Collaborate Disseminate
I am auditing a financial application that connects to a merchant’s FTP server (SLAs signed) through VPN tunnels and fetches text and csv files from this server and places it on my organisation’s FTP server. This is an automated process; a… Continue reading Risks and controls over access to 3rd party network location [closed]
We’re about to invest in an EDR. However, there’s massive heel-dragging on this.
The solution is SaaS – it would be an agent on hosts that then sends data back to a control element in cloud. It will go via a proxy and the connections are o… Continue reading Risk of SaaS-based endpoint agents [closed]
First some context:
We have software running on a production Windows server that runs within a local network of one of our customers. We installed our software on that server and some tools such as Wireshark and deliver paid support for o… Continue reading Dealing with Wireshark vulnerabilities in practice
is there any way to have a good effort time estimation of a Threat Modeling and Risk Assessment activity for an internal infrastructure (about 30 active nodes)?
In general, is it possible to find a "best practice" to estimate eff… Continue reading Threat Modeling and Risk Assessment Effort Estimation
We are running vulnerability scans on our systems. I can see a few XSS vulnerabilities being reported, such as CVE-2020-14173. Let me quote:
The file upload feature in Atlassian Jira Server and Data Center in
affected versions allows remo… Continue reading can vulnerabilities be treated differently based on ceratin circumstances? [duplicate]
The more “mature” among us may recall when decision-making under uncertainty was based on the concept of “rational economic man.” We estimated or calculated the probability and amount of a loss (or gain) of various courses of action, multiplied the num… Continue reading Cybersecurity Lessons from the Pandemic: Perception of Risk
Looking at a plain system (there are no security controls implemented yet), we need to think about its functions and derive appropriate assets which we’d like to protect in order to ensure the system continues to function as intended (also… Continue reading Are security controls themselves considered assets (e.g., cryptographic keys)
There are a number of different types of models—and the output from each must be viewed and used differently depending on the form of the model. First, you have relationships derived from correlations—they show how one variable changes in concert with … Continue reading Cybersecurity Lessons from the Pandemic: Models and Predictions
I’ve read here that HTTPS replay attacks aren’t possible from MITM attacks but I want to be sure that it’s not saying that HTTPS replay attacks aren’t possible at all. I want to know if I have to implement my own obscure method for tempora… Continue reading Preventing HTTPS Replay Attacks
I’ve seen scenarios in which organizations don’t invest enough in cybersecurity, are short-handed, and thus have a difficult time meeting the policy requirements defined within their Security Programs. I would assume that many companies do… Continue reading Measuring the Risk of Not Managing Risk