A free new Heartbleed vulnerability scanner tool
- Consult with your Vulnerability and Threat Management Team/Individual (VTM)
- Ensure the VTM team/individual has discovered all devices vulnerable to Heartbleed
- Verify that the keys and certificates have been replaced on your vulnerable SSL servers
- Request that the team validate the cleanup by running the CrowdStrike scanner or a similar scanner that reports the results of your remediation efforts. A rescan also reveals servers that were missed in the initial scan(s) because they were down, or that were not discovered because they were no longer on the network at the time.
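The key-and-certificate replacement check from the steps above, as an added example (Python standard library only; not from this page or from CrowdStrike's tool): given the certificate PEM, the public-key PEM as `openssl x509 -pubkey -noout` prints it, and the `openssl x509 -noout -dates` output captured before and after remediation, it reports whether the certificate was actually replaced, whether the new certificate reuses the old private key, and whether it predates the disclosure. The PEM bodies in the sample captures are constructed placeholders, not real DER.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone

# Heartbleed (CVE-2014-0160) was disclosed on 7 April 2014; a certificate whose
# notBefore precedes that date cannot be the result of post-disclosure key rotation.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

def pem_der_sha256(pem: str, label: str) -> str:
    """SHA-256 of the DER bytes inside the first PEM block carrying `label`."""
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), pem, re.S)
    if not m:
        raise ValueError("no %s block found" % label)
    return hashlib.sha256(base64.b64decode("".join(m.group(1).split()))).hexdigest()

def parse_not_before(dates_output: str) -> datetime:
    """Parse the notBefore line printed by `openssl x509 -noout -dates`."""
    m = re.search(r"^notBefore=(.+)$", dates_output, re.M)
    if not m:
        raise ValueError("notBefore line missing")
    stamp = datetime.strptime(m.group(1).strip(), "%b %d %H:%M:%S %Y %Z")
    return stamp.replace(tzinfo=timezone.utc)

def remediation_findings(before: dict, after: dict) -> list:
    """Compare captures taken before and after remediation; each dict holds 'cert'
    (certificate PEM), 'pubkey' (public-key PEM) and 'dates' (openssl -dates output).
    An empty list means both the certificate and the key were replaced."""
    findings = []
    cert_same = pem_der_sha256(before["cert"], "CERTIFICATE") == pem_der_sha256(after["cert"], "CERTIFICATE")
    key_same = pem_der_sha256(before["pubkey"], "PUBLIC KEY") == pem_der_sha256(after["pubkey"], "PUBLIC KEY")
    if cert_same:
        findings.append("certificate unchanged: no remediation")
    elif key_same:  # a new certificate on the old key leaves the exposed key in service
        findings.append("certificate reissued but the private key was reused")
    if parse_not_before(after["dates"]) < HEARTBLEED_DISCLOSURE:
        findings.append("certificate issued before Heartbleed disclosure")
    return findings

def _capture(cert_body: bytes, key_body: bytes, not_before: str) -> dict:
    """Constructed sample capture; the PEM bodies are placeholders, NOT real DER."""
    def pem(label, body):
        return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(body).decode(), label)
    return {"cert": pem("CERTIFICATE", cert_body), "pubkey": pem("PUBLIC KEY", key_body),
            "dates": "notBefore=%s\nnotAfter=Dec 31 23:59:59 2015 GMT\n" % not_before}

# Constructed captures of one server: pre-patch, reissued on the old key, fully rotated.
BEFORE = _capture(b"cert-2014-01", b"key-A", "Jan 15 00:00:00 2014 GMT")
REISSUED_SAME_KEY = _capture(b"cert-2014-04", b"key-A", "Apr 12 09:30:00 2014 GMT")
ROTATED = _capture(b"cert-2014-04", b"key-B", "Apr 12 09:30:00 2014 GMT")
```

Run `remediation_findings(BEFORE, after)` for each post-remediation capture; only an empty result counts as a clean server.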
CrowdStrike blog post detailing the tool
Download the free CrowdStrike scanner
AIG’s new addition to Cyber Security Coverage
- Consult your Risk Management team to see if your company has any cybersecurity insurance.
- If you have coverage, ensure the organization has performed an information security risk assessment to see whether the current coverage is adequate for your company's risk appetite. If you do not have coverage, consider performing an information security risk assessment to decide whether to transfer potential financial loss through insurance, in case there is a need to pay for forensic investigations, credit monitoring, reputation management, business interruption, and compliance with state breach notification laws after a data breach.
- Evaluate whether a failure of any of your information systems has the potential to cause bodily injury to customers or employees.
- Bring in an insurance company that can provide physical security coverage to perform a coverage feasibility assessment, which will tell you whether your company is eligible, as well as the terms and costs of your coverage.
AIG Cyber Edge PC Insurance
Apple’s series of security updates
- Perform an asset inventory of all company-owned Apple assets running iOS and OS X, including desktops, laptops, iPhone 4 and later, iPod touch (5th generation) and later, and iPad 2 and later. Your company should have a configuration management database showing which devices run which operating system versions. For non-company-owned assets in a bring-your-own-device (BYOD) model, notify employees who access company data from personal Apple devices to apply Security Update 2014-002 to their devices.
- Back up a set of test devices for each of the iOS and OS X systems.
- Apply Security Update 2014-002 to the test devices.
- Test business functionality of each type of device and record any issues impacting any business functions on the devices.
- If no issues result from the testing, deploy the security updates to the production systems. If functionality-impacting issues occur on the test devices, engage Apple support and/or vendor support if specific applications are negatively impacted.
- Finally, as always, it is good practice to run a vulnerability scan against the updated devices.
- If you have a mobile device management solution for BYOD employees, enforce policies to deny devices without the update access to the network if possible.
**If you do not have a mobile device management solution in a BYOD model, strongly recommend that users install the security updates. Failure to do so may result in your employees' devices compromising your company information and/or costing the employees or your organization a great deal of money.**
Apple support knowledge base
CIO Magazine on BYOD
Inc Magazine on BYOD