Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
First US Federal CISO Shares Security Lessons Learned
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
11/30/2017 | 8:32:12 PM
Re: Executives wait for "technologists" to lock their own front doors
@SchemaCzar: Not just executives -- even the very top executives. An MIT professor once told me a story of how a company sent out "fake" phishing emails to its employees as a test, and one of the people who clicked on the link was a C-suite executive. When asked why he clicked on the link, the C-suiter responded, "I wanted to see what would happen."
SchemaCzar
SchemaCzar,
User Rank: Strategist
11/30/2017 | 9:32:07 AM
Executives wait for "technologists" to lock their own front doors
Reading security news and the general news, I conclude that Touhill needs to talk tougher to executives.  There are too many stories of executives who can't be bothered to follow the same security policies that must be followed by others in the organization.  They are the highest-value person targets in the organization, and they often feel they can dump their own security on an underling, or worse, that security is the organization's problem rather than their personal responsibility.  I recently heard of a high-level VP in a large, regulated business who flat-out refused to follow password change, or even password complexity policy.  This was before password change policies were brought into question, but long after secure password managers were available that make password change and complexity requirements manageable.

Touhill is right that these executives think cybersecurity is a technology problem.  So is the physical security of their own homes: a technology problem.  If they treated home security the way they do organizational security, they wouldn't even lock their own front doors.
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
11/29/2017 | 8:30:55 PM
Basics
Reminds me of that old reality show "To Catch a Thief," which demonstrated to people how easy it was for burglars to break in and steal them blind in a matter of about ten minutes. Almost all the time, there was an unlocked window or unlocked door.

Same thing in cybersecurity. The bad guys don't go right to sophisticated techniques. They go to basic, common passwords and they go to recently announced zero-days to check for a lack of a patch.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-42247
PUBLISHED: 2022-10-03
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.
CVE-2022-41443
PUBLISHED: 2022-10-03
phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.
CVE-2022-33882
PUBLISHED: 2022-10-03
Under certain conditions, an attacker could create an unintended sphere of control through a vulnerability present in file delete operation in Autodesk desktop app (ADA). An attacker could leverage this vulnerability to escalate privileges and execute arbitrary code.
CVE-2022-42306
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can send a crafted packet to pbx_exchange during registration and cause a NULL pointer exception, effectively crashing the pbx_exchange process.
CVE-2022-42307
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.