All posts tagged vulnerability

Three things to remember from Verizon’s Data Brach Investigations Report

Every year around this time, Verizon releases its Data Breach Investigations Report, referred to in the trade as simply the “DBIR.” Verizon is one of two companies you call if you’ve been breached and you really want to get to the bottom of what happened and try to keep it from happening again. (Mandiant is […]

In defense of Anthem declining the OIG audit

Anthem recently refused to allow the Office of Personnel Management’s Office of Inspector General (OIG) to perform an audit of its networks. Coming on the heels of a large breach, there’s been a bit of an uproar about it. There are a few things to keep in mind, the first being that this isn’t driven by […]

Dave Farquhar, lunch ninja

My boss doesn’t think I’m human. His proof: He asks anyone who knows me if he or she has ever seen me eat. No one has. They’ve seen evidence of me eating. But actually taking a bite? No. Not even the time we went out for BBQ.

The Forbes Flash hack is a good example of a watering hole attack

You may have heard people like me talk about watering-hole attacks. It’s an indirect attack on someone by compromising a third party and using that to get in. In this case, back in November, attackers got a Forbes ad server, and from there, attacked visitors from government and bank networks. Here’s the logic: Since ad servers […]

Yes, we need to run vulnerability scans inside the firewall

I got an innocent question last week. We’d been scanning an AIX server with Nexpose, a vulnerability scanner made by Rapid7, and ran into some issues. The system owner then asked a question: The server is behind a firewall and has no direct connection to the Internet and no data itself, it’s just a front-end to […]

How to become an Info Assurance Analyst

So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. The field desperately needs more of us, so I’m happy to share with you how to become […]

Anthem, HIPAA, and encryption

Late last week, the Wall Street Journal reported that Anthem wasn’t encrypting the database containing tens of millions of health records that were stolen by sophisticated hackers. There are numerous problems with that story, the first being that we don’t know yet whether the data was encrypted. There are other unconfirmed reports that say the attackers used […]

Why every breach is different

I’ve grown used to being asked what unpatched vulnerability was used in the most recent breach, in an effort to make sure some other company is protected. I appreciate the desire to learn from other companies’ mistakes and not repeat them. But there are several reasons why the answer to that question is complicated, and not […]

Why a non-web server has Apache and OpenSSL on port 2381

I was doing some scanning with a new vulnerability scanner at work and I found something listening on a lot of servers, described only as Apache and OpenSSL listening on port 2381. The versions varied. Luckily I had another scanner at my disposal that solved the mystery quickly: It’s the HP System Management Homepage, a […]

Age of a vulnerability is not an indicator of future risk

I cited MS14-066, commonly known as Winshock, this week as a reason to take action on a server. Another stakeholder tried to argue with me. The vulnerability was very old, he said–years old, and hadn’t caused a problem yet. He’s right. It’s at least 19 years old. But that’s merely interesting, not important. What’s important […]