Week After Week Vulnerability After Vulnerability
Another week, another critical vulnerability from Microsoft. Does it seem to you that this is an ongoing problem with older versions of Microsoft operating systems?
Microsoft announced a patch two weeks ago for this vulnerability, known as BlueKeep. Its formal identifier is Common Vulnerabilities and Exposures 2019-0708 (CVE-2019-0708). It is found in older and no-longer-supported versions of the Windows operating system, in the Remote Desktop Protocol (RDP) service.
Because it can be exploited remotely and does not require any physical access to the actual machine, Microsoft classifies BlueKeep as a Remote Desktop Services Remote Code Execution Vulnerability.
Additionally, it is wormable, which means that companies are ripe targets. Why? Many organizations take a long time to install their security patches, so they have several machines on their network that are vulnerable for hackers to attack. They also often lose track of all exposed devices, and many go unpatched for years.
NSA Says, Patch!
To keep from repeating a cascading problem like the one that occurred with WannaCry, even the NSA released a rare security advisory. That is how dangerous they feel this is.
Security researchers are confident that malicious actors are currently actively exploiting CVE-2019-0708.
Me Worried? I’m Not A Business
Malicious actors don’t care who they target. They are scanning for any device with the vulnerability. Any sensitive data they can get their hands on is acceptable to them. If they can “blackmail” or hold your information for ransom, they will.
What Versions Are Exploitable
This latest vulnerability affects all the following operating system versions.
Windows Server 2008 R2
Windows Server 2008
It’s Old Tech…
Even though the patches for this vulnerability were released two weeks ago, you might be surprised to learn that over a million machines connected to the Internet are using operating systems with this vulnerability.
Many businesses, including those who help to maintain our critical infrastructure, are at risk. Why? They rely on embedded systems that run these older operating systems, and many go unpatched for years.
Dark Matter of the Corporate Network Universe
The embedded systems most people don’t think about include:
Handheld Devices (Inventory wands/scanners)
Key Entry Systems
Manufacturing Control Systems
Point of Sale Systems
Process Control Systems
Smart Phones, iPhones, iPads
Smart Lightbulbs and Hubs
Thermostats, Environmental Controls
Video Conferencing Systems
Wireless Access Points
You see, each of these devices has an IP address of its own, and if forgotten it represents more of a security threat than you might think: it is still reachable, and that means it is susceptible to hacking. If it is running an operating system with this vulnerability, patching is essential. Don’t forget these devices when you are patching your systems. Anything connected to your network must be tracked, secured, maintained, and managed.
Earlier in the technology life cycle, embedded systems used proprietary operating systems, but now vendors use general-purpose operating systems with wider distribution because they cost less and software for them can be developed faster using open-source libraries. However, that means they are now subject to these same vulnerabilities. Additionally, some of these lightweight embedded systems, like those on appliances in your employee break room, that smart lighting system, or the webcams that maintenance purchased and installed, come with default passwords or, worse yet, no password at all. So by exploiting this vulnerability, a malicious actor can turn off your webcam, unlock your doors automatically, and walk through your front door.
Tampering With Your Systems
Have you patched your thermostat or other environmental control systems? No? Did you know they are very vulnerable? A malicious attacker can use the vulnerability to raise the temperature in your server room, causing your servers to overheat and shut down.
Now that you understand how risky unpatched embedded systems are to your business, let’s get down to brass tacks and fix it.
What To Do Next…
Patch Instructions for CVE-2019-0708 <https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708>
Step one: Inventory every embedded device that can connect to your network, and don’t forget “shadow IT.” You must track every IP address in use, even those used only intermittently.
Step two: Create a policy that limits the devices allowed on your network. Don’t allow devices with fixed accounts or passwords. Work with the vendor that supplied them to be sure they get fully patched.
Step three: Create a plan to keep every device’s software up to date. Who supplies the updates? The vendor? The manufacturer? What is the cost? Are you allowed to do OS updates and security updates yourself?
Step four: Patch everything. Locate all default and maintenance accounts on every device and reset all default passwords with robust and unique passwords. Figure out what operating system version each device is running and update the firmware of each.
Step five: Create a patching plan. Be sure that it includes the ability to track and patch all operating system vulnerabilities on every embedded device on your company network. Never purchase any device from a vendor who insists that embedded systems are immune to viruses and malware.
Step six: Secure your networks using segmentation. Segment your network for different classes of devices and make sure that all your embedded devices are on separate, firewalled networks.
Step seven: Secure all your devices with scanning tools: check for all unexpected and unnecessary services that these embedded devices provide, and turn off those that are not needed. If you are unable to turn services off as needed, talk to the vendor or manufacturer. You might find that an inexpensive consumer-grade device is more costly, or even impossible, to manage than a professional-grade device that costs just a little more.
Step eight: Monitor everything. You must consistently monitor the state of every device on your network, both embedded devices and those visibly connected.
Step nine: Manage the life cycle of all your equipment. Create life-cycle criteria for asset tracking for all embedded and network-attached devices and enforce them. You must track the purchase date, the deployment date, all maintenance conducted on the device, and the removal and destruction of data and hard disks before proper disposal.
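The following Python script is an added example, not code from the original article or from Microsoft. It shows how steps one, four, six and seven above (and the earlier point that every forgotten device still has its own IP address) can be turned into a repeatable check over an asset inventory: it reconciles observed addresses against the inventory to surface shadow IT, flags records that match the article’s affected versions with RDP exposed and no patch recorded, reports devices still on vendor default passwords, verifies that embedded devices sit in their own segment, and lists unexpected listening services. The inventory records, the subnets, the observed-address list, the port allowlists and the record fields (such as the patch-tracker flag) are all constructed assumptions; a real deployment would feed it from your CMDB, DHCP leases and authorized scan results.

```python
"""Reconcile an asset inventory against observed addresses and flag
CVE-2019-0708 (BlueKeep) exposure. Added example with constructed data."""
import ipaddress
from dataclasses import dataclass, field

# Operating system versions the article lists as affected by CVE-2019-0708.
AFFECTED_OS = {"Windows Server 2008", "Windows Server 2008 R2"}
RDP_PORT = 3389

# Assumed network design: embedded devices belong in their own firewalled segment.
EMBEDDED_SEGMENT = ipaddress.ip_network("10.20.0.0/24")  # constructed

# Assumed allowlist of services expected per device class (step seven).
EXPECTED_PORTS = {"embedded": {80}, "server": {445, RDP_PORT}}


@dataclass
class Asset:
    ip: str
    name: str
    os: str
    embedded: bool
    patched_cve_2019_0708: bool   # assumed field fed by the patch tracker
    default_password: bool        # assumed field: vendor default still set
    open_ports: set = field(default_factory=set)


# Constructed inventory records; none of these are real hosts.
INVENTORY = [
    Asset("10.20.0.15", "pos-register-1", "Windows Server 2008", True, False, True, {RDP_PORT, 80}),
    Asset("10.20.0.16", "hvac-controller", "Windows Server 2008 R2", True, True, False, {RDP_PORT}),
    Asset("10.10.0.40", "badge-door-ctl", "Windows Server 2008 R2", True, False, False, {RDP_PORT, 22}),
    Asset("10.10.0.5", "file-srv-1", "Windows Server 2016", False, True, False, {445, RDP_PORT}),
]

# Addresses seen on the wire (DHCP leases, ARP tables); constructed sample.
OBSERVED_IPS = {"10.20.0.15", "10.20.0.16", "10.10.0.40", "10.10.0.5", "10.10.0.77"}


def find_shadow_devices(inventory, observed):
    """Step one: an observed address with no inventory record is shadow IT."""
    known = {a.ip for a in inventory}
    return sorted(observed - known)


def bluekeep_exposed(asset):
    """Step four: affected OS, RDP listening, and no patch recorded."""
    return (asset.os in AFFECTED_OS
            and RDP_PORT in asset.open_ports
            and not asset.patched_cve_2019_0708)


def segmentation_violations(inventory, segment):
    """Step six: every embedded device must live inside the embedded segment."""
    return [a.name for a in inventory
            if a.embedded and ipaddress.ip_address(a.ip) not in segment]


def unexpected_services(asset):
    """Step seven: listening ports outside the allowlist for the device class."""
    allowed = EXPECTED_PORTS["embedded" if asset.embedded else "server"]
    return sorted(asset.open_ports - allowed)


def risk_report(inventory, observed, segment):
    """Collect every finding into one dictionary keyed by check."""
    return {
        "shadow_devices": find_shadow_devices(inventory, observed),
        "bluekeep_exposed": [a.name for a in inventory if bluekeep_exposed(a)],
        "default_passwords": [a.name for a in inventory if a.default_password],
        "segmentation_violations": segmentation_violations(inventory, segment),
        "unexpected_services": {a.name: unexpected_services(a)
                                for a in inventory if unexpected_services(a)},
    }


if __name__ == "__main__":
    for check, findings in risk_report(INVENTORY, OBSERVED_IPS, EMBEDDED_SEGMENT).items():
        print(f"{check}: {findings or 'none'}")
```

Run it on the constructed data and the report names one unknown address, two unpatched hosts with RDP exposed, one device still on a default password, one embedded controller sitting on the general office subnet, and the RDP and SSH listeners that the embedded allowlist does not expect. Feeding the same checks from a nightly inventory export is what turns step eight (“monitor everything”) into something that actually fires.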