http://sei.cmu.edu/feeds/tag/Updates on changes and additions to the SEI Blog for posts matching Security Vulnerabilitiesen-usMon, 26 Jun 2023 00:00:00 -0400https://www.sei.cmu.edu/blog/uefi-5-recommendations-for-securing-restoring-trust/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis blog post expands on concerns brought to light from recent UEFI attacks, such as BlackLotus, and highlights 5 recommendations to secure and restore trust in the UEFI ecosystem.Vijay SarvepalliMon, 26 Jun 2023 00:00:00 -0400https://www.sei.cmu.edu/blog/uefi-5-recommendations-for-securing-restoring-trust/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSecurity VulnerabilitiesCERT/CChttps://www.sei.cmu.edu/blog/vultron-a-protocol-for-coordinated-vulnerability-disclosure/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis post introduces Vultron, a protocol for multi-party coordinated vulnerability disclosure (MPCVD).Allen HouseholderMon, 26 Sep 2022 00:00:00 -0400https://www.sei.cmu.edu/blog/vultron-a-protocol-for-coordinated-vulnerability-disclosure/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSecurity VulnerabilitiesCERT/CChttps://www.sei.cmu.edu/blog/uefi-terra-firma-for-attackers/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis blog post focuses on how the vulnerabilities in firmware popularized by the Uniform Extensible Firmware Interface create a lucrative target for high-profile attackers.Vijay SarvepalliMon, 01 Aug 2022 00:00:00 -0400https://www.sei.cmu.edu/blog/uefi-terra-firma-for-attackers/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSecurity VulnerabilitiesCERT/CChttps://www.sei.cmu.edu/blog/probably-dont-rely-on-epss-yet/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis post evaluates the pros and cons of the Exploit Prediction Scoring System (EPSS), a data-driven model designed to estimate the probability that software vulnerabilities will be exploited in practice.Jonathan SpringMon, 06 Jun 2022 00:00:00 -0400https://www.sei.cmu.edu/blog/probably-dont-rely-on-epss-yet/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSecurity VulnerabilitiesCERT/CChttps://www.sei.cmu.edu/blog/how-easy-is-it-to-make-and-detect-a-deepfake/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThe technology underlying the creation and detection of deepfakes and assessment of current and future threat levelsCatherine Bernaciak, Dominic RossMon, 14 Mar 2022 00:00:00 -0400https://www.sei.cmu.edu/blog/how-easy-is-it-to-make-and-detect-a-deepfake/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSecurity VulnerabilitiesVulnerability DiscoveryVulnerability MitigationSecurity-Related RequirementsArtificial Intelligence EngineeringAdvanced Computinghttps://www.sei.cmu.edu/blog/the-latest-work-from-the-sei-coordinated-vulnerability-disclosure-cybersecurity-research-cyber-risk-and-resilience-and-the-importance-of-fostering-diversity-in-software-engineering/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis post highlights the latest work from the SEI in coordinated vulnerability disclosure, cyber risk and resilience management, automation, and the science of cybersecurity.Douglas SchmidtMon, 06 Sep 2021 00:00:00 -0400https://www.sei.cmu.edu/blog/the-latest-work-from-the-sei-coordinated-vulnerability-disclosure-cybersecurity-research-cyber-risk-and-resilience-and-the-importance-of-fostering-diversity-in-software-engineering/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSecurity VulnerabilitiesCERT/CChttps://www.sei.cmu.edu/blog/certcc-comments-on-standards-and-guidelines-to-enhance-software-supply-chain-security/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis SEI Blog post shares insights from the CERT Coordination Center (CERT/CC) on proposed software supply chain security standards and guidelines.Jonathan SpringTue, 01 Jun 2021 00:00:00 -0400https://www.sei.cmu.edu/blog/certcc-comments-on-standards-and-guidelines-to-enhance-software-supply-chain-security/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSecurity VulnerabilitiesCERT/CChttps://www.sei.cmu.edu/blog/cat-and-mouse-age-net/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis SEI Blog post explores evolving .NET threat landscape with challenges faced by red and blue teams and suggests ways to stay ahead of attackers.Brandon MarzikThu, 19 Nov 2020 00:00:00 -0500https://www.sei.cmu.edu/blog/cat-and-mouse-age-net/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSecurity VulnerabilitiesCERT/CCCybersecurityBest Practices in Network Securityhttps://www.sei.cmu.edu/blog/adversarial-ml-threat-matrix-adversarial-tactics-techniques-and-common-knowledge-of-machine-learning/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis SEI Blog post introduces the Adversarial ML Threat Matrix, a list of tactics to exploit machine learning models, and guidance on defense against them.Jonathan SpringThu, 22 Oct 2020 00:00:00 -0400https://www.sei.cmu.edu/blog/adversarial-ml-threat-matrix-adversarial-tactics-techniques-and-common-knowledge-of-machine-learning/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesVulnerability MitigationSecurity VulnerabilitiesCERT/CCAutonomy and Counter-Autonomyhttps://www.sei.cmu.edu/blog/three-places-to-start-in-defending-against-ransomware/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesLearn three initial efforts for defending against ransomware in this informative SEI Blog post.Timothy ShimeallMon, 12 Oct 2020 00:00:00 -0400https://www.sei.cmu.edu/blog/three-places-to-start-in-defending-against-ransomware/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSecurity VulnerabilitiesRansomwareCERT/CChttps://www.sei.cmu.edu/blog/ransomware-as-a-service-raas-threats/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThis blog post explores the economics behind why ransomware remains a top tool for cybercrime and presents the current active ransomware variants that utilize ransomware as a service (RaaS), a change in the ransomware business model that could lead to a significant upswing in ransomware activity.Marisa MidlerMon, 05 Oct 2020 00:00:00 -0400https://www.sei.cmu.edu/blog/ransomware-as-a-service-raas-threats/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSecurity VulnerabilitiesRansomwareCERT/CChttps://www.sei.cmu.edu/blog/snake-ransomware-analysis-updates/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesIn January 2020, Sentinel Labs published two reports on Snake (also known as Ekans) ransomware.[1][2] The Snake ransomware gained attention due to its ability to terminate specific industrial control system (ICS) processes....Kyle O'MearaMon, 23 Mar 2020 00:00:00 -0400https://www.sei.cmu.edu/blog/snake-ransomware-analysis-updates/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesMalware AnalysisSecurity VulnerabilitiesCERT/CChttps://www.sei.cmu.edu/blog/bridging-the-gap-between-research-and-practice/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesA fundamental goal for a federally funded research and development center (FFRDC) is to bridge the gap between research and practice for government customers....Leigh MetcalfMon, 23 Mar 2020 00:00:00 -0400https://www.sei.cmu.edu/blog/bridging-the-gap-between-research-and-practice/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSecurity VulnerabilitiesCERT/CChttps://www.sei.cmu.edu/blog/security-automation-begins-at-the-source-code/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesHi, this is Vijay Sarvepalli, Information Security Architect in the CERT Division. On what seemed like a normal day at our vulnerability coordination center, one of my colleagues asked me....Vijay SarvepalliWed, 11 Mar 2020 00:00:00 -0400https://www.sei.cmu.edu/blog/security-automation-begins-at-the-source-code/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesVulnerability AnalysisSecurity VulnerabilitiesVulnerability DiscoveryVulnerability MitigationCERT/CChttps://www.sei.cmu.edu/blog/comments-on-nist-ir-8269-a-taxonomy-and-terminology-of-adversarial-machine-learning/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesThe U.S. National Institute of Standards and Technology (NIST) recently held a public comment period on their draft report on proposed taxonomy and terminology of Adversarial Machine Learning (AML)....Jonathan SpringThu, 13 Feb 2020 00:00:00 -0500https://www.sei.cmu.edu/blog/comments-on-nist-ir-8269-a-taxonomy-and-terminology-of-adversarial-machine-learning/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesSecurity VulnerabilitiesCERT/CCAutonomy and Counter-AutonomySoftware and Information AssuranceSystem Verification and ValidationMission Assurancehttps://www.sei.cmu.edu/blog/prioritizing-vulnerability-response-with-a-stakeholder-specific-vulnerability-categorization/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesWe've just released a follow-up paper in our research agenda about prioritizing actions during vulnerability management, Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization....Allen HouseholderThu, 05 Dec 2019 00:00:00 -0500https://www.sei.cmu.edu/blog/prioritizing-vulnerability-response-with-a-stakeholder-specific-vulnerability-categorization/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesVulnerability AnalysisSecurity VulnerabilitiesVulnerability MitigationCERT/CCSoftware and Information Assurancehttps://www.sei.cmu.edu/blog/vpn-a-gateway-for-vulnerabilities/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesVirtual Private Networks (VPNs) are the backbone of today's businesses providing a wide range of entities from remote employees to business partners and...Vijay SarvepalliWed, 13 Nov 2019 00:00:00 -0500https://www.sei.cmu.edu/blog/vpn-a-gateway-for-vulnerabilities/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesVulnerability AnalysisSecurity VulnerabilitiesVulnerability DiscoveryVulnerability MitigationCERT/CChttps://www.sei.cmu.edu/blog/its-time-to-retire-your-unsupported-things/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updates"If it ain't broke, don't fix it." Why mess with something that already works? This is fair advice with many things in life. But when it comes to software security, it's important to....William DormannWed, 23 Oct 2019 00:00:00 -0400https://www.sei.cmu.edu/blog/its-time-to-retire-your-unsupported-things/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesVulnerability MitigationSecurity VulnerabilitiesCERT/CCBest Practiceshttps://www.sei.cmu.edu/blog/update-on-the-cert-guide-to-coordinated-vulnerability-disclosure/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesIt's been two years since we originally published the CERT Guide to Coordinated Vulnerability Disclosure. In that time, it's influenced both the US Congress and EU Parliament....Allen HouseholderMon, 16 Sep 2019 00:00:00 -0400https://www.sei.cmu.edu/blog/update-on-the-cert-guide-to-coordinated-vulnerability-disclosure/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesVulnerability AnalysisSecurity VulnerabilitiesVulnerability DiscoveryVulnerability MitigationCERT/CCBest Practiceshttps://www.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesRecently, I gave a presentation at BSidesPGH 2019 called Death By Thumb Drive: File System Fuzzing with CERT BFF....William DormannWed, 04 Sep 2019 00:00:00 -0400https://www.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/?utm_source=blog&utm_medium=rss&utm_campaign=my_site_updatesVulnerability AnalysisSecurity VulnerabilitiesVulnerability DiscoveryVulnerability MitigationCERT/CC