Caitlin Condon

If you think Russian cyber actors are a threat, the time to start increasing your native CTI capability is NOW. As of last week, it's clear the federal government has its fingers on the attribution scale. Even commercial attribution is suspect given retribution against contractors.

87

4 Comments

I haven't seen any announcement about this, but the PCI Security Standards Council has published an update in the last few days to the "Guidance for PCI DSS Requirements 6.4.3 and 11.6.1" Information Supplement. In the original version, it said "Note that PCI DSS Requirements 6.4.3 and 11.6.1 do not apply to merchants with webpages that redirect to a TPSP’s page (for example, via an HTTP 30x redirect, a meta redirect tag, or a JavaScript redirect)." That's been removed, and in its place it now says "Note that, where scripts are used as part of a redirection mechanism, PCI DSS Requirements 6.4.3 and 11.6.1 will apply to those scripts." The thing is, by fully-redirecting to a PCI DSS-compliant payment service provider or processor to take payments, the merchant doesn't have a payment page - and it's only the payment page (or parent page when iframes are used) that these requirements apply to. While I think protecting all JavaScript on a website is a really good security best practice - whether that's using CSP+SRI, Jscrambler's Webpage Integrity product, or something else, I'm currently scratching my head as to how this change to the guidance - which "does not replace or supersede requirements in any PCI SSC Standard" - currently applies. I'm curious to hear what others think...

54

17 Comments

Are #cybersecurity incidents growing more costly? Cyentia Institute's recent Information Risk Insights Study points to a 15-fold increase in the cost of #incidents and #databreaches over the last 15 years. The chart on the left shows the distribution of known/reported financial losses from incidents across the time period of study. The typical (median) incident costs about $600K, while more extreme (95th percentile) losses swell to $32M. Note that the chart uses a log scale, so the tail of large losses is a lot longer than it appears. The chart on the right trends the escalating costs of cyber events over time. Median losses from a security incident have absolutely exploded over the last 15 years, rising 15-fold from $190K to almost $3 million! The cost of extreme events has also risen substantially (~5x). So, yeah—cyber events are definitely growing more costly. That said, this picture looks a lot different among different types and sizes of organizations. How are cyber losses trending for orgs like yours? Download the full IRIS 2025 to find out! Link in the comments.

102

15 Comments

Helpful read: CISA and FBI's Secure by Design Alert on buffer overflows Memory safety vulnerabilities like buffer overflows are responsible for up to 2/3 of all vulnerabilities in memory unsafe code, and a significant portion of vulnerabilities exploited in the wild. Check out the guidance for the business case on why companies should adopt memory-safe languages, in line with secure by design principles. https://lnkd.in/gVSu67Hq

57

1 Comment

2024 set in motion major changes for certificate lifespans and DCV. In this Root Causes Podcast lookback episode Jason Soroko and I discuss the Apple 47-day proposal, stepping down certificate term, public versus private CA use cases, DCV reuse periods, MPIC, WHOIS, and other topics. Audio: https://lnkd.in/gH3Z-adY Video: https://lnkd.in/gN_VpVPy #pki #security

29

This week, MITRE minted a new CNA (Saviynt). They stood out to me because not only do they break from a long-term historical policy, again, they do it in a new way. Traditionally MITRE was adamant that a CVE must reference a publicly available source for provenance. The last few years they have broken from that, largely due to being hands-off and doing zero QA on the submissions, but they allowed for IDs to be assigned to advisories behind a paywall. Saviynt is a bit different in that not only do they have a paywall that requires them approving access to, but then you must sign a mutual NDA to view the advisory. There is only one advisory published there, and despite being approved still can't see it. So, I don't know if there is a new CVE ID there, an existing ID (e.g. third-party library usage), or an advisory without a CVE ID. MITRE is not making this whole vulnerability tracking thing any easier.

54

12 Comments

Vulnerability Assessments CIP-010-r3 Requires paper or active vulnerability assessment 95% doing paper assessments because of fragility of control system networks Introducing a network based Digital Twin as a way to do vulnerability scanning Including an AI reasoning agent as an adversary simulation Purely offline. -Brian Proctor Frenos Brian Proctor EnergySec

55