Bad News for Barracuda, but What’s the Larger Lesson?
6–12–2023 (Monday)
Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and the management teams of their portfolio companies.
I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io
Today is Monday, June 12th, and last week I said it felt like we were heading into a busy stretch - and I was right. That busy stretch is here, so let’s dig right in.
Bad News for Barracuda, but What’s the Larger Lesson?
The most talked about piece of security news from last week had to do with a new attack technique against an Email Security Gateway made by Barracuda. It’s not just that it’s a novel attack - though it is a new zero-day vulnerability - but rather the remediation action that Barracuda recommends.
That recommendation? “full replacement of the impacted Email Security Gateway” - that’s right. This vulnerability is so bad or difficult to fix, that the solution is to scrap that machine entirely and move to another solution. Security firm Mandiant has disclosed that they’ve seen indications of exploitation of this vulnerability stretching back as far as October 2022.
While Barracuda has issued a couple of patches for this fix, the idea that a device in your security stack - or, frankly, anywhere in your IT stack - is suddenly unavailable (for whatever reason) puts a new focus on our need to shift these security conversations from goals around being compliant or being secure to becoming more resilient.
We need to ask ourselves if we’re making choices that give us more flexibility or less. Being resilient doesn’t mean that you won’t take a hit - it’s that you’ve got the capacity (in whatever way) to absorb the hit, respond and recover at a cost that doesn’t become an existential threat to the organization.
Attackers are going to continue to push the envelope in terms of their actions, and we need to be working on the business side to improve our own capabilities.
Last week, as you may recall, we saw the breach of the MOVEit file transfer appliance to propagate ransomware. We’re learning about more victims in the time since the announcement, including a string of “fourth party” impacts - where a payroll provider who used the MOVEit appliance then impacted their clients in the UK. But, we’re also seeing more patches being released by this vendor - because additional attackers are now putting more energy into finding additional vulnerabilities.
This is so often the nature of things, too, whether it’s a novel exploitation technique that’s applied to different systems, or an exposed system that is then explored for novel exposure methods. It should serve as a good reminder that in the same way that the attacks are not “one and done,” neither are the solutions. Barracuda has released multiple patches for their impacted appliance, but still can’t resolve the issue.
Canadian firewall provider Fortinet is once again facing disclosure of new zero-day vulnerabilities impacting their VPN solution that can be exploited even if multi-factor authentication is enabled.
While it may seem like a never ending fight to secure our systems and our businesses against these attacks, we need to think about it much more in terms of the way we view fitness - in two ways. First of all, fitness enables us to enjoy a quality of life that supports the rest of the things we do. Second, fitness takes more than just working out - it includes things like diet, stress management, mental health, sleep and recovery, etc.
Security and resilience is much the same. It should be seen as something that enables our business to continue to grow and succeed, takes a multi-disciplinary approach, and looks a lot more like a journey than a destination.
If conversations in your organization aren’t aligned with this approach, now is the best time to start changing them.
Fundraising
From a fundraising perspective, a slight uptick from last week, totaling just over $13B, including some new large buyout funds by Archimed and The Jordan Company, and a $7.3B direct lending fund from HPS Investment partners.
Should be over $200B for Q2 as we look at the last couple of weeks ahead.
You can find all the links to the stories we covered in the section below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.
Links
https://www.securityweek.com/barracuda-urges-customers-to-replace-hacked-email-security-appliances/