Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19698 PUBLISHED: 2019-12-10
marc-q libwav through 2017-04-20 has a NULL pointer dereference in wav_content_read() at libwav.c.
CVE-2019-4428 PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
CVE-2019-4611 PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
CVE-2019-4612 PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-4621 PUBLISHED: 2019-12-09
IBM DataPower Gateway 7.6.0.0-7 through 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.
User Rank: Ninja
8/7/2018 | 6:45:14 PM
Where Adam has "What you don't know can hurt you.", I'd add: You can't protect what you don't know you have. You can't protect data unless you know you have it, and know where it's stored - EVERYWHERE it's stored: every copy, every version, every device, every service, every B2B partner, even the data which can be reconstituted from disparate stores and sources, even the bio-memory of your knowledge workers, past and present. Too many places? Next time, limit the places to where it's needed.
For vast amounts of data, it's too late to regain control (control which was an illusion to begin with); but new data is generated all the time - you do have a chance to do a better job of data governance with that. However, if you don't have an understanding of the fundamental nature of data and information, you're bound to repeat the old mistakes even if you find new ways (or new ways find you) to do that. Forget the idea of just protecting your "sensitive" data; in time, someone will find a way to make use of any data you leave unprotected to get at the crown jewels.
You have to start somewhere, so start with this: don't put any data in front of anyone or on anything that doesn't need that specific data to do a specific job, and only while they are doing that specific task (not whenever they feel like it). I mean a specific person, not a job title. Make sure your authentication and authorization always resolve to an entity - not a type.