The Hacker News | Expert Insights — Index Page

GitHub Abuse Flaw Shows Why We Can’t Shrug Off Abuse Vulnerabilities in Security

May 13, 2024
Security has always been a game of risk management, not risk elimination. Every decision to address one threat means potentially leaving another unattended. Deciding which threat to address – and in what order – is the name of the game. In this triage process, abuse vulnerabilities, i.e., exploiting legitimate features of a platform in unintended ways to conduct digital misdeeds such as phishing campaigns, can get pushed down the priority list of security issues. I would like to argue that it's time we stop separating the concept of abuse vulnerabilities and security vulnerabilities. Unlike security vulnerabilities that are, in essence, exploited loopholes or bugs in the code, fixes for abuse vulnerabilities can be slow to come. Yet these openings for abuse can easily lead to disaster if left unattended. Recent figures show that 68% of breaches originate from these exact types of exploitations involving the human element making a mistake such as phishing attempts or abu
One and Done Security

May 06, 2024
There is a lot of frustration among security experts and legislators with device OEMs not implementing security measures. Apparently, many OEMs balk at the ongoing effort and expense of creating and managing a security team to verify and fix problem reports and to communicate their actions according to the requirements of various security agencies. On their side, OEMs probably prefer a one-and-done approach to security. I think that I have a solution for this conflict. It is not a perfect solution, but it is a half-step in the right direction. The solution is partitioning. We have found that it is possible to achieve strong isolation between software partitions for the Arm Cortex-M architecture with memory protection units. It is possible to do this without excessive memory waste or processor overhead for both the v7M and v8M architectures. Tasks in one partition cannot access resources in another partition. They must go through portals. Tasks in client partitions send protected messag
How to Investigate an OAuth Grant for Suspicious Activity or Overly Permissive Scopes

May 01, 2024
From a user's perspective, OAuth works like magic. In just a few keystrokes, you can whisk through the account creation process and gain immediate access to whatever new app or integration you're seeking. Unfortunately, few users understand the implications of the permissions they allow when they create a new OAuth grant, making it easy for malicious actors to manipulate employees into giving away unintended access to corporate environments. In one of the highest-profile examples, Pawn Storm's attacks against the Democratic National Convention and others leveraged OAuth to target victims through social engineering. Security and IT teams would be wise to establish a practice of reviewing new and existing OAuth grants programmatically to catch risky activity or overly permissive scopes. And there are new solutions for SaaS security cropping up that can make this process easier. Let's take a look at some best practices for prioritizing and investigating your organization's grants
DORA – Guiding the Resilience of Digital Financial Services

May 01, 2024
In today's digital age, financial institutions are tasked with the critical mission of upholding high standards of service, continuity, and resilience while combatting evolving cyber threats. The ability to innovate and enhance the security of digital financial services is essential for growth, differentiation, and for building trust with customers. To address these challenges, financial institutions must establish and maintain robust security processes and adapt their cyber defenses continuously. One key regulatory initiative designed to assist financial institutions in enhancing their operational resilience and cybersecurity posture is the Digital Operational Resilience Act (DORA).

Understanding DORA

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is a pivotal regulatory framework that focuses on digital operational resilience within financial services. Representing the EU's primary regulatory initiative on operational resilience and cybersecurity, DO