Data breaches are quickly becoming one of the most damaging crimes committed today and one of the most common. Hackers are stealing valuable information from organizations at a rapidly growing rate, which means your data isn't safe for anyone. Major companies like Tesla, M&T Bank, and Duolingo were all hit by breaches this week, as well as Missouri Medicaid, the University of Missouri, and UMass Chan Medical School.

Cross-Site Scripting (XSS) is a web security vulnerability that happens when cybercriminals inject client-side scripts into web pages accessible by other users. These scripts compromise the web page and allow cybercriminals to inject malicious scripts into a user’s browser, leading to the exposure of data, session hijacking or manipulation of the web page’s content and functionality.

The European Union introduced the EU Cybersecurity Act to boost cybersecurity measures and cyber resilience across EU member states. With a digitally connected Union, having consistent regulations for cybersecurity measures across member states is vital in protecting against cyber attacks.

Whenever an organization outsources part of its business process to an outside party, it introduces various risks to the primary organization. Third-party risk management refers to how organizations address and mitigate security risks across their entire library of vendors and suppliers. Unfortunately, third-party risk exposure can be difficult to manage and comes with many challenges organizations must address for an effective third-party risk management program.

The concept of ratings has been the accepted standard for making investment decisions. The first commercial credit reporting agency, the Mercantile Agency, was founded in 1841. While this relied on largely subjective methods of evaluation, it wasn’t until the 1960s, when credit reporting became computerized, that the industry consolidated and took off. Since then, credit and financial ratings models have progressed to become objective and trustworthy data points that inform lending decisions.

It’s been reported that 2.6 million user records sourced from the Duolingo app are for sale. The attacker apparently obtained them from an open API provided by the company. There’s a more technical explanation available here. While we talk a lot about the vulnerabilities in the OWASP API Top-10 and the exploits associated with those vulnerabilities, this incident provides a good reminder that not all vulnerabilities are flaws in code. In fact, this API was working as designed.

Application architectures have been transformed in recent years. Modern application systems have become more complex with monolithic applications being replaced by more complicated applications based on multiple microservices and stored on cloud platforms. These applications run on new technologies based on Kubernetes, an open-source container orchestration system that automates the deployment, scaling, and management of containerized applications.

If you’re not particular techy these acronyms may not mean much, but you can easily make checks, even if you can’t implement the fix! Read on….. One of KEEPs consultants recently assessed a client (CNI) where only 55% of their domains had the necessary SPF and DMARC configurations in place correctly. This mis-configuration allows attackers (at minimum) to easily email spoof and target your users. If you do nothing else this week, check the basics!

There’s a sentiment that has, unfortunately, taken hold in the field of cybersecurity: Users are the weakest part of your environment. You can see why some may try to paint that picture. The statistics would seem to back it up: However, there’s a deeper truth hiding behind these statistics: It’s not the employees who are the weakest part of your security environment, it’s the training they receive.