Question
An IS auditor is informed that several spreadsheets are being used to generate key financial information. What should the auditor verify NEXT?
A. Whether adequate documentation and training are available for spreadsheet users
B. Whether the spreadsheets meet the minimum IT general controls requirements
C. Whether there is a complete inventory of end-user computing …
CISA
In a joint cybersecurity advisory, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) warn that threat actors used legitimate remote monitoring and management software to gain access to the networks of multiple federal civilian executive branch agencies. The advisory includes technical details, indicators of …
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a dozen advisories warning of vulnerabilities in various Industrial Control Systems (ICS). Affected products include Sewio RTLS Studio, RONDS Equipment Predictive Maintenance Solution, InHand Networks InRouter, Panasonic Sanyo CCTV Network Camera, SAUTER Controls Nova 200 – 220 Series (PLC 6), Johnson Controls Metasys, Hitachi …
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two privilege elevation vulnerabilities – one in Microsoft Exchange Server and one in Windows – to its Known Exploited Vulnerabilities (KEV) Catalog. US Federal Civilian Executive Branch Agencies have until January 31 to mitigate the flaws. Note CVE-2022-41080 – an Exchange privilege escalation flaw from …
Updated on 2023-01-09: Hitachi Energy Vulnerabilities The US Cybersecurity and Infrastructure Security Agency (CISA) has published three Industrial Control System (ICS) advisories regarding vulnerabilities in Hitachi Energy products. The flaws affect Hitachi Energy UNEM, Hitachi Energy FOXMAN-UN, and Hitachi Energy Lumada Asset Performance Management. Hitachi has addressed the vulnerabilities and urges users to update to …
Updated on 2022-12-30 The US Cybersecurity and Infrastructure Security Agency (CISA) has added two JasperReports vulnerabilities to its known exploited vulnerabilities catalog: CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9). The flaws were disclosed in 2018; fixes are available for both flaws. CISA says it has become aware that the vulnerabilities – an information …
The US Cybersecurity and Infrastructure Security Agency (CISA) has published three advisories regarding vulnerabilities in Rockwell Automation controllers. Rockwell has released updates to address two of the vulnerabilities: an improper access control issue in Rockwell Automation Studio 5000 Logix Emulate and an improper input validation issue in Rockwell Automation GuardLogix and ControlLogix controllers. Rockwell has …
Updated on 2022-12-15: 5G network slicing guidance CISA and the NSA have released new guidance for 5G network operators, the latest in a series they started earlier this week. This document [PDF] covers how mobile network operators can best set up and defend 5G networks that have been split into smaller …
The US Cybersecurity and Infrastructure Security Agency (CISA) has added an unspecified vulnerability in Oracle Fusion Middleware to its Known Exploited Vulnerabilities (KEV) catalog. The flaw affects Oracle Fusion Middleware Access Manager and “allows an unauthenticated attacker with network access via HTTP to take over the Access Manager product.” CISA has specified a mitigation due …
Updated on 2022-12-12 The Hive ransomware group claimed responsibility for ongoing disruptions to computer systems at Knox College, Illinois. It claimed to have encrypted critical infrastructure and data. Read more: Knox College president addresses ransomware incident as notorious group claims credit Updated on 2022-12-09 The Hive ransomware group claimed to have posted the customer data …
Updated on 2022-12-29 The Log4Shell vulnerability remains a big threat to organizations a year after security patches were released. One analysis found that around 40% of software continues to use vulnerable versions of Apache Log4j. Read more: Lessons Learned: The Log4J Vulnerability 12 Months On Updated on 2022-12-12: Log4Shell one-year anniversary Happy birthday …
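The practical follow-up to the "40% still vulnerable" figure is checking which log4j-core build is actually shipped inside your own artifacts, including jars nested inside fat jars, where package managers do not see them. The scanner below is an added example written for this page; it is not code from the article, from CISA, or from the Apache Log4j project. It reads the version from the Maven pom.properties that log4j-core embeds, recurses into nested .jar/.war/.ear entries, and classifies each hit against the Apache fix versions (2.15.0 for CVE-2021-44228, with 2.12.2 and 2.3.1 as the Java 7/6 backports; 2.17.1, 2.12.4 and 2.3.2 as the last of the follow-up fixes). The sample "application" jar is constructed in memory for the demonstration, and the JndiLookup.class payload is placeholder bytes, not a real class file.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# Paths inside a log4j-core jar that identify the artifact and its version.
POM_PROPS_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Removing this class is the documented mitigation when upgrading is not possible.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


@dataclass
class Finding:
    location: str            # path to the jar; nested archives joined with "!/"
    version: str
    jndi_lookup_present: bool
    cve_2021_44228: bool     # original Log4Shell, fixed in 2.15.0 (2.12.2 / 2.3.1 backports)
    needs_update: bool       # below 2.17.1 (2.12.4 / 2.3.2), so misses a follow-up CVE fix


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0).
    The last element orders pre-releases below the final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version string: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def _on_fixed_backport(ver: tuple, branch: tuple, first_fixed: tuple) -> bool:
    return ver[:2] == branch and ver >= first_fixed


def classify(location: str, version: str, jndi_present: bool) -> Finding:
    ver = parse_version(version)
    # CVE-2021-44228 affects 2.0-beta9 through 2.14.1 (all 2.0 pre-releases are
    # treated as affected here); 2.12.2 and 2.3.1 are the fixed backport releases.
    vulnerable_44228 = (
        (2, 0, 0, 0) <= ver < (2, 15, 0, 0)
        and not _on_fixed_backport(ver, (2, 12), (2, 12, 2, 1))
        and not _on_fixed_backport(ver, (2, 3), (2, 3, 1, 1))
    )
    # Any 2.x below 2.17.1 (2.12.4 / 2.3.2 on the backport branches) still lacks
    # at least one of the CVE-2021-45046 / -45105 / -44832 fixes. 1.x is EOL and
    # out of scope for this check.
    needs_update = (
        ver[0] == 2
        and ver < (2, 17, 1, 1)
        and not _on_fixed_backport(ver, (2, 12), (2, 12, 4, 1))
        and not _on_fixed_backport(ver, (2, 3), (2, 3, 2, 1))
    )
    return Finding(location, version, jndi_present, vulnerable_44228, needs_update)


def _read_pom_version(zf: zipfile.ZipFile) -> str:
    for line in zf.read(POM_PROPS_PATH).decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    raise ValueError("pom.properties without a version entry")


def scan_jar(data: bytes, location: str = "root") -> list:
    """Scan an archive given as bytes, recursing into nested jar/war/ear entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS_PATH in names:
            findings.append(classify(location, _read_pom_version(zf), JNDI_LOOKUP_CLASS in names))
        for name in sorted(names):
            if name.lower().endswith((".jar", ".war", ".ear")):
                findings.extend(scan_jar(zf.read(name), f"{location}!/{name}"))
    return findings


def build_sample_jar(log4j_version: str, strip_jndi_lookup: bool = False) -> bytes:
    """Constructed fixture: a fat jar bundling log4j-core under BOOT-INF/lib."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS_PATH, f"#Generated by Maven\nversion={log4j_version}\n"
                   "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if not strip_jndi_lookup:
            z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(f"BOOT-INF/lib/log4j-core-{log4j_version}.jar", inner.getvalue())
        z.writestr("BOOT-INF/classes/application.properties", "logging.level.root=INFO\n")
    return outer.getvalue()


if __name__ == "__main__":
    for finding in scan_jar(build_sample_jar("2.14.1")):
        print(finding)
```

Against a real deployment, feed `scan_jar` the bytes of each deployable found on disk or pulled from the artifact repository; a hit with `cve_2021_44228` set and `jndi_lookup_present` false shows the class-removal mitigation was applied but the upgrade still has not happened, which is exactly the state the one-year-on reports describe.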
Updated on 2022-11-14: CISA Publishes Stakeholder-Specific Vulnerability Categorization Guide The US Cybersecurity and Infrastructure Security Agency (CISA) has published a Stakeholder-Specific Vulnerability Categorization (SSVC) Guide to help government agencies and other organizations prioritize vulnerability management. The guide includes information about how CISA scores vulnerabilities, and describes its decision tree model. Note The SSVC guide derives from …
The US Cybersecurity and Infrastructure Security Agency (CISA) has published three separate industrial control system (ICS) advisories. The vulnerabilities affect ETIC Telecom Remote Access Server, Nokia ASIK AirScale System Module, and Delta Industrial Automation DIALink. Note Updates to the affected ETIC and DIALink products have been published. Implement mitigations from Nokia until a fix is …
Updated on 2022-11-17: Securing the Supply Chain Guidance for Customers The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence have published Securing Software Supply Chain Series – Recommended Practices Guide for Customers. The publication is the third in a series of guidance …
Updated on 2022-10-26 CISA has sought public comment on security configuration baselines for eight Microsoft products, as part of its Secure Cloud Business Applications (SCuBA) project. Read more: CISA Seeks Feedback on Baseline Measures to Secure Cloud Configuration Overview The US Cybersecurity and Infrastructure Security Agency (CISA) has released security configuration baseline …