Front Page: NCSC-FI

The National Cyber Security Centre Finland’s weekly review – 51/2022

Information security now!

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 16–22 December 2022). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.

TLP:CLEAR

Topics covered in this week’s review

  • Ensure the information security of your Christmas presents
  • Microsoft Exchange OWASSRF vulnerability
  • Have a peaceful Christmas! 

Ensure the information security of your Christmas presents

If Santa brought you a smart device this Christmas, there are a few things that you should keep in mind before you start using it. You should also take information security into consideration when buying smart toys for younger family members. A secure toy has been manufactured in accordance with good information security practices. This means that it will protect its user’s data and prevent third parties from gaining control of it. Toy manufacturers are responsible for ensuring the information security of their products.

Smart devices include mobile phones, computers, tablets, smart watches and smart rings. Although the intended uses of these devices differ, they are all subject to certain basic information security principles.

The internet can be a dangerous place, so here are some tips from Cyber Santa on how to stay safe. Not every device needs to be connected to the internet, even if it offers the option. With the products listed as examples above, one of the first things that you should do is configure them to download and install updates automatically. This way you can avoid using smart devices that were last updated years ago. In addition to providing a smoother user experience, the latest updates also improve the information security of smart devices.

Getting started with a new smart device

If you receive a smart device as a present, it is safe to assume that the person who gave it to you put some thought into why the device is suitable and necessary for you. That being said, there are a few things that you should always take care of when getting started with a new device.

  1. Enable automatic updates.
  2. Enable or install antivirus software.
  3. Change default passwords.
  4. Install applications only from official application stores.
  5. Enable multi-factor authentication.

Getting rid of old devices safely

Take care when getting rid of your old smart devices. Surprisingly many devices contain data that needs to be securely managed.

In addition to computers, mobile phones and memory sticks, certain printers, for example, can also contain sensitive data. In fact, part of the challenge is identifying the devices that have sensitive data stored in them.

Is it safe to buy or sell used devices?

Many companies sell used smart devices that have been checked to make sure that they are safe and operational. If you are purchasing a smart device from a private individual instead, using common sense and exercising due caution goes a long way.

The identities of both the buyer and the seller should be verified before the purchase to avoid potential discrepancies. A mobile phone that has undergone a factory reset is safe to use, and a used computer can always be taken to a store to be checked and wiped to make it safe, if necessary.

Selling a smart device is safe as long as you have copied all the data that you need on the device and then wiped the device and carried out a factory reset.

Microsoft Exchange OWASSRF vulnerability

In the autumn, several vulnerabilities were discovered in the Microsoft Exchange email server that make it possible for an authenticated user to execute arbitrary code. 

Information security researchers recently discovered a new way of exploiting the vulnerabilities, and it is being actively used. Microsoft’s previously recommended mitigation for the vulnerability does not prevent this new exploit, and a proof of concept (PoC) of it is publicly available. As such, the NCSC-FI recommends installing Microsoft’s updates. Microsoft’s update KB5019758 (published on 8 November 2022) fixes the vulnerabilities (CVE-2022-41040, CVE-2022-41082 and CVE-2022-41080).

More information on the vulnerability is available on the NCSC-FI’s website (in Finnish).

The NCSC-FI recommends that organisations should stay vigilant for cyber security incidents during the holidays as well. The NCSC-FI is monitoring the situation and will provide information on any vulnerabilities that require immediate action, for example. 

During the holiday seasons, organisations often operate with fewer resources than normal, which means that they have fewer resources available for tackling information security matters as well. This makes the holidays an opportune time for attackers to carry out operations without anyone noticing. As such, it is vital for organisations to be aware of cyber security risks and monitor the situation over the holidays as well – and allocate sufficient human resources for the holiday season, if possible. In relation to this, Tripwire has published an article that details the most common threat during the holiday season.

Have a peaceful Christmas!

With the year nearing its end, now is a good time to rest and look back on the past year. That being said, the NCSC-FI will be staying vigilant over the holidays as well, making sure that everyone in Finland can enjoy a peaceful Christmas. If you notice an information security breach during or after the holidays, be sure to notify us.

Subscribe to the NCSC-FI’s newsletters or RSS feeds to be notified as soon as new information is published.