Ivanti Blog: Security

The Secure-by-Design Pledge: A Commitment to Creating a Safer Digital Future

Wed, 08 May 2024 22:06:03 Z

The exciting benefits of digital transformation and automation — global interconnectedness, efficient operations, greater business outcomes — have come with an equal measure of concern over digital safety. It has become clear that to safely realize the benefits of digital acceleration, as an industry we must take bold steps toward securing the digital landscape and mitigating cybersecurity threats.

At Ivanti this evolution is already under way — and we are committed to being at the very front of the movement. As a company, we have always believed that our customers’ interests – including security – should be a cornerstone of software development. With the threat landscape rapidly evolving, and tactics becoming increasingly aggressive and sophisticated, the imperative to put security first has never been greater.

That is why last month I outlined a bold plan for Ivanti to meet the new reality we are all facing. Our efforts are rooted in Secure by Design principles, weaving security into every stage of our software development lifecycles. Given this commitment, it makes sense that we’re among the first to sign the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design pledge, which they unveiled on May 7, 2024 at the RSA Conference in San Francisco.

The concept of Secure by Design is not new, but it has never been more relevant. It ensures that products are built with security embedded from the ground up, reducing the risk of vulnerabilities and making it more difficult for malicious actors to exploit them. That is why this pledge is so meaningful at this moment in time, and why companies like Ivanti are answering the call. We see this as a meaningful step forward in the industry’s commitment and collaboration around security, and we look forward to setting a new standard for the broader ecosystem.

A bold new level of security

By signing the Secure by Design pledge, we are committing to a set of principles, standards, and actions that will help us further elevate the security of our products and better protect our customers. This includes implementing multi-factor authentication, reducing the use of default passwords, mitigating entire classes of vulnerabilities, increasing the adoption of security patches, establishing a vulnerability disclosure policy and improving our customers' ability to gather evidence of cybersecurity intrusions. I’m pleased that our products and our organization already meet many of these Secure by Design principles, and we are looking closely at opportunities to enhance and accelerate our efforts and practices throughout our organization and product development lifecycle.

For Ivanti, these commitments are far from simply words on paper or empty promises. By signing this pledge, we are making a public commitment to raise the bar and that we will be accountable for delivering. We will work diligently over the coming year to make measurable progress toward each of these goals, and we will update our customers and the wider security community on our progress. We believe that transparency is essential in building trust and fostering a broader culture of security.

Stronger together

We’ve taken a big step by acting as early signers to this pledge. Still, we recognize that we cannot achieve a safer digital future alone. It is crucial that other vendors in the industry also embrace the principles of Secure by Design and take similar steps to prioritize security in their products. We strongly encourage our peers to join us in signing the CISA Secure by Design pledge and to work collaboratively toward our shared goal of protecting our customers and the broader digital ecosystem.

It's good business, and it’s the right thing to do for employees, partners, customers and the communities we serve.

Our recent experience at RSA has only reinforced our belief in the importance of the security community coming together to tackle the challenges we collectively face. Our conversations with customers and partners were invaluable, and they highlighted the need for a collective effort around software security. By sharing knowledge and best practices and holding each other accountable, we can make significant strides toward a stronger and more secure future.

Ivanti is committed to being a leader in this effort, and we look forward to engaging with our customers and the wider community to make Secure by Design the new reality.

What is IRAP Assessment? What to Know About the Latest Compliance for Ivanti Neurons

Sun, 18 Feb 2024 09:24:30 Z

The Australian Information Security Registered Assessors Program (IRAP) assessment is an essential tool for organisations looking to ensure their security posture meets the highest standards.

This assessment, which Ivanti Neurons for IT Service Management (ITSM) and Ivanti Neurons for IT Asset Management (ITAM) went through, is one of the most stringent security assessments available.

The IRAP assessment process

The IRAP program is administered by the Australian Cyber Security Centre (ACSC), a division of the Australian Signals Directorate. The ACSC is responsible for the security of the Australian government’s information and IT systems, and the IRAP assessment process.

The rigorous assessment process conducted by an approved IRAP assessor includes assessing existing policies and procedures, conducting vulnerability scans, and reviewing security measures.

Ivanti Neurons’ IRAP assessment

Under the IRAP assessment, conducted by Aegis9 during the period February to May 2023, using the June 2022 version of the Australian Information Security Manual (ISM) and in line with the ACSC’s Cloud Security Guidance, Ivanti Neurons for ITSM and ITAM were assessed against the requirements to hold, process and communicate Australian government information classified up to and including “PROTECTED.”

Ivanti Neurons for ITSM and ITAM has been assessed in the following areas:

Protection of government and citizen data. Ivanti provides a secure platform for the storage and retrieval of personal and sensitive data.
Secure access to systems. Ivanti uses strong authentication methods and access control measures to ensure that only authorised users can access the system.
Network and system protection. Ivanti provides a robust system for protecting networks and systems from malicious attacks and intrusions.
Security monitoring. Ivanti is equipped with advanced security monitoring capabilities, allowing organisations to monitor their systems and networks for any suspicious activity.

In addition to IRAP assessment, Ivanti Neurons also holds certifications from several other leading organisations, including ISO/IEC 27001:2013, GDPR compliance, SOC 2 Type II, HIPAA Compliance, and FedRAMP Certification.

What Ivanti’s IRAP assessment means for government agencies and public-sector organisations

Federal departments, state agencies and critical infrastructure providers require the highest security standards. The IRAP assessment demonstrates the strong commitment Ivanti has to meeting those strict standards.

Government agencies are continually striving to increase efficiency and reduce costs. To achieve this, they are frequently turning to cloud computing technologies such as SaaS to provide them with a modern platform that will enhance operational efficiency and reduce IT costs.

Ivanti Neurons for ITSM/ITAM is an advanced IT Service Management platform and enables government agencies to improve their Service Delivery across 11 ITIL practices, optimise their assets by understanding what they have, and improve the employee experience through the self-service portal and digital experience management.

In addition, using the same IRAP assessment platform, agencies can expand across to other areas such HR, Facilities, Governance Risk and Compliance, Project and Portfolio Management and Security Operations.

By using Ivanti Neurons for ITSM/ITAM, organisations can achieve their goals faster, improve employee experience and reduce their risk profile. The comprehensive suite of features offered includes automated processes and analytics capabilities that help minimise manual tasks associated with ensuring service quality.

This frees up customers to focus on providing superior customer experiences instead of managing complex back-end operations.

Furthermore, Ivanti Neurons for ITSM is designed to be easily deployable across multiple devices, providing customers with peace of mind that they are using a secure solution from start to finish. Ivanti is committed to assessing more solutions against the IRAP program. Ivanti Neurons for MDM (Mobile Device Management) is currently under IRAP assessment and Ivanti looks forward to sharing the results when complete.

Need additional information? Head over to the Ivanti IRAP page to learn more.

International Inconsistencies: How Cybersecurity Preparedness Varies Across Countries

Tue, 03 Oct 2023 04:02:00 Z

Part three of a four-part series covering Ivanti’s latest research. Get the full series:

An organization’s culture and training programs have a significant influence on security preparedness, but our research shows both are inconsistent at the country-to-country level.

As we’ve seen in the previous posts in this series, employee demographics and their willingness to report security risks are hidden threats to your cybersecurity posture.

But new research from Ivanti shows us there are notable variations between countries in employee beliefs and behaviors regarding cybersecurity. This poses a unique hidden threat to organizations operating in multiple regions.

Get the report: Hidden Threats: How workforce demographics impact your security posture

Security cultures by country

Our research shows important differences in security culture at the country level — both in terms of training provided by the organization and employee-level attitudes. Some examples:

In Germany, 83% said they would feel safe reporting their mistake to the security team, compared to 61% of employees in Japan.
In India, 55% said they believe they have an impact on the company’s cybersecurity efforts, while just 7% said the same in China and 16% said so in France.

“These country-level differences are an interesting lens through which to study preparedness. It’s easy — and common — for a security team to judge security based on what’s taking place in their largest or nearest office. Our latest research shows how important it is to explore more granular data and uncover security procedures at every location — whether at headquarters, R&D facilities, supply chain outposts or manufacturing locations.”

Daren Goesen, SVP, Product Management, Ivanti

How local culture interacts with global security programs

Culture can influence how organizations defend their assets and people, as well as how they respond to an attack. These challenges include:

Employee discomfort with training that was developed at the global level (e.g., poor translation of teaching materials into local language and culture).
Employee unease with new standards or rules that have not been “socialized” at the local level.
A top-down local office culture that leaves little room for individuals to report errors or concerns.
Substandard security support for local offices; for example, employees with questions or concerns must contact a security team member in a different country — and endure language and cultural barriers.

All these issues can make it easier for malicious actors to disrupt day-to-day operations.

Why it matters

Many organizations have a top-down approach to training and security culture, but the research shows it’s critical to understand local security culture — and even local culture — to put together a coherent plan.

No matter where they're from, every new hire introduces their own unique vulnerabilities to the organization, intentionally or not. Undertrained employees risk diluting the strength of the overall organization's preparedness.

To minimize this risk, organizations must invest in strong onboarding and ongoing security training programs at global and regional levels.

In our next post in this series, we’ll detail this and other effective measures an organization can take to address the hidden threats we’ve explored.

Taking a Real Look at Hidden Risk

Tue, 03 Oct 2023 04:01:02 Z

Part four of a four-part series covering Ivanti’s latest research. Get the full series:

Big-picture excellence can hide pockets of risk. It’s time to explore security risk in detail — drilling down to look at vulnerabilities hidden in the data and by taking preventative action.

As the previous posts in this series have shown, employee demographics, their willingness to report security risks and country-to-country security culture differences pose hidden threats to your company’s cybersecurity efforts. They’re threats that have been uncovered in new research from Ivanti.

It’s up to an organization to take concrete steps to mitigate these threats. What are some of the key measures you can take?

Get the report: Hidden Threats: How workforce demographics impact your security posture

Survey your employees to uncover demographic propensities

Use an anonymous survey to surface insights about your employee base — paying close attention to demographic differences.

Are there unexpected findings? Conclusions that run counter to expectations? Use the findings to step up your training and outreach efforts, matching solutions to the segments of your employee base that need additional support.

Sample questions for an anonymous study of employee attitudes:

Can you identify a phishing attempt?

Have you been given resources and/or tools to identify a phishing attempt?

Do you feel comfortable asking the security team a question?

Do you feel safe reporting an error to the security team?

Do you think your actions have an impact on the organization’s security?

Challenge stereotypes about digital savviness and safety

Have your security team complete an anonymous survey that examines their assumptions about different employee groups. Do they believe older employees act less safely? How do those results compare to your general employee survey findings?

Try to shed light on assumptions that are not only unfair but untrue — and on how stereotypes might affect your security readiness.

“Part of understanding chronic repeat [phishing] clickers should involve a bit of investigation. In an organization of 5,000 people, it could be that there are certain roles that naturally encourage people to click even when your awareness program and other training discourages it. I’m thinking about departments that are constantly understaffed, departments whose job it is to process large amounts of email (e.g., recruiting), etc. Before anyone blames the end user, an organization should try to see if they are accidentally putting certain sets of users in no-win situations.”

- Reddit comment on why some employees are more likely to fall for phishing emails

Understand how global security culture is translated into local languages and culture

When developing any new training and guidelines or deploying new security technology, make certain to consult with local divisions to gain their input and buy-in. Simply translating educational materials and communications is not enough.

Solicit feedback from local offices about how well these programs “translate” to regional offices and the challenges they may encounter. Where possible, design materials that are culturally sensitive and appropriate for local offices.

Design the tech stack to minimize pockets of nonconformity and inconsistency

Rather than relying on individual users to conform to security protocols, build stronger back-end automation that is effectively hidden from end users — interventions that make compliance frictionless. For example:

Just-in-time software updates: Most employees don’t relish shutting down their computers and rebooting for software updates, so they tend to postpone the process indefinitely. Instead, use a system that forces a restart within 72 hours; this way, employees have some control over when the reboot takes place, even while enforcing needed updates.
No-stress password hygiene: Instead of asking employees to update passwords on a regular schedule, implement a technology that allows users to access two-factor password apps — no remembering or sticky notes needed.

Address how to build an open and welcoming security culture

It should be a culture in which there are no barriers to contacting security professionals, no matter how small the question or concern or how foolish the mistake is.

What are the key tenets of a strong security culture?

Open: Employees feel safe reporting an incident and are rewarded for their honesty and transparency. They feel comfortable approaching the security team no matter how trivial their question or concern may seem.
Iterative: The organization provides frequent, iterative training that’s compelling to employees. In between formal sessions, IT uses various tactics to keep security top of mind – from gamified security contests to lunchtime workshops.
Designed: Employee behavior is sharpened by tech-driven behavioral interventions. They are designed so well that they eliminate dreaded workarounds and non-compliance. As one security expert explained,

“Repeat clickers aren’t really the problem, or more accurately, they’re a relatively predictable problem. If you know someone has a hard time detecting deception, they need guardrails, not punitive measures or more ineffective training.”

Comment from the r/cybersecurity Reddit forum

Integrated: The responsibility for security is shared by all, and your employees are invested in keeping the organization safe.

Which Gen Is Most Tech-Savvy? A Workforce Dilemma

Tue, 03 Oct 2023 04:01:01 Z

Part one of a four-part series covering Ivanti’s latest research. Get the full series:

According to new cybersecurity research by Ivanti, the employees who are the most tech-savvy aren’t necessarily the ones we’d presume, demographically speaking. Why is that? And what are the issues it creates for an enterprise?

For a new report, Ivanti surveyed 6,500 executive leaders, cybersecurity professionals and office workers across the globe to get a better understanding of:

Employees’ attitudes toward cybersecurity and their perceived role in defending organizations.
Security professionals’ diagnoses of key challenges and vulnerabilities.
Leaders’ tech behaviors, as well as their level of buy-in to cybersecurity strategy.

Some of the results were, in a word, surprising. And that starts with what we’ll examine in this first article in a four-part series about the hidden threats facing even those organizations that have solid cybersecurity programs in place.

Get the report: Hidden Threats: How workforce demographics impact your security posture

The opposite of expectations

Many assume older employees are less tech savvy — and therefore more likely to engage in risky behaviors. In fact, our research found that the opposite is true.

Younger professionals (those under 40) are significantly more likely to disregard important security guidelines compared to Gen X and older. This is true about performing password hygiene, clicking on phishing links and sharing devices with family and friends.

Why it matters

These oversights, lapses and shortcuts add up to significantly higher security vulnerabilities with younger employees.

Stereotypes about age-based tech savviness may be leading organizations astray. And the problem isn't only related to cyberhygiene (e.g., password habits, sharing devices); the research shows younger professionals are also less likely to report red flags when they encounter them.

Among those 40 and under, 77% said they reported the last phishing email or message they received, compared to 88% of those over 40. The most common reason for not reporting? “I didn’t think reporting was important.”

Stereotypes about older workers are particularly insidious because tech workers skew younger — and so may be more likely to believe their older colleagues are uninformed or vulnerable.

For example, a study of 2,250 professionals in the UK found tech workers viewed colleagues as “over the hill” and “too old for their job” when they reached 38 years old. (Keep in mind, this is in relation to their tech industry peers, not average employees, who are less likely to be tech savvy.)

Solution? Automate cybersecurity “savvy”

These findings underline why organizations need to rely less on employees’ individual judgment and more on tech interventions that make rule-following effortless.

Even better: deploy automations that run behind the scenes such that your end users aren’t even aware they exist.

“Assuming that younger employees are more security-conscious and tech-savvy is outdated and even dangerous. Organizations should road test these assumptions by conducting internal research that captures their own employees' attitudes about security risk and their part in managing it.”

Daniel Spicer, Chief Security Officer, Ivanti

In the next post in this series, we’ll examine the hidden threat that comes from employee reluctance to raise red flags about cybersecurity dangers.

Red Flag Reluctance: The Risk to Cybersecurity

Tue, 03 Oct 2023 04:01:01 Z

Part two of a four-part series covering Ivanti’s latest research. Get the full series: 

Keeping an organization safe means getting near-real-time information about security incidents or breaches. But new research shows some employees are less inclined than others to report red ﬂags, which puts your business at risk.

Will your employees get in touch quickly if they have a security concern? Again, it’s dangerous to assume they’ll take action even when they understand the potential risk to their organization.

In the first post in this series, we looked at the hidden cybersecurity threat created by employee demographics and dangerous presumptions companies make about them. In this article, we’ll see what new research from Ivanti reveals about the reluctance of some workers to raise red flags, even about very critical threats.

Get the report: Hidden Threats: How workforce demographics impact your security posture

What groups are less likely to raise alarms?

Ivanti’s research, involving a survey of 6,500 executive leaders, cybersecurity professionals and office workers worldwide, shows specific segments of your employee base may hesitate to reach out to alert your cybersecurity team about issues.

This is something any organization should be aware of as it develops outreach and training programs for its employees. So what are the groups that are more likely and less likely to raise red flags?

Seniority

The biggest swing variable in reporting issues is seniority. Seventy-two percent of leaders we surveyed say they’ve contacted a cybersecurity employee with a question or concern, compared to just 28% of office workers.

Did you know?

Executives are twice as likely to report security interactions as "awkward" or "embarrassing" than office workers. These more frequent, yet negative security interactions may accelerate executives' use of external, non-approved tech support – reportedly at four times the rate of office workers.

Gender

Women are less likely than men to do the same. Twenty-eight percent have contacted a cybersecurity employee with a question or concern, compared to 36% of men.

Region

Willingness to contact security varies greatly by country. For example, nearly half of office workers in China have contacted the security team with a question or concern, compared to just 20% in Australia.

Why it matters

Your security position depends on hundreds or thousands of employees playing defense. Do your employees know they’re valuable members of the extended security team?

Our security preparedness study asked security professionals about their biggest industry-wide vulnerabilities. Ransomware and phishing ranked number one and two. And these threats are becoming more dangerous with each passing year due to advances in generative AI, which make phishing harder to spot.

All this means your employees need to feel comfortable approaching IT and security — even if the only “proof” they have of an incoming attack is a nagging doubt. (Some examples: an atypical wire transfer request, a suspicious invoice reminder, or an unsolicited password reset link.) During an active security incident, speed is the single most important factor in defending against an attack.

When employers conduct sentiment surveys to understand employee attitudes, they should drill down to investigate demographic patterns and vulnerabilities. These insights are key to improving overall security preparedness.

“We’ve experienced a few advanced phishing attempts, and the employees were totally unaware they were being targeted. These types of attacks have become so much more sophisticated in the last two years — even our most experienced staff are falling for it..”

— Ivanti survey respondent

In our next post in this series, we’ll dig into the matter of geography. For a large or multinational organization, it’s vital to understand how employee cybersecurity beliefs and behaviors vary – sometimes considerably – by country.

September 2023 Patch Tuesday

Tue, 12 Sep 2023 21:17:26 Z

September 2023 Patch Tuesday has a lot of activity. The theme this month: "Everyone has a zero-day release!"

Microsoft has resolved 63 total vulnerabilities including two exploited zero-days (CVE-2023-36761 and CVE-2023-36802). Google Chrome resolved one zero-day vulnerability (CVE-2023-4863) on September 11, which is also included in the Microsoft Edge Chromium release. Adobe resolved a zero-day vulnerability in Acrobat and Reader (APSB23-34 CVE-2023-26369) on September 12. Apple resolved two zero-days on September 7 (CVE-2023-41064 and CVE-2023-41061). There aren’t any recent zero-day vulnerabilities on the Linux side, but there are three recent vulnerabilities that are affecting some core capabilities in the Linux Kernel that warrant some attention.

Microsoft updates

Microsoft has resolved a total of 63 vulnerabilities this month, including two exploited vulnerabilities. The zero-day vulnerabilities are in Word (CVE-2023-36761) and the Windows OS (CVE-2023-36802). Microsoft Edge (Chromium) should be releasing shortly and will include a fix for the Chrome zero-day CVE-2023-4863.

Microsoft has resolved an Information Disclosure vulnerability in Word (CVE-2023-36761) that has been exploited in the wild. The vulnerability is only rated as Important by Microsoft and has a CVSSv3.1 score of 6.2, but the confirmed exploitation should raise this on your priority list. The Preview Pane can also be used as an attack vector, making it easier to target users to exploit the vulnerability. If exploited, the attacker could gain access to NTLM hashes.
Microsoft has resolved an Elevation of Privilege vulnerability in the Microsoft Streaming Service Proxy (CVE-2023-36802). The vulnerability is only rated as Important by Microsoft and has a CVSSv3.1 score of 7.8, but the confirmed exploitation should raise this on your priority list. If exploited the attacker could gain SYSTEM privileges on the target system.

Third-party update

Google has resolved a Critical heap buffer overflow vulnerability in the Chrome browser (CVE-2023-4863). Google is aware that an exploit for CVE-2023-4863 exists in the wild. Windows instances should update to 116.0.5845.187/.188 and for MacOS and Linux 116.0.5845.187.
Adobe Acrobat and Reader released APSB23-34, resolving one critical vulnerability (CVE-2023-26369) that is confirmed to be exploited in the wild. The vulnerability is an out-of-bounds write vulnerability that could allow an attacker to execute arbitrary code.
Mozilla has released updates for Firefox and Firefox ESR. No zero-days, just a decent lineup of CVEs resolved.

Linux update

There are three CVEs of note on the Linux platforms:

CVE-2023-3111 is a use after free vulnerability in btrfs in the Linux Kernel affecting all versions of Linux. A use after free vulnerability could allow an attacker to leak data from memory, overwrite critical information, execute arbitrary code and bypass Address Space Layout Randomization (ASLR).
CVE-2023-3390 is a vulnerability in the Linux Kernel’s nftables API in the netfilter subsystem that could allow privilege escalation. The vulnerability affects Debian and Ubuntu.
CVE-2023-35001 is an out of bounds read\write vulnerability in nftables. These types of vulnerabilities can cause a crash, data corruption, code execution, or allow attackers to read sensitive information from other memory locations.

The changes affect two commonly used components in the Linux Kernel. These components are also used by a variety of solutions from Firewalls to SANs and could affect foundational capabilities.

Btrfs is the filesystem utilized by most Enterprise Linux distributions (Ubuntu, Debian, Redhat, etc.).
Nftables is used by any modern firewall solution. Regardless of distribution, it will either be built in through the system itself or third-party applications it will use. The component provides high-performance packet inspection and routing.

None of the vulnerabilities are currently exploited so there is time, but you should take advantage to ensure you are testing the changes across your environment adequately.

Linux vulnerabilities can have a long tail from publishing of the CVE to patches being made available by Linux distributions. To monitor the latest Linux CVEs, check out TuxCare’s detailed CVE Tracker.

Apple update

Apple released updates resolving two exploited vulnerabilities on September 7. The updates affect iOS, iPadOS and macOS. The two CVEs have confirmed exploits in the wild and CISA has updated the KEV list adding these two vulnerabilities.

CVE-2023-41061 is a vulnerability in Apple Wallet affecting iPhone and iPad. The vulnerability allows an attacker to create a specially crafted attachment which could allow them to execute arbitrary code.
CVE-2023-41064 is a vulnerability in Apple ImageIO affecting iPhone, iPad and macOS. The vulnerability could be used to craft a malicious image which would allow an attacker to execute arbitrary code when processed.

Update priorities for September

Windows OS, macOS, iPhone, iPad, all browsers and Adobe Acrobat and Reader. Which pretty much feels like everything.

5 Reasons Why NIS2 Directive Preparation Should Start Now, Part Two: Implementation Takes Time

Mon, 28 Aug 2023 17:43:02 Z

In a previous blog post, I discussed the two main areas to audit before the European Union’s updated Network and Information Security Directive (NIS2) becomes ratified law in October 2024. Specifically, these audits would:

Identify your gaps with the NIS2 directive’s requirements now.

Review your current supply chain security flaws.

Now that we’ve discovered these security flaws, we must fix them — before time runs out in October 2024.

So, in this post, I’ll walk you through how to resolve your weakest security issues before the NIS2 Directive deadline hits by addressing these three key areas:

Inform management about your cybersecurity gaps
Correctly implementing new organisation and technical security measures
Find time to train all of your employees

1. Inform management about your gaps – and get budget to remediate them

The NIS2 Directive imposes significant obligations on organisations that fall under its scope, which may entail substantial costs and resources. The Directive also introduces hefty fines and sanctions for non-compliance, up to a maximum of €10 million or 2% of an organisation's global annual revenue (Article 34).

On top of this, the new directive can extend liability from entities to their individual representatives in certain situations. Moreover, when certain conditions are met, persons in management positions could be temporarily suspended (Article 32-5b).

Therefore, following the NIS2 Directive is a legal necessity and a strategic priority.

To be in compliance, you must:

Inform your management about its implications and benefits and convince them to allocate sufficient budget and resources for implementing compliance.
Present a clear business case that outlines the risks of non-compliance, the opportunities of compliance and the return on investment.
Demonstrate how compliance will enhance your organisation's reputation, trustworthiness, competitiveness and resilience.

Informing management and getting a budget is a challenging task, requiring a persuasive and evidence-based argument that showcases the value of cybersecurity for your organisation.

The sooner you start this process, the more time you’ll have to secure buy-in and support from management.

Possible business case benefits for NIS2 compliance

Some possible benefits that you can highlight in your business case are:

Reducing operational costs by preventing or minimising cyberattack losses, such as downtime, data breaches, ransom payments, lawsuits and so on.
Increasing revenue by attracting or retaining customers who value security, privacy, quality, et cetera.
Improving efficiency by streamlining processes, enhancing performance, reducing errors, etc.
Innovating by adopting new technologies, developing new products or services, creating new markets and more.
Following other cybersecurity regulations or standards beyond NIS2 – such as GDPR, ISO 27001, PCI DSS and others – since global frameworks often have a high overlap with the compliance requirements of NIS2.

Potential information sources for justifying your NIS2 compliance business case

Some sources you can use to support your business case are:

Statistics or facts showing the prevalence, impact or cost of cyberattacks in your sector or region.
Case studies or examples illustrating how other organisations have benefited from complying with the NIS2 Directive or similar regulations. For example, the Enisa NIS Investments 2022 report shows that for 62% of the organisations implementing the older NIS directive, such implementations helped them detect security incidents; for 21%, implementations helped during security incident recovery.
Testimonials or feedback from customers, partners, regulators or experts who endorse or recommend complying with the NIS2 Directive or similar regulations.
Benchmarks or indicators revealing your current or projected cybersecurity performance or progress in relation to the NIS2 Directive or your competitors.
Ivanti’s 2023 Cyberstrategy Tool Kit for Internal Buy-In is also a great resource that explains time-to-functionality and cost, how a solution helps defend against certain types of cyberattacks, and how to react to and overcome common objections.

General business benefits of NIS2 Directive compliance

Some of the benefits of complying with the NIS2 Directive include:

Reducing operational costs by preventing or minimising cyberattack losses, such as downtime, data breaches, ransom payments, lawsuits, et cetera. According to a report by IBM, the average cost of a data breach in 2022 was US$4.82 million for critical infrastructure organisations and the average time to identify and contain a breach was 277 days. If you are taking measures to comply with the NIS2 Directive, the average time spent identifying and containing a breach will be much shorter, and costs of the attack will be lower.
Increasing revenue by attracting or retaining customers who value security, privacy, quality and similar factors. According to a survey by PwC, 87% of consumers say they will take their business elsewhere if they don't trust a company's data practices, and 71% of consumers say they would stop using a company's products or services if they found out it was sharing their data without their permission, which could happen with a data leak.
Improving efficiency by streamlining processes, enhancing performance, reducing errors and so on. Accenture has found that companies that adopt advanced security technologies can reduce the cost of cybercrime by up to 48%.
Complying with other regulations or standards that require cybersecurity, such as GDPR, ISO 27001, PCI DSS or others. Cisco points out that 97% of organisations that follow GDPR see benefits such as gaining competitive advantage, achieving operational efficiency and reducing sales delays. Similar results are probably achievable by following NIS2.

When it comes to budgeting, the proposal for a directive by the European Commission (Anex 7 - 1.4.3) mentions that for companies falling under the scope of the NIS2 framework, it’s estimated they would need an increase of a maximum 22% of their current ICT security spending for the first years following the introduction of the NIS2 framework.

However, the proposal also mentions that this average increase of ICT security spending would lead to a proportionate benefit from such investments, notably due to a considerable reduction in cost of cybersecurity incidents.

2. Correctly implement new organisational and technical security measures

After researching the gaps and obtaining a budget, it’s time to close those gaps. The NIS2 Directive requires companies to implement appropriate organisational and technical measures to manage their cybersecurity risks and ensure a high level of security across their networks and information systems.

These measures include:

Adopting policies and procedures for risk management, incident response, business continuity, data protection, et cetera.
Establishing roles and responsibilities for cybersecurity governance, oversight, coordination and other areas.
Providing training and awareness programs for staff, management, customers, etc.
Implementing basic cyber hygiene such as encryption, authentication (MFA), firewalls, antivirus software, patching, zero trust access and so on.
Conducting regular testing, monitoring, auditing and other measures.

Implementing those organisational and technical measures isn't a one-off or static task. It requires establishing a continuous and dynamic process that adapts to changing threats, technologies, regulations and business needs.

So, the same advice applies for this process as for the other points we’ve already covered: the sooner you start, the more time you'll have to implement the necessary measures and ensure their effectiveness and efficiency.

I would advise starting implementation at least in January 2024, so you’re ready before the summer holidays.

Next steps for NIS2 Directive implementations

Some possible steps that you can take to implement organisational and technical measures are:

Developing and implementing a risk-based management process that defines your objectives, scope, roles, responsibilities, resources, timelines and metrics for managing your cybersecurity risks.
Implementing a security policy that establishes your principles, guidelines, standards and procedures for ensuring the security of your network and information systems.
Conducting risk assessments to identify your assets, threats, vulnerabilities, impacts and likelihoods of cyberattacks; and prioritising your actions based on your risk appetite and tolerance.
Implementing security controls that protect your network and information systems from unauthorised access, use, disclosure, modification or destruction. These controls can be classified into three categories: preventive (e.g., encryption); detective, detective (e.g., monitoring), and corrective (e.g., backup).
Implementing an incident response plan that defines your processes, roles, responsibilities, resources, tools and communication channels for responding to cyberincidents effectively and efficiently.
Implementing a business continuity plan that defines your processes, roles, responsibilities, resources, tools and communication channels for maintaining or restoring your critical business processes during a cyber-related disruption or disaster.
Implementing a review and improvement plan that defines your processes, roles, responsibilities, resources, tools and communication channels for regularly evaluating, reporting and enhancing your cybersecurity measures.
Implementing the technical controls for asset management and basic cyber hygiene.

The Directive’s reference to ‘basic cyberhygiene’ is a bit vague in Article 21, so we’ll dive into this in another blog post. For now, think about basic security measures such as:

MFA.
Patching your OS and applications as quickly as possible.
Securing network connections on public networks.
Encryption of all drives (especially removable ones.)
Privilege management and education of all employees.
Subscribing to channels that give you information about the latest patches and priorities, like Ivanti’s Patch Tuesday webinars.

3. Fix the weakest link: find time to train every employee

The NIS2 Directive recognises that human factors are crucial for cybersecurity and that employees are often the weakest link — as well as the first line of defense – in preventing or detecting cyberattacks.

The Directive requires organisations to provide adequate training and awareness programs for their employees, users of digital services and other stakeholders on cybersecurity issues.

Training all your employees is not a sporadic or optional task. It requires a regular and comprehensive program that covers topics such as:

Basic cybersecurity concepts and terminology.
Common cyberthreats and attack vectors.
Best practices and tips for cyberhygiene.
Cybersecurity policies and procedures, made relevant and simplified for end users.
Every user’s role and responsibilities for organisational cybersecurity.
How to report and respond to incidents.

It is important to note that this training should be received by everyone within the company, not only by IT employees. Even management should undergo this training.

A survey conducted for Ivanti shows that a lot of employees are not even aware of mandatory cybersecurity training. Just 27% of them feel “very prepared” to recognise and report threats like malware and phishing at work. 6% of them feel “very prepared” to recognize and report threats like malware and phishing at work.

In Enisa’s NIS Investments 2022 report, Enisa mentions that 40% of the surveyed OES (Operators of Essential Services) have no security awareness program for non-IT staff.

It is important to monitor who has not been trained yet and act on it. Training all your employees is not only beneficial for compliance but also for productivity, quality, innovation and customer satisfaction.

The best NIS2 advice we can give

The NIS2 Directive is landmark legislation that aims to enhance the cybersecurity of critical sectors in the EU. It imposes significant obligations on organisations that fall under its scope, along with hefty fines and sanctions for non-compliance.

Following the NIS2 Directive is a complex task. It demands a proactive and comprehensive approach involving multiple steps, stakeholders and resources.

The sooner you start preparing for it, the better prepared you will be when it becomes effective in October 2024.

The best advice we can offer? Do not wait till then: start preparing for the NIS2 Directive now!

5 Reasons Why NIS2 Directive Preparation Should Start Now, Part One: Audits Take Time

Mon, 28 Aug 2023 17:14:55 Z

You probably heard about the European Union’s updated Network and Information Security Directive (NIS2). This directive will translate into active law in October 2024. You should be ready for it, as there are high fines and sanctions for non-compliance.

But you might be tempted to think that October 2024 is far away, right? Think twice.

After all, how can you know if you have plenty of time to prepare if you don’t know how well you currently comply with the projected regulations?

So, between now and October 2024, you must audit your current cybersecurity status. Specifically:

Identify gaps in meeting the NIS2 directive’s requirements, starting now
Review your current supply chain security flaws

In the second part of this series, I’ll review the three areas you’ll need to address to fix the gaps your audits uncover — including how to:

Inform management about your cybersecurity gaps.
Implement new organizational and technical security measures correctly.
Find time to train all of your employees.

1. Identify gaps in meeting the NIS2 Directive's requirements, starting now

The NIS2 Directive is the EU-wide legislation on cybersecurity that provides legal measures to boost the overall level of cybersecurity in the EU. It modernises the existing legal framework to keep up with increased digitization and an evolving cybersecurity threat landscape.

The directive expands the scope of the cybersecurity rules to new sectors and entities, improving the resilience and incident response capacities of public and private entities, competent authorities and the entire EU.

The NIS2 directive outlines increased measures for resilience against cyberattacks to minimize vulnerabilities and improve cyberdefense.

To comply with the NIS2 Directive, you must:

Assess your cybersecurity posture and identify any gaps or weaknesses that may expose you to cyber risks.
Map your existing policies, procedures and controls to the directive's requirements and see where to improve or update them.
Evaluate your incident response capabilities and reporting mechanisms and ensure they align with the directive's standards.

A big problem with the NIS2 is that it tells you what you should do, but not how you should do it. Luckily, multiple frameworks can help you with the how, including:

In Belgium, the CCB has created a Cyberfundamentals Framework based on multiple frameworks with references to how the different parts of the frameworks relate to the GDPR and NIS2.

After selecting the framework, you must identify gaps in relation to the chosen framework and the directive's requirements. Identifying gaps is not a simple or quick task; it requires a thorough and systematic analysis of your organization's cybersecurity maturity and readiness.

You not only need to check your cybersecurity strategy and policies, but you also need to do a risk analysis to find the most critical assets and the cybersecurity risks they present, then consider security controls to bring down the risk score of those vital assets.

The sooner you start this process, the more time you’ll have to obtain the budget needed to address any issues and implement any necessary changes.

Possible NIS2 environment gaps

Some possible gaps that you may encounter in your environment are:

Lack of a comprehensive cybersecurity strategy or policy that covers all aspects of risk management, incident response, business continuity, data protection, etc.
Lack of a dedicated cybersecurity team or function that oversees, coordinates and monitors all cybersecurity activities and initiatives across the organization.
Lack of adequate security controls or measures for protecting your network and information systems from unauthorized access, use, disclosure, modification or destruction.
Lack of regular testing or auditing of your security controls or measures to ensure their effectiveness and compliance with the directive's requirements.
Lack of proper training or awareness programs for your staff, management, other employees or other stakeholders on cybersecurity issues and best practices.
Lack of clear communication or reporting channels for notifying relevant authorities or parties of any incidents or breaches that affect your services.

Potential security solutions for your environment to comply with NIS2

To identify and fix these security gaps, you can:

Run gap analysis frameworks or models that help you compare your current state with your desired state and identify areas for improvement.
Implement cybersecurity maturity models or standards that help you measure your level of cybersecurity performance and progress.
Conduct a risk assessment to identify your assets, threats, vulnerabilities, impacts and likelihoods of cyberattacks.
Request external audits or assessments that help you validate your compliance status and identify any weaknesses or deficiencies.

2. Review current supply chain security flaws with enough time to coordinate action with suppliers

The NIS2 Directive also introduces new provisions on supply chain security (chapter 0, point 54, 56), recognizing that cyber threats can originate from third-party providers or subcontractors.

The directive requires organizations to ensure that their suppliers follow appropriate security standards and practices (article 21-2d) and regularly monitor their performance and compliance (article 21–3).

This isn't without reason. Supply chain attacks are on the rise:

In BlackBerry research with over 1500 IT decision-makers in 2022, four-fifths of respondents said they had been notified of an attack or vulnerability in their supply chain within the year. Seventy-seven percent said they uncovered hidden participants in their software supply chain that they weren't previously aware of.

Accenture research also reveals 40% of security breaches are indirect, occurring through the supply chain.

Therefore, securing your supply chain is essential for ensuring business continuity, resilience, reputation and trust.

But in Ivanti’s Press Reset: A 2023 Cybersecurity Status Report, we found that only 42% of the over 1,300 executive leaders and security professionals surveyed said they're prepared to safeguard against supply chain threats, even though 46% call it a high-level threat.

Supply chain threats not only come via attacks on solution providers like Okta, Kaseya or SolarWinds, but also through partners either directly connected to your IT infrastructure or who can log into it.

And don’t forget about attacks on your resource suppliers that may cripple them so they're unable to deliver certain resources you need for your own operations. You have to be prepared and have backup vendors available who can supply those resources if your primary supplier is out of action due to a cyberattack or other cause.

Supply chain security is a complex and challenging issue involving multiple actors, dependencies and interconnections — and cannot be achieved overnight.

You need to:

Establish clear and transparent communication channels with your suppliers and define your expectations and obligations regarding cybersecurity.
Conduct regular audits and assessments of your suppliers' security practices and verify that they meet the directive's requirements.
Establish contingency plans and backup solutions in case of a disruption or compromise of your supply chain.

Furthermore, you must start engaging with your suppliers as soon as possible and work together with them to ensure your supply chain is secure and resilient.

Supply chain security challenges for NIS2

Some possible challenges that you may face in securing your supply chain are:

Lack of visibility or transparency into your suppliers' security practices, policies, or incidents.
Lack of trust or cooperation among your suppliers or between you and your suppliers.
Lack of consistency or alignment in security standards, requirements, or expectations across your supply chain.
Lack of resources or capabilities to monitor, audit or verify your suppliers' security performance or compliance.
Lack of contingency plans or backup solutions to mitigate or recover from any disruptions or compromises of your supply chain.
Lack of information as to what you expect from your supplier’s security practices.

Supply chain security solutions for NIS2

To overcome these supply chain security challenges, you can:

Establish clear contracts or agreements with your suppliers that specify their security obligations, responsibilities and liabilities.
Develop common security criteria, guidelines or frameworks that apply to all suppliers in your supply chain and align with the directive's requirements.
Implement security controls, measures or tools that enable you to track, monitor or verify your suppliers' security activities, incidents or compliance status.
Create joint security teams, committees or forums that facilitate information sharing, collaboration and coordination among your suppliers or between you and your suppliers.
Build trust and mutual understanding with your suppliers through regular communication, feedback and recognition.

When your NIS2 Directive audits are complete, now what?

Now that you’ve determined where you currently stand in relation to the NIS2 Directive, it’s time to implement critical changes to ensure compliance by October 2024. I’m certain that addressing the gaps that your audits identified will require all the time you have — and then some! – before the regulations are officially implemented in your country.

But how can you systematically address these gaps in a timely fashion? We discuss the three areas of security changes you’ll need for NIS2 in our next blog post, as we examine how to:

Inform management about your cybersecurity gaps.
Correctly implement new organization and technical security measures.
Find time to train all of your employees.

July 2023 Patch Tuesday

Tue, 11 Jul 2023 22:31:12 Z

This month is going to be a painful one, with:

Multiple zero-day exploits being resolved by Microsoft,
Some operational changes for Kerberos and Netlogon vulnerability resolutions, and
A large lineup of third-party updates releasing on and after July’s Patch Tuesday – including Oracle's quarterly CPU and Java updates.

Kerberos and Netlogon Vulnerability Changes

July is going to be a big month from an operational perspective.

A number of changes are going into effect regarding two previously resolved CVEs:

An Elevation of Privilege vulnerability resolution in Kerberos (CVE-2022-37967), and
An Elevation of Privilege vulnerability in Netlogon RPC (CVE-2022-38023).

Both CVEs were resolved in 2022, but the code change alone did not resolve the vulnerabilities.

What to expect in July 2023’s updates for Kerberos and Netlogon vulnerabilities

Microsoft outlined a phased rollout of enforcement for both vulnerabilities, due to the fact that they are changing some core behaviors in two commonly used authentication mechanisms.

KB5020805 outlines the timing of changes for the Kerberos vulnerability (CVE-2022-37967). For July, Microsoft is stepping up to initial enforcement. The earlier changes have been to add the capabilities to address the security bypass and audit logging to show if organizations had systems that needed attention to prepare for the change.
- This July 2023 OS update will default the behavior to Enforcement mode, but still allow an Administrator to override and set Audit mode explicitly.
- The future October 10, 2023, update will remove the Admin override and default to full enforcement.
KB5021130 outlines the timing of changes for the Netlogon vulnerability (CVE-2022-38023). For July, Microsoft is stepping up to full enforcement. The earlier changes have been to add the capabilities to address the security bypass and audit logging to show if organizations had systems that needed attention to prepare for the change.
- This July 2023 update will remove the ability to override enforcement and allow compatibility mode for RPC Sealing.
- After deploying the July update, Netlogon will fully enforce RPC Sealing.

Multiple Zero Days and Public Disclosures from Microsoft for July 2023

Microsoft has resolved 130 net new vulnerabilities this month, and there are updates to 9 previously released CVEs. Six CVEs and one Advisory have confirmed exploits.

One of the six exploited vulnerabilities released originally in May, and has been updated this month to address all versions of Microsoft Windows.

This month, I'd specifically like to highlight:

CVE-2023-24932 (Security Feature Bypass - Secure Boot): Critical Confirmed Exploits
CVE-2023-36871 (Security Feature Bypass - AD): Functional Code Maturity
CVE-2023-35311 (Security Feature Bypass - Outlook): Critical Confirmed Exploits
CVE-2023-36884 (Remote Code Execution - Office and Windows HTML): Critical Confirmed Exploits
CVE-2023-36874 (Privilege Escalation - Windows Error Reporting): Reported Exploits
CVE-2023-32049 (Security Feature Bypass - SmartScreen): Critical Confirmed Exploits
CVE-2023-32046 (Privilege Escalation - MSHTML): Important Confirmed Exploits
Microsoft Advisory ADV23001 - Malicious Signed Drivers

Microsoft CVE-2023-24932 (Security Feature Bypass - Secure Boot): Critical Confirmed Exploits

Microsoft has updated CVE-2023-24932, which is a Security Feature Bypass in Secure Boot.

The CVE was originally resolved in May 2023, but Microsoft has expanded the affected OS versions, and is recommending customers update to the July update on all affected Windows OS version this month. The vulnerability has confirmed exploits in the wild.

The CVSS v3.1 base score is 6.7 and it is rated as Important by Microsoft. However, with confirmed exploits and publicly disclosed functional code, this vulnerability should be treated as Critical.

Microsoft CVE-2023-36871 (Security Feature Bypass - AD): Functional Code Maturity

Microsoft has resolved a Security Feature Bypass in Azure Active Directory (CVE-2023-36871). The CVE is rated as Important and has a CVSS v3.1 base score of 6.5, but the temporal metrics list code maturity as functional.

An attacker would require a low privileged session on the user’s device to obtain a JSON web token. The token could thenbe used to create a long-lived assertion using the Windows Hello for Business Key from the victim’s device.

In this case, the fix is to:

Update to the July update on all AD FS servers.
Then, enable the setting required to turn on the EnforceNonceInJWT setting.
- The PowerShell command to enable this setting is provided in the CVE article.

Microsoft CVE-2023-35311 (Security Feature Bypass - Outlook): Critical Confirmed Exploits

Microsoft has resolved a Security Feature Bypass in Microsoft Outlook (CVE-2023-35311). This vulnerability has confirmed exploitation.

The attacker could send a user a specially crafted URL to bypass the Microsoft Outlook Security Notice prompt. The Preview Pane is an attack vector for this vulnerability, but user interaction is required.

Given the fact that phishing a user is a statistical challenge, the priority for getting this fix rolled out is Critical, even though Microsoft’s severity rating is only Important.

Microsoft CVE-2023-36884 (Remote Code Execution - Office and Windows HTML): Critical Confirmed Exploits

Microsoft has resolved a Remote Code Execution vulnerability in Office and Windows HTML (CVE-2023-36884). The CVE is rated as Important, but has confirmed reports of exploitation in the wild and functional code has been publicly disclosed for this vulnerability.

An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim.

Microsoft has not yet released an update to fix this issue, but has provided a configuration level mitigation to block Office applications from creating child processes. Running as least privileged could also help to mitigate the attack and require the attacker to execute additional exploits to elevate their privilege level.

Microsoft has released a blog entry describing steps that can be taken to protect systems until a fix becomes available.

Microsoft CVE-2023-36874 (Privilege Escalation - Windows Error Reporting): Reported Exploits

Microsoft has resolved an Elevation of Privilege vulnerability in Windows Error Reporting (CVE-2023-36874). The CVE is rated as important but has reported cases of exploitation. An attacker – with local access to the target machine with permission to create folders and performance traces on the machine – could gain administrator privileges.

Microsoft CVE-2023-32049 (Security Feature Bypass - SmartScreen): Critical Confirmed Exploits

Microsoft has resolved a Security Feature Bypass vulnerability in Windows SmartScreen (CVE-2023-32049). The CVE is rated as Important, but Microsoft has confirmed reports of exploitation for this vulnerability increasing the urgency to Critical.

The attacker can send a user a specially crafted URL that could allow the "Open File – Security Warning" prompt to be bypassed, opening additional opportunities to further compromise the target system.

Microsoft CVE-2023-32046 (Privilege Escalation - MSHTML): Important Confirmed Exploits

Microsoft has resolved an Elevation of Privilege vulnerability in Windows MSHTML (CVE-2023-32046). Microsoft has rated the CVE as Important and has reports of exploitation in the wild.

An attacker could target a user in a variety of ways, including email- and web-based attack scenarios. If exploited, the attacker would gain the rights of the user that is running the affected application. So, running least privilege would help to mitigate the impact of this vulnerability, forcing the attacker to take additional steps to take full control of the target system.

While IE 11 has been retired, you will see a reference to IE Cumulative updates listed for Windows Server 2008, 2008 R2, 2012 and 2012 R2 due to the MSHTML, EdgeHTML and scripting platforms still being supported.

If you are installing the Security Only updates on these platforms, Microsoft is recommending running the IE Cumulative update as well to fully resolve the CVE.

Microsoft Advisory ADV23001 - Malicious Signed Drivers

Microsoft has released an Advisory (ADV23001) providing guidance on Microsoft Signed Drivers being used maliciously.

Several developer accounts for the Microsoft Partner Center (MPC) were engaged in submitting malicious drivers to obtain a Microsoft signature.

Microsoft has released Window Security updates (see their "Security Updates" table) that untrust drivers and driver signing certificates for the impacted files, and has suspended the partners' seller accounts. All the developer accounts involved in this incident were immediately suspended.

Additionally, Microsoft has implemented blocking detections (Microsoft Defender 1.391.3822.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity.

For more information about how the Windows Code Integrity feature protects Microsoft customers from revoked certificates, see Microsoft Support's "Notice of additions to the Windows Driver.STL revocation list".

Third-Party Updates for July 2023 – Including Java Updates from Oracle

Mozilla has released updates for Firefox and Firefox ESR.
Adobe Acrobat and Reader has an update that appears to be non-security related, but has released updates for Adobe InDesign and ColdFusion.
Google Chrome is likely to update on July 11^th or shortly after.
Oracle’s quarterly CPU (Critical Patch Update) is due to release on July 18, with updates for the lineup of Oracle products – including Java.

As you begin your maintenance this cycle, keep in mind that – after the Oracle Java release – there is a stream of additional updates that will occur, including:

RedHat OpenJDK,
Amazon Corretto,
Azul Zulu,
Eclipse Adoptium,
Adopt OpenJDK, and
Other Java frameworks.

How Implementing Risk-Based Patch Management Prioritises Active Exploits

Tue, 20 Jun 2023 15:01:46 Z

Resistance to change is always present, especially if you think the processes you have in place are efficient and effective. Many organisations feel this way about their software management procedures until they have a security breach or incident and are left wondering where they went wrong.

The reality is that most patch management programs are built on assumptions and recommendations, rather than facts about actively exploited vulnerabilities. Risk-based patch management is the answer to this issue.

In this article, find:

What’s wrong with keeping typical prioritisations.
What risk-based patch management is.
Why it’s the perfect time to adopt risk-based patch management.

The problems with typical prioritisation

Software feature updates, security fixes, bug fixes, performance enhancements and many other types of software releases have existed since the software industry started. Vendors often assign a severity rating or other score to each of these to let customers know what they think is most important.

Unfortunately, there’s no industry standard associated with these ratings, so we are left to compare and prioritise releases for deployment on our systems based on recommendations. On top of that, such ratings are rarely updated to account for active threat context even as vulnerabilities change.

Overlooking an actively exploited vulnerability

While better than nothing at all, vendor severity ratings often come up short. Consider the Follina vulnerability (CVE-2022-30190) published in May of 2022. This vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) allows for remote code execution.

Follina was under attack for several months before Microsoft finally responded with several updates. Alarmingly, Microsoft only assigned this vulnerability a Common Vulnerability Scoring System (CVSS) v3 rating of 7.8 and severity of Important. If you’re only patching based on Critical severity, you'd have missed this one, leaving a significant gap in your attack surface.

Worse yet, Follina’s CVSS score remained at 7.8 even after it was revealed the vulnerability was being actively exploited to distribute Bisamware ransomware, exposing organisations that had overlooked the vulnerability to even more risk.

Intelligence on the ransomware threat associated with CVE-2022-30190 displayed in Ivanti Neurons for VULN KB

CVSS shortcomings

Severity ratings are ‘augmented’ with CVSS scores from FIRST. Each CVE is assigned a CVSS number, such as the 7.8 given to CVE-2022-30190 in the example above.

One of the major objectives behind calculating the actual CVSS number is to ensure standardisation so all CVEs are scored consistently and can be accurately compared. The higher the CVSS score for a vulnerability and the associated patch, the more critical it is to deploy in most environments.

For software updates that address multiple CVEs, the highest CVSS value is usually considered for prioritisation. But is this value even accurate?

The results of an analysis of CVSS scores in a recent article showed there's a discrepancy for nearly 20% of CVSS scores (25,000). This analysis was based on a comparison of the scores reported in the NIST National Vulnerability Database (NVD) and those reported directly by the vendors themselves.

Vendor severity inconsistencies

One important point to keep in mind is vendors have historically assigned their own terminology to severity (e.g., critical, important). Using vendor severity scoring as a priority mechanism may work well when comparing all patches by a given vendor, but doesn't always provide an accurate comparison of patches between vendors. In fact, many use different terminology entirely.

Likewise, vendor severity isn't always a positive indicator. Many zero-day vulnerabilities are only rated Important by Microsoft but have high CVSS numbers. You can see how patching using severity and CVSS for prioritisation is using assumptions and recommendations and can result in a vulnerable environment.

Why prioritise active exploits over any other prioritisation method?

According to the US Cybersecurity and Infrastructure Security Agency (CISA), an actively exploited vulnerability is “one for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner.” In layman’s terms, a vulnerability under active exploitation is one that's been used by a threat actor to launch a cyberattack.

Thus, to minimise the risk of an attack on your organisation, you must prioritise actively exploited vulnerabilities above all others. This is good news as most vulnerabilities aren't being actively exploited and thus pose little to no risk to your organisation. You can identify those that have been exploited through risk-based patch management.

What's risk-based patch management?

According to the Ultimate Guide to Risk-Based Patch Management:

“Risk-based patch management goes beyond vendor severity and basic CVSS scores to identify and qualify the specific vulnerabilities that pose the most significant risk to an organisation.

As an extension of risk-based vulnerability management, it brings real-world risk context into the patch management process by incorporating updates with known exploited vulnerabilities that matter most to an organisation’s security posture.”

How can my organisation adopt risk-based patch management?

For organisations ready to adopt a risk-based approach to patch management, a good place to start is the CISA Known Exploited Vulnerabilities (KEV) catalog. CISA took a major step forward to help prioritise vulnerabilities when it introduced Binding Operational Directive 22–01 along with its KEV catalog. When originally released, the catalog contained some 200 actively exploited vulnerabilities. It has since grown to almost 900.

CISA builds the list with the knowledge the vulnerabilities it contains are being exploited in the wild by active threats. However, the list does have its shortcomings, as it currently excludes 131 vulnerabilities associated with ransomware.

Is the CISA KEV catalog the only resource available for risk-based patch management?

Organisations with more mature risk-based patch management practices leverage advanced risk scoring methodologies in place of or in addition to CVSS. These methodologies assign scores to every vulnerability identified in an organisation’s environment, allowing those organisations to expand their risk-based approach beyond the CISA KEV.

Many vendors in the risk-based vulnerability management space have developed proprietary scoring methodologies that represent the true risk posed by a vulnerability. They do so by delivering dynamic risk ratings that give extra weight to actively exploited vulnerabilities.

For example, Ivanti’s Vulnerability Risk Rating (VRR) has assigned Follina a score of 10, a score that more accurately represents the risk posed by that vulnerability than its CVSS score of 7.8.

The difference between the VRR and CVSS v3 scores and severity levels for CVE-2022-30190 as shown in Ivanti Neurons for VULN KB

Why it’s the perfect time to adopt risk-based patch management

If you feel you’ve fallen behind on system updates or are overwhelmed by new systems and applications in your company, now is the perfect time to adopt risk-based patch management.

Even if you feel you have a solid program in place based on severity ratings and CVSS scores, it’s time to remove the resistance to change and start a new process before your business is devastated by a data breach stemming from an exploited vulnerability.

Start by using the CISA KEV to prioritise your updates and earmark a budget for a risk-based vulnerability and patch management solution. With the proper tools in place, you can quickly identify the highest risk systems to patch first and work down the list to ensure your systems are secure.

Looking to take the first step? Dive into this eBook for a one-stop guide for implementing a modern risk-based patch management program.

Three Reasons Endpoint Security Can’t Stop With Just Patching

Wed, 14 Jun 2023 20:56:25 Z

With remote work now commonplace, having a good cyber hygiene program is crucial for organisations who want to survive in today’s threat landscape. This includes promoting a culture of individual cybersecurity awareness and deploying the right security tools, which are both critical to the program’s success.

Some of these tools include endpoint patching, endpoint detection and response (EDR) solutions and antivirus software. But considering recent cybersecurity reports, they're no longer enough to reduce your organisation’s external attack surface.

Here are three solid reasons, and real-world situations, that happened to organisations that didn't take this threat seriously.

AI generated polymorphic exploits can bypass leading security tools
Patching failures and patching fatigue are stifling security teams
Endpoint patching only works for known devices and apps
How can organisations reduce their external attack surface?

1. AI generated polymorphic exploits can bypass leading security tools

Recently, AI-generated polymorphic malware has been developed to bypass EDR and antivirus, leaving security teams with blind spots into threats and vulnerabilities.

Real-world example: ChatGPT Polymorphic Malware Evades “Leading” EDR and Antivirus Solutions

In one report, researchers created polymorphic malware by abusing ChatGPT prompts that evaded detection by antivirus software. In a similar report, researchers created a polymorphic keylogging malware that bypassed an industry-leading automated EDR solution.

These exploits achieved this by mutating its code slightly with every iteration and encrypting its malicious code without a command-and-control (C2) communications channel.

This mutation is not detectable by traditional signature-based and low-level heuristics detection engines. This means that security time gaps are created for a patch to be developed and released, for the patch to be tested for effectiveness, for the security team to prioritise vulnerabilities and for the IT (Information Technology) team to rollout the patches onto affected systems.

In all, this could mean several weeks or months where an organisation will need to rely on other security tools to help them protect critical assets until the patching process is completed successfully.

2. Patching failures and patching fatigue are stifling security teams

Unfortunately, updates breaking systems because patches haven't been rigorously tested occur frequently. Also, some updates don't completely fix all weaknesses, leaving systems vulnerable to more attacks and requiring additional patches to completely fix.

Real-world example: Suffolk County’s ransomware attack

The Suffolk County government in New York recently released their findings from the forensic investigation of the data breach and ransomware attack, where the Log4j vulnerability was the threat actor’s entry point to breach their systems. The attack started back in December 2021, which was the same time Apache released security patches for these vulnerabilities.

Even with updates available, patching never took place, resulting in 400 gigabytes of data being stolen including thousands of social security numbers and an initial ransom demand of $2.5 million.

The ransom was never paid but the loss of personal data and employee productivity and subsequent investigation outweighed the cost of updated cyber hygiene appliances and tools and a final ransom demand of $500,000. The county is still trying to recover and restore all their systems today, having already spent $5.5 million.

Real world example: An errant Windows server update caused me to work 24-hours straight

From personal experience, I once worked 24 hours straight because one Patch Tuesday, a Microsoft Windows server update was automatically downloaded, installed which promptly broke authentication services between the IoT (Internet of Things) clients and the AAA (authentication, authorisation and accounting) servers grinding production to a screeching halt.

Our company’s internal customer reference network that was implemented by our largest customers deployed Microsoft servers for Active Directory Certificate Services (ADCS) and Network Policy Servers (NPS) used for 802.1x EAP-TLS authentication for our IoT network devices managed over the air.

This happened a decade ago, but similar recurrences have also occurred over the next several years, including this update from July 2017, where NPS authentication broke for wireless clients and was repeated in May of last year.

At that time, an immediate fix for the errant patch wasn't available, so I spent the next 22 hours rebuilding the Microsoft servers for the company’s enterprise public key infrastructure (PKI) and AAA services to restore normal operations. The saving grace was we took the original root certificate authority offline, and the server wasn't affected by the bad update.

However, we ended up having to revoke all the identity certificates issued by the subordinate certificate authorities to thousands of devices including routers, switches, firewalls and access points and re-enroll them back into the AAA service with new identity certificates.

Learning from this experience, we disabled automatic updates for all Windows servers and took more frequent backups of critical services and data.

3. Endpoint patching only works for known devices and apps

With the pandemic came the shift to Everywhere Work, where employees worked from home, often connecting their personal devices to their organisation’s network. This left security teams with a blind spot to shadow IT. With shadow IT, assets go unmanaged, are potentially out-of-date and cause insecure personal devices and leaky applications.

The resurgence of bring your own device (BYOD) policies and the lack of company-sanctioned secure remote access quickly expanded the organisation’s external attack surface, exposing other attack vectors for threat actors to exploit.

Real-world example: LastPass' recent breach

LastPass is a very popular password manager that stores your passwords in an online vault. It has more than 25 million users and 100,000 businesses. Last year, LastPass experienced a massive data breach involving two security incidents.

The second incident leveraged data stolen during the first breach to target four DevOps engineers, specifically, their home computers. One senior software developer used their personal Windows desktop to access the corporate development sandbox. The desktop also had an unpatched version of Plex Media Server (CVE-2020-5741) installed.

Plex provided a patch for this vulnerability three years ago. Threat actors used this vulnerability to deliver malware, perform privilege escalation (PE), then a remote code execution (RCE) to access LastPass cloud-based storage and steal DevOps secrets and multi-factor (MFA) and Federation databases.

"Unfortunately, the LastPass employee never upgraded their software to activate the patch," Plex said in a statement. "For reference, the version that addressed this exploit was roughly 75 versions ago."

If patching isn’t enough, how can organisations reduce their external attack surface?

Cyber hygiene

Employees are the weakest link to an organisation’s cyber hygiene program. Inevitably, they'll forget to update their personal devices, re-use the same weak password to different internet websites, install leaky applications, and click or tap on phishing links contained within an email, attachment, or text message.

Combat this by promoting a company culture of cybersecurity awareness and practice vigilance that includes:

· Ensuring the latest software updates are installed on their personal and corporate devices.

· Recognising social engineering attack techniques including the several types of phishing attacks.

· Using multi-factor authentication whenever possible.

· Installing and automatically updating the databases on antivirus software for desktops and mobile threat defense for mobile devices.

Continuing education is key to promoting great cyber hygiene within your organisation, especially for anti-phishing campaigns.

Cyber hygiene tool recomendations

In cybersecurity, the saying goes, “You can’t protect what you can’t see!” Having a complete discovery and accurate inventory of all network-connected hardware, software and data, including shadow IT assets, is the important first step to assessing an organisation’s vulnerability risk profile. The asset data should feed into an enterprise endpoint patch management system.

Also, consider implementing a risk-based vulnerability management approach to prioritsse the overwhelming number of vulnerabilities to only those that pose the greatest risk to your organisation. Often included with risk-based vulnerability management solutions is a threat intelligence feed into the patch management system.

Threat intelligence is information about known or potential threats to an organisation. These threats can come from a variety of sources, like security researchers, government agencies, infrastructure vulnerability and application security scanners, internal and external penetration testing results and even threat actors themselves.

This information, including specific patch failures and reliability reported from various crowdsourced feeds, can help organisations remove internal patch testing requirements and reduce the time gap to patch deployments to critical assets.

A unified endpoint management (UEM) platform is necessary to remotely manage and provide endpoint security to mobile devices including shadow IT and BYOD assets.

The solution can enforce patching to the latest mobile operating system (OS) and applications, provision email and secure remote access profiles including identity credentials and multi-factor authentication (MFA) methods like biometrics, smart cards, security keys, certificate-based or token-based authentication.

The UEM solution should also integrate an AI machine learning-based mobile threat defense (MTD) solution for mobile devices, while desktops require next-generation antivirus (NGAV) with robust heuristics to detect and remediate device, network, and app threats with real-time anti-phishing protection.

And finally, to level the playing field against AI-generated malware, cyber hygiene tools will have to evolve quickly by leveraging AI guidance to keep up with the more sophisticated polymorphic attacks that are on the horison.

Adding the solutions described above will help deter cyberattacks by putting impediments in front of threat actors to frustrate them and seek out easier targets to victimise.

Why IT Asset Discovery Is the Foundation of a Risk-Based Vulnerability Management Program

Wed, 14 Jun 2023 14:15:04 Z

With over 236,000 total vulnerabilities currently known – and an average 61 new vulnerabilities added every day to the NVD – it’s impossible to remediate every single CVE or threat vector that appears. So, how do everyday organisations handle the continuously growing threats to their organisation’s end users, customers and data – especially across an increasingly hybrid and remote Everywhere Workplace?

First and foremost, it’s critical to map out your risk surface by understanding what assets are connected to your network at all times. We asked two experts - John J. Masserini, Senior Security Analyst at TAG Cyber, and Chris Goettl, Ivanti’s Vice President of Security Product Management, how to figure out organisation’s unique cyberrisk factors for vulnerability prioritisation.

Check out part of their conversation below and if you’d like to listen to the full discussion, where they share more best practices from real‑world RBVM programs – go to the webinar recording.

Discover every (also the unknown) endpoint on your network

Chris Goettl: I think everybody's got security frameworks that they rely on to help them understand and develop their cybersecurity roadmap. If you look at all of the major cybersecurity frameworks, whether it's NIST, CIS, pick your regional, you know, the cyber essentials, you know the ASD top 20, all of these will have an element in there around discovery and asset management. The reason for this is if we don't know what's in our environment, we cannot secure it. So, discovery is a foundational piece of any security program - active, passive, the ability to connect to multiple data sources and really aggregate a lot of information around your environment.

Ivanti has a lot of capabilities around discovery, and what we have found through engagement with customers and some security surveys that we've done is most organisations have between a 20-30% gap in their understanding of all devices that are actually being managed in their environment.

So, if you take six or seven data points throughout your environment - look at the endpoint management solution, the asset management solution, your endpoint protection - whether it's EDR or threat protection platform of some type - each of those are going to have a set of managed machines. Match that up with your procurement team and I guarantee you, between those different data sources, you're going to start to see double digit percentages of machines that are managed in one, not in another. So that upwards of 30% of my environment is blind to me from any one data source.

One of the most important reasons for this to be in, you know, the base and the foundation of these cybersecurity frameworks is because we need to get a view on that upwards of 30% of our blind spots in our environment because if we don't, threat actors will.

Why unknown IoT devices can pose a threat to your IT environment

Chris Goettl: A couple of things that could be a concern. One, if there's a vulnerability on that device - I mean, we've seen light bulbs used in widespread DDoS attacks. That's just one example of how a simple IoT device that no one would ever expect could be a threat could become part of a much larger scale attack.

There's a possibility that if there's a flaw on that device, could somebody remotely force that device into a state where the heating elements are turned on and left on and could it start a fire. There's a variety of ways that devices like that could be used against us.

There was a recent medical related kind of IoT device. These robots are in hospitals and they're able to move around and assist the staff in doing a variety of things, whether it's, you know, bringing the things they need to work with a patient or delivering something to a lab or something along those lines. A set of vulnerabilities were discovered in those that made it so that somebody could listen to the conversations that that device was in proximity of. Those devices could be forced to stop. They were large enough where they could block a doorway. In a medical facility, blocking a critical doorway and forcing that device to basically lock itself up and be a barrier could be detrimental at times as well.

Each of those types of devices, no matter how benign it may seem, pose potential risks to the environment. And that's where discovery in this case found a device that should be there but could be segmented out because it's something that is not manageable from a - can you patch it? Well, not really. It might have some firmware updates, but it's something that you're not going to take that level of management on. Segment those away, but make sure that you understand what's in your environment and what can be used against you.

How asset information helps prioritise patching

John Masserini: Understanding what's there is kind of like the foundation of building a vulnerability management program. I would argue, though, the next step is really understanding the criticality of those devices to, you know, fundamentally the revenue streams of the organisation.

When we look at what we're patching, how we were patching it, regardless of the program, it really all was around what outages could we afford, what was a level of revenue that was being generated by that device or that stream of devices, and how were we going to manage the outage and or who was going to accept the risk if we chose not to close the vulnerabilities? So really getting that understanding of how critical the devices are to the business lines, I think is a major driver in any kind of risk metric. When we're talking about risk-based vulnerability management, understanding how we can leverage those risks around individual devices, individual workstreams is critical.

I always leveraged a BCP program to provide that. Doing a business impact analysis, which is critical for a business continuity program, is equally as valuable to a vulnerability management program when you're trying to understand the risk of whether it's an application or an environment, whatever. When you do a business impact analysis, it's incredibly enlightening for the business as well as valuable for the IT side of the house.

Every time you walk into a business, you're going to say: ‘We want instant response time. We never want to go down and we want to guarantee customer satisfaction.’ All this kind of stuff. And you go: ‘Okay, well here's the price tag for that.’ And they go, ‘Whoa, whoa, whoa, we don't have that kind of money!’ So, you very quickly get into this discussion about, what is the minimal, acceptable standard for this? How much are you willing to say...we can afford a two-hour outage window from 2 to 4 am every other Friday or something along those lines. And really understanding that this drives 80% of the revenue of the company, so we have to be very sensitive about that. Maybe we roll patches quarterly, but we certainly do a different level of testing on those patches for environments like that compared to some internal site that we use just share memes, or whatever.

There's just fundamentally different criticality around different devices in our infrastructure that really should be evaluated and measured to make sure that we're performing the risk analysis correctly.

A lot of those things are, believe it or not, a lot of legacy things. Whether you're running old mainframes, whether you're running AS/400s, whether you're running brand new devices, but the vulnerability has to be a new firmware flash, rather than just rolling out a patch to a library. They're very different models, very different pieces of very different risk analysis. Patching an application - if you have to patch Chrome on a Windows laptop is a very different risk profile than saying: ‘Okay, I'm going to go out to this critical router and flash the firmware overnight.’ They're just completely different risks.

So, understanding how all of that plays together, I think really is between the asset discovery and the risk analytics that come out of BIA, I think the two of them, really are a phenomenal foundation on building any kind of long-term strategy around risk-based vulnerability management.

Knowing what’s on your network is the first step to understanding how to prioritise your security efforts. Taking a risk-based approach to your vulnerability management ensures you focus on your weakest links – and with asset discovery, you can identify all of them, even the hidden ones.

Continue exploring best practices from real‑world RBVM programs by watching the rest of this discussion.

February 2023 Patch Tuesday

Tue, 14 Feb 2023 21:12:53 Z

Microsoft updates

February 2023 Patch Tuesday includes fixes for 76 CVEs from Microsoft affecting Microsoft Windows, .NET Framework, Microsoft Office, SQL Server, Exchange Server, several Azure services, HoloLens and more. Nine CVEs are rated as Critical, 67 as Important and three CVEs have known exploits in the wild. The three zero-day vulnerabilities are all rated as Important and have CVSS ratings of 7.8 or less. Organizations are urged to expand their prioritization beyond just vendor severity and CVSS score alone, as many exploited vulnerabilities will be less than Critical or CVSS 8.0, which emphasizes the urgent need to utilize risk-based prioritization methods in your vulnerability management program.

Microsoft resolved a Remote Code Execution vulnerability in Windows Graphics Component (CVE-2023-21823), which has been exploited in the wild. The CVE was rated as Important and affects Windows 10 and Server 2008 and later Windows editions. The vulnerability also affects Microsoft Office for iOS, Android and Universal. If exploited, the vulnerability in the Windows OS could allow the attacker to gain SYSTSEM privileges. For the apps, the exploit could lead to Remote Code Execution. Windows customers are urged to update to the latest OS version. For the app updates, Microsoft included additional notes regarding how to update through the Microsoft Store or Play Store.

Microsoft resolved a Security Feature Bypass in Microsoft Publisher (CVE-2023-21715). The CVE was rated as Important and affects Microsoft 365 Apps for Enterprise and has been exploited in the wild. Microsoft noted that, “The attack itself is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer.” The exploit can bypass Office macro policies used to block untrusted or malicious files.

Microsoft resolved an Elevation of Privilege vulnerability in Windows Common Log File System Driver (CVE-2023-23376), which has been exploited in the wild. The CVE was rated as Important and affects Windows 10 and Server 2008 and later Windows editions. If exploited, the attacker could gain SYSTEM privileges. A privilege escalation vulnerability like this would be used in combination with other vulnerabilities in an attack chain.

The Microsoft SQL Server update resolves six CVEs, one of which is rated Critical. This is the most security fixes released in a single update for SQL Server in many years.

The Microsoft Exchange Server update resolves four CVEs, all of which are rated as Important. No public disclosures or known exploits have been included in this update yet, but Exchange has been targeted by sophisticated threat actors in the past couple of years. All four of these are Remote Code Execution vulnerabilities. They shouldn't be left too long.

Third-party update round-up

Mozilla has released updates for Firefox and Firefox ESR, resolving 19 and 14 CVEs, respectively.

Google Chrome released updates for Windows and MacOS editions on February 7th resolving 10 CVEs.

Microsoft Edge (Chromium) released an update on February 9th resolving 11 CVEs.

Apple released updates for MacOS BigSur (8 CVEs), Monterey (18 CVEs), and Safari (3 CVEs) in late January.

Oracle’s quarterly CPU released on January 17th and included an update for Java (4 CVEs). This event triggers the release of many Java frameworks in quick succession. There have been updates for Corretto, Azul Zulu, Node.JS and other Java frameworks since the CPU release.

January 2023 Patch Tuesday

Tue, 10 Jan 2023 21:58:12 Z

Microsoft has released updates resolving 101 total vulnerabilities (CVEs), 98 new and 3 revisions to CVEs from November and December of 2022. 11 CVEs are rated as Critical this month. The most urgent of these are one known exploited vulnerability (CVE-2023-21674), one publicly disclosed vulnerability (CVE-2023-21549) and an update to an advisory from December 2022 (ADV220005).

Advisory 220005 (ADV220005) provides “Guidance on Microsoft Signed Drivers Being Used Maliciously”. Microsoft has included a block list in the January 10, 2023, OS updates which blocks the signing certificates that were compromised. Microsoft recommends all customers update to the January 10, 2023 update to ensure they have the most up-to-date block list.

Microsoft has resolved a known exploited vulnerability (CVE-2023-21674) in Windows Advanced Local Procedure Call (ALPC) which could allow an Elevation of Privileges. The vulnerability is rated as Important and affects all Windows OS versions. The vulnerability could allow a browser sandbox escape and the attacker could gain SYSTEM privileges.

Microsoft has resolved a publicly disclosed vulnerability (CVE-2023-21549) in Windows SMB Witness Service which could allow an Elevation of Privileges. To exploit the vulnerability an attacker could execute a specially crated malicious script which executes an RPC call to an RPC host.

This could result in elevation of privilege on the server. The vulnerability is rated as Important and can be exploited over the network without need for user interaction. Public disclosure means enough information regarding this vulnerability has been disclosed publicly giving attackers a head start on reverse engineering the vulnerability to attempt to exploit it.

For January 10, 2023, Patch Tuesday the majority of the risk is in the Windows OS update across all current versions. It is recommended to prioritize the Windows OS updates as a high priority this month.

Adobe released updates for Adobe Acrobat and Reader (APSB23-01) that resolve a total of 15 CVEs, 8 of which are rated as Critical. The udpate is a Priority 3, which according to Adobe’s rating system means “This update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.”

Oracle’s quarterly CPU will be releasing on Tuesday, January 17. Be prepared for updates for all your favorite Oracle products, but more importantly expect updates for Java and additional updates for Java alternatives like Corretto, AdoptOpenJDK, RedHat OpenJDK, Azul Zulu JDK and others. Oracle’s quarterly CPU starts a domino update effect across the Java solutions.

Windows lifecycle update

January 2023 Patch Tuesday is the final extended support update (ESU) for Windows 7, Server 2008 and 2008 R2. Microsoft will be continuing one additional year of ESU support for Server 2008 and Server 2008 R2, but only if it is running in Azure.

January 2023 Patch Tuesday is also the last security update for Windows 8.1.

Windows Server 2012 and 2012 R2 will reach its end date on October 10, 2023. Microsoft will offer ESU support for three years starting from October 11, 2023. More details, including migration guidance and a lifecycle FAQ, can be found on the Server 2012 R2 lifecycle page.

Guidance for Exchange customers about ProxyNotShell and OWASSRF exploits with the recent Play Ransomware attack against Rackspace customers

Microsoft responded to the initial ProxyNotShell exploit with two recommendations. A “URL Rewrite rule” and “Disable Remote Powershell for non-admins”. Microsoft is still recommending the latter disabling of powershell for non-admins as general guidance. The URL Rewrite rule was modified many times between initial release and November 7th. On November 8th, 2022 when the update for Exchange Server was released, Microsoft’s guidance was updated:

Update 11/8/2022

We have now released November 2022 Security Updates for Exchange Server. Please install those (or newer) updates to address vulnerabilities mentioned in this post. Mitigations are no longer recommended.

Rackspace stated the Nov 8th patch had caused performance issues for their hosted Exchange services, so they decided to continue to run with the mitigation. There is a lot of gray area for interpretation of what was the best or right answer, but this event brings up two critical points that I think all organizations should keep in mind.

Mitigations are not permanent fixes. In any case where there is a mitigation option it is meant as a short-term solution but will come with some tradeoffs. Log4J’s mitigation could still be protecting you today if you implemented the guidance specific to solutions in your environment. This would come at the cost of some logging features not being available, but the mitigation would still be effective.

PrintNightmare was a different story. You needed to turn off the print spooler and have no printing ability until the patch was released. In the case of ProxyNotShell and OWASSRF the original mitigation was intended to stop the initial steps used in the ProxyNotShell attack.

It did not account for other exploit methods that could bypass the URL Rewrite Rule mitigations created to mitigate ProxyNotShell, so it was very narrow in scope to prevent the original attack specifically.

In the case of the Play Ransomware attack the mitigations were never intended to stop OWASSRF’s attack method. Be careful how much long-term trust you put into mitigations as they were never intended to be permanent fixes.

Products and technologies have a shelf life. At some point a vendor does need to move beyond a solution as the cost of completely revamping said solution to meet more modern use cases and needs becomes very difficult. Exchange Server is a good example of the dangers of holding onto a technology too long.

Security researchers have stressed some fundamental risks with running Exchange Server. The complexities and difficulties of running an Exchange Server implementation with the level of security that Microsoft can deliver through O365 is really the key tradeoff.

OWASSRF and ProxyNotShell are the most recent, but the 2021 ProxyShell and HAFNIUM exploits were additional examples of high risk of continuing to invest in Exchange Server.

Can an organization run a secure Exchange server instance? Arguably yes, but a sophisticated threat actor with more intimate knowledge of Exchange Server than your organization will continue to find a way to circumvent how effectively you can secure your email services.

To properly assess this risk, you must assume you are competing with the concerted efforts of very knowledgeable adversaries. If you have not accounted for this in your risk assessment, chances are your organization is continuing to run Exchange Server under false assumptions.

Implementing the ACSC Essential 8: Top Considerations

Wed, 03 Aug 2022 20:29:14 Z

2022 saw the number of cyber incidents and their scale and impact grow exponentially.

After a two-year pandemic where many businesses have suffered to some degree, with looming financial uncertainty, maximising return on investment is a key driver for many on their security journey.

We all know skilled resources are hard to find, hard to hold on to and hard to budget for, so supporting their work through automation is a key strategy to do more with less.

Enter the ACSC Essential 8 – a security framework when implemented appropriately and using the correct tooling, can have three major outcomes:

Improving your security posture by protecting against 86% of targeted threats.
Reducing manual effort to complete common cyber hygiene related work.
Minimising the impact of security measures on user experience and productivity.

Ivanti provides solutions to help organisations perform asset discovery/management, and 7 of the Essential 8 controls

Understanding what you are protecting

Each organisation looking to adopt the ACSC Essential 8 needs to understand what they are trying to protect; from the applications that exist in their environment to the devices they are trying to secure. Maintaining a full real time asset inventory and performing a risk assessment of those assets is a key step to implementing the framework.

Understanding the level of maturity you are aiming for, the controls you need to implement and ensuring they are a good fit for your organisation, is fundamental to your planning.

Many basic tools used to complete patch management or application allow-listing come as part of the Microsoft toolset and enable customers to achieve a basic level of maturity for select controls. However, customers typically tell us these tools come with a large management overhead and associated operating costs.

When you need a more advanced level of maturity or to reduce workforce effort and operational costs when implementing and maintaining ACSC Essential 8 compliance, Ivanti can help.

Our solutions are designed from the ground up to automate, simplify and provide great user experiences, and reduce operational costs, all while driving higher compliance and maturity.

Which controls and how to implement?

The ACSC recommend s that when deciding how to implement the controls organisations should consider the threat that concerns them most. We will look at two common ones here:

Targeted cyber intrusion

When an organisation is targeted due to the sector they operate in, the IP they hold or the sensitivity of the information they work with, preventing malware delivery and execution while limiting the extent of any incident is a key strategy.

Ivanti helps our customers implement Application Control to ensure only approved applications, scripts and binaries can execute on machines, reducing the chances of malware and macro attacks.

For over 20 years, Ivanti’s solution has reduced implementation and ongoing maintenance workload for thousands of organisations.

This is done with a focus on reducing the manual effort to manage lists of approved items, providing flexible and contextual policies and empowering users by providing simple exemption workflows when required.

Patching applications is key to limiting many targeted attacks that use known vulnerabilities, especially in commonly used third-party applications. Adversaries know these applications exist on many machines but are not routinely updated or patched to the same cadence as Microsoft and other operating systems.

Ivanti provides a full catalogue of third-party application updates, allowing you to patch hundreds of applications with almost no manual steps, reducing the cost and time to deploy, and has been securing assets for nearly two decades – assisting thousands of customers and OEM partners worldwide.

Ransomware

For many the fear of a ransomware attack is very real. We all have stories of ransomware attacks etched in our memories. Ransomware is an attack vector that not only disrupts but destroys and sometimes leaves an organisation crippled with months of work to rebuild their business.

The recent collapse of a local housing development company listed a cyber-attack as one of the key triggers behind their demise.

Ivanti helps protect you by ensuring only approved applications can run and users only have the privileges they need to complete their job. So, whether ransomware is introduced by email, download, macros or external devices those executions are denied with no excessive privileges available for compromise.

Many ransomware attacks use known vulnerabilities to attack and later, to move laterally. Protecting against this through regular patching is another key strategy.

Do you know which CVEs are associated with ransomware? Do you know if and where those CVEs are exposed in your environment?

Ivanti’s unique risk-based approach to patching OS and third-party apps shows you where to focus first to protect your most important assets from the biggest risks. Reducing your attack surface by prioritising your team’s focus to achieve quick wins means a better security posture with effort optimised.

Our platform provides visibility of patches that close ransomware exploits and where they need to be applied, leaving your team to automate remediation with a few clicks.

Why Ivanti for the ACSC Essential 8?

If you would like to know more on how Ivanti can help you to implement 7 of the ACSC Essential 8 all from one vendor and help you gain real time visibility to the assets on your network, please have a look at our ACSC compliance site and check out our videos, case studies and testimonials.

You’ll find information on:

Reducing cyber exposure against common threats.
Limiting and reducing manual effort of implementation and operational overhead.
Reducing user impact.

Managing Security Threats Using a Risk-Based Approach

Thu, 19 May 2022 09:23:07 Z

Since the pandemic began its felt like life has been viewed through the lens of continual risk management, “Should I go to the store/pub/shops/cinema”. What’s the risk? What’s the value of taking the risk, how do I mitigate as much of the risk as possible?

With the covid rules relaxing in Australia live in-person conferences are now rolling out so it was with excited anticipation I recently attended the CISO Sydney event to talk about risk!

The topic was not covid risk unsurprisingly but rather: ‘Gain Compliance Using a Risk-Based Approach with Less Effort’. In this blog I’m going to detail how you can achieve this.

Addressing the Skills Shortage with Automation

We have a massive shortage of cyber security professionals in Australia, it’s estimated we need 18,000 in the next four years! For those looking it’s tough to find new hires, it’s also a competitive market so holding onto the skills you have is a challenge, plus they are expensive resources so most organisations can’t afford nearly as many as they need.

So, the logical approach is to do more with less, a topic that really resonated with the conference attendees as we discussed how to prioritise their vulnerability management (VM) programs.

Most of the CISO’s in the audience advised they used one or more VM scanners to identify all the weaknesses in their environment, the challenge came in trying to respond to what was found. The common story being the list gets longer every month and the team can’t keep up, and the work is not that rewarding. It’s a common theme resulting from the impact of covid on the workforce, that unhappy workers tend to find interesting work elsewhere if you can’t satisfy their needs.

What’s the Vulnerability Challenge?

There are 250k vulnerabilities in the National Vulnerability Database (NVD). What’s actually important is how these can be exploited:

Less than 20% of those are actually weaponised and could be used to breach your organisation.
Less than 3% use remote code execution (RCE) and privilege escalation (PE) exploits which are the really dangerous ones, 80% of all breaches use these types of attacks.
If ransomware is your biggest fear only 255 CVEs relate to its use, are you sure you know which they are?

So what’s the takeaway from all these facts and figures?

Well, the problem is if you don’t focus in the right area, you can spend a lot of time, resources and money remediating vulnerabilities that your organisation is very unlikely to be breached by, and you won’t reduce your attack surface significantly.

Apply a Risk-Based Lens to the Problem

Risk Based Vulnerability Management (RBVM) was the number two security project for 2021 based on Gartner insights, with the point being to “focus on vulnerabilities that are actually exploitable”.

Below I have included some data from a customer we’ve recently worked with.

The top analysis shows data that comes from their VM scanner, it illustrates that they had over 27,000 Critical and High severity items to resolve, an insurmountable task for their security team, the reports to the Senior Executives were worse every month and people were burnt out with no progress being made.

Compare this to the results when they used a risk-based approach to prioritise based on those that were weaponised, had RCE/PE exploits, were trending, or, had ransomware exposure. The customer could focus on the Critical and High 6,240 items that were their biggest risk. This meant a huge 75% reduction in their workload, so they could focus on reducing the actual attack surface of the organisation which made a significant impact.

Is Ransomware our Biggest Threat?

At the CISO conference one of the topics spoken about by the Minister for Home Affairs Karen Andrews and the head of the Australian Cyber Security Centre (ACSC) was the threat ransomware poses. This was detailed in a report available on the ACSC website: 2021 Trends show increased globalised threat of Ransomware.

If you look at your VM data through this risk-based lens and you can prioritise based on threat, you can gain visibility into exactly where you are vulnerable to ransomware attacks and should focus effort to improve your security posture.

In this example the security team can provide visibility to their executive team to illustrate the limited exposure they have to ransomware attacks. Of the 10,000 vulnerabilities in the environment across 7,000 devices, only 206 devices and 21 vulnerabilities need attention. It’s also possible to see in green the stats the team achieved to improve protection against ransomware.

Our Prioritisation Offer to You

If you are struggling in a world of too many vulnerabilities and prioritisation with an ability to automate workflows, assignment and service ticket integration doesn’t meet your requirements while your attack surface continues to expand then please get in touch. The only solution isn’t to increase the size of your security team.

Ivanti has proven with customers worldwide that we can help reduce cyber risks with less manual effort.

Provide the Ivanti team an output from any vulnerability management tool and within a few hours we can show you how we can prioritise it, giving you three key outcomes:

Reduce your workload by up to 80% by focusing on risk
Reduce the cost to deliver your vulnerability management program through risk-based prioritisation
Reduce your attack surface faster to reduce the risk of breaches and ransomware infections

Reach out via email to contact-anz@ivanti.com

Fighting Ransomware: Using Ivanti’s Platform to Build a Resilient Zero Trust Security Defense – Part 2

Fri, 10 Sep 2021 01:24:36 Z

Within the initial blog in this series, we discussed ransomware attacks and their remediation on Android mobile devices. Part 2 addresses potential ransomware exploits and their remediation on iOS, iPadOS mobile devices and macOS desktops.

iOS and iPadOS Exploits

The quickest method to check for the presence of malware on your iPhone, iPad or macOS devices is to look for the presence of an unknown configuration profile within the Settings > General > VPN & Device Management settings. Malicious third-party apps commonly sideloaded from non-sanctioned internet websites, or from an infected personal computer, or downloaded from package managers like Cydia or Sileo along with unofficial app stores like TweakDoor (formerly TweakBox) or TutuApp, will add their own configuration profile into the Device Management settings. Package managers, commonly installed after performing a jailbreak of your iOS or iPadOS device, and unofficial app stores that do not require a jailbreak, are repositories for alternative apps, tweaks, and software tools to customize your Apple iDevice. Often these third-party apps have not been rigorously tested for vulnerabilities and can contain malware and malicious exploits that can then take complete control of your device without you knowing.

Apple’s mobile device management (MDM) enables your company’s IT department to remotely enroll and deploy corporate and personally owned iOS, iPadOS or macOS devices over-the-air using a unified endpoint management (UEM) platform like Ivanti Neurons for UEM by deploying a root MDM profile within the same Device Management settings. UEM then fully manages, distributes applications and content, and enforces restrictions and security configurations to these managed devices.

A configuration profile can contain many payloads that store key value pair settings for MDM, with a partial list below. The link to the full itemized list is located here. The good news is as of iOS version 12.2 and later, the profile must be manually installed and then trusted by the user as additional security steps to explicitly approve its installation within the Device Management settings. The partial list includes:

Restrictions on device features
Credentials like identity and chain of trust certificates, secrets, and keys
Wi-Fi profiles
VPN profiles
Email server and Exchange settings
LDAP directory service settings
CalDAV calendar service settings
Web clips.

The other good news is these suspicious or untrusted configuration profiles, malware, and other malicious exploits including the Pegasus spyware will be detected by Ivanti Mobile Threat Defense (MTD) and trigger compliance actions like block access to corporate resources or quarantine actions on the device. Ironically, another indication of the presence of a threat on your mobile device is as part of a quarantine compliance action, UEM provisioned managed apps and their content are removed from an iOS or iPadOS device to prevent data loss. After the threats are removed, the managed apps are restored to allow the user to continue to be productive. (See video below that demonstrates this capability.)

macOS Exploits

Apple macOS desktop devices are also not immune from malicious exploits as evidenced by the list of high severity arbitrary and remote code execution vulnerabilities within the Common Vulnerabilities and Exposures details database. Fortunately, security updates exist for these known and former zero-day vulnerabilities.

More recently, a new variant of the AdLoad malware has been detected out in the wild and been able to evade Apple’s built-in malware XProtect scanner. Adload is a trojan, specifically targeting macOS platforms and is currently used to push malicious payloads like adware, bundleware, and Potentially Unwanted Applications (PUAs). It is capable of harvesting system information that can then be deployed to the infected remote web servers under the control of these malicious threat actors. Other macOS malware strains have been able to bypass XProtect as well and infect macOS devices with chained malicious payloads that exploited zero-day vulnerabilities to evade Apple’s File Quarantine, Gatekeeper, and Notarization security checks. Future versions of AdLoad can also evolve into dropping exploit kits that can harvest your personal information, perform lateral movement onto the network, and potentially ransomware.

iCloud Exploits

Back in June of 2014, an iCloud ransomware attack succeeded with victims in Australia, New Zealand, and the United States.

On infected iOS, iPadOS devices and macOS laptops, their lock screens were overlaid with a demand for payment message to unlock them. How did the malicious threat actors pull this off? Personal user account information was harvested using sophisticated phishing tactics and brute-force password cracking techniques from vulnerable iCloud accounts.

These threat actors used the Find My iPhone, Find My iPad, Find My Mac, or Find My iPod services within iCloud that allow the owner to try to locate their lost device from any web browser. If the lost device were still connected to the internet, the rightful owner could display a message on the screen instructing the person in possession of the device to contact them, remotely set a locking PIN (Personal Identification Number) or wipe the contents of the device.

Once the threat actors obtained the victim’s iCloud account credentials, they remotely changed the PIN and locked the device from the rightful owner. They could then display a ransom message demanding the $100 payment to unlock the device.

Other similar exploits include fake antivirus support pop-up messages that inform the user to call a telephone number to remove the malware. Victims would then be coerced to pay money to remove the malware from their devices or laptops. The simple solution was to restore from a Time Machine backup.

The good news is iCloud exploits have decreased in severity and total count in recent years. Although, credential theft and ransomware attacks, some leveraging the same machine learning (ML) artificial intelligence tactics and techniques applied by reputable security researchers, are now used by nation-state backed advanced persistent threat (APT) actors to evade detection and cover their tracks after a successful data breach, have gone up dramatically in the Everywhere Workplace. According to the Verizon 2021 Mobile Security Index, there was an increase of 364% in phishing attempts in 2020 versus 2019. That is mind blowing! What will the outcome for 2021 reveal?

Additional iOS, iPadOS and macOS Remediation

These settings are applicable within the iOS, iPadOS and macOS device:

Apple devices require a 6-digit, 4-digit, or random length alphanumeric passcode as the entropy source to initiate the Data Protection mechanism that leverages file-based encryption on iOS and iPadOS devices, and disk volume encryption for macOS desktops. The stronger the user passcode, the stronger the encryption key and lessening the likelihood of a successful brute force attack by malicious threat actors. Unified endpoint management platforms like Ivanti Neurons for UEM and Ivanti Mobile Threat Defense (MTD) can enforce strong and complex passcodes onto the managed device.

Only download apps from the iOS or Mac App Stores.

If your company employs a UEM platform and deploys an enterprise app store, download apps from the company app store only, as well.

These settings are configured within Ivanti UEM Neurons for UEM or MobileIron Core:

Create a Software Updates configuration to automatically update to the latest available iOS, iPadOS or macOS version for the device. For iOS and iPadOS only, Ivanti MTD can also enforce that the latest OS version is running on the device and if not, alert the user and UEM administrator that the device is running a vulnerable OS version and apply compliance actions like block or quarantine until the device is updated.
For macOS desktops, create a FileVault 2 configuration to enable volume-based encryption.
For iOS and iPadOS devices, enable Ivanti MTD on-device (using MTD Local Actions) and cloud-based to provide multiple layers of protection for phishing (Anti-phishing Protection) and device, network, and app level threats (using the Threat Response Matrix within the MTD management console).
For macOS desktops, augment the built-in malware scanner by also installing a reputable antivirus agent that updates its detection signatures and engine regularly.
For BYOD (Bring Your Own Device) deployments, create a deny list of disallowed apps on the device. For company-owned devices, create a allow list of allowed apps that can be installed on the device.
Backup data automatically onto a cloud storage provider like iCloud, Google Drive, OneDrive, Box or Dropbox. Make secondary and tertiary copies of backups using two or more of these personal storage providers since some offer free storage. Also, backup personal data onto a local hard drive that is encrypted, password-protected and disconnected from the device and network.
Create a Wi-Fi configuration that enables WPA3 Enterprise for your wireless connection when you are back in the office. At home, enable WPA3 Personal on your home router to secure your wireless connections from eavesdroppers.
Create a Web Content Filter configuration to limit access to adult content and specific websites prescribed by your company’s security and acceptable use policies. Ivanti UEM and MTD also provide a robust and multi-layered anti-phishing protection that updates the on-device engine’s database every 8 hours and is augmented by the cloud-based lookup engine’s database, which is updated every hour.
Create an Encrypted DNS (Domain Name System) configuration setting that enables DNS over HTTPS (DoH) or DNS over TLS (Transport Layer Security) (DoT) to encrypt and secure your DNS queries.
Configure a VPN client on a device like MobileIron Tunnel, Ivanti Secure Connect or Zero Trust Access to protect sensitive data-in-motion between the mobile device and MobileIron Sentry or Connect Secure or ZTA gateways.
Enable Ivanti Zero Sign-On (ZSO) for conditional access rules like trusted user, trusted device, and trusted app authentication to critical work resources on-premises, at the data center, or up in the cloud. Also, enable MFA (Multi Factor Authentication) using the stronger inherence (biometrics) and possession (device-as-identity or security key) authentication factors. Passwords and PINs can be phished, guessed or brute forced.

In the third blog in this series, we will discuss ransomware attacks and remediation of Windows 10 laptops and desktops. Stay tuned.

A Question of When vs If: The Need for Your Security Incident Management Plan

Wed, 08 Sep 2021 22:11:07 Z

Should all incidents be treated the same? Seems like a simple question, but the answer can have big implications.

Think about an employee who contacts the service desk, complaining they can’t log onto their email. If the issue is due to a ‘stale’ password, dropped connection or configuration issue after an update for the email server, then the impact on the organization can be quantified to the lost productivity for the impacted employee or employees. But if the outage is due to some malicious activity and the email outage is the first indicator of a larger security breach potentially affecting more mission critical applications, data or infrastructure, then the impact to the organization can be very far reaching.

The Service Desk as IT’s Front Line for Security Incident Responses

For most service management teams, incident management is focused on resolving incidents quickly and getting employees back up and running again. That practice works for most incidents, but as with the above security breech example, security-related incidents should be handled differently because of the higher potential risks and impacts. Even with dedicated security teams, the service desk will be IT’s face to the organization’s employees and the front line when a security incident occurs, so it needs to be an integral part of a coordinated response. Throw in the fact that service teams often act as the hub for communication and coordination during major incidents and the case becomes even stronger.

Since the worst time to plan for how to deal with a major security incident is in the middle of one, service teams need to proactively plan and prepare for how to handle security incidents. Otherwise, as one IT director said, “You’re trying to build the airplane while on final approach.” Given the increasing frequency and threat of security-related attacks, for most organizations it’s a question of “when” the next major security incident will occur, versus the question of “if.”

Your Security Incident Management Plan

One suggestion for service teams developing their Security Incident Management (SIM) plan is to do so in coordination with not just other IT teams, but ideally also with other departments that may potentially need to be involved. Why? Because a major security incident may have business impacts well beyond the scope of the immediate IT issues, such as legal responsibilities, privacy risks, and governance questions. That’s not to say everyone should be involved with each security incident, but a response plan should be comprehensive in dealing with and mitigating risks from a wide range of potential impacts.

When you start developing your SIM plan with your extended team, define the roles and responsibilities for involved team members. Think about leveraging models like RACI (Responsible, Accountable, Consulted, Informed) to help map out these roles and responsibilities based on type and scope of security incidents. Find and agree on the touch points for each team, not just for the Security team. Don’t wait until a breach occurs to determine who needs to approve specific actions; make it part of your SIM plan, along with response times and alternative approvers so requests don’t “hang” during critical moments and are instead automatically routed for timely approvals.

Also think about what data and information you need to capture during an incident. This can help in the moment when trying to figure out the incident scope and response, but also afterwards when things settle down and you’d like to evaluate and improve your response.

Similar to pilots preparing for a flight, one tactic IT teams use are checklists for what needs to be done, including for operational tasks like isolation, shutdown, recovery, and testing for different types of services, applications, devices, assets, and CIs. They also leverage automation tools as much as possible to remove as many manual steps, checks, notices, and approvals as they can, reducing the risk of things “falling through the cracks” when in the middle of a security response, as well as ensure additional levels of governance.

Once you complete your SIM plan, train and regularly practice the plan with your staff. Train them to quickly identify and confirm possible security incidents. Use practice runs to check the thoroughness and effectiveness of your procedures, including mitigation and recovery, looking for areas to improve.

SIMilar Position as Your Disaster Recovery Plan

One IT directory thinks of their SIM plan similar to their Disaster Recovery (DR) plan—"it’s good to have it ready but you hope you don’t need to use it.” But should you encounter a major security incident and need to activate your SIM plan, be sure to invest time soon after the incident to determine how you would improve your response. Plan to review the incident before memories fade, and gather the data and information collected during the incident.

During a review with the response team, investigate and determine the background for the incident. Answer the “news reporter’s” questions of “Who, What, When, Where, How and Why” for the incident. Keep in mind some of the answers and information may be needed for future legal proceedings.

Also evaluate your organization’s overall response. Analyze and grade how quickly threat identification, mitigation, and recovery happened. Gauge the effectiveness of current defenses and training, look for areas to improve, and apply lessons learned to be better prepared for the next threat.

For major incidents, prepare a report for the executive team along the lines of an “After Action” report used in the military. Summarize some of the key findings from your review, including an analysis of the speed and effectiveness of the response. Don’t forget to include possible financial and legal implications your extended team can provide.

Sample Questions to Begin Your Post-Incident Review

Here are some sample questions you may want to consider asking in your review. There are more questions you may have, but these are meant to help you get started as you work to improve your response to security incidents:

What type of incident was it?
How was the incident first detected?
Was the severity initially gauged correctly?
How well did the response plan work? Any steps not followed? What steps helped? What steps didn’t help?
Was response leadership clear? Was it effective and timely? Does anything need to change?
Any data or insights that could have helped?
How well did the security infrastructure work? Are there improvement opportunities in vulnerability management?
Was communication among teams effective and timely? What worked well? What didn’t work well?
Any other teams who should have been included? At what stage?
What could be improved to handle the next incident? For all types of possible security threats?

Forewarned is Forearmed

Security breaches and incidents, or at least attempted ones, are bound to occur given today’s changing threat landscape. But being forewarned is forearmed. IT service teams—along with the rest of IT and the larger organization—can be better protected and prepared, with well-documented plans for a coordinated team that’s ready to respond to and mitigate the risks from future security incidents.