Submission + - The SSRF Blocker That Didn't: NPM Private-IP Flaw Could Affect Millions of Apps (securityledger.com)

chicksdaddy writes: Private-IP (https://www.npmjs.com/package/private-ip) may be the most widely used security package you've never heard of. And a massive security gap buried in its code may be undermining the security of your own applications as we speak, according to The Security Ledger (https://securityledger.com/2020/11/exploitable-flaw-in-npm-private-ip-app-lurks-everywhere-anywhere/), which reports that researchers, including experts from Shutterstock and Squarespace, have identified a Server Side Request Forgery (SSRF) vulnerability, CVE-2020-28360 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28360), in all previous versions of private-ip, a little known, single developer security module that is downloaded more than 10,000 times a week and may be used by hundreds of thousands — or millions of other applications.

According to John Jackson of Shutterstock, who helped discover the flaw, the SSRF flaw could allow malicious attackers to launch local or remote attacks against vulnerable apps: installing malicious code or gaining access to protected data and resources. (https://johnjhacking.com/blog/cve-2020-28360/)

It is just the latest incident to raise questions about the security of the “software supply chain.” Private-IP is a single developer project created by Damir Mustafin (aka "frenchbread"), a Montenegro-based developer, in August 2016. In four years, the code had been updated just once, in April, 2017, prior to the security hole being discovered and patched this month. Despite that, its reach is massive. It has an average of 14,000 downloads weekly, according to data from GitHub. And direct downloads of private-ip are just one measure of its use. Fully 355 publicly identified npm modules are dependents of private-ip v1.0.5, which contains the SSRF flaws. An additional 73 GitHub projects have dependencies on private-ip. All told, that accounts for 153,374 combined weekly downloads of private-ip and its dependents. One of the most widely used applications that relies on private-ip is libp2p, an open source network stack that is used in a wide range of decentralized peer-to-peer applications, according to Jackson. The total population of applications that use private-ip, knowingly or unknowingly, could number in the millions, he said. In fact, private-ip may be the true source of a long list of SSRF vulnerabilities that have been independently discovered and reported in the last five years, Jackson said. "This may be why a lot of enterprises have struggled with SSRF and block list bypasses,” he said.
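The submission above describes a private-address check that could be bypassed and so left the applications relying on it open to SSRF. As an added example (not private-ip's own code, and not taken from the article or the researchers), the block below shows the shape of a fail-closed check that a defender can use instead of a hand-written block list: it leans on Python's standard ipaddress module to parse the literal, unwraps IPv4-mapped IPv6 addresses so the inner IPv4 target is what gets classified, and refuses anything the parser cannot interpret rather than guessing. The function names is_internal_address, classify_url_host and resolved_addresses_allowed, and the sample inputs, are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit


def is_internal_address(text: str) -> bool:
    """Return True if an outbound request to this literal address should be refused.

    Fails closed: if the standard parser rejects the text, we treat it as internal
    instead of trying to interpret non-canonical notations ourselves.
    """
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return True  # unparseable input is refused, never allowed by default

    # ::ffff:a.b.c.d is an IPv4 target wearing an IPv6 coat; classify the IPv4 part.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    # Private (RFC 1918 / ULA), loopback, link-local, multicast, reserved and
    # "unspecified" (0.0.0.0 / ::) addresses are all refused.
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def classify_url_host(url: str) -> str:
    """Decide what to do with the host part of a user-supplied URL.

    Returns one of:
      "refuse"             - no usable host, or an internal literal address
      "allow"              - a literal address that is not internal
      "resolve-then-check" - a hostname; resolve it and run every returned
                             address through is_internal_address before connecting
    """
    host = urlsplit(url).hostname  # strips userinfo, port and IPv6 brackets
    if not host:
        return "refuse"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return "resolve-then-check"  # not a literal, so DNS has to happen first
    return "refuse" if is_internal_address(host) else "allow"


def resolved_addresses_allowed(addresses) -> bool:
    """True only if every address a name resolved to is external.

    A name that resolves to a mix of public and internal addresses is refused,
    because the client cannot control which one the connection will use.
    """
    addresses = list(addresses)
    return bool(addresses) and not any(is_internal_address(a) for a in addresses)


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    for sample in ["10.0.0.1", "::ffff:10.0.0.1", "fe80::1", "10.0.0.256", "8.8.8.8"]:
        print(f"{sample:>20} -> {'refuse' if is_internal_address(sample) else 'allow'}")
    for url in ["http://[::ffff:10.0.0.1]:8080/x", "https://example.com/", "http://8.8.8.8/"]:
        print(f"{url:>32} -> {classify_url_host(url)}")
```

The split into classify_url_host and resolved_addresses_allowed is deliberate: a literal address can be judged immediately, but a hostname must be resolved first, every returned address checked, and the connection then made to the address that was checked rather than resolving the name a second time inside the HTTP client. Checking only the name, or only the first resolved address, is the kind of gap that lets a "blocker" pass internal targets.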

Submission + - Researchers: Security Holes Opened Back Door To TCL Android Smart TVs (securityledger.com)

chicksdaddy writes: Millions of Android smart television sets from the Chinese vendor TCL Technology Group Corporation (https://www.tcl.com/) contained gaping software security holes that researchers say could have allowed remote attackers to take control of the devices, steal data or even control cameras and microphones to surveil the set’s owners.

The security holes appear to have been patched by the manufacturer in early November. However the manner in which the holes were closed is raising further alarm among the researchers about whether the China-based firm is able to access and control deployed television sets without the owner’s knowledge or permission, according to a report published on Monday by two security researchers. (https://sick.codes/extraordinary-vulnerabilities-discovered-in-tcl-android-tvs-now-worlds-3rd-largest-tv-manufacturer/)

The report describes two serious software security holes affecting TCL brand television sets. First, a vulnerability in the software that runs TCL Android Smart TVs allowed an attacker on the adjacent network to browse and download sensitive files over an insecure web server running on port 7989.

That flaw, CVE-2020-27403 (https://nvd.nist.gov/vuln/detail/CVE-2020-27403), would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious critical information disclosure, the researchers warned.

Second, the researchers found a vulnerability in the TCL software that allowed a local unprivileged attacker to read from- and write to critical vendor resource directories within the TV’s Android file system, including the vendor upgrades folder. That flaw was assigned the identifier CVE-2020-28055. (https://nvd.nist.gov/vuln/detail/CVE-2020-28055)

The researchers, John Jackson (@johnjhacks), an application security engineer for Shutterstock, and the independent researcher known by the handle “Sick Codes” (@sickcodes), said the flaws amount to a “back door” on any TCL Android smart television.

“Anybody on an adjacent network can browse the TV’s file system and download any file they want,” said Sick Codes in an interview via the Signal platform. That would include everything from image files to small databases associated with installed applications, location data or security tokens for smart TV apps like Gmail. If the TCL TV set was exposed to the public Internet, anyone on the Internet could connect to it remotely, he said, noting that he had located a handful of such TCL Android smart TVs using the Shodan search engine.

Submission + - Tyler Technologies, Largest Public Sector IT Vendor, Offline after Cyberattack (securityledger.com)

chicksdaddy writes: Tyler Technologies (https://www.tylertech.com/), the U.S.’s largest provider of software and services to the public sector said on Wednesday that it was hacked by unknown assailants, who gained “unauthorized access” to the company’s IT and phone systems, according to a report by The Security Ledger (https://securityledger.com/2020/09/public-sector-mega-vendor-tyler-technologies-says-it-was-hacked/).

Tyler, which sells software that supports a wide range of public sector functions such as permitting, inspections, 311 systems and utility billing said that it has hired independent IT experts to investigate the incident. The company’s MUNIS ERP (enterprise resource planning) technology is widely used by local governments across the U.S.

“We are treating this matter with the highest priority and working with independent IT experts to conduct a thorough investigation and response,” wrote Matt Bieri, the company’s Chief Information Officer in an email obtained by The Security Ledger. Tyler is also working with law enforcement to investigate the issue.

The company’s web page on Thursday displayed a message saying it was “temporarily unavailable."

In the email message to customers, Bieri said that the company discovered the intrusion Wednesday morning after the intruder “disrupted access to some of our internal systems” – a possible reference to ransomware.

Bieri told customers the intrusion was “limited to our internal network and phone systems” and that the company has “no reason to believe that any client data, client servers, or hosted systems were affected.”

The incident raises concerns that hackers may have used access to Tyler's networks to steal credentials needed to compromise the company's thousands of municipal customers. The average length of time that malicious actors "dwell" on victim networks is 56 days, according to data from the firm FireEye. “If that amount of time goes by, there’s plenty of time to look around for passwords,” said Michael Hamilton, the CISO of CI Security and a former Vice-Chair for the DHS State, Local, Tribal and Territorial Government Coordinating Council.

Comment Re:Please, please, please, please!!! (Score 1) 30

But - this is a medical device. Only an authorized technician can repair it properly. Joe the shade tree mechanic is going to screw up the repair and harm you. The FDA is in the business of protecting you from yourself and deplorable morons like Joe.

We have to relax and let experts do their thing. They know the issues better than us and can make better decisions. That's the logic behind letting the FDA regulate these devices.

I don't agree with it personally. I believe when we buy something that we buy it, and can do whatever we want with it. But those are the arguments, and if you're going to win you need to address them head-on and make convincing counter-arguments. Plus, deal with the fact that medical experts are currently highly respected and saying that you know better than them is going to entail significant blowback.

Actually - no. Most biomeds would tell you that the vast majority of med device repairs are dead simple, as the devices are designed to be easily serviceable and to have long lives. You know what's _not_ easy to fix? A Microsoft Surface or an iPhone 10. Arguments about safety are scare mongering - there is no data that supports the conclusion that repair done by OEMs - at far greater cost - is any safer or more effective than repair done by in-house biomeds working for the customer.

Submission + - Inside Project BioMed: Librarians crowdsourcing Medical Device Repair (securityledger.com)

chicksdaddy writes: We've all read the stories about faulty ventilators and the heroic efforts (https://www.fastcompany.com/90484261/this-fuel-cell-company-has-pivoted-to-fixing-old-ventilators-to-give-to-hospitals) of companies like Bloom Energy, a fuel cell manufacturer, to get them back online. One of the less-reported stories of this pandemic is the myriad of ways in which COVID has exposed changes to the medical device market and the increasingly draconian software licensing practices that have made servicing and repairing medical devices much more difficult, slow and expensive. (https://uspirg.org/news/usp/statement-after-public-outcry-ventilator-repair-restrictions-loosen)

In its latest episode, Security Ledger Podcast goes behind the scenes of Project BioMed, an effort headed up by repair site iFixit (https://www.ifixit.com) to democratize access to repair and servicing information for medical devices including (and especially) ventilators and respirators. Kyle Wiens, CEO of iFixit, talks about the critical role played by Biomedical Technicians, who keep hospital equipment up and running, and about the growing efforts by medical device OEMs to deny hospitals and biomeds access to the information they need to service equipment. The podcast also interviews Jonathan Krones, an Assistant Professor at Boston College and one of an army of volunteers, including hundreds of librarians and archivists, who sorted through and cataloged hundreds of thousands of pages of medical device servicing information donated by biomedical technicians as part of the project.

Submission + - 7 Years Later, Emergency Alert Systems Still Un-Patched, Vulnerable (securityledger.com)

chicksdaddy writes: The Security Ledger is reporting (https://securityledger.com/2020/01/seven-years-later-scores-of-eas-systems-sit-un-patched-vulnerable/) that more than 50 Emergency Alert System (EAS) devices made by Monroe Electronics (now Digital Alert Systems) are un-patched and accessible from the public Internet, seven years after security researchers alerted the public about security flaws in the devices. (https://ioactive.com/article/ioactive-uncovers-vulnerabilities-in-united-states-emergency-alerting-system/)

More than 50 EAS deployments across the United States still use a shared SSH key, a security vulnerability first discovered and reported by IOActive in 2013, according to a warning posted by the security researcher Shawn Merdinger on January 19, seven years after the initial vulnerability report was issued.

Security Ledger viewed the exposed web interfaces for Monroe/Digital Alert Systems EAS hardware used by two FM broadcasters in Texas and an exposed EAS belonging to a broadband cable provider in North Carolina. Also publicly accessible: EAS systems for two stations (FM and AM) serving the Island of Hawaii. Residents there received a false EAS alert about an incoming ICBM in 2018. That incident was found to be the result of human error (https://www.cnn.com/2018/01/30/us/hawaii-false-alarm-investigation/index.html) but prompted the FCC to issue new guidance about securing EAS systems. (https://docs.fcc.gov/public/attachments/DOC-352524A1.pdf)

Digital Alert Systems said it is aware of the problem and is contacting the customers whose gear is exposed. However, a search using the Shodan search engine suggests that few have taken steps to remove their EAS systems from the public Internet in the past week. Security Ledger is withholding the names of the broadcasters whose EAS systems were exposed for security reasons. None of the stations contacted for the story was able to provide comment prior to publication.

Submission + - Estée Lauder suit highlights growing 401k distribution fraud

chicksdaddy writes: A former employee of the New York based cosmetics giant Estée Lauder is suing the company and a third party benefits firm, alleging they breached their fiduciary duty to secure her 401k retirement account after $99,000 was fraudulently distributed from the account without her knowledge, The Security Ledger reports. (https://securityledger.com/2019/11/suit-against-estee-lauder-spotlights-401k-distribution-fraud/)

The case, Naomi Berman vs. Estée Lauder et al. (https://securityledger.com/wp-content/uploads/2019/11/1-main.pdf), comes amid increasing concern about cyber fraud targeting the $5.7 trillion 401k industry, in which more than 100 million Americans participate.

The case hinges on a series of three 401k distributions from Ms. Berman’s Estée Lauder 401k plan in September and October of 2016. Those distributions, for $37,000, $52,000 and $12,000, were sent by Lauder’s plan administrator, Alight Solutions LLC, to three, separate bank accounts. Berman only learned of the distributions after receiving mailed 401k statements from the administrator. Subsequent efforts by Berman to get Alight, which ran the plan’s web portal, and Estée Lauder to investigate the transfers and restore the stolen funds were fruitless.

401k accounts are particularly vulnerable to fraud, because they are typically not accounts that account holders interact with frequently, according to Teresa Renaker, an attorney who is representing Ms. Berman in her case against Estée Lauder and Alight. “You don’t check your 401k every day or even every month,” she noted. Plans are only required to mail statements every quarter. “Indeed, participants are generally advised to leave their 401k accounts alone,” Renaker said.

In the case of Ms. Berman, who worked for Estée Lauder’s MAC Cosmetics subsidiary from 1998 to 2006, the complaint alleges that she did not learn of the distributions until all three had taken place. After notifying the plan administrator of the fraud, Ms. Berman made at least 23 calls to the administrator’s Customer Service Center regarding the unauthorized distributions between October 24, 2016, and January 2, 2017. Eventually, the Customer Service Center informed Ms. Berman that it had completed its investigation, that no money had been recovered, and that her Lauder Plan account would not be made whole for the losses. That's unusual, said Renaker and others: plan administrators have historically opted to make fraud victims whole when unauthorized distributions happen. And the change in approach has some worried about what might be coming.

An analysis by Washington D.C. based Groom Law Group (https://www.groom.com/resources/new-case-raises-difficult-questions-about-erisa-remedies-for-401k-account-thefts/) said the facts of the Berman case “expose some ugly truths” for the 401k industry “about the potential vulnerability of 401(k) plan assets to theft.” In such cases, Groom noted, the fraudsters “typically have acquired sufficient amounts of personal information about the participant to penetrate security protocols.” Historically, 401k plan administrators and record keepers have responded to such fraud incidents by making the victim whole without involving distributions from the plan itself. As Groom notes, the Berman case may suggest that “at least for some plan service providers, the willingness to cover fraudulent withdrawals may have run out.”

Submission + - From China with Love: New York Firm sold millions in PRC Surveillance Gear to US (securityledger.com)

chicksdaddy writes: Uncle Sam’s supply chain woes just got a lot worse. A complaint unsealed by the U.S. District Court for the Eastern District of New York (https://www.justice.gov/usao-edny/pr/aventura-technologies-inc-and-its-senior-management-charged-fraud-money-laundering-and) alleges that Aventura Technologies, a Long Island firm, sold more than $88 million worth of Chinese-made security equipment to the U.S. government for more than a decade, including networked surveillance cameras used in military bases and U.S. Department of Energy facilities.

A 56 page complaint unsealed in the U.S. District Court for the Eastern District of New York (https://www.justice.gov/usao-edny/press-release/file/1215951/download) names seven individuals employed by Aventura Technologies of Commack, Long Island as participants in a years-long scheme that sold Chinese security hardware to a wide range of U.S. government agencies including the U.S. Army, Navy and Air Force, as well as the Department of the Treasury. In all, the company sold technology across more than 60 contracts with the U.S. Government.

The DOJ outlines an extensive fraud, including import fraud, defrauding the government and money laundering. The government arrested six individuals on Thursday. The government also seized a 70-foot luxury yacht and froze approximately $3 million in 12 financial accounts, according to a statement.

Though Aventura claimed in its dealings with the U.S. Government that its cameras, night vision cameras, turnstiles and other technology were manufactured in a factory in New York, they were actually sourced from a range of manufacturers in China, some with ties to the Chinese government.

Cameras manufactured in China were outfitted with Aventura’s logo and the phrase “Made in USA” before being resold to U.S. government agencies. Cabasso and others took extensive measures to conceal the source of the hardware, urging their partners in China to remove the manufacturer’s name from circuit boards and communications sent between client and server software used by its networked cameras and other equipment.

Submission + - They're Not Even Trying: Survey of Firmware Finds No Security Gains in 15 Years (securityledger.com)

chicksdaddy writes: Hardware vendors like DLink, NETGEAR and Linksys frequently claim that security is their top priority, but The Security Ledger reports (https://securityledger.com/2019/08/huge-survey-of-firmware-finds-no-security-gains-in-15-years/) that a survey of more than 6,000 firmware images from those device makers and more than a dozen others found lax security standards for the software running connected devices and no improvement in firmware security over the past 15 years.

“Nobody is trying,” said Sarah Zatko, the Chief Scientist at the Cyber Independent Testing Lab (CITL) (https://cyber-itl.org/), a non-profit organization that conducts independent tests of software security. “We found no consistency in a vendor or product line doing better or showing improvement. There was no evidence that anybody is making a concerted effort to address the safety hygiene of their products,” she said.

Zatko presented the findings of CITL’s extensive study in Las Vegas on Friday on the sidelines of the Black Hat and DEF CON conferences at an event hosted by The Hewlett Foundation (https://hewlett.org/). CITL was started by Sarah and her husband Peiter (aka “Mudge”) Zatko. It bills itself as a kind of “Consumer Reports” for cyber security, partnering with that organization as well as The Ford Foundation, The Digital Standard and online payments firm Stripe.

In what it bills as the "first longitudinal study of IoT software safety," the CITL study surveyed firmware from 18 vendors including ASUS, D-Link, Linksys, NETGEAR, Ubiquiti and others. In all, more than 6,000 firmware versions were analyzed, totaling close to 3 million binaries created from 2003 to 2018.

CITL researchers studied publicly available firmware images and evaluated them for the presence of standard security features such as the use of non-executable stacks, Address Space Layout Randomization (ASLR) and stack guards, which prevent buffer overflow attacks.

The results were not encouraging. Time and again, firmware from popular brands failed to implement basic security features as part of the software build process — even when researchers studied the most recent versions of the firmware.

The use of stack guards to protect against buffer overflow attacks and non-executable stacks to protect against “stack smashing" and address space layout randomization (ASLR) was rare, even though such features are a standard part of modern operating systems and software applications.

CITL's security tests were not comprehensive — just the opposite. “Stack guards and buffer overflow protection are the canaries in the coal mine,” she said: basic protections that all software should employ. The absence of even basic protections suggests that the tested firmware may contain more serious vulnerabilities and that firmware security is years behind the security of applications like Windows, OS X or Google Chrome and FireFox.

“These are the seatbelts and airbags of the software world. These numbers are unheard of in operating systems or (Web) browsers. It's just a sign that they’re not trying,” Zatko said.

Even worse, CITL researchers found no clear progress in any protection category over time, said Zatko. Researchers documented 299 positive changes in firmware security scores over the 15 years covered by the study but 370 negative changes over the same period. Looking across its entire data set, in fact, firmware security actually appeared to get worse over time, not better, CITL said.

Submission + - Critical flaws in VxWorks RTOS affect billions of connected devices (armis.com)

chicksdaddy writes: Serious and exploitable security flaws in VxWorks, a commonly used operating system for embedded devices, span 13 years and could leave billions of connected devices vulnerable to remote cyber attacks and hacks, The Security Ledger reports. (https://securityledger.com/2019/07/critical-flaws-in-vxworks-affect-billions-of-connected-things/)

The security firm Armis on Monday published a warning (https://armis.com/urgent11/) about 11 critical, zero day vulnerabilities in the VxWorks operating system, which is owned and managed by the firm Wind River. (https://www.windriver.com/products/vxworks/) The vulnerabilities were found in VxWorks' implementation of TCP/IP. They affect more than 200 million devices and billions of deployed endpoints. They could allow attackers to remotely take control of everything from networked printers and security appliances to industrial and medical devices, according to Ben Seri, the Vice President of Research at Armis.

At least a couple of the flaws were described as “more serious” than EternalBlue, the Microsoft Windows flaw that powered both the WannaCry and NotPetya malware outbreaks. (https://politics.slashdot.org/story/17/08/11/233200/russian-group-that-hacked-dnc-used-nsa-attack-code-in-attack-on-hotels)

Six of the 11 flaws discovered by Armis are so-called “remote code execution” or “RCE” flaws, which are considered among the most dangerous kinds of software hole, as they allow remote attackers to place and execute their own code on vulnerable devices. The remaining flaws are a mix of denial of service flaws, information leak vulnerabilities and other lower risk security holes.

SCADA and industrial control system devices, healthcare devices like patient monitors and MRI machines, as well as networking equipment, networked printers and VOIP phones are all potentially vulnerable to the flaws, Armis said in a blog post Monday.

Submission + - In letter to FTC, Microsoft calls Repair a Security Risk. It isn't. (securepairs.org)

chicksdaddy writes: In comments submitted to the Federal Trade Commission, Microsoft Corp. is arguing that repairing its devices could jeopardize the cyber security of the Trusted Platform Module (TPM) security chip. Don’t believe them.

The argument comes in an unsigned letter (https://securepairs.org/wp-content/uploads/2019/06/MSFT-COMMENT.pdf) to the FTC from Microsoft and dated May 31st. The statement was submitted ahead of Nixing the Fix (https://www.ftc.gov/news-events/events-calendar/nixing-fix-workshop-repair-restrictions), an FTC workshop on repair restrictions that is scheduled for mid-July.

Microsoft was one of a number of companies that submitted comments to the Commission critical of so-called “right to repair” laws proposed in 20 states (https://uspirg.org/news/usp/california-becomes-20th-state-2019-consider-right-repair-bill) this year. They would legally mandate that manufacturers make diagnostic information, tools and replacement parts available to owners and independent repair professionals.

“The unauthorized repair and replacement of device components can result in the disabling of key hardware security features or can impede the update of firmware that is important to device security or system integrity,” Microsoft wrote. “If the TPM or other hardware or software protections were compromised by a malicious or unqualified repair vendor, those security protections would be rendered ineffective and consumers’ data and control of the device would be at risk,” the company wrote. “Moreover, a security breach of one device can potentially compromise the security of a platform or other devices connected to the network.”

Firms like Microsoft, Lexmark, LG, Samsung and others use arguments like this all the time and then not too subtly imply that their authorized repair professionals are more trustworthy and honest than independent competitors. But that’s just hot air. They have no data to back up those assertions and there’s no way that their repair technicians are more trustworthy than owners, themselves.

As for the underlying argument about repair threatening Microsoft’s device security model? Well, that’s wrong, also, according to securepairs.org, a group of information security professionals who support the right to repair. (https://securepairs.org/)

There’s nothing inherent in repair or the things called for in right to repair laws like providing diagnostic software, diagnostic codes, schematics and replacement parts that puts the integrity of the TPM or the trust model it anchors at risk. Nor does the TPM require that the devices it secures remain pristine: using the same hardware and software configuration as when they were sold by the OEM.

After all, TPMs are in Dell computers. Dell makes diagnostic software and diagnostic codes (https://www.dell.com/support/home/us/en/04/quicktest) and schematics available for their hardware and I haven’t heard Microsoft or anybody else suggest that a TPM on a repairable Dell laptop is any less secure than the TPM on an unrepairable Microsoft Surface.

As securepairs points out: if Microsoft wants to make devices that nobody can service and repair without breaking their security model, they’re entitled to do that. They can make Surface Pros so hardened and tamper proof that merely opening them will destroy them. What they can’t do is make devices that are repairable, and then lock out everyone but their own service technicians. In short: if it's safe and possible for a Microsoft authorized technician to service a Surface Pro, then it is safe and possible for an owner of the device to do so, or an independent repair technician. Full stop.

Submission + - Cognitive bias is the cyber threat you can't detect (securityledger.com)

chicksdaddy writes: Implicit bias among security workers poses a real risk to industry, prompting cyber security workers to misinterpret critical data and reach incorrect decisions based on that data, a new study by the firm Forcepoint (https://www.forcepoint.com) warns.

Well documented flaws in human reasoning such as confirmation bias, aggregate bias and availability bias can lead security workers to make misinformed decisions about threats or reach inaccurate conclusions based on the information and data their tools provide them. That, in turn, could leave their organizations vulnerable to attack, or make it difficult to properly respond to cyber attacks and other incidents, according to the report, which warns organizations not to overlook bias when interpreting security data.

The report (https://www.forcepoint.com/sites/default/files/resources/files/report_thinking_about_thinking_cybersecurity_bias_en.pdf), by research scientist Dr. Margaret Cunningham of Forcepoint’s X-Labs, examines the role of six common biases in cybersecurity decision-making and offers guidance on how to identify and avoid them using applied insight.

“Decision-making is central to cybersecurity–from regular end users and coworkers who are sharing our network, to people working in (security operations centers), to organizational leaders who deal with purchasing security solutions and hiring security personnel. It is critical to understand that everyone, from novices to experts, is subject to cognitive bias,” said Cunningham in an email interview with The Security Ledger (https://securityledger.com/2019/06/cognitive-bias-is-the-threat-actor-you-may-never-detect/).
