It’s been another fantastic year on The State of Security blog. With over 350 blogs published from all walks of the security community, we like to think of the blog as more of an industry resource that caters to not only experienced security professionals but also to those who are new to the community. To finish the year off, I wanted to look back on some of my personal favorites. I’ve tried to include a mixture of different styles, topics and authors. If you haven’t already, have a read of the 10 State of Security blog posts below and sign up to our daily feed here.
Mitigating Risk and High-Risk Vulnerabilities in Unsupported Operating Systems: BlueKeep Edition | By Gary DiFazio
BlueKeep (CVE-2019-0708) was big news in 2019. The vulnerability was described as “wormable” by Microsoft, and users were warned that BlueKeep might be exploited in a similar fashion to how the WannaCry ransomware used the EternalBlue vulnerability to spread widely in 2017. As with WannaCry, many organizations were vulnerable to this exploit, especially those still running operating systems like Windows XP. In this blog, ICS security expert Gary DiFazio looks at the impact this vulnerability has on the ICS environment and provides some tips to help users stay secure. Read the full blog here.
6 Common Phishing Attacks and How to Protect Against Them | By David Bisson
It’s almost 2020, and phishing attacks still don’t show any sign of slowing down. In this blog, David Bisson looks at six of the most common methods of phishing attacks and then provides useful tips for readers on how they can protect themselves. Also, this blog is complemented by some great graphics to share with your colleagues, family and friends. Read the full blog on the State of Security here.
Ransomware victim hacks attacker, turning the tables by stealing decryption keys | By Graham Cluley
What happens when a software developer gets hit by ransomware and has to pay over $700 to get the decryption key? Well, this developer decided to hack the very people who were responsible for the attack. Not only did he get the decryption keys; he then searched out other victims so he could provide them with the decryption keys for free. Read the full blog here.
ATT&CK Structure Part II: From Taxonomy to Ontology | By David Lu
This is part two of a series written by Tripwire security researcher David Lu. Part one describes some structural problems in MITRE’s ATT&CK adversarial behavior framework. In Part 2, David looks at the background of formal ontology, some basic concepts, its uses, its failures and successes, and how to think about ATT&CK as an adversarial behavior ontology. Read the full blog on the State of Security here.
The 7 Habits of Highly Effective Vulnerability Management | By Tim Erlin
We’ve all read The 7 Habits of Highly Effective People, haven’t we? In this blog, Tim Erlin, VP of product and strategy at Tripwire, takes the principles behind the book and applies them to vulnerability management. Not only is it a great read for anyone interested in vulnerability management; Tim also explains it all in a video at the end. Read the full blog here. You should also check out Angus Macrae’s follow-on blog post, Living the 7 Habits of Highly Effective Cybersecurity.
Journey to OSCP – 10 Things You Need to Know | By John Wenning
In this blog, John Wenning talks us through his OSCP journey. He provides a brief description of what OSCP is and how it differs from other certifications. He also provides some excellent advice that will be of help if you choose to pursue certification. Read the full blog here.
Vulnerability Management: Myths, Misconceptions and Mitigating Risk | By Various Authors
Vulnerability management is a much-talked-about practice in the IT security industry. Whether it is the debate on vulnerability scoring, how to implement a suitable vulnerability management program, or trying to convince leadership that a vulnerability management solution alone won’t solve all your cybersecurity issues, the debate is still strong. To help us understand this topic further, we asked a range of industry experts two questions:
- What’s one common myth or misconception around vulnerability management?
- What is a key factor to consider when prioritizing vulnerability risk?
Answers come from the likes of @TheRealKhimji, @MrJeffMan, @martijn_grooten, @kwestin, @3ncr1pt3d, @pink_tangent and more! You can read the full blog on the State of Security here.
Why OPSEC Is For Everyone, Not Just For People With Something To Hide – Part II | By Stuart Peck
What is OPSEC? Why is OPSEC important for EVERYONE to understand, not just people with something to hide? In this blog, Stuart Peck looks at how oversharing can impact your online safety, illustrating the point with impactful online case studies. Read the full blog here.
How to Implement an Efficient Cloud Security Strategy: The Experts Guide | By Various Authors
We asked 15 cloud security experts to share their thoughts on some of the key cloud security challenges and to provide advice on how organizations can implement a cloud security strategy that will keep them secure. Including videos from @shehackspurple, @terlin and @phat_hobbit along with written responses from @treguly, @TrialByTruth and @lmacvittie, this was one of the most insightful and inspiring blogs from 2019! Interested in reading their responses? Check out the answers here.
What is GOLDENDOODLE Attack? | By Craig Young
And finally, we come to GOLDENDOODLE! GOLDENDOODLE is the name Tripwire VERT principal security researcher Craig Young gave to exploiting modern TLS stacks using the classic CBC padding oracle technique. Back in March of 2019, GOLDENDOODLE could be used to hijack authenticated TLS sessions. To learn more about Craig’s discovery earlier in the year and how it was being used, read the full blog on the State of Security here.