This blog series expands upon a presentation given at DEF CON 29 on August 7, 2021. Phishing attacks are starting to evolve from the old-school faking of login pages that harvest passwords to attacks that abuse widely-used identity systems such as Microsoft Azure Active Directory or Google Identity, both of which utilize the OAuth authorization protocol for granting permissions to third-party applications using your Microsoft or Google identity.

This blog series expands upon a presentation given at DEF CON 29 on August 7, 2021. In Part 1 of this series, we provided an overview of OAuth 2.0 and two of its authorization flows, the authorization code grant and the device authorization grant.

Teleport has been instrumental in helping our clients achieve difficult security and compliance requirements, and today we are proud to announce that our Cloud offering is now SOC2 Type II compliant. Last year our on-premises product was SOC2 Type II certified, and we published an overview on our blog helping explain what SOC2 is and why it has become table stakes for B2B SaaS companies.

Between us — there’s no such thing as zero trust — it’s a catchy term used to describe a very complicated approach to security. But just because marketing loves the term doesn’t mean we should ignore the concept. The idea of zero trust is the assumption that users should be granted the least access possible to be productive, and that security should be verified at every level with consistent protection measures.

Most discussions around cybersecurity understandably focus on information technology (IT). Assets like cloud services and data centers are typically what companies spend the most time and effort securing. Recently, though, operational technology (OT) has come under increasing scrutiny from leading security experts in both the private and public sectors. In June, for instance, the Cybersecurity and Infrastructure Security Agency (CISA) released a fact sheet about ransomware attacks on OT.

The internet is an incredible tool for education. Unfortunately, not everyone uses it to better themselves or the world around them. There are plenty of opportunities to learn how to defraud, damage, and steal from organizations – so many in fact, that this open source of hacking knowledge is a new technology service industry in its own right: crime-as-a-service.

Infrastructure as code is a key concept in DevOps for cloud deployments. Learn how to secure it using Rapid Scan SAST. It was not long ago when we needed to submit an IT support ticket to help launch infrastructure configurations (virtual machines, networks configurations, load balancers, databases, etc.) every time we needed to deploy a new application. It worked when we needed those less frequently, but it was not easily scalable.

Higher education has increasingly been attracting the attention of cybercriminals. In March, the FBI released an advisory in response to a barrage of ransomware attacks on schools, and Inside Higher Education recently reported that colleges and universities are becoming favorite victims of bad actors. It's not just colleges themselves that are being targeted; their vendors and third parties are being attacked in the hopes of compromising an institution’s data.

At AT&T Cybersecurity, we believe in the exceptional expertise of our managed security service provider (MSSP) partners. That’s why we are delighted to announce the launch of our new, simplified MSSP Partner Program that will help enhance your business. Our aim is to enable our MSSP partners to successfully monetize security capabilities and achieve exceptional growth and profits by delivering superior, next-generation managed security services to customers.

API security is one of the most important aspects of cybersecurity. The rise of new technologies like microservices, cloud-native applications, IoT devices, single-page applications, serverless, and mobile has led to increased use of APIs. Any internal application elements are now APIs connecting with one other through a network. A game API lets your applications and web services communicate with one another and share information such as rules, settings, specs, and data.