Cybersecurity does not always have to be advanced or difficult. Take CVE-2024-38063 as an example: it became known just over a month ago and is a really nasty security hole in the Windows implementation of IPv6. It is a remote code execution (RCE) vulnerability that allows an attacker to execute arbitrary code on other systems.

This type of security hole reminds me of the motto that you should turn off functionality that is not used. If you are actively using IPv6, it is not a bad idea to continue using NAT. It is therefore important to at least have a firewall in front of the endpoints and only allow traffic that you know you need. That protects against quite a lot: if threat actors cannot access the machines, similar security holes become more difficult to exploit.

RCEs that can be exploited without human error or interaction make worms possible, i.e. malicious code that can jump from system to system. Microsoft had a patch out that fixed it before it was used in the wild (as far as we know). This is also why patching systems as soon as possible is important. It doesn't always require the most advanced security features and new products. Often, a lot can be done with what is available, and the minimum level can be raised through patching and segmentation. Therefore, it is important, for example, not to have end-of-life products in the environment that do not receive new security updates.

So some recommendations are to:

You don't have to do everything in one day. If you take small steps every day that increase security a little at a time, you are well on your way. If you increase security by 1% per day, you have increased it about 10 times from the starting point in a whole working year¹. This means that small, frequent steps are preferable to a single big boost! A common challenge is that customers set too big a scope when increasing their security, which sometimes results in the work becoming overly complex or the budget not being sufficient, and ultimately in it not being carried out. Grab that machine that may not have been patched for a while and do something small. Start with the low-hanging fruit! Common sense and a healthy paranoia will get you far!


I hope that someone can get some value out of what I write. I intend to write a little from time to time, when I have something, mainly in cybersecurity, to write about!


Rasmus Hammarborg
Architect Cyber Security Aranya AB

  1. Based on approximately 230 days in a working year