Security News > 2021 > December
The report found that 66% of data and analytics professionals experienced improved data quality as a "Leading benefit" when implementing data governance programs, a trend that rises to a staggering 83% for organizations that already have a mature data governance framework in place. "For reporting and analytics to be trustworthy, the underlying data must be accurate, consistent, and complete. One of the report's key findings was that data governance is a crucial factor in how organizations are achieving the quality of data that builds trust."
The CIS Foundations Benchmarks are a part of the family of cybersecurity standards managed by CIS. CIS Benchmarks are consensus-based, vendor-agnostic secure configuration guidelines for the most commonly used systems and technologies. The CIS Foundations Benchmarks are intended for system and application administrators, security specialists, auditors, help desk, platform deployment, and/or DevOps personnel who plan to develop, deploy, assess, or secure solutions in the cloud.
A Trend Micro report predicts global organizations will emerge more alert and better prepared in 2022 thanks to a comprehensive, proactive, cloud-first approach to mitigating cyber risk. Research, foresight, and automation are critical for organizations to manage risk and secure their workforce.
Let's start with Microsoft, which put out a summary of its security updates here. Microsoft Defender for IoT: A critical remote-code execution flaw in this security product, prior to version 10.5.2, can be exploited over a network by a non-authenticated miscreant.
This past year, the pain was felt in two significant ways: through the supply chain disruptions caused by COVID-19, and through the many security breaches that we saw in our key IT suppliers. Many organizations have been caught off guard by the pervasive and long lasting repercussions of the supply chain crunch from COVID-19, exacerbating other supply chain bottlenecks further downstream and causing headaches for consumers and missed revenue targets for major corporations.
"Based on process lineage data, attackers seemed to use scripts extensively. These may be automated scripts used for collecting information and downloading additional tools," explains Symantec's report. Hidec: Command line tool for running a hidden window.
Last week, version 2.15 of the widely used open-source logging library Log4j was released to tackle a critical security hole, dubbed Log4Shell, which could be trivially abused by miscreants to hijack servers and apps over the internet. In its latest release notes for Log4j 2.x, the Apache Foundation said: "Dealing with CVE-2021-44228 has shown the JNDI has significant security issues. While we have mitigated what we are aware of it would be safer for users to completely disable it by default, especially since the large majority are unlikely to be using it."
Last week, version 2.15 of the widely used open-source logging library Log4j was released to tackle a critical security hole, dubbed Log4Shell, which could be trivially abused by miscreants to hijack servers and apps over the internet. Apache also conceded JNDI "Has significant security issues," so it's decide it is best to just deactivate it by default.
As if the Log4Shell hellscape wasn't already driving everybody starkers, it's time to update iOS 15.2 and a crop of other Apple iGadgets, lest your iPhone get taken over by a malicious app that executes arbitrary code with kernel privileges. To paraphrase one mobile security expert, the iOS 15.2 and iPadOS update - released by Apple on Monday along with updates for macOS, tvOS and watchOS - is as hairy as a Lhasa Apso.
It's worth noting that Microsoft also patched CVE-2021-43883, a privilege-escalation vulnerability in Windows Installer, for which there's been an exploit circulating, and, reportedly, active targeting by attackers - even though Microsoft said it has seen no exploitation. "After gaining the initial foothold, achieving administrator-level access can allow attackers to disable security tools and deploy additional malware or tools like Mimikatz," he said.