Modern Software Development and DevSecOps: Despite security controls, data leaks persist

Viktoria Austin
June 22, 2020 | 15 Min Read

Quick Synopsis

No matter how many software developers you employ, or which development processes or cultures (such as DevOps or DevSecOps) you adopt, sensitive technical data such as code, credentials, or security infrastructure can still be prone to online exposure.

In this blog, we walk you through how modern software development practices lead to technical leakage, despite security controls in place to minimize this – and how security teams lack the visibility to detect it. Then, we’ll reveal some tips and tricks on how security teams can minimize their attack surface. 

DevSecOps and The Evolution of Software Development

As customers, we can be a bit demanding when it comes to technology products. We want the latest products, the latest features – or the most recent versions of those. We’re not stuck for choice though. Rather, our menu of technology products is ever-growing. Companies are all racing to push out new products or better versions of those products to satisfy our digital hunger. 

Companies are racing to push out product updates more often than customers may realize. Research conducted by Google highlighted that elite performing organizations deploy software updates to their end users, on average, multiple times per day and, at the lower end, between once a month and once every six months. Regardless of the speed at which software is deployed, something shared between these organizations is the ability to deliver software quickly – and, on top of that, to deliver value for the customers.

Several processes, tools, and cultures have evolved that facilitate the speedy delivery of products. In terms of processes, digital transformation has shifted development practices online, mostly to the cloud. Along with that, code platforms have proliferated, with a stronger preference for using code collaboration platforms to develop and deploy software. Then, to ensure software teams collaborate more effectively and securely throughout the development lifecycle, development practices and cultures have evolved, commonly known as Developer Operations (DevOps) and Developer Security Operations (DevSecOps), though adoption varies. It’s the combination of these factors that has transformed software development functions for good, driving operational efficiency, flexibility, and agility. However, despite the progress made, challenges still exist, particularly in terms of securing software.

In this blog, we’ll review how modern security practices, among other factors, increase the likelihood of technical leakage. Along with this, we’ll introduce you to software development processes and cultures, DevOps and DevSecOps, that attempt to minimize technical leakage exposure, through security controls – but, as we explore, even with security controls leakage is still possible.   

Software development: Frameworks that redress security

Depending on the maturity or size of a software development function within a business, several software applications and cultures have evolved, not only to reduce friction between these teams but also to address security. Addressing the former is the culture of Developer Operations (DevOps); addressing the latter is the application and culture of Developer Security Operations (DevSecOps).

What is DevOps & DevSecOps?

The software and engineering function is broad in scope – and its application varies by organization. At a very high level, software development can range from software engineers, who build software, to platform and cloud engineers who may build infrastructure around it. 

To bring these teams closer together, and drive frictionless collaboration, a commonly known culture exists: Developer Operations (DevOps). Cross-functional collaboration creates many process improvements, such as increased flexibility and agility. However, security often becomes an afterthought, as it is unable to keep pace with deployment. By itself, security in DevOps increases friction – slowing the product’s time to market.

De-prioritizing security can create some serious problems for software, though, which is already inherently prone to flaws, taking the form of either bugs or vulnerabilities. Not only do these flaws make for an unpleasant user experience – but they can, depending on the severity, allow an attacker instant access into an organization. As such, software demands that IT and network security work collaboratively to address these types of flaws, quickly.

DevOps versus DevSecOps

A step on from DevOps is the application and culture known as DevSecOps. This is a term that embodies a practice as well as a culture. When adopted, DevSecOps embeds security from start to finish within the software development lifecycle, while aiming to minimize time to market. As we’ve argued before, adopting DevSecOps and its programs can result in happier customers; there’s increased uptime, better support, and less lead time between fixes.

DevSecOps Toolchain: Intro to security controls

A DevSecOps toolchain is a great way to visualize how security can be embedded into the development lifecycle, continuously. A few interpretations of the toolchain exist, varying from Gartner to SANS. For reference, the SANS DevSecOps toolchain [Figure 1] outlines several security controls beneath each phase of the life cycle.

Security controls aim to improve deployment efficiency 

According to SANS, security controls bake security into the toolchain, attempting to minimize the frequency and intensity of bugs and flaws, more easily. However, not all security controls are airtight – and they must be managed appropriately.

Fig 1: SANS’ interpretation of the DevSecOps ToolChain

However, the adoption of DevOps and DevSecOps varies by organization. Even with the security controls outlined above, technical leakage can still persist as a result of poor security practices. Here are key challenges affecting this space, regardless of whether DevOps or DevSecOps has been implemented.

The Digital Risks in Software Development

You may be wondering, why is Digital Shadows talking about software development? What has this got to do with digital risk? By definition, digital risks are unwanted exposure of data (company assets) across the open, deep, and dark web. Those risks can take the form of the loss of sensitive corporate data, disruption of identity, violation of privacy laws, and damaged reputations.

Adding to the dynamic list of digital risks, Digital Shadows has observed the exposure of data emanating from the software development functions of organizations. 

Who should own the problem?

Though the problem may emanate from software development functions, most security teams may now have to monitor and track the risks that threaten product success. In the ever-growing list of responsibilities that fall under their remit, security practitioners, depending on the type of organization and industry, may now have to proactively detect whether an employee – or perhaps a contractor or supplier – has inadvertently been exposing sensitive code or publicly committing to code repositories. For organizations, those risks can be deemed technical leakage – and impact organizations to different extents. 

Concerted effort to minimize risks 

On the other side of that, you also have the code collaboration platforms, which too can exacerbate the problem, if privacy controls aren’t enforced. In 2018, GitHub began offering token scanning services to prevent the accidental exposure of technical credentials. However, this isn’t just about GitHub; this also extends to software platforms where developers seek and share technical advice, such as GitLab, BitBucket, Azure, and Stack Exchange. These services have a joint responsibility to safeguard their customers, as best as they can. Exposure needs to be minimized from all sources – and no one party is responsible, though they can exacerbate the problems if unmanaged.

Together, organizations should also act to prevent such exposure, by strengthening internal security policies and educating consumers on the risks of exposure. Without such guidance, exposure of secrets and sensitive code is inevitable. On the organizational side, monitoring for technical leakage need not create another burden, though it may seem like it. Now, Digital Shadows makes it even easier for organizations to detect potential technical leakage – which we’ll go into in depth later. But first, it’s worth diving into some of the key risks we have seen.

4 Key Risks impacting Software Development

  1. Leaked credentials: Exposure of Secrets 

One of the biggest challenges of software development is when secrets become exposed by developers. Secrets (in software terms) are forms of digital authentication, such as passwords, API, access keys, and more. Secrets should not even be stored in a private code repository, and they definitely should not be in a public repository.

Unfortunately, in reality, this is worryingly common, meaning those crown jewels are fully accessible to everyone. Researchers at North Carolina State University found “that not only is secret leakage pervasive — affecting over 100,000 repositories — but that thousands of new, unique secrets, identified as API and cryptographic keys, are leaked on Github at a rate of thousands per day.” Exposure on code repositories such as GitHub was also a growing concern raised by users on Twitter, who highlighted how passwords could be searched across GitHub and implored GitHub to introduce new features, instantly, to address such exposure.

There are also open-source tools, such as TruffleHog, a tool designed to search git repositories for secrets, and Git Hound, which offers GitHub scanning tools to detect sensitive data and prevent it from being committed (publicly posted).
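The kind of check such a tool can run before a commit leaves a developer's machine, as an added example (not code from the original post, TruffleHog or Git Hound): it parses a unified diff, scans only the added lines with pattern rules plus an entropy test, skips placeholder values, and reports redacted findings by file and line. The rule names, regexes, the 4.0-bit entropy threshold and the sample diff are assumptions made for this illustration.

```python
import math
import re
from collections import Counter
from typing import List, NamedTuple

# Constructed sample of `git diff --cached` output. The AWS values are the
# placeholder credentials from AWS's public documentation; the rest is made up.
SAMPLE_DIFF = '''\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,7 @@ DEBUG = False
 REGION = "eu-west-1"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "changeme"
+API_TOKEN = "${API_TOKEN}"
+SIGNING_KEY = "q7Zp2LmX9vB4tR8nK1sD6fG3hJ5wY0cA"
 TIMEOUT = 30
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+(key body omitted in this sample)
'''


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    redacted: str


AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
SECRET_ASSIGN = re.compile(
    r"\b(\w*(?:secret|passw(?:or)?d|token|api_?key)\w*)\s*[:=]\s*['\"]([^'\"]{8,})['\"]",
    re.IGNORECASE,
)
QUOTED_TOKEN = re.compile(r"['\"]([A-Za-z0-9+/=_-]{20,})['\"]")
PLACEHOLDER = re.compile(r"^(?:\$\{.*\}|<.*>|x+|\*+)$", re.IGNORECASE)
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumption to tune per code base


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score higher than words or paths."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix for triage so the report does not leak the secret again."""
    return value[:4] + "*" * (len(value) - 4)


def scan_line(text: str):
    """Return (rule, redacted_value) pairs for one added line, one per distinct value."""
    hits, seen = [], set()

    def add(rule, value):
        if value not in seen:
            seen.add(value)
            hits.append((rule, redact(value)))

    for m in AWS_KEY_ID.finditer(text):
        add("aws_access_key_id", m.group(0))
    for m in PRIVATE_KEY.finditer(text):
        add("private_key_block", m.group(0))
    for m in SECRET_ASSIGN.finditer(text):
        if not PLACEHOLDER.match(m.group(2)):  # "${VAR}" or "<token>" is not a leak
            add("hardcoded_secret", m.group(2))
    for m in QUOTED_TOKEN.finditer(text):
        if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            add("high_entropy_string", m.group(1))
    return hits


def scan_diff(diff_text: str) -> List[Finding]:
    """Scan added lines only, tracking the new-file line number of each one."""
    findings, path, lineno, in_hunk = [], None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            in_hunk = False
        elif not in_hunk and raw.startswith("+++ "):
            target = raw[4:]
            path = target[2:] if target.startswith("b/") else target
        elif raw.startswith("@@"):
            m = HUNK.match(raw)
            if m:
                lineno, in_hunk = int(m.group(1)), True
        elif in_hunk and raw.startswith("+"):
            for rule, red in scan_line(raw[1:]):
                findings.append(Finding(path, lineno, rule, red))
            lineno += 1
        elif in_hunk and raw.startswith(" "):
            lineno += 1
        # Removed lines ("-") do not advance the new-file line number.
    return findings


if __name__ == "__main__":
    results = scan_diff(SAMPLE_DIFF)
    for f in results:
        print(f"{f.path}:{f.line}: {f.rule}: {f.redacted}")
    # A pre-commit hook would exit non-zero here to block the commit.
    raise SystemExit(1 if results else 0)
```

The entropy rule is what catches `SIGNING_KEY`, whose name matches none of the keyword patterns, while the placeholder check keeps `${API_TOKEN}` from raising a false alarm.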

What might appear to be an innocuous post seeking advice, or an inadvertent public commit or post, actually provides attackers with a goldmine of information.

  2. Leaked sensitive technology

While the exposure of technical credentials can be damaging, an equally important area to consider is whether the company’s infrastructure, which may hold data, is exposed online too. Knowledge of infrastructure could allow an attacker to perform reconnaissance on the organization, and build a deeper understanding of the target. 

We know from our own monitoring that attackers actively seek this type of information. For example, Figure 2 illustrates a post made by an actor to the Russian cybercriminal forum. In the post, the actor allegedly details a list of company subdomains, which then reference ElasticSearch, indicating that these organizations use ElasticSearch as a form of data management and/or storage. While there is no indication that these instances are exposed, this type of enumeration of technical information is incredibly helpful for malicious attackers’ campaigns.

Figure 2: An exploit user offering a list of subdomains with ElasticSearch

  3. A growing number of breaches attributable to erroneous configurations

Depending on the organization, one of the core functions of DevSecOps is to oversee and manage IT infrastructure, which extends to configuration management of all servers in local, staging, and production environments, and ensuring that they are kept in sync and consistent.

Verizon’s latest research, 2020 Data Breach Investigations Report: Official, highlighted that misconfiguration errors were increasing, in particular databases or file storages not being secured and directly exposed to a cloud service. While Verizon cited system admins setting the storage to public, research independent of Verizon delved deeper into the causes of misconfigurations via a survey. Respondents cited a lack of awareness of cloud security and policies (52%), a lack of adequate controls and oversight (49%), too many cloud APIs and interfaces to adequately govern (43%), and negligent insider behavior (32%).

Similarly, Digital Shadows’s 2019 research, Too Much Information: the Sequel, highlighted how 2.3 billion files were exposed through misconfigured devices as a result of error and other factors.

These research pieces highlight how data can easily be exposed by weak to poor security controls or insufficient security awareness in place.

  4. Attackers picking on poor security practices

Often with data exposure, it’s worth asking “so what?”. So my files have been exposed, what now? A developer has posted to a public code repository, what’s the risk? 

Unfortunately, such data can often fall into the wrong hands, which could cause significant damage. Here are some examples:

Data Extortion attempts

In 2017, activity was discovered accessing unauthenticated MongoDB installations and replacing their contents with a ransom note, usually containing an email, to force the victims to pay up in return for their sensitive data. Digital Shadows took the research further, concluding that the attacks were extortion rather than ransom, since most campaigns did not appear to even attempt to view or back up the data before deleting it.

Ransomware 

In 2019, Digital Shadows revealed how threat actors were actively attempting to exploit exposed data: 17 million files across online file repositories, which are often used for backing up data, had been encrypted by ransomware, 2 million of them linked to “NamPoHyu”, a variant of the “MegaLocker” ransomware. (See more in our report: Too Much Information). 

Exploiting credentials

In 2018, an attacker located an AWS credential within code in a private repository for Uber Engineers on GitHub. Though the repository was private, it is thought that the attacker either brute forced or password guessed the credentials – allowing them access to the app’s databases, stealing personal information on 57 million passengers and drivers – information including names, email addresses, and phone numbers. Ensuring data is protected doesn’t just mean the databases aren’t publicly available – but that the access to it has sufficient authentication practices in place too. 

According to research by Vinny Troia, GnosticPlayers were able to identify valid developer accounts by credential stuffing the HTTP-based API authentication, adding their SSH keys to the developer’s accounts using GitHub’s command-line tools, allowing the attackers to take advantage of an oversight in Github configuration. 

Threat intelligence for DevSecOps: Minimizing the attack surface

There is a wealth of security controls that can assist with tackling these challenges head-on – and several products that map to them too. We won’t go into each of them, but one security control that can particularly benefit the securing of software development is Threat Intelligence.

Threat intelligence can serve security teams by informing threat modeling and security architecture processes. In terms of threat modeling, threat intelligence can be applied to the pre-development phases of creating or making changes to code, and SANS recommends applying threat intelligence to address these types of questions: 

  • Are you changing the attack surface (new entry/exit points, new user role…)?
  • Are you changing the technology stack or application security controls?

When it comes to security architecture, threat intelligence – specifically vulnerability and exploit tracking – can help organizations understand if their software is vulnerable to an attack. Threat intelligence is capable of so much more though and here’s where Digital Shadows fits in.

Threat Intelligence: SearchLight for DevSecOps

We have recently bolstered our technical leakage product offering. In addition to monitoring for code exposure or secrets across public repositories, organizations can now track, with the “unauthorized code commit alert”, their employees’ corporate activity on public code repositories. Identifying whether employees have unintentionally committed to a repository provides organizations with a quick, scalable way to preemptively catch leakage before it becomes a serious threat. You can read more about the Unauthorized Code Commit alert here.

Figure 3: Digital Shadows Unauthorized Code Commit Alert

Furthermore, to stay up to date with the latest risks impacting software, organizations can start by monitoring and tracking the latest vulnerabilities affecting them. The figure below is an example of how customers can search across the open, deep, and dark web for vulnerabilities to web applications. 

Figure 4: How customers can search across the open, deep, and dark web for vulnerabilities to web applications

The adoption of DevSecOps varies by industry – and the above threat intelligence tips may not apply to all, requiring tailored approaches instead. Industries that are likely to be impacted include: retail, financial services, technology, telecommunications, energy, and more. 

Begin Bolstering DevSecOps with Outside-In Intelligence

Like traditional security, DevSecOps is currently being affected by the forces of digital transformation, which blurs network perimeters, meaning data is increasingly likely to be exposed online. On top of that, the nature of the software development industry, which demands rapid deliveries and multiple stakeholders working together on collaborative tools, has also increased the likelihood of sensitive data being exposed publicly. To prevent the exposure of software online and to minimize threats to software from modern development practices, Digital Shadows recommends the following:

  • Monitor for exposure of sensitive technology and code: Benefit from a set of free or paid tools to detect public code exposure – or sensitive company assets across public repositories, such as GitHub, Bitbucket, or GitLab. SearchLight, for example, detects technical leakage – and whether an employee has used their corporate email to publicly commit to repositories. Learn more about Digital Shadows capability here. Alternatively, free, open-source tools available include Git Hound, which prevents sensitive data from being exposed, or TruffleHog, which searches through repositories for secrets.
  • Harness contextualized threat intelligence: Stay informed with the latest threats, tools, campaigns, and news impacting your organization and security architecture.
  • Tracking vulnerable software: By aggregating data from open sources, SearchLight gains a broader picture of your network over time. This enables you to prioritize securing your network assets that are most at risk from compromise and exploitation. We provide high priority alerts that relate to genuine threats to your network infrastructure, not a deluge of CVEs (Common Vulnerabilities and Exposures).
  • Increase awareness: Individuals may not be clued up when it comes to securing technical data. Such a problem can be easily solved by better education and training around these risks.
  • Ease of use: When it comes to software collaboration tools, such as GitHub or GitLab, ensure security protocols are set to prevent activity from being posted publicly.

DevSecOps Resources

If you’re interested in learning more about how to implement DevSecOps for your organization, check out our resources below.

Technical Leakage Detection Overview
Detecting Unauthorized Code Commits
