Pulseway Response in Light of Recent Cyber-Attack

This announcement is no longer active

Jamie Taylor

The security of our customers and partners has always been our top priority, so we understand your concern in light of the recent serious cyber-attack that exploited vulnerabilities in other RMM platforms. We want to reassure you that our systems have been operating normally and that we have not seen any indication of similar attacks, compromises, or suspicious activity. We continue to closely monitor our production environment.

Our platform has been designed with a strong focus on security. It does not require inbound network ports to be opened, does not leave any ports open, and uses AES (256) transport and message encryption. In addition, our development, hosting, and NOC practices align with and follow internal best security practices, such as the ISO 27000 series and the NIST Cybersecurity Framework, as well as our own Secure SDLC. Code scanning and pen tests are part of our regular process.

Continuing this commitment to providing a secure environment, we will proactively introduce additional security features in the coming weeks. While these are not directly related to recent attacks, they have been designed to provide additional peace of mind for our users as they continue to use Pulseway and help them implement enhanced security practices.

These additional security features are actively in development and will include:

  • We have always recommended that Pulseway customers enforce 2FA for all users as part of security best practice. Going forward, 2FA will also be required in order to add or modify any scripts. Scripts are one of the most common attack vectors and this change ensures that only verified users are permitted to add or modify scripts. Full instructions on enabling and enforcing 2FA are available here.
  • Additional enhancements to the WebApp login regarding 2FA designed to streamline the login process.
  • Optionally, any change of password or 2FA reconfiguration on an administrator account could restrict that account’s ability to perform system-wide actions for a predefined period of time. By default, this will be 24 hours. The account restriction can be lifted sooner by any other administrator. When an account is restricted, the user can still view systems, reports and other metrics but will be unable to issue commands or to add or modify scripts, automation workflows, third-party patching custom titles and more.
  • We will also provide an option for notifying administrators of any significant account changes for any users (2FA, passwords, new device added, etc.).

We remain committed to providing you with a secure and productive environment. If you have any questions, please do not hesitate to get in touch.

Read Pulseway Official Statement here.