Schneier on Security

FEBRUARY 16, 2018

The National Academies has just published " Decrypting the Encryption Debate: A Framework for Decision Makers." It looks really good, although I have not read it yet. Not much news or analysis yet. Please post any links you find in the comments, and I will summarize them here.

Encryption 115

Encryption 115

Security Affairs

APRIL 1, 2024

The US government announced establishing the Office of the Assistant Secretary of Defense for Cyber Policy. The US Defense Department announced establishing the Office of the Assistant Secretary of Defense for Cyber Policy (ASD(CP)) as directed in the National Defense Authorization Act for Fiscal Year 2023.

Government 114

Government Hacking Information Security 114

Schneier on Security

DECEMBER 11, 2020

The Aspen Institute’s Aspen Cybersecurity Group — I’m a member — has released its cybersecurity policy agenda for the next four years. Lots of detail in the 70-page report. The next administration and Congress cannot simultaneously address the wide array of cybersecurity risks confronting modern society.

Cybersecurity 287

Cybersecurity Education Risk 287

Security Affairs

APRIL 6, 2024

Shadowserver researchers reported that roughly 16,500 Ivanti Connect Secure and Poly Secure gateways are vulnerable to the recently reported RCE flaw CVE-2024-21894. x) and Ivanti Policy Secure that allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack.

VPN 118

VPN Internet Internet Hacking 118

Krebs on Security

JANUARY 25, 2024

Google says keeping users safe is a top priority, and that the company has a team of thousands working around the clock to create and enforce their abuse policies. ” In February 2023, Hegel co-authored a report on this same network, which Sentinel One has dubbed MalVirt (a play on “malvertising”).

Software 245

Software Advertising Malware Accountability 245

Schneier on Security

MARCH 26, 2024

Hand-counts delay timely reporting of results, and introduce the possibility for human error, bias, or misinterpretation. We recommend state legislators adopt policies consistent with these guiding principles, which are further developed below.

Technology 237

Technology Cybersecurity 237

Schneier on Security

APRIL 27, 2023

Stanford and Georgetown have a new report on the security risks of AI—particularly adversarial machine learning—based on a workshop they held on the topic. Andy Grotto and I have vigorously argued against siloing AI security in its own governance and policy vertical.)

Risk 235

Risk Cybersecurity Government Engineering 235

The Last Watchdog

SEPTEMBER 25, 2023

If you’re a small business looking for the secret sauce to cybersecurity, the secret is out: start with a cybersecurity policy and make the commitment to security a business-wide priority. Financial information is one of the most frequently targeted areas, so it’s crucial your cybersecurity policies start with your finance team.

Small Business 200

Small Business Cybersecurity Technology Data breaches 200

Schneier on Security

FEBRUARY 25, 2021

I am a co-author on a report published by the Hoover Institution: “ Chinese Technology Platforms Operating in the United States.”

Technology 283

Technology Risk 283

Schneier on Security

SEPTEMBER 28, 2022

The Atlantic Council has published a report on securing the Internet of Things: “Security in the Billions: Toward a Multinational Strategy to Better Secure the IoT Ecosystem.”

IoT 281

IoT Telecommunications Manufacturing Internet 281

Security Affairs

MARCH 9, 2024

The US Cybersecurity and Infrastructure Security Agency (CISA) agency was hacked in February, the Recorded Future News first reported. In response to the security breach, the agency had to shut down two crucial systems, as reported by a CISA spokesperson and US officials with knowledge of the incident, according to CNN.

Hacking 138

Hacking Government Cybersecurity Software 138

Schneier on Security

MAY 11, 2022

Georgetown has a new report on the highly secretive bulk surveillance activities of ICE in the US: When you think about government surveillance in the United States, you likely think of the National Security Agency or the FBI. This report argues that you should.

Surveillance 293

Surveillance Government 293

Security Affairs

APRIL 4, 2024

Ivanti addressed four flaws impacting Connect Secure and Policy Secure Gateways that could lead to code execution and denial-of-service (DoS) condition. Ivanti has released security updates to address four security flaws impacting Connect Secure and Policy Secure Gateways that could result in code execution and denial-of-service (DoS).

Authentication 108

Authentication Hacking Cybersecurity Information Security 108

Schneier on Security

FEBRUARY 16, 2022

Google’s Project Zero is reporting that software vendors are patching their code faster. In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. We hope that this comparison can showcase best practices, and encourage vendors to experiment with new policies.

Software 242

Software 242

Penetration Testing

APRIL 16, 2024

A newly released report from cybersecurity leaders at Proofpoint paints a chilling picture of North Korean hacking operations reaching new levels of sophistication.

Social Engineering 71

Social Engineering Engineering Penetration Testing Government 71

eSecurity Planet

MAY 12, 2023

A vulnerability management policy sets the ground rules for the process, minimum standards, and reporting requirements for vulnerability management. An effective vulnerability management policy can help with the cyclical process of discovering and managing vulnerabilities found within IT hardware, software, and systems.

Penetration Testing 95

Penetration Testing Risk Cybersecurity Government 95

Security Affairs

FEBRUARY 1, 2024

Mandiant spotted new malware used by a China-linked threat actor UNC5221 targeting Ivanti Connect Secure VPN and Policy Secure devices. Mandiant researchers discovered new malware employed by a China-linked APT group known as UNC5221 and other threat groups targeting Ivanti Connect Secure VPN and Policy Secure devices.

VPN 115

VPN Malware Authentication Hacking 115

Security Affairs

MARCH 10, 2024

A report published by Lithuanian security services warned that China has escalated its espionage operations against Lithuania. A report released by Lithuanian security services has cautioned that China has intensified espionage activities targeting Lithuania. ” reads the report published by Lithuanian security services.

Government 117

Government Hacking Information Security 117

Security Affairs

SEPTEMBER 4, 2023

The social media platform X (formerly known as Twitter) has updated its privacy policy informing its premium users that the company will collect their biometric data to curb fraud and prevent impersonation. Bloomberg first reported the news and confirmed that the change will only impact premium users. “ Biometric Information.

Media 131

Media Education Advertising Government 131

Security Affairs

JANUARY 31, 2024

Ivanti warns of two new vulnerabilities in its Connect Secure and Policy Secure products, one of which is actively exploited in the wild. Ivanti is warning of two new high-severity vulnerabilities in its Connect Secure and Policy Secure solutions respectively tracked as CVE-2024-21888 (CVSS score: 8.8) x) and Policy Secure (9.x,

Software 117

Software Authentication Hacking Malware 117

Security Affairs

FEBRUARY 1, 2024

CISA is ordering federal agencies to disconnect Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours. For the first time since its establishment, CISA is ordering federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours. x and Ivanti Policy Secure.

VPN 111

VPN Authentication Software Malware 111

Krebs on Security

APRIL 29, 2022

The move comes just months after Google rolled out a new policy enabling people under the age of 18 (or a parent/guardian) to request removal of their images from Google search results. Its homepage includes a copy of my credit report, Social Security card, phone bill, and a fake but otherwise official looking government ID card.

Identity Theft 361

Identity Theft Cybercrime Retail Hacking 361

Krebs on Security

SEPTEMBER 20, 2021

Or maybe it isn’t entirely clear who should get the report when remote access to an organization’s internal network is being sold in the cybercrime underground. There may be another good reason for consolidating security contact and vulnerability reporting information in one, predictable place.

Retail 298

Retail Healthcare Internet Internet 298

Security Affairs

MARCH 12, 2024

Threat actors can abuse QR codes to carry out sophisticated scams, as reported by the Italian Postal Police in its recent alert. In practice, fake insurance operators contact victims through calls, messages, or sponsorships on social networks, offering policies at advantageous prices.

Insurance 107

Insurance Scams Education Engineering 107

The Hacker News

JULY 28, 2023

Porsche has a well-established Vulnerability Reporting Policy (Disclosure Policy)[1], it was considered in scope for our research, so we decided to start there, and see what we could find. What we found is an

Manufacturing 94

Manufacturing Software 94

Google Security

APRIL 18, 2024

In this blog post, we'll explore reporting and enforcement policies that enterprise security teams can implement within Chrome Enterprise Premium for data loss prevention (DLP). As enterprises work through their policies and processes involving GenAI, Chrome Enterprise Premium empowers them to strike the balance that works best.

Engineering 70

Engineering Software 70

eSecurity Planet

SEPTEMBER 23, 2022

However, after minimal corporate adoption of stronger cybersecurity, the SEC has drafted rules to require more formal cybersecurity reporting and disclosure. This requirement copies the strategies of previous legislation that dramatically improved financial reporting for both public and private companies. Proposed SEC Security Changes.

Cybersecurity 105

Cybersecurity Risk Passwords Penetration Testing 105

Security Affairs

MARCH 21, 2024

of the NATO Cyber Security Centre reported the vulnerability. In early February, the Five Eyes intelligence alliance issued a joint cybersecurity advisory warning of threat actors exploiting known vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. which address the issue.

Authentication 115

Authentication Internet Internet Hacking 115

Security Boulevard

MARCH 14, 2023

A new report from the Bipartisan Policy Center ( BPC ) lays out — in stark terms – the prominent cybersecurity risks of the moment. Related: Pres. Biden’s impact on cybersecurity.

Cybersecurity 117

Cybersecurity Risk Security Awareness 117

Security Boulevard

DECEMBER 3, 2023

The Harvard Business Review conducted a survey of more than 330 remote employees from a wide range of industries to self-report on both their daily stress levels and their adherence to cybersecurity policies over the duration of two weeks.

Cybersecurity 62

Cybersecurity 62

Tech Republic Security

MARCH 16, 2021

The AD report card scores the security of Group Policies, Kerberos security and AD infrastructure.

175

175

eSecurity Planet

NOVEMBER 18, 2022

A Patch Management Policy formalizes the fundamental IT requirement that all systems and software should be patched and updated in a timely manner with: Rules that explain the requirements for patching and updates Clear processes that can be followed, reported on, and confirmed Standards that can be tested and verified.

Software 88

Software Risk Cybersecurity Backups 88

Security Boulevard

NOVEMBER 16, 2022

That was on the heels of reports that TikTok’s privacy policy shows that Chinese staff can. Just days after Elon Musk took over Twitter, the platform’s chief privacy officer resigned, as did others germane to the company’s safety and security. The post Privacy Hits a Low at TikTok, Twitter appeared first on Security Boulevard.

Media 138

Media Data privacy Security Awareness Risk 138

Malwarebytes

FEBRUARY 2, 2024

In an emergency directive , the Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to disconnect all instances of Ivanti Connect Secure and Policy Secure solution products from agency networks no later than 11:59PM on Friday February 2, 2024. How did it come this far?

Accountability 98

Accountability Ransomware Risk Cybersecurity 98

Tech Republic Security

MAY 7, 2020

More than one in five also acknowledge transitioning to remote work without a policy, according to an Alliant Cybersecurity report.

Cybersecurity 180

Cybersecurity 180

Security Affairs

JANUARY 11, 2024

Cybersecurity and Infrastructure Security Agency (CISA) added an Ivanti Connect Secure and Policy Secure flaws, tracked as CVE-2024-21887 and CVE-2023-46805 , and Microsoft SharePoint Server flaw CVE-2023-29357 to its Known Exploited Vulnerabilities (KEV) catalog. x and Ivanti Policy Secure. x) and Ivanti Policy Secure.

Authentication 113

Authentication Hacking Cybersecurity Software 113

Security Affairs

JANUARY 31, 2024

In early January 2024, software firm Ivanti reported that threat actors were exploiting two zero-day vulnerabilities ( CVE-2023-46805, CVE-2024-21887 ) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways. x and Ivanti Policy Secure. x) and Ivanti Policy Secure.

VPN 100

VPN Malware Authentication Small Business 100