Back to Basics …. Again

It appears that the bad guys who exploited Adobe in August, and stole ColdFusion source code (and possibly other Adobe source code) as well as millions of credit card numbers, used a well-known ColdFusion vulnerability. What seems to have happened is that they exploited an unpatched ColdFusion instance and then followed an attack vector that led them to the credit cards and the source code. For some of the details on this, see this story by Krebs.

And now it’s time for me to rail, once again, about the need for InfoSec and IT Operations to “do the basics”. C’mon guys, this was your own vulnerability: one you knew about, controlled the source code for, published patches for, and so on. And you couldn’t patch it? How many times must the bad guys exploit basics like this, and then follow an internal kill chain to the crown jewels, before we get serious about this problem?

This is exactly why I joined CORE Security … to help with this problem. Until these very basic issues are solved, all the advanced security stuff is pointless. CISOs need to stop fretting over BYOD. It’s time for them to get back to patching vulnerabilities and shutting down attack vectors into their networks.

About Eric Cowperthwaite

Nearly 30 year security professional, 11 years in the US Army, and another 18 in the civilian world. Worked for EDS for 9 years, then for Providence Health & Services as their CSO for 7 years. Now I work for CORE Security as their VP, Advanced Security & Strategy. This blog is not just about security, either physical or information. You can expect to read about cigars, my life, things I think are funny and much more. And I will rail about the FUD that so many security practitioners toss around on a regular basis. Plus, once in a great while, I might actually share a thought or two about security. Did I mention that I will probably blog about cigars? Just to be clear, nothing that I write here represents the position or opinion of my employer. Nothing I write here is proprietary or confidential to my employer. Everything I write here is my personal opinion.
This entry was posted in BYOD, InfoSec, Security, Vulnerability Management.