fro

New Law Prohibits Florida Businesses from Requiring Vaccine Passport from Patrons and Customers

On May 3, Governor Ron DeSantis signed into law SB 2006 (codified as Section 381.00316, Florida Statutes).  The law prevents business entities from requiring that patrons or customers provide documentation certifying COVID-19 vaccination or post-infection recovery to enter or obtain service from a business in Florida. It also prohibits educational institutions from requiring students or residents, and governmental entities from requiring persons, to provide vaccination passports or proof of post-infection recovery.




fro

Temperatures Sizzle at Cal/OSHA Standards Meeting After Indoor Heat Illness Proposal Removed from Agenda

Update: On June 20, 2024, the Cal/OSHA Standards Board unanimously approved an amended version of the proposed indoor heat illness prevention regulation which specifically excluded the government entities (mainly correctional facilities) whose inclusion had led to the earlier rejection by the Director Finance. The Board also requested that the Office of Administrative Law (OAL) expedite their review and allow the regulation to become effective immediately upon OAL approval.

*  *  *




fro

Phoenix City Council Requires Heat Safety Plans from City Contractors

On March 26, 2024, the Phoenix (Arizona) City Council unanimously passed an ordinance requiring all city contractors and subcontractors to develop and maintain a written heat safety plan to prevent heat-related illnesses and injuries in the workplace. Outdoor workers in Phoenix may be susceptible to heat-related illness and injury due to the extreme Arizona temperatures.




fro

Deploying AI for Worker Safety Needs Legal Prep From Employers

Bradford Kelley talks about the promise of AI tools to increase worker health and safety in the workplace.

Bloomberg Law

View (Subscription required)




fro

From Michael Scott to Bill Lumbergh: Legal Strategies for When a Manager Goes Rogue




fro

Littler Attains 2023-2024 Mansfield Certification Plus Status From Diversity Lab

(October 2, 2024) – For the seventh consecutive year, Littler, the world’s largest employment and labor law practice representing management, has achieved 2023-2024 Mansfield Certification Plus status through Diversity Lab. This year-long, structured certification process confirms that all talent at participating law firms have fair and equal opportunities to advance into leadership. To achieve “Plus” designation, firms voluntarily provide data showing their progress and the outcomes of their efforts to broaden talent pools and increase visibility of advancement processes.




fro

Illinois Guidance Finds Law Does Not Prohibit Private Employers from Using E-Verify

The Illinois Department of Labor (IDOL) has just issued some much-needed guidance, through Frequently Asked Questions (FAQs), on whether enrollment and use of E-Verify is prohibited in Illinois for private employers that do not have federal contracts. The answer is NO.




fro

Court Thwarts Efforts to Conceal Driving History Information from Employers

Rod M. Fliegel and Cirrus Jahangiri discuss what a recent court of appeal decision means for employers in California, who are often restricted from access to employees’ public records, including criminal history information.

SHRM Online

View (Subscription required)




fro

Few of Workers’ Biggest Gains From Biden Era Are Safe From Trump

Michael Lotito says everything is on the table when it comes to changes the Trump administration will make in American labor.

Bloomberg Law

View (Subscription required)




fro

ETSI launches new group on 5th generation Fixed Network shifting the paradigm from Fibre to the Home to Fiber to Everything Everywhere

ETSI launches new group on 5th generation Fixed Network shifting the paradigm from Fibre to the Home to Fiber to Everything Everywhere

Sophia Antipolis, 26 February 2020

ETSI announces today the launch of a new group dedicated to specifying the fifth generation of Fixed Network (ETSI ISG F5G). In a launch via an online press and industry briefing yesterday, various speakers expressed their view on the need for standardization in this area.

Read More...




fro

ETSI releases the first Group Report on Encrypted Traffic Integration, protecting end users from malicious attacks

ETSI releases the first Group Report on Encrypted Traffic Integration, protecting end users from malicious attacks

Sophia Antipolis, 1 September 2021

ETSI’s Industry Specification Group on Encrypted Traffic Integration (ISG ETI) has concluded the early part of its work, by identifying problems arising from pervasive encrypted traffic in communications networks.

Read More...




fro

ETSI Protection Profile for securing smartphones gains world-first certification from French Cybersecurity Agency

Sophia Antipolis, 12 January 2024

In a significant step highlighting the critical importance of security for mobile device users, the French National Cybersecurity Agency (ANSSI) has certified ETSI's Consumer Mobile Device Protection Profile under the Common Criteria global certification framework. This represents the first certification by a national administration of a comprehensive suite of specifications for assessing the security of smartphones.

Read More...




fro

New York: Tanya Taylor - From McGill to Madison Avenue

Starts: Wed, 13 Nov 2024 20:00:00 -0500
11/13/2024 06:00:00PM
Location: New York, U. S. A.




fro

A Galaxy Within: Single-Cell Genomics Open a New Frontier to Understanding the Brain

Starts: Thu, 14 Nov 2024 20:00:00 -0500
11/14/2024 06:00:00PM
Location: montreal, Canada




fro

The New Negro and the Black Image: From Booker T. Washington to Alain Locke

New essay, "The New Negro and the Black Image: From Booker T. Washington to Alain Locke," by Henry Louis Gates, Jr., the Alphonse Fletcher University Professor and the Director of the W. E. B. Du Bois Institute for African and African American Research at Harvard University, added to Freedom's Story: Teaching African American Literature and History, TeacherServe from the National Humanities Center.




fro

CSA Notice Regarding Coordinated Blanket Order 96-932 Re Temporary Exemptions from Certain Derivatives Data Reporting Requirements

This document is only available as a PDF.




fro

From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25

Twenty five years after the launch of CVE, the Tenable Security Response Team has handpicked 25 vulnerabilities that stand out for their significance.

Background

In January 1999, David E. Mann and Steven M. Christey published the paper “Towards a Common Enumeration of Vulnerabilities” describing an effort to create interoperability between multiple vulnerability databases. To achieve a common taxonomy for vulnerabilities and exposures, they proposed Common Vulnerabilities and Exposures (CVE). In September 1999, the MITRE Corporation finalized the first CVE list, which included 321 records. CVE was revealed to the world the following month.

As of October 2024, there are over 240,000 CVEs. including many that have significantly impacted consumers, businesses and governments. The Tenable Security Response Team has chosen to highlight the following 25 significant vulnerabilities, followed by links to product coverage for Tenable customers to utilize.

25 Significant CVEs

CVE-1999-0211: SunOS Arbitrary Read/Write Vulnerability

Arbitrary ReadArbitrary WriteLocalCritical1999Why it’s significant: To our knowledge, there is no formally recognized “first CVE.” However, the GitHub repository for CVE.org shows that the first CVE submitted was CVE-1999-0211 on September 29, 1999 at 12:00AM. Because it was the first one, we’ve chosen to highlight it. The vulnerability was first identified in 1991 and a revised patch was issued in 1994.

CVE-2010-2568: Windows Shell Remote Code Execution Vulnerability

Remote Code ExecutionExploitedZero-DayLocalStuxnetHigh2010Why it’s significant: Regarded as one of the most sophisticated cyberespionage tools ever created, Stuxnet was designed to target SCADA systems in industrial environments to reportedly sabotage Iran's nuclear program. Stuxnet exploited CVE-2010-2568 as one of its initial infection vectors, spreading via removable drives. Once a compromised USB drive was inserted into a system, Stuxnet was executed automatically via the vulnerability, infecting the host machine, propagating to other systems through network shares and additional USB drives.

CVE-2014-0160: OpenSSL Information Disclosure Vulnerability

HeartbleedInformation DisclosureExploitedZero-DayNetworkCybercriminalsHigh2014Why it’s significant: Dubbed “Heartbleed” because it was found in the Heartbeat extension of OpenSSL, this vulnerability allows an attacker, without prior authentication, to send a malicious heartbeat request with a false length field, claiming the packet contains more data than it does. The receiving system would then return data from its memory extending beyond the legitimate request, which may include sensitive private data, such as server keys and user credentials. OpenSSL is used by millions of websites, cloud services, and even VPN software, for encryption, making Heartbleed one of the most widespread vulnerabilities at the time.

CVE-2014-6271: GNU Bash Shellshock Remote Code Execution Vulnerability

Shellshock Bash Bug Remote Code ExecutionExploitedZero-DayNetworkCybercriminalsCritical2014Why it’s significant: An attacker could craft an environment variable that contained both a function definition and additional malicious code. When Bash, a command interpreter used by Unix-based systems including Linux and macOS, processed this variable, it would execute the function, but also run the arbitrary commands appended after the function definition. “Shellshock” quickly became one of the most severe vulnerabilities discovered, comparable to Heartbleed’s potential impact. Attackers could exploit Shellshock to gain full control of vulnerable systems, leading to data breaches, service interruptions and malware deployment. The impact extended far beyond local systems. Bash is used by numerous services, particularly web servers, via CGI scripts to handle HTTP requests.

CVE-2015-5119: Adobe Flash Player Use After Free

Remote Code Execution Denial-of-ServiceExploitedZero-DayCybercriminalsAPT GroupsCritical2015Why it’s significant: Discovered during the Hacking Team data breach, it was quickly weaponized, appearing in multiple exploit kits. CVE-2015-5119 is a use-after-free flaw in Flash’s ActionScript ByteArray class, allowing attackers to execute arbitrary code by tricking users into visiting a compromised website. It was quickly integrated into attack frameworks used by Advanced Persistent Threat (APT) groups like APT3, APT18, and Fancy Bear (APT28). These groups, with ties to China and Russia, used the vulnerability to spy on and steal data from governments and corporations. Fancy Bear has been associated with nation-state cyber warfare, exploiting Flash vulnerabilities for political and military intelligence information gathering​. This flaw, along with several other Flash vulnerabilities, highlighted Flash’s risks, accelerating its eventual phase-out.

CVE-2017-11882: Microsoft Office Equation Editor Remote Code Execution Vulnerability

Remote Code ExecutionExploitedNetworkCybercriminalsAPT GroupsHigh2017Why it’s significant: The vulnerability existed for 17 years in Equation Editor (EQNEDT32.EXE), a Microsoft Office legacy component used to insert and edit complex mathematical equations within documents. Once CVE-2017-11882 became public, cybercriminals and APT groups included it in maliciously crafted Office files. It became one of 2018’s most exploited vulnerabilities and continues to be utilized by various threat actors including SideWinder.

CVE-2017-0144: Windows SMB Remote Code Execution Vulnerability

EternalBlueRemote Code ExecutionExploitedNetworkWannaCry NotPetyaHigh2017Why it’s significant: CVE-2017-0144 was discovered by the National Security Agency (NSA) and leaked by a hacker group known as Shadow Brokers, making it widely accessible. Dubbed “EternalBlue,” its capacity to propagate laterally through networks, often infecting unpatched machines without human interaction, made it highly dangerous. It was weaponized in the WannaCry ransomware attack in May 2017 and spread globally. It was reused by NotPetya, a data-destroying wiper originally disguised as ransomware. NotPetya targeted companies in Ukraine before spreading worldwide. This made it one of history’s costliest cyberattacks.

CVE-2017-5638: Apache Struts 2 Jakarta Multipart Parser Remote Code Execution Vulnerability

Remote Code ExecutionExploitedNetworkEquifax BreachCritical2017Why it’s significant: This vulnerability affects the Jakarta Multipart Parser in Apache Struts 2, a popular framework for building Java web applications. An attacker can exploit it by injecting malicious code into HTTP headers during file uploads, resulting in remote code execution (RCE), giving attackers control of the web server. CVE-2017-5638 was used in the Equifax breach, where personal and financial data of 147 million people was stolen, emphasizing the importance of patching widely-used frameworks, particularly in enterprise environments, to prevent catastrophic data breaches.

CVE-2019-0708: Remote Desktop Services Remote Code Execution Vulnerability

BlueKeep DejaBlue Remote Code ExecutionExploitedNetworkRansomware GroupsCybercriminalsCritical2019Why it’s significant: Dubbed "BlueKeep," this vulnerability in Windows Remote Desktop Services (RDS) was significant for its potential for widespread, self-propagating attacks, similar to the infamous WannaCry ransomware. An attacker could exploit this flaw to execute arbitrary code and take full control of a machine through Remote Desktop Protocol (RDP), a common method for remote administration. BlueKeep was featured in the Top Routinely Exploited Vulnerabilities list in 2022 and was exploited by affiliates of the LockBit ransomware group.

CVE-2020-0796: Windows SMBv3 Client/Server Remote Code Execution Vulnerability

SMBGhost EternalDarknessRemote Code ExecutionExploited NetworkCybercriminalsRansomware GroupsCritical2020Why it’s significant: Its discovery evoked memories of EternalBlue because of the potential for it to be wormable, which is what led to it becoming a named vulnerability. Researchers found it trivial to identify the flaw and develop proof-of-concept (PoC) exploits for it. It was exploited in the wild by cybercriminals, including the Conti ransomware group and its affiliates.

CVE-2019-19781: Citrix ADC and Gateway Remote Code Execution Vulnerability

Path TraversalExploitedNetworkAPT GroupsRansomware GroupsCybercriminalsCritical2019Why it’s significant: This vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway is significant due to its rapid exploitation by multiple threat actors, including state-sponsored groups and ransomware affiliates. By sending crafted HTTP requests, attackers could gain RCE and take full control of affected devices to install malware or steal data. The vulnerability remained unpatched for a month after its disclosure, leading to widespread exploitation. Unpatched systems are still being targeted today, highlighting the risk of ignoring known vulnerabilities.

CVE-2019-10149: Exim Remote Command Execution Vulnerability

Remote Command ExecutionExploitedNetworkAPT GroupsCybercriminalsCritical2019Why it’s significant: This vulnerability in Exim, a popular Mail Transfer Agent, allows attackers to execute arbitrary commands with root privileges simply by sending a specially crafted email. The availability of public exploits led to widespread scanning and exploitation of vulnerable Exim servers, with attackers using compromised systems to install cryptocurrency miners (cryptominers), launch internal attacks or establish persistent backdoors. The NSA warned that state-sponsored actors were actively exploiting this flaw to compromise email servers and gather sensitive information.

CVE-2020-1472: Netlogon Elevation of Privilege Vulnerability

ZerologonElevation of PrivilegeExploitedLocalRansomware GroupsAPT GroupsCybercriminalsCritical2020Why it’s significant: This vulnerability in the Netlogon Remote Protocol (MS-NRPC) allows attackers with network access to a Windows domain controller to reset its password, enabling them to impersonate the domain controller and potentially take over the entire domain. Its severity was underscored when Microsoft reported active exploitation less than two months after disclosure and the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to patch the flaw. Despite available patches, it continues to be exploited by ransomware groups, APT groups, and others, highlighting its broad and ongoing impact on network security.

CVE-2017-5753: CPU Speculative Execution Bounds Check Bypass Vulnerability

SpectreSpeculative Execution Bounds Check BypassLocalMedium2018Why it’s significant: In a speculative execution process, an idle microprocessor waiting to receive data speculates what the next instruction might be. Although meant to enhance performance, this process became a fundamental design flaw affecting the security of numerous modern processors. In Spectre’s case, an attacker-controlled process could read arbitrary memory belonging to another process. Since its discovery in January 2018, Spectre has affected nearly all modern processors from Intel, AMD and ARM. While it’s difficult to execute a successful Spectre attack, fully remediating the root cause is hard and requires microcode as well as operating system updates to mitigate the risk.

CVE-2017-5754: CPU Speculative Execution Rogue Data Cache Load Vulnerability

MeltdownSpeculative Execution Rogue Data Cache LoadLocalHigh2018Why it’s significant: Meltdown, another speculative execution vulnerability released alongside Spectre, can allow a userspace program to read privileged kernel memory. It exploits a race condition between the memory access and privilege checking while speculatively executing instructions. Meltdown impacts desktop, laptop and cloud systems and, according to researchers, may affect nearly every Intel processor released since 1995. With a wide reaching impact, both Spectre and Meltdown sparked major interest in a largely unexplored security area. The result: a slew of research and vulnerability discoveries, many of which were also given names and logos. While there’s no evidence of a successful Meltdown exploit, the discovery showcased the risk of security boundaries enforced by hardware.

CVE-2021-36942: Windows LSA Spoofing Vulnerability

PetitPotamSpoofingExploitedZero-DayNetworkRansomware GroupsHigh2021Why it’s significant: This vulnerability can force domain controllers to authenticate to an attacker-controlled destination. Shortly after a PoC was disclosed, it was adopted by ransomware groups like LockFile, which have chained Microsoft Exchange vulnerabilities with PetitPotam to take over domain controllers. Patched in the August 2021 Patch Tuesday release, the initial patch for CVE-2021-36942 only partially mitigated the issue, with Microsoft pushing general mitigation guidance for defending against NTLM Relay Attacks.

CVE-2022-30190: Microsoft Windows Support Diagnostic Tool Remote Code Execution

FollinaRemote Code ExecutionExploitedZero-DayLocalQakbot RemcosHigh2022Why it’s significant: Follina, a zero-day RCE vulnerability in MSDT impacting several versions of Microsoft Office, was later designated CVE-2022-30190. After public disclosure in May 2022, Microsoft patched Follina in the June 2022 Patch Tuesday. After disclosure, reports suggested that Microsoft dismissed the flaw’s initial disclosure as early as April 2022. Follina has been widely adopted by threat actors and was associated with some of 2021’s top malware strains in a joint cybersecurity advisory from CISA and the Australian Cyber Security Centre (ACSC), operating under the Australian Signals Directorate (ASD).

CVE-2021-44228: Apache Log4j Remote Code Execution Vulnerability

Log4ShellRemote Code ExecutionExploitedNetworkCybercriminalsAPT GroupsCritical2021Why it’s significant: Log4j, a Java logging library widely used across many products and services, created a large attack surface. The discovery of CVE-2021-44228, dubbed “Log4Shell,” caused great concern, as exploitation simply requires sending a specially crafted request to a server running a vulnerable version of Log4j. After its disclosure, Log4Shell was exploited in attacks by cryptominers, DDoS botnets, ransomware groups and APT groups including those affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC).

CVE-2021-26855: Microsoft Exchange Server Server-Side Request Forgery Vulnerability

ProxyLogonServer-Side Request Forgery (SSRF)ExploitedZero-DayNetworkAPT Groups Ransomware GroupsCybercriminalsCritical2021Why it’s significant: CVE-2021-26855 was discovered as a zero-day along with four other vulnerabilities in Microsoft Exchange Server. It was exploited by a nation-state threat actor dubbed HAFNIUM. By sending a specially crafted HTTP request to a vulnerable Exchange Server, an attacker could steal the contents of user mailboxes using ProxyLogon. Outside of HAFNIUM, ProxyLogon has been used by ransomware groups and other cybercriminals. Its discovery created a domino effect, as other Exchange Server flaws, including ProxyShell and ProxyNotShell, were discovered, disclosed and subsequently exploited by attackers.

CVE-2021-34527: Microsoft Windows Print Spooler Remote Code Execution Vulnerability

PrintNightmareRemote Code ExecutionExploitedLocalAPT GroupsRansomware GroupsCybercriminalsHigh2021Why it’s significant: This RCE in the ubiquitous Windows Print Spooler could grant authenticated attackers arbitrary code execution privileges as SYSTEM. There was confusion surrounding the disclosure of this flaw, identified as CVE-2021-34527 and dubbed “PrintNightmare.” Originally, CVE-2021-1675, disclosed in June 2021, was believed to be the real PrintNightmare. However, Microsoft noted CVE-2021-1675 is “similar but distinct” from PrintNightmare. Since its disclosure, several Print Spooler vulnerabilities were disclosed, while a variety of attackers, including the Magniber and Vice Society ransomware groups exploited PrintNightmare.

CVE-2021-27101: Accellion File Transfer Appliance (FTA) SQL Injection Vulnerability

SQL InjectionExploitedZero-DayNetworkRansomware GroupCritical2021Why it’s significant: The file transfer appliance from Accellion (now known as Kiteworks) was exploited as a zero-day by the CLOP ransomware group between December 2020 and early 2021. Mandiant, hired by Kiteworks to investigate, determined that CLOP (aka UNC2546) exploited several flaws in FTA including CVE-2021-27101. This was CLOP’s first foray into targeting file transfer solutions, as they provide an easy avenue for the exfiltration of sensitive data that can be used to facilitate extortion.

CVE-2023-34362: Progress Software MOVEit Transfer SQL Injection Vulnerability

SQL InjectionExploitedZero-DayNetworkRansomware GroupCritical2023Why it’s significant: CLOP’s targeting of file transfer solutions culminated in the discovery of CVE-2023-34362, a zero-day in Progress Software’s MOVEit Transfer, a secure managed file transfer software. CLOP targeted MOVEit in May 2023 and the ramifications are still felt today. According to research conducted by Emsisoft, 2,773 organizations have been impacted and information on over 95 million individuals has been exposed as of October 2024. This attack underscored the value in targeting file transfer solutions.

CVE-2023-4966: Citrix NetScaler and ADC Gateway Sensitive Information Disclosure Vulnerability

CitrixBleedInformation DisclosureExploitedZero-DayNetworkRansomware GroupsAPT GroupsCritical2023Why it’s significant: CVE-2023-4966, also known as “CitrixBleed,” is very simple to exploit. An unauthenticated attacker could send a specially crafted request to a vulnerable NetScaler ADC or Gateway endpoint and obtain valid session tokens from the device’s memory. These session tokens could be replayed back to bypass authentication, and would persist even after the available patches had been applied. CitrixBleed saw mass exploitation after its disclosure, and ransomware groups like LockBit 3.0 and Medusa adopted it.

CVE-2023-2868: Barracuda Email Security Gateway (ESG) Remote Command Injection Vulnerability

Remote Command InjectionExploitedZero-DayNetworkAPT GroupsCritical2023Why it’s significant: Researchers found evidence of zero-day exploitation of CVE-2023-2868 in October 2022 by the APT group UNC4841. While Barracuda released patches in May 2023, the FBI issued a flash alert in August 2023 declaring them “ineffective,” stating that “active intrusions” were being observed on patched systems. This led to Barracuda making an unprecedented recommendation for the “immediate replacement of compromised ESG appliances, regardless of patch level.”

CVE-2024-3094: XZ Utils Embedded Malicious Code Vulnerability

Embedded Malicious CodeZero-DayUnknown Threat Actor (Jia Tan)Critical2024Why it’s significant: CVE-2024-3094 is not a traditional vulnerability. It is a CVE assigned for a supply-chain backdoor discovered in XZ Utils, a compression library found in various Linux distributions. Developer Andres Freund discovered the backdoor while investigating SSH performance issues. CVE-2024-3094 highlighted a coordinated supply chain attack by an unknown individual that contributed to the XZ GitHub project for two and a half years, gaining the trust of the developer before introducing the backdoor. The outcome of this supply chain attack could have been worse were it not for Freund’s discovery.

Identifying affected systems

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages:




fro

Context Is King: From Vulnerability Management to Exposure Management

Vulnerability management remains a cornerstone of preventive cybersecurity, but organizations still struggle with vulnerability overload and sophisticated threats. Tenable’s new Exposure Signals gives security teams comprehensive context, so they can shift from vulnerability management to exposure management and effectively prioritize high-risk exposures across their complex attack surface.

A critical vulnerability has been disclosed and attackers worldwide are actively exploiting it in the wild. Your vulnerability management team jumps into action and determines that the vulnerability is present in hundreds of your organization’s assets. Which ones do you patch first? How do you prioritize your remediation efforts? What criteria do you use? The clock is ticking. Hackers are on the prowl.

Historically, your vulnerability management team would rely on severity scores like Vulnerability Priority Rating (VPR). This is a great start, but only gives you one indicator of risk. To prioritize remediation precisely and effectively, you need to consider a variety of other criteria, such as a vulnerable asset’s type, owner, and function; the access-level and privileges on the asset; and critical attack paths into your environment.

This type of comprehensive, holistic context will let you prioritize correctly, but it can only be achieved with a different approach that goes beyond traditional vulnerability management. That approach is exposure management. 

With exposure management, your vulnerability management team would be able to pinpoint the subset of assets affected by our hypothetical vulnerability that, for example, are externally accessible, possess domain-level privileges and are part of a critical attack path. That way they would know where the greatest risk is and what they need to remediate first. Having this deep insight, context and visibility transforms the risk assessment equation, and allows your vulnerability management team to move decisively, quickly and strategically.

In this blog, we’ll outline why it’s imperative for your vulnerability management teams to shift to an exposure management mindset, and we’ll explain how Tenable can help them do it.

To pinpoint riskiest vulns, vulnerability management needs broader exposure context 

In today's evolving cybersecurity landscape, vulnerability management remains one of the foundational pieces of an organization's proactive defense strategy. However, these teams still have difficulty in addressing the increased level of risks posed by the continuous surge of Common Vulnerabilities and Exposures (CVEs) and other flaws.

Many security teams are frequently overwhelmed by the sheer volume of vulnerabilities with limited resources to manage them effectively. The sophistication and speed of threat actors has escalated, with attackers having more entry points and using new tactics, techniques and procedures to access other critical areas of the business - demonstrating that attacks are no longer linear but multifaceted.

It’s common for security teams to struggle with:

  • Vulnerability overload - This long-standing problem keeps getting worse. Security teams are finding it more difficult than ever to sift through the avalanche of CVEs and identify the areas of the business that have the most risk.
     
  •  Lack of exposure context for prioritization - Your teams are making decisions while missing layers of context. Threat intelligence and vulnerability severity are a great start, but limiting yourself to them doesn’t give you the full context you need to prioritize properly. 
     
  • Slow remediation response - Both proactive and reactive security teams devote massive amounts of time to responding to critical vulnerabilities. Resources are spread thin, making it more important than ever for teams to confidently identify the most high risk exposures when recommending remediation efforts.

Need to shift from a vulnerability to an exposure mindset

Knowing the struggles that you are dealing with today can help illuminate the benefits of exposure management. The missing links between a vulnerability and an exposure are the additional layers of context. Having multidimensional context enables you to understand not just the vulnerabilities themselves but their potential impact within the broader attack surface. This approach provides a more comprehensive view of an organization's security posture by considering factors such as threat intelligence, asset criticality, identities and access, as well as other pieces of context. With this additional information, you spend significantly less time sorting through stacks of similar vulnerabilities and you can be more focused on identifying key issues that pose risk - exposures.

For those who have never heard of exposure management or are just getting started, there are many benefits to this discipline. When it comes to Tenable’s approach, we adopt that same mentality with our exposure management platform. The goal is simple: exposure management empowers organizations to prioritize remediation efforts more effectively. It surfaces information that helps develop strategies to address not only the vulnerabilities themselves but the emergence of exposures that could lead to significant breaches.

The jump from vulnerability to exposure

Bridging the gap from vulnerability management to exposure management requires connecting context across the entire attack surface. Vulnerability management provides context that predicts the likelihood of an attack and displays key drivers, age of vulnerability and threat sources. These attributes are helpful, but we can go much further to improve our prioritization effectiveness. This requires having broader visibility and deeper insights across the attack surface to understand the bigger picture of exposures.

Specifically, security teams need additional context around:

  • Asset context - There are many levels to an asset that can help drive prioritization decisions. It’s key to understand the criticality of an asset related to its type, function, owner name and its relationships to other assets. Even knowing if the asset is accessible from the internet or not will shape how its remediation is prioritized.
     
  • Identities - Identities serve as the cornerstone for successful attacks, so it’s key to contextualize them for exposure management. Understanding user-privilege levels, entitlements and user information can help prevent attackers from gaining privilege escalation and moving laterally. Focusing prioritization efforts on vulnerable assets with domain and admin-level privileges is a critical best practice in order to reduce the likelihood of a breach.
     
  • Threat context - Having various levels of threat context is also important to prioritize exposures. We know that threats change over time, so leveraging dynamic scoring like VPR or Asset Exposure Score (AES) can show indicators of risk. We can also bring in context from attack path modeling to influence remediation decisions based on the attacker’s perspective by understanding the number of critical attack paths or choke points in your environment.

When security analysts have this additional information, they can now truly understand the breadth and depth of the exposure. This is how prioritization is done in this new world of exposure management.

Introducing Exposure Signals

To help make it easier for you to shift to this exposure management mindset, we have developed a new prioritization capability called Exposure Signals. Available in Tenable One, Tenable’s exposure management platform, Exposure Signals allows security teams to have more comprehensive context in a centralized place for a focused view of risk. 

There are two ways to use these new Exposure Signals. The first is to access a comprehensive library of high-risk, prebuilt signals. Easy to refer to, they signal potential risk in your environment and create a great starting point for you to get your exposure management juices flowing. For example, you can easily see and refer to: 

  • Domain admin group on internet-exposed hosts with critical vulnerabilities
  • Devices exposed to the internet via RDP with an associated identity account with a compromised password
  • Cloud assets with critical severity findings and asset exposure score above 700

Exposure Signals allow you to track the number of violations that signal high-risk scenarios in your environment. View this list on a regular basis to see how it changes over time with its unique trendline. Take exploration into your own hands by viewing the impacted asset and its contextual intelligence in our Inventory Module. 

The second way to use Exposure Signals is by creating your own signals using a query builder or natural language processing (NLP) search powered by ExposureAI. That way, you can go as broad or as precise as needed. For example, let’s say there is a new zero day vulnerability that sweeps the industry, similar to Log4Shell. You can easily create a signal to target which assets have the vulnerability, are internet facing and have domain admin-level privileges. We are stringing these components together so that you can understand your true risk and better direct your prioritization efforts.

To learn more about Tenable One and Exposure Signals, check out our interactive demo:




fro

Social Media for Science Outreach – A Case Study: Lessons From a Campaign Twitter Account

James King is a geomorphologist interested in exploring the processes that govern sediment transport and




fro

Canadian securities regulators publish coordinated blanket orders to provide temporary exemptions from certain derivatives data reporting requirements

TORONTO – The Canadian Securities Administrators (CSA) today published




fro

SpotOn London 2012 Storify: Fixing the fraud: how do we safeguard science from misconduct?

#solo12fraud




fro

You look like death : tales from the Umbrella Academy / story, Gerard Way and Shaun Simon ; art & colors, I.N.J. Culbard ; letters, Nate Piekos of Blambot ; cover and chapter breaks by Gabriel Bá.

"When 18-year-old Klaus gets himself kicked out of the Umbrella Academy and his allowance discontinued, he heads to a place where his ghoulish talents will be appreciated— Hollywood. But after a magical high on a stash stolen from a vampire drug lord, Klaus needs help, and doesn't have his siblings there to save him." -- Provided by publisher.




fro

Innovations of targeted poverty reduction governance and policy in Zhejiang Province: Insights from China’s post-2020 anti-poverty strategy [in Chinese]




fro

Reflections on rural revitalization from a global perspective [in Chinese]




fro

Armed conflict and business operations in Sudan: Survey evidence from agri-food processing firms [in Arabic]




fro

Do safety net programs reduce conflict risk? Evidence from a large-scale public works program in Ethiopia

Summary of the findings • We find that the PSNP did not significantly alter the risk of violent events. • However, it had a negative impact on demonstrations (protests and riots) as well as fatalities. • These effects are most pronounced during the period of 2014-18, coinciding with widespread protests in Amhara and Oromia, the […] Source: IFPRI Ethiopia: Ethiopia Strategy Support Program




fro

Do social protection programs reduce conflict risk? Evidence from a large-scale safety net program in rural Ethiopia

PSNP is largest public works program in Africa • Started in 2005 in four main highland regions • Approximately 8 million participants • We examine the effect of PSNP on both high-intensity and low-intensity conflict • Using Govt. of Ethiopia administrative PSNP records and geocoded data on conflict events (Armed Conflict Location & Event Data […] Source: IFPRI Ethiopia: Ethiopia Strategy Support Program





fro

How can African agriculture adapt to climate change: The impact of climate change and adaptation on food production in low-income countries: Evidence from the Nile Basin, Ethiopia [in Amharic]

Growing consensus in the scientific community indicates that higher temperatures and changing precipitation levels resulting from climate change will depress crop yields in many countries over the coming decades. This is particularly true in low-income countries, where adaptive capacity is low. Many African countries are particularly vulnerable to climate change because their economies largely depend on climate-sensitive agricultural production.




fro

How can African agriculture adapt to climate change: Risk aversion in low-income countries: Experimental evidence from Ethiopia [in Amharic]

Agricultural production remains the main source of livelihood for rural communities in Sub-Saharan Africa, providing employment to more than 60 percent of the population and contributing about 30 percent of gross domestic product. With likely long-term changes in rainfall patterns and shifting temperature zones, climate change is expected to significantly affect agricultural production, which could be detrimental to the region’s food security and economic growth.




fro

Dear Juliet : letters from the lovestruck and lovelorn to Shakespeare's Juliet in Verona.

Every year, over 10,000 letters addressed to Juliet Capulet arrive in Verona, Italy, the famous hometown of Shakespeare's Romeo & Juliet. These handwritten letters come from people all over the world, seeking guidance and support from Juliet herself. Capturing the pain, joy, humor, and confusion of love, the 60 letters in this book offers encouragement, comfort, hope-and a nod to the human condition. Including responses from Juliet herself, this romantic and relatable, and perfect as a Valentine's Day gift, Dear Juliet proves that love is the universal language.




fro

Dear Lilly : from father to daughter : the truth about life, love, and the world we live in.

A father offers his advice, opinions, and the many useful stories gleaned from his past experiences in order to help his beloved daughter not only survive, but thrive in the dangerous and unpredictable world of young adulthood. From the pen of a former abused child, drug addict, womanizing frat boy, and suicidal depressive, comes forth the emotionally stirring account of a young man's battle with crippling inner demons and his eventual road to enlightenment. Peter Greyson calls upon his wisdom as both father and school teacher to gently lead teenage girls through a maze of truth, deception, and adolescent uncertainty. Greyson's literary style sparkles with a youthful enthusiasm that will capture your heart and provide boundless inspiration. Dear Lilly is a survival guide that offers the brutally honest male perspective to young women struggling for answers to life's deepest questions. Topics include: Boys lie What every guy wants from his girlfriend Tales from the drug world Everybody hurts High school exposed




fro

Dear Mary : lessons from the mother of Jesus for the modern mom / Sarah Jakes.

Hopeful, Inspiring Message for Moms from Sarah Jakes Mary, the mother of Jesus, is a remarkable example of quiet, resilient faith and courage in the face of adversity. From the angel's first announcement of her pregnancy to the death and resurrection of her son, Mary was witness to our Lord and Savior in a unique and special way. And as a mother herself, she speaks to the modern-day mom in a way few have explored before. Writing in the form of letters, Sarah Jakes examines the life of Mary--and through Mary, Jesus--to better understand what a life of faith looks like. Maybe you struggle to trust God's will for your life. Perhaps you have fears and insecurities that keep you from realizing the joy God wants for you, or the thought of raising little ones overwhelms you. Through the example of Mary, discover the freedom that only true faith can bring.




fro

Dear Mendl, dear Reyzl : Yiddish letter manuals from Russia and America / Alice Nakhimovsky and Roberta Newman.

At the turn of the 20th century, Jewish families scattered by migration could stay in touch only through letters. Jews in the Russian Empire and America wrote business letters, romantic letters, and emotionally intense family letters. But for many Jews who were unaccustomed to communicating their public and private thoughts in writing, correspondence was a challenge. How could they make sure their spelling was correct and they were organizing their thoughts properly? A popular solution was to consult brivnshtelers, Yiddish-language books of model letters. Dear Mendl, Dear Reyzl translates selections from these model-letter books and includes essays and annotations that illuminate their role as guides to a past culture.




fro

Reducing food loss and waste for climate outcomes: Insights from national consultations in Bangladesh, Malawi and Nepal

Reducing food loss and waste for climate outcomes: Insights from national consultations in Bangladesh, Malawi and Nepal

Integrating key goals of food system transformation.

The post Reducing food loss and waste for climate outcomes: Insights from national consultations in Bangladesh, Malawi and Nepal appeared first on IFPRI.






fro

Does conflict-driven internal displacement influence demand for agricultural inputs? Evidence from Nigeria

Does conflict-driven internal displacement influence demand for agricultural inputs? Evidence from Nigeria

Examining the effectiveness of vouchers and marketing information.

The post Does conflict-driven internal displacement influence demand for agricultural inputs? Evidence from Nigeria appeared first on IFPRI.




fro

From risk to resilience: How strategic government partnerships can enhance access to insurance-linked credit for smallholders in Zambia

From risk to resilience: How strategic government partnerships can enhance access to insurance-linked credit for smallholders in Zambia

The power of bundled solutions

The post From risk to resilience: How strategic government partnerships can enhance access to insurance-linked credit for smallholders in Zambia appeared first on IFPRI.





fro

Rules for resistance : advice from around the globe for the age of Trump / edited and with an introduction by David Cole ; co-edited by Melanie Wachtell Stinnett.




fro

Novel destinations : a travel guide to literary landmarks from Jane Austen's Bath to Ernest Hemingway's Key West / Shannon McKenna Schmidt & Joni Rendon ; foreword by Matthew Pearl.

"Follow in the footsteps of much loved authors, discover the landscapes that sparked their imaginations, and learn behind-the-scenes stories in this expanded and completely updated second edition of Novel Destinations. Across more than 500 literary locales in the United States, Europe, and elsewhere, experience famous authors' homes, book festivals, literary walking tours, lodgings, restaurants, bars for bibliophiles, and much more."--page 4 of cover.




fro

Science Café: A problem so small you can see it from space (November 13, 2024 5:30pm)

Event Begins: Wednesday, November 13, 2024 5:30pm
Location: Off Campus Location
Organized By: Museum of Natural History


Do we really consume a credit card’s worth of microplastics in a week? If microplastics are so small, how can they have such a big impact on our waterways? What are microplastics, anyway?

Explore these questions and more at November's Science Café! Please join Chris Ruf, Principal Investigator of the Remote Sensing Group (RSG) in the Climate and Space Sciences and Engineering Department (CLaSP) and graduate student Gopal Sundaram of the College of Engineering; Melissa Duhaime, Associate Professor in the Department of Ecology and Evolutionary Biology; and members of the Duhaime Lab (Rachel Cable, Lizy Michaelson, Skyler Har), for a discussion about one of our planet’s biggest tiny problems.




fro

Mrs. Dalloway and WWI: Home Front and War Front (November 13, 2024 9:00am)

Event Begins: Wednesday, November 13, 2024 9:00am
Location: Hatcher Graduate Library
Organized By: University Library


This exhibit explores the characters of Mrs. Dalloway through the lens of WWI and its aftershocks. It looks at those who fought in the trenches and those who watched from afar.

[The exhibit includes references to suicide and Post Traumatic Stress Disorder, which might be distressing for some visitors. Viewer discretion is advised.]

While all of the action in Virginia Woolf’s modernist masterpiece takes place on a single day, as preparations are made for Clarissa Dalloway’s evening party, Woolf’s stream of consciousness writing takes us in the characters’ minds all the way from English drawing rooms to colonial India to the trenches of World War I.

Check today's Hatcher Gallery Exhibit Room hours: https://myumi.ch/PkQ2x




fro

WCEE Exhibition. Verses from a Nation in Transition. Ukraine in Photographs by Joseph Sywenkyj (November 13, 2024 8:00am)

Event Begins: Wednesday, November 13, 2024 8:00am
Location: Weiser Hall
Organized By: Weiser Center for Europe and Eurasia


Joseph Sywenkyj is the 2024-25 Weiser Center for Europe and Eurasia’s Distinguished Fellow, and a Knight-Wallace Fellow at the University of Michigan. An award-winning American photographer of Ukrainian descent, Sywenkyj has lived and worked in Ukraine for the last two decades. He has worked throughout Europe and Central Asia for numerous publications and is a frequent contributor to *The Wall Street Journal*. His photographs have been exhibited in galleries and museums, including the United Nations Visitor’s Lobby in New York and the Taras Shevchenko National Museum in Kyiv.

If there is anything we can do to make this event accessible to you, please contact us. Please be aware that advance notice is necessary as some accommodations may require more time for the university to arrange.




fro

World Food Prize 2024 Borlaug International Dialogue: Side Event on “Reducing the Impact of GHGs Through Managing Food Loss and Waste (FLW): Insights from Bangladesh, Guatemala, Malawi, and Nepal”

World Food Prize 2024 Borlaug International Dialogue: Side Event on “Reducing the Impact of GHGs Through Managing Food Loss and Waste (FLW): Insights from Bangladesh, Guatemala, Malawi, and Nepal”

October 22, 2024 8:30 – 10:00 am (CDT) 9:30 – 11:00 am (EDT) Register IFPRI is participating in the 2024 Norman E. Borlaug International Dialogue. This year’s theme, “Seeds of Opportunity: Bridging Generations and Cultivating Diplomacy”, will emphasizes the vital role of integrating past wisdom, current innovations and the pressing needs of tomorrow, by leveraging […]

The post World Food Prize 2024 Borlaug International Dialogue: Side Event on “Reducing the Impact of GHGs Through Managing Food Loss and Waste (FLW): Insights from Bangladesh, Guatemala, Malawi, and Nepal” appeared first on IFPRI.




fro

How do we prioritize agrifood system policies and investments? Insights from the RIAPA modeling system

Virtual Event: June 12, 2024 at 10:00am-11:00am EDT. In this webinar, we will demonstrate how RIAPA has been used to identify priority agricultural value chains that most effectively contribute to development outcomes.




fro

Reviving public extension for climate-resilient agriculture: Lessons and insights from India, Indonesia, and Nepal

Integrating reforms with global goals.




fro

Pivotal: Confronting hunger and poverty in Nigeria (Africa Independence Television)

Pivotal: Confronting hunger and poverty in Nigeria (Africa Independence Television)

Nigeria’s current economic crisis continues to attract media attention. On 26 June 2024 Africa Independence Television (AIT) hosted a panel discussion on the television program “Pivotal” focused on confronting hunger and poverty. The panel, moderated by Nabila Usman, included Kwaw Andam, Country Program Leader, IFPRI-Nigeria, Andrew Mamudu, Country Director, Action Aid, and Abdullahi Mohammad, Associate, […]

The post Pivotal: Confronting hunger and poverty in Nigeria (Africa Independence Television) appeared first on IFPRI.




fro

Sudan is now confronting its most severe food security crisis on record (The Conversation Africa)

Sudan is now confronting its most severe food security crisis on record (The Conversation Africa)

An op-ed by IFPRI’s Khalid Siddig and Rob Vos analyses Sudan’s ongoing severe food crisis: “After 14 months of escalating internal conflict, Sudan is now confronting its most severe food security crisis on record. The latest situation report, released on 27 June, reveals a grim picture: more than half the population of 47.2 million is […]

The post Sudan is now confronting its most severe food security crisis on record (The Conversation Africa) appeared first on IFPRI.