Vulnerability Management, GRC, Cyber Risk Management

Examining the Follina and Confluence Vulnerabilities | SureCloud

Written by Hugh Raynor, published on 22 Nov 2022

Examining the Follina and Confluence Vulnerabilities: Risks, Remediation, and Vulnerability Management


No single piece of software is perfect, and vulnerabilities are common. But when you consider that the average cost of a data breach was over $4 million in 2021, it is of paramount importance to consider how your business prepares for and reacts to vulnerabilities with a robust software risk management plan.


Two high-profile vulnerabilities that recently made headlines were Follina, a Microsoft Office zero-day, and a bug in Atlassian’s Confluence Server and Data Center. Patches have been released for both, and it’s critical that organizations update their systems; otherwise, cybercriminals will continue to exploit the flaws. 


Have you updated yours? 


Let’s take a closer look at what Follina and Confluence are and how best to stay on top of vulnerability management.  



Follina Vulnerability 

Follina is a critical zero-day vulnerability that impacted all major versions of Windows, including Windows 11, Windows 10, Windows 8.1 and Windows 7. Follina allows hackers to run malware remotely on Windows without being identified by Windows Defender or any other security software. 


The exploit got the name Follina because the sample file references 0438, which is the area code of Follina, Italy. 


The attack was explicitly linked to the Microsoft Support Diagnostic Tool (MSDT), with hackers running PowerShell commands through MSDT when opening malicious Office documents. It targeted Word’s remote template feature to retrieve an HTML file from a remote web server and then used the MSDT protocol to load code and execute the PowerShell commands. 
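The first step in the chain described above, a Word document that points at a template on a remote web server, leaves a trace inside the .docx package itself. The following scanner is an added example (not code from SureCloud or the original post) that flags documents carrying an external http(s) attached-template relationship; the sample documents are constructed in memory and the hostname is a placeholder.

```python
# Added example: flag .docx files whose settings reference a remote template.
# The relationship type and namespace below are the real OOXML values; the
# sample documents and the template-host.example hostname are constructed.
import io
import xml.etree.ElementTree as ET
import zipfile

ATTACHED_TEMPLATE = "/relationships/attachedTemplate"
SETTINGS_RELS = "word/_rels/settings.xml.rels"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def remote_template_targets(docx_bytes):
    """Return every http(s) URL that the document's attached-template
    relationship points to. An empty list means no remote template."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits  # no settings relationships, so no template link
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(RELS_NS + "Relationship"):
            target = rel.get("Target", "")
            if (rel.get("Type", "").endswith(ATTACHED_TEMPLATE)
                    and rel.get("TargetMode") == "External"
                    and target.lower().startswith(("http://", "https://"))):
                hits.append(target)
    return hits


def build_sample_docx(template_url=None):
    """Construct a minimal (constructed, not real-world) .docx in memory,
    optionally with an external attached-template relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if template_url:
            z.writestr(SETTINGS_RELS,
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006'
                f'/relationships/attachedTemplate" Target="{template_url}" TargetMode="External"/>'
                '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    print(remote_template_targets(build_sample_docx()))  # []
    print(remote_template_targets(
        build_sample_docx("http://template-host.example/rt.html")))
```

A hit is not proof of malice (remote templates are a legitimate feature), but it is the indicator worth triaging in mail-gateway or endpoint scanning of inbound Office documents.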



Confluence Vulnerability 

Atlassian recently disclosed a critical vulnerability affecting its Confluence Server and Data Center that enabled an unauthenticated attacker to execute arbitrary code on an affected instance. The vulnerability existed in an app, Questions for Confluence, which, when enabled on a Confluence Server or Data Center, created a user account with a hardcoded password; the account was intended to migrate data from the app to the cloud. The password was published on social media, allowing attackers to log in remotely and access sensitive data.


If you’re self-hosting Atlassian Confluence, you must get the patch deployed as quickly as possible.



Take a collective approach to vulnerability management

Follina and Confluence have highlighted a lack of visibility within organizations regarding cybersecurity policies and processes, which is a common issue. Take vulnerability management, for example. The fewer people involved in this process, the greater the risk, as it leaves you with limited knowledge of any potential threats.


Agreeing on a collective approach to vulnerability management is critical to business-as-usual activities. 


This is especially true when you consider that many issues arise as a result of employees independently adopting certain types of software in an attempt to make their job easier, without much thought for security. It’s important to take a risk-based approach to vulnerability management and use simple techniques, such as scanning the right assets regularly to identify potential threats or gaps in your security. This includes applications that aren’t routinely used but still form part of your operations. 


Establishing a clear vulnerability management plan, or software risk management plan, that onboards all team members can help identify threats that are not straightforward to fix. This will help ensure that these threats are addressed as early as possible. The top three key things to consider are: 


  • Assess all systems – When it comes to conducting threat assessments, don’t just look at systems that are in everyday use. Consider all platforms deemed critical to your business, even those that aren’t used regularly.


  • Vulnerability scanning – Utilize scanning to observe and manage the entire vulnerability lifecycle. This will not only identify potential threats within your network but also reduce the risk of exposure.


  • Think outside the box – It’s important to remember that the threat landscape is constantly evolving. As a result, you must protect yourself and your organization against techniques that are outside the norm, such as SMiShing, which is on the rise. 



What is SMiShing? 

In recent years, there has been a sharp rise in the number of SMiShing, or SMS phishing, attacks. What looks like an innocent text message from a reputable company can, in fact, be far more sinister. In 2020 alone, the FBI estimated that this new form of cyberattack cost US citizens over $50 million.


Hackers send SMS messages that appear to be a demand for late payment, encouraging people to click a link and submit secure information to avoid further action. What has actually happened is that an individual has unwittingly downloaded malware or shared sensitive details with cybercriminals, which can then be used to exploit the organization.


Unfortunately, it’s becoming increasingly difficult to distinguish a real SMS from a SMiShing message. As technology becomes more sophisticated, so do hackers’ techniques; yet, the average human remains easy to fool. Just because a message says it’s from Amazon, how do we know it actually is? For this reason, many businesses are turning to applications such as ‘Android for Business’, which ensures all sensitive data is sandboxed from external users. 


At SureCloud, we provide sophisticated social engineering tests to illuminate where vulnerabilities like SMiShing might exist. Take a look at our Social Engineering & Phishing Simulation Services for more information.



To learn more about the latest cyber threats to your organization and what you can do about them, check out this episode from our Capability-Centric GRC & Cyber Security podcast.



Or, for information on developing a software risk management plan, get in touch with our experts using the form below.