Is Vulnerability Management Broken?


In today’s IT landscape, organizations face a relentless range of cyber threats. To counter these, vulnerability management has become a cornerstone of good cybersecurity management. However, despite significant investments in tools and personnel, many businesses still struggle to protect their systems effectively, with countless examples of unpatched systems becoming a key stepping stone in any […]

The Illusion of Security: How Rules of Engagement Can Mislead


In the realm of cybersecurity pen-testing, the Rules of Engagement (ROE) are pivotal for structured, ethical hacking and vulnerability assessments. They specify what can and cannot be done during a red team engagement, ensuring that the testing is both controlled and ethical. However, while these rules are essential, they can sometimes foster a false sense […]

The Conundrum of Legacy Applications


Legacy applications are software systems that have been in use for a long time and are based on outdated or unpatched software. Despite their age, these applications continue to be critical to the operations of many organizations. They often run on older hardware and may not be compatible with modern systems or software. The term “legacy” […]

Recent Events & the Patch Gap


Let me be clear: this isn’t a blog about apportioning blame to anyone. These sorts of events have happened multiple times in the past, perhaps not on the same scale, but this certainly isn’t the first nor will it be the last time an update from a supplier causes production issues. As we are all […]

Who to Blame? – PR and a Cyber Breach Blame Evolution


Having worked in cyber security for a very long time, it has always been of interest to us, when we see a data breach announced, how it is messaged and how it is controlled by the organisation affected. Let me be clear right at the start: this is not a victim blaming exercise, but […]

The Joys of Honeypotting


Time to talk about one of my favourite concepts in cyber security: Honeypots. I don’t know why, but the idea of honeypotting an attacker has always held a special place in my mind, as a method to attack the attacker. But first, some term clarifications. Honeypot: a decoy system intentionally designed to look like […]

Mind the Patch Gap


It’s time to discuss what tends to be overlooked when it comes to cyber defences for an organisation: what is known in the industry as the “Patch Gap”. This is the time from when a CVE is known and a patch is available to when it is actually patched. This number is very important, […]

Know your Signatures

Let’s start with the basics: Network IPS and IDS – Intrusion Prevention and Intrusion Detection Systems. An IPS usually sits inline with the traffic flow, allowing packets to be stopped to prevent an attack, whereas an IDS will simply alert the SecOps team that there is a potential threat that then needs investigating. IPS can be troublesome in routing […]

Accepting the Risk


In the cyber security industry a phrase gets used when looking at legacy applications: “Accept the Risk”. This is often said when it comes to legacy applications, as there isn’t too much an organisation can do about them by their very nature. In speaking with CISOs it is often said in the context of […]

Too many JVMs – The Java Security Challenge


Understanding the JVM and Security Implications: In the realm of application development, Java has long stood as a stalwart, known for its platform independence and versatility. At the heart of Java’s capabilities lies the Java Virtual Machine (JVM), a powerful intermediary that facilitates seamless execution of Java applications across diverse devices and operating systems. However, […]