Compliance | Breaking Cybersecurity News | The Hacker News

Shadow apps, a segment of Shadow IT, are SaaS applications purchased without the knowledge of the security team. While these applications may be legitimate, they operate within the blind spots of the corporate security team and expose the company to attackers.  Shadow apps may include instances of software that the company is already using. For example, a dev team may onboard their own instance of GitHub to keep their work separate from other developers. They might justify the purchase by noting that GitHub is an approved application, as it is already in use by other teams. However, since the new instance is used outside of the security team's view, it lacks governance. It may store sensitive corporate data and not have essential protections like MFA enabled, SSO enforced, or it could suffer from weak access controls. These misconfigurations can easily lead to risks like stolen source code and other issues. Types of Shadow Apps  Shadow apps can be categorized based on their interac

The 2024 State of the vCISO Report continues Cynomi's tradition of examining the growing popularity of virtual Chief Information Security Officer (vCISO) services. According to the independent survey, the demand for these services is increasing, with both providers and clients reaping the rewards. The upward trend is set to continue, with even faster growth expected in the future. However, service providers looking to enter the vCISO market must address challenges like technological limitations and a lack of security and compliance expertise.  For more details on the state of vCISO, read Cynomi's comprehensive report. The State of the Virtual CISO Survey Report by Global Surveyz, an independent survey company, which was commissioned by Cynomi, provides a deep understanding of the vCISO opportunities and challenges facing MSPs and MSSPs today. The report shares insights from 200 security leaders in MSPs and MSSPs that provide cybersecurity strategic services or cybersecurity con

For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,

Nowadays, sensitive and critical data is traveling in everyday business channels that offer only the basic level of security and encryption, and companies are often oblivious to the risk. A case in point: Disney suffered a devastating data leak by a hacktivist group known as NullBulge that got hold of over 1.2 terabytes of data from Disney's internal Slack messaging channels. The breach exposed sensitive information, including: details about unreleased projects, computer code, login details and passwords, and Intellectual Property (IP) and corporate secrets. Slack breaches have also impacted companies like Uber, Rockstar, and Electronic Arts (EA). Cisco Webex used by the German Bundeswehr leaked data from hundreds of meetings, some classified. Outlook was breached by Chinese hackers last year. We have nothing against any of the tools above. They are all great collaboration tools. However, just like companies don't allow developers to use just any old tool to push code to p

What is Continuous Attack Surface Penetration Testing or CASPT? Continuous Penetration Testing or Continuous Attack Surface Penetration Testing (CASPT) is an advanced security practice that involves the continuous, automated, and ongoing penetration testing services of an organization's digital assets to identify and mitigate security vulnerabilities. CASPT is designed for enterprises with an evolving attack surface where periodic pentesting is no longer sufficient. Unlike traditional penetration testing, which is often performed annually or semi-annually, CASPT is an ongoing process that integrates directly into the software development lifecycle (SDLC), ensuring that vulnerabilities are discovered and addressed in real-time or near-real-time. CASPT is a proactive security measure designed to stay ahead of potential attackers by continuously evaluating the security posture of an organization. It enables security teams to identify critical entry points that could be exploited b

SaaS applications have become indispensable for organizations aiming to enhance productivity and streamline operations. However, the convenience and efficiency these applications offer come with inherent security risks, often leaving hidden gaps that can be exploited. Conducting thorough due diligence on SaaS apps is essential to identify and mitigate these risks, ensuring the protection of your organization's sensitive data. Understanding the Importance of Due Diligence Due diligence is a critical step in evaluating the security capabilities of SaaS applications. It involves a comprehensive assessment of the app's audit log events, system and activity audits, and integration capabilities to ensure proper logging and monitoring, helping to prevent costly incidents. Here are a few reasons why due diligence is non-negotiable: Identifying Critical Audit Log Gaps: A thorough review helps ensure that essential events, such as logins, MFA verifications, and user changes, are lo

Traditionally, the focus has been on defending against digital threats such as malware, ransomware, and phishing attacks by detecting them and responding. However, as cyber threats become more sophisticated. There is a growing recognition of the importance of measures that stop new attacks before they are recognized. With high-value assets, it's not good enough to have the protection, it's essential to have some assurance that the protection is effective. With software, that assurance is hard work, and this has led to a complimentary approach, called hardsec. What is Hardsec? Short for " Hardware Security ." Hardsec is about using hardware logic and electronics to implement a security defence, rather than through software alone - thereby providing a higher level of security assurance and resilience against both external and insider threats . Making it an essential component of comprehensive cybersecurity strategies. The Rise of Sophisticated Attacks When the impact of an attack ag

The last few years have seen more than a few new categories of security solutions arise in hopes of stemming a never-ending tidal wave of risks. One of these categories is Automated Security Validation (ASV), which provides the attacker's perspective of exposures and equips security teams to continuously validate exposures, security measures, and remediation at scale. ASV is an important element of any cybersecurity strategy and by providing a clearer picture of potential vulnerabilities and exposures in the organization, security teams can identify weaknesses before they can be exploited.  However, relying solely on ASV can be limiting. In this article, we'll take a look into how combining the detailed vulnerability insights from  ASV  with the broader threat landscape analysis provided by the Continuous Threat Exposure Management Framework (CTEM) can empower your security teams to make more informed decisions and allocate resources effectively. (Want to learn more about CTEM? Check

Certificate authority (CA) DigiCert has warned that it will be revoking a subset of SSL/TLS certificates within 24 hours due to an oversight with how it verified if a digital certificate is issued to the rightful owner of a domain. The company said it will be taking the step of revoking certificates that do not have proper Domain Control Validation ( DCV ). "Before issuing a certificate to a customer, DigiCert validates the customer's control or ownership over the domain name for which they are requesting a certificate using one of several methods approved by the CA/Browser Forum ( CABF )," it said . One of the ways this is done hinges on the customer setting up a DNS CNAME record containing a random value provided to them by DigiCert, which then performs a DNS lookup for the domain in question to make sure that the random values are the same. The random value, per DigiCert, is prefixed with an underscore character so as to prevent a possible collision with an actu

Searchable Encryption has long been a mystery. An oxymoron. An unattainable dream of cybersecurity professionals everywhere. Organizations know they must encrypt their most valuable, sensitive data to prevent data theft and breaches. They also understand that organizational data exists to be used. To be searched, viewed, and modified to keep businesses running. Unfortunately, our Network and Data Security Engineers were taught for decades that you just can't search or edit data while in an encrypted state. The best they could do was to wrap that plaintext, unencrypted data within a cocoon of complex hardware, software, policies, controls, and governance. And how has that worked to date? Just look at the T-Mobile breach, the United Healthcare breach, Uber, Verizon, Kaiser Foundation Health Plan, Bank of America, Prudential… and the list goes on. All the data that was stolen in those breaches remained unencrypted to support day-to-day operations. It's safe to conclude that the way we