The National Cyber Security Centre Finland’s weekly review – 2/2023
Information security now!
This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 6–12 January 2023). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.
Topics covered in this week’s review
- Remember to take care of the information security of your devices
- Updates and patches safeguard business activities
- Follow us on social media!
- Vulnerability: Chrome and Chromium browsers
Remember to take care of the information security of your devices
For many of us, using the internet is an everyday and essential activity. Because of this, it is important for every internet user to take care of their security. In practice, this means that you need to both critically examine your own operating methods and ensure the security of your devices and software. Modern IT devices and software are so complex that bugs and vulnerabilities usually continue to be found even after their release. When a bug is discovered, the manufacturer can fix it in the next firmware or software version, which is distributed to existing devices via the internet. In fact, the regular updating of devices and software is the single most important aspect of information security for individual users.
When an updated version of a phone operating system, for example, becomes available, you should update it as soon as possible. Responsible manufacturers communicate actively about the updates that they release. Besides mobile phones, other devices that need to be regularly updated include other mobile devices, computers, modems, routers and other household smart devices. In addition to devices, you should also regularly update the operating systems and software that you use, such as your internet browser and security software. It is also important to keep any work devices provided by your employer updated in accordance with your employer’s instructions.
More information on the updating of devices can be found in our article ‘Remember to update devices, software and applications!’
Nowadays more and more household devices, such as home appliances, can be connected to the internet and controlled via a smartphone app, for example. When purchasing these types of new smart devices, it is important to consider the information security of the device as well. A good way of doing so is to ask the seller about the information security features of the device. Will the device receive software updates? Can you set a password for the device?
To help assess the information security of devices, the NCSC-FI has created the Cybersecurity Label. The Cybersecurity Label indicates that the product or service bearing it has been designed to be information secure and meets Traficom’s information security requirements. The label is used on smart consumer devices that can be connected to the internet, meaning so-called IoT devices. These include smart TVs, smart bracelets and household routers, for example.
Learn more about the Cybersecurity Label
Here is a brief list of measures that you can carry out to improve information security when getting started with a new device:
- When setting up a new device or service, create a sufficiently strong password for it. Use a different password for every service.
Read more: The longer the better — How to create a strong password
- Do not ignore software updates. Automate them, if possible. Software updates also contain important security updates.
Read more: Remember to update devices, software and applications!
- An old product may present an information security risk if the manufacturer is no longer providing security updates for it. Check the life cycle of the product on the manufacturer’s website.
Read more: How to safely recycle your devices (article in Finnish)
- Choose a product that has been granted an information security certificate, if possible. Information security certification is constantly being developed, with more and more certified products available on the market.
Updates and patches safeguard business activities
In 2020, the National Emergency Supply Agency published its most recent report on the current state of cyber security in Finland, which covered over 100 organisations in 12 different industries. The report showed that there was a great deal of variation in companies’ level of preparedness for various cyber threats. Regardless of these observations and preparedness, the fact is that every company should carry out continuous measures for maintaining and developing information and cyber security as part of their normal operations. After all, it makes little difference to the criminals operating online whether a company is a one-person business or a multinational group with sales measured in the hundreds of millions. As such, companies should take care of cyber security in the same way that they take care of the physical security of their facilities by keeping their doors locked.
Above, we provided a brief list of measures that every user should carry out to maintain their personal cyber security. When it comes to companies, the parties ultimately responsible for overall security are the managing director, the executive group and the company board. Responsibility for administering and updating systems, on the other hand, can be assigned to specific employees, while responsibility for devices handed over to employees ultimately rests with the employees themselves. As for self-employed persons, they have to bear all of these responsibilities themselves.
Hardware and software developers release not only regular updates, such as the patches released by Microsoft on the second Tuesday of every month, but also urgent updates outside of normal update cycles. It is also important to make sure that any instructions and documentation related to update processes are up to date when they are needed. A critical security update or patch typically fixes a software vulnerability or bug while also improving information security. If left unpatched, vulnerabilities can potentially be exploited by criminals to hijack devices, execute arbitrary code or bypass authentication processes, for example. As such, companies need to be familiar with the systems and software that they use and prepare for manufacturers’ regular updates and update schedules.
Information on unscheduled updates and identified vulnerabilities is provided in the NCSC-FI’s daily vulnerability digest, for example. Vulnerabilities that we have highlighted this week include the server and workstation vulnerabilities published by CPU manufacturer AMD and the BitLocker vulnerability related to Microsoft Windows operating systems. The vulnerability published by AMD could potentially be exploited to install a so-called rootkit onto a computer’s CPU, preventing the operating system from detecting malicious activity. The BitLocker vulnerability, on the other hand, makes it possible to bypass encryption on unpatched systems.
At the international level, ransomware is still one of the most notable cyber security threats faced by organisations and companies, and one of the attack vectors for ransomware targeting companies is unpatched software. The unpatched component can be either a service directly open to the internet or a system in the company’s internal network. These are often accessed directly, or, in the case of internal network systems, via phishing attacks.
Information security company CrowdStrike’s 2022 Global Threat Report provides insight on the average speed of attackers. According to the report, it takes an average of 1 hour and 38 minutes for an attacker to penetrate deeper into a system after initially gaining access. Meanwhile, a white paper by another information security company examined the speed of ransomware encryption. According to the white paper, the currently circulating LockBit ransomware was able to encrypt approximately 100,000 files and 54 GB of material in as little as 4 minutes and 9 seconds. The median time for ten different ransomware variants to encrypt the same material was 42 minutes and 52 seconds. According to statistics collected in the United States in 2021, the average time it took for companies hit by a ransomware attack to recover from the attack was 22 days.
Follow us on social media!
Have you found us on social media already? We provide information on e.g. currently circulating scams, topical cyber security issues and open jobs on social media.
Did you know that Traficom is involved in nearly all aspects of transport and communications? These social media channels explore land, sea, air and data networks.
Vulnerability: Chrome and Chromium browsers
CVE: CVE-2023-0128, CVE-2023-0129 and 15 lower-severity ones
What: 17 different vulnerabilities in Chrome and Chromium browsers. The most severe (high) vulnerabilities allowed an attacker who convinced a user to engage in specific UI interactions or install a malicious extension to potentially exploit heap corruption.
Product: Chrome and Chromium browsers
Fix: Update to version 109.0.5414.74 (Linux), 109.0.5414.74/.75 (Windows) and 109.0.5414.87 (Mac)