With the number of attacks on unpatched software increasing it is imperative that we patch all systems and applications in a timely manner. Best practice is to also immediately update or remove all components and software nearing or past their end-of-life. Where possible, enable automatic patching processes for all software and hardware devices that include authenticity and integrity validation. Leverage threat intelligence to identify active threats and ensure exposed systems and infrastructure are protected. Secure software assets through an asset management program that includes a product lifecycle process. CORSA members may be utilizing one very popular software platform - Cold Fusion. It is important to immediately check to see if your software is updated with all current patches and if the version you are using has past it's end-of-life it is immediately taken out of service. CISA (The U.S. Cybersecurity and Infrastructure Security Agency) has added a new vulnerability to its Known Exploited Vulnerabilities Catalog: CVE-2023-26360 Adobe ColdFusion Improper Access Control Vulnerability https://www.cisa.gov/news-events/alerts/2023/03/15/cisa-adds-one-known-explo... I am attaching a valuable resource published by CISA: Cybersecurity Best Practices for Smart Cities The guidance is applicable to Counties as well as Cities. CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog One final note, please pay extra attention around holidays as we have seen an increase in attacks near to and on holidays. Bad actors will use the holiday as their "hook". Here is some additional information: https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-243a James Hale, ARM-P, ARM-E, CPSI Risk Control Consultant County Risk Sharing Authority 209 East State Street Columbus, OH 43215 614.246.1630 FAX 614.220.0209 " The leader in providing Ohio Counties with exceptional value, service, and protection of assets." [cid:image001.png@01D98E46.E3E2B240] CONFIDENTIALITY NOTICE: This e-mail message (including any attachments) is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy this message and all attachments.
