Any new software module you run on your system may increase your attack surface. In other words, the module may contain vulnerabilities that an attacker can exploit to take control of your system and steal information. Hardening is a well known defense strategy that strips away from your system every software module you do not need, even if it is included in the standard distribution or configuration. In most cases, you do not even know you are running these modules.
The rule “more software, more vulnerabilities” also holds for all the software we are currently using for remote or smart working. As an example, it holds for the module that builds the VPN connecting your home to your workplace. Bloomberg reports that, according to the Cybersecurity & Infrastructure Security Agency (CISA), an unnamed federal agency has been successfully attacked. The attack exploited a well known vulnerability in the Pulse VPN Server. The vulnerability and the patch to apply had been published in April 2019 in the advisory for CVE-2019-11510. Then, in April 2020, a further advisory was published to speed up patch deployment. The advisory stressed that exploitation of the vulnerability had been demonstrated at various events and proved to be highly impactful, because it gives direct access to admin privileges and hence the ability to infect multiple VPN-connected users and their desktops. In other words, all the VPN users can be attacked through this vulnerability.
In spite of these efforts and the huge risk, after 17 months the unnamed federal agency had still not deployed the patch. This shows once more the importance of patch scheduling and the benefit of knowing which patches you need to deploy in order to minimize your cyber risk.