Information security

Over the past several years, organizations have undergone a roller coaster of digital transformations.First, they accelerated the onboarding of cloud services and adopted bring-your-own-device (BYOD) policies so that users could effectively work from anywhere.Now, in the name of security and productivity, many industry leaders are coaxing employees back into the office.

Auditing and logging are essential measures for protecting mission-critical systems and troubleshooting problems.This policy outlines the appropriate auditing and logging procedures for computer systems, networks and devices that store or transport critical data.From the policy:
Many computer systems, network devices and other technological hardware used in the enterprise can audit and log various activities.

Passwords are problematic.They are arguably the weakest link in security, a leading cause of breaches, and difficult to manage.Yet, on Change Your Password Day 2023, passwords remain ubiquitous.Instead of continuously changing passwords in an attempt to stay ahead of online threats, the best solution is no passwords at all.

As many as 29,000 network storage devices manufactured by Taiwan-based QNAP are vulnerable to hacks that are easy to carry out and give unauthenticated users on the Internet complete control, a security firm has warned.The vulnerability, which carries a severity rating of 9.8 out of a possible 10, came to light on Monday, when QNAP issued a patch and urged users to install it.

A researcher has disclosed the details of a two-factor authentication (2FA) vulnerability that earned him a $27,000 bug bounty from Facebook parent company Meta.Gtm Manoz of Nepal discovered in September 2022 that a system designed by Meta for confirming a phone number and email address did not have any rate-limiting protection.

On Friday, January 20, 2023, Google announced it would lay off 12,000 employees.Amazon and Microsoft have laid off a combined 28,000 people; Twitter has reportedly lost 5,200 people; Meta (Facebook, etcetera) is laying off 11,000...This is just the tech giants, and almost all the staff looking for new positions are, by definition, tech-savvy - and some will be cybersecurity professionals.

Personal data on up to 10 million people who shopped online at sporting goods and fashion retailer JD Sports has been accessed and potentially stolen by cyber criminals in a cyber incident of a currently unknown nature.The incident, disclosed today (30 January), is understood to affect individuals who shopped online between November 2018 and October 2020 at six of the organisation's brands, JD, Size?, Millets, Blacks, Scotts and MilletSport.

In brief A US intelligence boss has asked Congress to reauthorize a controversial set of powers that give snoops warrantless authorization to surveil electronic communications in the name of fighting terrorism and so forth.NSA director General Paul Nakasone told the Privacy and Civil Liberties Oversight Board yesterday that the loss of Section 702 of the Foreign Intelligence Surveillance Act (FISA) would mean American spies would "lose critical insights into the most significant threats to our nation" if allowed to lapse on December 31.

Apple's product security response team on Monday rolled out patches to cover numerous serious security vulnerabilities affecting users of its flagship iOS and macOS platforms.The most serious of the documented vulnerabilities affect WebKit and can expose both iOS and macOS devices to code execution attacks via booby-trapped web content, Apple warned in multiple advisories.

Cybersecurity firm NCC Group has shared details on two vulnerabilities in Samsung's Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.An alternative app marketplace, the Galaxy Store comes pre-installed on Samsung's Android devices and can be used alongside Google Play to download and install software.

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December 2022, the US Government Accountability Office (GAO) says in a new report.Since 1997, the GAO has been regarding information security as a government-wide high-risk area and expanded it twice since: in 2003 to include critical cyber infrastructure and in 2015 to include the protection of personally identifiable information.