Comments
Newest First | Oldest First | Threaded View
But the cloud is supposed to be more secure!
Isn't that what everyone tells us? The cloud is more secure. Why worry? (sarcasm assumed)
plaintext credentials
I was hoping that we would not hear this again, plaintext credential means no credential basically.
devops-oriented world
"devops-oriented world" in which those who write the code are responsible for pushing it to production."
I do not have problem with this, therebcna still be enough chekcs to make sure no security vulnerability.
cloud providers failing to secure data centers
This is something we can argue but it is still both cloud provers and consumers to encrypt the databases. Cloud providers could make this a default features on their services.
51% web traffic
51% web traffic being not encrypted is more troubleing than database encryption at rest. So individuals who are registering those sites not having https are competely at risk.
Not surprised
This is not surprising at all. I bet it is the same on on-premises. We tend to think it is important to encrypt data but not doing that when it comes to data at rest.
What exactly is the threat vector of an unencrypted cloud database?
What exactly is the threat vector of an unencrypted cloud database? Considering this is headline I'm curious if you or anyone could describe a scenario where someone accesses data by attacking an unencrpted database. Unless I misunderstand something the encryption protects attempts to access the data at the disk level. For RDS users(the most common case) wouldn't an attacker first have to compromize AWS infrastructure to get at the disk layer of RDS? There's no public access to the disk of an RDS instance. Help me understand the risk.
Yes we encrypt our cloud databases and noticed that we have to spend more hourly on many due to the additional size requirements of encrypting them.
Yes we encrypt our cloud databases and noticed that we have to spend more hourly on many due to the additional size requirements of encrypting them.
This article and the cited report are misleading
This article, and the cited report, suggest that the 82% of unecrpyted databases in the public cloud would suddenly become safe if they were all encrpyed but that's far from the truth. This will only protect the database from an attack vector where the threat actor attempts to steal the DB in its entirety at the filesystem level. If an attack exploids weak DB credentials via an exposed port they will still have full read access to the encrypted DB unless the DB is utililzing field level encryption, which is not even mentioned in this article. The way in which the cited report collected their data is also not very scienctic; the 82% is probably not an accruate reflection of the real number. This article reads more like sponsered content than anything.
White Papers
Video
1 Comments
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Ben saw that management takes locked-down situations very seriously.
Latest Comment: Ben saw that management takes locked-down situations very seriously.
Current Issue
Building and Managing an IT Security Operations ProgramAs cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
How Enterprises Are Developing Secure Applications
IT security and application development are disparate processes that are increasingly coming together. Here's a look at how that's happening.
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database CVE-2019-11873
PUBLISHED: 2019-05-23
PUBLISHED: 2019-05-23
PUBLISHED: 2019-05-23
PUBLISHED: 2019-05-22
PUBLISHED: 2019-05-22
From DHS/US-CERT's National Vulnerability Database CVE-2019-11873
PUBLISHED: 2019-05-23
wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when a current identity size is greater than a client identity size. An attacker sends a crafted hello client packet over the network to a TLSv1.3 wolfSSL server. The length fields of the packet: record length, client hello length, to...
CVE-2019-12295PUBLISHED: 2019-05-23
In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the dissection engine could crash. This was addressed in epan/packet.c by restricting the number of layers and consequently limiting recursion.
CVE-2019-12293PUBLISHED: 2019-05-23
In Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc via data with inconsistent heights or widths.
CVE-2018-7201PUBLISHED: 2019-05-22
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.
CVE-2018-7803PUBLISHED: 2019-05-22
A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex TriStation Emulator V1.2.0, which could cause the emulator to crash when sending a specially crafted packet. The emulator is used infrequently for application logic testing. It is susceptible to an attack...
- Terms of Service
- Privacy Statement
- Legal Entities
- Copyright © 2019 UBM, All rights reserved
Tweet This
User Rank: Strategist
5/30/2017 | 9:45:46 AM
"'Average' is a statistical fiction". Under three hours average TTL for a cloud resource? Based on what? People creating something, realizing it's misconfigured, destroying it and then doing it right? Trial and error, experimentation? transient convenience builds? dynamic honeypots? the possibilities are endless and so are the questions left unanswered.
Without any discussion of the distribution curve, a single value is a data point without meaning. Imagine trying to read a graph with unlabeled axes. Pretty picture, but with what meaning?
You can do better.