A year on, CISA realizes debunked vuln actually a dud and removes it from must-patch list

A security vulnerability previously added to CISA's Known Exploited Vulnerability catalog (KEV), which was recognized by CVE Numbering Authorities (CNA), and included in reputable threat reports is now being formally rejected by infosec organizations. CISA removed CVE-2022-28958 from its KEV on December 1, two days after the …

  1. Dimmer Silver badge

    Test with all the layers

    Working for a bank. Pin testers can’t get access so they request that we add a rule in the firewall to allow them in. Management says we are paying a premium so we need to test everything.

    Failing with firewall access, they ask us to drop the ACL in the routers and switches.

    Failing that, please remove the MS firewall on the servers.

    Failing that, we need admin access, and then-

    Oh look at all the vulnerabilities we found! We can see your data!

    Out comes the report with all the vulnerabilities and we look like we are not doing our job. Fed auditors look at the report and lower the bank rating. Management finally took a hit for stupidity.

    Pin testing is when you don’t change any security and they HAVE to prove they can compromise it.

    Network assessment is where you give them access.

    Know the difference.

    Had an auditor ask me when we had our last pin test.

    “We get tested every few seconds, and it is free. Want to see the logs?”

    1. Pascal Monett Silver badge

      Re: Test with all the layers

      I believe the term is pen-testing, because penetration.

      I also believe that, if your pen testers can't get through without you deactivating your defenses, you need to find better pen testers.

      1. beardman
        Boffin

        Re: Test with all the layers

        Oh, the irony... :)))

    2. Zola
      WTF?

      Re: Test with all the layers

      Yeah, right. Absolutely none of this sounds plausible, assuming the security firm engaged by the bank is legit.

      I've worked for investment banks, had client-facing systems I'm responsible for PEN tested multiple times, and none of what you described ever happens (and if anyone did ask for that kind of access they would be run out of business).

      Also, the fact you call it "PIN" testing only adds to my suspicion that you don't know what you're talking about.

    3. Throatwarbler Mangrove Silver badge
      Devil

      Re: Test with all the layers

      Maybe their requests were part of the penetration testing: "Are these guys lax enough to comply with all these requests?"

      The answer was "yes," so one could argue the bank deserved its falling grade.

    4. Blazde Silver badge

      Re: Test with all the layers

      We get tested every few seconds, and it is free. Want to see the logs?

      I believe it's more of a 'no-pen no-fee' arrangement. When they do pen they gouge you..
