Survey of Supply Chain Attacks
The Atlantic Council has released a report that looks at the history of computer supply chain attacks.
https://www.schneier.com/blog/archives/2020/07/survey_of_suppl.html
Understanding and Leveraging the MITRE ATT&CK Framework: A SANS Roundtable - SANS Institute
https://www.sans.org/webcasts/understanding-leveraging-mitre-att-ck-framework-roundtable-115345
In this webcast, sponsor representatives and report author John Hubbard will discuss the new SANS report, "Measuring and Improving Cyber Defense Using the MITRE ATT&CK Framework." The discussion will explore themes from the paper, including: What the MITRE…
How to Show Business Benefit by Moving to Risk-Based Vulnerability Management - SANS Institute
https://www.sans.org/webcasts/show-business-benefit-moving-risk-based-vulnerability-management-115970
Vulnerabilities are relentless and are exploited by targeted attacks faster than ever, with damaging results for business. Study after study shows that most successful attacks exploit well-known vulnerabilities for which patches already exist. Most businesses already do…
SP 800-53B (Draft), Control Baselines for Information Systems and Organizations | CSRC
https://csrc.nist.gov/publications/detail/sp/800-53b/draft
NIST Special Publication (SP) 800-53B (Draft), Control Baselines for Information Systems and Organizations
This publication provides security and privacy control baselines for the Federal Government. There are three security control baselines for low-impact, moderate-impact, and high-impact information systems as well as a privacy baseline that is applied to systems…
SP 800-210, General Access Control Guidance for Cloud Systems | CSRC
https://csrc.nist.gov/publications/detail/sp/800-210/final
NIST Special Publication (SP) 800-210, General Access Control Guidance for Cloud Systems
This document presents cloud access control characteristics and a set of general access control guidance for cloud service models: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service). Different service delivery…
Security & Privacy Compliance in Work from Home Situations
August 06, 2020
12:00 PM (EDT) / 11:00 AM (CDT) / 9:00 AM (PDT) / 4:00 PM (UTC) | Webinar
https://www.isaca.org/education/online-events/lms_w080620
No actively exploited zero-days have been found in Linux, Safari, or macOS since 2014, when Google began tracking this stat.
2019 was the first year when an Android zero-day was discovered.
Not all zero-days impacted the latest version of the OS/software.
Google suspects some software vendors are hiding actively exploited zero-days as mundane bugfixes.
Google says there's a detection bias towards Microsoft, as there are more security tools specialized in detecting Windows bugs.
Google says it's hard to find zero-days on mobile platforms due to walled garden and app sandbox approaches.
63% of 2019's zero-day vulnerabilities were memory corruption bugs. The same 63% figure also applies to the zero-days of 2020 H1. This is in line with stats released by Microsoft and Google in 2019, which claimed that 70% of all Microsoft security bugs and 70% of all Chrome vulnerabilities are memory safety issues.
Google said that it plans to publish a Zero-Day Year in Review report annually, going forward.
ITL Bulletin, Security Considerations for Exchanging Files Over the Internet | CSRC
https://csrc.nist.gov/publications/detail/itl-bulletin/2020/08/security-considerations-for-exchanging-files-over-the-internet/final
ITL Bulletin August 2020, Security Considerations for Exchanging Files Over the Internet
Every day, in order to perform their jobs, workers exchange files over the Internet through email attachments, file sharing services, and other means. To help organizations reduce potential exposure of sensitive information, NIST has released a new Information…
Forwarded from Пост Лукацкого
Draft national standard GOST R
"Information protection. Detection, prevention and elimination of the consequences of computer attacks, and response to computer incidents. Terms and definitions" https://t.co/N0WAs5uirc — Alexey Lukatsky (@alukatsky) August 4, 2020