Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

In the latter part of December 2021, WhiteSource Diffend detected the new release of a package called @maui-mf/app-auth. This package used a vector of attack that was similar to the server side request forgery (SSRF) attack against Capital One in 2019, in which a server was tricked into executing commands on behalf of a remote user, thereby enabling the user to treat the server as a proxy for requests and gain access to non-public endpoints.

Just over three years ago, Joe DePalo joined Netskope as Senior Vice President of Platform Engineering. He had most recently led the infrastructure design and build-out at AWS, the world’s largest public cloud, and prior to that, engineering and operations for one of the largest content delivery networks (CDNs) at Limelight Networks.

State-sponsored threat actors continue to exploit legitimate cloud services. In their latest campaign, uncovered by Malwarebytes during January 2022, the North Korean group Lazarus (AKA HIDDEN COBRA) has been carrying out spear phishing attacks, delivering a malicious document masquerading as a job opportunity from Lockheed Martin (37% of malware is now delivered via Office documents).

Since the 1990s, the federal government has been issuing guidelines and recommendations for security via their 800-Series Special Publications. While some of those guidelines became mandates, things have largely inched forward, instead of making any dramatic leaps. OMB’s new memorandum M-22-09, “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles,” is changing this pattern, and setting deadlines for implementation across the government.

As the competitive online gaming and eSports industries gain legitimacy by becoming more popular and attracting mainstream attention, the question of competitive integrity lingers in the back of my mind. Can the game’s developers, community, and users maintain and uphold competitive integrity? Or will they fold under the pressure of greed and complacency?

Unstructured data is data that cannot be processed and analyzed using conventional data tools and methods: qualitative data, such as customer feedback or social media posts are considered unstructured data. Unstructured data is particularly prevalent in the healthcare industry, where patient records, doctors’ notes, and other unstructured data can make upward of 80% of data within a healthcare organization.

Does the saying "compliance does not equal security" paint a holistic picture? Sure, the concept is genuine; meeting a single compliance standard will not directly improve security posture. However, after working with hundreds of organizations, we have learned there are key considerations that can help maximize the value and urgency of compliance requirements by channeling such efforts into more practical risk assessments.

Our activities around sponsoring Open Source are not just limited to projects we rely on; we have also been supporting those that are important to the general Cybersecurity ecosystem and beyond. We're in this for the long haul and the most recent set of projects covers a very wide scope. We want to help ensure that everyone has sustainable Open Source for many years to come. Let's tell you about these new projects and why you should be aware of them.

January’s update is a little late but it is only because we are really busy with lots of big things coming. One of things we are looking forward to in the near-term is a webinar with one of our oldest and most valued customers: Soteria - Security Solutions & Advisory Join us this Valentines Day as we recount cybersecurity’s greatest love story and explore how Soteria leveraged their expertise - and the LimaCharlie platform - to create a successful MDR/DFIR business.