News – Digital IT News (https://digitalitnews.com): IT news, trends and viewpoints for a digital world

Cybersecurity Nonprofits Team Up to Form “Nonprofit Cyber” Coalition
https://digitalitnews.com/cybersecurity-nonprofits-team-up-to-form-nonprofit-cyber-coalition/
Thu, 24 Feb 2022 22:00:44 +0000

The world’s leading implementation-focused nonprofit cybersecurity organizations have launched Nonprofit Cyber. The group is a first-of-its-kind coalition of global nonprofit organizations to enhance joint action to improve cybersecurity. All coalition members are nonprofits that serve the public interest by developing, sharing, deploying, and increasing the awareness of cybersecurity best practices, tools, standards, and services.

“I applaud that this consummate consortium of nonprofits has formed to actively protect us against security threats to our digital infrastructure and uphold our open internet, combining their knowledge, skills, and tools for the greatest effect,” said Govind Shivkumar, director of responsible technology at Omidyar Network.

Nonprofit Cyber will initially focus on two priorities: building awareness of the work of cybersecurity nonprofits globally and aligning their work to achieve the greatest effect. Envisioned as a “collaboration-of-equals,” each member organization has committed to work in coordination to better serve Internet users globally. Coalition members must be a 501(c)(3) or 501(c)(6) nonprofit if organized under U.S. law or hold an equivalent status if organized under the laws of another country. More information is available at the coalition’s website NonprofitCyber.org and on Twitter at @NonprofitCyber.

The twenty-two founding members of Nonprofit Cyber are the Anti-Phishing Working Group, the Center for Internet Security, the Center for Threat-Informed Defense, the Cloud Security Alliance, Consumer Reports, CREST International, the Cyber Defence Alliance, the CyberPeace Institute, the Cyber Readiness Institute, the Cyber Threat Alliance, the Cybercrime Support Network, the CyberGreen Institute, the FIDO Alliance, the Forum of Incident Response and Security Teams, the Global Cyber Alliance, the National Cyber Forensics and Training Alliance, the National Cybersecurity Alliance, the Open Web Application Security Project, SAFECode, the Shadowserver Foundation, Sightline Security, and #ShareTheMicInCyber. Tony Sager of CIS and Philip Reitinger of GCA will serve as co-chairs as the organization begins operations.

Nonprofit Cyber welcomes applications for new members that work to implement best practices and solutions at scale. Nonprofit Cyber is focused on these organizations, rather than lobbying or policy development and advocacy organizations, or industry associations.

Information on joining Nonprofit Cyber can be found at its website.

About the Nonprofit Cyber Founding Members

The Anti-Phishing Working Group (APWG) is the international coalition unifying the global response to cybercrime across industry, government and law-enforcement sectors and NGO communities. Learn more at https://apwg.org.

The Center for Internet Security (CIS) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. Learn more at https://cisecurity.org.

The Center for Threat-Informed Defense (CTID) is a non-profit, privately funded research and development organization whose mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Learn more at https://ctid.mitre-engenuity.org/.

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. Learn more at https://cloudsecurityalliance.org.

Consumer Reports (CR) is an independent, nonprofit member organization that works side by side with consumers for truth, transparency, and fairness in the marketplace. Learn more at https://www.consumerreports.org.

CREST International is an international not-for-profit accreditation and certification body that represents and supports the technical information security market. Learn more at https://crest-approved.org.

The Cyber Defence Alliance (CDA) is a not-for-profit members organization based in London working on behalf of financial institutions to proactively share threat intelligence and expertise to prevent and disrupt cyber attacks, and to liaise with law enforcement agencies to target cybercriminal networks and apprehend the most prolific offenders. The CDA works on a cross-sector basis and with like-minded organizations on an international basis to address the global threat from cybercrime. The CDA also provides a 24/7 incident response capability to support the member organizations and the UK Financial Services Cybercrime Collaboration Centre (FSCCC) during major cyber incidents.

The Cyber Readiness Institute’s (CRI) mission is to empower small and medium-sized enterprises with free tools and resources to help them become more secure and resilient. Learn more at https://cyberreadinessinstitute.org.

The Cyber Threat Alliance (CTA) is working to improve the cybersecurity of our global digital ecosystem by enabling near real-time, high-quality cyber threat information sharing among companies and organizations in the cybersecurity field. Learn more at https://www.cyberthreatalliance.org.

The Cybercrime Support Network’s (CSN) mission is to serve individuals and small businesses impacted by cybercrime. Learn more at https://cybercrimesupport.org.

The CyberGreen Institute (CyberGreen) is dedicated to mobilizing a global community of experts, business leaders, and policymakers to revolutionize cybersecurity through the development of a science of Internet Public Health. Learn more at https://www.cybergreen.net.

The CyberPeace Institute is a nongovernmental organization whose mission is to reduce the harms from cyberattacks on people’s lives worldwide, provide assistance to vulnerable communities and call for responsible cyber behaviour, accountability and cyberpeace. At the heart of the CyberPeace Institute’s efforts is the recognition that cyberspace is about people. Learn more at https://cyberpeaceinstitute.org.

The FIDO Alliance is an open industry association with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords. The FIDO Alliance promotes the development of, use of, and compliance with standards for authentication and device attestation. Learn more at https://fidoalliance.org/.

The Forum of Incident Response and Security Teams (FIRST) aspires to bring together incident response and security teams from every country across the world to ensure a safe internet for all. Learn more at https://www.first.org.

The Global Cyber Alliance (GCA) builds practical, measurable solutions and tools that are easy to use, and works with partners to accelerate adoption around the world. Learn more at www.globalcyberalliance.org.

The National Cyber Forensics and Training Alliance (NCFTA) was established in 2002 as a nonprofit partnership between private industry, government, and academia. The NCFTA provides a neutral environment for operational collaboration in the ongoing effort to identify, mitigate, and disrupt cyber crime. Learn more at https://www.ncfta.net.

The National Cybersecurity Alliance (NCA) advocates for the safe use of all technology and educates everyone on how best to protect ourselves, our families, and our organizations from cybercrime. Learn more at www.staysafeonline.org.

The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web. Learn more at https://owasp.org.

SAFECode is a global industry forum where business leaders and technical experts come together to exchange insights and ideas on creating, improving, and promoting scalable and effective software security programs. Learn more at https://safecode.org.

The Shadowserver Foundation’s (Shadowserver) mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Learn more at https://shadowserver.org.

#ShareTheMicInCyber (#STMIC) is an online movement to address issues stemming from systemic racism in cybersecurity. The social media campaign highlights the experiences of Black practitioners in this field, catalyzes a critical conversation on race in the industry, and shines a light on Black practitioners’ accomplishments to showcase them as experts in their fields all while creating professional opportunities and bringing the cyber community together. Learn more at www.sharethemicincyber.com.

Sightline Security is a nonprofit security organization whose mission is to equip, empower, and support global nonprofits to navigate and embed cybersecurity into their organizations with confidence—founded to address the lack of cybersecurity adoption in the nonprofit sector by offering a holistic, business, and community-centric approach designed to embrace cybersecurity best practices. At Sightline, there is a world where nonprofits have the confidence, knowledge, and business acumen to stay protected in a digital world. Learn more at https://sightlinesecurity.org.

Launched by CREST Accreditation: New Globally Available Practical Penetration Testing Certification
https://digitalitnews.com/new-globally-available-practical-penetration-testing-certification-launched-by-crest/
Tue, 07 Sep 2021 17:31:35 +0000

CREST, a not-for-profit accreditation and certification body representing the technical information security industry, has launched the first of four new practical penetration testing certifications that are designed to be delivered via selected Pearson Vue centers around the world. The new CREST Registered Security Analyst (CRSA) certification will provide CREST members, CREST qualified individuals and the wider industry with flexible, global access to this practical penetration testing examination.

CRSA is a new Registered level practical penetration testing certification. It has a slightly broader scope than the CREST Registered Penetration Tester (CRT) and includes desktop breakout assessments and a larger web application component. CRSA will run in parallel with CRT.

The UK’s National Cyber Security Centre (NCSC) has confirmed that the CRSA certification will be recognized alongside the CRT for technical entry for CHECK Team Member. This applies to all CRSA certifications awarded, wherever in the world candidates take the examination.

The existing CREST Practitioner Security Analyst (CPSA) certification, which is already a prerequisite for the CRT, is also a prerequisite for the new CRSA examination. Please note that a CPSA qualification attained via equivalency cannot be used as the prerequisite for booking the CRSA examination.

The CRSA is available to book from today through Pearson Vue.

The CRSA is the first in a suite of new practical certifications being developed by CREST. The others, which have not yet been recognized by NCSC, are:

  • CREST Certified Security Consultant (Red Team) – CCSC RED
  • CREST Certified Security Consultant (Networks) – CCSC NET
  • CREST Certified Security Consultant (Web) – CCSC WEB

“The examinations for all four new practical penetration testing certifications have been designed to be delivered entirely through Pearson Vue centers,” said Ian Glover, President of CREST International. “This opens up the opportunity to individuals working in the cyber security industry to get the access to certify with CREST wherever they are in the world.”

Pearson Vue centers offer a distraction-free, secure testing environment with continuous candidate surveillance. There are a number of mandatory security measures at all test centers to ensure the integrity of the examinations and the safety of the candidates.

For full details on the CRSA please visit: https://www.crest-approved.org/professional-qualifications/crest-exams/index.html

Microsoft’s Power Apps New Vector of Data Exposure
https://digitalitnews.com/microsofts-powerapps-new-vector-of-data-exposure/
Wed, 25 Aug 2021 20:55:51 +0000

Microsoft’s Power Apps portals platform was unintentionally left unprotected online, prompting attention to an issue of a “new vector of data exposure” of more than 38 million records from 47 different entities.

Microsoft Power Apps is a browser-based platform that allows non-developers to build low-code personalized business apps by simply dragging and dropping objects in a web browser. Power Apps targets business users and works across mobile and the web with options to retrieve and store information.

An analyst for UpGuard first discovered that the OData API for a Power Apps portal had anonymously accessible list data, including personally identifiable information. UpGuard’s view is that although this isn’t precisely a software vulnerability, it is a platform issue that necessitates product code updates, and thus should be handled in the same way as vulnerabilities.

“The real scale of the issue is hard to assess. On one hand, it is obvious that headlines are overstating it: the majority of the exposed 38 million records did not include the most sensitive details like SSN or health information. Security researchers from UpGuard give some examples of data the exposed records included in their blog post. For the majority of records this was limited to names and email addresses. That said, more sensitive information was still exposed for at least hundreds of thousands of individuals. On the other hand, there is no way to be certain these records had not been harvested before UpGuard reported the issue to Microsoft and the application owners,” according to Ilia Sotnikov, VP of User Experience & Security Strategist at Netwrix.

Kenn White, director of the Open Crypto Audit Project, said it was a wake-up call for the industry as a whole. ‘Secure default settings matter,’ he told Wired. ‘When a pattern emerges in web-facing systems built using a particular technology that continue to be misconfigured, something is very wrong. If developers from diverse industries and technical backgrounds continue to make the same missteps on a platform, the spotlight should be squarely on the builder of that platform.’

Ilia Sotnikov also said, “This news should hopefully lead both vendors and companies to think more about the balance between time to market and security of their solutions. Power Apps allows users to build and quickly launch no code or low code applications. Since this is hosted by Microsoft, this may create a false sense of security for a customer that just puts together the building blocks. Companies still must take time to learn the security features and the access model of the cloud platforms they use. They also should do at least basic threat modelling and security review for the applications they build and launch.”

“Hats off to the UpGuard team for their efforts not only to report the issue to the vendor (Microsoft), but working closely with affected parties to remediate the impact of potential exposure of sensitive data,” continued the Netwrix VP of User Experience & Security Strategy. “Great way to handle security research and coordinate the response and disclosure efforts across multiple parties.”

With leaks of sensitive data becoming more prevalent as more and more information moves online, cyberattacks increasing, and hackers around every corner, it is more important than ever that businesses extensively safeguard their IT department. It is consistently the “bad” news surrounding data breaches that we become aware of, and not the good Samaritan offering a hand.

CompTIA ISAO Adds Real-time Cybersecurity Threat Analysis and Intelligence Resources from Sophos
https://digitalitnews.com/comptia-isao-adds-real-time-cybersecurity-threat-analysis-and-intelligence-resources-from-sophos/
Thu, 05 Aug 2021 20:10:24 +0000

Advanced cybersecurity threat analysis and intelligence capabilities are now available from the CompTIA Information Sharing and Analysis Organization (ISAO) through an expanded collaboration with global next-generation cybersecurity leader Sophos and its industry-leading and highly acclaimed threat research lab, SophosLabs.

The announcement of the new cyber capabilities was made today by CompTIA, the nonprofit association for the information technology (IT) industry and workforce.

CompTIA ISAO members can directly submit suspicious URLs and files through the ISAO’s Cyber Forum to SophosLabs Intelix™ for rapid analysis to determine if they are known or zero-day cybersecurity threats. SophosLabs Intelix combines petabytes of threat intelligence derived from decades of SophosLabs threat research with Sophos AI tools and techniques, bringing a powerful new source of threat intelligence to the CompTIA ISAO and its managed services provider (MSP), vendor, distributor, and associate members.

“SophosLabs research illustrates how adversaries are constantly changing their tactics, techniques and procedures (TTPs) to breach targets, move laterally and carry out ransomware and other attacks,” said Simon Reed, senior vice president, SophosLabs. “The only way to effectively fight modern cybercrime is if we do it together. That’s why Sophos is committed to sharing actionable threat intelligence with the CompTIA community. This new integration gives member organizations advanced abilities to quickly investigate suspicious URLs and files to determine their risk and to understand what happens if they are opened or executed. Powered by machine learning, SophosLabs Intelix predictively convicts never-before-seen threats, and is constantly improving based on the collective input of community intelligence.”

“This is a real differentiator for our members, who can access a powerful analysis resource to identify, classify and prevent threats, further protecting themselves and more importantly, their customers,” said MJ Shoer, senior vice president and executive director of the CompTIA ISAO.

The new integration expands Sophos’ support of the CompTIA ISAO. As a Silver Industry Partner, Sophos has been contributing detailed threat analysis from SophosLabs Uncut to the CompTIA ISAO.

“This is a significant addition to the resources available to our members,” Shoer added. “It is the latest example of the support that industry partners such as Sophos have for the CompTIA ISAO, and the commitment we all have to make the industry more secure.”

The CompTIA ISAO is a community of nearly 1,200 member companies that share best practices, cyber threat intelligence, educational content and more to help address ever-evolving cyber threats. Working closely with public and private cybersecurity agencies and organizations, the CompTIA ISAO is helping its members understand the threat landscape, defend against current and future attacks and raise cybersecurity awareness throughout the global tech industry. For complete details on the CompTIA ISAO and the benefits of membership visit https://www.comptiaisao.org/.

Qualys Collaborates with Red Hat to Enhance Security for Red Hat Enterprise Linux CoreOS and Red Hat OpenShift
https://digitalitnews.com/qualys-collaborates-with-red-hat-to-enhance-security-for-red-hat-enterprise-linux-coreos-and-red-hat-openshift/
Tue, 03 Aug 2021 16:14:10 +0000

Qualys, Inc. announced it has collaborated with Red Hat to drive greater security for both the container and host operating system for Red Hat OpenShift.

Teaming with Red Hat, Qualys is offering a unique approach providing a containerized Qualys Cloud Agent that extends security to the operating system. The Cloud Agent for Red Hat Enterprise Linux CoreOS on OpenShift combined with the Qualys solution for Container Security provides continuous discovery of packages and vulnerabilities for the complete Red Hat OpenShift stack. Built on the Qualys Cloud Platform, Qualys’ solution seamlessly integrates with customers’ vulnerability management workflows, reporting and metrics to help reduce risk.

“Security is one of the biggest areas of concern for nearly every organization, and we believe that a strong partner ecosystem helps to address these concerns by giving our customers a wide range of solution choices,” said Aaron Levey, Head of Security Partner Ecosystem at Red Hat. “Qualys’ Cloud Platform and Cloud Agent help administrators gain deeper visibility into known vulnerabilities that may be present on their Red Hat Enterprise Linux CoreOS nodes with pointers to associated Red Hat Security Advisories, leaning on the expertise of Red Hat as well as Qualys’ own skills in driving cloud-native security.”

The Qualys Cloud Agent for Red Hat Enterprise Linux CoreOS on Red Hat OpenShift helps customers:

  • See the Full Inventory – Continuous visibility of installed software, open ports, and Red Hat Security Advisories (RHSA) for all Red Hat Enterprise Linux CoreOS nodes with comprehensive reporting.
  • Manage Host Hygiene – Fully integrated on the Qualys Cloud Platform to automatically detect and manage host status related to patches and compliance adherence for known vulnerabilities.
  • Easily Deploy to the Host – Simplified deployment via the Qualys Cloud Agent to secure the host operating system. This approach eliminates the need to modify the host, open ports, or manage credentials.
  • Get Complete Coverage – Full coverage of Red Hat OpenShift and Qualys Container security delivers comprehensive visibility from the host operating system through to images and containers running on OpenShift.

“As security teams look to support modern applications built on cutting edge technology like Red Hat OpenShift, they need to secure both the running container images and the underlying OpenShift cluster,” said Sumedh Thakar, president and CEO of Qualys. “By collaborating with Red Hat, we have built a unique approach to secure Red Hat Enterprise Linux CoreOS that provides complete control over containerized workloads enhancing Qualys’ ability to help customers discover, track and continuously secure containers.”

Optiv Security Launches Next-Gen Managed XDR to Stop Threats Earlier in Attack Lifecycle
https://digitalitnews.com/optiv-security-launches-next-gen-managed-xdr-to-stop-threats-earlier-in-attack-lifecycle/
Tue, 03 Aug 2021 16:02:09 +0000

Optiv Security launched its Managed Extended Detection and Response (MXDR) offering at Black Hat USA 2021. The technology-independent offering enables clients to take rapid and decisive action against today’s most critical cyberattacks and strengthen their security posture.

“Optiv MXDR brings simplicity, transparency and automation to clients’ environments, enhancing existing defenses to counter known and emerging threats with confidence and speed,” said David Martin, chief services officer for Optiv. “What’s more, we can seamlessly leverage the power of Optiv to extend and layer the offering with a full suite of complementary services like remediation, incident response, threat hunting, and beyond.”

Optiv MXDR is the only managed cloud-based, next-gen advanced threat detection and response service that ingests data across various layers of technologies to correlate, normalize, enrich, and enable automated responses to malicious activity in real-time. By automating incident investigation with actionable insights, organizations can detect threats faster and prioritize which threats to mitigate first, significantly reducing the attack surface.

“We know the threat landscape; both what’s at stake and how to circumvent threat actors while significantly reducing time to detect and respond,” said John Ayers, XDR vice president for Optiv. “We meet clients where they are and customize our continuously managed approach to ease the burden of the unknown and allow teams to detect, respond and remediate threats faster while also automating deeper investigation for future improvements.”

Devo has been named a foundational partner in Optiv MXDR, delivering scalable, cloud-native logging and security analytics via the Devo Platform, enabling full visibility across cloud and on-premise environments for Optiv customers.

“Security teams are eager to learn more about XDR as they look to consolidate their security stack for greater efficiency and accuracy in threat detection and response,” said Ted Julian, SVP of Product at Devo. “Two constraints have always stood in their way: lack of real-time access to historical data, and the inability to collect and analyze the massive data volumes associated with modern operational environments. Devo eliminates these concerns and is uniquely qualified to power solutions like Optiv’s MXDR.”

Optiv delivers threat management solutions to more than 60 percent of Fortune 500 companies. View the complete MXDR service brief and find out how organizations can enhance their security posture with Optiv.

PC Matic Selected by NIST’s National Cybersecurity Center of Excellence to Demonstrate Zero Trust Architectures
https://digitalitnews.com/pc-matic-selected-by-nists-national-cybersecurity-center-of-excellence-to-demonstrate-zero-trust-architectures/
Thu, 22 Jul 2021 19:48:01 +0000


PC Matic announced it has been selected by the National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) to participate in their Implementing a Zero Trust Architecture Project.

A collaboration amongst many industry leaders in cybersecurity, PC Matic will join seventeen other companies to develop practical approaches to designing and implementing zero-trust architectures. The approaches designed by these organizations will result in a cybersecurity practice guide published by the NCCoE for government and enterprise organizations who seek to implement a zero-trust architecture.

“Since inception, PC Matic has utilized a zero-trust approach to stop malicious cyber threats such as ransomware,” said PC Matic CEO Rob Cheng. “Understanding just how effective this framework has been for our own customers, we are very grateful to the NCCoE for the opportunity to contribute to this project. We look forward to working together with the NCCoE and our other project partners to showcase the capabilities of and implementation strategies for zero trust architectures.”

Through its engagement in the project, PC Matic will assist the NCCoE in achieving the program’s objectives:

  • Demonstrate an example implementation(s) of a Zero Trust Architecture (ZTA), using commercially available technology components designed and deployed according to the zero trust concepts and tenets described in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207, Zero Trust Architecture.
  • Demonstrate various types of user access to enterprise resources (e.g., data sources, computing services, and IoT devices) spread across boundaries, from on premises to multiple cloud environments, all confined by policy-based security constraints orchestrated by leveraging zero trust principles and approaches.
  • Publish a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement a cybersecurity reference design that addresses this challenge.

“Implementing a zero-trust architecture has become a federal cybersecurity mandate and a business imperative,” said Natalia Martin, Acting Director of the NCCoE. “We are excited to work with industry demonstrating various approaches to implementing a zero-trust architecture using a diverse mix of vendor products and capabilities, and share ‘how to’ guidance and lessons learned from the experience.”

In response to an open call in the Federal Register, PC Matic submitted its capabilities as they relate to the Implementing a Zero Trust Architecture Project. Following that submission, PC Matic was invited to sign a Cooperative Research and Development Agreement with the National Institute of Standards and Technology (NIST), allowing it to participate in this project.

More information on the project may be found here.

Stealthbits, Now Part of Netwrix, Named to Carahsoft ITES-SW2 Contract to Support U.S. Army Enterprise Infrastructure Goals https://digitalitnews.com/stealthbits-now-part-of-netwrix-named-to-carahsoft-ites-sw2-contract-to-support-u-s-army-enterprise-infrastructure-goals/ Mon, 21 Jun 2021 18:13:55 +0000

Stealthbits, now part of Netwrix, announced that it has been named a manufacturer on the Information Technology Enterprise Solutions – Software 2 (ITES-SW2) contract for U.S. Army Computer Hardware Enterprise Software and Solutions (CHESS). This contract is held by Carahsoft Technology Corp., The Trusted Government IT Solutions Provider®, and is effective through August 30, 2025.

ITES-SW2 is a firm-fixed price, indefinite delivery/indefinite quantity contract vehicle for commercial off-the-shelf software products and related services and hardware. The contract has no fees, and ordering is open to all Army, DoD and federal agencies and authorized systems integrators on a worldwide basis. Under this contract, Carahsoft provides cybersecurity and data access governance software from Stealthbits to support the IT infrastructure goals of federal agencies.

Federal agencies often find it difficult to properly govern access to structured and unstructured sensitive data due to multiple layers of oversight, compliance requirements and lack of data governance. Stealthbits solutions help agencies overcome these challenges by enabling them to control data access, enforce security policy and detect threats to their most critical assets.

“We are excited to become a part of the Carahsoft ITES-SW2 contract, as it will be easier for our federal clients to purchase our products for cybersecurity and data access governance using this trusted purchase vehicle. By expanding our partnership with Carahsoft, we will increase Stealthbits’ ability to help the Army, the DoD and federal agencies mitigate their cybersecurity risks,” said Steven Hollins, Chief Revenue Officer at Netwrix (including Stealthbits).

Stealthbits software is available through Carahsoft’s ITES-SW2 contract W52P1J-20-D-0042. For procurement information, contact Carahsoft’s ITES-SW2 contract team at (703) 871-8681 or ITES-SW2@carahsoft.com or visit Carahsoft’s dedicated ITES-SW2 contract resource center.

To learn more about Stealthbits’ offerings under ITES-SW2, contact the Stealthbits Team at Carahsoft at (866) 421-4683 or Stealthbits@carahsoft.com.

PC Matic Survey: 20% of Employers Never Require Employees to Change Passwords https://digitalitnews.com/pc-matic-survey-20-of-employers-never-require-employees-to-change-passwords/ Tue, 08 Jun 2021 20:52:45 +0000

PC Matic announced the release of its third annual report analyzing users and their password habits and hygiene.

The sixteen-page report presents the results of a nationally distributed survey in which 2,500 Americans were asked about their password behaviors and tendencies. The survey, fielded in May 2021, found that nearly 30% of Americans aren’t sure when they last changed their passwords, or never have at all. The survey also revealed lax corporate password policies, finding that nearly a fifth of employers nationwide never require their employees to change their passwords.

More key findings from the report are as follows:

  • Nearly 60% of those surveyed responded that they have never changed their home Wi-Fi password, or that it hasn’t been changed since setup. In 2020, 50% of those surveyed responded in this same manner.

  • 40% of respondents indicated that they are using the password lockout feature on both their work and home computers. This number is up from 25% responding that they used this feature in 2020’s survey results.

  • Just shy of 45% of employers don’t require their employees to utilize a Virtual Private Network (VPN). 2020’s survey results showed just a slightly higher number of respondents’ employers requiring a VPN, with 46% affirming they were required to use the security tool.

  • More than 50% of respondents admit to checking personal e-mail accounts at work. This number remains virtually unchanged from 2020’s survey results, and still presents an imminent threat to corporate networks.

“As employees transition from work-from-home to in-office work environments again, it is the perfect time to implement password policies and procedures that can keep employees and corporate networks safe,” said Rob Cheng, CEO and Founder of PC Matic. “The 2021 Password Habits and Hygiene Report aimed to understand the policies and procedures being implemented and abided by users across the nation and provides further insight into how corporate IT professionals can protect networks from cybercriminals.”

More findings and the complete report may be found here.

New Mandiant Services Help Organizations Balance Effective Cyber Security and Business Risk https://digitalitnews.com/new-mandiant-services-help-organizations-balance-effective-cyber-security-and-business-risk/ Thu, 27 May 2021 09:36:45 +0000

FireEye, Inc., the intelligence-led security company, announced new Cyber Risk Management Services from Mandiant. Mandiant® Cyber Risk Management Services are designed to address critical business and security requirements to equip executives, boards of directors, and security and cross-functional leaders with risk-based data and advice to build effective and balanced security programs.

“When developing a corporate security strategy and program, it is imperative to identify the areas and assets with the highest business value and those with the most significant threats and vulnerabilities. Mandiant Cyber Risk Management Services are designed to balance business and technical considerations and provide executives with risk-based decision support,” said Jurgen Kutscher, Executive Vice President, Service Delivery, Mandiant Consulting. “Mandiant brings unparalleled frontline expertise and analysis to help business leaders focus on running their businesses more securely by prioritizing their security investments to maximize risk reduction.”

The Cyber Risk Management Services offering incorporates Mandiant threat intelligence, incident response data, and proven risk methodologies to help organizations shine a light on where harmful risk exists. This allows business and security leaders to shift from a reactive security approach to a risk-based, informed program for better decision-making and critical asset protection.

Structured as building blocks that work independently and collectively, Mandiant Cyber Risk Management Services include:

  1. Security Program Assessment – evaluate existing capabilities and maturity, coupled with an actionable improvement roadmap focused on the areas with the highest risk based on Mandiant’s frontline expertise
  2. Crown Jewels Assessment – identify critical assets to shift security efforts and prioritize investment on the assets that matter most
  3. Cyber Due Diligence – surface and manage inherited cyber risks outside of an organization’s control like those found in supply chain, third-party vendors, or during corporate acquisitions and divestment
  4. Cyber Risk Operations – design and operationalize risk programs that leverage threat intelligence and frontline experience to determine custom risk profiles and tolerances, including how to best invest in security capabilities
  5. Threat and Vulnerability Management – build and improve the capability to identify and manage specific threats with significant technology impact and vulnerability if left exposed
  6. Threat Modeling – uncover unknown risks in both current and future state for improved planning

Learn more about Mandiant Cyber Risk Management Services: https://www.fireeye.com/mandiant/cyber-risk-management-services.html
