vpn desktop
Fabrizio Baiardi

Fabrizio Baiardi

Fabrizio Baiardi is a Full Professor at Università di Pisa where he has chaired one of the first degree on security of ICT infrastructures. His main research interests are formal approaches to risk assessment and resilience of critical ICT infrastructures. Fabrizio Baiardi has been involved in the risk assessment and management of several systems and of industrial control systems with SCADA components. He has authored several papers on ICT security and currently teaches university courses on security related topics.

Beware of VPN! – on the Importance of Patch Scheduling

It is known that any new software module you run on your system may increase your attack surface. In other words, this module may suffer because of some vulnerabilities an attacker may exploit to control your system and steal some information. Hardening is a well known defense strategy that strips away from your system all the software modules you do not need, even if they are included in the standard distribution/configuration. In most cases, you do not even know you are running these modules.

The law “more software/more vulnerabilities” also holds for all the software we are currently using for remote or smart working. As an example, it holds for the module to build a VPN that connects you at home with your working place. Bloomberg reports that according to the Cybersecurity & Infrastructure Security Agency, known as CISA, an unnamed federal agency has been successfully attacked. The attack has  exploited a well known vulnerability in the Pulse VPN Server. The  vulnerability and the patch to apply had been published in April 2019 in the advisory CVE-2019-11510. Then, in April 2020 a further advice had been published to speed up the patch deployment. The advice stressed that exploitation of the vulnerability was demonstrated at various events and proved to be highly impactful due to the direct access to admin privileges and the consequent ability to infect multiple VPN connected users and their desktops. In other words, all the VPN users can be attacked through this vulnerability.

In spite of these efforts and the huge risk, after 17 months the unnamed federal agency still had to deploy the patch. This shows one more time the importance of patch scheduling and the benefits of knowing which patches you need to deploy to minimize your cyber risk.

Links:

https://www.bloomberg.com/news/articles/2020-09-24/hacker-accessed-network-of-u-s-agency-and-downloaded-data

https://us-cert.cisa.gov/ncas/alerts/aa20-010a

More to explore

Leave a Comment

Your email address will not be published. Required fields are marked *

en_US
it_IT en_US