Bitglass’ fifth annual Healthcare Breach Report analyzes the data from the US Department of Health and Human Services’ “Wall of Shame.” The database contains information about breaches of PHI that affected more than 500 individuals.

From the report, “The Prioritization to Prediction series is an ongoing research initiative between Kenna Security and the Cyentia Institute. The first volume proposed a model for predicting which of the numerous hardware and software vulnerabilities published each month were most likely to be exploited, and thus deserving of priority remediation. The second volume sought to apply and test that theoretical model using empirical data collected on billions of observed vulnerabilities. We ended the last report by analyzing vulnerability remediation timeframes across a sample of 12 firms. This third volume picks up where we left off and expands the analysis to roughly 300 organizations of different types and sizes. We leverage a technique called survival analysis to draw out important lessons about remediation velocity and capacity, concepts we explore and define during the course of this report. Overall, our goal is to understand what it means to survive—nay thrive—in the race of vulnerability remediation.” Read on to find out more.

From the report, ““Realized coverage & efficiency vary greatly among firms—over 50% between top and bottom performers—indicating different remediation strategies lead to very different outcomes.” Where is your strategy leading?” Read on to find out more.

Using information from Rapid7’s Project Sonar internet telemetry service, this report reviews several dimensions of demonstrated security controls for companies in the S&P 200 and ASX (Australian) stock indices.

From the report, “Two years ago, the authors assessed 20 mobile applications that worked with ICS software and hardware. At that time, mobile technologies were widespread, but IoT mania was only beginning. In that paper, the authors stated, “convenience often wins over security. Nowadays, you can monitor (or even control!) your ICS from a brand-new Android [device].” Today, the idea of putting logging, monitoring, and even supervisory/control functions in the cloud is not so farfetched. The purpose of this paper is to discuss how the landscape has evolved over the past two years and assess the security posture of SCADA systems and mobile applications in this new IoT era.”

This paper offers insight and direction to election officials seeking to assess the security of their entire election ecosystem.

This report offers insight into issues that Global Banks have in maintaining Global Compliance.

This brief but important report offers information into the events and data from the holiday shopping season of 2018.

A review of the observed (externally facing) security practices of the Fortune 1000 firms.

From the report, “Partnering with retailers for over a decade to detect and prevent online fraud has unearthed many insights about eCommerce criminals. One insight is that while detecting and preventing fraudster attacks is good, it is even better to catch and prosecute. But gathering evidence and building a case can be complex. Kount asked Skip Myers and Chad Evans to share best practices and firsthand success stories with building, submitting cases and engaging with law enforcement to not only catch fraudsters, but to bring them to justice.”

Kount and The Fraud Practice designed the State of CNP False Positives survey because false positives are one of the least, if not the least, understood aspects of risk management. While merchants tend to focus directly on chargebacks and fraud losses, false positives are another major source of lost revenue but are often underestimated if not ignored altogether.

This report offers the latest trends and insights into securing digital identities and transactions.

From the report, “At Feedzai, we recently completed a project: building a machine learning system to perform transaction fraud detection for a global payment service provider. This client does over a million transactions a day. We designed, trained, tested, and compared hundreds of models in just over a month. In the end we achieved a 16 percentage point increase in money recall with 20x fewer alerts. The fact that we’re continuing to deliver on projects of this scale, in this speed, makes me excited for the future. In this paper, I want to discuss why speed of data science matters, why we’re able to achieve it, and why it helps us deliver value for enterprises fighting fraud. ” Read on to find out more.

In this paper the CTO of Feedzai writes about several of the misconceptions related to organizations leveraging in-house resources to create their own machine learning system for risk. He discusses the lack of success surrounding those decisions.

From the report, “This report shares Feedzai’s original research. We found that fraudsters are attacking in methods that are faster and faster – and continuously new. The time horizon for the future of fraud has been shrinking. Today, the time horizon has shrunk to now. What does this new now look like?” Read on to find out more.

From the report, “The advent of big data happened to coincide with the advent of better computing, better algorithms, and new AI-focused organizations, allowing us to take this data and turn it into something even better: meaning. This brings us to machine learning. Later in this guide, we’ll look at how machine learning works and how it can work for you. But first, let’s take a closer look at all the ingredients that got us here.” Read on to learn more.

This report offers insights and guides into the new Help America Vote Act.

This report offers 14 tips to fortify your public cloud environment. From the report, “This edition of RedLock’s Cloud Security Trends marks the report’s one year anniversary, and it’s been a sobering year in terms of public cloud breaches, disclosures and attacks. This report highlights key learnings from these incidents along with research by the RedLock Cloud Security Intelligence (CSI) team to shed light on the trends that we can expect this year.”

From the report, “To understand current levels of exposure and resiliency, Rapid7 Labs measured 4532 of the 2017 Fortune 500 List3 for: • Overall attack surface (the number of exposed servers/devices); • Presence of dangerous or insecure services; • Phishing defense posture; • Evidence of system compromise; • Weak public service and metadata configurations; and • Joint third-party website dependency risks.” Read on to find out more.

In 2016, Rapid7 Labs launched the National Exposure Index in order to get a measurable, quantitative answer to a fairly fundamental question: What is the nature of internet exposure—services that either do not offer modern cryptographic protection, or are otherwise unsuitable to offer on the increasingly hostile internet—and where, physically, are these exposed services located? Now in our third year, we continue this ongoing investigation into the risk of passive eavesdropping and active attack on the internet, and offer insight into the continuing changes involving these exposed services. We’ve also added a third dimension for exposure, “amplification potential,” in the wake of the disastrous memcached exposure uncovered in 2018.

As the end of 2018 approaches and the last year of the decade dawns, the challenges faced by cyber security teams are a blend of “more of the same” and “let’s change the approach”.