ISACARuSec – Telegram
Channel of the information security track of the Moscow Chapter of ISACA

Channel focus: ISACA news, news on information security governance in Russia and worldwide, and exchange of best practices.

https://engage.isaca.org/moscow/home

Contact the administration
@popepiusXIII
A radical approach: moving to the cloud as a way to get rid of accumulated security technical debt.
A controversial decision by the city administration.
Separately, experts point out that the cost of the insurance policy is most likely larger than the information security budget.

Baltimore Authorizes Purchase of $20M Cyberinsurance Policy
https://www.govtech.com/security/Baltimore-Authorizes-Purchase-of-20M-Cyberinsurance-Policy.html
Once again: in the US, the possibility of criminal liability for executives for violating user privacy requirements and leaking personal data is being discussed.
New technologies, new threats.
I just read the 14-page report, "Comparing vulnerability and security configuration assessment coverage of leading VM vendors" by Principled Technologies. Tenable's marketing team actively shared it last week.

The main idea of the report: Tenable covers more CVEs and CIS benchmarks than Qualys and Rapid7.

So, my impressions:

1. Hallelujah! Finally, a comparison of Vulnerability Management products based on something measurable - on their Knowledge Bases. And at least one VM vendor is not afraid to use it in marketing and mentions the competitors directly. This is a huge step forward and I hope that this is the beginning of something more serious. We really need to start talking more about the core functionality of VM products.

2. However, this particular report is just a Tenable advertisement. This is not even hidden. I really like Nessus and Tenable, and believe that they have a very good Knowledge Base, but reading on every page how great Tenable's products are is just ridiculous. It would be much better to read it in a more neutral form.

3. Using only the CVE IDs for comparing Vulnerability Knowledge Bases is NOT correct (strictly speaking), because for many software products most vulnerabilities do not have CVEs, only patch IDs. A CVE-based comparison also doesn't distinguish types of vulnerability checks: remote banner-based, remote exploit-based and local. To make a reliable comparison, it's necessary to map all existing vulnerability detection plugins of the VM products, but this is MUCH more difficult.

4. The CVE-based comparison in this report is not really informative. They only compare absolute numbers of IDs, grouping them by year, software product (CPE) and CVSS v2 score. Why is this wrong? If VM vendor A covers 1000 CVEs and vendor B covers 1000 CVEs, this does not mean that they have the same database and that it is quite complete. The real intersection between the KBs may be only 500 IDs, so these vendors would be able to detect only half of each other's vulnerabilities. It matters, right? In my old quick comparison of the Nessus and OpenVAS Knowledge Bases I demonstrated this and tried to suggest reasons why some vulnerabilities are covered by one vendor and not by another. If you compare CVEs as sets of objects, it turns out that each VM product has its own advantages and disadvantages.

5. The CIS-based comparison in this report uses only information about certified implementations from the CIS website, without regard to versions and levels. CIS Certification is an expensive and complicated procedure that is NOT mandatory and does not affect anything. I once implemented many CIS standards for Linux/Unix in PT MaxPatrol. Well, yes, they are not certified and you won't see them on the CIS website, but does this mean that they are not supported in the VM/CM product? Of course not! So, it's a very strange way of comparing Compliance Management capabilities.

In conclusion, the idea behind this report is good, but the implementation is rather disappointing. If one of the VM vendors, researchers or customers wants to make a similar comparison, public or private, but in a much more reliable and fair way - contact me, I will be glad to take part in this. 😉

#PrincipledTechnologies #Tenable #Rapid7 #Qualys #CVE #CIS #VulnerabilityManagement #ComplianceManagement #CPE #CVSS #PositiveTechnologies #MaxPatrol #OpenVAS #Nessus
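Added example (not part of the post above, and not code from Principled Technologies or any VM vendor): the set-based comparison that points 3 and 4 argue for, run over two constructed toy knowledge bases. The plugin entries, CVE IDs and the patch-only identifiers "PATCH-A-17" and "PATCH-B-42" are invented for illustration. The two KBs are built so that a by-year count of CVEs comes out identical for both, while the actual intersection is much smaller and each KB also carries a plugin with no CVE at all, which a CVE-only count silently drops.

```python
import re
from collections import Counter

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")

# Constructed toy knowledge bases (not real vendor data). Each entry is one
# detection plugin, the identifiers it references and the kind of check it does.
KB_A = [
    {"plugin": "A-1", "ids": ["CVE-2018-1000"], "check": "local"},
    {"plugin": "A-2", "ids": ["CVE-2018-1001"], "check": "local"},
    {"plugin": "A-3", "ids": ["CVE-2019-2000"], "check": "remote-banner"},
    {"plugin": "A-4", "ids": ["CVE-2019-2001"], "check": "remote-banner"},
    {"plugin": "A-5", "ids": ["PATCH-A-17"], "check": "local"},   # hypothetical patch-only ID
    {"plugin": "A-6", "ids": ["CVE-2019-2003"], "check": "local"},
]
KB_B = [
    {"plugin": "B-1", "ids": ["CVE-2018-1000"], "check": "remote-exploit"},
    {"plugin": "B-2", "ids": ["CVE-2018-1002"], "check": "local"},
    {"plugin": "B-3", "ids": ["CVE-2019-2000"], "check": "local"},
    {"plugin": "B-4", "ids": ["CVE-2019-2002"], "check": "remote-banner"},
    {"plugin": "B-5", "ids": ["CVE-2019-2004"], "check": "local"},
    {"plugin": "B-6", "ids": ["PATCH-B-42"], "check": "local"},   # hypothetical patch-only ID
]


def cve_set(kb):
    """Every CVE ID referenced anywhere in a KB, as a set of objects."""
    return {i for p in kb for i in p["ids"] if CVE_RE.match(i)}


def by_year(cves):
    """Absolute CVE counts grouped by year: the number the report compares."""
    return Counter(CVE_RE.match(c).group(1) for c in cves)


def check_types(kb):
    """How many plugins of each check type a KB has; a CVE-only count ignores this."""
    return Counter(p["check"] for p in kb)


def plugins_without_cve(kb):
    """Plugins that reference only patch IDs and therefore vanish from a CVE count."""
    return [p["plugin"] for p in kb if not any(CVE_RE.match(i) for i in p["ids"])]


def compare(kb_a, kb_b):
    """Compare two KBs as sets rather than as totals."""
    a, b = cve_set(kb_a), cve_set(kb_b)
    common, union = a & b, a | b
    return {
        "a_total": len(a),
        "b_total": len(b),
        "common": len(common),
        "only_a": sorted(a - b),
        "only_b": sorted(b - a),
        # share of the other vendor's CVEs that this vendor could also detect
        "a_detects_of_b": len(common) / len(b) if b else 0.0,
        "b_detects_of_a": len(common) / len(a) if a else 0.0,
        "jaccard": len(common) / len(union) if union else 0.0,
        "a_no_cve_plugins": plugins_without_cve(kb_a),
        "b_no_cve_plugins": plugins_without_cve(kb_b),
    }


if __name__ == "__main__":
    r = compare(KB_A, KB_B)
    print("by-year counts A:", dict(by_year(cve_set(KB_A))))
    print("by-year counts B:", dict(by_year(cve_set(KB_B))))
    print("check types A:", dict(check_types(KB_A)), " B:", dict(check_types(KB_B)))
    print("common:", r["common"], " only A:", r["only_a"], " only B:", r["only_b"])
    print("A detects %.0f%% of B, B detects %.0f%% of A, Jaccard %.2f"
          % (100 * r["a_detects_of_b"], 100 * r["b_detects_of_a"], r["jaccard"]))
    print("patch-only plugins dropped by a CVE count:", r["a_no_cve_plugins"], r["b_no_cve_plugins"])
```

On the constructed data both KBs report five CVEs split 2/3 across 2018 and 2019, so the report's by-year table would call them equal, yet they share only two IDs and each would miss 60% of what the other detects. Replacing the toy lists with real plugin exports (one row per plugin, with all referenced IDs) gives the per-vendor "only A" and "only B" lists that the post says a fair comparison needs.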