April 6th, 2022

Moving Patch Management to the Front Burner - WST

As tensions mount in Europe, our clients have reached out for advice on how to counter the possibility of foreign attacks. A few weeks ago, we released helpful tips on strengthening security fundamentals, https://10dsecurity.com/wst/cybersecurity-fundamentals.html. As we continue to bolster our defenses, now is a great time to schedule any overdue patching across your environment. Patching efforts should include (but not be limited to) the following:

  • Network equipment: routers, switches, firewalls, etc.
  • Virtual infrastructure: hypervisor(s), management consoles, and client tools
  • Workstation & server operating systems: Windows, Linux, IBM PTFs & Cumulative Releases
  • Antivirus: traditional & next generation AV clients
  • VPN clients: With more of us occasionally working from home, be sure that your remote staff endpoints have the latest client version installed, and that all Endpoint Controls (EPCs) are enabled, properly configured, and up to date
  • Log collection agents: Provision and enable additional verbose logging as storage space allows; these logs may prove invaluable during cyberattack forensics
  • IaaS/PaaS: Don’t forget that although this equipment likely resides outside of your premises, patching responsibility generally falls on the institution’s shoulders

To include a current real-world scenario as a reminder of the importance of patching: the Cybersecurity and Infrastructure Security Agency (CISA), with backing from the NSA and FBI, has reported that a new malware variant called “Cyclops Blink” has come to life. These agencies “have previously attributed the Sandworm actor to the Russian General Staff Main Intelligence Directorate’s (GRU’s) Main Centre for Special Technologies (GTsST)” (https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-054a). The variant has so far been deployed primarily to WatchGuard devices, creating a potential web of devices available for the bad guys to exploit on our own turf! That is, unless you have applied the patches released from May 2021 onwards that specifically address this known vulnerability.

Thankfully, many hardware and software vulnerabilities are known, and patched, well in advance of exploitation. WatchGuard even has a free tool readily available to detect Cyclops Blink and offers a remediation plan, https://detection.watchguard.com/.

Whatever the equipment and technology you have deployed, now is a great time to move your patch management efforts to the front burner. I’m sure if your systems could talk, they would give you a series of congratulatory beeps to thank you for your efforts!

Authored by: Ben Caruso
