Security News

Hardcoded SSH Key in Cisco Policy Suite Lets Remote Hackers Gain Root Access
2021-11-04 23:15

Cisco Systems has released security updates to address vulnerabilities in multiple Cisco products that could be exploited by an attacker to log in as a root user and take control of vulnerable systems. Tracked as CVE-2021-40119, the vulnerability has been rated 9.8 in severity out of a maximum of 10 on the CVSS scoring system and stems from a weakness in the SSH authentication mechanism of Cisco Policy Suite.

Policy automation to eliminate configuration errors
2021-10-15 05:30

On the surface, it might seem like configuration errors should be an easily solvable problem: organizations should simply pay more attention to any changes and manually make sure all settings are correct every time a change is made. To successfully control how every update, change and addition is implemented - and to understand how each change affects the environment and other changes that are already "in flight" - the only solution is to embrace automation.

Air gaps have been 'shattered', says new Indian policy on power sector security
2021-10-08 04:58

India has announced a new security policy for its power sector and specified a grade of isolation it says exceeds that offered by air gaps. "The much hyped air gap myth between information technology and operational technology systems now stands shattered," the policy states, before going on to offer a slightly odd definition of an air gap.

Finding the right mix: Leveraging policy and incentives to improve healthcare cybersecurity
2021-10-07 05:30

For the healthcare sector, the impact is far greater; cyberattacks can be a matter of life or death. While investing in these digital transformation technologies, the healthcare sector has yet to put the corresponding resources into cybersecurity to protect them.

Policy and patience key in Biden’s cybersecurity battle
2021-09-24 04:30

The Biden administration, in addition to using its convening power to cajole big tech to invest more in cybersecurity, also issued an Executive Order in May that sought to leverage the Federal government's purchasing power to drive greater software security. The most visible implementation action so far has been the guidance on security measures for federal agency use of critical software developed by NIST. While not groundbreaking in substance - the guidance amounts to an index of best practices citing previous federal advisories - the list will help federal agency CIOs ensure they have addressed key software supply chain risks.

FISMA's a fizzer, says Cisco, and calls on Congress to get cyber security policy right – pronto
2021-08-13 06:16

A senior Chief Information Security Officer advisor at Cisco has penned a commentary on the state of US cybersecurity frameworks, criticizing current government infosec and advocating for more autonomy for CISOs and a better understanding of the task at hand from those creating policies. "After nearly two decades of federal cybersecurity and risk management as practiced under the rubric of the Federal Information Security Management Act of 2002 and the Federal Information Security Modernization Act of 2014, billions of dollars in appropriated federal cybersecurity funding have not appreciably improved the overall situation," wrote Bruce Brody.

Satori Data Security Policy Engine streamlines data security for enterprises
2021-08-05 07:54

Satori announced the Satori Data Security Policy Engine to streamline and revolutionize data security for large enterprises. This new extension of Satori's DataSecOps platform enables companies to democratize data access and modernize operations for dynamic enterprise data environments using scalable, universal and holistic data security policies.

Windows admins now can block external devices via layered Group Policy
2021-08-04 16:45

Microsoft has added support for layered Group Policies, which allow IT admins to control which internal or external devices users can install on corporate endpoints across their organization's network. Using these identifiers, an admin can create an 'allow list' of permitted devices that blocks all other devices from being installed.

Styra DAS extends OPA policy-as-code guardrails to public, private and hybrid cloud configurations
2021-07-22 01:00

Styra announced new cloud infrastructure support via Terraform, extending Styra Declarative Authorization Service guardrails to storage, network and compute resource configuration in public clouds including AWS, GCP and Azure. "Until now, DevOps and cloud platform teams had to manage authorization, policy and configuration with disparate tools in each of their clouds, in each of their orchestration clusters, and between the microservices that comprise modern apps," said Tim Hinrichs, co-founder and chief technology officer of Styra.

Crafting a Custom Dictionary for Your Password Policy
2021-07-14 09:12

One component of an effective modern password policy is a custom dictionary that filters out words not allowed as passwords in the environment. Let's consider crafting a custom dictionary for your password policy, including general guidance on how these are created and configured, and how you can easily use custom dictionaries in an Active Directory environment.