Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn't fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file.
User Rank: Apprentice
9/20/2016 | 8:57:32 PM
I see two problems at play here:
CISOs don't know how to measure the return on investment existing security controls are providing, hence they are not able to articulate the value
CISOs are likely not getting the best value out of some investments - not utilising all of the features; purchase was made on a whim rather than rooted in solid discussions around risk; etc.
To actually make a difference in the cybersecurity industry, perhaps CISOs should try changing the way they think about the problem:
Move beyond the notion of security and even regulatory compliance (PCI-DSS is good but limited). Even ISO 27001, NIST and other frameworks have their flaws. Also forget about the kill chain. It describes only a subset of today's attacks.
Start thinking along these lines. Every devastating impact, be it operational, physical, personal, legal, reputational, financial, or a combination of these, that we suffer because of cyber crime happens because:
We failed to identify and remediate vulnerabilities in our critical assets;
We failed to predict and prevent threats that exploited those vulnerabilities;
We failed to detect and respond to the attack that manifested from a threat;
We failed to confirm and recover from a breach in a timely and coordinated fashion.
Translate this into the requirement for a shift in mindset and culture from security or compliance to a healthy dose of:
1. asset management (asset identification and classification)
2. vulnerability management (vulnerability identification and remediation)
3. threat management (threat prediction and prevention)
4. incident management (attack detection and response)
5. continuity management (breach confirmation and recovery)
6. crisis management (impact reduction, acceptance, avoidance and transfer)
I call this "cyber resilience" and, yes, it actually works to reduce the rate and cost of cybercrime.