Tenable Research Podcast - Benchmarks and You: Making the Right Match

Benchmarks and You: Making the Right Match

11/13/20 • 50 min

Tenable Research Podcast

On this episode, we talk about November Patch Tuesday - Satnam highlights some of the vulnerabilities and we discuss the new, limited format for the advisories from Microsoft. Our guest this month is Grant Dobbe who gives us a crash course on compliance benchmarks and how to pick the right one for you. The key lesson: don’t try to put a jet engine on a Cessna.

Show References:
Government Agencies Warn of State-Sponsored Actors Exploiting Publicly Known Vulnerabilities
Webinar: Ramp-Up Your Response to Latest State Sponsored Attacks

Microsoft’s November 2020 Patch Tuesday Addresses 112 CVEs including CVE-2020-17087
CVE-2020-15999, CVE-2020-17087: Google Chrome FreeType and Microsoft Windows Kernel Zero Days Exploited in the Wild
Google patches two more Chrome zero-days
Apple patches iOS against 3 actively exploited 0-days found by Google

Oracle Critical Patch Update for October 2020 Addresses 402 Security Updates
CVE-2020-14882: Oracle WebLogic Remote Code Execution Vulnerability Exploited in the Wild
Oracle Security Alert Advisory - CVE-2020-14750 (Out-of-Band)
CVE-2020-14871: Critical Buffer Overflow in Oracle Solaris Exploited in the Wild as Zero-Day
CVE-2020-27615: SQL Injection Vulnerability in WordPress Loginizer Plugin Affected Over One Million Sites
CVE-2020-16846, CVE-2020-25592: Critical Vulnerabilities in Salt Framework Disclosed

Webinar: How to Unlock the Security Benefits of the CIS Benchmarks
CIS Benchmarks
DISA STIGs
STIG Viewer
Single Check Audits on Github
Github: Audit file for CVE-2020-14871

Tenable Research Podcast Musical References

Next Episode

Security Research in 2020

We’re joined by four members of the Zero Day Research team - Nick Miles, Jimi Sebree, Chris Lyne, and Evan Grant - to talk about what it’s like being a security researcher in 2020. Conferences mostly cancelled, vendor responses fluctuating, concerns about selecting targets and promoting work - it’s complicated out there for researchers. As always, Satnam Narang breaks down the latest vulnerability news for us.

Show References:

Microsoft’s December 2020 Patch Tuesday Addresses 58 CVEs including CVE-2020-25705 (SAD DNS)
Cloudflare’s Blog Post on SAD DNS
CVE-2020-4006: VMware Command Injection Flaw Exploited by Russian State-Sponsored Threat Actors
CVE-2020-27125, CVE-2020-27130, CVE-2020-27131: Pre-Authentication Vulnerabilities in Cisco Security Manager Disclosed
Spam warning on Cash Ash
Zero Day Research
COVID-19 Pandemic Data: As Attack Surface Expands, Software Vendors Improve Vulnerability Response Times
PsExec Local Privilege Escalation
Hacking in Among Us
TP-Link Takeover with a Flash Drive
Inside Amazon’s Ring Alarm System

Follow along for more from Tenable Research:
Subscribe to the blog
Follow Tenable’s Zero Day team on Medium
Tenable Research Podcast Musical References
