Patching is a complex task that most companies struggle with or overlook, yet keeping systems, and therefore patches, up to date is one of the most basic and necessary security measures. This article looks at the most dangerous of the 883 bugs that Microsoft patched in 2021. These vulnerabilities can wreak havoc on companies that have not applied the patches yet, so it is important to update software often. It is also recommended to regularly review and refresh software update policies and to audit the processes linked to them.
A list of breaches that occurred in 2021 at companies that rely on the cloud. This list reinforces Medical Web Expert’s stance that the cloud is not secure by default. Those who manage and configure cloud environments should take a deep dive into securing those environments and keep up with the latest security vulnerabilities found on those platforms.
One example that unfortunately still happens today is data leaking from S3 buckets or similar storage services from other vendors. Access management and audits should apply to every cloud service, so as not to overlook the common issue of sensitive information being exposed publicly.
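One way to audit for the exposure described above is to review each bucket policy for statements that grant access to an anonymous principal. The following is an added example, not code from the article or from Medical Web Expert: it evaluates a bucket policy document offline (the policy below is constructed sample data) and classifies each anonymous `Allow` statement as plainly public or as needing review when a `Condition` narrows it. The classification rules are a simplification of AWS's own public-bucket definition and are an assumption of this example.

```python
"""Flag public-access grants in an S3 bucket policy (added example, offline)."""
import json

# Constructed sample policy: the first statement grants anonymous read of
# every object, the second is scoped to one role, the third is anonymous
# but narrowed by an organisation-ID condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "AppRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "PublicListWithCondition",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-bucket",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}},
        },
    ],
})


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal) -> bool:
    """True when the Principal element matches any caller, authenticated or not.

    Both the bare "*" and {"AWS": "*"} forms mean "everyone" in a bucket policy.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def audit_bucket_policy(policy_json: str) -> dict:
    """Return {Sid: classification} for every Allow statement open to anyone.

    "public": anonymous principal with no Condition narrowing it.
    "review": anonymous principal but a Condition is present. AWS treats some
              conditions (for example aws:PrincipalOrgID or aws:SourceVpc) as
              making the grant non-public, so a human must check which one it is.
    Statements scoped to a concrete principal, and Deny statements, are omitted.
    """
    policy = json.loads(policy_json)
    findings = {}
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement-{idx}")
        # Allow + NotPrincipal grants to everyone except the listed principals,
        # so it is treated the same as an anonymous principal.
        anonymous = "NotPrincipal" in stmt or is_anonymous_principal(stmt.get("Principal"))
        if not anonymous:
            continue
        findings[sid] = "review" if stmt.get("Condition") else "public"
    return findings


if __name__ == "__main__":
    for sid, verdict in audit_bucket_policy(SAMPLE_POLICY).items():
        print(f"{verdict.upper():7} {sid}")
```

In practice the policy document would come from the bucket's `GetBucketPolicy` output, and the same check belongs in a periodic job across every bucket, alongside a check of the account-level Block Public Access settings and bucket ACLs, which this example does not cover.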
A German company, Building Automated Systems, was attacked by hackers who gained access to the software that controls the lighting and power of one of its buildings. The attackers took control of 75% of the devices, locking down the system in a “physical” denial-of-service attack against the building. Fortunately, the automation manufacturer was able to recover the system, but this is not the only such case so far. As more and more companies rely on automated systems, they should also take the associated security aspects into consideration in order to protect those systems against intruders.
CISA and five other international security agencies released guidelines to mitigate the well-known log4shell attack, which affects millions of systems, including hardware devices that cannot be patched. The detailed guideline should be thoroughly reviewed if your company relies on this library or runs any system that bundles log4j. The original patch released during the first days of the attack did not fully mitigate the attack, and more vulnerabilities have been found since then.
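The first practical step in that guidance is knowing where log4j actually lives in your estate, because it is usually bundled inside application JARs rather than installed as a separate package. The following inventory script is an added example, not code from the article or from the CISA guidance: it walks a directory tree, identifies `log4j-core` JARs by their class path prefix, reads the `Implementation-Version` from the manifest, and reports whether the `JndiLookup` class is still present. The sample JARs it scans are constructed in a temporary directory so the script runs offline. The version threshold of 2.17.1 is an assumption that applies to the Java 8+ release line; the older 2.12.x and 2.3.x lines have their own fixed releases, and nested JARs inside WAR or EAR archives are not unpacked here.

```python
"""Inventory log4j-core JARs under a directory tree (added example, offline)."""
import os
import tempfile
import zipfile

CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"
# Assumed threshold for the Java 8+ line; older lines have separate fixed releases.
FIXED_VERSION = (2, 17, 1)


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.17.1-rc1'."""
    core = text.strip().split("-")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def inspect_jar(path: str) -> dict:
    """Return a finding for one JAR, or None when it is not log4j-core."""
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        if not any(n.startswith(CORE_PREFIX) for n in names):
            return None
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
        jndi_present = JNDI_LOOKUP_CLASS in names
    # An unreadable version is treated as outdated: unknown is not safe.
    outdated = version is None or parse_version(version) < FIXED_VERSION
    return {
        "path": path,
        "version": version,
        # Removing JndiLookup.class was the interim mitigation for the original
        # bug, but it does not address the follow-on CVEs fixed in later releases,
        # so an old build is flagged even when the class has been stripped.
        "jndi_lookup_present": jndi_present,
        "at_risk": outdated,
    }


def scan_tree(root: str) -> list:
    """Walk root and return findings for every log4j-core JAR found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".jar", ".war", ".ear")):
                continue
            try:
                finding = inspect_jar(os.path.join(dirpath, name))
            except zipfile.BadZipFile:
                continue  # not a real archive; skip rather than abort the scan
            if finding:
                findings.append(finding)
    return findings


def build_sample_tree(root: str) -> None:
    """Write constructed sample JARs (empty class entries) for the offline demo."""
    def write_jar(name, version, include_jndi, core=True):
        with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            if core:
                jar.writestr(CORE_PREFIX + "Logger.class", b"")
                if include_jndi:
                    jar.writestr(JNDI_LOOKUP_CLASS, b"")
    write_jar("log4j-core-2.14.1.jar", "2.14.1", True)            # old, lookup present
    write_jar("log4j-core-2.14.1-stripped.jar", "2.14.1", False)  # old, lookup removed
    write_jar("log4j-core-2.17.1.jar", "2.17.1", True)            # fixed release
    write_jar("commons-io-2.11.0.jar", "2.11.0", False, core=False)  # unrelated JAR


def demo() -> dict:
    """Scan a constructed tree and key the findings by file name."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.basename(f["path"]): f for f in scan_tree(root)}


if __name__ == "__main__":
    for name, f in demo().items():
        status = "AT RISK" if f["at_risk"] else "ok"
        print(f"{status:8} {name} version={f['version']} jndi_lookup={f['jndi_lookup_present']}")
```

Run against a real host by replacing `demo()` with `scan_tree("/opt")` or the application root; the output is an inventory to drive the upgrade work the guidance calls for, not a proof that a host is safe, since shaded or renamed copies of the library would escape the prefix check.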