Cybersecurity Insights


CVE Management: Removing CVEs Swept Under the Rug

IT leadership builds and manages strong, diverse teams to ensure secure and stable operations. However, departmental responsibilities sometimes overlap, resulting in confusion and miscommunication. Such is the case with networking and security departments when it comes to CVE management. It is important to settle responsibility early on: who should be held accountable for unpatched known vulnerabilities in networking tools?

The Nature of Why CVEs Go Unpatched

Organizations spend an incredible amount of time and money to secure their digital landscape. Even the strongest offensive strategy cannot fully protect an organization against publicly known vulnerabilities. Unpatched CVEs leave well-known entrance points into an otherwise secured environment. Unmitigated vulnerabilities lead to havoc-wreaking breaches that cost millions of dollars in damage.  

The most obvious response is to patch known vulnerabilities quickly, before they are used as an entry point. The challenge is that patching CVEs can be very time-consuming and expensive, and it usually requires scheduled downtime. Keeping up with patches can become an impossible task when there are many vulnerabilities, or when it is unclear which department holds responsibility.

Who is Responsible for Networking CVEs?

CVEs produced by networking tools can be considered the responsibility of either the networking team or the security team: the networking team because it owns the toolset, and the security team because of the risk to the organization. This often results in a dispute over which department is responsible for tracking and patching critical CVEs. Departments may shuffle them back and forth or sweep them under the rug completely, especially when there is an exorbitant number of CVEs.

Ideally, one team takes ownership of the often-daunting task so that CVEs are properly handled. The good news is that there is a way to significantly reduce the number of vulnerabilities, making CVE management easier for either team.

Arista Cloud Networking – The Solution to Fewer CVEs

Ease the pain of CVE mitigation by selecting a networking solution with a low annual number of CVEs. In 2021, over 600 CVEs were created for Cisco products alone. That same year, Arista, a data-driven cloud networking technology provider, had only 12 CVEs. Having 50x fewer CVEs translates to far fewer being swept under the rug and an improved security posture.

Arista dedicates resources to extensive development and testing. The end result is a significantly more stable product, a manageable number of CVEs and minimized security risk.   

In Conclusion

CVE detection is only half the battle; mitigation is the other half. A CVE can turn into a threat if left unmitigated and, even worse, into an actual cyberattack. Luckily, the struggle between CVE detection and remediation can be eased by selecting a new generation of networking solution like Arista. Extensive testing prior to release and low annual CVE counts give either the networking or the security team a realistic chance at full remediation.


Comparing Technology Solutions with CVEs

Your organization has a well-planned security strategy. The perimeter and devices are protected. End users are trained. Critical data is safeguarded. With the immense effort and expense of securing an environment, why would anyone still leave the metaphorical front door open to known vulnerabilities? The MITRE Corporation’s publicly available CVE (Common Vulnerabilities and Exposures) database makes it easy to identify the cracked doors into your network. CVEs can also be used to compare how stable different technology solutions are.

What is a CVE?

A CVE is a known software flaw accompanied by a description and an ID number. The goal of the CVE database is to provide a readily available list of cybersecurity vulnerabilities for organizations to reference and ultimately patch. However, the list itself does not offer information on fixes, risks or impacts; CVEs are about awareness and detection of vulnerabilities.

The Impact of Unpatched CVEs

Every CVE needs to be patched. Patching requires planning, resources and scheduled downtime, and it can be very time-consuming and expensive when there is a considerable number of them. When CVEs are not patched quickly, the front door is left open and security plans are undermined. Ultimately, the more unpatched CVEs an organization has, the less secure it is.

Using CVEs to Compare Technology Solutions

Consider this: a less than scrupulous provider may release new technologies to market without thorough testing. This results in more CVEs and a need for more patches down the line. A security-focused provider, on the other hand, waits to launch a product until it has been thoroughly developed and tested. That means fewer vulnerabilities and fewer patches.

Keep in mind that hitting a 0% CVE rate is next to impossible, because new CVEs come out on a weekly basis. To make your infrastructure as secure as possible, select a technology provider with a low number of annual CVEs.

Networking Tools – A Common Cause of CVEs

Networking tools have historically been notorious sources of CVEs. The most common networking vendor produced over 600 CVEs in 2021 alone.

Arista tells a completely different story with its data-driven cloud networking solution. Arista had only 12 CVEs created for the entirety of 2021, far fewer than the leading competitor had in an average month. The stark difference in CVE count reflects Arista’s emphasis on development and testing. Facing only 12 networking CVEs for the year means teams can easily manage remediation.

The bottom line: a manageable number of known vulnerabilities translates to swift patching and increased overall security. Select your networking toolset wisely.

In Conclusion 

CVEs are an important part of cybersecurity vulnerability management. Networks will be stronger and more secure if an organization has fewer CVEs. Compare CVEs and partner with a networking provider that has a low annual number for increased network security and stability. 


How to Spot Phishing Scams During COVID-19

Two years into the pandemic, phishers are as devious as ever. It is no longer enough to consider yourself protected because you recognize traditional phishing email scams. It is essential to stay up to date with the current tactics used in COVID-19 phishing scams and the language that hackers use. Failing to do so leaves you vulnerable to having your personal data compromised.

How to Spot COVID-19 Phishing

Here are four COVID-19 phishing ploys that our BriteProtect User Awareness training team is currently seeing across the board. Let’s go through them one by one to find out exactly what makes them “phishy.” 

CDC, Testing & Vaccine Scams

Phishing emails built around the topic of COVID-19 itself have skyrocketed. Anything related to coronavirus, especially if it contains the word “urgent,” should raise an eyebrow. Be wary of fake COVID tests and testing sites, free tests, kits and vaccines. Be suspicious of emails from the CDC about confirmed cases, too. If you do receive an email like these, look at it carefully. Does it come from a non-government URL? From a domain that is similar but not quite correct? Do not click on it.

Take a Look

Example of covid vaccine phishing scam

Red Flags
This one is a bit tricky; look at the subject line. If the email is so “urgent,” then why isn’t there any important information in the body of the email? The only thing in there is a document to download. Sketchy.

Travel Scams

Travel scams have taken off and aren’t slowing down anytime soon. Messages about vacation policy or itinerary updates, travel cancellations and restrictions are common. Keep your eyes peeled for shady offers for cheap deals or upgrades as well. These emails typically don’t come from a legitimate business source like a travel agency or airline; rather, they come from janky email addresses.

Take a Look

Example of covid travel phishing scam

Red Flags
This is a nice-looking email, isn’t it? Not so fast! Look closely at the “from” email address. Does that URL look like a credible business email to you? We didn’t think so either.  

Workplace Scams

All sorts of workplace phishing scams have popped up surrounding COVID-19. Look for language related to reopening, hour changes, work from home policies, mask updates and HR vaccine status requests. Also common are emails from IT, help desks and survey requests. If you get an email like this, make sure you know it’s legitimate before clicking on any links.  

Take a Look

Example of workplace covid phishing scam

Red Flags
Talk about poor grammar: sentence fragments, incorrect use of commas and wrong capitalization plague this email. Check out the strange link, too; it starts with gcc02, which is not very credible. Most damning of all, the author threatens to delete the reader from the database if they fail to act. No legitimate IT department would do such a thing.

Insurance & Bank Scams

Attackers can easily dupe users with insurance and bank scams, since these businesses deal with sensitive information on a regular basis. Branch reopening schedules and hour changes are common, as are password change prompts. Be on the lookout for anything that wants you to take immediate action.

Take a Look

Example of covid insurance phishing scam

Red Flags
For starters, this email refers to COVID-19 insurance. Ask yourself: did you buy any insurance from the sender? If not, you know it’s phony. Other signs that this is a hoax include the interesting spelling of “update,” or should we say “up-date,” along with missing periods at the end of sentences. Overall, the text just doesn’t read well.

Be Prepared
Treat your inbox like a warzone: always be on the lookout for the next landmine. Analyze every email before opening it and be sure it’s legitimate before clicking any links. It’s tedious to have to constantly watch your every step, yet necessary to keep your data safe.

Remember, the more prepared you are the better. Many businesses have found success in user awareness training programs which educate employees on the foundations of spam, phishing and spear phishing, malware, ransomware and social engineering. Employees are then able to use their elevated knowledge in their day-to-day jobs.  

In Conclusion
Phishing attacks are constantly evolving and take advantage of any situation – even a global pandemic like COVID-19 – to get what they want. Stay on top of the current language, recognize the red flags and educate yourself so you can spot phishing scams and attacks when – not if – they hit your inbox.  



7 Signs of a Phishing Email Scam

It is difficult for readers to distinguish attacks from legitimate emails, because phishing email scams are deliberately designed to be manipulative and deceitful. They are so effective that data from 2021 showed 30% of phishing emails were opened by targeted users, and 12% of those users clicked on the malicious attachment or link. Those statistics are, quite frankly, not very optimistic.

Keep reading to discover a handful of tips to identify phishing email scams as they hit your inbox and avoid becoming a statistic for 2022’s data.   

Think Inside the (In)box 

Most inboxes receive tens to hundreds of new emails each day. You must be attentive each time you open your inbox and check your unread messages. A successful phishing email scam gets the victim to complete an action, such as clicking a link, entering login credentials or wiring money. You may fall prey to one of these prompts if you are not focused on the task at hand and vigilant about potential threats.

The risk of being scammed increases the more distractions there are. Reduce distractions so you can sift through your inbox strategically – turn off the television, set down the sandwich and put the car in park.  

Signs of Phishing Email Scams 

Here’s the checklist of criteria our team of cybersecurity professionals put together to determine if an email is suspicious:  

1. Inconsistent URLs, links and email addresses 

Check for small changes in common domains and see whether link URLs are consistent with the sender domain. An easy way to do this is to hover over the link inside the email message. Be wary if the URL doesn’t belong to the company that supposedly sent the message.

2. Incorrect spelling and grammar 

The reason poor spelling and grammar appear in phishing email scams is twofold. First, some scams originate overseas, where English is not the actor’s first language. Second, devious actors strategically use subpar spelling and grammar to weed out critical readers, leaving those who fall for the message more likely to complete the desired action.

3. Threats or demands for action 

No credible organization threatens its customers with serious consequences. Consider it suspicious if an email sender demands that you click a link, open an attachment or reply with personal information (e.g. financial information), or else face legal action or a frozen account.

4. Request from a vendor to an unassociated email address 

If you have multiple accounts, know which email address is associated with each one. Be skeptical of requests sent to non-associated addresses. For example, assume phishing if you receive an email from Amazon at your professional address when your account is not linked to it.

5. Unexpected email or attachments 

Use caution if you’re not expecting to hear from someone via email. The same goes for unexpected attachments: don’t open them. Give the sender a call to see whether they really emailed you an attachment.

6. Low-resolution logo 

Phishers often use crude tactics like “cut and paste” to grab a logo from an organization’s website and pass it off as their own. If a government agency, bank or other legitimate organization’s logo is low quality, blurry or just not prominent, chances are the sender doesn’t work there.

7. Offers for free stuff or cheap deals 

Offers that sound too good to be true probably are too good to be true. Things like free products and services, cheap bargains, sweepstakes and prizes should raise an eyebrow and an alarm.  
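Signs 1 and 3 above can be checked mechanically rather than by eye. The Python script below is an added example written for this page, not Brite’s tooling: it parses a constructed sample message, compares the sender domain and every link domain against a list of domains the organization trusts for that sender (TRUSTED_DOMAINS is an assumed, analyst-supplied list), spots look-alike domains by edit distance, and flags pressure language in the subject and body. The sample email and the THREAT_WORDS list are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name claims to be a bank,
# but the sender address uses a look-alike domain and the "verify" link follows it.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <alerts@examp1e-bank.com>
To: victim@corp.example
Subject: URGENT: your account will be frozen
Content-Type: text/html

<html><body>
<p>Your account will be frozen within 24 hours unless you act now.</p>
<p><a href="http://examp1e-bank.com/login">Click here to verify</a></p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
</body></html>
"""

# Assumed, analyst-supplied list of domains the organization trusts for this sender.
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed list of pressure/threat phrases (sign 3: threats or demands for action).
THREAT_WORDS = ("urgent", "immediately", "frozen", "suspended", "legal action")


def registrable_domain(host):
    """Naive 'company.tld' extraction: keep the last two DNS labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e vs. example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_links(html):
    """Pull href targets out of the HTML body (what 'hovering over the link' reveals)."""
    return re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.IGNORECASE)


def analyse(raw):
    """Return a list of red-flag findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # Sign 1 (sender): is the address domain trusted, or merely a look-alike of one?
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.split("@")[-1]) if "@" in sender else ""
    if sender_domain not in TRUSTED_DOMAINS:
        lookalike = next((t for t in TRUSTED_DOMAINS
                          if 0 < edit_distance(sender_domain, t) <= 2), None)
        if lookalike:
            findings.append(f"look-alike sender domain {sender_domain} (resembles {lookalike})")
        else:
            findings.append(f"sender domain {sender_domain} is not trusted")

    # Sign 1 (links): every link should belong to the company that supposedly sent it.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in extract_links(body):
        link_domain = registrable_domain(urlparse(url).hostname or "")
        if link_domain not in TRUSTED_DOMAINS:
            findings.append(f"link {url} points to untrusted domain {link_domain}")

    # Sign 3: threats or demands for immediate action in subject or body.
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in THREAT_WORDS if w in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("RED FLAG:", finding)
```

Run against the sample, the script reports three findings: the look-alike sender domain, the login link pointing at that untrusted domain, and the pressure words in the subject. The two-label domain extraction is deliberately simple; a production check would use the public suffix list so that names like example.co.uk are handled correctly.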

Remember 

DO 

  • Be vigilant when checking emails. Always give full attention to the task at hand and never give any suspicious sender the benefit of the doubt. 
  • Look at the “from” address. An email is fraudulent if it says it’s from a legitimate organization (e.g. a bank or financial institution) but comes from something like a Gmail account.  
  • Make sure your endpoint protection and patches are current. 

DON’T 

  • Don’t give out personal information or financial data. 
  • Don’t click on a link, open an attachment or call phone numbers provided in unexpected emails.  
  • Don’t use the same password for every account. Using a different password for each account protects you if one of them is phished: the attacker will have trouble accessing the others. Also, change passwords right away if you think you have been breached.

 

Be prepared: phishing email scam tactics are always evolving. Stay up to date and learn as much as you can about the latest methods that attackers are using. The more educated you are and the more exposure you have, the better you will be able to identify advanced techniques.

Businesses may also consider implementing anti-phishing and user awareness training programs to educate all of their employees. Contact us with any questions about phishing or to start your user awareness training program today!  

Sneaky Data Leaks

What if we told you that you could be responsible for your own identity theft? Personal information shared on social media networks can be pieced together into exactly the mix that attackers use to steal your identity and access your accounts.

Most of the time, social media is a fun space to stay connected with friends and family. However, as sharing every detail of life becomes the norm, it jeopardizes your data and information.

What are attackers after?

The simple answer is money. And if they cannot get cash, then personal information becomes just as valuable. Why? Personal information is required in all aspects of life. Personally identifiable information includes:

  • Name
  • Date of birth
  • Social security number
  • Driver’s license number
  • Address
  • Email address

Think about what that information is associated with – bank accounts, mortgage, retirement, etc. The dedicated attackers will use whatever they can access to achieve their goal, which is to profit.

Where do you have personal information living?

Protecting online information is a lot like locking your house and car. It is just something we have all learned and know to do. The first step in protecting information is recognizing the type of information you have shared online, especially on social media platforms.

For example, security question answers are being given away. Whether in listicle-style posts or back-to-school trends, fun social media prompts ask specific questions that overlap with common security questions, putting your identity at great risk.

At the end of the day, second-guess what you are posting and the information you’re revealing. You might think that you know all your connections and it is simply fun with friends and family, but malicious people are everywhere online.

Ask yourself, is this post worth risking my identity?


2022 Cybersecurity Trends

Whether you’re chasing compliance, optimizing operations or reducing overall risk, here are the great 8 cybersecurity trends for 2022 to help you accomplish your goals.

The State of Cybersecurity in 2022

As we enter 2022, more time separates us from the whirlwind of 2020 and the scramble to secure and manage different environments. Yet, conditions created in 2020 continue to influence cybersecurity trends and projects as security teams work to protect organizations.

The Great 8 Security Projects + How to Achieve Them (with Results)

Identity Access Management (IAM)

IAM programs have gained significant traction in recent years, and in 2022 they are a must-have. An organization-wide program shifts proactive risk mitigation from networks and devices to people. Gain control by defining and managing roles: who has access to what, no matter where they are physically located. IAM is a true program, not a quick fix.

Luckily, Brite worked with our partner Integral Partners to compile a guide on The Right Way to Create an IAM Strategy and Roadmap.

Accurate Asset Inventory

Take advantage of the new year and kick off an accurate, blind-spot-eliminating asset inventory. We can’t protect what we don’t know exists. For this reason, most of the common security frameworks list asset inventory as control number 1. Implementing the right visibility tool goes beyond device asset inventory and also provides real-time data for informed decisions, especially when trying to implement a zero trust strategy.

What tool do we recommend for the job? Forescout of course! Forescout’s real-time device visibility, control and orchestration makes it an invaluable cybersecurity pocketknife.

Vulnerability Management

Vulnerabilities: the epitome of cybersecurity and obviously not a new concept. What is different in 2022 is how they are managed effectively. Risk-based vulnerability management automatically prioritizes the most critical vulnerabilities, so resource-strained operational teams know where to focus their efforts. Effective vulnerability management greatly reduces the potential attack surface, yet many organizations struggle to reliably scan and remediate systems. Combine expert appliance configuration, ongoing maintenance, and threat investigation and response for a holistic approach to vulnerability management.

Remote Access

With our work environment forever changed, we need to secure remote work systems and their access to critical applications wherever those are hosted. Cloud migrations accelerated in 2020 and 2021 out of necessity. These changes increased the need for the advanced protection and visibility that Cloud Access Security Broker (CASB) and Secure Access Service Edge (SASE) technologies provide. With the right execution, your team can regain on-premises-level visibility, application control and data protection for remote devices.

Zero Trust

Like IAM, Zero Trust continues the narrative of access and places the attention on users. Zero Trust uses a “never trust, always verify” approach to monitor and validate users, devices and privileges. Instead of the traditional “trust, then verify” method, this ensures that no actor, whether malicious or unintentional, gains unauthorized access to data.

Again, since Zero Trust is a company-wide program and not a single project, proper planning is necessary for success. Our Guide to Planning a Zero Trust Strategy will help set you in the right direction.  Also check out our recent webinar How to Enable a Zero Trust Strategy with Forescout.

User Awareness Training

Have you picked up on a theme yet? Users are becoming increasingly important in establishing secure defenses. A hands-on, comprehensive training program empowers all users to identify attacks and become a proactive last line of defense instead of a liability. Additionally, as more insurance policies require user awareness training programs, organizations can gain compliance and become more secure with a customized user awareness program.

XDR

Tools are great. We at Brite love a strong tool set. What we don’t love is disjointed alerts that exhaust security teams. XDR rounds out your security approach by normalizing data from any source, correlating that data and then allowing for automated and appropriate response when desired. XDR is what everyone hoped a SIEM would be: effective and actionable. A co-managed open XDR platform allows previously disconnected security tools to be leveraged for quicker incident detection and response.

How do your top priorities for 2022 align with Brite cybersecurity trends?


Phishing Emails Are Getting Smarter – Are You?

We’re all aware of the threat of phishing attacks. It’s sometimes assumed that technically minded people are immune to phishing, but even the most savvy can be duped. The latest phishing attack making headlines has a 90% success rate. You may be familiar with the standard phishing language below, but what about non-traditional methods?

Standard Phishing Language:

  1. Please see your invoice attached
  2. Click here to open your scanned document
  3. Your package has shipped – your shipping receipt is attached
  4. I want to place an order for the attached list
  5. Please verify this transaction

COVID Phishing Language:

  1. Password Check Required Immediately
  2. Vacation Policy Update
  3. Branch/Corporate Reopening Schedule
  4. COVID Awareness
  5. Free COVID Tests (from an untrusted source)

Top Tips to Not “Bite”

Brite’s partner, Proofpoint, presents its research on employees’ interaction with phishing emails in ‘The Human Factor’ report. This research shows that every organization has at least one user who will click on a malicious email. To protect your organization, users and data against the latest attacks, we recommend the following:

  • Invest in mail gateway solutions capable of detecting and preventing advanced attacks, including those that do not involve malware. This step helps minimize the number of threats coming into the network. Once these threats are inside the network, malware and malicious traffic may be more difficult to detect and distinguish from legitimate business traffic.
  • Never allow emails with attached executable code to be delivered. Likewise, do not allow people to share code over email. Enact simple rules that block .exe or .js attachments to prevent obvious malicious exploits from entering your environment.
  • Deploy security solutions that can correlate activity across threat vectors. That capability gives you deeper insight into attacks to help you resolve them, block future attacks, and more easily detect those that do get through.
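The second bullet, blocking .exe and .js attachments, is easy to express as a gateway rule. The Python below is an added example, not Proofpoint’s or Brite’s code: it walks a constructed multipart message, blocks any attachment whose final extension is on a blocklist (so a double extension like invoice.pdf.exe is still caught) and, going one step beyond the bullet, also rejects content that begins with the MZ header of a Windows executable regardless of what the file name claims. The sample message, its three attachments and the BLOCKED_EXTENSIONS set are constructed for the example.

```python
import os
from email import message_from_string

# Extension blocklist from the bullet above (.exe and .js); extend it to taste.
BLOCKED_EXTENSIONS = {".exe", ".js"}

# Constructed sample (not a real message) with three attachments:
#  - a double-extension executable named to look like a PDF,
#  - a genuine PDF (its bytes start with %PDF),
#  - an executable renamed to .jpg (caught by content, not by name).
SAMPLE_MESSAGE = """\
From: sender@example.net
To: ap@corp.example
Subject: Please see your invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see your invoice attached.
--XYZ
Content-Type: application/octet-stream; name="Invoice_2021.pdf.EXE"
Content-Disposition: attachment; filename="Invoice_2021.pdf.EXE"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ
Content-Type: application/pdf; name="terms.pdf"
Content-Disposition: attachment; filename="terms.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ
Content-Type: image/jpeg; name="photo.jpg"
Content-Disposition: attachment; filename="photo.jpg"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ--
"""


def has_blocked_extension(filename):
    """True if the *last* suffix is blocked; catches 'invoice.pdf.exe' and 'setup.Js '."""
    _, ext = os.path.splitext(filename.strip().lower())
    return ext in BLOCKED_EXTENSIONS


def evaluate(raw):
    """Return [(filename, [reasons])] for every attachment; empty reasons = allowed."""
    msg = message_from_string(raw)
    verdicts = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = []
        if has_blocked_extension(name):
            reasons.append("blocked extension")
        if data.startswith(b"MZ"):  # DOS/PE header: a Windows executable whatever the name says
            reasons.append("executable content (MZ header)")
        verdicts.append((name, reasons))
    return verdicts


def should_reject(raw):
    """Gateway decision: reject the whole message if any attachment is flagged."""
    return any(reasons for _, reasons in evaluate(raw))


if __name__ == "__main__":
    for name, reasons in evaluate(SAMPLE_MESSAGE):
        print(f"{name}: {'BLOCK (' + '; '.join(reasons) + ')' if reasons else 'allow'}")
    print("message rejected:", should_reject(SAMPLE_MESSAGE))
```

The name check alone would let photo.jpg through, which is why the content check matters: renaming is the cheapest way around an extension rule. Archives (.zip) that wrap executables need a further step, unpacking and applying the same checks to each member, which this example does not cover.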

Concerned about whether your organization is protected from phishing attacks? Contact us and we’ll connect you with a Brite representative.

3 Steps If You Receive a Business Fraud Email

Business email fraud is a highly specific and targeted tactic used in phishing emails for monetary gain. Would you rather learn how to spot one, or cost your company thousands? Hopefully it’s the former, because this blog shares insights into:

  • What is business email fraud?
  • How to spot it.
  • 3 steps if you receive a business fraud email

What is business email fraud?

We hinted at it above; now let’s dive into what business fraud is. Business fraud (also known as CEO fraud or business email compromise) is when an email that appears to come from a business leader or executive makes an urgent request for an exchange of money with a third party. These requests often correlate to strategic events taking place in their personal or professional lives. Common requests include:

  • Pay unexpected invoice immediately
  • Wire a large sum of money to third party
  • Buy 100 Apple gift cards from a specific link

In any case, large amounts of money are lost and are not retrievable. Since the monetary value is high, attackers spend time researching targets to craft accurate asks that are relevant to operations or correspond to life events.

3 steps if you receive a business fraud email

There are three best practices to follow when you suspect business email compromise.

  1. Use common sense. If it smells like a fish, it is probably a fish.
  2. Do not reply or share any information.
  3. Call the sender directly or start a new email chain to confirm the requested action. It is better to follow up with the individual than to cost the company thousands of dollars.

Remember, the theme of business fraud emails is financial requests. Those in accounting, HR and management should be aware of and educated on business fraud to prevent damaging attacks. People are the last line of defense; let’s #BeCyberSmart.

5 Ways to Spot Phishing Emails

Scam artists are sneaky, deceitful and intentional, whether on the street, on the phone or online. We’ve all been exposed to, or worse, been the victim of a scam. Today’s modern pickpockets have carefully orchestrated phishing emails designed to manipulate and target people’s instincts. That leaves us needing to learn how to spot phishing emails.

The right inbox mentality

How many unread emails do you have right now? Our inboxes are constantly bombarded with new messages, so you must open your inbox with an attentive mentality. A successful phishing email gets the victim to complete an action: enter login information, wire money, purchase gift cards, etc. When you’re not focused and vigilant, your risk greatly increases.

After a quick scroll through hundreds of emails, it is easy to glance over one and assume it is legitimate, especially when you think it’s from a trusted source such as Amazon, your boss or even the CEO.

The bottom line is that you need to minimize distractions when you tackle your inbox, so that you can do it strategically and safely.

How to spot phishing emails

Once you’re in your inbox, there’s a checklist of criteria for evaluating each email to determine whether it is legitimate. Some are more obvious than others, but you should always check:

  1. Inconsistent domains, links and email addresses.
    Look for slight changes in well-known domains and see if link URLs are consistent with the sender domain.
  2. Poor spelling and grammar.
    Bad actors often strategically use poor grammar and misspellings to filter out the more critical people, leaving those who act more likely to complete the desired action.
  3. Suspicious demand for action.
    Think it is odd that your password is being requested via email link, or that your boss wants you to buy 10 gift cards from a website? It probably is.
  4. Request from a vendor to an unassociated email address.
    Know which email address is associated with each account. Be wary of requests to non-associated addresses.
  5. Unexpected attachments or email.
    Not expecting to hear from someone or to see an attachment? Follow your instincts and be suspicious.

Tactics are ever-evolving, so stay up to date on the latest methods to always be prepared. Attackers prey on and manipulate human instinct and emotion. The more exposure you have to evolving tactics, the more prepared you will be to spot them. Also, consider having your organization implement anti-phishing and user awareness training programs to collectively educate all users.

Password Fails.

Ah, passwords: the annoying gate to every digital account. And since it’s 2021 and everything is online, the accounts and passwords add up. Just as we pay taxes and wear seatbelts, it feels as if we need to create an account just to do simple browsing. Nonetheless, passwords are a necessary evil; they exist to keep your data and information protected. So it is important to talk about how to avoid common password fails that jeopardize your identity.

Password fails: What not to do

We’re sorry to say that 123465789 is not a strong, secure password. Attackers research targets and piece together information. When you use an easily guessable password, they can not only access that account but use the same information to access multiple accounts.

How can you keep that from happening? Stop using these common password fails:

  • Significant other’s name
  • Kids’ names
  • Pet names
  • 123
  • 123456789
  • qwerty
  • Your house number
  • Birthday
  • Anniversary

Not only are those bad, but saving your passwords on post-it notes out in the open (on your keyboard, or in a Word doc on your desktop) is asking for identity theft.

Taking the time to build strong password habits now will save you bigger headaches in the future.

How to create a strong password

Long and complex is the key to a strong password. Password requirement lists exist for a reason; use them as a guide along with:

  1. Use a mix of characters (capitalization, symbols, numbers)
  2. Avoid common substitutions (0 for O, or 1 for I, etc.)
  3. Again, make it loooooooooooooooooong (12 or more characters)
  4. A different password for every account. Never repeat.
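The four rules above, together with the list of common password fails earlier in the post, can be turned into a checker. The Python below is an added example and not a Brite tool: it enforces the 12-character minimum, requires a mix of character classes (assumed here to mean at least three of lowercase, uppercase, digits and symbols), undoes common substitutions such as 0 for O and 1 for I before searching for weak fragments and personal information, and reports a password reused from another account. The COMMON_FAILS set comes from the post; the personal-information tuples and sample passwords are constructed for the example.

```python
import re

MIN_LENGTH = 12  # rule 3: 12 or more characters

# Common password fails named in the post (names, house numbers and dates are
# supplied per user via the `personal` argument instead).
COMMON_FAILS = {"123", "123456789", "qwerty"}

# Rule 2: substitutions that attackers try automatically, so they add no strength.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                               "7": "t", "@": "a", "$": "s", "!": "i"})

# Rule 1: character classes; the example assumes "a mix" means at least three of the four.
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def normalise(text):
    """Lower-case and undo common substitutions so 'F1d0' is compared as 'fido'."""
    return text.lower().translate(SUBSTITUTIONS)


def check_password(pw, personal=(), used_elsewhere=()):
    """Return a list of problems; an empty list means every rule passed."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(1 for p in CLASS_PATTERNS if re.search(p, pw)) < 3:
        problems.append("uses fewer than three character classes")

    raw, norm = pw.lower(), normalise(pw)
    weak = sorted(w for w in COMMON_FAILS if w in raw or w in norm)
    if weak:
        problems.append("contains common password fragment(s): " + ", ".join(weak))
    leaked = sorted(p for p in personal if p and (p.lower() in raw or normalise(p) in norm))
    if leaked:
        problems.append("contains personal information: " + ", ".join(leaked))

    # Something matched only after undoing substitutions: the disguise was the only "strength".
    if any(w in norm and w not in raw for w in weak) or \
       any(normalise(p) in norm and p.lower() not in raw for p in leaked):
        problems.append("relies on common character substitutions (0 for O, 1 for I, ...)")

    if pw in used_elsewhere:  # rule 4: a different password for every account
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a classic fail, a disguised pet-plus-surname, a long passphrase.
    for candidate, info in [("123456789", ()),
                            ("F1d0!Sm1th2019", ("Fido", "Smith")),
                            ("correct horse battery staple 42!", ())]:
        print(f"{candidate!r}: {check_password(candidate, personal=info) or 'OK'}")
```

The middle sample shows why rule 2 exists: “F1d0!Sm1th2019” satisfies the length and character-mix rules, yet once the substitutions are undone it is just a pet name, a surname and a year. The long passphrase passes without any uppercase letter, which illustrates the post’s point that length is what does most of the work.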

Password management

Look, we get it. Just the thought of a different, complex password for every account is dreadful. Luckily, there are several solutions out there to help. Password managers are a lifesaver and incredibly easy to use. For example, LastPass, or simply the built-in password vaults from Apple and Google, are a starting point for managing and protecting passwords. Be sure to do your own due diligence and research the security features and reputation of each.

At the end of the day, we each have the responsibility of protecting our identity and passwords. Good habits start today. Go update your accounts and passwords with the guide above.
