On May 1, 2014, Microsoft released a critical security update announcing a patch for all versions of Microsoft Internet Explorer (IE), including the XP version, which contained a security flaw making computers and their networks highly vulnerable to malicious hacker attacks. The patch, which fixes this vulnerability, should have been downloaded and installed soon after the release on most computers that were turned on and have the feature for auto-updates from Microsoft turned on. The patch may need to be tested and manually installed on many corporate enterprise networks, however. Below, we explain the nature of the vulnerability that exists on all unpatched versions of IE and provide tips for the development of an action plan to deal with this and future cyber security threats.
The old weather proverb about March, in like a lion and out like a lamb, hit April in the reverse in the world of cyber security. While the first six days of April seemed relatively calm in the cyber world, on Monday, April 7, 2014, the Heartbleed flaw in encryption security was announced (see our previous post here). As of April 26, 2014, the month was still roaring like a lion with yet another newly discovered cyber security threat to Internet Explorer (IE), first announced by FireEye Research Labs. Microsoft quickly confirmed the flaw on its Security TechCenter webpage.
IE’s Vulnerability Dubbed “Operation Clandestine Fox.” FireEye named the flaw “Operation Clandestine Fox” for a couple of reasons. One is that hackers are already exploiting the vulnerability in an active “campaign.” Further, FireEye said the exploits are “clandestine” because the hackers lure computer users to malicious web code, like a “fox” who lures prey to a watering hole and then moves in for the kill.
With the IE vulnerability, the hacker can use Adobe Flash content, a popular website or an email to bait the computer user to click on malicious HTML code. This allows the hacker to download the malicious software to the user’s computer. Once downloaded, the hacker gains access to the user’s computer, and can then gather the information needed to access other programs and networks accessed by the user. Such access can include otherwise secure servers, databases and networks. The risk was perceived as sufficiently significant to prompt the U.S. Department of Homeland Security to issue a security advisory to its CERT Vulnerability Alerts Database webpage. Microsoft and Homeland Security were updating their advisories almost daily before the patch, requiring vigilance on the part of Chief Information Officers (CIOs) to keep up with the updates in order to develop a responsive action plan. Below are some tips for preparing for the next inevitable cyber security risk.
Develop An Action Plan. CIOs should immediately assess newly-identified cyber security vulnerabilities posed to its networks and develop an action plan to address them. The risk assessment should include an evaluation of how confidential electronic data, including customer, employee, student, personal and financial data, is accessed by others such as employees, customers and third-party vendors. Ensuring security is especially critical for those who can remotely access your company’s confidential or sensitive information.
Consider Workarounds and alternative browser options. The action plan should include, among other things, disabling vulnerable add-ons (e.g., Flash Player on IE before it is patched), an evaluation of workarounds for the continued use of vulnerable browsers and software and whether other internet browsers are available to employees, customers and vendors who access or exchange confidential data on the entity's systems. Assess the feasibility of implementing the workarounds suggested by the software vendor on devices controlled by the organization. Microsoft and Homeland Security issued workarounds until a patch was available, but some security experts considered them too complex for the average computer user to implement on their own computers and mobile devices. Accordingly, for an identified browser vulnerability, the organization may need to advise employees and customers to use others browsers for remote access to the organization's network. If using another browser is the preferred approach, determine and recommend the browser (including the version number) that will work best with the organization's network. Before recommending an alternative browser, check for security alerts on that browser. (For example, on April 29, 2014, only a few days after the IE bug was announced, Mozilla issued Firefox Version 29 to fix a critical vulnerability in a prior browser version that allows the installation of malicious code that required no user interaction beyond normal browsing.)
Change Passwords. Security experts recommend changing log-in passwords to all potentially affected access points after an internet, website or network vulnerability has been identified. Organizations should consider implementing a forced, mandatory password change for all authorized users before allowing continued access to the organization’s network. Advise authorized users to select a password for the organization’s networks that is different from the password they use for personal websites. Additionally, because of the Heartbleed issue announced on April 7, 2014, passwords used on any website vulnerable to Heartbleed before that website was patched and new certificates issued are not secure and should not be recycled.
Safe Internet and Computer Use. Remind those with access to your network to always use special caution when visiting websites, to avoid clicking suspicious links, or opening email messages from unfamiliar senders, regardless of what internet browser they use.
IT Support. The organization's technology alerts should include help desk support. Ensure that help desk personnel are adequately resourced and prepared to assist users in implementing suggested responsive action to a vulnerability threat.
Cyber Security Management Plan & Continued Vigilance. Finally, use April's cyber security lessons to develop a written cyber security management plan that includes a procedure with steps to address the next cyber security crisis. Set up a knowledgeable cyber security team responsible for monitoring cyber security advisories including, among others, the Homeland Security CERT website, and include an internal notification procedure when new risks are identified. For smaller organizations, consider rotating the responsibility among members of the team to prevent cyber security risk identification fatigue. If you use a third-party vendor to manage your network, ask to see the vendor's cyber security management plan.
There's simply no rest for the weary CIO!