Dark Reading is part of the Informa Tech Division of Informa PLC
Comments
Insider Dangers Are Hiding in Collaboration Tools
Joe Stanganelli
User Rank: Ninja
7/2/2018 | 5:03:15 PM
Re: Insider
@Dr.T: They may be unavoidable, but they can be quickly mitigated with proper network monitoring to detect aberrant behavior.
Joe Stanganelli
User Rank: Ninja
7/2/2018 | 5:02:02 PM
Measuring negative sentiment
I'm kind of concerned about tracking negative sentiment on private-communication employee channels to tie to individuals. It's one thing to look at it as an overall possible indicator of current and future employee satisfaction, but it's another thing altogether to look for "thoughtcrime". Everybody's got a gripe at some point in their work environment; that alone means nothing.

And as for legal risk about discriminatory remarks as well as InfoSec risk about confidential data being spread and maintained in private channels, best to use ephemeral communication channels where communication is encrypted and promptly deleted. That way, no damaging messages of any kind -- security risks, legal risks, etc. -- are kept and maintained. The modern enterprise hoards too much data as it is.
Dr.T
User Rank: Ninja
6/29/2018 | 9:03:47 AM
Educate employees
According to a recent report, 57% of organizations plan on increasing their spending on collaborative tools in 2018. I am still in favor of enterprise collaboration tools since we can use them to educate employees against attacks.
Dr.T
User Rank: Ninja
6/29/2018 | 9:02:25 AM
Insider
"This creates a scenario where inadvertent actors may accidentally and negligently share sensitive data because they put something in writing they wouldn't ordinarily email to a colleague." Insider attacks are unavoidable if somebody wants to do it. Maybe training can help here.
Dr.T
User Rank: Ninja
6/29/2018 | 8:57:49 AM
Confidential
In a study of over 1 million employee messages, the "Human Behavior Risk Analysis" report found that confidential information is shared in one out of every 118 public communications. This number shows quite a high level; in a Slack environment we tend to share confidential information as we do in email.
Dr.T
User Rank: Ninja
6/29/2018 | 8:54:22 AM
Negative sentiment
The study shows that one out of every 380 public messages receives a negative sentiment score. That makes sense; you can really get a lot out of an ESN site.
Dr.T
User Rank: Ninja
6/29/2018 | 8:52:17 AM
Passwords in private channels
Private communication channels are worse. Private conversation messages are 165% more likely to contain identification numbers and 76% more likely to contain passwords. I agree, I constantly see passwords being shared in Slack channels, regardless of whether they are private or not.
Dr.T
User Rank: Ninja
6/29/2018 | 8:49:51 AM
Re: IT Security Hygiene for employees
Frequently we find clients that have their entire Google Drives open. Obviously a bad practice. It needs to be least-privileged access on the drive. ESNs are a little bit different; you need more collaboration options than not.
Dr.T
User Rank: Ninja
6/29/2018 | 8:47:59 AM
Re: IT Security Hygiene for employees
I think there is a lot of confusion about what can be seen and who can view it. There are certain levels of controls on enterprise social networking tools such as Facebook Workplace, but I agree it needs to be adjusted to company culture to avoid the issues that come with it.
Dr.T
User Rank: Ninja
6/29/2018 | 8:46:13 AM
Re: Similarities to physical security
Just last week my office ran an active shooter seminar. Congratulations on this practice, it is important to create awareness for the employees on this issue.