Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: Zero-day iPhone hack revealed, but the sky is not falling. Don’t worry about zero-days – Worry about 400-days. And why you shouldn’t listen to me.
This week’s action: Patch management: Review how you are ensuring security updates get installed in a timely manner.
>>>>> THREE ARTICLES <<<<<
1: iPhone zero-day hack revealed. The sky is not falling.
A vulnerability has been discovered in Apple devices that allows an attacker to gain unauthorised access to the device with little or no interaction from the user. Apple has released a patch, and all Apple users have been advised to install it as soon as possible.
There were lots of headlines about the issue and I received a few phone calls from worried clients.
Of course, we must keep your devices up to date and this is no exception.
But we mustn’t lose our minds.
Rather than lose sleep over this specific patch, we should focus on the vulnerabilities that have been known for months (possibly years) and are actively being exploited because we haven’t installed the updates that fix them. We’re terrible at this ‘boring’, non-headline-grabbing “Patch Management” housekeeping.
The headlines talk about zero-day attacks. But most attacks are 400-day-attacks.
2: Patch management is simple. But not easy.
“Just because a vulnerability was identified and a fix made available in 2018, it’s way too simplistic to argue every enterprise should have patched it by now. ‘Identifying which vulnerabilities to prioritise is a perennial challenge in IT security’.”
Sitting here in my ivory tower, it’s simple to talk about patch management. But this article explains why it is not easy.
Read more: https://www.theregister.com/2021/09/08/patch_now_why_enterprise_exploits/ via https://www.securethevillage.org/news
3: Don’t listen to me.
“Stop making cyber security decisions based on shiny objects and peoples’ opinions, and instead base strategic decisions on a published cyber security framework. [..] Cyber security frameworks are not a new concept [..] industry experts have tried to distil best practices for information security so that organizations would not be left to decide on their own how to best defend their data.”
I couldn’t agree more. Don’t listen to me*.
Rely on a cybersecurity framework that has been formulated by industry experts and is designed to defend against the most likely attacks. Not only will it significantly reduce the likelihood or impact of an attack, it will also make it easier for you to prove that you have ‘reasonable security measures’ in place.
(* One exception: If you don’t know where to start, listen to me for a little while longer.)
Read more: https://www.cshub.com/security-strategy/articles/three-us-state-laws-are-providing-safe-harbor-against-breaches via https://securethevillage.org/news
>>>>> TWO STATISTICS <<<<<
1: 66%
According to the Cybersecurity and Infrastructure Security Agency (CISA) in the USA, two-thirds of the top-12 most regularly exploited software vulnerabilities in 2020 had fixes / updates available in 2019 (or earlier).
Zero-days cause the most headlines. But 400-days cause the most damage.
Read more: https://us-cert.cisa.gov/ncas/alerts/aa21-209a
2: 91%
91% of IT teams “have felt pressured to ignore security concerns in favour of business operations”.
Security is usually a trade-off with something else – e.g. operational efficiency; convenience.
But the world is all about trade-offs. IT can’t just always say ‘no, this is risky’.
In theory, an IT team will communicate their expert opinion about the increased security risks of the business choosing a particular path. If the senior management of the business chooses to continue down that path, then at least they have made an informed decision. And if the security concerns become a security incident, the senior management will take responsibility.
In reality, the fingers will point to IT when the incident occurs. No-one will dig deeper. It’s why CIO frequently means “Career Is Over”.
And yet we wonder why IT always says “no”.
Read more: https://www.zdnet.com/article/91-of-it-teams-have-felt-forced-to-trade-security-for-business-operations/ via http://securethevillage.org/news
>>>>> ONE ACTION <<<<<
1: Review your patch management strategy
Don’t be driven by news headlines. Be driven by data. And the data tells us that the majority of attacks that exploit a software vulnerability are exploiting a vulnerability for which a fix has existed for more than 12 months (https://us-cert.cisa.gov/ncas/alerts/aa21-209a).
Zero-days cause the most headlines. But 400-days cause the most damage.
Ensure you have an effective patch management strategy in operation so that software updates are installed in a timely manner, especially on devices connected to the internet.
For devices where you are relying on the device to update itself automatically (e.g. through Windows Update; iOS automatic updates), make sure you frequently check that this is actually working.
Where you are relying on your non-IT staff to do it, find another way. This is not a priority for them. Given the choice between installing an update or finishing their work so they can have their dinner, you can’t blame them for choosing the latter option.
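The two checks above (“is automatic updating actually working?” and “what has been sitting unpatched for more than 12 months?”) can be answered from a device inventory rather than from headlines. The script below is an added illustration, not something from the newsletter or from CISA: it runs over a small constructed inventory (the hostnames, fix names and dates are made up) and reports devices whose last successful update run is older than a month, plus every outstanding fix that the vendor published more than a year ago, i.e. the “400-days” exposure.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class PendingFix:
    """An update the vendor has published but this device has not installed."""
    name: str        # vendor's identifier for the update (constructed for this example)
    published: date  # date the vendor made the fix available


@dataclass
class Device:
    """One record from a patch inventory, as a management tool might export it."""
    hostname: str
    last_successful_update: date          # last time an update run completed on the device
    pending: list = field(default_factory=list)


# Constructed sample inventory; none of these names or dates are real.
# laptop-02 is the interesting case: automatic updates silently stopped in May,
# and a fix published in June 2020 is still outstanding.
INVENTORY = [
    Device("laptop-01", date(2021, 9, 10)),
    Device("laptop-02", date(2021, 5, 2),
           [PendingFix("KB-EXAMPLE-2020-001", date(2020, 6, 15))]),
    Device("server-03", date(2021, 9, 1),
           [PendingFix("PATCH-EXAMPLE-2021-07", date(2021, 8, 20))]),
]


def stale_devices(inventory, today, max_days=30):
    """Devices whose last successful update run is older than max_days.

    A device that should update itself automatically but appears here is the
    signal that the automatic mechanism is not working and needs a human look.
    """
    return [d.hostname for d in inventory
            if (today - d.last_successful_update).days > max_days]


def long_unpatched(inventory, today, min_days=365):
    """(hostname, fix name, age in days) for every outstanding fix at least
    min_days old, oldest first. These are the '400-day' exposures."""
    rows = [(d.hostname, fix.name, (today - fix.published).days)
            for d in inventory for fix in d.pending
            if (today - fix.published).days >= min_days]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def share_over_a_year_old(inventory, today):
    """Fraction of all outstanding fixes that have been available for 365+ days.

    This is the same kind of figure as the CISA two-thirds statistic, computed
    for your own estate; 0.0 is returned when nothing is outstanding.
    """
    ages = [(today - fix.published).days for d in inventory for fix in d.pending]
    if not ages:
        return 0.0
    return sum(1 for age in ages if age >= 365) / len(ages)


def report(inventory, today):
    """Plain-text summary suitable for a weekly review."""
    lines = [f"Patch review as of {today.isoformat()}"]
    stale = stale_devices(inventory, today)
    lines.append(f"Devices with no successful update run in 30+ days: {stale or 'none'}")
    for host, fix, age in long_unpatched(inventory, today):
        lines.append(f"  {host}: {fix} has been available for {age} days and is still missing")
    lines.append(f"Share of outstanding fixes over a year old: {share_over_a_year_old(inventory, today):.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY, date(2021, 9, 15)))
```

The date is passed in explicitly rather than taken from the clock so the review can be re-run against an exported inventory from any day. In practice the inventory would come from whatever already knows the patch state of your devices (the management console, the update service’s own reports); the point is that the question “is this working?” gets asked on a schedule, with a threshold, not only when a headline appears.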