Risk
News & Commentary
5 Pitfalls to Avoid When Running Your SOC
Jeff Schilling, CSO, FirehostCommentary
The former head of the US Army Cyber Command SOC shares his wisdom and battle scars about playing offense not defense against attackers.
By Jeff Schilling CSO, Firehost, 12/18/2014
Comment0 comments  |  Read  |  Post a Comment
2014: The Year of Privilege Vulnerabilities
Marc Maiffret, CTO, BeyondTrustCommentary
Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of "least privilege" could limit the impact of malware and raise the bar of difficulty for attackers.
By Marc Maiffret CTO, BeyondTrust, 12/16/2014
Comment0 comments  |  Read  |  Post a Comment
Shadow IT: Not The Risk You Think
Tal Klein, VP Strategy, AdallomCommentary
Enterprise cloud services such as Box, Office 365, Salesforce, and Google Apps can make a better case for being called sanctioned than many legacy, on-premises, IT-provisioned applications.
By Tal Klein VP Strategy, Adallom, 12/12/2014
Comment0 comments  |  Read  |  Post a Comment
Cyber Security Practices Insurance Underwriters Demand
Natalie Lehr, Co-Founder & VP Analytics, TSC AdvantageCommentary
Insurance underwriters aren’t looking for companies impervious to risk. They want clients that understand the threat landscape and have demonstrated abilities to mitigate attacks.
By Natalie Lehr Co-Founder & VP Analytics, TSC Advantage, 12/11/2014
Comment2 comments  |  Read  |  Post a Comment
Smartphones Get Headlines, But Lax USB Security Is Just As Risky
Cam Roberson, Director Reseller Channel, Beachhead SolutionsCommentary
Most companies use no software to detect or secure sensitive data when it is moved to a USB flash drive, or even check USB drives for viruses or malware.
By Cam Roberson Director Reseller Channel, Beachhead Solutions, 12/10/2014
Comment7 comments  |  Read  |  Post a Comment
3 Steps To Solidifying Air-Gap Security
Ericka Chickowski, Contributing Writer, Dark ReadingNews
Your isolated systems may not be as secure from exfiltration or external control as you think.
By Ericka Chickowski Contributing Writer, Dark Reading, 12/8/2014
Comment0 comments  |  Read  |  Post a Comment
Open Source Encryption Must Get Smarter
Matt Little, VP Product Development, PKWARECommentary
When it comes to cryptography, there are quite a few myths in the age-old debate about proprietary versus open source application security.
By Matt Little VP Product Development, PKWARE, 12/8/2014
Comment3 comments  |  Read  |  Post a Comment
The Real Cost of Cyber Incidents, According To Insurers
Sara Peters, Senior Editor at Dark ReadingNews
Healthcare is hit by the most malicious insiders and the highest legal costs, according to a NetDiligence report.
By Sara Peters Senior Editor at Dark Reading, 12/3/2014
Comment3 comments  |  Read  |  Post a Comment
With Operation Cleaver, Iran Emerges As A Cyberthreat
Jai Vijayan, Freelance writerNews
A hacker group's actions suggest that it is laying the groundwork for a future attack on critical infrastructure targets.
By Jai Vijayan Freelance writer, 12/3/2014
Comment0 comments  |  Read  |  Post a Comment
How Startups Can Jumpstart Security Innovation
Rick Gordon, Managing Partner, Mach37 Cyber AcceleratorCommentary
One of the best places for CISOs to turn for a cutting-edge cyber security strategy is the burgeoning world of startups. Here’s how to find them.
By Rick Gordon Managing Partner, Mach37 Cyber Accelerator, 12/3/2014
Comment1 Comment  |  Read  |  Post a Comment
Leveraging The Kill Chain For Awesome
Sean Mason, VP, Incident Response, Resolution1 SecurityCommentary
There are good reasons the Kill Chain is being used by some of the most successful information security teams around. Here are three.
By Sean Mason VP, Incident Response, Resolution1 Security, 12/2/2014
Comment1 Comment  |  Read  |  Post a Comment
Senate Explores Outsourcing Security Services
Jai Vijayan, Freelance writerNews
The US Senate might outsource core cyber security support to a managed security service. Candidate tasks include network security monitoring, threat analysis, incident reporting, vulnerability analysis, and security engineering and research.
By Jai Vijayan Freelance writer, 12/2/2014
Comment3 comments  |  Read  |  Post a Comment
Cybercrooks Expand Sights To Market Manipulation
Ericka Chickowski, Contributing Writer, Dark ReadingNews
A new FireEye report shows attacks with simple technical roots but sophisticated knowledge of the investment world are stealing information that could be used for insider trading.
By Ericka Chickowski Contributing Writer, Dark Reading, 12/1/2014
Comment2 comments  |  Read  |  Post a Comment
10 Ways Security Gurus Give Thanks
Ericka Chickowski, Contributing Writer, Dark ReadingNews
From board-level awareness to bug bounty programs and everything in between, the security world's maturation offers security practitioners something to be thankful for.
By Ericka Chickowski Contributing Writer, Dark Reading, 11/25/2014
Comment5 comments  |  Read  |  Post a Comment
6 Million+ Email Accounts Worldwide Exposed In Past 3 Months
Kelly Jackson Higgins, Executive Editor at Dark ReadingQuick Hits
Spike in number of stolen accounts likely due to uptick in major data breaches, researchers say.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 11/25/2014
Comment4 comments  |  Read  |  Post a Comment
Data Management Vs. Data Loss Prevention: Vive La Différence!
Todd Feinman,  President & CEO, Identity FinderCommentary
A sensitive data management strategy can include the use of DLP technology, but it also involves a comprehensive understanding of where your data is and what specifically is at risk.
By Todd Feinman President & CEO, Identity Finder, 11/25/2014
Comment4 comments  |  Read  |  Post a Comment
Cyber Security Needs Its Ralph Nader
Tsion Gonen , Chief Strategy Officer, SafeNetCommentary
It took thousands of unnecessary traffic fatalities to create an environment for radical transformation of the auto industry. What will it take for a similar change to occur in data security?
By Tsion Gonen Chief Strategy Officer, SafeNet, 11/24/2014
Comment14 comments  |  Read  |  Post a Comment
The Week When Attackers Started Winning The War On Trust
Kevin Bocek, VP Security Strategy & Threat Intelligence, VenafiCommentary
The misuse of keys and certificates is not exotic or hypothetical. It’s a real threat that could undermine most, if not all, critical security controls, as recent headlines strongly show.
By Kevin Bocek VP Security Strategy & Threat Intelligence, Venafi, 11/21/2014
Comment1 Comment  |  Read  |  Post a Comment
OCR Audits: Don’t Fall Victim To Past Mistakes
Mark Fulford, Partner at LBMC’s Security & Risk ServicesCommentary
The Office of Civil Rights is not out to get you. But it does expect you to make good-faith efforts at protecting patient data.
By Mark Fulford Partner at LBMC’s Security & Risk Services, 11/21/2014
Comment2 comments  |  Read  |  Post a Comment
New Citadel Attack Targets Password Managers
Jai Vijayan, Freelance writerNews
IBM researchers have found signs that the prolific data steal Trojan is now being used to attack widely used password managers.
By Jai Vijayan Freelance writer, 11/20/2014
Comment4 comments  |  Read  |  Post a Comment
More Stories
Current Conversations
More Conversations
PR Newswire
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7241
Published: 2014-12-19
The TSUTAYA application 5.3 and earlier for Android allows remote attackers to execute arbitrary Java methods via a crafted HTML document.

CVE-2014-7249
Published: 2014-12-19
Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 992...

CVE-2014-7267
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the output-page generator in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7268.

CVE-2014-7268
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the data-export feature in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7267.

CVE-2014-8272
Published: 2014-12-19
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.