Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-29248 PUBLISHED: 2022-05-25
Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to ...
CVE-2022-29402 PUBLISHED: 2022-05-25
TP-Link TL-WR840N EU v6.20 was discovered to contain insecure protections for its UART console. This vulnerability allows attackers to connect to the UART port via a serial connection and execute commands as the root user without authentication.
CVE-2021-27783 PUBLISHED: 2022-05-25
User generated PPKG file for Bulk Enroll may have unencrypted sensitive information exposed.
CVE-2021-27779 PUBLISHED: 2022-05-25
VersionVault Express exposes sensitive information that an attacker can use to impersonate the server or eavesdrop on communications with the server.
CVE-2021-44719 PUBLISHED: 2022-05-25
Docker Desktop 4.3.0 has Incorrect Access Control.
User Rank: Apprentice
11/13/2014 | 5:37:46 AM
To get the depth of knowledge in technical subjects that the mitigation of attacks from sophisticated attackers, as well as insider and supply-chain introduced risk, requires, you need a team of people with a deep technical understanding in their field of expertise. Even more importantly, all these silos need to be brought together into a capability that takes into consideration alignment to the threat profile of the business (understanding business isn't just blinky lights; there are people, processes and data that need securing to run as a functional whole and deliver revenue to the company); measuring operational effectiveness of your operational and technical controls; obtaining and retaining the skills in the business (recruitment, skills assessment, training, mentoring, staff retention); the right documented processes that are measurable for continual improvement, yet still flexible enough to handle the changing threat that we face.
A lot of these skills don't get established when you've spent 10 years focusing on firewall policy or IDS signatures. Don't get me wrong, I come from a development and then red-team background, but it's easier to learn the technical concepts to the depth at which you need to meaningfully undertake the above tasks than it is to take someone with a deep silo of knowledge in one aspect of information security and teach them to do the above.