med-mastodon.com is one of the many independent Mastodon servers you can use to participate in the fediverse.
Medical community on Mastodon
#vulnerabilityassessment

Europe Says<p><a href="https://www.europesays.com/2006506/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">europesays.com/2006506/</span><span class="invisible"></span></a> Palm Beach County seeks public input on plan to tackle climate change impacts <a href="https://pubeurope.com/tags/Climate" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Climate</span></a> <a href="https://pubeurope.com/tags/ClimateChange" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClimateChange</span></a> <a href="https://pubeurope.com/tags/CommunityInput" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CommunityInput</span></a> <a href="https://pubeurope.com/tags/ExtremeHeat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ExtremeHeat</span></a> <a href="https://pubeurope.com/tags/FloodingRisk" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FloodingRisk</span></a> <a href="https://pubeurope.com/tags/GlobalWarming" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GlobalWarming</span></a> <a href="https://pubeurope.com/tags/PalmBeachCounty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PalmBeachCounty</span></a> <a href="https://pubeurope.com/tags/ResilienceActionPlan" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ResilienceActionPlan</span></a> <a href="https://pubeurope.com/tags/ResiliencePlan" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ResiliencePlan</span></a> <a href="https://pubeurope.com/tags/VulnerabilityAssessment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VulnerabilityAssessment</span></a></p>
Marcel SIneM(S)US<p><a href="https://social.tchncs.de/tags/SecureCoding" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecureCoding</span></a>: Assessing risks with the <a href="https://social.tchncs.de/tags/ExploitPredictionScoringSystem" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ExploitPredictionScoringSystem</span></a> | Developer <a href="https://www.heise.de/hintergrund/Secure-Coding-Risiken-einschaetzen-mit-dem-Exploit-Prediction-Scoring-System-10252792.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">heise.de/hintergrund/Secure-Co</span><span class="invisible">ding-Risiken-einschaetzen-mit-dem-Exploit-Prediction-Scoring-System-10252792.html</span></a> <a href="https://social.tchncs.de/tags/ITSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ITSecurity</span></a> <a href="https://social.tchncs.de/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cybersecurity</span></a> <a href="https://social.tchncs.de/tags/VulnerabilityManagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VulnerabilityManagement</span></a> <a href="https://social.tchncs.de/tags/ExploitPrediction" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ExploitPrediction</span></a> <a href="https://social.tchncs.de/tags/EPSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EPSS</span></a> <a href="https://social.tchncs.de/tags/CVSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVSS</span></a> <a href="https://social.tchncs.de/tags/SSVC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SSVC</span></a> <a href="https://social.tchncs.de/tags/CWE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CWE</span></a> <a href="https://social.tchncs.de/tags/RiskManagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RiskManagement</span></a> <a href="https://social.tchncs.de/tags/ThreatIntelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatIntelligence</span></a> <a href="https://social.tchncs.de/tags/MachineLearning" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MachineLearning</span></a> <a href="https://social.tchncs.de/tags/DataDrivenSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DataDrivenSecurity</span></a> <a href="https://social.tchncs.de/tags/PatchManagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PatchManagement</span></a> <a href="https://social.tchncs.de/tags/SecurityBestPractices" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecurityBestPractices</span></a> <a href="https://social.tchncs.de/tags/ZeroDay" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ZeroDay</span></a> <a href="https://social.tchncs.de/tags/VulnerabilityAssessment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VulnerabilityAssessment</span></a> <a href="https://social.tchncs.de/tags/SecurityTools" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecurityTools</span></a> <a href="https://social.tchncs.de/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a></p>
(void*)huxley :verified:<p>Zach Wasserman from <span class="h-card" translate="no"><a href="https://discuss.systems/@Fleet" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>Fleet</span></a></span> and I had a fantastic conversation on his podcast where I gave him a sneak peek at what's coming for <span class="h-card" translate="no"><a href="https://infosec.exchange/@BSidesNYC" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>BSidesNYC</span></a></span> 0x04. We also had a great conversation about advanced methods to enumerate vulnerabilities beyond rudimentary vuln scanning.</p><p>Please connect with me if you have any questions.</p><p><a href="https://infosec.exchange/tags/securityconference" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>securityconference</span></a> <a href="https://infosec.exchange/tags/vulnerabilityassessment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilityassessment</span></a> <a href="https://infosec.exchange/tags/vulnerabilitymanagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilitymanagement</span></a> </p><p><a href="https://fleetdm.com/podcasts/expeditioners-huxley-barbee" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">fleetdm.com/podcasts/expeditio</span><span class="invisible">ners-huxley-barbee</span></a></p>
Wade Baker<p>Tomorrow (Thurs, July 20) I'm hosting a webinar to share key findings from several years' worth of published research on vulnerability remediation. We have 8 data-packed reports to cover in ~30 minutes. To accomplish that, I've chosen two representative charts from each report - which was TOUGH!</p><p>Register here and let me know how you think I did: <a href="https://us02web.zoom.us/webinar/register/7316732996513/WN_FHnATAyWTzG_lsjH3PkbLQ#/registration" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">us02web.zoom.us/webinar/regist</span><span class="invisible">er/7316732996513/WN_FHnATAyWTzG_lsjH3PkbLQ#/registration</span></a></p><p><a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a>&nbsp;<a href="https://infosec.exchange/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilities</span></a>&nbsp;<a href="https://infosec.exchange/tags/devops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>devops</span></a>&nbsp;<a href="https://infosec.exchange/tags/devsecops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>devsecops</span></a>&nbsp;<a href="https://infosec.exchange/tags/vulnerabilitymanagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilitymanagement</span></a>&nbsp;<a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a>&nbsp;<a href="https://infosec.exchange/tags/vulnerabilityassessment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilityassessment</span></a>&nbsp;<a href="https://infosec.exchange/tags/vulnerabilityscanning" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>vulnerabilityscanning</span></a>&nbsp;<a href="https://infosec.exchange/tags/exposuremanagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>exposuremanagement</span></a>&nbsp;<a href="https://infosec.exchange/tags/remediation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>remediation</span></a>&nbsp;<a href="https://infosec.exchange/tags/cyberriskmanagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cyberriskmanagement</span></a>&nbsp;<a href="https://infosec.exchange/tags/informationsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>informationsecurity</span></a>&nbsp;<a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a>&nbsp;<a href="https://infosec.exchange/tags/appsec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>appsec</span></a>&nbsp;<a href="https://infosec.exchange/tags/applicationsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>applicationsecurity</span></a>&nbsp;<a href="https://infosec.exchange/tags/appsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>appsecurity</span></a></p>
Wade Baker<p>Excerpt from my latest Cyentia Institute blog post, “Patching, Fast and Slow”:</p><p>There are many ways one could measure how quickly vulnerabilities are patched. Most go with a simple average, but such point statistics are a poor representation of what’s really happening with remediation timeframes. Our favored method for this is survival analysis. I won’t get into the methodology here other than to say it tracks the “death” (remediation) of vulnerabilities over time to produce a curve that looks like the ones below comparing remediation speed among sectors. </p><p>The lesson? Get remediation strategy advice from your investment firm rather than your insurer, perhaps? We could ask a bunch of other questions about why certain organizations or industries struggle more than others to address vulnerabilities…but this isn’t that post. But I do suspect the “system” guiding the patching strategies of these organizations makes a big difference in the shape of their remediation curves. </p><p>You may have caught the title of this post being a reference to Daniel Kahneman’s book “Thinking, Fast and Slow.” That was partly because it’s catchy and fits the topic. But I also think there’s a parallel to be drawn from one of the main points of that book. Kahneman describes two basic types of thinking that drive human decision-making:</p><p>System 1: Fast, automatic, frequent, emotional, stereotypic, unconscious</p><p>System 2: Slow, effortful, infrequent, logical, calculating, conscious</p><p>Maybe you see where I’m headed here. I’m not saying we can boil all patching down to just two different approaches. But my experience and research support the notion that there are two broad systems at play. Many assets lend themselves to automated, fast deployment of patches without much additional preparation or evaluation (e.g., newer versions of Windows and OSX). 
Those fall under System 1 patching.</p><p>Other assets require manual intervention, testing, risk evaluation, or additional effort to deploy. That fits the System 2 definition well. The more your organization has to engage in System 2 rather than System 1 patching, the slower and shallower those remediation timelines will appear. Like normal decisions, we can’t do everything via System 1…some assets need that extra System 2 treatment. But problems (and/or delays) arise when there’s a mismatch between the system used and the decision (remediation) scenario.</p><p>My takeaway for vulnerability management programs? Use System 1 patching as much as possible and System 2 patching only where necessary.</p><p>See all the analysis leading up to this conclusion in the full post: <a href="https://www.cyentia.com/patching-fast-and-slow/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">cyentia.com/patching-fast-and-</span><span class="invisible">slow/</span></a></p><p><a href="https://infosec.exchange/tags/patchmanagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>patchmanagement</span></a> <a href="https://infosec.exchange/tags/vulnerabilitymanagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilitymanagement</span></a> <a href="https://infosec.exchange/tags/vulnerabilityassessment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilityassessment</span></a> <a href="https://infosec.exchange/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilities</span></a> <a href="https://infosec.exchange/tags/exposuremanagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>exposuremanagement</span></a> <a href="https://infosec.exchange/tags/riskmanagement" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>riskmanagement</span></a> <a href="https://infosec.exchange/tags/cyberriskmanagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cyberriskmanagement</span></a> <a href="https://infosec.exchange/tags/remediation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>remediation</span></a> <a href="https://infosec.exchange/tags/cve" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve</span></a> <a href="https://infosec.exchange/tags/appsec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>appsec</span></a> <a href="https://infosec.exchange/tags/appsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>appsecurity</span></a> <a href="https://infosec.exchange/tags/secops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>secops</span></a> <a href="https://infosec.exchange/tags/securityoperations" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>securityoperations</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infosecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosecurity</span></a></p>
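The post above describes survival analysis of remediation without showing the arithmetic. The following is an added example, not code from Wade Baker's post or from Cyentia, that builds such a curve with the Kaplan-Meier estimator (an assumption about the specific method; the post only says "survival analysis") over constructed per-vulnerability records. The sector names and the day counts are invented; the point is how still-open vulnerabilities (right-censored records) are kept in the estimate instead of being dropped or miscounted the way a plain average of "days to fix" would.

```python
"""Added example: Kaplan-Meier remediation curve over constructed vuln records."""
from collections import Counter

# Constructed sample, not real data. Each record is (days observed, remediated?).
# remediated=False means the vuln was still open when observation stopped:
# a right-censored record that an average of "days to fix" would either drop
# or count as if it had been fixed on its last observed day.
SAMPLE = {
    "finance":   [(3, True), (7, True), (7, True), (14, True),
                  (30, True), (45, False), (60, False), (90, True)],
    "insurance": [(10, True), (30, True), (60, False), (90, False),
                  (120, True), (120, False), (180, False), (200, True)],
}


def kaplan_meier(records):
    """Return the step curve [(day, fraction still open), ...].

    At each day with at least one remediation event the survival estimate is
    multiplied by (1 - events / at_risk). Censored records stay in the risk
    set up to their last observed day and then leave without an event.
    """
    events = Counter(day for day, remediated in records if remediated)
    at_risk = len(records)
    survival = 1.0
    curve = [(0, 1.0)]
    for day in sorted({day for day, _ in records}):
        d = events.get(day, 0)
        if d:
            survival *= 1.0 - d / at_risk
            curve.append((day, survival))
        # every record observed up to this day leaves the risk set afterwards
        at_risk -= sum(1 for day2, _ in records if day2 == day)
    return curve


def fraction_open_at(curve, day):
    """Fraction of vulns still open at `day` (step-function lookup)."""
    value = 1.0
    for step_day, survival in curve:
        if step_day > day:
            break
        value = survival
    return value


def days_to_remediate(curve, fraction):
    """First day by which at least `fraction` of vulns were remediated, or
    None if the curve never gets there inside the observation window."""
    target = 1.0 - fraction + 1e-9   # tolerance for floating-point products
    for day, survival in curve:
        if survival <= target:
            return day
    return None


if __name__ == "__main__":
    for sector, records in SAMPLE.items():
        curve = kaplan_meier(records)
        print(sector, [(d, round(s, 3)) for d, s in curve])
        print("  half remediated by day", days_to_remediate(curve, 0.5))
```

With the constructed data the "finance" set reaches 50% remediated on day 14 and the "insurance" set not until day 200, which is the kind of sector gap the post's curves are meant to show; `days_to_remediate` returns `None` when the curve never reaches the requested fraction, which is the honest answer for a window in which most findings are still open.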
Wade Baker<p>Did you know that following the advice of several security standards to remediate all vulnerabilities with a CVSS score of 7 or above would barely address half of those known to be exploited and almost 70% of that effort would be wasted on things that don't represent real risk right now?</p><p>Seem impossible to believe? Check our math in Prioritization to Prediction, Volume 1: <a href="https://lnkd.in/eyKzzX25" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="">lnkd.in/eyKzzX25</span><span class="invisible"></span></a></p><p>***<br>Coverage measures the completeness of remediation. Of all vulnerabilities that should be remediated, what percentage was correctly identified for remediation?</p><p>Efficiency measures the precision of remediation. Of all vulnerabilities identified for remediation, what percentage should have been remediated?</p><p><a href="https://infosec.exchange/tags/vulnerabilitymanagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilitymanagement</span></a> <a href="https://infosec.exchange/tags/vulnerabilityassessment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilityassessment</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilities</span></a> <a href="https://infosec.exchange/tags/cvss" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cvss</span></a> <a href="https://infosec.exchange/tags/cve" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve</span></a></p>
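The coverage and efficiency definitions in the post above are recall and precision of a remediation rule against the set of vulnerabilities that actually need fixing. The following is an added example, not code from the post or from the Prioritization to Prediction report, that computes both for the "CVSS 7 or above" rule on a constructed list of ten findings; the `VULN-nn` identifiers are placeholders rather than real CVE numbers, and the "exploited or critical" rule is a constructed comparison rule, not one the report prescribes.

```python
"""Added example: coverage and efficiency of remediation rules."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str          # constructed placeholder id, not a real CVE number
    cvss: float       # base score
    exploited: bool   # known to be exploited in the wild (the "should fix" set)


# Constructed sample, not real data: 4 of 10 are known-exploited, and two
# of those sit below the CVSS 7 line.
SAMPLE = [
    Vuln("VULN-01", 9.8, True),
    Vuln("VULN-02", 9.1, False),
    Vuln("VULN-03", 8.2, False),
    Vuln("VULN-04", 7.5, True),
    Vuln("VULN-05", 7.2, False),
    Vuln("VULN-06", 7.0, False),
    Vuln("VULN-07", 6.5, True),
    Vuln("VULN-08", 5.3, True),
    Vuln("VULN-09", 4.3, False),
    Vuln("VULN-10", 3.1, False),
]


def coverage_efficiency(vulns, selected_ids):
    """Coverage = |should & selected| / |should| (recall);
    efficiency = |should & selected| / |selected| (precision).
    `should` is the set of vulns that really need remediation."""
    should = {v.vid for v in vulns if v.exploited}
    chosen = set(selected_ids)
    hits = should & chosen
    coverage = len(hits) / len(should) if should else 0.0
    efficiency = len(hits) / len(chosen) if chosen else 0.0
    return coverage, efficiency


def cvss_rule(vulns, threshold=7.0):
    """The 'remediate everything at CVSS >= threshold' rule the post questions."""
    return [v.vid for v in vulns if v.cvss >= threshold]


def exploited_or_critical_rule(vulns, critical=9.0):
    """Constructed comparison rule: key on exploitation evidence first and
    keep only the critical CVSS band as a backstop."""
    return [v.vid for v in vulns if v.exploited or v.cvss >= critical]


if __name__ == "__main__":
    rules = (("CVSS >= 7", cvss_rule),
             ("exploited or CVSS >= 9", exploited_or_critical_rule))
    for name, rule in rules:
        cov, eff = coverage_efficiency(SAMPLE, rule(SAMPLE))
        print(f"{name:24s} coverage={cov:.0%} efficiency={eff:.0%}")
```

On the constructed sample the CVSS rule reaches 50% coverage at 33% efficiency, i.e. half of the exploited findings are missed and two thirds of the patching effort goes to findings with no exploitation evidence, while the exploitation-led rule covers everything at 80% efficiency. The numbers are illustrative; the shape of the trade-off is the point.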
Cody Dostal :unverified:<p>I decided I need to re-do my <a href="https://infosec.exchange/tags/introduction" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>introduction</span></a> post. Why? I didn't know that full-text search wasn't really a thing on Mastodon (well, particularly cross-instance), so I need to hashtag it. If you've read it before, feel free to move on, or read again. Anything goes!</p><p>I’ve seen a few others do introductory posts so I figured why not for me too. It’s unlikely I was known on <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> Twitter because I didn’t post much on Twitter. I hope to change that here. </p><p>I’ve worked in <a href="https://infosec.exchange/tags/SystemAdministration" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SystemAdministration</span></a>, <a href="https://infosec.exchange/tags/VulnerabilityManagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VulnerabilityManagement</span></a>, <a href="https://infosec.exchange/tags/NetworkSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NetworkSecurity</span></a>, and/or <a href="https://infosec.exchange/tags/SystemofSystems" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SystemofSystems</span></a> <a href="https://infosec.exchange/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> for around 8 years. My experience has been solely within the world of <a href="https://infosec.exchange/tags/DOD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DOD</span></a>, first as a civilian and then as a contractor. I’m currently a Senior SA/Deputy PM for Broadleaf-inc, a government contractor. </p><p>Along with that, I’ve been teaching infosec for around two years for a university. I developed many courses, Network Security, OS Security, <a href="https://infosec.exchange/tags/VulnerabilityAssessment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VulnerabilityAssessment</span></a> and <a href="https://infosec.exchange/tags/PenetrationTesting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PenetrationTesting</span></a>, <a href="https://infosec.exchange/tags/OSINT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OSINT</span></a>, IDS &amp; IPS, <a href="https://infosec.exchange/tags/CyberthreatIntelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberthreatIntelligence</span></a>, as well as an Introduction to IT and a CCNA course. I’ll be developing an Advanced Penetration Testing and a Digital Forensics course this upcoming year. </p><p>I am an advocate for helping those with no existing experience and fresh graduates find positions in <a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cybersecurity</span></a>, truly entry level positions. I help run a discord that focuses on that, <a href="https://infosec.exchange/tags/SecurityNewbs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecurityNewbs</span></a>, as well as working on free university-style courses that people can take to learn these skills. Those aren’t ready yet, but my first free course will be Introduction to Cybersecurity. </p><p>On my off-time, I'm a huge <a href="https://infosec.exchange/tags/gamer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>gamer</span></a>. You'll generally find me on the Xbox Series X, although once in a while I'll be on PS5. I generally play <a href="https://infosec.exchange/tags/destiny2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>destiny2</span></a>, probably a little too much. I have 4 kids, 5 cats, and 2 dogs. It can be a hectic house.</p><p>That’s me. Fin.</p>