Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Communication - The Forgotten Security Tool

Security professionals have many tools in their toolbox. Some are physical in nature. (Wireshark, Mimikatz, endpoint detection and response systems and SIEMs come to mind.) Others not so much. (These assets include critical thinking faculties, the ability to analyze complex processes, a willingness—some call it a need—to dig in and find the root cause of an issue and a passion to learn and keep learning.) One such tool that’s often overlooked is communication.

Jira Security Vulnerability CVE-2019-11581

On 10 July 2019, Atlassian released a security advisory for a critical severity vulnerability in most versions of Jira Server and Jira Data Center. The vulnerability was introduced in version 4.4.0, released in 2011, and affects versions as recent as 8.2.2, released on 13 June 2019. The good news is that users of Jira Cloud are not affected. But how many organizations are running Jira Server or Jira Data Center, and are vulnerable to this attack?

Back to Basics: Infosec for Small and Medium Sized Businesses

Too many small and medium-sized businesses (SMBs) are under the belief that purchasing “This One Product” or “This One Managed Service” will provide all the security their network requires. If this were true, large corporations with huge IT budgets would never have data breaches! Before you start buying expensive new technology to protect your office network, take some time to examine your internal infosec processes. Make sure you are covering the basics.

Why Life Sciences Needs the Science of Security

Those who have worked in the life sciences industry have undoubtedly observed a sea change in the discipline over the past twenty years. From new modalities (like CAR-T and microbiome) to external collaborations, the way drugs are developed in the 21st century is more complex, more distributed, and faster. Alongside fundamentally new discoveries is a pan-industry shift from on-premises computing to the cloud.

Understanding the PCI Levels of Compliance

While every merchant and service provider that processes, stores, or transmits credit card data must comply with the Payment Card Industry Data Security Standard (PCI DSS), not all must travel the same path to PCI compliance. The amount of risk an organization faces depends on a variety of factors. Recognizing these differences, the PCI Security Standards Council developed four compliance levels for merchants and two for service providers.

Cloud Security and Risk Mitigation

The cloud certainly offers its advantages, yet as with any large-scale deployment, the cloud can offer some unforeseen challenges. The concept of the cloud just being “someone else’s data center” has always been a cringe moment for me because this assumes release of security responsibility since ‘someone else will take care of it’.

U.S. Coast Guard Releases Cybersecurity Measures for Commercial Vessels

Have you ever seen the bridge of a commercial cargo shipping vessel? It is like a dream come true for every kid out there–a gigantic PlayStation. Unfortunately, maritime computer systems are also attractive to malicious cyber actors. Illustrating this interest by malicious individuals, the U.S. Coast Guard issued a safety alert warning all shipping companies of maritime cyber attacks.

Climbing the Vulnerability Management Mountain: Gearing Up and Taking Step One

As I discussed in the first blog in this series, the purpose of this series is to guide you on your journey up the Vulnerability Management Mountain (VMM). Like climbing a mountain, there is a lot of planning and work required, but when you get to the top, the view is amazing and well worth the journey. For the first phase, let’s start by planning the trip up Vulnerability Mountain. When you get ready to climb a mountain, you need gear, and you need to know what to ask for at the store.