FreshRSS

Today, May 24th 2018: Your RSS feeds

[webapps] Honeywell XL Web Controller - Cross-Site Scripting

Honeywell XL Web Controller - Cross-Site Scripting
  • May 24th 2018 at 00:00

London's Met Police: We won't use facial recognition at Notting Hill Carnival

But cops' trial of controversial tech will continue

London cops will not use controversial and inaccurate facial recognition technology at this year's Notting Hill Carnival – in a departure from the trend over the previous two years.…

  • May 24th 2018 at 09:08

[webapps] OpenDaylight - SQL Injection

OpenDaylight - SQL Injection
  • May 24th 2018 at 00:00

[webapps] Timber 1.1 - Cross-Site Request Forgery

Timber 1.1 - Cross-Site Request Forgery
  • May 24th 2018 at 00:00

I've Taken Over - Enterprise Security Weekly #92

By paul@securityweekly.com

This week, John Strand returns and runs the show solo, presenting his Technical Segment entitled "Build A Purple Team"! In the news, we have updates from Skybox, Wombat Security, McAfee, AlgoSec, and more, on this episode of Enterprise Security Weekly!


Full Show Notes: https://wiki.securityweekly.com/ES_Episode92


Visit https://www.securityweekly.com/esw for all the latest episodes!


  • May 24th 2018 at 09:00

[webapps] PaulNews 1.0 - 'keyword' SQL Injection / Cross-Site Scripting

PaulNews 1.0 - 'keyword' SQL Injection / Cross-Site Scripting
  • May 24th 2018 at 00:00

SOC Automation: Good or Evil?

Many security operations centers (SOCs) face the same recurring problem: too many alerts and too few people to handle them. Over time the problem worsens, because the number of devices generating alerts grows much faster than the number of people available to analyze them. Consequently, the alerts that truly matter can get buried in the noise.

Most companies look at this problem and see only two solutions: decrease the number of alerts, or increase the number of staff. Luckily, there is a third option: automation, which can greatly increase the efficiency of analysts' time.

Traditionally, automation has been viewed as an all-or-nothing proposition. But times change. Companies can implement automation at various points of the incident response process to free analysts from mundane, repetitive tasks, while maintaining human control over how they monitor and react to alerts. Ultimately, the goal should be to strike a balance between low-risk processes that can be automated with minimal impact and the higher-risk ones that need to be handled by analysts.

Before launching into any level of SOC automation, the following should be considered: 1) Is the organization winning or losing the cyber battle? 2) If it is winning, does it have the right tools to continue doing so? 3) If it is losing, what should it do?

Whether an organization is winning or losing, understanding the pros and cons of automation is critical to any project’s success.

Benefits of Automation

Automation has typically been favored in low-impact environments, but it has been frowned upon in high-impact environments such as utility and healthcare because of the negative impact false positives can cause.

The main benefits of SOC automation include:

  • More consistent response to alerts and tickets
  • Higher volume of ticket closure and response to incidents
  • Better focus by analysts on higher priority items
  • Improved visibility into what is happening
  • Coverage of a larger area and a larger number of tickets

Downsides of Automation

Nothing is more taxing than dealing with a false positive, which happens when a system misinterprets legitimate activity and flags it as an attack. In some industries a false positive can disrupt business processes, resulting in lost revenue, downtime for industrial organizations, and even lives at risk in hospital settings.

Major downsides include:

  • Shutting down operations
  • Misclassifying an attack so the wrong action is taken
  • Automating tickets that should have been handled manually
  • Missing key information or data
  • Making the wrong or inappropriate decision

Best Practices for Automation

In the past, companies typically looked at automation’s potential downsides and then decided to avoid it because doing so seemed safer. However, today, more companies are realizing that if they do not implement some degree of automation, they increase their chances of missing an attack, which could cause more damage than the negative effects of automation.

Given this scenario, security practitioners should look at adopting the following best practices for automation.

Create a Thorough Strategy

The plan should address the following key questions:

  • What areas generate the most alerts?
  • What alerts take up most of the analysts’ time?
  • Which responses are very structured and which ones do the analysts respond to in a predictable way?
  • Can an automated playbook be used to handle certain events?

Take a Measured Approach

One of the key rules of security is to avoid extremes. Automating everything, for example, can open a can of worms, leaving security executives to justify the approach after the fact on the grounds that analysts could not keep up with the tickets.

Finding a balance by automating tasks and tickets that are manually intensive, highly repeatable, and distract analysts from important functions is a good starting point. Automation should allow the company to improve SOC efficiency while maintaining acceptable levels of risk, on both the operational side and the security side.

The trick is to manage and control false positives, not eliminate them.

Know, and Don’t Automate, Tasks that Require Human Analysis

These include alerts that affect:

  • Critical applications or systems
  • Business process, financial and operational systems
  • Systems that contain large amounts of sensitive data
  • Large-scale compromise indicators
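As an added illustration of the plan questions and the measured approach above (this is example code written for this page, not anything from DFLabs or the article's author): a small triage policy that routes each alert either to a vetted playbook or to an analyst. The asset inventory, the playbook names and the sample alerts are all assumptions constructed for the example; the rules encode the article's own list of what must stay with a human, plus one fail-closed check for assets that are not in the inventory at all.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical asset inventory, constructed for this example. The tags map onto the
# article's list of alerts that must stay with a human analyst.
ASSET_TAGS = {
    "ws-0412": set(),                                          # ordinary workstation
    "erp-db-01": {"critical", "financial", "sensitive_data"},  # finance database
    "ot-hmi-03": {"critical", "operational"},                  # plant HMI
}
HUMAN_ONLY_TAGS = {"critical", "business_process", "financial", "operational", "sensitive_data"}

# Vetted playbooks: alert types whose response is structured and repeatable enough to
# automate. The names are assumptions; a real SOC wires these to its orchestration tool.
PLAYBOOKS = {
    "phishing-known-bad-url": "quarantine_message_and_block_sender",
    "commodity-malware-quarantined": "confirm_quarantine_and_close",
    "failed-login-burst": "temporary_lockout_and_notify_owner",
}

# The same indicator seen on this many hosts or users is treated as a compromise-scale event.
LARGE_SCALE_THRESHOLD = 10


@dataclass
class Alert:
    alert_id: str
    rule: str
    host: str
    severity: str   # "low" | "medium" | "high"
    scope: int = 1  # distinct hosts/users the same indicator has hit so far


def triage(alert: Alert) -> tuple[str, str]:
    """Decide ("automate", playbook) or ("escalate", reason) for one alert.

    Every check that can send an alert to a human runs before the playbook lookup,
    so an unknown asset, a sensitive asset, a wide blast radius or a high severity
    always wins over "we have a playbook for this".
    """
    tags = ASSET_TAGS.get(alert.host)
    if tags is None:
        return "escalate", "asset not in inventory"   # fail closed on unknown criticality
    human_only = tags & HUMAN_ONLY_TAGS
    if human_only:
        return "escalate", f"asset tagged {sorted(human_only)}"
    if alert.scope >= LARGE_SCALE_THRESHOLD:
        return "escalate", f"large-scale indicator ({alert.scope} hosts)"
    if alert.severity == "high":
        return "escalate", "high severity"
    playbook = PLAYBOOKS.get(alert.rule)
    if playbook is None:
        return "escalate", "no vetted playbook"
    return "automate", playbook


def run_queue(alerts: list[Alert]) -> dict[str, list[tuple[str, str]]]:
    """Split a queue into automated actions (kept as an audit trail) and the analyst backlog."""
    out: dict[str, list[tuple[str, str]]] = {"automate": [], "escalate": []}
    for alert in alerts:
        decision, detail = triage(alert)
        out[decision].append((alert.alert_id, detail))
    return out


# Constructed sample queue; none of these are real alerts.
SAMPLE_ALERTS = [
    Alert("A1", "phishing-known-bad-url", "ws-0412", "medium"),
    Alert("A2", "phishing-known-bad-url", "erp-db-01", "medium"),
    Alert("A3", "failed-login-burst", "ws-0412", "low", scope=25),
    Alert("A4", "commodity-malware-quarantined", "ot-hmi-03", "low"),
    Alert("A5", "new-unvetted-rule", "ws-0412", "low"),
    Alert("A6", "failed-login-burst", "ws-0412", "low"),
    Alert("A7", "failed-login-burst", "lap-9999", "low"),
]

if __name__ == "__main__":
    for decision, items in run_queue(SAMPLE_ALERTS).items():
        for alert_id, detail in items:
            print(f"{alert_id}: {decision} -> {detail}")
```

The ordering of the checks is the point: the playbook table only answers "is this repeatable?", and it is consulted last, after every reason the article gives for keeping a human in the loop. The automated branch still returns what it did, so the actions can be sampled and reviewed rather than fired and forgotten.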

Conclusion

The need for SOC automation is increasing in urgency, since adversaries are also harnessing software and hardware to develop and carry out attacks. Consequently, the velocity and sophistication of threats are rising. Keeping pace with programmatic attacks inevitably requires automating certain SOC functions and processes. Following the recommendations outlined above can help determine which ones should be automated, and which ones shouldn't.

About the author: John Moran is Senior Product Manager for DFLabs and a security operations and incident response expert. He has served as a senior incident response analyst for NTT Security, computer forensic analyst for the Maine State Police Computer Crimes Unit and computer forensics task force officer for the US Department of Homeland Security. John currently holds GCFA, CFCE, EnCE, CEH, CHFI, CCLO, CCPA, A+, Net+, and Security+ certifications.

Copyright 2010 Respective Author at Infosec Island
  • May 24th 2018 at 07:26

[webapps] ASP.NET jVideo Kit - 'query' SQL Injection

ASP.NET jVideo Kit - 'query' SQL Injection
  • May 24th 2018 at 00:00

[shellcode] Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes)

Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes)
  • May 24th 2018 at 00:00

[local] Microsoft Internet Explorer 11 (Windows 7 x64/x86) - vbscript Code Execution

Microsoft Internet Explorer 11 (Windows 7 x64/x86) - vbscript Code Execution
  • May 21st 2018 at 00:00

"Blocked" Does Not Mean "Forget It", (Thu, May 24th)

Today, organisations face regular waves of attacks, targeted or not. We deploy a lot of security controls to block them as early as possible, before they reach their targets. Because of the amount of information generated daily, we usually stop caring about an event once it has been blocked. Blocked emails are a perfect example. But "blocked" does not mean we can forget about them: there is still valuable information in that data.
  • May 24th 2018 at 07:16
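An added example of what "still valuable information" can look like in practice, not code from the diary's author: a few constructed gateway log lines for blocked mail (the line format is invented for this example, so the regex would need adapting to a real gateway), mined for who is being targeted, by which sender domains, with which attachment hashes, and whether any sender domain is a look-alike of the organisation's own, assumed here to be example.org.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

OUR_DOMAIN = "example.org"  # assumption: the organisation's own mail domain

# Constructed mail-gateway "blocked" log. Addresses, hashes and timestamps are invented.
BLOCKED_LOG = """\
2018-05-24T06:01:12Z BLOCK from=invoice@acme-billing.top to=cfo@example.org sha256=a1b2c3d4e5f6 reason=malware
2018-05-24T06:02:40Z BLOCK from=invoice@acme-billing.top to=ap-clerk@example.org sha256=a1b2c3d4e5f6 reason=malware
2018-05-24T06:03:05Z BLOCK from=invoice@acme-billing.top to=ceo@example.org sha256=a1b2c3d4e5f6 reason=malware
2018-05-24T09:40:51Z BLOCK from=it-helpdesk@examp1e.org to=cfo@example.org sha256=- reason=phish-url
2018-05-24T09:41:13Z BLOCK from=it-helpdesk@examp1e.org to=hr@example.org sha256=- reason=phish-url
2018-05-24T11:15:00Z BLOCK from=news@random-promo.net to=hr@example.org sha256=- reason=spam
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) BLOCK from=(?P<sender>\S+) to=(?P<rcpt>\S+) "
    r"sha256=(?P<sha>\S+) reason=(?P<reason>\S+)"
)


def sender_domain(addr):
    return addr.split("@", 1)[1]


def parse_blocked(text):
    """Turn the log into a list of dicts; lines that do not match are ignored."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


def campaigns(events):
    """Group blocked mail by sender domain: volume, targets, payload hashes, time window."""
    out = defaultdict(lambda: {"messages": 0, "recipients": set(), "hashes": set(),
                               "reasons": set(), "first": None, "last": None})
    for e in events:
        c = out[sender_domain(e["sender"])]
        c["messages"] += 1
        c["recipients"].add(e["rcpt"])
        if e["sha"] != "-":               # "-" means no attachment in this invented format
            c["hashes"].add(e["sha"])
        c["reasons"].add(e["reason"])
        c["first"] = e["ts"] if c["first"] is None else min(c["first"], e["ts"])
        c["last"] = e["ts"] if c["last"] is None else max(c["last"], e["ts"])
    return dict(out)


def repeat_targets(events, min_domains=2, ignore=("spam",)):
    """Recipients hit by blocked mail from several distinct sender domains (spam excluded)."""
    hits = defaultdict(set)
    for e in events:
        if e["reason"] in ignore:
            continue
        hits[e["rcpt"]].add(sender_domain(e["sender"]))
    return {r: sorted(d) for r, d in hits.items() if len(d) >= min_domains}


def lookalike_senders(events, ours=OUR_DOMAIN, threshold=0.8):
    """Sender domains that closely resemble our own domain without being it."""
    domains = {sender_domain(e["sender"]) for e in events}
    return sorted(d for d in domains
                  if d != ours and SequenceMatcher(None, d, ours).ratio() >= threshold)


if __name__ == "__main__":
    ev = parse_blocked(BLOCKED_LOG)
    for dom, c in campaigns(ev).items():
        print(f"{dom}: {c['messages']} blocked, {len(c['recipients'])} recipients, "
              f"hashes={sorted(c['hashes'])}, {c['first']}..{c['last']}")
    print("repeat targets:", repeat_targets(ev))
    print("look-alike sender domains:", lookalike_senders(ev))
```

On this constructed data the blocked mail shows one sender domain sending the same attachment to three finance-side mailboxes within two minutes, one recipient being hit by two unrelated senders the same morning, and a sender domain that differs from the organisation's own by a single character. None of that is visible from a single "blocked" counter, which is the diary's point.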

Vuln: GNU glibc CVE-2018-11237 Local Buffer Overflow Vulnerability

GNU glibc CVE-2018-11237 Local Buffer Overflow Vulnerability
  • May 24th 2018 at 00:00

Vuln: Apache Batik CVE-2018-8013 Information Disclosure Vulnerability

Apache Batik CVE-2018-8013 Information Disclosure Vulnerability
  • May 23rd 2018 at 00:00

[shellcode] Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (113 bytes)

Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (113 bytes)
  • May 23rd 2018 at 00:00

[webapps] Shipping System CMS 1.0 - SQL Injection

Shipping System CMS 1.0 - SQL Injection
  • May 23rd 2018 at 00:00

[local] FTPShell Server 6.80 - Buffer Overflow (SEH)

FTPShell Server 6.80 - Buffer Overflow (SEH)
  • May 23rd 2018 at 00:00

[webapps] SKT LTE Wi-Fi SDT-CW3B1 - Unauthorized Admin Credential Change

SKT LTE Wi-Fi SDT-CW3B1 - Unauthorized Admin Credential Change
  • May 23rd 2018 at 00:00

[dos] FTPShell Server 6.80 - Denial of Service

FTPShell Server 6.80 - Denial of Service
  • May 23rd 2018 at 00:00

[webapps] PHP Dashboards 4.5 - SQL Injection

PHP Dashboards 4.5 - SQL Injection
  • May 23rd 2018 at 00:00

[webapps] Wecodex Hotel CMS 1.0 - 'Admin Login' SQL Injection

Wecodex Hotel CMS 1.0 - 'Admin Login' SQL Injection
  • May 23rd 2018 at 00:00

[webapps] Online Store System CMS 1.0 - SQL Injection

Online Store System CMS 1.0 - SQL Injection
  • May 23rd 2018 at 00:00

[webapps] eWallet Online Payment Gateway 2 - Cross-Site Request Forgery

eWallet Online Payment Gateway 2 - Cross-Site Request Forgery
  • May 23rd 2018 at 00:00

[webapps] Wecodex Restaurant CMS 1.0 - 'Login' SQL Injection

Wecodex Restaurant CMS 1.0 - 'Login' SQL Injection
  • May 23rd 2018 at 00:00

[webapps] Mcard Mobile Card Selling Platform 1 - SQL Injection

Mcard Mobile Card Selling Platform 1 - SQL Injection
  • May 23rd 2018 at 00:00

[webapps] Honeywell Scada System - Information Disclosure

Honeywell Scada System - Information Disclosure
  • May 23rd 2018 at 00:00

[webapps] NewsBee CMS 1.4 - Cross-Site Request Forgery

NewsBee CMS 1.4 - Cross-Site Request Forgery
  • May 23rd 2018 at 00:00

[dos] Siemens SCALANCE S613 - Remote Denial of Service

Siemens SCALANCE S613 - Remote Denial of Service
  • May 23rd 2018 at 00:00

[webapps] Library CMS 1.0 - SQL Injection

Library CMS 1.0 - SQL Injection
  • May 23rd 2018 at 00:00

[webapps] GPSTracker 1.0 - 'id' SQL Injection

GPSTracker 1.0 - 'id' SQL Injection
  • May 23rd 2018 at 00:00

[webapps] School Management System CMS 1.0 - 'username' SQL Injection

School Management System CMS 1.0 - 'username' SQL Injection
  • May 23rd 2018 at 00:00

[webapps] Gigs 2.0 - 'username' SQL Injection

Gigs 2.0 - 'username' SQL Injection
  • May 23rd 2018 at 00:00

[webapps] SAT CFDI 3.3 - SQL Injection

SAT CFDI 3.3 - SQL Injection
  • May 23rd 2018 at 00:00

[webapps] Mobile Card Selling Platform 1 - Cross-Site Request Forgery

Mobile Card Selling Platform 1 - Cross-Site Request Forgery
  • May 23rd 2018 at 00:00

[webapps] Wecodex Store Paypal 1.0 - SQL Injection

Wecodex Store Paypal 1.0 - SQL Injection
  • May 23rd 2018 at 00:00

[webapps] PHP Dashboards 4.5 - 'email' SQL Injection

PHP Dashboards 4.5 - 'email' SQL Injection
  • May 23rd 2018 at 00:00

[dos] Samsung Galaxy S7 Edge - Overflow in OMACP WbXml String Extension Processing

Samsung Galaxy S7 Edge - Overflow in OMACP WbXml String Extension Processing
  • May 23rd 2018 at 00:00

[webapps] MySQL Blob Uploader 1.7 - 'home-filet-edit.php' SQL Injection

MySQL Blob Uploader 1.7 - 'home-filet-edit.php' SQL Injection
  • May 23rd 2018 at 00:00

[webapps] WordPress Plugin Peugeot Music - Arbitrary File Upload

WordPress Plugin Peugeot Music - Arbitrary File Upload
  • May 23rd 2018 at 00:00

'Significant' FBI Error Reignites Data Encryption Debate

By Lily Hay Newman
FBI stats about inaccessible cellphones were inflated, undermining already controversial bureau claims about the threat of encryption.
Yesterday, May 23rd 2018: Your RSS feeds

Advanced VPNFilter malware menacing routers worldwide

Cisco's Talos team says 500k already pwned and leaking data

A newly-disclosed malware infection has compromised more than 500,000 home and small office routers and NAS boxes.…

  • May 23rd 2018 at 20:05

CGEIT Domain 4: Risk Optimization

By Fakhar Imam

Introduction: Risk optimization falls under the fourth domain of ISACA's Certified in the Governance of Enterprise IT (CGEIT) exam and constitutes 24% of the overall objectives of the exam. This domain ensures that the framework for IT risk management is in place to identify, evaluate, monitor, mitigate, and communicate IT-related business risk. In addition, […]

The post CGEIT Domain 4: Risk Optimization appeared first on InfoSec Resources.


CGEIT Domain 4: Risk Optimization was first posted on May 23, 2018 at 2:17 pm.
©2017 InfoSec Resources.

Hunting Threats Inside Packet Captures

Inspection of packet captures (PCAPs) for signs of intrusion is a typical everyday task for security analysts and an essential skill for them to develop. Malware has many ways to hide its activity at the system level (rootkits, for instance), but in the end it must leave a visible trace at the network level, whether or not that traffic is obfuscated or encrypted. This paper guides the reader through a structured way to analyze a PCAP trace, dissecting it with the Bro Network Security Monitor (Bro) to support active threat hunting and detect possible intrusions in a reasonable time.
  • May 23rd 2018 at 00:00
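One hunting technique that fits this workflow, as an added example rather than code from the paper: after Bro has turned the PCAP into conn.log, look for connection pairs whose inter-arrival times are unusually regular, the classic signature of a command-and-control beacon. The conn.log excerpt below is constructed (documentation IP ranges, invented UIDs) and trimmed to the columns the script uses; the thresholds are assumptions to tune for your environment.

```python
import statistics
from collections import defaultdict

# Constructed Bro conn.log excerpt (assumed data, not from the paper). A real conn.log
# carries more columns; only those needed here are present, in Bro's tab-separated layout.
CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
1527148800.000000\tC1a\t10.0.0.5\t50412\t203.0.113.7\t443\ttcp\tssl\t0.31\t612\t1304
1527148805.000000\tC1b\t10.0.0.5\t50413\t198.51.100.20\t443\ttcp\tssl\t1.20\t2310\t48211
1527148859.800000\tC2a\t10.0.0.5\t50418\t203.0.113.7\t443\ttcp\tssl\t0.29\t612\t1304
1527148920.300000\tC3a\t10.0.0.5\t50421\t203.0.113.7\t443\ttcp\tssl\t0.33\t612\t1304
1527148930.000000\tC2b\t10.0.0.5\t50419\t198.51.100.20\t443\ttcp\tssl\t0.80\t1877\t9120
1527148980.100000\tC4a\t10.0.0.5\t50427\t203.0.113.7\t443\ttcp\tssl\t0.30\t612\t1304
1527149039.900000\tC5a\t10.0.0.5\t50430\t203.0.113.7\t443\ttcp\tssl\t0.28\t612\t1304
1527149100.200000\tC6a\t10.0.0.5\t50433\t203.0.113.7\t443\ttcp\tssl\t0.31\t612\t1304
1527149400.000000\tC3b\t10.0.0.5\t50425\t198.51.100.20\t443\ttcp\tssl\t2.10\t3302\t77012
1527149420.000000\tC4b\t10.0.0.5\t50426\t198.51.100.20\t443\ttcp\tssl\t0.40\t910\t4120
1527149500.000000\tC1c\t10.0.0.9\t41002\t203.0.113.7\t443\ttcp\tssl\t0.35\t701\t1290
1527150100.000000\tC5b\t10.0.0.5\t50441\t198.51.100.20\t443\ttcp\tssl\t0.95\t1540\t20318
#close\t2018-05-24-09-00-00
"""


def parse_conn_log(text):
    """Read a Bro TSV log: column names come from the #fields line, other # lines are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_beacons(rows, min_conns=5, max_cv=0.1):
    """Flag (orig, resp, port) pairs whose connection gaps have a low coefficient of variation.

    cv = stdev(gaps) / mean(gaps): a sleep-loop implant with little jitter sits near 0,
    a human browsing the same site does not. Both thresholds are tuning assumptions.
    """
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(
            (float(r["ts"]), r["orig_bytes"]))
    found = []
    for (orig, resp, port), conns in by_pair.items():
        if len(conns) < min_conns:
            continue
        conns.sort()
        ts = [t for t, _ in conns]
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            found.append({"orig": orig, "resp": resp, "port": port, "n": len(conns),
                          "mean_interval": mean, "cv": cv,
                          # constant request sizes are a second, independent beacon hint
                          "distinct_sizes": len({size for _, size in conns})})
    return sorted(found, key=lambda f: f["cv"])


if __name__ == "__main__":
    for b in find_beacons(parse_conn_log(CONN_LOG)):
        print(f"{b['orig']} -> {b['resp']}:{b['port']}  n={b['n']}  "
              f"every {b['mean_interval']:.1f}s  cv={b['cv']:.3f}  sizes={b['distinct_sizes']}")
```

In the sample, 10.0.0.5 reaches 203.0.113.7:443 every minute with identical request sizes and is reported; its traffic to 198.51.100.20 is bursty and is not. Real implants add jitter, so max_cv is the knob that trades misses for noise; the same grouping works on Bro's dns.log and http.log, and a hit here is a lead to pivot on (ssl.log certificate, JA3, the PCAP bytes themselves), not a verdict.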

Stealthy, Destructive Malware Infects Half a Million Routers

By Andy Greenberg
Cisco researchers discover a new router malware outbreak that might also be the next cyberwar attack in Ukraine.

Facebook Is Beefing Up Its Two-Factor Authentication

By Louise Matsakis
The update, now available to most users, comes several months after Facebook was criticized for spamming users' two-factor authentication phone numbers.

Brit Attorney General: Nation state cyber attack is an act of war

And we'll, erm, name and shame bad actors MORE LOUDLY

Hostile states targeting essential infrastructure and services in Britain should be dealt with in the same way as any other attack against the nation, the UK Attorney General said today.…

  • May 23rd 2018 at 16:06

Red Hat Security Advisory 2018-1704-01

Red Hat Security Advisory 2018-1704-01 - Librelp is an easy-to-use library for the Reliable Event Logging Protocol (RELP). RELP is a general-purpose, extensible logging protocol. Issues addressed include a buffer overflow vulnerability.
  • May 23rd 2018 at 16:39

Red Hat Security Advisory 2018-1700-01

Red Hat Security Advisory 2018-1700-01 - The procps-ng packages contain a set of system utilities that provide system information, including ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch, and pwdx. Issues addressed include a heap overflow vulnerability.
  • May 23rd 2018 at 16:38

Red Hat Security Advisory 2018-1701-01

Red Hat Security Advisory 2018-1701-01 - Librelp is an easy-to-use library for the Reliable Event Logging Protocol (RELP). RELP is a general-purpose, extensible logging protocol. Issues addressed include a buffer overflow vulnerability.
  • May 23rd 2018 at 16:38

Microsoft Security Advisory Notification For May, 2018

This Microsoft advisory notification includes advisories released or updated on May 21, 2018.
  • May 23rd 2018 at 16:17