Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Santa and the Zero-Trust Model: A Christmas Story
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 1:04:02 PM
Re: Risk
Agreed, I think I would follow that up with even with Santa having diminished access, it still requires scrutiny to a degree. A lot of the time we completely neglect this aspect in lieu of review for more privileged/authoritative access but there is a point where lower level accounts will need to be reviewed.

An escalation vulnerability could turn Santa from the kind hearted low level access into a full blown Krampus and tht is the last thing as Security Practioners we would want.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 1:01:27 PM
Re: Authentication
Definitely agree here. I think one platform that can very much help in these instances are Privileged Access Management (PAM) platforms. Not a silver bullet of course but a step in the right direction.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 1:00:06 PM
Re: zero-trust security
The opposite sentiment of the old KGB addage, "Trust but Verify". As a security professional, I much prefer Zero-Trust and Verify to its Russian counterpart.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 12:58:30 PM
Re: Supply chain
Contractors tend to be the weakest link because their access isn't as heavily regulated typically as full time employees. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 12:57:43 PM
Re: Basics
Background checks are pivotal. It seems now that background checks are very much singling in on financial background checks in lieu of other categories which is somewhat of a paradigm shift for how they use to be performed.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 12:56:01 PM
Re: zero-trust security
Most definitely, I also find it entertaining that many of the articles being written currently are holiday centric. Adds to the enjoyment of these insightful reads.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/29/2019 | 2:14:09 PM
Risk
the risk of Santa-inflicted damage is low. Still, that doesn't mean Santa should necessarily be given free rein within the household. Another good point. We can accept some risks but we need to do risk analysis to identify that.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/29/2019 | 2:11:46 PM
Authentication
it's about the one-time decision and then long-term follow-up to make sure that the authorization is still appropriate. Agree. Authentication should not be a point in time, it should be as needed process. Authenticate as services being asked.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/29/2019 | 2:09:41 PM
Re: zero-trust security
Yes, I like it very much too. Zero-trust and verify is a good approach in security.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/29/2019 | 2:08:22 PM
Supply chain
Santa seems to have an extensive supply chain, and that the supply chain and support staff should come under scrutiny, as well. This is another good point. Contractors are tend to be the weakest link.
Page 1 / 2   >   >>


COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/22/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Is Zero Trust the Best Answer to the COVID-19 Lockdown?
Dan Blum, Cybersecurity & Risk Management Strategist,  5/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12393
PUBLISHED: 2020-05-26
The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execut...
CVE-2020-12394
PUBLISHED: 2020-05-26
A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element. This vulnerability affects Firefox < 76.
CVE-2020-12395
PUBLISHED: 2020-05-26
Mozilla developers and community members reported memory safety bugs present in Firefox 75 and Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Fi...
CVE-2020-12396
PUBLISHED: 2020-05-26
Mozilla developers and community members reported memory safety bugs present in Firefox 75. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 76.
CVE-2020-10719
PUBLISHED: 2020-05-26
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.