Use the CISA Known Exploited Vulnerabilities Catalogue to Improve Your Patching Program

Cyber criminals are finding and exploiting vulnerabilities in programs and equipment faster than ever. For an example, just this week the Cybersecurity and Infrastructure Security Agency (CISA) warned of two vulnerabilities with CVE ratings of 9.8 that are being actively exploited in the wild to attack unpatched versions of multiple product lines from VMware and of BIG-IP software from F5. According to an advisory published Wednesday, the vulnerabilities (tracked as CVE-2022-22960 and CVE-2022-22960) were reverse engineered by attackers, an exploit was developed, and unpatched devices were being attacked within 48 hours of the release. Currently, this kind of rapid exploitation is not at all unusual. This means that to keep in step, organizations not only must monitor all of their IT assets for vulnerabilities, they must patch them quickly and intelligently.

This is where the CISA Known Exploited Vulnerabilities Catalogue (also known as the “must patch list”) can be a real help. It is free to all, regularly updated, and can be accessed at What is nice about this tool is that it only includes vulnerabilities that are known to be currently exploited and dangerous. This helps you avoid wasting time and effort patching vulnerabilities that can wait. The catalogue also helps prevent organizations from concentrating too much on Microsoft systems. When you view the current catalogue, you will see exploited vulnerabilities in Apple, Cisco, VMWare, Big-IP, Fortinet, Chrome and IBM just to name a few.

As we have emphasized before, it is very important to track all of your IT assets. That is why maintaining current inventories of all hardware devices, software applications, operating systems and firmware applications on your networks is listed as Job #1 in cutting-edge information security guidance. Once you have a process in place to ensure that your inventories are complete and regularly updated, why not leverage all of that work to inform your patching and security maintenance program? You can simply compare the must patch list with your IT asset inventories and see if any of the currently exploited vulnerabilities pertain to your systems. If they do, that gives you a quick guide on which systems should be immediately patched. Remember that in the current threat environment, speed is indeed of the essence!

How to Rotate Your SSH Keys

SSH keys are used to secure access to and authenticate authorized users to remote servers. They are stored locally on the client machine and are encrypted using public-key cryptography. These keys are used to encrypt communications between the client and server and provide secure remote access.

When you log into a remote machine, you must provide a valid private key to decrypt the traffic. As long as the private key remains secret, only you can access the server. However, if someone obtains your private key, they can impersonate you on the network.

SSH key rotation helps prevent this type of unauthorized access. It reduces the risk that someone has access to your private key, and helps prevent malicious users from being able to impersonate you on your network.

Most security policies and best practices call for rotating your key files on a periodic basis, ranging from yearly to quarterly, depending on the sensitivity of the data on the system. Such policies go a long way to ensuring the security of authentication credentials and the authentication process for sensitive machines.

There are two ways to rotate your keys: manually, and automatically.


To manually perform key rotation, you need to generate a new pair of keys. Each time you do this, you create a new key pair. You then upload the public key file to the server you wish to connect to. Once uploaded, the server uses the public key to verify that you are who you say you are.


An alternative approach is to use automatic key rotation. With automatic rotation, you don’t need to generate a new key pair each time you change your password. Instead, you simply update the permissions on your existing key file.

The following steps show how to configure automatic rotation.

1. Generate a new keypair

2. Upload the public key to the remote server

3. Configure the remote server to use the new keypair

4. Update the permissions on the old keypair file

5. Delete the old keypair

6. Logout from the remote server

More Information

On Linux systems, use the “man” command to learn more about the following:

    • ssh-keygen command
    • ssh-public-key command
    • upload-ssh-public-key command

The examples should provide options for command parameters and sample command output for your operating system.

For more information about the SSH protocol, you can review the Wikipedia article here.


Four Uses for the Raspberry Pi in Small Business Security

With Raspberry Pi systems now available fully decked out for under $100, there are many uses that small business security teams can find for these versatile devices. Here are four of our favorites for using them in security roles.

1. Honeypot for Detecting Attackers on Your Network

Our HoneyPoint™ Agent runs on the Pi. It allows you to monitor for potential network compromises and attempts to breach your network by offering a fake system for attackers to target. Since the system has no real use, any interaction with it is suspicious at best, and malicious at worst. This allows for an easy-to-manage detection tool for your business.

2. Nessus Scanning Engine for Vulnerability Management

Nessus now supports running on the Pi 4 with 8 Gigs of RAM. Nessus is a very popular and powerful vulnerability scanner. With it, you can scan your network for vulnerabilities and find out what software needs updating.

3. Run Pi-Hole for Content Filtering

Pi-Hole is one of the best open-source security tools on the Internet. It provides enterprise-quality content filtering for free. Drop this on your network and implement it following the online instructions, and you’ve got affordable protection against malicious advertising, bad content, and many types of malware that inject via the browser.

4. Build a Cheap VPN Server

PiVPN makes setting a VPN for your small business needs incredibly simple. You can use this feature to access systems while you’re away or just to stay safer on public wireless networks. Most folks can deploy this in under an hour, and it can save you an immense amount of risk.

Using a Pi for some other risk management or security purpose? We’d love to hear about it. Drop me a line on Twitter (@lbhuston) and let me know what you’re up to. We’ll feature any ground breaking ideas in future posts.


A Cynefin Risk Management Use Case

Lately, I have been working on using the Cynefin framework to help a client with supply chain risk management. I’m not going to dig into the specifics here, but I wanted to share a quick workflow that we used during this process that has been very useful for us.

Risk Matrix

First, we built a risk matrix for supply chain risk. Basically, there are a number of these available via the various search engines. We took some of the most common ones and tore them down to commonalities, then built them into our matrix. We turned this into a simple spreadsheet.

Heat Mapping

Next, once we had our risk matrix, we did an exercise where we heat mapped the various risks, scoring them high/medium/low subjectively. This gave us an excellent tool to monitor our situation and communicate it with our stakeholders.

Applying Cynefin

Next, we mapped all of the high risks into the cynefin framework by researching the present state of each, whether best practices were available and relevant, being developed, or still in the experimental stage. This gave us a good idea of which problems we could simply focus on using known techniques and skills against, which ones we needed to take existing decent practices and optimize them, and which problems we needed to experiment with solutions for.

Sharing and Feedback

Overall, the exercise took around an hour to complete once we compiled the basic templates and completed the risk matrix research. For those of you facing complex risk management problems, this workflow might assist. Let me know on social media (@lbhuston) if it provides any help or if you have suggestions and feedback. Thanks for reading!

Patching Perfection Now a Must for All Organizations

Look at the state of cybersecurity now. What a mess! Things have been getting steadily worse now for years and there seems to be no end in sight. Every time we seem to be getting a handle on one new malware campaign another one comes online to bedevil us. The latest iteration is the Log4j debacle. In its wake, the government has demanded that their departments increase their efficiency and timeliness in the patching of their systems. Non-government organizations should take a cue from this and also increase their efforts to patch their systems in a timely manner. It is certain that cybercriminals are not wasting any time in exploiting unpatched vulnerabilities on the computer networks of all kinds of organizations.

One thing to keep in mind in the present environment is that the most serious and far-ranging exploits against computer networks in the last several years are coming from nation states and government sponsored hackers. These groups are developing very cleaver attacks and then striking selected targets all at once. Once they have taken their pound of flesh, they are then ensuring that their exploits are shared with cybercriminals around the world so that they too may get on board the gravy train. That means that organizations that are not a part of the original attack list have some amount of time make their systems secure. But this lag time may be of rather short duration. It would be unwise to simply wait for the next patching cycle to address these virulent new exploits. This means that organizations need to institute programs of continuous vulnerability monitoring and patching, despite the headaches such programs bring with them.

Another thing to keep in mind is that organizations need to ensure that all network entities are included in the patching program, not just Windows machines. All operating systems, software applications, hardware devices and firmware applications present on the network should be addressed. To ensure that all these network entities are included, we advocate combining vulnerability management programs with hardware and software inventories. That way you can ensure that no systems on the network are “falling through the cracks” when it comes to monitoring and patching.

Although perfect patching is not a panacea, and is reactive rather than proactive in nature, it goes a long way in preventing successful attacks against the average organization. This is especially true if your reaction time is short!

3 Common Challenges Implementing Multi-Factor Authentication

Multi-factor authentication is becoming increasingly popular among businesses and consumers alike.

However, many organizations struggle to implement the technology successfully.

Here are three challenges organizations face when implementing multi-factor authentication.

1. Lack of Awareness

Many organizations don’t understand what multi-factor authentication is or why they should use it.

They think it’s too complicated, expensive, or unnecessary.

This misconception leads to a lack of awareness about the security risks posed by weak passwords and phishing attacks.

2. Security Concerns

Some organizations believe that multi-factor authentication adds complexity and cost to their IT infrastructure.

But, in reality, multi-factor authentication doesn’t add much overhead.

Instead, it provides additional layers of protection against cyberattacks.

3. Complexity

Organizations sometimes find it difficult to integrate multi-factor authentication into their existing systems.

For example, they might have to replace old software or change user interfaces.

Some Potential Solution Ideas

If you’re struggling to implement multi-factor authentication, here are some tips to help you overcome these challenges.

1. Educate Employees About Multi-Factor Authentication

Educating employees about multi-factor authentication helps them understand its importance.

Make sure employees know that using multi-factor authentication reduces the likelihood of fraud and improves overall security.

2. Use Technology That Works For You

Multi-factor authentication tools are becoming more popular by the day. Many low-cost, or even free, solutions exist from vendors like Microsoft, DUOand others.

Look for solutions that have easy integration with your existing business infrastructure and systems.

3. Work With A Partner

A partner who has experience implementing multi-factor authentication can be helpful.

An experienced partner can provide guidance and support throughout the implementation process.

4. Make Sure The Solution Is Right For You

Before choosing a solution, make sure it meets your organization’s needs.

As always, if we can be of assistance, drop us a line to We’d be happy to help!

3 Essential Raspberry Pi Hardening Steps

Raspberry Pi hardening is essential for securing your device against attacks.

Here are three essential Raspberry Pi hardening steps:

1. Disable SSH If You Don’t Need It

Disable SSH access to your Raspberry Pi using the following command:

sudo raspi-config

Choose “Advanced Options” and then choose “No ssh”.

2. Change Your Password

Change your password to something secure. You can use the following command:


3. Update Raspbian

Update your Raspberry Pi’s operating system to the latest version available. This ensures that your device is up to date with security patches and bug fixes.

To update your Raspberry Pi, follow these instructions:

sudo apt-get update

sudo apt-get upgrade

In summary, hardening your device by following these steps will help you protect your Pi from attacks. Making these three basic steps a part of every Pi install you do will go a long way to giving you a safer, more dependable, and more private experience.



What Is The Danger of Leaked Source Code?

Source code leaks are one of the biggest risks facing software developers today. It exposes sensitive business secrets, intellectual property, and trade secrets. It also puts the source code itself at risk of being used maliciously.

When source code leaks, it can lead to a number of issues. For instance, it could allow hackers to steal valuable IP. It could expose sensitive customer information. It could put employees at risk of having their identities stolen. And it could cause legal problems for companies.

In fact, according to a recent study conducted by KPMG, nearly half of respondents said that they had experienced a leak of confidential or proprietary information. Of those, almost two-thirds said that the leak was due to a developer leaving the company.

To learn more about our solution to helping customers detect and respond to source code leaks (along with other forms of critical data), check out our ClawBack™ product. The page contains several videos, pricing, and use cases. Give us a call at 1-614-351-1237 or drop us a line at to learn more or discuss how ClawBack can go to work for you!

The Biggest Challenges to Firms using Cyber Threat Intelligence

Cyber threat intelligence is one of the hottest topics in cybersecurity today. Many firms are investing heavily in developing and deploying solutions to identify and respond to cyber threats. But despite the hype surrounding cyber threat intelligence, many firms still struggle to make sense of the data they collect.

Why are firms struggling to make sense of their data, and how they can overcome this challenge? We asked around. It looks like three key challenges emerged, and here they are:

1. Data quality – How do we know if our data is accurate?

2. Data volume – How much data do we need to store?

3. Data integration – How do we combine multiple sources of data?

We’re working on ideas around these 3 most common problems. We’re working with firms of all sizes to help solve them. When we get to firm, across-the-board answers, we’ll post them. In the meantime, knowing the most common issues firms are facing in the threat intelligence arena gives us all a good place to start.

Got workarounds or solutions to these issues? Drop me a line on Twitter (@lbhuston) and let me know how you’re doing it. We’ll share the great ideas as they are proven out.

How to Calculate Cyber Security Risk Value and Cyber Security Risk

There has been a lot of interest lately in formulas for calculating cyber security risk value. That is not at all surprising given the crisis in cyber security that has intensified so greatly in the last few years. Every interest from large government organizations and corporations to small businesses and even individuals are struggling to get a handle on data breaches, ransomware, supply chain attacks, malware incursions and all the other cyber-ills that are besetting us from every angle. And to gain that handle, interests must be able to assign relative value to their information assets and systems. It only makes sense that you provide the highest level of protection to those information assets that are the most critical to the organization, or those that contain the most sensitive information. Hence, the need for the ability to calculate risk value.

The formula for risk value, as it pertains to cyber security, is simply stated as the probability of occurrence x impact. This should not be confused with the formula for calculating cyber security risk, which is risk = (threat x vulnerability x probability of occurrence x impact)/controls in place. As can be seen, cyber security risk value is a subset of the larger cyber security risk calculation. It is useful because it allows the organization to assign a value to the risk, either in terms of the level of risk (i.e. high, medium or low) or the actual cost of the risk (i.e. dollars, time or reputation). The more realistically risk value can be calculated, the better an interest can rate the actual value of an information asset to the organization. In other words, it is the meat of risk assessment.

So, lets take a look at the two factors in risk value and see how we can calculate them. First is possibility of occurrence (or likelihood) determination. According to NIST, to derive the overall likelihood of a vulnerability being realized in a particular threat environment, three governing factors must be considered:

  1. Threat source motivation and capability: Is the threat source liable to be interested in the information asset? Can they make money or gain advantage from it? Do they have the ability to get at the asset? Is there known malware or social engineering techniques that may be able to get at the asset?
  2. Nature of the vulnerability: Is the vulnerability due to human nature? Is it a weakness in coding? Is it easily exercised or is it difficult to exercise? Is it presently being exploited in the wild?
  3. Existence and effectiveness of current controls: What security mechanisms are in place that could possibly prevent or detect exercise of the vulnerability? Have these controls been useful in stopping similar exploits in the past? Have other organizations demonstrated controls that have been effective in countering exercise of the vulnerability?

There is also a handy table for rating the likelihood of occurrence as high, medium or low:


Likelihood Level Likelihood Definition


The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.


The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.


The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.


Now let’s look at the other factor: impact. When judging the impact of the compromise of an information asset, we need to carefully consider a couple of factors:

  1. System and/or data criticality: What would happen if the information asset was illicitly modified? (Loss of integrity) What would happen if the information asset or system was not accessible or working? (Loss of availability) What would happen if the privacy of the information asset was compromised? (Loss of confidentiality) How much money per time period would the organization lose if the information asset was compromised?
  2. System and/or data sensitivity: Is the information asset proprietary to the organization? Is the information asset protected by government or industry regulation? Could compromise of the information asset lead to lawsuits? Could compromise of the information asset lead to loss of reputation or business share?

It should be noted that impact levels can be gauged in two ways: Quantitatively or qualitatively. Judging impact quantitatively means putting an actual dollar value on the successful compromise of an information asset. This type of impact analysis is very useful to business management, but is very difficult to accurately calculate in many cases. In my opinion, quantitative impact analysis works best when the complexity of the system is small. As complexity grows, so does the inaccuracy of the calculation.

Qualitative impact is easier to calculate, and is liable to be more useful when judging impact of complex systems or the enterprise as a whole. Qualitative impact ratings result in levels of impact such as high, medium or low, although I have seen impact level granularity of five or more levels. NIST has a handy table for judging the magnitude of a business impact:


Magnitude of Impact Impact Definition


Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.


Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury.


Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest.


I personally have employed these paradigms and definitions in performing risk assessments for a number of organizations of many types over the last two decades and have found them very useful in assigning both risk value and overall risk to organizations. They help me to be inclusive and clear in in my judgments while operating in a world of complexity and uncertainty.