A selection of this week’s more interesting vulnerability disclosures and cyber security news. After last week’s news about a part of Docker Hub being exposed, things have got just a little bit worse. One of the most popular images has a root account vulnerability. Now, with someone knowing what people have, and that there is a potential hole, a target list becomes massively reduced…
A control weakness is a failure in the implementation or effectiveness of internal controls. Malicious actors leverage internal control weakness to circumvent even the most robust security measures. The wide range of internal controls, the increased number of new technologies, and the rate at which malware evolves necessitate data security control monitoring. Regularly monitoring allows organizations to test the effectiveness of their internal controls and expose weaknesses in their implementation.
Today, software is being developed at a breakneck speed. Agile development and the aggressive adoption of DevOps is leading to an abundance of functionality and feature sets, or pieces of code pushed out to consumers at a record pace. These one-click opportunities may indeed get us what we want, however, the game remains the same. The Achilles Heel is security vulnerabilities, regardless of technology maturity or speed of release.
One of the best parts of working on the Open Policy Agent at Styra is that we get to help people design authorization systems for both their platform and their custom applications. The other day we were talking someone through the design tradeoffs of authorization for their application, and the first decision they had to make was whether they wanted a centralized authorization system or a distributed authorization system. Both OPA and Styra support either, so we have no real bias.
In the world of cyber warfare, the internet has become a vital part of every walk of life. When it comes to downloading a file from the internet to your laptop or PC, you cannot be guaranteed a 100% safety due to the existence of fast and sophisticated cyber threats. Security vulnerabilities, data breaches, viruses, and malware have become very common and result in exploitation of the originality, integrity, and authenticity of any file you download from the internet.
On 18th April 2019, @ATTCyber gathered a panel of CISOs (and recovering CISOs) for a tweetchat to discuss some of the questions that we’ve always wanted to put to senior security folk. The virtual panel consisted of Thom Langford, Quentyn Taylor, James Gosnold, Andy Rose and Raj Goel; with participation from many others. Below I’ve summed up some of the key discussion points around each questions.
Modern digital & cloud technology underpins the shift that enables businesses to implement new processes, scale quickly and serve customers in a whole new way. Historically, organisations would invest in their own IT infrastructure to support their business objectives, and the IT department’s role would be focused on keeping the ‘lights on.’ To minimize the chance of failure of the equipment, engineers traditionally introduced an element of redundancy in the architecture.
When it comes to sorting through project information, most construction professionals waste more time than you think searching for the right data. In fact, it eats up around 5.5 hours a week on average, according to a recent study by FMI.
The US Department of Labor states that most people work an average of eight hours a day, but the question is, how many of those hours are productive? Employee productivity has been getting a lot of attention lately, and some studies show that workers spend only three hours per day on work tasks. Even if that figure is somewhat exaggerated, the point is that your employees may be busy with unproductive activities while they are on the job.
Monitoring is an established component of the information security process which goes hand in hand with auditing. Auditing is used to document an organization’s compliance activities. Where monitoring protects the data by responding to threats, Auditing provides proof of a continued compliance effort. By taking a “security-first” approach, companies can use continuous auditing and monitoring to provide evidence of their cybersecurity protections.
