It’s that time of year again where Black Hat and DEF CON are fast approaching and everyone interested in security will descend upon Las Vegas. While Craig Young will be there with his sold out Introduction to IoT Pentesting with Linux, I will be keeping my 2008 promise to myself and avoiding Vegas like the plague. I am, however, happy to announce...

On 16 July 2019, UK’s National Cyber Security Centre (NCSC) released the second annual report of the Active Cyber Defence (ACD) program. The report seeks to show the effects that the program has on the security of the UK public sector and the wider UK cyber ecosystem.The Active Cyber Defence ProgramNCSC was set up in 2016 to be the single...

The subject of the cyber security talent shortage has been over-reported to the extent that no one wants to talk about it anymore. Even more than that, the only solution that really ever gets mentioned is developing more university cyber programs. But that solution is dead wrong—or at least it misses the crux of the issue completely. Before I go any...

Wouldn’t it be an easier life if we didn’t have to worry about the exploitation of vulnerabilities in solutions and software on which we have spent good time and resources? A world where correctly configured systems configured were left alone to perform their functions until they became redundant and/or needed replacing? It is a beautiful dream....

A multi-cloud network is a cloud network that consists of more than one cloud services provider. A straightforward type of multi-cloud network involves multiple infrastructure as a service (IaaS) vendors. Can you use AWS and Azure together? For example, you could have some of your cloud network’s servers and physical network provided by Amazon Web...

Too many small and medium-sized businesses (SMBs) are under the belief that purchasing “This One Product” or “This One Managed Service” will provide all the security their network requires. If this were true, large corporations with huge IT budgets would never have data breaches! Before you start buying expensive new technology to protect your...

It may be possible to democratize security by making it more accessible to average companies through community resources. We have an idea or two but we would appreciate your thoughts. At the 2019 RSA conference, Matt Chiodi, Chief Security Officer of Palo Alto Networks stated: “… small organizations are using on average between 15 and 20 tools,...

As I discussed in the first blog in this series, the purpose of this series is to guide you on your journey up the Vulnerability Management Mountain (VMM). Like climbing a mountain, there is a lot of planning and work required, but when you get to the top, the view is amazing and well worth the journey. For the first phase, let's start by planning...

Have you ever seen the bridge of a commercial cargo shipping vessel? It is like a dream come true for every kid out there--a gigantic PlayStation. Unfortunately, maritime computer systems are also attractive to malicious cyber actors. Illustrating this interest by malicious individuals, the U.S. Coast Guard issued a safety alert warning all shipping...

A malvertising campaign is redirecting users to the RIG exploit kit for the purpose of loading ERIS ransomware onto vulnerable machines. Over the 5-7 July weekend, security researcher nao_sec discovered a malvertising campaign that was abusing the popcash ad network to redirect users to a landing page for the RIG exploit kit. The researcher told...

Today’s VERT Alert addresses Microsoft’s July 2019 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-839 on Wednesday, July 10th. In-The-Wild & Disclosed CVEs CVE-2019-0865 This vulnerability describes a denial of service that occurs when SymCrypt processes specially crafted digital...

In Part I, I described some structural problems in MITRE’s ATT&CK adversarial behavior framework. We looked at a couple of examples of techniques that vary greatly in terms of abstraction as well as techniques that ought to be classified as parent and sub-technique. Both examples are borne out of the lack of hierarchical structure among techniques...

Speed and security. Old-fashioned thinking contended that the two were incompatible; that high-velocity development and deployment of apps and software services invariably introduced higher levels of risk. However, it has become increasingly apparent that speed is a necessary aspect of security. The stakes are sky-high, with some estimates...

If you are a security practitioner, then you may have noticed that much of the security industry exists because of vulnerabilities. Regardless of what job position you occupy, vulnerabilities are oftentimes the reason why you wake up every morning and ultimately engage infosec from within your cutting-edge working environment. Vulnerabilities will...

The United States Senate has passed a bill to help strengthen the defenses of the U.S. energy grid against digital attacks. On 27 June, the Senate passed the Securing Energy Infrastructure Act. Introduced by U.S. Senators Angus King (I-Maine) and Jim Risch (R-Idaho), the main purpose of the bipartisan bill...

Tripwire's June 2019 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Oracle, and Adobe. First and most importantly this month are patches available to resolve 2 deserialization vulnerabilities in Oracle WebLogic. These vulnerabilities are identified as CVE-2019-2725 and CVE-2019-2729. Both of these...

Vulnerability management (VM) is an essential process through which organizations can reduce risk in their environments. But myths and misconceptions surrounding VM abound. For instance, organizations commonly approach vulnerability management in the same way as they do patch management. Others are guilty of believing that all attacks rely on...

Following last year’s exceedingly successful inaugural MITRE ATT&CK™ conference, this year’s highly anticipated ATT&CKcon 2.0 conference will be held from Oct 28-30 at MITRE’s McLean headquarters. MITRE’s always open to hearing feedback about the limitations of the ATT&CK framework and how to make ATT&CK more useful. Today, I want to look at the...

In the attacker's world, all vulnerabilities and potential exploits work toward the hacker's advantage — not yours, not mine. This includes WordPress hacks. While living back east (over a decade ago), I was friends with several small business owners. One weekend morning, the owner of the local photography studio called me at 7 am and said: "I think...