Microsoft has released optional cumulative update previews for Windows 11, Windows 10 version 1809, and Windows Server 2022, with fixes for Direct3D issues impacting client and server systems.
The updates are part of Microsoft’s scheduled April 2022 monthly “C” updates, allowing Windows users to test the fixes released on June 15th as part of next month’s Patch Tuesday.
Unlike regular Patch Tuesday Windows updates, scheduled non-security preview updates are optional. They are issued to test bug fixes and performance improvements before the general release, and they don’t provide security updates.
To install the updates, you have to go to Settings > Windows Update and manually ‘Check for updates.’ Windows will not install them until you click the ‘Download now’ button because they’re optional updates.
You can also manually download and install these cumulative update previews from the Microsoft Update Catalog.
“The preview update for other supported versions of Windows 10 will be available in the near term,” Microsoft said.
Windows 11 KB5014019 update (BleepingComputer)
KB5014019 fixes Direct3D app crashes
Today’s Windows optional updates come with fixes for issues that might cause some applications to crash or trigger various problems.
As Microsoft explained, KB5014019 “addresses an issue that might affect some apps that use d3d9.dll with certain graphics cards and might cause those apps to close unexpectedly.”
The same cumulative update also fixes a known issue affecting specific GPUs and could “cause apps to close unexpectedly or cause intermittent issues that affect some apps that use Direct3D 9.”
This update also fixes an issue that might cause file copying to be slower and another one preventing BitLocker from encrypting when using the silent encryption option.
KB5014019 addresses a known issue impacting the Trusted Platform Module (TPM) driver that might increase the system’s startup time.
What’s new in today’s Windows updates
After installing the KB5014019 non-security cumulative update preview, Windows 11 will have the build number changed to 22000.708.
Addresses an issue that causes blurry app icons in Search results when the display’s dots per inch (dpi) scaling is greater than 100%.
New! Windows spotlight on the desktop brings the world to your desktop with new background pictures. With this feature, new pictures will automatically appear as your desktop background. This feature already exists for the lock screen. To turn on this feature, go to Settings > Personalization > Background > Personalize your background. Choose Windows spotlight.
Addresses an issue that fails to maintain the display brightness after changing the display mode.
This week’s Windows optional cumulative update previews have introduced a compatibility issue with some of Trend Micro’s security products that breaks some of their capabilities, including the ransomware protection feature.
“The UMH component used by several Trend Micro endpoint and server protection products is responsible for some advanced features such as ransomware protection,” the antivirus vendor revealed.
“Trend Micro is aware of an potential issue where customers who apply the optional Microsoft Windows 11 or Windows 2022 optional preview patches (KB5014019) and reboot would then find that the Trend Micro UMH driver would stop.”
The known issue affects the User Mode Hooking (UMH) component used by several Trend Micro endpoint solutions, including Apex One 2019, Worry-Free Business Security Advanced 10.0, Apex One as a Service 2019, Deep Security 20.0, Deep Security 12.0, and Worry-Free Business Security Services 6.7.
The Japanese cybersecurity company is now working on a fix to address this issue before the update previews are pushed to all Windows customers as part of the June 2022 Patch Tuesday.
How to restore Trend Micro endpoint solution capabilities
Luckily, unlike regular Patch Tuesday Windows updates, this week’s preview updates are optional and they were issued to test bug fixes and performance improvements before the general release.
Windows users have to manually check for them from Settings > Windows Update. They will not be installed until you click the ‘Download now’ button, limiting the number of potentially impacted users.
Impacted Windows platforms include both client and server versions with the problems experienced on systems running Windows 11, Windows 10 version 1809, and Windows Server 2022.
Trend Micro customers who have installed the optional Windows optional patch may either uninstall the patch temporarily or reach out to support to get a UMH debug module that should revive their security solution’s capabilities.
Windows users can remove the preview updates using the following commands from an Elevated Command Prompt.
Windows 10 1809: wusa /uninstall /kb:5014022
Windows 11: wusa /uninstall /kb:5014019
Windows Server 2022: wusa /uninstall /kb:5014021
A poor password at the highest levels of an organisation can cost a company millions in losses.
Recent findings show that half of IT leaders store passwords in shared documents. On top of that, it seems that folks at executive level are not picking good passwords either. Researchers from NordPass combed through a large list of CEO and business owner breaches. Their findings should renew considerations for additional security measures at executive level.
The findings
The five most common passwords among C-level executives, managers, and business owners were “123456”, “password”, “12345”, “123456789”, and our old friend “qwerty”. Terrifyingly, but perhaps not surprisingly, this looks exactly like every other list of the most frequently used passwords, suggesting no extra precautions are in place (or enforced) at the top.
Executives really love to use the names “Tiffany”, “Charlie”, Michael”, and “Jordan” for their passwords. I was curious to know if these are the names of executives’ name their kids. My entirely unscientific trawl for the names of CEO’s children turned up list of CEOs themselves. Henry, William, Jack, James, and David are all very popular names. This doesn’t match up with our list of password names. However, there is one list which claims that the Michaels of this world are most likely to become CEOs. Are CEOs naming their passwords after themselves? I’d like to think not, but then I probably wouldn’t have expected to be writing about “123456” either.
Animals and mythical creatures are popular choices. When not naming passwords after themselves, dragons and monkeys are both incredibly popular and also incredibly easy to guess.
Breaking and entering
Common ways corporate breaches and basic passwords spill all over the floor are issues we’ve covered at length. We recently highlighted recommendations from the Cybersecurity and Infrastructure Security Agency which deal with most of the causes of CEO password loss.
A combination of weak and reused passwords, and risky password-sharing habits make up the majority of hits on the “these passwords can lead to nothing good” indicator.
What happens when you combine bad password practices with human error and poor security infrastructure? These weak and obvious passwords just help to bring the whole thing crashing down that little bit faster.
There are some very smart attacks and compromises out there. Clever attackers can exfiltrate data from a network for weeks or months before making a more overt move. You’d expect people hijacking CEO data to be made to really work for it at every level. Sadly this research seems to suggest the opposite is happening in a lot of cases.
If nothing else, I’d love to see the actual response on the part of the criminals. What do they think when pulling down a C-Level executive’s data and discovering their email password is “sandwich”? Are they surprised? Is it business as usual? Do they think it can’t possibly be real, and they’re staring down the wrong end of a prank or law enforcement bust?
Is the CEO password sky falling? A word of caution…
There are some caveats here. The research doesn’t go into detail with regard to additional security measures in place. Yes, a CEO may have the worst password you’ve ever seen. That doesn’t mean the business has been popped right open.
Maybe they had two-factor authentication (2FA) set up. The password may be gone, but unless the attacker also has access to the CEO’s authentication app on their phone, it may not be much use. The CEO may use a hardware authentication token plugged into their desktop. Admins may have set up that one machine specifically for use by the CEO, for all CEO-related activity. It may not be usable remotely, and could be tied to a VPN an added precaution.
Having said all of that…
Manager? Use a password manager
If we’re talking purely about fixing the short, terrible, obvious passwords, then some additional work is required. 2FA, lockouts, and hardware tokens are great. Ultimately they’re fixing a myriad of additional problems regardless of whether the password is good or bad.
To fix bad password practices, we need to look to tools which can improve them and help keep them a bit more secure at the same time. I am talking about password managers, of course.
A password manager is a software application that gets around the twin evils of poor passwords and password reuse by creating strong, random passwords and then remembering them.
They can function online, so they are accessible via the web and can sync passwords between devices, or they can work entirely offline. Offline password managers are arguably more secure. Online components can add additional risk factors and a way for someone to break in via exploits. The important part is to keep the master password to access your vault secure, and to use 2FA if available for an additional layer of protection. Make your master password long and complex—don’t use “qwerty”.
Password managers with browser extensions can help deter phishing. Your password manager will object to entering a password into the wrong website, no matter how convincing it looks. No more risk of accidental logins!
Some password manager tools allow you to share logins with other users in a secure fashion. They don’t show or display the password to the other users, rather they just grant a form of access managed by the tool or app itself. If your CEO has no option but to share a password with somebody else, this is the only safe way to do it.
There’s never been a better time to wean ourselves away from shared password documents and the name “Michael” as the digital keys to an organisation’s kingdom. It’s perhaps time for CEOs and other executives to lead from the front where security is concerned.
It’s only been 4 months since the previous major release but we’re already excited to welcome WordPress 6.0. Of course, as with every other major release, you can expect loads of loads of improvements and exciting new features. This new version is no different. WordPress 6.0 continues to refine and iterate on the tools and features introduced in earlier releases. Let’s dive deeper into what WordPress 6.0 brings to your table!
For starters, this release will include all the great new features, enhancements and gains from Gutenberg 12.0 and 13.0. At the same time, developers and contributors continue to work on bug fixes and improvements that significantly impact the overall user experience on WordPress. This translates to over 400 updates, 500 bug fixes, and 91 new features in just one release, which is huge!
We’re getting an improved list view experience, style theme variations, additional templates, new blocks, new enhancements to the block editors and many more. Since there are many new things coming in this release, we’d like to bring your attention to some of the features and improvements that will likely have an impact on the way you use WordPress.
Full site editing enhancements and new features
Full site editing was the talk of the town when this major feature was introduced in previous releases. WordPress 6.0 continues to build upon the groundwork laid in 5.9 and further improves on what you can do with full site editing. You will need to use a block-based theme such as WordPress’s Twenty-Twenty-Two to take advantage of full site editing.
Style variations and global style switcher
Many people in the WordPress community are excited about this feature in the Site editor. You’ll be able to use theme variations derived from one single theme using various color and font combinations. It’s kind of like having several child themes but integrated into one single theme. And it’s incredibly easy to apply a new style variation across your entire site. From now on, you’ll be able to change the look and feel of your website with just a click.
Easily change the look and feel of your site using style variations
Theme export capability
Another huge improvement to full site editing specifically and the WordPress platform as a whole is the ability to export block themes. Any templates, layouts and style changes you made can be saved and exported to a .zip file. This feature is huge because it’s paving the way for visual theme building. You can create a WordPress theme just by purely using Gutenberg blocks. And of course, no coding knowledge is required!
To export your theme, go to your Site editor and click on the 3 dots icon in your top right corner. There should appear a menu with the option to download your theme.
New templates
Being able to use and customize templates to build your website content is great because it helps you to save time. We had templates to work with in previous WordPress versions, but the options were limited. WordPress 6.0 expands on this and introduces several new templates for specific functions. These include templates for displaying posts from a specific author, category, date, tag, or taxonomy.
New template options in the site editor
List view enhancements
When you access the list view in WordPress 6.0, you will see that your blocks are grouped together and collapsed instead of showing everything like in previous versions. This will make navigating the list view much easier. Next to this, when you’re working on a page with the list view open and you click anywhere on the page, it will highlight precisely where you are in the list view. Anyone who regularly works on complex pages should appreciate this enhancement.
The improved list view experience in WordPress 6.0
Block editor enhancements
New core blocks
WordPress 6.0 will ship with several new blocks including post author biography, avatar, no result in query loop and read more. We want to point you to the new comment query loop block because it further ‘blockifies’ the comment section of your post. With this new block, you’ll get plenty of customization options to design the comment section the way you want to.
The comment query loop block lets you customize your comment section
More features and enhancements
There are quite a lot of improvements and enhancements to the block editor that we can’t cover everything in this post. Instead, we will mention a few that we think will be the most beneficial for you.
The first new enhancement in the block editor we want to introduce is block locking. Moving forward, you’ll be able to lock a block so it can’t be moved and/or edited. A locked block will display a padlock when you click on it. And when you open the list view, you’ll also see the padlock indicating a locked block. This feature is especially useful if you work a lot with reusable blocks and don’t want anyone messing around with those blocks. It’s also beneficial for preserving design layouts when you’re creating templates or working with clients.
The new block locking UI
Next to that, in WordPress 6.0, when you customize a button and then add a new button using the plus button, it will have the same style as the one you’ve just customized. Before, you would need to redo all the customization if you want to add several buttons with the same style.
Another cool feature in this new version is style retention. It’s now possible to keep a block’s style when transforming certain blocks from one type to another and vice versa. It works with quite a few blocks, ranging from quote, list, code, heading, pullquote, verse, etcetera.
Lastly, the cover block can now dynamically grab your featured image and set it as the background for the cover block. All you have to do is select the ‘use featured image‘ setting and WordPress will do the rest.
The cover block can now dynamically grab your post’s featured image and use it as a background
Writing improvements
You can expect several notable writing improvements in this new version of WordPress. They are not major changes by any means, but you’ll definitely notice and appreciate the refinement in your overall writing experience.
Have you ever tried selecting text from 2 separate blocks and got annoyed because it automatically selected all the text from both blocks? Well, you won’t be bothered by that anymore. From WordPress 6.0 onwards, you can easily select text across blocks and edit it to your liking. This is definitely a quality of life improvement.
You can conveniently select text across blocks in WordPress 6.0
Also coming your way is a new link completer shortcut. You can access this shortcut anytime by typing “[[” and it will show you a list of links on your site. This feature can be handy when you’re doing internal linkings, for instance.
Lastly, WordPress will remind you to add tags and categories as the last step before you can publish a post. When you publish a lot of posts, it can be easy to forget this step so this is quite a neat feature for forgetful folks.
Design and layout tools
We won’t be diving too much into the improvements in design and layout tools, but we do think the following two features deserve a mention.
The first one is transparency control for background, which is very useful when you want to use a background with columns. You’ll surely elevate your post design if you can make use of this feature. The next fun addition to WordPress 6.0 is gap support for the gallery block. This just means you have more control over the spacing of your images, giving you a bit more freedom on how you want to display your image gallery. Anyone can take advantage of these 2 new features, but photography and fashion website runners can probably appreciate them the most.
Thanks to the Malwarebytes Threat Intelligence Team for the information they provided for this article.
Understandably, a lot of cybersecurity research and commentary focuses on the act of breaking into computers undetected. But threat actors are often just as concerned with the act of breaking out of computers undetected too.
Malware with the intent of surveillance or espionage needs to operate undetected, but the chances are it also needs to exfiltrate data or exchange messages with its command and control infrastructure, both of which could reveal its presence to threat hunters.
One of the stealthy communication techniques employed by malware trying to avoid detection is DNS Tunnelling, which hides messages inside ordinary-looking DNS requests.
The Malwarebytes Threat Intelligence team recently published research about an attack on the Jordanian government by the Iranian Advanced Persistent Threat (APT) group APT34 that used its own innovative version of this method.
The payload in the attack was a backdoor called Saitama, a finite state machine that used DNS to communicate. Our original article provides an educational deep dive into the operation of Saitama and is well worth a read.
Here we will expand on the tricks that Saitama used to keep its DNS tunelling hidden.
Saitama’s DNS tunnelling
DNS is the Internet’s “address book” that allows computers to lookup human-readable domain names, like malwarebytes.com, and find their IP addresses, like 54.192.137.126.
DNS information isn’t held in a single database. Instead it’s distributed, and each domain has name servers that are responsible for answering questions about them. Threat actors can use DNS to communicate by having their malware make DNS lookups that are answered by name servers they control.
DNS is so important it’s almost never blocked by corporate firewalls, and the enormous volume of DNS traffic on corporate networks provides plenty of cover for malicious communication.
Saitama’s messages are shaped by two important concerns: DNS traffic is still largely unencrypted, so messages have to be obscured so their purpose isn’t obvious; and DNS records are often cached heavily, so identical messages have to look different to reach the APT-controlled name servers.
Saitama’s messages
In the attack on the Jordanian foreign ministry, Saitama’s domain lookups used the following syntax:
domain = message, counter'.'root domain
The root domain is always one of uber-asia.com, asiaworldremit.com or joexpediagroup.com, which are used interchangeably.
The sub-domain portion of each lookup consists of a message followed by a counter. The counter is used to encode the message, and is sent to the command and control (C2) server with each lookup so the C2 can decode the message.
Four types of message can be sent:
1. Make contact
The first time it is executed, Saitama starts its counter by choosing a random number between 0 and 46655. In this example our randomly-generated counter is 7805.
The DNS lookup derived from that counter is:
nbn4vxanrj.joexpediagroup.com
The counter itself is encoded using a hard-coded base36 alphabet that is shared by the name server. In base36 each digit is represented by one of the 36 characters 0-9 and A-Z. In the standard base36, alphabet 7805 is written 60t (6 x 1296 + 0 x 36 + 30 x 1). However, in Saitama’s custom alphabet 7805 is nrj.
The counter is also used to generate a custom alphabet that will be used to encode the message using a simple substitution. The first message sent home is the command 0, base36-encoded to a, which tells the server it has a new victim, prepended to the string haruto, making aharuto.
A simple substitution using the alphabet generated by the counter yields the message nbn4vxa.
a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9
↓ ↓ ↓ ↓ ↓ ↓
n j 1 6 9 k p b h d 0 7 y i a 2 g 4 u xv 3 e s w f 5 8 r o c q t l z m
The C2 name server decodes the counter using the shared, hard-coded alphabet, and then uses the counter to derive the alphabet used to encode aharuto.
It responds to the contact request with an IP address that contains an ID for Saitama to use in future communications. The first three octets can be anything, and Saitama ignores them. The final octet contains the ID. In our example we will use the ID 203:
75.99.87.203
2. Ask for a command
Now that it has an ID from the C2 server, Saitama increments its counter to 7806 and signals its readiness to receive a command as follows: The counter is used to generate a new custom alaphabet, which encodes the ID, 203, as ao. The counter itself is encoded using the malware’s hard-coded base36 alphabet, to nrc, and one of Saitama’s three root domains is chosen at random, resulting in:
aonrc.uber-asia.com
The C2 server responds to the request with the size of the payload Saitama should expect. Saitama will use this to determine how many requests it will need to make to retrieve the full payload.
The first octet of the IP address the C2 responds with is any number between 129 and 255, while the second, third and fourth octets signify the first, second, and third bytes of the size of the payload. In this case the payload will be four bytes.
129.0.0.4
3. Get a command
Now that it knows the size of the payload it will receive, Saitama makes one or more RECEIVE requests to the server to get its instructions. It increments its counter by one each time, starting at 7807. Multiple requests may be necessary in this step because some command names require more than the four bytes of information an IP address can carry. In this case it has been told to retrieve four bytes of information so it will only need to make one request.
The message from Saitama consists of three parts: The digit 2, indicating the RECEIVE command; the ID 203; and an offset indicating which part of the payload is required. These are individually base36-encoded and concatenated together. The resulting string is encoded using a custom base36 alphabet derived from the counter 7807, giving us the message k7myyy.
The counter is encoded using the hard-coded alphabet to nr6, and one of Saitama’s three root domains is chosen at random, giving us:
k7myyynr6.asiaworldremit.com
The C2 indicates which function it wants to run using two-digit integers. It can ask Saitama to run any of five different functions:
C2
Saitama
43
Static
70
Cmd
71
CompressedCmd
95
File
96
CompressedFile
Saitama functions
In this case the C2 wants to run the command ver using Saitama’s Cmd function. (In the previous request the C2 indicated that it would be sending Saitama a four byte payload: One byte for 70, and three bytes for ver.)
In its response, the C2 uses the first octet of the IP address to indicate the function it wants to run, 70, and then the remaining three octets to spell out the command name ver using the ASCII codepoints for the lowercase characters “v”, “e”, and “r”:
70.118.101.114
4. Run the command
Saitama runs the command it has been given and sends the resulting output to the C2 server in one or more DNS requests. The counter is incremented by one each time, starting at 7808 in our example. Multiple requests may be necessary in this step because some command names require more than the four bytes an IP address can carry.
The counter is encoded using the hard-coded alphabet to nrb, and one of Saitama’s three root domains is chosen at random.
In this case the message consists of five parts: The digit 2, indicating the RECEIVE command; the ID 203; and an offset indicating which part of the response is being sent; the size of the buffer; and a twelve-byte chunk of the output. These are individually base36-encoded and concatenated together. The resulting string is encoded using a custom base36 alphabet derived from the counter 7808, giving us the message p6yqqqqp0b67gcj5c2r3gn3l9epzt.
American car manufacturer General Motors (GM) says it experienced a credential stuffing attack last month. During the attack customer information and reward points were stolen.
The subject of the attack was an online platform, run by GM, to help owners of Chevrolet, Buick, GMC, and Cadillac vehicles to manage their bills, services, and redeem rewards points.
Credential stuffing
Credential stuffing is a special type of brute force attack where the attacker uses existing username and password combinations, usually ones that were stolen in a data breach on another service.
The intention of such an attack is not to take over the website or platform, but merely to get as many valid user account credentials and use that access to commit fraud, or sell the valid credentials to other criminals.
To stop a target from just blocking their IP address, an attacker will typically use rotating proxies. A rotating proxy is a proxy server that assigns a new IP address from the proxy pool for every connection.
The attack
GM disclosed that it detected the malicious login activity between April 11 and April 29, 2022, and confirmed that the threat actors exchanged customer reward bonuses of some customers for gift certificates.
The My GM Rewards program allows members to earn and redeem points toward buying or leasing a new GM vehicle, as well as for parts, accessories, paid Certified Service, and select OnStar and Connected Services plans.
GM says it immediately investigated the issue and notified affected customers of the issues.
Victims
GM contacted victims of the breach, advising them to follow instructions to recover their GM account. GM is also forcing affected users to reset their passwords before logging in to their accounts again. In the notification for affected customers, GM said it will be restoring rewards points for all customers affected by this breach.
GM specifically pointed out that the credentials used in the attack did not come from GM itself.
“Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself. We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”
Username and phone number for registered family members tied to the account
Last known and saved favorite location information
Search and destination information
Other information that was available was car mileage history, service history, emergency contacts, Wi-Fi hotspot settings (including passwords), and currently subscribed OnStar package (if applicable).
GM is offering credit monitoring for a year.
Mitigation
What could GM have done to prevent the attack? It doesn’t currently offer multi-factor authentication (MFA)which would have stopped the attackers from gaining access to the accounts. GM does ask customers to add a PIN for all purchases.
This incident demonstrates how dangerous it is to re-use your passwords for sites, services and platforms. Even if the account doesn’t seem that important to you, the information obtainable by accessing the account could very well be something you wish to keep private.
Always use a different password for every service you use, and consider using a password manager to store them all. You can read some more of our tips on passwords in our blog dedicated to World Password Day.
Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.
Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google Project Zero has been credited with discovering and reporting all the four flaws in February 2022.
The list of bugs is as follows –
CVE-2022-22784 (CVSS score: 8.1) – Improper XML Parsing in Zoom Client for Meetings
CVE-2022-22785 (CVSS score: 5.9) – Improperly constrained session cookies in Zoom Client for Meetings
CVE-2022-22786 (CVSS score: 7.5) – Update package downgrade in Zoom Client for Meetings for Windows
CVE-2022-22787 (CVSS score: 5.9) – Insufficient hostname validation during server switch in Zoom Client for Meetings
With Zoom’s chat functionality built on top of the XMPP standard, successful exploitation of the issues could enable an attacker to force a vulnerable client to masquerade a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution stemming from a downgrade attack.
Fratric dubbed the zero-click attack sequence as a case of “XMPP Stanza Smuggling,” adding “one user might be able to spoof messages as if coming from another user” and that “an attacker can send control messages which will be accepted as if coming from the server.”
At its core, the issues take advantage of parsing inconsistencies between XML parsers in Zoom’s client and server to “smuggle” arbitrary XMPP stanzas — a basic unit of communication in XMPP — to the victim client.
Specifically, the exploit chain can be weaponized to hijack the software update mechanism and make the client connect to a man-in-the-middle server that serves up an old, less secure version of the Zoom client.
While the downgrade attack singles out the Windows version of the app, CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 impact Android, iOS, Linux, macOS, and Windows.
The patches arrive less than a month after Zoom addressed two high-severity flaws (CVE-2022-22782 and CVE-2022-22783) that could lead to local privilege escalation and exposure of memory contents in its on-premise Meeting services. Also fixed was another instance of a downgrade attack (CVE-2022-22781) in Zoom’s macOS app.
Users of the application are recommended to update to the latest version (5.10.0) to mitigate any potential threats arising out of active exploitation of the flaws.
Security incidents occur. It’s not a matter of “if,” but of “when.” That’s why you implemented security products and procedures to optimize the incident response (IR) process.
However, many security pros who are doing an excellent job in handling incidents find effectively communicating the ongoing process with their management a much more challenging task.
Feels familiar?
In many organizations, leadership is not security savvy, and they aren’t interested in the details regarding all the bits and bytes in which the security pro masters.
Luckily, there is a template that security leads can use when presenting to management. It’s called the IR Reporting for Management template, providing CISOs and CIOs with a clear and intuitive tool to report both the ongoing IR process and its conclusion.
The IR Reporting for Management template enables CISOs and CIOs to communicate with the two key points that management cares about—assurance that the incident is under control and a clear understanding of implications and root cause.
Control is a key aspect of IR processes, in the sense that at any given moment, there is full transparency of what is addressed, what is known and needs to be remediated, and what further investigation is needed to unveil parts of the attack that are yet unknown.
Management doesn’t think in terms of trojans, exploits, and lateral movement, but rather they think in terms of business productivity — downtime, man-hours, loss of sensitive data.
Mapping a high-level description of the attack route to damage that is caused is paramount to get the management’s understanding and involvement – especially if the IR process requires additional spending.
The IR Reporting for Management template follows the SANSNIST IR framework and will help you walk your management through the following stages:
Identification
Attacker presence is detected beyond doubt. Follow the template to answer key questions:
Was the detection made in-house or by a third-party?
How mature is the attack (in terms of its progress along the kill chain)?
What is the estimated risk?
Will the following steps be taken with internal resources or is there a need to engage a service provider?
Containment
First aid to stop the immediate bleeding before any further investigation, the attack root cause, the number of entities taken offline (endpoints, servers, user accounts), current status, and onward steps.
Eradication
Full cleanup of all malicious infrastructure and activities, a complete report on the attack’s route and assumed objectives, overall business impact (man-hours, lost data, regulatory implications, and others per the varying context).
Recovery
Recovery rate in terms of endpoints, servers, applications, cloud workloads, and data.
Lessons Learned
How did that attack happen? Was it a lack of adequate security technology in place, insecure workforce practices, or something else? And how can we mend these issues? Provide a reflection on the previous stages across the IR process timeline, searching for what to preserve and what to improve.
Naturally, there is no one-size-fits-all in a security incident. For example, there might be cases in which the identification and containment will take place almost instantly together, while in other events, the containment might take longer, requiring several presentations on its interim status. That’s why this template is modular and can be easily adjustable to any variant.
Communication with management is not a nice-to-have but a critical part of the IR process itself. The definitive IR Reporting to Management template helps security team leads make their efforts and results crystal clear to their management.
We’ve invested in Windows Server for nearly 30 years, and we continue to find new ways to empower businesses who trust Windows Server as the operating system for their workloads. Over this time, we understand that business requirements have become more complex and demanding. Thus, we are energized when we hear how customers continue to trust Windows Server to navigate these ever-evolving requirements and run business and mission-critical workloads.
We want to continue to invest in your organizations’ success and enable you to get the most out of Windows Server by keeping you informed of the latest product announcements, news, and overall best practices. Here are the top five to-do’s for you to make the most out of Windows Server:
1. Patch and install security updates without rebooting with Hotpatch
2. Take the recently available Windows Server Hybrid Administrator Certification
Invest in your career and skills with this brand-new Windows Server certification. With this certification, you can keep the Windows Server knowledge you have built your career on and learn how to apply it in the current state of hybrid cloud computing. Earn this certification for managing, monitoring, and securing applications on-premises, in Azure, and at the edge. Learn more about Windows Server Hybrid Administrator Associate certification today.
3. Upgrade to Windows Server 2022
With Windows Server 2022, get the latest innovation for you to continue running your workloads securely, enable new hybrid cloud scenarios, and modernize applications to meet your ever-evolving business requirements. Learn more about investing in your success with Windows Server.
4. Protect your workloads by taking advantage of free extended security updates (ESUs) in Azure
While many customers have adopted Windows Server 2022, we also understand that some need more time to modernize as support for older versions of Windows Server will eventually end.
For Windows Server 2012/2012 R2 customers, the end of support date is October 10, 2023.
For Windows Server 2008/2008 R2 customers, the third year of extended security updates are coming to an end on January 10, 2023. Customers can get an additional fourth year of free extended security updates (ESUs-only) on Azure (including Azure Stack HCI, Azure Stack Hub, and other Azure products). With this, customers will have until January 9, 2024 for Windows Server 2008/2008 R2 to upgrade to a supported release.
5. Combine extended security updates with Azure Hybrid Benefit to save even more
In addition to all the innovative Windows Server capabilities available only on Azure, it also has offers for you to start migrating your workloads with Azure Hybrid Benefit. It is a licensing benefit that allows you to save even more by using existing Windows Server licenses on Azure. Learn more about how much you can save with Azure Hybrid Benefit.
Ask questions and engage in our community
Get started implementing these Windows Server best practices today! Join the conversation by sharing stories or questions you have here:
Datacenters are a core part of any IT infrastructure for businesses that run mission-critical workloads. However, with components across compute, networking, and storage, as well as the advancement in cloud technologies, the management of your datacenter environment can quickly become complex. Ever since its release in 2008, Microsoft System Center has been the solution that simplifies datacenter management across your IT environments.
Today, we are excited to announce the general availability of System Center 2022, which includes System Center Operations Manager (SCOM), Virtual Machine Manager (VMM), System Center Orchestrator (SCORCH), Service Manager (SM), and Data Protection Manager (DPM). With this release, we are continuing to bring new capabilities for best-in-class datacenter management across diverse IT environments that could be comprised of Windows Server, Azure Stack HCI, or VMWare deployments. We have been energized to hear of organizations such as Olympia, Schaeffler, and Entain who have validated the capabilities of System Center 2022 during the preview. Now, let us dive into what is new with System Center 2022.
Why upgrade to System Center 2022
Best-in-class datacenter management
Your IT environments are ever-evolving to have applications running on a diverse set of hardware. Your workforce is spread across multiple locations and remote management is the new normal. System Center 2022 focuses on simplifying collaboration and providing consistent control for all your environments.
Enhanced access control capabilities in SCOM facilitate simpler management of permissions on the monitoring data and alert actions. A critical piece toward adoption of DevOps practices, empowering the users with the right level of control. The integration with Microsoft Teams and management of alert closures reduce the circle time between the application owners and the SCOM administrator. The developers can get notified about alerts for their applications on the Teams channels.
Additionally, to meet the needs of growing environments, you can now assign both IPv4 and IPv6 IP addresses to the software-defined networking (SDN) deployments with VMM. Performance and technology optimizations to the data protection manager mean you get more control and speed on the backups and restores.
Overall, this release gives you more control in managing the environment and working with the DevOps teams.
Flexible infrastructure platform
Datacenters are becoming more heterogeneous, with multiple host platforms and hypervisors, Windows/Linux, VMware, and Hyper-Converged Infrastructure (HCI). System Center 2022 enables the unification of management practices for the datacenter, irrespective of the platform in use.
System Center 2022 is the best toolset to manage your Windows Server 2022 and SQL Server infrastructure. This includes using Windows Server 2022 for the management infrastructure and managing the Windows Server 2022 based environment. In addition to a comprehensive management experience for Windows Server 2022 workloads, this release of System Center adds support for managing Azure Stack HCI 21H2, VMware 7.0 hosts, and the latest Linux distros. You can create, configure, and register HCI 21H2 clusters, control virtual machines on the HCI clusters, set up SDN controllers, and manage storage pools from VMM. There are new management packs in SCOM for monitoring the Azure Stack HCI clusters. To protect the virtual machines on Stack HCI clusters, Microsoft Azure Backup Server can now be used.
Hybrid management with Azure
Efficiently managing IT resources that are sprawled across various locations without slowing down developer innovation is a key challenge that IT leaders face today. Azure Arc enables you to seamlessly govern, manage, and secure Windows and Linux servers, Kubernetes clusters, and applications across on-premises, multiple clouds, and the edge from a single control plane.
We will be bringing hybrid capabilities with System Center 2022 to standardize management and governance across on-premises and cloud environments while reusing your existing investments in System Center.
Stay tuned for more on these exciting capabilities!
