Cyber Security and Resilience Policy Statement to strengthen regulation of critical sectors

As the Director of National Resilience at NCSC, I saw the government's announcement of a Cyber Security and Resilience Bill in July 2024 as a pivotal step towards addressing the growing cyber threat to essential services, including water, power and healthcare. Today, we welcome the publication of the Department for Science, Innovation and Technology's (DSIT)…

Protective DNS for the private sector

This guidance is for private sector organizations that are not eligible to use the NCSC's Protective DNS (PDNS). If your organization is eligible for the NCSC's PDNS, note that a commercially procured protective DNS service is not a suitable substitute for it.

Reasons to Implement Protective DNS

Protective DNS (PDNS) systems block access to malicious domains attempted by…
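To make the blocking mechanism concrete, here is an added example (not NCSC code, and not any vendor's PDNS implementation) of the policy decision a protective resolver makes for each query: normalize the queried name, match it against a deny list on whole labels, and hand back a sinkhole address for hits. The deny list, the sinkhole address and the query-log lines are all constructed for illustration.

```python
# Added example of a protective-DNS style policy check.
# Assumptions (constructed, not from the NCSC guidance): the deny list
# contents, the sinkhole address and the query-log line format.

DENYLIST = {          # constructed: names a PDNS threat feed might flag
    "evil.example",
    "c2.badactor.test",
}
SINKHOLE = "0.0.0.0"  # constructed: answer returned instead of the real record


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing root dot so lookups are canonical."""
    return qname.strip().rstrip(".").lower()


def matching_entry(qname: str, denylist=DENYLIST):
    """Return the deny-list entry covering qname, matching on whole labels.

    'www.evil.example' is covered by 'evil.example'; 'notevil.example' is not.
    A naive substring or endswith() check gets the second case wrong.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in denylist:
            return candidate
    return None


def resolve_policy(qname: str):
    """Decide what the protective resolver returns for qname.

    Returns ("block", matched_entry, SINKHOLE) or ("forward", None, None),
    where "forward" means the query goes to the normal upstream resolver.
    """
    entry = matching_entry(qname)
    if entry is not None:
        return ("block", entry, SINKHOLE)
    return ("forward", None, None)


def apply_to_log(lines):
    """Run the policy over constructed query-log lines shaped as
    '<client> <qname> <qtype>' and return (client, qname, action, entry)."""
    decisions = []
    for line in lines:
        client, qname, _qtype = line.split()
        action, entry, _answer = resolve_policy(qname)
        decisions.append((client, normalize(qname), action, entry))
    return decisions


SAMPLE_LOG = [  # constructed sample queries
    "10.0.0.5 www.EVIL.example. A",
    "10.0.0.5 notevil.example A",
    "10.0.0.7 c2.badactor.test AAAA",
    "10.0.0.9 intranet.corp.example A",
]

if __name__ == "__main__":
    for decision in apply_to_log(SAMPLE_LOG):
        print(decision)
```

The label-wise walk is the part worth copying: it blocks every subdomain of a listed name while leaving look-alike names such as `notevil.example` alone, and the blocked decisions are exactly the events a SOC would want logged and alerted on.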

New guidance on securing HTTP-based APIs

APIs (application programming interfaces) play a crucial role across various industries, spanning social media, finance, healthcare, and telecommunications. They enable effective data exchange between different systems and services. However, the growing reliance on APIs opens the door for attackers who look to exploit potential vulnerabilities in their design and implementation. Recent high-profile security breaches involving…

Italy’s Data Protection Watchdog Issues €15m Fine to OpenAI Over ChatG

The Italian Data Protection Authority (Garante per la protezione dei dati personali) has imposed sanctions on OpenAI due to violations of data protection laws related to the ChatGPT chatbot. OpenAI is required to pay a fine of €15 million (approximately $15.6 million) and undertake a six-month public awareness initiative throughout Italian media. This campaign aims…

Fortinet Warns of Critical FortiWLM Flaw That Could Lead to Admin Access Exploits

Fortinet has issued an advisory regarding a recently patched critical security vulnerability in its Wireless LAN Manager (FortiWLM) that could expose sensitive information. Tracked as CVE-2023-34990, the flaw carries a CVSS score of 9.6 out of 10. “A relative path…

Critical Apache Struts flaw under active exploit

A significant security vulnerability in Apache Struts 2 was patched last week, and it is now being exploited using publicly available proof-of-concept (PoC) code. Struts is a widely used Java-based web application framework, favored by large corporations and government institutions, so flaws in this open-source framework can have severe consequences, as the Equifax breach in…

Microsoft revamps how it will disclose vulnerabilities

Microsoft is enhancing its vulnerability disclosure process by adopting the Common Security Advisory Framework (CSAF), so that organizations can prioritize and remediate CVEs (Common Vulnerabilities and Exposures) more efficiently. The machine-readable format allows larger volumes of CVEs to be processed faster, while customers can still access updates through the Microsoft Security Update Guide or…

Passwords, passwords everywhere

Selecting an effective password can be challenging. The NCSC has argued in several blogs and guidance documents that password policies should be changed so that users are encouraged to choose secure passwords. One such strategy is the use of password deny lists, which prevent users from choosing passwords that are frequently exposed in data…
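As an added example (not NCSC code), here is how a deny-list check can be built so that the password itself never leaves the system doing the check: hash it with SHA-1, send only the first five hex digits to a range-lookup service, and compare the returned suffixes locally (the k-anonymity scheme used by public breached-password services). The breach corpus, the `range_lookup` stand-in for the service and the minimum length are constructed assumptions for illustration.

```python
import hashlib
from collections import defaultdict

# Added example, not NCSC code. LEAKED_PASSWORDS is a constructed stand-in
# for a breach corpus; a real deployment queries a published deny list or a
# range-query service instead.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Password1", "password"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form used by range (k-anonymity) lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(leaked):
    """Index the corpus as {5-char hash prefix: {35-char suffix: count}}."""
    ranges = defaultdict(lambda: defaultdict(int))
    for pw in leaked:
        h = sha1_hex(pw)
        ranges[h[:5]][h[5:]] += 1
    return ranges


RANGES = build_ranges(LEAKED_PASSWORDS)


def range_lookup(prefix: str) -> str:
    """Stand-in for the server side of a range query (assumption): given only
    the first five hex digits, return every 'SUFFIX:COUNT' line in that bucket."""
    bucket = RANGES.get(prefix, {})
    return "\n".join(f"{s}:{c}" for s, c in sorted(bucket.items()))


def exposure_count(password: str, lookup=range_lookup) -> int:
    """How often the password appears in the corpus. Only the 5-digit prefix
    is handed to lookup(); the suffix comparison happens here, locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix).splitlines():
        s, _, count = line.partition(":")
        if s == suffix:
            return int(count)
    return 0


def check_password(password: str, min_length: int = 8):
    """Deny-list plus minimum-length policy (min_length is an assumption).
    Returns (accepted, reason)."""
    if len(password) < min_length:
        return (False, "too short")
    n = exposure_count(password)
    if n:
        return (False, f"present in breach corpus, count={n}")
    return (True, "ok")


if __name__ == "__main__":
    for candidate in ["password", "Password1", "short", "correct horse battery staple"]:
        print(candidate, check_password(candidate))
```

The privacy property comes from the split: with five hex digits the service learns only which of 16^5 buckets the hash falls in, and every suffix in that bucket comes back, so the service cannot tell which one (if any) the client matched.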

NCSC advice for Marriott International customers

Customers of Marriott International, a prominent hotel group, may find that their personal information has been compromised in connection with the guest reservation database managed by Starwood.

Incident Overview

Marriott has announced that an internal investigation revealed that unauthorized access to the Starwood guest reservation database began in 2014, potentially impacting approximately 500 million customers…
