It's somehow fitting that Groundhog Day and tax scam season overlap. Much like the 1993 Bill Murray film where he repeatedly experienced the same day, tax season scammers come out of their hole every year at the same time and tend to use the same attack methods against organizations and regular taxpayers. These scammers stick to these tried-and-true methods because they still work.

Ransomware continued to be the most significant cybersecurity threat facing critical infrastructure, healthcare, defense, and other industries, according to a report issued jointly on February 9 by law enforcement and cybersecurity agencies from the United States, United Kingdom, and Australia.

This is the first in a series of blogs that will describe the importance of conducting Red and Purple Team exercises. The first entry in the series gives an overview of how to properly conduct these drills with follow on blogs diving deeper into the specifics of Red and Purple team maneuvers. The first realization most organizations have that their cybersecurity is, let's say, subpar generally comes right after it has been hit by a devastating attack.

A stored cross-site scripting vulnerability, tracked as CVE-2021-45919, was identified in elFinder File Manager. The vulnerability can result in the theft of user credentials, tokens, and the ability to execute malicious JavaScript in the user's browser. Any organization utilizing an out-of-date elFinder component on its web application could be affected.

When it comes to protecting personal healthcare information or a medical facility from cyberattacks or data breaches, the first step that must be taken is a thorough and exhaustive data assessment. The data assessment will provide your organization with a complete understanding of: Why? Because a cybersecurity team cannot be expected to protect something if it does not know it exists in the first place.

During a recent engagement Trustwave SpiderLabs discovered a vulnerability (CVE-2021-45901) within ServiceNow (Orlando) which allows for a successful username enumeration by using a wordlist. By using an unauthenticated session and navigating to the password reset form, it is possible to infer a valid username. This is achieved through examination of the HTTP POST response data initially triggered by the password reset web form. This response differs depending on a username's existence.

A recent survey by the analyst firm Gartner showed that 89% of companies experienced a supplier risk event in the last five years; however, those companies' overall awareness and plans to mitigate lacked maturity. As a result, it is no longer enough to secure your own company's infrastructure. You must also evaluate the risk posed by third-party vendors and plan to monitor those organizations for breaches.

Forrester recently predicted that in 2022, 60% of security incidents would involve third parties. Yikes! With such a large percentage of incidents taking place outside the confines of their organizations, corporate leaders need to know what to do to protect their business. So, here is a list of items to address to succeed at supply chain risk (SCR) management.

As Data Privacy Day once again rolls around, we can look back at some healthy improvements when it comes to privacy that organizations made over the previous 12 months. We can also use this yearly reminder on such an important topic to look forward to the coming year to pinpoint where additional changes are needed.