Industry News
Ed Cartier's monthly roundup of industry news
Articles relating to asset management, technology, security and cloud computing

Industry News - Jan 2024

CISA Adds Patched MS Sharepoint Server Vulnerability to KEV Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a patched privilege escalation vulnerability affecting Microsoft SharePoint servers to its Known Exploited Vulnerabilities (KEV) catalog. The agency cited evidence of active exploitation of the critical-severity bug, tracked as CVE-2023-29357, for which Microsoft previously released fixes as part of its June 2023 Patch Tuesday updates. The vulnerability (CVSS 9.8) allows an attacker who has obtained spoofed JSON Web Token (JWT) authentication tokens to use them to carry out a network attack. CISA has advised users to update their systems by January 31 to protect against active threats. IT administrators can use their IT asset management tools to identify vulnerable systems.

Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations

IT asset management (ITAM) is the process by which organizations manage their IT assets. ITAM is critical to ensuring that proper cyber hygiene controls are in place across all assets in the organization. The use of discovery tools reduces unknowns across the network. ITAM should be implemented for endpoints, servers, applications, and networking equipment. ITAM cybersecurity practices should be incorporated into every lifecycle stage of IT operations to maintain data accuracy and integrity. The lifecycle includes procurement, deployment, maintenance, and decommissioning. As part of its public-private partnership with the NIST National Cybersecurity Center of Excellence (NCCoE), the financial sector has written a detailed ITAM practice guide: IT Asset Management (https://www.nccoe.nist.gov/sites/default/files/legacy-files/fs-itam-nist-sp1800-5b-draft.pdf)

Apple Ships iOS 17.3, Warns of WebKit Zero-Day Exploitation

Apple announced that the newest iOS 17.3 and macOS Sonoma 14.3 updates address at least 16 vulnerabilities that can expose Apple users to code execution, denial-of-service and data exposure attacks. In a separate advisory, the company documents a pair of WebKit bugs (CVE-2023-42916 and CVE-2023-42917) that it says may have been exploited against versions of iOS before iOS 16.7.1. The recent updates also fix security problems in the Apple Neural Engine, CoreCrypto, Mail Search, Reset Services, Shortcuts and Time Zone. IT professionals can use their IT asset management tools to identify unpatched devices.

45% of Critical CVEs Left Unpatched in 2023

In 2023 cyberwarfare became more widespread. Manufacturing, educational services and public administration were widely exposed to attack from cybercriminals. Older Windows Server OS versions (2012 and earlier) are nearly 80% more likely to experience attack attempts than newer Windows Server versions. This exposure is especially evident in the server environment: almost 25% of server versions are facing end-of-support (EoS) scenarios. Industries still running end-of-life (EoL) or EoS operating systems that are no longer actively supported or patched for vulnerabilities are particularly at risk. IT professionals can use the information generated by their IT asset management solutions to pinpoint legacy, obsolete and/or unpatched systems.

Industry News - Dec 2023

3 Steps to Proactive IT Cost Optimization

Modern CIOs are expected to do more with less. Although digital transformation and improved customer experiences remain priorities, efficiency improvements and cost reductions grow in importance in a time of economic uncertainty. Increased borrowing costs, skilled labor shortages, rising cloud pricing and supply chain disruptions are causing re-prioritization of new projects and reevaluation of ROI for ongoing and new projects. In this environment, CIOs should institute proactive IT cost optimization efforts across their business, using cost reduction initiatives as a funding mechanism for the broader transformational initiatives. Using an IT asset management tool to identify obsolete, redundant and under-utilized systems and software can make any cost-management program more efficient.

Software Spend to Rebound In 2024 as ERP, Database Move to SaaS

Cloud and software-as-a-service (SaaS) are becoming intertwined as vendors shift to service delivery models and usage-based pricing. Premises-based software's footprint is shrinking as legacy vendors move to cloud-based delivery and usage-based pricing. The shift indicates a clear link between cloud and ERP, CRM, data management and other enterprise software products. Liz Herbert, Forrester VP and principal analyst, noted: "We are definitely tracking the continued shift to the cloud. Leading software companies are all moving to cloud and SaaS; that's almost without question." CIOs can use the information generated by their IT asset management solutions to identify the software systems that would benefit most from a migration to a SaaS model.

Microsoft Windows 10 Security Support Extension No Excuse to Put Off Patching, Asset Review

Microsoft has acknowledged that more time is needed for users to migrate to Windows 11, officially announcing that when Windows 10 support comes to an end in October 2025 there will be a means for consumers and businesses to purchase extended Windows support patches. This extension gives CIOs an opportunity to review aging assets and projects. IT managers should consider which workstations would actually benefit from upgrading to Windows 11 and identify the systems that lack the TPM or CPU needed to support Windows 11, or that are running applications that won't support Windows 11. In many cases CIOs are delaying an upgrade to Windows 11 because a hardware refresh is required. An IT asset management solution can help inventory and prioritize the systems on the network and determine which roles and positions would benefit from a Windows 11 deployment.

Microsoft Patch Tuesday: Critical Spoofing and Remote Code Execution Flaws

Microsoft recently released fixes for several critical security flaws in the Windows ecosystem. The company warned users that hackers could target these issues to take complete control of unpatched machines. The Redmond firm documented at least 33 vulnerabilities across a range of products. It called urgent attention to remote code execution bugs in the MSHTML Platform, the Microsoft Power Platform Connector and the Internet Connection Sharing (ICS) components. In all, Microsoft's security response team documented at least 42 vulnerabilities, four of them tagged with the critical-severity rating. According to ZDI, the firm has patched more than 900 CVEs in 2023. Windows administrators should pay special attention to CVE-2023-36019, which addresses a critical spoofing bug in the Microsoft Power Platform Connector. The large number of patches released underscores the need for IT professionals to identify vulnerable and unpatched systems.

Threat Actors Still Exploiting Old Unpatched Vulnerabilities, Says Cisco

According to Cisco Systems, the most targeted vulnerabilities in 2023 were older security flaws in common applications. Cisco's Talos threat intelligence division noted that threat actors clearly prefer to target unpatched systems where exploitation can cause major disruption. In many cases the vulnerabilities were more than 10 years old, so users had plenty of time to patch them. Government data indicates that 80% of the most targeted vulnerabilities were also cited by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as frequently exploited in prior years. Using their IT asset management tools, IT managers can easily pinpoint unpatched and vulnerable systems, thwarting potential attackers.

CISA Highlights Cybersecurity Guidelines For Healthcare CIOs and CISOs

The Cybersecurity and Infrastructure Security Agency (CISA) recently released a healthcare-specific cybersecurity vulnerability mitigation guide. CISA's document encourages CIOs to address key vulnerabilities including web application flaws, encryption weaknesses, and the use of unsupported software. CISA encourages healthcare IT professionals to implement and maintain an asset inventory. Cybersecurity leaders need a detailed listing of all the assets on their network. They must be able to identify and understand each asset's relationships, interdependencies, functionalities, and the software running on the network. This information is critical to protecting electronic Protected Health Information (ePHI) and ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA). Organizations should carry out asset inventories using active scans, passive processes, or a blend of these methods. An IT asset management solution is a key tool for acquiring this information.

Industry News - Nov 2023

Escalating SaaS Prices Outpace Consumer Price Index Inflation

According to Vertice, SaaS spending currently accounts for over 14% of a typical company's expense line, up from over 12% last year. That is an average spend of $7,900 per employee on software, compared to $5,760 in 2022. The Vertice research shows that while overall SaaS spending is growing by nearly 18%, only about 9% comes from growth in prices. The remainder is driven by shrinkflation, where vendors charge the same price for reduced functionality. IT managers should consider alternate vendors for non-critical applications and use their IT asset management solutions to monitor usage and over-licensing of SaaS software.

Most Businesses Buy the Wrong Software, Report Finds

The adoption of new software products, coupled with vendor price hikes, is a significant driver of accelerated software spending. Unanticipated onboarding costs and the shift from on-premises licensing to usage-based fee structures can exacerbate budget complications. The data generated by an IT asset management solution can provide valuable information on licensing needs, past over-spending and under-utilized software.

Cisco Patches Serious Flaws in Firepower and Identity Services Engine

Cisco recently released patches for several high- and critical-severity vulnerabilities affecting products including Firepower network security devices, the Identity Services Engine (ISE) network access control platform, and the Adaptive Security Appliance (ASA). The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging administrators to apply the Cisco patches, noting that a cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. IT managers can use their IT asset management tools to identify vulnerable devices.

Outdated Operating Systems Remain Key Medical Device Security Challenge

Microsoft's support of Windows 8.1 ended on January 10, 2023. Consequently, the company will no longer provide software updates and technical assistance for that OS version. Microsoft recommended that users upgrade to Windows 11 to reduce cyber-risks. The company stated that continuing to use Windows 8.1 may increase an organization's exposure to security risks or impact its ability to meet compliance obligations. Ending support for older operating systems after several years is typical, and Microsoft usually announces end-of-support dates years in advance. For example, Windows 10 will retire on October 14, 2025. However, in healthcare, many medical devices remain in use for a decade or longer and may rely on operating systems that are no longer receiving patches or updates. For many facilities, replacing expensive devices every time an operating system goes out of date is not a sustainable strategy. A robust IT asset management solution can help identify the most vulnerable devices in use.

Hands Off the Security Budget! Find Efficiencies to Reduce Risk

CXOs seeking to reduce budgets are taking a long look at their security budgets. Gartner forecasts that, over the next four years, spending on security technology will grow annually at 11%. The frequency and cost of cyberattacks, combined with rapidly evolving regulatory and compliance requirements, will shape spending priorities. Consequently, many executives are examining ways to streamline and reprioritize, rather than reduce, their security budgets. As an alternative to cutting security budgets, organizations should look for opportunities to eliminate inefficiencies and extraneous costs. One approach is to identify duplication and waste. An IT asset management solution can help complete a detailed infrastructure audit that uncovers opportunities to reduce or reallocate spending. It can identify over-licensed applications, applications that can be retired, and hardware assets that can be decommissioned or consolidated. Maintenance or licensing fees can be reduced or renegotiated once unused or over-licensed software is identified. Such an exercise can also help accelerate cloud adoption: identifying on-prem software that can be replaced by SaaS applications can reduce overall software costs. Moving to the cloud can lower infrastructure costs, reduce management requirements, and speed up application development and rollout times. Cloud migration can also reduce capital and human resource costs.

Microsoft Patches

Microsoft recently released patches that cover at least 59 documented security vulnerabilities, including two critical-severity zero-days already being exploited in the wild. Redmond's security response team documented a wide range of security defects across Windows OS versions and components and called special attention to two vulnerabilities (CVE-2023-36033 and CVE-2023-36036) that are currently being exploited in active attacks. The patch rollout also fixes the known WebP flaw affecting the Chromium-based Microsoft Edge browser and remote code execution issues in the Windows cURL implementation. The company also issued a patch to address the feature bypass issues that continue to haunt its Windows SmartScreen tool, as well as major updates to fix remote code execution and privilege escalation issues in Windows Pragmatic General Multicast (PGM). The PGM flaw (CVE-2023-36397) carries a CVSS severity score of 9.8 out of 10 and should be treated as a high-priority patch for deployment. IT managers can use their IT asset management tools to identify unpatched and vulnerable devices.

Industry News - Oct 2023

How to Stay Safe from Evolving Cybersecurity Threats

To minimize the impact of potential cyberattacks, organizations should work to become compliant with the Securities and Exchange Commission's new cybersecurity rules. Firms should adopt prevention measures against threats and should be prepared to respond if an attack happens. Cybersecurity expert Roger Grimes has proposed that firms have a plan in place to deal with a cybersecurity incident. He noted: "You don't want to be making those sorts of decisions in the midst of the crisis. It's nice to have a thoughtful plan ahead of time. If the worst happens, you can approach it in the best way." As preventative measures, Grimes said firms should be cautious of social engineering such as fake emails and websites; patch unpatched software; regularly update software, firmware and routers; and use multifactor authentication and different passwords for every site. He said: "Those four things, if you can do them, it will probably mean that you're very unlikely to get compromised." A robust IT asset management tool can help pinpoint unpatched and obsolete software, facilitating cybersecurity efforts.

CISA's Top 10 Misconfigurations Reveal 'Systemic Weaknesses'

The National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) recently noted that the systemic weakness in large organizations' network infrastructure is that common problems go unrepaired. According to cybersecurity experts and analysts, the list of the ten most common misconfigurations reads like a list of basic standards and best practices. CISA reported that these weaknesses are abundant even in enterprises with mature cybersecurity postures. The list of problems included, among other things, the use of default software and application configurations and poor patch management. IT managers can use their IT asset management tools to identify unpatched and poorly configured systems, enabling targeted remediation.

Apple Ships Major iOS, macOS Security Updates

Apple recently issued major security updates for its macOS and iOS platforms. The company warned that several security defects leave users vulnerable to remote attacks. Apple documented over 20 iOS security vulnerabilities and more than 40 macOS flaws that could enable code execution, privilege escalation and exposure of sensitive data. Apple also released a patch for an older version of the mobile OS to cover a currently exploited vulnerability reported by Kaspersky. iOS 17.1 addresses security problems in several components, including Contacts, CoreAnimation, kernel, ImageIO and IOTextEncryptionFamily. The iOS patch repairs major security issues in WebKit, the web browser rendering engine used in Apple's products. The macOS update covers code execution flaws in AppSupport, kernel, Model I/O, Vim and WebKit. IT managers can use their IT asset management tools to identify unpatched and vulnerable devices.
© xAssets 2024 All rights reserved.