Jetpack fixes 8-year-old flaw affecting millions of WordPress sites

October 18, 2024 at 06:34PM

A critical security update for the Jetpack WordPress plugin has been released due to a vulnerability that could expose user data. Site administrators are advised to ensure the latest version is installed. Meanwhile, the EU has implemented new reporting rules for cybersecurity incidents, and a free DNS service for UK schools is being extended.

### Meeting Notes Takeaways

1. **Jetpack Security Update**:
– A critical security update for the Jetpack WordPress plugin has been released.
– Site administrators must confirm they are running a patched version.
– The update fixes a vulnerability in the Contact Form feature that has been present since version 3.9.9 (2016) and could allow a logged-in user on a site to read forms submitted by visitors.
– There is no evidence of the vulnerability having been exploited yet, but administrators should treat the update as urgent.

2. **Veeam Backup Vulnerability**:
– A critical vulnerability (CVE-2024-40711) in Veeam Backup & Replication allows unauthenticated remote code execution and carries a CVSS score of 9.8.
– Users should update to the latest version immediately.
– Other high-CVSS vulnerabilities were also patched this week.

3. **New EU Cyber Incident Reporting Rules**:
– The EU has finalized rules under NIS2 requiring covered critical infrastructure operators to give an early warning of significant cyber incidents within 24 hours of becoming aware of them.
– Non-compliance may lead to fines of up to €10 million or 2% of global annual turnover, whichever is higher.
– The aim is to improve incident reporting and consolidate threat intelligence across critical firms.

4. **CISA’s Call for Feedback on Security Practices**:
– CISA and the FBI are soliciting public input on a document detailing bad product security practices.
– The recommendations apply broadly, not just to critical infrastructure software manufacturers.
– Feedback will be accepted until December 2, 2024.

5. **Free Cybersecurity Service for UK Schools**:
– The UK National Cyber Security Centre is expanding its protective DNS service to a wider range of educational institutions.
– The free service blocks DNS resolution of known malicious domains, so devices on school networks cannot reach malware and phishing infrastructure.

6. **Accelerated Cybercriminal Exploitation**:
– Research shows the average time between disclosure of a vulnerability and its exploitation in the wild fell from 32 days in 2022 to just 5 days in 2023.
– The share of exploited vulnerabilities that were zero-days (exploited before a patch was available) also rose, underscoring the urgency of timely patching.

### Action Items:
– Jetpack users should check the installed plugin version on every site they operate and update any that are not current.
– Veeam users must install the critical update immediately.
– Critical infrastructure companies in the EU need to prepare for the 24-hour reporting requirement.
– Software manufacturers and others interested in CISA's document should submit feedback before the December 2, 2024 deadline.
– Educational institutions in the UK should sign up for the free protective DNS service.
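The first action item is easy to state and tedious to do by hand across a fleet. The script below is an added example, not from the article or the Jetpack project: it reads the `Version:` line of each site's Jetpack main plugin file (assumed to be at the standard path `wp-content/plugins/jetpack/jetpack.php`) and compares it numerically against a patched version number you supply from the advisory for your release branch (the `PATCHED` value and the two sample site roots below are constructed placeholders). Numeric comparison matters because a string comparison would rank 13.10 below 13.9.

```shell
#!/bin/sh
# Added example: flag WordPress docroots whose Jetpack is older than a given version.
# Assumes the standard plugin layout wp-content/plugins/jetpack/jetpack.php.

# Print the "Version:" value from a WordPress plugin main-file header.
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Compare dotted versions component by component; prints -1, 0 or 1 for a<b, a==b, a>b.
# Missing trailing components count as 0, so 13.9 == 13.9.0 and 13.10 > 13.9.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# Return 0 when the site at $1 needs the update (Jetpack older than $2),
# 1 when it is current, 2 when Jetpack is absent or its header is unreadable.
jetpack_needs_update() {
    f="$1/wp-content/plugins/jetpack/jetpack.php"
    [ -r "$f" ] || return 2
    v=$(plugin_version "$f")
    [ -n "$v" ] || return 2
    [ "$(vercmp "$v" "$2")" = -1 ]
}

# Constructed sample fleet so the script runs stand-alone: two fake docroots with
# different Jetpack header versions. Point the loop at real docroots in use.
DEMO=$(mktemp -d)
for pair in "siteA:13.9.0" "siteB:13.9.2"; do
    site=${pair%%:*}; ver=${pair##*:}
    mkdir -p "$DEMO/$site/wp-content/plugins/jetpack"
    printf '<?php\n/**\n * Plugin Name: Jetpack\n * Version: %s\n */\n' "$ver" \
        > "$DEMO/$site/wp-content/plugins/jetpack/jetpack.php"
done

PATCHED="13.9.1"   # assumption: substitute the patched version from the advisory for your branch
for site in "$DEMO"/*; do
    rc=0
    jetpack_needs_update "$site" "$PATCHED" || rc=$?
    case $rc in
        0) echo "$site: Jetpack $(plugin_version "$site/wp-content/plugins/jetpack/jetpack.php") < $PATCHED, update it (e.g. wp --path=$site plugin update jetpack)" ;;
        1) echo "$site: Jetpack is current" ;;
        *) echo "$site: no readable Jetpack header, check manually" ;;
    esac
done
rm -rf "$DEMO"
```

Run it from a host that has read access to every docroot; the `wp plugin update jetpack` hint in the output is the WP-CLI command an administrator would then run per site.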
