SEI Blog | CERT/CC Vulnerabilities
URL: https://insights.sei.cmu.edu/feeds/topic/certcc/atom/?utm_source=blog&utm_medium=rss
Date: 2023-06-26T00:00:00-04:00
Updates on changes and additions to the SEI Blog for posts matching CERT/CC Vulnerabilities

UEFI: 5 Recommendations for Securing and Restoring Trust
Date: 2023-06-26T00:00:00-04:00
Author: Vijay Sarvepalli
URL: https://insights.sei.cmu.edu/blog/uefi-5-recommendations-for-securing-restoring-trust/
This blog post expands on concerns brought to light from recent UEFI attacks, such as BlackLotus, and highlights 5 recommendations to secure and restore trust in the UEFI ecosystem.

Vultron: A Protocol for Coordinated Vulnerability Disclosure
Date: 2022-09-26T00:00:00-04:00
Author: Allen Householder
URL: https://insights.sei.cmu.edu/blog/vultron-a-protocol-for-coordinated-vulnerability-disclosure/
This post introduces Vultron, a protocol for multi-party coordinated vulnerability disclosure (MPCVD).

UEFI – Terra Firma for Attackers
Date: 2022-08-01T00:00:00-04:00
Author: Vijay Sarvepalli
URL: https://insights.sei.cmu.edu/blog/uefi-terra-firma-for-attackers/
This blog post focuses on how the vulnerabilities in firmware popularized by the Uniform Extensible Firmware Interface create a lucrative target for high-profile attackers.

Probably Don’t Rely on EPSS Yet
Date: 2022-06-06T00:00:00-04:00
Author: Jonathan Spring
URL: https://insights.sei.cmu.edu/blog/probably-dont-rely-on-epss-yet/
This post evaluates the pros and cons of the Exploit Prediction Scoring System (EPSS), a data-driven model designed to estimate the probability that software vulnerabilities will be exploited in practice.

The Latest Work from the SEI: Coordinated Vulnerability Disclosure, Cybersecurity Research, Cyber Risk and Resilience, and the Importance of Fostering Diversity in Software Engineering
Date: 2021-09-06T00:00:00-04:00
Author: Douglas Schmidt
URL: https://insights.sei.cmu.edu/blog/the-latest-work-from-the-sei-coordinated-vulnerability-disclosure-cybersecurity-research-cyber-risk-and-resilience-and-the-importance-of-fostering-diversity-in-software-engineering/
This post highlights the latest work from the SEI in coordinated vulnerability disclosure, cyber risk and resilience management, automation, and the science of cybersecurity.

Vulnerabilities: Everybody’s Got One!
Date: 2021-06-16T00:00:00-04:00
Author: Leigh Metcalf
URL: https://insights.sei.cmu.edu/blog/vulnerabilities-everybodys-got-one/
In this post, Leigh Metcalf describes how she pulled data from the malvuln project to explore recent vulnerabilities in both malware and non-malware to study the differences.

CERT/CC Comments on Standards and Guidelines to Enhance Software Supply Chain Security
Date: 2021-06-01T00:00:00-04:00
Author: Jonathan Spring
URL: https://insights.sei.cmu.edu/blog/certcc-comments-on-standards-and-guidelines-to-enhance-software-supply-chain-security/
This SEI Blog post shares insights from the CERT Coordination Center (CERT/CC) on proposed software supply chain security standards and guidelines.

Cat and Mouse in the Age of .NET
Date: 2020-11-19T00:00:00-05:00
Author: Brandon Marzik
URL: https://insights.sei.cmu.edu/blog/cat-and-mouse-age-net/
This SEI Blog post explores evolving .NET threat landscape with challenges faced by red and blue teams and suggests ways to stay ahead of attackers.

Adversarial ML Threat Matrix: Adversarial Tactics, Techniques, and Common Knowledge of Machine Learning
Date: 2020-10-22T00:00:00-04:00
Author: Jonathan Spring
URL: https://insights.sei.cmu.edu/blog/adversarial-ml-threat-matrix-adversarial-tactics-techniques-and-common-knowledge-of-machine-learning/
This SEI Blog post introduces the Adversarial ML Threat Matrix, a list of tactics to exploit machine learning models, and guidance on defense against them.

Three Places to Start in Defending Against Ransomware
Date: 2020-10-12T00:00:00-04:00
Author: Timothy Shimeall
URL: https://insights.sei.cmu.edu/blog/three-places-to-start-in-defending-against-ransomware/
Learn three initial efforts for defending against ransomware in this informative SEI Blog post.

Ransomware as a Service (RaaS) Threats
Date: 2020-10-05T00:00:00-04:00
Author: Marisa Midler
URL: https://insights.sei.cmu.edu/blog/ransomware-as-a-service-raas-threats/
This blog post explores the economics behind why ransomware remains a top tool for cybercrime and presents the current active ransomware variants that utilize ransomware as a service (RaaS), a change in the ransomware business model that could lead to a significant upswing in ransomware activity.

Snake Ransomware Analysis Updates
Date: 2020-03-23T00:00:00-04:00
Author: Kyle O'Meara
URL: https://insights.sei.cmu.edu/blog/snake-ransomware-analysis-updates/
In January 2020, Sentinel Labs published two reports on Snake (also known as Ekans) ransomware.[1][2] The Snake ransomware gained attention due to its ability to terminate specific industrial control system (ICS) processes....

Bridging the Gap Between Research and Practice
Date: 2020-03-23T00:00:00-04:00
Author: Leigh Metcalf
URL: https://insights.sei.cmu.edu/blog/bridging-the-gap-between-research-and-practice/
A fundamental goal for a federally funded research and development center (FFRDC) is to bridge the gap between research and practice for government customers....

Security Automation Begins at the Source Code
Date: 2020-03-11T00:00:00-04:00
Author: Vijay Sarvepalli
URL: https://insights.sei.cmu.edu/blog/security-automation-begins-at-the-source-code/
Hi, this is Vijay Sarvepalli, Information Security Architect in the CERT Division. On what seemed like a normal day at our vulnerability coordination center, one of my colleagues asked me....

Comments on NIST IR 8269: A Taxonomy and Terminology of Adversarial Machine Learning
Date: 2020-02-13T00:00:00-05:00
Author: Jonathan Spring
URL: https://insights.sei.cmu.edu/blog/comments-on-nist-ir-8269-a-taxonomy-and-terminology-of-adversarial-machine-learning/
The U.S. National Institute of Standards and Technology (NIST) recently held a public comment period on their draft report on proposed taxonomy and terminology of Adversarial Machine Learning (AML)....

Prioritizing Vulnerability Response with a Stakeholder-Specific Vulnerability Categorization
Date: 2019-12-05T00:00:00-05:00
Author: Allen Householder
URL: https://insights.sei.cmu.edu/blog/prioritizing-vulnerability-response-with-a-stakeholder-specific-vulnerability-categorization/
We've just released a follow-up paper in our research agenda about prioritizing actions during vulnerability management, Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization....

Machine Learning in Cybersecurity
Date: 2019-12-02T00:00:00-05:00
Author: Jonathan Spring
URL: https://insights.sei.cmu.edu/blog/machine-learning-cybersecurity-2019/
Our technical report provides an overview of the relevant parts of an ML lifecycle--selecting the right problem, the right data, and the right math and summarizing the model output for consumption--as well as questions that relate to those areas of focus.

VPN - A Gateway for Vulnerabilities
Date: 2019-11-13T00:00:00-05:00
Author: Vijay Sarvepalli
URL: https://insights.sei.cmu.edu/blog/vpn-a-gateway-for-vulnerabilities/
Virtual Private Networks (VPNs) are the backbone of today's businesses providing a wide range of entities from remote employees to business partners and...

It's Time to Retire Your Unsupported Things
Date: 2019-10-23T00:00:00-04:00
Author: William Dormann
URL: https://insights.sei.cmu.edu/blog/its-time-to-retire-your-unsupported-things/
"If it ain't broke, don't fix it." Why mess with something that already works? This is fair advice with many things in life. But when it comes to software security, it's important to....

Update on the CERT Guide to Coordinated Vulnerability Disclosure
Date: 2019-09-16T00:00:00-04:00
Author: Allen Householder
URL: https://insights.sei.cmu.edu/blog/update-on-the-cert-guide-to-coordinated-vulnerability-disclosure/
It's been two years since we originally published the CERT Guide to Coordinated Vulnerability Disclosure. In that time, it's influenced both the US Congress and EU Parliament....