Figure 2: Authentication success! While Intel didn’t come out and tell everyone exactly what the problem was, the guys at Tenable figured it out within minutes,2 and even show how simple it would be to exploit via Burp Suite. They’ve updated Nessus3 to scan for it, and everyone is broadly recommending that we all disable ports…
Read MoreWhat better way to diagnose a failed security program than to point at an inferior assessment of risk? If an organization omits or misjudges a critical risk, then the decisions that flow from that finding will be incorrect. A problem with standardizing risk assessment is that the measurement of relevant risk is going to…
Read MoreI was chatting recently with a coworker who had just returned from a DevOpsy-focused conference. She mentioned she had met a woman whose entire role was focused on finding “lost” cloud instances (that is, virtual servers running in a public or private cloud network). Her entire job is just to find those instances and get…
Read MoreSecurity issues are so prominent in most customers’ minds that CISOs are being pulled into the sales cycle more and more often. In the face of increasing cyber attacks, customers are understandably questioning the resilience of products and services. Even businesses outside of the tech industry are facing scrutiny from customers and major suppliers since…
Read MoreAll too often, I hear colleagues wax poetic on the disdain their directors and managers have towards the mission of cyber security. I’m always eager to provide some sage couples counseling wisdom toward these difficult relationships between CISOs and their colleagues. 1. Designate FUD as your Friend rather than Adversary Someone once said that Fear,…
Read MoreNeed-to-Know Facts CVE-2017-74942 has a CVSS Score of 7.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)3. This vulnerability is the Linux version of WannaCry, appropriately named SambaCry. A malicious Samba client that has write access to a Samba share could use this flaw to execute arbitrary code typically as root. The flaw allows a malicious client to upload a shared library to…
Read More2016 has been called “the year of stolen credentials,” and with good reason. Between the massive breaches at Yahoo, LinkedIn, MySpace, Tumblr,1 Twitter,2 and Dropbox,3 just to name a few, it’s estimated that over 2 billion records were stolen. Although attackers steal all kinds of data, a vast majority of what’s stolen are user credentials,…
Read MoreAh, CISOs. Such magnificent and noble creatures. There’s such a wide variety in the wild that you might have a hard time believing they are all part of the same species. Let’s take a short field expedition to familiarize ourselves with a few common varieties. And wipe all that sunscreen off your face, you won’t…
Read MoreAll businesses watch their bottom line. That’s unsurprising. Those that provide technology to consumers (whether IoT device manufacturers or your local ISP that provides your home router) are particularly careful about balancing product support with ease of use. That can lead to what the inventors no doubt believe is an ingenious method of determining passwords…
Read More
For the past 15 years, American organizations have lived in the shadow of breach disclosure. It all began in California under SB-13861 in 2002, which mandated written notification of victims of privacy breaches of unencrypted personal data. The law covers organizations located in or doing business in California. Because California is the most populous state…
Read More