CISA senior official Goldstein to leave agency in June

The executive assistant director for cybersecurity at CISA often served as the voice of the agency and helped steer its secure-by-design efforts.

By Matt Kapko • May 16, 2024

Unsafe software development practices persist, despite CISA’s push

The industry isn’t making sufficient progress in cleaning up code despite recurring efforts from the agency to eliminate entire classes of vulnerabilities.

By Matt Kapko • May 15, 2024

National Cyber Director echoes past warnings: Nation-state cyber threats are mounting

State-linked actors with ties to China and Russia are growing more sophisticated in their efforts to disrupt critical infrastructure, Harry Coker Jr. said during a CyberUK conference keynote.

By David Jones • May 15, 2024

How a CISA proposal could impact K-12 cyber incident reporting

Overall, the nonprofit K12 Security Information Exchange backed the requirement for schools, but it asked for clarification on how the sector should report cyber incidents students initiate.

By Anna Merod • May 14, 2024

Black Basta ransomware is toying with critical infrastructure providers, authorities say

The threat group has impacted more than 500 targets worldwide and the vast majority of critical infrastructure sectors.  Numerous attacks have exploited vulnerabilities in ConnectWise ScreenConnect.

By David Jones • May 13, 2024

Congress wants to question Microsoft exec over security defects

The committee wants to question Brad Smith, Microsoft’s president and vice chair, over the company’s security shortcomings and how it plans to strengthen security measures.

By Matt Kapko • May 13, 2024

White House wants to hold the software sector accountable for security

Federal officials are taking steps toward a long-stated goal of shifting the security burden from technology users to the companies that build it.

By David Jones • May 10, 2024

68 tech, security vendors commit to secure-by-design practices

CISA said companies ranging from Microsoft to Palo Alto Networks signed the voluntary pledge in an effort to boost resiliency and increase transparency around CVEs and cyberattacks.

By David Jones • May 9, 2024

CISA explains why it doesn’t call out tech vendors by name

Federal officials rarely criticize tech companies when their mistakes result in attacks. The stinging conclusions CSRB levied at Microsoft are an exception, not the norm.

By Matt Kapko • May 9, 2024

The US really wants to improve critical infrastructure cyber resilience

A report from the Office of the National Cyber Director highlights persistent threats targeting healthcare and water, echoing warnings from cyber officials earlier this year. 

By David Jones • May 8, 2024

CISA, FBI urge software companies to eliminate directory traversal vulnerabilities

The software defects are linked to recent exploitation campaigns against critical infrastructure providers, including healthcare and schools. 

By David Jones • May 7, 2024

How can AI companies navigate a complex regulatory framework? — Compliance Labels

The rapid unregulated growth in the field of artificial Intelligence has given rise to Large Language Models (LLM’s) such as GPT-4 and Gemini which has contributed to major technical advancements but has also been coupled with legal and ethical issues.

By Sai Prasad, Security Analyst, CyberProof, MS Cybersecurity Risk Management '22 • May 6, 2024

Congress grills UnitedHealth CEO over Change cyberattack

Legislators slammed Andrew Witty over the company’s lack of cybersecurity practices and the impact of the breach, which may have compromised the data of a third of Americans.

By Emily Olsen • May 2, 2024

CISA warned 1,750 organizations of ransomware vulnerabilities last year. Only half took action.

More than half of CISA's ransomware vulnerability warning pilot alerts were sent to government facilities, healthcare and public health organizations.

By Matt Kapko • May 1, 2024

Hacktivists exploiting poor cyber hygiene at critical infrastructure providers

CISA, the FBI and international partner agencies want water, energy, agriculture and other sectors to immediately reset passwords and apply multifactor authentication.

By David Jones • May 1, 2024

FTC broadens health breach notification rule

Regulators have been pursuing more enforcement actions against health applications sharing consumers’ data. Friday’s final rule should give those actions more heft.

By Rebecca Pifer • April 29, 2024

CISA director pushes for vendor accountability and less emphasis on victims’ errors

Stakeholders need to address why vendors are delivering products with common vulnerabilities, which account for the majority of attacks, Jen Easterly said.

By Matt Kapko • April 25, 2024

Preparing for CISA’s Secure Software Development Attestation and PCI compliance updates with ASPM

With increased expectations and a prime position in the spotlight, AppSec teams need reliable tools that can act as a force multiplier for their AppSec programs.

April 22, 2024

Fears rise of social engineering campaign as open source community spots another threat

Federal officials are said to be investigating potential links between the recent XZ Utils campaign and new threat activity against JavaScript project maintainers.

By David Jones • April 16, 2024

Top officials again push back on ransom payment ban

In lieu of a ban, the Institute for Security and Technology advises governments to achieve 16 milestones, most of which are already in place or in the works.

By Matt Kapko • April 15, 2024

CISA to big tech: After XZ Utils, open source needs your support

The attempted malicious backdoor may have been part of a wider campaign using social engineering techniques, the open source community warned.

By David Jones • April 15, 2024

FBI director echoes past warnings, as critical infrastructure hacking threat festers

Chris Wray says adversaries from China, Russia and Iran are ramping up cyber, espionage and other threat activity against key sectors, including water, energy and telecommunications.

By David Jones • April 11, 2024

What’s going on with the National Vulnerability Database?

CVE overload and a lengthy backlog has meant the federal government’s repository of vulnerability data can’t keep up with today’s threat landscape.

By Matt Kapko • April 10, 2024

Industry stakeholders seek 30-day delay for CIRCIA comments deadline

Industry officials are asking for additional time to comb through hundreds of pages of detailed rules about disclosure of covered cyber incidents and ransom payments.

By David Jones • April 8, 2024

CISA assessing threat to federal agencies from Microsoft adversary Midnight Blizzard

Microsoft previously warned that the Russia-linked threat group was expanding malicious activity following the hack of senior company executives, which it disclosed in January.

By David Jones • April 5, 2024