[WEBINAR] Financial Aid Staffing Shortages: Actionable Tips to Enhance Office Efficiency While Short-Staffed

There is an unfortunate and pervasive issue facing Aid Offices today: Staffing shortages.

In a recent NASFAA article, more than ¾ of survey respondents said “they are concerned about their ability to be administratively capable and more than half are concerned about their ability to adequately serve students, as staffing has generally decreased while the amount of aid disbursed has increased.”

Please join us for a complimentary webinar on Wednesday, June 22nd at 2pm ET as Ferrilli Financial Aid Consultants Amy Christen and Susan Kannenwischer share actionable tips to enhance aid office efficiency while short-staffed.

Amy and Susan have stood in your shoes and understand the unique challenges Aid Offices around the country face, especially in today’s tumultuous times. They will cover a variety of highly relevant topics, including:

  • Legacy system optimization
  • Process documentation best practices
  • Staff training and development
  • Audits/program reviews
  • Reporting (FISAP/IPEDS)
  • Student service tips
  • More

Please click here to register.

We look forward to seeing you there!

See you at Slate Summit 2022!

We’re excited to be attending the Technolutions Slate Summit in Nashville from June 16-17, 2022!

As a Slate Gold Preferred Partner, we empower admissions teams to get the most out of Slate.

Connect with Ferrilli’s Ashleigh Mayer, Kelly Sinacola, Dixie McNally, Joshua Flick, Bethann Corey, and Joshua Weiler at the summit to find out how.

We look forward to seeing you there!

See You At CCA 2022!

We’re excited to be attending the 29th annual Community Colleges of Appalachia Conference this Sunday, June 5th, through June 7th, in Asheville, NC!

Connect with Ferrilli’s Robert Ferrilli, Marcia A. Daniel and Ashleigh Mayer during the event to learn about our tireless commitment to enhancing institutional effectiveness and enriching the student experience both in the region and across the country.  

We look forward to seeing you there!

Connect with Ferrilli at ACCTC 2022!

Attending the Arizona Community Colleges Technical Conference at Yavapai College, June 1-2, 2022?

Be sure to connect with us throughout the event. Ferrilli is committed to providing the services Arizona Community Colleges need to streamline operations, reduce costs and position students for success.

We look forward to seeing you there!

ACCT Quarterly Article: Diminishing the Cyber Threat

Check out Ferrilli Chief Client Officer Marcia A. Daniel’s latest article in the ACCT Trustee Quarterly: Diminishing the Cyber Threat: A conversation with cybersecurity legal expert Allen Sattler reveals key steps colleges must take to minimize the impact of breaches.

Thank you to Allen Sattler, Partner and Vice Chair of Data Privacy & Cybersecurity at Lewis Brisbois Bisgaard & Smith LLP, for contributing his knowledge and expertise to this timely piece on the steps colleges must take to minimize the impact of cyber attacks.

At Ferrilli, security is never secondary. If your institution has fallen victim to a cyber attack, please click here to receive 100 hours of complimentary security services.

SEE YOU AT UBUG 2022!

UBUG 2022 attendees, make sure to stop by and see us during the conference on Friday, May 13th at Utah State University!

We’ll be standing by to address all your Banner-related questions. As an Ellucian Platinum Services Partner we have the knowledge and expertise to help your institution maximize its Ellucian Banner investment.

You can also check out our breakout session at 11am MT in Room 311, ‘A Cloud 360 Approach: Meeting the Demands of a Digital-First Era’ with Ferrilli Senior Vice President Carol Thomas.

We look forward to seeing you there!

Connect with Ferrilli at the MEEC Member Conference and Vendor Showcase

We’re excited to be appearing at the Maryland Education Enterprise Consortium (MEEC) Member Conference and Vendor Showcase on Wednesday, April 27, at Martin’s West!

Stop by Booth 38 to learn how Ferrilli, as an official MEEC IT professional consulting services vendor, is uniquely positioned to help your institution maximize its technology investment.

We will also be hosting a live session during the conference:

Cloud 360: Addressing the Demands of Cloud Service Delivery
Session Time: 1:30 – 2:20 pm ET
Session Location: Camelia

We look forward to connecting with you!

CONNECT WITH US AT THE SALESFORCE.ORG EDUCATION SUMMIT 2022

We’re excited to be a sponsor at the Salesforce.org Education Summit 2022, starting April 20th!

As a Salesforce Consulting Partner, we are here to help institutions grow enrollment, improve retention, support fundraising and advancement, and foster productive relationships with constituents both on and off campus.

Click here to access the virtual conference and connect with us.

Ferrilli Security Alert: Patch recent vulnerabilities from Google and Microsoft

By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant

We’re alerting our higher education community to act quickly and patch the latest vulnerabilities from Google and Microsoft:

  • Google Chrome: An exploit for CVE-2022-1364 exists and it is strongly recommended that everyone install the latest Google Chrome update (100.0.4896.127) as soon as possible.
  • Microsoft RDP: Critical Windows RPC CVE-2022-26809 flaw raises concerns due to its potential for widespread, significant cyberattacks. Therefore, all organizations need to apply Windows security updates as soon as possible.

Note: While our focus is on getting the academic systems updated, please remind your faculty, staff, and students to patch their personal devices.

More info about the vulnerabilities: 

Google Chrome

  • Google officials did not release many details about the flaw, saying that information and links about the bug are being restricted until most users are updated. The emergency updates the company issued this week impacted almost 3 billion users of its Chrome browser as well as those using other Chromium-based browsers, such as Microsoft Edge, Brave and Vivaldi. They will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but have not yet fixed. The vulnerability is a so-called “confusion” weakness in Chrome’s V8 JavaScript engine. This type of flaw often leads to browser crashes, but the high severity label for this specific vulnerability suggests that it could be the rarer kind that allows attackers to execute damaging code depending on the privileges associated with the application. An attacker could view, change, or delete data, according to the Center for Internet Security.

Microsoft RDP: CVSS:3.1 9.8 / 8.5

  • Microsoft fixed this vulnerability as part of the April 2022 Patch Tuesday updates and rated it as ‘Critical,’ as it allows unauthorized remote code execution through a bug in the Microsoft Remote Procedure Call (RPC) communication protocol (TCP 445 and 135). If exploited, any commands will be executed at the same privilege level as the RPC server, which in many cases has elevated or SYSTEM-level permissions, providing full administrative access to the exploited device. Security researchers believe the bug has the potential to be exploited in widespread attacks, like what we saw with the 2003 Blaster worm and the 2017 WannaCry attacks utilizing the EternalBlue vulnerability. Currently there are over 1.3 million devices exposing port 445 to the Internet, offering a massive pool of targets to exploit. It is important to stress that institutions should apply the patch because the bug can surface in several configurations of both client and server RPC services. This vulnerability is ideal for spreading laterally in a network, and security experts believe we will surely see it used by ransomware gangs in the future.

What Version of Google Chrome Should You Be On?
The latest fix will bring Chrome to version 100.0.4896.127 across Windows, Linux, and Mac platforms. Remind your users to close their browsers so the Chrome updates will be applied in the coming days and weeks, as Chrome automatically installs the latest patch when the browser is closed and relaunched.
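A simple way to turn the version number above into a fleet check is to compare each host's reported Chrome build against the fixed build numerically. The script below is an added example, not code from the Ferrilli alert; the fixed version 100.0.4896.127 is the one the alert names, while the host inventory is constructed sample data. It also shows why the comparison must be numeric rather than on the raw strings: as text, "100.0.4896.127" sorts before "99.0.4844.84".

```python
"""Fleet check: which hosts still run a Chrome build older than the fixed release?

Added example, not part of the Ferrilli alert. FIXED_CHROME is the version
named in the alert; SAMPLE_INVENTORY is constructed.
"""
from typing import Iterable, List, Tuple

FIXED_CHROME = "100.0.4896.127"  # from the alert


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '100.0.4896.127' into (100, 0, 4896, 127) so comparison is numeric.

    Comparing the raw strings is wrong: '100.0.4896.127' < '99.0.4844.84'
    lexicographically because the character '1' sorts before '9'.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def needs_update(installed: str, fixed: str = FIXED_CHROME) -> bool:
    """True when the installed build is older than the fixed build."""
    a, b = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple with zeros so '100.0' compares as 100.0.0.0.
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


# Constructed inventory: (hostname, Chrome version reported by the endpoint agent)
SAMPLE_INVENTORY = [
    ("lab-pc-01", "100.0.4896.127"),   # exactly the fixed build
    ("lab-pc-02", "99.0.4844.84"),     # older major version
    ("faculty-07", "100.0.4896.88"),   # same major, older patch level
    ("reg-desk-03", "101.0.4951.41"),  # newer than the fix
]


def hosts_needing_update(inventory: Iterable[Tuple[str, str]],
                         fixed: str = FIXED_CHROME) -> List[str]:
    """Sorted hostnames whose Chrome build predates the fixed build."""
    return sorted(host for host, ver in inventory if needs_update(ver, fixed))


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print("UPDATE REQUIRED:", host)
```

Feed `hosts_needing_update` the version list your endpoint management tool exports and the result is the set of machines to chase; hosts whose browser has downloaded the update but not relaunched will still report the old build, which is exactly the case the reminder above is about.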

If you have any questions or need assistance, please click here.

Stop by Booth 501 at Ellucian Live 2022 and take your shot at $50k

We’re going for the green at Ellucian Live 2022!

Stop by Booth 501 on Sunday, April 10th – Tuesday, April 12th, to play Ferrilli’s $50,000, hole-in-one challenge!

We’ll also be raffling off a once-in-a-lifetime trip to the beautiful Pebble Beach Resorts, located between picturesque Monterey and Carmel, California.

Our team of talented higher education technology experts will be there to cheer you on … and, of course, answer any questions you have about optimizing your institution’s Ellucian technology.

You do not want to miss this! Just look for the massive, state-of-the-art golf simulator and come over to take your shot!

Ferrilli Live Sessions at eLive 2022!

We’re excited to be presenting three live sessions at Ellucian Live 2022:

Solution Showcase Demo: Ferrilli’s Automated Degree & Certificate Evaluator for Colleague

Monday, April 11th – 2:30 PM – 2:45 PM (MDT)

Lead Presenter: Kelly Sinacola, Executive Vice President, Ferrilli

Go Serverless and Take Off to the Cloud with Ferrilli, Ellucian, and AWS

Tuesday, April 12 – 3:45 – 4:30 PM (MDT)

Lead Presenter: Robert Ferrilli, CEO, Ferrilli

Rethinking Student Affairs Roles: Dynamic Technology and Student Populations

Wednesday, April 13 – 9:00 – 9:45 AM (MDT)

Lead Presenter: Kathryn Starkey, Associate Dean of Adult Learning, Colorado State University Pueblo

Co-Presenters: Linda Bloom, Senior Consultant, Ferrilli & Carol Larson, Registrar, Colorado State University Pueblo

Ferrilli Security Alert: Russian Cyber Activity Updates & Preparation Advice

We’re following up from our Russian Cyber Activity webinar earlier this month to provide our higher education community with the latest updates and advice on the Russian cyber threat:

The U.S. Government has called the current moment “critical” in working towards enhancing its cybersecurity defenses and believes the threat of cyberattack from Russia is looming against the United States.

Government officials stated this reinforces the urgent need for all organizations, large and small, and even individuals to act now to protect themselves against malicious cyber activity.

The following information can help you be prepared:

Report anomalous cyber activity and/or cyber incidents as soon as possible!

The CISA is working closely with federal and industry partners to monitor the threat environment 24/7 and they stand ready to help organizations respond to and recover from cyberattacks.

Visit CISA.gov/Shields-Up for information on how to protect your network(s) and how to report anomalous cyber activity and/or incidents. When cyber activity/incidents are reported quickly, it can contribute to stopping further attacks.

  • report@cisa.gov
  • (888) 282-0870, or
  • Your FBI Field Office or CISA Regional Office

What Can Be Done?

  • Treat people as your first line of defense – Educate your employees on common tactics (email and websites) and how to report suspicious activity and investigate their reports promptly and thoroughly.
  • Test your emergency procedures for backups and restoring services/data. Ensure you have offline backups beyond the reach of malicious actors.
  • Encrypt your data so it cannot be used if stolen.
  • Verify your communication channels work and know the players and their roles in your Emergency Response Team.
  • Ensure software and hardware patching is current and up to date.
  • Enable multifactor authentication on all accounts/systems/devices connecting to your network(s).
  • Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents.

Cybersecurity advice to share with co-workers, family and friends

  • Pay extra attention to email: Your work email address, as well as any personal email addresses, are the most common starting places for a targeted attack.
  • Protect yourself:
    • DO NOT FOLLOW LINKS contained in emails or in text messages – If you feel the communication is legitimate, navigate to the main website by typing in the primary site address and then navigate to the desired page/resource.
    • Verify the email using a different contact method – Voice calling is particularly powerful in vetting outreach.
    • Use strong passwords and multi-factor authentication to reduce compromises by unwanted hackers.
    • Protect your devices and home network – keep them up to date and use antivirus software. Use the latest supported versions, apply security patches promptly, use anti-virus and scan regularly to guard against known malware threats.
    • Beware of new outreach in social media platforms (Twitter, Instagram, Snapchat, Facebook, etc.) and text messages from unknown phone numbers or groups.
  • Protect others:
    • REPORT any suspected communications or activity to your Helpdesk or IT department.
    • Report suspicious outreach received at your personal email addresses by reporting them to your service provider via their published resources.
    • DO NOT FORWARD or share:
      • unvetted outreach or “recommended” content.
      • suspicious messages; delete them immediately.

Thank you and please stay safe!

Ferrilli Alert: Federal Fiscal Year 2022 Budget Impact on Pell Grant Awards

With the passage of the Fiscal Year 2022 Federal budget on March 15, 2022, new Pell entitlement figures have been approved, increasing the maximum Pell grant award $400, to $6,895 for the 2022-23 award year.

While this increase is beneficial for students, it will also require action for Financial Aid Offices that have already begun packaging students for the upcoming year.

Impacts for Previously Awarded Students

The increase to the maximum Pell grant award may have several impacts to the aid packages of students who have previously been awarded for the 2022-23 award year.

  • Students awarded Pell grants will likely see an increase to their award entitlement.
  • An increased Pell award may require adjustment to other Federal and institutional awards, as the higher Pell amount will reduce the student’s overall unmet need.
  • Depending on the institution’s SIS/ERP packaging configuration and functionality, adjustments to student awards may require software updates and/or manual review and adjustment.

How to Prepare for Updating Student Pell Awards and Award Packages

There are several steps Financial Aid Offices can take to prepare to implement these changes in their SIS/ERP systems and repackage previously awarded students.

  • Identify any previously packaged students who received Pell as part of their 2022-23 award package. Since this population will need to be reviewed, identifying the population in advance will allow Financial Aid Office staff to better prepare for award revisions when the SIS/ERP is capable of processing them.
  • Monitor communication from your institution’s SIS/ERP vendor indicating what system changes need to be made to accommodate the new Pell entitlements. Generally, this may only require parameter updates for the new amounts but depending on other changes that may have been made to the entitlement grids, software updates may be required as well.
  • Monitor communications from the Department of Education regarding the reprocessing of ISIRs to reflect the updated Pell amounts. Even if your software vendor provides guidance/updates for accommodating the increased award amounts, a new ISIR transaction will still need to be received to correctly calculate a student’s award.
  • Determine if your institution will make adjustments to any previously awarded institutional need-based aid. In other words, if Pell is increased will your institution decrease its need-based award offer or allow previous amounts to remain unchanged. If the latter option is chosen, this may result in the need to revise Subsidized Stafford Loan amounts in the student’s award package.
  • Identify any not yet packaged students with Pell grant eligibility. Excluding these students from the packaging process until the necessary system changes and reprocessed ISIRs have been received will prevent providing inaccurate awards to students and reduce the need for additional repackaging by Financial Aid Office staff.
  • Communicate with your students about revisions to their awards. When students and their families see news of these changes due to the approval of the Federal Budget, they may have questions about how they will be impacted and when they will see revisions to their award package. Providing this information preemptively, both to students needing revisions and to students whose packages may be delayed, may help to allay their concerns and reduce inquiries to their institution’s Financial Aid Office.

Please don’t hesitate to contact us if you require assistance updating student Pell awards and award packages. We’re here to help!

Webinar Recording: Protect Your Institution from Russian Cyber Activity

Our emergency webinar addressed the rise in Russian-Ukraine themed threats and cyber-attack activity. This webinar helps institutions “Know What Their Attackers Know,” and position themselves for defense.

CISOA Technology Summit: Stop by Booth 301 & 302!

We’re excited to be a Diamond Sponsor at the 2022 CISOA Technology Summit in Ontario, CA, March 20-23, 2022!

Stop by Booth 301 & 302 to learn how Ferrilli can help your institution maximize its technology investment.

And don’t forget to check out our live session on Monday, March 21st from 11:15 a.m. to 12:15 p.m. PT: Learn about SJECCD’s Cloud Experience with Ferrilli, Ellucian, & AWS with San Jose Evergreen Community College District’s Director of Enterprise Applications Sergio Oklander.

We look forward to connecting with you!

NERCOMP 2022: Visit Ferrilli at Booth 402!

We’re excited to be a sponsor at the 2022 NERCOMP Annual Conference in Providence, Rhode Island, March 14-16!

Stop by Booth 402 throughout the event to connect with our knowledgeable higher education technology experts and learn about the special benefits we offer to NERCOMP members.

And be sure to check out our live session on Tuesday, March 15th from 8:30-9:15am (ET) in Room 553: A Different Approach – How One College Took its IT Services to the Next Level.

We look forward to seeing you at the conference and sharing how Ferrilli can help your institution maximize its technology investment!

To learn more about our services and the special benefits we offer to NERCOMP members, please visit our vendor page on the NERCOMP website.

Ferrilli Security Update: Protect Your Institution from Increased Russian Cyber Activity

By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant

Higher education institutions should be more on guard than ever for cyber attacks. Due to the current political climate, we are seeing an increase in attacks, especially attacks originating from Russia.

In the past week, our security team has seen two Russian attacks on U.S. institutions, as well as two other institutions hit hard by phishing schemes.

We will be holding an emergency webinar on Thursday, March 17th, 2022, to discuss the threat and provide action steps for protection. Stay tuned for more details. And please stay safe!

Ferrilli Security Alert: Experts Warn to Prepare for More Russian Cyber Activity

By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant

As the U.S. imposes sanctions on Russia for its ongoing aggression against Ukraine, security experts at the Wall Street Journal’s virtual CIO Network Summit this week recommended that the U.S. should prepare for possible cyber retaliation.

Recommendations and Awareness

Recommendations from the Summit included locking accounts after two or three failed login attempts and being aware that Russian operatives could be using password spraying attacks, recycling passwords from past password data dumps, and likely using artificial intelligence to access networks.
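The two recommendations above pull in different directions: a lockout after two or three failures on one account stops classic brute force, but password spraying tries one or two passwords across many accounts and never trips a per-account counter. The detector below, an added example that is not part of the Ferrilli alert, runs both checks over a constructed authentication log: a per-account failure count for the lockout rule, and a per-source count of distinct accounts failed against within a time window for spraying. The log format, the entries and the thresholds are all constructed and illustrative.

```python
"""Distinguish password spraying from single-account brute force in auth logs.

Added example, not part of the Ferrilli alert. The log format, the sample
entries and the thresholds are constructed/illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample log, one event per line: "<ISO timestamp> <FAIL|OK> <account> <source_ip>"
SAMPLE_LOG = """\
2022-03-01T08:00:01 FAIL alice 203.0.113.5
2022-03-01T08:00:03 FAIL bob 203.0.113.5
2022-03-01T08:00:05 FAIL carol 203.0.113.5
2022-03-01T08:00:07 FAIL dave 203.0.113.5
2022-03-01T08:00:09 FAIL erin 203.0.113.5
2022-03-01T08:00:11 FAIL frank 203.0.113.5
2022-03-01T08:01:00 FAIL gina 198.51.100.7
2022-03-01T08:01:02 FAIL gina 198.51.100.7
2022-03-01T08:01:04 FAIL gina 198.51.100.7
2022-03-01T08:01:06 FAIL gina 198.51.100.7
2022-03-01T08:05:00 FAIL henry 192.0.2.9
2022-03-01T08:05:20 FAIL henry 192.0.2.9
2022-03-01T08:05:30 OK henry 192.0.2.9
"""

Event = Tuple[datetime, str, str, str]          # (time, result, account, source_ip)
Failure = Tuple[datetime, str, str, int]        # (time, account, source_ip, sequence no.)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format above into time-sorted events."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return sorted(events)


def _failures(events: List[Event]) -> List[Failure]:
    """Only the FAIL events, tagged with a sequence number so each is distinct."""
    return [(ts, user, ip, seq) for seq, (ts, result, user, ip) in enumerate(events)
            if result == "FAIL"]


def _peak_in_window(items: List[Failure], window: timedelta,
                    distinct_by: Callable[[Failure], object]) -> int:
    """Sliding window over time-sorted failures: the largest number of distinct
    keys (accounts, or individual attempts) that fall inside any `window`."""
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, len({distinct_by(x) for x in items[start:end + 1]}))
    return best


def detect_spraying(events: List[Event], window: timedelta = timedelta(minutes=10),
                    min_accounts: int = 5) -> Dict[str, int]:
    """Source IPs whose failures hit at least `min_accounts` distinct accounts
    inside `window`; the value is the peak number of accounts seen."""
    by_ip: Dict[str, List[Failure]] = defaultdict(list)
    for f in _failures(events):
        by_ip[f[2]].append(f)
    hits = {}
    for ip, fails in by_ip.items():
        peak = _peak_in_window(fails, window, lambda x: x[1])   # distinct accounts
        if peak >= min_accounts:
            hits[ip] = peak
    return hits


def accounts_to_lock(events: List[Event], max_failures: int = 3,
                     window: timedelta = timedelta(minutes=10)) -> Set[str]:
    """Accounts with more than `max_failures` failed attempts inside `window`,
    i.e. the two-or-three-attempt lockout rule applied after the fact."""
    by_user: Dict[str, List[Failure]] = defaultdict(list)
    for f in _failures(events):
        by_user[f[1]].append(f)
    return {user for user, fails in by_user.items()
            if _peak_in_window(fails, window, lambda x: x[3]) > max_failures}  # count attempts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying sources:", detect_spraying(evs))   # 203.0.113.5 hit six accounts
    print("accounts to lock:", accounts_to_lock(evs))  # gina: four failures
```

In the sample, 203.0.113.5 fails once against each of six accounts, so no account reaches the lockout threshold and only the per-source view catches it; gina's four failures from one address are the brute-force pattern the lockout rule is for; henry's two failures followed by a success stay below both thresholds. Tune the window and thresholds to your own baseline of mistyped passwords before alerting on either rule.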

Russia has been known to use hybrid warfare strategies and utilize cyberattacks against their adversaries. Professionals who monitor cyber threats, both for governments and corporations, are concerned that the worst is yet to come, in the form of both direct attacks by Russia and collateral damage from their cyber attacks.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued a warning to U.S. businesses that says they should be prepared to defend against cyber attacks originating from Russia. “Every organization—large and small—must be prepared to respond to disruptive cyber activity.”

Russian hackers began targeting Ukraine at least as early as January with “wiper” malware, which is designed to destroy hard drive data by wiping its contents completely. Professionals who monitor cyber threats, both for governments and corporations, are on high alert because Russia has a history of unleashing cyberweapons that wreak havoc far beyond the computers and networks that were their original targets.

What Can You Do to Protect Your Student and Employee Data?

The House Armed Services Committee recommends institutions be testing procedures for backups and restoring data, enabling multifactor authentication on devices connected to their networks, and ensuring software is up to date on patching to protect their networks from known vulnerabilities.

Here are Some Additional Mitigating Tips and Helpful Layers of Defense

  • Prepare by documenting what you have. Identify every application and asset running in your IT environment. This level of granularity will allow you to quickly map critical assets, data, and backups, and to identify vulnerabilities and risks. By having a complete picture of your network and data environments, you’ll be able to respond and act quickly during an attack or breach.
  • Utilize segmentation and alerting where possible to help prevent ransomware propagation and lateral movement. Create perimeters around critical applications, backups, file servers and databases. Restrict traffic between users, applications, and devices to help block lateral movement. These blocked access attempts become your indicators of compromise. Incorporate reputation-based detection that alerts to the presence of known malicious domains and processes. Set up security monitoring so you are collecting the data that will be needed to analyze network intrusions.
  • Test your backups and recovery methods. Make sure to have backups off-site and visualization capabilities that support phased recovery strategies in which connectivity is gradually restored as different areas of the network are validated as “all clear.”
  • Do not expose management interfaces of network devices to the internet. The management interface is a significant attack surface, so not exposing them reduces your risk. Web based interfaces are convenient for managing networking equipment, but under no circumstances should these be open to the world and the internet.
  • Protect your devices and networks by keeping them up to date. Use the latest supported versions, apply security patches promptly, use anti-virus and scan regularly to guard against known malware threats.
  • Use multi-factor authentication to reduce the impact of password compromises.
  • Treat people as your first line of defense. Tell staff how to report suspected phishing emails, and ensure they feel confident to do so. Investigate their reports promptly and thoroughly, and never punish users for clicking phishing links or opening attachments.

VMware Alert: Patch These Vulnerabilities Immediately!

By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant

VMware is urging customers to patch bugs in ESXi, Workstation, Fusion and Cloud Foundation running in on-premises or co-located settings.

The ramifications of the combined vulnerabilities are serious, especially if attackers have access to workloads inside your environments.

The patches fix a total of five (5) CVEs in those products that were disclosed during the Tianfu Cup, a Chinese security event that VMware participates in.

We’re increasing awareness for our higher education community

Most academic institutions have increased their use of VMware to support remote work and labs from home for their employees and students.

Ferrilli is therefore raising awareness and recommending that institutions pay extra close attention to failed VMware patches on their systems. Double-check that all systems have been properly patched (servers, workstations, and laptops).

**Remind all your users to patch their personal devices.**

More info about the vulnerabilities

The VMware vulnerabilities include use-after-free (UAF), double-fetch, unauthorized access, and denial-of-service bugs. While no individual bug reaches the critical level, VMware says they should be treated as critical because they can be chained to achieve a higher combined severity.

  • ESXi, Workstation and Fusion contain:
    • A UAF bug (CVE-2021-22040) in the XHCI USB controller that could allow a bad actor with local admin privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host.
    • A double-fetch bug (CVE-2021-22041) that could also lead to unauthorized code execution on the virtual machine’s VMX process running on the host.
  • ESXi also contains:
    • An unauthorized access vulnerability (CVE-2021-22042) due to VMX having access to settings authorization tickets. A malicious actor with privileges in the VMX process only could access the settings service running as a high-privileged user.
    • A time-of-check/time-of-use (TOCTOU) bug (CVE-2021-22043) in the way temporary files are handled that could be used to escalate privileges by writing arbitrary files.
    • A slow HTTP Post denial-of-service vulnerability in rhttpproxy that could be used to create a denial-of-service condition by overwhelming rhttpproxy service with multiple requests.

For more information on workarounds and patching these vulnerabilities, read VMware’s advisory and the company’s associated blog.

If you have any questions or need assistance, please click here to get help.

Ferrilli Security Alert: Google Patches Actively Exploited Chrome Zero-Day Vulnerability

By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant

Google has released a NEW update for the Chrome browser for Windows, Mac, and Linux, to fix a high-severity, zero-day vulnerability used by threat actors in attacks.

“Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild.”

It is strongly recommended that everyone install yesterday’s (2/15/2022) Google Chrome update as soon as possible.

We’re increasing awareness for our higher education community

Ferrilli is recommending that academic institutions pay close attention to failed patches on their systems and double-check that all systems have been patched (workstations, laptops, and servers). Please remind your faculty, staff, and students to patch their personal devices.

More info about the vulnerability

This is the first Chrome zero-day fix of this year. The vulnerability was discovered by Google’s Threat Analysis Group. While Google said it has detected attacks exploiting this zero-day, it did not share any additional info regarding these incidents or technical details about the vulnerability.

Very few details of the security flaw have been revealed but UAF vulnerabilities typically facilitate attacks such as arbitrary code execution and data corruption in unpatched software and can lead to the takeover of a victim’s machine.

The zero-day, tracked as CVE-2022-0609, carries a CVSSv3 score of 9.8/10.

What Version Should You Be On?

The latest stable build (98.0.4758.102) for Windows, Mac, and Linux brings with it a total of 11 security fixes, with many of the highest-severity flaws relating to use after free (UAF) vulnerabilities.

If you have any questions or need assistance, please click here to get help.

Zooming In On Zero-Click Exploits (Patch Your Zoom Software!)

By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant

A zero-click attack surface for the popular video conferencing solution Zoom has yielded two security vulnerabilities that could have been exploited to crash the service, execute malicious code, and even leak arbitrary areas of its memory.

The weaknesses have been addressed by Zoom as part of their updates. Failure to patch all your systems could provide the needed pivot-point for threat actors to gain access into your network environment.

We’re increasing awareness for our higher education community:

Ferrilli is recommending that academic institutions pay close attention to failed patches on their systems and double-check that all systems have been patched (workstations, laptops, and multimedia router (MMR) servers). Also, remind your faculty, staff, and students to patch their personal devices.

More info about the vulnerabilities:

A zero-click attack against the Windows Zoom client was revealed at Pwn2Own (a security event designed to identify and flag vulnerabilities before they’re exploited by threat actors) showing that it does indeed have a fully remote attack surface. This resulted in two vulnerabilities being reported to Zoom. One was a buffer overflow that affected both Zoom clients and MMR servers, and one was an info leak that is only useful to attackers on MMR servers.

Here are the CVE numbers associated with the two flaws that were identified:

  • CVE-2021-34423 (CVSS score: 9.8) – A buffer overflow vulnerability that can be leveraged to crash the service or application or execute arbitrary code.
  • CVE-2021-34424 (CVSS score: 7.5) – A process memory exposure flaw that could be used to potentially gain insight into arbitrary areas of the product’s memory.

Goal of a zero-click attack:

For threat actors to stealthily gain control over the victim’s device without requiring any kind of interaction from the user (such as clicking on a link). A key trait of zero-click hacks is their ability not to leave behind traces of malicious activity, making them very difficult to detect.

If you have any questions or need assistance, please click here.

Critical Security Updates for Microsoft Exchange and Windows OS

By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant

We’re alerting our higher education technology community that yesterday’s (1/11/2022) Microsoft Patch Tuesday released critical security updates for Exchange and Windows OS that addresses several serious security vulnerabilities.

The updates fix 97 vulnerabilities in total; 9 of these are remote code execution (RCE) flaws, 6 are classed as zero-day, and 1 is wormable.

A wormable exploit can self-propagate through a network with no user interaction. This vulnerability lies in how the OS processes unauthenticated HTTP traffic and carries a severity rating of 9.8 on a scale of 10. Windows Server 2019 and 2022, plus Windows 10 and 11, are affected.

Microsoft suggests patching all affected Windows versions as soon as possible; publicly facing servers with open HTTP and HTTPS ports are the most critical. The security updates for Exchange affect 2013, 2016, and 2019, including hybrid servers for Office 365.

The update has only been released for the latest Cumulative Update (CU) for Exchange Server 2013 (CU23), and the last two CUs for 2016 (CU21 and CU22) and 2019 (CU10 and CU11). This means you will need to patch to one of these CUs before being able to apply this security update.

If you have any questions or need assistance, please click here.

For your reference, click here to read the blog post the Microsoft Exchange Team published about the update and patch process.

Webinar Recording: Log4j Vulnerability Advice & Updates

We held a complimentary emergency webinar with our most trusted security experts on Wednesday, December 15th, to explain the Log4j threat, address questions, and offer remediation advice.

Ferrilli Security Alert: Log4j Vulnerability Affects All Industries

By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant

We’re alerting our higher education technology community that on December 9, a remote code execution vulnerability, tracked as CVE-2021-44228, was disclosed in Apache’s Log4j.

Apache Log4j is an open-source logging utility used by almost all major Java-based applications and currently running on 3 billion devices worldwide.

Log4j has been exposed to a very high-risk vulnerability under active and vigorous exploitation. Exploiting this vulnerability is simple: the attacker only needs to submit a crafted string to the target, which triggers the vulnerability and allows the attacker to remotely control the victim’s server.

How Do I Tell If I’m at Risk?

Chances are, you have a system(s) at risk. While advanced features of many popular Next Generation Firewalls (NGFWs) or Web Application Firewalls (WAFs) may offer some protection, you still need to patch quickly. We recommend two immediate steps to figure out your level of exposure.
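The first step in measuring exposure is knowing where Log4j actually lives on your systems, since it is usually bundled inside applications rather than installed as a package. The following is an added example (not part of the alert above and not Ferrilli's tooling) that walks a directory tree, finds log4j-core jars, reads each jar's version from its manifest (falling back to the filename), and flags releases below the version that first fixed CVE-2021-44228. The fixed-version cutoff of 2.15.0 is a fact about the CVE that the alert does not state; the sample directory tree the example builds is constructed inline so it runs offline.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# CVE-2021-44228 affects Log4j 2 releases before 2.15.0 (not stated on the page; added here).
# Fixes were also backported to the 2.12 and 2.3 branches (2.12.2, 2.3.1); a plain version
# compare is conservative and will still flag those, which is the safe direction for triage.
FIXED_VERSION = (2, 15, 0)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract (major, minor, patch) from text such as '2.14.1' or '2.0-beta9'; None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def jar_version(path):
    """Prefer Implementation-Version from the jar manifest; fall back to the filename."""
    try:
        with zipfile.ZipFile(path) as zf:
            if "META-INF/MANIFEST.MF" in zf.namelist():
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in manifest.splitlines():
                    if line.startswith("Implementation-Version:"):
                        ver = parse_version(line.split(":", 1)[1])
                        if ver:
                            return ver
    except zipfile.BadZipFile:
        pass  # corrupt or renamed file: fall back to whatever the name says
    return parse_version(Path(path).name)


def find_log4j_core(root):
    """Walk root and return sorted (path, version, exposed) tuples for every log4j-core jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            # log4j 1.x jars are named log4j-1.x.y.jar, so this prefix only matches 2.x
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                full = os.path.join(dirpath, name)
                ver = jar_version(full)
                exposed = ver is not None and ver[0] == 2 and ver < FIXED_VERSION
                findings.append((full, ver, exposed))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: two fake log4j-core jars plus an unrelated jar, each with a manifest."""
    samples = {
        "app1/WEB-INF/lib/log4j-core-2.14.1.jar": "2.14.1",
        "app2/lib/log4j-core-2.17.1.jar": "2.17.1",
        "app2/lib/commons-io-2.11.0.jar": "2.11.0",
    }
    for rel, ver in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % ver)


def demo():
    """Scan the constructed tree in a temp dir; return {jar name: (version, exposed)}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {Path(p).name: (v, e) for p, v, e in find_log4j_core(root)}


if __name__ == "__main__":
    for name, (ver, exposed) in demo().items():
        print("%-28s %-8s %s" % (name, ".".join(map(str, ver)), "EXPOSED" if exposed else "ok"))
```

Run it against a real application root instead of the temp directory (for example `find_log4j_core("/opt")`) to get an inventory to patch from. Reading the manifest rather than trusting the filename matters because vendors sometimes repackage or rename jars; a hit on an unexpected path is the case most worth following up.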

Continue reading “Ferrilli Security Alert: Log4j Vulnerability Affects All Industries”

Join Us at the SACSCOC 2021 (Virtual) Annual Meeting

Attending SACSCOC 2021 virtual?

Then be sure to stop by our booth to chat live with our team of experts and learn how your institution can maximize its technology investment!

We’ll also be hosting 3(!) live video sessions:

Friday, December 3rd @ 11 am ET – Increase Completion Rates with Ferrilli’s Automated Degree & Certificate Evaluator for Ellucian Banner (with Ferrilli’s Senior Vice President Carol Thomas)

Friday, December 3rd @ 3:45 pm ET – Increase Efficiency with Program Requirement Managed Services (with Ferrilli’s Executive Vice President Kelly Sinacola)

Monday, December 6th @ 1:15 pm ET – Increase Completion Rates with Ferrilli’s Automated Degree & Certificate Evaluator for Ellucian Colleague (with Kelly Sinacola)

We look forward to connecting with you!

Data Security: It Takes a Village

By Marcia Daniel, Chief Client Officer, Ferrilli

When I meet with institutional leaders across the higher education landscape, I am continually astounded at just how tech-savvy they have become. Provosts are asking about degree audit software. Registrars want to discuss how best to deploy chatbots. Vice Presidents of Student Life are exploring the benefits of digital nudges. Just about everyone in higher education is a technology expert these days – except in the area that matters most.

Because when I ask them about what they’re doing to ensure data security, there’s a familiar refrain I hear all too often: “Oh, our CIO handles that.”

Continue reading “Data Security: It Takes a Village”

Stop By Our Booth at EDUCAUSE 2021 and Take Your Shot at $50k

We’re going for the green at EDUCAUSE 2021!

Be sure to stop by Booth 101 on Wednesday, October 27th and Thursday, October 28th, to play Ferrilli’s $50,000, hole-in-one challenge!

We’ll also be raffling off a once-in-a-lifetime trip to the beautiful Pebble Beach Resorts, located between picturesque Monterey and Carmel, California.

Our team of talented higher education technology experts will be there to cheer you on … and, of course, answer any questions you have about optimizing your institution’s technology investment.

You do not want to miss this! Just look for the massive, state-of-the-art golf simulator and come over to take your shot!

Check out our article in the Fall 2021 ACCT Trustee Quarterly!

If you missed Ferrilli Chief Client Officer Marcia A. Daniel’s article Want to Improve Graduation Rates? Make it Easier to Graduate, in the Fall 2021 ACCT Trustee Quarterly, you can read it now by clicking the link below.

In the piece, Marcia posits that automatically awarding degrees shifts the balance from institutions to students in ways that benefit both.

Click here to access the Fall 2021 ACCT Trustee Quarterly and read the article.

Virtual Roundtable Recording: Analytics in Higher Education

Watch Ferrilli’s Anthology Practice Director Dan Mongeluzi lead a roundtable discussion on Analytics in Higher Education.

Dan covers how far we have come with analytics in education, discusses useful business cases, and (hopefully) motivates folks to take action!