Within the last few days, a critical vulnerability has been discovered within OpenSSL, dubbed “Heartbleed,” which can enable an attacker to extract information from the vulnerable server’s memory. OpenSSL is a free implementation of SSL, primarily used on Linux systems and appliances such as VPN concentrators. This blog explains the impact of the OpenSSL heartbeat extension vulnerability, recommends ways to detect whether it is present in your environment, and describes how to remediate it.
“Information is power. Do you know what the Internet says about your company?”
Back in 2009 I gave a well-received talk called “Enterprise Open Source Intelligence (OSINT) Gathering” to several conferences and local security groups. More recently, I’ve been part of many discussions with my clients and others in the security community about the increase of company confidential information that is posted by employees, competitors, or even adversaries on the Internet. These conversations have prompted me to revisit this topic to see where we stand since I looked at this several years ago. The short answer is that things have changed, and in many ways quite drastically.
Only a few weeks remain and the April 8, 2014 deadline is looming for the more than 12-year-old operating system. Microsoft has even posted a countdown timer on their website to illustrate how many days, hours, minutes and seconds remain until life support ends for the Windows XP operating system.
A current state review of an organization’s security program and risk posture at a specific point in time is known as a point-in-time assessment. Point-in-time assessments are a standard practice for many organizations. This practice leads to a two-month “fire drill” in preparation for the assessment, ensuring systems are hardened, documentation is reviewed and updated, and testing and analysis is performed in an effort to ensure compliance requirements are met.
By: Chintan Davis, Infosec Institute
Every organization has a procurement process. Some of the software products acquired by an organization are COTS (Commercial Off-The-Shelf) solutions. These products are not built or developed in-house by the organization. While some COTS products need to be customized to fit into the client environment, the rest of them only need to be configured according to the organization’s needs. In certain cases, organizations have a team of third-party software consultants working to develop a product on their behalf.
Regulations, industry frameworks, “best practices,” and just good ol’ common sense require businesses to conduct thorough annual risk assessments. The depth of these risk assessments should be proportional to the size, complexity, and inherent industry risk of your business.
If you follow the start-up industry, specifically crowd-funding, you may have noticed that Kickstarter.com was breached.
The Department of Health and Human Services’ (HHS) Office of the Inspector General (OIG) announced its first investigation into alleged fraud of the 2013 EHR Financial Incentive Program, by the now-shuttered Shelby Regional Medical Center (SRMC), in Center, Texas. Specifically, their former CFO may have filed false attestations of meeting the program’s requirements and subsequently SRMC received $785,000.
Late in 2013, two blogs were released describing in great technical detail the vulnerability identified as CVE-2013-3881. The vulnerability is a NULL page dereference caused by “insufficient pointer validation” in win32k!xxxTrackPopupMenuEx and was patched as part of MS13-081, which affects both Windows 7 and Windows 2008.
A little more than a month after Target announced it suffered one of the largest data breaches in history, we now know that stolen vendor credentials were the keys to the kingdom.