CISA and its counterparts around the world have published new guidance advising technology manufacturers to prioritize Secure-by-Design and Secure-by-Default in all product design and development processes, and urging customers to hold them accountable for doing so.

The cloud is king. 94% of organizations rely on the public cloud in some capacity, and 84% have a “multi-cloud” strategy. The rise of hybrid and remote work, the proliferation of software-as-a-service (SaaS) and Internet of Things (IoT) devices, and the general digitization of once analog industries has turned the cloud into a “must-have,” especially with its pricing, space, and ability to be accessed from anywhere. But with new technologies comes new threats.

With the continued move to the cloud, cloud detection and response helps security teams defend their cloud applications and infrastructure.

A selection of this week’s more interesting vulnerability disclosures and cyber security news. For a daily selection see our twitter feed at #ionCube24. Oooo, that could be unfortunate for some users….

New data shows how poorly organizations are at identifying – let alone removing – an attacker's foothold, putting themselves at continued risk of further attacks and data breaches. We’d like to think our security stance includes some really great abilities to detect, investigate, detect, and remediate an attack.

A new survey points to an overconfidence around organization’s preparedness, despite admitting to falling victim to ransomware attacks – in some cases multiple times. According to Fortinet’s 2023 Global Ransomware Report, the threat of ransomware at face value seems to be of high importance to organizations: But the data also shows that despite the focus on protecting against attacks and believing they are ready, organizations still fell victim.

Poker players and other human lie detectors look for “tells,” that is, a sign by which someone might unwittingly or involuntarily reveal what they know, or what they intend to do. A cardplayer yawns when he’s about to bluff, for example, or someone’s pupils dilate when they’ve successfully drawn to an insider straight.

What a week we’re having – and it’s only Thursday! RSA has been action-packed, meeting with customers, showing off our new product enhancements, and booking time with new prospects. Interest in API security is running at an all-time high, as more organizations recognize what Salt saw years ago, that APIs entirely upend the security playing field!

In 2022 & 2023 Western government agencies have managed to take down multiple prominent dark web forums such as RaidForums in April 2022, BreachedForums in March 2023, and Genesis Marketplace in April 2023. This might make threat actors in the West feel less confident in initiating activities on such monitored platforms and could shift their focus to Chinese-speaking forums.

Analysis on 3,000 websites and over 100,000 associated webpages (using the client-side security scanning feature of Feroot Inspector) revealed that pixels/trackers are collecting and/or transferring data prior to the explicit consent (e.g., cookie acceptance) of a website user. (While some do not require actual consent for one reason or another, the consent is not explicitly made.) Table 1 shows the degree to which some pixels/trackers were present on the analyzed websites.