TCT is committed to helping you keep your organization secure and compliant. Every quarter, we publish compliance and security insights that you can share with your employees to fulfill periodic security reminder requirements your organization may be subject to.
As an added bonus, we’ve highlighted some developing security trends and featured a quick tip to get more out of your compliance management.
Get Proactive with Vulnerability Management
Vulnerability management is a proactive approach to addressing vulnerabilities and serves as your first line of defense. Many companies rely on detection mechanisms, such as vulnerability scanning and penetration testing, to drive their vulnerability management. But a scan or a pen test only reports a weakness once it is already present in your environment, which means you are always running behind.
Instead of relying only on a detection tool to tell you that you have a vulnerability, know about it before your detection mechanisms pick it up: keep an accurate record of what you run and watch what your vendors publish about it. Here's a brief overview of proactive vulnerability management.
The first thing to do is make sure that you’re including all of the hardware and software within your organization. Gather up-to-date versions of three things:
- Your inventory
- Your network diagram
- Your firewall rules
Those three inputs should all match each other, but occasionally someone will update one or two and forget the others. Resolve any discrepancies between them.
Once you have a solid inventory, keep it properly maintained. As you add or remove devices, update the inventory, the network diagram and the firewall rules together, as an integral part of your change control process. Then you know you're looking at a reliable inventory when you look for vulnerabilities in the environment.
The inventory should list all hardware in your environment, whether it's a physical firewall or switch or a virtual machine. It should also list all of your software: everything that runs on your servers, development boxes and workstations (physical or virtual), down to the operating systems and the firmware running on hardware. An advisory can only be matched against your environment if the product and version it names are recorded somewhere.
Most hardware and software vendors have product update feeds you can subscribe to. Confirm that you have a feed for every vendor supplying either hardware or software to your organization, and that it is routed to the internal team responsible for patching. If a feed isn't available, set up a manual process of checking that vendor's update site regularly, preferably weekly.
Assign someone to review the feeds on a regular basis (weekly is recommended) and determine whether each alert is pertinent to your environment, that is, whether you actually run the affected product at an affected version. Route pertinent alerts through change control to the team that will address them. The fix could be upgrading software or firmware, changing a setting, removing an insecure cipher and more.
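The steps above (reconcile the inventory, the network diagram and the firewall rules, then decide which vendor advisories are pertinent) can be scripted once the three inputs exist in machine-readable form. The following is an added example, not TCT's code or part of TCT Portal; the assets, diagram, rules and advisory entries are constructed for illustration, and the advisory IDs are hypothetical. It flags a host whose address differs between inventory and diagram, a firewall rule that still references a decommissioned host, and then opens a change ticket only for the advisory whose product and version actually match something in the inventory.

```python
"""Added example (not TCT's code): reconcile the three inventory inputs the
newsletter names (asset inventory, network diagram, firewall rules), then
triage vendor advisories against the reconciled inventory. Every record
below is constructed for illustration; advisory IDs are hypothetical."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    vendor: str
    product: str
    version: str


# Constructed asset inventory: hardware plus the software/firmware on it.
INVENTORY = [
    Asset("fw-edge-01", "10.0.0.1", "Fortinet", "FortiOS", "6.0.4"),
    Asset("web-01", "10.0.1.10", "Microsoft", "Windows Server", "10.0.17763"),
    Asset("db-01", "10.0.1.20", "PostgreSQL", "PostgreSQL", "13.4"),
]

# Constructed network diagram export (host -> IP). db-01 was re-addressed on
# the diagram but nobody updated the inventory.
DIAGRAM = {"fw-edge-01": "10.0.0.1", "web-01": "10.0.1.10", "db-01": "10.0.1.21"}

# Constructed firewall rules (source, destination, port). 10.0.1.30 was
# decommissioned but its rule was never removed.
FIREWALL_RULES = [
    ("0.0.0.0/0", "10.0.1.10", 443),
    ("10.0.1.10", "10.0.1.20", 5432),
    ("10.0.1.10", "10.0.1.30", 3306),
]

# Constructed entries as they would look after parsing a vendor update feed.
ADVISORIES = [
    {"id": "ADV-0001", "vendor": "Fortinet", "product": "FortiOS",
     "fixed_in": "6.0.5", "action": "upgrade firmware"},
    {"id": "ADV-0002", "vendor": "PostgreSQL", "product": "PostgreSQL",
     "fixed_in": "13.3", "action": "upgrade"},
    {"id": "ADV-0003", "vendor": "Cisco", "product": "IOS XE",
     "fixed_in": "17.3.4", "action": "upgrade"},
]


def reconcile(inventory, diagram, rules):
    """Return discrepancies between inventory, diagram and firewall rules."""
    findings = []
    by_name = {a.name: a for a in inventory}
    known_ips = {a.ip for a in inventory}
    for host, ip in diagram.items():
        if host not in by_name:
            findings.append(f"diagram host {host} is not in the inventory")
        elif by_name[host].ip != ip:
            findings.append(
                f"{host}: inventory says {by_name[host].ip}, diagram says {ip}")
    for host in sorted(by_name.keys() - diagram.keys()):
        findings.append(f"inventory asset {host} is not on the diagram")
    for src, dst, port in rules:
        for endpoint in (src, dst):
            net = ipaddress.ip_network(endpoint, strict=False)
            # Only single-host endpoints can be matched to an inventory row;
            # a 0.0.0.0/0 source is "anywhere", not an asset.
            if net.num_addresses == 1 and str(net.network_address) not in known_ips:
                findings.append(
                    f"rule {src} -> {dst}:{port} references unknown host {endpoint}")
    return findings


def parse_version(version):
    """'6.0.4' -> (6, 0, 4): compare numerically, so 6.0.10 > 6.0.9."""
    return tuple(int(part) for part in version.split("."))


def triage(inventory, advisories):
    """Return (advisory id, asset, action) for advisories pertinent to us.

    An advisory is pertinent only if we run that vendor's product at a
    version below the fixed one; everything else is noise for the team."""
    tickets = []
    for adv in advisories:
        for asset in inventory:
            if (asset.vendor, asset.product) != (adv["vendor"], adv["product"]):
                continue
            if parse_version(asset.version) < parse_version(adv["fixed_in"]):
                tickets.append((adv["id"], asset.name, adv["action"]))
    return tickets


if __name__ == "__main__":
    for finding in reconcile(INVENTORY, DIAGRAM, FIREWALL_RULES):
        print("DISCREPANCY:", finding)
    for ticket in triage(INVENTORY, ADVISORIES):
        print("CHANGE TICKET:", ticket)
```

Run as-is it reports two discrepancies (the db-01 address mismatch and the rule pointing at 10.0.1.30) and one change ticket (FortiOS 6.0.4 is below the fixed 6.0.5); the PostgreSQL advisory is already covered and the Cisco one does not apply to anything in the inventory. In practice the three inputs come from your CMDB export, the diagram tool's host list and the firewall's rule export, and the findings go into change control rather than to stdout.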
If you’re running systems for your clients such as a SaaS product, establish up front the fact that you will be doing patching on a specific cadence — for example, the first Friday of every month. Set a time that is least likely to interfere with your clients’ business. Send reminders to your clients a couple days ahead of each patch so they can plan for it, without any unpleasant surprises.
Quick Tip: Requirement Splitting Lets You Get Granular
TCT Portal’s requirement splitting function allows you to handle certain requirements in multiple ways. For example, PCI requires a network diagram for your hosting environment. If your organization is using several facilities, that means several diagrams.
Requirement splitting lets you divide the requirement into different tracking and workflow for each hosting environment. Assign the tasks and responsibilities for each environment to the appropriate people. Now you have a completely separate workflow and evidence repository for each environment, and you can track progress at a granular level.
When generating outbound reporting, the Portal combines everything together into one entry in the report, with custom labels.
What’s Going on in Security Today
Fortinet has confirmed that a malicious actor has disclosed VPN credentials associated with more than 87,000 FortiGate SSL-VPN devices. The credentials were harvested from devices that had not been patched against CVE-2018-13379 (a path traversal in the SSL-VPN web portal that exposes a session file containing plaintext credentials) at the time they were scanned. Patching alone does not undo the exposure: if the passwords on those devices have not been reset since, those user accounts should still be considered compromised.
Microsoft just had its September 14, 2021 "Patch Tuesday," fixing 66 different CVEs: 3 critical, 62 important and 1 moderate. One of the criticals is the Windows MSHTML zero-day, CVE-2021-40444, which Microsoft disclosed at the beginning of September after it was found being exploited in the wild through malicious Office documents. Step-by-step exploit guides were circulating publicly before the fix shipped, so expect wide use of this bug. The 9/14/2021 patch is delivered through Windows Update.
Apple has announced and released an emergency fix for FORCEDENTRY, the zero-click zero-day (CVE-2021-30860) that NSO Group has been using to install its Pegasus spyware. The flaw is in Apple's image rendering code and is triggered by a malicious iMessage attachment; the target does not have to tap anything. It affects iPhones, iPads, Macs and Apple Watch, and the fix ships in iOS 14.8 and the corresponding iPadOS, macOS and watchOS updates. Once Pegasus is installed it has full access to the phone's data as well as the microphone and camera.
Cyberpion, an Israeli startup, scanned the public, internet-facing assets of Fortune 500 firms. Almost 25% of those assets have vulnerabilities or fail basic security tests. The average Fortune 500 company exposed 126 different login pages, and on average 10% of those either transmit credentials over plain HTTP (unencrypted clear text) or present invalid TLS certificates.
The Massachusetts Attorney General has begun investigating the recent T-Mobile data breach. T-Mobile has stated that 54.6 million individuals had some data exposed, including names, addresses, birth dates, phone numbers, SSNs, some driver's license information and IMEI numbers (the globally unique identifier assigned to each handset). The investigation is looking at the safeguards T-Mobile had in place before the breach to protect its customers' data.