September 22, 2016

Over 6,000 vulnerabilities went unassigned by MITRE's CVE project in 2015

Why does MITRE not have assignments for vulnerabilities identified via other sources? Why haven't the CNAs shared their own disclosures with MITRE so that CVE can reflect the information, instead of leaving entries in RESERVED status, which shows nothing? Why aren’t CNAs assigning IDs to all of the vulnerabilities they disclosed, since some of the unassigned vulnerabilities are in their products? VulnDB shows 14,914 vulnerabilities disclosed in 2015. Within that set, only 8,558 vulnerabilities have CVE-IDs assigned to them. That leaves 6,356 vulnerabilities with no CVE-ID, and likely no representation in a majority of security products. ... While these numbers are bad, what's worse is that the industry has already felt the impact of an attack against a vulnerability that wasn't assigned a CVE-ID.


EastWest Institute Launches Cybersecurity Guide for Technology Buyers

“As cybersecurity vulnerabilities continue to increase, every corporation and government needs guidance to better understand the impact of their purchasing decisions on the security and integrity of their enterprises,” said Steve Nunn, CEO and President, The Open Group. “Every organization should be questioning their suppliers concerning risk management, product development, cyber and supply chain security and best practices. This Buyers Guide supports conformance with international standards and, where appropriate, process-based certification programs that help answer some of these critical questions.”


Lockdown! Harden Windows 10 for maximum security

Windows 10 also introduces Device Guard, technology that flips traditional antivirus on its head. Device Guard locks down Windows 10 devices, relying on whitelists to let only trusted applications be installed. Programs aren’t allowed to run unless they are determined safe by checking the file’s cryptographic signature, which ensures all unsigned applications and malware cannot execute. Device Guard relies on Microsoft’s own Hyper-V virtualization technology to store its whitelists in a shielded virtual machine that system administrators can’t access or tamper with. To take advantage of Device Guard, machines must run Windows 10 Enterprise or Education and support TPM, hardware CPU virtualization, and I/O virtualization. Device Guard relies on Windows hardening such as Secure Boot.
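As an added example, not code from the article or from Microsoft, the following PowerShell snippet lets an administrator confirm whether the pieces described above are actually active on a given machine: it reads the Win32_DeviceGuard CIM class for virtualization-based security and code-integrity policy status, then runs the same kind of Authenticode signature check that a signature-based whitelist relies on. The file path is a placeholder to be replaced with the binary you want to inspect.

```powershell
# Added example (not from the article): report Device Guard / VBS status and
# show the Authenticode check behind a signature-based application whitelist.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
    0       { 'not enabled' }
    1       { 'enabled, not running' }
    2       { 'running' }
    default { 'unknown' }
}

# CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode only, 2 = enforced
$ci = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
    0       { 'off' }
    1       { 'audit' }
    2       { 'enforced' }
    default { 'unknown' }
}

[pscustomobject]@{
    VirtualizationBasedSecurity = $vbs
    CodeIntegrityPolicy         = $ci
    # SecurityServicesRunning values: 1 = Credential Guard, 2 = hypervisor-enforced code integrity
    SecurityServicesRunning     = ($dg.SecurityServicesRunning -join ',')
}

# Signature check on a candidate binary. Placeholder path; substitute the file to inspect.
$target = 'C:\Path\To\app.exe'
$sig = Get-AuthenticodeSignature -FilePath $target
if ($sig.Status -eq 'Valid') {
    "{0}: valid signature from {1}" -f $target, $sig.SignerCertificate.Subject
} else {
    # NotSigned, HashMismatch, UnknownError, etc.: a signature-based whitelist would refuse to run this file
    "{0}: signature status {1}; would be blocked by a signature-based whitelist" -f $target, $sig.Status
}
```

A code-integrity status of "audit" means violations are only logged, not blocked, which is the setting to watch for when verifying that a lockdown policy is actually enforced rather than merely configured.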


What do IT administrator skills mean now?

The role of the IT administrator will definitely need to change as data centers hybridize across multiple types of private and public clouds, stacks of infrastructure converge and hyper-converge, and systems management develops sentience. Of course, change is inevitable. But how can old-school IT administrators stay current and continue providing mastery-level value to their organizations? I'd recommend paying attention to current trends and emerging capabilities. Become an expert in how the organization can best use those trends. ... The future of IT is about creating higher-level value individually while leveraging core expertise widely -- developing the deepest insights, but sharing them as widely as needed to get an optimized return on the IT investment that businesses make.


IBM says: ‘Swift is now ready for the enterprise’

With Swift on the Cloud, enterprises will benefit from faster back-end API performance, safer and more reliable transaction and integration support, and the ability to re-purpose Swift developer skills on the client and server-side. This integration delivers tangible benefits to enterprise IT. City Furniture was building an app to handle clearance furniture. They had intended to build their front end apps in Swift, but were able to work with early versions of the tools IBM introduced today to build the back end code in the same language. “They were able to build that in an incredibly short time, a few weeks,” he said. City Furniture is a perfect example of the kind of small, nimble development teams that will underpin the future of enterprise IT. “They had one developer and we helped them a bit. That one developer was also able to contribute to the project


9 Ways To Ensure Cloud Security

Whether you’ve migrated some or all of your infrastructure to the cloud, or are still considering the move, you should be thinking about security. Too often, organizations assume a certain level of protection from a cloud service provider and don’t take steps to ensure applications and data are just as safe as those housed in the data center. The sheer range of cloud technology has generated an array of new security challenges. From reconciling security policies across hybrid environments to keeping a wary eye on cloud co-tenants, there is no shortage of concerns. An increasingly complex attack landscape only complicates matters and requires security systems that are vigilant and able to adapt. Here are nine tips to consider before, during, and after a cloud migration to stay ahead of the curve when evaluating security solutions for your cloud service.


Cyber Security Threat Detection – The Case for Automation

The good news is that advances in threat detection technology have significantly improved the enterprise’s ability to detect and stop these threats and prevent extensive damage. The challenge, however, is that many of these technologies demand an army of human security analysts to interpret threat indicators and determine the appropriate course of action, including elimination and clean up. With hundreds, if not thousands, of varying levels of threat flags per day, this task is like holding back the tide; it is nearly impossible for security teams to keep up with the flow of information and still perform other ongoing responsibilities in prevention and analysis. Not surprisingly given their frequency, many of these alerts are often ignored.


Taking Risks To Manage Risk: The Life Of The Modern IT Security Executive

Risk isn’t something that many IT security professionals are comfortable with. After all, they’re often employed to reduce the risk of attacks on corporate IT. ... Doing things differently often comes with the risk of failure, which can have negative consequences to a company’s IT security. But the IT security space is dynamic; new technologies, solutions and strategies come out regularly and CISOs need to keep pace with these developments. “The biggest risk at the moment is doing nothing — you’re at risk of becoming irrelevant,” CSIRO CISO and lead architect Angus Vickery said at SINET61. “You have to do something to ensure you’re continually relevant because the horse will bolt without you anyway.” ... “Modern CISOs need to have an open mind.”


Security framework released for industrial Internet of Things

The security framework goes along with reference architecture, connectivity and other guides previously published by the consortium. This document separates security evaluation into endpoint, communications, monitoring and configuration building blocks, each with implementation best practices. It also breaks the industrial space down into three roles: component builders (who build hardware and software), system builders (better known to readers here as system integrators) and operational users. To ensure end-to-end security, the consortium notes industrial users must assess the level of trustworthiness of a complete system. As for the future, the concluding note in the framework points out that as the sheer volume of data required for managing devices increases, there’s a point where centralized security management ceases to be effective and efficient.


Five Strategies For Creating a Culture of Data Security

When data protection is prioritized and done well, it provides more disciplined operations, increased customer and stakeholder trust, and minimized risk. One of the best ways to protect company information is to create a corporate culture that views information security as a shared responsibility among all employees. This can be done by implementing regular and comprehensive training programs for all employees on the right way to manage, store and destroy physical and digital data. ... Experts suggest that employees may forget 50 percent of training information within one hour of a presentation, 70 percent within 24 hours and an average of 90 percent within a week. When you consider this, it is clear that training once a year or on an ad-hoc basis is insufficient to ensure valuable customer, employee and business data is being protected.



Quote for the day:

"Relative to all the other risks companies face, the cyber risks often aren't as big a deal as we think. It may be bad for you if you are the victim, but it doesn't change the behavior or strategy of a company." -- Sasha Romanosky