Patching the Meltdown Patch

According to meltdownattack.com, these hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

It turns out the patch that Microsoft created for Meltdown could be worse than the original Meltdown vulnerability. Ulf Frisk, a Swedish penetration tester, warns in his blog:

“Did you think Meltdown was bad? Unprivileged applications being able to read kernel memory at speeds possibly as high as megabytes per second was not a good thing.

Meet the Windows 7 Meltdown patch from January. It stopped Meltdown but opened up a vulnerability way worse … It allowed any process to read the complete memory contents at gigabytes per second, oh – it was possible to write to arbitrary memory as well.

How is this possible?
In short – the User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself.”

Read more at https://blog.frizk.net/
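The misconfiguration Frisk describes, reduced to a page-table-entry check, as an added example that is not from the original post or from Frisk's blog: it scans a PML4 for the self-referencing entry (the present entry whose physical address is the PML4's own base, the value CR3 holds) and reports whether that entry's U/S bit is set, which is exactly the condition that hands the page tables to user mode. The PML4 contents, the CR3 value and the slot index 0x1ED are constructed sample values, not taken from Windows.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86-64 page-table entry bits (layout shared by PML4E, PDPTE, PDE and PTE). */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITABLE  (1ULL << 1)
#define PTE_USER      (1ULL << 2)              /* U/S bit: 1 = user mode may access */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL   /* physical address field, bits 51:12 */
#define PML4_ENTRIES  512

/* Find the self-referencing PML4 entry: the present entry whose physical address
 * is the PML4's own base (the value CR3 holds). Returns its slot, or -1 if none. */
int find_self_ref(const uint64_t pml4[PML4_ENTRIES], uint64_t cr3) {
    uint64_t base = cr3 & PTE_ADDR_MASK;
    for (int i = 0; i < PML4_ENTRIES; i++) {
        if ((pml4[i] & PTE_PRESENT) && (pml4[i] & PTE_ADDR_MASK) == base)
            return i;
    }
    return -1;
}

/* True if the self-reference has U/S set: every page table is then readable from
 * user mode, and writable as well wherever the R/W bit is also set. */
bool self_ref_exposed_to_user(const uint64_t pml4[PML4_ENTRIES], uint64_t cr3) {
    int idx = find_self_ref(pml4, cr3);
    return idx >= 0 && (pml4[idx] & PTE_USER) != 0;
}

/* Constructed sample PML4 with a self-reference in slot `idx`; `user` selects the
 * misconfigured (U/S=1) or corrected (U/S=0) form of that entry. */
void build_sample_pml4(uint64_t pml4[PML4_ENTRIES], uint64_t cr3, int idx, bool user) {
    memset(pml4, 0, PML4_ENTRIES * sizeof(uint64_t));
    pml4[0]   = 0x187000ULL | PTE_PRESENT | PTE_WRITABLE | PTE_USER; /* user-space half */
    pml4[256] = 0x188000ULL | PTE_PRESENT | PTE_WRITABLE;            /* kernel-space half */
    pml4[idx] = (cr3 & PTE_ADDR_MASK) | PTE_PRESENT | PTE_WRITABLE | (user ? PTE_USER : 0);
}

/* Build the constructed layout and report whether its self-reference leaks to user mode. */
bool sample_layout_exposed(bool user) {
    uint64_t cr3 = 0x185000ULL;  /* constructed PML4 physical base; slot 0x1ED is arbitrary */
    uint64_t pml4[PML4_ENTRIES];
    build_sample_pml4(pml4, cr3, 0x1ED, user);
    return self_ref_exposed_to_user(pml4, cr3);
}
int main(void) {
    printf("January-patch layout exposed: %d\n", sample_layout_exposed(true));  /* 1 */
    printf("Corrected layout exposed:     %d\n", sample_layout_exposed(false)); /* 0 */
    return 0;
}
```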

Last week, Microsoft released an out-of-cycle security patch to address the problems created by the original patch.

Meltdown Patch: CVE-2018-1038 | Windows Kernel Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.

The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.

More on the update from Microsoft: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038#ID0EWIAC

Patch Management Policy

Patching is a common issue we discuss; in fact, it’s one of the top 5 common cyber threats. Did you know:

  • 45% of companies are not using a dedicated patch management solution to distribute and manage software updates.
  • 72% of decision-makers do not deploy a patch within 24 hours after it is released to the public.
  • Failure to patch caused the infamous Equifax breach, releasing the data of 143 million people.

In a recent interview, Chris Goettl, director of product management at Ivanti, says the vulnerability created by the Microsoft patch is pretty significant and something that needs to be addressed with haste, if possible.

“When Microsoft issued a fix for Windows 7 and Windows Server 2008, they made a mistake and ended up opening up read and write access in RAM so anybody could access anything in memory and write to it,” he says. “It is a significant vulnerability and leaves those systems pretty much exposed” without the update.

If you don’t have time to test the new patch, a best practice may be to roll back to the March update and wait for Microsoft’s next update on April 11.

“We are close to the April update,” Goettl says. “Our guidance is to either apply the new update or roll back the March update,” for Windows 7 x64 systems and Windows Server 2008 x64 systems, he says.

Patches a Problem?

Feds kick out Kaspersky – here’s why you should too.

As you may have heard, the Federal Government is requiring the removal of all Kaspersky software. Federal departments and agencies are required to identify any use or presence of Kaspersky products on their information systems and discontinue present and future use of the products by November 13 and remove the products by December 13. https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01  

The reason? 

This action is based on the information security risks presented by the use of Kaspersky products on federal information systems. Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems. The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.

Any organizations (including contractors, universities, etc.) that receive federal funding should consider removing Kaspersky since your funding could be at risk. Consider our alternative approach because there is a better way. 

Alternative Approach

Traditional antivirus software only detects around 40% of all malware, which means 60% of malware goes undetected. With CylancePROTECT, it’s possible to prevent over 99% of malware before it can execute. Cylance isn’t a “detect and respond” antivirus solution that will leave your systems open to continual attacks.

Cybriant offers Cylance as an endpoint security solution or as a managed service. Cybriant can assist you in the migration from your old anti-virus product and in the implementation, tuning, and management of your Cylance deployment.

Why Cylance?

Cybersecurity firm Cylance uses lightweight artificial intelligence (instead of heavy signatures) to provide customers with security that “predicts, prevents, and protects.” They have recently caught Gartner’s attention by being considered a Visionary in the Endpoint Security realm.

According to Gartner’s 2017 report, Cylance is “by far the fastest-growing EPP vendor” in the market. This is due in great part to its 2016 implementation of CylancePROTECT with OPTICS, an endpoint detection and response solution that enables users to “see” the root cause of attacks. With the new OPTICS system, Cylance also released a powerful cocktail of updated support for scripted control, memory protection, and application and device control features.

Gartner also praises OPTICS as a highly versatile system that can seamlessly operate on-premise or can be cloud-enabled. As reported by Gartner, Cylance customers related that OPTICS had “easy deployment and management, low-performance impact, and high-execution detection rates against new threat variants.”

Learn more about artificial intelligence for threat detection. 

Prevent Cyberattacks with Artificial Intelligence

Think Beyond the Costs of a Cyberattack

The costs of a security breach extend well beyond the immediate liabilities and remediation expenses:

  • 29 percent of businesses that are breached lose revenue
  • 23 percent of businesses lose new opportunities
  • 22 percent of businesses lose existing customers

Security breaches can affect all aspects of a targeted company, from its operations and finance to its brand reputation and customer loyalty.

Small businesses risk losing more than just money if they don’t protect themselves. A recent report published by the Better Business Bureau (BBB) states that half of small businesses couldn’t stay profitable for more than 30 days if they lost critical data.

The BBB reports that, of the 1,100 businesses it surveyed in North America, fewer than half provide cybersecurity education to their employees. That’s troubling considering how many cyber attacks occur because an unsuspecting employee clicked a hyperlink in a fake email. Ninety-one percent of hacks on businesses start with a spear phishing email, according to KnowBe4, a company specializing in security awareness training for employees.

Cybersecurity awareness training is the most cost-effective cybersecurity prevention tool. But it’s just one piece of the puzzle. Cybersecurity is a highly dynamic realm; it requires daily immersion to remain current on the landscape. As critical as this expertise has become, most small and mid-size businesses cannot financially justify having these types of resources on board full time.

How to protect your business and your customers from cyber risk

Here are the steps we typically recommend, but the easiest thing to do is start a conversation with us. We’ll be happy to walk you through the process.

1. Find out where your security gaps are.

A complete security strategy is a composite of people, processes, and technology orchestrated to protect your business and in many cases meet government-dictated policy standards. A professional security risk assessment will analyze all three critical areas and evaluate your company’s performance relative to intended company objectives and security best practices. With the information developed from the assessment, you will be able to design strategies to strengthen, reinforce, or modify your security posture in order to anticipate evolving threats and satisfy the present needs of your business.

2. Improve and harden your organization’s security program.

Penetration tests, compromise assessments, and vulnerability assessments should be performed on an ongoing basis. No matter their size, all organizations should regularly check their applications, networks, and systems for vulnerabilities that could give outsiders access to their critical data. They should also assess whether their environment is already compromised if they have not consistently monitored their security program, or are planning significant changes to their existing environment.

3. Strengthen your human firewall.

Your users are often the weakest link in your cyber defense program. You must have an integrated, ongoing security awareness training program to make them assets to, rather than liabilities for, your security posture.

4. Monitor your security infrastructure.

You should have round-the-clock, vigilant oversight of your security infrastructure and your critical assets, performed by security experts. The quicker you can identify a suspicious actor or event, the better you can prevent or minimize any intended damage.

5. Make sure data is accessible no matter what.

If your defenses are overcome, you must be postured to prevent a disruption of your business operations. A strategic and functional disaster recovery plan formally integrated within your security program will ensure your business and reputation will remain resilient to a malicious cyber event.

Cybriant was created to aid organizations in making sound business decisions regarding their cyber defense strategies and investments, and to help implement and manage these strategies if needed. Whether it’s professional expertise to design and implement a formal cyber risk management program or services to aid in the management of your existing information security environment, Cybriant can help.

Ready to talk?