Mitre Update of Top Software Bugs

BleepingComputer reported today on an update to the Mitre list of top software attacks, bugs, and vulnerabilities.  This list reports the “most common and dangerous weaknesses plaguing software throughout the previous two years”. The ranked list is based on scoring using Common Vulnerabilities and Exposures (CVE) data from 2019 and 2020 obtained from the National Vulnerability Database (NVD).

I found it interesting that OS command injection and path traversal both moved up the list into the top 10.  Those are two simple weaknesses that have been around for a long time.

The BleepingComputer article also referenced the US Cybersecurity and Infrastructure Security Agency (CISA) publication (May 2020) of the top 10 routinely exploited security vulnerabilities between 2016 and 2019 (Note: Link is to a PDF).  That CISA top 10 list is a valuable resource for information and network defenders as it calls out specific malware that you can then arrange your defenses (anti virus / malware, Firewall & IDS rules, SIEM reporting) around.

Report: Challenges Security Operations Leaders face building Teams

I came across an interesting article in Security Magazine titled “SOC experts report cyber skilling obstacles”.  In the article Cyberbit, a provider of Cyber Skills Development Platforms, revealed the results of the first annual Cyberbit SOC Skills Survey.  The survey (download link in the article) results sheds light on how companies are fulfilling (or not) cyber team skills requirements in order to maintain a strong cyber defense posture.

I thought there were a number of interesting findings in the report.  One was the disparity between human resources and technical hiring managers.  No news there; it’s hard for non technical HR staff to assess candidates for technical job roles.  My take is that you need differentiate yourself to make your resume or C.V. stand out to human resources professionals.

Another finding was how candidates are interviewed and screened.  The report called out that while 70% reported “conversation’; 8% use ‘cyber range simulation’ and 10% use ‘task’.  I believe that having candidates use simulations and complete tasks are great assessments of technical skills.  The challenge posed by using those assessments is in delivering them fairly.  In order to use a simulation or to have a candidate complete some task the employer should advise candidates in advance of the assessment and it’s associated conditions.  Those conditions include some notes about general problem background; what equipment or data will be provided, and how long the candidate will have to complete the simulation or task.

Since the overwhelming number of responses cited ‘conversation’ as the interview technique; candidates have to have a plan for how to guide that interview conversation.  My suggestion is that you be ready to talk about some recent technical topic that you’ve researched or learned about.  Judging applicability of that topic to your interview is something that should be part of the candidate’s interview prep.  Be prepared to talk about how you have recently studied cyber threats linked to open source code (for example).  Have a plan to offer a 2-3 sentence summary (less than 1 minute) of what you learned about Heartbleed.  Be prepared to go deeper.  Have a plan to follow that up with 2-3 minutes about patterns of attack using open source used multiple vectors.

In short, be prepared to drive that initial interview conversation.  Start short and high level.  Be prepared to show some depth.

Another  important skill finding brought up by Cyberbit was regarding skills.  The two most critical skills identified were Intrusion detection and network monitoring.  I read that SIEM and IDS/IPS.  There are so many tools available at little or no cost that not being able to learn and speak about these topics is just wrong.



The Power of Facebook

Welcome to Ford’s Lab!

I recently changed my Facebook setting to point at ‘Ford’s Lab’.

This was an experiment on my part to see how quickly my fellow facebook users would notice the change.  I was sort of shocked that within the first hour a number of my friends had noticed and liked or commented on the change.

Note: I have not changed jobs.