Cybersecurity Tech Accord Adopts Bug Disclosure Policies

Deep Dive: How Healthcare Organizations Practice Privacy and Security

In April, the Online Trust Alliance published the 11th annual Online Trust Audit assessing the security and privacy of 1,200 top organizations across several industry sectors. For the first time, this year’s Audit covered 100 of the top healthcare organizations, including lab testing companies, pharmacies, hospital chains, and insurance providers. 

How did they do?

Since this is the first year these organizations were included, we do not have historical comparisons, but we can compare how healthcare sites fared against the other audited sectors. Overall, 57% of healthcare sites made this year’s Honor Roll, the lowest of all the sectors we studied. By far the most common reason for failure in the healthcare sector was weak email security (35%, nearly triple the overall average). Failure due to privacy was better than average, while failure due to site security was slightly worse than average. 

Email Security

SPF and DKIM help protect against forged email. Overall 87% of healthcare organizations had SPF on their top-level domain and 67% had DKIM (the lowest of any sector, and the main source of healthcare’s failing scores).  DMARC builds on SPF and DKIM results, provides a means for feedback reports, and adds visibility for Continue reading

AWS ABCs: Granting A Third-Party Access to Your Account

There can be times when you’re working on the AWS Cloud where you need to grant limited access to your account to a third-party. For example:

• A contractor or a specialist needs to perform some work on your behalf
• You’re having AWS Professional Services or a partner from the Amazon Partner Network do some work in your account
• You’re conducting a pilot with AWS and you want your friendly neighborhood Solutions Architect to review something

In each of these cases you likely want to grant the permissions the third-party needs but no more. In other words, no granting of AdministratorAccess policies because it’s easy and just works. Instead, adherence to the principle of least privilege.

This post will describe two methods–IAM users and IAM roles–for proving limited access to third-parties.

Comparing the Two Approaches

The big difference with the IAM user approach vs the role-based approach is the way the credentials for each entity are handed out.

IAM users have long-term credentials that only change by a manual action (either the user or an administrator changes the credentials). Those credentials will continue to provide access to the account until they’re either changed or the user is disabled/deleted.

By contrast, roles Continue reading

VMworld 2019: Sneak Peak at Our Keynote Sessions. Plus a Chance to Win!

Networking & Security Keynotes at VMworld 2019

About a month ago, we published a VMworld security guide with shortlisted 100 to 300 level sessions that best illustrate real-world application of our products. This time, we’ll be focusing on two networking and security keynotes. The first keynote will highlight how VMware’s single-stack, complete networking and security platform can achieve a consistent operational network fabric for hybrid cloud environments, and the second keynote will focus on how users can leverage existing VMware infrastructure to implement a more effective, intrinsic security.

In addition, you will have a shot at winning Bose headphones simply by attending each event. Although chances are slim (1250 times harder to win both as opposed to just one), duplicate winners will be acknowledged so if you are looking for a present for yourself and a significant other, make sure to register and save on your yearly bonus! Winners will be announced at the end of each keynote, so make sure to stay until the end!

Showcase Keynote: Networking and Security for the Cloud Era [NETS3413KU]

There has never been a more exciting and challenging time in the networking space. As the cloud, application developers, IoT, Continue reading

U.S. Delays Huawei Ban Another 90 Days

Cisco and F5 Networks Discuss the Value of Tech Partnerships

Cloudflare Files IPO Paperwork to Battle AWS, Cisco, and Oracle

Cisco Software Subscriptions Hit 70%, China Trade War Spooks Investors

Key Steps and Pitfalls to Avoid in Cloud Security, with Valtix’s CEO Vishal Jain

VMware SVP Tom Corn: Security Is a Team Sport and vAdmins Play a Starring Role

Hacker Jeopardy, Wrong Answers Only Edition

Fast Friday- Black Hat USA 2019

I just got back from my first Black Hat and it was an interesting experience. It was crazy to see three completely different security-focused events going on in town all at once. There was Black Hat, B-Sides Las Vegas, and DEFCON all within the space of a day or so of each other. People were flowing back and forth between them all and it was quite amazing.

A wanted to share a few quick thoughts about the event from my perspective being a first timer.

• The show floor wasn’t as bit as VMworld or Cisco Live, but it was as big as it needed to be. Lots of companies that I’ve heard of, but several more that were new to me. That’s usually a good sign of lots of investment in the security space.
• Speaking of which, I talked to quite a few companies about a variety of analytics, telemetry, and insider threat monitoring solutions. And almost all of them had a founder from Israel or someone that was involved in the cybersecurity areas of the IDF. That’s a pretty good track record for where the investment is going.
• The Vegas booth gimmicks never change. I think I’ve spent too Continue reading

Introducing Certificate Transparency Monitoring

Today we’re launching Certificate Transparency Monitoring (my summer project as an intern!) to help customers spot malicious certificates. If you opt into CT Monitoring, we’ll send you an email whenever a certificate is issued for one of your domains. We crawl all public logs to find these certificates quickly. CT Monitoring is available now in public beta and can be enabled in the Crypto Tab of the Cloudflare dashboard.

Background

Most web browsers include a lock icon in the address bar. This icon is actually a button — if you’re a security advocate or a compulsive clicker (I’m both), you’ve probably clicked it before! Here’s what happens when you do just that in Google Chrome:

This seems like good news. The Cloudflare blog has presented a valid certificate, your data is private, and everything is secure. But what does this actually mean?

Certificates

Your browser is performing some behind-the-scenes work to keep you safe. When you request a website (say, cloudflare.com), the website should present a certificate that proves its identity. This certificate is like a stamp of approval: it says that your connection is secure. In other words, the certificate proves that content was not intercepted or Continue reading

Securing devices for DEFCON

Dynatrace Scores $544M IPO, Cloudflare to Follow Suit

Cisco Pays $8.6M in First-Ever Security Software Whistleblower Payout

IBM Packs Red Hat OpenShift Into Cloud Paks

Lanner and GTT Leverage uCPE to Bolster SD-WAN Performance

Cohesity Adds Security Capabilities With CyberScan

Juniper Pushes Security Into MX Routers, Updates Containerized Firewall