< ciso
brief />
Tag Banner

All news with #patch management tag

105 articles · page 4 of 6

OpenEoX and BOD 26-02: Standardizing EOS Management

🔒 CISA warns that unsupported edge hardware and software pose systemic risks and highlights Binding Operational Directive BOD 26-02 as a federal step to identify, replace, and patch end-of-support (EOS) devices. The article introduces OpenEoX, an OASIS OPEN, machine-readable JSON standard that standardizes product lifecycle information and integrates with SBOMs and CSAF. By enabling producers to publish EOS milestones and consumers to automate lifecycle tracking, OpenEoX aims to reduce exposure and streamline vulnerability management. The piece urges rapid, communitywide adoption to close doors on threat actors exploiting outdated products.
read more →

CVE Volumes Surge: CISOs Must Prioritize Signal Effectively

🔍 A new forecast from FIRST projects a median of roughly 59,000 CVEs in 2026 and warns that under extreme scenarios the count could approach 118,000, up from about 48,000 in 2025. Experts stress this growth reflects improved discovery and disclosure — more CNAs, bug bounties, and scrutiny of long-neglected code — rather than a sudden rise in attacker capability. Historically, only a small fraction of published CVEs are weaponized: recent data shows fewer than 3,000 had public proof-of-concept exploits and only about 700 showed evidence of exploitation in the wild. The primary challenge for CISOs is separating signal from noise through prioritization, automation, and capacity planning rather than trying to patch every disclosed flaw.
read more →

CISA Orders Removal of Unsupported Edge Devices Nationwide

🔒 CISA ordered federal agencies to remove edge devices that no longer receive vendor security updates and to strengthen lifecycle management within 12–18 months. Directive 26-02 requires agencies to catalog devices, update supported software immediately, report end-of-support items in three months, and decommission listed devices in 12 months and others in 18 months. CISA published an end-of-support edge device list and highlighted routers, firewalls, load balancers, wireless access points and IoT edge gear as high-risk targets for exploitation.
read more →

CISA directs removal of unsupported federal edge devices

🔒 CISA has ordered Federal Civilian Executive Branch agencies to inventory, update where possible, and remove all end-of-support edge devices—firewalls, routers, VPN gateways, load balancers, and other network security appliances—within an 18-month timeline. Agencies must report inventories within three months and begin removals within 12 months. CISA warned unsupported devices represent a substantial and constant threat and urged private sector adoption of similar measures.
read more →

CISA Orders Federal Agencies to Replace EOL Edge Devices

⚠️ CISA has issued BOD 26-02 requiring U.S. federal agencies to identify and remove end-of-life (EOL) network edge devices such as routers, firewalls, and switches that no longer receive security updates. Agencies must inventory devices on CISA's end-of-support list within three months, decommission pre-directive EOL devices within 12 months, and replace all identified EOL edge equipment within 18 months. The directive also requires agencies to implement continuous discovery processes within 24 months and encourages non-federal organizations to follow CISA's guidance to mitigate exploitation risks.
read more →

Reducing Attack Surface from End-of-Support Edge Devices

🔒 This fact sheet from CISA, the FBI, and the U.K. NCSC urges organizations to mitigate risks posed by end-of-support (EOS) edge devices such as firewalls, routers, load balancers, and VPN gateways. It highlights BOD 26-02 for U.S. federal agencies and recommends maintaining asset inventories, replacing EOS hardware, and applying timely updates and patches to reduce exposure to nation-state threat actors.
read more →

FBI Launches Winter SHIELD to Strengthen Cyber Defenses

🔐 The FBI has launched Operation Winter SHIELD, a ten-week campaign outlining ten concrete actions organisations should adopt to improve cyber resilience across IT and OT environments. Developed with domestic and international partners and informed by recent investigations, the initiative connects observed adversary behaviour to practical defenses such as phish-resistant authentication, immutable offline backups, vulnerability management and reduced administrator privileges. Aligned with the US National Cyber Strategy and the FBI Cyber Strategy, the effort aims to harden critical infrastructure and reduce the attack surface.
read more →

CISA Adds Gogs Path Traversal to KEV Catalog - Remediate

⚠️ CISA added CVE-2025-8110 to its Known Exploited Vulnerabilities (KEV) Catalog for a Gogs path traversal vulnerability after evidence of active exploitation. The advisory cites BOD 22-01 requirements for Federal Civilian Executive Branch agencies to remediate cataloged KEV entries by the due date. CISA strongly urges all organizations to prioritize timely patching to reduce exposure. CISA will continue to add vulnerabilities that meet the specified criteria.
read more →

CISA Retires 10 Emergency Cybersecurity Directives

🔒 CISA has retired 10 Emergency Directives issued between 2019 and 2024 that were intended to protect Federal Civilian Executive Branch (FCEB) agencies from high-risk vulnerabilities. The directives covered DNS tampering, multiple Windows Patch Tuesday flaws, SolarWinds, Microsoft Exchange, Pulse Connect Secure, Print Spooler, VMware, and a nation-state compromise of Microsoft corporate email. CISA said the required actions were completed or are now enforced through BOD 22-01, and emphasized continued advancement of Secure by Design principles across federal systems.
read more →

CISA Retires Ten Emergency Cyber Directives at Once

🛡️ CISA has retired ten Emergency Directives issued between 2019 and 2024, stating the required mitigations have been completed or are now encompassed by BOD 22-01. The agency said this is the largest single closure of Emergency Directives to date. The action moves responsibility for ongoing remediation to the Known Exploited Vulnerabilities (KEV) catalog and its mandated federal patching timelines. CISA retains authority to require accelerated fixes for high-risk flaws, as in a recent one-day order for exploited Cisco CVEs.
read more →

Integrating Cyber Hygiene into Everyday Personal Habits

🔒 Cyber hygiene is presented as an essential, routine set of practices to reduce digital risk and protect personal data. The article gives targeted, practical advice for three audiences: beginners (use a password manager, create long random passwords and enable MFA), intermediate users (prioritize patch management, remove unused extensions, secure home routers and IoT, and use VPNs), and cybersecurity professionals (model good behavior and build a security-aware culture). Small, regular actions can greatly reduce exposure and improve resilience.
read more →

SecAlerts: Faster, Smarter Vulnerability Tracking Platform

🔔 SecAlerts provides a streamlined, cloud-native vulnerability notification service that maps new advisories directly to the software you run, avoiding intrusive scans or local installs. Using near-real-time sources rather than relying solely on the NVD, it reduces alert noise through configurable Stacks, Channels, and Alerts, so teams only receive actionable notifications. The platform includes a searchable Feed, visualised severity metrics, per-client properties for MSSPs, an API for integrations, and audit-ready reporting to accelerate remediation.
read more →

Webinar: Safely Patching Systems Using Community Tools

🔒 Community-driven package managers like Chocolatey and Winget speed deployments but can introduce supply-chain risks when packages are added or updated without rigorous vetting. Gene Moody, Field CTO at Action1, will lead a free webinar that tests these tools in practice, highlights common weak points, and demonstrates pragmatic safeguards such as source pinning, allow-lists, and hash/signature verification. The session focuses on actionable steps to help teams prioritize updates using known-exploited vulnerability data (KEV) and to choose whether to rely on community repos, vendor sources, or a hybrid approach while maintaining operational velocity.
read more →

What Keeps CISOs Awake - Zurich's Approach to Resilience

😴 At the Global Cyber Conference 2025 in Zurich, CISOs openly confronted a profession-wide exhaustion tied to escalating cyber risk. Tim Brown distilled the anxiety into five core threats: shrinking exploit windows, persistent adversaries, third-party risk, an AI arms race, and staff burnout. The Swiss Cyber Institute's vendor-free format created a trust-based forum where peers share IOCs, run joint table-tops and adopt risk-based patching and UEBA to speed response and restore resilience.
read more →

SCCM and WSUS in Hybrid Environments: Adopt Cloud Patching

☁️ Legacy Windows patching tools like SCCM and WSUS are struggling to meet the needs of distributed workforces because they depend on LAN or VPN check‑ins. The piece highlights WSUS deprecation and frequent synchronization, database, and re‑indexing failures that stall remediation. Cloud‑native, SaaS patch management (for example, Action1) allows endpoints to check in securely over the internet, use global delivery networks, and deliver faster, more consistent compliance without on‑prem infrastructure.
read more →

Microsoft to Remove WINS Support After Windows Server 2025

⚠️ Microsoft announced that WINS support will be removed from Windows Server releases after Windows Server 2025, with standard support for that final LTSC build continuing through November 2034. The legacy NetBIOS name registration and resolution service was deprecated in Windows Server 2022. Microsoft said WINS components, management snap-ins and automation APIs will be removed, and urged administrators to audit dependencies and migrate to DNS-based solutions to avoid disruptions.
read more →

AWS Organizations adds upgrade rollout policy for RDS

🔔 AWS Organizations now supports an upgrade rollout policy for Amazon Aurora and Amazon RDS, enabling staggered automatic minor version upgrades across accounts and resources. Administrators can define simple sequences (first, second, last) via account-level policies or resource tags so upgrades begin in development and progress to production only after validation. AWS Health notifications between phases, built-in validation periods, and the ability to pause progression provide control and observability. The feature is available in all commercial Regions and AWS GovCloud (US); RDS for Oracle support applies to engine versions released after January 2026.
read more →

Turn Windows 11 Migration into a Security Opportunity

🔒 Organizations should treat the Windows 11 migration as a strategic security opportunity rather than a routine OS update. While some users resist moving from Windows 10 or explore alternatives like Linux or legacy releases, those choices can introduce operational headaches and security gaps, especially as Microsoft phases out support. Use the transition to validate backups, recovery objectives, and patch posture to reduce exposure to unpatched vulnerabilities that increasingly target MSPs and their clients.
read more →

AWS launches Supplementary Packages for Amazon Linux

📦 AWS announced the general availability of Supplementary Packages for Amazon Linux (SPAL), a curated repository offering thousands of pre-built EPEL9-compatible packages for Amazon Linux 2023 (AL2023). SPAL reduces the need to compile software from source, accelerating deployments and lowering operational overhead for developers, system administrators, and DevOps teams. Packages are derived from community EPEL9 sources with AWS applying security patches as they become available upstream. SPAL is available across all AWS Commercial Regions, including GovCloud and China.
read more →

Amazon RDS for PostgreSQL: New Minor Versions Available

🐘 Amazon RDS for PostgreSQL now supports minor versions 17.7, 16.11, 15.15, 14.20, and 13.23; AWS recommends upgrading to address known security vulnerabilities and receive community bug fixes. The release adds the pgcollection extension for RDS PostgreSQL 15.15 and above (including 16.11 and 17.7), providing an ordered, efficient key-value collection type usable inside PostgreSQL functions to speed in-memory data processing. Extension updates include pg_tle 1.5.2 and H3_PG 4.2.3, and operators can use automatic minor version upgrades or Blue/Green deployments to minimize disruption during upgrades.
read more →