ISACARuSec – Telegram
Channel of the information security track of the Moscow chapter of ISACA

The channel covers ISACA news, news on information security governance in Russia and worldwide, and the exchange of best practices.

https://engage.isaca.org/moscow/home

Contact the administrators
@popepiusXIII
Forwarded from vulners
Navigating Uncertainty in Vulnerability Management🛡

Since mid-February 2024, the National Vulnerability Database (NVD) has been delayed in updating CPE data for new vulnerabilities, resulting in a backlog of over 10,000 CVEs 📉.

The value of the NVD has been underestimated with no simple replacements. Our article details the complexities of this issue.

Data inconsistency from CVE Numbering Authorities (CNAs) complicates matters further. Despite Vulners' efforts to create handlers for each CNA, manual oversight and expert analysis are crucial for reliable assessments. Closing the long tail of vulnerabilities still demands significant human resources.

Read more about strategies to address these challenges in our full article: Navigating Uncertainty
Felt like an infosec journalist... ✍️ I put together an internal review of 169 announcements made by 640 security vendors at RSA Conference 2024. Hard work, let me tell you, wading through the vendors' marketing bullshit 🤠 to understand what the companies actually presented. Quite often it's nothing, hidden behind pretty words about artificial intelligence, acceleration and deepening, automation and strengthening... But I did it 💪

I won't be publishing that internal document, but I did write up its public part, an overview of the key trends, and colleagues 🤝 at Anti-malware published it. So welcome 🤓
https://vulncheck.com/blog/nvd-backlog-exploitation

"Key Findings
93.4% of new vulnerabilities have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024.
50.8% of VulnCheck Known Exploited Vulnerabilities have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024 (Source: VulnCheck KEV).
55.9% of Weaponized Vulnerabilities have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024.
82% of CVEs with a Proof-of-Concept Exploit have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024."
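The two NVD posts above (the Vulners piece on the CPE backlog and the VulnCheck findings) both come down to the same operational question: which of the CVE records you pull from NVD can still be matched against your asset inventory, and which have to fall back to CNA-supplied data or manual review. The script below is an added example, not code from Vulners, VulnCheck or the channel; the sample records are constructed, and the field layout (`vulnerabilities[].cve.vulnStatus`, `metrics.cvssMetricV31`, `configurations[].nodes[].cpeMatch`) is assumed to follow the NVD 2.0 API response format.

```python
"""Triage NVD CVE records by enrichment status (added example, constructed data).

A record is considered enriched only when NVD has set vulnStatus to
"Analyzed" AND attached CPE configurations; records published after the
backlog start date that lack this are counted toward the backlog.
"""
import json
from datetime import date

# Date the NVD enrichment slowdown began, per the posts above.
NVD_BACKLOG_START = date(2024, 2, 12)

# Constructed sample in the assumed NVD 2.0 API shape; CVE ids are placeholders.
SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-00001", "published": "2024-03-01T10:00:00.000",
                 "vulnStatus": "Awaiting Analysis",
                 "metrics": {}, "configurations": []}},
        {"cve": {"id": "CVE-0000-00002", "published": "2024-01-15T10:00:00.000",
                 "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov",
                                                "cvssData": {"baseScore": 9.8}}]},
                 "configurations": [{"nodes": [{"cpeMatch": [
                     {"vulnerable": True,
                      "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
        {"cve": {"id": "CVE-0000-00003", "published": "2024-04-20T10:00:00.000",
                 "vulnStatus": "Awaiting Analysis",
                 # CNA-supplied score present even though NVD has not enriched it
                 "metrics": {"cvssMetricV31": [{"source": "cna@example.invalid",
                                                "cvssData": {"baseScore": 7.5}}]},
                 "configurations": []}},
    ]
})


def has_cpe(cve):
    """True if at least one CPE match criterion is attached to the record."""
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            if node.get("cpeMatch"):
                return True
    return False


def triage(response_json):
    """Classify each record: CPE matching, CNA-score fallback, or manual review."""
    results = []
    for item in json.loads(response_json)["vulnerabilities"]:
        cve = item["cve"]
        published = date.fromisoformat(cve["published"][:10])
        enriched = cve.get("vulnStatus") == "Analyzed" and has_cpe(cve)
        scores = [m["cvssData"]["baseScore"]
                  for m in cve.get("metrics", {}).get("cvssMetricV31", [])]
        if enriched:
            action = "match-by-cpe"        # inventory matching works as usual
        elif scores:
            action = "use-cna-score"       # prioritise on CNA CVSS, match by hand
        else:
            action = "manual-review"       # no structured data to work from
        results.append({
            "id": cve["id"],
            "published": published,
            "in_backlog": published >= NVD_BACKLOG_START and not enriched,
            "score": max(scores) if scores else None,
            "action": action,
        })
    return results


def backlog_ratio(results):
    """Share of records published since the backlog start that are unenriched."""
    recent = [r for r in results if r["published"] >= NVD_BACKLOG_START]
    if not recent:
        return 0.0
    return sum(r["in_backlog"] for r in recent) / len(recent)


if __name__ == "__main__":
    rows = triage(SAMPLE_NVD_RESPONSE)
    for r in rows:
        print(r["id"], r["action"], r["score"], "backlog" if r["in_backlog"] else "")
    print(f"backlog ratio since {NVD_BACKLOG_START}: {backlog_ratio(rows):.0%}")
```

Run against a real NVD API page, the `backlog_ratio` figure is the local counterpart of the percentages VulnCheck reports, and the `manual-review` bucket is the "long tail" the Vulners post says still needs human analysts.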
https://openssf.org/blog/2024/05/20/enhancing-open-source-security-introducing-siren-by-openssf/
"Introducing Siren, a threat intelligence sharing list hosted by Open Source Security Foundation (OpenSSF), a groundbreaking initiative aimed at fortifying the defenses of open source projects worldwide."
https://groups.google.com/a/chromium.org/g/blink-dev/c/R6VOVMt81y8
"Google engineers have proposed a new IETF standard named TLS Trust Expressions that introduces a new TLS extension/mechanism to servers to deploy multiple certificates and transparently select between them. This enables a multi-certificate deployment model, for a more agile and flexible PKI that can better meet security requirements."
https://thehackernews.com/2024/05/report-dark-side-of-phishing-protection.html
"The report provides three paths forward to protecting from phishing page attacks:

Page Reputation Analysis: Analyzing the target page's URL by utilizing threat intelligence feeds and calculating its score. The gap: these feeds are not technologically able to cover all threats and risks.

Browser Emulation: Any suspected web page is executed in a virtual environment to unfold any phishing or other malicious features it embeds. The gap: cannot be applied at scale, as it is resource-heavy and creates latency.

Browser Deep Session Inspection: Analyzing every live web session from within the browser and inspecting the gradual assembly of the web page to detect phishing behavior, which triggers either session termination or disablement of the phishing component."
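The first of the three paths quoted above, page reputation analysis, and its stated gap (feeds cannot cover every threat) are easy to see in code. The script below is an added example, not from the report or the channel: it scores a URL's host against a constructed threat-intelligence feed, walking up through parent domains so a feed entry also covers subdomains, and then adds a few local host-structure heuristics so that a freshly registered lookalike absent from the feed still produces a signal. The feed entries, the brand watchlist and the weights are all constructed.

```python
"""URL reputation scoring with a feed lookup plus local heuristics (added example)."""
from urllib.parse import urlparse

# Constructed threat-intel feed: registrable domain -> (category, confidence 0-100)
FEED = {
    "phish-example.invalid": ("phishing", 90),
    "badcdn.invalid": ("malware", 70),
}
# Constructed brand watchlist used for the lookalike heuristic
BRANDS = ("paypal", "microsoft", "bank")


def host_of(url):
    """Lower-cased hostname without a trailing dot; empty string if none."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def feed_lookup(host):
    """Return the feed entry for the host or any of its parent domains."""
    labels = host.split(".")
    for i in range(len(labels) - 1):           # never match the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in FEED:
            return FEED[candidate]
    return None


def heuristic_score(host):
    """Local signals that do not depend on the feed; weights are constructed."""
    score, reasons = 0, []
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        score += 30
        reasons.append("punycode label")
    if len(labels) > 4:
        score += 20
        reasons.append("deep subdomain nesting")
    # A brand name appearing in a label other than the registrable domain
    # (last two labels) is a common lookalike pattern.
    for brand in BRANDS:
        if any(brand in label for label in labels[:-2]):
            score += 40
            reasons.append(f"brand '{brand}' in subdomain")
            break
    return score, reasons


def assess(url):
    """Combine feed confidence and heuristics into a 0-100 score with reasons."""
    host = host_of(url)
    hit = feed_lookup(host)
    h_score, reasons = heuristic_score(host)
    total = (hit[1] if hit else 0) + h_score
    return {
        "host": host,
        "feed_hit": hit is not None,
        "score": min(total, 100),
        "reasons": ([f"feed:{hit[0]}"] if hit else []) + reasons,
    }


if __name__ == "__main__":
    for u in ("https://login.phish-example.invalid/x",
              "https://paypal.secure-login.newhost.invalid/",
              "https://example.invalid/"):
        print(assess(u))
```

The second sample URL is the gap in miniature: the feed has never seen the host, so the feed alone scores it zero, and only the local heuristic raises a flag. That is why the report pairs reputation lookups with the heavier emulation and in-browser inspection paths.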
https://openai.com/index/openai-board-forms-safety-and-security-committee/

"OpenAI Board Forms Safety and Security Committee
This new committee is responsible for making recommendations on critical safety and security decisions for all OpenAI projects; recommendations in 90 days."