February 1, 2017

2016 Reported Data Breaches Expose Over 4 Billion Records, January 25, 2017

Risk Based Security today announced the release of the annual Data Breach QuickView report that shows 2016 broke the previous all-time high, set back in 2013, for the number of records exposed from reported data breaches. The 4,149 data breaches reported during 2016 exposed over 4.2 billion records.

Read More

Global Orgs See 82K Cyber Incidents in 2016

Tara Seals, January 26, 2017

2016 saw approximately 82,000 cyber incidents that negatively impacted businesses and organizations around the globe; or, more than 225 organizations affected per day. It’s higher when accounting for unreported incidents.

Read More

How Cybercriminals Turn Employees Into Rogue Insiders

Kelly Sheridan, January 31, 2017

Cybercriminals are ramping up efforts to recruit employees with access to corporate networks. The Dark Web, which promises anonymity to rogue insiders, is driving that trend.

Read More

Lessons Learned From Real-World Data Breach Examples

Chris Evans, January 27, 2017

We recently spent some time with a client who is at the tail end of response and recovery from a data breach. Although the past few months have taken their toll on the security team, there is finally a light at the end of the tunnel. However, that light is going to dim quickly as the task of preparing for the next breach approaches like an incoming train.

Read More

3 Things Companies Must Do Before a Data Breach

Graham Cluley, John Bruce, January 31, 2017

As attacks become more complex, more damaging, and more frequent than ever, the quality of your response becomes critical to limiting the impact. In fact, a strong incident response (IR) function saves an average of $400,000 in damages per data breach, according to the Ponemon Institute, in research sponsored by IBM Resilient.

Read More

Explaining Cybersecurity Threats in a Decision-Maker Context

Marvin Marin, January 26, 2017

As cybersecurity professionals, I’m sure you’ve had this experience: you find a risk to your organization’s systems, data and reputation, and you want to take action — recode, deploy a web application firewall or maybe even disconnect the system.

Read More

Rethinking Vulnerability Disclosures in Industrial Control Systems

Jeremy Kirk, Galina Antova, January 27, 2017

The red lines once thought to be unapproachable by cyber adversaries have dimmed significantly in industrial control systems (ICS) over the past year. While not yet commonplace, these disruptive and destructive attacks are no longer the thing of fiction. Even if we abandon the “cyber war” scenario, ICS attacks may become attractive to the new wave of ransom-driven cybercrime actors or shift towards the operational technology (OT) networks and systems that support the world’s most critical physical and virtual infrastructure.

Read More

ATM ‘Shimmers’ Target Chip-Based Cards

Brian Krebs, January 27, 2017

Several readers have called attention to warnings coming out of Canada about a supposedly new form of card skimming called “shimming” that targets chip-based credit and debit cards. Shimming attacks are not new (KrebsOnSecurity first wrote about them in August 2015), but they are likely to become more common as a greater number of banks in the United States shift to issuing chip-based cards. Here’s a brief primer on shimming attacks, and why they succeed.

Read More

Zeus-Derived Malware Continues to Pwn POS Devices

Mathew J. Schwartz, January 31, 2017

Progeny of the venerable Zeus banking Trojan live on. That’s thanks, in part, to the source code for Zeus leaking via underground forums in 2011. Since then, enterprising developers have continued to refine the banking Trojan to help them steal online banking customers’ credentials as well as to infect point-of-sale devices and harvest payment card details.

Read More

HIPAA Enforcement Under Trump: A Forecast

Marianne Kolbasuk McGee, January 26, 2017

The Trump administration likely will continue “reasonable enforcement” of HIPAA, following the same strategy as the Obama administration, predicts privacy and security attorney Kirk Nahra.

Read More

Infosecurity Newsletter Archive