via SC Magazine
Over the last several weeks, we have seen high-profile cybersecurity breaches involving RSA, the CIA, Sony, the U.S. Senate and the FBI’s InfraGard to name a few. What did we learn from the recent LulzSec rash of high-profile security breaches? To me, it reinforces the concept of “sweating the small stuff,” or, simply, paying attention to the details germane to information security. These breaches are primarily the result of opportunistic attacks waged against exploitable and known vulnerabilities.
To support this position, consider June 27, when the Department of Homeland Security provided a Top 25 list of software errors. This list, called the Common Weakness Enumeration, develops a scoring system and risk analysis framework for evaluating the seriousness of flaws and prioritizing weaknesses. If you thought that this new list looks a lot like the OWASP (Open Web Application Security Project) Top 10 Web Application Security Risks, you would be correct. The OWASP Top 10 list has been around since about 2004, and scanning tools have been built to assess websites against the vulnerabilities included on the OWASP list. It would be reasonable to assume that security-conscious organizations would routinely assess their infrastructure against these standards.