
BrakeSec Education Podcast

Latest episodes

Jan 12, 2022 • 44min

OSS sustainability, log4j fallout, developer damages own code-p1

Adam Baldwin (@adam_baldwin), Amélie Koran (@webjedi)

Log4j vulnerability
https://logging.apache.org/log4j/2.x/license.html
https://www.theregister.com/2021/12/14/log4j_vulnerability_open_source_funding/
https://www.zdnet.com/article/security-firm-blumira-discovers-major-new-log4j-attack-vector/

F/OSS developer deliberately bricks his software in retaliation for big companies not supporting OSS.
https://twitter.com/BleepinComputer/status/1480182019854327808
https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
https://developers.slashdot.org/story/22/01/09/2336239/open-source-developer-intentionally-corrupts-his-own-widely-used-libraries

Faker.js - https://www.npmjs.com/package/faker - generate massive amounts of fake contextual data
Colors.js - https://www.npmjs.com/package/colors - get color and style in your node.js console

https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/

Should OSS teams expect payment for giving their time/code away for free? What are their expectations?
Should open source projects be aware of how popular they are? What happens when they reach a certain level of popularity?

OSS Sustainability - https://github.blog/2019-01-17-lets-talk-about-open-source-sustainability/
https://webjedi.net/2022/01/03/security-puppy/

Apparently, “Hobbyists” were the bane of a young Bill Gates: (can you https://en.wikipedia.org/wiki/Open_Letter_to_Hobbyists

History of open source: https://en.wikipedia.org/wiki/History_of_free_and_open-source_software

Licensing Overview: https://youtu.be/Eu_GvrSlShI (this was a talk I gave for Splunk on this)

Event-stream = https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets

https://libraries.io/ Libraries.io monitors 5,039,738 open source packages across 32 different package managers, so you don't have to.
Dec 23, 2021 • 41min

2021-046-Mick Douglas, Log4j vulnerabilities, egress mitigations- part2

Introduction
Overview of Log4j vuln (as of 16 December 2021)
Why is it a big deal? (impact/criticality/risk)
Talk about patching vs. mitigation
Why wasn’t this given the same visibility in 2009? Because it’s Oracle or Java?
Good callout is building slides to brief org leadership, detections, and other educational tools.
Vuln fatigue (Java vulns in 2009 and pretty much forever cause us fatigue)
Are there other technologies like log4j that prop up the entire world, and we just don’t know?
Egress traffic (discussed at length on twitter; what problems does it solve?) https://twitter.com/mubix/status/1470430085169745920

Latest: https://www.theregister.com/2021/12/14/apache_log4j_v2_16_jndi_disabled_default/ - apache removed JNDI functionality
https://www.reddit.com/r/blueteamsec/comments/rd38z9/log4j_0day_being_exploited/ <- great aggregation
https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/
https://issues.apache.org/jira/plugins/servlet/mobile#issue/LOG4J2-313

Lots of discussion about “SBOM solving the issue”. @K8em0 weighs in: https://twitter.com/k8em0/status/1469437490691932164

https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592 - list of advisories for log4j

Mitigation:
https://twitter.com/brunoborges/status/1469186875608875011
https://twitter.com/DannyThomas/status/1469709039911129088 (holy hell, 2009?!?) 2009 in fact, #CVE-2009-1094, then a bypass was fixed in CVE-2018-3149: https://bugzilla.redhat.com/show_bug.cgi?id=1639834. That's when the JDK was fully protected, but other implementations remained vulnerable https://bugzilla.redhat.com/show_bug.cgi?id=1639834 OpenJDK…

https://twitter.com/ThinkstCanary/status/1469439743905697797?s=20 You can use a point & click canarytoken from https://canarytokens.org to help test for the #log4j / #Log4Shell issue. 1) visit https://canarytokens.org; 2) choose the Log4shell token; 3) enter the email address you wish to be notified at; 4) copy/use the returned string...

Discussed in 2016 at Blackhat: https://twitter.com/th3_protoCOL/status/1469644923028656130 The #Log4Shell attack vector was known since 2016…

https://twitter.com/bettersafetynet/status/1469470284977745932 Just got off phone with a client. Log4j is in their network. Vendor claims patch will be available next release... which is multiple months from now. Here's what you do if you're in this situation. 1. Keep calm. There's no need to panic. 2. Carefully read this thread. When dealing with attacks like this you should remember the acronym IMMA. I = Isolate, M = Minimize, M = Monitor, A = Active Defense

https://github.com/MarkBaggett/srum-dump “SRUM Dump extracts information from the System Resource Utilization Management Database and creates an Excel spreadsheet. The SRUM is one of the best sources for applications that have run on your system in the last 30 days and is invaluable to your incident investigations! To use the tool you will need a copy of the SRUM (located in c:\windows\system32\sru\srudb.dat, but locked by the OS). This tool also requires a SRUM_TEMPLATE that defines table and field names. You can optionally provide the SOFTWARE registry hive and the tool will tell you which wireless networks were in use by applications. If you are looking for a version of this tool that creates CSV files instead of an Excel spreadsheet, dumps targeted tables or processes any ese then check out ese2csv. ese2csv.exe is designed specifically for csv files with the CLI user in mind.”

https://support.microsoft.com/en-us/office/digitally-sign-your-macro-project-956e9cc8-bbf6-4365-8bfa-98505ecd1c01
Dec 16, 2021 • 36min

2021-045-Mick Douglas, Log4j vulnerabilities, egress mitigations- part1

Introduction
Overview of Log4j vuln (as of 16 December 2021)
Why is it a big deal? (impact/criticality/risk)
Talk about patching vs. mitigation
Why wasn’t this given the same visibility in 2009? Because it’s Oracle or Java?
Good callout is building slides to brief org leadership, detections, and other educational tools.
Vuln fatigue (Java vulns in 2009 and pretty much forever cause us fatigue)
Are there other technologies like log4j that prop up the entire world, and we just don’t know?
Egress traffic (discussed at length on twitter; what problems does it solve?) https://twitter.com/mubix/status/1470430085169745920

Latest: https://www.theregister.com/2021/12/14/apache_log4j_v2_16_jndi_disabled_default/ - apache removed JNDI functionality
https://www.reddit.com/r/blueteamsec/comments/rd38z9/log4j_0day_being_exploited/ <- great aggregation
https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/
https://issues.apache.org/jira/plugins/servlet/mobile#issue/LOG4J2-313

Lots of discussion about “SBOM solving the issue”. @K8em0 weighs in: https://twitter.com/k8em0/status/1469437490691932164

https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592 - list of advisories for log4j

Mitigation:
https://twitter.com/brunoborges/status/1469186875608875011
https://twitter.com/DannyThomas/status/1469709039911129088 (holy hell, 2009?!?) 2009 in fact, #CVE-2009-1094, then a bypass was fixed in CVE-2018-3149: https://bugzilla.redhat.com/show_bug.cgi?id=1639834. That's when the JDK was fully protected, but other implementations remained vulnerable https://bugzilla.redhat.com/show_bug.cgi?id=1639834 OpenJDK…

https://twitter.com/ThinkstCanary/status/1469439743905697797?s=20 You can use a point & click canarytoken from https://canarytokens.org to help test for the #log4j / #Log4Shell issue. 1) visit https://canarytokens.org; 2) choose the Log4shell token; 3) enter the email address you wish to be notified at; 4) copy/use the returned string...

Discussed in 2016 at Blackhat: https://twitter.com/th3_protoCOL/status/1469644923028656130 The #Log4Shell attack vector was known since 2016…

https://twitter.com/bettersafetynet/status/1469470284977745932 Just got off phone with a client. Log4j is in their network. Vendor claims patch will be available next release... which is multiple months from now. Here's what you do if you're in this situation. 1. Keep calm. There's no need to panic. 2. Carefully read this thread. When dealing with attacks like this you should remember the acronym IMMA. I = Isolate, M = Minimize, M = Monitor, A = Active Defense

https://github.com/MarkBaggett/srum-dump “SRUM Dump extracts information from the System Resource Utilization Management Database and creates an Excel spreadsheet. The SRUM is one of the best sources for applications that have run on your system in the last 30 days and is invaluable to your incident investigations! To use the tool you will need a copy of the SRUM (located in c:\windows\system32\sru\srudb.dat, but locked by the OS). This tool also requires a SRUM_TEMPLATE that defines table and field names. You can optionally provide the SOFTWARE registry hive and the tool will tell you which wireless networks were in use by applications. If you are looking for a version of this tool that creates CSV files instead of an Excel spreadsheet, dumps targeted tables or processes any ese then check out ese2csv. ese2csv.exe is designed specifically for csv files with the CLI user in mind.”

https://support.microsoft.com/en-us/office/digitally-sign-your-macro-project-956e9cc8-bbf6-4365-8bfa-98505ecd1c01
Dec 13, 2021 • 59min

2021-044-Litmoose discusses stalking and protecting yourself

New $3 patron! 🎉 Thank you John K.!

National Domestic Violence Hotline at 1-800-799-7233, or by online chat.
National Sexual Assault Hotline at 1-800-656-4673, or by online chat.

https://www.stalkingawareness.org/wp-content/uploads/2019/01/SPARC_StalkngFactSheet_2018_FINAL.pdf

STALKING VICTIMIZATION
An estimated 6-7.5 million people are #stalked in a one year period in the United States.
Nearly 1 in 6 women and 1 in 17 men have experienced stalking victimization at some point in their lifetime.
Using a less conservative definition of stalking, which considers any amount of fear (i.e., a little fearful, somewhat fearful, or very fearful), 1 in 4 women and 1 in 13 men reported being a victim of stalking in their lifetime.
About half of all victims of stalking indicated that they were stalked before the age of 25.
Stalkers use many tactics including: approaching the victim or showing up in places when the victim didn’t want them to be there; making unwanted telephone calls; leaving the victim unwanted messages (text or voice); watching or following the victim from a distance; spying on the victim with a listening device, camera, or #GPS (or #IOT device).

https://www.vice.com/en/article/d3akpk/smart-home-technology-stalking-harassment
https://www.ucl.ac.uk/steapp/sites/steapp/files/giot-report.pdf - Tech Abuse Gender and IoT Research Report
https://www.researchgate.net/publication/260867980_TRAPPED_TECHNOLOGY_AS_A_BARRIER_TO_LEAVING_AN_ABUSIVE_RELATIONSHIP

Center to End Technical #Abuse (CETA) https://www.ceta.tech.cornell.edu/resources
https://82beb9a6-b7db-490a-88be-9f149bafe221.filesusr.com/ugd/c4e6d5_20fe31daffd74b2fb4b4735d703dad6a.pdf - disconnect checklist

Tw: stalking resulting in death: ‘A pattern of fixation and obsession’: How the #pandemic exacerbated stalking cases in the UK https://www.independent.co.uk/life-style/women/stalking-cases-pandemic-gracie-spinks-b1956589.html

https://pathwaystosafety.org/staying-safe/
https://www.techsafety.org/
https://static1.squarespace.com/static/51dc541ce4b03ebab8c5c88c/t/61674c082419497a370af990/1634159630368/2021_T2E+Needs+Assessment+Report.pdf
“Smart” or connected devices, often referred to as the Internet of Things (IoT), turn up in cases “all the time” or “often” for a third of advocates and 1 in 5 #legal systems professionals. While this is rather low, people are increasingly using these types of technology. With additional use we may see increases in abuse through them. Additionally, advocates and legal systems professionals are often not aware of how these technologies can be misused, so they may not ask about them.
Nov 21, 2021 • 39min

2021-043- Fred Jennings, Vuln Disclosure policy, VEP, and 0day disclosure - p2

https://twitter.com/Esquiring - Fred Jennings

Vulnerabilities Equity program (VEP), vuln disclosure program (VDP), and what is the best way for disclosure of 0day? (‘proper’ is different and dependent)

This show was inspired by this Tweet thread from @k8em0 and @_MG_: https://twitter.com/k8em0/status/1459715464691535877 https://twitter.com/_MG_/status/1459718518346174465

Legal Safe Harbor? Copy-left for security researchers…?

What is a VEP? Not a new concept (2014): https://obamawhitehouse.archives.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities
Context: Was written when Heartbleed came out. About transparency, but within reason.
From the blogpost: “We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability:
How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
Does the vulnerability, if left unpatched, impose significant risk?
How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
How likely is it that we would know if someone else was exploiting it?
How badly do we need the intelligence we think we can get from exploiting the vulnerability? Are there other ways we can get it?
Could we utilize the vulnerability for a short period of time before we disclose it?
How likely is it that someone else will discover the vulnerability?
Can the vulnerability be patched or otherwise mitigated?”

Gov orgs involved in VEP: https://en.wikipedia.org/wiki/Vulnerabilities_Equities_Process
Assessing the Vulnerabilities Equities Process, Three Years After the VEP Charter

Companies have VEP (every time they issue a patch), but they aren’t always transparent about it. Embargoes aplenty.
https://www.redhat.com/en/blog/security-embargoes-red-hat
https://xenproject.org/developers/security-policy/
(creates a caste system of ‘haves and have-nots’... important vs. not important) bad guys will target people not on the inside.

0day benefits from non-transparent VEP. https://www.randori.com/blog/why-zero-days-are-essential-to-security/
Randori had 365day… https://twitter.com/_MG_/status/1459024603263557633 https://twitter.com/JimSycurity/status/1459152870490574854 Preferred patch 8.1.17, issued October 2020

VEP does not always have to be 0day… can be solutions to issues: https://www.techdirt.com/articles/20210922/17095747614/fbi-sat-ransomware-decryption-key-weeks-as-victims-lost-millions-dollars.shtml
“The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials. The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.”

In a perfect world, what does disclosure look like?
Communication (easy, secure, detailed… pick 1)
Separating wheat from chaff - ‘lol, i got root, pay me plz’
Fear of NDAs and gag clauses
Do people expect to be paid? Setup of a ‘cheap’ program? What if you don’t have a budget to pay out (or more accurately, mgmt won’t pay out)? People won’t disclose? Should you pay? Use a 3rd party?
Nov 21, 2021 • 36min

2021-042- Fred Jennings, VDP, Vuln Equity, And 0day disclosure - p1

https://twitter.com/Esquiring - Fred Jennings

Vulnerabilities Equity program (VEP), vuln disclosure program (VDP), and what is the best way for disclosure of 0day? (‘proper’ is different and dependent)

This show was inspired by this Tweet thread from @k8em0 and @_MG_: https://twitter.com/k8em0/status/1459715464691535877 https://twitter.com/_MG_/status/1459718518346174465

Legal Safe Harbor? Copy-left for security researchers…?

What is a VEP? Not a new concept (2014): https://obamawhitehouse.archives.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities
Context: Was written when Heartbleed came out. About transparency, but within reason.
From the blogpost: “We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability:
How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
Does the vulnerability, if left unpatched, impose significant risk?
How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
How likely is it that we would know if someone else was exploiting it?
How badly do we need the intelligence we think we can get from exploiting the vulnerability? Are there other ways we can get it?
Could we utilize the vulnerability for a short period of time before we disclose it?
How likely is it that someone else will discover the vulnerability?
Can the vulnerability be patched or otherwise mitigated?”

Gov orgs involved in VEP: https://en.wikipedia.org/wiki/Vulnerabilities_Equities_Process
Assessing the Vulnerabilities Equities Process, Three Years After the VEP Charter

Companies have VEP (every time they issue a patch), but they aren’t always transparent about it. Embargoes aplenty.
https://www.redhat.com/en/blog/security-embargoes-red-hat
https://xenproject.org/developers/security-policy/
(creates a caste system of ‘haves and have-nots’... important vs. not important) bad guys will target people not on the inside.

0day benefits from non-transparent VEP. https://www.randori.com/blog/why-zero-days-are-essential-to-security/
Randori had 365day… https://twitter.com/_MG_/status/1459024603263557633 https://twitter.com/JimSycurity/status/1459152870490574854 Preferred patch 8.1.17, issued October 2020

VEP does not always have to be 0day… can be solutions to issues: https://www.techdirt.com/articles/20210922/17095747614/fbi-sat-ransomware-decryption-key-weeks-as-victims-lost-millions-dollars.shtml
“The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials. The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.”

In a perfect world, what does disclosure look like?
Communication (easy, secure, detailed… pick 1)
Separating wheat from chaff - ‘lol, i got root, pay me plz’
Fear of NDAs and gag clauses
Do people expect to be paid? Setup of a ‘cheap’ program? What if you don’t have a budget to pay out (or more accurately, mgmt won’t pay out)? People won’t disclose? Should you pay? Use a 3rd party?
Nov 21, 2021 • 53min

Blumira Sponsor #3 - Emily Eubanks, more actionable events, incident response help, and more

In this sponsored BDS episode, Bryan Brake and Amanda Berlin interview Emily Eubanks, a Security Operations Analyst for #Blumira. We discuss common business risks like IT staff turnover, a lack of Incident Response procedures, choosing not to follow PowerShell best practices, and MFA use for critical or sensitive applications. We also discuss ways to improve security posture to mitigate these risks, as well as how Blumira can help organizations in light of these common business challenges.

ADDITIONAL RESOURCES

OUR REDDIT AMA
https://www.reddit.com/r/cybersecurity/comments/qao73j/we_are_a_security_team_with_20_years_of_ethical/

MFA
https://attack.mitre.org/mitigations/M1032/
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984
https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/

INCIDENT RESPONSE
https://www.nist.gov/cyberframework/respond
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

POWERSHELL BEST PRACTICES
https://www.blumira.com/analysis-of-a-threat-powershell-malicious-activity/
https://docs.microsoft.com/en-us/mem/configmgr/apps/deploy-use/learn-script-security
https://devblogs.microsoft.com/powershell/secrets-management-module-vault-extensions/
https://www.reddit.com/r/PowerShell/comments/g3b9h5/how_are_you_managing_secrets/

RISK: A lack of MFA where available, or using SMS based MFA for critical applications. Please do not use SMS based MFA for critical applications. [6] [7] This is an easy layer of defense that has historically been very effective. [5] One-Time Passwords (OTP) are good, but [8] FIDO U2F is better. Consider hardware tokens (e.g. Yubico YubiKey, Google Titan Security Key).
MITIGATION: Blumira requires use of MFA. MFA related detections (e.g. AWS, Duo).
BLUMIRA HELPS:

Incident Response Procedures

RISK: A lack of Incident Response Procedures, or the decision to postpone incident response procedures because they would result in a disruption in service, typically results in unfavorable outcomes. A written plan that identifies the roles, responsibilities, and procedures that should be set in motion once an incident has been declared. If this is overwhelming to conceptualize, know there are a good amount of free and openly available resources already in existence to help with the creation of new IR plans >> I highly recommend looking at NIST documentation to get an idea of what is possible and then scale to what is appropriate for your organization. [4] The plan should be reviewed at a minimum once annually, with everyone who is responsible for responding to incidents present. If anybody is unclear on their role, responsibilities or procedures, then the Incident Response lead should work with them to get them there. Incident Response procedures should be like a fire drill, so that when there is a real fire the team can work together to quickly put that fire out and minimize impact to the company and their customers. (Shoutout to the BDS podcast on drawing connections from fire fighting to Incident Response procedures with Dr. Catherine J. Ullman (@investigatorchi))
MITIGATION: Workflows. Blumira helps with this by providing built-in guidance with workflows. Workflows ask direct questions and provide specific options to record responses to security findings to guide practitioners towards a conclusion. Finding analysis provides additional details to help operators make informed decisions in response to new findings.
BLUMIRA HELPS:

Recent or Frequent IT Staff Turnover

RISK: Impedes troubleshooting logflow and/or investigations due to a lack of familiarity with the network environment. Prevention might be the best solution? Giving your workers time during the work week to improve a work related skill can help identify when a team is reaching or exceeding their resource capacity. If your team is overworked they are more likely to make mistakes, will be less prepared to go the extra mile when it is needed because they’ll already be tapped out of energy, and may be more likely to consider opportunities elsewhere. You want to limit keystone employees, meaning that if an employee leaves for whatever reason you do not want that employee’s absence to cause a breakdown in processes for others. Redundancy is best here in most cases IMO.
MITIGATION: Blumira works hard to create fewer, more actionable findings. We strive to keep our alerts simple to provide the information that operators need to make informed decisions. We try to focus on findings that require action and provide workflows with additional guidance, sharing recommendations on what to investigate next to evaluate the impact of a security event.
BLUMIRA HELPS:

PowerShell Scripting Best Practices

RISK: Detections will be less helpful if staff are frequently dismissing events in response to approved administrative behavior like maintenance scripts. Follow the PowerShell recommendations shared by Microsoft [1], including: Sign your scripts (lol, Microsoft has this bolded by the way, hint hint wink wink): “another method for keeping scripts secure is vetting and signing your scripts”. Do not store secrets in PoSH scripts; if you are doing this you’re gonna want to google “secrets management” [2] and learn more about how to securely store and access secrets across an enterprise environment. Briefly, there is a PowerShell module for vault secret extensions [3]; some vault extensions include KeePass, LastPass, HashiCorp Vault, Azure KeyVault, KeyChain, and CredMan. Use a recent version of PowerShell (we are on version 7, but this article recommends 5+). Enable and collect PowerShell logs.
MITIGATION: Blumira detects on malicious PowerShell usage.
BLUMIRA HELPS:

ADDITIONAL LINKS AND SOURCES:
[1] https://docs.microsoft.com/en-us/mem/configmgr/apps/deploy-use/learn-script-security
[2] https://www.reddit.com/r/PowerShell/comments/g3b9h5/how_are_you_managing_secrets/
[3] https://github.com/PowerShell/SecretManagement
[3] https://devblogs.microsoft.com/powershell/secrets-management-module-vault-extensions/
[4] https://www.nist.gov/cyberframework/respond
[5] https://attack.mitre.org/mitigations/M1032/
[6] https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984
[7] https://www.zdnet.com/article/microsoft-urges-users-to-stop-using-phone-based-multi-factor-authentication/
[8] https://www.yubico.com/blog/otp-vs-u2f-strong-to-stronger/
https://www.blumira.com/analysis-of-a-threat-powershell-malicious-activity/
Nov 16, 2021 • 37min

2021-041-0day disclosure, Randori, FBI email server pwnage

https://www.bleepingcomputer.com/news/security/us-education-dept-urged-to-boost-k-12-schools-ransomware-defenses/
https://securityaffairs.co/wordpress/124570/cyber-crime/fbi-hacked-email-server.html
https://www.zdnet.com/article/security-company-faces-backlash-for-waiting-12-months-to-disclose-palo-alto-0-day/
https://www.randori.com/blog/why-zero-days-are-essential-to-security/
https://twitter.com/_MG_/status/1459024603263557633 “Hey... did anyone notice that PAN 0day was fixed in a version that was released over a year ago? Guess it wasn't easy to notice under all the loud opinions about ethics.”
https://twitter.com/_MG_/status/1459038747807285253/photo/1
Nov 8, 2021 • 37min

2021-040-Sweden's parents rebel over poor App design, US government forcing patching of systems, and Vuln chaining

News stories covered this week, as well as links of note:
https://www.wired.co.uk/article/sweden-stockholm-school-app-open-source
https://curtbraz.medium.com/a-konami-code-for-vuln-chaining-combos-1a29d0a27c2a
https://docs.google.com/presentation/d/17gISafUZzEyjV7wkdHaTQZmtxstBqECa/edit#slide=id.p4
https://www.securityweek.com/braktooth-new-bluetooth-vulnerabilities-could-affect-millions-devices
https://offsec.almond.consulting/intro-to-file-operation-abuse-on-Windows.html
https://searchsecurity.techtarget.com/news/252509040/CISA-cracks-the-whip-on-patching-vulnerabilities
https://cyber.dhs.gov/bod/22-01/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Nov 2, 2021 • 55min

2021-039-Minimum Viable vendor security sheet, Federal logging requirements, and more!

https://securityaffairs.co/wordpress/123948/security/2021-list-of-most-common-hardware-weaknesses.html
https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf
https://www.darkreading.com/application-security/tech-companies-create-security-baseline-for-enterprise-software
https://security.googleblog.com/2021/10/launching-collaborative-minimum.html
https://mvsp.dev/mvsp.en/index.html
https://www.standardfusion.com/blog/assessing-vendor-risk-with-questionnaires/