Critical infrastructure operators, law enforcement, and every level of government are all busy incorporating drones into their day-to-day operations. Drones are being used to support an array of applications for traditional infrastructure as well as agriculture, utilities, manufacturing, oil and gas, mining, and heavy industries.
Drone makers and industry end-users are just now starting to recognize that all elements of their connected enterprises have what Jono Anderson, principal, strategy and innovation at KPMG, calls “robust capabilities that encompass individual drones, connected fleets of drones, cloud/enterprise capabilities, and all communications between them.”
When a significant vulnerability like Spring4Shell is discovered, how do you determine if you are at risk? Insurance or verification services might require you to run external tests on web properties. These reports often show spurious exposures that may or may not lead to more issues on your website. You must research false-positive reports and inform management whether the item found is acceptable risk.
I’ve seen false positives on external scans where the scanner found an open port and associated that port with a known issue, even though the affected service was not running on it. Whenever you have a pen test or vulnerability scan, know that you can disagree with the findings and explain to the researcher why the item in question does not make you insecure. However, these processes take time away from other security duties, and sometimes we agree with the findings and find workarounds and mitigations, as that may be faster than arguing with the auditor.
It was discovered that Bash did not properly drop privileges when the binary had the setuid bit enabled. An attacker could possibly use this issue to escalate privileges.