t3rabytes | 2 years ago

More info in a directive from 1/14/24, https://www.cisa.gov/news-events/directives/ed-24-01-mitigat...:

> CISA has observed widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions, hereafter referred to as “affected products.” Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems.

nonrandomstring|2 years ago

> Agencies running the affected products must assume domain accounts associated with the affected products have been compromised.

This looks like a right shitshow.

Ross Anderson did a big group research "The Changing Cost of Cybercrime" [0]. I forget the number but it came out at several trillion.

After SolarWinds and the UK Horizon Post Office scandal I am wondering, how does cybercrime compare against simple incompetence and hopelessly broken software engineering? How can we measure that to see just how bad things really are?

[0] https://weis2019.econinfosec.org/wp-content/uploads/sites/6/...

1oooqooq|2 years ago

question is cyclical because cyber crime doesn't exist without incompetence.

There's very little cyber crime that happens by bribing someone. Most of it is just walking past an open door.

> How can we measure that to see just how bad things really are?

hence, cost of incompetence = cost of all cybercrime + n.