Podcasts about NVD

  • 48 podcasts
  • 92 episodes
  • 55m average duration
  • 1 episode every other week
  • Jun 2, 2025 latest

Popularity (chart of episodes per year, 2017 to 2024; chart not reproduced)


Best podcasts about NVD

Latest podcast episodes about NVD

Tee Time - Der Golfpodcast
NvD wins on the Tour! CELEBRATION!

Jun 2, 2025 (52:47)


What an unbelievable week in Austria that was. Two Germans were in the final flight on Sunday. In the end, Nicolai Von Dellingshausen wins his first tournament on the DP World Tour. WOW! Flo, Zille and Bernd discuss this victory in detail in this episode. The two ex-pros naturally have exciting tips for the fresh Tour winner, and Zille wishes there had been more partying on site. That, what can be learned about it from Miguel Angel Jimenez, and much more in this episode of Tee Time - der Golf Podcast.

The CyberWire
BEAR-ly washed and dangerous.

May 27, 2025 (35:43)


“Laundry Bear” airs dirty cyber linen in the Netherlands. AI coding agents are tricked by malicious prompts in a GitHub MCP vulnerability. Tenable patches critical flaws in Network Monitor on Windows. MathWorks confirms ransomware behind MATLAB outage. Feds audit NVD over vulnerability backlog. FBI warns law firms of evolving Silent Ransom Group tactics. Chinese hackers exploit Cityworks flaw to breach US municipal networks. Everest Ransomware Group leaks Coca-Cola employee data. Nova Scotia Power hit by ransomware. On today's Threat Vector, David Moulton speaks with his Palo Alto Networks colleagues Tanya Shastri and Navneet Singh about a strategy for secure AI by design. CIA's secret spy site was… a Star Wars fan page? Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector: In this segment of Threat Vector, host David Moulton speaks with Tanya Shastri, SVP of Product Management, and Navneet Singh, VP of Marketing - Network Security, at Palo Alto Networks. They explore what it means to adopt a secure AI by design strategy, giving employees the freedom to innovate with generative AI while maintaining control and reducing risk. You can hear their full discussion on Threat Vector and catch new episodes every Thursday on your favorite podcast app.

Selected Reading
  • Dutch intelligence unmasks previously unknown Russian hacking group 'Laundry Bear' (The Record)
  • GitHub MCP Server Vulnerability Let Attackers Access Private Repositories (Cybersecurity News)
  • Tenable Network Monitor Vulnerabilities Let Attackers Escalate Privileges (Cybersecurity News)
  • Ransomware attack on MATLAB dev MathWorks – licensing center still locked down (The Register)
  • US Government Launches Audit of NIST's National Vulnerability Database (Infosecurity Magazine)
  • Law Firms Warned of Silent Ransom Group Attacks (SecurityWeek)
  • Chinese Hackers Exploit Cityworks Flaw to Target US Local Governments (Infosecurity Magazine)
  • Everest Ransomware Leaks Coca-Cola Employee Data Online (Hackread)
  • Nova Scotia Power Suffers Ransomware Attack; 280,000 Customers' Data Compromised (GB Hackers)
  • The CIA Secretly Ran a Star Wars Fan Site (404 Media)

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

NoLimitSecu
Vulnerability repositories

May 4, 2025 (41:40)


Episode #499, devoted to vulnerability repositories.

References:
  • the NVD announcement: https://nvd.nist.gov/general/news/nvd-program-transition-announcement
  • xkcd: https://xkcd.com/927/
  • Video on CNNVD vs CVE by Kristin Del Ross of SentinelOne: https://www.youtube.com/watch?v=6BtnGo3-K6Y

The post "Référentiels de vulnérabilités" appeared first on NoLimitSecu.

Storm⚡️Watch by GreyNoise Intelligence
CVE Chaos: The Fragmented Future of Vulnerability Tracking, Bad Bots & Real-Time Threat Intel

Apr 22, 2025 (56:41)


Forecast = Prepare for scattered CVEs, rising bot storms, and real-time threat lightning. Keep your digital umbrellas handy!

On this episode of Storm⚡️Watch, we're breaking down the latest shifts in the vulnerability tracking landscape, starting with the ongoing turbulence in the CVE program. As the MITRE-run CVE system faces funding uncertainty and a potential transition to nonprofit status, the global security community is rapidly adapting. New standards and databases are emerging to fill the gaps—Europe's ENISA is rolling out the EU Vulnerability Database to ensure regional control, while China continues to operate its own state-mandated systems. Meanwhile, the CVE ecosystem's chronic delays and the NVD's new “Deferred” status for tens of thousands of older vulnerabilities are pushing teams to look elsewhere for timely, enriched vulnerability data. Open-source projects like OSV.dev and commercial players such as VulnCheck and Snyk are stepping up, offering real-time enrichment, exploit intelligence, and predictive scoring to help organizations prioritize what matters most. The result is a fragmented but innovative patchwork of regional, decentralized, open-source, and commercial solutions, with hybrid approaches quickly becoming the norm for defenders worldwide.

We're also diving into Imperva's 2024 Bad Bot Report, which reveals that nearly a third of all internet traffic last year came from malicious bots. These bots are getting more sophisticated—using residential proxies, mimicking human behavior, and bypassing traditional defenses. The report highlights a surge in account takeover attacks and shows that industries like entertainment and retail are especially hard hit, with bot traffic now outpacing human visitors in some sectors. The rise of simple bots, fueled by easy-to-use AI tools, is reshaping the threat landscape, while advanced and evasive bots continue to challenge even the best detection systems.

On the threat intelligence front, GreyNoise has just launched its Global Observation Grid—now the largest deception sensor network in the world, with thousands of sensors in over 80 countries. This expansion enables real-time, verifiable intelligence on internet scanning and exploitation, helping defenders cut through the noise and focus on the threats that matter. GreyNoise's latest research shows attackers are exploiting vulnerabilities within hours of disclosure, with a significant portion of attacks targeting legacy flaws from years past. Their data-driven insights are empowering security teams to prioritize patching and response based on what's actually being exploited in the wild, not just theoretical risk.

We're also spotlighting Censys and its tools for tracking botnets and advanced threats, including collaborative projects with GreyNoise and CursorAI. Their automated infrastructure mapping and pivoting capabilities are helping researchers quickly identify related malicious hosts and uncover the infrastructure behind large-scale attacks.

Finally, VulnCheck continues to bridge the gap during the CVE program's uncertainty, offering autonomous enrichment, real-time exploit tracking, and comprehensive coverage—including for CVEs that NVD has deprioritized. Their Known Exploited Vulnerabilities catalog and enhanced NVD++ service are giving defenders a broader, faster view of the threat landscape, often surfacing critical exploitation activity weeks before it's reflected in official government feeds. As the vulnerability management ecosystem splinters and evolves, organizations are being forced to rethink their strategies—embracing a mix of regional, open-source, and commercial intelligence to maintain visibility and stay ahead of attackers. The days of relying on a single source of truth for vulnerability data are over, and the future is all about agility, automation, and real-time insight.

Paul's Security Weekly
You Should Just Patch - PSW #869

Apr 10, 2025 (125:21)


In the security news this week: You should really just patch things, the NVD backlog, Android phones with malware pre-installed, so convenient, keyloggers and a creepy pharmacist, snooping on federal workers, someone stole your browser history, NSA director fired, deputy director of NSA also fired, CrushFTP the saga continues, only steal the valid credit cards, another post that vanished from the Internet, hiding in NVRAM, protecting the Linux kernel, you down with MCP?, more EOL IoT, bypassing kernel protections, when are you ready for a pen test, red team and bug bounty, what EDR is really missing, and based on this story you should just patch everything all the time! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-869

Paul's Security Weekly TV
You Should Just Patch - PSW #869

Apr 10, 2025 (125:21)


In the security news this week: You should really just patch things, the NVD backlog, Android phones with malware pre-installed, so convenient, keyloggers and a creepy pharmacist, snooping on federal workers, someone stole your browser history, NSA director fired, deputy director of NSA also fired, CrushFTP the saga continues, only steal the valid credit cards, another post that vanished from the Internet, hiding in NVRAM, protecting the Linux kernel, you down with MCP?, more EOL IoT, bypassing kernel protections, when are you ready for a pen test, red team and bug bounty, what EDR is really missing, and based on this story you should just patch everything all the time! Show Notes: https://securityweekly.com/psw-869

Paul's Security Weekly (Podcast-Only)
You Should Just Patch - PSW #869

Apr 10, 2025 (125:21)


In the security news this week: You should really just patch things, the NVD backlog, Android phones with malware pre-installed, so convenient, keyloggers and a creepy pharmacist, snooping on federal workers, someone stole your browser history, NSA director fired, deputy director of NSA also fired, CrushFTP the saga continues, only steal the valid credit cards, another post that vanished from the Internet, hiding in NVRAM, protecting the Linux kernel, you down with MCP?, more EOL IoT, bypassing kernel protections, when are you ready for a pen test, red team and bug bounty, what EDR is really missing, and based on this story you should just patch everything all the time! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-869

Paul's Security Weekly (Video-Only)
You Should Just Patch - PSW #869

Apr 10, 2025 (125:21)


In the security news this week: You should really just patch things, the NVD backlog, Android phones with malware pre-installed, so convenient, keyloggers and a creepy pharmacist, snooping on federal workers, someone stole your browser history, NSA director fired, deputy director of NSA also fired, CrushFTP the saga continues, only steal the valid credit cards, another post that vanished from the Internet, hiding in NVRAM, protecting the Linux kernel, you down with MCP?, more EOL IoT, bypassing kernel protections, when are you ready for a pen test, red team and bug bounty, what EDR is really missing, and based on this story you should just patch everything all the time! Show Notes: https://securityweekly.com/psw-869

Storm⚡️Watch by GreyNoise Intelligence
2025 Cyber Breakdown: CrushFTP Chaos, NVD Crisis & North Korean Threats

Apr 8, 2025 (62:12)


Forecast: Patchy with a 32% backlog surge, CVE squalls causing auth bypass showers, and Lazarus fronts looming—keep your threat umbrellas handy!

Golf – meinsportpodcast.de
Golf with Nicolai v. Dellingshausen

Jan 13, 2025 (53:13)


Your golf podcast. Guest in this episode: Nicolai von Dellingshausen. It was about time. NvD back in da house. What does he take away from 2024? How is he planning the new year? Everything about the first match day of the TGL: how was the first day of the TGL? Zille's feedback is somewhat mixed. What happened to Jon Rahm? Is anyone still noticing him? Is he still playing? Yes, of course... but it is becoming ever more obvious: on LIV it is about the teams, on the DP and PGA Tour it is about the individual players. Bryson DeChambeau has to pay 100,000 dollars? ... Would you like to host your own podcast for free and earn money with it? Then have a look at www.kostenlos-hosten.de and find out more. There you will find all the information about our free podcast hosting offers. kostenlos-hosten.de is a product of Podcastbude. We are happy to support you with your podcast production.

Dienas ziņas
Wednesday, 27 November, 16:00

Nov 27, 2024 (40:01)


Will the "Rail Baltica" construction problems be a reason for changes in the government? The European Parliament has approved the new composition of the European Commission. At the National Armed Forces military base in Lielvārde, the NATO Baltic air policing mission's stay in Latvia has concluded. The Latvian Hospital Association has issued a statement that the National Health Service plans to cut the funding allocated for this year. The NVD, however, calls such claims incorrect. Amendments to the law adopted by the Saeima stipulate that compulsory civil liability insurance (OCTA) will also be required for vehicles that do not take part in traffic, unless their registration has been suspended.

Storm⚡️Watch by GreyNoise Intelligence
JA4+ Creator Reveals All: Water Systems at Risk & Why NIST is Playing Catch-up

Nov 19, 2024 (61:54)


Forecast: High pressure systems of infrastructure attacks continue to build over U.S. utilities with scattered exploitation attempts, while the vulnerability forecast shows increasing cloudiness around CPE data availability.

In today's episode, we're diving into network fingerprinting and vulnerability management with some fascinating developments in the cybersecurity landscape. Our featured guest is John Althouse, the creator of JA4+, who has developed an innovative suite of network fingerprinting methods that's making waves in threat detection. JA4+ builds on previous fingerprinting techniques but takes things further with human-readable formats and enhanced detection capabilities. John's work comes at a critical time, as we've seen an uptick in zero-day exploits targeting enterprise networks throughout 2023. The latest CISA report highlights how threat actors are becoming more sophisticated in their approaches, particularly in exploiting vulnerabilities before patches can be deployed. Speaking of vulnerabilities, we've got some concerning news about critical infrastructure security. Recent findings have exposed potential vulnerabilities in around 300 U.S. drinking water systems, highlighting the ongoing challenges in protecting our essential services. This ties directly into the importance of tools like JA4+ for detecting and preventing unauthorized access to critical systems. We're also discussing an interesting development in vulnerability management - VulnCheck's NVD++ initiative. They're outpacing NIST's National Vulnerability Database by providing CPE data for nearly 77% of CVEs published in 2024, compared to NIST's 41%. This is particularly relevant given the recent disruption in CPE data availability from the NVD. Throughout our conversation, we'll explore how these developments intersect and what they mean for the future of cybersecurity, especially in protecting critical infrastructure and managing vulnerabilities effectively.

John's insights on JA4+ and its applications in real-world threat detection scenarios are particularly valuable as organizations face increasingly sophisticated cyber threats.

The CyberWire
Eavesdropping on America's eyes and ears.

Nov 14, 2024 (32:56)


The Feds confirm Chinese penetration of U.S. telecom wiretap systems. Anne Neuberger outlines top cybersecurity challenges facing the upcoming Trump administration. Former Air National Guardsman Jack Teixeira gets a 15-year prison sentence for leaking classified U.S. military documents. A Chinese national faces up to 20 years in prison after pleading guilty to money laundering for “pig-butchering” scams. Researchers say a popular pregnancy app has serious, unaddressed security vulnerabilities. NIST misses its deadline for clearing the NVD backlog. A B2B demand generation company confirms a leak affecting 122 million people. HHS warns healthcare organizations to be on the lookout for Godzilla. Moody's designates the industries at highest risk of cyber attack. Guest Sarah Hutchins, Partner at Parker Poe, discusses the growing number of state data privacy laws. An AI grandma keeps scammers on the line.

CyberWire Guest: Guest Sarah Hutchins, Partner at Parker Poe, discusses the growing number of state data privacy laws. You can listen to Sarah's full conversation, including litigation trends related to targeted advertising and wiretapping, and key takeaways for companies on cybersecurity practices and risk reporting, on today's Caveat episode.

Selected Reading
  • FBI confirms China-backed hackers breached US telecom giants to steal wiretap data (TechCrunch)
  • Top White House cyber official urges Trump to focus on ransomware, China (The Record)
  • Chinese national faces 20 years in US prison for laundering pig-butchering proceeds (The Record)
  • IT specialist Jack Teixeira jailed for 15 years after leaking classified military documents on Discord (Bitdefender)
  • Pregnancy Tracking App ‘What to Expect' Refuses to Fix Issue that Allows Full Account Takeover (404 Media)
  • NIST Explains Why It Failed to Clear CVE Backlog (SecurityWeek)
  • Leaked info of 122 million linked to B2B data aggregator breach (Bleeping Computer)
  • Feds Warn of Godzilla Webshell Threats to Health Sector (BankInfo Security)
  • Industries with highest cyber risk unveiled by Moody's Rating (SC Media)
  • O2 unveils Daisy, the AI granny wasting scammers' time (Virgin Media O2)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Risky Business News
Sponsored: Socket CEO Feross Aboukhadijeh on how tracking vulnerabilities isn't enough for open source repositories

Jul 21, 2024 (14:42)


In this Risky Business News sponsored interview, Tom Uren talks to Feross Aboukhadijeh, CEO and Founder of Socket about how open source repositories are riddled with horrible software. Feross explains why it makes a difference if a package is vulnerable, malicious or just unwanted and how current transparency mechanisms such as CVEs and the NVD just aren't suitable for the challenge of open source repositories.

Passwort - der Podcast von heise security
Common Vulnerabilities and Exposures

Jul 10, 2024 (71:25)


Episode 5 of Passwort is about unique identifiers for "Common Vulnerabilities and Exposures", that is, the well-known CVE numbers used to identify security vulnerabilities. Hosts Christopher and Sylvester discuss what purpose CVEs serve, how and by whom the numbers are assigned, and where things fall short. The future of CVE numbers does not look all that rosy: there are various problems and critics, among them the developers of the Linux kernel. They think little of special identifiers for security bugs and convey their view of things with a sledgehammer.

CVE databases:
  • CVE search at Mitre: https://www.cve.org
  • CVE search at the NVD: https://nvd.nist.gov/vuln/search

Examples of problem CVEs:
  • Curl: https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/ & https://daniel.haxx.se/blog/2023/09/05/bogus-cve-follow-ups/
  • PostgreSQL: https://www.postgresql.org/about/news/cve-2020-21469-is-not-a-security-vulnerability-2701/
  • KeePassXC: https://keepassxc.org/blog/2023-06-20-cve-202335866/
  • Azure: https://heise.de/-9755370

CVE rules:
  • Rulebook for CNAs: https://www.cve.org/ResourcesSupport/AllResources/CNARules
  • Procedure of the kernel CNA: https://docs.kernel.org/process/cve.html
  • Talk by Greg KH on CVEs: https://kernel-recipes.org/en/2019/talks/cves-are-dead-long-live-the-cve/

Leadmore Podcast
Unpacking Philanthropy: Insights from Cindy Elifrits Peterson

Jun 27, 2024 (37:03)


In this episode of the Leadmore podcast, I dive into the world of philanthropy with Cindy Elifrits Peterson, founder of Maximizing Excellence. We explore why people give, the strategic role of philanthropy in leadership, and Cindy's NVD framework (Need, Value, Differentiation). If you're involved in the nonprofit sector or a leader considering philanthropy, this episode is a must-listen!

Resilient Cyber
S6E19: Madison Oliver - Open Source & GitHub Advisory Database

Jun 12, 2024 (30:00)


  • For those that don't know you or haven't come across you quite yet, can you tell us a bit about your background in tech/cyber and your role with GitHub?
  • What exactly is the GitHub Advisory Database and what is the mission of the team there?
  • There's been a big focus on vulnerability databases, especially lately with some of the challenges of the NVD. What role do you see among the other vulnerability databases in the ecosystem, including GHAD, and how does it fit into the ecosystem?
  • GitHub has a very unique position, being the most widely used development platform in the world, boasting millions of users. How do you all use that position and the insights from it to help drive vulnerability awareness across the ecosystem?
  • There's been a large focus on software supply chain security, including securing OSS. What are your thoughts on these trends and some ways we can combat these risks?
  • You're also involved with the CVE program; can you tell us about that?
  • We know you collaborate with another group, out of OpenSSF, known as the Vulnerability Disclosure Working Group. What does that group do and what role do you play?

Paul's Security Weekly
Whose Vulnerability Is It Anyway? - Josh Bressers - PSW #831

Jun 6, 2024 (163:47)


Josh comes on the show to discuss all things related to vulnerability tracking and scoring, including the current issues with various systems and organizations including NIST, CVE, Mitre, CVSS, NVD, and more! Segment Resources: NVD blog post Josh wrote: https://anchore.com/blog/navigating-the-nvd-quagmire/ Josh's latest post: https://opensourcesecurity.io/2024/06/03/why-are-vulnerabilities-out-of-control-in-2024/ Josh's podcasts: https://opensourcesecurity.io/category/podcast/ https://hackerhistory.com/ This week: Take on the upstream, how hard is it to patch end-of-life software, hack millions of routers, take over millions of routers, 0-days, and no responses, hack Taylor Swift wristbands, can you detect that covert channel?, and breach reports from Ticketmaster, Snowflake, Santander, and TikTok, and top it all off with C-level DNS servers dropping off the Internet! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-831

Paul's Security Weekly TV
Whose Vulnerability Is It Anyway? - Josh Bressers - PSW #831

Jun 6, 2024 (67:52)


Josh comes on the show to discuss all things related to vulnerability tracking and scoring, including the current issues with various systems and organizations including NIST, CVE, Mitre, CVSS, NVD, and more! Segment Resources: NVD blog post Josh wrote: https://anchore.com/blog/navigating-the-nvd-quagmire/ Josh's Latest post: https://opensourcesecurity.io/2024/06/03/why-are-vulnerabilities-out-of-control-in-2024/ Josh's podcasts: https://opensourcesecurity.io/category/podcast/ https://hackerhistory.com/ Show Notes: https://securityweekly.com/psw-831

Paul's Security Weekly (Podcast-Only)
Whose Vulnerability Is It Anyway? - Josh Bressers - PSW #831

Jun 6, 2024 (163:47)


Josh comes on the show to discuss all things related to vulnerability tracking and scoring, including the current issues with various systems and organizations including NIST, CVE, Mitre, CVSS, NVD, and more! Segment Resources: NVD blog post Josh wrote: https://anchore.com/blog/navigating-the-nvd-quagmire/ Josh's latest post: https://opensourcesecurity.io/2024/06/03/why-are-vulnerabilities-out-of-control-in-2024/ Josh's podcasts: https://opensourcesecurity.io/category/podcast/ https://hackerhistory.com/ This week: Take on the upstream, how hard is it to patch end-of-life software, hack millions of routers, take over millions of routers, 0-days, and no responses, hack Taylor Swift wristbands, can you detect that covert channel?, and breach reports from Ticketmaster, Snowflake, Santander, and TikTok, and top it all off with C-level DNS servers dropping off the Internet! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-831

Paul's Security Weekly (Video-Only)
Whose Vulnerability Is It Anyway? - Josh Bressers - PSW #831

Jun 6, 2024 (67:52)


Josh comes on the show to discuss all things related to vulnerability tracking and scoring, including the current issues with various systems and organizations including NIST, CVE, Mitre, CVSS, NVD, and more! Segment Resources: NVD blog post Josh wrote: https://anchore.com/blog/navigating-the-nvd-quagmire/ Josh's Latest post: https://opensourcesecurity.io/2024/06/03/why-are-vulnerabilities-out-of-control-in-2024/ Josh's podcasts: https://opensourcesecurity.io/category/podcast/ https://hackerhistory.com/ Show Notes: https://securityweekly.com/psw-831

@BEERISAC: CPS/ICS Security Podcast Playlist
Tools and Techniques for Better Network Visibility and Vulnerability Management with Kylie McClanahan

Jun 4, 2024 (56:07)


Podcast: PrOTect It All
Episode: Tools and Techniques for Better Network Visibility and Vulnerability Management with Kylie McClanahan
Pub date: 2024-06-03

In Episode 10 of Protect It All, titled "Tools and Techniques for Better Network Visibility and Vulnerability Management with Kylie McClanahan," host Aaron Crow and guest Kylie McClanahan dive into the critical elements of enhancing cybersecurity through advanced tools and strategies. Kylie, CTO of a company specializing in this field, shares her insights on overcoming the challenges of consistent naming conventions, accurate vendor data, and breaking down silos for effective communication across teams. They explore the utility of tools like Spartan and Network Perception in visualizing network vulnerabilities, mapping asset inventories, and planning effective patch management. They emphasize the importance of correlating vulnerabilities with business priorities rather than just CVSS scores and the need for a layered security approach. The episode also discusses cybersecurity risks to non-technical stakeholders, highlighting the business implications. The duo discusses the evolving landscape in the power utility sector, the dual nature of physical and cyber threats, and the ever-present need for continuous adaptation. Kylie shares her excitement about machine learning and graph neural networks for grid state estimation while expressing caution about AI tools' accuracy. Aaron and Kylie stress the importance of reliable data, automated processes, and vendor security advisories in maintaining effective asset management.

Key Moments:
  • 03:47 Discussion focused on improving cybersecurity classifications and communication.
  • 08:48 Compliance sometimes leads to minimum effort for benefit.
  • 11:17 Vendor security advisories prioritize patch tracking.
  • 14:46 Testing for security vulnerabilities and potential exploits.
  • 17:20 Understanding and communicating cybersecurity risk to non-professionals.
  • 20:50 Disagreement on consistent product naming causes confusion.
  • 25:46 NVD website publishes overwhelming recent vulnerabilities.
  • 27:07 Understanding the importance of asset management.
  • 32:13 Challenges of tracking change management in organizations.
  • 33:33 People, process, and technology are crucial investments.
  • 37:34 Spartan takes any scan, offers change management.
  • 39:55 Vision of the future: a dynamic ecosystem.
  • 43:19 Vendors acknowledge changes in control systems effectiveness.
  • 48:09 Equations useful, AI for optimization, caution with models.
  • 49:28 Questioning truthfulness of AI in HR replacement.
  • 53:01 Toyota and Lexus prioritize reliable, tested technology.

About the guest: Kylie McClanahan is the Chief Technology Officer of Bastazo, Inc and a doctoral candidate in Computer Science at the University of Arkansas. She has nearly a decade of experience with cybersecurity in the electric industry, including both professional experience and frequent collaborations with industry as a graduate researcher. Her research explores the automation of vulnerability analysis and remediation using natural language processing and machine learning. She holds a GCIP certification from GIAC and speaks frequently about cybersecurity in industrial control systems.

How to connect with Kylie: https://www.linkedin.com/in/kyliemcclanahan/ https://www.bastazo.com https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc

Connect with Aaron Crow: Website: www.corvosec.com LinkedIn: https://www.linkedin.com/in/aaronccrow

Learn more about PrOTect IT All: Email: info@protectitall.co Website: https://protectitall.co/ X: https://twitter.com/protectitall YouTube: https://www.youtube.com/@PrOTectITAll Facebook: https://facebook.com/protectitallpodcast

To be a guest or suggest a guest/episode, please email us at info@protectitall.co. The podcast and artwork embedded on this page are from Aaron Crow, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

@BEERISAC: CPS/ICS Security Podcast Playlist
Tools and Techniques for Better Network Visibility and Vulnerability Management with Kylie McClanahan

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Jun 4, 2024 56:07


Podcast: PrOTect It All
Episode: Tools and Techniques for Better Network Visibility and Vulnerability Management with Kylie McClanahan
Pub date: 2024-06-03

In Episode 10 of Protect It All, titled "Tools and Techniques for Better Network Visibility and Vulnerability Management with Kylie McClanahan," host Aaron Crow and guest Kylie McClanahan dive into the critical elements of enhancing cybersecurity through advanced tools and strategies. Kylie, CTO of a company specializing in this field, shares her insights on overcoming the challenges of consistent naming conventions, accurate vendor data, and breaking down silos for effective communication across teams. They explore the utility of tools like Spartan and Network Perception in visualizing network vulnerabilities, mapping asset inventories, and planning effective patch management. They emphasize the importance of correlating vulnerabilities with business priorities rather than just CVSS scores and the need for a layered security approach. The episode also discusses cybersecurity risks to non-technical stakeholders, highlighting the business implications. The duo discusses the evolving landscape in the power utility sector, the dual nature of physical and cyber threats, and the ever-present need for continuous adaptation. Kylie shares her excitement about machine learning and graph neural networks for grid state estimation while expressing caution about AI tools' accuracy. Aaron and Kylie stress the importance of reliable data, automated processes, and vendor security advisories in maintaining effective asset management.

Key Moments:
03:47 Discussion focused on improving cybersecurity classifications and communication.
08:48 Compliance sometimes leads to minimum effort for benefit.
11:17 Vendor security advisories prioritize patch tracking.
14:46 Testing for security vulnerabilities and potential exploits.
17:20 Understanding and communicating cybersecurity risk to non-professionals.
20:50 Disagreement on consistent product naming causes confusion.
25:46 NVD website publishes overwhelming recent vulnerabilities.
27:07 Understanding the importance of asset management.
32:13 Challenges of tracking change management in organizations.
33:33 People, process, and technology are crucial investments.
37:34 Spartan takes any scan, offers change management.
39:55 Vision of the future: a dynamic ecosystem.
43:19 Vendors acknowledge changes in control systems effectiveness.
48:09 Equations useful, AI for optimization, caution with models.
49:28 Questioning truthfulness of AI in HR replacement.
53:01 Toyota and Lexus prioritize reliable, tested technology.

About the guest: Kylie McClanahan is the Chief Technology Officer of Bastazo, Inc and a doctoral candidate in Computer Science at the University of Arkansas. She has nearly a decade of experience with cybersecurity in the electric industry, including both professional experience and frequent collaborations with industry as a graduate researcher. Her research explores the automation of vulnerability analysis and remediation using natural language processing and machine learning. She holds a GCIP certification from GIAC and speaks frequently about cybersecurity in industrial control systems.

How to connect with Kylie:
https://www.linkedin.com/in/kyliemcclanahan/
https://www.bastazo.com
https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc

Connect With Aaron Crow:
Website: www.corvosec.com
LinkedIn: https://www.linkedin.com/in/aaronccrow

Learn more about PrOTect IT All:
Email: info@protectitall.co
Website: https://protectitall.co/
X: https://twitter.com/protectitall
YouTube: https://www.youtube.com/@PrOTectITAll
FaceBook: https://facebook.com/protectitallpodcast

To be a guest or suggest a guest/episode, please email us at info@protectitall.co

The CyberWire
Operation Endgame: Hackers' hideouts exposed.

The CyberWire

May 30, 2024 · 39:10


Operation Endgame takes down malware operations around the globe. A major botnet operator is arrested. Ticketmaster's massive data breach is confirmed, and so is Google's SEO algorithm leak. Journalists and activists in Europe were targeted with Pegasus spyware. Okta warns users of credential stuffing attacks. NIST hopes to clear out the NVD backlog. On our Threat Vector segment, host David Moulton speaks with Greg Jones, Chief Information Security Officer at Xavier University of Louisiana. Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, joins us to discuss software security. LightSpy surveillance malware comes to macOS. ChatGPT briefly gets a god mode. Our 2024 N2K CyberWire Audience Survey is underway, make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, joins us to discuss software security.

Threat Vector
In this Threat Vector segment, host David Moulton speaks with Greg Jones, Chief Information Security Officer at Xavier University of Louisiana. Greg brings a wealth of knowledge from his military background and applies a disciplined, adaptive approach to securing one of America's most vibrant educational institutions. You can listen to David and Greg's full discussion here.

Selected Reading
Police seize malware loader servers, arrest four cybercriminals (Bleeping Computer)
Is Your Computer Part of 'The Largest Botnet Ever?' (Krebs on Security)
Ticketmaster hacked. Breach affects more than half a billion users. (Mashable)
Google confirms the leaked Search documents are real (The Verge)
Phones of journalists and activists in Europe targeted with Pegasus (CyberScoop)
Okta Warns of Credential Stuffing Attacks Targeting Cross-Origin Authentication (SecurityWeek)
NIST says NVD will be back on track by September 2024 (Help Net Security)
macOS version of elusive 'LightSpy' spyware tool discovered (Bleeping Computer)
Hacker Releases Jailbroken "Godmode" Version of ChatGPT (Futurism)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Aprende SecTY podcast
EP4.21: Zero-Day, run for it!

Aprende SecTY podcast

May 28, 2024 · 16:20


APRENDE SecTY Podcast! EP4.21 Zero-Day, run for it!

Zero-day means you have "0" days to fix a vulnerability. Listen to the case of the zero-day vulnerabilities Google recently published and learn what these vulnerabilities are in this episode, together with Aeronet.

If you want guidance or an assessment of cybersecurity for your business, or want to train your employees on information security in your business, visit our page at https://wwwaprendesecty.com or write to me at aprende@sectycs.com so we can help you, because we offer security training for user groups at small businesses.

Source: https://www.securityweek.com/google-patches-fourth-chrome-zero-day-in-two-weeks/
(CISA) (BleepingComputer) (BleepingComputer) (CERT-EU) (Qualys Security Blog) (BleepingComputer)

Related episodes:
Ep 6: Let's remediate vulnerabilities: https://aprendesecty.libsyn.com/ep-6-vamos-a-remediar-vulnerabilidades
Ep 41: Manage vulnerabilities by applying a process: https://aprendesecty.libsyn.com/ep-41-maneja-vulnerabilidades-aplicando-un-proceso
EP3.31: Vulnerabilities will shut down your business: https://aprendesecty.libsyn.com/ep331-las-vulnerabilidades-te-cerrarn-tu-negocio

Workshop "Fortalece tu Primera Línea Contra las Amenazas Cibernéticas" (Strengthen Your First Line Against Cyber Threats): https://www.aprendesecty.com/taller

This episode is presented by AeroNet, a 100% Puerto Rican technology company and a leader in connectivity solutions for businesses and homes in Puerto Rico. Go Faster, Go Save. AeroNet Wireless - Reliable High Speed Internet (aeronetpr.com)

Watch the video on this topic on the Aprende SecTY YouTube channel and subscribe!
https://www.youtube.com/channel/UC1E9yilgLf5HZMQVDf_ViRw

Remember: follow us on Facebook, Instagram, X and LinkedIn as @SecTYCS. Send me your questions or recommendations to: aprende@sectycs.com. Leave your review on iTunes/Apple Podcast and share it with people who need to improve security in their business and in their lives. You can also listen to us on: iTunes/Apple Podcast, Spotify, YouTube Music, Amazon Music and iHeartRadio.

Crying Out Cloud
CROC News: Ninjas, Grand Theft AI, and Backlogged CVEs

Crying Out Cloud

May 27, 2024 · 22:48


Paul's Security Weekly
Pen Testing As A Service - Seemant Sehgal - PSW #830

Paul's Security Weekly

May 23, 2024 · 172:21


The Security Weekly crew and special guest Seemant Sehgal explore what PTaaS involves, how it differs from traditional penetration testing, and why it's becoming a crucial service for companies of all sizes to protect their digital assets. We'll discuss how PTaaS is using the latest technologies (e.g. machine learning), the benefits of having a third-party service, and real-world scenarios where PTaaS has successfully thwarted potential security breaches. PTaaS can be a game-changer in enhancing your organization's security posture! This segment is sponsored by Breachlock. Visit https://securityweekly.com/breachlock to learn more about them! An exploit that makes you more secure, pardon the interruption, water heater company in hot water, IoT devices are vulnerable, Squeege and RDP scraping, free laundry for everyone!, Wifi routers and Apple Air tags, North Koreans fill US IT positions, taking out drones, the NVD backlog, IBM is no longer a security company?, and DNSBombs! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-830

Paul's Security Weekly TV
Exploits Make You More Secure - PSW #830

Paul's Security Weekly TV

May 23, 2024 · 116:13


An exploit that makes you more secure, pardon the interruption, water heater company in hot water, IoT devices are vulnerable, Squeege and RDP scraping, free laundry for everyone!, Wifi routers and Apple Air tags, North Koreans fill US IT positions, taking out drones, the NVD backlog, IBM is no longer a security company?, and DNSBombs! Show Notes: https://securityweekly.com/psw-830

Aprende SecTY podcast
EP4.20 The way your kitchen looks is the way you manage your vulnerabilities

Aprende SecTY podcast

May 21, 2024 · 14:28


Aprende SecTY Podcast EP4.20 The way your kitchen looks is the way you manage your vulnerabilities

Imagine you are a chef in your own restaurant and you have to inspect your kitchen so that everything goes well. Now imagine that, but with vulnerabilities! Join me, together with Aeronet, in this episode to apply the vulnerability management process as if it were your kitchen.

2024 Verizon Data Breach Investigations report: https://www.verizon.com/business/resources/Ta18/reports/2024-dbir-data-breach-investigations-report.pdf

Workshop "Fortalece tu Primera Línea Contra las Amenazas Cibernéticas" (Strengthen Your First Line Against Cyber Threats): https://www.aprendesecty.com/taller

This episode is presented by AeroNet, a 100% Puerto Rican technology company and a leader in connectivity solutions for businesses and homes in Puerto Rico. Go Faster, Go Save. AeroNet Wireless - Reliable High Speed Internet (aeronetpr.com)

Watch the video on this topic on the Aprende SecTY YouTube channel and subscribe! https://www.youtube.com/channel/UC1E9yilgLf5HZMQVDf_ViRw

Remember: follow us on Facebook, Instagram, X and LinkedIn as @SecTYCS. Send me your questions or recommendations to: aprende@sectycs.com. Leave your review on iTunes/Apple Podcast and share it with people who need to improve security in their business and in their lives. You can also listen to us on: iTunes/Apple Podcast, Spotify, Google Podcast, Amazon Music and iHeartRadio.

Aprende SecTY podcast
EP4.19 CVE: more than a list of vulnerabilities

Aprende SecTY podcast

May 14, 2024 · 26:21


APRENDE SecTY Podcast! EP4.19 CVE: more than a list of vulnerabilities

Listen to what a CVE is and what it is used for. Don't miss it; listen to the episode together with Aeronet.

If you want guidance or an assessment of cybersecurity for your business, or want to train your employees on information security in your business, visit our page at https://wwwaprendesecty.com or write to me at aprende@sectycs.com so we can help you, because we offer security training for user groups at small businesses.

Ep 6: Let's remediate vulnerabilities: https://aprendesecty.libsyn.com/ep-6-vamos-a-remediar-vulnerabilidades
Ep 41: Manage vulnerabilities by applying a process: https://aprendesecty.libsyn.com/ep-41-maneja-vulnerabilidades-aplicando-un-proceso
EP3.31: Vulnerabilities will shut down your business: https://aprendesecty.libsyn.com/ep331-las-vulnerabilidades-te-cerrarn-tu-negocio

2024 Verizon Data Breach Investigations report: https://www.verizon.com/business/resources/Ta18/reports/2024-dbir-data-breach-investigations-report.pdf

Workshop "Fortalece tu Primera Línea Contra las Amenazas Cibernéticas" (Strengthen Your First Line Against Cyber Threats): https://www.aprendesecty.com/taller

This episode is presented by AeroNet, a 100% Puerto Rican technology company and a leader in connectivity solutions for businesses and homes in Puerto Rico. Go Faster, Go Save. AeroNet Wireless - Reliable High Speed Internet (aeronetpr.com)

Watch the video on this topic on the Aprende SecTY YouTube channel and subscribe! https://www.youtube.com/channel/UC1E9yilgLf5HZMQVDf_ViRw

Remember: follow us on Facebook, Instagram, X and LinkedIn as @SecTYCS. Send me your questions or recommendations to: aprende@sectycs.com. Leave your review on iTunes/Apple Podcast and share it with people who need to improve security in their business and in their lives. You can also listen to us on: iTunes/Apple Podcast, Spotify, Google Podcast, Amazon Music and iHeartRadio.

Enterprise Security Weekly (Audio)
Getting Vulnerability Management Back on the Rails - Patrick Garrity - ESW #356

Enterprise Security Weekly (Audio)

Apr 5, 2024 · 117:23


NVD checked out, then they came back? Maybe? Should the xz backdoor be treated as a vulnerability? Is scan-driven vulnerability management obsolete when it comes to alerting on emerging threats? What were some of the takeaways from the first-ever VulnCon? EPSS is featured in over 100 security products, but is it properly supported by those that benefit from it? How long do defenders have from the moment a vulnerability is disclosed to patch or mitigate it before working exploits are ready and in the wild? There's SO much going on in the vulnerability management space, but we'll try to get to the bottom of some of it in this episode. In this interview, we talk to Patrick Garrity about the messy state of vulnerability management and how to get it back on the rails.

Segment Resources:
Exploitation Timelines
NVD Sources for known exploitation
Exploitation in the Wild - Rockstar

As we near RSA conference season, tons of security startups are coming out of stealth! The RSA Innovation Sandbox has also announced the top 10 finalists, also highlighting early stage startups that will be at the show. In this week's news segment:
We discuss the highlights of the Cyber Safety Review Board's detailed and scathing report on Microsoft's 2023 breach
We spend a bit of time on the xz backdoor, but not too much, as it has been covered comprehensively elsewhere
We discover half a dozen of the latest startups to receive funding or come out of stealth: Coro, Skyflow, Zafran, Permiso, Bedrock Security, Abstract Security, and Sandfly
Apple is reportedly going to have some big AI announcements this summer, and we discuss how overdue voice assistants are for an LLM makeover.
Finally, we discuss the amazing innovation that is the Volkswagen RooBadge!

By the way, the thumbnail is a reference to the xz backdoor link we include in the show notes: https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw-356
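The Protect It All episode above argues for correlating vulnerabilities with business priorities rather than just CVSS scores, and the ESW #356 episode asks how much exploitation signals such as EPSS and known-exploitation sources should drive prioritization. The following is an added example of that kind of ranking in working code; it is not code from either podcast and it is not an implementation of CISA's SSVC, although the four outcomes are borrowed from SSVC's vocabulary. The decision rules, the EPSS threshold, the asset attributes and the findings are all constructed for illustration, and the CVE IDs are placeholders, not real identifiers.

```python
"""Rank findings by exploitation evidence and asset context, not CVSS alone.

Added example; not code from either podcast, nor an implementation of
CISA's SSVC. The decision rules, the EPSS threshold and the findings
below are assumptions constructed for illustration; the CVE IDs are
placeholders, not real identifiers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float             # CVSS base score as published
    epss: float             # EPSS probability (0..1) of exploitation activity
    in_kev: bool            # listed in CISA's Known Exploited Vulnerabilities catalog
    internet_facing: bool   # reachable from outside the network
    mission_critical: bool  # an outage stops the business (or the plant)


EPSS_ATTENTION = 0.10  # assumed threshold; tune to your own risk appetite
RANK = {"act": 0, "attend": 1, "track": 2, "defer": 3}


def decision(f: Finding) -> str:
    """Four outcomes in the spirit of SSVC: act, attend, track, defer."""
    exploitation_signal = f.in_kev or f.epss >= EPSS_ATTENTION
    exposed_or_vital = f.internet_facing or f.mission_critical
    if exploitation_signal and exposed_or_vital:
        return "act"       # exploited or likely to be, and it matters: patch now
    if exploitation_signal or (f.cvss >= 9.0 and exposed_or_vital):
        return "attend"    # schedule for the next maintenance window
    if f.cvss >= 7.0:
        return "track"     # keep on the list; revisit if EPSS or KEV changes
    return "defer"


def prioritize(findings):
    """Sort by decision, then by likelihood of exploitation, then by CVSS."""
    return sorted(findings, key=lambda f: (RANK[decision(f)], -f.epss, -f.cvss))


# Constructed findings. Note that the CVSS 9.8 on an isolated HMI ranks
# below a CVSS 6.5 flaw on an internet-facing VPN that is already in KEV,
# and below a CVSS 7.5 flaw whose EPSS says exploitation is likely.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0101", "hmi-01", 9.8, 0.010, False, False, True),
    Finding("CVE-0000-0102", "vpn-edge", 6.5, 0.020, True, True, False),
    Finding("CVE-0000-0103", "historian-db", 7.5, 0.450, False, False, False),
    Finding("CVE-0000-0104", "kiosk-3", 5.3, 0.001, False, False, False),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{decision(f):7} {f.cve} {f.asset:13} "
              f"cvss={f.cvss} epss={f.epss:.3f} kev={f.in_kev}")
```

The sort key puts the decision first and uses EPSS, then CVSS, only to order findings that received the same decision; CVSS never promotes a finding past one with evidence of exploitation. In practice the `in_kev` and `epss` fields come from the KEV catalog and the EPSS feed, and `internet_facing` and `mission_critical` from the asset inventory the Protect It All episode says is so hard to keep accurate.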

Paul's Security Weekly TV
Getting Vulnerability Management Back on the Rails - Patrick Garrity - ESW #356

Paul's Security Weekly TV

Apr 4, 2024 · 52:20


NVD checked out, then they came back? Maybe? Should the xz backdoor be treated as a vulnerability? Is scan-driven vulnerability management obsolete when it comes to alerting on emerging threats? What were some of the takeaways from the first-ever VulnCon? EPSS is featured in over 100 security products, but is it properly supported by those that benefit from it? How long do defenders have from the moment a vulnerability is disclosed to patch or mitigate it before working exploits are ready and in the wild? There's SO much going on in the vulnerability management space, but we'll try to get to the bottom of some of it in this episode. In this interview, we talk to Patrick Garrity about the messy state of vulnerability management and how to get it back on the rails.

Segment Resources:
Exploitation Timelines
NVD Sources for known exploitation
Exploitation in the Wild - Rockstar

Show Notes: https://securityweekly.com/esw-356

The CyberWire
From lawsuit to logoff: Google's incognito mode makeover.

The CyberWire

Apr 2, 2024 · 36:49


Google agrees to delete billions of user records. NIST addresses the NVD backlog. India rescues hundreds of citizens from scam jobs in Cambodia. The UK and US agree to collaborate on AI safety. The FTC tracks an explosion in impersonation fraud. A PandaBuy breach exposes over 1.3 million customers. Prudential Financial informs over 36,000 customers of a data breach. A look at safeguarding sensitive data. Our guest is Jeff Reich, Executive Director of the Identity Defined Security Alliance (IDSA), with insights on identity security best practices. A dash of curiosity reveals a hotel chain vulnerability. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest Jeff Reich, Executive Director of the Identity Defined Security Alliance (IDSA), sharing insights on identity security best practices, identity and access sprawl, and how Generative AI is helping and hurting identity management. The IDSA's Identity Management Day 2024 is coming up on April 9, 2024.

Selected Reading
Google agreed to erase billions of browser records to settle a class action lawsuit (Security Affairs)
Vulnerability database backlog due to increased volume, changes in 'support,' NIST says (The Record)
India rescues 250 citizens enslaved by Cambodian cybercrime gang (Bleeping Computer)
The US and UK are teaming up to test the safety of AI models (Engadget)
Impersonation Scams Net Fraudsters $1.1bn in a Year (Infosecurity Magazine)
PandaBuy data breach allegedly impacted +1.3M customers (Security Affairs)
Prudential Financial Data Breach Impacts 36,000 (SecurityWeek)
How to bridge the gap between the IT and legal staffs to better combat insider risk (SC Media)
IBIS hotel check-in terminal keypad-code leakage (Pentagrid AG)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Business of Tech
Fri Mar-22-2024: NIST Delays, Microsoft Suspends Cloud in Russia, Enforcing Software Agreements

Business of Tech

Mar 22, 2024 · 11:59


Today's episode of the Business of Tech covers critical industry news. NIST's National Vulnerability Database is facing delays, impacting security efforts. Microsoft warns about cloud services in Russia due to European sanctions. Enforcing software agreements through resellers is a pivotal decision. The NVD slowdown and its implications for security are discussed, along with criticism of MITRE for not addressing the issue. The episode also mentions CISA's budget requests, highlighting key challenges in the tech industry.

Three things to know today
00:00 NIST's National Vulnerability Database Faces Delays, Compromising Security Efforts
03:40 Microsoft Halts Cloud Services in Russia, Citing European Sanctions and Urging Data Backup
06:03 Enforcing Software Agreements Through Resellers: A Pivotal Court Decision with Industry-Wide Implications

Supported by:
https://coreview.com/msp/
https://mspradio.com/engage/

Looking for a link from the stories? The entire script of the show, with links to articles, is posted in each story on https://www.businessof.tech/
Do you want the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/
Support the show on Patreon: https://patreon.com/mspradio/
Want our stuff? Cool Merch? Wear "Why Do We Care?" - Visit https://mspradio.myspreadshop.com

Follow us on:
LinkedIn: https://www.linkedin.com/company/28908079/
YouTube: https://youtube.com/mspradio/
Facebook: https://www.facebook.com/mspradionews/
Instagram: https://www.instagram.com/mspradio/
TikTok: https://www.tiktok.com/@businessoftech
Bluesky: https://bsky.app/profile/businessoftech.bsky.social

Resilient Cyber
S6E11: Josh Bressers & Dan Lorenc - Untangling the NVD Chaos

Resilient Cyber

Mar 22, 2024 · 29:18


- First off, for folks that don't know you, can you give them a brief overview of your background/organizations?
- Josh, let's start with you. Can you explain some of what is going on with the drama around NVD and what happened that caught everyone's attention?
- Dan, I know you've raised concerns around the implications for the community when it comes to the lack of CVE enrichment. How do you see this impacting the vulnerability management ecosystem?
- Josh, your team has started providing some accompanying resources to try and address the gap. Can you tell us a bit about that?
- Dan, you've spun up an open letter to Congress and have kicked off a bit of a grassroots effort to raise awareness around the problem. How is it going so far and what are you hoping to accomplish with the letter?
- Why do you both think this is such a big deal, and how can something so critical to the entire software ecosystem be so underfunded, overlooked and taken for granted?
- What are some things you both hope to see in the future to resolve this, both from NIST/NVD and the Government but also from industry as well?

Paul's Security Weekly
Securing All The Things - Josh Corman - PSW #821

Paul's Security Weekly

Mar 21, 2024 · 188:27


Josh Corman joins us to explore how we can make things more secure, making companies make things more secure, and making regulations that make us make things more secure! We will also touch on supply chain security and the state of vulnerability tracking and scoring. We discuss the always controversial Flipper Zero devices, the hidden risks in the undersea cables, and the landscape of government oversight, revealing the intricacies of the CVE, KEV, and NVD systems that are the linchpins of our digital safety. The conversation takes a turn to the practicalities of risk management and the impact of individuals on the industry, like Daniel from the curl project, striking a chord with the significance of cybersecurity vulnerabilities compared to environmental pollution. We tackle the challenges of vulnerability prioritization and the importance of a comprehensive approach to managing the ever-evolving threats that target our digital infrastructure.

(00:01) Security Practices and Flipper Zero
(07:01) Technology and Privacy Concerns in Cars
(17:33) Undersea Cables and NVD Issues
(27:45) Government Oversight and Funding for Cybersecurity
(33:33) Improving Vulnerability Prioritization in Cybersecurity
(45:37) Risk Management and CVE Implementation
(58:06) Cybersecurity Budget and Risk Management
(01:10:48) Unique Challenges in Cybersecurity Industry
(01:16:41) Discussion on Open Source and CNAs
(01:26:44) Bluetooth Vulnerabilities and Exploits Discussed
(01:39:46) Email Security and Compromised Accounts
(01:46:23) Cybersecurity Threats and Vulnerabilities
(01:52:06) GPU Security Vulnerabilities Explained

Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-821

Paul's Security Weekly TV
A Dive into Vulnerabilities and Compliance - PSW #821

Paul's Security Weekly TV

Mar 21, 2024 · 118:04


We discuss the always controversial Flipper Zero devices, the hidden risks in the undersea cables, and the landscape of government oversight, revealing the intricacies of the CVE, KEV, and NVD systems that are the linchpins of our digital safety. The conversation takes a turn to the practicalities of risk management and the impact of individuals on the industry, like Daniel from the curl project, striking a chord with the significance of cybersecurity vulnerabilities compared to environmental pollution. We tackle the challenges of vulnerability prioritization and the importance of a comprehensive approach to managing the ever-evolving threats that target our digital infrastructure.

(00:01) Security Practices and Flipper Zero
(07:01) Technology and Privacy Concerns in Cars
(17:33) Undersea Cables and NVD Issues
(27:45) Government Oversight and Funding for Cybersecurity
(33:33) Improving Vulnerability Prioritization in Cybersecurity
(45:37) Risk Management and CVE Implementation
(58:06) Cybersecurity Budget and Risk Management
(01:10:48) Unique Challenges in Cybersecurity Industry
(01:16:41) Discussion on Open Source and CNAs
(01:26:44) Bluetooth Vulnerabilities and Exploits Discussed
(01:39:46) Email Security and Compromised Accounts
(01:46:23) Cybersecurity Threats and Vulnerabilities
(01:52:06) GPU Security Vulnerabilities Explained

Show Notes: https://securityweekly.com/psw-821

Paul's Security Weekly (Video-Only)
A Dive into Vulnerabilities and Compliance - PSW #821

Paul's Security Weekly (Video-Only)

Play Episode Listen Later Mar 21, 2024 118:04


We discuss the always controversial Flipper Zero devices, the hidden risks in the undersea cables, and the landscape of government oversight, revealing the intricacies of the CVE, KEV, and NVD systems that are the linchpins of our digital safety. The conversation takes a turn to the practicalities of risk management and the impact of individuals on the industry, like Daniel from the curl project, striking a chord with the significance of cybersecurity vulnerabilities compared to environmental pollution. We tackle the challenges of vulnerability prioritization and the importance of a comprehensive approach to managing the ever-evolving threats that target our digital infrastructure.
(00:01) Security Practices and Flipper Zero
(07:01) Technology and Privacy Concerns in Cars
(17:33) Undersea Cables and NVD Issues
(27:45) Government Oversight and Funding for Cybersecurity
(33:33) Improving Vulnerability Prioritization in Cybersecurity
(45:37) Risk Management and CVE Implementation
(58:06) Cybersecurity Budget and Risk Management
(01:10:48) Unique Challenges in Cybersecurity Industry
(01:16:41) Discussion on Open Source and CNAs
(01:26:44) Bluetooth Vulnerabilities and Exploits Discussed
(01:39:46) Email Security and Compromised Accounts
(01:46:23) Cybersecurity Threats and Vulnerabilities
(01:52:06) GPU Security Vulnerabilities Explained
Show Notes: https://securityweekly.com/psw-821

Open Source Security Podcast
Episode 420 - What's going on at NVD

Open Source Security Podcast

Play Episode Listen Later Mar 18, 2024 39:04


Josh and Kurt talk about what's going on at the National Vulnerability Database. NVD suddenly stopped enriching vulnerabilities, and it's sent shockwaves through the vulnerability management space. While there are many unknowns right now, the one thing we can count on is that things won't go back to the way they were.
Show Notes
Anchore's Blog
Grype
Josh's Cyphercon Talk
Ecosyste.ms
Episode 266 – The future of security scanning with Debricked
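As an added example, not code from the episode, from NVD or from any of the tools in the show notes: the check below takes JSON in the shape of an NVD CVE API 2.0 response and reports which records lack the two things NVD enrichment supplies, an NVD-sourced ("Primary") CVSS score and CPE applicability statements, falling back to a CNA's "Secondary" score where NVD's is absent. Field names (`vulnStatus`, `metrics.cvssMetricV31[].type`, `configurations[].nodes[].cpeMatch`) follow the NVD API 2.0 schema; the sample response, its placeholder CVE IDs and every value in it are constructed for illustration and do not describe real vulnerabilities.

```python
"""Flag NVD CVE records that NVD has not enriched.

Added example, not code from the podcast or from NVD.  It reads JSON in the
shape of an NVD CVE API 2.0 response; the sample below is constructed, with
placeholder CVE IDs, and stands in for what the /rest/json/cves/2.0 endpoint
returns.
"""
import json
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample shaped like an NVD CVE API 2.0 response.  The IDs
# CVE-0000-000N are placeholders and every field value is made up.
SAMPLE_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {  # fully enriched: NVD's own score plus CPE applicability
            "id": "CVE-0000-0001",
            "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [
                {"source": "nvd@nist.gov", "type": "Primary",
                 "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
            "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"}]}]}],
        }},
        {"cve": {  # CNA supplied a score, but NVD added neither score nor CPEs
            "id": "CVE-0000-0002",
            "vulnStatus": "Awaiting Analysis",
            "metrics": {"cvssMetricV31": [
                {"source": "cna@example.org", "type": "Secondary",
                 "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
        }},
        {"cve": {  # nothing at all to prioritise on
            "id": "CVE-0000-0003",
            "vulnStatus": "Awaiting Analysis",
            "metrics": {},
        }},
    ]
})


@dataclass
class Enrichment:
    cve_id: str
    status: str          # NVD's vulnStatus, e.g. "Analyzed", "Awaiting Analysis"
    nvd_scored: bool     # an NVD-sourced ("Primary") CVSS metric is present
    cna_scored: bool     # a CNA/ADP-sourced ("Secondary") CVSS metric is present
    has_cpe: bool        # CPE applicability statements are present

    @property
    def enriched(self) -> bool:
        """NVD enrichment means NVD scored it AND mapped it to CPEs."""
        return self.nvd_scored and self.has_cpe


def _metric_types(cve: dict) -> Iterator[Tuple[str, str]]:
    """Yield (type, source) for every CVSS entry across all metric versions."""
    for entries in cve.get("metrics", {}).values():
        for entry in entries:
            yield entry.get("type", ""), entry.get("source", "")


def assess(cve: dict) -> Enrichment:
    types = {metric_type for metric_type, _ in _metric_types(cve)}
    has_cpe = any(
        node.get("cpeMatch")
        for config in cve.get("configurations", [])
        for node in config.get("nodes", []))
    return Enrichment(cve["id"], cve.get("vulnStatus", ""),
                      "Primary" in types, "Secondary" in types, has_cpe)


def assess_response(raw: str) -> List[Enrichment]:
    return [assess(item["cve"]) for item in json.loads(raw)["vulnerabilities"]]


def unenriched_ids(raw: str) -> List[str]:
    """IDs a scanner relying solely on NVD CVSS/CPE data would silently skip."""
    return [e.cve_id for e in assess_response(raw) if not e.enriched]


def best_available_score(cve: dict) -> Optional[float]:
    """Prefer NVD's Primary CVSS v3.1 score; fall back to a CNA's Secondary one."""
    entries = cve.get("metrics", {}).get("cvssMetricV31", [])
    for wanted in ("Primary", "Secondary"):
        for entry in entries:
            if entry.get("type") == wanted:
                return entry["cvssData"]["baseScore"]
    return None


def scores_by_id(raw: str) -> dict:
    return {item["cve"]["id"]: best_available_score(item["cve"])
            for item in json.loads(raw)["vulnerabilities"]}


if __name__ == "__main__":
    for e in assess_response(SAMPLE_RESPONSE):
        flag = "ok" if e.enriched else "UNENRICHED"
        print(f"{e.cve_id} {e.status!r:22} nvd_score={e.nvd_scored} "
              f"cna_score={e.cna_scored} cpe={e.has_cpe} -> {flag}")
```

The point of the check is that a CPE-based scanner matches on `configurations`, so a record that is "Awaiting Analysis" with no CPE data is invisible to it even when the CNA has already published a score; `best_available_score` is the minimal fallback that keeps such records in a prioritisation queue.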

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Microsoft Patch Tuesday March 2024 https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20-%20March%202024/30736
Death Knell of NVD https://resilientcyber.substack.com/p/death-knell-of-the-nvd
Unrestricted file upload vulnerability in ManageEngine Desktop Central https://www.incibe.es/en/incibe-cert/notices/aviso/unrestricted-file-upload-vulnerability-manageengine-desktop-central
Siemens Fire Protection System Updates https://cert-portal.siemens.com/productcert/html/ssa-225840.html


The Daily Decrypt - Cyber News and Discussions
Facebook Job Posting Malware, Chinese Hack on Dutch Military, Linux Bootloader RCE Vulnerability – Cyber Security News

The Daily Decrypt - Cyber News and Discussions

Play Episode Listen Later Feb 8, 2024 7:50


We kick off with a report from BleepingComputer about Ov3r_Stealer malware, a devious program disseminated through Facebook job ads, illustrating the ever-present dangers lurking on social media. Then, we pivot to a strategic cyber assault attributed to Chinese hackers exploiting a FortiGate vulnerability to breach Dutch military defenses, as detailed by The Hacker News. Wrapping up, we delve into the Linux world, confronting a dire remote code execution flaw in the shim bootloader that threatens every distribution supporting Secure Boot, a saga reported by Dark Reading and the NVD. Tune in to decrypt the complexities of cybersecurity in our digital age. Ov3r_Stealer Malware Alert: Read more at BleepingComputer Dutch Military Cyber Breach: Read more at The Hacker News Linux Bootloader Vulnerability Exposed: NVD CVE-2023-40547 & Dark Reading Article

Irish Tech News Audio Articles
Wexford Tech Meetup is Reignited in Wexford Town

Irish Tech News Audio Articles

Play Episode Listen Later Dec 11, 2023 2:40


Wexford's growing tech community has a new place to get together, share ideas and network thanks to the re-launch of Wexford Tech Meetup. The first event took place at Scurri's offices on Selskar Street on Tuesday, December 5th 2023, with upcoming events planned for 2024. Over thirty tech professionals from a wide range of companies were in attendance, including employees from Iarnród Éireann, Distilled, South East Technological University (SETU), NVD, Teamwork.com and Scurri. Open to all tech professionals in the South East area, Wexford Tech Meetup was organised by Gary Meehan (CTO and Founder, Retrograde), Alan Moran (Software Engineering Manager, Mastercard) and Colm O'Connor (Brand Manager, Scurri). "There is a thriving tech scene in Wexford and the South East," said Gary Meehan, "with a wide selection of start-ups, scale-ups and established tech companies at the forefront of Irish tech emerging from the area. Wexford Tech Meetup provides a space for tech professionals and enthusiasts from the South East to share ideas and concepts and build connections." The first speaker of the event was Gary Meehan (Founder at Retrograde), who discussed how a high-stakes scenario in a dynamic startup environment propelled his team to deploy GPT-4 into production swiftly and efficiently. This presentation was followed by Stephen White (Software Developer at Scurri), who presented on the power of automation in software development. There was strong audience participation throughout the evening. "We are delighted to have had such a strong turnout for the first of the new Wexford Tech Meetups," said Colm O'Connor, Brand Manager at Scurri. "When Alan and Gary posted on LinkedIn to gauge interest in such an event, our founder Rory O'Connor was only delighted to sponsor the event, having previously set up the Wexford Tech Meetup in 2011. This time round Scurri were pleased to provide a location at our central Wexford town office, along with snacks and refreshments."
Having received 9 million in Series A funding in 2021, eCommerce delivery management software provider Scurri is one example of how tech companies from the South East are going from strength to strength. The next Wexford Tech Meetup will take place in Scurri's offices in early 2024. Practitioners and enthusiasts from all backgrounds and experience levels are welcome at the Wexford Tech Meetup. People interested in attending can join the Wexford Tech Meetup group at Meetup.com.

Engineering Kiosk
#100 Episodes: a tech look back at 2022/23, predictions for 2024 and lots of tech trivia

Engineering Kiosk

Play Episode Listen Later Dec 5, 2023 87:22


100 episodes of Engineering Kiosk: the anniversary, the quiz, the tech look-back and the tech predictions for 2024. Almost two years ago Engineering Kiosk saw the light of day. Since then a new episode has been released every week. And suddenly the episode number has three digits. Happy Birthday: this is our Engineering Kiosk anniversary.
A somewhat different episode with:
- Many voices from friends and acquaintances
- A quiz battle
- The tech look-back on the years 2022 and 2023
- Our tech predictions for 2024
Special thanks go to:
- Matthias Endler
- Arne Claus
- Dominik Siebel
- Markus Poerschke
- Christian Schepp Schaefer from the WorkingDraft podcast
- Christian Braun from the Index Out Of Bounds podcast
- Nils Langner from the Super Duper Developers Club
- Ellen Schwartau and Doreen Sacker from the Unmute IT podcast
- Roland Golla from Never Code Alone
- Patrick Terlisten and Claudia Kühn from the Wartungsfenster podcast
Bonus: €100 goes to open source.
Quick feedback on the episode:

Sustain
Episode 203: What's wrong with CVEs? Daniel Stenberg of cURL wants you to know

Sustain

Play Episode Listen Later Oct 13, 2023 27:43


Guests: Daniel Stenberg | Dan Lorenc
Panelist: Richard Littauer
Show Notes
Today, we are switching things up and doing something new for this episode of Sustain, where we'll be talking about current events, specifically security challenges. Richard welcomes guest Daniel Stenberg, founder and lead developer of the cURL project. Richard and Daniel dive into the complexities of Common Vulnerabilities and Exposures (CVEs), discussing issues with how they are reported and scored, and the potential impact on open source maintainers. They also explore the difficulty of fixing the CVE system, propose short-term solutions, and address concerns about CVE-related DDoS attacks. Dan Lorenc, co-founder and CEO of Chainguard, also joins us and offers insights into the National Vulnerability Database (NVD) and suggests ways to improve CVE quality. NVD's response is examined, and Daniel shares his frustrations and uncertainties regarding the CVE system's future. Hit download now to hear more!
[00:01:00] Richard explains that they will discuss Common Vulnerabilities and Exposures (CVEs) and mentions that CVEs were launched in September 1999, briefly highlighting their purpose. He mentions receiving an email about a CVE related to the cURL project, which wasn't acknowledged by the cURL team.
[00:01:50] Daniel explains that the email about the CVE was sent to the cURL library mailing list by a contributor who noticed the issue. He describes the confusion about the old bug being registered as a new CVE.
[00:03:54] Daniel discusses the process of requesting a CVE, which involves organizations like MITRE, and he mentions the National Vulnerability Database (NVD) and how it consumes and assigns severity scores to CVEs.
[00:06:21] Richard asks about how NVD assigns severity scores to CVEs, specifically in the case of CVE 2020, and Daniel describes the actual bug in curl, which was a minor issue involving retry delays and not a severe security threat.
[00:09:57] Richard questions who at NVD determines these scores and whether they are policy makers or coders, to which Daniel admits he has no idea and discusses his efforts to address the issue. He expresses frustration with NVD's scoring system and their lack of communication.
[00:11:18] Daniel and Richard discuss their concerns about the accuracy and relevance of CVE ratings, especially in cases where those assigning scores may not fully understand the technical details of vulnerabilities.
[00:14:37] We now welcome Dan Lorenc to get his point of view on this issue. Dan introduces himself and talks about his experience with the NVD, highlighting some of the issues with CVE scoring and the varying quality of CVE reports.
[00:16:11] Dan mentions the problems with CVSS scoring and the incentives for individuals to report vulnerabilities with higher scores for personal gain, leading to score inflation. Dan suggests that NVD could improve the quality of CVEs by applying more scrutiny to high-severity reports and widely used libraries like cURL, which could reduce the noise and waste of resources in the industry.
[00:18:23] Richard presents NVD's response to their inquiry. Then, Daniel and Richard discuss NVD's response and the discrepancy between their assessment and that of open source maintainers like Daniel, who believe that some CVEs are not valid security issues.
[00:20:44] Richard asks if anyone offered to fund the work to fix vulnerabilities in important open source projects like cURL when a CVE is reported. Daniel replies that no such offers have been made, as most involved in the project recognize that some CVEs are not actual security problems, but rather meta problems caused by the CVE rating system.
[00:21:40] Daniel explains his short-term solution of registering his own CNA (CVE Numbering Authority) to manage CVEs for his products and prevent anonymous users from filing CVEs.
[00:23:04] Richard raises concerns about the potential for a CVE DDoS attack on open source, overwhelming maintainers with a flood of CVE reports.
[00:24:20] Daniel comments on the growing problem of both legitimate and invalid CVEs being reported, as security scanners increasingly scan for them. Richard reflects on the global nature of the problem, and Daniel emphasizes the importance of having a unique ID for security problems like CVEs.
Links
SustainOSS (https://sustainoss.org/)
SustainOSS Twitter (https://twitter.com/SustainOSS?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
SustainOSS Discourse (https://discourse.sustainoss.org/)
podcast@sustainoss.org (mailto:podcast@sustainoss.org)
SustainOSS Mastodon (https://mastodon.social/tags/sustainoss)
Open Collective-SustainOSS (Contribute) (https://opencollective.com/sustainoss)
Richard Littauer Twitter (https://twitter.com/richlitt?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Richard Littauer Mastodon (https://mastodon.social/@richlitt)
Daniel Stenberg Twitter (https://twitter.com/bagder?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Daniel Stenberg Mastodon (https://mastodon.social/@bagder)
Daniel Stenberg Website (https://daniel.haxx.se/)
Dan Lorenc Twitter (https://twitter.com/lorenc_dan?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
National Vulnerability Database (https://nvd.nist.gov/)
CVE (https://www.cve.org/)
cURL (https://curl.se/)
Chainguard (https://www.chainguard.dev/)
Sustain Podcast-Episode 185: Daniel Stenberg on the cURL project (https://podcast.sustainoss.org/guests/stenberg)
Sustain Podcast-Episode 93: Dan Lorenc and OSS Supply Chain Security at Google (https://podcast.sustainoss.org/93)
Credits
Produced by Justin Dorfman (https://www.justindorfman.com) & Richard Littauer (https://www.burntfen.com/)
Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/)
Show notes by DeAnn Bahr, Peachtree Sound (https://www.peachtreesound.com/)
Special Guests: Daniel Stenberg and Dan Lorenc.

We Speak CVE
How the New CVE Record Format Will Benefit Consumers

We Speak CVE

Play Episode Listen Later Sep 26, 2023 25:41


Shannon Sabens of CrowdStrike and Kent Landfield of Trellix, both of whom are CVE Board members and CVE Working Group chairs, speak about how the new CVE Record format — with its new structured data format and optional information fields — will benefit and provide enhanced value to consumers of CVE content moving forward. Specific topics discussed include how the new CVE Record format will enable more complete vulnerability information to be captured early on in the advisory process and how that will benefit consumers; the ability for CVE content consumers to streamline and more easily automate their use of CVE Records because the data format is standardized and machine-readable; the automated creation and publication of CVE Records by CVE Numbering Authorities (currently, 320+ CNAs from 35+ countries!), which means more quality CVE Records can be produced at a faster pace than ever before for use by the worldwide community; and, for the ability of official CVE Program “Authorized Data Publishers (ADPs)” to enrich the content of already published CVE Records with additional risk scores, affected product lists, versions, references, translations, and so on, (learn more about ADPs in this CVE podcast). Vulnerability scoring methods for CVE Records are also discussed, including NVD's use of CVSS, CISA's Known Exploited Vulnerabilities (KEV) Catalog, and more.

Open Source Security Podcast
Episode 392 - Curl and the calamity of CVE

Open Source Security Podcast

Play Episode Listen Later Sep 11, 2023 46:25


Josh and Kurt talk about why CVE is making the news lately. Things are not well in the CVE program, and it's not looking like anything will get fixed anytime soon. Josh and Kurt have a unique set of knowledge around CVE. There's a lot of confusion and difficulty in understanding how CVE works.
Show Notes
Curl blog post
Now it's PostgreSQL's turn to have a bogus CVE
GitHub Advisory Database
Josh's "CVE tried to get me fired" story

@BEERISAC: CPS/ICS Security Podcast Playlist
SBOMs & CycloneDX with Steve Springett

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Aug 24, 2023 61:30


Podcast: Unsolicited Response
Episode: SBOMs & CycloneDX with Steve Springett
Pub date: 2023-08-23
Steve Springett is the Chair of the OWASP CycloneDX Core Working Group. CycloneDX is one of the two main machine-readable formats that SBOMs are being created in, although CycloneDX can capture all sorts of BOMs. In this episode we assume listeners know what an SBOM is and why it might be desired by a vendor and asset owner. At the beginning of the show we cover some basics of CycloneDX. If you know the basics, skip to 14:24 where we get into the details:
- Statistics on who is generating and using CycloneDX SBOMs, and the impact of government regulations on their use.
- Steve's view of the NTIA Minimum Elements for SBOM vs. CycloneDX elements.
- How CycloneDX tries to capture the completeness of and confidence in the SBOM.
- The naming problem: CPE, CVE, NVD, SWID, PURL and more. Steve describes the problem and what he thinks is the way forward.
- Vulnerabilities ... and why Steve thinks VEX is a missed opportunity.
- Outdated component analysis (this could be very useful in a procurement decision) and more.
Links
CycloneDX document: Authoritative Guide To SBOM
ICS-Patch (what to patch when in ICS / risk-based decision tree)
S4x24 CFP
The podcast and artwork embedded on this page are from Dale Peterson: ICS Security Catalyst and S4 Conference Chair, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

Unsolicited Response Podcast
SBOMs & CycloneDX with Steve Springett

Unsolicited Response Podcast

Play Episode Listen Later Aug 23, 2023 61:30


Steve Springett is the Chair of the OWASP CycloneDX Core Working Group. CycloneDX is one of the two main machine-readable formats that SBOMs are being created in, although CycloneDX can capture all sorts of BOMs. In this episode we assume listeners know what an SBOM is and why it might be desired by a vendor and asset owner. At the beginning of the show we cover some basics of CycloneDX. If you know the basics, skip to 14:24 where we get into the details:
- Statistics on who is generating and using CycloneDX SBOMs, and the impact of government regulations on their use.
- Steve's view of the NTIA Minimum Elements for SBOM vs. CycloneDX elements.
- How CycloneDX tries to capture the completeness of and confidence in the SBOM.
- The naming problem: CPE, CVE, NVD, SWID, PURL and more. Steve describes the problem and what he thinks is the way forward.
- Vulnerabilities ... and why Steve thinks VEX is a missed opportunity.
- Outdated component analysis (this could be very useful in a procurement decision) and more.
Links
CycloneDX document: Authoritative Guide To SBOM
ICS-Patch (what to patch when in ICS / risk-based decision tree)
S4x24 CFP

It's 5:05! Daily cybersecurity and open source briefing
Episode #31 - It's 5:05, Monday, December 12, 2022

It's 5:05! Daily cybersecurity and open source briefing

Play Episode Listen Later Dec 12, 2022 7:44


It's 5:05 on Monday, December 12, 2022. This is your daily update of open source and cybersecurity news. This is Pokie Huang, coming from the 5:05 offices in New York City. Stories for today come from Katy Craig in California, who gives highlights from the Fiscal Year 2023 National Defense Authorization Act; Edwin Kwan in Australia, reporting on the privacy breach at Australia's largest telecommunications provider; and Olimpiu Pop in Romania on Kali Linux's newest release. We will start today with Mark Miller in New York City on why CVE and NVD do not work. Let's get to it!

Zooinside
Zoo Inside #186

Zooinside

Play Episode Listen Later Dec 4, 2022 48:27


In episode 186 it is Pakjesavond (Sinterklaas gift evening) at Zoo Inside and all NVD get a little present from us ➤ Respond to this podcast: zooinside.nl/contact or info@zooside.nl ➤ Follow Zoo Inside on Twitter: twitter.com/Zooinsidenl ➤ Follow Zoo Inside on Instagram: www.instagram.com/zooinside_podcast

Resilient Cyber
S3E26: Mark Curphey - Challenges in SCA/SBOM and Modernizing OWASP

Resilient Cyber

Play Episode Listen Later Nov 12, 2022 36:10


- You recently wrote an article about the SBOM frenzy being premature. For those not familiar with SBOMs, what is an SBOM and what has led to the frenzy, as you call it?
- In your article you discuss challenges related to the build environments and hosts that can cause different outputs and SBOMs unless a build occurs on two identical machines. Can you explain why that is?
- What role do you think emerging frameworks such as SLSA or SSDF and higher maturity requirements for things such as Reproducible Builds or Hermetic Builds play in alleviating some of these concerns?
- Given the challenges of dynamic, ephemeral build environments and hosts, do you think this undermines the usefulness of SBOMs as an industry artifact related to software supply chain security?
- You also recently wrote a follow-up article about why Software Composition Analysis (SCA) is really hard. What are some of the reasons you think that is the case?
- You mentioned challenges with CVEs and their accuracy. As many know, CVEs are created via CNAs and as part of NVD. Do you think alternative vulnerability databases such as the Global Security Database (GSD) or OSV will alleviate any of the vulnerability issues in the industry?
- You were involved in founding OWASP. I personally, and I suspect many others, would love to hear about that a bit, given just how much of an industry staple OWASP is, from Top 10 lists to CycloneDX and countless other widely used projects.
- You recently ran a campaign to be elected to the OWASP Board to try and modernize it and address many gaps you state lead to OWASP being on a path to irrelevance. Can you tell us what some of those issues are and your plan to address them, to keep such a great organization a key part of our industry in the modern era of Cloud-native and DevSecOps?

Resilient Cyber
S3E21: Steve Springett - Navigating the Digital Supply Chain

Resilient Cyber

Play Episode Listen Later Sep 30, 2022 44:29


Chris: Before we dive into too many specific topics, one thing I wanted to ask is, you've been working in and around the topic of SBOM and software supply chain for some time via NTIA, CycloneDX, SCVS etc. How did you have the foresight, or what drove you, to focus on this topic well before many others in the industry?
Nikki: You mentioned recently the SBOM Forum and their recommendation that the NVD adopt Package URL. I think the recommendations are great for NVD, because the NVD, the CVE ID mechanisms, and CWEs weren't technically built for a lot of the updated vulnerabilities and concerns we see today, especially in the software supply chain. Can you talk a little bit about the challenges around vulnerability management when it comes to the software supply chain?
Chris: I wanted to ask you about SaaSBOM, which has been a topic of discussion in the CISA SBOM WG that I know you and I participate in. What is a SaaSBOM in your mind, and where does it begin and end, given most of the cloud, including infrastructure, is software-defined?
Nikki: I liked your article titled "SBOM should not exist! Long live the SBOM". What really caught me was the idea that BOMs, or Bills of Materials, have been around for a while, and in other industries as well. I'm curious, because there are a lot of potential implications for using BOMs outside of software. What are your thoughts on how we could potentially use the idea of BOMs in other cybersecurity or software development areas?
Chris: I want to discuss some critiques of SBOM. VEX is promising but of course requires information from software producers, and then of course trusting their assertions. VEX: do you see a future where both SBOM and VEX are automated in terms of generation and ingestion to inform organizational vulnerability management and potentially procurement activities?
Nikki: I would be remiss if I didn't ask you about the human element in all of this. I feel like the complexity of the software supply chain, on top of infrastructure, operations, cloud deployments, etc., can get somewhat complex. How do you think the increased complexity around the software supply chain is affecting the management and operations groups?
Chris: You have long been the lead on the wildly popular Dependency-Track project. Can you tell us a bit about its origins, where it stands today and where it is headed?
Chris: There has been a lot of guidance lately on software supply chain, such as NIST EO outputs from Section 4, NIST SSDF, guidance from CSA, CNCF et al. How does SCVS fit into the mix, and do you see organizations using all of it, or rallying around some of the guidance?
Chris follow-up: Some have claimed that these requirements are simply impractical for anyone except large enterprise organizations and software producers. Any thoughts on the practicality of the guidance for smaller organizations who still play a major role in the software ecosystem?

We Speak CVE
An Insider's View of the CVE Program

We Speak CVE

Play Episode Listen Later Sep 27, 2022 23:27


Shannon Sabens of CrowdStrike and Tod Beardsley of Rapid7, both of whom are CVE Board members and CVE Working Group chairs, chat about the CVE Program from their insider's perspectives. Topics include the value of a federated program of CVE Numbering Authorities (CNAs) from around the world for increased assignment of CVE Records; the upside and minimal requirements to becoming a CNA; the types of organizations that are CNAs; how CNAs are a community with a mentoring program; how CNAs assigning CVE Identifiers (CVE IDs) benefits the global IT community; CVE versus NVD; how CNAs impact the program by participating in CVE Working Groups, be it for one-off or longer-term contributions; and how the CVE Program is about people working to improve cybersecurity for all. Tod also writes about many of these topics in his article, An Inside Look at What Makes the CVE Program Tick, on SCMagazine.

Aperture: A Claroty Podcast
Kylie McClanahan on Automating the Gathering of Vulnerability Information

Aperture: A Claroty Podcast

Play Episode Listen Later Mar 29, 2022 41:05


Kylie McClanahan, a University of Arkansas doctoral student and senior developer at Bastazo, joins the Aperture podcast to discuss her research into automating the gathering of vulnerability remediation and mitigation information from vendors and third-party sources. McClanahan explains how she and colleagues have used machine learning, natural language processing, and keyword techniques, among others, to parse mitigation advice from vendor advisories and alerts from third-party sources such as NVD. These advisories often have incomplete mitigation information, which is especially valuable in OT environments where asset owners must rely on mitigations when patches aren't available or devices cannot be patched. McClanahan has coauthored two papers explaining different approaches to solving this problem that can be downloaded here.

Open Source Security Podcast
Episode 303 - Log4j Christmas Spectacular!

Open Source Security Podcast

Play Episode Listen Later Dec 27, 2021 34:37


Josh and Kurt start the show with the reading of a security-themed Christmas poem. We then discuss some of the new happenings around Log4j. The basic theme is that even if we were over-investing in Log4j, it probably wouldn't have caught this. There are still a lot of things to unpack with this event; I'm sure we'll be talking about it well into the future.
Log before Christmas poem
'Twas the night before Christmas, when all through the stack
Not a scanner was scanning, not even a rack,
The SBOMs were uploaded to the portal with care,
In hopes that next year would be boring and bare
The interns were nestled all snug at their beds;
While visions of dashboards danced in their heads;
The CISO in their 'kerchief, and I in my cap,
Had just slept our laptops for a long winter's nap,
When all of a sudden the pager went ack ack
I sprang to my laptop with worries of attack
Away to the browser I flew like a flash,
Tore open the window and cleared out the cache
The red of the dashboard the glow of the screen
Gave a lustre of disaster my eyes rarely seen
When what to my wondering eyes did we appear,
But a new advisory and eight vulnerabilities to fear,
Like a little old hacker all ready to play,
I knew in a moment it must be Log4j
More rapid than gigabit its coursers they came,
And it whistled, and shouted, and called them by name:
"Now, Log4Shell! now CVE! now ASF and NVD!
On, CISA! on, LunaSec! on, GossiTheDog!
To the top of the HackerNews! to the top of the wall!
Now hack away! hack away! hack away all!"
Like the bits that before the wild CDN fly by
When they meet with a firewall, they mount to the sky;
So up to the cloud like bastards they flew
With tweets full of vulns, and Log4j too—
And then, in a twinkling, I read in the slack
The wailing and screaming of each analyst called back
As I drew in my head, and was turning around,
Down the network Log4j came with a bound.
It was dressed in a hoodie, black and zipped tight,
The clothes were all swag from a conference one night
A bundle of vulns it had checked in its git
And it looked like a pedler just being a twit
The changelog—how it twinkled! its features, how merry!
Its versions were like roses, its logo like a cherry!
Its droll little mouth was drawn up like an at,
And the beard on its chin made it look stupid and fat
The stump of a diff it held tight in its teeth,
And the bits, they encircled the repo like a wreath;
It had a flashy readme an annoying little fad
That shook when it downloaded, like a disk drive gone bad
It was chubby and plump, an annoying old package,
And I laughed when I saw it, in spite of the hackage
A wink of its bits and a twist of its head
Soon gave me to know I had everything to dread
It spoke not a word, but went straight to its work,
And pwnt all the servers; then turned with a jerk,
And laying its patches aside of its nose,
And giving a nod, up the network it rose;
It sprang to its packet, to its team gave them more,
And away they all fled leaving behind a back door
But I heard it exclaim, ere it drove out of sight—
"Merry Christmas you nerds, Log4j won tonight!"

AVLEONOV Podcast
Ep.45 - Vulristics Command Line Interface, improved Product / Vuln. Type Detections and Microsoft Patch Tuesday November 2021

AVLEONOV Podcast

Play Episode Listen Later Nov 30, 2021 5:07


Hello everyone! In this episode I want to highlight the latest changes in my Vulristics project. For those who don't know, this is a utility for prioritizing CVE vulnerabilities based on data from various sources, currently Microsoft, NVD, Vulners and AttackerKB. Watch the video version of this episode on my YouTube channel. Read the full text of this episode with all links on the avleonov.com blog.

Kā labāk dzīvot
Dietitian: There is no Covid-19 diet; what matters is that the patient's diet is complete

Kā labāk dzīvot

Play Episode Listen Later Nov 5, 2021 49:46


Most people who fall ill with Covid-19 are treated at home, but our listeners are worried about the lack of information on what a patient should do to help the body cope with this illness. Whether guidelines for treating the disease at home are currently available is what we clarify on the programme Kā labāk dzīvot. Family doctor Ainis Dzalbs, a representative of the Rural Family Doctors' Association, points out that the changes concern not outpatient treatment but monitoring, because the main task at home is to distinguish a mild from a severe course of the disease and to catch in time the moment when more serious help is needed and the patient must go to hospital. He notes that around 90% of those who fall ill can be treated at home under the supervision, most likely remote, of a family doctor or another specialist. Those with a more severe course of the disease, who need more serious therapy, end up in hospital. Laila Meija, doctor of medical sciences and certified dietitian, acknowledges that there is no special Covid diet, because the disease is new, but nutrition is important during the illness so that the body can recover. "If the course of the disease is not severe, the main recommendations are that the diet should be healthy and complete," says Laila Meija. "But the course of the disease can vary greatly. Whatever the phase of the illness, it is important to be sufficiently supplied with good proteins. If the situation is severe, with high fever and fatigue, and the person cannot eat, it must be understood that this is hypermetabolism, which means that everything in the body is boiling and burning up. And if on top of that the person cannot eat, the body essentially eats itself to some extent. Moreover, in such a situation it hardly uses fat at all, but rather muscle tissue, the body's protein reserves." The recommendations, if there is difficulty breathing, are to eat more often and in smaller portions, and to keep track of how much is eaten. If the person eats half of what they ate before, one has to think about how to correct the situation. These can be home-made shakes with concentrated protein. Even better, medical nutrition in addition. Relatives should keep track of how much the person eats.
A small portion should contain calories and protein. If there is a lack of appetite, offer what the person wants to eat. And, of course, it is important to take in plenty of fluids, as both Laila Meija and Ainis Dzalbs remind us. Ainis Dzalbs urges people not to get carried away with various dietary supplements or unproven alternative methods of maintaining immunity. On the programme one listener mentioned inhaling smelling salts, and people also talk about dripping lemon juice into the nose or drinking baking soda. "These are all methods for which there is no evidence that anyone has been protected or saved from Covid-19, or that actions of this kind have prevented infection. The most effective forms of prevention are vaccination, a healthy lifestyle and diet, walks in the fresh air, sport and possibly also the sauna, observing the epidemiological safety requirements," says Ainis Dzalbs. Evija Štālberga, head of the National Health Service's "Covid-19 certificate - for a safer everyday life!" campaign and head of the NVD public relations department, reminds listeners how to download a digital Covid-19 recovery or vaccination certificate from the website Covid19sertifikats.lv. People who do not use the internet can ask relatives to do this, or go to state and municipal customer service centres, first calling the information line 80001234. Those who have received a third vaccine dose will have a new certificate available, but the previous certificate will also remain valid. "Using the certificate for the third dose may be relevant if a resident plans to travel outside Latvia and the country in question requires a third dose, or if the certificate is needed for other purposes," notes Evija Štālberga. She also reminds listeners that before travelling to any country, one must definitely check its entry requirements and the rules for using the certificate.

Cyber Security Inside
64. What That Means with Camille: Risk Mitigation and Vulnerability Disclosures

Cyber Security Inside

Play Episode Listen Later Nov 1, 2021 24:25


There are infinite vulnerabilities out there that make us susceptible to cyberattack, and as of this year we're on track to have identified 20,000 of them. While there's a whole risk mitigation ecosystem in place, CVE (formerly known as the Common Vulnerabilities and Exposures Program) has played a huge role in establishing a dictionary-like database with IDs and definitions for each known vulnerability. On this episode of What That Means, Camille is joined by returning guest Katie Trimble-Noble (Intel - Director, PSIRT & Bug Bounty) to describe the critical nature of CVE in greater detail.

They cover:
- The origins and evolution of CVE (formerly known as the Common Vulnerabilities and Exposures Program)
- Why CVE matters, and what it does and doesn't do
- How NVD (the National Vulnerability Database) and CVSS (the Common Vulnerability Scoring System) differ from and apply to CVE
- How risk severity is actually scored
- Who and what CVE Numbering Authorities (CNAs) are, why they're important, and the process of becoming one
... and more. Really interesting stuff, so tune in!

*And if you like what you hear, catch an earlier conversation Camille had with Katie in WTM Episode 26: Bug Bounty and Crowdsourced Security; Alexander (RoRo) Romero joins them for a great discussion, and you don't want to miss it: https://bit.ly/3mv9yVr

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

Here are some key takeaways:
- CVE makes up an important part of the mitigation ecosystem, and its main mission is to catalog and identify known vulnerabilities; we can think of it as a sort of dictionary in that it tells you the definitions of vulnerabilities.
- Although CVE does not rate the severity of vulnerabilities, its identifiers let you enumerate which known vulnerabilities affect the products in your network; NVD and CVSS help to paint a clearer picture of risk level.
- While ideally everything would be patched, there has to be a hierarchy of priority; that's what makes CVE so crucial, because it enables system admins to differentiate and decide what to patch first based on risk analysis.
- CVE also helps to identify vulnerabilities in a universally recognizable way.
- Some vulnerabilities can intersect to form an attack chain, a common phenomenon that's often referred to as a "daisy chain."
- CNAs are vendors, government agencies and research organizations that have a deep knowledge of vulnerabilities because they own a product or have done extensive research on it; these CNAs can publish directly to the CVE Master List.
- There are currently 161 CNAs around the world, one of which is Intel.
- In 2021, 20,000 vulnerabilities are on track to be identified.
- There is no cookie-cutter response to risk, because the things that get fixed, and in what order, depend on the implementation.
- It's important for consumers to put pressure on manufacturers to be transparent about vulnerabilities, because in the end it strengthens the entire ecosystem.

Some interesting quotes from today's episode:
"Everyone uses CVE. And the reason that you use CVE is when you're doing your risk analysis to patch management, your system admins need to know what are we vulnerable to so that they can make that risk-based decision of what gets patched first."
"Really risk is in the eye of the beholder. I can't say what's more important for you to patch because you have certain mitigating compensating controls on your end, the implementation end of the user. The implementation really dictates how things get fixed and in what order they get fixed."
"It's not the mission of the CVE program to really get into some of those kind of theoretical details. It's more sticking to the mission of the CVE program to identify and catalog those vulnerabilities so that you can enable the user end with the best risk-based program that can be available. It's all about transparency and truth."
"There was a lot of back and forth about what exactly is an exposure. So ultimately it was decided that in the best interest of the community, it was better to focus on CVEs in the form of vulnerability identification."
"The CVE Master List is really just a reflection of the known vulnerabilities; there are an infinite number of vulnerabilities out there."
"I mean, my Fitbit could have vulnerabilities and that's not something you saw 10 years ago."
"I think that we're going to continue to see a rapid increase in the quantity of vulnerabilities that have been identified. And that's why it's so important to have that community-based approach, those CNAs, those people who are sitting there cataloging vulnerabilities in their systems."
"As the consumer, you want to put pressure on your product manufacturer to build a secure product."
"If you can attack that insulin pump and you can cause an insulin pump to dump all the insulin in one minute, you can kill a person. That is a frightening vulnerability and those kinds of real-world sort of impacts, they're not theoretical anymore. They're very real today."
"When you disclose vulnerabilities, you make the overall ecosystem stronger and better and smarter."

Lodestone Training and Consulting
Season 3 Episode 2: NVD

Lodestone Training and Consulting

Play Episode Listen Later Jul 12, 2021 81:05


Chris and Flynn sit down with Malcolm from NVD to discuss all things Night Vision.

Globālais latvietis. 21. gadsimts
Ceļošanas iespējas no 1. jūlija: kādi dokumenti nepieciešami un kādi ir valstu nosacījumi

Globālais latvietis. 21. gadsimts

Play Episode Listen Later Jun 28, 2021 45:06


In the programme Globālais latvietis. 21. gadsimts we look into which documents are needed to travel around Europe and how the responsible authorities interpret what travellers from third countries must present on arrival in Latvia. We also explain who has access to the EU Digital Covid-19 Certificate gateway and how to keep track of each country's additional conditions. The programme's guests are NVD project manager Diāna Nagle, Director of the Ministry of Transport's Aviation Department Artūrs Kokars, board member of the Latvian Association of Travel Agents and Operators Ēriks Lingebērziņš, LTV correspondent in the United Kingdom Ilze Kalve and editor of the portal baltic-ireland.ie Inguna Mieze.

We Speak CVE
Engaging with CVE's Automated CNA Services

We Speak CVE

Play Episode Listen Later Jun 9, 2021 32:00


Episode 5 – David Waltermire of NVD speaks with Milind Kulkarni of NVIDIA and Kris Britton of the CVE Program to discuss the CVE Program's automated CVE Numbering Authority (CNA) services. Topics include the automation architecture being developed and deployed by the CVE Automation Working Group (AWG); the benefits of using JSON for the CVE Record format; how automation simplifies and increases the speed of CNA processes; the currently deployed CVE ID Reservation (IDR) service; the upcoming release of the CVE Record Submission and Upload (RSUS) service; and future automation plans.

CVE automated services on GitHub - https://github.com/CVEProject
CVE AWG - https://cve.mitre.org/working_groups.html#awg
NVD - https://nvd.nist.gov/
NVIDIA - https://www.nvidia.com/
How to become a CNA - https://cve.mitre.org/cve/cna.html#become_a_cna

The Sheep Show podcast
Showing your sheep - dos and don'ts of showing sheep

The Sheep Show podcast

Play Episode Play 30 sec Highlight Listen Later Apr 12, 2021 51:02


For those new to showing, or those who are thinking of showing in the near future, I've put together my top dos and don'ts, many of which I have learned the hard way! Let's start with the positives!

Do:
- come ready to learn, meet new friends, collaborate and ask questions. Being part of a show is very collegiate. We all help where we can, sharing advice and resources that we have in our show box. I had a few scouring rams and Darren stepped in recently with a great remedy mentioned below.
- attend to the food and water for your sheep before the public arrive each morning
- clean each pen and replenish the straw at least once a day
- hold your sheep close to their face when you are standing with them so you have as much control as possible
- watch the judges at all times and turn to face the judge if they are walking behind you
- congratulate your fellow breeder, including shaking their hand if appropriate
- thank the judge, including shaking their hand if appropriate
- get your sheep used to the food you will be giving them at the show; grain will need weeks for the rumen to adjust
- have all your paperwork in order: your OB cert, your sheep health declaration and your NVD for inspection
- attend to your sheep's feet at least a week before the show. The better and shorter the hoof is, the better your sheep will stand and look.
- do a full health check of your sheep before they leave your property: are their eyes clear, are their feet all clean and healthy, are their gums nice and pink, is your animal free from any signs of inflammation
- scrub your sheep's horns - they come up a treat!
- wash your halter before the show, or have a set for showing and another for halter training
- get your sheep out to walk around if you notice they are not themselves; ideally do this before the public arrive
- if yours or someone else's sheep is being stubborn, use 'goosing', which is where you grab their tail area to encourage them to move forward
- be ready to help with general set-up and take-down, like the association banners, displays and flags
- manage your biosecurity when you return to your farm: drench your sheep and quarantine them for 5 days if you can after an event
- be ready to help others unload and load their animals, including other breeders. The general etiquette here is that those who have a longer distance to travel go first.
- get to know your breed captain and check with them if you have any questions or doubts.

To bring in your show kit:
- pins for your scan data cards
- a marker
- cordial or apple cider vinegar to mask the chlorine in the water
- halters and lead ropes; you will need one halter and one lead rope for each animal
- D scour horse paste or berg oil for tummy upsets in animals
- rags to wipe noses and clean your sheep
- a curry comb or similar to brush your animals. Kristy was raving about a pet mitt kit recently! The options are endless here, so find whatever works best for you.
- a small bucket for hot water
- pet shampoo for dirty bums or similar
- a scrubbing brush
- one feed containe

Inv Day
Nvd 210301 RJ Conf CFO

Inv Day

Play Episode Listen Later Mar 2, 2021 38:46


Nvd 210301 RJ Conf CFO

FYI with JVP
Napa Valley Distillery; a conversation with Tour & Tasting Guide Cristian Hurd (S4 E7)

FYI with JVP

Play Episode Listen Later Feb 26, 2021 45:21


One of John's Top 5 Napa Valley venues. John & Cristian discuss the Napa Valley Distillery, a family-owned and operated micro-distillery founded by Arthur & Lusine Hartunian out of their passion for premium, small-batch craft spirits and their love of the Napa Valley. NVD features a unique variety of fruit-based distilled spirits, shrubs, tonics and syrups from around the world. Book a Tour & Tasting and see their combination of the old with the new: the old copper alembic still sitting directly next to the cutting-edge modern still. Tell Head Distiller Tim Espinoza and Senior Hospitality Coordinator Theodore that John V. Pinto sent you, join their Bar Club, and be sure to visit their Hollywood Room Lounge & Patio. --- Send in a voice message: https://anchor.fm/john-pinto2/message

Kā labāk dzīvot
Ambulatorie medicīnas pakalpojumi ir pieejami arī pašizolācijas laikā

Kā labāk dzīvot

Play Episode Listen Later Feb 2, 2021 45:30


Covid-19 patients and their contacts must observe self-isolation, yet these people too can receive outpatient medical services. In which cases and how this happens, we explain in the programme Kā labāk dzīvot. National Health Service expert Jūlija Voropajeva, deputy head of the Outpatient Services Unit of the Treatment Services Department, notes that for outpatient services the restrictions apply only to day hospitals, and that requests for various outpatient medical services are increasingly appearing. Information about the services is available on the NVD website. Anna Maruškina, healthcare management doctor at the Veselības Centru apvienība, admits that demand is growing both for outpatient services and for remote consultations with specialists. The greatest demand is for chest X-ray examinations. Anna Maruškina also explains the procedure at the Veselības Centru apvienība for receiving a specialist consultation or outpatient services. If the specialist decides that an in-person consultation is needed, it is organised in a separate room and in the appropriate protective clothing. The biggest problem is getting to the scheduled examination, since one may not travel to examinations by public transport, while it would not be advisable for a sick person to drive there in their own car.

We Speak CVE
How CVE, CISA, and NIST work together to manage vulnerabilities

We Speak CVE

Play Episode Listen Later Jan 27, 2021 22:28


Episode 1 - Tod Beardsley of Rapid7, Tom Millar of CISA, Chris Levendis of the CVE Program, and Dave Waltermire of NIST's NVD discuss how their organizations and the community all work together to advance the CVE Program's mission to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. 

Fantasy Premier League Tips
How FPLTIPZ (Harry) secured Top 10K finish in his 1st ever FPL Season - A Fan Focus Special

Fantasy Premier League Tips

Play Episode Listen Later Oct 22, 2020 33:42


In this special episode Jimmy Ferguson, Captain Russ and NVD talk to FPLTIPZ (Harry) to get the inside scoop on how he claimed a top 10k finish in his first ever FPL season. This FPL genius has the blueprint and know-how that enables him to consistently finish in the top 1% of managers. Tune in now to uncover the tricks and strategies that have propelled FPLTIPZ into a premium FPL manager.

Open Source Security Podcast
Episode 201 - We broke CVSSv3, now how do we fix it?

Open Source Security Podcast

Play Episode Listen Later Jun 15, 2020 31:20


Josh and Kurt talk about CVSSv3 and how it's broken. We started with a blog post to explain why the NVD CVSS scores are so wrong, and we ended up researching CVSSv3 and found out it's far more broken than any of us expected, in ways we didn't expect. NVD isn't broken, CVSSv3 is. How did we get here? Are there any options that work today? Where should we go next?

Show Notes
- Josh's blog post
- NVD
- Red Hat security data
- Josh's CVE data project
- Microsoft security ratings scale

FoU-podden
Avsnitt 36 Bli master i hälso- och välfärdsteknik!

FoU-podden

Play Episode Listen Later Mar 18, 2020 32:59


In this episode of FoU-podden we are visited by Christine Gustafsson and Anders Widmark from Mälardalens högskola. They talk about three new programmes, a master's in welfare technology and two magister programmes for specialist nurses, in which digitalisation is used in the teaching. Karl Schulz, project manager for NVD - the node for welfare technology and digitalisation - also shares his thoughts. You will find all the links we mention in the podcast at www.fou.sormland.se/materialpublicerat/fou-podden

Izmisuma zonā
Beidzot izveidots informatīvais materiāls par paliatīvo aprūpi Latvijā

Izmisuma zonā

Play Episode Listen Later Jan 10, 2020 16:56


To inform the public about the options for receiving state-funded palliative care services, the Ministry of Health, in cooperation with the National Health Service (NVD) and the Ministry of Welfare, has produced informational booklets, or guides, on palliative care for both adults and children. Alda Reinika, Director of the National Health Service's Treatment Services Department, tells us more about the informational material. Opinions are given by Dod pieci ambassador and producer of the programme "Krustpunktā" Evija Unāma and Ziedot.lv head Rūta Dimanta.

YAC Sports Podcast
Episode 66

YAC Sports Podcast

Play Episode Listen Later Nov 19, 2019 77:14


This week the guys recap the opening round of the VHSL football playoffs and the first round of the state playoffs for volleyball. Brad Fauber from the NVD talks Strasburg Rams ahead of their game against Stuarts Draft, and Coach Stapleton talks about her Riverheads Gladiators after their win against Middlesex. Joe and Leland talk about Virginia Tech's big wins on the football field and the basketball court. UVA keeps winning in hoops while they enjoy a bye in football. JMU beats another CAA doormat. Joe gets fired up about baseball? Leland talks Disney.

Talk That Talk! Hosted by Willy Waffles
Talk That Talk Ep 2 W/ NVD!

Talk That Talk! Hosted by Willy Waffles

Play Episode Listen Later Oct 22, 2019 33:50


Back at it with one of Phoenix's dopest designers in the game, my good pal NVD. On this one we go in about the Drake and Pusha T beef, who NVD is, and some advice for aspiring designers! --- This episode is sponsored by Anchor: The easiest way to make a podcast. https://anchor.fm/app

Talk That Talk! Hosted by Willy Waffles
Talk That Talk Ep 3! W/ NVD!

Talk That Talk! Hosted by Willy Waffles

Play Episode Listen Later Oct 22, 2019 31:06


Back at it with the boy NVD! Dope convos about our Top 3 producers, creepy strangers, sneaker collections & more!! --- This episode is sponsored by Anchor: The easiest way to make a podcast. https://anchor.fm/app

ITSPmagazine | Technology. Cybersecurity. Society
Their Story At Hacker Summer Camp | Las Vegas 2019 | Willy Leichter, Virsec Systems

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Aug 28, 2019 21:01


A Their Story interview with Sean Martin & Marco Ciappelli. Guest: Willy Leichter, Vice President, Marketing, Virsec Systems. The organization telling us their story today is Virsec Systems. Keep it simple, they say. With technology, and with cybersecurity, most of the time this is far easier said than done, especially when you set out from the start to solve very complex problems. But you know what you can do? You can look at these problems from a different angle and make it your mission and goal to find solutions that are simple to deploy and manage. Virsec's founder and CTO, Satya Gupta, has been working on these problems for over a decade: mapping the correct memory usage of an application and then enforcing it, and by doing so solving complex problems; problems that can't be explained or simplified overnight, and where the barrier to entry is set pretty high. The differentiator here is looking at everything it is possible to observe about an application, including memory usage, the integrity of files, the system's hygiene, etc. With this information in hand, Virsec can create a map of virtually everything the app is supposed to do. If a picture helps to describe what this looks like, you can use an analogy like Google Maps. Virsec maps what's supposed to happen within the app and then, in real time, since they have it mapped, they can see if it's going off the rails, going somewhere different from where it is supposed to go, or, in our case, whether it's doing what it's supposed to do. It's a fundamentally different view of security. You can sum it up like this: instead of worrying about what bad stuff is out there, make sure that the app does what it is supposed to do and acts as it is supposed to work; that it doesn't get corrupted; that it doesn't have someone change a DLL or corrupt the memory.
With the National Vulnerability Database (NVD) breaking 20,000 entries and organizations running tens of thousands of "endpoints" that could be compromised if the vulnerability exposure is not closed, is patching the answer? Shouldn't there be a better way? But don't take my word for it. Listen to Willy and hear how he tells this story. Learn more about Virsec on ITSPmagazine here: https://www.itspmagazine.com/company-directory/virsec Learn more about Their Story podcasts here: https://www.itspmagazine.com/their-infosec-story

Izmisuma zonā
Rūpēties par tuviniekiem smagas slimības gadījumā. Paliatīvā aprūpe Latvijā

Izmisuma zonā

Play Episode Listen Later May 23, 2019 41:32


Palliative care is interdisciplinary; it has to cover the patient, the family and society. Whether and how it is possible in Latvia to care for one's loved ones while ensuring every person's basic right to a life without pain and suffering, we discuss further in the programme Kā labāk dzīvot. Taking part in the discussion are Liene Cipule, head of the Emergency Medical Service; Ieva Melišus, head of the Outpatient Services Unit of the National Health Service (NVD); Lelde Ģiga, head of the NVD Inpatient Services Unit; and Viesturs Kleinbergs, representative of the Association of Social Workers. Līga Kozlovska, head of the Latvian Rural Family Doctors' Association, talks about the availability of palliative care and home social care in Latvia's regions. The availability of outpatient palliative services is explained by Ieva Melišus, head of the NVD Outpatient Services Unit. Information on the medical aspects of palliative care is managed and passed on by the family doctor. The doctor assesses the patients, assesses their living conditions and, if necessary, can issue a referral for home healthcare. These are mainly patients with chronic illnesses, including cancer, who have mobility impairments. If an oncology patient has functional limitations but is able to care for themselves, and their main problem is pain, they can manage this therapy themselves. The doctor can issue a referral to a palliative care specialist. From this year such a service is state-funded. Such specialists are available at Riga East Clinical University Hospital, and also at Liepāja Regional Hospital and in Jēkabpils. Daugavpils Regional Hospital has a palliative care office offering palliative care, to which a patient can be referred to relieve suffering if the family doctor has difficulty stabilising the pain-relief therapy or lacks the competence regarding reimbursed medicines. Patients who receive a referral for home healthcare, or their relatives or loved ones, contact the relevant medical institution.
Where such medical institutions are available is published on the National Health Service website in the section Veselības aprūpes pakalpojumi (Healthcare services). One can also contact the NVD if there are any problems.

Kā labāk dzīvot
Rūpēties par tuviniekiem smagas slimības gadījumā. Paliatīvā aprūpe Latvijā

Kā labāk dzīvot

Play Episode Listen Later May 23, 2019 41:32


Palliative care is interdisciplinary; it has to cover the patient, the family and society. Whether and how it is possible in Latvia to care for one's loved ones while ensuring every person's basic right to a life without pain and suffering, we discuss further in the programme Kā labāk dzīvot. Taking part in the discussion are Liene Cipule, head of the Emergency Medical Service; Ieva Melišus, head of the Outpatient Services Unit of the National Health Service (NVD); Lelde Ģiga, head of the NVD Inpatient Services Unit; and Viesturs Kleinbergs, representative of the Association of Social Workers. Līga Kozlovska, head of the Latvian Rural Family Doctors' Association, talks about the availability of palliative care and home social care in Latvia's regions. The availability of outpatient palliative services is explained by Ieva Melišus, head of the NVD Outpatient Services Unit. Information on the medical aspects of palliative care is managed and passed on by the family doctor. The doctor assesses the patients, assesses their living conditions and, if necessary, can issue a referral for home healthcare. These are mainly patients with chronic illnesses, including cancer, who have mobility impairments. If an oncology patient has functional limitations but is able to care for themselves, and their main problem is pain, they can manage this therapy themselves. The doctor can issue a referral to a palliative care specialist. From this year such a service is state-funded. Such specialists are available at Riga East Clinical University Hospital, and also at Liepāja Regional Hospital and in Jēkabpils. Daugavpils Regional Hospital has a palliative care office offering palliative care, to which a patient can be referred to relieve suffering if the family doctor has difficulty stabilising the pain-relief therapy or lacks the competence regarding reimbursed medicines. Patients who receive a referral for home healthcare, or their relatives or loved ones, contact the relevant medical institution.
Where such medical institutions are available is published on the National Health Service website in the section Veselības aprūpes pakalpojumi (Healthcare services). One can also contact the NVD if there are any problems.

Inside Security Intelligence
091 NopSec Analyzes the NVD for Their Annual Risk and Vulnerability Report

Inside Security Intelligence

Play Episode Listen Later Jan 21, 2019 26:13


Each year, security firm NopSec publishes its annual State of Vulnerability Risk Management Report, analyzing all of the vulnerabilities listed in the National Vulnerability Database, the NVD, along with those uploaded to its own platform by its clients. They consider a number of factors, including CVSS score, description, type, and vendor affected, to see which factors contribute to vulnerabilities being incorporated into malware and exploited in the wild. For this year's report, NopSec invited Recorded Future to contribute their unique insights into how geopolitics affect government-run vulnerability databases. Joining us today are Sanja Nedic, data scientist at NopSec, and Adrian Sanabria, VP of strategy and product marketing at NopSec.

Recorded Future - Inside Threat Intelligence for Cyber Security
091 NopSec Analyzes the NVD for Their Annual Risk and Vulnerability Report

Recorded Future - Inside Threat Intelligence for Cyber Security

Play Episode Listen Later Jan 21, 2019 26:14


Each year, security firm NopSec publishes its annual State of Vulnerability Risk Management Report, analyzing all of the vulnerabilities listed in the National Vulnerability Database, the NVD, along with those uploaded to its own platform by its clients. They consider a number of factors, including CVSS score, description, type, and vendor affected, to see which factors contribute to vulnerabilities being incorporated into malware and exploited in the wild. For this year's report, NopSec invited Recorded Future to contribute their unique insights into how geopolitics affect government-run vulnerability databases. Joining us today are Sanja Nedic, data scientist at NopSec, and Adrian Sanabria, VP of strategy and product marketing at NopSec.

Zooinside
Zoo Inside #14 - Warme winter dagen in Dierenpark Amersfoort

Zooinside

Play Episode Listen Later Dec 29, 2018 29:43


The last episode of this year. With a year in review, a visit to the warm winter days at Dierenpark Amersfoort, and breaking news from Harderwijk that the Dolfinarium is leaving the NVD.

Zooinside
Zoo Inside - Aflevering 11

Zooinside

Play Episode Listen Later Dec 8, 2018 41:35


In this episode, an extensive tour of the new Serpo, still under construction. Plus, of course, the latest zoo news, including the arrival of rhinos at an NVD zoo.

Zooinside
Zoo Inside - Bonus Aflevering

Zooinside

Play Episode Listen Later Nov 23, 2018 36:48


Because we received so many messages from listeners who were sorry that we cannot broadcast during our holiday, here is our first trial recording as a bonus, in which we run through the NVD zoos one by one.

Inside Security Intelligence
072 Russia's Vulnerability Database Focuses Inward

Inside Security Intelligence

Play Episode Listen Later Sep 4, 2018 24:57


Researchers from Recorded Future's Insikt Group have previously analyzed both the U.S. and Chinese national vulnerability databases, examining the speed of publication of cybersecurity vulnerabilities, and how each respective country considers its NVD in the broader context of the national mission of cyber defense and operations. Recorded Future's research team recently set their investigative sights on Russia's vulnerability database to see how it compares. Priscilla Moriuchi is director of strategic threat development at Recorded Future, and she joins us to share what they found.

Recorded Future - Inside Threat Intelligence for Cyber Security
072 Russia's Vulnerability Database Focuses Inward

Recorded Future - Inside Threat Intelligence for Cyber Security

Play Episode Listen Later Sep 4, 2018 24:58


Researchers from Recorded Future’s Insikt Group have previously analyzed both the U.S. and Chinese national vulnerability databases, examining the speed of publication of cybersecurity vulnerabilities, and how each respective country considers its NVD in the broader context of the national mission of cyber defense and operations. Recorded Future’s research team recently set their investigative sights on Russia’s vulnerability database to see how it compares. Priscilla Moriuchi is director of strategic threat development at Recorded Future, and she joins us to share what they found.

Recorded Future - Inside Threat Intelligence for Cyber Security
029 Why Does the U.S. Lag Behind China in Vulnerability Reporting?

Recorded Future - Inside Threat Intelligence for Cyber Security

Play Episode Listen Later Oct 30, 2017 21:06


The U.S. National Vulnerability Database, or NVD, is, in part, a collection of security-related reports. Software vulnerabilities are assigned CVE numbers (CVE stands for Common Vulnerabilities and Exposures), which help track the issues and provide a common reference for referring to a specific flaw. China has a database of its own, the Chinese National Vulnerability Database, or CNNVD. Our guest today is Dr. Bill Ladd, chief data scientist at Recorded Future. His team noticed that publicly known vulnerabilities were showing up more quickly in China's database than in the U.S., quite often taking days instead of weeks. This not only has the potential to put U.S. defenders at a disadvantage, it could also give black hats the upper hand. In this episode we'll learn why the NVD lags behind the CNNVD, why it matters, and what could be done to correct it.

Inside Security Intelligence
029 Why Does the U.S. Lag Behind China in Vulnerability Reporting?


Oct 30, 2017 (20:21)



ControlTalk Now The Smart Buildings Podcast
ControlTalk NOW Week Ending August 16, 2015


Aug 16, 2015 (47:19)


ControlTalk NOW for the week ending August 16, 2015 focuses on Cyber Security Awareness with a vulnerability summary from the National Cyber Awareness System, Tridium's Niagara AX security updates, and Fred Gordy's BAS exposure report from the Shodan site. Delta Controls' Una de Boer shares her insights about "Doing Things Right." Join Chris Ryan and "30 Minutes with Lynxspring," and another great application from Data Center Monitoring experts, Sierra Monitor Corporation.

National Cyber Awareness System: SB15-222: Vulnerability Summary for the Week of August 3, 2015. 08/10/2015 06:14 AM EDT. Original release date: August 10, 2015. The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT).

Sierra Monitor's Featured Application — Data Center Monitoring. Sierra Monitor — Experts in Data Center Monitoring Applications. A data center is a facility used to house networked computer servers and storage systems that are securely connected to the Internet. A data center generally includes redundant or backup power supplies, redundant data communications connections, environmental controls (e.g., air conditioning, gas detection, fire suppression), and physical access control systems.

Niagara AX Updates Available Now — Versions 3.6, 3.7, and 3.8 are Affected. The August 2015 Update Releases are available for download on Niagara Central. The updates include important enhancements that increase the security of a Niagara AX system, including a newer revision of the Java Virtual Machine. VYKON strongly encourages all customers to update Niagara AX to one of the newly available releases.

"30 Minutes with Lynxspring" Webinar Series – August 19, 2015. We are always thinking of ways we can help you maximize your company's productivity and profitability. This month's "30 Minutes with Lynxspring" discusses the services we provide through our Professional Services Group and how they will help you turn projects over quicker, maximize resources and productivity, allow you more time to increase your customer base, pay more attention to your existing customers, and have the time to spend in front of them discussing additional opportunities.

What Makes a Company Great? It starts with their Philosophy. As we prepare for the nomination period for the 2015 ControlTrends Awards, I am reminded of how many great people, products and companies we have in our industry. It made me wonder what is at the core of these amazing players that make up the Building Automation Controls and HVAC Group. I came across this video and post from Una de Boer, the director of marketing at Delta Controls. Una is one of the bright, hardworking, thoughtful people in our industry and does a wonderful job of answering my question. So, with her permission, please check out the following video and Una's words from one of her LinkedIn posts.

Top US Cities With Exposed Niagara Systems. (Disclaimer – It is not the intent of this post to point out a particular BAS software vendor. The intent is to show that we, the system integrators, still have work ahead of us to do our part.) The information I list below I got by running a report on Shodan today (8/13/2015). And it didn't cost a dime and I didn't have to use any query language… just plain ole English. I opened the site (https://www.shodan.io/) and in the search bar I typed "niagara".

The post ControlTalk NOW Week Ending August 16, 2015 appeared first on ControlTrends.