Security News
Many security pros who do an excellent job of handling incidents find it much harder to communicate the ongoing process effectively to their management. Luckily, there is a template that security leads can use when presenting to management.
Multiple versions of a WordPress plugin by the name of "School Management Pro" harbored a backdoor that could grant an adversary complete control over vulnerable websites. The backdoor, which is believed to have existed since version 8.9, enables "an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed," Jetpack's Harald Eilertsen said in a Friday write-up.
Security researchers have discovered a backdoor in a premium WordPress plugin designed as a complete management solution for schools. The name of the plugin is "School Management," published by Weblizar, and multiple versions before 9.9.7 were delivered with the backdoor baked into its code.
The National Institute of Standards and Technology has updated its guidance document for helping organizations identify, assess and respond to cybersecurity risks throughout the supply chain. "The guidance helps organizations build cybersecurity supply chain risk considerations and requirements into their acquisition processes and highlights the importance of monitoring for risks. Because cybersecurity risks can arise at any point in the life cycle or any link in the supply chain, the guidance now considers potential vulnerabilities such as the sources of code within a product, for example, or retailers that carry it," NIST notes.
Auth0 vs JumpCloud: Compare identity and access management software. Two of the most popular contenders in the identity and access management space are Auth0 and JumpCloud.
A pre-authentication remote code execution vulnerability has been disclosed in dotCMS, an open-source content management system written in Java and "used by over 10,000 clients in over 70 countries around the globe, from Fortune 500 brands and mid-sized businesses." The critical flaw, tracked as CVE-2022-26352, stems from a directory traversal weakness in the file upload handling, enabling an adversary to execute arbitrary commands on the underlying system.
During the research, the attack surface management team analyzed instances hosting internet-facing databases. The findings showed that in the second half of 2021, the number of public-facing databases increased by 16% to 165,600, with most of them hosted on servers in the US. The number of databases exposed to the open web has grown every quarter, reaching a peak of 91,200 in Q1 2022.
Oomnitza revealed a snapshot survey, conducted by Gatepoint Research, which found that siloed technology management is increasing operational blind spots and cyber risk. While 76% of enterprises employ multiple systems to oversee the underlying technology that supports their IT and business services, 71% of IT leaders anticipate increased security breaches and operational expenditures.
In this video for Help Net Security, James Mignacca, CEO at Cavelo, talks about cyber asset attack surface management, which Gartner recently identified as an emerging technology. As companies moved to a hybrid workforce model, their assets were no longer limited to the office space.
A human-centric, easy-to-use Enterprise Password Management platform bolsters security by reducing the chance of human error. Keeper protects your passwords and secrets with security, visibility and control from the data center to the front office, delivering enterprise security and cyberthreat prevention.