Page 2

What to know about software bill of materials

The Biden administration wants more transparency in the software supply chain. Will private industry join in?

Security teams prepare for the yearslong threat Log4j poses

Industry is still investigating the full extent of the vulnerability, which limits the actions security teams can immediately take. 

Log4j attacks poised to rise as threat actors search for attack vectors

Microsoft warns that threat actors are using third-party hosted Minecraft servers to launch ransomware attacks. The company also warned that access brokers are getting into the game.

Log4j threat expands as second vulnerability emerges and nation states pounce

Early stage ransomware attempts are underway and federal officials are urging organizations to take immediate steps to protect IT systems.

To combat open source insecurity, companies need tech and leadership

With software dependencies commonplace, it's up to industry to clear a path to greater supply chain security in software.

One year later: Has SolarWinds changed how industry builds software?

The SolarWinds hack caused government and industry leaders to rethink how software is made and secured, giving rise to close scrutiny of the software supply chain.

Log4j under siege, millions of devices vulnerable

Technology firms are scrambling to investigate and patch their systems amid reports of more than 800,000 attempted attacks.

Federal authorities, technology vendors race to contain Log4j vulnerability

The vulnerability is considered to be among the most dangerous over the past decade, according to security researchers.

What incident reporting could look like

Legislation could remove some of the complexity of overlapping standards when CISA's roles and authorities become more robust. 

Long-expected cyber incident reporting rule loses ground once again

The House's recently passed National Defense Authorization Act is set to advance to the Senate. But it omitted a key cyber rule: mandatory incident reporting. 

More research connects security burnout with business risk

One in three 1Password respondents said burnout adds to a decline in initiative and motivation, which also reduces compliance with security protocols.

Cyberattacks keep targeting colleges. How can they protect themselves?

Higher ed's sprawling systems mean cybersecurity doesn't come easy — or cheap. But smart strategies and thinking through risk can go a long way.

Is the security of legacy IT providers prompting a confidence crisis?

Research commissioned by CrowdStrike found security professionals are losing confidence in providers like Microsoft amid the rise in supply chain attacks. Microsoft has thoughts. 

Supply chain attacks lift debate on how to manage software vulnerabilities

Researchers and developers dispute where responsibilities lie for early detection and how to manage disclosure to customers. The disagreement can allow vulnerabilities to linger. 

Beyond backup: Modern ransomware coercion tactics and how to detect them before it is too late

Despite lots of ransomware advice centering on backing up files and systems, it's important to remember that precursors to ransomware can be identified and attacks disrupted, the author writes. 

A month after 'malicious' cyberattack, a small Colorado utility still doesn't have all systems back online

Delta-Montrose Electric Association is still working to restore its payment and billing systems. Security experts say the recovery time points to a need for better backups.

A year later, Nobelium-linked threat actors still target businesses, government

Threat actors seeking sensitive data are compromising CSPs and MSPs to go after Microsoft 365 and Azure AD environments, Mandiant found. 

Cuba ransomware targets critical infrastructure, steals $44M in payments

The threat actors compromised at least 49 organizations across the financial, government, healthcare, manufacturing, and information technology sectors. 

Insurer Lloyd's slashes coverage on state-sponsored cyberattacks, reflecting battered market

The limits for state-sponsored attack coverage comes at a time when nation-state activity and ransomware linked to foreign threat actors is surging.

TSA rolls out rail cyber requirements, targeting prevention and rapid response

The directives, with immediate implementation expected, are primarily for higher-risk freight railroads, passenger rail, and rail transit, DHS said. 

CISA names 23 industry leaders to advisory board

The members — who range from industry and government technology and security leaders — will advise CISA Director Jen Easterly on the agency's policies and programs. 

Tech adoption makes construction industry top target for cyberattacks

Companies like Shawmut emphasize strengthening security, as a new report finds that contractors are at high risk for ransomware and other threats.

Marriott is still covering — and recovering — expenses from its 2018 data breach

The hotel has seen an increase in renewal costs for its cyber insurance "over the last several years," the company said. 

What cyber insurance CEOs want to see from customers

Insurers joined high-profile CEOs at the White House summit last week to discuss how to improve national cybersecurity. For one insurance CEO, the industry needs three points of improvement.

Majority of US retailers, critical infrastructure unscathed after holiday cyber warnings

Industry averted a major cyber incident amid warnings from the FBI and CISA, though home furnishings retailer Ikea fought to contain a sophisticated phishing attack.