Supply Chain Council of European Union | Scceu.org

Experts On American Payroll Assn attack; Fed. Acquisition Supply Chain Security Act


Saryu Nayyar, CEO, Gurucul

September 02, 2020

The American Payroll Association breach shows a number of places where the industry as a whole still needs to do a better job. Attackers were apparently able to leverage a flaw in APA’s content management system (CMS) or a compromised admin account to place their skimmer. If it was a CMS flaw, it shows that security holes aren’t being patched in a timely fashion. Whether it was because the flaw ….

APA was able to identify this attack in under 90 days, which is an improvement over previous years in reducing attacker dwell time, but is still much too long. Better analytic tools could have mitigated the situation by recognizing the behaviors associated with an attack, both on the affected servers and in user activity with stolen credentials.

Separately, the US Office of Management and Budget today issued the Federal Acquisition Supply Chain Security Act and a request for comments (open through Nov. 2, 2020) designed to control who supplies the US Federal government with technology and technology services. The Act is intended to help curtail procurements from vendors and organizations that may pose a threat to national security.
