Industry News
Ed Cartier's monthly roundup of industry news
Articles relating to asset management, technology, security and cloud computing

Industry News - Jun 2023

As Software Migrates to Cloud, IT Spending Waste Follows

Unneeded, surplus and uncatalogued IT assets are the targets of enterprise budget managers. As organizations move workloads out of on-premises data centers to the cloud, identifying sources of overspending is leading IT asset managers to examine cloud assets. In a recent survey, 40% of respondents indicated that identifying overlapping software and finding ways to get the most value out of license use rights were priorities. While tracking traditional software usage remained the most common responsibility of asset management teams, the proliferation of cloud services is driving a realignment in priorities. IT asset management teams are rapidly working to reduce in cloud-based software bloat. Nearly 50% of respondents expressed concerns about containerized applications deployed in hybrid ecosystems. In addition, the number of respondents focused on cloud-based software grew by 10 percentage points year over year. A robust IT asset management solution that can measure and identify cloud asset can be a key tool in controlling cloud costs.
Click here to read more

Shadow IT Is Increasing And So Are The Associated Security Risks

CISOs continue to contend with shadow IT, that is technology that operates within an enterprise but is not officially sanctioned by, or on the radar of, the IT department. Unvetted software, services, and equipment can be nightmare fuel for the security team. Shadow IT potentially introduces a variety of vulnerabilities, entry points for bad actors, and malware. In fact, the problem may even worsen. Gartner found that over 40% of employees acquired, modified, or created technology outside of IT s visibility in 2022. The firm expects that number to climb to 75% by 2027. Meanwhile, Capterra s 2023 shadow IT and project management survey found that nearly 60% of small and midsize businesses have had high-impact shadow IT programs occurring outside of their IT departments. A fully functional IT asset management system can identify shadow IT and become a valuable tool in reducing cyber-vulnerabilities.
Click here to read more

Microsoft Patches Critical Windows Vulns, Warn of Code Execution Risks

Microsoft s security response team recently issued a massive number of software updates to address major security gaps in the Windows operating system and software components. The updates cover at least 70 documented vulnerabilities affecting the Windows ecosystem, including six critical issues that expose users to dangerous code execution attacks. Microsoft noted that none of the vulnerabilities have been publicly discussed or exploited in the wild. Network administrators are being urged to pay special attention to a trio of highly critical bugs in Windows Pragmatic General Multicast. All three Windows Pragmatic General Multicast (PGM) vulnerabilities carry a CVSS severity score of 9.8/10. They can be exploited by a remote unauthenticated attacker to execute code on an affected system. IT managers can use their It asset management tools to identify unpatched or vulnerable systems.
Click here to read more

Patch Tuesday: Critical Flaws in Adobe Commerce Software

Adobe recently shipped patches for critical flaws in multiple products. These included several issues that expose Adobe Commerce users to code execution attacks. Adobe documented at a number of security problems in the widely deployed Adobe Commerce (formerly Magento) product. The company warned that successful exploitation could lead to arbitrary code execution, security feature bypass and arbitrary file system read. Adobe also noted that the Magento Open Source product is vulnerable to the documented issues. Fixes for four documented bugs that could lead to exploits targeting the Adobe Experience Manager software were also included. Adobe said in a separate advisory that These updates resolve vulnerabilities rated important and moderate. Successful exploitation of these vulnerabilities could result in arbitrary code execution and security feature bypass. IT asset managers can use their ITAM systems to identify unpatched systems.
Click here to read more

SaaS Sprawl Muddies Software Contracts, Risks Compliance Gaps

According to a recent ITAM report published by Flexera the broad move to cloud-based software has made the process of managing enterprise IT assets more complex. As cloud solutions proliferate, IT asset managers are struggling to track of all the corporation s software assets. Less than fifty percent of the IT asset managers surveyed by Flexera reported they could accurately track usage, rightsize contracts and control cost. Although the number of vendor audits didn t increase year over year, IT asset managers are examining the fine print of cloud-based software contracts. Brian Adler, senior director of cloud market strategy at Flexera, noted that The more complex the licensing scheme, the more likely you re going to have noncompliance problems. An IT asset management tool that can manage and track SaaS applications can make identifying those assets significantly easier.
Click here to read more

Industry News - May 2023

If Your Cloud Mix Isn t Working, Tweak The Recipe

Currently, many organizations are reexamining their cloud usage and the costs associated with it. According to IDC estimates over 60% of organizations are spending more on cloud than initially budgeted. Widespread adoption of cloud-based collaboration platforms often resulted in a multicloud by default approach without a clear strategy to support workload needs. Now, Organizations are looking at to optimize their existing resources, enable greater visibility into cloud-based resources and control spend. A well-thought-out cloud strategy will assist in maximizing resources, optimizing operations and driving innovation. A coherent cloud strategy involves assessing the current IT infrastructure, identifying which applications to move to the cloud and determining the best migration strategy. A comprehensive IT asset management tool with cloud management capabilities can be a key tool on optimizing cloud budgets and implementations.
Click here to read more

Desk Workers Use Nearly Twice As Many Apps As They Did In 2019, Gartner Finds

It is axiomatic that the right digital tools enable employees to be more efficient, an excess of systems can lead to data gridlock. Tori Paulman, senior director analyst at Gartner, noted that Digital workplace leaders need to create a process for their employees that enables them to agree on applications they use to accomplish work. Employees feel the impact of an expanding catalog of digital tools. To complicate matters, mixed in the field of enterprise apps is shadow IT, which, according to a Zylo report, comprises over 30% of enterprise applications fall in this category. A robust IT asset management solution can help CIO s better manage their deployed software and standardize on applications.
Click here to read more

How To Reduce Tech Bloat in The Enterprise

As so many enterprises operate globally, technology bloat has become not only a burden to most CIOs and CISOs, but a significant security risk. The sheer number of applications makes governance nearly impossible and can also be a significant drain on the IT budget. Eliminating redundant technology is the obvious first tactic, but the mistake many too many tech leaders implement a one-time app-consolidation effort but do not follow-up. Software bloat creeps back in, and at some time organizations end up with too many apps and a lack of centralized governance around them. An IT asset management solution can help identify excess software licenses, redundant software and shadow technology, thus helping to optimize spending.
Click here to read more

Microsoft Patch Tuesday: 40 Vulnerabilities, 2 Zero-Days

Microsoft s recent patches and updates address the elevation of privilege and remote code execution bugs, information disclosure vulnerabilities, along with denial-of-service, and security feature bypass flaws. In addition to the 40 Microsoft-specific vulnerabilities, the release notes address nine Chrome security defects that the tech giant is now addressing. Some of the important vulnerabilities patched inn these updates include remote code execution flaws in Windows Network File System (CVE-2023-24941), Windows Pragmatic General Multicast (CVE-2023-24943), and Windows OLE (CVE-2023-29325). The tech giant also resolved CVE-2023-24955, a remote code execution flaw in SharePoint Server. An IT asset management tool can help identify unpatched and thus vulnerable systems.
Click here to read more

Industry News - Apr 2023

PC Demand Keeps Falling As Enterprises Defer New Orders

The surge in demand for laptops and workstations that was driven by the pandemic subsided lain 2022. Business leaders cut back purchases amidst the threat of recession, persistent inflation, rising interest rates and low levels of unemployment. During the first three months of the year shipments were noticeably lower than the number of units shipped during the same period in 2019 and in Q1 2018. Gartner now expects total IT spend to reach $4.6 trillion in 2023, a year-over-year increase of just over five percent. However, segment that includes PCs and laptops is forecast to contract by nearly 5% in 2023. IDC doesn t expect the market to rebound fully until 2024. By then many aging devices will be due for a refresh. That said, if concerns of a recession spill over into next year, recovery might be slower than expected. As the age of the infrastructure increases, it is more critical than ever for IT professionals to have a full understanding of what devices and software versions are deployed. A robust IT asset management is a key tool in achieving that goal.
Click here to read more

Shadow IT Accounts for More Than One-Third of Enterprise Apps: Report

In addition, the report shows that over half of SaaS purchases are not properly categorized as software within expense platforms. According to Brian Adler, senior director of cloud market strategy at Flexera, wasted budget generally comes from oversubscription, unused subscriptions or over-purchasing software. Adler said There s been a lot of attrition, particularly in the tech industry lately, and oftentimes these SaaS subscriptions are associated with seats or a particular person. When that person leaves, if you don t have good onboarding and offboarding processes in place, these seats can linger and go unused. An IT asset management solution that can manage SaaS applications and reconcile usage can greatly improve software spend efficiency.
Click here to read more

Google Patches Second Chrome Zero-Day Vulnerability of 2023

The latest Chrome update includes eight security fixes, five which address vulnerabilities reported by external researchers. The Google patches underscore the need for IT professionals to regularly install software patches and utilize their IT asset management solutions to identify unpatched devices.
Click here to read more

Microsoft Patches Another Already-Exploited Windows Zero-Day

Microsoft is currently pushing out urgent patches to deal with an already-exploited vulnerability in its Windows operating system. The zero-day vulnerability is described as an elevation of privilege issue in the Windows Common Log File System driver. In an advisory Microsoft warns users that an attacker who successfully exploits this vulnerability could gain SYSTEM privileges. The latest zero-day warning is part of a Patch Tuesday that includes fixes for at least 98 documented vulnerabilities across the Windows ecosystem. It comes exactly a month after Redmond confirmed a major no-interaction Outlook vulnerability exploited by Russian hackers. System administrators can use their IT asset management to identify vulnerable and unpatched devices.
Click here to read more

Apple Rolls Out Zero-Day Patches to Older iOS, macOS Devices

Apple recently released updates for older versions of its iOS and macOS operating systems to patch newly identified zero-day vulnerabilities. Apple informed customers that iOS and iPadOS 16.4.1 and macOS Ventura 13.3.1 patch CVE-2023-28206 and CVE-2023-28205, two zero-day vulnerabilities that can be exploited for arbitrary code execution. CVE-2023-28206 impacts the IOSurfaceAccelerator component. It can allow a malicious application to execute code with kernel privileges. CVE-2023-28205 affects WebKit and it can be exploited by directing the targeted user to a malicious website. Apple has released iOS and iPadOS 15.7.5 to patch the vulnerabilities in iPhone 6s, iPhone 7, iPhone SE and older iPads. It also released macOS Monterey and Big Sur updates to fix CVE-2023-28206. Users should apply the patches as soon as possible and IT managers should use their IT asset management tools to identify vulnerable devices.
Click here to read more

Microsoft Exchange Server 2013 Reaches End of Support

The tech giant has provided detailed instructions for users who have yet to migrate to Exchange 2019 or Exchange Online. It s important that organizations stop using Exchange 2013 as the product has often been targeted in cyber-attacks. An IT asset management tool can herp identify vulnerable systems.
Click here to read more

1 in 5 Connected Medical Devices Run On Unsupported Operating Systems

Information from a recent study conducted by Armis, an asset visibility and security company indicated that 20% of all connected medical devices run on and unsupported operating system. In its research, Armis analyzed data collected by its Asset Intelligence and Security Platform, which tracks more than 3 billion assets. Outdated operating systems remain a top medical device security challenge. Healthcare organizations continue to rely on legacy devices due to the longevity and cost of medical equipment. As old Windows versions go out of support and the devices on which they are running do not b receive security updates and patched. For example, over 30% of medication dispensing systems run on unsupported versions of Windows. Healthcare IT professionals can benefit from information provided by their IT asset management solutions to identify obsolete software and operating systems.
Click here to read more

Industry News - Mar 2023

Two Patch Tuesday Flaws You Should Fix Right Now

Microsoft recently released its monthly security bulletin, which covered patches for over 80 vulnerabilities across multiple products. That said, two products had previously been used by attackers prior to the release of the patches. One vulnerability affects all supported versions of Outlook for Windows. It enables attackers to steal Net-NTLMv2 hashes and consequently use them in NTLM (New Technology LAN Manager) and relay attacks against other systems. The other vulnerability allows attackers to bypass Microsoft SmartScreen, that performs checks on files downloaded from the internet through browsers. IT managers can utilize their IT asset management tools to identify unpatched and vulnerable systems, helping to avoid attacks.
Click here to read more

Unpatched Old Vulnerabilities Continue To Be Exploited: Report

The top five exploited vulnerabilities in 2022 include high-severity flaws in Microsoft Exchange, Zoho ManageEngine, and Fortinet, Citrix and Pulse Secure virtual private network solutions. The Tenable report indicated that four most exploited vulnerabilities in 2022 were Log4Shell, Follina, Atlassian Confluence Server and Data Center flaw, and ProxyShell. CIOs can identify un patched systems using their IT asset management solutions.
Click here to read more

Research Shows Two-Thirds Of Orgs Have Had Breaches Caused By Remote Working

The adoption of work-from-anywhere has introduced new security risks. Fortinet s research shows that over 60% of companies had a data breach that could at least partially be attributes to work-from-anywhere employee vulnerabilities. These breaches highlight that remote working exposes threats that are being actively exploited by threat actors to access sensitive information. Securing decentralized working environments is complicated because organizations have limited visibility of user s home environments, branch offices and off-site locations. This makes asset ownership unclear, masking it difficult to enforce zero trust access controls and deploy patches to devices. An IT asset management tool that discovers and inventories remote devices connected to the network can be an invaluable asset in managing remote devices.
Click here to read more

Industry News - Feb 2023

Businesses Are Wasting Millions On Unused Software Licenses

New research has uncovered information indicating that businesses are wasting millions of dollars annually on unused software licenses. Nexthink surveyed six million customers across nine industries in 12 regions. The research examined the usage of over 30 popular software tools and uncovered that 5halfof all licenses were not being used. The cost for the unused licenses alone was calculated to be putting a $45 million drain on the companies each single month. That figure equates to nearly $53o million worth of cumulative wasted software budget annually. To reduce the huge unnecessary expenditures, Nexthink stated that companies should conduct software regular usage audits which can identify unused software and may help them negotiate more favorable contracts and terms in the future. An IT asset management solution is a key tool in identifying unused software.
Click here to read more

3 PC Giants Saw Purchasing Plummet Last Year

According to Gartner s analysis, worldwide PC shipments dropped by almost 30 percent in the last three months of 2022, as compared to the last quarter of 2021. That was the largest quarterly decline since the mid-1990s. Corporate demand fell during the previous quarter as well. PC shipments fell to just below 290 million units in 2022, comparted to 340 million units in 2021. Anticipation of a recession, high inflation and increasing interest rates impacted consumer and enterprise demand. CIO s not replacing aging units can use the information from their IT asset management toolset to insure that existing systems are up-to-date and do not constitute security vulnerabilities.
Click here to read more

'New Class of Bugs' in Apple Devices Opens the Door to Complete Takeover

Apple users should update their system software, as the newest versions include fixes for the vulnerabilities so described. That doesn't mean, however, that vulnerabilities of this kind won't pop up again. Using an IT asset management tool can help IT professionals to identify unprotected devices.
Click here to read more

CIO Role: 6 Ways to Do More with Less

Many enterprises retain obsolete applications long beyond their useful lifecycle. Often this is done because they need to retain access to key historical data, or the lack an understanding interdependencies with other systems. Finding a way to retire these systems is well worth the effort. Retiring legacy systems frees up maintenance and support budget which can then be reallocated to more productive uses. Analysts expect price rises for IT hardware and software to persist for the next two years. CIOs will be looking for ways to rein in spending on upgrades and replacements. One option is to extend the refresh cycles for end-user and data center hardware. The average replacement cycle for hardware is 3 to 5 years. IT departments can generate budget savings by extending the use of current equipment another year or more, provided the hardware remains fit for purpose and meets all security requirements. However, using old hardware for too long could also mean more frequent downtime due to reliability issues resulting in increased support costs. The data generated by an IT asset management toolset can provide key information to assist in decision-making.
Click here to read more

Patch Tuesday: Microsoft Warns of Exploited Windows Zero-Days

Microsoft s issued software updates to fix at least 76 vulnerabilities in Windows and OS components. The software giant is warning that some of the bugs have already been exploited in the wild. Microsoft posted critical-severity ratings on seven of the 76 bulletins. It warned users that these issues could result in remote code execution attacks targeting Microsoft Word, Visual Studio and the Windows iSCSI Discovery Service. The company also distributed important-severity updates for Microsoft Defender, Microsoft Exchange Server, Microsoft Dynamics, 3D Builder, Sharepoint and Microsoft SQL Server. IT managers can utilize the information from their IT asset management tools to identify vulnerable and unpatched systems.
Click here to read more

Adobe Plugs Critical Security Holes in Illustrator, After Effects Software

Adobe recently released security fixes for numerous vulnerabilities that expose Windows and macOS users to malicious hacker attacks. According to Adobe the Illustrator and After Effects patches carry critical-severity ratings because of the risk of code execution attacks. Another critical bulletin was released to cover documented Adobe After Effects vulnerabilities that also expose Windows and macOS users to code execution attacks. Adobe said in a bulletin that This update addresses critical security vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user. Once again, IT asset management solutions can be key tools in identifying vulnerable unpatched systems.
Click here to read more

Industry News - Jan 2023

Tips for Health Systems on Managing Legacy Systems to Strengthen Security

only 9 percent of healthcare organizations have prioritized the removal of legacy systems as part of their overall cybersecurity strategy. A full featured IT asset management solution can assist medical IT professionals in pinpointing obsolete and vulnerable legacy systems.
Click here to read more

Older Apps Could Be Putting Your Smartphone At Risk Here s Why

Although reminders to update your apps may be annoying, users and IT professionals should install any updates when they become available. This practice will help to avoid successful cyberattacks that exploit any security flaws they may have. An IT asset management solution that can discover and inventory mobile devices is an indispensable tool in keeping devises updated.
Click here to read more

Microsoft Patch Tuesday: 97 Windows Vulns, 1 Exploited Zero-Day

On the same day tyhe Microsoft patches were released Adobe sent out patchers for just under 30 security vulnerabilities in a range of enterprise-facing products. The most prominent update addresses critical-severity flaws in the Adobe Acrobat and Reader software that expose Windows and macOS users to code execution attacks. IT professionals can utilize their IT asset management tools to identify unpatched and vulnerable systems.
Click here to read more

Windows 7 Extended Security Updates, Windows 8.1 Reach End of Support

On January 10, 2023, Microsioft ended support for Windows 7 Extended Security Updates (ESU) and Windows 8.1. Windows 7 reached end of life on January 14, 2020. However, Microsoft provided customers the option to continue receiving important security updates through its ESU program. ESUs will no longer be available for purchase after January 10, 2023. Windows 8.1 support also ended January 10, 2023,. Computers with this version of Windows will continue to function, but will no longer receive technical support, software updates and, importantly, security updates or patches. Microsoft will not be offering an ESU program for Windows 8.1. Microsoft warned users that Continuing to use Windows 8.1 after January 10, 2023 may increase an organization s exposure to security risks or impact its ability to meet compliance obligations. System administrators can utilize the information from their IT asset management tools to identify systems running obsolete software.
Click here to read more

Android's First Security Updates for 2023 Patch 60 Vulnerabilities

Eleven elevation of privilege bugs were resolved in the Framework component, along with three denial-of-service (DoS) vulnerabilities. Five other elevation of privilege vulnerabilities were addressed in the System component. The second part of this month s security update addresses over 40vulnerabilities in Kernel and third-party components. An IT asset management solution that discovers and inventories mobile devices is a key tool in identifying vulnerable devices.
Click here to read more

Microsoft Urges Customers to Patch Exchange Servers

Microsoft recently reminded its customers of the continuous wave of attacks targeting Exchange server. The company urged them to install the latest available cumulative update (CU) and a security updates (SU) that are available for Exchange as soon as possible. Microsoft noted that, Attackers looking to exploit unpatched Exchange servers are not going to go away. There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts. Attackers not only after the sensitive information that user mailboxes but are also looking to access the copy of the company address book stored on the Exchange server. Microsoft also noted that, Exchange has deep hooks into and permissions within Active Directory, and in a hybrid environment, access to the connected cloud environment. A robust IT asset management solution is a vital tool in identifying vulnerable or unpatched systems.
Click here to read more

Lexmark Security Bug Leaves Thousands Of Its Printers Open To Attack

Following the publication of a proof-of-concept exploit which permits remote code execution, Lexmark has advised its customers to update their printer s firmware. The exploit enables attackers access to print job queues, reveal Wi-Fi network credentials, and grant access to other devices on the user s network. Lexmark wrote in a security advisory (click to read) that while there is no evidence that the exploit is being widely used, over 100 printer models are at risk of compromise if they remain unpatched. Users can utilize the information from their IT asset management solution to identify unpatched or vulnerable models on their networks.
Click here to read more

Industry News - Apr 2022

Cost Management Woes Continue for Cloud Adopters: Report

According to Foundry s 2022 Cloud Computing Survey controlling costs is the top challenge for over 35 percent of cloud adopters, The survey found that companies plan to devote over 30 percent of IT budget toward cloud in the next 12 months. However, decentralized IT and multicloud strategies create cost challenges. Too often firms using decentralized IT and multicloud strategies struggle to determine how specific departments or developers utilize the cloud resources. A cloud oversight and governance structure is important a multicloud environment, as companie must be aware of the resources available to optimize costs. An IT asset management software application designed to discover and report on cloud assets can be a useful tool to control cloud costs and utilization.
Click here to read more

2 Years Later: Enterprise Hardware Shifts Are Here to Stay

In the time since the initial response to the pandemic, hardware purchasing trends at the enterprise level have changes. Companies needed to ensure that they did not neglect their hardware needs. Today many are moving purchasing away from fixed assets such as desktop PCs in favor of more mobile gadgets. adjusting their provider strategy to match their needs. Analysts expect that the changes will become permanent. In some cases, companies provided employees with stipends to purchase the equipment they needed for remote work they need on their own. This approach took the burden of buying, and shipping everything to their newly minted work-from-home workforce away from the IT department. An IT asset management tool that can discover and inventory a wide range of assets in a distributed environment can help the IT department into manage and support remote equipment and software.
Click here to read more

Five Key Considerations for Improving IT Supply Chain Security

Many organizations do not maintain a comprehensive and current inventory of products, capabilities and services obtained from third-party IT providers. With the prevalence of cloud services, open-source software and multitiered service providers, organizations can easily lose track of what equipment, software and services have been acquired from various vendors. It is critical for an organization to be able toto identify the applications, services, solutions, infrastructure and data they rely on for day-to-day operations. A configuration management database (CMDB) is often the ideal repository for the storage of technical details of all third-party IT products and capabilities operating within the organization. IT personnel can then use the CMDB to identify if and where an organization is vulnerable to an exposure if third-party vulnerabilities are made evident. The CMDB should also include dependency data on the business processes with which the products and services interact. This information will enable the organization to make any risk-based decisions regarding protective and remedial actions needed to mitigate the risk posed by identified vulnerabilities.
Click here to read more

NIST Highlights Enterprise Patch Management in Latest Guidance

The National Institute of Standards and Technology s (NIST) National Cybersecurity Center of Excellence (NCCoE) recently issued its final guidance regarding enterprise software patch management. The guidance is intended to assist organizations to prevent vulnerabilities and exploitation within their IT systems. The two publications (SP-800-40 - a guide to enterprise patch management planning and SP 1800-31 - cases and approaches for improving enterprise patching practices) focused on the need to prioritize patching and preventive maintenance as a means to prevent data breaches and disruptions within the IT infrastructure. The documents make it clear that unpatched devices and systems are easy network entry points for cybercriminals. Patching may become problematic as organizations may not know how many devices are on their networks at any given time. A fully functional IT asset management solution can provide detailed information on all installed devices, software and their patch status.
Click here to read more

Organizations Warned of Attacks Exploiting Recently Patched Windows Vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) reported that a newly patched Windows Print Spooler vulnerability has been exploited in attacks. The vulnerability, which is tracked as CVE-2022-22718, was addressed by Microsoft with its February 2022 Patch Tuesday update. However, according to Microsoft, CVE-2022-22718 can be exploited by a local attacker to escalate privileges without t any user interaction. CISA noted that the vulnerability to its Known Exploited Vulnerabilities Catalog, which includes almost 650 exploited flaws. CISA advises all organizations to prioritize the patching of the vulnerabilities included in this catalog. Many IT professionals consider CISA s catalog to be a Must Patch list. An IT asset management solution can provide IT management with detailed information on the patch status of each device in the network.
Click here to read more

Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA

According to tracking data from Zero Day Initiative (ZDI), Microsoft patched 128 new Windows vulnerabilities in April of this year. The April patches cover serious vulnerabilities in Microsoft Defender, Microsoft Dynamics, Exchange Server, Microsoft Office, SharePoint Server, Windows Hyper-V, DNS Server, Windows App Store, and Windows Print Spooler Components. ZDI researchers are urging Windows administrators to prioritize the zero-day update along with a handful of critical bugs that could result in worm attacks. These include CVE-2022-26809 (CVSS 9.8), a vulnerability that can enable an attacker to execute code at high privileges on an affected system. An IT asset management solution can provide IT management with detailed information on unpatched or vulnerable systems.
Click here to read more

Industry News - Mar 2022

Shadow IT Is Evolving as Businesses Sanction More Apps

According to Gartner, with the growth of Software-as-a service (SaaS), shadow IT in the traditional sense, is on the decline. This trend has because IT has either sanctioned a group of useful SaaS tools that it does not provide directly, or business units are requesting IT's clearance to use a new service. Lane Severson, senior research director at Gartner, noted that "It's clear that we are moving away from shadow IT in the classic sense and moving into the era of business-led IT where workers are making decisions about what apps they want to use to get their job done. But they are working with IT to make sure those apps are sanctioned. They aren't just buying random cloud applications and expensing them as much as they were pre-COVID[-19]." Rob Zahn, CIO at AAA of Ohio concurred, stating that The idea of business-led IT has some validity to it. During the pandemic, everyone was asking for IT's help. Because of that, the incidents of people using unsanctioned apps actually went down in his organization
Click here to read more

CIOs Tout Guardrails as Prevention For Shadow IT Woes

Business unit technology acquisition frees CIOs from technology minutiae, creating more time to focus on strategy. However, compliance gaps and security and vulnerability concerns persist. Sheila Jordan, chief digital technology officer at Honeywell, noted that every SaaS software application the business unit acquires can have implications for the business if no one oversees the data flow. One approach is to place guardrails around the use of technology, prioritizing the key priorities credo while protecting the company's assets. Successful shadow IT deployments operate in an environment with centralized governance. Business unit technology acquisitions are inevitable, but technology leaders can use governance to reduce risk. On effective governance tool is a fully functional IT asset management tool, which can identify unauthorized ort on-standard software acquisitions.
Click here to read more

7 Old Attack Vectors Cybercriminals Still Use

Targeting old, identified vulnerabilities is a common practice used by attackers. Known vulnerabilities can be exploited for years if they are not patched, Forrester analyst Allie Mellen noted that, A classic example of this is the exploit EternalBlue. Despite patches being released for the vulnerability in March of 2017, the exploit was used in May of 2017 by the WannaCry ransomware, then again in June of 2017 in the NotPetya cyberattack. This is why patching systems quickly and effectively is so important. Ryan Linder, risk and vulnerability engineer at Censys said that the exploit affects the Server Message Block (SMB) protocol. Today there remain over 200,000 systems exposed to the internet which support SMBv1 (created in 1983). Too many companies fail to keep their software up to date, leaving them vulnerable to critical exploits. and even when exploits are disclosed publicly, many still fail to patch their systems. An IT asset management solution is an effective tool to identify unpatched and vulnerable systems.
Click here to read more

CISA Adds 14 Windows Vulnerabilities to 'Must-Patch' List

The US Cybersecurity and Infrastructure Security Agency (CISA) recently added 15 vulnerabilities to its Known Exploited Vulnerabilities Catalog. Since November 2021 over 500 security flaws have been added to the Must-Patch list. The recently added flaws are older issues, some of which have been patched for more than half a decade. One new addition affects SonicWall SonicOS and 14 are Microsoft Windows vulnerabilities. CISA is requesting that federal agencies to address the newly flagged security defects by April 5. CISA created the Known Exploited Vulnerabilities Catalog to assist federal agencies manage their vulnerabilities. All organizations are advised to review the list and address the identified flaws as soon as possible. A fully features IT asset management tool could help government agencies to identify unpatched or vulnerable systems.
Click here to read more

Apple Patch Day: Gaping Security Holes in iOS, macOS, iPadOS

Apple also released software updates to address security vulnerabilities in macOS (Catalina, Big Sur, Monterey), tvOS, WatchOS, iTunes and Xcode. At least five of the iOS/iPad vulnerabilities could lead to remote code execution attacks. An iPhone user would need to open a malicious PDF file or view malicious web content to enable the attack. According to Apple, the newest iOS 15.4 and iPadOS 15.4 address multiple memory safety issues in several OS components. IT p[professionals can utilize their IT asset management tools to identify unpatched systems.
Click here to read more

Adobe Patches 'Critical' Security Flaws in Illustrator, After Effects

Adobe recently shipped urgent security updates to fix code execution vulnerabilities in its Illustrator and After Effects products. The patches address several arbitrary code execution and memory leak vulnerabilities that could expose data to hacker attacks. Adobe rated the Illustrator flaw as critical with a CVSS base score of 7.8. The company described the bug as a buffer overflow affecting Illustrator 2022 version 26.0.3on both Windows and macOS machines. Adobe is strongly urging users to upgrade to Illustrator 2022 version 26.1.0. An IT asset management solution can assist IT professionals in identifying vulnerable and unpatched systems.
Click here to read more

Vulnerability Management: Addressing Your Weaknesses Before They Can Be Exploited

A robust IT asset management solution can assist in identifying vulnerabilities within the network.
Click here to read more

Western Digital App Bug Gives Elevated Privileges in Windows, MacOs

Western Digital's recently issued an advisory that its EdgeRover desktop app for Windows and Mac is vulnerable to local privilege escalation and sandboxing escape bugs. That vulnerability could allow access to and disclosure of sensitive information. EdgeRover is a centralized content management solution for Western Digital and SanDisk products. It us used to unify multiple digital storage devices under a single management interface. Considering the wide use opf of Western Digital s products, it is likely that there are likely a significant number of systems using EdgeRover. The vulnerability, tracked as CVE-2022-22998, and has has been given a CVSS v3 severity rating of 9.1; making it a critical flaw. Western Digital is advising its customers to update their EdgeRover desktop applications to version 1.5.1-594 or later. These versions were recently released last week to resolve the vulnerabilities. IT managers can use their IT asset management tools to identify vulnerable systems.
Click here to read more

Short-Term Defense Strategies Against Russian Cyberaggression

To companies that haven t prioritized cybersecurity, one wonders whether frequent alerts from the government may go unnoticed. But what if the overall level of cyberaggression does spike so such that businesses must address the issue pay? When the intrusion alarms go off, advice about running cybersecurity drills, installing new security tools and encrypting data will be no help. A panel experts made a list of cybersecurity preventative actions a business could reasonably complete in about five business days. Matt Gyde, chairman and CEO of Foresite noted that Patching is the single most important security process an organization can do to drastically improve their security posture. Threat actors are lazy, so they go for the easiest approach. If a threat actor knows that your front door is unlocked [you have a clear vulnerability]. Gyde continued to say that Besides aggressively patching all systems in the environment, the best thing to do is to have robust monitoring of the environment. You cannot defend what you cannot see, and every organization has black holes of rogue IT within them. Every asset must be monitored. A robust IT asset management solution can easily identify unpatched systems and inventory every device and software application on the network
Click here to read more

Industry News - Feb 2022

Culture, Technical Barriers Hinder IT Asset Management

IT asset management (ITAM) has been a challenge CIOs and CFOs for some time. With the technology available today, tracking IT assets should not be difficult. Device discovery, network monitoring and cybersecurity tools can report when a device connects or disconnects from a network. Software asset management can report the total number of licenses in use and the number if licenses that are paid for. Automated asset discovery tools can scan for equipment not owner by IT. All of these processes are made that much easier since every purchase should go through procurement or the accounting department. And, if a CIO lacks the in-house resources, most of these services can be obtained through a managed service provider. ITAM can become a valuable tool in managing the IT infrastructure and controlling overall IT costs.
Click here to read more

Interoperability A Long Way Off as Enterprises Target Multicloud

Multicloud computing environments are becoming the standard enterprise computing strategy. Over thirty percent of IT managers operate in a multicloud framework. That number is expected to exceed 60% within three years according to a Nutanix-sponsored Vanson Bourne survey. Multi-cloud deployment is even more widespread in large enterprises. Over fifty percent of large organizations use multicloud, and that is expected to grow to 80% within three years. The critical challenge facing companies is navigating a tech stack where interoperability is very difficult to achieve. Clouds remain segmented and businesses have few tools or strategies to effectively navigate the complexity. Firms can, however, adopt an IT asset management solution that can help manage various cloud solutions and identify potential waste and overlap in a multi-cloud environment.
Click here to read more

More Line of Business Leaders Drive Tech Buying

IT remains involved in the process for sign-off on cybersecurity, data privacy or regulatory issues. However, rogue IT is still a major issue. IT leaders can utilize their IT asset management software to identify independently acquired software that could be injurious to the network or cause compatibility problems.
Click here to read more

Shadow IT Is Evolving as Businesses Sanction More Apps

IT departments were unprepared to support thousands of remote employees after Covid-19 forced workers out of the office. However, with nearly everyone working from home (WFH) the tools employees relied on were not as effective when accessed from outside the corporate network. Consequently, WFH employees sourced the needed software themselves. However, according to Gartner, shadow IT, in the traditional sense, is on the decline. In many cases IT has either sanctioned a wide array of useful SaaS tools for individual or departmental use, or the business units are asking IT's permission to use a new service. Lane Severson, senior research director at Gartner noted that "It's clear that we are moving away from shadow IT in the classic sense and moving into the era of business-led IT where workers are making decisions about what apps they want to use to get their job done. But they are working with IT to make sure those apps are sanctioned. They aren't just buying random cloud applications and expensing them as much as they were pre-COVID-19." IT asset management tools are an effective way for IT to monitor exactly what is running on the network, both for on-premises and remote workers.
Click here to read more

CISA Warns About 15 Actively Exploited Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has included 15 additional vulnerabilities to its catalog of flaws that are actively exploited by hackers in the wild. Some date back to 2014. However, but two are in Windows components from the past two years. The agency noted in its advisory that "These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise." The CISA Known Exploited Vulnerabilities Catalog is updated regularly based on real world attacks. Each vulnerability receives a deadline by which federal agencies must patch it on their systems. CIOs can use the IT asset management solution to identify systems that continue to have unpatched vulnerabilities identified by CISA.
Click here to read more

Unpatched Vulnerabilities Remain Primary Ransomware Attack Vector

A recent report by Ivanti ,working with Cyware and Cyber Security Works, determined that cyber-criminals continually leverage unpatched vulnerabilities as their main ransomware attack vector,. Researchers discovered 65 new vulnerabilities associated with ransomware in 2021. This number was nearly a 30% growth compared to 2020. More than a third of those new vulnerabilities were being actively searched for on the internet. This fact further empasizes the need to prioritize patching. The report noted that Unpatched vulnerabilities are the main attack vectors that ransomware groups exploit to gain entry into vulnerable networks. However, our research also identified ransomware groups expanding their focus to not just single unpatched instances but to combinations of vulnerabilities, vulnerable third-party applications, technology protocols, and even insider recruiting as a means to take that first step in launching an attack. IT asset management solutions are a first line of defense in identifying vulnerable systems and software.
Click here to read more

Microsoft Patches for 51 Windows Security Defects

Microsoft also issued a patch an Office for Mac security vulnerability that enables exploitation via the Preview Pane to expose sensitive user data. IT managers can identify unpatched systems using their It asset management tools.
Click here to read more

Integrating New Vulnerability Management Capabilities Into A Comprehensive Cybersecurity Strategy

FCVM overlaps with other capabilities such as digital risk protection services (DRPS) and IT asset management (ITAM). FCVM includes software and processes, including cloud agents, active scanner capability and network analysis that are designed to automatically discover all infrastructure assets without the need for human intervention. On-premises assets, remote assets, cloud and mobile assets should be discoverable. FCM also includes virtual scanning technology to actively locate assets and vulnerabilities anywhere in the network environment. The system should also provide a cyber risk score to inform IT teams about the overall vulnerability of the network and prioritizes. An FCVM solution should also initiate a remediation processes and provide automatic follow-up enabling IT and security teams to know which critical vulnerability will be patched.
Click here to read more

BLS: More Than One-Third of Employers Embraced Telework Due To The Pandemic

According to a recent U.S. Bureau of Labor Statistics (BLS) report, since the start of the pandemic more than 30% of private-sector employers increased telework for some or all employees. The study included data from over 80,000 private-sector employers between July of2 021, and September of 2021. In addition, 25% of private-sector employers offered flexible or work hours. Over the past 2 years, many reports indicated that remote and hybrid work would be become a more permanent model for many employees. The BLS confirms that observation. The BLS survey showed that employers that increased telework, 60% and they expect it to be a permanent change. The move to remote work further underscores the need for IT asset management tools that can identify devices and software in corporate and distributed networks.
Click here to read more

Industry News - Jan 2022

5 Trends Shaping Enterprise SaaS Use In 2022

Software-as-a-Service (SaaS) impacts how companies operate, from back-office operations to automated manufacturing processes. according to a report from Spiceworks Ziff Davis in 2022 productivity tools taking up the largest share of the overall software budgets. Prioritizing productivity is a broader trend in IT this year. The top goal for 2022 is improving day-to-day operations, and to use the best technologies and strategies are used to accomplish the goal. As a result, SaaS buying will continue to decentralize in 2022, redefining which groups are doing the buying and how the tools are acquired. This article outlines five trends that will shape enterprise SaaS use in 2022:
Click here to read more

Nearly One-Third of SaaS Spend Goes to Waste, Survey Says

According to Flexera's State of ITAM 2022 report, almost thirty percent of SaaS software spend is underutilized or wasted. The survey included 465 global IT professionals at companies with 1,000 or more employees. Companies also have difficulty managing desktop software. The report noted that employees estimated that over thirty percent of the company s spend in this category is either underutilized or wasted. Only one-third of surveyed IT asset management teams said that they currently SaaS usage, and almost half of respondents plan to start tracking SaaS usage. Most respondents noted that their main priority is responding to audits. Clearly, an IT asset management solution that can help manage cloud services, especially SaaS, will yield real benefits to the IT organization.
Click here to read more

Log4j Threats Expected to Play Out Well Into 2022

Security researchers are warning the impacts of the Log4j vulnerability will continue to leave organizations open to potential threats during the first months of 2022. Microsoft said in an updated blogpost that "Exploitation attempts and scanning remained high during the last weeks of December." Attackers have added additional exploits to existing malware kits and tactics, ranging from coin miners to hands-on-keyboard attacks. The Apache Software Foundation recently released version 2.17.1 of Log4j. It is the latest in a series of updates since the vulnerability was disclosed in December. The newly released fix addresses the risk of remote code execution when an attacker with certain permissions can create a malicious configuration using a JDBC Appender. The Log4j attacks underscore the need to patch on an ongoing basis and to use an It asset management solution to identify vulnerable systems,
Click here to read more

VMware Plugs Security Holes in Workstation, Fusion and ESXi

Tracked as CVE-2021-22045, the vulnerability exists in the CD-ROM device emulation function of Workstation, Fusion and ESXi. Disabling or disconnecting the CD-ROM/DVD devices on all running virtual machines should prevent any potential exploitation. CVE-2021-22045 affects ESXi 6.5, 6.7, and 7 versions, Workstation 16.x, and Fusion 12.x. VMware Cloud Foundation (ESXi) 4.x and 3.x are affected as well. IT managers can use their IT asset management tools to identify vulnerable and/or unpatched systems.
Click here to read more

Recognizing the Customer s Responsibility in a Shared Responsibility Model

Every industry, regardless of its size, is working to realize the benefits of the cloud. However, it is crucial to align the cloud strategy with the business goals and desired outcomes. From a security standpoint, it s also important to be aware of the regulatory and compliance requirements and how they can be achieved using cloud platforms. It is naive to believe that the cloud provider is entirely responsible for its customers security. Too many enterprises are failing to address how their employees use external applications, leaving them free to share huge amounts of proprietary information. A cloud providers Software as a Service (SaaS) model does not mean IT does not need a holistic program that covers people, processes, and technology. A fully functional IT asset management solution that helps manage cloud applications and vendors provides a good platform to fgain control over cloud assets.
Click here to read more

Push to Explain What Software Contains Gains Steam After Log4j Flaw

In order to secure their technology against cyber-criminals, firms must know what is inside their software. This was highlighted in 2021to secure it against hackers and prevent the type of upheaval seen at the end of 2021 when widely used Log4j software was found to have a serious security flaw. The lack of visibility into the components of corporate software has given rise to an old idea; developers must provide a complete inventory of what software components are built into their software packages That would include open-source components used by programmers during development. Many open-source projects are maintained by only a handful of developers generally aren t vetted by security teams. This combination opens a software system to attack. The U.S. Cybersecurity and Infrastructure Security Agency has promoted such a listing known as a software bill of materials (SBOM) as a means to better respond to new vulnerabilities.
Click here to read more

Critical, Wormable Microsoft Vulnerability Could Lead to Cyberattacks

One vulnerability, labeled CVE-2022-21907, is a remote code execution (RCE) flaw in the HTTP Protocol Stack. This vulnerability can be enabled in Windows server 2022, 20H2 core, along with Windows 10 and Windows 11 versions. The vulnerability is wormable, as it does not require human interaction to spread its attack surface. Microsoft recommends that organizations prioritize patching this vulnerability immediately. IT managers can utilize their IT asset management software to identify unpatched or vulnerable servers.
Click here to read more

Apple Patches 'Actively Exploited' iOS Security Flaw

Apple recently released an urgent iOS update with fixes for 11 documented security flaws. The company noted that one of the vulnerabilities may have been actively exploited. The CVE-2022-22587 flaw is a memory corruption issue that enables a malicious application to execute arbitrary code with kernel privileges. In addition, the iOS 15.3 patch repairs code execution flaws in ColorSync, kernel, and the WebKit rendering engine. IT managers can identify unpatched systems using their IT asset management tools.
Click here to read more
© xAssets 2023 All rights reserved.