As we quickly approach the last quarter of the year, it's a good time to reflect on what's happened thus far in 2019, and where we should focus our energy for 2020.

If I asked you what security products you had in place to manage your risk within your IT organisation 10 years ago, you’d probably have been able to list a half dozen different tools and confidently note that most of your infrastructure was covered by a common set of key products such as antivirus, DLP, firewalls, etc. But in a world with IaaS, PaaS and SaaS, maintaining a comprehensive approach becomes far more difficult.

For many organizations moving to the cloud, Infrastructure as a Service (IaaS) like AWS EC2, Azure Virtual Machines or Google Compute Engine often forms the backbone of their cloud architecture. These services allow you to create instances of pretty much any operating system almost instantly. Unfortunately, moving your IT infrastructure to the cloud doesn’t relieve you of your compliance or security obligations.

Cyber Essentials and Cyber Essentials Plus are Government-backed schemes which highlight key technical controls that need to be in place in order to defend against the most common cyber threats. By becoming Cyber Essentials certified your organisation can display the logo on your website and marketing materials, improving trust with your customers. Many Government contracts will only consider applications from Cyber Essentials certified companies.

Detectify now has a built-in detection for vBulletin RCE CVE-2019-16759, thanks to a report from our Crowdsource community. Last week, a proof-of-concept exploit for a Remote Code Execution (RCE) vulnerability for vBulletin forum software CVE 2019-16759 was disclosed publicly. The vulnerability was exploited in the wild and actively being exploited by malicious attackers.

A selection of this week’s more interesting vulnerability disclosures and cyber security news. A serious breach from a popular game was announced earlier in the week. Considering the prevalence of linking many such games with Facebook and other social media platforms, such an exposure gives a great ‘way in’. If you’ve not done it already, go check what access you’ve granted to your data.

Network security is the process of using physical and software security solutions to protect the underlying network infrastructure from unauthorized access, misuse, malfunction, modification, destruction or improper disclosure, creating a secure platform for computers, users and programs to perform their functions in a secure environment.

You might have noticed this incident: Users of some online service providers lose their accounts en masse yet the companies assert that there haven’t been any intruders on their systems. It may sound unlikely, but in most cases they have a valid point. With the new hacking technique called credential stuffing, it is possible. Read our article to learn more.

Finding a zero-day (0-day) is probably one of the best feelings in the world for a hacker, and sometimes we receive these submissions through Detectify Crowdsource, our bug bounty platform. This article will explain how Detectify handles 0-days with transparency to responsibly work with vendors, researchers and customers with the disclosure.

Karim Rahal, Detectify Crowdsource hacker, is a 17-year-old web-hacker who has been hacking for the greater part of his teenager years. At age 13, he started to responsibly disclose vulnerabilities—and he even blogged about one he found in Spotify! Karim still makes time for bug bounty programs, despite school. We asked Karim to tell us why Firefox is the best choice from a white hat hacker’s point-of-view.