Pratum Blog

A new federal advisory warns users of four VMware products to take immediate action on vulnerabilities that allow hackers to execute remote code.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive ordering federal civilian executive branch agencies running the affected VMware products to update them immediately or remove them from their networks. Private organizations should assess their own risk with these products as well. CISA says users of the affected products should assume they have been compromised, disconnect the products from the network and begin threat-hunting activities.

VMware, a subsidiary of Dell, offers virtualization and cloud computing software.

The May 18 CISA advisory responds to observed or expected exploitation of vulnerabilities in these VMware products:

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation and vRealize Suite Lifecycle Manager

Attackers can use the four vulnerabilities to execute code remotely on a system without authentication, elevate privileges and obtain administrative access without authenticating. Attackers have already begun exploiting CVE-2022-22954 and CVE-2022-22960, and experts expect the other two to be exploited in the near future.

The links below provide details on the vulnerabilities and recommended mitigation steps:

While CISA’s emergency directive applies only to federal agencies, CISA Director Jen Easterly said, “We strongly urge every organization—large and small—to follow the federal government’s lead and take similar steps to safeguard their networks.”

Note that VMware released updates for CVE-2022-22954 and CVE-2022-22960 in April, but threat actors reverse-engineered the updates within 48 hours and began exploiting the vulnerabilities. Experts expect threat actors to do the same with the updates for CVE-2022-22972 and CVE-2022-22973.

For guidance on how these vulnerabilities may affect your system, contact Pratum today.


Tabletop exercises provide one of the most effective methods for testing your incident response (IR) plan, short of experiencing an actual breach.

Incident response planning in general has moved up the priority list for most organizations as weekly reports prove that no one is immune to cyberattack. But unless you test your incident response plan, you won’t really know if it covers all the right steps. A tabletop exercise throws your team into a simulated breach, which quickly helps everyone start recognizing the incident response plan as a real-world lifeline, not just a dusty policy statement. Most mature organizations conduct a tabletop exercise at least once a year, and some conduct several each year to cover various parts of the organization.

The guidelines below help you plan and carry out a tabletop exercise (also known as a TTX) that pays immediate dividends in finding places to improve your incident response plan and focusing your team’s attention on the potential challenges. (If you want to take a deep dive into tabletop exercise planning and don’t mind government-speak, review the CISA Tabletop Exercise Package.)

Write Clear Objectives and Outcomes

The exercise’s organizers should have a specific idea of how the tabletop fits into the overall strategy for testing your incident response plan. And since the incident response plan will drive the tabletop exercise, make sure that all participants have a copy of the incident response plan before the exercise. Let everyone know that they’re expected to review it prior to the exercise and to bring a copy to the meeting.

Invite the Right People

With a clear concept of your exercise’s purpose, you’ll know whom to have participate and what kind of scenario to use. The best tabletop exercises include representatives beyond the IT team. While your tech folks will be tasked with the immediate jobs of understanding and stopping a breach, key decisions require perspectives beyond the IT staff. For example, an operations representative should be there to explain the real-world ramifications if someone from IT always suggests “shut it down” as a solution to a breach. Representatives from the public relations and legal teams can help manage messaging and highlight legal traps to avoid. And, if you can get them to come, it’s best to have a member of the C-suite attend so they get a firsthand sense of the potential risks and what it will take to mitigate them. If you’ve identified a full Disaster Recovery team, inviting those people will probably check most of the above boxes.

Create Meaningful Scenarios

The scenario’s quality determines much of the success of the tabletop exercise. An experienced cybersecurity expert can help craft a scenario that reflects the latest real-world threats. They can pace the reveal of information to mimic how actual breaches develop. They can build in multiple attack vectors like the ones you’ll see in real life. The scenario should also bring in third-party concerns, such as clients calling to ask why your services aren’t working or issues that start cascading through your supply chain. The best scenarios typically take a key leader out of the equation by declaring them unreachable during the crisis. That prevents everyone from saying, “We’ll just call the boss, and she’ll know what to do.”

Take It Seriously, But Encourage Honesty

Managers should set the tone by treating the entire exercise with urgency. Don’t let participants short-circuit the process by skipping steps or brushing something off as unrealistic. Following the defined steps is all part of the exercise. This prepares you for the fact that, in some industries, you may not be able to file a cyber insurance claim for a real incident without showing a full root cause analysis (RCA) of the breach. So work the problem as described in the scenario and require everyone to be specific with their answers. But cultivate an atmosphere where people can admit it when they don’t know what to do. After all, you run these exercises to identify exactly those kinds of gaps.

Use an Outside Facilitator

You’ll usually get better results with an experienced third-party expert facilitating the process. They’ll work with the test’s leader to plan a strong scenario, and they’ll keep everyone on track during the actual exercise. They know how to ask the right questions and won’t be held up by internal politics. The facilitator also helps drive everyone to identify action items at the end.

Commit to Follow-Up Steps

Your session should include an immediate discussion about how the exercise went (what CISA calls a “hot wash”). Task someone (your facilitator often handles this step) to write down and assign specific to-do items from the meeting. Those often include updating portions of the incident response plan, getting more information about how your backup system works, etc. Set a deadline for completing the to-do list and/or holding a follow-up meeting to check progress.

Pratum’s consultants lead dozens of tabletop exercises every year for clients of all sizes. Contact us today to learn how we can help you get the most from your next exercise.

Best Practices for Information Security Risk Assessments

If you’re considering how to get the most value from your information security risk assessment—or whether you even need one—use these best practices shared by Pratum vCISO Ben Hall. Ben and the rest of the Pratum team conduct numerous information security risk assessments each year, giving them deep insight into how you can maximize this key part of your cybersecurity strategy.

Ben Hall, vCISO, Pratum


What’s the most common risk you see?


We always see issues with access controls, whether that be access to the network, access to applications or access to the facility. There is always some gap in control when it relates to giving an individual user access to those resources. A lot of times, we see organizations give administrator privileges to an end-user that may not be doing development activities. So not only can they make changes to their local workstation, but they can also make changes to an application or to something like customer data when it may not be necessary for their job role.


What’s another common challenge that comes up in assessments?


Change management comes up a lot as well. A lot of organizations think they have pretty robust change management controls in place, but we can typically identify that it’s not the case when we ask for selections. So if it’s firewall changes and you make changes every Wednesday, we’re going to ask if there are tickets to back that up. If you’re doing development changes where you’re going from one version to another, where’s the development process within that? How are you evaluating that the development change is actually good and will fit within the environment? Is there a quality assurance (QA) test?


Are there other policies or controls that you recommend everyone should have based on all the risk assessments you perform each year?


Incident response comes up now more than ever based on all the news we’re seeing, the ransomware events, the actions of malicious employees, etc. With all that going on, it’s crucial to be able to get your team together and properly respond to an incident.


What kinds of things tend to surprise IT leaders when they read the report from their IT risk assessment?


They almost always find something surprising in there. Most people tend to think their environment is more secure than it really is. And that’s the benefit of bringing in a third-party for the risk assessment. We can provide that objective view. We’re not intimate with those controls, so we can ask the questions of why they exist in the first place. So the risk posture they expect versus the reality comes up a lot, and it can make those meetings a little interesting.


You cast a wide net during a risk assessment by talking to people in a variety of departments. Why is it important to get all those perspectives within the organization?


Something that comes up often is a lot of shadow IT controls and applications that exist. You may be aware, for example, of what your Accounts Payable department is using to make sure all the statements are paid. But there may be additional things like cloud-sharing tools that you were unaware of and that the team tells the external auditor about. We also like to meet with the finance team and CFO or others in the C-suite to get that additional insight as to what’s existing today and what their expectations are for IT. It sheds a lot of light on what the CEO expects IT to do but has never told them about and that IT has never even considered.


How do you coach people to read through a risk assessment report and start deciding on next steps?


One thing we do with every report is identify the 5-10 items that we’d start with if it was our program. So we help you set that prioritization focusing on Implementation Level 1: This is what needs to take place, all the way through. We also provide a risk register that lists any additional opportunities for improvement discovered through the risk assessment. So that way you not only have that executive overview of these 10 things to do immediately, but you have that other comprehensive list of activities that can be incorporated throughout the year.


What trends have you been seeing in risk assessments this year?


The thing that surprises me the most is the lack of multifactor authentication across the board. You would think that with 2020 and that immediate shift to a remote workforce, everyone would have widely implemented some kind of MFA or 2FA by now. I’m surprised that it’s still a gap with a lot of organizations that still have pretty substantial applications open to the network. A lot of times you’ll see that maybe they have put in some kind of VPN, but even that still doesn’t have MFA or 2FA tied to it. This remote shift is going to stay a while, so if you don’t already have plans to implement MFA or 2FA, that would probably be my #1 thing to start working toward this year.


After an organization has done a risk assessment, when do they need to start thinking about another one?


Best practice is to do it at least annually. Even better practice is to have that annual risk assessment, but then have some kind of risk management committee. So not only are you evaluating those controls identified in the risk assessment and utilizing your risk register to manage a lot of that, but you’re also meeting on a quarterly or even monthly basis to look through what exists, adding new risks that have been identified throughout the year to that list and talking through a remediation plan. So you need that continuous evolution of quarterly processes reviewing that process in addition to the annual formalized risk assessment.


Can an organization realistically evaluate its own risk using its internal team?


You could, and we often encourage that. But if you look at it like going to a gym and hiring a trainer, you really benefit from getting an expert opinion on what kind of workout makes the most sense for you. That can tie into risk assessments, too. You want that external opinion from subject matter experts who do this on a daily basis and can truly assess your organization with that independent lens. As a control owner within that organization, you tend to be a little guarded as far as to what some of those activities could be. In comparison, an independent auditor or assessor can look at those processes objectively and point out potential flaws that exist in the remediation activity. Hard questions will be asked during a good risk assessment. But that said, it’s not a tough engagement. We’re there to help you get better. So it’s best to give us those open, honest answers. We’re here to help you get stronger and get better. There are no wrong answers in a risk assessment.

If you’d like to talk with a Pratum consultant about how to plan a risk assessment in your environment, contact us today.
