Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The HIPAA Security Rule requires healthcare organizations to perform regular security risk assessments to protect e-PHI. Penetration testing can help organizations with this requirement.

There’s a scene in the original “Matrix” movie when Neo is sitting in the grimy kitchen with the rest of the crew and eating gray, runny slop. No matter what new version of gray slop they eat, they always seem to think that it tastes like chicken. When confronted with something new, it’s a natural human trait to relate it back to something we already know.

Just recently, our open-source fuzzing engine Jazzer found an Expression DoS vulnerability in Spring (CVE-2023-20861). Now, three weeks later, Jazzer found another similar Expression DoS in the Spring framework, labeled CVE-2023-20863. This new finding has an even higher CVSS score of 7.5 (high), compared to the previous finding which came in at 5.3 (medium).

Nexx is a home security company that specializes in internet-connected security devices such as alarms, garage door openers, cameras, plugs, and more. The company works to make homes safer and to help with home automation goals. Unfortunately, it appears that Nexx products are vulnerable to some major security issues, and it doesn't appear that the company is actively working to fix the issues.

Password security plays a fundamental role in Identity and Access Management (IAM). The easiest way for cybercriminals to breach an enterprise network is to obtain a set of legitimate login credentials. This allows them to bypass firewalls, intrusion detection systems and other technical security solutions. Once inside, they can remain undetected for extended periods of time.

When researching which managed detection and response (MDR) service provider to partner with, security professionals would do well to consider whether the provider also has experience with threat hunting, a topic we covered in a previous post. As with MDR, however, threat hunting offerings can vary dramatically, and an innovative, human-led form promises significant gains in terms of cyber protection: advanced continual threat hunting.

The use of Amazon Web Services (AWS) in organizations around the world is prolific. The platform accounted for 31% of total cloud infrastructure services spend in Q2 2022, growing by 33% annually. Despite its widespread use, many organizations still fail to consider the nuances of incident response in AWS.

The attack surface is bigger than ever before, and it’s only going to keep growing. As the hybrid work model puts endpoints in employee homes, IoT devices grow in number and complexity, and the very definition of endpoint itself evolves, the task of seeing into and securing all endpoints in an organization’s environment has grown into a colossal task for already overworked and overtaxed IT teams.

ChatGPT may not be used by all organizations and may even be banned. But that doesn't mean you don't have exposure to the security risks it contains. This post looks at why ChatGPT should be part of your threat landscape.

This is the second blog in the series focused on PCI DSS, written by an AT&T Cybersecurity consultant. See the first blog relating to IAM and PCI DSS here. There are several issues implied in the PCI DSS Standard and its associated Report on Compliance which are rarely addressed in practice. This occurs frequently on penetration and vulnerability test reports that I’ve had to assess.