🛡 Cybersecurity & Privacy 🛡 - News
25.9K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
🕴 Mac Malware Cracks WatchGuard's Top 10 List 🕴

Security experts advise Mac users to deploy security suites to protect themselves from the growing threat.

📖 Read

via "Dark Reading: ".
⌨ Scanning for Flaws, Scoring for Security ⌨

Is it fair to judge an organization’s information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Fair or not, a number of nascent efforts are using just such an approach to derive security scores for companies and entire industries. What’s remarkable is how many organizations don’t make an effort to view their public online assets as the rest of the world sees them — until it’s too late.

[Image: US Chamber of Commerce.]

For years, potential creditors have judged the relative risk of extending credit to consumers based in part on the applicant’s credit score — the most widely used being the score developed by FICO, previously known as Fair Isaac Corporation. Earlier this year, FICO began touting its Cyber Risk Score (PDF), which seeks to measure an organization’s chances of experiencing a data breach in the next 12 months, based on a variety of measurements tied to the company’s public-facing online assets.

In October, FICO teamed up with the U.S. Chamber of Commerce to evaluate more than 2,500 U.S. companies with the Cyber Risk Score, and then invited these companies to sign up and see how their score compares with that of other organizations in their industry. The stated use cases for the Cyber Risk Score include the potential for cyber insurance pricing and underwriting, and evaluating supply chain risk (i.e., the security posture of vendor partners).

The company-specific scores are supposed to be made available only to vetted people at the organization who go through FICO’s signup process. But in a marketing email sent to FICO members on Tuesday advertising its new benchmarking feature, FICO accidentally exposed the FICO Cyber Risk Score of energy giant ExxonMobil.

The marketing email was quickly recalled and reissued in a redacted version, but it seems ExxonMobil’s score of 587 puts it in the “elevated” risk category and somewhat below the mean score among large companies in the Energy and Utilities sector, which was 637. The October analysis by the Chamber and FICO gives U.S. businesses an overall score of 687 on a scale of 300-850.

[Image: Data accidentally released by FICO about the Cyber Risk Score for ExxonMobil.]

How useful is such a score? Mike Lloyd, chief technology officer at RedSeal, was quoted as saying a score “taken from the outside looking in is similar to rating the fire risk to a building based on a photograph from across the street.”

“You can, of course, establish some important things about the quality of a building from a photograph, but it’s no substitute for really being able to inspect it from the inside,” Lloyd told Dark Reading regarding the Chamber/FICO announcement in October.

Naturally, combining external scans with internal vulnerability probes and penetration testing engagements can provide organizations with a much more holistic picture of their security posture. But when a major company makes public, repeated and prolonged external security foibles, it’s difficult to escape the conclusion that perhaps it isn’t looking too closely at its internal security either.

ENTIRELY, CERTIFIABLY PREVENTABLE

Too bad the errant FICO marketing email didn’t expose the current cyber risk score of big-three consumer credit bureau Equifax, which was relieved of personal and financial data on 148 million Americans last year after the company failed to patch one of its Web servers and then failed to detect an intrusion into its systems for months.

A 96-page report (PDF) released this week by a House oversight committee found the Equifax breach was “entirely preventable.” For 76 days beginning mid May 2017, the intruders made more…
🕴 Deception: Honey vs. Real Environments 🕴

A primer on choosing deception technology that will provide maximum efficacy without over-committing money, time and resources.

📖 Read

via "Dark Reading: ".
🕴 U.S. Defense, Critical Infrastructure Companies Targeted in New Threat Campaign 🕴

McAfee finds malware associated with 'Operation Sharpshooter' on systems belonging to at least 87 organizations.

📖 Read

via "Dark Reading: ".
โŒ Android Trojan Targets PayPal Users โŒ

The trojan purports to be a battery optimization app - and then steals up to 1,000 euro from victims' PayPal accounts.

๐Ÿ“– Read

via "Threatpost | The first stop for security news".
🕴 Bug Hunting Paves Path to Infosec Careers 🕴

Ethical hackers use bug bounty programs to build the skills they need to become security professionals.

📖 Read

via "Dark Reading: ".
🕴 Worst Password Blunders of 2018 Hit Organizations East and West 🕴

Good password practices remain elusive, as Dashlane's latest list of the worst password blunders can attest.

📖 Read

via "Dark Reading: ".
⚠ Update now! Microsoft and Adobe’s December 2018 Patch Tuesday is here ⚠

If you find patching security flaws strangely satisfying, you’re in luck - Microsoft’s and Adobe’s December Patch Tuesdays have arrived with plenty for the dedicated updater to get stuck into.

📖 Read

via "Naked Security".
⚠ WordPress worms, Android fraud and Flash fails [PODCAST] ⚠

Here's the latest Naked Security podcast - enjoy!

📖 Read

via "Naked Security".
⚠ Supermicro: We told you the tampering claims were false ⚠

Computer manufacturer Supermicro is still trying to lay to rest reports that the Chinese government tampered with its equipment to spy on Western cloud users.

📖 Read

via "Naked Security".
โŒ Shamoon Reappears, Poised for a New Wiper Attack โŒ

One of the most destructive malware families ever seen is back, and researchers think its authors are gearing up to again take aim at the Middle East.

๐Ÿ“– Read

via "Threatpost | The first stop for security news".
⚠ Border agents are copying travelers’ data, leaving it on USB drives ⚠

It's just one of many SOP SNAFUs of a pilot program for advanced searches of travelers' devices that doesn't even have performance metrics.

📖 Read

via "Naked Security".
🕴 The Economics Fueling IoT (In)security 🕴

Attackers understand the profits that lie in the current lack of security. That must change.

📖 Read

via "Dark Reading: ".
๐Ÿ” 15 skills you need to be a whitehat hacker and make up to $145K per year ๐Ÿ”

Aspiring hackers and cybersecurity pros are joining the ethical hacking community to earn extra cash, according to Bugcrowd.

๐Ÿ“– Read

via "Security on TechRepublic".
🕴 Education Gets an 'F' for Cybersecurity 🕴

The education sector falls last on a list analyzing the security posture of 17 US industries, SecurityScorecard reports.

📖 Read

via "Dark Reading: ".
ATTENTION‼ New - CVE-2017-1268

IBM Security Guardium 10 and 10.5 uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input. IBM X-Force ID: 124743.

📖 Read

via "National Vulnerability Database".
โŒ Google Beefs Up Android Key Security for Mobile Apps โŒ

Changes to how data is encrypted can help developers ward off data leakage and exfiltration.

๐Ÿ“– Read

via "Threatpost | The first stop for security news".
โŒ Secure Critical Infrastructure Top of Mind for U.S. โŒ

Attacks targeting critical infrastructure system are ramping up - and defense has become a top priority for the U.S. government.

๐Ÿ“– Read

via "Threatpost | The first stop for security news".
โŒ Grammarly Launches Public Bug Bounty Program โŒ

The online spell check platform is taking its private bounty program public in hopes of outing more threats.

๐Ÿ“– Read

via "Threatpost | The first stop for security news".
๐Ÿ” The biggest phishing attacks of 2018 and how companies can prevent it in 2019 ๐Ÿ”

Phishing attacks flourished in 2018, but organizations can protect themselves with the three tips below.

๐Ÿ“– Read

via "Security on TechRepublic".
🕴 Setting the Table for Effective Cybersecurity: 20 Culinary Questions 🕴

Even the best chefs will produce an inferior product if they begin with the wrong ingredients.

📖 Read

via "Dark Reading: ".