Cyber Security News & Tips by Glenda R. Snodgrass for The Net Effect

June 13, 2023

Good morning, everyone!

This week’s critical vulnerabilities:
  • KeePass has released an update to fix a critical vulnerability
  • Barracuda is now urging replacing, not patching, its Email Security Gateway (ESG) devices, due to "a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes." Active exploitation has been underway since October.
  • VMware Aria Operations for Networks should be patched ASAP
  • Cisco has released a critical fix for Cisco Secure Client (formerly AnyConnect Secure Mobility Client) software
  • The recently-patched zero day in MOVEit Transfer is under active exploitation
  • Gigabyte has released a patch for backdoored motherboards
  • Critical patches have been released for Zyxel ZyWALL Devices

Let's look at "Identify"

Last week's newsletter talked about detection, one of the five core functions of the NIST Cyber Security Framework (CSF). Personally, I love the CSF and think that more organizations should incorporate it into their risk management program. Let's talk a bit about the first core function this week, Identify. Why is this important? You can't secure it if you don't know it's there.

What needs to be identified?

  • Hardware
  • Software
  • Network devices
  • Wireless access points
  • Smart "things"

A while back, we were conducting a security assessment for a local company with multiple locations. In one of the locations, we found a wireless access point that was unknown to the IT person and the business owner. We learned that the sales manager had purchased and installed it on his own, so he'd have wireless for his tablet when working from that location. He configured the device so it couldn't see the local network, and thought it was safe. Unfortunately, he didn't understand that the local network was connected to headquarters and all other branches via a wide area network, and every one of these computers was fully visible to that wireless access point -- which had NO PASSWORD!

Remember that time that NASA's Jet Propulsion Laboratory was hacked because of an unauthorized device? Printers are a common problem, too.

And hey, this applies to home networks too! If you have network segmentation in place for your IoT devices, and someone gets a new toy but they put it on the wrong network ... How do you know? What do you do? What about that new thermostat the A/C guy just installed -- did he ask for wifi credentials because it's "smart"? Did you give him the right ones? Did you put this on your list of active devices? Did you check for firmware updates?

Ever heard of Grammarly? Ever used it? Do you know how it works? It's a plug-in you can install on your computer or mobile device that will make suggestions to improve your grammar as you type. How does this work? Everything you type is live-streamed to a Grammarly server and analyzed for suggested improvements. Read that sentence again. Everything you type is live-streamed to a Grammarly server ... If your employees have installed Grammarly on a work device, are they sending sensitive corporate and/or customer data offsite without your knowledge? If a family member has installed Grammarly on your home computer, is everyone in the family unknowingly sending private data offsite?

We recently did a security assessment for a client with a new branch office. We discovered a remote access device on the corporate network there. No one could identify the device or explain why it was there. Ultimately it was determined to be part of the security system, managed by a third party, which was supposed to be segmented on its own virtual network, to protect the corporate network. BUT the installation was not done properly. The entire corporate network, every branch office and headquarters, was exposed. Yikes!
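The questions above ("How do you know?", "Did you put this on your list of active devices?") come down to reconciling what is actually on the network against an approved inventory. The following is an added example, not part of the original newsletter: the inventory, segment ranges and lease list are all constructed sample data, and the "ip mac hostname" lease format is an assumption.

```python
import ipaddress

# Constructed sample data: approved inventory, MAC -> (description, approved segment).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("front-desk PC", "corp"),
    "aa:bb:cc:00:00:02": ("office printer", "corp"),
    "aa:bb:cc:00:00:03": ("smart thermostat", "iot"),
    "aa:bb:cc:00:00:04": ("third-party alarm gateway", "security"),
    "aa:bb:cc:00:00:05": ("conference room AP", "corp"),
}
SEGMENTS = {name: ipaddress.ip_network(cidr) for name, cidr in
            [("corp", "10.0.10.0/24"), ("iot", "10.0.20.0/24"), ("security", "10.0.30.0/24")]}
# Constructed lease list in an assumed "ip mac hostname" format.
LEASES = """\
10.0.10.21 AA:BB:CC:00:00:01 frontdesk
10.0.10.22 aa:bb:cc:00:00:02 printer
10.0.10.57 aa:bb:cc:00:00:03 thermostat
10.0.10.80 AA-BB-CC-00-00-04 alarm-gw
10.0.10.99 de:ad:be:ef:00:01 -
"""

def segment_of(ip):
    """Return the name of the segment containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)

def reconcile(lease_text, inventory=INVENTORY):
    """Compare observed leases with the inventory and return a list of findings."""
    findings, seen = [], set()
    for line in lease_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        ip, mac = parts[0], parts[1].lower().replace("-", ":")
        seen.add(mac)
        if mac not in inventory:
            findings.append(("UNKNOWN_DEVICE", mac, ip))
        elif inventory[mac][1] != segment_of(ip):
            findings.append(("WRONG_SEGMENT", mac, ip))
    # Inventoried devices that never appeared: retired, offline, or moved elsewhere.
    findings += [("NOT_SEEN", mac, None) for mac in sorted(set(inventory) - seen)]
    return findings

if __name__ == "__main__":
    for finding in reconcile(LEASES):
        print(*finding)
```

MAC addresses can be changed by whoever controls a device, so a check like this finds honest mistakes and forgotten installs; it is not a substitute for network access control.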

Securing Remote Access Software

Speaking of remote access, last week CISA released a very useful Guide to Securing Remote Access Software. Since many organizations use remote access software of some sort these days, I urge you to make certain your IT group, whether in-house or outsourced, is aware of this guide and follows its recommendations.

Important information for all US Dept of Defense contractors

If you do work for the US DoD, or for any of its contractors, there's a lot going on right now in the realm of cyber security requirements. My latest CMMC Update newsletter discusses some of these, and there is a lot of good info in the archived editions as well. If you aren't a DoD contractor but know someone who is, please share!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Have a great week!

Glenda R. Snodgrass

grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com



Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺
