UpGuard Blog

It's Like Updating OpenSSL All Over Again

A new high severity vulnerability in the OpenSSL protocol was announced today that could allow an attacker to cause memory corruption in devices handling SSL certificates. The vulnerability was caused by a combination of bugs, one a mishandling of negative zero integers, and the other a mishandling of large universal tags. When both bugs are present, an attacker can trigger corruption by causing an out-of-bounds memory write.

Filed under: configuration testing, security, vulnerabilities, openSSL

Cybersecurity and the State

Last week the Australian government announced a new cybersecurity initiative that will cost upwards of AU$240 million and create 100 “highly specialized” jobs. This comes on the heels of Obama’s February announcement of the Cybersecurity National Action Plan, which hopes to establish a cybersecurity committee and create a 3.1 billion dollar “modernization fund.” With business and communications now done almost entirely online, it makes sense that governments are taking cybersecurity seriously, but what does it mean for the state to establish a cybersecurity presence and how will these initiatives ultimately play out? We’ll look at the details of both plans and how they align with their government’s cybersecurity actions, as well as their potential impact on citizens.

Filed under: government, cybersecurity

The Email Security Checklist

You’ve hardened your servers, locked down your website and are ready to take on the internet. But all your hard work was in vain, because someone fell for a phishing email and wired money to a scammer, while another user inadvertently downloaded and installed malware from an email link that opened a backdoor into the network. Email is as important as the website when it comes to security. As a channel for social engineering, malware delivery and resource exploitation, a combination of best practices and user education should be enacted to reduce the risk of an email-related compromise. By following this 13 step checklist, you can make your email configuration resilient to the most common attacks and make sure it stays that way.

Filed under: configuration testing, cyber risk, IT operations, email, checklist

The Website Security Checklist

Putting a website on the internet means exposing that website to hacking attempts, port scans, traffic sniffers and data miners. If you’re lucky, you might get some legitimate traffic as well, but not if someone takes down or defaces your site first. Most of us know to look for the lock icon when we're browsing to make sure a site is secure, but that only scratches the surface of what can be done to protect a web server. Even SSL itself can be done many ways, and some are much better than others. Cookies store sensitive information from websites; securing these can prevent impersonation. Additionally, setting a handful of configuration options can protect your full website presence against both manual and automated cyber attacks, keeping your customers’ data safe from compromise. Here are 13 steps to harden your website and greatly increase the resiliency of your web server.

Filed under: security, apache, IIS, nginx, webscan, checklist

The Nightmare Scenario: When Your Security Provider Becomes a Security Problem

You’ve spent months with your team designing your company’s security strategy-- you’ve demoed and chosen vendors, spent money, and assured your users that this investment will pay off by keeping their business safe. The next thing you know, the very software you’ve put in place to protect your data is exposing it instead. This nightmare scenario has turned into reality for some companies when major security software was compromised or had fatal flaws that exposed sensitive information to unknown third parties. Just because you sell security doesn’t mean you always practice it.

Filed under: security, data breaches, IT security

10 Essential Steps for Configuring a New Server

That’s a nice new Linux server you got there… it would be a shame if something were to happen to it. It might run okay out of the box, but before you put it in production, there are 10 steps you need to take to make sure it’s configured securely. The details of these steps may vary from distribution to distribution, but conceptually they apply to any flavor of Linux. By checking these steps off on new servers, you can ensure that they have at least basic protection against the most common attacks.

Filed under: configuration, linux, server management, IT operations

Tax Day 2016: Auditing the IRS, E-file and Tax Software Websites

Are you filing your taxes online this year? As e-filing and internet connected tax software become more and more standard, the security of the sites accepting your sensitive information becomes more and more important. You've probably heard about some of the various data breaches facing the tax industry, including one of the IRS in May of 2015, potentially exposing hundreds of thousands of tax records. UpGuard's external risk grader measures the security of a company's internet presence. We ran ten tax-related websites through to see how they stacked up and the results are interesting. Perhaps most interesting of all, IRS.gov received a rare perfect score of 950 out of 950. Tax software websites such as TaxSlayer fared well too. But as we'll see, the external information is just the tip of the iceberg.

Filed under: security, CSTAR, vulnerabilities, webscan

Top Retailers Who Should Know Better


There's no arguing that internet retailers have it tough these days: web server vulnerabilities, expiring SSL certificates, PCI DSS compliance, and a host of other issues keep the most vigilant of etailers on their toes—all this, mind you, against a harsh backdrop of increasing cyber threats.

Even still, a handful manage to slip up when it comes to the most basic security measures, putting both their infrastructures and the data security of customers at risk. The following is a list of 11 online retailers who should know better.

Filed under: cyber security, retail

Security Through Visibility

People commonly use the phrase “security through obscurity” to refer to the idea that if something is “hidden” or difficult to find, it becomes more secure by virtue of other people not knowing it’s even there to be exploited. But in reality, security through obscurity usually means that the only people who find obscure resources are the people looking to exploit them for a way in. This is why visibility, rather than obscurity, increases security. Our website risk grader provides people with an easy way to view a website's security rating by offering visibility into their internet-facing footprint. This also allows businesses to monitor their own improvement over time.

Filed under: security, CSTAR, visibility

A New Season for Baseball and Cyber Threats

Another regular season is underway as teams—fresh from spring training—dive head first into a sea of possibilities: will the Cubs win a World Series this year? How about those Mariners? Who will be this year's Hall of Famers? For fans, another question is increasingly becoming the subject of bar room chatter: which team will be hacked this season?

Filed under: data breaches, baseball

The Healthcare Security Epidemic

Your medical records live in a database or file system on servers somewhere, on someone’s network, with someone’s security protecting them. A recent PBS article about cyber security in the healthcare industry reports that over 113 million medical records were compromised in 2015. Medical records, perhaps even more than financial data, are the epitome of sensitive, private data, yet the healthcare industry has reported breach after breach, with over a dozen separate breaches already logged in March of this year.

Filed under: security, CSTAR, data breaches, healthcare, webscan

Flash is Trash

When it comes to Flash, the only thing you hear more about than its ubiquity are its problems. Despite denunciations from some of technology’s biggest names, Adobe’s Flash player still seems to be everywhere. For almost ten years now, people have been dealing with the security warnings, critical updates and browser incompatibilities for which Flash is infamous. Yet even now, 0-day exploits of Flash’s seemingly unending vulnerabilities threaten users as third-party Flash ads on otherwise trusted websites are used to breach security.

Filed under: cyber security, vulnerabilities, Flash

Gambling with Security: Online Sports Betting, March Madness Edition


In the last few years, sports betting websites like DraftKings and FanDuel have exploded in popularity and controversy. Anyone who watched last year’s NFL season shouldn’t be surprised that those two sites alone spent over $200M on national television advertising in 2015, amounting to around 60,000 commercials. At the same time, betting sites have been in the news due to their questionable legality and the lawsuits being brought against them from various parties. With March Madness in full effect, people are turning to online gambling sites to place their bets. Aside from the increasing legal resistance these companies face, should users be concerned about the security of sharing their information with these sites? As it turns out, it depends on the site.

Filed under: security, CSTAR, cyber risk, webscan, ssl

Write Once, Infect Anywhere, or: The Rise of Cross-platform Malware

Cyber attackers are, above all else, opportunists—malware and viruses require time and resources to develop and are therefore created with the greatest returns in mind. In terms of operating systems, Windows typically gets a bad rap for security—the price of popularity, as it were. But as other OS platforms have whittled down Windows' market share in recent years, cyber attackers have had an increasingly broad playing field for exploitation. 

Filed under: malware, cyber security

The Amex Partner Data Breach and Downstream Liability

If you're one of its 140 million cardholders around the globe, American Express wants you to know that your data is safe. The data breach recently announced by the U.S.' second largest credit card network reportedly involved a partner merchant and not Amex itself. However, if you're one of the customers whose credit card and personal information was stolen, the difference is negligible.

Filed under: cyber security, data breaches

Usability: A Security Concern?

The usability of software is usually defined in relation to the efficiency with which people can manipulate it. Is it time-saving, intuitive, likable? But often overlooked is how usability indirectly affects security, especially when dealing with enterprise software. The basic thesis is this: an application that's easier to use, easier to configure and manage both initially and over time, will also be more resilient than an application that's difficult or frustrating, even if the two have identical feature sets. This is because in practice, software is rarely, if ever, used in an ideal fashion. 

Filed under: usability, IT security

Using UpGuard to Validate Your CIS Critical Security Controls for Effective Cyber Defense

First circulated in 2009, the CIS Critical Controls are used by both the U.S. and U.K. governments as the preeminent framework for securing critical infrastructures. Consisting of 20 security controls that cover areas from malware defense to incident response and management, the CIS Critical Controls offer a prioritized set of security measures for assessing and improving a firm's security posture. Though not a cybersecurity panacea, the controls help to address the vast majority of security issues faced by organizations today.

Filed under: security, compliance, CIS

What is Digital Resilience?

The 10-second version is this: Digital resilience is a fundamental change in understanding and accepting the true relationship between technology and risk. IT risk (or cyber risk, if you prefer) is actually business risk, and always has been.

Filed under: digital resilience

The Cost of Downtime At The World's Biggest Online Retailer

Amazon.com suffered a glitch today leaving its website inaccessible for approximately 13 minutes. Seem like a paltry number? Only if these lost minutes aren't translated to sales revenue losses. And while outages with the company's AWS cloud computing offering are not uncommon, Amazon's online retail division—as well as all retailers that transact online—have much at stake literally every minute their websites stay up—or go down.

Filed under: amazon, Cloud Computing

Cybersecurity Incidents Cost Companies Hundreds of Billions in 2015


According to the recently released 2016 Data Breach Investigations Report (DBIR) digest, produced annually by Verizon to help educate the industry, companies spent hundreds of billions of dollars last year as a result of cybersecurity incidents.

Filed under: CSTAR, insurance, cyber risk, digital resilience

10 DevOps Communities to Follow If You Need to Get Things Done

Chances are you’ve browsed to an online IT community looking for information about a technology. But taking full advantage of them means understanding how they work and what they can do for you. Interaction with a tech community usually happens for one of three reasons:

Filed under: DevOps Resources, devops

Team Mimr's Experience at UpGuard

We are students from National University of Singapore on a one year entrepreneurship program that brought us to Silicon Valley, where we have the opportunity to intern at a startup while taking courses at Stanford. Our primary reason for choosing UpGuard was the excitement of working in a fast-paced DevOps environment with experts and solving challenging, large-scale enterprise problems. The product enables complete visibility into IT infrastructure, tracks and manages change, and ultimately helps prevent downtime and breaches. Our time at UpGuard has not only contributed to our education, it has been nothing short of amazing.

Filed under: culture, working at upguard

Making Your Organization Digitally Resilient to Natural Disasters

The high likelihood of falling victim to security compromises has led firms to adopt more digitally resilient strategies. Unfortunately, these measures do not address the ominous threat of natural disasters looming on the horizon. A myriad of business continuity solutions exist to mitigate the effects of natural disaster-induced downtime, but there's no telling at the end of the day how digitally-dependent organizations will fare when catastrophic events of unprecedented proportions occur.

Filed under: amazon, cloud, Azure

#RSAC: Put Your Money Where Your Mouth Is

RSA 2016 is underway with the tagline "Where The World Talks Security," but for the most part it’s just that—a lot of talk. Attendees, speakers and vendors have come from all over the world to share insight and new products with their security-minded peers, and there will certainly be a few novel takeaways as in years past, but who is serious about security and who is just putting on a show for potential clients and investors?

Filed under: webscan, RSA

Hackers Publish Time Warner Business Database

On February 28th 2016, “grey-hat security research group” TeaMp0isoN breached Time Warner Cable’s Business Class customer support portal with a SQL injection attack, defacing the site and snatching a database dump with more than 4,000 records including usernames, email addresses and (encrypted) passwords. 

Filed under: data breaches

Is DevOps the Latest Secret Weapon in the Hacker's Tool Chest?

The Sony Pictures hack is turning out to be quite an intricate saga of misdeeds. From the tools and methods used to the ever-expanding sphere of destruction attributed to the Lazarus Group, ongoing forensics are shedding light on strikingly similar advanced persistent threat (APT) campaigns targeted at various other media, finance, and manufacturing firms around the globe. And while the sophistication of the attackers' tooling and methods is certainly to be reckoned with, the apparent emergence of DevOps-like enablement in the digital underworld is arguably greater cause for concern.

Revisiting the Perils of Wifi on Planes

Fortune recently published an article listing the airlines with the best in-flight wifi service. Coming in at the top of the list with the most onboard wifi connections globally were 3 American carriers: Delta, United, and American Airlines, respectively. But what defines best? Security is clearly not part of the equation, as one journalist famously discovered last week on a domestic American Airlines flight. But then again, if we're talking about wifi and commercial aircraft, all airlines get a failing grade.

Filed under: cyber security, cyber risk

UpGuard And Retrospective Security

We've all heard the saying: hindsight is 20/20. This applies to many scenarios but is seldom the case when it comes to IT security: most organizations develop shortsightedness when it comes to data breaches—even those that may be happening right under their noses. Like a vehicle's side and rearview mirrors, retrospective security improves visibility by eliminating blind spots using past trends and historical data.

Filed under: cyber security, upguard, cyber risk

Remediating The glibc DNS Bug Or: How To Survive An Inherently Flawed Digital Landscape

Buffer overflowing—or the stuffing of more data into a block of memory than allocated—has been one of the more common security vulnerabilities to be exploited in recent years. Last week Google and RedHat security researchers discovered a particularly distressing buffer overflow vulnerability in one of the key underpinnings of the internet: the glibc DNS bug. And while the glibc team has provided a fix for most Linux distros, it's questionable whether the flaw can be eradicated any time soon, especially given the ubiquity of Linux systems and the GNU Project's implementation of the C standard library.

Filed under: digital resilience

Looking for Love in All the Wrong Places

When we think of protecting our information online, it’s usually in the context of traditionally sensitive data-- credit card numbers, addresses, SSNs, and so on. But as anyone who has taken a picture of themselves wearing nothing but a smile can tell you, the information exchanged during online dating can be just as personal. I haven’t done that, though. Ever. I have never done it.

Filed under: cyber security, upguard, cyber risk, webscan

The Need for Complete Risk Assessment

As the digital economy has matured, so has the recognition that cyber risk cannot be eliminated; it must be managed. Insurance is the mechanism by which we distribute risk so that rare but catastrophic events don't ruin the unfortunate person (or company) that they happen to. Accurately pricing cyber insurance, however, is still in its infancy. Comparing the methods for assessing cyber risk to those used in property and casualty insurance points the way forward for better methodologies.

Filed under: cyber security, insurance, cyber risk

Why Companies Will Keep Getting Breached In 2016 And Beyond

The answer is simple: because it's highly profitable. Credit card numbers are still the best we've got for transacting digitally and health records are 10 times more valuable on the black market. And despite efforts from the infosec community at large, cybercrime continues to increase in frequency and severity. The more important and difficult question is not why, but how: that is, how can companies not just survive, but thrive in a landscape of digital threats?

Filed under: cyber security, insurance, cyber risk, data breaches

How CSTAR Works

With the rate of data breaches increasing along with the complexity of modern IT infrastructures, the cyber insurance industry has been experiencing significant growing pains. Cyber risk determination had historically been done with employee surveys or contextual information about industries at large. Without reliable data on an organization’s actual working state, many insurers came to realize there was no way to formulate a fair and accurate cyber insurance policy, especially for more complex and ever-changing IT environments.

Filed under: security, cyber security, CSTAR, cyber risk

What's In the Website Risk Grader?

From day one at UpGuard, we have been all about visibility. Before you can automate, validate desired or detect unwanted changes, you must first know what your infrastructure looks like; you must have a starting spot. We take the same approach to assessing cyber risk.

Filed under: CSTAR, webscan

Understanding Risk in the 21st Century

For as much as "cyber risk" sounds like a 1990's board game involving robots, cyber risk is actually serious business—in fact, it is continually becoming more important as organizations old and new find themselves relying on a variety of connected technologies and services. And as we enter 2016, the risk of data breaches in particular threatens to hamper business innovation.

So what is cyber risk, and what can be done about it? 

Third party risk is your risk

Filed under: cyber security, CSTAR, cyber risk

Casino Data Breaches And Doubling Down On Digital Resilience

In what is being described as a landmark case, Nevada-based casino operator Affinity Gaming is suing cybersecurity firm Trustwave for inadequately investigating and containing a 2014 data breach. The lawsuit not only marks the first time a security firm is sued over post-breach remediation efforts—it also highlights the complexities around managing cyber risk for high risk organizations in today's threat landscape. 

Filed under: cyber security, cyber risk, data breaches, digital resilience

Bringing Digital Resilience Back to the Digital Economy: ScriptRock Becomes UpGuard

As the saying goes, there are two certainties in life: death and taxes. As we all look ahead to 2016, it’s clear that a third certainty has entered the mix: breaches. 

Filed under: cyber security, upguard, cyber risk, digital resilience

Fixing The New OpenSSH Roaming Bug

Call it an experiment gone wrong: a bug in a test feature of the OpenSSH client was found to be highly vulnerable to exploitation today, potentially leaking cryptographic keys to malicious attackers. First discovered and announced by the Qualys Security Team, the vulnerability affects OpenSSH versions 5.4 through 7.1. Here's what you need to know about the bug, including remediation tips.

Filed under: security, vulnerabilities

Snoop Dogg to Server Admins: "Fix Your Sh*t"

One of our main objectives is to explain the costs of unplanned outages and help you prevent them from ever occurring in the first place. It's never merely time and money lost: customer trust and your reputation take hits, too. We've written many articles about it and work with companies on improving their service reliability every day.

Filed under: outage, server management, upguard

7 Hackable IoT Devices To Watch Out For At CES 2016

Yes, it's that time of the year again. Time for global electronics vendors and eager enthusiasts from far and wide to converge at the world's largest annual consumer electronics/technology tradeshow. CES 2016 is in full swing, and IoT innovations have unsurprisingly taken center stage once again. Of course, who can forget the debut of Samsung "Smart" Fridge at last year's show, followed by the publicized hacking of the device soon thereafter. Judging by this year's exhibitor turnout, consumers can expect to see more hacked IoT devices making headlines in 2016. The following are the top 7 hackable IoT devices to watch out for at CES this year.

Filed under: cyber security, cyber risk, hacked

The Mysterious Case Of The Leaked Voter Database

The election year is officially underway, but for non-voters and the apathetic, another reason not to register to vote has surfaced: on December 20th, 2015, a security researcher discovered a publicly exposed database of 191 million voter registrant records—names, addresses, dates of birth, phone numbers, party affiliations, state voter IDs, and more—posted online and freely accessible.

Filed under: cyber security, cyber risk, data breaches, hack, cyber attack

Top 10 Data Breaches Of 2015—A New Year's Day Retrospective

2015 may have come and gone, but the effects of last year's data breaches are far-reaching—for both millions of consumers and internet users as well as the companies and organizations whose systems were breached. Such events are no less devastating in terms of brand damage, and 2016 will undoubtedly bring forth a heightened collective security awareness in both organizations as well as consumers.

Filed under: cyber security, cyber risk, data breaches, hack

The OPM Data Breach And Threat Of Compromised Nuclear Data

The figures are staggering: 21.5 million records containing social security numbers, names, places of birth, addresses, fingerprints, and other highly sensitive personal data—stolen by cyber attackers.

Filed under: cyber security, cyber risk, data breaches, cyber attack

Sanrio's Data Leak And The New Data Privacy Normal For Minors

It's been barely a month since the VTech data breach resulted in the theft of over 6.4 million children's records, and yet another massive compromise affecting kids' data privacy is upon us—this time involving venerable children's toy and accessory brand Sanrio (of Hello Kitty fame). The data leak resulted in the exposure of details from more than 3 million user accounts: first/last names, birth dates, genders, countries, and email addresses, all openly available to the public. With children becoming prime targets for cyber criminals seeking low hanging fruit, companies that deal with and manage minors' data are increasingly under pressure to bolster their security controls and practices.

Filed under: cyber security, data breaches, hacked, cyber attack

Exorcising Juniper Networks And FireEye's Ghosts of Christmas Past From Your IT Infrastructure

Last week was a busy one for leading network and security appliance manufacturers FireEye and Juniper Networks. Critical flaws were discovered in hardware products from both vendors, bringing the distressing but unavoidable question to the forefront once again: what recourse is there when the very security mechanisms in place to protect our data assets are themselves highly flawed?

Filed under: Juniper, vulnerabilities

Introducing Friction-Free DevOps from Docker and… HP?

As you may recall, earlier last month HP completed its division into two parts: an enterprise focused products/services entity—HP Enterprise (HPE)—and a personal computing/printing firm known as HP, Inc. CEO Meg Whitman gave a nod to DevOps-enabled organizations such as Vimeo and Uber at the initial announcement of the split half a year ago at HP’s Discover conference, presumably setting the course for a newly DevOps-focused HPE in helping companies scale ideas to valuation. How does an IT giant go about transforming itself from an aged enterprise monolith to an agile, open, service-oriented solutions provider for today's business IT environments?

Filed under: devops, HP, docker

DevOps Year in Review 2015

There can be absolutely no question anymore that DevOps isn't just a fad—it's here to stay, it's a big deal, and it's coming to the enterprise. Speakers from relatively new companies like SurveyMonkey and Docker took the stage at the 2015 DevOps Enterprise Summit in San Francisco alongside old standards like IBM and General Electric to prove that the transition to a DevOps culture in established enterprises is not only possible, but probably inevitable.

Filed under: devops, upguard

The VTech Data Breach And Exploding Teddy Bears

What's the difference? The former offers no legal recourse, at least for now. Just in case you've been de-sensitized by the recent ongoing barrage of security compromises, the latest data breach involving electronics and educational toy manufacturer VTech is sure to instill new fear in the hearts of parental consumers, putting at stake the one thing they arguably hold nearest and dearest: the safety of their children.

Filed under: cyber security, cyber risk, data breaches, hack

Grokking The DevOps Toolchain

Methodologies and frameworks may come and go, but at the end of the day—tools are what make the IT world go 'round. DevOps is no exception: as the term/practice/movement/[insert-your-descriptor-here] rounds its 6th year since entering public IT vernacular, a bounty of so-called DevOps tools have emerged for bridging development and operations, ostensibly to maximize collaborative efficiencies in the IT and service delivery lifecycle. Subsequently, a common issue these days is not a dearth of competent tools, but how to integrate available tooling into one cohesive toolchain.

Filed under: devops

Inside Microsoft’s Open Source And DevOps Initiatives For The Enterprise

Polylithic, vendor-neutral, platform agnostic. Microsoft may not exactly come to mind when hearing these descriptors, but it will soon enough—if recent developments are any indication. And despite the software behemoth's DevOps zeitgeist purveyance as of late, open source initiatives have always been alive and well inside Redmond’s hallowed walls.

Filed under: devops, Microsoft

The New Linux Encoder Ransomware And Rising Data Hostage Crisis

At the start of the year, the FBI issued an alert warning internet users about the rising threat of ransomware, detailing its dramatic increase in both frequency and sophistication. Looks like the feds were on point: as it stands, 2015 has turned out to be a record year for data hostage-taking. So what can be done to defend oneself against this new insidious threat to data sovereignty?

Filed under: linux

Four Winds Casino Data Breach Is Not The First—Or The Last—Of Its Kind

There's a classic line (one out of many) in the movie Casino by DeNiro's character Ace Rothstein:

"Since the players are looking to beat the casino, the dealers are watching the players. The box men are watching the dealers. The floor men are watching the box men. The pit bosses are watching the floor men. The shift bosses are watching the pit bosses. The casino manager is watching the shift bosses. I'm watching the casino manager. And the eye-in-the-sky is watching us all.”

Filed under: cyber security, cyber risk, data breaches, hack, cyber attack

Will Software-Defined Security Usher In A New Era Of Digital Resilience?

By now, you've probably heard of software-defined networking (SDN): the emerging IT paradigm that abstracts networking hardware into programmable components for unprecedented data center agility and flexibility. In the same vein, parallel infosec developments currently underway are transforming rigid and complex physical security architectures into highly-adaptable, easily-managed, and ubiquitous mechanisms for IT security. This is software-defined security (SDSec)—a new model of infosec that just might save us from digital armageddon.

Filed under: digital resilience

The "Hacking" Of 000webhost—Or Why Free Should Never Be Synonymous With Unsecure

Advertising-based revenue models may be a standard facet of today's internet businesses, but firms peddling free/freemium services are still on the hook for providing strong information security to their user bases. In fact, they arguably have an even greater responsibility to protect user data than paid-for services. So how do events like yesterday's massive data breach involving free web hosting provider 000webhost transpire? In a word, negligence. Gross negligence, to be precise.

[Infographic] Trick-or-Threat: If Cyber Attacks Were Monsters


UpGuard's platform for integrity monitoring can exorcise your vulnerability demons automatically and painlessly. Try it on us this Halloween-- no money, crucifixes, holy water, wooden stakes or garlic cloves required.

Gotta Get Back In Time: New NTP Vulnerabilities and NTPSec

The Network Time Protocol (NTP) has been seeing quite a bit of publicity this year, starting with the NTP Leap Second Bug in June promising—but greatly underdelivering—digital calamity of Y2K proportions. Ultimately, the fallout resulted in little more than sporadic Twitter interruptions, but last week newly discovered critical vulnerabilities in the timeworn clock synchronization protocol have increased the urgency of recent NTP-hardening projects like NTPSec.

2016's Presidential Candidate Websites: Who Sucks at the Internet?

It's practically a national tradition that Americans collectively spend about one year out of every four obsessing over the group of people who are in the running for a job which is undoubtedly awful to actually have. Every part of their campaign is put under heavy scrutiny—their clothes, their hair, their past, their associations—and today, their websites. Let's examine how candidates are faring online using data from tools such as BuiltWith, Alexa, Google and Twitter.

Why We Made Our Vulnerability Assessment Free for Everyone

Known vulnerability assessment– evaluating a machine's state for the presence of files, packages, configuration settings, etc. that are known to be exploitable– is a solved problem. There are nationally maintained databases of vulnerabilities and freely available repositories of tests for their presence. Search for "free vulnerability scanner" and you'll see plenty of options. So why are breaches due to known vulnerabilities still so common? Why, according to the Verizon Data Breach Investigation Report, were 99.9% of the vulnerabilities exploited in data breaches last year over a year old?

Filed under: upguard, vulnerabilities

DevOps and Integrity at FinDEVr San Francisco

Technology conference season is in full swing, with so many events going on that even large ones like PuppetConf and Amazon Re:Invent have been forced to overlap. While part of the UpGuard team traveled to Las Vegas, two of us stayed in San Francisco for a different style of conference. Far from the madding crowds of general interest vendor-backed extravaganzas, we presented at FinDEVr, a conference with a few hundred people and a sharp focus: improving the technology of financial services.

Filed under: devops

Free and Easy: A Guide to Your New Vulnerability Scanner

UpGuard's core functionality solves a really basic problem– how is everything configured and is it all the same across like nodes– by scanning configuration state and visualizing anomalies. We're pretty happy with how we've solved that problem so we've started expanding to other fundamental problems that deserve elegant solutions. One of those is vulnerability management. Sure, there are ways to detect vulnerabilities today, but they suck to use and are over-priced. Since we have the core architecture in place to scan and evaluate machine state, testing for vulnerabilities is a natural addition.

Can DevSecOps Save The U.S. Government From Certain InfoSec Doom?

Though the widely publicized failure of the ObamaCare website (a.k.a Healthcare.gov) back in October of 2013 has all but faded from memory, the public sector’s persistent lag in technological innovation coupled with recent calamitous data breaches means there is no shortage of press fodder for critics. What will it take for the U.S. government to transcend its current dearth of agility and innovation?

Filed under: devops, infosec, IT security

Today's Banking And Finance: Convenient, Ubiquitous, And Highly Perilous

The banking and finance sector has been hit particularly hard by cyber attackers this year—the month so far has seen disclosures from Scottrade, E-Trade, and Dow Jones regarding customer data breaches. It’s become readily apparent that industries dealing in the world’s most sensitive and critical data are poorly poised to defend against the rising threat of cyber crime. 

Latest Pawn Storm Campaign Exploits Adobe Flash Zero-Day Vulnerability

Researchers at Trend Micro have discovered a new zero-day vulnerability in the much-maligned Adobe Flash Player that leaves users vulnerable to remote attacks. The exploit code is being used by the politically-motivated cyberespionage group Pawn Storm in a widespread spear phishing campaign targeted at various government entities. Adobe has yet to patch this vulnerability and will likely issue an emergency fix in the next couple days. Here's what can be done in the interim to protect yourself. 

On Experian’s Poor Cyber Security Credit Rating

By now, news of the Experian/T-Mobile hack has traveled far and wide, stirring up public ire and prompting demands for a broader investigation around the data breach. And while the event is just one of many high profile compromises to make headlines lately, it stands out from the rest for a number of reasons. How does the rising tide of cyber threats impact consumers in a world that revolves so heavily around credit?

Critical Security Flaw Impacts All Versions Of Windows

Microsoft announced on Tuesday that a serious remote code execution flaw in Internet Explorer could allow remote attackers to gain access to Windows systems. Unfortunately, no versions of Windows are spared from this critical flaw, and users are strongly advised to patch their systems immediately to avoid being exploited.

Everything’s Amazing And Nobody’s Secure

Frequent fliers and international travelers are well familiar with these seatback devices (i.e., in-flight entertainment consoles) that serve as the only connection to the outside world while cruising at 30,000 feet. Soon, however, wifi on commercial flights will be generally available, rendering these devices obsolete—at least to the average laptop-toting flyer. This raises a series of concerns around their future obsolescence and resulting security gaps, as well as the potentially grave consequences of compromised wifi networks on planes.

Filed under: cyber security, cyber risk

Systema Systems' Data Exposure and Cloud Security For The Insurance Industry

The insurance industry has been consistently targeted for cyber attacks as of late, for good reason: sensitive data is at the heart of every process—from handling health insurance claims to archiving medical histories. And because medical records are worth ten times more than credit card information on the black market, firms handling said data are required to take extra precautions in bolstering information security. However, every once in a while hackers are granted freebies—as was the case recently with Systema Software, a small insurance claims management solution provider.

Filed under: cyber security, IT security

Getting Familiar with Our Updated Policies Feature

We've just updated the architecture of our Policies feature to optimize them for scale and usability. Once you've scanned your first node, creating policies to validate desired state is the next step.

Improved Policies Make Testing and Compliance Even Easier

UpGuard's "three waves" methodology helps businesses achieve digital maturity through a three step process: gain visibility, establish test driven infrastructure, and then automate what you can also validate. In our last release we focused on improving visibility with an improved data visualization, a search engine, and group differencing. Now we've revisited our testing platform to make both incremental improvements and fundamental changes.

Filed under: upguard, IT operations, process

Company Values

UpGuard Team

Done wrong, as they often are, company values are bullshit. They are bullshit in the sense Harry Frankfurt defines in On Bullshit: empty assertions designed only to satisfy some tactical need, worse even than lies in their distance from the truth. "When an honest man speaks, he says only what he believes to be true; and for the liar, it is correspondingly indispensable that he considers his statements to be false. For the bullshitter, however, all these bets are off: he is neither on the side of the true nor on the side of the false. His eye is not on the facts at all, as the eyes of the honest man and of the liar are, except insofar as they may be pertinent to his interest in getting away with what he says."

Filed under: culture

Using UpGuard’s Integration With Remedyforce To Build Your IT Helpdesk In The Cloud

Integration capabilities these days serve as a litmus test for a software solution’s longevity: the degree to which it can play well with others ultimately determines how much long-term value can be realized from the platform. Monolithic solutions are falling by the wayside as enterprise complexity—both from a business and IT infrastructure perspective—requires an ecosystem of complementary tools to effectively manage today’s environments.

Closing The Loop On Notifications with UpGuard and Slack

Though still a relatively new player on the market, group messaging upstart Slack has steadily expanded its footprint into the business and enterprise arena with its polished, streamlined offering for team collaboration. For the uninitiated, Slack is essentially a tool for collaborating amongst teams—chat rooms on steroids, if you will. And like UpGuard, Slack’s integration capabilities are among its most lauded features. When used in conjunction with each other, the two together can give organizations a highly effective feedback loop for staying on top of system/configuration changes and vulnerabilities.

Filed under: upguard, slack

Fear Of An IoT Planet

Technology professionals walk a perpetual tightrope between innovation and security—new computing paradigms emerge and IT security scrambles behind to catch up. Nowhere is this more evident than in cloud computing and the rising frequency of data breaches targeting cloud infrastructures. And as computing enters another transitional epoch—namely the age of the Internet of Things (IoT)—similar challenges are emerging, but with much more at stake this time around.

Filed under: IoT

FireEye, Kaspersky Labs' Zero-Day and Application Stack Vulnerabilities

A rising concern amongst IT professionals is the degree to which security vendors and products are themselves susceptible to compromises. This past weekend critical flaws were discovered in the products of not one, but two leading security vendors: FireEye and Kaspersky Labs. Because all systems are exploitable—even security products—a layered approach to security is crucial for maintaining a strong security posture in today’s cyber landscape. Enterprises heavily reliant on a single monolithic solution are best advised to diversify their security strategies to combat ongoing threats.

Filed under: vulnerabilities

Group Differencing: How We Designed Our Variance Report

UpGuard is built to answer the fundamental questions of configuration management: how are my systems configured, are they configured correctly, what's changed since yesterday, what's for lunch– the stuff you absolutely need to know. In its first release, UpGuard satisfied the first three by scanning and recording configuration state, continuously testing with policies, and giving users the ability to difference configuration state over time or between nodes. But one thing was missing: the ability to difference a group of nodes all at one time.

Filed under: upguard

HTTPS Everywhere And The Future Of Unencrypted Websites

For those still holding out for a better alternative to SSL, it’s time to give up the ghost. Though implementations like OpenSSL have seen many a vulnerability as of late, the protocol remains the best ubiquitous technology we have for end-to-end encryption. And with Google’s announcement last year regarding SSL’s impact on a website’s search rankings, the question stands: why are so many organizations still holding out on implementing SSL site-wide?

Filed under: ssl

Introducing UpGuard's Powerful New Configuration Search Engine

From rudimentary topologies to multi-cloud deployments, UpGuard was designed to provide end-to-end visibility for all types of infrastructures. Our platform gives organizations unprecedented macro and micro-level visibility in even the most complex and heterogeneous IT environments. And now—with UpGuard’s powerful new Search feature—identifying and locating items of interest or concern is as easy as typing text into a search box.

Filed under: upguard

Know What You Have: Baselining, Change Anomalies, and Group Differencing

More than ever, UpGuard provides the ability to know how your environments are changing and to identify the deviations that increase your risk for failed change, outages, and security incidents. Here we quickly cover how UpGuard addresses the needs that every IT organization has through visualizations that allow you to start solving your problems today.

Filed under: upguard

The Lucrative Rewards of Hacking Higher Education

In a news flash buried beneath a slew of other notable security news items, UCLA Health revealed last week it was the victim of a massive data breach that left 4.5 million patient records compromised. Like previous attacks on Anthem and Premera Blue Cross, the intrusion gave hackers access to highly sensitive information: patient names, addresses, dates of birth, social security numbers, medical conditions, and more. And while matters around healthcare IT have taken center stage as of late, the ineffective security at leading institutions of higher education and research is equally distressing.

Filed under: cyber security, data breaches, cyber attack

Your Secret's Safe With No One: Lessons Learned From The Ashley Madison Hack

For those of you harboring secrets behind a website paywall, a word of warning: your skeletons are now easy targets for cyber criminals and nefarious 3rd parties around the globe. The recent data breach and compromise of 3.5 million Ashley Madison user accounts may turn out to be the largest case of broad-scale extortion the world has ever seen, but for many, the outcome is hardly surprising.

Filed under: cyber security, data breaches

Fixing Oracle's Latest Zero-Day and 193 Other Vulnerabilities

Oracle released a critical patch on Tuesday to fix a whopping 193 new security vulnerabilities across its line of database solutions and products. Included in the update are fixes to 25 vulnerabilities in the Java platform alone, including a new high-risk, zero-day vulnerability already used in several high-profile, yet-to-be publicized attacks.

How To Fix The OpenSSL Alternate Chains Certificate Forgery Bug

The OpenSSL Project Team announced a high severity bug in their open source implementation of SSL today that could allow the bypassing of checks on untrusted certificates (read: man-in-the-middle attacks). Find out which versions of OpenSSL are impacted, and what you need to patch this critical vulnerability.

Filed under: openSSL

What You Need To Know About The Leap Second Bug

For those of you planning on enjoying the sunset on June 30, 2015, an extra second of bliss awaits, compliments of the Earth’s inconsistent wobble. However, if Y2K sent you running for the hills, start packing again.

Analysts predict technological fallout ranging from undeliverable tweets to outright digital armageddon, but for faithful IT folks with more grounded concerns like SLAs and business continuity, keeping critical systems up and running trumps all other concerns. Fortunately, resolving potential issues related to the Leap Second Bug is a fairly straightforward matter—as long as you know what to look for and where to find it.

Filed under: cyber risk

Full Stack Blues: Exploring Vulnerabilities In The MEAN Stack

Full stack development is all the rage these days, and for good reason: developers with both front-end web development skills and back-end/server coding prowess clearly offer substantially more value to their respective organizations. The ability to traverse the entire stack competently also makes interacting and cooperating with operations and security an easier affair, a key tenet of DevOps culture.

Filed under: developer, mean stack

Sound Security Strategies from Cisco's 2015 Annual Security Report

Networking giant Cisco recently released its Annual Security Report highlighting trends in data breaches and threats from the previous year, and its findings—while similar to other recent reports (e.g., Verizon DBIR, Trend Micro Security Roundup)—offer some unique insights regarding the current threat landscape. No stranger to IT security, Cisco details in its report shifting patterns in cyberattack methods, emerging vulnerabilities, and best practices on how to mitigate future threats.

Filed under: security

Congrats Golden State Warriors, You’ve Just Become Cybercrime Target #1

Sports is big business, and where money and competition collide, laws will be broken. This aptly describes the latest hack involving the St. Louis Cardinals and Houston Astros, though admittedly it sounds more like a teaser for a Hollywood blockbuster. Corporate espionage in sports has largely been a nascent phenomenon but will soon become commonplace as intrusion methods grow in sophistication and data moves into the cloud.

Filed under: cyber security, cyber risk

How Effective Is Your Security Against $50 Million Dollar Malware?

The short answer: it’s not. This was certainly the case for Kaspersky Labs, who announced yesterday that its corporate networks were hacked using a sophisticated advanced persistent threat (APT) dubbed Duqu 2.0. Though the word “sophisticated” is used rather liberally these days when describing data breaches, this new threat is by all accounts the most advanced of its kind.

Filed under: cyber security, cyber risk

Which Web Programming Language Is The Most Secure?

The question is indeed a contentious one, never failing to incite heated arguments from all camps. Many ways exist to cut the cake in this regard; WhiteHat Security took a stab at it in a recent edition of its Website Security Statistics Report, where it analyzed statistics around web programming languages and their comparative strengths in security.

Filed under: developer, programming, net, php, java, asp

Rolling Your Own Continuous Security Toolchain

When it comes to IT security, how do you roll? Many tools exist, but the fact is that in most cases, to do it right, you have to roll your own. This is especially true in today’s environments, where infrastructures can vary widely in composition from organization to organization. The truth is that factors such as degree of DevOps and Agile adoption, skill set of IT staff, corporate culture, and even line of business come into play when crafting a security solution for an organization. How well these tools align with the organization ultimately dictates the success and failure of a company’s security architecture. And when existing tools don’t fit or don’t work well, sometimes the only option is to build them yourself.

Filed under: security, cyber risk, IT security

Database Node Type Now Available in UpGuard

Databases—like all IT assets—are subject to drift that can wreak serious havoc across an organization’s infrastructure. Furthermore, the usual suspects are in play when it comes to database drift: manual ad-hoc changes, frequent software updates/patches, and general entropy, among others. Undetected malicious activity and attempts to compromise database security are also growing causes of database configuration drift. Monitoring for these unexpected changes should therefore be a critical component of any information-driven organization’s configuration management (CM) activities. To this end, UpGuard is happy to announce that support for database node types is now available.

Rethinking Information Security To Battle POS RAM-Scraping Malware

Home Depot. Target. Neiman Marcus. Albertsons. Michaels. Most Americans have shopped at one of these national chains recently. If you’re one of them, your credit card information may already be on the black market. And if you’re a retailer using a POS system, proposed legislation like The Consumer Privacy Protection Act may hold you financially accountable in the event of a data breach. Here’s the skinny on RAM scraping, and what can be done to prevent it.

Filed under: cyber risk, IT security

Why Security Needs DevOps: OpenSSL and Beyond

On March 18, 2015, system administrators and developers received ominous news: two high severity vulnerabilities in OpenSSL would be announced the next day. Since Heartbleed, OpenSSL had been on a bad streak, and it looked like things were only going to get worse. Operations, development, and security teams braced for impact and then– it wasn't really that bad.

Filed under: security, devops, IT security

Insights from Verizon's 2015 Data Breach Investigations Report

Every year, Verizon compiles data from a list of prominent contributors for its annual report highlighting trends and statistics around data breaches and intrusions from the past year. The 70-page Data Breach Investigations Report (DBIR) covers a myriad of data points related to victim demographics, breach trends, attack types, and more. Reviewing these shifting security trends can give indications as to how well-postured one’s organization is against future threats. And just in case you’ve got your hands full patching server vulnerabilities, we’ve done the legwork of expanding on a few critical key points from the report.

Filed under: cyber security, cyber risk, data breaches, cyber attack

Secure Your Hosts from VENOM

Today, a new vulnerability called VENOM was announced in CVE-2015-3456. It stands for “Virtualized Environment Neglected Operations Manipulation” which sounds, frankly, like an indictment of anyone aloof enough to let it sneak up on them. And wading through other blog posts on the subject—with their snake-related clipart and all—is like looking through the first few pages of the book when you visit a tattoo shop. Here’s the gist from its discoverers at CrowdStrike:

Filed under: upguard, vulnerabilities

Can DevSecOps Save The Healthcare Industry?

The Ponemon Institute just released some unsurprisingly bleak findings in its annual study on healthcare data privacy/security, including data showing deliberate criminal attacks now accounting for most medical data breaches. The report goes on to illustrate how the healthcare industry— sitting on a treasure trove of valuable data— is ill-equipped to counter these attacks. Perhaps forward-thinking enterprise healthcare leaders should start considering DevSecOps as a viable strategy for surviving the perils of the information age.

Filed under: devops, IT security

Lenovo and Security Lessons Learned

Technology giant Lenovo has come under heavy criticism again for subjecting users to undue security risks, this time in the form of three vulnerabilities discovered by researchers at security firm IOActive. Flaws in Lenovo's System Update service (a feature that enables users to download updated drivers, software, and security patches from Lenovo) enable hackers to surreptitiously slip malware onto users’ laptops and systems through a man-in-the-middle attack. Lenovo has since issued a patch for these vulnerabilities, but it’s doubtful the PC giant will regain consumer credibility any time soon.

Filed under: security, cyber security, IT security

WordPress' Zero Day Vulnerability and Weaponized Code

Yesterday, open source content management system (CMS) WordPress made headlines with the announcement of yet another critical zero day vulnerability. The newly discovered flaw is markedly different than other WordPress vulnerabilities surfacing as of late: in this case, the problem exists in WordPress’ core engine and codebase, rather than 3rd party plugins and extensions. WordPress.org was quick to release a patch to fix the vulnerability and has since advised users to upgrade to WordPress 4.2.1, the latest version of the CMS.

Filed under: vulnerabilities

The Ongoing Perils of Wifi on Planes

In a widely publicized report released last week titled "FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen," the US Government Accountability Office (GAO) details the potential vulnerabilities and dangers of offering in-flight wifi services during air transit. By essentially granting customers IP networking capabilities for their devices, airlines may be opening up their avionics systems for attacks:

Filed under: cyber security, cyber risk

UpGuard for IoT

Whenever there's a lot to lose, UpGuard is the solution to ensure correct configuration state. Often this means working with enterprises in banking, transportation, and ecommerce, but the Internet of Things introduces risks to the most mission critical system of them all: your home.

Filed under: upguard

ChefConf 2015 Debriefing

Last week, we repped our set at ChefConf 2015 and gave a couple hundred live UpGuard demos to attendees. We saw a few talks and caught up with some old friends, too. It was a great time and we’ll definitely be back next year.

Filed under: chef, upguard