
Blog Posts
Vultron: A Protocol for Coordinated Vulnerability Disclosure
This post introduces Vultron, a protocol for multi-party coordinated vulnerability disclosure (MPCVD).
• By Allen Householder
In CERT/CC Vulnerabilities

UEFI – Terra Firma for Attackers
This blog post focuses on how the vulnerabilities in firmware popularized by the Unified Extensible Firmware Interface create a lucrative target for high-profile attackers.
• By Vijay Sarvepalli
In CERT/CC Vulnerabilities

Probably Don’t Rely on EPSS Yet
This post evaluates the pros and cons of the Exploit Prediction Scoring System (EPSS), a data-driven model designed to estimate the probability that software vulnerabilities will be exploited in practice.
• By Jonathan Spring
In CERT/CC Vulnerabilities
The Latest Work from the SEI: Coordinated Vulnerability Disclosure, Cybersecurity Research, Cyber Risk and Resilience, and the Importance of Fostering Diversity in Software Engineering
This post highlights the latest work from the SEI in coordinated vulnerability disclosure, cyber risk and resilience management, automation, and the science of cybersecurity.
• By Douglas C. Schmidt
In CERT/CC Vulnerabilities

Vulnerabilities: Everybody’s Got One!
In this post, Leigh Metcalf describes how she pulled data from the malvuln project to explore recent vulnerabilities in both malware and non-malware to study the differences.
• By Leigh Metcalf
In CERT/CC Vulnerabilities
CERT/CC Comments on Standards and Guidelines to Enhance Software Supply Chain Security
Art Manion, Eric Hatleback, Allen Householder, Jonathan Spring, and Laurie Tyzenhaus recently submitted comments to the National Institute of Standards and Technology (NIST), which is seeking positions related to executive …
• By Jonathan Spring
In CERT/CC Vulnerabilities
Cat and Mouse in the Age of .NET
Penetration testers have long exploited the PowerShell scripting language to gain a foothold in systems and execute an attack. Eventually, changes in the PowerShell landscape caused the toolsets to shift …
• By Brandon Marzik
In CERT/CC Vulnerabilities

Adversarial ML Threat Matrix: Adversarial Tactics, Techniques, and Common Knowledge of Machine Learning
My colleagues, Nathan VanHoudnos, April Galyardt, Allen Householder, and I would like you to know that today Microsoft and MITRE are releasing their Adversarial Machine Learning Threat Matrix. This is …
• By Jonathan Spring
In CERT/CC Vulnerabilities
Three Places to Start in Defending Against Ransomware
This blog post, the second of three dealing with ransomware and defending against it, covers three initial efforts that will make it more difficult for attackers and less costly to …
• By Tim Shimeall
In CERT/CC Vulnerabilities

Ransomware as a Service (RaaS) Threats
This blog post explores the economics behind why ransomware remains a top tool for cybercrime and presents the current active ransomware variants that utilize ransomware as a service (RaaS), a …
• By Marisa Midler
In CERT/CC Vulnerabilities
