NSPM-33 Research Cybersecurity Guidance

This post provides background on the National Security Presidential Memorandum-33 (NSPM-33) for research institutions that receive federal support, explains who it applies to, and focuses on the research security program requirements. Recently the National Science and Technology Council developed implementation guidance, in conjunction with the White House Office of Science and […]

Third-Party Cyber Risk Management: Automating Product and Service Specific Assessments

Digital transformation and an interconnected supply chain that leverages third-party software to fulfill business needs is placing a high priority on assessing third parties and their services. Traditional third-party risk assessments and first-generation security ratings products do not provide the level of visibility […]

FortifyData’s Alignment with NIST SP 800-40

While patching of systems has long been a common IT function, organizations vary greatly in their processes. NIST SP 800-40 is a “Guide to Enterprise Patch Management Planning” that helps to provide structure to the organizational process of patch management. Within the software vulnerability management lifecycle, found in section […]

How Old Vulnerabilities Introduce Zero-Day Risks

Earlier this year a joint cybersecurity advisory from U.S. and allied cybersecurity authorities identified the top exploited vulnerabilities and exposures (CVEs) of 2021. We noted in a blog post about the advisory that out of the vulnerabilities on the list, 25% of them were identified in 2020 and earlier […]

Threat Advisory: Chromium Zero Day (MS Edge and Google Chrome)

Threat – Chromium Zero Day (MS Edge and Google Chrome). Vulnerability – CVE-2022-22941. CVSS – 8.8 HIGH. Vulnerability Publication Date – 07/07/2022. Exploits Available – Yes, private. Description – There is very little information available about this vulnerability other than it has been exploited in the wild. Both […]

What To Know About The Top 15 Exploited Vulnerabilities

A recent joint cybersecurity advisory from U.S. and allied cybersecurity authorities identified the top exploited vulnerabilities and exposures (CVEs) of last year. Out of the 15 vulnerabilities that made the list, which we’ve placed below, it is interesting to see 11 of the 15 are from 2021. There […]

Threat Advisory: Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2022-26809)

Threat – Remote Code Execution through Microsoft RPC. Vulnerability – Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2022-26809)1. CVSS – 9.8 CRITICAL. Vulnerability Publication Date – 4/12/2022. Exploits Available – Most Likely. Description – Of the 128 vulnerabilities in Microsoft’s April patch, 10 have a critical severity, but CVE-2022-26809 is raising the most concern. The vulnerability […]

Threat Advisory: Spring Framework Spring4Shell Vulnerability (CVE-2022-22965)

Threat – Remote Code Execution (RCE) in the Java Spring Framework. Vulnerability – Spring Framework Spring4Shell (CVE-2022-22965)1. CVSS – 9.8 CRITICAL. Vulnerability Publication Date – 3/31/2022. Exploits Available –. Description – The Spring4Shell Remote Code Execution vulnerability affects Apache Tomcat servers running JDK9+ with Spring library versions prior to 5.2.20 or 5.3.x prior to 5.3.18. After 26 years of […]