You likely heard last week about the new Spectre and Meltdown vulnerabilities that affect nearly every processor. If you haven’t followed all the reports, here’s a quick rundown about these vulnerabilities:
Security and privacy experts – not to mention federal government agencies – are still reeling from the disclosure by WikiLeaks of the CIA’s cache of hacking and surveillance technologies that was released a few weeks ago. Among those disclosures, however, was a particularly interesting finding: the existence of “HammerDrill 2.0,” a cross-platform security toolkit that can breach the air gap.
The past week has provided some interesting revelations around the Internet of Things (IoT). As we all know, the IoT is that collection of generally unmanaged devices with embedded connectivity to the Internet. From cars, to refrigerators, thermostats, televisions and more, the IoT seeks to connect everything it can to the world’s largest global network. Conceptually, the IoT is a great thing: it can lead to more efficient use of energy, customized manufacturing, faster transportation and much more. However, as we’ve seen in the past ten days, there’s a dark side to the IoT.
Over the past two weeks, the security industry has seen some disclosures (or in one case, a half-disclosure) of vulnerabilities within their products. In at least two of these cases, we know that these vulnerabilities could have led to a significant compromise of data and systems. But what’s really interesting about these two vendors is how they responded to the discovery.
Businesses must take IT security seriously because their financial future depends on it. IT security is a broad topic that covers a range of different fields.
Here we'll discuss common vulnerabilities and why companies must ensure their operational systems are well-protected from cybercriminals.
"Injection vulnerabilities are one of the most common and oldest web application vulnerabilities."
1. Injection vulnerabilities
Injection vulnerabilities, such as cross-site scripting and CRLF injection, are among the most common and oldest web application vulnerabilities because they are easy for cybercriminals to reach and exploit (or infect).
In a recent article on Credit Union Journal, I wrote about how to go beyond risk management to assess vulnerabilities in order to secure your data. It’s important to understand that vulnerability and risk are not the same thing. Risk is the probability of the vulnerability being exploited multiplied by the cost of damage it will cause. This is required for risk evaluation and will help you focus your remediation efforts as well as define compliance boundaries. Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities especially in software and firmware. It works by analyzing computer systems for known vulnerabilities such as open ports, insecure software configuration, susceptibility to malware, etc.
If your organization is subject to PCI DSS 3.2 compliance, you’re likely aware of the looming deadline mandating the migration away from the use of SSL and TLS v1.0 to a “secure” version of TLS, as defined by NIST (currently v1.1 or higher). The PCI Security Standards Council previously released a bulletin on the migration to help explain the reasons for the change and what steps are necessary. While the PCI Security Standards Council has extended the deadlines for compliance, there are very real reasons not to wait to make the move.
In spite of the headline-making hacks of Sony, Anthem, and many other organizations, many business executives still haven’t prioritized cybersecurity as a top concern. A 2015 NTT Com Security survey showed that half of its participants were not prepared for a cyber attack. Yet hacks are becoming more frequent, and hackers are taking more creative approaches and finding more opportunities to strike. Executives that neglect cybersecurity place their companies at greater risk of a data breach.
With bugs like the glibc vulnerability announced nearly every day, it’s important to consider how your organization handles vulnerability management. How do you know which of your critical systems are exposed to which new vulnerabilities? If you had only one server or device to keep track of, you might know all the details of the device’s configuration: which software is running, and which versions are installed. But even then, keeping up with the latest CVE announcements and identifying which of these affect your system may be overwhelming, particularly if maintaining the device is not your only job. If you’re like many of the IT professionals we speak with every day, you’re wearing many hats and fighting constant fires. Therefore, it becomes critical to construct a comprehensive vulnerability management program to protect your organization. Here are three things every security professional should consider when building a vulnerability management program:
Last week, engineers at Google announced the latest vulnerability to be identified in Linux systems. Like last year’s GHOST vulnerability, this bug affects Linux devices that utilize the GNU C Library (glibc). Because the library is widely used in Linux systems, the vulnerability may be present in nearly any Linux-based device.