Welcome to your Cyber Risk Report for the period of March 2017.
This CRR was produced on the 21st of March 2017 by the CISP team at Hedgehog Security. If you have any questions, you can email the team at intel@hedgehogsecurity.co.uk.
This month the Cyber Risk Level is rated as Moderate for the Small and Medium Enterprise. For SME's who wish to understand further their exposure to the external threats, contact the CISP team to arrange a free vulnerability assessment and phishing test.
This Cyber Risk Report uses the POST intelligence model.

Political Risk

Domestic Government and Oppositions

The UK is facing an ongoing, persistent threat of cyber-attack from foreign nation states, terrorists and criminals operating in cyberspace. Principal targets are those directly connected to the National Critical Infrastructure, although targets of opportunity, those connected within the government's supply chain, are also being sought.

Foreign Governments

Russia and associated countries are conducting continual cyber attacks against the UK's national critical infrastructure. This should be kept in mind by organisations that deal with public sector systems, such as organisations with an entry point to the NHS N3 network.


Operational Risk

Microsoft Patches

Following Microsoft's skipped update release in February, this month is a little heavy. 18 patches in all have been released and 50% of them are rated critical.
While most of the updates are for Windows, there is also a patch for Exchange Server and a couple for Office. We also have the usual Internet Explorer and Edge browser cumulative updates. In addition, some of the updates are for Windows roles or features that not everyone will have enabled.

Critical updates

MS17-006: This is the monthly cumulative update for Internet Explorer versions 9, 10 and 11, running on all currently supported versions of Windows. It is rated critical for client operating systems and moderate for servers.
The update addresses 12 vulnerabilities. Vulnerability types include remote code execution, browser spoofing, elevation of privilege, information disclosure and security feature bypass, with memory corruption issues that can lead to RCE being the most serious. There are no mitigations or workarounds published. The update fixes the problems by changing the way the browsers, JScript and VBScript handle objects in memory and parse HTTP responses, and by restricting what information is returned to affected browsers.
MS17-007: This is the monthly cumulative update for the Edge browser, running on Windows 10 and Server 2016. It is rated critical for the client and moderate for the server.
The update addresses an impressive 32 vulnerabilities, which include a plethora of memory corruption issues that can be exploited for remote code execution, along with browser spoofing, elevation of privilege, information disclosure and security feature bypass. There is an interesting PDF memory corruption vulnerability by which Windows 10 systems with Edge set as default browser could be compromised simply by viewing a web site.
The update fixes the problems by changing the way the browsers, JScript and VBScript handle objects in memory and parse HTTP responses, and by restricting what information is returned to affected browsers.
MS17-008: This is an update for Hyper-V in Windows, running on all supported versions of Windows client and server operating systems. Some of these vulnerabilities affect the server core installation. It is rated critical for all.
The update addresses 11 vulnerabilities, which include remote code execution, denial of service, and information disclosure. In all cases, systems that do not have the Hyper-V role enabled are not affected.
MS17-009: This is an update for the Windows PDF Library in Windows 8.1 and RT 8.1, Windows 10, and Windows Server 2012, 2012 R2, and 2016. It is rated critical for all.
The update addresses a single vulnerability, which is a PDF memory corruption issue (also addressed and discussed in the cumulative browser update above). Windows 10 systems with Microsoft Edge set as the default browser can be compromised simply by viewing a website. The browsers for other affected operating systems do not automatically render PDF content, so an attacker would have no way to force users to view attacker-controlled content.
MS17-010: This is an update for the Windows SMB Server service in all supported versions of Windows, including RT and the server core installations. It is rated critical for both client and server operating systems.
The update addresses six vulnerabilities, which include five SMB remote code execution vulnerabilities and one SMB information disclosure issue. There is an identified workaround that involves disabling SMBv1; it is described in the security bulletin at https://technet.microsoft.com/library/security/MS17-010
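For administrators who cannot deploy MS17-010 immediately, the bulletin's interim workaround is to turn off the SMBv1 server. The following script is an added example (it is not from the Hedgehog report or the Microsoft bulletin) that audits the local host's SMBv1 server setting and, when run with -Disable, switches it off. It assumes an elevated PowerShell session; the Set-SmbServerConfiguration and DISM cmdlets exist on Windows 8.1 / Server 2012 R2 and later, and the LanmanServer registry value is the route on older systems such as Windows 7 and Server 2008 R2.

```powershell
# Added example: audit and optionally disable the SMBv1 server as the MS17-010
# interim workaround. Run from an elevated PowerShell prompt.
[CmdletBinding()]
param(
    [switch]$Disable   # without this switch the script only reports
)

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    # Windows 8.1 / Server 2012 R2 and later expose the setting through the SMB module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg = Get-SmbServerConfiguration
        return [pscustomobject]@{
            Source  = 'Get-SmbServerConfiguration'
            Enabled = [bool]$cfg.EnableSMB1Protocol
        }
    }
    # Older systems: the SMB1 DWORD under LanmanServer\Parameters. When the value
    # is absent, SMBv1 is enabled by default.
    $val = Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    $enabled = ($null -eq $val) -or ($val.SMB1 -ne 0)
    return [pscustomobject]@{ Source = 'Registry'; Enabled = $enabled }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # -Force suppresses the confirmation prompt; takes effect without a reboot.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry route for Windows 7 / Server 2008 R2; requires a reboot.
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Where the SMB1Protocol optional feature exists (Windows 8.1+), remove it as
    # well so the component is gone rather than merely switched off (reboot needed).
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

$before = Get-Smb1Status
Write-Host ("SMBv1 server enabled: {0} (checked via {1})" -f $before.Enabled, $before.Source)

if ($Disable -and $before.Enabled) {
    Disable-Smb1
    $after = Get-Smb1Status
    Write-Host ("SMBv1 server enabled after change: {0}" -f $after.Enabled)
}
```

Run it once without -Disable across a fleet (for example through a remoting job) to see which hosts still advertise SMBv1, then with -Disable on those that can take it. Disabling SMBv1 breaks clients that speak nothing newer, typically legacy NAS appliances, multifunction printers and Windows XP era hosts, so check file-share dependencies first. The script covers the server side only; the bulletin also documents the client-side (mrxsmb10) steps, and the workaround does not replace installing the update.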
MS17-011: This is an update for Uniscribe in all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows RT 8.1, Windows Server 2012 R2, Windows 10, Windows 10 Version 1511, Windows 10 Version 1607, and Windows Server 2016. It is rated critical for all. (Uniscribe is the Microsoft Windows set of services for rendering Unicode-encoded text.) The update addresses 29 vulnerabilities of both the remote code execution and information disclosure type. They could be exploited via web-based or file-sharing attacks. There are no identified mitigations or workarounds.
MS17-012: This is an update rated critical for Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 10 Version 1607 and Windows Server 2016, and important for Windows Vista, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, and Windows 10 Version 1511. The update addresses six vulnerabilities that include a security feature bypass in Device Guard, denial of service issues in SMB 2.0 and 3.0 clients, and a remote code execution issue related to Windows DLL loading, along with a DNS query information disclosure issue, an elevation of privilege issue caused by the way HelpPane.exe authenticates clients, and an iSNS Server memory corruption vulnerability.
MS17-013: This is an update for the Microsoft graphics component in Windows, Microsoft Office, Skype for Business, Microsoft Lync, and Microsoft Silverlight. It is rated critical for all. The update addresses 12 vulnerabilities, which include multiple Windows GDI elevation of privilege issues, information disclosure vulnerabilities related to GDI, GDI+ and Microsoft Color Management, and multiple remote code execution vulnerabilities.
MS17-023: This is an update for Adobe Flash Player installed on IE 10 and 11 and the Edge browser running on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016. It is rated critical for all.
The update addresses seven vulnerabilities in the Flash Player software that include a buffer overflow vulnerability that could lead to code execution, memory corruption vulnerabilities that could lead to code execution, a vulnerability in the random number generator used for constant blinding that could lead to information disclosure, and use-after-free vulnerabilities that could lead to code execution.

Important updates

MS17-014: This is an update for Microsoft Office 2007, 2010, 2013, 2013 RT and 2016, Office for Mac 2011 and 2016, Office Services and Web Apps, Microsoft Server Software, and Microsoft Communications Platforms and Software. It is rated important for all.
MS17-015: This is an update for the Outlook Web Access component in Microsoft Exchange Server 2013 and 2016. It is rated important for both.
MS17-016: This is an update for the Internet Information Services (IIS) web server component in all supported versions of Windows client and server operating systems. It is rated important for all.
MS17-017: This is an update for the Windows kernel in all supported versions of Windows client and server operating systems. It is rated important for all.
MS17-018: This is an update for the Windows kernel-mode drivers in all currently supported versions of the Windows client and server operating systems, including RT and the server core installations. It is rated important.
MS17-019: This is an update for Active Directory Federation Services (AD FS) in supported releases of Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. It is rated important for all.
MS17-020: This is an update for Windows DVD Maker in Windows Vista and Windows 7. It is rated important for both.
MS17-021: This is an update for DirectShow in all currently supported versions of Windows. It is rated important for all.
MS17-022: This is an update for Microsoft XML Core Services in all currently supported versions of Windows. It is rated important for all.

Laws, Rules and Regulations

The European General Data Protection Regulation is now just over a year away from becoming law. The UK's Information Commissioner has released this article on the GDPR: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
There are no updates to the standard set of monitored laws within the UK.

Regulatory Environment

There are no updates to ISO27001, ISO9001, PCI-DSS, LEXCEL or the NGS-IGT to report on for this period.
If you have a regulatory control you would like to have added to this list, please email intel@hedgehogsecurity.co.uk.

In the News

Gift cards or the iPhone gets it: Hackers threaten Apple with millions of remote wipes
Hackers who claim to have gained access to over 300 million iCloud and Apple email accounts are threatening to wipe user data unless Apple pays a ransom. The self-styled "Turkish Crime Family" are threatening to remotely wipe data from those millions of Apple devices unless Apple pays it $75,000 in crypto-currency or $100,000 worth of iTunes gift cards before a 7 April deadline.
eBay dumps users into insecure authentication mechanism
Web tat bazaar eBay appears to be suggesting its readers adopt known-to-be-insecure practices when logging on to the service. eBay has long offered customers the chance to get their hands on a hard token that generates one-time passwords. But Krebs on Security reports (http://krebsonsecurity.com/2017/03/ebay-asks-users-to-downgrade-security/) that a reader received an email from eBay telling customers: "We're going to make 2 step verification more convenient by texting you a PIN instead of having you use your token."
PoS terminal manufacturer Verifone breached
Retail systems vendor Verifone is investigating a breach of its internal networks that may have affected customers running its point-of-sale (PoS) terminals. Verifone is the second largest credit and debit card terminal manufacturer in the world, and it sells PoS …


Security (Cyber) Risk

Intelligence Feed

Proprietary data not available within the CISP report version.


Threats (Cyber)

At this time, there are no highlighted threats from the "cyber" world other than random attacks from scripted automation systems, chaotic actors and opportunistic malware. Threats remain as follows:

Phishing: The threat of phishing is Severe, with a marked increase in the complexity of the phishing attacks being observed globally.
Known Malware: The direct threat of known malware is reduced to Low due to the complexities of exploitation within generic environments.
Zero-day Malware: Zero-day malware remains a problem and, when combined with the current trends in phishing, poses a Severe risk to general organisations.
Script Kiddie Attack: The threat posed by "script kiddies" is Low. The technical mitigations in place for organisations compliant with Cyber Essentials Plus should defeat these generic script-based attackers.
Hacker Attack: The threat from a skilled hacker is Moderate.
Activist Movement: Proprietary data not available within the CISP report version.
Insider Attack: Proprietary data not available within the CISP report version.