Data security and privacy

NotPetya ransomware impact costs Maersk hundreds of millions

Danish shipping giant A.P. Moller-Maersk said the NotPetya ransomware attacks severely damaged business processes and the impact has been estimated at as much as $300 million in lost revenue. Continue Reading

CISSP Domain 2: Asset security

This Security School will help prepare you for Domain 2 of the CISSP exam, providing overviews of data encryption methods, data ownership concepts and asset protection. Continue Reading

Why data fidelity is crucial for enterprise cybersecurity

Cybersecurity teams can't be effective if they don't trust their data. Expert Char Sample explains the importance of data fidelity and the threat of cognitive hacking. Continue Reading

How did flaws in WhatsApp and Telegram enable account takeovers?

Flaws in WhatsApp and Telegram, popular messaging services, enable attackers to break encryption and take over accounts. Expert Michael Cobb explains how the attacks work. Continue Reading

Could the WannaCry decryptor work on other ransomware strains?

Researchers created WannaCry decryptor tools after the outbreak of the ransomware. Expert Matthew Pascucci explains how the tools work and if they work on other ransomware. Continue Reading

Risk & Repeat: Why are Amazon S3 buckets spilling on the web?

In this week's Risk & Repeat podcast, SearchSecurity editors discuss the series of enterprise data leaks through misconfigured Amazon S3 buckets and what should be done about them. Continue Reading

ASLR side-channel attack: How is JavaScript used to bypass protection?

Researchers have developed an ASLR Cache side-channel attack that enables them to eliminate ASLR protections. Expert Nick Lewis explains how JavaScript code is used in the attack. Continue Reading

What data loss prevention systems and tactics can do now

Setting up systems to preventing data loss is a must for companies of all sizes. Learn the basics of and what's new in data loss prevention and how to keep your DLP system humming. Continue Reading

Tools to transfer large files: How to find and buy the best

Need to transfer files within headquarters or between branches? Managed file transfer tools now offer some interesting new features. Continue Reading

Another AWS data leakage due to misconfiguration

Dow Jones becomes the latest organization to be affected by an AWS cloud data leakage due to misconfiguration and user error. Continue Reading

AWS S3 bucket leak exposes millions of Verizon customers' data

News roundup: An AWS S3 bucket leak containing personal data of millions of Verizon customers was exposed to the public. Plus, DNC hack victims are suing the Trump campaign, and more. Continue Reading

How are forged cookies used in attacks on online user accounts?

Yahoo claimed a vulnerability in its email service enabled attackers to use forged cookies to gain access to user accounts. Expert Michael Cobb explains what forged cookies are and how they are used in attacks Continue Reading

Risk & Repeat: RNC voter database left open to the public

In this week's Risk & Repeat podcast, SearchSecurity editors discuss how the Republican National Committee's voter database was accidentally exposed in an Amazon S3 bucket. Continue Reading

How did thousands of MongoDB databases get hijacked?

Thousands of MongoDB configurations were hijacked due to poor authentication practices. Expert Nick Lewis explains how organizations can properly configure their implementations. Continue Reading

How intelligence data leaks caused collateral damage for infosec

Alvaka Networks' Kevin McDonald looks at the real-world damage caused by data leaks at the CIA and NSA, which have put dangerous government cyberweapons in the hands of hackers Continue Reading

Information privacy and security requires a balancing act

Maintaining information privacy and security seem to be separate challenges, but in reality, each is integral to the other. Expert Kevin Beaver explains how to work toward both. Continue Reading

Cloud access security brokers: Hard to tell what's real

Most cloud access security brokers offer CISOs a way to set policy and gain better understanding of multiple cloud services and data in use across the enterprise. As CASBs have gained momentum in recent years, use cases for them have expanded. Do these tools fill the gaps around visibility and control of software as a service and other cloud services?

Although cloud service visibility and data leak protection continue to be the biggest drivers, cloud access security brokers can do more than just help with your shadow IT problem and unsanctioned application activity in the cloud.

Organizations are increasingly looking to use cloud access security brokers to identify anomalies in data movement between on-premises and cloud apps as well as multiple cloud services. Malware identification and encryption of data have become important. More enterprises are also beginning to use CASBs or similar intermediary security technologies to provide some level of security policy management for custom identity-as-a-service platforms.

In this issue of Information Security magazine, we look at cloud access security brokers and the best ways to evaluate new models, such as infrastructure as a service and platform security.

 Continue Reading

What MongoDB security issues are still unresolved?

There are some MongoDB security issues that have yet to be resolved. Expert Matthew Pascucci discusses the risks and how to protect your enterprise from them. Continue Reading

Target data breach settlement requires security improvements

News roundup: The Target settlement following the 2013 data beach requires the company to adopt a stronger security program. Plus, experts knock the FCC's DDoS claim, and more. Continue Reading

Trustwave Data Loss Prevention: Product overview

Expert Bill Hayes examines Trustwave Data Loss Prevention and how the product addresses data at rest, endpoint data in use and network data in transit for enterprises. Continue Reading

Cognitive hacking: Understanding the threat of bad data

Bad data can create more than just 'fake news.' Expert Char Sample explains how cognitive hacking and weaponized information can undermine enterprise security. Continue Reading

How effective is geofencing technology as a security method?

Geofencing technology is increasingly being used as a security tactic, such as to control access to servers with DNS settings. Expert Michael Cobb explains how it works. Continue Reading

ISAOs: The benefits of sharing security information

ISAOs are a good way for organizations to share information about security threats. Expert Steven Weil explains what these organizations are and their attributes. Continue Reading

How can a distributed guessing attack obtain payment card data?

Attackers can gather payment card data by carrying out distributed guessing with a minimal amount of existing information. Expert Michael Cobb explains how this attack works. Continue Reading

How does USB Killer v3 damage devices through their USB connections?

USB Killer devices, with the ability to destroy systems via a USB input, are available and inexpensive. Expert Nick Lewis explains how they work and how to defend against this threat. Continue Reading

DARPA's SSITH program takes aim at hardware vulnerabilities

News roundup: DARPA's SSITH program tackles hardware vulnerabilities for better security. Plus, new risks placed in OWASP Top 10, SWIFT launches new anti-fraud tool, and more. Continue Reading

Risk & Repeat: Strong encryption under fire again

In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss the latest round of the encryption debate and what it means for apps that use strong encryption. Continue Reading

1024-bit encryption keys: How 'trapdoored' primes have caused insecurity

Encryption algorithms using 1024-bit keys are no longer secure, due to the emergence of 'trapdoored' primes. Expert Michael Cobb explains how the encryption backdoor works. Continue Reading

DLP systems: Spotting weaknesses and improving management

DLP systems are becoming a necessity, but their weaknesses need to be tightened to ensure enterprise asset security. Expert Kevin Beaver explains what areas to focus on. Continue Reading

RSA Data Loss Prevention Suite: Product overview

Expert Bill Hayes examines the RSA Data Loss Prevention Suite, which covers data in use, in transit and at rest for corporate networks, mobile devices and cloud services. Continue Reading

CJIS Security Policy: How can companies ensure FIPS compliance?

Companies and government agencies handling criminal justice information need to comply with CJIS Security Policy. Expert Michael Cobb explains the cryptographic modules to use. Continue Reading

Risk & Repeat: Cloudflare bug poses incident response challenges

In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss the recent Cloudflare bug that leaked an undetermined amount of customer data over several months. Continue Reading

Cloudflare security team calms fears over Cloudbleed bug

Cloudflare security researchers continue investigations as CEO calms fears over potential exposure of sensitive personal data by the Cloudbleed bug, though doubts remain. Continue Reading

Employees knew about Yahoo security breach years ago, per new SEC filing

A new SEC filing details who knew about the major Yahoo security breach in 2014, but experts are confused by the repercussions of the announcement. Continue Reading

What caused the ClixSense privacy breach that exposed user data?

A privacy breach at ClixSense led to user account details being put up for sale. Expert Michael Cobb explains how companies should be held accountable for their security practices. Continue Reading

Which encryption tools can secure data on IoT devices?

Protecting the data that moves through the internet of things can be a challenge for enterprises. Expert Judith Myerson offers several encryption tools for the task. Continue Reading

How serious are the flaws in St. Jude Medical's IoT medical devices?

MedSec and Muddy Waters Capital revealed serious flaws in IoT medical devices manufactured by St. Jude Medical. Expert Nick Lewis explains the severity of these vulnerabilities. Continue Reading

Big data frameworks: Making their use in enterprises more secure

Many enterprises apply big data techniques to their security systems. But are these methods secure? Expert John Burke explains some of the efforts to secure big data analysis. Continue Reading

How does USBee turn USB storage devices into covert channels?

USB storage devices can be turned into covert channels with a software tool called USBee. Expert Nick Lewis explains how to protect your enterprise data from this attack. Continue Reading

How do man-in-the-middle attacks on PIN pads expose credit card data?

Passive man-in-the-middle attacks on PIN pads can lead to attackers stealing credit card details. Expert Nick Lewis explains how companies can mitigate these attacks. Continue Reading

Google Cloud KMS simplifies the key management service, but lacks features

Experts are impressed with the simplicity of Google's Cloud KMS even if it doesn't separate itself from the key management service competition. Continue Reading

Git repos hide secret keys, rooted out by Truffle Hog

Truffle Hog utility roots out and detects text blobs with enough entropy to be secret keys -- even those buried deep in old Git repositories -- to prevent exploits. Continue Reading

Should one cybersecurity mistake mean the end of a CEO's career?

In one case, a tenured CEO made one cybersecurity mistake and was fired. Expert Mike O. Villegas discusses whether this sets a precedence for enterprises going forward. Continue Reading

Test your privileged user management knowledge

Test your proficiency in privileged user management. Take this quiz to determine your ability to keep privileged access secure across your organization. Continue Reading

Digital Guardian for Data Loss Prevention: Product overview

Expert Bill Hayes examines Digital Guardian for Data Loss Prevention and more of the vendor's DLP product lineup, which cover data in use, data in transit and data in the cloud. Continue Reading

CA Technologies Data Protection: DLP product overview

Expert Bill Hayes examines CA Technologies Data Protection, a data loss prevention suite designed to protect data at rest, in transit and in use across enterprise devices, networks and cloud services. Continue Reading

Can an HTML5 document with a digital signature be authenticated?

A digital signature on an HTML5 document cannot be authenticated the same way a PDF can. Expert Michael Cobb explains how enterprises should address this issue. Continue Reading

Splunk Enterprise Security: Product overview

Expert Dan Sullivan explores how Splunk Enterprise Security uses big data security analytics to incorporate multiple methods of data integration to identify malicious events. Continue Reading

Blue Coat DLP: Data loss prevention product overview

Expert Bill Hayes takes a look at Blue Coat DLP, a single appliance data loss prevention system that works with the company's web security gateway products. Continue Reading

Blue Coat Security Analytics Platform: Product overview

Expert Dan Sullivan takes a look at the Blue Coat Security Analytics Platform, which is designed to capture comprehensive network information and apply targeted security analytics. Continue Reading

WinMagic SecureDoc: Full-disk encryption product overview

Expert Karen Scarfone examines the features of WinMagic's SecureDoc, a full-disk encryption product for laptops, desktops, mobile devices and servers. Continue Reading

The best email encryption products: A comprehensive buyer's guide

Email encryption is a critical component of enterprise security. In this buyer's guide, expert Karen Scarfone breaks down what you need to know to find the best email encryption software for your organization. Continue Reading

Voltage SecureMail encryption tool: Product overview

Expert contributor Karen Scarfone takes a look at Voltage SecureMail for encrypting email messages in the enterprise. Continue Reading

Symantec Desktop Email Encryption: Product overview

Expert contributor Karen Scarfone examines Symantec Desktop Email Encryption, a tool for encrypting email messages for individuals within the enterprise. Continue Reading

Comparing the top big data security analytics tools

Expert Dan Sullivan compares how the top-rated big data security analytics tools measure up against each other to help you select the right one for your organization. Continue Reading

What privacy regulations should enterprises follow?

The U.S. government has been criticized for its lack of updated privacy regulations. Expert Mike Chapple advises enterprises that want to bolster their privacy policies. Continue Reading

Introduction to big data security analytics in the enterprise

Expert Dan Sullivan explains what big data security analytics is and how these tools are applied to security monitoring to enable broader and more in-depth event analysis for better enterprise protection. Continue Reading

Secure Hash Algorithm-3: How SHA-3 is a next-gen security tool

Expert Michael Cobb details the changes in SHA-3, including how it differs from its predecessors and the additional security it offers, and what steps enterprises should take. Continue Reading

Vormetric Transparent Encryption: Product overview

Expert Ed Tittel takes a look at Vormetric Transparent Encryption, a component of Vormetric's Data Security Platform that encrypts data and does access control for that data. Continue Reading

HP Security Voltage's SecureData Enterprise: Product overview

Expert Ed Tittel examines SecureData Enterprise, which is a part of the HP Security Voltage platform, a scalable database security product that encrypts both structured and unstructured data, tokenizing data to prevent viewing and more. Continue Reading

Protegrity Database Protector: Database security tool overview

Expert Ed Tittel examines Protegrity Database Protector, a database security add-on product that provides column- and field-level protection of confidential and sensitive data stored in nearly any type of relational database. Continue Reading

Oracle Advanced Security: Database security tool overview

Expert Ed Tittel examines Oracle Advanced Security, a database security add-on product with transparent data encryption (TDE) and data redaction features. Continue Reading

McAfee Database Activity Monitoring: Database security tool overview

Expert Ed Tittel takes a look at McAfee Database Activity Monitoring and McAfee Vulnerability Manager for Databases to see how they protect enterprises' databases and corporate data. Continue Reading

Imperva SecureSphere: Database security tool overview

Expert Ed Tittel examines Imperva SecureSphere Database Activity Monitoring and Database Assessment, products that are deployed as an inline bridge or as a lightweight agent to assess and monitor local database access. Continue Reading

IBM Guardium: Database security tool overview

Expert Ed Tittel examines IBM Guardium, a security product that offers continuous, real-time, policy-based monitoring of database activities. Continue Reading

Comparing the best data loss prevention products

Expert Bill Hayes examines the strengths and weaknesses of top-rated data loss prevention (DLP) products to help enterprises make the right purchasing decision. Continue Reading

How to deploy the right DLP products for the right jobs

Expert Bill Hayes maps specific data loss prevention products to three deployment scenarios to better help readers make their own purchase decisions. Continue Reading

Improve corporate data protection with foresight, action

Better corporate data protection demands foresight and concrete action. Learn why breach training, monitoring and early detection capabilities can minimize damage when hackers attack. Continue Reading

Can a new encryption trick prevent reverse engineering?

Expert Michael Cobb explains how reverse engineering can be made more difficult with an approach called Hardened Anti-Reverse Engineering System or HARES. Continue Reading

Comparing the top database security tools

Expert Ed Tittel examines the strengths and weaknesses of top-rated database security tools -- from database activity monitoring to transparent database encryption -- to help enterprises make the right purchasing decision. Continue Reading

Tips for creating a data classification policy

Before deploying and implementing a data loss prevention product, enterprises should have an effective data classification policy in place. Expert Bill Hayes explains how that can be done. Continue Reading

How to keep track of sensitive data with a data flow map

Expert Bill Hayes describes how to create a data flow map to visualize where sensitive data is processed, how it transits the network and where it's stored. Continue Reading

Six criteria for buying data loss prevention products

Expert Bill Hayes lays out six steps to take in order to buy the right data loss protection (DLP) products for your organization. Continue Reading

Introduction to database security tools for the enterprise

Expert Adrian Lane explains why database security tools play a significant, if not the majority, role in protecting data in the enterprise data center. Continue Reading

Three usage scenarios for deploying data loss prevention products

Expert Bill Hayes details usage scenarios for deploying data loss prevention: standalone suites, integrated tools and standalone/integrated DLP combined. Continue Reading

The business case for data loss prevention products

Data loss prevention (DLP) can help any organization where the loss of sensitive information could seriously impact continued operation, explains Bill Hayes. Continue Reading

Introduction to data loss prevention products

Expert Bill Hayes describes how data loss prevention (DLP) products can help identify and plug information leaks and improve enterprise security. Continue Reading

Six criteria for procuring security analytics software

Security analytics software can be beneficial to enterprises. Expert Dan Sullivan explains how to select the right product to fit your organization's needs. Continue Reading

Symantec Endpoint Encryption: Full disk encryption product overview

Expert Karen Scarfone examines the features of Symantec Endpoint Encryption, a full disk encryption product for Windows laptops, desktops and servers. Continue Reading

Sophos SafeGuard: Full disk encryption product overview

Expert Karen Scarfone examines the features of Sophos SafeGuard, a full disk encryption product for laptops, desktops and servers. Continue Reading

Microsoft BitLocker: Full disk encryption software overview

Expert Karen Scarfone examines the features of BitLocker, Microsoft's native full disk encryption software for Windows laptops, desktops and servers. Continue Reading

McAfee Complete Data Protection: Full disk encryption product overview

Expert Karen Scarfone examines the features of McAfee Complete Data Protection, a full disk encryption product for securing client-side computers and servers. Continue Reading

Dell Data Protection | Encryption: Full disk encryption product overview

Expert Karen Scarfone examines the features of Dell Data Protection | Encryption, a full disk encryption product for securing client-side devices. Continue Reading

Check Point Full Disk Encryption product overview

Expert Karen Scarfone examines the features of Check Point Full Disk Encryption, an FDE product for securing client devices such as laptops and desktops. Continue Reading

Apple FileVault 2: Full disk encryption software overview

Expert Karen Scarfone examines the features of Apple's bundled full disk encryption software for Mac OS X, FileVault 2. Continue Reading

The top full disk encryption products on the market today

Full disk encryption can be a key component of an enterprise's desktop and laptop security strategy. Here's a look at some of the top FDE products in the industry. Continue Reading

Introduction to security analytics tools in the enterprise

Expert Dan Sullivan explains how security analysis and analytics tools work, and how they provide enterprises with valuable information about impending attacks or threats. Continue Reading

A CISO's introduction to enterprise data governance strategy

Every enterprise must have a viable strategy for protecting high-value data. See if your plan aligns with Francoise Gilbert's advice on top priorities to consider when defining data governance plans. Continue Reading

The importance of email encryption software in the enterprise

Expert Karen Scarfone explains how email encryption software protects messages and attachments from malfeasance. Continue Reading

The fundamentals of FDE: Comparing the top full disk encryption products

Expert Karen Scarfone examines the top full disk encryption products to determine which one may be best for your organization. Continue Reading

The fundamentals of FDE: Procuring full-disk encryption software

Expert Karen Scarfone examines the most important criteria for evaluating full disk encryption options for deployment within an enterprise. Continue Reading

The fundamentals of FDE: The business case for full disk encryption

Expert Karen Scarfone outlines the benefits of FDE to help businesses decide if the storage encryption technology is right for their organization. Continue Reading

The fundamentals of FDE: Full disk encryption in the enterprise

Expert Karen Scarfone examines full disk encryption, or FDE, tools and describes how the security technology protects data at rest on a laptop or desktop computer. Continue Reading

Inside the four main elements of DLP tools

Security expert Rich Mogull outlines the four elements of a DLP tool: the central management server, network monitoring, storage and endpoint DLP. Continue Reading

The NoSQL challenge: What's in store for big data and security

Big data offers horizontal scalability, but how do you get your database security to scale along with it? Continue Reading

Amid Microsoft MD5 deprecation, experts warn against SHA-1 algorithm

With Microsoft's MD5 deprecation set for next week, experts say companies must be careful to avoid other weak protocols, like SHA-1. Continue Reading

Quiz: Database security issues

This 10-question quiz will test your knowledge of the key points we’ve covered in the webcast, podcast and tip in this database security school lesson. Continue Reading

Managing big data privacy concerns: Tactics for proactive enterprises

The growing use of big data analytics has created big data privacy concerns, yet viable tactics exist for proactive enterprises to help companies get smarter while keeping consumers happy. Continue Reading

What risk does the Apple UDID security leak pose to iOS users?

Expert Michael Cobb details Apple's Unique Device Identifiers, plus why iOS users should be concerned about the Anonymous UDID security leak. Continue Reading

Windows Server 2012 security: Is it time to upgrade?

Expert Michael Cobb wades through the security features of Windows Server 2012 to find out what's new and beneficial in Microsoft's latest release. Continue Reading