U.S. intelligence agencies, including the FBI, the Office of the Director of National Intelligence, the National Security Agency and the Cybersecurity and Infrastructure Security Agency, have confirmed that Russia was behind the SolarWinds hack. It is reported that the FBI is investigating whether Russia hacked into project management software JetBrains’ TeamCity DevOps tool to originally plant its malware in SolarWinds Orion, causing a cascade of downstream opportunities for Russia to access numerous governmental agencies’ systems, as well as thousands of private company systems.

In the fall-out, the Department of Justice, which includes the FBI, the Drug Enforcement Agency and the U.S. Marshal’s Service, announced this week that 3 percent of its employees’ emails were compromised as a result of the SolarWinds hack. This is very concerning and shows the magnitude and seriousness of the incident.

In more disturbing news, Microsoft has confirmed that the hackers behind the SolarWinds incident were able to access its systems and that some of its source code was viewed by the hackers. Notably, Microsoft confirmed that the code was not modified and that the Russians did not access its products or services, including customer information.

Cybersecurity firms are offering free solutions for companies to use to identify the SUNBURST malware variant and whether they have been affected, including Palo Alto Networks and SentinelOne.

We will continue to see significant fall-out from this devastating incident. If your company has not assessed its risk of being affected by the SolarWinds hack, you may wish to consider devoting time and resources to help make that determination now

Patching vulnerabilities has always been challenging, but these days, it is getting more and more complicated as manufacturers try to stay abreast of zero-day vulnerabilities and issue patches as quickly as they can.

Microsoft is well-known for its Patch Tuesday, which is a monthly roll-out of the patches for vulnerabilities it has become aware of in the past month. This past Tuesday, October 13, 2020, was Patch Tuesday for the month of October. It was not the largest release that Microsoft has had on Patch Tuesday this year, with a mere 87 patches. That is down from more than 100 patches released every month between March and September of 2020. In September, Patch Tuesday produced 129 patches.

When IT professionals receive 87 patches from one manufacturer in a month, it puts in perspective just how complicated and hard it is to keep up with all of the patches received from every software vendor and manufacturing companies are using in day to day operations. It could be a full-time job.

The failure to patch a vulnerability in a timely manner has been the cause of well-known security incidents and data breaches, which magnified the importance of timely patching. However, the number of patches continues to grow exponentially, making it difficult for IT professionals to keep up with the alerts. It is hard to imagine how they don’t become a little numb to the issuance of another patch.

When issuing the patches on Patch Tuesday, Microsoft categorizes the patches into “critical,” “important” and “moderate” in severity so that IT professionals can prioritize the patches when applying them to systems. They also provide helpful information about whether the vulnerabilities are known to be actively exploited by criminals at the time of the release. This month, 11 of the 87 patches were categorized as critical, 75 were categorized as important, and one was classified as moderate. Six of the vulnerabilities were publicly known at the time of the release, so were potentially available to criminals before the release.

According to reports by security experts, the recently released patches IT professionals may wish to concentrate on first this month are the ones that address vulnerabilities in remote code execution or RCEs, which allow attackers access to a system without user action—like clicking on a phishing email. Once in the system, the attacker can obtain privileges, start a ransomware attack or steal data.

Although patching gets more and more complicated, it is important for IT systems to continue to prioritize them and stay on top of security alerts from vendors regarding vulnerabilities. It is easy to become numb to the number and frequency of the issuance of patches, but it is critical to minimizing risk.