Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users and may be used to bypass access control, such as the same-origin policy. The impact of XSS can range from a small nuisance to significant cybersecurity risk, depending on the sensitivity of data handled by the vulnerable website, and the nature of any mitigations implemented.

Over 10 million people who have stayed at MGM Resorts hotels – including Twitter boss Jack Dorsey and pop idol Justin Bieber – have had their personal details posted online by hackers. The security breach, publicised by ZDNet and security researcher Under the Breach, saw the records of 10,683,188 former guests – including names, postal addresses, phone numbers, dates of birth, and email addresses – made available in an online data dump.

For decision making, “reactive” tends to be frowned upon in the business world. “Proactive” is the preferred mode and has been pretty much since the word was coined (in 1933).

Implementing a risk based security program and appropriate controls against adaptive cyber threat actors can be a complex task for many organizations. With an understanding of the basic motivations that drive cyber-attacks organizations can better identify where their own assets may be at risk and thereby more efficiently and effectively address identified risks.

In part 1 of web security trends 2020, we discussed the rise of Crowdsourced Security and the ever-changing attack surface. This time we turned to 3 security leaders to get their perspective on trends to come in 2020.

I am not an engineer. I’m a director of human resources. I don’t work in a technical space, but the concept of open source is fascinating to me as it applies to organizational culture. A company like Gravitational that has intentionally chosen open source as a foundation for our work makes not only a technical decision, but a cultural one. We’re finding that employees and candidates care deeply and appreciate our choice. Open source is a big deal for us.

In part one of this cyber resilience blog series, we discussed what it means to be a resilient organization. For part two, let’s discuss why organizations need to consider these challenges and who’s responsible for addressing them. Whilst asking why an organization may need to be resilient sounds a bit silly, I can say from experience that just because something seems obvious doesn’t mean it’s not quite a bit of work.

As hackers’ methods become more sophisticated, the scale of email security breaches and the frequency at which they occur grow greater with each passing year. In 2019 alone, an estimated 2 billion unique email addresses, accompanied by over 21 million unique passwords, were exposed within a single data breach.

This blog post is one in an occasional series about how we at Elastic embrace our own technology. The Elastic InfoSec team is responsible for securing Elastic and responding to threats. We use our products everywhere we can — and for more than just logs. By harnessing the power and breadth of capabilities of the Elastic Stack, we are working on tracking risk and performance metrics, threat intelligence, our control framework, and control conformance information within Elastic.

This is the third and final post of a three-part series on understanding kernel extension frameworks for Mac systems. In part 1, we reviewed the existing kernel extension frameworks and the information that these frameworks can provide. In part 2 we covered techniques that could be used in kernel to gather even more details on system events. In this post, we will go into the new EndpointSecurity and SystemExtensions frameworks.