Cyber Security Roundup for March 2017

Security researchers found there were able to find numerous sensitive documents by searching Microsoft’s Office 365 documents made publically accessible through the Docs.com website. Documents found included business confidential information, passwords and personal data. The issue was not caused by any security vulnerability in O365, but by its users misconfiguring or not understand the access permissions on their Microsoft O365 file storage, inadvertently permitting public access to their confidential data.  Businesses and users need to meet cloud services halfway when it comes to security, that starts obtaining a clear understanding of what security the cloud service does and does not do, so ensure your security homework is done before adopting the cloud.

A patch for a critical vulnerability in Apache (Server) Struts was released this month, the vulnerability, which is being actively exploited by cyber criminals in ransomware attacks, allows the remote execution of commands on the server. Non-Microsoft patches are more likely to be missed, given the patch process of Apache servers is often a manual one. It is essential to check any Apache server software facing the internet is constantly kept up to date, in this case, make sure the Struts framework element as used with Java EE web apps, is running a non-vulnerable version, either Struts 2.3.32 or Struts 2.5.10.1

It is the official ‘goodbye Vista’ next month as of 11 April 2017, Microsoft will no longer support Windows Vista, which means no further security updates to fix new vulnerabilities, either free or via paid assisted support options. So if you have Windows Vista, either upgrade or apply additional security measures such as application whitelisting to be safe. It is less overhead and cheaper long-term to upgrade to a supported Operating System in my view.

Finally, the UK Government Digital and Culture Minister, Matt Hanock, is pushing for further adoption of the Cyber Essentials scheme, insisting all governance contractors hold a Cyber Essentials certificate. A number of businesses have also agreed to require their suppliers to achieve Cyber Essentials, including Barclays, BT, Vodafone, Astra Zeneca, Airbus Defence & Space and Intel Security.  Hancock said   “We know the scale of the threat is significant: one in three small firms and 65% of large businesses are known to have experienced a cyber-breach or attack in the past year. Of those large firms breached, a quarter was known to have been attacked at least once per month.” Cyber-security is one of the seven pillars of the government’s digital strategy, he said. “It’s absolutely crucial UK industry is protected against this threat – because our economy is a digital economy.” 

News

Awareness, Education and Threat Intelligence

Reports

This is a Security Bloggers Network syndicated blog post authored by Dave Whitelegg. Read the original post at: IT Security Expert Blog