LulzSec Spree Sparks DHS Response

Tuesday, June 28, 2011

Ron Baklarz



In the wake of the recent 50-day LulzSec hacking spree that left many high-profile companies and organizations scrambling, DHS announced on Monday, June 27, 2011, "detailed guidance" on the top 25 most dangerous software weaknesses (the 2011 CWE/SANS Top 25).

The list, drawn from MITRE's Common Weakness Enumeration (CWE), was developed in collaboration among DHS, MITRE, and SANS, as well as numerous other private-sector organizations.

Alongside the list, there is also a scoring system (the Common Weakness Scoring System, CWSS) and a risk analysis framework (the Common Weakness Risk Analysis Framework, CWRAF) that can be used to prioritize mitigation for the weaknesses that matter most in a given environment.

Not surprisingly, SQL injection (CWE-89) tops the list, which closely aligns with the vulnerabilities identified in the OWASP Top 10.

Flaws common to both lists include injection, cross-site scripting (XSS), broken authentication, and cross-site request forgery (CSRF).

While generating these lists is laudable, it is quite another thing for companies and organizations to actually test their environments for these flaws continuously and implement sound security controls.

While there are the proverbial "low-hanging fruit" types of fixes, there are no quick fixes for changing corporate cultures.

A clear example of this is Sony, one of the most high-profile victims of the LulzSec breaches.

Sony has 1,000 subsidiaries and employs approximately 168,000 people, yet for some unknown reason has never had a CISO function!

Until now.

Kevin McAleavey: As much as I'm completely against everything these skiddies have done and the way they went about victimizing the innocent, so far it appears as though their original intent to shake up the board room has failed miserably. :(