THE BLOG
-
Nov 21, 2022
Closing out the Year
Here in the Northeast, the seasons are changing. The leaves have fallen and the mornings are crisp, which means it's that time of year when CISOs must focus on the year-end cycles of the business: budgeting, regulatory audits, risk mitigation and year-end reviews. It is a time for taking stock of the good, the bad and the ugly of the past 12 months and setting the stage for a productive and secure year ahead. We know you have a lot to consider, but here are three items we hope are on your to-do list:
1. Completing Regulatory Requirements. Did you complete your audits for the year (PCI, NIST, ISO, HIPAA)? If not, get on that before the year is done. If so, great job; now set the stage for any remediation that might be needed in the coming year. If a penetration test is needed, is it done? If not, schedule one as soon as possible.
2. Evaluating Your External Network. Do you know your external network risk? Maybe the year got away from you and the testing you meant to complete was never done. If nothing else, make sure you have evaluated your organization's external network and public footprint. Even if no major changes were made this year, the external network should be evaluated, scanned and penetration tested annually. If mitigations are needed, make plans to put them in place soon.
3. Assessing Your Security Staff. Have you assessed your team's capabilities and gaps this year? Maybe you are lacking threat intelligence personnel, or the security compliance position has been vacant for some time and you are just making do. Maybe you need a security team to help fill in with technical validation and internal penetration testing (like us). Whatever the need, now is the perfect time to set the stage for the upcoming year. Move team members around if needed, but make sure the major areas of risk and responsibility are covered, whether internally or with a vendor's help.
As the year closes out and you set the stage for a safe and effective year ahead, let us know if we can help!
-
Nov 03, 2022
OpenSSL In the News
Everywhere you look the past few days, you read about OpenSSL. Recent news reported two vulnerabilities (CVE-2022-3602 and CVE-2022-3786) rated 'critical' and initially compared to Heartbleed. Since the initial reporting, these CVEs have been downgraded to 'high', so they no longer have 'Heartbleed' status, but they are nonetheless still important.
There are lots of articles out there right now about these and other OpenSSL vulnerabilities, the associated risks and how to patch, so we won't go deep into that here. From our perspective, here are the top things you need to do to address this and other high-priority updates:
1. Keep tabs on news sources. In this case, guidance was issued on October 25th warning IT administrators to check their asset inventory and prepare to patch when the update became available.
2. Know your inventory. Are you at risk? Do you have OpenSSL in your environment? If you don't know, you cannot address the critical issues as they arise. Know where the software - in this case OpenSSL - is deployed in your environment so that you can ensure it is properly secured.
3. Patch. Once you understand the issue, you have your inventory, and the patch is out, it is time to patch and/or upgrade. The updated version of OpenSSL was released on November 1st, so it is time to patch right now. What is your plan?
4. Scan Regularly. Not every vulnerability will be highly publicized, so make sure you (or a third party) are performing vulnerability scans regularly so that you are not caught off guard when an important vulnerability arises. Keep especially close tabs on your external environment and critical assets.
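As an added illustration of steps 2 and 3 (this is not code from the original post), the following Python triages a constructed inventory of `openssl version` banners: hosts on the affected branch below the fixed release are flagged for patching, and hosts whose version was never collected are reported as inventory gaps rather than silently skipped. The affected branch and fixed release are placeholders the post does not supply; set them from the OpenSSL advisory for the CVEs you are tracking.

```python
import re
from typing import NamedTuple, Optional

# `openssl version` prints "OpenSSL <version> <date>"; pre-3.0 builds add a letter suffix (1.1.1q).
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letter: str  # "" for 3.x; tuple ordering puts "" before "a".."z" as intended

def parse_version(banner: str) -> Optional[OpenSSLVersion]:
    """Parse an `openssl version` banner; None if the text is not one."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(patch), letter)

def is_vulnerable(v: OpenSSLVersion, branch: tuple, fixed: OpenSSLVersion) -> bool:
    """Needs the patch if it sits on the affected branch below the fixed release."""
    return (v.major, v.minor) == branch and v < fixed

def triage_inventory(inventory: str, branch: tuple, fixed: OpenSSLVersion):
    """Return (hosts needing the patch, hosts whose version could not be read)."""
    needs_patch, unknown = [], []
    for line in inventory.strip().splitlines():
        host, _, banner = line.partition(",")
        version = parse_version(banner)
        if version is None:
            unknown.append(host)  # reported, not skipped: an unversioned host is an inventory gap
        elif is_vulnerable(version, branch, fixed):
            needs_patch.append(host)
    return needs_patch, unknown

# Placeholders (the post names neither value): set them from the OpenSSL advisory for the CVEs you track.
AFFECTED_BRANCH = (3, 0)
FIXED_RELEASE = parse_version("OpenSSL 3.0.7")

# Constructed sample inventory, one "host,banner" per line (banner as printed by `openssl version`); not real data.
INVENTORY = """\
web-01,OpenSSL 3.0.5 5 Jul 2022
web-02,OpenSSL 3.0.7 1 Nov 2022
db-01,OpenSSL 1.1.1q 5 Jul 2022
vpn-01,OpenSSL 3.0.2 15 Mar 2022
legacy-01,version not collected
"""
if __name__ == "__main__":
    print(triage_inventory(INVENTORY, AFFECTED_BRANCH, FIXED_RELEASE))
```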