Week 04

https://www.darkreading.com/vulnerabilities—threats/anatomy-of-an-attack-on-the-industrial-iot-/a/d-id/1331097

This article details an attack on an IoT device. Similar to the kill chain, the attacker follows a recon, development, execution and command and control phase. Reminds the vulnerabilities with IoTs supporting critical infrastructure.

Developers of Drupal recently patched two critical vulnerabilities this week in its content management system platform. The first critical vulnerability is a comment reply form bug in Drupal version 8 that granted unauthorized users access to restricted content. It allowed them to view and add comments as well as content in within restricted areas. The another vulnerability that was in Drupal 7 and 9 were a Javascript function that lead to a cross-site-scripting vulnerability.

Drupal Patches Critical Bug That Leaves Platform Open to XSS Attack

https://www.technewsworld.com/story/85002.html

People who bought HP laptops had a free keylogger program installed but it wasn’t on purpose. A user found out while troubleshooting it, but by default it was turned off. The user contacted HP and they applied a patch to remove it. The keylogger program was found to be a software bug that wasn’t finalized before being deployed. Issues about keyloggers are consumers don’t really know what it is and if hackers or other malicious people know about it, they can expose it for their own purpose.

The SEC has issued new guidance for public companies, calling on them to be more forthcoming when disclosing cyber-security risks, even before a breach or attack happens. This expands on guidance they previously issued in 2011 and it also warns that corporate insiders must not trade shares when they have information about cyber-security issues that aren’t public. The SEC added that even though companies are not required to reveal sensitive information that could compromise cyber-security measures, they also cannot use internal or law enforcement investigations as an excuse for not informing the public. Many individuals on the SEC say the guidance doesn’t go far enough and that many public companies still provide disclosures about cyber-security risks that are far from robust and that the commission has only taken limited action. They also mention that the SEC could have helped companies formulate more meaningful disclosure for investors however the new guidance issued does not give them the ability to do so and it only provides modest changes to the 2011 staff guidance. It remains to be seen what other actions or guidance the SEC provides on cyber-security related issues.

 

The SEC says companies must disclose more information about cybersecurity risks

https://www.digitaltrends.com/computing/getting-flu-could-harm-cybersecurity-healh/

I never considered that that a health crisis could also cause cyber security issues but this article makes a good point about why it occurs. With anything that causes the volume of what a user is asked to do to increase, that user is going to find ways to save time. Unfortunately what the user tends to do to save time is ignore protocols put in place to protect information. As hospital personnel are seeing many more patients than usual this flu season they are doing things like leaving themselves logged into terminals and leaving doors open that require a badge to enter. This is opening hospitals up to cyber attacks and putting patient’s information at risk.