US, UK, Australia list highly exploited hacking risks and urge getting patches up to speed

[lizkat]

Feds list the top 30 most exploited vulnerabilities. Many are years old

Hackers continue to exploit publicly known—and often dated—software vulnerabilities.

arstechnica.com

This is all well and good, and I applaud these three governments' cyber-risk agencies for their effort, but I got news for them. We must each know at least half a dozen laggards on data security, some of them small biz owners, who are running old computers with old operating systems, don't run patches in timely fashion (and will not only click on anything with a link in their email) but forward it to everyone they know.

And, most of us have heard every excuse in the book about why "the great unpatched" don't address their (or their companies') risks.

What to do, what to do... well this is maybe a start, at least for small biz owners whose insurers might raise a question or two. I'm surprised if business insurance companies don't already demand security audits, and jack up rates for unpatched vulnerabilities that have been addressed by updates already released (sometimes YEARS ago).

 

[User.191]

Feds list the top 30 most exploited vulnerabilities. Many are years old

Hackers continue to exploit publicly known—and often dated—software vulnerabilities.

arstechnica.com

This is all well and good, and I applaud these three governments' cyber-risk agencies for their effort, but I got news for them. We must each know at least half a dozen laggards on data security, some of them small biz owners, who are running old computers with old operating systems, don't run patches in timely fashion (and will not only click on anything with a link in their email) but forward it to everyone they know.

And, most of us have heard every excuse in the book about why "the great unpatched" don't address their (or their companies') risks.

What to do, what to do... well this is maybe a start, at least for small biz owners whose insurers might raise a question or two. I'm surprised if business insurance companies don't already demand security audits, and jack up rates for unpatched vulnerabilities that have been addressed by updates already released (sometimes YEARS ago).

It’s a real problem - especially when a company is saddled with legacy software that can’t be executed on weber operating systems. You tell the business they need to upgrade and they turn back and say they can’t afford it.

Then..blammo.

I’ve had first had experience of this taking place - I still remember my usul dull morning turned to shit when I realized that my adult trails were showing odd activity. By the next day I was in fill blown conversation with the banks legal team as to the scope of the incursion.

And then I had to tell them “I told you all so in my email from a few months ago this was a risk that you all ignored”.

 

[lizkat]

And then I had to tell them “I told you all so in my email from a few months ago this was a risk that you all ignored”

Even big corporations can talk a good game... and want to look in their annual reports like they've made an effort on cybersecurity, but when push comes to shove, the average senior VP still ends up caring about security only so long as it doesn't get in the way of their conducting business as desired right now. The goalpost is about the quarterly profit margin hike, end of discussion.

And if on the IT side you properly say no to a request to work around some security issue, you can bank on it getting escalated up the chain on the client side and then across to his peer on the IT side and back down to you and the message is almost invariably "make it happen." All you can do is log every untoward request -- and your understanding of the "chain of custody" of what may well turn into a demand. And leave footprints of your own about what you did and when, so if the auditors end up called in on something that goes south, it's clear what you said and did and that you weren't trying to hide anything.

So it's not just about unpatched software. It can be about opportunists looking for that or for any other breach in what's supposed to be a firewall.

 

[lizkat]

Not starting a new thread about the log4j server vulnerability when this thread seems adaptable...

I'm eager to read more about progress against further exploitation of weakness in log4j, a popular bit of open source software used for logging events on servers. There were some articles about the flaw late last week but not much news since then. Exploitation is already occurring.

So far as I can tell, Twitter, Apple, Amazon etc have not commented, although there have been news reports that companies all over the world are scrambling to patch their servers against the (too easy) exploitation of this flaw.

Hackers launch over 840,000 attacks through Log4J flaw

Researchers claim Chinese government groups are among the perpetrators.

arstechnica.com

 

[SuperMatt]

Not starting a new thread about the log4j server vulnerability when this thread seems adaptable...

I'm eager to read more about progress against further exploitation of weakness in log4j, a popular bit of open source software used for logging events on servers. There were some articles about the flaw late last week but not much news since then. Exploitation is already occurring.

So far as I can tell, Twitter, Apple, Amazon etc have not commented, although there have been news reports that companies all over the world are scrambling to patch their servers against the (too easy) exploitation of this flaw.

Hackers launch over 840,000 attacks through Log4J flaw

Researchers claim Chinese government groups are among the perpetrators.

arstechnica.com

They mentioned this on NPR this afternoon as well.