Don't Be the Next Equifax—Patch!
Tuesday, October 3, 2017 6:35 AM

Kevin Hood, CISA, IT Consultant, Credit Union Resources

By now we’ve all heard of the massive breach at Equifax that exposed personal data of more than 143 million people. But have you heard how it happened? In mid-May, attackers took advantage of a vulnerability in Apache Struts, a web application framework used by the company’s public-facing site.

Here’s the worst part: a patch for this vulnerability had been available since March. That makes the second time this year that a major incident occurred after a patch was already available. The WannaCry ransomware outbreak occurred in May, and the patch for the vulnerability it exploited had also been released in March.

I may sound like a broken record here, talking about the importance of patching; however, I still see a lot of lax patching procedures when I am performing information security risk assessments for credit unions. For those who have procedures in place, it is also very easy to become complacent and let those procedures slip.

Here are some quick tips for strong patching procedures:

Windows Updates
For smaller credit unions, ensure that Windows Automatic Updates are enabled on all of your workstations. This will automatically apply the security patches each month when they are released by Microsoft.

As an added layer, check all workstations on a monthly basis to confirm the updates were actually installed successfully; an update that failed or is still pending a reboot leaves the machine just as exposed. For larger credit unions in a domain environment, Microsoft offers Windows Server Update Services (WSUS), free of charge, which can manage the Microsoft updates for all workstations and servers on the network from a central server.

The WSUS system can also provide robust reporting on the patch level of all machines. There are other endpoint system management solutions, such as Dell KACE, Kaseya, or LabTech that can help automate the patch management program and even provide automated alerts for out-of-date software.
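The monthly check described above can be scripted rather than done by hand. The following PowerShell is an added example, not code from the original article or from Credit Union Resources; it assumes PowerShell remoting (WinRM) is enabled on the workstations and that the account running it is a local administrator on each of them. The workstation names and the 30-day threshold are constructed placeholders. For each machine it reads the most recent installed hotfix, asks the Windows Update Agent how many applicable updates are still not installed, and flags anything stale, pending, or unreachable:

```powershell
# Added example (not from the original article): monthly check that workstations
# actually installed their updates. Assumes WinRM remoting is enabled and the
# account running it is a local administrator on each workstation.
# Computer names below are constructed placeholders; adjust to your environment.
$Workstations = @('WS-TELLER01', 'WS-TELLER02', 'WS-LOANS01')
$MaxAgeDays   = 30   # anything older than one patch cycle deserves a look

$Report = foreach ($Computer in $Workstations) {
    try {
        # Most recent successfully installed hotfix (WMI Win32_QuickFixEngineering).
        # Some entries have no InstalledOn date, so those are filtered out first.
        $LastFix = Get-HotFix -ComputerName $Computer -ErrorAction Stop |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1

        # Updates Windows Update still considers missing, via the
        # Windows Update Agent COM API on the remote machine.
        $Pending = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            $Session  = New-Object -ComObject Microsoft.Update.Session
            $Searcher = $Session.CreateUpdateSearcher()
            $Result   = $Searcher.Search('IsInstalled=0 and IsHidden=0 and Type=''Software''')
            $Result.Updates.Count
        }

        $AgeDays = if ($LastFix) {
            (New-TimeSpan -Start $LastFix.InstalledOn -End (Get-Date)).Days
        } else { $null }

        [pscustomobject]@{
            Computer       = $Computer
            LastPatch      = $LastFix.HotFixID
            LastPatchDate  = $LastFix.InstalledOn
            DaysSincePatch = $AgeDays
            PendingUpdates = $Pending
            Status         = if ($null -eq $AgeDays -or $AgeDays -gt $MaxAgeDays -or $Pending -gt 0) { 'REVIEW' } else { 'OK' }
        }
    }
    catch {
        # An unreachable host is a finding too: you cannot confirm it is patched.
        [pscustomobject]@{
            Computer       = $Computer
            LastPatch      = $null
            LastPatchDate  = $null
            DaysSincePatch = $null
            PendingUpdates = $null
            Status         = "UNREACHABLE: $($_.Exception.Message)"
        }
    }
}

# Show problem machines first, then keep a dated copy as evidence for the monthly review.
$Report | Sort-Object Status -Descending | Format-Table -AutoSize
$Report | Export-Csv -Path ".\PatchStatus-$(Get-Date -Format yyyy-MM).csv" -NoTypeInformation
```

Run it once a month and keep the CSV; the exported file is the kind of artifact an examiner will ask for when reviewing your patch management program. If you use WSUS, its own compliance reports cover the same ground, but a check like this confirms what the endpoints themselves report rather than what the server believes it pushed.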

Other Software Updates
It may seem like you are constantly getting the annoying popup in your system tray for Java and Adobe updates, but it's important not to ignore these, especially when a critical patch is released.

Adobe Reader and Acrobat now offer automatic updates, which are recommended. Java allows you to set up automatic downloads of the updates and will notify you when they are ready to install. Also, as noted above, endpoint system management solutions are available that can manage all of these updates from a central server.

Browser Updates
Updates for Microsoft’s Internet Explorer will be addressed as part of the Windows Updates above. However, if you are using a different Internet browser, such as Chrome or Firefox, you will want to ensure these are always updated with the latest security patches. Both Chrome and Firefox do a great job of updating automatically, but it is a good, proactive practice to periodically check these manually to ensure you have the latest updates. As noted, some endpoint system management solutions can provide automated alerts for out-of-date software.

Antivirus Updates
Antivirus software vendors release virus-definition updates almost daily. It is important to ensure that your antivirus program is staying up-to-date. Most antivirus vendors now offer central administration where all of your workstations can be monitored from a single workstation or server and can alert you when a client is not up-to-date.

Vulnerability Scanning
A vulnerability scan of your network provides an extra layer of protection by identifying known vulnerabilities in your systems. These scans not only check for missing patches, but also alert you to misconfigurations that need correcting. For optimal security review and monitoring, both internal and external scans are recommended.

Information Sharing and Threat Monitoring
Finally, I know you probably get hundreds of email newsletters, but one you should consider adding to the list is a good alerting service for patches and vulnerabilities. Examples of a couple I like to follow are from the National Credit Union Information Sharing and Analysis Organization (ncuisao.org) and the United States Computer Emergency Readiness Team (US-CERT), available at www.us-cert.gov. I know we can get fatigued with so many newsletters, but it is important to filter out those that are actionable.

In light of the recent breach, now is a great time for you to revisit your patching strategies and make sure they are up to par. You, and especially your members, do not want to be the victim of the next breach that could have easily been avoided.


Credit Union Resources has Technology Consulting & Compliance Services available for credit unions of all sizes. For additional information, please contact Deana Brown (dbrown@curesources.coop) or Idrees Rafiq (irafiq@curesources.coop).