Software vulnerabilities are an unfortunate part of working with technology. A developer puts out a software release with millions of lines of code. Then, hackers look for loopholes that allow them to breach a system through that code.
The developer issues a patch to fix the vulnerability but it’s not long before a new feature update causes more. It’s like a game of “whack-a-mole” to keep your systems secure.
Keeping up with new vulnerabilities is one of the top priorities of IT management firms. It’s important to know which software and operating systems are being attacked.
Without ongoing patch and update management, company networks are vulnerable while these attacks are completely avoidable. 82% of U.S. cyberattacks in Q1 of 2022 were due to exploiting patchable vulnerabilities.
What new vulnerabilities are lurking in products from Microsoft, Google, Adobe, and others? We’ll go through several. These were recently noted in a warning by the Cybersecurity and Infrastructure Security Agency (CISA).
Make Sure to Patch Any of These Vulnerabilities in Your Systems
Microsoft vulnerabilities include those in three of its products. Internet Explorer (IE) is one of them. Microsoft discontinued IE in June of 2022. You should remove this from any computers that still have it installed.
You’ll see the acronym “CVE” used in the vulnerability names. This is an industry-standard naming structure. It stands for Common Vulnerabilities and Exposures.
Here is a rundown of these vulnerabilities and what a hacker can do:
- CVE-2012-4969: This Internet Explorer vulnerability allows the remote execution of code. This is a “critical” vulnerability because of the damage it enables. Hackers can release this via a website. Thus, formerly safe sites can become phishing sites when hackers exploit this loophole.
- CVE-2013-1331: This is a flaw in the code for Microsoft Office 2003 and Office 2011 for Mac. It enables hackers to launch remote attacks. It exploits a vulnerability in Microsoft’s buffer overflow function. This allows hackers to execute dangerous code remotely.
- CVE-2012-0151: This issue impacts the Authenticode Signature Verification function of Windows. It allows user-assisted attackers to execute remote code on a system. “User-assisted” means that they need the user to assist in the attack. Such as by opening a malicious file attachment in a phishing email.
Google Chrome and applications built using Google’s Chromium V8 Engine are also on the list. These applications are targets of the following vulnerabilities.
- CVE-2016-1646 & CVE-2016-518: These both allow attackers to conduct denial of service attacks. They do this against websites through remote control. This means they can flood a site with so much traffic that it crashes.
- Those aren’t the only two code flaws that allow hackers to crash sites this way. CVE-2018-17463 and CVE-2017-5070 are two others that both do the same thing. Like all these others, they both have patches already issued that users can install to fix these holes.
People use Adobe Acrobat Reader widely to share documents. It makes it easy to share them across different platforms and operating systems. But it’s also a tool that’s on this list of popular vulnerabilities.
- CVE-2009-4324: This is a flaw in Acrobat Reader that allows hackers to execute remote code via a PDF file. This is why you can’t trust that a PDF attachment is going to be safer than other file types. Remember this when receiving unfamiliar emails.
- CVE-2010-1297: This memory corruption vulnerability. It allows remote execution and denial of service attacks through Adobe Flash Player. Like IE, the developer retired Flash Player. It no longer receives support or security updates. You should uninstall this from all PCs and websites.
Netgear is a popular brand of wireless router. The company also sells other internet-connected devices. These are also vulnerable, due to the following flaws.
- CVE-2017-6862: This flaw allows a hacker to execute code remotely. It also enables bypassing any needed password authentication. It’s present in many different Netgear products.
- CVE-2019-15271: This is a vulnerability in the buffer overflow process of Cisco RV series routers. It gives a hacker “root” privileges. This means they can basically do anything with your device and execute any code they like.
Patch & Update Regularly!
These are a few of the security vulnerabilities listed on the CISA list. You can see all 36 that were added here.
How do you keep your network safe from these and other vulnerabilities? You should patch and update regularly. Work with a trusted IT professional to manage your device and software updates. This ensures you don’t have a breach waiting to happen lurking in your network.
Automate Your Cybersecurity Today
Patch and update management is just one way that we can automate your cybersecurity. Contact us today at 716-373-4467 x 115, email@example.com or fill out the form below to learn how else we can help by scheduling a consultation today.
Article used with permission from The Technology Press.
Heads Up Financial Institutions!
The Federal Trade Commission (FTC) announced the first cybersecurity updates to the Gramm Leach-Bliley Act (GLBA) Safeguards Rule since 2003. The new rule strengthens the required security safeguards for customer information. This includes formal risk assessments, access controls, regular penetration testing and vulnerability scanning, and incident response capabilities, among other things.
Most of these changes go into effect in December 2022, to provide organizations time to prepare for compliance. Below, details the changes in comparison to the previous rule.
Background on the Safeguards Rule
GLBA requires, among other things, a wide range of “financial institutions” to protect customer information. Enforcement for GLBA is split up among several different federal agencies, with FTC jurisdiction covering non-banking financial institutions in the Safeguards Rule. Previously, the Safeguards Rule left the implementation details of several aspects of the information security program up to the financial institution, based on its risk assessment.
The Safeguards Rule broad definition of “financial institutions” includes non-bank businesses that offer financial products or services — such as retailers, automobile dealers, mortgage brokers, non-bank lenders, property appraisers, tax preparers, and others. The definition of “customer information” is also broad, to include any record containing non-public personally identifiable information about a customer that is handled or maintained by or on behalf of a financial institution.
Updates to the Safeguards Rule
Many of the other updates’ concern strengthened requirements on how financial institutions must implement aspects of their security programs. Below is a short summary of the changes.
Overall Security Program
Current rule: Financial institutions must maintain a comprehensive, written information security program with administrative, technical, and physical safeguards to ensure the security, confidentiality, and integrity of customer information.
Updated rule: The updated rule now requires the information security program to include the processes and safeguards listed below (i.e., risk assessment, security safeguards, etc.).
Effective date: December 2022
Current rule: Financial institutions are required to identify internal and external risks to security, confidentiality, and integrity of customer information. The risk assessment must include employee training, risks to information systems, and detecting and responding to security incidents and events.
Updated rule: The update includes more specific criteria for what the risk assessment must include. This includes criteria for evaluating and categorizing of security risks and threats, and criteria for assessing the adequacy of security safeguards. The risk assessment must describe how identified risks will be mitigated or accepted. The risk assessment must be in writing.
Effective date: December 2022
Current rule: Financial institutions must implement safeguards to control the risks identified through the risk assessment. Financial institutions must require service providers to maintain safeguards to protect customer information.
Updated rule: The updated rule requires that the safeguards must include
- Access controls, including providing the least privilege;
- Inventory and classification of data, devices, and systems;
- Encryption of customer information at rest and in transit over internal networks;
- Secure development practices for in-house software and applications;
- Multi-factor authentication;
- Secure data disposal;
- Change management procedures; and
- Monitoring activity of unauthorized users and detecting unauthorized access or use of customer information.
Effective date: December 2022
Testing and Evaluation
Current rule: Financial institutions must regularly test or monitor the effectiveness of the security safeguards and make adjustments based on the testing.
Updated rule: Regular testing of safeguards must now include either continuous monitoring or periodic penetration testing (annually) and vulnerability assessments (semi-annually).
Effective date: December 2022
Current rule: Financial institutions must include cybersecurity incident detection and response in their risk assessments and have safeguards to address those risks.
Updated rule: Financial institutions are required to establish a written plan for responding to any security event materially affecting confidentiality, integrity, or availability of customer information.
Effective date: December 2022
Workforce and Personnel
Current rule: Financial institutions must designate an employee to coordinate the information security program. Financial institutions must select service providers that can maintain security and require service providers to implement the safeguards.
Updated rule: The rule now requires designation of a single “qualified individual” to be responsible for the security program. This can be a third-party contractor. Financial institutions must now provide security awareness training and updates to personnel. The rule now also requires periodic reports to a Board of Directors or governing body regarding all material matters related to the information security program.
Effective date: December 2022
Scope of Coverage
Updated rule: The FTC update expands on the definition of “financial institution” to require “finders” — companies that bring together buyers and sellers — to follow the Safeguards Rule. However, financial institutions that maintain customer information on fewer than 5,000 consumers are exempt from the requirements of a written risk assessment, continuous monitoring or periodic pen testing and/or vulnerability scans, incident response plan, and annual reporting to the Board.
Effective date: November 2021 (unlike many of the other updates, this item was not delayed for a year)
In addition to the above, the FTC is also considering requirements that financial institutions report cybersecurity incidents and events to the FTC. Similar requirements are in place under the Cybersecurity Regulation at the New York Department of Financial Services. If the FTC moves forward with these incident reporting requirements, financial institutions could expect the requirements to be implemented in early 2023.
Financial institutions with robust security programs will already be performing many of these practices. For them, the updated Safeguards Rule will not represent a sea change in internal security operations. However, by making these security practices a formal regulatory requirement, the updated Safeguards will make accountability and compliance even more important.
Interested in speaking with an experienced team member about the material covered in this article? Contact us today at 716-373-4467 x 115 or firstname.lastname@example.org to schedule your appointment.
Benjamin Franklin once said, “An ounce of prevention is worth a pound of cure.” This age old advice is easily applied to the digital world we live in today. Computers, applications and networks are under constant attack by hackers who are extremely motivated by big financial gains.
An effective patch and vulnerability management program has the ability to stop most hackers dead in their tracks. It greatly reduces the risk associated with the exploitation of a neglected or un-patched computer system.
Year after year, we learn that the vast majority of successful cyber-attacks have exploited unpatched computers and / or unpatched applications. What is even more interesting is that most of the patches for these compromised systems had been available to install for months, if not years prior to the cyber-attack.
There is no doubt that the combination of routine vulnerability scanning and the timely installation of system patches will make it much more difficult for a hacker to compromise your computer systems and information.
Here are 7 steps to help you build an effective patch and vulnerability management program:
Inventory Systems and Applications
Before we attempt to patch computers, operating systems and applications, we first must know of their existence. It is important to maintain an inventory of all computing assets. If possible, use inventory software to assist with the task but at the least, make sure the inventory is completed using manual means.
Monitor for Vulnerabilities
Vendors will release patches at regular intervals as new vulnerabilities are discovered. You must know when new patches are available to install otherwise, you risk not installing patches in a timely manner – or installing them at all. Good mechanisms to use for monitoring vulnerabilities include a combination of:
- Checking the vendor website and subscribing to mailing list
- Regular vulnerability scanning
- Checking vulnerability databases, such as the National Vulnerability Database
- Relying on an enterprise patch management tool.
Click here to learn more about our Security Assessment and to request your Free Baseline Security Assessment.
Selecting Patches to Apply
Deciding which patches are ultimately installed is typically based on the criticality of the patch, importance of the system being patched, the resources required to install the patch and assurance of post install system functionality. It is good practice to at a minimum, install all “Critical” and “Security” patches.
Prior to installing patches, it is important to install patches in a test or non-production computing environment. This will assure that the installation of the patch will not cause any adverse outages or system disruption when it is ultimately installed in a production computer environment.
Despite the testing efforts completed in the previous section, it is still conceivable that the installation of a patch will create unanticipated issues or outages. For this reason, it is important that you verify the system or application being patched has recent data backup that can easily be restored if needed.
The National Institute of Standards and Technology (NIST) recommends that patch installation should be automated using enterprise patch management tools or alternative options. Manually installing patches is expensive and inconsistent. Where possible, be sure that systems are automatically updated according to your patch management program parameters.
The installation of a patch should always be confirmed by either re-scanning the system with a vulnerability scanner and / or reviewing log files.
Patching Equals Prevention
All Databranch Comprehensive Care and Foundation Security clients have scheduled automatic patching and Windows updates on their devices. To learn more about how we can help take this off your IT plate, call 716-373-4467 x 15, email email@example.com or visit us here to learn more.
Request your free security risk assessment and consultation with a Databranch Security Expert here:
Article curtesy of CyberStone.
One constant about technology is that it changes rapidly. Tools that were once staples, like Internet Explorer and Adobe Flash, age out and get replaced by new tools. Continuing to use discontinued technology can leave computers and networks vulnerable to attacks.
While older technology may still run fine on your systems that doesn’t mean that it’s okay to use. One of the biggest dangers of using outdated technology is that it can lead to a data breach.
Outdated software and hardware no longer receive vital security updates. Updates often patch newly found and exploited system vulnerabilities. No security patches means a device is a sitting duck for a cybersecurity breach.
Approximately 1 in 3 data breaches are due to unpatched system vulnerabilities.
Important reasons to keep your technology updated to a supported version are:
- Reduce the risk of a data breach or malware infection
- Meet data privacy compliance requirements
- To keep a good reputation and foster customer trust
- To be competitive in your market
- To mitigate hardware and software compatibility issues
- To enable employee productivity
Older systems are clunky and get in the way of employee productivity. The efficiency of your employee is only as good as the technology they are working on. Slower machines mean a decrease in progress which can negatively impact your business over time.
Dig you know that 49% of surveyed workers say they would consider leaving their jobs due to poor technology?
Following is a list of outdated technology tools that you should replace as soon as possible. Are any of these still in use within your business?
Get Rid of This Tech Now If You’re Still Using It
1) Internet Explorer
Internet Explorer (IE) used to be the number one browser in the world. But, over time, Google Chrome and other browsers shadowed it out. Including its replacement, Microsoft Edge.
Microsoft began phasing out IE with the introduction of Microsoft Edge in 2015. In recent years, fewer applications have been supporting use in IE. The browser loses all support beginning on June 15, 2022.
2) Adobe Flash
Millions of websites used Adobe Flash in the early 2000s. But other tools can now do the animations and other neat things Flash could do. This made the tool obsolete, and Adobe ended it.
The Adobe Flash Player lost all support, including security updates, as of January 1, 2021. Do you still have this lingering on any of your computers? If so, you should uninstall the browser plugin and any Flash software.
3) Windows 7 and Earlier
Windows 7 was a very popular operating system, but it’s now gone the way of the dinosaur. Replacements, Windows 10 and Windows 11 are now in widespread use. The Windows 7 OS lost support on January 14, 2020.
While it may still technically run, it’s very vulnerable to hacks. Microsoft Windows OS is also a high-value target for hackers. So, you can be sure they are out there looking for systems still running this obsolete version of Windows.
4) macOS 10.14 Mojave and Earlier
Because of the cost of iMacs and MacBooks, people tend to hang onto them as long as possible. Once these devices get to a certain point, updates no longer work. This leaves the hardware stuck on an older and non-supported macOS version.
If you are running macOS 10.14 Mojave or earlier, then your OS is no longer supported by Apple and you should consider an upgrade.
5) Oracle 18c Database
If your business uses Oracle databases, then you may want to check your current version. If you are running the Oracle 18C Database, then you are vulnerable. Breaches can easily happen due to unpatched system vulnerabilities.
The Oracle 18C Database lost all support in June of 2021. If you have upgraded, then you’ll want to keep an eye out for another upcoming end-of-support date. Both Oracle 19C and 21C will lose premiere support in April of 2024.
6) Microsoft SQL Server 2014
Another popular database tool is Microsoft’s SQL. If you are using SQL Server 2014, then mainstream support has already ended. Plus, in July of 2024 all support, including security updates will stop.
This gives you a little more time to upgrade before you’re in danger of not getting security patches. However, it is better to upgrade sooner rather than later. This leaves plenty of time for testing and verification of the upgrade.
Get Help Upgrading Your Technology & Reducing Risk
Upgrades can be scary, especially if everything has been running great. You may be afraid that a migration or upgrade will cause issues. We can help you upgrade your technology smoothly and do thorough testing afterward. You can also contact Databranch today at 716-373-4467, firstname.lastname@example.org , or fill in the form below to set up a vulnerability assessment.
Request your Free Baseline Security Assessment here:
Article used with permission from The Technology Press.
Public networks expose your business to security threats. Switching to a VPN can greatly help in reducing those threats.
Many companies rely on public networks for communication and data sharing. It allows them to cut costs and allocate their funds elsewhere.
However, it also raises several security issues.
For starters, the network provider might be monitoring the activity, which gives them access to customer details, emails, and critical files. As a result, sensitive information can end up in the wrong hands, compromising the organization’s reputation.
Another potential consequence is losing access to bank accounts, credit cards, and invaluable resources. These issues can lead to huge losses for any business.
Your business might be facing the same risk whenever a team member connects to a public network.
To eliminate it, you need to switch to a virtual private network (VPN). They offer online anonymity and privacy, enabling you to conduct your operations away from prying eyes.
Still, you can’t go for just any VPN. This article features the 10 factors to consider when choosing the right one.
The 10 Factors for Choosing a VPN
Factor 1. Location
The location of your VPN servers is essential for a few reasons.
For example, the greater the distance between your server and your business, the higher the chances of facing latency issues. That’s why to ensure a seamless surfing experience, stick to the nearest server available.
Furthermore, you can also consider a VPN from the same place as the content your team needs to access to overcome geographic restrictions. If your work requires research from the UK, for example, find servers from that country.
Factor 2. Price
Using free VPNs might be tempting, but they deliver a lackluster experience. To start with, they can log you out of internet activities and are often chock-full of disruptive ads.
You’re much better off investing in a paid platform. They come with various robust features, a larger number of servers, and configurations to bolster your security.
Factor 3. Device Compatibility
Another detail you should consider is the compatibility of your VPN.
In most cases, you need software that can work with several devices, such as your smartphone, laptop, and tablet. Otherwise, cross-platform work will suffer.
Factor 4. Capacity
Before choosing your VPN, make sure to determine the amount of data you can use. That means if your operations warrant tons of online resources, you should pick a solution that supports considerable data allocation.
Moreover, check the number of online servers. The higher the number, the more efficiently your platform can support resource-intensive tasks.
Factor 5. Protocol Support
Protocols are rules that stipulate connections between the client (software on your device) and the server.
There are different protocols, but the most widely used ones include PPTP, OpenVPN, IPSec, SSL, SSH, and SSTP. Each offers varying speeds and levels of security, both of which are vital to your company.
For instance, OpenVPN is an open-source protocol and one of the safest options for enterprises. It runs on 256-bit encryption keys and advanced ciphers, offering robust protection against cyberattacks. Plus, it features excellent firewall compatibility.
Factor 6. Data Logging Policies
VPNs log user data to streamline customer support and limit available connections. However, you need to consider what information they’re logging.
In most cases, this includes session times and IP addresses. But some providers can also log your software, downloaded files, and web pages you visit.
When looking for a suitable VPN, be sure to read the data logging policy to determine the information the app will store. You should also verify the company is transparent; if someone tries to deceive you, turn down their offer.
Factor 7. Availability of a Kill Switch
No cybersecurity measure is fail proof – VPNs are no exception. Overloaded platforms can trigger IP leaks, interrupting your private connection and exposing your true address when online.
To avoid this scenario, look for platforms with a built-in kill switch. It disrupts your devices’ access to the internet in case of IP leaks. The kill switch stops transfers of unencrypted information and can help prevent cybercriminals from obtaining your data.
Factor 8. Updates
Your VPN provider needs to roll out regular updates to ensure you can perform your operations safely and efficiently.
If they don’t openly specify the update frequency on their webpage, find out when the last update was on your app store. It should give you a clue on how frequently the updates get sent out.
Factor 9. Centralized Management
Centralized management enables you to control VPN distribution more easily, allowing you to manage access permissions and user accounts. Some of the best apps even feature gateway or role-based access management. It permits users to access only those segments of the network they need to perform their jobs.
Another important consideration here is control from your console. IT administrators should have permission to open and delete accounts as well as check the devices linked to the platform.
Lastly, your organization might benefit from VPNs with IP whitelisting. They allow administrators to approve the IP addresses of your enterprise to ensure only members with a verified IP can use corporate resources. This feature provides granular control over network accessibility.
Factor 10. Customer Support
Customer support might be the most significant factor. Your provider should be easy to contact through different portals such as telephone and email.
Easy accessibility lets you inform the VPN developer about various issues. For instance, they can help restore your network if it goes down and prevents unwanted exposure.
Most client support teams are highly accessible, but make sure to verify this by reading customer reviews.
SAFEGUARD AGAINST CYBERATTACKS WITH A BULLETPROOF VPN
Loss of data can happen at any time, which can give your competitors the upper hand and tarnish your reputation. Switching to a VPN can greatly increase your businesses cybersecurity. Users will also need to enable multi-factor authentication when they are connecting to a business network via a VPN connection, and Databranch can help identify and configure the best solution.
Contact us today at 716-373-4467 x 15 or email@example.com if you would like to discuss your VPN options. You’ll also want to patch up any other cybersecurity vulnerabilities and we can help you make that happen.
Article used with permission from The Technology Press.
Conducting a vulnerability assessment is important because the exercise will identify security flaws that exist in your IT environment before they are discovered by a malicious computer hacker. Once the vulnerabilities are discovered you can correct them and lower your risk of becoming a victim of a cybersecurity attack.
What Will a Vulnerability Assessment Do?
A vulnerability assessment will discover common security weaknesses such as:
- Operating systems and applications that are not current with the latest security updates or patches.
- Unsecure legacy operating systems that are no longer supported by manufacturer.
- Open ports on perimeter defenses and other devices that allow malicious attackers to easily gain access to your private computer network.
- All Common Vulnerabilities and Exposures (CVE) that exist on the computer network.
Common Vulnerabilities and Exposures (CVE) is a database of publicly disclosed information security issues. There are currently over 163 thousand CVE records catalogued and made publicly available by the CVE program. You can explore the database at www.cve.org.
Why does this matter? Because it is important to recognize that new information security flaws are discovered regularly and then shared publicly. Sharing the information is not restrictive. Everyone can search the CVE database, including the hackers that intend to attack your computer network!
What Happens After the Assessment?
Executing routine vulnerability assessments will discover all the known vulnerabilities on your network before the bad actors have an opportunity to exploit them. Vulnerability assessments are nonintrusive and not disruptive.
Typically, a vulnerability assessment can be completed in a day or two. The results of a vulnerability assessment are documented and provided to the stakeholder complete with recommendations around remediating any weaknesses found.
It is important to conduct vulnerability assessments regularly, at least every quarter if not more frequently. This is due to the dynamic nature of information technology. Many changes occur on a day-to-day basis that can introduce new exposures associated with information security. Examples include:
- The introduction or removal of employees and business process.
- The implementation or elimination of hardware, software, or business applications.
- Configuration changes made to any element of the technology environment.
- Newly discovered bugs and flaws found in off the shelf commercial software products.
Security shortcomings found during a vulnerability assessment can almost always be fixed. Many times, the fixes are very easy to accomplish. Roughly 60% of all reported cybersecurity breaches occurred because the bad actors exploited common vulnerabilities and exposures (CVE).
This means that roughly 60% of all reported cybersecurity breaches could have been prevented if the victim had simply conducted a vulnerability assessment and made small improvements to their cybersecurity posture that would have eliminated a substantial amount of risk.
Interested in setting up a vulnerability assessment? Contact Databranch today at 716-373-4467, firstname.lastname@example.org , or click here to set up a meeting with one of our experienced team members.
Content was provided courtesy of CyberStone.