“Just plug it in, and if it works, we’re done.” This is the philosophy many unregulated countries apply to their cabling systems, and those systems end up looking like the pictured telephone pole. It is also an unfortunate reality for a lot of small and medium-sized businesses’ IT networks and systems.
Due to shrinking budgets, overworked and under-resourced IT staff, and the exponential curve of new technologies and systems being added to an organization’s technology landscape, many companies are still building onto their old systems in a piecemeal approach, while at the same time neglecting or ignoring the need to upgrade or patch their existing systems for vulnerabilities in fear of breaking the entire network.
This method works — but it is a house of cards that’s easily toppled because of the unmanageable nature of such an approach. It eventually leads to hundreds or even thousands of security and stability risks, leaving your business susceptible to a breach.
This is what we’re seeing with the BlueKeep vulnerability. The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued an “update now” warning for Microsoft Windows users months ago, so why are there over a million machines still unpatched against this vulnerability?
Many of these systems are likely part of a tangled cobweb-like information system, hopelessly buried in layer after layer of undocumented in-the-moment fixes or add-ons. It’s likely that in some cases it’s so risky to patch them that the system owners are practically throwing their hands up in the air and simply hoping nothing happens.
CISA researchers tested BlueKeep against Windows 2000 machines, achieved remote access to a computer and were able to make changes to anything connected to these machines. This exploit can move across a network, rapidly spreading to anything and everything. That means it can infect, replicate and spread through an organization’s entire infrastructure in seconds – much like the devastating NotPetya malware.
The systems that are susceptible are both out-of-support systems (Windows 2003 and Windows XP), and unpatched in-support systems (Windows 7, Windows Server 2008 R2, and Windows Server 2008). However, Windows 8 and 10 are not impacted.
Millions of systems are still at risk, but Microsoft has already released patches for all affected systems. Here are the tips CISA has offered to fix this vulnerability:
- Install available patches released by Microsoft – even for systems that are no longer officially supported, including Windows Vista, Windows XP, and Windows Server 2003.
- Upgrade end-of-life (EOL) operating systems. You should upgrade systems that are no longer supported by Microsoft to supported ones, such as Windows 10.
- Disable any services the OS isn’t using.
- Enable Network Level Authentication (NLA). This forces a session request to be authenticated before the session is established and effectively mitigates BlueKeep.
- Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall. Because port 3389 is used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user’s network. However, this also blocks legitimate RDP sessions from outside, and it may not prevent unauthenticated sessions from being initiated inside the network.
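The following script is an added example (it is not part of the original post, and it is not CISA’s or Microsoft’s tooling) that audits, and with `-Apply` applies, the host-level counterparts of the mitigations above on a Windows 7 / Server 2008 (R2) machine: checks whether the host’s NT version falls in the affected range, whether a patch KB you pass in is installed, whether NLA is required on the RDP-Tcp listener, and whether the host firewall blocks inbound TCP 3389 on the Public profile. The `-Apply` and `-PatchKb` parameters and the firewall rule name are this script’s own choices; everything else is built-in Windows tooling (WMI, `Get-HotFix`, `netsh`). Run it from an elevated PowerShell prompt.

```powershell
<#
  Added example (not from the original post, CISA or Microsoft): audit, and with
  -Apply enforce, the two host-level BlueKeep mitigations listed above on a
  Windows 7 / Server 2008 (R2) host. Parameter names and the firewall rule
  name are assumptions of this example.
#>
param(
    [switch]$Apply,         # without -Apply the script only reports
    [string]$PatchKb = ''   # KB ID from Microsoft's BlueKeep advisory, e.g. 'KB<number>'
)

$os = Get-WmiObject -Class Win32_OperatingSystem
# NT version: 5.x = 2000/XP/2003, 6.0 = Vista/2008, 6.1 = 7/2008 R2 (all affected);
# 6.2 and later (Windows 8/10, Server 2012+) are not affected, per the text above.
$ver = [version]$os.Version
$affected = ($ver.Major -lt 6) -or ($ver.Major -eq 6 -and $ver.Minor -le 1)
Write-Host ("{0} (NT {1}) in the affected range: {2}" -f $os.Caption, $os.Version, $affected)
if (-not $affected) { return }

# 1. Patch level: only checkable when the caller supplies the KB ID.
if ($PatchKb) {
    $hf = Get-HotFix | Where-Object { $_.HotFixID -eq $PatchKb }
    if ($hf) { Write-Host "Patch ${PatchKb}: installed on $($hf.InstalledOn)" }
    else     { Write-Warning "Patch ${PatchKb}: NOT installed" }
}

# 2. Network Level Authentication on the RDP-Tcp listener: with NLA the client
#    must authenticate before any session is set up.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
if ($ts.UserAuthenticationRequired -eq 1) {
    Write-Host 'NLA: already required'
} elseif ($Apply) {
    $ts.SetUserAuthenticationRequired(1) | Out-Null
    Write-Host 'NLA: enabled'
} else {
    Write-Warning 'NLA: NOT required (re-run with -Apply to enable)'
}

# 3. Host-firewall counterpart of the perimeter block: drop inbound TCP 3389 on
#    the Public profile. As the text notes, a block at the edge does nothing for
#    RDP attempts from inside the trusted network, so this complements NLA
#    rather than replacing it.
$ruleName = 'Block inbound RDP (TCP 3389) - BlueKeep'
$existing = netsh advfirewall firewall show rule name="$ruleName" 2>&1
if ($existing -match 'No rules match') {
    if ($Apply) {
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block `
            protocol=TCP localport=3389 profile=public | Out-Null
        Write-Host "Firewall: added rule '$ruleName'"
    } else {
        Write-Warning 'Firewall: no inbound block for TCP 3389 on the Public profile'
    }
} else {
    Write-Host "Firewall: rule '$ruleName' present"
}
```

Running it without `-Apply` is a safe first pass across a fleet (for example through a remote-execution tool): it only reports, so you can see which hosts still lack NLA or the port block before changing anything. The firewall rule is scoped to the Public profile on purpose, so that legitimate RDP from the Domain and Private profiles keeps working; tighten the profile if your environment does not use RDP internally.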
How to Dig Out and Break the Cycle: Prevent Vulnerabilities in the Future
If you aren’t using one of these susceptible Microsoft systems, that’s great, but that doesn’t mean you’re safe. A safe and secure environment, one in which a vulnerability like BlueKeep does not lead to a data breach, is only achieved by first understanding your IT systems and security environment and then making sure software and operating systems are up to date. Performing a security audit and practicing good IT hygiene gets you there, and minimizes your risk from a vulnerability like BlueKeep.
1. Security Asset Management
This is the first and often most overlooked step in the process of creating a comprehensive cybersecurity plan. When companies grow, their IT network becomes more and more complex. Not knowing exactly what and how your networks are being used, which devices are connected to your systems, and what systems are accessing sensitive data is a recipe for extended downtime when a problem occurs, not to mention that the resulting mess opens security holes to the Nth degree as your systems scale.
A security audit can help with security asset management, which is the first step to keeping your network secure. A security asset management tool and a proactive asset replacement program could have protected an organization from the BlueKeep vulnerability as early as 2010 for Windows 2000 machines, because that is when that OS reached end of life.
To create an inventory, you will need to know all the machines within the company, including every computer and device connected to the network (e.g. printers, computers, mobile devices). Create unique identifiers for the devices to better locate information about each.
Next, set up an automated way to track the following information for each device:
- Serial numbers/unique IDs
- IP Addresses
- OS versions
- Software installed and versions
- Software licensing status – how many licenses are held and when they are up for renewal
- Planned maintenance
- Warranty information
- Life expectancy
Creating an asset inventory helps you understand your IT environment, which leads to better decisions when it comes to tools for cybersecurity. With the inventory easily accessible, you can also see what devices are connected to your network and how they are connected. This is especially useful for maintaining awareness of which software or operating systems are at end of life or need patches applied to prevent a breach.
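As an added example of the automated tracking described above (this is not code from the original post or from any inventory product), the script below collects the inventory fields listed in this section from the local Windows machine and appends them as one row to a shared CSV. The unique-ID scheme, the CSV path, the out-of-support cut-off (taken from the OS list earlier in this article) and the warranty/lifetime placeholders are assumptions of this example; the data itself comes from WMI and the registry. It needs PowerShell 3.0 or later for `Export-Csv -Append`.

```powershell
<#
  Added example (not from the original post): collect the asset-inventory fields
  listed above from the local Windows host and append one row to a shared CSV.
  The ID scheme, CSV path, support cut-off and TODO placeholders are assumptions.
#>
param([string]$InventoryCsv = '\\fileserver\it\asset-inventory.csv')   # assumed path

$os   = Get-WmiObject -Class Win32_OperatingSystem
$bios = Get-WmiObject -Class Win32_BIOS
$cs   = Get-WmiObject -Class Win32_ComputerSystem

# Unique ID: vendor serial when present, otherwise the hostname (VMs often report
# an empty serial number).
$serial  = "$($bios.SerialNumber)".Trim()
$assetId = if ($serial) { "$($cs.Manufacturer)-$serial" } else { "HOST-$env:COMPUTERNAME" }

# Every IPv4 address on an IP-enabled adapter.
$ips = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
       ForEach-Object { $_.IPAddress } |
       Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }

# Installed software and versions, from both the native and the 32-bit-on-64-bit
# uninstall keys.
$uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)".Trim() } |
            Sort-Object -Unique

# Most recent hotfix date: a quick signal for "is this box being patched at all?"
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
             Sort-Object InstalledOn | Select-Object -Last 1

# Out-of-support cut-off per the OS list earlier in the article: NT 5.x
# (2000/XP/2003) is out of support. Revisit this line as Microsoft retires
# further versions; that is exactly the awareness the inventory is for.
$ver = [version]$os.Version

$row = [pscustomobject]@{
    AssetId            = $assetId
    Hostname           = $env:COMPUTERNAME
    SerialNumber       = $serial
    IPAddresses        = (@($ips) -join ';')
    OSName             = $os.Caption
    OSVersion          = $os.Version
    OutOfSupport       = ($ver.Major -lt 6)
    LastPatchInstalled = if ($lastPatch) { $lastPatch.InstalledOn } else { '' }
    SoftwareCount      = @($software).Count
    Software           = (@($software) -join ';')
    PlannedMaintenance = 'TODO: from change calendar'   # not queryable from the host
    Warranty           = 'TODO: from vendor record'     # not queryable from the host
    LifeExpectancy     = 'TODO: from replacement plan'  # not queryable from the host
    CollectedAt        = (Get-Date).ToString('s')
}

$row | Export-Csv -Path $InventoryCsv -NoTypeInformation -Append
$row | Format-List
```

Run it from a startup script or a scheduled task so every host reports in on its own; the resulting CSV answers the questions this section raises (which machines exist, what OS and software they run, and which ones are out of support or have not been patched recently) without anyone walking the floor. The three TODO fields are deliberately left for the asset owner, since warranty and replacement dates live in vendor records, not on the machine.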
2. Good IT Hygiene
- Have the right “first-level” protection mechanisms in place, such as anti-virus software, a next-gen firewall and email/spam filtering.
- Update everything routinely. With BlueKeep, susceptible organizations aren’t updating their systems which has opened the door wide for cybercriminals.
- Enforce best password practices – Ensure your employees follow best password practices and implement two-factor authentication.
- Make sure remote workers have secure and encrypted methods of access – Remote workers should use a tool such as a virtual private network (VPN) to allow for encrypted connections from outside the trusted corporate network.
If you need further assistance in performing an asset inventory or putting good IT hygiene practices in place for your business, Stratosphere Networks can help. With our wide range of advanced cybersecurity solutions and in-depth knowledge, we provide our clients with the most up-to-date and secure resources available. Contact 877-599-3999 or email email@example.com to get in touch with one of our security advisors today.