Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
97% of Americans Can’t Ace a Basic Security Test
Newest First  |  Oldest First  |  Threaded View
REISEN1955
REISEN1955,
 User Rank: Ninja
5/24/2019 | 8:40:13 AM
Re: OK but websites are not everything
I addressed just home users - my bad as most people go to work and therein, not having a basic idea, also commit stupid mistakes in judgment.  There is a video here of the subject on user education being critical as the front line of defense - all true. An amazing number of issues could be avoided IF people had just a basic idea of maybe 10 or 20 NO NO NO moves.  But that rarely is done. One great inside email campaign spoofed a spoof email and if users clicked on the link, it brought them to an internal site that said in effect BAD YOU, you need corporate education and here is where to find it.  Register now.  Great idea. 
miriamguimel
miriamguimel,
 User Rank: Apprentice
5/22/2019 | 4:18:42 PM
Re: OK but websites are not everything
Lots of websites use passwords that are at least 8 characters long, but most websites unfortunately don't have 2FA, I think it's too soon for these settings

 

 
REISEN1955
REISEN1955,
 User Rank: Ninja
5/22/2019 | 1:47:46 PM
Re: OK but websites are not everything
This should really be a FULL discussion of security.  Before moving to Georgia in 2014, I performed self-employed managed services for small  business and residential - the latter was not huge money but it was a bit of income that kept good dinners on the reservation list.  And the security knowledge in sum total of all homeowners was about nill!!!   One charming older couple got whacked by the Microsoft tech scam - lost everything.  (They called when I was in Georgia and I faulted myself for lacking a domestic backup strategy).

My other residentials were technically non-compliant (read that plain dumb).  In hindsight, I should have done far more them than I did and that is through my current position in a malware forensics CSirt department - increased knowledge across the board.  I did not have THAT up north and did not pass it to my clients, my bad.  But by basis knowledge alone they were all lacking in sophistication and not one would know HTTP from HTTPS at all - even less dual authentication, complex passwords, clicking on links, etc.  
escortrides
escortrides,
 User Rank: Apprentice
5/21/2019 | 6:49:47 PM
Re: OK but websites are not everything
 


 
nYdGeo
nYdGeo,
 User Rank: Apprentice
5/21/2019 | 9:54:10 AM
More website creators is simply better?
After reading the entire post and seeing again and again how much the average citizen does not know about Cyber Security, can someone explain to me why more Americans planning on creating websites is a good thing?  Is this based on the assumption that by doing so, we're confident that they'll take the time and put forth the effort to learn the basics of website security?  If so, that seems like an assumption as best.  If anyone can help me understand this point, I'd appreciate it.
R.Hicks
R.Hicks,
 User Rank: Author
5/20/2019 | 4:41:29 PM
Re: OK but websites are not everything
While I tend to agree with you Whislock, there are also several elements missing from the story that could greatly affect the results. For example, there is no mention of the average age (only that all participants were over 16 years old) and I'd expect poorer performance from an octogenarian than a millenial. If the average age were 30 though I would be more concerned. Alsom the sample size was only 2,000, which is not a representative sample of all Americans. I do see REISEN1955's point though - whether or not a website uses HTTP vs. HTTPS isn't necessarily indicative of whether or not the link is "OK" as the article states and there is far more to security than URL analysis. I think a link to the poll and more information about the sample that participated would help clarify the severity of the findings.
whislock
whislock,
 User Rank: Apprentice
5/20/2019 | 2:17:29 PM
Re: OK but websites are not everything
I have to ask why you'd even say this. There's a certain "hierarchy of knowledge" when it comes to non-technical users. Below multi-factor authentication, below VPNs (commercial VPN services are a massive security issue, why would you say this?), below the recognition of suspect software, you have the base of the pyramid, which is a basic understanding of the everyday security concepts of using the Internet and what threats exist. No, websites aren't everything, but websites are 99% of what the everyman does on the Internet day to day. If they lack even that basic understanding, why would you even suggest more advanced security concepts? That's like telling them to install a state-of-the-art home security system with all the bells and whistles when they can't even figure out to close the front door.
REISEN1955
REISEN1955,
 User Rank: Ninja
5/20/2019 | 12:40:41 PM
OK but websites are not everything
What about complex passwords?  Dual authentication?  Reading suspect emails and acting on them?  Patch updating a system?  Intallation of suspect software often with PUPs?  Usage of a VPN service?  All important too and many likely to infection and perhaps destroy a system.  Websites are not everything. 


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-1142
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
CVE-2023-1143
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
CVE-2023-1144
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
CVE-2023-1145
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
CVE-2023-1655
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.