Software vulnerabilities are an unfortunate part of working with technology. A developer puts out a software release with millions of lines of code. Then, hackers look for loopholes that allow them to breach a system through that code.
The developer issues a patch to fix the vulnerability but it’s not long before a new feature update causes more. It’s like a game of “whack-a-mole” to keep your systems secure.
Keeping up with new vulnerabilities is one of the top priorities of IT management firms. It’s important to know which software and operating systems are being attacked.
Without ongoing patch and update management, company networks stay exposed to attacks that are completely avoidable. 82% of U.S. cyberattacks in Q1 of 2022 were due to exploiting patchable vulnerabilities.
What new vulnerabilities are lurking in products from Microsoft, Google, Adobe, and others? We’ll go through several. These were recently noted in a warning by the Cybersecurity and Infrastructure Security Agency (CISA).
Make Sure to Patch Any of These Vulnerabilities in Your Systems
The Microsoft vulnerabilities affect three of its products. Internet Explorer (IE) is one of them. Microsoft discontinued IE in June of 2022. You should remove this from any computers that still have it installed.
You’ll see the acronym “CVE” used in the vulnerability names. This is an industry-standard naming structure. It stands for Common Vulnerabilities and Exposures.
Here is a rundown of these vulnerabilities and what a hacker can do:
- CVE-2012-4969: This Internet Explorer vulnerability allows the remote execution of code. This is a “critical” vulnerability because of the damage it enables. Hackers can trigger it through a website. Thus, formerly safe sites can become phishing sites when hackers exploit this loophole.
- CVE-2013-1331: This is a flaw in the code for Microsoft Office 2003 and Office 2011 for Mac. It enables hackers to launch remote attacks. The flaw is a buffer overflow, which allows hackers to execute dangerous code remotely.
- CVE-2012-0151: This issue impacts the Authenticode Signature Verification function of Windows. It allows user-assisted attackers to execute remote code on a system. “User-assisted” means that they need the user to assist in the attack, such as by opening a malicious file attachment in a phishing email.
Google Chrome and applications built using Google’s Chromium V8 Engine are also on the list. These applications are targets of the following vulnerabilities.
- CVE-2016-1646 & CVE-2016-518: These both allow remote attackers to conduct denial of service attacks against websites. This means they can flood a site with so much traffic that it crashes.
- Those aren’t the only two code flaws that allow hackers to crash sites this way. CVE-2018-17463 and CVE-2017-5070 are two others that do the same thing. Like the others on this list, both already have patches that users can install to fix these holes.
People use Adobe Acrobat Reader widely to share documents. It makes it easy to share them across different platforms and operating systems. But it also appears on this list of exploited vulnerabilities.
- CVE-2009-4324: This is a flaw in Acrobat Reader that allows hackers to execute remote code via a PDF file. This is why you can’t trust that a PDF attachment is going to be safer than other file types. Remember this when receiving unfamiliar emails.
- CVE-2010-1297: This is a memory corruption vulnerability in Adobe Flash Player. It allows remote code execution and denial of service attacks. Like IE, the developer retired Flash Player. It no longer receives support or security updates. You should uninstall this from all PCs and websites.
Netgear is a popular brand of wireless router. The company also sells other internet-connected devices. These are also vulnerable, due to the following flaws.
- CVE-2017-6862: This flaw allows a hacker to execute code remotely. It also enables bypassing any needed password authentication. It’s present in many different Netgear products.
- CVE-2019-15271: This is a buffer overflow vulnerability in Cisco RV series routers. It gives a hacker “root” privileges. This means they can basically do anything with your device and execute any code they like.
Patch & Update Regularly!
These are a few of the security vulnerabilities listed on the CISA list. You can see all 36 that were added here.
How do you keep your network safe from these and other vulnerabilities? You should patch and update regularly. Work with a trusted IT professional to manage your device and software updates. This ensures you don’t have a breach waiting to happen lurking in your network.
Automate Your Cybersecurity Today
Patch and update management is just one way that we can automate your cybersecurity. Contact us today at 716-373-4467 x 115, email@example.com or fill out the form below to learn how else we can help by scheduling a consultation today.
Article used with permission from The Technology Press.
After being the main entry to the internet in the late 1990s and early 2000s, Internet Explorer (IE) is gone. As of June 15, 2022, Microsoft dropped the web browser from support.
IE ushered in the age of connection to the world in 1995 and held a majority of the browser market share for many years. But the release of newer technologies like Google Chrome made it less relevant.
In 2014, Internet Explorer still held about 59% of the global market share, with Chrome at 21%. But just two years later, IE lost its top spot to Chrome and trailed behind another newcomer, Safari.
In 2015, the writing was already on the wall when Microsoft released a new browser, Edge, destined to take IE’s place as the official browser installed on Windows systems.
The longer technology drives work and home life, the more inevitable it is that we lose some of our favorites. Adobe Flash Player is another technology that used to be widely used and is now gone.
So, now that IE has reached its end of life (EOL), what happens next?
Microsoft Will Redirect Users to IE Mode in Edge
According to Microsoft, now that IE is officially out of support it will redirect users. Over the next few months, users will see a new experience. Those opening this outdated browser will instead land in Microsoft Edge with IE mode.
To ease the transition away from Internet Explorer, Microsoft added IE Mode to Edge. This mode makes it possible for organizations to still use legacy sites that may have worked best in IE. It uses the Trident MSHTML engine from IE11 to do this.
When in IE mode, you’ll still see the Internet Explorer icon on your device. But if you open it, you’ll actually be in Microsoft Edge.
Microsoft Will Be Removing Internet Explorer Icons in the Future
Microsoft isn’t yet getting rid of the IE icons that appear in places like the taskbar and Start menu on Windows, but it will in a future update. This means users can expect to see those removed at some point.
Edge Will Import Browser Data from IE
What about your favorites, saved passwords, and other settings that you have in IE? Microsoft Edge will import these from Internet Explorer for you, so they’re not lost. This will include things like your browsing history and other data stored in the browser. You’ll then be able to access these in the Microsoft Edge’s settings area.
With IE Retired, What Do You Need to Do Now?
Uninstall the Browser
It’s risky to keep older technology that is no longer supported on your system. Cybercriminals love to exploit older tools that are not receiving any security updates. This leaves an open invitation to breach your network. Manufacturers are never going to address these because they retired the software.
Outdated technology costs enterprises approximately 47% more when they suffer a data breach, as compared to those with updated tools.
You should transition your stored information to Microsoft Edge (or another trusted browser). Then uninstall IE from your device or devices.
Ensure Employees Know How to Use IE Mode in Edge
A scenario that businesses want to avoid is what happened to many organizations in Japan. Several government and corporate users weren’t prepared for the retirement of IE.
It was reported that IT and engineering departments received many calls for help. This was due to unpreparedness for the browser’s demise. Although it came with warnings, it was a shock to many that used legacy sites that need IE to work. This included the customers of government agencies, financial institutions, and other organizations.
This left them scrambling to try to figure out what to do at the last minute. They still needed access to employee attendance management, and other online tools.
Of course, with IE mode in Edge, this transition didn’t need to be so chaotic. But without communication or training, more than 20% of affected users hadn’t figured out what to do.
Make sure you communicate to your team what to do. Companies can automate IE mode for their users so that it launches automatically.
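The two steps above (uninstalling the stand-alone browser, and making IE mode launch automatically for legacy sites) can be scripted. The following PowerShell is an added example, not code from the original article or from Microsoft; the site list path and the intranet hostname in it are placeholder assumptions, and it assumes an elevated session on a Windows 10/11 PC.

```powershell
# Added example: retire Internet Explorer 11 and move legacy sites to Edge IE mode.
# Assumptions (not from the article): the site list lives at $SiteListPath, and
# "legacy-timesheet.corp.example" is a placeholder for a real legacy intranet host.

$SiteListPath  = 'C:\ProgramData\EdgeIEMode\sitelist.xml'
$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# 1. Write an Enterprise Mode site list (schema v2). Only hosts listed here open
#    in IE mode; everything else keeps using Edge's modern rendering engine, so
#    the legacy engine is exposed to as few sites as possible.
$SiteList = @'
<site-list version="1">
  <!-- Placeholder legacy intranet host; replace with the real site -->
  <site url="legacy-timesheet.corp.example">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
</site-list>
'@
New-Item -ItemType Directory -Path (Split-Path $SiteListPath) -Force | Out-Null
Set-Content -Path $SiteListPath -Value $SiteList -Encoding UTF8

# 2. Configure Edge policies: integration level 1 = IE mode enabled, and point
#    Edge at the site list so listed sites launch in IE mode automatically.
#    (A local path is assumed here; Edge also accepts a URL to a hosted list.)
New-Item -Path $EdgePolicyKey -Force | Out-Null
Set-ItemProperty -Path $EdgePolicyKey -Name 'InternetExplorerIntegrationLevel' `
    -Value 1 -Type DWord
Set-ItemProperty -Path $EdgePolicyKey -Name 'InternetExplorerIntegrationSiteList' `
    -Value $SiteListPath -Type String

# 3. Remove the unsupported stand-alone IE 11 browser. The MSHTML engine stays
#    on the system because Edge IE mode depends on it; only the browser goes.
$FeatureName = 'Internet-Explorer-Optional-amd64'
$IeFeature = Get-WindowsOptionalFeature -Online -FeatureName $FeatureName
if ($IeFeature -and $IeFeature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart | Out-Null
    Write-Output 'Internet Explorer 11 feature disabled; a restart completes the removal.'
} else {
    Write-Output 'Internet Explorer 11 feature is already disabled or not present.'
}

# 4. Show the policy values that Edge will read at its next launch
#    (they also appear in edge://policy once Edge picks them up).
Get-ItemProperty -Path $EdgePolicyKey |
    Select-Object InternetExplorerIntegrationLevel, InternetExplorerIntegrationSiteList
```

Deploying the same registry values and site list through Group Policy or Intune achieves the identical result across a fleet instead of one machine at a time.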
Train Employees on Microsoft Edge Features
Microsoft Edge has a lot of benefits over IE and other browsers. It’s faster and more responsive than Internet Explorer. It also has comprehensive security controls (including password breach monitoring) and has unique features such as “collections.”
But with all new tools, if you want employees to use them proficiently, they need to have a chance to learn them. Take the time to transition right, and have your employees trained on Edge.
Need Help Upgrading Your Digital Tools?
You don’t have to panic when a technology you use retires. We can help you upgrade well ahead of any deadlines. Reach out today at 716-373-4467 x 115 or firstname.lastname@example.org to schedule a technology consultation.
Article used with permission from The Technology Press.
Have you felt more secure from cyberattacks because you have a smaller business? Maybe you thought that you couldn’t possibly have anything that a hacker could want? Maybe you didn’t think they even knew about your small business.
Well, a new report by the cybersecurity firm Barracuda Networks debunks this myth. Their report analyzed millions of emails across thousands of organizations. It found that small companies have a lot to worry about when it comes to their IT security.
Barracuda Networks found something alarming. Employees at small companies saw 350% more social engineering attacks than those at larger ones. It defines a small company as one with fewer than 100 employees. This puts small businesses at a higher risk of falling victim to a cyberattack. We’ll explore why below.
Why Are Smaller Companies Targeted More?
There are many reasons why hackers see small businesses as low-hanging fruit, and why small businesses are becoming larger targets of hackers out to score a quick illicit buck.
Small Companies Tend to Spend Less on Cybersecurity
When you’re running a small business, it’s often a juggling act of where to prioritize your cash. You may know cybersecurity is important, but it may not be at the top of your list. So, at the end of the month, cash runs out, and it’s moved to the “next month” wish list of expenditures.
Small business leaders often don’t spend as much as they should on their IT security. They may buy an antivirus program and think that’s enough to cover them. But with the expansion of technology to the cloud, that’s just one small layer. You need several more for adequate security.
Hackers know all this and see small businesses as an easier target. They can do much less work to get a payout than they would trying to hack into an enterprise corporation.
Every Business Has “Hack-Worthy” Resources
Every business, even a 1-person shop, has data that’s worth scoring for a hacker. Credit card numbers, SSNs, tax ID numbers, and email addresses are all valuable. Cybercriminals can sell these on the Dark Web. From there, other criminals use them for identity theft.
Here is some of the data that hackers will go after:
- Customer records
- Employee records
- Bank account information
- Emails and passwords
- Payment card details
Small Businesses Can Provide Entry Into Larger Ones
If a hacker can breach the network of a small business, they can often make a larger score. Many smaller companies provide services to larger companies. This can include digital marketing, website management, accounting, and more.
Vendors are often digitally connected to certain client systems. This type of relationship can enable a multi-company breach. While hackers don’t need that connection to hack you, it is a nice bonus. They can get two companies for the work of one.
Small Business Owners Are Often Unprepared for Ransomware
Ransomware has been one of the fastest-growing cyberattacks of the last decade. So far in 2022, over 71% of surveyed organizations experienced ransomware attacks.
The percentage of victims that pay the ransom to attackers has also been increasing. Now, an average of 63% of companies pay the attacker money in hopes of getting a key to decrypt their data.
Even if a hacker can’t get as much ransom from a small business as they can from a larger organization, it’s worth it. They often can breach more small companies than they can larger ones.
When companies pay the ransom, it feeds the beast and more cyber criminals join in. Criminals who are newer to ransomware attacks will often go after smaller, easier-to-breach companies.
Employees at Smaller Companies Usually Aren’t Trained in Cybersecurity
Cybersecurity training is another thing that is usually not too high on the list of priorities for a small business owner. They may be doing all they can just to keep good staff. Plus, priorities are often sales and operations.
Training employees on how to spot phishing and password best practices often isn’t done. This leaves networks vulnerable to one of the biggest dangers, human error.
In most cyberattacks, the hacker needs help from a user. It’s like the vampire needing the unsuspecting victim to invite them inside. Phishing emails are the device used to get that unsuspecting cooperation.
Phishing causes over 80% of data breaches.
A phishing email sitting in an inbox can’t usually do anything. It needs the user to either open a file attachment or click a link that will take them to a malicious site. This then launches the attack.
Teaching employees how to spot these ploys can significantly increase your cybersecurity. Security awareness training is as important as having a strong firewall or antivirus.
Need Affordable IT Security Services for Your Small Business?
Reach out today at 716-373-4467 x 115 or email@example.com to schedule a technology consultation. We offer affordable options for small companies. This includes many ways to keep you protected from cyber threats.
Article used with permission from The Technology Press.
Heads Up Financial Institutions!
The Federal Trade Commission (FTC) announced the first cybersecurity updates to the Gramm Leach-Bliley Act (GLBA) Safeguards Rule since 2003. The new rule strengthens the required security safeguards for customer information. This includes formal risk assessments, access controls, regular penetration testing and vulnerability scanning, and incident response capabilities, among other things.
Most of these changes go into effect in December 2022, to provide organizations time to prepare for compliance. The details below compare the changes to the previous rule.
Background on the Safeguards Rule
GLBA requires, among other things, a wide range of “financial institutions” to protect customer information. Enforcement for GLBA is split up among several different federal agencies, with FTC jurisdiction covering non-banking financial institutions in the Safeguards Rule. Previously, the Safeguards Rule left the implementation details of several aspects of the information security program up to the financial institution, based on its risk assessment.
The Safeguards Rule’s broad definition of “financial institutions” includes non-bank businesses that offer financial products or services, such as retailers, automobile dealers, mortgage brokers, non-bank lenders, property appraisers, tax preparers, and others. The definition of “customer information” is also broad, to include any record containing non-public personally identifiable information about a customer that is handled or maintained by or on behalf of a financial institution.
Updates to the Safeguards Rule
Many of the other updates concern strengthened requirements on how financial institutions must implement aspects of their security programs. Below is a short summary of the changes.
Overall Security Program
Current rule: Financial institutions must maintain a comprehensive, written information security program with administrative, technical, and physical safeguards to ensure the security, confidentiality, and integrity of customer information.
Updated rule: The updated rule now requires the information security program to include the processes and safeguards listed below (i.e., risk assessment, security safeguards, etc.).
Effective date: December 2022
Risk Assessment
Current rule: Financial institutions are required to identify internal and external risks to the security, confidentiality, and integrity of customer information. The risk assessment must include employee training, risks to information systems, and detecting and responding to security incidents and events.
Updated rule: The update includes more specific criteria for what the risk assessment must include. This includes criteria for evaluating and categorizing security risks and threats, and criteria for assessing the adequacy of security safeguards. The risk assessment must describe how identified risks will be mitigated or accepted. The risk assessment must be in writing.
Effective date: December 2022
Security Safeguards
Current rule: Financial institutions must implement safeguards to control the risks identified through the risk assessment. Financial institutions must require service providers to maintain safeguards to protect customer information.
Updated rule: The updated rule requires that the safeguards include:
- Access controls, including providing the least privilege;
- Inventory and classification of data, devices, and systems;
- Encryption of customer information at rest and in transit over internal networks;
- Secure development practices for in-house software and applications;
- Multi-factor authentication;
- Secure data disposal;
- Change management procedures; and
- Monitoring activity of unauthorized users and detecting unauthorized access or use of customer information.
Effective date: December 2022
Testing and Evaluation
Current rule: Financial institutions must regularly test or monitor the effectiveness of the security safeguards and make adjustments based on the testing.
Updated rule: Regular testing of safeguards must now include either continuous monitoring or periodic penetration testing (annually) and vulnerability assessments (semi-annually).
Effective date: December 2022
Incident Response
Current rule: Financial institutions must include cybersecurity incident detection and response in their risk assessments and have safeguards to address those risks.
Updated rule: Financial institutions are required to establish a written plan for responding to any security event materially affecting confidentiality, integrity, or availability of customer information.
Effective date: December 2022
Workforce and Personnel
Current rule: Financial institutions must designate an employee to coordinate the information security program. Financial institutions must select service providers that can maintain security and require service providers to implement the safeguards.
Updated rule: The rule now requires designation of a single “qualified individual” to be responsible for the security program. This can be a third-party contractor. Financial institutions must now provide security awareness training and updates to personnel. The rule now also requires periodic reports to a Board of Directors or governing body regarding all material matters related to the information security program.
Effective date: December 2022
Scope of Coverage
Updated rule: The FTC update expands the definition of “financial institution” to require “finders” (companies that bring together buyers and sellers) to follow the Safeguards Rule. However, financial institutions that maintain customer information on fewer than 5,000 consumers are exempt from the requirements of a written risk assessment, continuous monitoring or periodic pen testing and/or vulnerability scans, incident response plan, and annual reporting to the Board.
Effective date: November 2021 (unlike many of the other updates, this item was not delayed for a year)
In addition to the above, the FTC is also considering requirements that financial institutions report cybersecurity incidents and events to the FTC. Similar requirements are in place under the Cybersecurity Regulation at the New York Department of Financial Services. If the FTC moves forward with these incident reporting requirements, financial institutions could expect the requirements to be implemented in early 2023.
Financial institutions with robust security programs will already be performing many of these practices. For them, the updated Safeguards Rule will not represent a sea change in internal security operations. However, by making these security practices a formal regulatory requirement, the updated Safeguards will make accountability and compliance even more important.
Interested in speaking with an experienced team member about the material covered in this article? Contact us today at 716-373-4467 x 115 or firstname.lastname@example.org to schedule your appointment.
Annual MSP 501 Identifies Industry’s Best-in-Class Businesses
Databranch has been named as one of the world’s premier managed service providers in the prestigious 2022 Channel Futures MSP 501 rankings.
We have been selected as one of the technology industry’s top-performing providers of managed services by the editors of Channel Futures. For the past 16 years, managed service providers (MSPs) from around the globe have submitted applications to be included on this prestigious and definitive listing. The Channel Futures MSP 501 survey examines organizational performance based on annual sales, recurring revenue, profit margins, revenue mix, growth opportunities, innovation, technology solutions supported, and company and customer demographics.
MSPs that qualify for the list must pass a rigorous review conducted by the research team and editors of Channel Futures. It ranks applicants using a unique methodology that weighs financial performance according to long-term health and viability, commitment to recurring revenue and operational efficiency.
Channel Futures is pleased to name Databranch to the 2022 MSP 501
This year’s list once again attracted a record number of applicants, making it one of the most competitive in the survey’s history. Winners are being recognized on the Channel Futures website and were honored at a special ceremony at the Channel Futures MSP Summit + Channel Partners Leadership Summit, Sept. 13-16, in Orlando, Florida.
Since its inception, the MSP 501 has evolved from a competitive ranking into a vibrant group of innovators focused on high levels of customer satisfaction at small, medium and large organizations in public and private sectors. Today, many of their services and technology offerings focus on growing customer needs in the areas of cloud, security, collaboration and support of hybrid work forces.
“The 2022 Channel Futures MSP 501 winners are the highest-performing and most innovative IT providers in the industry today,” said Allison Francis, senior news editor for Channel Futures. “The 501 has truly evolved with the MSP market, as showcased by this year’s crop of winners. This is also the fifth consecutive year of application pool growth, making this year’s list one of the best on record.”
“We extend our heartfelt congratulations to the 2022 winners, and gratitude to the thousands of MSPs that have contributed to the continuing growth and success of the managed services sector,” said Kelly Danziger, general manager of Informa Tech Channels. “These providers are most certainly driving a new wave of innovation in the industry and are demonstrating a commitment to moving the MSP and entire channel forward.”
The complete 2022 MSP 501 list is available on Channel Futures’ website.
The 2022 MSP 501 list is based on confidential data collected and analyzed by the Channel Futures editorial and research teams. Data was collected online from Feb. 1-April 30, 2022. The MSP 501 list recognizes top managed service providers based on metrics including recurring revenue, profit margin and other factors.
About Channel Futures
Channel Futures is a media and events platform serving companies in the information and communication technologies (ICT) channel industry with insights, industry analysis, peer engagement, business information and in-person events. We provide information, perspective, and connection for the entire channel ecosystem. This community includes technology and communications consultants, integrators, sellers, MSPs, agents, vendors and providers.
Our properties include the Channel Futures MSP 501, a list of the most influential and fastest-growing providers of managed services in the technology industry; Channel Partners events, which delivers unparalleled in-person events including Channel Partners Conference & Expo, the MSP 501 Summit and Channel Partners Europe; and Allies of the Channel Council (ACC) and DEI Community Group, our initiatives to educate, support and promote diversity, equity and inclusion (DE&I) in the ICT channel industry. Channel Futures is where the world meets the channel; we are leading Channel Partners forward. More information is available at channelfutures.com.
Channel Futures is part of Informa Tech, a market-leading B2B information provider with depth and specialization in the ICT sector. Every year, we welcome 14,000+ subscribers to our research, more than 4 million unique monthly visitors to our digital communities, 18,200+ students to our training programs and 225,000 delegates to our events.
Interested in learning more about our Managed Services? Contact us today at 716-373-4467 x 115, email@example.com or click here to talk to one of our experienced team members.