Keep unexpected holiday security surprises to a minimum

Data from over 200 Pen Tests Shows Most Common Vulnerabilities. Learn more now.

unexpected holiday security surprisesThe chilly weather is setting in here in the northern hemisphere, and as we get ready for the holidays many of us are gathering round a cheery fire. But not everyone is enjoying the warmth of this experience.

It’s only a matter of time before we see more legislation around all types of data protection, company breach disclosures, and associated fines. The Equifax incidents started the fire and there is plenty of fuel to continue feeding the flames.

Last month Uber announced they were breached in 2016 and agreed to pay the hackers $100,000 to delete the data and keep the breach secret. In addition to rider data and the driver licenses of Uber employees, the names, email addresses and mobile phone numbers of 57 million Uber riders were taken. The EU Parliament approved the General Data Protection Regulation (GDPR) in April 2016 which will go into effect in May of next year. This regulation is designed to strengthen and unify data protection for all individuals within the European Union and it may not be long before the US introduces something similar.

The heat is always on our major vendors to analyze and release patches for vulnerabilities reported in their systems. This month Intel released patches to address 8 CVEs associated with its Management Engine, Trusted Execution Engine and Server Platform Services. These vulnerabilities affect millions of devices using Intel processors such as 6th, 7th and 8th Generation Intel Core processors and the chipmaker’s Xeon, Atom, Apollo Lake and Celeron processors. The full details can be found in Security Advisory INTEL-SA-00086.

The US CERT announced a potential weakness in Microsoft’s implementation of Address Space Layout Randomization (ASLR), which is used to protect against memory-based attacks. This was discovered in Windows 8, but is also present in Windows 8.1 and Windows 10. Microsoft stated ASLR is functioning properly and provides proper protection in its default configuration, but is investigating the issue.

Although it’s nice to share a fire with family and friends, you definitely want to keep things cool at work. As the holidays approach, you can be assured your employees will be online placing and checking final holiday gift orders, checking the weather for upcoming travel, and other associated activities.

It is an appropriate time to mix in your holiday announcements with security reminders about fishing attacks (don’t click on that email promising a big discount!) and malicious websites (does this look like a legitimate resale vendor?) to keep your employees aware of the security threats. Being proactive can help keep the unexpected holiday security surprises to a minimum.

December forecast:

  • We are expecting the usual Microsoft OS updates this month. This month will include a Flash release to cover those latest vulnerabilities.
  • Adobe will be releasing a new Flash update. They released their quarterly updates last Patch Tuesday, so we may not see anything new for Acrobat and Reader.
  • Google just released their latest Chrome patch on Wednesday, but you never know what might show up.