Commentary
Content posted in June 2015
Getting To Yes: Negotiating Technology Innovation & Security Risk
Commentary  |  6/30/2015  | 
As enterprises look for ways to leverage the cloud, mobility, Big Data, and social media for competitive advantage, CISOs can no longer give blanket refusals to IT experimentation.
Social Engineering & Black Hat: Do As I Do Not As I Say
Commentary  |  6/29/2015  | 
Yes, I will be at Black Hat, where people will yell at me about NOT giving my PII to anyone, especially if they ask me for it via email.
3 Simple Steps For Minimizing Ransomware Exposure
Commentary  |  6/26/2015  | 
If your data is important enough to pay a ransom, why wasn't it important enough to properly backup and protect in the first place?
What Do You Mean My Security Tools Dont Work on APIs?!!
Commentary  |  6/25/2015  | 
SAST and DAST scanners havent advanced much in 15 years. But the bigger problem is that they were designed for web apps, not to test the security of an API.
Why China Wants Your Sensitive Data
Commentary  |  6/24/2015  | 
Since May 2014, the Chinese government has been amassing a 'Facebook for human intelligence.' Here's what it's doing with the info.
The Dark Web: An Untapped Source For Threat Intelligence
Commentary  |  6/23/2015  | 
Most organizations already have the tools for starting a low-cost, high-return Dark Web cyber intelligence program within their existing IT and cybersecurity teams. Heres how.
What You Probably Missed In Verizon's Latest DBIR
Commentary  |  6/22/2015  | 
Tune in to Dark Reading Radio at 1pm ET/11am Pacific on Wednesday, June 24, when Verizon Data Breach Investigations Report co-author Marc Spitler discusses some of the possibly lesser-noticed nuggets in the industry's popular report on real-world attacks.
Security Surveys: Read With Caution
Commentary  |  6/22/2015  | 
Im skeptical of industry surveys that tell security practitioners what they already know. Dont state the obvious. Tell us the way forward.
9 Questions For A Healthy Application Security Program
Commentary  |  6/19/2015  | 
Teams often struggle with building secure software because fundamental supporting practices aren't in place. But those practices don't require magic, just commitment.
Cybersecurity Advice From A Former White House CIO
Commentary  |  6/18/2015  | 
Today's playbook demands 'human-centered' user education that assumes people will share passwords, forget them, and do unsafe things to get their jobs done.
Time to Focus on Data Integrity
Commentary  |  6/17/2015  | 
Information security efforts have historically centered on data theft. But cybercriminals who alter corporate records and personal information can also cause serious harm.
Is Your Security Operation Hooked On Malware?
Commentary  |  6/16/2015  | 
It may seem counterintuitive, but an overzealous focus on malware may be preventing you from detecting even bigger threats.
Lessons Learned From The Ramnit Botnet Takedown
Commentary  |  6/15/2015  | 
While most organizations wont find themselves in similar circumstances, there are important takeaways they can apply to any security program.
Survival Tips For The Security Skills Shortage
Commentary  |  6/12/2015  | 
No matter how you slice it, creating a security professional with 10 years of experience takes, well, 10 years. Here are six suggestions for doing more with less.
From GitHub to Great Cannon: A Mid-Year Analysis Of DDoS Attacks
Commentary  |  6/11/2015  | 
The new and common face of DDoS today is its use as a smokescreen to conceal malicious activity in an overwhelming burst of traffic that stretch security layers to the brink.
Firewalls Sustain Foundation of Sound Security
Commentary  |  6/10/2015  | 
Simply put, organizations that cannot maintain rigid firewall enforcement are more likely to be compromised.
Why the Firewall is Increasingly Irrelevant
Commentary  |  6/10/2015  | 
It will take a dramatic reimagining of security to dedicate focus to the areas where company data actually resides. It starts with tearing down the firewall.
Security Metrics: Its All Relative
Commentary  |  6/9/2015  | 
What a haircut taught me about communicating the value of security to executives and non-security professionals.
7 Critical Criteria for Data Encryption In The Cloud
Commentary  |  6/8/2015  | 
Encrypting the huge number of data files stored in a public cloud today is like bubble-wrapping an entire house. Better to focus on the fragile items that matter.
Long Cons: The Next Age of Cyber Attacks
Commentary  |  6/5/2015  | 
When hackers know that a big payday is coming they dont mind waiting for months for the best moment to strike.
How The Hacker Economy Impacts Your Network & The Cloud
Commentary  |  6/4/2015  | 
To protect data against growing threats, networks must now act as both sensor and enforcer around traffic that passes through users and data centers to the cloud.
Help Wanted: Security Heroes & Heroines Only Need Apply
Commentary  |  6/3/2015  | 
If we want to do more than simply defend ourselves, we need security champions and equally heroic security solutions.
Shaping A Better Future For Software Security
Commentary  |  6/2/2015  | 
Industry and government leaders discuss ways to improve practices, awareness and education around secure software development. Heres a recap of what you missed.
Todays Requirements To Defend Against Tomorrows Insider Threats
Commentary  |  6/1/2015  | 
At its most basic, a consistent and meaningful insider threat detection program has two components: data and people. Heres how to put them together.


Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.