This LinkedIn piece warns of the cloud software company Blackbaud's cybersecurity disasters, which included no MFA, using MS Sticky Keys years after MS said they should be disabled, and using vendor default passwords. Things got so bad that KPMG withdrew its compliance reports once it found that Blackbaud had lied to it.
Read full story
This InfoWorld piece warns of the serious dangers that come with the all-but-impossible-to-resist efficiency benefits of using generative AI tools for programming. We need an entirely new human-in-the-loop approach to software management.
Read full story
This InfoWorld piece looks at what it meant when AWS CEO Matt Garman told developers that "it's possible that most developers are not coding" by 2026, a remark that raised the question of how different AI-centric coding environments would look.
Read full story
This InfoWorld piece looks at Google's rollout of a series of GenAI-powered developer tools, including a coder-focused translation tool that one IDC analyst described as "an absolutely amazing and remarkable project."
Read full story
This InfoWorld piece looks at how the non-compete rules will now vary from state to state; IT workers are back to precisely where they were a few months ago.
Read full story
Expressing unhappiness with so many companies reporting cybersecurity incidents that the companies themselves say may not be material, the SEC on Tuesday (May 21) encouraged companies either not to file such reports or at least to use a different form.
Read full story
As enterprises strive to leverage data in every way possible, corporate privacy policies are a listing of what they are trying to get away with, written with the fervent hope that no one ever reads them.
Read full story
This InfoWorld piece discusses the Copilot-powered security tools, simplified developer collaboration, and easier integration of voice-activated generative AI into mobile apps that were among the changes on show at Build.
Read full story
SolarWinds' new filing attacks the SEC. Is this now how CISOs must defend themselves? According to SolarWinds, the SEC "leaps to unwarranted conclusions from documents it either misunderstands or willfully mischaracterizes."
Read full story
This Kiosk Kiosks story focuses on how, as kiosks handle more sensitive and compliance-controlled data, as well as literally giving users money and other high-value items, robust authentication becomes critical.
Read full story
This Kiosk Kiosks story focuses on the most talked-about technology this year, generative AI, which is behind ChatGPT, Bing Chat, Google Bard and dozens of other implementations, and which is likely to be talking right from the speaker of most kiosks quite soon.
Read full story
This Kiosk Kiosks interview with Sabine Croxford of the Royal National Institute of Blind People (RNIB), one of the UK's leading sight loss charities, examines why, in a world where so many people are visually impaired to varying degrees, it is wise to rethink kiosk features, screen layout, compatibility with peripherals (such as headphones), kiosk placement (away from noisier areas), and overall design.
Read full story
This InfoBlox Blog story looks at how, when executives are strategizing their IT purchase plans, they may pigeonhole their companies into buckets such as enterprise or SMB. But those classifications are typically based on annual revenue or, far less often, the number of employees. Is that really the right metric for IT strategy?
Read full story
This InfoBlox Blog story looks at the Zero Trust strategy discussions among enterprise security teams. The problem is that every enterprise is implementing ZT differently, and many CISOs are struggling to find the ideal approach for their business.
Read full story
This Kiosk Association story examines how finding, sustaining and ultimately proving kiosk ROI can be tricky. Karl Goodhew, chief technology officer at the quick-service restaurant chain BurgerFi, has come up with a very repeatable method of bringing home kiosk ROI.
Read full story
This InfoBlox Blog story examines the cat-and-mouse game between enterprise security teams and the insurance companies trying to do whatever they can to limit what they have to pay.
Read full story
This InfoBlox Blog story examines how DNS is typically viewed as a fine source for post-incident investigation, but that's about all. In truth, given today's threat environment, DNS can save money, accelerate the blocking of attacks and defend against a wide range of DNS-specific attacks that can't be blocked any other way.
Read full story
This InfoBlox Blog story examines how IPAM can fill in the data gaps left by DHCP. With enterprise cybersecurity under almost constant attack today, CISOs need a complete and current view of their entire global environment.
Read full story
This Kiosk Industry story examines kiosks as a highly effective way to interact with customers, but notes that in healthcare settings they must be handled carefully to avoid compliance, privacy and cybersecurity problems.
Read full story
This Kiosk Industry story examines kiosks and the flood of new privacy rules and consent litigation that go well beyond compliance rules.
Read full story
This Motley Fool story examines how many enterprises are struggling to find enough employees, especially in lower-level roles. But Amazon has hired more employees than it needs, and it did so deliberately. Here's how the company's massive scale and ambition could help it turn a potential weakness into yet another strength.
Read full story
This InfoBlox Blog story examines government regulators' increased and active interest in cybersecurity defenses, especially in the transportation and energy industries. Although the best practices proposed are basic measures that organizations should already take, there are additional approaches that can boost an organization's security capabilities and responsiveness.
Read full story
This InfoBlox Blog story examines how leveraging AI in asset management, on top of DNS management, can accelerate the detection and blocking of an attack some 60 times.
Read full story
This InfoBlox Blog story examines the least surprising observation about the 2021 security landscape: it is far more complicated and attacker-friendly because of changes such as remote sites, IoT, soaring cloud use and partners demanding ever more access to sensitive operational data. What is surprising is how many enterprises are not leveraging the DNS, IPAM and related tools that already exist in their environments. Indeed, one of the most useful things about DNS and IPAM is that they can detect patterns of movement within the enterprise that many other tools miss.
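The two InfoBlox entries above (DNS as an active defense, and DNS/IPAM spotting patterns of movement) describe the idea but not the mechanics. The following is an added example, not code from the page or from InfoBlox: detection logic run over a constructed resolver log. The log format (timestamp, client, query name, qtype, rcode), the hosts and addresses, the internal zone suffix `.corp.example` and all thresholds are assumptions made for the example. It flags four things a resolver log exposes: random-looking registered domains (DGA-style), oversized names that carry payload rather than hostnames (tunneling), NXDOMAIN bursts from one client, and one client resolving many internal hostnames in quick succession, which is the "movement" signal.

```python
"""Detection heuristics over a constructed DNS query log (example code, not from the page)."""
import math
from collections import Counter, defaultdict

# Constructed sample log (not a real capture). Fields: timestamp client qname qtype rcode.
# 10.1.4.22 shows a DGA-style NXDOMAIN burst, 10.1.4.57 hex-encoded TXT exfiltration,
# 10.1.4.88 a sweep of internal hostnames typical of lateral-movement reconnaissance.
SAMPLE_LOG = """\
2021-03-01T09:00:01 10.1.4.22 mail.corp.example A NOERROR
2021-03-01T09:00:02 10.1.4.22 documentation.corp.example A NOERROR
2021-03-01T09:00:03 10.1.4.22 www.example.org A NOERROR
2021-03-01T09:01:10 10.1.4.22 ewqjhgxcvkjwqe.com A NXDOMAIN
2021-03-01T09:01:11 10.1.4.22 zxkqwrpvmnbtyu.net A NXDOMAIN
2021-03-01T09:01:12 10.1.4.22 pqlmzxvbnkjhgt.org A NXDOMAIN
2021-03-01T09:01:13 10.1.4.22 trwqpzxcvbnmlk.info A NXDOMAIN
2021-03-01T09:02:00 10.1.4.57 4a6f686e20446f65.0a50617373776f7264.3132333435.data.tunnel.example TXT NOERROR
2021-03-01T09:02:01 10.1.4.57 5573657220726f6f.742061646d696e20.6b6579.data.tunnel.example TXT NOERROR
2021-03-01T09:05:00 10.1.4.88 dc01.corp.example A NOERROR
2021-03-01T09:05:00 10.1.4.88 dc02.corp.example A NOERROR
2021-03-01T09:05:01 10.1.4.88 fileserver.corp.example A NOERROR
2021-03-01T09:05:01 10.1.4.88 backup.corp.example A NOERROR
2021-03-01T09:05:02 10.1.4.88 hr-db.corp.example A NOERROR
2021-03-01T09:05:02 10.1.4.88 payroll.corp.example A NOERROR
2021-03-01T09:05:03 10.1.4.88 jump01.corp.example A NOERROR
2021-03-01T09:05:03 10.1.4.88 ws-ceo.corp.example A NOERROR
"""

INTERNAL_SUFFIX = ".corp.example"          # assumption: the organisation's internal zone
DGA_MIN_LEN, DGA_MIN_ENTROPY, DGA_MAX_VOWELS = 12, 3.0, 0.25   # assumed thresholds
TUNNEL_NAME_LEN, TUNNEL_LABEL_LEN = 60, 16                     # assumed thresholds
NXDOMAIN_BURST = 4                                             # assumed threshold
INTERNAL_SWEEP = 6                                             # assumed threshold


def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(name):
    """DGA heuristic on the registered-domain label (simplified: no public-suffix list)."""
    labels = name.lower().split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    # Entropy alone misfires on long real words ("documentation" is about 3.2 bits);
    # the vowel ratio separates dictionary words from consonant soup.
    return (len(label) >= DGA_MIN_LEN
            and shannon_entropy(label) >= DGA_MIN_ENTROPY
            and vowel_ratio < DGA_MAX_VOWELS)


def looks_like_tunnel(name):
    """Very long names or very long labels carry payload, not hostnames."""
    labels = name.split(".")
    return len(name) >= TUNNEL_NAME_LEN or max(map(len, labels)) >= TUNNEL_LABEL_LEN


def analyze_dns_log(text):
    """Return per-query and per-client findings for a log in the format above."""
    findings = {"dga_like": [], "tunnel_like": []}
    nxdomain = Counter()
    internal = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, name, _qtype, rcode = line.split()
        if looks_generated(name):
            findings["dga_like"].append(name)
        if looks_like_tunnel(name):
            findings["tunnel_like"].append(name)
        if rcode == "NXDOMAIN":
            nxdomain[client] += 1
        if name.endswith(INTERNAL_SUFFIX):
            internal[client].add(name)
    findings["nxdomain_burst"] = {c: n for c, n in nxdomain.items() if n >= NXDOMAIN_BURST}
    findings["internal_sweep"] = {c: len(s) for c, s in internal.items() if len(s) >= INTERNAL_SWEEP}
    return findings


if __name__ == "__main__":
    for tag, hits in analyze_dns_log(SAMPLE_LOG).items():
        print(f"{tag}: {hits}")
```

The internal-sweep rule is the one that needs IPAM alongside DNS in practice: the count of distinct internal names is only meaningful once the client address is tied to a known asset and a known role, which is exactly the gap the IPAM entry above says DHCP alone leaves open. The heuristics are deliberately simple and would need time windows and allow-lists before running on production logs.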
Read full story
This InfoBlox Blog story examines how the enterprise security world changed forever in March 2020, with almost all enterprises flipping from 90 percent of people and information flow happening inside the perimeter to 90 percent (or more) happening outside it. The implications of this, coupled with sharp increases in cloud and IoT use, have forced CISOs to deal with an environment completely different from the one they are used to and were trained for.
Read full story
This InfoBlox Blog story examines how Zero Trust Networking (ZTN) is more a security concept, an approach, an ideology if you will, than a detailed specification. There are many ways of implementing ZTN, but the common thread is that every user and device must prove it is legitimate. No "well, you're here in a secure area, so something must have approved you" thinking. As a Unix admin would say, there are no trusted hosts anymore.
Read full story
This TechCrunch story examines what energy executives can do to make major changes across the globe. Not only will such change take a very long time, but energy executives have a limited ability to materially move that needle.
Read full story
This SC Magazine story explores the industry's hard lessons and what security teams across industries can learn from them.
Read full story
This TechCrunch story examines how, when senior executives at two of the world's most highly regulated verticals, healthcare and finance, explore ways of improving operations, boosting margins and delivering it all with a strong ROI, their go-to plan focuses on pushing technology.
Read full story
This TechCrunch story examines decision-makers' lack of trust in AI, meaning that they resist, if not disregard, its recommendations, from security defending against malware-armed attackers, to marketing trying to predict next season's buying habits, to manufacturing trying to guess which piece of machinery will break down next.
Read full story
This TechCrunch story looks at how, among startups looking to raise capital, more and more founders are turning to online fundraising. These platforms are relatively new, launched as a direct result of the 2012 JOBS Act, which paved the way for startups to publicly advertise their capital raises and use equity crowdfunding to turn everyday customers into investors, whether or not those customers were "accredited investors".
Read full story
This SC Magazine story looks at the race to keep up with changing phishing attacks built to defeat new defenses. In the end, attackers are evolving faster than defense strategies are developed.
Read full story
This IoT World Today story examines why experts say IoT pen testing is a no-brainer, and why they also say you shouldn't test everything.
Read full story
This SC Magazine story explores how ever-changing rules, corporate landscapes and supply chains keep compliance mandates always in play. Juggling those variables makes the CISO's compliance requirements a moving target.
Read full story
This Virtasant story looks at how security technology is supposed to telegraph its functionality, but in the case of continuous authentication, the name does a great disservice to the technology and, more critically, to the CISOs and CSOs who could benefit from it.
Read full story
This Protocol story looks at how the software that facilitated decades of thin but stable margins in the grocery industry couldn't handle the weight of a pandemic.
Read full story
This SC Magazine story looks at how CISOs are wrestling with limiting attack-surface risk while COVID-19 explodes the size of corporate networks far beyond the firewall. Controlling endpoints and deploying zero trust models are key to containing potential breaches.
Read full story
This SC Magazine story looks at the physical security aspect of empty office buildings forced closed by COVID-19.
Read full story
This SC Magazine story looks at how enterprise CISOs are used to worrying about corporate data leaks via mobile devices, remote locations, IoT and shadow IT. But what about the vehicles driven by so many of the people who have access to the systems and data you are paid to protect?
Read full story
This SC Magazine story looks at shadow IT as one of the biggest threats: trying to defend against every IoT device in the company might not be the answer, but having rules in place could help.
Read full story
This InfoBlox Blog story looks at the cloud as a powerful way to boost bandwidth and scalability and to help with security, but one that brings significant complexity for both security and compliance.
Read full story
This InfoBlox Blog story looks at why 5G carrier rollouts will be slow, and argues that CISOs and CIOs need to focus on 5G right away anyway.
Read full story
This SC Magazine story looks at network vulnerabilities, which often occur in conjunction with some other IT security policy or procedure violation, creating a multilayer challenge for the security team.
Read full story
This SC Magazine story looks at why it's time to rethink risk, both how to define it and how to operationalize it. With so many incompatible views of risk among different stakeholders across an enterprise, it's hardly surprising that so many organizations struggle to get beyond a checklist security mentality.
Read full story
This InfoBlox Blog story looks at the upcoming 5G rollouts, which are going to complicate Internet of Things (IoT) security far beyond what we have now.
Read full story
This SC Magazine story looks at today's enterprise-level asset management and how it has turned something that was difficult to track into something that is often almost impossible to track.
Read full story
This SC Magazine story looks at where CISOs fall short: even the best-laid plans are often fraught with mistakes, some big, some more nuanced.
Read full story
This InfoBlox Blog story explores how AI can be used to review all internal and external threat feeds while the security team defends against an active attack.
Read full story
This SC Magazine story explores what CISOs do right and wrong when fighting an active attack.
Read full story
This SC Magazine story explores the perilous pitfalls of compliance.
Read full story
This SC Magazine story explores how judicious use of threat intel can be vital when actively defending against an attack.
Read full story
This SC Magazine story explores how companies need to regain control over their threat intelligence feeds.
Read full story
This Harvard Business Review piece explores the future of retail and AI.
Read full story
This SC Magazine piece discusses how users are still baffled and defeated by phishing hustlers, and how CISOs and CIOs unleash their red teams to help users recognize the pernicious attacks.
Read full story
This SC Magazine piece discusses the delicate conundrum of security chiefs who need to tell the board the truth, albeit a more palatable version of the truth.
Read full story
This SC Magazine piece discusses ransomware as a business, and as such one with rules, requirements, customer support, and a driving need for customer loyalty and trust. Trust your attacker?
Read full story
This SC Magazine piece discusses how the risk of getting identity wrong and enabling a breach is driving behavioral analytics and other technologies, taking IAM to new heights. Will that solve the problem?
Read full story
This SC Magazine piece discusses how sharing threat intelligence in an ISAC can make companies stronger when they fully participate.
Read full story
This SC Magazine piece discusses how risk is everywhere, and asks how a CISO can reduce the company's risk profile without accidentally introducing even more.
Read full story
Evan Schuman wrote and reported this Harvard Business Review piece, which looks at how mid-sized companies are struggling with B2B digital payments and the strategies to take those payments to the next level.
Read full story
This SC Magazine piece discusses how the future of SIEM is cloudy, literally and figuratively, as companies strive to keep up with potentially billions of events. Evan Schuman explains.
Read full story
This SC Magazine piece discusses insider threats, which can be malicious or accidental but are always a threat. Evan Schuman explores how to solve the puzzle with analytics.
Read full story
This Emerge piece discusses how the single largest threat to everyday enterprise security systems is social engineering, where cyberthieves rely on deceit and human emotions to trick people into revealing sensitive data like passwords and personally identifiable information. In an interesting twist, researchers are now leveraging artificial intelligence (AI) to build systems that can stand in for the human, using machine learning (ML) to predict when the other person is being deceitful.
Read full story
This Veracode Blog piece discusses how the enterprise challenge in generating secure code is well known: as software becomes a competitive advantage and customers expect regular updates, the need to release new features and content frequently often trumps the need to release secure code. Although that's a real conflict, it's not the full story.
Read full story
This SC Magazine piece reports on how the fear of successful cyberattacks meets the fear of unintended consequences when machine learning is your first line of defense.
Read full story
This Veracode Blog piece covers why developer training on application security is critical to the success of every security program, and why many companies deploy that training improperly or insufficiently, as argued by Maria Loughlin, VP of Engineering at CA Veracode.
Read full story
This Veracode Blog piece is about how it's taken quite some time to get here, but enterprise IT execs are finally embracing DevSecOps.
Read full story
This Veracode Blog piece covers one of the sad truths about security: it has typically been viewed by enterprise C-level executives as akin to an insurance policy, necessary but never going to produce profits, boost revenue or attract new customers. But are those long-held perceptions changing?
Read full story
This Emerge piece states that using artificial intelligence (AI), and especially one form of AI, machine learning (ML), is all the rage these days in enterprise IT. But could it also turn the reactive "have you tried restarting?" corporate helpdesk into a mechanism that anticipates and predicts technology problems before they're readily apparent? Quite possibly.
Read full story
This IDG piece states that machine learning technology is still an evolving area in security. But it has the potential to be a game changer.
Read full story
This IDG piece discusses how shadow IT was born out of innovative necessity, often causing security headaches. But there are strategies for controlling it.
Read full story
This SC Magazine piece asks: Has MDM gotten out of hand? As enterprises try to rein in mobile devices, new ones pop up on the network and additional software is installed to manage the chaos.
Read full story
This IDG piece states that a successful Identity and Access Management plan requires multiple departments to be involved in data identification.
Read full story
This Emerge piece is about how France's President Emmanuel Macron last month laid out a vision for artificial intelligence (AI) dominance in a major speech, a vision that he hopes will place top global AI resources in France rather than China or the U.S. But Macron's vision, especially when it comes to realistic privacy goals, seems to ignore key parts of what AI truly is.
Read full story
This IDG piece states that Internet of Things devices have taken the enterprise by surprise, but communication and understanding can help mitigate the rising risks around IoT.
Read full story
This SC Magazine piece states that it's too late to do GDPR compliance right for the May 2018 deadline, but not too late to start.
Read full story
This SC Magazine piece looks at the light side and dark side of threat intelligence.
Read full story
This SC Magazine piece looks at how balancing governance, risk and compliance is complicated enough in the U.S., especially for companies in highly regulated industries. Throw in international requirements and now you're dealing with regulations that directly contradict U.S. regulations.
Read full story
This Veracode Blog story is about making business people better understand how devastating cyber thief and cyber terrorist attacks can be, and how remarkably dependent we are today on software.
Read full story
This SC Magazine story is about U.S. companies that are passionately resisting attempts to comply with GDPR: why they are doing it and why it's self-defeating.
Read full story
This piece in Ars Technica discusses how ML has more than just a learning curve to overcome before it transforms business.
Read full story
This piece in SC Magazine discusses the pros and cons of hybrid AI.
Read full story
This piece in The Veracode Blog discusses how doing security well is hard work, but it should never block useful functionality for your customers. If security interferes with key software capabilities, the security must be tweaked. The answer should never be to abandon the functionality and certainly not to abandon the security. And yet two instances from this month suggest that is exactly what is happening.
Read full story
This piece in The Veracode Blog discusses the latest discovery of "132 Android apps on Google Play infected with tiny hidden IFrames that link to malicious domains in their local HTML pages," according to the security firm that made the discovery.
Read full story
This piece in SC Magazine discusses how there are few areas of technology as contradictory as governance, risk and compliance. A company might do everything to be secure yet still not be in compliance. This GRC story won a bronze writing award at the 2018 Azbee Awards of Excellence (the American Society of Business Publication Editors).
Read full story
This piece in SC Magazine discusses the overarching reality that in the first hours and even days following the detection of an incursion, you truly know nothing. Were you perhaps breached more than a year ago and only learning of it now? Could someone on your team, intentionally or otherwise, be a factor? Not only do you know nothing in that first post-discovery phase, but your initial probe might be more misleading than informative. So what should you do?
Read full story
This piece in The Veracode Blog discusses a reminder that app security has not yet arrived at its optimal state. Consider this piece from Kaspersky's Threatpost pointing out how reused third-party libraries perpetuate security holes long after they have been discovered.
Read full story
This piece in The Veracode Blog discusses how, in the US, there exist no meaningful national cybersecurity rules, but, as a practical matter, that is likely to change this year. It's not coming from Congress, though. The catalyst is new rules from the New York State Department of Financial Services slated to take effect in March. In financial matters, that New York department is typically mimicked by a wide range of other state regulators, along with federal regulators. Hence, de facto national rules. The rules themselves are not especially controversial, being primarily security best practices: they insist on regular penetration testing and vulnerability assessments, establish strict encryption guidelines and require written access-control policies. Notably, however, the way they approach application security is somewhat novel, and the regulations contain some language that might cause confusion.
Read full story
This piece in NewCo Shift discusses how a news story or feature article published by the right media outlet can have a massive impact on your business, good or bad. After all, most reputable publications have far more credibility than any marketing collateral your company might craft, simply because the press are considered unbiased observers.
Read full story
This piece in NewCo Shift discusses what comes next once you've made sure that reporters can reach you. Congratulations! You strategized reasons for them to want to talk with you, and now you have an interview lined up with a journalist from a relevant media outlet. Many companies never make it this far, so you've accomplished quite a bit. Now all you have to do is not blow it.
Read full story
This piece in The Veracode Blog discusses a great idea for the most effective way to make life easier for cyberthieves, especially those who prey on ineffective app security: get one of the most powerful brands in computing to publicly declare a security deadline and then have it quietly withdraw that deadline on the eve of its taking effect.
Read full story
This piece in The Veracode Blog discusses how app security today is the Rodney Dangerfield of IT security: everyone knows about it, but it gets no respect. Isn't it obvious that because apps are granted greater data-sharing with other apps and the ability to update themselves, directly from the mothership, without IT signoff, this should soar to the top of the danger list?
Read full story
This piece in NewCo Shift discusses how reporters absolutely love real thought leaders: smart people who offer surprising and useful insights. But true leadership is quite hard to find. If you make it easy for the media to catch your execs being brilliant, your business may well benefit.
Read full story
This piece in NewCo Shift discusses how the most persuasive kind of publicity is media coverage. Free media is more valuable than almost any kind of marketing, except word of mouth, because it lets you tell the world the value of your offerings, and it comes with the validation of a third party (the publication). Nowhere is press coverage more crucial than for a budget-constrained start-up or small business.
Read full story
This piece in Sift Science covers how, when security researchers recently published that multi-merchant attacks gave them unlimited attempts at guessing Visa card fields (but not Mastercard fields), it was a reminder of the inherent fragility of payment card security today.
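The multi-merchant attack the entry above refers to works because each merchant's checkout enforces its own attempt limit and nobody counts across merchants. The following simulation is an added example, not code from the page or from the researchers it mentions: a toy issuer, toy merchants with a per-card lockout, and an attacker that spreads guesses of one card field round-robin across many merchants. The test PAN, the expiry value, the 60-candidate expiry space, the lockout counts and the issuer-side velocity check (one plausible countermeasure, assumed here rather than taken from the page) are all constructed for the example.

```python
"""Distributed card-field guessing across merchants (example code, not from the page)."""
from collections import Counter

# Constructed search space: 5 years x 12 months of MMYY expiry values.
EXPIRIES = [f"{m:02d}{y:02d}" for y in range(17, 22) for m in range(1, 13)]


class Issuer:
    """Toy issuer. With centralize=True it counts failed checks per PAN across
    every merchant (an assumed countermeasure); otherwise it only answers yes/no."""

    def __init__(self, cards, centralize=False, global_limit=10):
        self.cards, self.centralize, self.global_limit = cards, centralize, global_limit
        self.failures = Counter()

    def verify(self, pan, field, value):
        if self.centralize and self.failures[pan] >= self.global_limit:
            return "DECLINED_VELOCITY"
        if self.cards[pan][field] == value:
            return "APPROVED"
        self.failures[pan] += 1
        return "DECLINED"


class Merchant:
    """Toy checkout page: locks a card after max_attempts failures seen by this merchant only."""

    def __init__(self, issuer, max_attempts=3):
        self.issuer, self.max_attempts = issuer, max_attempts
        self.failures = Counter()

    def submit(self, pan, field, value):
        if self.failures[pan] >= self.max_attempts:
            return "LOCKED"
        result = self.issuer.verify(pan, field, value)
        if result != "APPROVED":
            self.failures[pan] += 1
        return result


def guess_field(merchants, pan, field, candidates):
    """Try each candidate once, rotating through merchants so no single merchant
    sees more than its lockout threshold. Returns (value or None, attempts made)."""
    attempts = 0
    queue = list(merchants)
    for value in candidates:
        while queue:
            merchant = queue[0]
            result = merchant.submit(pan, field, value)
            if result == "LOCKED":
                queue.pop(0)            # this merchant is used up; retry value elsewhere
                continue
            attempts += 1
            if result == "APPROVED":
                return value, attempts
            if result == "DECLINED_VELOCITY":
                return None, attempts   # issuer-side counter stopped the attack
            queue.append(queue.pop(0))  # plain decline: next candidate, next merchant
            break
        else:
            return None, attempts       # every merchant has locked this card
    return None, attempts


def run_scenarios():
    """Same card, same candidates, three defensive postures (constructed test data)."""
    pan, field = "4111111111111111", "expiry"
    cards = {pan: {field: "0919"}}           # constructed: the value the attacker wants
    out = {}
    out["one_merchant"] = guess_field([Merchant(Issuer(cards))], pan, field, EXPIRIES)
    issuer = Issuer(cards)
    out["twenty_merchants"] = guess_field(
        [Merchant(issuer) for _ in range(20)], pan, field, EXPIRIES)
    issuer = Issuer(cards, centralize=True, global_limit=10)
    out["twenty_merchants_central_limit"] = guess_field(
        [Merchant(issuer) for _ in range(20)], pan, field, EXPIRIES)
    return out


if __name__ == "__main__":
    for name, (value, attempts) in run_scenarios().items():
        print(f"{name}: recovered={value} after {attempts} attempts")
```

One merchant with a three-strike lockout stops the attacker after three guesses; twenty merchants with the same lockout give sixty guesses, enough to cover every expiry and recover the value on the 33rd try; only a counter that lives with the issuer and spans merchants ends the run early. The same structure applies to any field guessed one merchant at a time, such as CVV2 or postal code, so long as each merchant checks a different field or the issuer does not correlate declines.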
Read full story
This piece in The Veracode Blog discusses the holiday season's retail pop-up stores and seasonal sites. Those are all good for merchants, good for gift-seeking shoppers and potentially very good news for cyberthieves hoping for vulnerable sites that can fuel fraud.
Read full story
This piece in SC Magazine discusses what you need to know about how the EU's privacy rules could impact your business operations. Just because you don't do business directly in the EU, that doesn't mean GDPR won't impact your business.
Read full story
This piece in The Veracode Blog discusses the oft-repeated claim in security circles that a massive percentage of intrusions and breaches could be thwarted by the IT equivalent of eating your vegetables and exercising regularly. Whereas CFOs are often attracted to, or in some cases repelled by, the shiny objects of high-end security defenses, the mundane wash-your-hands-before-eating rules have the most impact. That means not reusing passwords, never clicking on unknown links, logging off before walking away and 50 other boring but amazingly effective tactics.
Read full story
This piece in Sift Science discusses how it's no secret that fraud is costly for online businesses. But are you tracking exactly where your money is going? A new report from Javelin research found that fraud costs merchants more than 7.5% of their annual revenue, a figure computed by looking at a combination of fraud management costs, false positives, and chargeback losses.
Read full story
This piece in The Veracode Blog discusses how malware threats are ever-present on mobile, and why this needs to be a top concern for IT execs as they continue to issue millions of mobile devices to enterprise workers.
Read full story
This piece in PCMagazine discusses seven considerations to think about before you make the jump into payments processing on your e-commerce website.
Read full story
This piece in The Veracode Blog discusses how the App Economy is steamrolling along and has the very legitimate potential to rewrite much of how businesses use technology. Uber obliterated yellow taxis, Pandora and Spotify have all but made FM radio irrelevant, and streaming video has forced TV and movie theaters into the back seat.
Read full story
This piece in Sift Science discusses how security vs. convenience is always a delicate balancing act in e-commerce. But even if you're doing everything "right," security communication can be challenging. No shopper goes to a particular merchant because that shopper thinks the merchant's security is top-notch. Security perception can be a reason someone decides not to shop somewhere, but it's never a reason they decide to shop somewhere.
Read full story
This piece in Sift Science discusses how geolocation is a very effective, albeit limited, tool to help authenticate a transaction. But Clifford Cook, senior vice president and head of product and marketing for the Retail Payment Solutions division at U.S. Bank, is wrong when he says the bank can validate that a transaction is legitimate. Not quite.
Read full story
This piece in The Veracode Blog discusses how dangerous your app security holes are. Sadly, they are quite dangerous and getting far more so. In a study released Tuesday (Oct. 18) that examined billions of lines of code from 300,000 assessments performed over the previous 18 months, a stunning 97 percent of Java applications contained at least one component with a known vulnerability.
Read full story
This piece in The Veracode Blog discusses how corporate execs are understandably worried these days about all of their electronic communications. Whether messages are intercepted by corporate spies working for the competition, government investigators snooping for terrorists or cyberthieves looking to steal what they can, anything that is intercepted can wind up somewhere else. See Edward Snowden.
Read full story
This piece in The Veracode Blog discusses how non-tech media outlets have figured out that applications make wonderful entry points for cyberthieves. Given the layers of complexity that many enterprise apps feature today, it's hardly surprising that they harbor massive security holes. That message seems to be finally sinking in.
Read full story
This piece in Sift Science discusses the idea of a single, standard way to pay for anything securely online. Sounds great, right? But does this ambitious vision actually stand a chance of happening?
Read full story
This piece in The Veracode Blog discusses how much has been written about Apple's official stance against giving law enforcement an encryption backdoor into its customers' files, and how Apple's firm position against a backdoor has been painted as a marketing decision, since it gives people a really good reason to buy Apple devices instead of Android or something else.
Read full story
This piece in Sift Science discusses the surprising timing of the world's largest card brand's pledge to abandon passwords for just this one program: the plan wasn't to make them disappear by this year's holiday shopping season, or even by next year's. No, Visa's announced plan was to rid its Verified by Visa world of "password1234" by April 2018. Good to see that this authentication risk is being taken so seriously.
Read full story
This piece in The Veracode Blog discusses how it's hardly a revelation that hardcore security veterans are not at the pinnacle of clear communication, and that, in general, the more technical the talent, the weaker the communication. For most in IT, and almost everyone in the corporate world outside of IT, this is generally dismissed as a fact of life.
Read full story
This piece in Sift Science discusses the happy partnership between a fraudster and his gift cards. They are the perfect way to launder stolen funds while also getting a multi-day head start over law enforcement. Much of the reason involves how retailers handle, and most critically track, gift cards.
Read full story
This piece in SC Magazine discusses how the security threat from the Internet of Things (IoT) has become real because far too many of those sneaky IoT devices fly in under the radar. Corporate maintenance, facilities and operations departments are not accustomed to requesting IT's signoff on purchasing light bulbs or door locks. And yet, when those devices have their own independent (or dependent) communications capabilities, they are an easy backdoor for cyberthieves.
Read full story
This piece in The Veracode Blog discusses how it's not what you say but how you say it. That piece of advice, which has been given to countless politicians and executives over the decades, might be the premise behind an intriguing new approach to biometric authentication. Although, to be precise, it's closer to "It's not what you type, but how you type it."
Read full story
This piece in Sift Science discusses how EMV payments were supposed to modernize payment card security in the U.S. But guess what? They haven't. There is still a fine chance that they will eventually be a huge help against fraud in the U.S., but looking into the many deployment problems delivers a frighteningly accurate snapshot of U.S. bureaucracy.
Read full story
This piece in
The Veracode Blog discusses how not only is e-commerce being radically changed due to the mobilization of shoppers, but it's disproportionately happening with younger consumers. At the same time, law enforcement and government regulatory attention is being focused on age violations. And yet, the vast majority of companies have age-verification systems that provide almost no legal protections.
Read full story
This piece in
Sift Science discusses how, when it comes to payment fraud fears and shopping behavior, there's a big difference between what people say and what they actually do. For example, studies show that debit card use is on the rise—despite the fact that the absence of zero liability protections for debit means that credit cards are much safer overall. Those same consumers will tell surveys that they would never shop with a retailer who has suffered a major data breach—and yet those retailers never sustain a detectable drop in revenue.
Read full story
This piece in
Sift Science discusses how one of the pitfalls of interpreting judicial decisions is that it's easy to generalize—as in "this case means you had better no longer do X and Y"—whereas judges tend to be extremely specific (as in "this case with these exact players in these exact circumstances shouldn't do X and Y"). A classic example of this kind of misleading analysis is happening with an e-commerce fraud case called Gucci vs. Alibaba.
Read full story
This piece in
The Veracode Blog discusses how one of the biggest security threats is that enterprise mobile app testing is overwhelmingly focused on functionality and not security. Pen testing of apps to see what data they—or some third-party app they are integrated with—are actually retaining is hardly ever done prior to deployment, if then. Why?
Read full story
This piece in
Sift Science discusses how fraud prevention has always been about striking the right compromise between convenience and security — and this is especially true in the world of e-commerce. Although multi-factor authentication will work wonderfully in banking and legal—where the end-user is just as worried about security as your CISO—in online retail, it's dicey. People don't typically visit an e-commerce site concerned about credit card fraud. Why make your virtual storefront more difficult to interact with than your competitors'?
Read full story
This piece in
Sift Science discusses how research does little more than confirm what we already suspect — and that, in effect, forces us to confront an uncomfortable reality. Such is the case with new data about false declines. Fresh research from Business Insider puts the false decline problem front-and-center: "U.S. e-commerce merchants will lose $8.6 billion in falsely declined transactions in 2016, according to our estimates. This amounts to over $2 billion more than the $6.5 billion in fraud they will prevent."
Read full story
This piece in
The Veracode Blog talks about how crowdsourcing security holes—aka bug bounties—has become an increasingly popular tech firm tactic, bordering on Silicon Valley standard operating procedure. But as tempting as such an approach is, it's not without serious drawbacks.
Read full story
This piece in
The Veracode Blog discusses how, when protecting app data, the default response for years has been passwords. And as long as a company's data is solely being defended by passwords, it makes sense to insist that they be changed regularly, no? Would not such mandated periodic changes shorten the useful life of the access controls for thieves? Turns out that the answer is "no" to all of the above.
Read full story
This piece in
Sift Science discusses how fighting e-commerce fraudsters is a constantly changing game of point counter-point, where we develop defenses against today's attacks and then the fraudsters craft new attacks to sidestep our defenses. Wash, rinse, repeat. We've actually gotten quite good at defending against the common attack types, while cutting-edge approaches using predictive analytics help protect against more sophisticated attacks by detecting patterns that appear to be fraud.
Read full story
This piece in
The Veracode Blog discusses a fact about mobile apps that is as true for Fortune 100 companies as mom-and-pops: Rare is the company that understands what data its mobile app retains.
Read full story
This piece in
Sift Science discusses how online retailers know the way fraudsters generally act: they conceal themselves behind bogus names and disposable IP addresses. Those HTML hoodlums are risking arrest by various levels of law enforcement, so they have to hide in the shadows. But what if that's not always true? What if some fraudsters are using their real names and aren't hiding at all?
Read full story
This piece in
The Veracode Blog discusses an uncomfortable truth for IT to internalize: enabling access for a friend facilitates access for an enemy. This is what was behind the anti-backdoor argument that Apple aggressively made, albeit for non-altruistic sell-more-hardware reasons. In effect, if you provide an easy way for government investigators to access data, there's no reason to believe that bad guys won't use a variation of that to steal data.
Read full story
This piece in
Sift Science discusses how fraud-fighting is ultimately an ROI equation. How much time and how many resources can you justify, and how much will this investment reduce your fraud? Given that it's almost never cost-effectively possible to bring fraud down to zero, it's a balancing act. But one major manufacturer—Birkenstock, of sandal fame—has crunched the numbers and decided to give up and let the fraudsters win. Birkenstock has decided to no longer supply products to Amazon as of January 1.
Read full story
This piece in
The Veracode Blog discusses a delightful bit of survey happiness out of Ireland: a vendor survey found that "almost half of Irish businesses wouldn't disclose a data security breach to impacted third parties, including customers and suppliers." Even worse, these results likely underestimate how many execs agree with that thinking, but are shrewd enough to not share that with someone taking a survey.
Read full story
This piece in
Sift Science discusses how the reason for the increase in fraud attempts is essentially the same, whether it's in a store or online. Thieves take advantage of crowds, inexperienced temporary sales people and a perceived relaxing of fraud practices to hide their fraudulent behavior. Why do thieves expect fraud defenses to be relaxed during big sales events? Because, unfortunately, they often are.
Read full story
This piece in
The Veracode Blog discusses a very interesting new Ponemon Institute report on app encryption, which concludes that app encryption usage is sharply increasing, as it has consistently for years. The report found 37 percent of the companies examined this year embrace enterprise encryption, up from 15 percent in 2005.
Read full story
This piece in
Sift Science discusses how the strategies e-commerce businesses use against payment fraud—affectionately known in the payments world as CNP (card not present) fraud—all come down to a single concept: authentication. With a physical CP (card present) transaction, there are plenty of easy ways to authenticate. In a virtual setting, that task becomes a lot more challenging.
Read full story
This piece in
The Veracode Blog talks about security professionals and how they spend an awful lot of time trying to protect sensitive corporate information, locking it away in virtual vaults, as they should. But they often neglect to protect the people who have the keys/combinations to those virtual vaults—in some cases, protecting those key-holders from themselves.
Read full story
This piece in
The Veracode Blog talks about how encryption and tokenization are great security tools—when executed properly—as they sidestep protecting data and instead attempt to make the data worthless to thieves. It's a great strategy. But when it's executed improperly, it can insidiously weaken security. This happens when IT gets cocky and overconfident that the data would indeed be worthless to attackers and starts to get lax implementing strong prevention tactics, such as firewalls.
Read full story
This piece in
The Veracode Blog talks about another major security hole reported last week (June 8). This report, from Talos, is about a hole that allows malicious files to be launched when anyone clicks on a PDF from within the Google Chrome browser.
Read full story
This piece in
The Veracode Blog talks about how the security researcher's lot is not an easy one. This player is an essential part of the security ecosystem, an experienced security person who tries to find security holes in systems so that they can be flagged and fixed. The problem is that the good-guy security researcher—at a glance—looks and acts an awful lot like a bad-guy cyberthief. From the CISO's desk, how is one to tell the difference?
Read full story
This piece in
The Veracode Blog talks about how yet another prominent person in software security suggests that the password needs to be done away with—and they invariably say it as though it's a new idea. In reality, the security community has effectively agreed for more than a decade that passwords are no longer sufficiently secure to protect the sensitive data they are tasked with protecting.
Read full story
This piece in
The Veracode Blog talks about how perceived security threats motivate IT people the same way they do everyone else. People react to how much a threat scares them, which sometimes has little relation to how truly threatening that threat is.
Read full story
This piece in
The Veracode Blog talks about how enterprise security today is, at its most fundamental level, an afterthought. We take the OS, apps, databases and network controls as they are given to us, and then we try to Band-Aid on top of them the best security we can. We use firewalls and filters and VPN tunnels and encryption to try to limit the damage software vulnerabilities can do. As a practical matter, enterprise CISOs have little choice. Or do they?
Read full story
This piece in
The Veracode Blog talks about how US-CERT (the U.S. Computer Emergency Readiness Team) issued an alert about an old SAP security hole after a vendor flagged that attackers were still using it.
Read full story
This piece in
The Veracode Blog discusses how a security consultant argues that healthcare enterprises need to re-envision security and pull information from the network perimeter back into servers, where everything is easier to control. It's a compelling argument until you get realistic and practical and focus on the reason enterprise networks exist in the first place.
Read full story
Report for
SC Magazine on how some believe preparing an incident response plan is a useless precaution. Regardless, we must have them.
Read full story
This piece in
The Veracode Blog talks about Microsoft's optional security alert relating to peripherals, and specifically mice. Until the patch is implemented, Microsoft said, the peripheral could receive plain English—aka QWERTY—key packets in keystroke communications issued from receiving USB wireless dongles to the RP addresses of wireless mouse devices.
Read full story
This piece in
The Veracode Blog talks about how there's something unnerving—and even a tad repugnant—about announcing that there's a massive security hole and that it won't be patched for weeks. Welcome to Badlock.
Read full story
Penned for
The IBoss Blog, a piece on how, for IT security professionals today, one thing that is of minimal concern is an attack that goes undetected.
Read full story
Penned for
The Veracode Blog, a piece on how, if there's a security lesson to be taken from this surrealistic FBI versus Apple encounter, it's that security redundancy is truly important. We're talking multi-layered security, where any one or two layers can completely fail and security is still maintained. Why? Let's look at the latest in the FBI-Apple encryption dance. And if any of you bought into this "this Apple fight is over" rhetoric, you haven't been paying attention.
Read full story
This piece in
The Veracode Blog talks about how cyberattacks on hospitals represent the true security nightmare scenario. They combine privacy risks far more severe than attacks on the largest banks or retailers with life-and-limb risks that rival remote takeovers of nuclear power plants and cars.
Read full story
Wrote for
Third Certainty about how, despite rising cyber exposures and intensifying attacks, small and midsize businesses may actually be regressing when it comes to defending their networks.
Read full story
Looked at encryption and other protection measures for
Third Certainty and explored whether they may actually make security more difficult.
Read full story
Wrote for
Third Certainty about whether employees must be enlisted—and monitored—as part of security given that perimeter protection is no longer enough.
Read full story
This piece in
Fortinet discusses strong encryption, the security professional's arms race.
Read full story