What's new around the internet

Src | Date (GMT) | Title | Description | Tags
AlienVault | 2019-10-29 13:00:00 | Was the largest breach in history a misconfiguration problem? | Earlier this week, I heard a fascinating interview with the former Chief Information Officer of Equifax, Graeme Payne. If you are unfamiliar with Graeme, he was the scapegoat for the Equifax breach; described in Congressional testimony as “the human error” that caused the breach. Graeme, however, is a true gentleman who is very gracious about his situation. He explained that the servers that were breached were “under his watch”, so it makes sense that he was the person who was ultimately held responsible for the breach. In Graeme’s recently published book, The New Era of Cybersecurity Breaches, Graeme describes the events of the Equifax breach and offers practical steps to secure a company from the same fate that was suffered by Equifax. The only reason I have not yet read the book is because I did not know it existed. Now, it is on my wish list, and, if the description lives up to the book contents, I anticipate an excellent read! One item that struck me as peculiar during Graeme’s interview was that he stated, contrary to all the reports about the breach, that the breached server was patched against the Apache Struts. To be clear, all of the news reports indicated that Equifax received notice of the vulnerability, the available patch, yet did nothing to prevent it. I asked the following question: Didn’t you scan the servers after the patches were applied? (It is excellent that BrightTalk offers interactive webcasts like this.) Graeme responded that they scanned the servers for vulnerabilities, and the patch was reported as successfully applied to the server. How is that possible? A further discussion ensued, in which the importance of authenticated versus unauthenticated scans was mentioned. It even drifted into the idea that a company should use two different scanners! We are not all the size of an Equifax corporation. Running two scanners is simply unmanageable for many medium-sized enterprises. I posted a follow-up question: How did the vendor of the vulnerability scanner respond once the breach occurred? Unfortunately, Graeme was not at liberty to discuss that. (If you are unfamiliar with the legal system, it probably means that the terms of his dismissal are confidential, and he cannot discuss various topics, such as any impending action against a vendor.) Whatever the vendor’s response, it doesn’t matter. What matters is that the largest breach in history (to date) may not have been the result of human error or negligence. It may have been just another case of a misconfiguration problem, this time with a vulnerability scanner. Given the recent breaches that have involved cloud misconfigurations, it is important to remember that these problems can still exist within the cozy confines of an organization. Graeme seems to be doing fine in his new existence, not as a scapegoat, but as a Phoenix. I empathize with how he was treated, and I am confident that I speak for all the security community by saying, we wish him well. | Tags: Vulnerability, Equifax
no_ico | 2019-10-22 13:39:47 | COMMENT: Equifax Used Default 'Admin' User Name And Password To Secure Hacked Portal | Equifax staffers used the default user name and password – 'admin' – to secure a portal containing sensitive customer information, Computing reported. That’s according to a class-action lawsuit launched against the company in the US, claiming securities fraud by the company over the 2017 data breach that spilled information on around 148 million accounts of people in … | Tags: Data Breach, Equifax
CSO | 2019-10-14 03:00:00 | Equifax data breach FAQ: What happened, who was affected, what was the impact? | In March 2017, personally identifying data of hundreds of millions of people was stolen from Equifax, one of the credit reporting agencies that assess the financial health of nearly everyone in the United States. As we'll see, the breach spawned a number of scandals and controversies: Equifax was criticized for everything ranging from their lax security posture to their bumbling response to the breach, and top executives were accused of corruption in the aftermath. And the question of who was behind the breach has serious implications for the global political landscape. How did the Equifax breach happen? Like plane crashes, major infosec disasters are typically the result of multiple failures. The Equifax breach investigation highlighted a number of security lapses that allowed attackers to enter supposedly secure systems and exfiltrate terabytes of data. | Tags: Data Breach, Equifax
Blog | 2019-09-23 08:46:59 | NEW TECH: How 'cryptographic splitting' bakes-in security at a 'protect-the-data-itself' level | How can it be that marquee enterprises like Capital One, Marriott, Facebook, Yahoo, HBO, Equifax, Uber and countless others continue to lose sensitive information in massive data breaches? The simple answer is that any organization that sustains a massive data breach clearly did not do quite enough to protect […] | Tags: Data Breach, Equifax, Yahoo, Uber
SecurityWeek | 2019-09-20 15:43:55 | 200,000 Sign Petition Against Equifax Data Breach Settlement | 200,000 Sign Petition to "Force Equifax to Pay for Their Greed" | Tags: Data Breach, Equifax
WiredThreatLevel | 2019-09-09 21:25:03 | Don't Get Screwed Out of Your Equifax Settlement Money | If you signed up for the $125 payout in the Equifax settlement, you just hit another hurdle. But this isn't over. | Tags: Equifax
itsecurityguru | 2019-09-05 13:22:05 | Breach costs increasing due to rising fines | The cost of breaches will rise by two-thirds over the next five years, exceeding an estimated $5 trillion in 2024, primarily driven by higher fines as more jurisdictions punish companies for lax security. Equifax, $700 million. British Airways, $221 million. Marriott, $120 million. Companies are seeing much heftier fines in 2019, and the near future […] | Tags: Equifax
ZDNet | 2019-08-22 13:13:01 | UK cybersecurity agency warns devs to drop Python 2 due to looming EOL & security risks | NCSC likens companies continuing to use Python 2 past its EOL to tempting another WannaCry or Equifax incident. | Tags: Wannacry, Equifax
SecurityWeek | 2019-08-05 16:25:04 | ID Theft Stings, But it's Hard to Pin on Specific Data Hacks | Equifax 2017. Marriott 2018. Capital One 2019. | Tags: Data Breach, Equifax
MalwarebytesLabs | 2019-08-05 15:44:03 | A week in security (July 29 – August 4) | A roundup of security news from July 29 - August 4 including Capital One breach, Lord Exploit Kit, more Magecart skimming, ATM attacks, QR code scams, and Equifax payout. | Tags: Equifax
CSO | 2019-08-05 03:00:00 | Looking for answers at Black Hat 2019: 5 important cybersecurity issues | Judging by last week's Capital One breach and Equifax settlement, cybersecurity remains a topical, if not ugly, subject. The timing couldn't be better for these unfortunate events. Why? Because the cybersecurity community gets together this week in Las Vegas for Black Hat and DEF CON to discuss how to better deal with security vulnerabilities and improve threat prevention, detection, and response. I'll be there along with an assortment of my ESG colleagues. Here are some of the things we'll be looking for: | Tags: Threat, Equifax
MalwarebytesLabs | 2019-08-02 16:00:00 | Capital One breach exposes over 100 million credit card applications | The Capital One data breach is an exceptional example, if only because of how much we already know. Not only that, but the breach happened to one of the technical front-runners in banking. | Tags: Data Breach, Equifax
SecurityWeek | 2019-08-01 15:20:05 | FTC Warns Cash Option May be Small for Equifax Settlement | The Federal Trade Commission on Wednesday told consumers affected by the Equifax data breach that they are unlikely to get the full $125 cash payment that many sought. | Tags: Data Breach, Equifax
ZDNet | 2019-08-01 10:42:01 | FTC: Too many people signed up for Equifax cash, so they'll be getting less than $125 | FTC recommends that users switch some of their claims from cash payments to free credit monitoring services, as they provide a better value. | Tags: Equifax
WiredThreatLevel | 2019-08-01 00:37:02 | You'll Get Your Equifax Money. It Just Might Take a While | Despite the FTC pushing people away from an Equifax cash payout, there's a good chance you'll get all $125. Eventually. | Tags: Equifax
bleepingcomputer | 2019-07-31 19:31:02 | FTC Tells Equifax Victims to Opt for Credit Monitoring Over $125 | The FTC says that Equifax data breach victims who already have credit monitoring and opted to get a $125 cash payment might not get it in full and should choose the free credit monitoring option instead. [...] | Tags: Data Breach, Equifax
NetworkWorld | 2019-07-31 10:33:00 | The latest large-scale data breach: Capital One - TECH(feed) | Just a few days after Equifax settled with the FTC over its 2017 data breach, Capital One announced it was the target of a March attack. Identifying information and bank account numbers are among some of the data breached in the attack that affects 100 million people. A software engineer is behind the attack and is awaiting a hearing. In this episode of TECH(feed), Juliet discusses the consequences of the attack and how to find out if you've been affected. | Tags: Equifax
CSO | 2019-07-31 05:55:00 | IDG Contributor Network: Is the cloud lulling us into security complacency? | The recent CapitalOne breach has certainly made lots of headlines in less than a day since the story broke out. And sadly, it has already thrust the $700M settlement that was reached from the largest ever data breach – the Equifax one – onto the sidelines just days after the news of that settlement broke out. But going back to CapitalOne, there are lots of lessons to be learned there certainly. I want to focus on where CapitalOne's data centers were and what that means for the rest of the planet from a security perspective. CapitalOne has been one of the most vocal AWS customers. They have appeared at numerous AWS events and touted how they have completely shuttered all their data centers and run exclusively on Amazon. And to be fair, they have also shared their best practices and use of AWS services. | Tags: Data Breach, Equifax
MalwarebytesLabs | 2019-07-30 15:00:00 | How to get your Equifax money and stay safe doing it | Equifax has been ordered to pay at least $650 million in relation to its enormous 2017 data breach. Users who were affected might be eligible for a claim. But watch out for scams! | Tags: Equifax
WiredThreatLevel | 2019-07-26 20:43:03 | SpaceX's Starship Rocket Test, Equifax Owes You, and More News | Catch up on the most important news from today in two minutes or less. | Tags: Equifax
WiredThreatLevel | 2019-07-26 17:09:00 | How to Get Your Equifax Settlement Money | A settlement with the FTC means Equifax will pay victims of its breach $125 or more. Make sure they pay up. | Tags: Equifax
CSO | 2019-07-26 03:00:00 | The biggest data breach fines, penalties and settlements so far | Sizable fines assessed for data breaches in 2019 suggest that regulators are getting more serious about organizations that don't properly protect consumer data. In the UK, British Airways was hit with a record $230 million penalty, followed shortly by a $124 million fine for Marriott, while in the US Equifax agreed to pay a minimum of $575 million for its 2017 breach. | Tags: Data Breach, Equifax
CSO | 2019-07-24 04:38:00 | Equifax's billion-dollar data breach disaster: Will it change executive attitudes toward security? | Equifax announced on Monday that it has agreed to a record-breaking settlement related to its massive 2017 data breach, which exposed the personal and financial records of more than 148 million people. The settlement requires the beleaguered credit ratings agency to spend at least $1.38 billion to resolve consumer claims against it. It creates a non-reversionary fund of $380.5 million to pay benefits to the class of consumers harmed by the breach, including cash compensation, credit monitoring, and help with identity restoration. | Tags: Data Breach, Equifax
no_ico | 2019-07-23 17:26:01 | Experts Commentary On Equifax Settlement | Reuters is reporting that credit-reporting company Equifax Inc will pay up to a record $650 million to settle U.S. federal and state probes into a massive 2017 data breach of personal information, authorities said on Monday. The largest-ever settlement for a data breach draws to a close multiple probes into Equifax by the Federal Trade Commission, the … | Tags: Data Breach, Equifax
The_Hackers_News | 2019-07-23 00:55:00 | Equifax to Pay up to $700 Million in 2017 Data Breach Settlement | Equifax, one of the three largest credit-reporting firms in the United States, has to pay up to $700 million in fines to settle a series of state and federal investigations into the massive 2017 data breach that exposed the personal and financial data of nearly 150 million Americans - that's almost half the country. According to an official announcement by the U.S. Federal Trade Commission (FTC | Tags: Data Breach, Equifax
WiredThreatLevel | 2019-07-22 19:58:00 | $700 Million Equifax Fine Is Still Too Little, Too Late | For failing to safeguard Social Security numbers, credit card numbers, and more, Equifax will pay up - but not enough, experts say. | Tags: Equifax
grahamcluley | 2019-07-22 19:56:03 | 700 million reasons for Equifax to remember to patch its vulnerable IT systems in future | Equifax has agreed to pay up to $700 million in an FTC settlement following its 2017 data breach. | Tags: Equifax
Chercheur | 2019-07-22 19:27:01 | What You Should Know About the Equifax Data Breach Settlement | Big-three credit bureau Equifax has reportedly agreed to pay at least $650 million to settle lawsuits stemming from a 2017 breach that let intruders steal personal and financial data on roughly 148 million Americans. Here's a brief primer that attempts to break down what this settlement means for you, and what it says about the value of your identity. | Tags: Data Breach, Equifax
DarkReading | 2019-07-22 18:23:00 | Equifax to Pay Up to $700mn for Data Breach Damages | In a settlement with the FTC, consumers affected by the breach are eligible for up to $20,000 in a cash settlement, depending on damages they can prove. | Tags: Data Breach, Equifax
ZDNet | 2019-07-22 14:31:00 | Equifax, regulators sign $700m deal to settle data breach lawsuits | The massive security incident exposed personal details belonging to almost 150 million customers. | Tags: Data Breach, Equifax
SecurityAffairs | 2019-07-22 13:21:05 | WSJ says Equifax to Pay $700 million settlement for 2017 breach | The Wall Street Journal revealed that Equifax will pay around $700 million to settle with the Federal Trade Commission over the 2017 data breach. According to The Wall Street Journal, Equifax will pay around $700 million to settle with the Federal Trade Commission over the 2017 data breach. The security breach suffered by Equifax in 2017 exposed […] | Tags: Equifax
SecurityWeek | 2019-07-22 13:16:00 | Equifax to Pay up to $700 Million to Consumers, Authorities Over 2017 Breach | Equifax and U.S. government agencies announced on Monday that the credit reporting agency is prepared to pay up to $700 million to settle charges related to the massive 2017 data breach that impacted roughly 147 million people. | Tags: Equifax
BBC | 2019-07-22 11:21:04 | Equifax to pay up to $700m to settle data breach | The credit score agency has agreed a settlement after hackers stole 147 million people's details. | Tags: Data Breach, Equifax
ZDNet | 2019-07-22 08:06:05 | Equifax, regulators close to signing $700m deal to settle data breach lawsuits | The massive security incident exposed personal details belonging to almost 150 million customers. | Tags: Data Breach, Equifax
MalwarebytesLabs | 2019-07-08 15:08:03 | A week in security (July 1 – 7) | A roundup of cybersecurity news from July 1-7, including stalkerware, Bitcoin generators, app permissions, Chinese spyware, some giant leaks, and a new malware attack method. | Tags: Malware, Equifax
grahamcluley | 2019-07-01 16:15:00 | Ex-Equifax CIO, who knew about huge data breach, jailed for insider trading | So, just what was Equifax doing during those 40 days between discovering it had been hacked and sharing the bad news with the world? Well, now we know. Or at least what Jun Ying, the CIO of Equifax US Information Solutions, was doing. | Tags: Equifax
ESET | 2019-07-01 16:00:02 | Ex-Equifax executive sent to jail for insider trading after breach | “Sounds bad”, the former Equifax CIO wrote in a text after learning of the breach that ended up affecting almost half the US population | Tags: Equifax
ZDNet | 2019-07-01 11:30:03 | Former Equifax executive sent behind bars for insider trades, profiting on data breach | An opportunity to cash in on the data breach was seized, with prison as a consequence. | Tags: Data Breach, Equifax
SecurityWeek | 2019-06-28 04:58:04 | Former Equifax Executive Gets 4 Months for Insider Trading | A former Equifax executive who sold stock a week and a half before the company announced a massive data breach was sentenced Thursday to serve four months in federal prison for insider trading. | Tags: Data Breach, Equifax
SecurityWeek | 2019-06-17 14:19:00 | Federal Agencies Still Using Knowledge-Based Identity Verification | Some U.S. government agencies still rely on knowledge-based identity verification despite the fact that this system has been easy to beat following the massive data breaches suffered by the Office of Personnel Management (OPM) and Equifax | Tags: Equifax
ZDNet | 2019-06-17 10:31:00 | Equifax breach impacted the online ID verification process at many US govt agencies | Impacted agencies include the Centers for Medicare and Medicaid Services (CMS), the Social Security Administration (SSA), the US Postal Service (USPS), and the Department of Veterans Affairs (VA). | Tags: Equifax
ESET | 2019-05-28 14:50:02 | Equifax stripped of 'stable' outlook over 2017 breach | Add that to the US$1.4 billion that the massive incident has cost the company so far | Tags: Equifax
no_ico | 2019-05-28 11:30:05 | Downgrade Of Equifax By Moody's Due To Cyber Breach | In response to this week’s downgrade by Moody’s of Equifax as a result of its 2017 massive breach of consumer data, six cybersecurity and risk experts offer perspective on this ongoing issue. Laurence Pitt, Strategic Security Director at Juniper Networks: “A stock downgrade following a cyber-attack is not a surprise, in fact it cements what we … | Tags: Equifax
ZDNet | 2019-05-24 09:12:01 | Equifax rating outlook decimated over cybersecurity breach | A Moody's downgrade shows that poor security can have severe financial fallout. | Tags: Equifax
SecurityWeek | 2019-05-23 12:04:01 | Moody's Downgrades Equifax Outlook to Negative Over 2017 Data Breach | Moody's has revised its Equifax outlook from stable to negative, citing the effect of the 2017 data breach. This is the first time that a cybersecurity incident has resulted in a Moody's outlook downgrade. | Tags: Data Breach, Equifax
AlienVault | 2019-05-15 13:00:00 | Critical Cyber Security features that your business needs to survive | Recent statistics show that 60% of businesses that are forced to suspend operations after a cyber-attack are never able to reopen for business. This is largely due to revenue lost due to downtime as well as damage to the company’s reputation. The good news is that most of these threats can be mitigated with reliable cybersecurity. When it comes to cyberattacks, time is of the essence. Businesses should install systems that will enable them to detect potential threats so as to respond in a timely manner. One of the recommended solutions is a combination of services and products from AT&T Cybersecurity, which provides edge-to-edge protection to enable businesses to stay ahead of threats. Data Breach Prevention: Data breaches happen when cyber criminals successfully attack systems that hold sensitive information. In the case of businesses, this may include crucial information such as employee and customer records. The exfiltration of such data outside organizational boundaries can lead to costly fines and massive monetary losses. This is evidenced by the fining of Equifax after it experienced a breach that exposed data belonging to 146 million people. However, businesses can employ standard security software such as antivirus and intrusion detection systems to defend against data leakages by monitoring sensitive files and data transfers. Phishing prevention: Phishing involves the use of digital messages by cyber criminals to steal credit card information, user logins and other types of sensitive data. Cases of phishing attacks have been on the rise and any business on the web can be targeted. As more businesses are aware of the risks posed by suspicious emails and links, hackers have upped the ante by using machine learning to distribute malicious messages with the aim of targeting frail businesses. Sensitive data can also be compromised by third parties, such as partners and contractors. Businesses should employ effective strategies for finding partners and contractors so as to reduce security risks posed by them. Employee training, installation of security systems and updating of all software are essential methods to greatly reduce phishing attacks. Ransomware prevention & detection: For many businesses around the world, ransomware can be a nightmare. The average ransomware attack costs a company a whopping $133,000. Cyber criminals make use of malicious software to encrypt a victim’s data and then demand ransoms in order to decrypt the data. Paying these ransoms doesn’t always guarantee access, since criminals cannot be trusted, and so businesses should take measures to avoid such situations. One of the measures is to use updated security software, have a good backup and restore plan and also to train employees on how to avoid emails that may carry ransomware. The importance of cybersecurity cannot be stressed enough. Companies have been reduced to rubble because of inadequate security of their systems. Cyber criminals are | Tags: Ransomware, Guideline, Equifax
DataSecurityBreach | 2019-05-12 16:08:00 | Equifax: the hack at more than 1.4 billion in losses | Computer hacking has a real cost that is difficult to quantify, since the ramifications that attach to it do not reveal themselves overnight. One example is the 2017 hack of the bank Equifax. Two years after the intrusion, the bill keeps growing. Hacking is already psychologically difficult to […] | Tags: Equifax, APT 15
SecurityAffairs | 2019-05-12 13:27:02 | Security breach suffered by credit bureau Equifax has cost $1.4 Billion | Equifax revealed its earnings release related to the security breach suffered in 2017; the incident has cost about $1.4 billion plus legal fees. Equifax revealed this week its earnings release related to the security breach suffered by the credit bureau back in 2017; the incident has cost about $1.4 billion plus legal fees. In 2017 Equifax confirmed it has suffered […] | Tags: Equifax
AlienVault | 2019-04-12 13:00:00 | Things I hearted this week 12th April 2019 | Hello again to another weekly security roundup. This week, I have a slightly different spin on the roundup in that the net has been slightly widened to include broader technology topics from more than just this last week. However, all of the articles were written by ladies. With that, let’s dive straight in. A beginner's guide to test automation: If you’re new to automated testing, you’re probably starting off with a lot of questions: How do I know which tests to automate? Why is automated testing useful for me and my team? How do I choose a tool or framework? The options for automated testing are wide open, and you may feel overwhelmed. If so, this is a great article on how to get started. A Beginner's Guide to Test Automation (Sticky Minds). All roads lead to exploratory testing: When I’m faced with something to test – be it a feature in a software application or a collection of features in a release – my general preference is weighted strongly towards exploratory testing. When someone who doesn’t know a great deal about testing wants me or my team to do testing for them, I would love to educate them on why exploratory testing could be a strong part of the test strategy. All roads lead to exploratory testing (Womentesters). While on the topic of testing: Testing Behaviours — Writing A Good Gherkin Script (Medium, Jo Mahadevan). Single-page, server-side, static… say what? An emoji-filled learning journey about the trade-offs of different website architectures, complete with gifs, diagrams, and demo apps. If you’ve been hanging around the internet, trying to build websites and apps, you may have heard some words in conversation like static site or server-side rendered (SSR) or single-page app (SPA). But what do all of these words mean? How does each type of application architecture differ? What are the tradeoffs of each approach and which one should you use when building your website? Single-Page, Server-Side, Static… say what? (Marie Chatfield). If, like me, you enjoyed this post by Marie, check out some of her other posts, which are great. Quick plug to Protocol-andia: Welcome to the Networking Neighborhood. A whimsical introduction to how computers talk to each other, and what exactly your requests are up to. Strengthen your security posture: start with a cybersecurity framework. The 2017 Equifax data breach is expected to break all previous records for data breach costs, with Larry Ponemon, chairman of the Ponemon Institute, estimating the final cost to be more than $600 million. Even non-enterprise-level organizations suffer severe consequences for data breaches. According to the National Cyber Security Alliance, mid-market companies pay more than $1 million in post-attack mitigation, and the average cost of a data breach to an SMB is $117,000 per incident. While estimates vary, approximately 60% of businesses who suffer a breach are forced to shut down business within 6 months. It is mor | Tags: Guideline, Prediction, Equifax, APT 39
AlienVault | 2019-04-02 13:00:00 | Information on open source vulnerabilities is as distributed as the community | Nothing gets the AppSec / InfoSec community abuzz quite like a good old 0-day vulnerability. I mean, what’s not to love here? These vulnerabilities involve the thrill of adversaries knowing something we don’t, giving them a path to sail through our defenses to break into that sweet data inside. They are the James Bond of the security space — suave, sexy, and deadly. However, once we get past the veneer of the 0-day mystique, we are quickly reminded that the far bigger threat to our software comes more from the known vulnerabilities that are floating around in public, available for all to see and exploit. Known security vulnerabilities: hidden in plain sight. While there are always going to be those exploits kicking around in the darker corners of the hackerverse that require an effective threat intelligence solution, the vast majority of vulnerabilities for both commercial and open source products end up on security advisories like the National Vulnerability Database (NVD), the popular U.S. government-backed database that analyzes reported software vulnerabilities (CVEs). For years now, we have been seeing a moderate yet steady climb in the number of software vulnerabilities (CVEs) being reported. However, the count for 2017 more than doubled the previous year’s number, spiking from 6,447 to 14,714 CVEs in the books. Hardly a fluke - 2018 recorded 16,555 vulnerabilities. I have theorized on why we are seeing more of these vulnerabilities coming to light, due in part to bug bounties and corporate sponsorship for research into open source security efforts. Frankly, more money being thrown at the problem is helping to play a positive role in making software safer, but it only tells a part of the story. Where do software security vulnerabilities go once they are discovered? The NVD is generally considered to be the authoritative listing for vulnerabilities and is where many security folk and developers go to search for known vulnerabilities, their details, and their fixes. Not all, but most known vulnerabilities can be found there, and that’s the good news. The bad news is that the information pertaining to these vulnerabilities is spread out across multiple sources, making the job of keeping track of them considerably more difficult. Not every vulnerability makes its way directly to the NVD through the standard CVE route. Vulnerabilities reach the CVE, another U.S.-government-backed organization run by the non-profit MITRE Corporation, through reports from security researchers, project maintainers, or companies in the case of commercial software. When a vulnerability is discovered by a researcher, the common practice is to notify the vendor or project maintainer and then reach out to the CVE to reserve an identification number. Information about what has been found to be vulnerable and how to exploit it is withheld during a grace period (typically 60-90 days), which is meant to allow the product/project’s team time to develop a fix for the vulnerability. Vulnerabilities reported for commercial products like Microsoft’s Win | Tags: Equifax
Last update at: 2024-05-13 16:08:13