Damned If You Patch, Damned If You Don’t
The furore over Meltdown and Spectre continues. Not only have an abundance of (seemingly rushed) patches been released this week and last, but Intel and Microsoft have finally confessed to performance impacts across workstations and desktops.
Only 4 days into 2018 and the sense of foreboding has already started to resonate across IT security teams with the debut of two major security flaws: Meltdown and Spectre.
If the ominous names haven’t caused enough concern, perhaps it’s the panic caused by the media storm, vendor denials and ambiguity around remediating the vulnerabilities.
Take a breath and read on to find out everything you need to know.
The new SSAE 18 standard was introduced just after we had completed our 2017 SOC 1 assessment (under SSAE 16). We interpreted this as an opportunity to re-run the audit process at the end of the year (and maintained our tradition of passing without exception!).
Before you start making your 2018 resolutions, it’s time to sit down with your last cup of eggnog and reflect on all that 2017 taught us in the cyber security world…
Spam is War
Looks like the hackers may have been too busy preparing for the holidays to develop exploits this month. December’s patch Tuesday brings us one of the lightest CVE counts of the year, with the total count from Microsoft at 34, none of which are known to be exploited.
Microsoft browsers are still the hot topic, with 18 critical CVEs referencing scripting engine vulnerabilities.
So, after three or so years at university you are finally gearing up to put on your graduation cap and get the picture for your parent’s mantelpiece. Of course, a part of this process is asking yourself the question ‘what next!?’
As the saying goes - as one door closes, another opens.
After a hectic month on high alert against Krack and Bad Rabbit, the desktop management team at Options welcomed a less taxing Patch Tuesday this month. Microsoft released 53 updates this month with the usual suspects, namely browsers and Office applications, taking most of the heat. What really shocked us was the 60+ updates released by Adobe.
WannaCry, NotPetya, and now Bad Rabbit! On October 24th, the third major ransomware campaign of 2017 hit Russia, Ukraine, and is now being reported globally. Although not as widespread as the first two attacks, Bad Rabbit has shut down 3 major media companies in Russia, along with Kiev Metro and Odessa International Airport.
If you haven’t been paying attention to the news, it’s time to get patching again! Another vulnerability has been exposed, affecting virtually all WiFi enabled devices globally.
Known as KRACK – short for Key-Reinstallation Attack, this vulnerability can be abused to steal sensitive information such as credit card numbers, chat messages, emails etc.
October’s security updates are now released, but are they tricks or treats? Well, it depends on how prepared your platform is!
Microsoft released a fairly large number of security patches this month, 62 in total spanning across Windows, Skype for Business, Edge and most notably, Office. Four of these were publicly known before patches were released, and one is known to be exploited.