Microsoft’s monthly “Patch Tuesday” is an important part of the cyber hygiene routine for anyone in IT (including home users). This month’s update proved to be a particularly critical one.
Early in January, the National Security Agency (NSA) alerted Microsoft to a major flaw in Windows 10 that could let hackers pose as legitimate software companies, service providers, websites, or others. “It’s the equivalent of a building security desk checking IDs before permitting a contractor to come up and install new equipment,” Ashkan Soltani, a security expert and former chief technologist for the Federal Trade Commission, told CNN.
Fortunately, Microsoft acted quickly and issued a critical update for the flaw, tracked as CVE-2020-0601, on January 14.
Despite this quick action, businesses and governments have a habit of missing, ignoring, or delaying important patches and updates. They do so at their peril: in 2019, the majority of cybersecurity breaches resulted from unapplied patches. The reasons for this oversight, however, are complicated and often unintentional.
Patch management — IT’s nightmare
Getting a handle on patch management is an unending challenge for IT and security teams. Last year, 12,174 common vulnerabilities and exposures (CVEs) were reported — making patching an almost impossible task for any organisation. In fact, it takes the average organisation 38 days to patch a vulnerability. Even then, 25% of software vulnerabilities remain unpatched for more than a year.
One of the biggest obstacles to frequent patching is that security teams struggle to identify everything that needs to be fixed. Understaffed and struggling with alert fatigue, they find it hard to identify the systems that are yet to be updated, prioritise remediation, and apply patches quickly.
To add to their workload, IT and cybersecurity teams must also make certain that the appropriate security policies are in place to ensure that users regularly update their PCs and devices, and don’t delay the inevitable “Windows Update”. Risk also extends beyond the four walls of the business.
Third- and fourth-party cyber risk is a big threat to businesses: 59% of breaches have their origins in vulnerable and unpatched third-party systems. The trouble is that vendor risk assessment questionnaires offer only a point-in-time view of the security posture of suppliers, partners, and sub-contractors, including any unpatched software they run. This leaves IT in the dark between assessments.
Windows 7 — a new risk
Microsoft has been focused on closing gaps in its Windows 10 OS. This left Windows 7 users walking into a new cybersecurity landmine on January 14, 2020. Microsoft ended support for the nine-year-old OS and will no longer issue security patches or updates.
This is particularly problematic, since almost 70% of organisations are still using Windows 7 in some capacity. It leaves them susceptible to a security issue, attack, or breach — unless they purchase extended support from Microsoft or upgrade to Windows 10.
Fixing the patch management challenge
Maintaining a frequent patching cadence is critical to mitigating cyber risk, but it doesn’t have to be a nightmare.
With the BitSight Security Ratings platform, your organisation can shine a spotlight on vulnerable, unpatched systems and out-of-date operating systems. It provides insight for both internal systems and across nth parties (partners, vendors, customers, etc.). Using these insights, IT teams can prioritise which patches are most critical and take steps to measurably reduce risk. In addition, security ratings make it easier to share actionable security information with other business functions.
This information allows teams to collaborate with each other on pressing security issues. It also helps reduce risk across your business ecosystem. Furthermore, because patching cadence is indicative of the likelihood of a breach, it has stepped into the spotlight as something the Board and C-suite are interested in. Security ratings make this conversation much easier: information about vulnerabilities is provided in a straightforward, non-technical way that is easy for everyone to understand.
Organisations can also share security ratings with partners. This allows third parties to identify and rectify issues and blind spots in their systems and software — continuously and in real-time, without waiting on lengthy audits or assessments.
Time is of the essence
As the recent Windows 10 critical update shows, organisations must do everything they can to stay on top of their patching cadence and that of their vendors.
But there’s no need for organisations to be paralysed by the sheer volume of ongoing patches. Learn more about how BitSight can help.
BitSight transforms how companies manage third and fourth party risk, underwrite cyber insurance policies, benchmark security performance, and assess aggregate risk with objective, verifiable and actionable Security Ratings.
The American Civil Liberties Union suffered major defeats on Friday, when two of its cases involving clear violations of civil rights and civil liberties were dismissed, both undone by the judiciary’s deference to executive-branch secrecy. A dramatically divided three-judge panel on the U.S. Court of Appeals for the D.C. circuit ruled in favor of Department of Justice lawyers who argued that Amir Meshal couldn’t sue for damages for his alleged torture at the hands of FBI agents in three African countries because it happened overseas and because the litigation would jeopardize “national security.” Meshal is a U.S. citizen who FBI agents suspected had ties to al Qaeda. And a Maryland district court judge threw out a massive legal challenge to the National Security Agency and its “Upstream” surveillance program on behalf of Wikimedia, Amnesty International USA, The Nation magazine and six other groups, because they couldn’t prove that the NSA had specifically spied on them — despite the troves of publicly available information on how the mass-surveillance program works, primarily from NSA whistleblower Edward Snowden. In both cases, the ACLU had appealed to the judicial branch for relief from the excesses of the executive branch. But both courts allowed the federal […]
The post Two ACLU Defeats Highlight Judiciary’s Lopsided Deference to Executive Branch Secrecy appeared first on National Cyber Security.
Three federal cyberstalking cases that surfaced within a few days of each other in the Cincinnati area have underscored widening challenges in protecting susceptible youths from wily predators. The three men are all charged with pressuring multiple girls or young women into providing sexually explicit images and threatening them with vengeful acts if they didn’t comply.
The post Ohio Cases Highlight Online Targeting, ‘Sextortion’ of Teens appeared first on Dating Scams 101.
Men across the world are painting one in five of their fingernails with nail varnish to raise awareness about the disturbing fact that one in five children are physically or sexually abused before the age of 18.
By uploading their photos to social media with the hashtag #polishedman, the supporters are literally helping to point the finger at child abuse.
It’s part of YGAP’s Polished Man campaign, which runs until October 15 and challenges men to adopt the beauty trend for a good cause.
YGAP’s CEO Elliot Costello came up with the idea for Polished Man after a visit to Cambodia.
The post Talk about MAN-icure! Chaps show off varnished nails to highlight child abuse appeared first on Parent Security Online.