The Cisco Adaptive Security Appliance (ASA) is vulnerable to a remote code execution vulnerability (CVE-2016-1287). This vulnerability was publicly disclosed on Cisco’s website at 16:00 on the 10th February and affects numerous devices and versions. At the time of writing this bulletin, there were no denial of service (DoS) or remote code execution (RCE) exploits currently available or known to exist publicly.
Latest News & Press
Read SureCloud’s most recent news coverage and press releases
Application breaks down departmental silos to give companies a clear, unified view of their risk profile; automates risk assessments, alerts and reporting
SureCloud, a specialist in Cloud-based Security, Risk and Compliance solutions and services, has launched Risk Manager, a cloud application that enables organisations to identify, assess and manage all types of risk, streamlining risk management processes and giving a central view of risk across the enterprise.
On December 18, 2015, Juniper Networks released details of two critical vulnerabilities in their ScreenOS software.
The first, which affects ScreenOS 6.3.0r17 through 6.3.0r20, can allow remote administrative access to the NetScreen device by bypassing the authentication system on SSH or TELNET (CVE-2015-7755). An attacker would need a valid username and the widely published backdoor password to log in with “system” privileges.
The second vulnerability, which affects ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, can allow someone with access to VPN traffic to potentially decrypt the data passing through (CVE-2015-7756).
Earlier this year SureCloud conducted a survey of 130 IT and security professionals based in the UK. The purpose of the survey was to understand current trends and attitudes in risk and compliance, investigate issues such as budget availability, data breaches and the regulatory standards businesses are obligated and/or choose to meet. In addition we looked at the priority IT and senior management placed on risk and compliance as well as the systems organisations had in place to manage it.
On November 10, 2015, Microsoft® released details about a vulnerability that allows an attacker with physical access to bypass the Windows® login screen and gain access to the operating system logged in as a user. There are a number of prerequisites, but they are all common configurations found in many organisations. What makes this attack even more devastating is the short time taken to perform it, and the fact that it also affects BitLocker® when deployed using Microsoft’s own recommended strategy. So, corporate assets such as laptops that are considered secure can be accessed in a matter of seconds.
Nearly half of businesses have static compliance budgets and rely on labour-intensive manual processes, despite 72% of organisations now viewing compliance as a priority.
72% of businesses view regulatory compliance as a high priority, but despite this more than half (53%) have cut or frozen their budgets for compliance and risk management, according to a new survey conducted by SureCloud.
Leading online and mobile market place for takeaway food now using SureCloud Platform to manage and monitor its PCI compliance
JUST EAT plc (“JUST EAT”), the world’s leading online and mobile market place for takeaway food, has deployed SureCloud’s PCI Compliance Manager application to manage and monitor its compliance with PCI DSS requirements internationally, enabling the company to undertake targeted remediation to ensure continual PCI compliance.
Since PCI DSS 3.0, it has been a requirement that businesses no longer outsource their PCI obligation, as the standard has specified that when using third party services, the business is not exempt from accountability and its obligation to secure cardholder data. Therefore when a third party supplier or partner shares information relating to payment cards, each and every party involved must document and monitor their respective responsibilities.
Software patching for the business is comparable to servicing a car annually: you know it’s essential, but it can often lead to unpleasant, unexpected issues that then need urgent attention.
Application will help organisations achieve and manage Cyber Essentials accreditation via SureCloud’s cloud-based platform
On the 13th May 2015, a critical vulnerability was publicly disclosed that affects the QEMU legacy virtual floppy disk controller (CVE-2015-3456). The vulnerability, which has existed since 2004, was discovered by CrowdStrike, who contacted the respective mailing lists privately in order to perform responsible disclosure.
What is the impact?
On April 14th 2015, Microsoft officially disclosed and publicly released information on a vulnerability affecting the HTTP protocol stack (HTTP.sys) on Windows-based systems. Microsoft has rated the vulnerability as Critical.
SureCloud®, a supplier of Cloud-based Governance, Risk and Compliance (GRC) solutions and security services, today announced its formal membership of CREST, a not-for-profit accreditation body that represents the technical information security industry.
Critical vulnerability in the Linux glibc library
On the 27th January 2015, a vulnerability affecting the GetHost functions within the GNU C Library ‘glibc’ was publicly disclosed. The vulnerability has been named GHOST, and is thought to be comparable to both Heartbleed and ShellShock in terms of potential impact.
SureCloud's Toby Scott-Jackson, adept at delivering vulnerability testing in call centres throughout his career in information security, lists eight key vulnerabilities to be wary of – some old, some new. An oversight in any of them will leave a call centre vulnerable which poses a significant barrier to achieving and maintaining PCI compliance.
Extract from the Institute of Risk Management’s Extended Enterprise study advances benefits of moving from supplier assessment to supplier risk management
Richard Hibbert's article proposes a new approach to compliance management, one that raises its profile as a discipline and delivers tangible benefits to the organisation rather than it being a tick-box obligation. The article outlines that compliance needs to evolve in three ways: become control-centric, continuous and collaborative.
Read the full article entitled Thinking Beyond Tick-Box Compliance.
On the 18th November 2014, Microsoft published information relating to a vulnerability that exists within all versions of Windows and Windows Server operating systems. The vulnerability lies within the Kerberos Key Distribution Center (KDC) in Microsoft Windows.
The vulnerability itself could allow an attacker to escalate their privileges from that of a Domain User to those of a Domain Admin. The Domain Admin would then have full control of the Windows Domain from this point.
On the 11th November 2014, Microsoft revealed the existence of a critical vulnerability residing in all versions of their flagship operating system since Windows 95. The vulnerability lies within the Microsoft Secure Channel (SChannel) Security Support Provider (SSP) component...
In terms of SSL-related vulnerabilities, we’ve been through some serious threats like BEAST, CRIME, HEARTBLEED, and now… POODLE. POODLE is a newly discovered attack against the 15-year-old, but extremely common, SSL version 3 protocol. It’s not as cute as it sounds.
A new vulnerability was discovered earlier this week by security researcher Stephane Chazelas and is breaking across various news and security-related sites. It has been assigned the CVE identifier CVE-2014-6271 and affects all *nix (Unix and Linux) distributions using GNU Bash through to version 4.3.
Patches have been released this week for six newly discovered OpenSSL vulnerabilities, one of which (CVE-2014-0224) allows an attacker who has gained access to SSL traffic to decrypt the communications. The attack requires vulnerable versions of both client and server software to be in use and will not work if only the client or only the server is vulnerable.