Ivanti Blog

The Secure-by-Design Pledge: A Commitment to Creating a Safer Digital Future

Wed, 08 May 2024 22:06:03 Z

The exciting benefits of digital transformation and automation — global interconnectedness, efficient operations, greater business outcomes — have come with an equal measure of concern over digital safety. It has become clear that to safely realize the benefits of digital acceleration, as an industry we must take bold steps toward securing the digital landscape and mitigating cybersecurity threats.

At Ivanti this evolution is already under way — and we are committed to being at the very front of the movement. As a company, we have always believed that our customers’ interests – including security – should be a cornerstone of software development. With the threat landscape rapidly evolving, and tactics becoming increasingly aggressive and sophisticated, the imperative to put security first has never been greater.

That is why last month I outlined a bold plan for Ivanti to meet the new reality we are all facing. Our efforts are rooted in Secure by Design principles, weaving security into every stage of our software development lifecycles. Given this commitment, it makes sense that we’re among the first to sign the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design pledge, which they unveiled on May 7, 2024 at the RSA Conference in San Francisco.

The concept of Secure by Design is not new, but it has never been more relevant. It ensures that products are built with security embedded from the ground up, reducing the risk of vulnerabilities and making it more difficult for malicious actors to exploit them. That is why this pledge is so meaningful at this moment in time, and why companies like Ivanti are answering the call. We see this as a meaningful step forward in the industry’s commitment and collaboration around security, and we look forward to setting a new standard for the broader ecosystem.

A bold new level of security

By signing the Secure by Design pledge, we are committing to a set of principles, standards, and actions that will help us further elevate the security of our products and better protect our customers. This includes implementing multi-factor authentication, reducing the use of default passwords, mitigating entire classes of vulnerabilities, increasing the adoption of security patches, establishing a vulnerability disclosure policy and improving our customers' ability to gather evidence of cybersecurity intrusions. I’m pleased that our products and our organization already meet many of these Secure by Design principles, and we are looking closely at opportunities to enhance and accelerate our efforts and practices throughout our organization and product development lifecycle.

For Ivanti, these commitments are far from simply words on paper or empty promises. By signing this pledge, we are making a public commitment to raise the bar and that we will be accountable for delivering. We will work diligently over the coming year to make measurable progress toward each of these goals, and we will update our customers and the wider security community on our progress. We believe that transparency is essential in building trust and fostering a broader culture of security.

Stronger together

We’ve taken a big step by acting as early signers to this pledge. Still, we recognize that we cannot achieve a safer digital future alone. It is crucial that other vendors in the industry also embrace the principles of Secure by Design and take similar steps to prioritize security in their products. We strongly encourage our peers to join us in signing the CISA Secure by Design pledge and to work collaboratively toward our shared goal of protecting our customers and the broader digital ecosystem.

It's good business, and it’s the right thing to do for employees, partners, customers and the communities we serve.

Our recent experience at RSA has only reinforced our belief in the importance of the security community coming together to tackle the challenges we collectively face. Our conversations with customers and partners were invaluable, and they highlighted the need for a collective effort around software security. By sharing knowledge and best practices and holding each other accountable, we can make significant strides toward a stronger and more secure future.

Ivanti is committed to being a leader in this effort, and we look forward to engaging with our customers and the wider community to make Secure by Design the new reality.

What is IRAP Assessment? What to Know About the Latest Compliance for Ivanti Neurons

Sun, 18 Feb 2024 09:24:30 Z

The Australian Information Security Registered Assessors Program (IRAP) assessment is an essential tool for organisations looking to ensure their security posture meets the highest standards.

This assessment, which Ivanti Neurons for IT Service Management (ITSM) and Ivanti Neurons for IT Asset Management (ITAM) went through, is one of the most stringent security assessments available.

The IRAP assessment process

The IRAP program is administered by the Australian Cyber Security Centre (ACSC), a division of the Australian Signals Directorate. The ACSC is responsible for the security of the Australian government’s information and IT systems, and the IRAP assessment process.

The rigorous assessment process conducted by an approved IRAP assessor includes assessing existing policies and procedures, conducting vulnerability scans, and reviewing security measures.

Ivanti Neurons’ IRAP assessment

Under the IRAP assessment, conducted by Aegis9 during the period February to May 2023, using the June 2022 version of the Australian Information Security Manual (ISM) and in line with the ACSC’s Cloud Security Guidance, Ivanti Neurons for ITSM and ITAM were assessed against the requirements to hold, process and communicate Australian government information classified up to and including “PROTECTED.”

Ivanti Neurons for ITSM and ITAM has been assessed in the following areas:

Protection of government and citizen data. Ivanti provides a secure platform for the storage and retrieval of personal and sensitive data.
Secure access to systems. Ivanti uses strong authentication methods and access control measures to ensure that only authorised users can access the system.
Network and system protection. Ivanti provides a robust system for protecting networks and systems from malicious attacks and intrusions.
Security monitoring. Ivanti is equipped with advanced security monitoring capabilities, allowing organisations to monitor their systems and networks for any suspicious activity.

In addition to IRAP assessment, Ivanti Neurons also holds certifications from several other leading organisations, including ISO/IEC 27001:2013, GDPR compliance, SOC 2 Type II, HIPAA Compliance, and FedRAMP Certification.

What Ivanti’s IRAP assessment means for government agencies and public-sector organisations

Federal departments, state agencies and critical infrastructure providers require the highest security standards. The IRAP assessment demonstrates the strong commitment Ivanti has to meeting those strict standards.

Government agencies are continually striving to increase efficiency and reduce costs. To achieve this, they are frequently turning to cloud computing technologies such as SaaS to provide them with a modern platform that will enhance operational efficiency and reduce IT costs.

Ivanti Neurons for ITSM/ITAM is an advanced IT Service Management platform and enables government agencies to improve their Service Delivery across 11 ITIL practices, optimise their assets by understanding what they have, and improve the employee experience through the self-service portal and digital experience management.

In addition, using the same IRAP assessment platform, agencies can expand across to other areas such HR, Facilities, Governance Risk and Compliance, Project and Portfolio Management and Security Operations.

By using Ivanti Neurons for ITSM/ITAM, organisations can achieve their goals faster, improve employee experience and reduce their risk profile. The comprehensive suite of features offered includes automated processes and analytics capabilities that help minimise manual tasks associated with ensuring service quality.

This frees up customers to focus on providing superior customer experiences instead of managing complex back-end operations.

Furthermore, Ivanti Neurons for ITSM is designed to be easily deployable across multiple devices, providing customers with peace of mind that they are using a secure solution from start to finish. Ivanti is committed to assessing more solutions against the IRAP program. Ivanti Neurons for MDM (Mobile Device Management) is currently under IRAP assessment and Ivanti looks forward to sharing the results when complete.

Need additional information? Head over to the Ivanti IRAP page to learn more.

November 2023 Patch Tuesday

Tue, 14 Nov 2023 22:18:09 Z

November 2023 Patch Tuesday has arrived and has a lower overall CVE count than previous months, but includes some urgent fixes that organizations will want to take note of. This month is also the first patch cycle for Server 2012 and 2012 R2 extended support (ESU). On the third-party side, Adobe has released updates and an update from Google Chrome Stable Channel has been updated.

Microsoft updates

Microsoft has resolved 58 new unique CVEs this month, three of which are critical. Three CVEs have confirmed exploits in the wild. There are also some publicly disclosed vulnerabilities that could be considered at higher risk of being exploited. Products affected include Windows OS, Office 365, .Net, ASP.NET, Azure DevOps Server, Visual Studio, Exchange Server and SQL Server.

Microsoft Server 2012 and 2012 R2 officially reached their end-of-life in October. Today, there are updates available for these server editions if an organization has subscribed to Microsoft ESU.

Microsoft zero-day ulnerabilities

Microsoft has resolved an Elevation of Privilege vulnerability is Windows DWN Core Library (CVE-2023-36033). The CVE is rated as Important by Microsoft and has a CVSS score of 7.8, but exploits have been detected in the wild.

There is proof-of-concept code samples publicly available, making it easy for additional attackers to utilize. No user interaction is required to exploit the vulnerability, and if exploited, an attacker could gain system-level privileges. The vulnerability affects all Windows 10, 11 and Server editions. Regardless of severity and CVSS rating, this vulnerability is actively being exploited and warrants higher prioritization.

Microsoft has resolved an Elevation of Privilege vulnerability in Windows Cloud Files Mini Filter Driver (CVE-2023-36036). The vulnerability is rated as Important and has a CVSS score of 7.8, but exploits have been detected in the wild. No user interaction is required to exploit the vulnerability, and if exploited, an attacker could gain system-levelprivileges. The vulnerability affects Windows 10, 11, and Server 2008 and newer server OS editions.

Organizations that are still running Server 2008, 2008 R2, 2012 or 2012 R2 should ensure they are subscribing to a Microsoft ESU subscription or take additional precautions to protect these older server editions. Regardless of severity and CVSS rating, this vulnerability is actively being exploited and warrants higher prioritization.

Microsoft has resolved a Security Feature Bypass vulnerability in Windows SmartScreen (CVE-2023-36025). The vulnerability is rated as Important and has a CVSS score of 8.8, but exploits have been detected in the wild. An attacker can convince a user to click on a specially crafted URL and bypass Windows Defender SmartScreen checks.

The vulnerability affects Windows 10, 11, and Server 2008 and newer server OS editions. Organizations that are still running Server 2008, 2008 R2, 2012 or 2012 R2 should ensure they are subscribing to a Microsoft ESU subscription or take additional precautions to protect these older server editions.

Regardless of severity and CVSS rating, this vulnerability is actively being exploited and warrants higher prioritization.

Microsoft publicly disclosed vulnerabilities

Microsoft has resolved a Denial of Server vulnerability in ASP.NET (CVE-2023-36038). The vulnerability is rated as Important and has a CVSS score of 8.2. The vulnerability has been publicly disclosed, which increases the risk that threat actors may be developing or will develop an exploit. Under the right conditions, an attacker who successfully exploits this vulnerability could cause a total loss of availability.

Microsoft has resolved a Security Feature Bypass in Microsoft Office that allows an attacker to bypass the Office Protected View and open in editing mode rather than protected mode (CVE-2023-36413). The vulnerability is rated as Important and has a CVSS score of 6.5. The vulnerability has been publicly disclosed, which increases the risk that threat actors may be developing or will develop an exploit. The vulnerability affects Microsoft Office and 365 Apps editions.

Microsoft has updated a previously published CVEs (CVE-2023-38039 and CVE-2023-38545) affecting HTTP headers and SOCKS5 heap buffer overflow to include an updated version of curl 8.4.0, which addresses the vulnerabilities. Organizations that implemented the mitigations provided on October 19th, 2023 should follow the guidance provided in the following documentation: Remove Windows Defender Application Control (WDAC) policies.

Microsoft Exchange vulnerabilities of note

Some of these exchange vulnerabilities caught some recent headlines in early November because of timing of the disclosures from the researcher not lining up with Microsoft’s release criteria. Some researchers have very hard timeframes, from informing the vendor to releasing details publicly. If the vulnerabilities didn't meet criteria for out-of-band release, then they would fall into the next release cycle. A few of these Exchange CVEs appear to fall into such a case. No exploits or disclosures were reported against the five Exchanges CVEs.

CVE-2023-36035 Microsoft Exchange Server Spoofing Vulnerability
CVE-2023-36039 Microsoft Exchange Server Spoofing Vulnerability
CVE-2023-36050 Microsoft Exchange Server Spoofing Vulnerability
CVE-2023-36439 Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-1730 Microsoft Exchange Server Spoofing Vulnerability (information only change)

Third-party updates

Adobe has released updates for 14 products including Adobe Acrobat and Acrobat Reader. Adobe resolved 76 CVEs across the product updates, including 40 Critical CVEs. No exploits or public disclosures have been reported.

Based on Adobe's priorities, these would all fall into their Priority 3 as most of the products are less likely to be targeted (like ColdFusion, InCopy, etc.) Adobe Acrobat and Acrobat Reader is the most likely to be targeted as it is more widely available on systems. Recommendation would be to prioritize APSB23-54 : Security update available for Adobe Acrobat and Reader for remediation to be safe.

Google Chrome has moved to a weekly release cadence for security updates. Chrome's stable channel has been updated to 119.0.6045.159 for Mac and Linux and 119.0.6045.159/.160 for Windows and includes 4 CVEs. Expect Chromium-based browsers to update shortly.

October 2023 Patch Tuesday

Tue, 10 Oct 2023 22:03:02 Z

There's been a long string of zero-day events through September and into the October Patch Tuesday lineup. Apple had five zero-day vulnerabilities across most of their products culminating in their updates that were released on September 26th (which also included the EoL of Big Sur).

Google and Mozilla continued to be busy with several zero-day vulnerabilities in the open-source library, Libwebp. This also impacted chromium-based browsers like Microsoft Edge, Opera and others. For more details on the lineup of CVEs leading up to October Patch Tuesday, check out our Patch Tuesday Forecast on HelpNetSecurity.

Microsoft has resolved 104 new CVEs this month, three of which are flagged as exploited. The lineup from Microsoft includes Windows, Office 365, SQL Server, Exchange Server and multiple Azure components. Along with the large lineup of fixes, October also marks the end-of-life for Windows Server 2012 and 2012 R2.

Microsoft zero-day vulnerabilities

Microsoft has resolved an Elevation of Privilege vulnerability in Skype (CVE-2023-41763) which allows an attacker to send a specially crafted network call to a target Skype for Business server. The network call could cause the parsing of an http request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attacker. The CVE is rated as important and has a CVSSv3.1 of 5.3, but proof-of-concept code has been disclosed and there are exploits detected in the wild. This CVE should be treated as a higher severity than Important due to the risk of exploit.
Microsoft has resolved an information disclosure vulnerability in WordPad (CVE-2023-36563) which allows the disclosure of NTLM hashes. The CVE is rated as Important and has a CVSSv3.1 of 6.5, but proof-of-concept code has been disclosed and there are exploits detected in the wild. This CVE should be treated as a higher severity than Important due to the risk of exploit.
Microsoft has resolved a Denial of Service vulnerability in the HTTP/2 protocol (CVE-2023-44487) which allows request cancellation that can reset many streams quickly. The vulnerability has been exploited in the wild since August. The vulnerability has been resolved in the Windows OS and in Visual Studio, .Net and ASP.Net. The CVE doesn't have a CVSS calculated, and Microsoft’s severity is only rated as Important, but due to active exploitation this CVE should be treated as a higher severity.

Windows Server 2012\2012 R2 and Windows 11 21H2 end-of-life

This patch Tuesday will include the latest updates for Windows 11 21H2 and Microsoft Server 2012/2012 R2. The later go into Extended Security Support (ESU) starting with a November release, and Microsoft also announced the keys used to enable these updates will be managed as part of Azure Arc. They should be released next week.

End-of-life software poses a risk to an organization. No public updates will be available for these OS versions going forward. For Windows 11 users, this means upgrading to a new Windows 11 branch. For Server 2012\2012 R2 it'shighly recommended to subscribe to ESU or migrate to a newer server edition.

Linux zero-day vulnerabilities

CVE-2023-42115 has a whopping 9.8 CVSS and affects the Exim software solution, a message transfer agent (fancy way of saying email server) that’s very popular on Linux (including web hosters), which wasvulnerable to remote code execution. This vulnerability had been reported for over a year to the original developers but never addressed properly and is now public. There's exploit code available in the wild. It particularly affects servers configured with centralized identity management, including in mixed Windows/Linux environments with Active Directory.
Exim announced on October 2nd that a security update for exim-4.96.1 and 4.97 has been created to mitigate this CVE and two other zero-days (with three other zero-days remaining unpatched). Exim is an important MTA software because it’s bundled with “control panel” web hosters, including in docker images.
CVE-2023-4863 is a 9.1 CVSS heap-based buffer overflow that affects libwebp, which is a library used by countless applications (for example Google Chrome, Firefox or Brave) to render images on screen. It's beenfound to be vulnerable to an exploit, which is already in the wild, and all the applications using it'll be affected — which are essentially any applications that show or process images in the "webp" format (or its derivatives). This is remotely exploitable and requires no interaction to trigger – simply viewing a malicious image is enough to trigger it.

Linux vulnerabilities can have a long tail, from the publishing of the CVE to patches being made available by Linux distributions. To monitor the latest Linux CVEs, check out TuxCare’s detailed CVE Tracker.

International Inconsistencies: How Cybersecurity Preparedness Varies Across Countries

Tue, 03 Oct 2023 04:02:00 Z

Part three of a four-part series covering Ivanti’s latest research. Get the full series:

An organization’s culture and training programs have a significant influence on security preparedness, but our research shows both are inconsistent at the country-to-country level.

As we’ve seen in the previous posts in this series, employee demographics and their willingness to report security risks are hidden threats to your cybersecurity posture.

But new research from Ivanti shows us there are notable variations between countries in employee beliefs and behaviors regarding cybersecurity. This poses a unique hidden threat to organizations operating in multiple regions.

Get the report: Hidden Threats: How workforce demographics impact your security posture

Security cultures by country

Our research shows important differences in security culture at the country level — both in terms of training provided by the organization and employee-level attitudes. Some examples:

In Germany, 83% said they would feel safe reporting their mistake to the security team, compared to 61% of employees in Japan.
In India, 55% said they believe they have an impact on the company’s cybersecurity efforts, while just 7% said the same in China and 16% said so in France.

“These country-level differences are an interesting lens through which to study preparedness. It’s easy — and common — for a security team to judge security based on what’s taking place in their largest or nearest office. Our latest research shows how important it is to explore more granular data and uncover security procedures at every location — whether at headquarters, R&D facilities, supply chain outposts or manufacturing locations.”

Daren Goesen, SVP, Product Management, Ivanti

How local culture interacts with global security programs

Culture can influence how organizations defend their assets and people, as well as how they respond to an attack. These challenges include:

Employee discomfort with training that was developed at the global level (e.g., poor translation of teaching materials into local language and culture).
Employee unease with new standards or rules that have not been “socialized” at the local level.
A top-down local office culture that leaves little room for individuals to report errors or concerns.
Substandard security support for local offices; for example, employees with questions or concerns must contact a security team member in a different country — and endure language and cultural barriers.

All these issues can make it easier for malicious actors to disrupt day-to-day operations.

Why it matters

Many organizations have a top-down approach to training and security culture, but the research shows it’s critical to understand local security culture — and even local culture — to put together a coherent plan.

No matter where they're from, every new hire introduces their own unique vulnerabilities to the organization, intentionally or not. Undertrained employees risk diluting the strength of the overall organization's preparedness.

To minimize this risk, organizations must invest in strong onboarding and ongoing security training programs at global and regional levels.

In our next post in this series, we’ll detail this and other effective measures an organization can take to address the hidden threats we’ve explored.

Taking a Real Look at Hidden Risk

Tue, 03 Oct 2023 04:01:02 Z

Part four of a four-part series covering Ivanti’s latest research. Get the full series:

Big-picture excellence can hide pockets of risk. It’s time to explore security risk in detail — drilling down to look at vulnerabilities hidden in the data and by taking preventative action.

As the previous posts in this series have shown, employee demographics, their willingness to report security risks and country-to-country security culture differences pose hidden threats to your company’s cybersecurity efforts. They’re threats that have been uncovered in new research from Ivanti.

It’s up to an organization to take concrete steps to mitigate these threats. What are some of the key measures you can take?

Get the report: Hidden Threats: How workforce demographics impact your security posture

Survey your employees to uncover demographic propensities

Use an anonymous survey to surface insights about your employee base — paying close attention to demographic differences.

Are there unexpected findings? Conclusions that run counter to expectations? Use the findings to step up your training and outreach efforts, matching solutions to the segments of your employee base that need additional support.

Sample questions for an anonymous study of employee attitudes:

Can you identify a phishing attempt?

Have you been given resources and/or tools to identify a phishing attempt?

Do you feel comfortable asking the security team a question?

Do you feel safe reporting an error to the security team?

Do you think your actions have an impact on the organization’s security?

Challenge stereotypes about digital savviness and safety

Have your security team complete an anonymous survey that examines their assumptions about different employee groups. Do they believe older employees act less safely? How do those results compare to your general employee survey findings?

Try to shed light on assumptions that are not only unfair but untrue — and on how stereotypes might affect your security readiness.

“Part of understanding chronic repeat [phishing] clickers should involve a bit of investigation. In an organization of 5,000 people, it could be that there are certain roles that naturally encourage people to click even when your awareness program and other training discourages it. I’m thinking about departments that are constantly understaffed, departments whose job it is to process large amounts of email (e.g., recruiting), etc. Before anyone blames the end user, an organization should try to see if they are accidentally putting certain sets of users in no-win situations.”

- Reddit comment on why some employees are more likely to fall for phishing emails

Understand how global security culture is translated into local languages and culture

When developing any new training and guidelines or deploying new security technology, make certain to consult with local divisions to gain their input and buy-in. Simply translating educational materials and communications is not enough.

Solicit feedback from local offices about how well these programs “translate” to regional offices and the challenges they may encounter. Where possible, design materials that are culturally sensitive and appropriate for local offices.

Design the tech stack to minimize pockets of nonconformity and inconsistency

Rather than relying on individual users to conform to security protocols, build stronger back-end automation that is effectively hidden from end users — interventions that make compliance frictionless. For example:

Just-in-time software updates: Most employees don’t relish shutting down their computers and rebooting for software updates, so they tend to postpone the process indefinitely. Instead, use a system that forces a restart within 72 hours; this way, employees have some control over when the reboot takes place, even while enforcing needed updates.
No-stress password hygiene: Instead of asking employees to update passwords on a regular schedule, implement a technology that allows users to access two-factor password apps — no remembering or sticky notes needed.

Address how to build an open and welcoming security culture

It should be a culture in which there are no barriers to contacting security professionals, no matter how small the question or concern or how foolish the mistake is.

What are the key tenets of a strong security culture?

Open: Employees feel safe reporting an incident and are rewarded for their honesty and transparency. They feel comfortable approaching the security team no matter how trivial their question or concern may seem.
Iterative: The organization provides frequent, iterative training that’s compelling to employees. In between formal sessions, IT uses various tactics to keep security top of mind – from gamified security contests to lunchtime workshops.
Designed: Employee behavior is sharpened by tech-driven behavioral interventions. They are designed so well that they eliminate dreaded workarounds and non-compliance. As one security expert explained,

“Repeat clickers aren’t really the problem, or more accurately, they’re a relatively predictable problem. If you know someone has a hard time detecting deception, they need guardrails, not punitive measures or more ineffective training.”

Comment from the r/cybersecurity Reddit forum

Integrated: The responsibility for security is shared by all, and your employees are invested in keeping the organization safe.

Which Gen Is Most Tech-Savvy? A Workforce Dilemma

Tue, 03 Oct 2023 04:01:01 Z

Part one of a four-part series covering Ivanti’s latest research. Get the full series:

According to new cybersecurity research by Ivanti, the employees who are the most tech-savvy aren’t necessarily the ones we’d presume, demographically speaking. Why is that? And what are the issues it creates for an enterprise?

For a new report, Ivanti surveyed 6,500 executive leaders, cybersecurity professionals and office workers across the globe to get a better understanding of:

Employees’ attitudes toward cybersecurity and their perceived role in defending organizations.
Security professionals’ diagnoses of key challenges and vulnerabilities.
Leaders’ tech behaviors, as well as their level of buy-in to cybersecurity strategy.

Some of the results were, in a word, surprising. And that starts with what we’ll examine in this first article in a four-part series about the hidden threats facing even those organizations that have solid cybersecurity programs in place.

Get the report: Hidden Threats: How workforce demographics impact your security posture

The opposite of expectations

Many assume older employees are less tech savvy — and therefore more likely to engage in risky behaviors. In fact, our research found that the opposite is true.

Younger professionals (those under 40) are significantly more likely to disregard important security guidelines compared to Gen X and older. This is true about performing password hygiene, clicking on phishing links and sharing devices with family and friends.

Why it matters

These oversights, lapses and shortcuts add up to significantly higher security vulnerabilities with younger employees.

Stereotypes about age-based tech savviness may be leading organizations astray. And the problem isn't only related to cyberhygiene (e.g., password habits, sharing devices); the research shows younger professionals are also less likely to report red flags when they encounter them.

Among those 40 and under, 77% said they reported the last phishing email or message they received, compared to 88% of those over 40. The most common reason for not reporting? “I didn’t think reporting was important.”

Stereotypes about older workers are particularly insidious because tech workers skew younger — and so may be more likely to believe their older colleagues are uninformed or vulnerable.

For example, a study of 2,250 professionals in the UK found tech workers viewed colleagues as “over the hill” and “too old for their job” when they reached 38 years old. (Keep in mind, this is in relation to their tech industry peers, not average employees, who are less likely to be tech savvy.)

Solution? Automate cybersecurity “savvy”

These findings underline why organizations need to rely less on employees’ individual judgment and more on tech interventions that make rule-following effortless.

Even better: deploy automations that run behind the scenes such that your end users aren’t even aware they exist.

“Assuming that younger employees are more security-conscious and tech-savvy is outdated and even dangerous. Organizations should road test these assumptions by conducting internal research that captures their own employees' attitudes about security risk and their part in managing it.”

Daniel Spicer, Chief Security Officer, Ivanti

In the next post in this series, we’ll examine the hidden threat that comes from employee reluctance to raise red flags about cybersecurity dangers.

Red Flag Reluctance: The Risk to Cybersecurity

Tue, 03 Oct 2023 04:01:01 Z

Part two of a four-part series covering Ivanti’s latest research. Get the full series: 

Keeping an organization safe means getting near-real-time information about security incidents or breaches. But new research shows some employees are less inclined than others to report red ﬂags, which puts your business at risk.

Will your employees get in touch quickly if they have a security concern? Again, it’s dangerous to assume they’ll take action even when they understand the potential risk to their organization.

In the first post in this series, we looked at the hidden cybersecurity threat created by employee demographics and dangerous presumptions companies make about them. In this article, we’ll see what new research from Ivanti reveals about the reluctance of some workers to raise red flags, even about very critical threats.

Get the report: Hidden Threats: How workforce demographics impact your security posture

What groups are less likely to raise alarms?

Ivanti’s research, involving a survey of 6,500 executive leaders, cybersecurity professionals and office workers worldwide, shows specific segments of your employee base may hesitate to reach out to alert your cybersecurity team about issues.

This is something any organization should be aware of as it develops outreach and training programs for its employees. So what are the groups that are more likely and less likely to raise red flags?

Seniority

The biggest swing variable in reporting issues is seniority. Seventy-two percent of leaders we surveyed say they’ve contacted a cybersecurity employee with a question or concern, compared to just 28% of office workers.

Did you know?

Executives are twice as likely to report security interactions as "awkward" or "embarrassing" than office workers. These more frequent, yet negative security interactions may accelerate executives' use of external, non-approved tech support – reportedly at four times the rate of office workers.

Gender

Women are less likely than men to do the same. Twenty-eight percent have contacted a cybersecurity employee with a question or concern, compared to 36% of men.

Region

Willingness to contact security varies greatly by country. For example, nearly half of office workers in China have contacted the security team with a question or concern, compared to just 20% in Australia.

Why it matters

Your security position depends on hundreds or thousands of employees playing defense. Do your employees know they’re valuable members of the extended security team?

Our security preparedness study asked security professionals about their biggest industry-wide vulnerabilities. Ransomware and phishing ranked number one and two. And these threats are becoming more dangerous with each passing year due to advances in generative AI, which make phishing harder to spot.

All this means your employees need to feel comfortable approaching IT and security — even if the only “proof” they have of an incoming attack is a nagging doubt. (Some examples: an atypical wire transfer request, a suspicious invoice reminder, or an unsolicited password reset link.) During an active security incident, speed is the single most important factor in defending against an attack.

When employers conduct sentiment surveys to understand employee attitudes, they should drill down to investigate demographic patterns and vulnerabilities. These insights are key to improving overall security preparedness.

“We’ve experienced a few advanced phishing attempts, and the employees were totally unaware they were being targeted. These types of attacks have become so much more sophisticated in the last two years — even our most experienced staff are falling for it..”

— Ivanti survey respondent

In our next post in this series, we’ll dig into the matter of geography. For a large or multinational organization, it’s vital to understand how employee cybersecurity beliefs and behaviors vary – sometimes considerably – by country.

September 2023 Patch Tuesday

Tue, 12 Sep 2023 21:17:26 Z

September 2023 Patch Tuesday has a lot of activity. The theme this month: "Everyone has a zero-day release!"

Microsoft has resolved 63 total vulnerabilities including two exploited zero-days (CVE-2023-36761 and CVE-2023-36802). Google Chrome resolved one zero-day vulnerability (CVE-2023-4863) on September 11, which is also included in the Microsoft Edge Chromium release. Adobe resolved a zero-day vulnerability in Acrobat and Reader (APSB23-34 CVE-2023-26369) on September 12. Apple resolved two zero-days on September 7 (CVE-2023-41064 and CVE-2023-41061). There aren’t any recent zero-day vulnerabilities on the Linux side, but there are three recent vulnerabilities that are affecting some core capabilities in the Linux Kernel that warrant some attention.

Microsoft updates

Microsoft has resolved a total of 63 vulnerabilities this month, including two exploited vulnerabilities. The zero-day vulnerabilities are in Word (CVE-2023-36761) and the Windows OS (CVE-2023-36802). Microsoft Edge (Chromium) should be releasing shortly and will include a fix for the Chrome zero-day CVE-2023-4863.

Microsoft has resolved an Information Disclosure vulnerability in Word (CVE-2023-36761) that has been exploited in the wild. The vulnerability is only rated as Important by Microsoft and has a CVSSv3.1 score of 6.2, but the confirmed exploitation should raise this on your priority list. The Preview Pane can also be used as an attack vector, making it easier to target users to exploit the vulnerability. If exploited, the attacker could gain access to NTLM hashes.
Microsoft has resolved an Elevation of Privilege vulnerability in the Microsoft Streaming Service Proxy (CVE-2023-36802). The vulnerability is only rated as Important by Microsoft and has a CVSSv3.1 score of 7.8, but the confirmed exploitation should raise this on your priority list. If exploited the attacker could gain SYSTEM privileges on the target system.

Third-party update

Google has resolved a Critical heap buffer overflow vulnerability in the Chrome browser (CVE-2023-4863). Google is aware that an exploit for CVE-2023-4863 exists in the wild. Windows instances should update to 116.0.5845.187/.188 and for MacOS and Linux 116.0.5845.187.
Adobe Acrobat and Reader released APSB23-34, resolving one critical vulnerability (CVE-2023-26369) that is confirmed to be exploited in the wild. The vulnerability is an out-of-bounds write vulnerability that could allow an attacker to execute arbitrary code.
Mozilla has released updates for Firefox and Firefox ESR. No zero-days, just a decent lineup of CVEs resolved.

Linux update

There are three CVEs of note on the Linux platforms:

CVE-2023-3111 is a use after free vulnerability in btrfs in the Linux Kernel affecting all versions of Linux. A use after free vulnerability could allow an attacker to leak data from memory, overwrite critical information, execute arbitrary code and bypass Address Space Layout Randomization (ASLR).
CVE-2023-3390 is a vulnerability in the Linux Kernel’s nftables API in the netfilter subsystem that could allow privilege escalation. The vulnerability affects Debian and Ubuntu.
CVE-2023-35001 is an out of bounds read\write vulnerability in nftables. These types of vulnerabilities can cause a crash, data corruption, code execution, or allow attackers to read sensitive information from other memory locations.

The changes affect two commonly used components in the Linux Kernel. These components are also used by a variety of solutions from Firewalls to SANs and could affect foundational capabilities.

Btrfs is the filesystem utilized by most Enterprise Linux distributions (Ubuntu, Debian, Redhat, etc.).
Nftables is used by any modern firewall solution. Regardless of distribution, it will either be built in through the system itself or third-party applications it will use. The component provides high-performance packet inspection and routing.

None of the vulnerabilities are currently exploited so there is time, but you should take advantage to ensure you are testing the changes across your environment adequately.

Linux vulnerabilities can have a long tail from publishing of the CVE to patches being made available by Linux distributions. To monitor the latest Linux CVEs, check out TuxCare’s detailed CVE Tracker.

Apple update

Apple released updates resolving two exploited vulnerabilities on September 7. The updates affect iOS, iPadOS and macOS. The two CVEs have confirmed exploits in the wild and CISA has updated the KEV list adding these two vulnerabilities.

CVE-2023-41061 is a vulnerability in Apple Wallet affecting iPhone and iPad. The vulnerability allows an attacker to create a specially crafted attachment which could allow them to execute arbitrary code.
CVE-2023-41064 is a vulnerability in Apple ImageIO affecting iPhone, iPad and macOS. The vulnerability could be used to craft a malicious image which would allow an attacker to execute arbitrary code when processed.

Update priorities for September

Windows OS, macOS, iPhone, iPad, all browsers and Adobe Acrobat and Reader. Which pretty much feels like everything.

ITAM vs. ITSM vs. ITOM: What's the difference?

Thu, 31 Aug 2023 17:42:40 Z

IT asset management (ITAM) and IT service management (ITSM) are critical for any organization that requires IT capabilities to support business objectives. Both technologies provide IT operational support to an organization, but the nature and objectives of these technologies are quite different.

Further, these processes are different than ITOM, or IT operations management, which encompasses managing the operations of an IT infrastructure and involves the monitoring, troubleshooting and maintenance of IT systems, applications and services.

Here, we will explore the differences and similarities between ITAM and ITSM.

ITAM – IT asset management

An “IT asset” refers to both hardware and software that an organization uses to support its business objectives. When organizations have accurate IT asset inventory reports, they’re able to make informed IT purchase decisions. However, IT assets are often updated, moved and refreshed, making it difficult to maintain up-to-date asset information.

When IT asset reports are inaccurate, they expose the organization to unnecessary IT purchases, software audits and security breaches. ITAM provides recommendations and best practices for managing IT assets that support the organization’s objectives. So a short definition would be:

IT asset management involves accounting for, deploying, maintaining, upgrading and disposing of an organization's IT assets as needed. In essence, it's ensuring that all these assets, whether tangible or intangible, are being properly tracked and utilized within the organization.

IT asset management (ITAM) best practices suggest that an IT asset be linked to its associated contractual and financial information so that organizations can track the overall costs associated with their IT assets.

Furthermore, ITAM provides guidance to IT asset managers on creating standards, processes, policies and measurements to increase control. This ensures compliance with business objectives and reduces risk, along with containing or reducing costs.

When ITAM practices are implemented, IT assets will be tracked from purchase to disposal; often called IT asset lifecycle management. For example, an ITAM hardware disposal process will ensure that when old laptops are disposed of during a refresh, the associated software licenses are properly harvested so they can be redeployed.

According to Gartner, IT asset management (ITAM) provides an accurate account of technology asset lifecycle costs and risks to maximize the business value of technology strategy, architecture, funding, contractual and sourcing decisions.

Other aspects of ITAM

To ensure efficient IT asset lifecycle management, ITAM business practices include processes for IT asset requests, approvals, procurement, disposal and redeployment. These processes ensure that IT assets are documented when purchased and properly tracked as they’re deployed and redeployed.

In looking at ITAM vs. ITSM, it’s important to remember that most IT service management (ITSM) solutions provide capabilities that support IT requests and approvals. So it’s important that ITAM solutions selected by an organization integrate with the organization’s ITSM solution.

It's also important to note that most comprehensive ITAM solutions offered by software vendors provide processes that span multiple departments of an organization. This means that most IT asset management solutions are selected and owned by business executives, not IT managers.

ITSM – IT service management

Organizations that require IT assets to support business objectives also require IT services to ensure assets are properly working in the role for which they were purchased. IT service management (ITSM) is not just about software tools; it’s also about processes, people and technology. ITSM software is a component of the overall ITSM solution, one we can define as:

IT service management is a strategic approach for designing, delivering, managing and improving the way you use information technology (IT) within an organization. The goal of IT service management is to ensure that the right processes, people and technology are in place so that the organization can meet its business goals.

ITSM software solutions come with several components such as a database, business objects (users, groups, roles, etc.) and a process engine. Most ITSM solutions offered by vendors today follow industry best practices.

ITOM – IT operations management

ITOM differs from ITAM or ITSM in that it covers a wide range of activities, from managing the physical hardware to managing the software and applications that run on it. It also involves ensuring the security and availability of IT systems. The ultimate goals of ITOM are to optimize the performance and efficiency of IT systems and to ensure they meet the needs of the organization. ITOM also ensures that IT systems comply with industry standards and best practices.

Industry best practices

Another aspect of the ITAM vs. ITSM backstory is that as IT solutions became more widely adopted, a need grew for industry standards. These standards were necessary to define common terminology and establish best practices.

ITAM subscribes to the best practices of the International Association of Information Technology Asset Management (IAITAM), adding a layer of professional insight across its capabilities.

Originally, ITSM was aligned only with the IT Infrastructure Library (ITIL). However, it has since expanded to include other standards such as ISO2000, VeriSM and IT4IT.

In terms of compliance processes, ISO 20000 is more stringent and authoritative than ITIL. ITIL, on the other hand, is a set of recommended best practices that organizations can choose to implement to varying degrees, according to their needs and preferences.

VeriSM is a service management approach for the digital age that helps service providers create a flexible operating model to meet desired business outcomes.

The IT4IT Reference Architecture standard consists of the IT Value Chain and a three-layer reference architecture. The IT Value Chain comprises the four IT value streams, which play a vital role in helping IT control the service model as it advances through its lifecycle.

All these standards have overlaps across all aspects of best practices while looking at them from slightly different angles.

To help IT service employees stay up to date and educated, each of these industry best practices offers certification and training. These certifications emphasize practical skills and procedures rather than specific products.

These software solutions are typically designed to meet most, if not all, of these industry recommendations.

Organizations like Pink Elephant exist to evaluate ITSM software solutions and certify them against industry standards. If you plan to implement best practices, choosing certified ITSM tools is advisable.

CMDB or ITAM?

Another point to understand in looking at ITAM vs. ITSM? Comprehensive ITSM solutions offer configuration management capabilities along with a configuration management database (CMDB) to support and manage IT assets that provide services to the organization.

Both ITAM and ITSM provide guidance for managing IT assets, which can be confusing until you explore the objectives of each practice.

ITAM objectives focus on managing an IT asset’s overall cost, including ownership, associated contracts with asset lifecycle, warranty and refresh information. ITAM focuses on IT assets from an organization’s financial perspective.
An ITSM’s configuration management objectives look at IT assets from an operational and support perspective. Asset availability and stability impact an organization’s day-to-day operations, so assets need to be documented along with their configuration and service offerings.

Can you use a CMDB for ITAM?

To answer this question, let’s take a look at how airlines manage their flights. Airlines manage their flights using a database with flight numbers that describe a service. A separate asset database maintains inventory information listing the physical aircraft, along with relevant maintenance information.

When a problem is found with an aircraft, the airline will sometimes swap the aircraft for another. Because they maintain services and equipment in different databases, the airline can switch out the aircraft without having to change the flight number.

Much as it wouldn’t be practical for this airline to manage its flight services in the same database they use to manage its aircraft inventory, it’s not practical to use a CMDB for both ITAM and Configuration Management.

Most IT assets are refreshed every 3–4 years, while IT configurations with supporting assets are maintained and updated, not replaced. Therefore, you should use a CMDB to maintain and manage the lifecycle of a service while pulling the supporting assets from an IT asset management database.

Summary: ITAM vs. ITSM is really ITAM + ITSM

ITAM and ITSM are both critical for any organization that uses IT assets to support business objectives. In considering ITAM vs. ITSM, it’s really not a matter of choosing between the two but combining as a perfect pairing. Both have an essential role and work more powerfully as a team.

When looking to build, expand or change your IT asset management solution or your IT service management solution, you need to be sure to explore integration capabilities for both solutions.

With the right tools in place, you can automate and improve IT processes that support IT assets. These improvements increase efficiency and control while reducing the inevitable costs and mistakes that occur from manual tasks being performed by an operator or analyst.

5 Reasons Why NIS2 Directive Preparation Should Start Now, Part Two: Implementation Takes Time

Mon, 28 Aug 2023 17:43:02 Z

In a previous blog post, I discussed the two main areas to audit before the European Union’s updated Network and Information Security Directive (NIS2) becomes ratified law in October 2024. Specifically, these audits would:

Identify your gaps with the NIS2 directive’s requirements now.

Review your current supply chain security flaws.

Now that we’ve discovered these security flaws, we must fix them — before time runs out in October 2024.

So, in this post, I’ll walk you through how to resolve your weakest security issues before the NIS2 Directive deadline hits by addressing these three key areas:

Inform management about your cybersecurity gaps
Correctly implementing new organisation and technical security measures
Find time to train all of your employees

1. Inform management about your gaps – and get budget to remediate them

The NIS2 Directive imposes significant obligations on organisations that fall under its scope, which may entail substantial costs and resources. The Directive also introduces hefty fines and sanctions for non-compliance, up to a maximum of €10 million or 2% of an organisation's global annual revenue (Article 34).

On top of this, the new directive can extend liability from entities to their individual representatives in certain situations. Moreover, when certain conditions are met, persons in management positions could be temporarily suspended (Article 32-5b).

Therefore, following the NIS2 Directive is a legal necessity and a strategic priority.

To be in compliance, you must:

Inform your management about its implications and benefits and convince them to allocate sufficient budget and resources for implementing compliance.
Present a clear business case that outlines the risks of non-compliance, the opportunities of compliance and the return on investment.
Demonstrate how compliance will enhance your organisation's reputation, trustworthiness, competitiveness and resilience.

Informing management and getting a budget is a challenging task, requiring a persuasive and evidence-based argument that showcases the value of cybersecurity for your organisation.

The sooner you start this process, the more time you’ll have to secure buy-in and support from management.

Possible business case benefits for NIS2 compliance

Some possible benefits that you can highlight in your business case are:

Reducing operational costs by preventing or minimising cyberattack losses, such as downtime, data breaches, ransom payments, lawsuits and so on.
Increasing revenue by attracting or retaining customers who value security, privacy, quality, et cetera.
Improving efficiency by streamlining processes, enhancing performance, reducing errors, etc.
Innovating by adopting new technologies, developing new products or services, creating new markets and more.
Following other cybersecurity regulations or standards beyond NIS2 – such as GDPR, ISO 27001, PCI DSS and others – since global frameworks often have a high overlap with the compliance requirements of NIS2.

Potential information sources for justifying your NIS2 compliance business case

Some sources you can use to support your business case are:

Statistics or facts showing the prevalence, impact or cost of cyberattacks in your sector or region.
Case studies or examples illustrating how other organisations have benefited from complying with the NIS2 Directive or similar regulations. For example, the Enisa NIS Investments 2022 report shows that for 62% of the organisations implementing the older NIS directive, such implementations helped them detect security incidents; for 21%, implementations helped during security incident recovery.
Testimonials or feedback from customers, partners, regulators or experts who endorse or recommend complying with the NIS2 Directive or similar regulations.
Benchmarks or indicators revealing your current or projected cybersecurity performance or progress in relation to the NIS2 Directive or your competitors.
Ivanti’s 2023 Cyberstrategy Tool Kit for Internal Buy-In is also a great resource that explains time-to-functionality and cost, how a solution helps defend against certain types of cyberattacks, and how to react to and overcome common objections.

General business benefits of NIS2 Directive compliance

Some of the benefits of complying with the NIS2 Directive include:

Reducing operational costs by preventing or minimising cyberattack losses, such as downtime, data breaches, ransom payments, lawsuits, et cetera. According to a report by IBM, the average cost of a data breach in 2022 was US$4.82 million for critical infrastructure organisations and the average time to identify and contain a breach was 277 days. If you are taking measures to comply with the NIS2 Directive, the average time spent identifying and containing a breach will be much shorter, and costs of the attack will be lower.
Increasing revenue by attracting or retaining customers who value security, privacy, quality and similar factors. According to a survey by PwC, 87% of consumers say they will take their business elsewhere if they don't trust a company's data practices, and 71% of consumers say they would stop using a company's products or services if they found out it was sharing their data without their permission, which could happen with a data leak.
Improving efficiency by streamlining processes, enhancing performance, reducing errors and so on. Accenture has found that companies that adopt advanced security technologies can reduce the cost of cybercrime by up to 48%.
Complying with other regulations or standards that require cybersecurity, such as GDPR, ISO 27001, PCI DSS or others. Cisco points out that 97% of organisations that follow GDPR see benefits such as gaining competitive advantage, achieving operational efficiency and reducing sales delays. Similar results are probably achievable by following NIS2.

When it comes to budgeting, the proposal for a directive by the European Commission (Anex 7 - 1.4.3) mentions that for companies falling under the scope of the NIS2 framework, it’s estimated they would need an increase of a maximum 22% of their current ICT security spending for the first years following the introduction of the NIS2 framework.

However, the proposal also mentions that this average increase of ICT security spending would lead to a proportionate benefit from such investments, notably due to a considerable reduction in cost of cybersecurity incidents.

2. Correctly implement new organisational and technical security measures

After researching the gaps and obtaining a budget, it’s time to close those gaps. The NIS2 Directive requires companies to implement appropriate organisational and technical measures to manage their cybersecurity risks and ensure a high level of security across their networks and information systems.

These measures include:

Adopting policies and procedures for risk management, incident response, business continuity, data protection, et cetera.
Establishing roles and responsibilities for cybersecurity governance, oversight, coordination and other areas.
Providing training and awareness programs for staff, management, customers, etc.
Implementing basic cyber hygiene such as encryption, authentication (MFA), firewalls, antivirus software, patching, zero trust access and so on.
Conducting regular testing, monitoring, auditing and other measures.

Implementing those organisational and technical measures isn't a one-off or static task. It requires establishing a continuous and dynamic process that adapts to changing threats, technologies, regulations and business needs.

So, the same advice applies for this process as for the other points we’ve already covered: the sooner you start, the more time you'll have to implement the necessary measures and ensure their effectiveness and efficiency.

I would advise starting implementation at least in January 2024, so you’re ready before the summer holidays.

Next steps for NIS2 Directive implementations

Some possible steps that you can take to implement organisational and technical measures are:

Developing and implementing a risk-based management process that defines your objectives, scope, roles, responsibilities, resources, timelines and metrics for managing your cybersecurity risks.
Implementing a security policy that establishes your principles, guidelines, standards and procedures for ensuring the security of your network and information systems.
Conducting risk assessments to identify your assets, threats, vulnerabilities, impacts and likelihoods of cyberattacks; and prioritising your actions based on your risk appetite and tolerance.
Implementing security controls that protect your network and information systems from unauthorised access, use, disclosure, modification or destruction. These controls can be classified into three categories: preventive (e.g., encryption); detective, detective (e.g., monitoring), and corrective (e.g., backup).
Implementing an incident response plan that defines your processes, roles, responsibilities, resources, tools and communication channels for responding to cyberincidents effectively and efficiently.
Implementing a business continuity plan that defines your processes, roles, responsibilities, resources, tools and communication channels for maintaining or restoring your critical business processes during a cyber-related disruption or disaster.
Implementing a review and improvement plan that defines your processes, roles, responsibilities, resources, tools and communication channels for regularly evaluating, reporting and enhancing your cybersecurity measures.
Implementing the technical controls for asset management and basic cyber hygiene.

The Directive’s reference to ‘basic cyberhygiene’ is a bit vague in Article 21, so we’ll dive into this in another blog post. For now, think about basic security measures such as:

MFA.
Patching your OS and applications as quickly as possible.
Securing network connections on public networks.
Encryption of all drives (especially removable ones.)
Privilege management and education of all employees.
Subscribing to channels that give you information about the latest patches and priorities, like Ivanti’s Patch Tuesday webinars.

3. Fix the weakest link: find time to train every employee

The NIS2 Directive recognises that human factors are crucial for cybersecurity and that employees are often the weakest link — as well as the first line of defense – in preventing or detecting cyberattacks.

The Directive requires organisations to provide adequate training and awareness programs for their employees, users of digital services and other stakeholders on cybersecurity issues.

Training all your employees is not a sporadic or optional task. It requires a regular and comprehensive program that covers topics such as:

Basic cybersecurity concepts and terminology.
Common cyberthreats and attack vectors.
Best practices and tips for cyberhygiene.
Cybersecurity policies and procedures, made relevant and simplified for end users.
Every user’s role and responsibilities for organisational cybersecurity.
How to report and respond to incidents.

It is important to note that this training should be received by everyone within the company, not only by IT employees. Even management should undergo this training.

A survey conducted for Ivanti shows that a lot of employees are not even aware of mandatory cybersecurity training. Just 27% of them feel “very prepared” to recognise and report threats like malware and phishing at work. 6% of them feel “very prepared” to recognize and report threats like malware and phishing at work.

In Enisa’s NIS Investments 2022 report, Enisa mentions that 40% of the surveyed OES (Operators of Essential Services) have no security awareness program for non-IT staff.

It is important to monitor who has not been trained yet and act on it. Training all your employees is not only beneficial for compliance but also for productivity, quality, innovation and customer satisfaction.

The best NIS2 advice we can give

The NIS2 Directive is landmark legislation that aims to enhance the cybersecurity of critical sectors in the EU. It imposes significant obligations on organisations that fall under its scope, along with hefty fines and sanctions for non-compliance.

Following the NIS2 Directive is a complex task. It demands a proactive and comprehensive approach involving multiple steps, stakeholders and resources.

The sooner you start preparing for it, the better prepared you will be when it becomes effective in October 2024.

The best advice we can offer? Do not wait till then: start preparing for the NIS2 Directive now!

5 Reasons Why NIS2 Directive Preparation Should Start Now, Part One: Audits Take Time

Mon, 28 Aug 2023 17:14:55 Z

You probably heard about the European Union’s updated Network and Information Security Directive (NIS2). This directive will translate into active law in October 2024. You should be ready for it, as there are high fines and sanctions for non-compliance.

But you might be tempted to think that October 2024 is far away, right? Think twice.

After all, how can you know if you have plenty of time to prepare if you don’t know how well you currently comply with the projected regulations?

So, between now and October 2024, you must audit your current cybersecurity status. Specifically:

Identify gaps in meeting the NIS2 directive’s requirements, starting now
Review your current supply chain security flaws

In the second part of this series, I’ll review the three areas you’ll need to address to fix the gaps your audits uncover — including how to:

Inform management about your cybersecurity gaps.
Implement new organizational and technical security measures correctly.
Find time to train all of your employees.

1. Identify gaps in meeting the NIS2 Directive's requirements, starting now

The NIS2 Directive is the EU-wide legislation on cybersecurity that provides legal measures to boost the overall level of cybersecurity in the EU. It modernises the existing legal framework to keep up with increased digitization and an evolving cybersecurity threat landscape.

The directive expands the scope of the cybersecurity rules to new sectors and entities, improving the resilience and incident response capacities of public and private entities, competent authorities and the entire EU.

The NIS2 directive outlines increased measures for resilience against cyberattacks to minimize vulnerabilities and improve cyberdefense.

To comply with the NIS2 Directive, you must:

Assess your cybersecurity posture and identify any gaps or weaknesses that may expose you to cyber risks.
Map your existing policies, procedures and controls to the directive's requirements and see where to improve or update them.
Evaluate your incident response capabilities and reporting mechanisms and ensure they align with the directive's standards.

A big problem with the NIS2 is that it tells you what you should do, but not how you should do it. Luckily, multiple frameworks can help you with the how, including:

In Belgium, the CCB has created a Cyberfundamentals Framework based on multiple frameworks with references to how the different parts of the frameworks relate to the GDPR and NIS2.

After selecting the framework, you must identify gaps in relation to the chosen framework and the directive's requirements. Identifying gaps is not a simple or quick task; it requires a thorough and systematic analysis of your organization's cybersecurity maturity and readiness.

You not only need to check your cybersecurity strategy and policies, but you also need to do a risk analysis to find the most critical assets and the cybersecurity risks they present, then consider security controls to bring down the risk score of those vital assets.

The sooner you start this process, the more time you’ll have to obtain the budget needed to address any issues and implement any necessary changes.

Possible NIS2 environment gaps

Some possible gaps that you may encounter in your environment are:

Lack of a comprehensive cybersecurity strategy or policy that covers all aspects of risk management, incident response, business continuity, data protection, etc.
Lack of a dedicated cybersecurity team or function that oversees, coordinates and monitors all cybersecurity activities and initiatives across the organization.
Lack of adequate security controls or measures for protecting your network and information systems from unauthorized access, use, disclosure, modification or destruction.
Lack of regular testing or auditing of your security controls or measures to ensure their effectiveness and compliance with the directive's requirements.
Lack of proper training or awareness programs for your staff, management, other employees or other stakeholders on cybersecurity issues and best practices.
Lack of clear communication or reporting channels for notifying relevant authorities or parties of any incidents or breaches that affect your services.

Potential security solutions for your environment to comply with NIS2

To identify and fix these security gaps, you can:

Run gap analysis frameworks or models that help you compare your current state with your desired state and identify areas for improvement.
Implement cybersecurity maturity models or standards that help you measure your level of cybersecurity performance and progress.
Conduct a risk assessment to identify your assets, threats, vulnerabilities, impacts and likelihoods of cyberattacks.
Request external audits or assessments that help you validate your compliance status and identify any weaknesses or deficiencies.

2. Review current supply chain security flaws with enough time to coordinate action with suppliers

The NIS2 Directive also introduces new provisions on supply chain security (chapter 0, point 54, 56), recognizing that cyber threats can originate from third-party providers or subcontractors.

The directive requires organizations to ensure that their suppliers follow appropriate security standards and practices (article 21-2d) and regularly monitor their performance and compliance (article 21–3).

This isn't without reason. Supply chain attacks are on the rise:

In BlackBerry research with over 1500 IT decision-makers in 2022, four-fifths of respondents said they had been notified of an attack or vulnerability in their supply chain within the year. Seventy-seven percent said they uncovered hidden participants in their software supply chain that they weren't previously aware of.

Accenture research also reveals 40% of security breaches are indirect, occurring through the supply chain.

Therefore, securing your supply chain is essential for ensuring business continuity, resilience, reputation and trust.

But in Ivanti’s Press Reset: A 2023 Cybersecurity Status Report, we found that only 42% of the over 1,300 executive leaders and security professionals surveyed said they're prepared to safeguard against supply chain threats, even though 46% call it a high-level threat.

Supply chain threats not only come via attacks on solution providers like Okta, Kaseya or SolarWinds, but also through partners either directly connected to your IT infrastructure or who can log into it.

And don’t forget about attacks on your resource suppliers that may cripple them so they're unable to deliver certain resources you need for your own operations. You have to be prepared and have backup vendors available who can supply those resources if your primary supplier is out of action due to a cyberattack or other cause.

Supply chain security is a complex and challenging issue involving multiple actors, dependencies and interconnections — and cannot be achieved overnight.

You need to:

Establish clear and transparent communication channels with your suppliers and define your expectations and obligations regarding cybersecurity.
Conduct regular audits and assessments of your suppliers' security practices and verify that they meet the directive's requirements.
Establish contingency plans and backup solutions in case of a disruption or compromise of your supply chain.

Furthermore, you must start engaging with your suppliers as soon as possible and work together with them to ensure your supply chain is secure and resilient.

Supply chain security challenges for NIS2

Some possible challenges that you may face in securing your supply chain are:

Lack of visibility or transparency into your suppliers' security practices, policies, or incidents.
Lack of trust or cooperation among your suppliers or between you and your suppliers.
Lack of consistency or alignment in security standards, requirements, or expectations across your supply chain.
Lack of resources or capabilities to monitor, audit or verify your suppliers' security performance or compliance.
Lack of contingency plans or backup solutions to mitigate or recover from any disruptions or compromises of your supply chain.
Lack of information as to what you expect from your supplier’s security practices.

Supply chain security solutions for NIS2

To overcome these supply chain security challenges, you can:

Establish clear contracts or agreements with your suppliers that specify their security obligations, responsibilities and liabilities.
Develop common security criteria, guidelines or frameworks that apply to all suppliers in your supply chain and align with the directive's requirements.
Implement security controls, measures or tools that enable you to track, monitor or verify your suppliers' security activities, incidents or compliance status.
Create joint security teams, committees or forums that facilitate information sharing, collaboration and coordination among your suppliers or between you and your suppliers.
Build trust and mutual understanding with your suppliers through regular communication, feedback and recognition.

When your NIS2 Directive audits are complete, now what?

Now that you’ve determined where you currently stand in relation to the NIS2 Directive, it’s time to implement critical changes to ensure compliance by October 2024. I’m certain that addressing the gaps that your audits identified will require all the time you have — and then some! – before the regulations are officially implemented in your country.

But how can you systematically address these gaps in a timely fashion? We discuss the three areas of security changes you’ll need for NIS2 in our next blog post, as we examine how to:

Inform management about your cybersecurity gaps.
Correctly implement new organization and technical security measures.
Find time to train all of your employees.

Get IT Right by Focusing on Service Strategy

Thu, 24 Aug 2023 16:06:25 Z

Too often, we in IT get so busy performing the day-to-day work and fighting the many fires that come at us each day that we neglect to take a moment and focus on ways we can be strategic about how we do our jobs.

When building or expanding IT Service Management offerings, it’s important to understand how taking time to focus on service strategy can greatly improve the efficiency of service delivery.

First, let’s begin by defining a few terms.

What is ITSM (IT Service Management)?

IT Service Management is a strategic approach for designing, delivering, managing and improving the way information technology (IT) is used within an organization. The goal of IT Service Management is to ensure that the right processes, people and technology are in place, so that the organization can meet its business goals.

What is IT Infrastructure Library (ITIL)?

IT Infrastructure Library (ITIL) refers to a group of documents created in the 1980s that provide a framework and best practices for building an IT Service Management (ITSM) solution. By following the recommended ITIL processes, organizations supporting an IT infrastructure can increase efficiency, while reducing service management costs.

What is a service strategy process?

ITIL defines five major areas to service strategy that can accelerate organizational success:

Strategy management for IT services: assessment and measurement of IT strategy
Service portfolio management: defining and documenting IT services.
Financial management for IT services: determining IT service costs and budgeting.
Demand management: forecasting future demand for IT services and budgeting resources.
Business relationship management: managing the feedback and improvement of the IT services.

To properly manage your environment, you need to first design a plan, then determine the type of services you are delivering, validate all costs and budgets, forecast demand, learn how to gather feedback and perform continuous service improvements.

How to design a service portfolio strategy

Design the plan

Constructing a service portfolio can be one of the most challenging tasks for an IT organization. It is essential to resist the temptation of continuing outdated practices and strive for success.[EC4]

Try surveying your end user community to understand their challenges and ever-changing needs. You can narrow down the survey results to capabilities you have within your IT organization and put in place services to support these needs. Caution should be taken to ensure that you follow best practice guidelines for enabling services the drive consistency and end-user process improvements.

Determine the type of service(s) you are delivering

Deciding on the type of service you’re offering today and wish to deliver in the future is a critical piece that will help you understand and minimize how many actual services you are delivering.

Consolidate where you can maximize resource usage, improve application management, and simplify the end user’s process for selecting assistance with the desired services. Too many services will complicate the end user’s interactions with the IT support organization.

Ensure that you evaluate your current services regularly to determine if they are necessary and consider potential services you may want to add in the future. Additionally, take the time to properly set up your nomenclature to reduce the need for future changes.

Validate all costs and budgets

Evaluating the cost of services needs to include not only personnel, software, hardware, services, but also soft costs, such as the cost and/or reduction in time for the people consuming those services.

Understanding soft costs can make a significant difference in expressing the value of services you’re delivering.

Forecast resource demand

The ever-changing world of IT and the consumers of the services makes resource demand forecasting very challenging. However, by understanding what services you are delivering and the historical need for them, you can extrapolate what your demand could be.

Resource consumption adaptability and tasks automation can minimize the negative impact of any forecast changes.

Perform continuous service improvement

The only way to improve your capabilities within an organization is with continual service improvement (CSI). Put relevant analysis and reporting in place to better understand the services you are delivering, the SLAs behind them and how they preform from the perspective of end user satisfaction.

Metrics such as mean time to repair (MTTR), cost per ticket, reopen rate of incidents, call avoidance via self-service, and AI bots and volume by department or location are critically important to help establish improvement initiatives.

With accurate metrics, isolate and focus on areas that require improvement. Lastly, assign a cost to each improvement initiative and prioritize strategically based on cost versus value.

It’s been often stated that “if you fail to plan, you plan to fail.” Although some ITIL recommendations might not be practical for every organization, they are a great place to start when building an IT Service Management solution.

The ITIL service strategy processes focus on planning for an outcome and evaluating your performance against customer expectations. ITIL encourages periodic evaluation and amendments of processes to respond to the ever-changing environment, with the aim of being more effective in delivering service value to your organization.

August 2023 Patch Tuesday

Tue, 08 Aug 2023 22:58:39 Z

2023 Year to Date: How Vulnerable Are We?

We are past the mid-way point of 2023. The average ransomware payment is up, but the percentage of victims paying the ransom are down. The shift toward a risk-based approach to vulnerability management is moving along, but slowly. Threat actors are fast to move on zero-day and recently resolved vulnerabilities, but just as likely to target vulnerabilities that have been exposed for years.

The shift to data exfiltration only ransoms

The Ransomware market is constantly shifting and rapidly innovating and trying new things. The latest shift in tactics to skip the encryption and focus on Data Exfiltration only has made a huge impact on the average ransoms being paid this year, but the drop in victims willing to pay is driving the overall percentage of ransoms paid to an all time low.

Coveware’s July 2023 Quarterly Report is tracking the Average Ransom Payment at $740k (+126% from Q1 2023) and attributes this spike to the massive MOVEit campaign executed by CloP impacting over 1000 companies. While the average ransom paid has spiked due to this massive DXF-Only campaign, it has also driven the overall percentage of victims willing to pay to an all time low of 34%.

The shift to risk-based vulnerability management continues

In Ivanti’s May Patch Tuesday Blog, I mentioned the CISA KEV (Known Exploited Vulnerabilities) list had reached 925 CVEs and predicted they would reach 1k CVEs by late August. CISA KEV has reached 982 prior to August Patch Tuesday and appears to be slowing down their additions to the list vs previous years. While my prediction is close, I may have been off by a month or so. We shall see as the month of August progresses.

For those who read Todd Schell’s Patch Tuesday Forecast on Help-Net Security last week or caught some of the recent news regarding the CVSS 4.0 public preview. CVSS 4.0 is the next step towards providing a better risk-based approach to assessing vulnerabilities and prioritizing remediation. The question is, will it be enough of a step forward?

A lot of news focuses on Zero-day vulnerabilities, but CISA KEV is still adding more older CVEs than new ones. Coming into August Patch Tuesday 2023 there have been 114 CVEs added to CISA KEV so far this year. 55 (48.2%) were CVEs first identified in 2023. The additional 59 CVEs (51.8%) were CVEs from 2022 or earlier dating as far back as 2004 (CVE-2004-1464). 76 of the CVEs added in 2023 were CVEs reported in 2022 or 2023 (66%), but one third of the additions were older than 2022. This is a pretty large gap in remediation of exploited vulnerabilities.

Risk-based vulnerability management vs ransomware

A risk-based vulnerability management solution can provide the visibility to shift vulnerability remediation to focus on the vulnerabilities actively being used by threat actors, especially ransomware threat actors. Comparing Ivanti Risk-Based Vulnerability Management data vs CISA KEV you can see that progress is being made, but there is still a gap.

CISA KEV is tracking 982 CVEs currently vs Ivanti RBVM is tracking almost 39k weaponized vulnerabilities.
Ivanti RBVM tracks vulnerabilities tied to Ransomware campaigns and is currently tracking 367 vulnerabilities. CISA KEV contains 132 (~40%) of those CVEs.
26 of the 367 CVEs tied to Ransomware campaigns were from 2022 or 2023. The majority (341 or ~93%) were older than 2022.
In the past 30 days there have been 104 CVEs that are trending amongst threat actors (Ransomware, Malware and other sources of exploitation). 18 of the 104 CVEs are from 2023. CISA currently is tracking only 40 of the 104 CVEs.

This is not a product pitch (although it is a good one) but calling out that we are still falling behind in the vulnerability remediation race. CVSS 4.0 is a step in the right direction, but not nearly good enough to keep up with the challenges we face. CISA KEV is a good start but has many gaps in visibility especially for the vulnerabilities that are trending and that are tied to ransomware campaigns.

August 2023 patch tuesday

Microsoft has released updates resolving 74 new CVEs this month, one of which is confirmed exploited and six are rated by Microsoft as Critical. Microsoft also updated CVE-2023-36884 released in July to split the Office products out into a separate Defense in Depth Advisory (ADV230003). Besides the OS and Office updates, Microsoft has updates for Exchange Server, .NET, Azure, SQL Server, and Teams making for a significant lineup this August.

Additional updates from Google Chrome released on August 3rd and Microsoft Edge (Chromium) updated on August 7th and a lineup of updates from Adobe should also be included in your update activities this month.

Ivanti EPMM vulnerability remediation update

Ivanti continues to collaborate with threat researchers after the joint release of Cybersecurity Advisories on CVE-2023-35078 and CVE-2023-35081 on August 1, 2023, and urged organizations to apply the patches released by the organization. Ivanti is continuing to work actively with customers to upgrade their appliances and helping them apply the fix.

An additional advisory (CVE-2023-35082 - Remote Unauthenticated API Access Vulnerability) was released on August 2nd and updated on August 7th. An update and additional script is required to remediate the vulnerability. Guidance on how to remediate can be found on the Ivanti Community. The update to resolve the previous two CVEs with the additional RPM script will remediate all three vulnerabilities.

While not confirmed to be used in active exploits in the wild, CVE-2023-35082 has been publicly disclosed by the researchers who discovered it. Ivanti is recommending customers update to the latest version and apply the script as soon as possible to respond to confirmed exploits of CVE-2023-35078 and CVE-2023-35081 and to stay ahead of any attempt to utilize CVE-2023-35082.

Microsoft updates

Microsoft updated the affected products listed in CVE-2023-36884 removing the Office products originally listed in the CVE. The Office products listed in ADV230003 are not directly vulnerable, but can be used in an attack chain to exploited CVE-2023-36884. Microsoft has clarified the changes in the Office updates were a Defense in Depth measure. Microsoft recommends applying the Office updates discussed in the advisory in addition to the August Windows OS updates.

Microsoft has resolved a Denial of Service vulnerability in .NET and Visual Studio (CVE-2023-38180). According to the CVE details code maturity has reached proof-of-concept and it is confirmed to be exploited in the wild. The CVE is only rated as Important and the CVSS v3.1 score is 7.5, but taking a risk-based approach this should be treated as a higher priority this month.

Third Party Updates for August 2023 Patch Tuesday

Google Chrome released Chrome 115.0.5790.171 on August 3 resolving 11 CVEs.
Microsoft Edge (Chromium 115.0.5790.171) released on August 7 resolving 11 CVEs.
Adobe released Acrobat and Reader (APSB23-30) resolving 30 CVEs.
Adobe released Commerce (APSB23-42) resolving 3 CVEs.
Adobe released Dimension (APSB23-44) resolving 3 CVEs.
Adobe released XMP Toolkit SDK (APSB23-45) resolving 1 CVE.

WWDC23: What IT Admins Need to Know to Manage Apple Devices

Tue, 25 Jul 2023 19:51:36 Z

Apple’s annual developer conference, WWDC, is a firehose of information for anyone who manages Apple devices.

New operating systems (notably iOS 17, iPadOS 17, macOS 14 and watchOS 10) and new products (15-inch MacBook Air and Apple Vision Pro) might have dominated the headlines, but WWDC23 also brought a host of no less consequential new capabilities for enterprise device management.

So what should IT admins pay attention to in the lead up to this fall’s OS updates?

A big step forward in declarative device management

Apple introduced declarative management in 2021 as an extended functionality to the MDM protocol, and this year they continued the trend of releasing configurations that can coexist on MDM and declarative management at the same time as part of a gradual transition. Apple has announced a transition path from today’s MDM protocol to declarative management, which will make the changeover seamless for end users.

What’s new this year is that Apple is also releasing features that can only be supported via declarative management – passkeys and Apple Watch management. Ivanti’s UEM products will support declarative device management, and therefore these new features, in the next few quarters.

Simpler device enrollment – for IT and for end users

Getting rid of manual processes is a clear theme for the device enrollment enhancements released this year.

Return to service, a new capability for bringing devices back into management, lets IT admins send a command to erase and then re-enroll a device automatically – a process that until now was manual. This feature is particularly useful for devices without dedicated users that need to be remotely reconfigured without manual intervention, for example an iPad that needs to be reset after a patient is discharged from a hospital.

Account-driven device enrollment (an enhancement to account-driven user enrollment, which is already available) enrolls devices automatically when users sign in with their work or school account, rather than requiring the user to install a profile manually. Eliminating this extra step can streamline device onboarding.

On the topic of device enrollment, Setup Assistant also saw enhancements worth paying attention to: the ability to restrict enrollment to devices that meet minimum OS requirements, and the ability to configure FileVault during setup. These features let companies ship devices directly from the supplier to the end user without needing a manual setup to ensure basic security features are in compliance.

Easy end user authentication for a better end user experience

Updates to Managed Apple IDs give organizations access to a range of improved authentication features that make it easier for end users to access their devices and services. Managed Apple IDs now include support for iCloud Keychain, Apple Wallet, and access management controls that enable organizations to restrict access to specific services and dictate the management state of a device when a user signs in. Additionally, passkeys can now be synced across managed devices for an even more secure authentication experience.

Platform single sign-on (SSO) now lets you create local user accounts on a shared Mac using credentials from the Identity Provider (IdP).

Finally, Managed Device Attestation is now available on macOS and offers strong assurances about the security posture and properties of a device.

Useful updates to device and application connectivity

For an alternative to VPN, you can now use a new built-in relay to secure traffic using an HTTP/3 or HTTP/2 tunnel. The configuration is domain-based and can be applied to managed apps, domains, or the entire device.

Apple has also expanded 802.1X support for Ethernet, which previously was only supported for macOS, allowing you to connect an iPhone, iPad or Apple TV to a restricted network that requires authentication without needing to rely on WiFi.

Finally – private network and network slicing support

Long-awaited support for private 5G and LTE networks is finally here for iOS 17 and iPadOS 17.

Administrators can activate private SIMs automatically when a device enters a geofence in order to prioritize cellular over Wi-Fi.

And with 5G network slicing, mobile network operators can customize traffic through a 5G standalone network with specific quality-of-service requirements for network latency, throughput and packet loss.

Discovering new use cases for wearables in the workplace?

Apple Watch is newly supported as a managed device. An Apple Watch that is paired to a Supervised iPhone can now be enrolled and managed with watchOS 10 – with the very important requirement that declarative management configuration must be enabled.

Planning ahead for this fall’s OS updates

Ivanti is actively testing the betas of iOS 17 and macOS 14 to make sure you can take advantage of these new features for a better end-user experience and streamlined IT processes.

Look out for communication on compatibility as we plan for day zero support for Ivanti products.

July 2023 Patch Tuesday

Tue, 11 Jul 2023 22:31:12 Z

This month is going to be a painful one, with:

Multiple zero-day exploits being resolved by Microsoft,
Some operational changes for Kerberos and Netlogon vulnerability resolutions, and
A large lineup of third-party updates releasing on and after July’s Patch Tuesday – including Oracle's quarterly CPU and Java updates.

Kerberos and Netlogon Vulnerability Changes

July is going to be a big month from an operational perspective.

A number of changes are going into effect regarding two previously resolved CVEs:

An Elevation of Privilege vulnerability resolution in Kerberos (CVE-2022-37967), and
An Elevation of Privilege vulnerability in Netlogon RPC (CVE-2022-38023).

Both CVEs were resolved in 2022, but the code change alone did not resolve the vulnerabilities.

What to expect in July 2023’s updates for Kerberos and Netlogon vulnerabilities

Microsoft outlined a phased rollout of enforcement for both vulnerabilities, due to the fact that they are changing some core behaviors in two commonly used authentication mechanisms.

KB5020805 outlines the timing of changes for the Kerberos vulnerability (CVE-2022-37967). For July, Microsoft is stepping up to initial enforcement. The earlier changes have been to add the capabilities to address the security bypass and audit logging to show if organizations had systems that needed attention to prepare for the change.
- This July 2023 OS update will default the behavior to Enforcement mode, but still allow an Administrator to override and set Audit mode explicitly.
- The future October 10, 2023, update will remove the Admin override and default to full enforcement.
KB5021130 outlines the timing of changes for the Netlogon vulnerability (CVE-2022-38023). For July, Microsoft is stepping up to full enforcement. The earlier changes have been to add the capabilities to address the security bypass and audit logging to show if organizations had systems that needed attention to prepare for the change.
- This July 2023 update will remove the ability to override enforcement and allow compatibility mode for RPC Sealing.
- After deploying the July update, Netlogon will fully enforce RPC Sealing.

Multiple Zero Days and Public Disclosures from Microsoft for July 2023

Microsoft has resolved 130 net new vulnerabilities this month, and there are updates to 9 previously released CVEs. Six CVEs and one Advisory have confirmed exploits.

One of the six exploited vulnerabilities released originally in May, and has been updated this month to address all versions of Microsoft Windows.

This month, I'd specifically like to highlight:

CVE-2023-24932 (Security Feature Bypass - Secure Boot): Critical Confirmed Exploits
CVE-2023-36871 (Security Feature Bypass - AD): Functional Code Maturity
CVE-2023-35311 (Security Feature Bypass - Outlook): Critical Confirmed Exploits
CVE-2023-36884 (Remote Code Execution - Office and Windows HTML): Critical Confirmed Exploits
CVE-2023-36874 (Privilege Escalation - Windows Error Reporting): Reported Exploits
CVE-2023-32049 (Security Feature Bypass - SmartScreen): Critical Confirmed Exploits
CVE-2023-32046 (Privilege Escalation - MSHTML): Important Confirmed Exploits
Microsoft Advisory ADV23001 - Malicious Signed Drivers

Microsoft CVE-2023-24932 (Security Feature Bypass - Secure Boot): Critical Confirmed Exploits

Microsoft has updated CVE-2023-24932, which is a Security Feature Bypass in Secure Boot.

The CVE was originally resolved in May 2023, but Microsoft has expanded the affected OS versions, and is recommending customers update to the July update on all affected Windows OS version this month. The vulnerability has confirmed exploits in the wild.

The CVSS v3.1 base score is 6.7 and it is rated as Important by Microsoft. However, with confirmed exploits and publicly disclosed functional code, this vulnerability should be treated as Critical.

Microsoft CVE-2023-36871 (Security Feature Bypass - AD): Functional Code Maturity

Microsoft has resolved a Security Feature Bypass in Azure Active Directory (CVE-2023-36871). The CVE is rated as Important and has a CVSS v3.1 base score of 6.5, but the temporal metrics list code maturity as functional.

An attacker would require a low privileged session on the user’s device to obtain a JSON web token. The token could thenbe used to create a long-lived assertion using the Windows Hello for Business Key from the victim’s device.

In this case, the fix is to:

Update to the July update on all AD FS servers.
Then, enable the setting required to turn on the EnforceNonceInJWT setting.
- The PowerShell command to enable this setting is provided in the CVE article.

Microsoft CVE-2023-35311 (Security Feature Bypass - Outlook): Critical Confirmed Exploits

Microsoft has resolved a Security Feature Bypass in Microsoft Outlook (CVE-2023-35311). This vulnerability has confirmed exploitation.

The attacker could send a user a specially crafted URL to bypass the Microsoft Outlook Security Notice prompt. The Preview Pane is an attack vector for this vulnerability, but user interaction is required.

Given the fact that phishing a user is a statistical challenge, the priority for getting this fix rolled out is Critical, even though Microsoft’s severity rating is only Important.

Microsoft CVE-2023-36884 (Remote Code Execution - Office and Windows HTML): Critical Confirmed Exploits

Microsoft has resolved a Remote Code Execution vulnerability in Office and Windows HTML (CVE-2023-36884). The CVE is rated as Important, but has confirmed reports of exploitation in the wild and functional code has been publicly disclosed for this vulnerability.

An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim.

Microsoft has not yet released an update to fix this issue, but has provided a configuration level mitigation to block Office applications from creating child processes. Running as least privileged could also help to mitigate the attack and require the attacker to execute additional exploits to elevate their privilege level.

Microsoft has released a blog entry describing steps that can be taken to protect systems until a fix becomes available.

Microsoft CVE-2023-36874 (Privilege Escalation - Windows Error Reporting): Reported Exploits

Microsoft has resolved an Elevation of Privilege vulnerability in Windows Error Reporting (CVE-2023-36874). The CVE is rated as important but has reported cases of exploitation. An attacker – with local access to the target machine with permission to create folders and performance traces on the machine – could gain administrator privileges.

Microsoft CVE-2023-32049 (Security Feature Bypass - SmartScreen): Critical Confirmed Exploits

Microsoft has resolved a Security Feature Bypass vulnerability in Windows SmartScreen (CVE-2023-32049). The CVE is rated as Important, but Microsoft has confirmed reports of exploitation for this vulnerability increasing the urgency to Critical.

The attacker can send a user a specially crafted URL that could allow the "Open File – Security Warning" prompt to be bypassed, opening additional opportunities to further compromise the target system.

Microsoft CVE-2023-32046 (Privilege Escalation - MSHTML): Important Confirmed Exploits

Microsoft has resolved an Elevation of Privilege vulnerability in Windows MSHTML (CVE-2023-32046). Microsoft has rated the CVE as Important and has reports of exploitation in the wild.

An attacker could target a user in a variety of ways, including email- and web-based attack scenarios. If exploited, the attacker would gain the rights of the user that is running the affected application. So, running least privilege would help to mitigate the impact of this vulnerability, forcing the attacker to take additional steps to take full control of the target system.

While IE 11 has been retired, you will see a reference to IE Cumulative updates listed for Windows Server 2008, 2008 R2, 2012 and 2012 R2 due to the MSHTML, EdgeHTML and scripting platforms still being supported.

If you are installing the Security Only updates on these platforms, Microsoft is recommending running the IE Cumulative update as well to fully resolve the CVE.

Microsoft Advisory ADV23001 - Malicious Signed Drivers

Microsoft has released an Advisory (ADV23001) providing guidance on Microsoft Signed Drivers being used maliciously.

Several developer accounts for the Microsoft Partner Center (MPC) were engaged in submitting malicious drivers to obtain a Microsoft signature.

Microsoft has released Window Security updates (see their "Security Updates" table) that untrust drivers and driver signing certificates for the impacted files, and has suspended the partners' seller accounts. All the developer accounts involved in this incident were immediately suspended.

Additionally, Microsoft has implemented blocking detections (Microsoft Defender 1.391.3822.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity.

For more information about how the Windows Code Integrity feature protects Microsoft customers from revoked certificates, see Microsoft Support's "Notice of additions to the Windows Driver.STL revocation list".

Third-Party Updates for July 2023 – Including Java Updates from Oracle

Mozilla has released updates for Firefox and Firefox ESR.
Adobe Acrobat and Reader has an update that appears to be non-security related, but has released updates for Adobe InDesign and ColdFusion.
Google Chrome is likely to update on July 11^th or shortly after.
Oracle’s quarterly CPU (Critical Patch Update) is due to release on July 18, with updates for the lineup of Oracle products – including Java.

As you begin your maintenance this cycle, keep in mind that – after the Oracle Java release – there is a stream of additional updates that will occur, including:

RedHat OpenJDK,
Amazon Corretto,
Azul Zulu,
Eclipse Adoptium,
Adopt OpenJDK, and
Other Java frameworks.

How Consolidating Your Tech Stack Drives DEX Outcomes

Thu, 29 Jun 2023 15:25:35 Z

Every month, it seems that a new “must use” tool hits the market. What ends up happening is IT teams are gifted a hodge-podge of tools — snowballing into unnecessary frustration and increased workloads.

“The issue is there are so many technologies and ways you can have this experience, and it is very easy to fall into a trap of having too many tools and that will dilute your experience and lead to frustration. We have information on multiple SharePoint sites, Teams, Yammer, Service Now, One Drive and who knows what else exists, so we have a very bad experience as you do not know where to find things, and if you do not follow any of those channels, you will miss stuff. Pick your standard and do not fall into the trap of implementing the flavor of the month.”

- Team Lead, Emerson Electric Co

Growing digital environments with too many disparate tools has created a scenario where optimising digital experiences across various devices and locations is falling short, preventing your organisation’s ability to effectively adapt to Everywhere Work.

When laying the foundation for an improved digital employee experience (DEX), consolidating your tech stack is a crucial component.

Why unmanaged tools and assets are hurting your DEX

Some organisations have reported their digital transformation being accelerated by three to five years since 2020. Unlike a few years ago, assets no longer live just in the office. They are scattered across the globe and increasing in quantity. Recent reports show the average employee uses 2.6 devices to get their job done.

But with more assets come more problems. 45% of employees have experienced more tech issues since 2020, with the average employee running into 3.67 endpoint issues a day.

This volume of daily issues means that valuable insights are growing fast and in different places.

Being able to navigate this complex environment in a timely manner to address all issues proactively poses a challenge when your tools and systems don't talk to each other.

A more complex environment without the proper tools has IT and security professionals feeling the heat. 73% report an increased workload since their organisation adopted hybrid/remote work. In fact, nearly 1 in 3 IT and security professionals report losing at least one team member due to burnout.

And these types of work environments aren’t going away anytime soon. According to our Everywhere Work research:

71% of office workers want to work either hybrid (with control over which days they come to the office) or remote.
66% of employees say they have experienced no negative side effects due to remote work.
71% of C-Suite admit hybrid working has had a positive impact on employee morale.

Some organisations are already taking action. A recent survey conducted by EMA, found that a resounding 86% of respondents are looking to consolidate asset-related tools and 18% are actively planning to manage all asset types on one platform.

“Centralisation is critical. Having too many tools is an issue for us.”

- System Administrator, CFCU Community Credit Union

Consolidating your tech stack lays the groundwork for automation, which helps decrease workloads and ultimately deter digital burnouts for your IT and security teams. With technology becoming more entwined with the daily operations of employees, making sure you provide efficient ways to manage, secure and support this environment for your IT teams is crucial to delivering improved experiences.

Benefits of consolidating your tech stack

Consolidating your tech stack aids DEX initiatives in many ways, including: 

1. Reducing complexity for your IT staff

It's time to kick manual processes and inefficient workloads to the curb. Connecting and simplifying your organisation’s workflows streamlines and automates your IT environments. This removes unnecessary complexity and enables improved experiences for your IT teams.

2. More responsive and efficient IT support

28% of employees wish for a more responsive service desk. When IT has all the information in a single place, they can address and resolve tickets quicker and more effectively.

3. Preventing issue before they happen

Quickly resolving issues and, ideally, preventing issues in the first place, creates betterexperiences. Research shows it can take up to 20 minutes for workers to refocus on a task. When you simplify your tech stack and enable access to valuable insights in one place, preventing issues becomes a breeze. You get to keep employees out of the service queue and focused on their jobs, reclaiming thousands of hours of lost productivity across your organisation.

When looking to create better employee experiences in the Everywhere Work era, consolidating your tech stack is a step you can’t afford to skip. Simplifying and streamlining your IT structure makes life easier for your IT and security teams — freeing up their time to understand employee sentiment, track and optimise experiences over time and prevent issues before they occur.

To learn more about DEX, watch our on-demand webinar to get A step-by-step guide to planning and measuring digital employee experience.

How to Use Generative AI for Knowledge Management

Tue, 27 Jun 2023 14:30:00 Z

In the blog “How Generative AI Can Benefit Knowledge Management”, we looked at the benefits of AI to knowledge management to enhance the quality, automating the creation of content and enabling more engaging content. In enabling generative AI to become part of the knowledge management framework introduces concerns about accuracy, data bias, privacy and security.

Now, it’s time to look at how we can make it work well together...

How to use generative AI with knowledge management

Despite concerns of using generative AI in daily operations, this technology has the potential to be a powerful tool to optimise knowledge management. By carefully considering the potential drawbacks and taking steps to mitigate them, organisations can use generative AI to improve their knowledge management practices.

Here are the five things to consider when using generative AI for knowledge management:

Making sure to identify the type of data that will be used to train the generative AI model. Identification of the data type will help to ensure that the data used is accurate and reliable. Are you going to be using existing knowledge articles, incident data, problem data or combinations of all?
Having identified the data type, generative AI is only as good as the data it's trained on. The old saying ‘garbage in, garbage out’ still applies. Ensure that the data you've identified above is accurate, complete and up-to-date.
Monitoring the output of the generative AI model for signs of bias, misinformation, completeness and accuracy. This can help to ensure that the information generated by the model is reliable.
Developing policies and procedures to manage the risks associated with using generative AI for knowledge management. This is an important step in ensuring the success of your project. These policies and procedures should address issues such as data security, privacy and ethical considerations. They should be designed to ensure that using generative AI for knowledge management is conducted in a responsible and ethical way.
Putting an approval process in place before any knowledge information is shared publicly to ensure that the generated outputs are reviewed and authorised.

By taking these steps, organisations can use generative AI to improve their knowledge management practices while minimising the risks.

Combine generative AI and knowledge management with caution

The effectiveness and impact of generative AI on knowledge management will depend on how it's used and implemented. It's important to carefully evaluate the benefits and risks before deciding whether to incorporate it.

Here are some potential pros and cons:

Pros

1. Automatic generation of relevant content

Generative AI can be used to automatically create knowledge articles from existing data sources, such as product documentation, customer support tickets and employee training materials.

With 32% of IT professionals reporting an increase in helpdesk tickets since the move to remote working, there’s a significant opportunity for enhancement of the knowledge base that can enable quicker and more effective issue resolution, freeing up IT professionals to focus on more strategic tasks, such as developing new knowledge management initiatives and improving the quality of existing knowledge articles.

2. Improved search accuracy

Generative AI can help improve search accuracy by personalising the delivery of knowledge to employees, based on their individual needs and preferences. With an average employee spending 3.6 hours a day searching for information, any time savings in the way knowledge is delivered to them is a win.

Enabling easier and quicker access to information will ultimately enhance your employees’ digital experience.

3. Enhanced automation

Generative AI can assist in automating routine task – even if it's not directly related to the creation of knowledge management articles.

With 85% of IT professionals rating automation and AI investments as profitable ventures, identifying new ways of streamlining their processes can free up time for IT professionals to focus on more complex issues.

Cons

1. Risk of misinformation

Generative AI can potentially produce incorrect or misleading information, which can lead to serious consequences in the IT field. For example, the introduction of malware, or the incorrectly recommending turning off functionality which is used to secure the IT environment from malicious actors.

2. Dependence on AI-generated content

If companies become too reliant on AI-generated content, they may not prioritise the human-generated one or critical thinking skills, leading to a potential loss of expertise. Despite all the discussion around generative AI, human oversight is still required to validate accuracy and approve the generated information.

3. Ethical concerns

There are ethical concerns surrounding the use of generative AI, like potential bias in the data used to train the model, which can perpetuate existing inequalities.

There’s no doubt that generative AI can be a valuable tool for IT knowledge management and while a new exciting technology, there's still much to be learned about the benefits and pitfalls that it may bring.

Each organisation needs to review the potential impact individually and choose an appropriate AI solution that meets their own need for privacy, accuracy and security.

Tips for implementing generative AI for knowledge management

Start small and scale up

It's better to start with a small pilot project and then scale up using generative AI as you gain experience.

Get buy-in from stakeholders

It's important to get buy-in from stakeholders before deploying generative AI in production. This will help ensure that the model is used effectively and that its outputs are trusted.

Monitor the model's performance

It's important to monitor the model's performance after it's been deployed in production. This will help identify any potential problems with the model and improve the model's accuracy.

Continuously improve the model

Generative AI models are constantly being improved. It's important to continuously enhance the model by retraining it on new data and addressing any potential problems that may occur.

Learn more about this topic – watch our webinar on Generative AI for InfoSec & Hackers: What Security Teams Need to Know.

How IT Device Discovery Can Identify Your Network's Assets and Vulnerabilities

Thu, 22 Jun 2023 20:09:10 Z

The security of your organisation’s network is paramount to its success. With the ever-changing landscape of cyber threats, it's important to take the necessary steps to ensure that your network is secure and compliant with industry regulations.

Ensuring compliance requires you to know what’s on your network. But how can that be done when only 48% of leaders and security professionals say they run their asset discovery program at least once per week? One of the most effective tools for identifying assets and vulnerabilities on a network is IT asset discovery.

What is IT discovery and why is it important for IT security?

IT discovery is the process of identifying and cataloging the various hardware, software and other components that make up an IT infrastructure. This is an essential process to ensure the smooth functioning of IT networks as it allows IT administrators to identify potential issues and plan for future growth.

Once this identification and cataloging of IT inventory is completed, you can maintain a comprehensive inventory of all your assets. Keeping track of all the components making up your network in one place means IT administrators can quickly identify any problems and take the necessary steps to fix them.

And since, on average, up to 30% of an organisation’s IT assets are ghost assets, missing or unaccounted for, it is even more important to have accurate, up to date information about your device landscape.

To quickly detect changes in the network and respond to potential threats, it’s worth automating the discovery process — ultimately, it'll ensure a secure and compliant network.

How does IT discovery work?

IT discovery typically uses manual scanning or automated scanning tools. Manual scans involve manually entering IP addresses into a scanner, while automated scans are done with specifically designed software programs. These programs will search through an organisation's environment, looking for:

Hardware components such as computers, servers, routers and switches.
Software components such as operating systems and applications.
Network connections such as LANs (Local Area Networks) or WANs (Wide Area Networks).

Additionally, as not every asset will be on the network, the ability to discover devices from other sources via connectors is just as critical in providing a comprehensive picture of your entire IT estate.

Benefits of IT discovery for IT security

Accurate device information is an essential component of any organisation’s IT network. Without it, organisations are unable to identify and track assets on their networks or ensure compliance with relevant regulations and standards.

By automating the process of discovering devices connected to your network, you can capitalise on the following benefits:

Provide real-time alerts regarding any changes in the device inventory. This kind of visibility can help your organisation quickly detect potential threats and respond accordingly. With accurate device information, identifying unknown assets and reducing attack surface by removing outdated or unauthorised hardware.
Ensure that a network is compliant with relevant security regulations and standards such as GDPR (General Data Protection Regulation), PCI DSS (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act) and CCPA (California Consumer Privacy Act).
Accurately monitor the performance of IT infrastructure and ensure that it always remains secure. With real-time visibility into all the devices connected to the network, your IT team can easily identify problems, even before they become critical issues, and respond quickly when issues arise. This helps reduce downtime for employees, which in turn leads to improved productivity and employee experience across the organisation.

Respond Quickly to Potential Threats

When responding to potential threats, it’s important for organisations to act quickly to minimise the impact of the attack. With extended visibility into your entire network, you can quickly locate any malicious actors or vulnerabilities that could lead to an attack.

This also allows for more accurate and timely monitoring of changes in your network's architecture, which are critical in identifying potential weaknesses before exploitation can occur.

Additionally, keeping track of who has access to what parts of your network makes monitoring user activities and maintaining up-to-date user profiles a breeze. With threat actors getting better at disguise, ensuring that only authorised personnel have access to the information they need helps reduce the risk of any unauthorised access or misuse.

And if a threat occurs, it’s much easier to determine where it originated from and take appropriate action against it.

Finally, providing valuable insights into how your organisation is responding to potential threats can help improve your security strategy. By measuring response time and tracking incidents over time, you can evaluate which strategies are working best and which ones to amend.

Hungry for more? Watch our webinar recording and explore 5 Best Practices From Real‑World RBVM Programs.