This is the conclusion to a three-part series of building a successful vulnerability management program. The first installment focused on Stage One, the vulnerability scanning progress. Without a foundation of people and process, the remaining stages are prone to failure. The second installment focused on Stage Two and Three, using a vulnerability...

For twenty years people have been running Java in their browsers. And for much of that time, malicious hackers have been exploiting vulnerabilities in the plugin to infect computers. Although the number of outbreaks caused by zero-day vulnerabilities found in the Java plugin has reduced in recent years, many users have found it hard to muster move...

Critical infrastructure is under attack with disastrous implications that could alter our environment, such as disrupting service or even threatening public safety. The Ukraine attack resulting in six hours of loss of power for more than 80,000 customers is a recent reminder. According to an October 2015 report in CyberWarNews, “every bit of U.S....

It’s not much of a stretch these days to say that technology is becoming essential to our daily lives. We trust so much to our technology, from our bank accounts and financial statements to sensitive medical records and even (potentially) embarrassing personal information. We have complex interactions with non-human entities in which we share...

In my previous post in this series, we discussed that a "SIEM" is defined as a group of complex technologies that together, provide a centralized bird's-eye-view into an infrastructure. Furthermore, it provides analysis and workflow, correlation, normalization, aggregation and reporting, as well as log management. In this next post, I hope to answer...

Recently, I introduced a three-part series on how to build a successful vulnerability management program. The first installment examined Stage 1, the vulnerability scanning process. My next article investigates Stages 2 (asset discovery and inventory) and 3 (vulnerability detection), which occur primarily using the organization’s technology of choice...

Last September, CloudFlare detected a large-scale browser-based L7 flood. Over the course of the distributed denial of service (DDoS) attack, 650,000 IP addresses sent out a total of 4.5 billion HTTP requests, with the campaign peaking at 250,000 requests per second. After investigating the incident, the security company concluded that the attack...

Today’s VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-652 on Wednesday, January 13th. Ease of Use (published exploits) to Risk Table Automated Exploit Easy ...

eBay has patched a cross-site scripting (XSS) vulnerability that attackers could have exploited in order to steal users' passwords. A researcher who goes by the name MLT explains in a blog post how he was able to exploit a "fairly basic" XSS vulnerability without needing to resort to any additional measures, such as bypassing the WAF, in order to...

Is using ad blocking software stealing or is it a sound security practice? On one hand, many websites and content creators make money from advertising. They certainly deserve to be compensated for their time and effort. On the other hand, advertising – at best – can be annoying, and at worst, can serve up malware, suck up bandwidth and redirect...

An enterprise vulnerability management program can reach its full potential when it is built on well-established foundational goals that address the information needs of all stakeholders, its output is tied back to the goals of the enterprise, and there is a reduction in the overall risk of the organization. Such vulnerability management technology...

Fancy earning $100,000? Of course, you do. Well, now there's an opportunity to earn a huge reward if you can demonstrate how Adobe Flash can be exploited. Sounds good right? Well, here's the bad news for the rest of us: it's not Adobe offering the money in the form of a bug bounty. Less than a month ago, Adobe proudly announced a series of security...

Researchers have confirmed that a variant of the BlackEnergy malware was behind a power outage that occurred around Christmas Eve last year. Reuters reports that the Western Ukrainian power company Prykarpattyaoblenergo reported on outage on December 23rd that affected an area including the regional capital Ivano-Frankivsk. A subsequent...

2015 was an eventful year for cyber security. Major vulnerabilities, including Superfish, "No iOS Zone" and CVE-2015-2502 made waves in the infosec community, as did a variety of criminal collectives – including Lizard Squad, Phantom Squad and DD4BC – that use distributed denial-of-service (DDoS) attack campaigns to get what they want. Let's also...

Adobe has released an out-of-band security update that fixes 19 'critical' vulnerabilities found in Flash Player. On Monday, the United States Computer Emergency Readiness Team (US-CERT) issued an alert advising users and administrators alike to refer to Adobe Security Bulletin APSB16-01. In that bulletin, Adobe provides some context on the...

In the Internet of Things (IoT) era that we have entered, it is becoming apparent to me that nothing follows a linear progression anymore. The abstract models created by start ups, which can and often do disrupt the industry, promote new ways of engaging in business that are not common sense. To illustrate this, I’ve made a list of examples that...

Almost every week, we hear about a new data breach in the news that reports about a major company losing millions of usernames, passwords, credit card numbers, banking transactions after falling victims to a cyber attack. As per a recent report released by Imperva on Web Application attacks, SQL Injection (SQLi) saw the biggest rise compared to last...

A recent article by The Financial Times argues that boards should be looking to employ younger directors to tackle the cyber security “problem." Meanwhile, the EU has unveiled the proposed Network and Information Security Directive. Think about the psychology here, really… The more we raise the bar and levels of expectations, given the volume of...

If your doctor walks into the exam room for your annual physical and listens to your heart, takes a quick look at your throat, and then gives a clean bill of health without asking many questions, a quick interaction might make you feel good if you’re not worried about your health. However, if you haven’t been feeling well, or if you are at risk for...

Earlier this fall, a contributor to The State of Security explained that one of the greatest privacy and security challenges confronting our smartphones today are the apps we choose to install. He noted in his post how app developers often make money by harvesting data from users' devices and in turn selling this information to marketers. They also...