Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/7/2013
01:15 PM
Mike Rothman
Mike Rothman
Commentary
50%
50%

Putting Vulnerabilities And Threats Into Context

Advanced security research should play a role in your security program and be ready when science projects become weaponized attacks

Since I'm the new blogger in Dark Reading's Vulnerabilities & Threats Tech Center, it probably makes sense to explain a bit about my views on the role of advanced security research in your general security program. Security research is a critical aspect of your ability to defend yourself. To get a feel for why, go no further than the Great One's quote on a great hockey player:

"A good hockey player plays where the puck is. A great hockey player plays where the puck is going to be." -- Wayne Gretzky

Research and understanding emerging attack vectors help you understand where attackers are going to be. Breach reports and quarterly threat summaries only tell you where attackers have been. If you are trying to stay ahead of the game, then you should not be focusing the short amount of time during the day fighting fires, waging political battles, beating back auditors, and hanging up on vendor sales droids. That's right: Think about where things are going, not where they've been.

To be clear, my perspectives only apply if you do a decent job on blocking and tackling. The fact that a smart researcher will show how you can own an iPhone via the charger matters only if your security program and control set is sufficiently mature. If not, you've got some work to do. But since this is a forward-looking column in a forward-looking Tech Center, I'm not going to tell you what that work is. You can mine the rest of Dark Reading or the Securosis research library for lots of good guidance on security fundamentals.

But if you are ready to systematically factor advanced security research into your program, then I suggest you set up a firm monthly lunch meeting with the security team, ensuring you have something scheduled. You know how it goes with ad hoc meetings, which are always canceled in the wake of some emergency.

In the time between the meetings, use a collaboration tool like Instapaper, Evernote, or (shudder) SharePoint to aggregate interesting links and news items discussing cool, new exploits and/or research findings. It's easy to stay on top of this information because the media loves new attacks; there will be plenty of coverage for anything that's interesting -- and plenty for the stuff that's not.

Once you have your list of things to discuss, ask the team two questions: The first is whether you are exposed to this new attack? Do you have the devices shown to be exploitable by the research? Do you use the applications or technologies in question? If the answer to that question is yes, then ask yourself, what would we do differently to close this exploit? Pretty simple, eh?

You may need to do more research into the attack to understand what's really involved in stopping it. Once you know what's required to address the issue, you can put it on your list of things to address. Understand there may not be a great urgency to fix the issue immediately since a lot of advanced security research is not weaponized yet. But you know what you need to do when the time comes.

And amazingly enough, you'll be where the puck is, and the rest of the industry will be cleaning up the mess. The Great One will be proud.

Mike Rothman is President of Securosis and author of The Pragmatic CSO Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19037
PUBLISHED: 2019-11-21
ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero.
CVE-2019-19036
PUBLISHED: 2019-11-21
btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero.
CVE-2019-19039
PUBLISHED: 2019-11-21
__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program.
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.