The past few weeks left IT professionals overwhelmed as organizations scrambled to assess if they were vulnerable to threats posed by the Log4Shell vulnerability. As if that weren’t enough of a challenge over the holidays, more Log4j CVEs followed, not all of which deserved equal attention.
And Microsoft’s January Patch Tuesday flaws caused even more confusion, with the first batch of updates breaking functionality, forcing another round of updates.
Such is the predicament often faced by IT and cybersecurity professionals: Figuring out which vulnerabilities are most critical and deserve immediate attention, what can wait, and when to trust and apply an update.
The past few weeks left IT professionals overwhelmed as organizations scrambled to assess if they were vulnerable to threats posed by the Log4Shell vulnerability. As if that weren’t enough of a challenge over the holidays, more Log4j CVEs followed, not all of which deserved equal attention.
And Microsoft’s January Patch Tuesday flaws caused even more confusion, with the first batch of updates breaking functionality, forcing another round of updates.
Such is the predicament often faced by IT and cybersecurity professionals: Figuring out which vulnerabilities are most critical and deserve immediate attention, what can wait, and when to trust and apply an update.
The U.S. federal government has been very active the past year, particularly with the cybersecurity executive order (EO) and associated tasks and goals that have come out of it. One framework and industry source that has been getting increased attention is the NIST Cybersecurity Framework (CSF).
The CSF came out of another EO, 13636, which is from 2013 and directed NIST to work with stakeholders to develop a voluntary framework for reducing risk to critical infrastructure. It was produced through coordinated efforts with industry and government, which have both widely adopted the framework.
Here’s how the CSF is composed, how aspects of it can help meet some of the recent cybersecurity EO objectives, and how any organization can use it to better map risk to threats.
The U.S. federal government has been very active the past year, particularly with the cybersecurity executive order (EO) and associated tasks and goals that have come out of it. One framework and industry source that has been getting increased attention is the NIST Cybersecurity Framework (CSF).
The CSF came out of another EO, 13636, which is from 2013 and directed NIST to work with stakeholders to develop a voluntary framework for reducing risk to critical infrastructure. It was produced through coordinated efforts with industry and government, which have both widely adopted the framework.
Here’s how the CSF is composed, how aspects of it can help meet some of the recent cybersecurity EO objectives, and how any organization can use it to better map risk to threats.
Tavis Ormandy discovered that incorrect parsing of pkcs7 sequences in
nss, the Mozilla Network Security Service library, may result in denial
of service.
Donot Team, a threat actor operating since at least 2016, has been waging a two-year campaign of cyber espionage attacks against South Asian countries bordering India, researchers at cybersecurity company ESET reported last week. International human rights group Amnesty International has alleged that there are links between the attack infrastructure used by Donot Team and Delhi-based information security company Innefu Labs, something the company has denied.
In its report on cyberattacks against a human rights campaigner in the African country of Togo, Amnesty accused Innefu Labs of playing a role in the development of spyware tools linked to Donot Team, although it said there was no technical evidence to suggest Donot Team was directly responsible for or aware of attacks against the campaigner in Togo.
Donot Team, a threat actor operating since at least 2016, has been waging a two-year campaign of cyber espionage attacks against South Asian countries bordering India, researchers at cybersecurity company ESET reported last week. International human rights group Amnesty International has alleged that there are links between the attack infrastructure used by Donot Team and Delhi-based information security company Innefu Labs, something the company has denied.
In its report on cyberattacks against a human rights campaigner in the African country of Togo, Amnesty accused Innefu Labs of playing a role in the development of spyware tools linked to Donot Team, although it said there was no technical evidence to suggest Donot Team was directly responsible for or aware of attacks against the campaigner in Togo.
