Information Security Solutions Built on Customer Trust

Risk Management Comes Back into Focus Less than 50% of IT Security leaders are able to measure or quantitatively understand their organization’s level of risk. According to a study published by Forrester, just 51% of the security pro’s that were surveyed last month were able to identify their organization’s level of risk from a business perspective. When I read this study by Forrester, I wanted to really understand what they meant by risk management, measuring risk, and reducing risk. A significant number of organizations and security leaders see risk management as theoretical rather than something measurable that their organization should strive to identify and set goals to reduce. Most professionals in the IT security or cybersecurity industry understand it is difficult to set a value to systems, litigation costs, brand damage costs, ransomware costs, data loss costs, compliance penalties and so many other difficult to estimate variables. However, just as security analysts try and predict the expected outcome of an investment using among other variables, the level of risk of that investment, IT security professionals need to work with the business side of the organization to try to estimate the value of the company assets and the risk to those assets of a cyber-attack. Travelers, which offers cybersecurity insurance coverage for cyber-attack losses, conducted a survey that asked business leaders about their security best practices. Several of the questions asked in the survey that drew our attention included the following year over year comparison data: Updated their computer passwords (74%, up from 71%). Purchased a cyber insurance policy (51% of survey participants, up from 39% last year). Created a business continuity or disaster recovery plan in the event of a cyber-attack (47%, up from 38%). Executed a risk assessment across their IT infrastructure (49%, up from 45%) and their vendors…

Continue Reading

ZeroLogon and the Importance of Vulnerability Management In this blog, we have written about regular security hygiene including executing regular vulnerability assessments and implementing a viable vulnerability management program. However, many security professionals see vulnerability management as a cumbersome set of tasks usually comprised of simple scan and patch cycles; ZeroLogon is an excellent example of why vulnerability management is so critical. The ZeroLogon vulnerability allows a hacker to take control of a domain controller (DC), including the root DC. This is done by changing or removing the password for a service account on the controller. The hacker can then simply cause a denial of service or take over and own the entire network. U.S. Department of Homeland Security issued an emergency directive instructing all federal agencies to patch the vulnerability by the end of last month. DHS’s Cybersecurity and Infrastructure Agency (CISA) said in the directive that it expected imminent exploitation of the flaw — CVE-2020-1472 and dubbed “ZeroLogon” — because exploit code which can be used to take advantage of it was circulating online. The CVE Score of the ZeroLogon vulnerability is a 10. This year, among the 20,000 vulnerabilities that will likely be reported – which is again a record over last year; only 30 or so will rank as a 10 in criticality. Windows ZeroLogon EP (ZEP) is a vulnerability in the Netlogon protocol used by Windows Server. Secura’s security expert Tom Tervoort discovered the vulnerability and explained how the flaw in Microsoft’s software would allow hackers to do significant damage. “The vulnerability is an easy exploit for attackers to deploy and will surely cause problems for organizations who have not yet patched their ActiveDirectory systems.” Tervoort, an independent security researcher reported the vulnerability to Microsoft and documented its danger in his blog. 60 days ago,…

Continue Reading

How Vulnerability Assessments Differ Across Providers In our Vulnerability Management – A Best Practice blog post, we suggested vulnerability assessments were the process of scanning for and identifying possible vulnerabilities and risks within an organization’s systems. We further suggested that vulnerability management exists for the purpose of identifying and remediating vulnerabilities in systems quickly before they are exploited. Vulnerabilities, which are essentially flaws or weaknesses within the software can lead to a system or network that can be exploited by attackers. These vulnerabilities must be identified, assessed, and patched regularly to ensure that they are not uncovered and exploited by attackers. To create and maintain a strong security posture, business owners and security staff must be aware of the vulnerabilities or flaws on their systems and create a process by which they can be quickly patched. It has been made clear through countless attacks across small and large businesses as well as government entities that If vulnerabilities are not identified or remediated, companies leave themselves open to an attack. An effective vulnerability assessment can dramatically decrease an organization’s cybersecurity risk. In this blog post, we will describe what to look for when evaluating potential vulnerability assessment services. Vulnerability Assessments Are Not the Same as Penetration Tests First, let’s clear up some inevitable confusion that often leaks into any vulnerability assessment discussion. Vulnerability assessments and penetration tests are both designed to identify vulnerabilities within an organization’s cybersecurity defenses. However, they have different purposes and carry out the vulnerability discovery process in different ways. We spent considerable time discussing the difference between vulnerability assessments and penetration tests in the following blog posts: Penetration Testing vs Vulnerability Assessments – Part 1 of 2Penetration Testing vs Vulnerability Assessments – Part 2 of 2 A vulnerability assessment is designed to provide a surface-level assessment of…

Continue Reading