[By Lydia Zhang, President and Co-founder of Ridge Security]

Organizations face constant threats from vulnerabilities that can exploit their systems and compromise sensitive data. Common Vulnerabilities and Exposures (CVEs) are one such concern, posing significant risks to organizations of all sizes.

Adopting a comprehensive security framework like continuous threat management helps to mitigate these threats effectively. So, let’s explore how this helps protect organizations from CVEs and fortifies their security posture.

Before diving into the role of continuous threat management, it is essential to grasp the basic concept of CVEs. CVEs are publicly disclosed security vulnerabilities and exposures that are assigned unique identifiers. They can exist in software, hardware, or network components, making them prime targets for cybercriminals to exploit weaknesses and gain unauthorized access.

The Role of Continuous Threat Management

Continuous threat management is a comprehensive security framework that combines threat intelligence, event management, and proactive monitoring and testing to strengthen an organization’s security posture. Here’s how it plays a crucial role in protecting against CVEs.

Threat Intelligence – Intelligence feeds gather information about emerging vulnerabilities and threats, including CVEs. By continuously monitoring reputable sources such as vulnerability databases, security bulletins, and threat intelligence platforms, organizations are informed about the latest CVEs relevant to their systems. This early awareness enables proactive measures to address vulnerabilities promptly. By generating reports and visualizations, security teams can track vulnerabilities, patch progress, and identify patterns or trends related to CVEs.

Vulnerability Assessment – Conducted across an organization’s infrastructure, applications, and network components, these assessments identify known CVEs and assess their potential impact on the organization’s systems. By performing comprehensive vulnerability scans and analyzing and validating the results, remediation efforts can be prioritized to eliminate the risk and impact of exploitation.

Patch Management – This process facilitates the deployment of security patches, updates, and fixes for identified vulnerabilities and exposures across the organization’s systems. Automated patch management tools integrated within the continuous threat management framework ensure timely patch application, reducing the window of opportunity for cybercriminals to exploit CVEs.

Incident Detection and Response – Continuously monitoring network traffic, logs, and security events will reveal any signs of exploitation related to CVEs. Continuous threat management identifies potential attacks and alerts security teams by correlating security events and applying behavioral analysis. Rapid incident detection and response minimizes the impact of CVE-related incidents.

Empowering Organizations to Unlock Operational Efficiencies

Advanced correlation and analysis allow security teams to identify patterns, anomalies, and indicators of compromise in real-time. With streamlined incident response workflows and automated alerts, continuous threat management platforms enable organizations to respond swiftly and effectively to mitigate the impact of CVE-related incidents.

A common platform for collaboration promotes cross-functional coordination, enhancing operational efficiencies and ensuring that security tasks are effectively executed. Security teams can easily share critical information, track vulnerability management progress, and monitor the status of patches and configuration changes. Continuous monitoring, testing, validating, and applying patches promptly enable organizations to adhere to security best practices and support regulatory requirements.

Designed to scale with the organization’s needs as they grow and face new threats, continuous threat management accommodates increased data volumes, expands monitoring capabilities, and integrates with other security tools. This scalability ensures that operational efficiencies gained are sustained over time and aligned with the organization’s evolving security requirements.

Security Validation Platforms Support Continuous Threat Management

Today’s new generation of AI-powered security validation platforms stands at the forefront of proactive security measures, offering a dynamic and continuous cycle of testing, validation, prioritization, and resolution of vulnerabilities and exposures.

At the heart of AI-powered security validation is automated penetration testing. By thoroughly scanning an organization’s network to identify and exploit vulnerabilities, it mimics the tactics of actual cyber attackers. Adeptly uncovering threats, such as software flaws, unauthorized command executions, credential exposure, distributed denial of service attacks, sensitive data leakage, and database intrusions, it provides tangible proof of attack consequences and executes automated remediation. The result is a set of risk assessment reports that are both prioritized and accurate – with zero false positives.

Comprehensive reporting can include intricate details such as the attack structure, the specific pathways taken, the exposed surfaces, and the particulars of the vulnerabilities and risks involved, with actionable solutions for each identified issue. These platforms can also shed light on the mechanics of the attack, providing insights into the payloads used, exploit codes, and snapshots of the attack in progress.

Beyond mere detection, cybersecurity risk management and governance are elevated to new heights, empowering organizations to bolster their defenses and resilience by supplying critical data and guidance on cybersecurity risk management, strategic planning, and governance. This can include detailed information on each vulnerability and risk, such as the Common Vulnerability Scoring System (CVSS) score, severity ranking, descriptions, and references.

AI-powered security validation can go further by suggesting specific remediation strategies, whether patching, updating, reconfiguring, or encrypting, to address and mitigate each identified risk. Insights can be provided into the network’s security policies, rules, and configurations and how to enhance them using state-of-the-art reinforcement learning techniques and sophisticated algorithms.

Shielding Organizations from CVEs

A continuous threat management security framework helps organizations protect themselves from CVEs that cybercriminals can exploit. By deploying technology such as security validation with automated penetration testing, they can significantly improve operational efficiencies, collaboration, and compliance by using threat intelligence, vulnerability assessment, automated patch management, and incident detection and response. Their security posture is strengthened by identifying, prioritizing, and remediating CVEs across the organization’s digital systems.

About the author

Lydia Zhang is the President and Co-founder of Ridge Security. She holds an impressive entrepreneurial-focused resume that includes 20 years of leadership roles in network and cyber security. Lydia leads a Silicon Valley cybersecurity startup that develops automated penetration testing with the goal of delivering innovative security technologies to all. Prior to founding Ridge Security, Zhang held Senior Vice President and Product Management roles at Hillstone Networks and Cisco Systems. She holds a double Master’s, MA, and MS from USC and a degree from Tsinghua University in Biomedical Engineering.

The post Continuous Threat Management’s Strong, Proactive Protection Against CVEs appeared first on Cybersecurity Insiders.

[By Christoph Nagy, SecurityBridge]

In the high-stakes world of cybersecurity, even a tiny miscue can lead to giant consequences. Human error, whether it be something as small as a misplaced password or a misconfigured Amazon S3 Bucket, can compromise the data of millions of customers—and incur many millions more in fines and penalties after a successful attack takes place.

As new threats evolve, companies must concentrate on reducing attack surfaces and not leaving doors open to give bad actors easy wins. There are no small mistakes—every mistake in cybersecurity is potentially catastrophic.

Several oversights that have quietly grown into some of the most significant cybersecurity missteps can be found within SAP software configurations and include underestimating security risks, being overconfident that native SAP security is good enough, and assuming prior patches are all that is needed to harden the system well into the future. These seemingly small oversights often promote significant cybersecurity gaps.

A False Sense of Security

Despite SAP software housing some of the most sensitive company data imaginable (most notably customer and financial data), SAP-specific cybersecurity is a lower priority at an alarming percentage of organizations.

The fact is SAP dramatically increases the attack surface a company must safeguard—it follows, then, that additional security measures should be applied. Mistakenly, organizations believe that out-of-the-box SAP security is good enough, redirecting the vast majority of the cybersecurity budget to other systems.

That disconnect between where the most risk is and where security resources are deployed is an enormous hole in a company’s defense; hackers are penetrating networks at lightning speed and quickly finding the easy-entry security holes. If companies ignore that they are exposing their enormous SAP data trove, it’s only a matter of time before a breach happens.

The Biggest Mistake

To close these security gaps, companies must consider SAP as core to every cybersecurity initiative. Unfortunately, when organizations regularly install patches to keep their software landscape current, they often push off many SAP patches to be handled later. In other words, SAP cybersecurity is considered last among other core IT operations.

This is a mistake that can cost companies dearly. Any IT system could be attacked from the very second it’s activated. If patches or security updates don’t happen until a later date, that interim is putting the systems at a much higher risk. Given the number of trouble tickets at most organizations, it’s not unusual for security updates that aren’t considered a priority to languish on the “to-do” list for a long time. And when such an essential data source, like an SAP system, goes improperly guarded for that long, it’s only a matter of time before a hacker discovers this weakness.

How to Avoid That Mistake

Simply put, SAP cybersecurity needs to be established as an ongoing process across all IT departments and be well-staffed. Sure, every department head loves to argue that they could use more staffing, but remember that SAP cybersecurity is often at the core of many companies. During an attack, nearly everything shuts down, and business is ceased as all focus goes into stopping the intruders and assessing the damage. Suppose you aren’t putting the people and the funding into SAP cybersecurity. In that case, it doesn’t matter how much you pour into the other parts of the company—it all grinds to a halt if there aren’t intelligent people with security tools capable of keeping up with cybercriminals.

Conclusion

Cybersecurity is not solely infrastructure security; complex business applications like SAP that run on top of the infrastructure bring vulnerabilities to the IT risk scenario. Even though those systems are often valuable targets for cybercriminals, thanks to the sensitive nature of their data, many organizations don’t adequately work security for these platforms into their processes. As previously mentioned, SAP’s out-of-the-box security does not provide adequate protection. SAP system landscapes have their own architecture, which requires unique solutions and tactics to protect them.

Organizations aware of the potential SAP risk can find a fix through third-party solutions that can utilize automation, establish baselines, and harden the framework to shrink attack surfaces—rather than performing much of this work manually.

About the author:
Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge–a global SAP security provider, serving many of the world’s leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings, and detection of cyber-attacks in real-time. Prior to SecurityBridge, Nagy applied his skills as a SAP technology consultant at Adidas and Audi.

The post The Biggest SAP Cybersecurity Mistake Businesses Make—And How To Prevent It appeared first on Cybersecurity Insiders.

[By Mike Walters, President and co-founder of Action1]

Two years have passed since the cybersecurity world was rocked by the discovery of Log4Shell, a critical vulnerability in the Log4j library. First discovered on December 9, 2021, this legendary flaw exposed hundreds of thousands of systems to potential attacks. Jen Easterly, head of the Cybersecurity and Infrastructure Security Agency (CISA), called it “the most serious flaw” she has seen in her decades-long career. Since Log4Shell emerged, bad actors have been spreading various payloads through this vulnerability, including coin miners, botnets, and malware that helped them establish backdoors and carry out other illegal activities. The most notorious threats that have used Log4Shell are Dridex and Conti.

Even today, Log4Shell remains a haunting presence in the digital realm, demanding attention of cybersecurity professionals. As we approach the second anniversary of Log4Shell, let’s delve into the ongoing dangers it poses, the measures organizations should take to protect themselves, and the broader question of whether vulnerabilities in common libraries will continue to rise.

Understanding Log4Shell and Its Enduring Impact

Log4j, a logging library fundamental to Java-based applications, had been prone to the Log4Shell vulnerability for decades before its official discovery. With Java being widely used on billions of systems, including IoT devices and critical infrastructure, the vulnerability’s reach is extensive. Log4Shell exploits Log4j’s ability to resolve JNDI lookups, for instance against LDAP servers, without proper validation, granting attackers the ability to execute arbitrary Java code or access sensitive information.

This vulnerability, assigned a critical score of 10 and tagged as CVE-2021-44228, affected major companies like Microsoft, Amazon, and IBM. As we enter 2023, its effects linger. The Cybersecurity and Infrastructure Security Agency (CISA) has recently warned organizations that threat actors are still frequently using the Log4Shell exploit in their attacks due to its ease of discovery through vulnerability scanning and open-source research. The agency advises organizations to prioritize patching Log4Shell in their environments.

The 2023 Arctic Wolf Labs research found that Log4j was among four of the top five external software exploits utilized by threat actors in 2022. According to Tenable, 72% of organizations remained vulnerable to Log4Shell in October 2022. It is reasonable to assume that this percentage has not fallen much since then.

Why Log4Shell Persists as a Threat

The Log4Shell vulnerability presents a unique set of challenges in its detection and remediation. Despite the availability of the patch that is easy to install, identifying every system vulnerable to Log4Shell within complex infrastructures remains a formidable task. This difficulty arises from the extensive use of the Log4j library by enterprises across a wide range of infrastructures and applications, both directly and through third-party integrations.

Within this landscape, there exists a multitude of vulnerable software titles, numbering in the hundreds. Some of this software has regrettably been forgotten over time, slipping under the radar of traditional vulnerability management solutions. Even custom, homebrew software often relies on the Log4j library, further complicating the detection process.

Crucially, the task of detection should not be entrusted solely to the software itself. Instead, a more effective approach involves direct examination of the library files, specifically the lib and jar files, by third-party solutions. This shift in focus addresses the challenge of identifying Log4Shell in the software that may not be readily apparent through standard software-level scans.

Despite concerted efforts over the past two years to mitigate the risks associated with Log4Shell, significant gaps persist in our defenses. It is incumbent upon software companies to play a pivotal role in enforcing the security-by-design approach.

Firstly, software companies should take proactive steps by implementing specific scripted detections. Using languages such as PowerShell or Python, they can develop detection mechanisms tailored to their own software utilizing the Log4j library.

Secondly, software companies must adopt a compositional analysis approach during vulnerability scanning. This advanced technique enables them to go beyond merely identifying the software itself and its version. It extends to detecting the libraries used by the software, providing a comprehensive view of the potential vulnerabilities. While some vulnerability management (VM) software currently possesses this capability, not all solutions are equipped for this level of analysis.
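As an added illustration of the two points above (scripted detection, and looking inside the archives rather than trusting the software's own version string), the following Python script, which is not code from the original article or from Action1, opens each jar, war or ear archive, recurses into nested jars, and reports every log4j-core copy that still ships JndiLookup.class together with whether its version predates 2.15.0, the first release fixed for CVE-2021-44228. It assumes the archives sit on a local filesystem and carry the standard Maven pom.properties; the sample jar it scans is constructed inside the script.

```python
"""Locate log4j-core inside jar/war/ear archives (including nested jars) and
report whether the bundled version predates the CVE-2021-44228 fix.

Added illustration for this article; not code from the original post or from
Action1. Assumes: archives on a local directory tree, and that log4j-core's
Maven pom.properties is present (it is in the official builds)."""
import io
import os
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIXED_VERSION = (2, 15, 0)  # first log4j-core release patched for CVE-2021-44228


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.0-beta9'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def scan_jar_bytes(data, name, depth=0, max_depth=5):
    """Return a list of findings for one archive held in memory.

    Each finding is a dict: path ('!' separates nested archives), version
    string or None, and vulnerable (True when JndiLookup.class is present and
    the version is below 2.15.0 or could not be determined)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container: nothing to inspect
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            version = None
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            parsed = parse_version(version) if version else None
            # An unknown version is reported as vulnerable so it gets checked by hand.
            vulnerable = parsed is None or parsed < FIXED_VERSION
            findings.append({"path": name, "version": version, "vulnerable": vulnerable})
        if depth < max_depth:
            # Fat/uber jars and WAR files embed further jars; recurse into them.
            for member in names:
                if member.lower().endswith(ARCHIVE_EXT):
                    findings.extend(scan_jar_bytes(zf.read(member), name + "!" + member,
                                                   depth + 1, max_depth))
    return findings


def scan_tree(root):
    """Walk a directory and scan every archive found; returns all findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    findings.extend(scan_jar_bytes(fh.read(), full))
    return findings


def build_sample_jar(version, wrap_in_war=False):
    """Constructed sample: a minimal log4j-core-like jar, optionally nested in
    a WAR. Only the two members the scanner inspects are included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\nversion=%s\n" % version)
    if not wrap_in_war:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-%s.jar" % version, buf.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    # Demo on the constructed WAR; for a real host call scan_tree("/opt") or similar.
    for finding in scan_jar_bytes(build_sample_jar("2.14.1", wrap_in_war=True), "app.war"):
        print(finding)
```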

The Future of Library Vulnerabilities

In September of this year, a vulnerability (CVE-2023-4863) emerged in libwebp, a library used for handling WebP bitmap images. Though not identical, it drew comparisons to Log4Shell.

First, similar to Log4j’s role in Java-based applications, libwebp is indispensable for displaying WebP-formatted images. Its widespread use elevates the risk, potentially affecting a vast array of software. Second, both vulnerabilities earned a critical severity rating of 10.0 on the CVSS scale.

Just as Log4j allowed remote code execution, libwebp’s flaw permits maliciously crafted files to breach expected boundaries, leading to unauthorized access, data leaks, and malicious activity.

In both cases, initial assessments underestimated the extent of the vulnerabilities. Libwebp’s impact initially seemed confined to Google Chrome but extended further. Similarly, Log4Shell was initially associated with web services but later revealed its reach across multiple software types. Notably, both vulnerabilities were quickly exploited by threat actors after disclosure.

The parallel between the libwebp incident and Log4j/Log4Shell suggests a potential trend in the proliferation of vulnerabilities in common libraries.

Conclusion: The Path Forward

To rid ourselves of vulnerabilities like Log4Shell in the future, a security-by-design strategy is paramount. Software vendors should regularly update all libraries used in their software. Software consumers must remain vigilant, conducting regular vulnerability scans on internet-facing hosts, fixing vulnerabilities, conducting regular penetration tests, and having a proper Web Application Firewall (WAF) in place.

As we approach the second anniversary of Log4Shell’s discovery, its enduring presence serves as a stark reminder of the ever-evolving cybersecurity landscape. By learning from the lessons it presents, we can better prepare for the challenges of tomorrow and secure our digital environments against the next Log4Shell.

The post Log4Shell: A Persistent Threat to Cybersecurity – Two Years On appeared first on Cybersecurity Insiders.

By Joao Correia

The persistent neglect of patching legacy systems has long affected critical infrastructure as well as nearly all major industries. At a time when the cyberthreat environment is teeming with new malware variants, cybercriminal groups and data-hungry hackers, the consequences of failing to properly and consistently patch vulnerabilities has often become detrimental to organizations and has forced many to face costly security breaches, increased compliance risks, and experience expansive operational inefficiencies. And unfortunately, the avoidance of proper patch management is deeply rooted in a fear of change and the overwhelming complexities that outdated software brings into the process.

The Challenge of Legacy Systems

A legacy system is any outdated computer system, hardware or software that is still in use but no longer supported by the original vendor. These systems remain in operation for a variety of reasons, the biggest being that the cost of replacing a system of that magnitude is a financial burden and stands as an extensive and time consuming migration task. Banks and other financial institutions are a prime example of this – but by no means the only – where old systems are kept running because those systems are resilient and replacing them would incur considerable operational and financial risk. Additionally, most legacy systems still in operation today are single-handedly supporting core company operations – and the benefits of keeping things as is outweigh the risky and time-consuming process of reconfiguration.

However, it is not a secret to anyone that using outdated systems presents a variety of challenges for cybersecurity professionals. From increased security risks when they no longer receive updates, to roadblocks when trying to pass compliance audits, the use of legacy systems can bring headaches for sysadmins everywhere. Because of this, legacy systems become a treasure trove for malicious actors and a prime target for repeated attacks. Hackers know that outdated technology lacks the threat intelligence tools needed to provide instant detection and prevention capabilities for discovered vulnerabilities. These open-door vulnerabilities then go unpatched for long periods of time and ultimately create the perfect cover for cybercriminals to enter and repeatedly exploit on a large scale.

Prioritizing Critical Systems

Aging technology combined with a failure to patch is a recipe for disaster, so properly addressing the neglect of legacy system patching requires a proactive approach. The first step is to prioritize critical systems. Identify which legacy systems are mission-critical or contain sensitive data and require immediate attention. Next, conduct a thorough risk assessment to understand the potential consequences of a security breach involving your legacy systems. By continuously enforcing vulnerability scanning and threat monitoring, IT teams can better understand risk and determine the urgency of patching.

Newer technologies like automated patching software can help legacy sysadmins seamlessly step up their security posture. For organizations of any size, manually patching vulnerabilities can appear to be a time-consuming and difficult task, especially if the network contains a mix of different software and applications that need ongoing updates. The downtime and maintenance windows required are even longer than normal, and trying to manually squeeze in time for patch management can cost an organization significant time and money.

Enhancing Patch Management Efficiency Through Automation

Patch management has always been viewed as a disruptive yet necessary process. But striking the right balance between a labor-intensive task or accepting elevated risk has been a conundrum for many security teams and Managed Security Service Providers (MSSPs). Managing patches effectively is crucial in maintaining the security and integrity of systems, but it often requires substantial time and effort to implement patches across a network, making it a challenging task for organizations to navigate.

However, with advancements in automation and more streamlined patch deployment methods, finding a solution that minimizes disruption while reducing risk is becoming increasingly attainable. Live patching streamlines the process for overworked security teams significantly. It intercepts and alters code at runtime, without interrupting or modifying the system’s regular operations. As a result, security teams can confidently ensure that patches are automatically applied to running software systems without disrupting their functionality.

Opting to safeguard legacy systems through a live patching approach is proactive in addressing vulnerabilities as soon as patches become available. This significantly reduces the window of opportunity for attackers, minimizing the risk of successful exploitation. Applying live patches also minimizes the risk of system crashes, network failures and extended downtime that result from ignored vulnerabilities. Not only does this quickly close exploitable gaps, but it also ensures smooth operations and increased customer confidence. Lastly, the process of live patching eliminates the need for scheduled maintenance windows in which a system gets rebooted or serviced. Rolling reboots and restarts can be risky to a business, especially if daily operations are forced to shut down temporarily.

Legacy systems can be your best ally or biggest security risk. But by properly and proactively maintaining a regular patch management routine, outdated technology can continue to operate as a valuable asset.

Joao Correia currently serves as a technical evangelist at TuxCare (www.tuxcare.com).

The post Addressing Legacy System Patching Neglect appeared first on Cybersecurity Insiders.

News is breaking about a software supply chain attack on the 3CX voice and video conferencing software. 3CX, the company behind 3CXDesktopApp, states to have more than 600,000 customers and 12 million users in 190 countries. Notable names include American Express, BMW, Honda, Ikea, Pepsi, and Toyota.

Experts believe the supply chain attack targets downstream customers by distributing a digitally signed but modified build of the popular phone and video conferencing software, with the malicious code loaded through sideloading.

Known Details

Cybersecurity vendors have identified an active supply chain attack on the 3CX Desktop App, a voice and video conferencing software used by millions. SentinelOne researchers are tracking the malicious activity under the name SmoothOperator, which began as early as February 2022, with the attack possibly commencing around March 22, 2023.

The trojanized 3CX desktop app serves as the first stage of a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub, ultimately leading to a third-stage infostealer DLL. The attack affects the Windows Electron client (versions 18.12.407 and 18.12.416) and macOS versions of the PBX phone system.

The final payload is an information stealer capable of gathering system information and sensitive data stored in Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers. The macOS sample carries a valid signature and is notarized by Apple, allowing it to run without the operating system blocking it.
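Added example for the ICO stage described above (not code from the original post or from any vendor it cites): a Python check that parses the ICO directory, computes where the last embedded image ends, and flags files that carry extra bytes beyond that point, with a secondary test for whether the tail decodes as Base64. It assumes the public ICO layout (6-byte header, 16-byte directory entries); the sample icon and the appended blob are constructed inside the script.

```python
"""Flag .ico files that carry data past the end of their icon images, the
trick the 3CX chain reportedly used to smuggle Base64-encoded stages.

Added illustration for this article, not code from the original post or any
vendor it names. Assumes the public ICO layout: a 6-byte ICONDIR header
followed by 16-byte ICONDIRENTRY records; sample icon and payload are constructed."""
import base64
import re
import struct

ICONDIR = struct.Struct("<HHH")            # reserved, type (1 = icon, 2 = cursor), count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colors, reserved, planes, bpp, size, offset
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

# Constructed stand-in for an appended blob (120 Base64 characters).
SAMPLE_B64 = base64.b64encode(b"constructed stage placeholder " * 3)


def inspect_ico(data):
    """Return a dict describing any trailing data after the last icon image.

    Keys: valid (parsed as ICO), image_end (offset where the images end),
    trailing (number of bytes after that), base64_like (tail decodes as Base64)."""
    result = {"valid": False, "image_end": None, "trailing": 0, "base64_like": False}
    if len(data) < ICONDIR.size:
        return result
    reserved, icotype, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or icotype not in (1, 2) or count == 0:
        return result
    dir_end = ICONDIR.size + count * ICONDIRENTRY.size
    if len(data) < dir_end:
        return result
    image_end = dir_end
    for i in range(count):
        entry = ICONDIRENTRY.unpack_from(data, ICONDIR.size + i * ICONDIRENTRY.size)
        size, offset = entry[6], entry[7]
        if offset < dir_end or offset + size > len(data):
            return result  # malformed directory: image lies outside the file
        image_end = max(image_end, offset + size)
    trailing = data[image_end:]
    result.update(valid=True, image_end=image_end, trailing=len(trailing))
    # Appended stages tend to be one long Base64 run; a short tail is ignored.
    stripped = trailing.strip()
    if len(stripped) >= 16 and BASE64_RE.match(stripped):
        try:
            base64.b64decode(stripped, validate=True)
            result["base64_like"] = True
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return result


def build_sample_ico(appended=b""):
    """Constructed sample: one 1x1 icon whose image bytes are a placeholder,
    optionally followed by appended data so the detector has something to find."""
    image = b"\x89PNG-placeholder-image-bytes"
    header = ICONDIR.pack(0, 1, 1)
    offset = ICONDIR.size + ICONDIRENTRY.size
    entry = ICONDIRENTRY.pack(1, 1, 0, 0, 1, 32, len(image), offset)
    return header + entry + image + appended


if __name__ == "__main__":
    # On a real host, read each .ico from disk and pass its bytes to inspect_ico().
    print(inspect_ico(build_sample_ico()))
    print(inspect_ico(build_sample_ico(SAMPLE_B64)))
```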

Huntress reported 242,519 publicly exposed 3CX phone management systems. Symantec said the information gathered could allow attackers to gauge if the victim was a candidate for further compromise. CrowdStrike attributed the attack with high confidence to North Korean nation-state actor Labyrinth Chollima (aka Nickel Academy), a sub-cluster within the Lazarus Group.

3CX CEO Nick Galea stated the company is working on a new build and advises customers to uninstall the app and reinstall it or use the PWA client as a workaround. The Android and iOS versions are not affected.

3CX is urgently working to release a software update in response to the SmoothOperator supply chain attack that targets millions of users. The affected 3CX Desktop App is popular for voice and video conferencing, with over 600,000 customers and 12 million users worldwide, including American Express, BMW, Honda, Ikea, Pepsi, and Toyota.

The attack exploits the DLL side-loading technique, and telemetry data reveals the attacks are limited to Windows Electron (versions 18.12.407 and 18.12.416) and macOS versions of the PBX phone system. The GitHub repository hosting the malicious files has been taken down.

The final payload can steal sensitive data from popular browsers, including Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox. CrowdStrike has attributed the attack to a North Korean nation-state actor known as Labyrinth Chollima, a sub-cluster within the Lazarus Group.

As a temporary solution, 3CX has urged customers to uninstall and reinstall the affected app or use the PWA client while the company works on a new build. Android and iOS versions remain unaffected. Further updates on the situation will be provided as new information emerges.

Expert Comments

Tyler Farrar, CISO, Exabeam

“Any adversary, regardless of whether it is a novice or the work of nation-state actors like the Lazarus Group, is going to go for the path of least resistance to meet their end goal. Weaknesses in the supply chain are one of the simplest, yet most successful, ways to do that. In the case of 3CX, the threat actors were likely not going after the company itself, but the data from its 12 million global customers. Rather than attempt to attack each of the customers individually, the adversaries figured it would be easier to break through 3CX — and they were correct.

Unfortunately, attacks like these are going to become more and more common and I anticipate software supply chain attacks to be the No.1 threat vector of 2023. As a result, I encourage organizations to create a thorough vendor risk management plan to vet third parties and require accountability to remain vigilant, and potentially stop devastating consequences when third-parties are compromised.”

Anand Reservatti, CTO and co-founder, Lineaje

“The 3CX VOIP ‘Trojanizing’ the software supply chain attack is the latest proof point of why companies need to know ‘what’s in their software?’

Companies are still suffering from the fallout of SolarWinds, and now another software supply chain attack is playing out and putting millions of software producers and consumers at risk. The 3CX CEO today asked customers to uninstall the application, but those who might have missed the notification or who don’t know what’s in their software bill of materials (SBOM) risk destroying their brand and business.

It is critical to understand that not all software is created equal. The 3CX attack was caused when the Electron Windows App got compromised due to an upstream library. It is clear that 3CX has not deployed any tools to accurately discover and manage their software supply chain. So, in order to protect the software supply chain you have to shift to the “left of the shift-left mentality.” Because the software itself is malicious and not straight malware, vulnerability and malware scans fall short as well.

This type of attack is particularly challenging for technologies such as vulnerability and malware scans or CI/CD to detect. You need a solution that can do the following:

1) Discover software components and create an entire genealogy, including all transitive dependencies

2) Establish integrity throughout the supply chain without relying on any external tooling and their assertion

3) Evaluate inherent risk by examining each component of the software

4) Remediate inherent risks strategically in order to address the most critical components based on the genealogy

Knowing what’s in your software comes only by knowing what’s in your software supply chain. It’s why it is critical to work with solutions that can attest to the integrity of your software supply chain of all software built and bought. With more details surfacing including possible ties to a nation-state hacking group, it is essential for software producers and consumers to be able to attest to what exactly is in their software to prevent devastating consequences.”

Kayla Underkoffler, Lead Security Technologist, HackerOne

“Cybersecurity professionals already face an uphill battle as defenders; our 2022 Attack Resistance Report found that about one-third of respondents monitor less than 75% of their attack surface, and almost 20% believe that over half of their attack surface is unknown or not observable. The complexity of attack surface monitoring compounds as attackers take the fight to a more granular level by targeting supply chain vulnerabilities.

And unfortunately, that’s exactly what we’re seeing. Malicious actors now strive to embed themselves more deeply within the enterprise tech stack because cybercriminals understand the potential impact of accessing the most sensitive areas of an organization’s network. This can be done through critical dependencies within the software supply chain or a seemingly unchecked corner of the environment.

That’s why it’s critical organizations understand what’s in their environment and how that software interacts with their critical business processes. It’s no longer enough to just document components and dependencies once in the development lifecycle and be done. Today, organizations must proactively consider new solutions to prevent attacks.

Examples of tools in use today for active monitoring of software include IBM’s recently developed SBOM Utility and License Scanner: two open-source tools that facilitate and standardize SBOM policies for organizations. These help build a living, breathing inventory of what’s in use in an organization’s current environment so organizations can respond quickly to software supply chain disruptions. Ethical hackers are also proven to be creative resources, skilled at identifying open source and software supply chain vulnerabilities, as well as undiscovered assets that may impact an organization’s software supply chain.”

The post 3CX Desktop App Supply Chain Attack Targets Millions – Known Facts and First Expert Comments appeared first on Cybersecurity Insiders.

If you’re in any software sector, you’re dealing with bugs. And since each patch is itself a piece of software, another place for bugs to hide, you need patch management.

Whether you’re maintaining an e-commerce site or a Salesforce CRM integration, you have businesses relying on your software to serve their customers. You need to stay as close to 100% reliability as possible, and patch management is the way to stay there.

With the cost of fixing those bugs being 10x higher after release than in testing, it’s crucial to use patch management to catch them early. This article will cover patch management and how you can set up a successful patch management process for your company.

What is patch management?

Software gets more complex every year. With the rise of AI, more of the action happens in “black boxes” we can’t examine. As web3 – the blockchain-based internet – becomes more important, money moves around in “unstoppable” code like smart contracts. All this software is inherently flawed, and hackers can exploit those flaws.

Patches are software updates sent out from the developer to users. Where an “update” might add anything from a new setting to a suite of new features, a “patch” is an update focused on fixing glitches and security issues.

Why don’t all companies do this?

Companies might fail to manage patches because of a lack of resources, such as qualified IT staff who aren’t already putting out fires all day.

They might resort to only patching the most critical issues and, even then, not doing formal change-management work. And if that patch causes problems in testing, it might get delayed until the IT staff have time to figure it out.

In an older organization, especially in government, there might be a legacy system that can’t be updated. In this case, a proper fix would require replacing huge chunks of infrastructure, so the team might just try to isolate the old system as much as possible from potential threats.

It’s easy for companies to keep everyone on the latest version of Microsoft Word, and for that alone they may not need a formal patch management process. But if they included third-party plugins in their asset inventory, they’d find their situation is far more complicated and requires automated patch management tools.

Benefits of patch management

The benefit of patch management is that your software is more secure. By keeping your software up to date, you keep up in the arms race of a changing cybersecurity landscape. If hackers manage to compromise your software at all, it won’t be because of an old and well-known bug in one of your plugins. Patches that protect you and your customers could be anything from adding two-factor authentication (2FA) to using machine learning in fraud detection.

A good patch management system lets you combat bugs while staying productive. In a constantly changing supply chain, the best inventory management software is the one that gives businesses a steady stream of new features and upgrades. But in any industry, you can’t afford to spend much time on bug-squashing when you have an ambitious product roadmap.

If you rely on third-party plugins to run your business smoothly, patch management software can highlight old plugins or dependencies that aren’t being updated. You can work in confidence that you don’t have to check on many plugins and all their dependencies by hand every quarter.

The risks of not doing patch management

There are many risks in not doing patch management properly. If you’re running anything to do with an enterprise hybrid cloud, your whole brand relies on the assurance that you can keep businesses’ data secure.

There are also plenty of direct financial consequences. Not only will a cybersecurity breach cost you business, but you might also be fined by one or several regional authorities for failing to protect user data. In light of that, the upfront cost of a patch management system is more than worth the investment.

A strategy for patch management

Patch management can seem daunting, but approaching it with a good strategy will ensure everything goes right the first time.

Patch governance

Patch management for cybersecurity is about managing risk. Since no software is bug-free and you can never be 100% safe, it’s about prioritizing which risks you are willing to tolerate.

In an ideal world, you’d patch every possible issue as soon as possible. But with limited time and resources, much of which will be spent on testing, you have to have a protocol for giving issues different threat levels.

You can assign issues to different categories with varying timelines for patching. Critical issues could be patched within 24-72 hours, while less urgent issues could get a 7-, 14- or 30-day timeline. It depends on what your company does and how the specific issue would affect your customers and your brand if it were exploited.

Since issues might be tricky to fix correctly – maybe the problem is in a third-party plugin – you should go into each patch with a backup plan. If you’re using an open-source plugin and your fix isn’t accepted upstream by the deadline, you should have a plan to switch to another provider or issue a temporary mitigation that at least lowers the risk.

The threat-level protocol and the processes for testing and applying patches should be documented and specified in one place. This lets the whole team work quickly and independently, which is critical in cybersecurity.

Change management

Part of good patch management is change management, so that all stakeholders affected by patches are informed about what’s happening before it happens.

That way, internal teams aren’t hit by patches that break things unexpectedly. If they can read patch notes ahead of time, they can raise concerns about stability or compatibility with the tools they need for their work.

Problems like this can be mitigated with a staggered rollout, where different parts of the network are patched at different times. If a patch is urgently needed, it can be agreed in advance that it may be applied immediately and then flagged for review by the affected teams afterwards. A patch management plan should cover the protocol for that and what happens next.

Patch rollout

Once you’ve satisfied all the requirements of your governance and change management processes, including testing, you’re ready to roll out your patch.

Manually rolling out a patch is acceptable for small teams, but you need automatic updates at scale. Not only does this save IT teams time, but it also frees them up to address any issues that come up while the patch is rolling out across systems.

Automated patch management doesn’t just speed the process up; it also collects detailed analytics on how the patch spreads throughout the system.

This means the team can quickly spot if some piece of hardware, like a server, isn’t responding to the update. It could be an issue with that specific machine, or it could point to a more widespread problem affecting other machines. It also enables the team to track KPIs like the percentage of installations that worked perfectly, or the “mean time to remediate” (MTTR), which measures the time from spotting an issue to fixing it.
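As an added illustration (not code from the article), the following Go program turns the severity tiers from the patch governance section and the KPIs described above into a small compliance report: each finding gets a deadline from its severity, SLA breaches are flagged (open and overdue, or closed late), and the install success rate and mean time to remediate are computed from the rollout counts. The findings, dates and the exact hours assigned to each tier are constructed assumptions, not a standard.

```go
package main

import (
	"fmt"
	"time"
)

// Patch deadline per severity tier, following the 24-72 hour and 7/14/30-day
// timelines sketched above. The exact mapping is an assumed policy, not a standard.
var slaHours = map[string]int{"critical": 72, "high": 7 * 24, "medium": 14 * 24, "low": 30 * 24}

// Finding is one tracked issue. PatchedAt stays zero while the issue is open;
// Installs and Succeeded are the rollout counts reported back by the patch tool.
type Finding struct {
	ID        string
	Severity  string
	Detected  time.Time
	PatchedAt time.Time
	Installs  int
	Succeeded int
}

// Deadline is the time by which the finding must be patched. An unrecognised
// severity is escalated to the critical tier rather than quietly given 30 days.
func Deadline(f Finding) time.Time {
	h, ok := slaHours[f.Severity]
	if !ok {
		h = slaHours["critical"]
	}
	return f.Detected.Add(time.Duration(h) * time.Hour)
}

// Breached is true when the finding is still open past its deadline at time now,
// or was closed after the deadline.
func Breached(f Finding, now time.Time) bool {
	if f.PatchedAt.IsZero() {
		return now.After(Deadline(f))
	}
	return f.PatchedAt.After(Deadline(f))
}

// BreachedIDs lists every SLA breach in input order.
func BreachedIDs(fs []Finding, now time.Time) []string {
	var out []string
	for _, f := range fs {
		if Breached(f, now) {
			out = append(out, f.ID)
		}
	}
	return out
}

// MTTR is the mean time from detection to patch over the closed findings.
func MTTR(fs []Finding) time.Duration {
	var total time.Duration
	n := 0
	for _, f := range fs {
		if !f.PatchedAt.IsZero() {
			total += f.PatchedAt.Sub(f.Detected)
			n++
		}
	}
	if n == 0 {
		return 0
	}
	return total / time.Duration(n)
}

// SuccessRate is the fraction of attempted installs that reported success.
func SuccessRate(fs []Finding) float64 {
	attempts, ok := 0, 0
	for _, f := range fs {
		attempts += f.Installs
		ok += f.Succeeded
	}
	if attempts == 0 {
		return 0
	}
	return float64(ok) / float64(attempts)
}

var ReportTime = time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC) // constructed "now" for the sample

// Sample returns constructed findings: one closed on time, one closed late,
// one open and still within its window, one open and overdue.
func Sample() []Finding {
	d := func(m time.Month, day, hour int) time.Time { return time.Date(2024, m, day, hour, 0, 0, 0, time.UTC) }
	return []Finding{
		{ID: "VULN-1", Severity: "critical", Detected: d(1, 1, 0), PatchedAt: d(1, 2, 12), Installs: 100, Succeeded: 95},
		{ID: "VULN-2", Severity: "high", Detected: d(1, 1, 0), PatchedAt: d(1, 10, 0), Installs: 100, Succeeded: 100},
		{ID: "VULN-3", Severity: "medium", Detected: d(1, 5, 0)},
		{ID: "VULN-4", Severity: "low", Detected: time.Date(2023, 11, 1, 0, 0, 0, 0, time.UTC)},
	}
}

func main() {
	fs := Sample()
	fmt.Println("SLA breaches:", BreachedIDs(fs, ReportTime))
	fmt.Printf("MTTR: %v, install success: %.1f%%\n", MTTR(fs), 100*SuccessRate(fs))
}
```

Two design choices are worth noting: a finding with an unknown severity falls into the strictest tier, so a mislabelled ticket cannot quietly earn itself a 30-day window, and a late close still counts as a breach, so the report shows SLA performance rather than just the current backlog.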

Best practices for patch management

A few best practices will ensure everything runs smoothly.

Automate away

Just as logistics companies can only grow with automated product matching to maintain their inventories, patch management at scale can only happen with automation. By reducing the manual sysadmin work your team has to do, you can focus on writing quality code and catching security issues.

Automating your patch management system is a massive gain if you work on a cloud platform like SageMaker with servers in different locations. Automation tools can gather the information you need on those servers as patches go out, allowing you to quickly diagnose any problems with individual computers.

Analyze the problems

It’s crucial to analyze the impact of your patches to figure out what issues to tackle first.

If your customers rely on your software for affiliate marketing tracking, a lot of very granular data is being processed through many moving parts. Many services are integrated, and the data must be carefully managed to make sense.

If your patches aren’t applied correctly, you could see issues with that data. And it doesn’t stop there. If your system is spread around different states or countries, you could find that different servers need to be patched sooner than others.

Additionally, good patch management ensures your software development work is aligned with business goals. While there might be plenty of issues your perfectionist coders are annoyed by, you have to focus their time on the fixes that will grow the business in the short term. Making a plan for what needs to be patched, and when, will help with this.

Update consistently

When cybercrime is on the rise, it’s important to patch your software regularly. Many apps publish updates monthly, getting all low-severity patches out at once. Keeping to a schedule ensures that patches are being worked on regularly.

Test everything

While sticking to a schedule is a good idea, you must test patches thoroughly before they go out. If more lines of code mean more bugs, then every patch has the potential to cause a new issue. Your patch for a low-severity issue could even introduce a critical-severity problem that poses a risk to your customers.

Testing patches at scale can only happen automatically, with a suite of automated unit tests to make sure your software’s critical functions all work as expected. You should also test your software on all the hardware your customers are running to avoid introducing new bugs.

Secure it with a Code Signing Certificate

Security should always be a very important factor when allowing your customers to download patches. You want to make sure they get the patch you released without any interference from malicious actors. If someone were able to perform a man-in-the-middle attack on your patching solution and cause your customers to download a malicious patch instead of yours, it could cause havoc for your customers and your business.

It is a good idea to sign your patches with a digital certificate, so that when a patch is downloaded, the signature can be verified before it is applied, to make sure it was indeed you who released it. This can be done with a code signing certificate, which is a small cost for the benefits it provides. We use them ourselves and highly recommend the team over at SSLTrust, which provides Code Signing Certificates at some great prices, along with a very helpful team. You can find their Code Signing Certificates here. It can be a good idea to buy a 2-3 year certificate if you’re active in your development and patches, so you can keep pushing them out without interruption.
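An added example, not code from the article or from SSLTrust, of what the check on the client side looks like: the vendor signs a manifest (build number plus the SHA-256 of the patch bytes) with an Ed25519 key from Go’s standard library, and the client refuses to apply anything whose bytes don’t match the manifest, whose signature doesn’t verify under the pinned vendor key, or whose build number isn’t newer than what is already installed. A code signing certificate ties that public key to the vendor’s identity through a CA; the example assumes the client pins the key directly, which is a simplification, and the patch payload is a constructed byte string.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest accompanies a patch download: the build number, the SHA-256 of the
// patch bytes, and the vendor's signature over both.
type Manifest struct {
	Build     uint64
	Digest    [32]byte
	Signature []byte
}

// signedBytes fixes the exact byte layout that is signed, so a build number and a
// digest from two different manifests cannot be re-paired without breaking the signature.
func signedBytes(build uint64, digest [32]byte) []byte {
	buf := make([]byte, 8, 8+len(digest))
	binary.BigEndian.PutUint64(buf, build)
	return append(buf, digest[:]...)
}

// Sign is the vendor side: hash the patch and sign (build || digest).
func Sign(priv ed25519.PrivateKey, build uint64, patch []byte) Manifest {
	d := sha256.Sum256(patch)
	return Manifest{Build: build, Digest: d, Signature: ed25519.Sign(priv, signedBytes(build, d))}
}

// Verify is the client side, run before anything is applied: the downloaded bytes
// must hash to the manifest digest, and the manifest must carry a valid signature
// from the pinned vendor key.
func Verify(pub ed25519.PublicKey, m Manifest, patch []byte) error {
	if sha256.Sum256(patch) != m.Digest {
		return errors.New("digest mismatch: downloaded bytes differ from the signed manifest")
	}
	if !ed25519.Verify(pub, signedBytes(m.Build, m.Digest), m.Signature) {
		return errors.New("signature invalid: manifest was not signed by the pinned vendor key")
	}
	return nil
}

// Accept adds the rollback check: a genuinely signed but older build is still
// rejected, so a previously released patch with a known flaw cannot be replayed.
func Accept(pub ed25519.PublicKey, m Manifest, patch []byte, installedBuild uint64) error {
	if err := Verify(pub, m, patch); err != nil {
		return err
	}
	if m.Build <= installedBuild {
		return fmt.Errorf("rollback rejected: build %d is not newer than installed build %d", m.Build, installedBuild)
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	patch := []byte("constructed patch payload, build 2") // constructed sample, not a real artifact
	m := Sign(priv, 2, patch)
	fmt.Println("genuine patch:", Accept(pub, m, patch, 1))
	tampered := append(append([]byte(nil), patch...), '!')
	fmt.Println("tampered bytes:", Accept(pub, m, tampered, 1))
	fmt.Println("replayed old build:", Accept(pub, m, patch, 2))
}
```

The order of the checks matters: the client verifies the manifest against the downloaded bytes before it trusts anything in the manifest, and the build-number comparison is covered by the signature, so an intermediary can neither substitute bytes nor present an old, genuinely signed patch as current.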

Make recovery plans

A lot can go wrong in software development, which is why version control is so important. Similarly, your patch management process should have a recovery plan if something goes wrong.

For a start, you should be backing up your servers regularly. This will protect you in the event of a power failure or a ransomware attack. In those cases, you can revert the whole server to its previous state and undo what’s happened. Just as with version control on GitHub, you can revert the state of your test or production servers if a patch causes a problem.

The patch management process

The patch management process can – and should – look different for every company’s needs. But in any case, there are a few steps that you’ll see followed everywhere.

1. Asset inventory

You can start building a patch management process by listing all the software you rely on right now. Before you choose the tools you’ll use to manage the whole process, you need to know every piece of software those tools will need to be compatible with.

Keeping a single list of all your software vendors will help you with patches, but it’s also necessary for keeping an eye on those vendors for security vulnerabilities and issues. Every third-party plugin you use adds that vendor’s entire attack surface to your own.

It will also make it easier to build a test network that mimics your actual “production” network. This lets you uncover issues with your patches that you would otherwise overlook until they were shipped.

2. Choosing tools

Then, choose the patch management tool that suits your software stack best. Now that you have a list of your vendors and can prioritize them based on security risk, you’re in a position to shop around for patch management tools.

This tool can listen for available patches for your software and help you decide which patches are necessary and which you should hold off on for security reasons. Then, at the push of a button, it can apply those patches across your systems and monitor for issues.

3. Setting policy

Once you have the tools, you need to establish policies for patch governance. This is important to ensure that best practices are followed consistently, especially across a big organization with IT teams in different offices.

The policy should specify how to use the tools, what should and should not be automated, appropriate timelines for patching, and the protocol for security issues. All of these processes should be documented, and you can create a pre-recorded webinar to explain the standard procedure that must be followed, including documenting the outcome of patches. This ensures mistakes aren’t repeated and that you can improve your patch management process over time.

The importance of patch management

Patch management is essential for cybersecurity. With hackers innovating all the time, companies need to stay on top of software updates. At scale, the only feasible way is with a robust, highly automated patch management process. It allows even a small IT team to monitor all the software a company uses and push priority changes out quickly and efficiently.

Bio:

Pohan Lin – Senior Web Marketing and Localizations Manager #1:

Pohan Lin is the Senior Web Marketing and Localizations Manager at Databricks. Databricks ML pipeline is a global AI provider connecting the features of data warehouses and data lakes to create lakehouse architecture. With over 18 years of experience in web marketing, online SaaS business, and ecommerce growth, Pohan is passionate about innovation and is dedicated to communicating the significant impact data has in marketing. Pohan Lin has also published articles for domains such as SME-News. Here is Pohan’s LinkedIn.

The post What You Need to Know About The Role of Patch Management For Cyber Security appeared first on Cybersecurity Insiders.

Organizations are always concerned with improving efficiencies to make business flow smoother. Some of the biggest inefficiencies in any business revolve around time wasted on operational tasks. Whether it is a stale accounting process, or something as trivial as routing phone calls to the proper department, saving time by improving a process can mean more profits, which […]

The post Improve your patching efficiency with Tripwire State Analyzer appeared first on The State of Security.