Microsoft rapid response to Windows patching after security scare


Users and organisations using out of support Windows Operating systems Windows XP, Windows 7, Windows Server 2003, Windows 2008 R2, Windows 2008 are being urged by Microsoft to undertake urgent patching measures, following Microsoft’s discovery of a critical remote code execution vulnerability.

The severity of its potential impact worldwide has prompted Microsoft to step in to release patches for the out of support Windows XP and Windows Server 2003.  Windows XP users will need to download the patch (Remote Code Execution CVE-2019-0708) from the Microsoft Update Catalogue.

Microsoft spokesman and Director of Incident Response, Simon Pope, speaking from their Security Response Centre advised that this exploit vulnerability was ‘wormable’.  This means that the user doesn’t have to ‘do’ anything themselves to cause the damage.  Any malware created by hackers in response to this vulnerability that links to this Microsoft code, would cause a ripple effect by cross-infecting computers through Remote Desktop Protocol (RDP). RDP would facilitate the hacker’s ability to send requests enabling arbitrary code to be run, to view, change or delete data, or create new accounts with full user rights. This was the experience in 2017 when the Wannacry attack went global.

With millions of users still using Windows 7 machines, Microsoft are not taking any chances and are taking the same holistic steps as in 2017 to seek to protect users whether using supported or unsupported systems.

Unfortunately, there doesn’t appear to be a killswitch for someone to discover in this vulnerability unlike with Wannacry, but prudent and expeditious action taken promptly by organisations and their inhouse IT teams, (or through the direct intervention of IT MSPs like Amicus ITS), can take the mitigation steps to limit impact.  Amicus ITS have already taken immediate steps to instigate the patching for all our customers. In addition, the RDP vulnerability can be mitigated by good access control and firewall management our Network Team are undertaking.

I would advise vulnerable organisations to update to the latest operating system (currently Windows 10), but check the following paths as part of risk mitigation consideration:

1. Upgrade to the latest or near latest operating systems – full mitigation
2. Consider migrating to the 365 / Azure platforms – server mitigation
3. Take up an advanced patching service via Amicus ITS – server and device patch assurance

Any organisations seeking advice or support can contact our Sales team in the first instance by calling +44 (0)2380 429429 or by emailing enquiries@amicusits.co.uk quoting ‘Microsoft Code Exploit 2019’

JP Norman is the Director of Technology, Security and Governance at Amicus ITS

Week’s Technology News – 27th February 2015

Boards acknowledge cyber risk on their 2015 agenda

Back in 2013, following a KPMG report that cyber leaks at FTSE 350 firms were putting the UK’s economic growth and national security at risk, the heads of UK intelligence agencies MI5 and GCHQ then asked leading businesses to take part in a Cyber Governance Health Check.  The results were a stark wake up call.

As we reported in our blog on 19th December, Board engagement is pivotal to the success of any cyber security plan and thwarting the eye popping 80% of preventable attacks in 2014.

The 2015 Cyber Governance Health Check has just been published and reveals that 88% of companies are including cyber risk on their Risk Register with 58%+ anticipating an increased risk over the next 12 months.  However, only 21% say their boards get comprehensive information and only 17% regard themselves as having a full understanding of the risks. This is clearly insufficient in the light of the continuing squeeze on data security and compliance measures.

You do not have to be a FTSE 350 to want continued trust from clients and the comfort of having up to date data security measures.   So wake up and smell the budding roses of 2015 and do your own health check review now:

  • Re-evaluate what the unique crown jewels of your organisation are (key information and data assets) as they may have changed in in the 12 months.
  • Review risk from any 3rd party suppliers and avoid contractual complacency – get into active compliance.
  • Be pro-active about risk and create a competitive advantage of rivals.
  • Arrange for a ‘pen test’ and get in shape to be security fit for purpose in 2015.

GCHQ


Windows Server 2003 is dying – but Windows Server 2012 will offer an elixir

With the forthcoming end of life for Windows Server 2003 and cessation of support from Microsoft on 15th July 2015, the effect will be severe for the many business still running this server in their data centre with exposure to cyber attack, unless considered steps are taken now to plan for upgrade.

Microsoft’s own survey recently confirmed that there were 22 million ‘instances’ (database environments) with WS2003 still running.

Organisations clearly need to plan their migration strategy – and quickly – if they are going to protect their infrastructure. End of support means no patches, no safe haven and no compliance.  Any company continuing to run WS2003 beyond July will fail regulatory compliance audits which could result in losing commercial contracts. So delays are not only expensive but highly risky.

The advances in the data centre with Windows Server 2012 RT offer integrated virtualisiation of compute, storage and networking along with enterprise class scalability and security.  The Cloud options of Microsoft Azure and Office 365 will deliver applications faster and increase productivity and flexibility – and take away risk.

Security implications

  • Software and Hardware compatibility – If you are running a mixture of physical and virtualised servers, then priority should go to addressing physical assets, as most WS2003 licences are tied to the physical hardware.
  • Compliance against many industry requirements has moved from a best practice ‘good to have’, to a mandatory requirement, so no option.
  • Payment Card Industry Data Security Standard (PCI DSS) v2, v3 – providing adequate assurance levels to meet the requirements of PCI will fail.
  • UK Government – connecting to the Public Services Network (PSN), whether through an assured connection or via an Inter Provider Encryption Domain (IPED) will be a headache if updates cannot be supported securely.
  • Industry standards Industry standards such as ISO 27001:2013 and the Cloud Security Alliance all require you ensure your systems and applications are up to date.
  • Disaster Recovery and Resilience  How do you re-start servers that are no longer supported? If DR is key to you business then migrating is a necessity will be fairly expensive.

Planning to move

  • Integrate your servers and their lifecycle into your strategy and risk management process.
  • Check what the servers do for you and do data mapping, flow and services exercise.
  • Identify your core assets and check them against confidentiality, integrity, availability and likelihood of compromise to help future design and investment decisions.
  • Create fit-for-purpose security architecture within your Cloud (ie should you need to retain legacy data which is rarely used – create security zones using layered firewalls, ingress and egress controls, file integrity and protective monitoring.
  • Test – lots – and then get a 3rd party certified security professional to conduct an ethical hack.
  • Failure to plan is planning to fail – do not let your business suffer by putting your head in the sand.

885284