Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3493PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
CVE-2021-3492PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
CVE-2020-2509PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q...
CVE-2020-36195PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
CVE-2021-29445PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
0 Comments
Tweet This
User Rank: Apprentice
3/15/2013 | 4:46:32 AM
Lately, I've been asking myself whether the lack of 'success' achieved by DiD is due entirely to the factors already mentioned by many of those who responded to this article or if in fact its our 'thinking' about such strategies that is really the issue. Reading the quotes in this article, I was reminded of that line from Samuel Beckett's play, 'Waiting for Godot" .. -á-áThereGÇÖs man all over for you, blaming on his boots the faults of his feet".-á
It's my view that while there is ample evidence that the DiD strategy, when executed incorrectly, does not-áyield-áthe expected results; it can also be argued that successful, ongoing-áexecution of the strategy relies too heavily on factors and resources not readily available to most users (knowledge, skills, etc.)
It also is apparent that our 'adversaries' have the-áadvantage-áof fighting a-águerrilla-style-áwar against security professionals in which the very tools we use to blunt their attacks are being turned against us. I've noticed an inherently,-áasymmetrical aspect to each battle-ásecurity professionals fight; -áthe advantage is our adversaries' learn more about our defenses,-áadapt-áfaster, and with greater agility of deployment than we obtain from our analysis of their attacks. The evidence cited by the article about the continuing increase in security breaches despite greater security spend suggests that we defenders are missing something-áfundamental in our attempts to build better security systems and controls.-á
So in what new direction should we be looking to find a way to turn the tide of this war in our favor? I've taken a closer look at the fundamental underpinnings of my own approach to thinking about security strategy and I found a few insightful and thought-provoking ideas in the work done by-áJames A. Dewar of the RAND Corporation on Assumption-Based Planning (ABP) and that of Prof. Richard Heeks of the University of Manchester's, "design reality gap" model. I hope to have a paper submitted to ISACA by the end of the summer which discusses how one might apply these ideas to develop a new-áapproach in-ábuilding security infrastructure.-á