Security News > 2020 > August

FireEye on Tuesday announced that Sara Andrews, SVP and Chief Information Security Officer at PepsiCo, has been appointed to the FireEye board of directors. Prior to PepsiCo, Andrews served as Verizon's Chief Network Security Officer, where she led organizations responsible for the security of all Verizon wireline networks serving the company's residential, small business and enterprise customers.

Microsoft has addressed 120 vulnerabilities with its August 2020 Patch Tuesday updates, including a Windows spoofing bug and a remote code execution flaw in Internet Explorer that have been exploited in attacks. The Windows spoofing vulnerability, tracked as CVE-2020-1464, is related to Windows incorrectly validating file signatures.

Microsoft has plugged 120 flaws, two of which are being exploited in the wild. One of the two was publicly known before the patch was released; both are under active attack.

Adobe has plugged 11 critical security holes in Acrobat and Reader, which if exploited could allow attackers to remotely execute code or sidestep security features in the app. As part of its regularly scheduled security updates on Tuesday, Adobe fixed critical- and important-severity flaws tied to 26 CVEs, all in its popular Acrobat and Reader document-management application, as well as one important-severity CVE in Adobe Lightroom, its image manipulation software.

Citrix on Tuesday released patches to address multiple vulnerabilities in Citrix Endpoint Management (XenMobile) that could allow an attacker to gain administrative privileges on affected systems. The severity of the identified vulnerabilities, which carry the CVE identifiers CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212, differs based on the installed version of XenMobile.

So far this year, the use of facial recognition by law enforcement has been successfully challenged by courts and legislatures on both sides of the Atlantic. Unconstrained use of facial recognition services by state and local government agencies poses broad social ramifications that should be considered and addressed.

This got me thinking about my own profession, and some of the absolutely bonkers things I've heard lately in terms of the number of tools an organization has at its disposal for cyber security things. I think the biggest number I heard was somewhere around 175 cyber security tools in an enterprise.

A survey by the Enterprise Strategy Group and the Information Systems Security Association of cybersecurity professionals shows that 70 percent believe their organization has been impacted by the global cybersecurity skills shortage. "No single action is working to bridge the cybersecurity skills gap. What's needed is a holistic approach of continuous cybersecurity education, comprehensive career development and career mapping/planning - all with support from and integration with the business."

Adobe on Tuesday informed customers that it has patched 26 vulnerabilities in its Acrobat and Reader products, including 11 critical flaws. Nine of the critical flaws can be exploited for arbitrary code execution; the remaining two can allow an attacker to bypass security features.

British infosec biz NCC Group has admitted to The Register that its internal training materials were leaked on GitHub - after folders purporting to help people pass the CREST pentest certification exams appeared in a couple of repositories. CREST offers a certification called CRT: CREST Registered Tester.