Intel, AMD Dispute Findings on Chip Vulnerabilities

Doug Olenick • May 6, 2021

Intel and AMD are disputing the findings of researchers from two universities who say they've discovered new attacks on Intel and AMD processors that can bypass most of the defenses put in place earlier for similar "Spectre" and "Meltdown" attacks.

Endpoint Security

Tips on Enhancing Supply Chain Security

Latest

Critical Infrastructure Security

US Physics Laboratory Exposed Documents, Credentials

Jeremy Kirk • May 7, 2021

The Fermilab physics laboratory in the U.S. has tidied up its systems after security researchers found weaknesses exposing documents, proprietary applications, personal information, project details and credentials. The findings come from the Sakura Samurai security research group.

Cloud Security

Mitigating the Risks of Malicious OAuth Apps

Prajeet Nair • May 6, 2021

Attackers are increasingly using malicious OAuth 2.0 applications to siphon data and access sensitive information from cloud platforms, and mitigating the risks is proving challenging, according to the security firm Proofpoint.

Business Continuity Management / Disaster Recovery

DHS Secretary: Small Businesses Hard-Hit by Ransomware

Doug Olenick • May 6, 2021

About 50% to 70% of all ransomware attacks in the U.S. are targeting small and medium-sized businesses, costing the victims an estimated total of $350 million in the last year, Secretary of Homeland Security Alejandro Mayorkas said Wednesday in a speech to the U.S. Chamber of Commerce.

Governance & Risk Management

3 Bills Focus on Enhancing Electrical Grid Cybersecurity

Scott Ferguson • May 5, 2021

Lawmakers in the Senate and House have introduced legislation designed to improve and enhance the nation's electrical grid and respond to concerns that the country's power system is prone to cyberthreats.

Governance & Risk Management

PHP Composer Flaw That Could Affect Millions of Sites Patched

Prajeet Nair • May 5, 2021

A patch has been issued for a serious vulnerability that affects PHP Composer - a tool used to manage and install software dependencies in the PHP ecosystem. Security researchers at SonarSource say the flaw could put millions of websites at risk.

Fraud Management & Cybercrime

IT Modernization Grants Will Prioritize Cybersecurity

Scott Ferguson • May 4, 2021

The Biden administration will prioritize cybersecurity in its $1 billion IT modernization grant program for federal agencies, which will be overseen by the General Services Administration and the Office of Management and Budget.

Governance & Risk Management

Pulse Secure VPN Zero-Day Flaw Patched

Scott Ferguson • May 3, 2021

Ivanti, parent company of Pulse Secure, published a permanent fix Monday for a zero-day vulnerability in Pulse Connect Secure VPN products that has been exploited to target U.S. government agencies, critical infrastructure providers and other companies over the last several weeks.

Fraud Management & Cybercrime

Vulnerability Management: Essential Components

Suparna Goswami • May 3, 2021

Effective vulnerability management requires more frequent scanning of infrastructure, says Steve Yurich, CISO at Penn National Insurance, who explains his organization's approach.

3rd Party Risk Management

NSA Offers OT Security Guidance in Wake of SolarWinds Attack

Akshaya Asokan • May 1, 2021

The NSA is offering operational technology security guidance for the Defense Department as well as third-party military contractors and others in the wake of the SolarWinds supply chain attack. The agency notes that attackers could use IT exploits to pivot to OT systems.

Cyberwarfare / Nation-State Attacks

CISA: 5 Agencies Using Pulse Secure VPNs Possibly Breached

Scott Ferguson • April 30, 2021

CISA is investigating whether five U.S. government agencies may have been breached when attackers exploited vulnerabilities in Pulse Connect Secure VPN products, according to a senior official. Security researchers believe that at least two nation-state groups have been attempting to exploit these flaws.

Fraud Management & Cybercrime

ISMG Editors’ Panel: Cyber Extortion and More

Anna Delaney • April 30, 2021

Four editors at Information Security Media Group discuss timely issues, including how the zero-day attacks against Accellion File Transfer Appliance users have rewritten the rules of the cyber extortion game and former federal CISO Gregory Touhill taking on an important new role.

Active Defense & Deception

Analysis: 'Cybersecurity Call to Arms'

Anna Delaney • April 30, 2021

The latest edition of the ISMG Security Report features an analysis of British spy chief Jeremy Fleming’s "cybersecurity call to arms." Also featured: Insights on COVID-19 business continuity planning; the wisdom of the late Dan Kaminsky.