Dark Reading

Comments
No Silver Bullets for Security
rzw122, User Rank: Apprentice, 3/10/2015 | 1:52:21 PM
No Silver Bullets
Another essential component is "buy-in", both from Senior Mgmt and end users. Unfortunately, at present the majority of regular technology users have no clue about the concept of Info/CyberSecurity - professionals ranging from recruiters and mid- and top-level managers to board members, attorneys and physicians give that slack-jawed look whenever the subject is mentioned - they simply do not understand.

And the InfoSec community hasn't necessarily done the best job of marketing the concept of Information Security and secure systems, so there's been very little trickle-down to average end users (those most responsible for utilizing all business systems). Recently it seems the government has stepped up efforts in its cybersecurity campaign messages, but it will take a while before the larger community starts getting it.

InfoSec practitioners can't do it alone - we all must join the fight if we are to win this battle.

LoriWigle, User Rank: Strategist, 3/5/2015 | 8:20:06 PM
Re: No Bullets for Security?

Yes, we agree. We certainly cannot keep doing things the way we have been and expect to maintain secure environments.

We believe you have to do three things: 1) Harden the Devices, 2) Secure the Comms, and 3) Manage & Monitor. Your suggestions are great examples of addressing the first two.

In addition, I'd suggest we not forget how important the monitoring and managing aspects of security are. However, the way we monitor and manage our networks will need to scale as the number of devices grows – this is done at the onset, by establishing policies that can be automatically enforced.

In looking at how things stand today, there's work to be done. And it's not an option, it is our duty to our customers and company.

macker490, User Rank: Ninja, 3/3/2015 | 10:13:45 AM
No Bullets for Security?
the title of your essay would better be: "No Bullets for Security?"

the reason is simple: if we keep on doing things the way we have, we will continue to get the same results: hackers will make fools of us all.

the first change that must be taken is to insist on secure operating software. the operating software must not allow itself to be modified by the activity of an application program -- whether by error or by intent. product liability law will be needed to ensure this.

the next change that must be taken is to adopt the general practice of authenticating transmittals using public key encryption. transmittals include everything from software distributions to e-mail and critical web pages.

next: the current practice of broadcasting x.509 certificates is not secure. every computer user should establish his/her own public key so that critical certificates can be counter-signed. what this means is broadcast certificates will be assigned only marginal trust and as such are not acceptable for financial procedures. you have to countersign the certificate yourself to validate it -- in much the same way we have to call to activate a new credit card.

Credit Unions and similar financial organizations should provide key services to members so that public keys can be countersigned and uploaded onto key servers.    this is necessary so that critical services -- such as the IRS -- can validate critical transactions -- such as Forms 1040.

there is much to be done but it is critical to start at the beginning. if we have some who resist doing things the Right Way we need to root these out, and discredit them.

Secure Computing in a Compromised Environment

in the electronic network environment we all need an identity that we can produce in public that will verify our documents and identity -- but which cannot be controlled by an imposter or hacker. to do it all you need is a secure O/S and either PGP Desktop or the GNU Privacy Guard (GPG). the tools are available and the methods are known. now the question: are we serious about solving the problem? I think we need to get serious.
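The trust model macker490 sketches above (a broadcast certificate earns only marginal trust; full trust, and with it permission for financial transactions, requires the user's own countersignature) can be made concrete in a few dozen lines. The following is an added example, not code from the commenter, Dark Reading, PGP Desktop or GnuPG. Everything in it is constructed for illustration: the textbook RSA with fixed, published primes and no padding is a stand-in for real keys, the operation-to-trust-level table (`REQUIRED`), the `Keyring` class and the names `bank.example`, `transfer_funds` and `file_1040` are all assumptions, and a real deployment would keep its keys and trust levels in a GnuPG keyring rather than in this toy.

```python
"""Toy model of 'marginal trust for broadcast certificates, full trust only
after the user countersigns' (constructed example; not GnuPG or PGP Desktop)."""
import hashlib
import json

# --- toy RSA (illustration only: small fixed primes, no padding) ----------
def make_keypair(p, q, e=65537):
    """Return (public, private) for the given primes. Insecure by design;
    a real system would use GnuPG-managed keys of proper size."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def _digest_int(data):
    # 7-byte SHA-256 prefix, so the integer is below every signing modulus used here
    return int.from_bytes(hashlib.sha256(data).digest()[:7], "big")

def sign(priv, data):
    return pow(_digest_int(data), priv["d"], priv["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest_int(data)

# --- certificates ---------------------------------------------------------
def fingerprint(pub):
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()

def cert_body(subject, pub):
    # canonical encoding of what the issuer signs
    return json.dumps({"subject": subject, "pub": pub}, sort_keys=True).encode()

def cert_fingerprint(cert):
    return hashlib.sha256(cert_body(cert["subject"], cert["pub"])).hexdigest()

def issue_cert(ca_priv, ca_pub, subject, pub):
    """A 'broadcast' certificate: a subject key signed by a CA."""
    return {"subject": subject, "pub": pub, "issuer_fp": fingerprint(ca_pub),
            "issuer_sig": sign(ca_priv, cert_body(subject, pub))}

NONE, MARGINAL, FULL = 0, 1, 2
# Assumed policy: anything that moves money or files a return needs FULL trust.
REQUIRED = {"read_statement": MARGINAL, "transfer_funds": FULL, "file_1040": FULL}

class Keyring:
    """The user's local trust store. Broadcast CAs earn only MARGINAL trust;
    FULL trust requires the user's own countersignature on the certificate."""
    def __init__(self, own_pub, own_priv):
        self.own_pub, self.own_priv = own_pub, own_priv
        self.broadcast_cas = {}   # issuer fingerprint -> CA public key
        self.countersigs = {}     # cert fingerprint -> signature by own key

    def add_broadcast_ca(self, ca_pub):
        self.broadcast_cas[fingerprint(ca_pub)] = ca_pub

    def countersign(self, cert):
        """Call only after validating the cert out of band (the 'phone call
        to activate the card' step). Binds the whole cert body, not the name."""
        fp = cert_fingerprint(cert)
        self.countersigs[fp] = sign(self.own_priv, fp.encode())

    def trust_level(self, cert):
        fp = cert_fingerprint(cert)
        sig = self.countersigs.get(fp)
        if sig is not None and verify(self.own_pub, fp.encode(), sig):
            return FULL
        ca_pub = self.broadcast_cas.get(cert["issuer_fp"])
        body = cert_body(cert["subject"], cert["pub"])
        if ca_pub is not None and verify(ca_pub, body, cert["issuer_sig"]):
            return MARGINAL
        return NONE

    def authorize(self, cert, operation):
        return self.trust_level(cert) >= REQUIRED[operation]

def demo():
    """Walk through the scenario and return the trust decisions observed."""
    # Constructed keys from well-known published primes (2^31-1, 2^61-1, ...).
    user_pub, user_priv = make_keypair(2147483647, 2305843009213693951)
    ca_pub, ca_priv = make_keypair(1000000007, 998244353)
    bank_pub, _ = make_keypair(4294967291, 4294967311)

    ring = Keyring(user_pub, user_priv)
    ring.add_broadcast_ca(ca_pub)
    bank_cert = issue_cert(ca_priv, ca_pub, "bank.example", bank_pub)

    result = {"broadcast_only": ring.trust_level(bank_cert),
              "transfer_before": ring.authorize(bank_cert, "transfer_funds"),
              "statement_before": ring.authorize(bank_cert, "read_statement")}
    ring.countersign(bank_cert)
    result["after_countersign"] = ring.trust_level(bank_cert)
    result["transfer_after"] = ring.authorize(bank_cert, "transfer_funds")
    # A different key presented under the same subject name inherits neither
    # the CA signature nor the user's countersignature.
    rogue_pub, _ = make_keypair(1000000009, 2147483647)
    forged = dict(bank_cert, pub=rogue_pub)
    result["forged"] = ring.trust_level(forged)
    return result

if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one in the comment: the CA's signature alone never gets a certificate past `MARGINAL`, so `transfer_funds` is refused until the user has countersigned, and because the countersignature covers the certificate body rather than the subject name, substituting a key under the same name drops the certificate back to `NONE`.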