October 18, 2022
Good morning, everyone!
This week's critical vulnerabilities: Patch All the Things!
I'll fix it later
How many times have you rigged up something as a temporary solution, thinking to yourself "Eh, I'll fix it later," but somehow it never made it onto the to-do list? A lot of organizations did this when the pandemic first hit, opening ports on firewalls and permitting all kinds of unsafe access as a temporary fix ... and more than two years later, those ports are still open and that unsafe access is still available. And the bad guys are taking advantage of it!
This story set my mind on this path. It's a fascinating story: drones were used to hack the network of a financial services firm. Here's the kicker:
The only reason this [attack] had some success was that the company was on a temporary network that wasn't fully secured. "The attackers specifically targeted a limited access network, used by both a third-party and internally, that was not secure due to recent changes at the company (e.g. restructuring/rebranding, new building, new building lease, new network setup or a combination of any of these scenarios)," Linares told The Register.
Oops! Those temporary fixes can come back to bite you! Right now, go check on the temporary measures that were put into place in early 2020, and make sure that a safe, secure, permanent solution is in place now.
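One practical way to keep "temporary" exceptions from living forever is to tag each one with an owner and an expiry date when it is created, then audit the rule set on a schedule. The script below is an added example, not part of this newsletter or any vendor's tooling; it parses a constructed, simplified firewall rule export (the one-line-per-rule format, the TEMP prefix and the owner=/expires= comment tags are all assumptions for illustration) and reports temporary rules that have expired or were never given an expiry at all.

```python
import re
from datetime import date

# Constructed sample export: one rule per line, with a free-text comment
# field. Exceptions are tagged "TEMP" with an owner and an expiry date.
SAMPLE_RULES = """\
allow tcp any -> 10.0.5.20:3389 comment="TEMP remote-admin owner=itops expires=2020-04-30"
allow tcp any -> 10.0.5.21:445 comment="TEMP wfh file share owner=finance expires=2020-06-01"
allow tcp 203.0.113.0/24 -> 10.0.9.10:443 comment="vendor portal owner=secops"
allow tcp any -> 10.0.7.5:22 comment="TEMP contractor ssh owner=eng"
allow tcp any -> 10.0.7.6:22 comment="TEMP vendor ssh owner=eng expires=2099-01-01"
"""

# Assumed rule syntax: <action> <proto> <src> -> <dst> comment="..."
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)'
    r'\s+comment="(?P<comment>[^"]*)"$'
)


def parse_rule(line):
    """Parse one exported rule line into a dict, pulling the TEMP tag,
    owner and expiry date out of the comment field."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    rule = m.groupdict()
    comment = rule["comment"]
    rule["temporary"] = comment.startswith("TEMP")
    owner = re.search(r"\bowner=(\S+)", comment)
    expires = re.search(r"\bexpires=(\d{4}-\d{2}-\d{2})", comment)
    rule["owner"] = owner.group(1) if owner else None
    rule["expires"] = date.fromisoformat(expires.group(1)) if expires else None
    return rule


def audit_temporary_rules(rules_text, today):
    """Return (finding, destination, owner) tuples for every temporary
    rule that is past its expiry date or has no expiry date at all."""
    findings = []
    for line in rules_text.splitlines():
        if not line.strip():
            continue
        rule = parse_rule(line)
        if not rule["temporary"]:
            continue  # permanent rules are reviewed elsewhere
        if rule["expires"] is None:
            findings.append(("no-expiry", rule["dst"], rule["owner"]))
        elif rule["expires"] < today:
            findings.append(("expired", rule["dst"], rule["owner"]))
    return findings


if __name__ == "__main__":
    for finding in audit_temporary_rules(SAMPLE_RULES, date.today()):
        print(*finding)
```

Run against the sample on the date of this newsletter, the two exceptions from spring 2020 show up as expired and the contractor rule shows up as having no expiry; the point is that the report names an owner for each, so someone can be asked to close it or justify keeping it.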
You can't secure it if you don't know it's there
A couple weeks ago, I read this great article by one of my favorite infosec rock stars, Lesley Carhart, "Your Cyber Response Plan Needs These 6 Components" -- the whole thing is well worth reading, but I have to point out that she started off singing my song:
To secure against—much less investigate—an intrusion into an environment, we must know what exists in it. This includes network topology, asset inventories, and industrial process documentation. Without this information, it is difficult to focus incident response efforts on the right systems, quantify impacted systems, and calculate the risk an incident poses. We don’t know what we don’t know, and that could include the presence of network connections, systems, or critical process components.
Singing my song! I can't tell you how often we do a basic security assessment for an organization and find all kinds of things that IT and/or management didn't know were on the network. Remember that time NASA's Jet Propulsion Laboratory was hacked because of an unauthorized device? Printers are a common problem. And software? Oh, don't get me started. Maybe I'll talk about that next week. 😉
And hey, this applies to home networks too! If you have network segmentation in place for your IoT devices, and someone gets a new toy but puts it on the wrong network ... how do you know? What do you do? What about that new thermostat the A/C guy just installed -- did he ask for Wi-Fi credentials because it's "smart"? Did you give him the right ones? Did you put it on your list of active devices? Did you check for firmware updates?
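The "how do you know?" question above has a concrete answer: keep an inventory of what is supposed to be on each network segment and regularly compare it against what the network actually sees. The script below is an added example, not code from this newsletter or from any product it mentions; it reconciles a constructed DHCP lease table (dnsmasq-style lines, which is an assumption about the format) against a hypothetical inventory that maps each device's MAC address to its expected segment, and flags devices that are unknown or are sitting on the wrong segment.

```python
import ipaddress

# Constructed segment plan: a trusted subnet and an isolated IoT subnet.
SEGMENTS = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
}

# Hypothetical inventory: MAC address -> (friendly name, expected segment).
INVENTORY = {
    "aa:bb:cc:dd:ee:01": ("laptop-anne", "trusted"),
    "aa:bb:cc:dd:ee:02": ("thermostat", "iot"),
    "aa:bb:cc:dd:ee:03": ("tv-livingroom", "iot"),
}

# Constructed lease table in dnsmasq's leases format:
# <expiry epoch> <mac> <ip> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1666089600 aa:bb:cc:dd:ee:01 192.168.10.20 laptop-anne 01:aa:bb:cc:dd:ee:01
1666089610 aa:bb:cc:dd:ee:02 192.168.20.7 * *
1666089620 AA:BB:CC:DD:EE:03 192.168.10.31 tv-livingroom *
1666089630 aa:bb:cc:dd:ee:09 192.168.20.44 smartplug-1 *
"""


def segment_of(ip):
    """Name the segment an address belongs to, or None if it is in no
    planned segment at all (which is itself worth a look)."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_leases(text):
    """Yield one dict per lease line; MACs are normalised to lowercase so
    that inventory lookups do not depend on how the server cased them."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        yield {"mac": parts[1].lower(), "ip": parts[2], "hostname": parts[3]}


def reconcile(lease_text, inventory):
    """Compare observed leases with the inventory and return findings:
    ('unknown-device', mac, ip, segment) for MACs not in the inventory,
    ('wrong-segment', name, ip, segment) for known devices on the wrong
    network, and ('not-seen', name) for inventory entries with no lease."""
    findings = []
    seen = set()
    for lease in parse_leases(lease_text):
        seen.add(lease["mac"])
        seg = segment_of(lease["ip"])
        known = inventory.get(lease["mac"])
        if known is None:
            findings.append(("unknown-device", lease["mac"], lease["ip"], seg))
        elif seg != known[1]:
            findings.append(("wrong-segment", known[0], lease["ip"], seg))
    for mac, (name, _expected) in inventory.items():
        if mac not in seen:
            findings.append(("not-seen", name))
    return findings


if __name__ == "__main__":
    for finding in reconcile(SAMPLE_LEASES, INVENTORY):
        print(*finding)
```

In the sample, the living-room TV has wandered onto the trusted subnet and a smart plug nobody recorded has appeared on the IoT subnet; both are exactly the "new toy on the wrong network" and "unrecorded thermostat" cases from the paragraph above. A lease table is only one source of truth, so in practice you would feed the same check from ARP tables or switch MAC tables as well, since a device with a static address never takes a lease.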
Food for thought this week!
Upcoming Virtual Workshop
Eight years after its release, many organizations still find themselves struggling with how to implement the NIST CSF. In this virtual workshop, we will break it down into a simple, 7-step process that anyone can follow.
Have a great week!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺