By Owais Sultan
Running a business can be challenging for many reasons but having access to modern technology has definitely made…
This is a post from HackRead.com Read the original post: The Importance of Cybersecurity Solutions for Your Business

Running a business can be challenging for many reasons but having access to modern technology has definitely made things easier in this respect. Unfortunately, while modern tech brings with it a host of benefits for businesses, it also brings certain risks such as the threat of cybercrime.

This is why it is so important for all businesses to assess their needs when it comes to cybersecurity solutions. This then enables you to determine the right solutions for your business as well as your budget, which means that you can better protect your business.

There are many reasons why finding the right solutions has become so important over recent years. While security solutions have become more sophisticated these days, so have the methods used by cybercriminals to attack systems and cause devastation to businesses.

Making sure you find the perfect solution to protect your business can make a huge difference in many ways, and it can save you a lot of problems in the future. In this article, we will look at the importance of ensuring you find the right cybersecurity solutions for your business.

**Some of the Benefits of the Right Solution**

As a business owner, you can look forward to many benefits when you have the right solutions in place to protect your business from cyberattacks. Some of these include:

**Protection Against a Range of Issue**

With the right cybersecurity solution, you can protect your business from a range of issues and problems. These days, there are many different types of cyberattacks that are carried out, many of which are targeted at businesses. The right solution can help to ensure you reduce the risk of falling victim to this wide range of issues, and this means that you can better protect your business. 

**Higher Level of Security**

With the right solution, you can benefit from a much higher level of security for your business, and this can save you a lot of stress, headaches, and even money in the long run. While there are basic solutions that you can consider, these are often not adequate to provide the level of security and protection that you need for your business.

However, by finding the right solution that offers comprehensive protection, you can ensure your business has the necessary security in place to avoid cybercrime issues. 

**Peace of Mind**

There are many worries and challenges that business owners have to deal with, and cybersecurity is often high up on this list. The last thing you want is to be worrying constantly about your security solutions and whether your business is properly protected. This can cause unnecessary stress and means that you cannot focus on the actual running of the business.

With the right solution in place, you can benefit from far greater peace of mind, as you can be safe in the knowledge that you have an excellent level of security in place. These are some of the reasons you need to ensure you invest in the right solution. 

**More Cybersecurity Topics**

1.  The Human Factor in Cybersecurity
2.  Brand Protection is Essential for Cybersecurity
3.  How to use AI (Artificial Intelligence) in cybersecurity?
4.  CISA Publishes List of Free Cybersecurity Tools and Services
5.  Mobile Cybersecurity Firm Cirotta Launches Anti-Hacking Phone Cases

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

The Importance of Cybersecurity Solutions for Your Business

"Retbleed" bypasses a commonly used mechanism for protecting against a certain kind of side-channel attack.

Researchers at ETH Zurich have found a way to overcome a commonly used defense mechanism against so-called speculative execution attacks targeting modern microprocessors.

In a technical paper published this week, the researchers described how attackers could use their technique — dubbed "Retbleed" — to steal sensitive data from the memory of systems with Intel and AMD microprocessors that are vulnerable to the issue. The researchers built their proof-of concept code for Linux but said some Windows and Apple computers with the affected microprocessors likely have the issue as well.

Their discovery prompted Intel and AMD to issue advisories this week describing mitigations against the new attack method. In an emailed statement, Intel said it had worked with industry partners, the Linux community, and Virtual Machine Manager (VMM) vendors to make mitigations available to customers. "Windows systems are not affected as they already have these mitigations by default," Intel noted.

AMD said the issue the researchers had identified potentially allows arbitrary speculative code execution under certain microarchitecture conditions. "As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending software suppliers consider taking additional steps to help guard against Spectre-like attacks," AMD said in an emailed statement. "That guidance is found in a new AMD whitepaper now available."

Both chipmakers said they were not aware of any active exploits in the wild related to the issue that the researchers at ETH Zurich discovered and reported.

**A Dangerous Attack Vector**

Security researchers consider speculative execution attacks as dangerous because they give attackers a way to access and steal sensitive data — including passwords and encryption keys — in a computer's memory. It's an issue that is especially of concern in shared environments such as public cloud services and shared enterprise infrastructure.

Speculative execution is a performance-enhancing mechanism in modern microprocessors where instructions in code are executed in advance of when they are needed, without waiting for previous instructions to be completed. The technique can help speed up microprocessor performance. If the microprocessor guesses wrong and executes an instruction that is not needed, it discards that instruction. But in doing so, it sometimes leaves artifacts from system memory in the processor's buffers or cache.

Threat actors have taken advantage of this fact to devise so-called side channel attacks where they get the microprocessor to speculatively execute code in such a way as to get it to access — and reveal — sensitive information in the system memory. The issue became a major concern in 2018 with the disclosure of the Spectre and Meltdown vulnerabilities in most microprocessors used in everything from servers to PCs, laptops, and mobile devices.

Since then, chipmakers like Intel and AMD have introduced changes and mitigations to make it harder for adversaries to carry out speculative execution side-channel attacks.

One widely used mitigation against speculative execution attacks is called "Retpoline," a Google-developed approach for controlling how a microprocessor performs speculation when handling certain instructions — so-called indirect "jumps" and "calls".

**'Crazy Trick'**

Retpolines work by replacing indirect jumps and calls with the "return" function, says Johannes Wikner, one of the researchers at ETH Zurich who developed the new exploit. "Retpoline replaces indirect jumps with returns using a crazy trick," Wikner says. "It tricks the processor to believe there has been a 'call' made from the location where the indirect jump was intended to lead."

The motivation for replacing indirect jumps and calls with returns was because the return function was considered impractical to exploit, he says.

But that is not the case, Wikner says. Their research showed that it is possible to trigger microarchitectural conditions on Intel and AMD CPUs that force the return function to be speculatively executed just like was possible with indirect jumps and calls. "Retpoline does not \[consider\] the fact the returns can be exploited, into account," he says. "This allows us to bypass the Retpoline defense."

Wikner says it took the researchers some work to exploit the issue on Intel microprocessors and required their finding a sequence of deep function call stacks to trigger it. "We found on AMD that all returns can be exploited regardless of the function call stack," he says. "We built a framework to make it easy also on Intel."

Bogdan Botezatu, director of threat research at Bitdefender, which last year developed a side-channel attack of its own against Intel CPUs, says Retbleed appears to be a side-channel attack as well one that bypasses a mitigation set in place for Spectre. "This is yet another way in which modern CPUs can be exploited to inadvertently leak information that should be considered secret — and for which hardware defenses are burnt into the silicon," he says.

He says two things are worth mentioning when talking about this type of attack. Conceptually, it beats measures built into chips to prevent data from leaking from one realm to the other. "In the hands of a patient and properly positioned attacker, this vulnerability can exfiltrate important information from shared computers or virtualized servers. This is bad," he says.

**Complex to Execute**

At the same time, such attacks require significant knowledge and logistics to successfully result in exfiltration of the data sought by a potential attacker. High-profile targets should be worried about the existence of this vulnerability and should deploy Intel and AMD's recommended mitigations. "Side-channel attacks are effective, but difficult to execute and exfiltrate exactly that piece of information that attackers are after," Botezatu says.

Intel said that two security advisories it published Tuesday address the research. One of them is here and the other here. The company described the issue as impacting some of its Skylake generation processors that do not have a feature called enhanced Indirect Branch Restricted Speculation (eIBRS). "Intel worked with the Linux community and VMM vendors to provide customers with software mitigations to enable Indirect Branch Restricted Speculation (IBRS), and enhanced Indirect Branch Restricted Speculation (eIBRS) where supported."

Windows systems are not affected because they use IBRS by default, the Intel statement noted.

Researchers Devise New Speculative Execution Attacks Against Some Intel, AMD CPUs

Rhonabwy before v1.1.5 was discovered to contain a buffer overflow via the component r_jwe_aesgcm_key_unwrap. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted JWE token.

**Rhonabwy - Javascript Object Signing and Encryption (JOSE) library - JWK, JWKS, JWS, JWE and JWT**

 

*   Create, modify, parse, import or export JSON Web Keys (JWK) and JSON Web Keys Set (JWKS)
*   Create, modify, parse, validate or serialize JSON Web Signatures (JWS)
*   Create, modify, parse, validate or serialize JSON Web Encryption (JWE)
*   Create, modify, parse, validate or serialize JSON Web Token (JWT)

JWT Relies on JWS and JWE functions, so it supports the same functionalities as the other 2. JWT functionalities also support nesting serialization (JWE nested in a JWS or the opposite).

*   Supported Cryptographic Algorithms (alg) for Digital Signatures and MACs:

"alg" Param Value

Digital Signature or MAC Algorithm

Supported

HS256

HMAC using SHA-256

**YES**

HS384

HMAC using SHA-384

**YES**

HS512

HMAC using SHA-512

**YES**

RS256

RSASSA-PKCS1-v1\_5 using SHA-256

**YES**

RS384

RSASSA-PKCS1-v1\_5 using SHA-384

**YES**

RS512

RSASSA-PKCS1-v1\_5 using SHA-512

**YES**

ES256

ECDSA using P-256 and SHA-256

**YES**(1)

ES384

ECDSA using P-384 and SHA-384

**YES**(1)

ES512

ECDSA using P-521 and SHA-512

**YES**(1)

PS256

RSASSA-PSS using SHA-256 and MGF1 with SHA-256

**YES**(1)

PS384

RSASSA-PSS using SHA-384 and MGF1 with SHA-384

**YES**(1)

PS512

RSASSA-PSS using SHA-512 and MGF1 with SHA-512

**YES**(1)

none

No digital signature or MAC performed

**YES**

EdDSA

Digital Signature with Ed25519 Elliptic Curve

**YES**(1)

ES256K

Digital Signature with secp256k1 Curve Key

_NO_

(1) GnuTLS 3.6 minimum is required for ECDSA, Ed25519 (EdDSA) and RSA-PSS signatures.

*   Supported Encryption Algorithm (enc) for JWE payload encryption:

"enc" Param Value

Content Encryption Algorithm

Supported

A128CBC-HS256

AES\_128\_CBC\_HMAC\_SHA\_256 authenticated encryption algorithm, as defined in Section 5.2.3

**YES**

A192CBC-HS384

AES\_192\_CBC\_HMAC\_SHA\_384 authenticated encryption algorithm, as defined in Section 5.2.4

**YES**

A256CBC-HS512

AES\_256\_CBC\_HMAC\_SHA\_512 authenticated encryption algorithm, as defined in Section 5.2.5

**YES**

A128GCM

AES GCM using 128-bit key

**YES**

A192GCM

AES GCM using 192-bit key

**YES** (2)

A256GCM

AES GCM using 256-bit key

**YES**

(2) GnuTLS 3.6.14 minimum is required for A192GCM enc.

*   Supported Cryptographic Algorithms (alg) for Key Management:

"alg" Param Value

Key Management Algorithm

Supported

RSA1\_5

RSAES-PKCS1-v1\_5

**YES**

RSA-OAEP

RSAES OAEP using default parameters

**YES**(3)

RSA-OAEP-256

RSAES OAEP using SHA-256 and MGF1 with SHA-256

**YES**

A128KW

AES Key Wrap with default initial value using 128-bit key

**YES**(3)

A192KW

AES Key Wrap with default initial value using 192-bit key

**YES**(3)

A256KW

AES Key Wrap with default initial value using 256-bit key

**YES**(3)

dir

Direct use of a shared symmetric key as the CEK

**YES**

ECDH-ES

Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF

**YES**(4)

ECDH-ES+A128KW

ECDH-ES using Concat KDF and CEK wrapped with "A128KW"

**YES**(4)

ECDH-ES+A192KW

ECDH-ES using Concat KDF and CEK wrapped with "A192KW"

**YES**(4)

ECDH-ES+A256KW

ECDH-ES using Concat KDF and CEK wrapped with "A256KW"

**YES**(4)

A128GCMKW

Key wrapping with AES GCM using 128-bit key

**YES**

A192GCMKW

Key wrapping with AES GCM using 192-bit key

**YES**(5)

A256GCMKW

Key wrapping with AES GCM using 256-bit key

**YES**

PBES2-HS256+A128KW

PBES2 with HMAC SHA-256 and "A128KW" wrapping

**YES**(5)

PBES2-HS384+A192KW

PBES2 with HMAC SHA-384 and "A192KW" wrapping

**YES**(5)

PBES2-HS512+A256KW

PBES2 with HMAC SHA-512 and "A256KW" wrapping

**YES**(5)

(3) Nettle 3.4 minimum is required for RSA-OAEP and AES key Wrap

(4) Nettle 3.6 minimum is required for ECDH-ES

(5) GnuTLS 3.6.14 minimum is required for A192GCMKW, PBES2-HS256+A128KW, PBES2-HS384+A192KW and PBES2-HS512+A256KW key wrapping algorithms.

**rnbyc, Rhonabwy command-line tool**

This command-line program can be used to:

*   Generate and/or parse keys and output the result in a JWKS or a public/private pair of JWKS files.
*   Parse, decrypt, and/or verify signature of a JWT, using given key
*   Serialize a JWT, the JWT can be signed, encrypted or nested

Example commands to generate a RSA2048 key pair, serialize a JWT signed with the private key, then parse the serialized token and verifies the signature with the public key.

$ rnbyc -j -g RSA2048 -o priv.jwks -p pub.jwks
$ rnbyc -s '{"iss":"https://rhonabwy.tld","aud":"abcxyz1234"}' -K priv.jwks -a RS256
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImVNdnI3bktBX2I5QUI4NGpMU05zTFFKZHRmdHpadnllV2M1V0VVMjhnRFkifQ.eyJpc3MiOiJodHRwczovL3Job25hYnd5LnRsZCIsImF1ZCI6ImFiY3h5ejEyMzQifQ.j6v-yxcWvHhyLIc-r3Nzn5rCF9yeJJzgyLSHW\_10wREfckspbzf8UTof5Zsrwg8JvKNlJ4Tt4ZffJC4BkkehdBYXPrgcfq9NtvNYsRmAdiNJhOXtZCU9j9X89j2xhY7pRBgWENI9c3730cmAUgaC-IUKsoNRw\_dd-eboyrgYKIzUCYRnuwqDB31T2oUSVjy6CckoenyoeHJhHg-x384G-g4ovP1l-L4YpjgCyr6BR8mjBFwHU56MP6hNN299HpUd56usQ3vMn7z5hL6QqE92qz-SsJBySrv8whLWjjN9J4Wq5g3\_R7Qw00x60bFnuCDhPBjg3EPXXGqlI0x0vwgwHw
$ rnbyc -P pub.jwks -t eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImVNdnI3bktBX2I5QUI4NGpMU05zTFFKZHRmdHpadnllV2M1V0VVMjhnRFkifQ.eyJpc3MiOiJodHRwczovL3Job25hYnd5LnRsZCIsImF1ZCI6ImFiY3h5ejEyMzQifQ.j6v-yxcWvHhyLIc-r3Nzn5rCF9yeJJzgyLSHW\_10wREfckspbzf8UTof5Zsrwg8JvKNlJ4Tt4ZffJC4BkkehdBYXPrgcfq9NtvNYsRmAdiNJhOXtZCU9j9X89j2xhY7pRBgWENI9c3730cmAUgaC-IUKsoNRw\_dd-eboyrgYKIzUCYRnuwqDB31T2oUSVjy6CckoenyoeHJhHg-x384G-g4ovP1l-L4YpjgCyr6BR8mjBFwHU56MP6hNN299HpUd56usQ3vMn7z5hL6QqE92qz-SsJBySrv8whLWjjN9J4Wq5g3\_R7Qw00x60bFnuCDhPBjg3EPXXGqlI0x0vwgwHw
Token signature verified
{
  "iss": "https://rhonabwy.tld",
  "aud": "abcxyz1234"
}

Check its documentation

**API Documentation**

Documentation is available in the documentation page: https://babelouest.github.io/rhonabwy/

Example program to parse and verify the signature of a JWT using its public key in JWK format:

/\*\*
 \* To compile this program run:
 \* gcc -o demo\_rhonabwy demo\_rhonabwy.c -lrhonabwy
 \*/
#include <stdio.h\>
#include <rhonabwy.h\>

int main(void) {
  const char token\[\] = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjEifQ."                                     // Header
                       "eyJzdHIiOiJwbG9wIiwiaW50Ijo0Miwib2JqIjp0cnVlfQ."                                         // Claims
                       "ooXNEt3JWFGMuvkGUM-szUOU1QTu4DvyC3qQP64UGeeJQuMGupBCVATnGkiqNLiPSJ9uBsjZbyUrWe8z7Iag\_A"; // Signature

  const char jwk\_pubkey\_ecdsa\_str\[\] = "{"
                                        "\\"kty\\":\\"EC\\","
                                        "\\"crv\\":\\"P-256\\","
                                        "\\"alg\\":\\"ES256\\","
                                        "\\"x\\":\\"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4\\","
                                        "\\"y\\":\\"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM\\","
                                        "\\"kid\\":\\"1\\","
                                        "\\"use\\":\\"sig\\""
                                      "}";

  unsigned char output\[2048\];
  size\_t output\_len = 2048;
  jwk\_t \* jwk = NULL;
  jwt\_t \* jwt = NULL;
  char \* claims;

  if ((jwk = r\_jwk\_quick\_import(R\_IMPORT\_JSON\_STR, jwk\_pubkey\_ecdsa\_str)) != NULL && (jwt = r\_jwt\_quick\_parse(token, R\_PARSE\_NONE, 0)) != NULL) {
    if (r\_jwk\_export\_to\_pem\_der(jwk, R\_FORMAT\_PEM, output, &output\_len, 0) == RHN\_OK) {
      printf("Exported key:\\n%.\*s\\n", (int)output\_len, output);
      if (r\_jwt\_verify\_signature(jwt, jwk, 0) == RHN\_OK) {
        claims = r\_jwt\_get\_full\_claims\_str(jwt);
        printf("Verified payload:\\n%s\\n", claims);
        r\_free(claims);
      } else {
        fprintf(stderr, "Error r\_jwt\_verify\_signature\\n");
      }
    } else {
      fprintf(stderr, "Error r\_jwk\_export\_to\_pem\_der\\n");
    }
  } else {
    fprintf(stderr, "Error parsing\\n");
  }
  r\_jwk\_free(jwk);
  r\_jwt\_free(jwt);

  return 0;
}

**Installation**

Rhonabwy is available in the following distributions.

**Dependencies**

Rhonabwy is based on Nettle, GnuTLS, Jansson, zlib, libcurl and libsystemd (if possible), you must install those libraries first before building Rhonabwy.

You also need check and Ulfius to run the tests.

**Prerequisites**

You need Orcania and Yder.

Those libraries are included in the package rhonabwy-dev-full_{x.x.x}_{OS}_{ARCH}.tar.gz in the Latest release page. If you're building with CMake, they will be automatically downloaded and installed if missing.

**Pre-compiled packages**

You can install Rhonabwy with a pre-compiled package available in the release pages.

**rhonabwy-dev-full packages**

The rhonabwy-dev-full contain 4 different packages:

*   liborcania-dev\_x.x.x\_.ext
*   libyder-dev\_y.y.y\_.ext
*   libulfius-dev\_z.z.z\_.ext
*   librhonabwy-dev\_a.a.a\_.ext

You only need to install liborcania-dev_*, libyder-dev_* for librhonabwy-dev_* to work. libulfius-dev_* isn't required unless you want to run the test suite.

**Manual install****CMake - Multi architecture**

CMake minimum 3.5 is required.

Run the CMake script in a sub-directory, example:

$ git clone https://github.com/babelouest/rhonabwy.git
$ cd rhonabwy/
$ mkdir build
$ cd build
$ cmake ..
$ make && sudo make install

The available options for CMake are:

*   -DWITH_JOURNALD=[on|off] (default on): Build with journald (SystemD) support
*   -BUILD_RHONABWY_TESTING=[on|off] (default off): Build unit tests
*   -DINSTALL_HEADER=[on|off] (default on): Install header file rhonabwy.h
*   -DBUILD_RPM=[on|off] (default off): Build RPM package when running make package
*   -DCMAKE_BUILD_TYPE=[Debug|Release] (default Release): Compile with debugging symbols or not
*   -DBUILD_STATIC=[on|off] (default off): Compile static library
*   -DBUILD_RHONABWY_DOCUMENTATION=[on|off] (default off): Build documentation with doxygen
*   -DWITH_CURL=[on|off] (default on): Use libcurl to download remote content

**Good ol' Makefile**

Download Rhonabwy from GitHub repository, compile and install.

$ git clone https://github.com/babelouest/rhonabwy.git
$ cd rhonabwy/src
$ make
$ sudo make install

To disable curl library on build (to avoid its dependencies), you can pass the option DISABLE_CURL=1 to the make command.

$ cd rhonabwy/src
$ make DISABLE\_CURL=1
$ sudo make install

By default, the shared library and the header file will be installed in the /usr/local location. To change this setting, you can modify the DESTDIR value in the src/Makefile.

Example: install Rhonabwy in /tmp/lib directory

$ cd src
$ make && make DESTDIR=/tmp install

You can install Rhonabwy without root permission if your user has write access to $(DESTDIR). A ldconfig command is executed at the end of the install, it will probably fail if you don't have root permission, but this is harmless. If you choose to install Rhonabwy in another directory, you must set your environment variable LD_LIBRARY_PATH properly.

CVE-2022-32096: GitHub - babelouest/rhonabwy: Javascript Object Signing and Encryption (JOSE) library - JWK, JWKS, JWS, JWE and JWT

Upgrades to the Exostar platform promote secure, compliant collaboration and handling of controlled unclassified information.

**HERNDON, VA, July 12, 2022 –** Exostar, a leader in trusted, secure business collaboration in highly regulated industries including aerospace and defense, today announced the availability of updates to The Exostar Platform that allow small and medium-sized businesses (SMBs) to overcome the technology, time, and cost obstacles of preparing for and demonstrating compliance with Department of Defense (DoD) cybersecurity requirements.

Firms throughout the Defense Industrial Base (DIB), including SMBs deep in the DoD supply chain, will have to acquire Cybersecurity Maturity Model Certification (CMMC) 2.0 certification as soon as May 2023 to participate in subsequent DoD contract solicitations. According to CMMC version 2.0, any member of the DIB that stores or handles Controlled Unclassified Information (CUI) during program execution must meet the 110 practices defined at CMMC Maturity Level 2. Many SMBs simply do not possess the expertise, bandwidth, or budget to go it alone.

Exostar’s Managed Microsoft 365 for CMMC directly addresses these challenges. This managed solution, based on Microsoft Teams and hosted in a Microsoft 365 Government Cloud Computing (GCC) High environment, is designed specifically for SMBs and delivers benefits including:

*   A secure workspace for SMB users within GCC High – without the expense and burden of acquiring, setting up, and managing their own tenant.
*   Rapid onboarding – subscribe today and be working tomorrow.
*   Implementation of the security controls necessary to properly protect CUI – and facilitate compliance with CMMC 2.0 and other DoD cybersecurity standards.
*   Enterprise-grade security at a price SMBs can afford, with room to grow for an enterprise license.

In addition to the launch of Exostar’s Managed Microsoft 365 for CMMC, the company has updated and upgraded its CMMC Ready Suite within The Exostar Platform to provide out-of-the-box support to accelerate SMBs throughout their CMMC 2.0 accreditation journeys:

*   Certification Assistant – Offers plainspoken descriptions of CMMC practices at all three Maturity Levels, helping SMBs to conduct compliance self-assessments and scoring, gather documentation, and prepare for any necessary third-party audits ahead of accreditation.
*   Exostar PolicyPro – Evaluates existing policies (including gap analysis) and/or generates new ones in accordance with all policy requirements defined in CMMC 2.0 practices.
*   CMMC 2.0 Basic Assessment – Provides expert guidance from Exostar-vetted cybersecurity compliance specialist partners who use Exostar’s CMMC Ready Suite to address an SMB’s unique circumstances and accelerate the accreditation process.

“SMBs are the lifeblood of the DIB. While they must improve their cybersecurity capabilities to better protect CUI throughout the DoD supply chain, CMMC 2.0 represents a heavy lift for many of these companies,” said Tony Farinaro, Exostar’s Chief Revenue Officer. “We continue to enhance and expand our CMMC offerings to make it easier and more cost effective for SMBs to meet their obligations so they can stay in the DIB, win business, and keep innovating on behalf of the DoD.”

In addition to SMBs, enterprises also can subscribe to Exostar’s Managed Microsoft 365 for CMMC, as well as purchase the other applications and services in The Exostar Platform’s CMMC Ready Suite, today.

**About Exostar**

The Exostar Platform supports exclusive communities within highly regulated industries where organizations securely collaborate, share information, and operate compliantly. Within these communities, we build trust. More than 150,000 companies and agencies in 175 countries trust Exostar to strengthen security, reduce expenditures, raise productivity, and help them achieve their digital transformation initiatives. Nearly half of the Defense Industrial Base, including 98 of the top 100, transact business over The Exostar Platform. Eleven of the top twenty global biopharmaceutical companies rely on The Exostar Platform to help them speed new medicines and therapies to market. Exostar is a Gartner Cool Vendor. For more information, please visit www.exostar.com, and follow Exostar on LinkedIn and Twitter.

Exostar Empowers SMBs with Enhanced, Low-Cost, Easy-to-Use Microsoft 365 and CMMC 2.0 Solutions

Often, organizations think of firewall security as a one-and-done type of solution. They install firewalls, then assume that they are "good to go" without investigating whether or not these solutions are actually protecting their systems in the best way possible. "Set it and forget it!"
Instead of just relying on firewalls and assuming that they will always protect their businesses from cyber

Often, organizations think of firewall security as a one-and-done type of solution. They install firewalls, then assume that they are "good to go" without investigating whether or not these solutions are actually protecting their systems in the best way possible. "Set it and forget it!"

Instead of just relying on firewalls and assuming that they will always protect their businesses from cyber risk, executives need to start asking deeper questions about them. As with most areas of business, it's important to take a critical look at each solution that your organization relies on for security. So, let's break down a few questions that you and your team should be asking about firewall security to get a more accurate view into your network defense posture.

****1 — What does your team's firewall knowledge look like?****

In order to properly service and upkeep firewalls, your team needs to have at least a baseline knowledge of how firewalls operate. It's especially important to understand what a firewall can and can't do. For instance, next-generation firewall solutions are built to perform deep packet inspection, meaning they look into individual pieces of information that enter and exit your system – a "gatekeeper" for your systems, per se. They perform this function well, but only when they can actually see the data in the payload. This is becoming more and more difficult in the age of "encrypt-everything".

****2 — Does your security team spend time understanding the "other side"?****

Who is on the other side of malicious attacks? In order to understand how to safeguard your network from harm, your team needs to understand what - and who - they're defending against. The landscape of cyber-attacks has drastically changed over the past few years, and malicious actors have accelerated in skill. With the advancement in technologies comes more efficient and dangerous cyber-criminals.

Hackers in the 2020s have more powerful tools than ever before, literally at their fingertips. They're intelligent people, driven by tools that cost them little to nothing to obtain. As an example, credential stuffing attacks (taking a username and password from one site, and trying it out on other sites to access additional credentials) can be executed easily with a free, open-source tool called OpenBullet.

Security teams need to take all of this into account, as they consider their existing firewall solutions. They also need to consider the fact that most next-generation firewall solutions pre-date many of these powerful hacking tools by 10-20 years, and have changed little over the past two decades.

****3 — Can your next-generation firewall solution really encrypt and de-encrypt all of your data?****

Unlike 20 years ago, when firewalls were first introduced, almost all data packets that travel in and out of systems are encrypted. This means that in order for deep packet inspection to work, your firewall needs to be able to de-encrypt the data, look through the contents for any indications of malicious activity, and then, in many situations, re-encrypt them to adhere to modern-day compliance standards.

This can take an enormous amount of processing power and time, so your firewall solution not only needs to have the capability to encrypt and de-encrypt, but your system needs to have the bandwidth to support these activities. Worse, modern encryption techniques driven by the global demand for privacy, are making it more and more difficult to decrypt and re-encrypt data in the first place.

****4 — How many IP addresses can your firewall solution block?****

As we've explored above, deep packet inspection in a world of encrypted data can be a time-consuming process, which can then become a roadblock for today's fast-paced network environments. And because of this, your firewall technology should have a way to complement deep packet inspections, in case de-encryption can't happen in time and packets containing malicious payloads slip through the cracks.

The best way to ensure that nothing gets past your firewall unnoticed? By implementing IP address filtering as well. Since all traffic is identified by a unique IP address, it's a simple way to catch any packets coming from (or going to) known malicious locations and block them, without even needing to check their contents.

But there's an unfortunate reality about IP address filtering: most well-known firewall security vendors cite that their solutions can only recognize and block around 100,000-1 million IP addresses, at the very most. There are millions (or billions) of known bad IP circulating in the world right now. That's crazy, right?! We thought so too, and created ThreatBlockr as a solution that solely focused on IP address blocking to fill this evident gap. Our solution can support up to 150 million IPs and Domains - about 1,000 times more than firewalls can support. This is because we designed ThreatBlockr specifically for this use case. Firewalls weren't built for this use case - they were built for deep packet inspection, which is a very different engineering problem.

****5 — Is your team supplementing your firewall solution with other security practices?****

As powerful as firewall solutions can be, they are only as strong as the humans at your organization. No matter how vigilant and advanced your security team's initiatives are, if a single employee clicks on a phishing email link, those efforts could all be for nothing.

It's important to consider cybersecurity awareness training, right alongside security solutions such as firewalls. When your employees can avoid phishing schemes and create (and rotate) secure passwords, they will contribute positively to your overall security program, making your purchased solutions all the more effective. When your IT team is rigorous about the timely installation of the latest software security patches across your entire business software ecosystem, your security posture will improve immensely.

The bottom line: firewalls aren't a magical, black box solution that can fix all security flaws. Firewalls are clearly not a silver bullet. If they were, no one would be getting hacked. Yet, here we are, in 2022, with new breaches and threats identified every day. Firewalls have their place in a security team's toolkit but need to be complemented with gap-filling solutions, methodologies, and company-wide best practices. Only then can effective cyber security truly be realized.

For organizations looking to understand what threats are getting through their existing security stacks, ThreatBlockr offers a free threat risk assessment to get a comprehensive network security audit.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

5 Questions You Need to Ask About Your Firewall Security

This Tech Tip outlines how system administrators can get started with automated continuous patching for their Windows devices and applications.

The Windows Autopatch service, which allows enterprises to automatically roll out updates for Windows 10, Windows 11, Microsoft Edge, and Microsoft 365 software, is now live, Microsoft said this week. Autopatch is intended to streamline updating operations and reduce the time it takes for systems to be patched. Originally announced in April, the feature has been in public preview since May.  

"Essentially Microsoft engineers use the Windows Update for Business client policies and deployment service tools on your behalf," wrote Lior Bela, senior product marketing manager at Microsoft, on the Microsoft IT Pro blog. "The service creates testing rings and monitors rollouts—pausing and even rolling back changes where possible."

This Tech Tip summarizes the prerequisites for using Autopatch and instructions on enabling the new feature.

**Very Specific Prerequisites**

Customers must have Windows 10/11 Enterprise E3 or E5 licenses. The organization must also have Azure Active Directory Premium and Microsoft Intune. A proxy or firewall that uses TLS 1.2 is also required.

"Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join," Microsoft said in the deployment guide.

The endpoints that will be enrolled into Windows Autopatch must be managed by either Microsoft Intune or Configuration Manager Co-Management. Intune must be set as the mobile device management (MDM) authority or co-management must be turned on and enabled on the endpoints. The endpoints being enrolled must also have connected with Microsoft Intune within the last 28 days in order to be registered with Autopatch.

The endpoints, which must be corporate-owned (bring-your-own-device is not currently supported) should have 64-bit editions of Windows 10/11 Pro, Windows 10/11 Enterprise, or Windows 10/11 Pro for Workstations. However, Windows Autopatch will support updating of Windows 365 cloud PCs in mid-July.

**Configuring the Environment**

Since Autopatch is cloud-based, there are specific Microsoft services that must be available at all times. The four URLs that must be on the allowed list of the proxy or firewall are _mmdcustomer.microsoft.com_, _mmdls.microsoft.com_, _logcollection.mmd.microsoft.com_, and _support.mmd.microsoft.com_. 

The deployment guide lists other firewall configurations, IP ranges, and port requirements for Azure Active Directory, Microsoft Intune, Windows Update for Business, and individual Microsoft applications.

Azure Active Directory must have security defaults enabled and not have any user names that conflict with the ones Autopatch needs to use: _MsAdmin_, _MsAdminInt_, and _MsTest_. Azure AD must also be set so that conditional access policies and multifactor authentication aren’t assigned to all users. The point is that Autopatch can’t be required to have multifactor authentication enabled. 

"Your conditional access policies must not prevent our service accounts from accessing the service and must not require multi-factor authentication," Microsoft said.

**How Do I Get Started?**

Customers with Windows Enterprise E3 and E5 licenses will find Tenant Administration in the Microsoft Endpoint Manager administrator center. The option _Tenant enrollment_ in the Windows Autopatch section will begin the process to set up and configure Autopatch.

But first, Microsoft will run the online Readiness assessment tool to check the settings in Microsoft Intune and Azure Active Directory to ensure they are properly configured to work with Windows Autopatch. If issues are found, the administrator must fix them before continuing.

Once everything is ready, the tool will show an _Enroll_ button to kick off the enrollment. During the enrollment process, administrators will be guided to create the policies, groups, and accounts necessary to run Autopatch.

"Once you've enrolled devices into Autopatch, the service does most of the work. But through the Autopatch blade in Microsoft Endpoint Manager, you can fine-tune ring membership, access the service health dashboard, generate reports, and file support requests," Microsoft said.

**What Sysadmins Can’t Do**

*   It would not be possible to schedule the updates to roll out on certain days or times. The decision of when to move to the next ring is also not configurable.
*   Once a device is registered with Windows Autopatch, updates are rolled out to the devices according to its ring assignment. Currently, there is no support for individual device level control.
*   Windows Autopatch doesn't support managing update ring membership using your Azure AD groups.
*   There is currently no programmatic access via PowerShell to Autopatch

Getting Up and Running with Windows Autopatch

A SQL injection issue was discovered in the lux extension before 17.6.1, and 18.x through 24.x before 24.0.2, for TYPO3.

Tue. 12th July, 2022

It has been discovered that the extension "LUX - TYPO3 Marketing Automation" (lux) is susceptible to SQL Injection.

*   Release Date: July 12, 2022
*   Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
*   Component: "LUX - TYPO3 Marketing Automation" (lux)
*   Composer Package Name: in2code/lux
*   Vulnerability Type: SQL Injection
*   Affected Versions: 17.6.0 and below, 18.0.0 - 24.0.1
*   Severity: High
*   Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C
*   References: CVE-2022-35628, CWE-89

**Problem Description**

The extension fails to properly sanitize user input and is susceptible to SQL Injection.

**Solution**

Updated versions 17.6.1 and 24.0.2 are available from the TYPO3 extension manager, packagist and at  
https://extensions.typo3.org/extension/download/lux/17.6.1/zip  
https://extensions.typo3.org/extension/download/lux/24.0.2/zip  
Users of the extension are advised to update the extension as soon as possible.

**Credits**

Thanks to Alex Kellner for providing updated versions of the extension.

**General Advice**

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

CVE-2022-35628: SQL Injection in extension "LUX - TYPO3 Marketing Automation" (lux)

The gridelements (aka Grid Elements) extension through 7.6.1, 8.x through 8.7.0, 9.x through 9.7.0, and 10.x through 10.2.0 extension for TYPO3 allows XSS.

Tue. 26th April, 2022

It has been discovered that the extension "Grid Elements" (gridelements) is susceptible to Cross-Site Scripting.

*   Release Date: April 26, 2022
*   Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
*   Component: "Grid Elements" (gridelements)
*   Vulnerability Type: Cross-Site Scripting
*   Affected Versions: 7.6.1 and below, 8.0.0 - 8.7.0, 9.0.0 - 9.7.0 and 10.0.0 - 10.2.0
*   Severity: Medium
*   Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
*   References: CVE-2022-29602

**Problem Description**

The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability.

**Solution**

Updated versions 7.7.0, 8.8.0, 9.8.0 and 10.3.0 are available from the TYPO3 extension manager, packagist and at   
https://extensions.typo3.org/extension/download/gridelements/10.3.0/zip  
https://extensions.typo3.org/extension/download/gridelements/9.8.0/zip  
https://extensions.typo3.org/extension/download/gridelements/8.8.0/zip  
https://extensions.typo3.org/extension/download/gridelements/7.7.0/zip  
Users of the extension are advised to update the extension as soon as possible.

**Credits**

Thanks to TYPO3 Security Team member Oliver Hader for reporting the vulnerability and to Jo Hasenau  for providing updated versions of the extension.

**General Advice**

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

CVE-2022-29602: Cross-Site Scripting in extension "Grid Elements" (gridelements)

The ameos_tarteaucitron (aka AMEOS - TarteAuCitron GDPR cookie banner and tracking management / French RGPD compatible) extension before 1.2.23 for TYPO3 allows XSS.

Tue. 14th June, 2022

It has been discovered that the extension "AMEOS - TarteAuCitron (GDPR cookie banner and tracking management / French RGPD compatible)" (ameos\_tarteaucitron) is susceptible to Cross-Site Scripting.

*   Release Date: June 14, 2022
*   Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
*   Component: "AMEOS - TarteAuCitron (GDPR cookie banner and tracking management / French RGPD compatible)" (ameos\_tarteaucitron)
*   Vulnerability Type: Cross-Site Scripting
*   Affected Versions: 1.2.22 and below
*   Severity: Medium
*   Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
*   References: CVE-2022-33155

**Problem Description**

The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability.

**Solution**

An updated version 1.2.23 is available from the TYPO3 extension manager, packagist and at    
https://extensions.typo3.org/extension/download/ameos\_tarteaucitron/1.2.23/zip  
Users of the extension are advised to update the extension as soon as possible.

**Credits**

Thanks to TYPO3 Security Team member Torben Hansen for reporting the vulnerability and to Luc Muller for providing an updated version of the extension.

**General Advice**

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

CVE-2022-33155: Cross-Site Scripting in extension "AMEOS - TarteAuCitron (GDPR cookie banner and tracking management / French RGPD compatible)" (ameos_tarteaucitron)

The schema (aka Embedding schema.org vocabulary) extension before 1.13.1 and 2.x before 2.5.1 for TYPO3 allows XSS.

Tue. 14th June, 2022

It has been discovered that the extension "Embedding schema.org vocabulary" (schema) is susceptible to Cross-Site Scripting.

*   Release Date: June 14, 2022
*   Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
*   Component: "Embedding schema.org vocabulary" (schema)
*   Vulnerability Type: Cross-Site Scripting
*   Affected Versions: 1.13.0 and below, 2.0.0 - 2.5.0
*   Severity: Medium
*   Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
*   References: CVE-2022-33154

**Problem Description**

The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability.

**Solution**

Updated versions 1.13.1 and 2.5.1 are available from the TYPO3 extension manager, packagist and at  
https://extensions.typo3.org/extension/download/schema/1.13.1/zip  
https://extensions.typo3.org/extension/download/schema/2.5.1/zip  
Users of the extension are advised to update the extension as soon as possible.

**Credits**

Thanks to Chris Müller for reporting the vulnerability and for providing updated versions of the extension.

**General Advice**

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

Tag

#perl