covid-19 has created ideal ‘crisis’ conditions for malicious hackers

Companies trying to stave off business disruption caused by the global Covid-19 pandemic may be ripe for compromise as they introduce new risks in the scramble to maintain business continuity, warned a retired senior CIA executive in a keynote presentation Wednesday at the InfoSec World 2020 digital conference. In essence, the coronavirus has created ideal…

Party City celebrates IT risk assessment program; reveals keys to success

At InfoSec World 2020 on Tuesday, a pair of risk officers from Party City offered an inside glimpse into how the $2.1 billion specialty retailer pulled off its first-ever top-down enterprise-wide IT risk assessment. Among the chief success factors they cited were: executive buy-in, the collaboration of skilled partners, assuring adequate resources, well-planned project scoping,…

Risk assessments reveal businesses remain deficient in security compliance, training

InfoSec World 2020 – An analysis of more than 100 risk self-assessments conducted by business organizations across a cross-section of industries revealed that over 65 percent admitted to achieving zero-to-minimal compliance of U.S. state data privacy and security regulations, including myriad breach laws and the California Consumer Privacy Act. The discouraging findings show that business…

Lululemon’s Rex Sarabia works up a sweat building a security awareness program from scratch

At InfoSec World 2020 on Monday, Rex Sarabia, security awareness program manager at Lululemon, led the session “Building an Enterprise Security Awareness Program from the Ground Up.” SC Media interviewed Sarabia about his presentation to learn more about Sarabia’s biggest challenges, his tips for security professionals starting up their own programs, and how he “gamifies”…

Sapphire Software’s Nicholas Takacs asks: Is self-aware malware possible yet?

“Two can play at this game…” Cybersecurity is a non-stop arms race between white hats and malicious hackers, and the three “A’s” — automation, analytics and artificial intelligence — are among the more powerful defensive tools that CISOs can implement to defend their organizations. But cybercriminals can also potentially employ them to magnify their attacks…

Adobe fixes 18 critical vulnerabilities on heels of largest-ever Microsoft Patch Tuesday

Adobe on Tuesday patched 18 critical vulnerabilities – five of them in Illustrator and another five in After Effects. The out-of-band updates came a week after the company patched four flaws in Flash and Microsoft unveiled its largest Patch Tuesday ever, offering updates for 129 vulnerabilities. The After Effects out-of-bounds read, out-of-bounds write and overflow…

Ripple20 bugs in scores of IoT devices reveal third-party code dangers

Hundreds of millions of Internet of Things (IoT) products use a TCP/IP software library containing severe vulnerabilities that can be exploited for remote code execution and complete device takeover, say researchers who also warn that the bug has been extremely difficult to track across the IoT supply chain due to liberal adoption of the third-party…

CallStranger bug in billions of devices can enable data exfiltration, DoS attacks

Billions of Internet of Things and Local Area Network devices that rely on the Universal Plug and Play (UPnP) protocol for discovery of and interaction with other devices are vulnerable to “CallStranger,” a bug that can be exploited to exfiltrate data, launch a denial of service attack or scan ports. The Windows 10 operating system,…

Attackers are using exploit code for SMBGhost bug, CISA warns

Functioning point-of-concept exploit code now exists for the highly critical “SMBGhost” bug that Microsoft last March patched in its Server Message Block 3.1.1 (SMBv3) protocol, and attackers are taking advantage, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned, citing open-source reports. Designated CVE-2020-0796 and also known as EternalDarkness, the bug can result in…

Next post in Vulnerabilities