homepage
Open menu Go one level top
  • Train and Certify
    • Get Started in Cyber
    • Courses & Certifications
    • Training Roadmap
    • Search For Training
    • Online Training
    • OnDemand
    • Live Training
    • Summits
    • Cyber Ranges
    • College Degrees & Certificates
    • NICE Framework
    • DoDD 8140
    • Specials
  • Manage Your Team
    • Overview
    • Security Awareness Training
    • Voucher Program
    • Private Training
    • Workforce Development
    • Skill Assessments
    • Hiring Opportunities
  • Resources
    • Overview
    • Reading Room
    • Webcasts
    • Newsletters
    • Blog
    • Tip of The Day
    • Posters
    • Top 25 Programming Errors
    • The Critical Security Controls
    • Security Policy Project
    • Critical Vulnerability Recaps
    • Affiliate Directory
  • Focus Areas
    • Blue Team Operations
    • Cloud Security
    • Digital Forensics & Incident Response
    • Industrial Control Systems
    • Leadership
    • Offensive Operations
  • Get Involved
    • Overview
    • SANS Community
    • CyberTalent
    • Work Study
    • Instructor Development
    • Sponsorship Opportunities
    • COINS
  • About
    • About SANS
    • Why SANS?
    • Instructors
    • Cybersecurity Innovation Awards
    • Contact
    • Frequently Asked Questions
    • Customer Reviews
    • Press Room
  • Log In
  • Join
  • Contact Us
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  1. Home >
  2. Blog >
  3. NewsBites Drilldown for the Week Ending 15 January 2021
370x370_john-pescatore.jpg
John Pescatore

NewsBites Drilldown for the Week Ending 15 January 2021

January 19, 2021

Newsbites.jpg

John Pescatore - SANS Director of Emerging Security Trends

Driving IT Operations to Move to Essential Security Practices Needs to Be Job 1

This week's Drilldown will focus on two items (included below) from NewsBites Issue 4, which discusses related issues: a DHS CISA report that points out that the lack of essential security practices enables most damaging clouds breaches and Cisco’s release of more than 70 patches for high-severity vulnerabilities in its products.

What I’m calling "essential security practices" are essentially required life support for any IT system. They are a subset of what has been highlighted in the Center for Internet Security Critical Security Controls Implementation Group 1 and the Australian Signals Directorate Essential 8:

  • Ø Patch high-severity software vulnerabilities rapidly.
  • Ø Have configuration standards and detect misconfigurations promptly.
  • Ø Minimize admin privileges and monitor where in use.
  • Ø Use strong authentication for all privileged access.

There is a lot of mythology out there that these four things are hard to do, but they are all IT operations processes that are widely done by organizations that don't show up in the news for serious breaches or significant financial impact from ransomware attacks. The difficulty is in convincing IT management and operations to adopt these processes, not in how hard the processes are to implement. The key is getting across to management that these processes are essential, just as certain financial standards are essential to avoiding financial disaster and customers' loss of trust.

These four security processes alone will not stop every attack. For example, patching faster would have meant you installed the compromised SolarWinds software faster. But if SolarWinds had implemented these essential security practices, it is likely it would have either avoided or more quickly noticed the compromise. At a minimum, reaching the essential security practices level reduces the level of noise from well-known vulnerabilities being exploited by well-known attacks--increasing the likelihood that your security team would more quickly notice the signs of advanced targeted attacks in process. Requiring your supply chain to demonstrate that same essential level further increases safety.

______________________________________________________________________________

CISA: Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments

(January 13 and 14, 2021)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released Analysis Report AR21-013A, "Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services," after becoming aware of cyberattacks leveraging weaknesses in cloud security services. Threat actors are leveraging phishing and other techniques to exploit poor cyber hygiene practices and misconfigurations in cloud services. CISA has listed steps organizations can take to improve their cloud security posture.

[Editor Comments]

[Paller] The false belief that "cloud equals more secure" is so pervasive that one of the largest cloud providers has an employee (a senior retired FBI agent) whose nearly full-time job is explaining to clients that the system images they bought from the cloud provider were "no more secure than the servers and desktops they bought from Best Buy." In a meeting in Washington, he told the other attendees his nickname at the company was "CAO." When asked what that meant, he said, "chief apology officer." It takes skilled professionals to make cloud systems secure, though the cloud providers offer wonderful tools to enable clients to make their systems more secure. SANS has in-depth, up-to-date courses on how to use those tools (www.sans.org/blog/sans-cloud-security-curriculum/)[LJ1] , and all three top cloud providers allow you to order system images preconfigured according to the Center for Internet Security configuration guidelines: Everything You Need to Know About CIS Hardened Images.

[Neely] The report includes great recommendations to improve cloud security. Make sure that you're adequately securing cloud environments; at a minimum make sure you're following the service's security guidance. Review that guidance annually for improvements and needed changes. Make sure that direct access requires multifactor authentication (MFA). Verify that conditional access is both enabled and operates as planned. Evaluate the risks of enabling SSO from corporate desktops. Be sure that cloud service logs are being reviewed regularly, ideally forwarded automatically to your centralized logging and SIEM.

[Pescatore] Poor configuration management, authentication, privilege management, and secure configuration IT ops practices don't get better just because the application is now running in the cloud. Too often it just means that the wrong things can be done faster. None of CISA's recommendations are cloud-specific. The best approach is to focus on essential security practices on-premises, then extend to the cloud.

Read more in:

US-CERT-CISA: Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments

https://us-cert.cisa.gov/ncas/current-activity/2021/01/13/attackers-exploit-poor-cyber-hygiene-compromise-cloud-security

CISA: Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-013a

Bleeping Computer: CISA: Hackers bypassed MFA to access cloud service accounts

www.bleepingcomputer.com/news/security/cisa-hackers-bypassed-mfa-to-access-cloud-service-accounts/

Threatpost: Cloud Attacks Are Bypassing MFA, Feds Warn

https://threatpost.com/cloud-attacks-bypass-mfa-feds/163056/

Security Week: CISA Warns Organizations About Attacks on Cloud Services

www.securityweek.com/cisa-warns-organizations-about-attacks-cloud-services

MeriTalk: Threat Actors Exploiting Poor Cyber Hygiene of Cloud Environments, CISA Warns

www.meritalk.com/articles/threat-actors-exploiting-poor-cyber-hygiene-of-cloud-environments-cisa-warns/

Cisco Updates Include Fix for Serious Vulnerability in CMX and 70 Other High-Severity Flaws

(January 13 and 14, 2021)

Cisco has released fixes for nearly 70 high-severity flaws in a variety of products. One of the most serious vulnerabilities affects Cisco Connected Mobile Experiences (CMX) and could be exploited to "allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system." Cisco has also released fixes for vulnerabilities in its RV routers, but it is not releasing updates for older RV routers that have reached end-of-life (EOL). The devices in question, which include Cisco Small Business RV110W, RV130, RV130W, and RV215W systems, reached EOL in 2017 and 2018, and paid extended support contracts expired on December 1, 2020. Cisco is urging customers using older versions of its RV routers to upgrade to newer, actively supported models.

[Editor Comments]

[Neely] Exploiting the vulnerabilities requires existing credentials on the devices. One of the mitigations is to disable the web UI for managing the configuration. Because these are devices used by small businesses, which may not have the expertise to manage them using the command line, replacement of these EOL devices is a much better choice. Review the configuration to ensure that only authorized devices and users are able to update the configuration. Make sure that you are regularly checking for and applying updates and verifying the configuration as well as changing credentials after support staff turnover.

[Pescatore] Demolition experts find a small number of key support points and use a small number of explosives to bring down very large buildings. IT infrastructure elements, like network management systems (e.g., SolarWinds), VPN servers (e.g., Pulse Secure), and all routers/switchers/load balancers, etc., are high-priority/high-level targeted "support points" that can cause catastrophic damage if left vulnerable and exploitable. Downtime for patching/securely configuring key infrastructure elements must be fought for.

Read more in:

Threatpost: High-Severity Cisco Flaw Found in CMX Software For Retailers

https://threatpost.com/cisco-flaw-cmx-software-retailers/163027/

ZDNet: Cisco says it won't patch 74 security bugs in older RV routers that reached EOL

www.zdnet.com/article/cisco-says-it-wont-patch-74-security-bugs-in-older-rv-routers-that-reached-eol/

Cisco: Cisco Connected Mobile Experiences Privilege Escalation Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxpe-75Asy9k

[LJ1]Link goes to 404.


Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Join the SANS Community to receive the latest curated cybersecurity news, vulnerabilities, and mitigations, training opportunities, plus our webcast schedule.
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

Tags:
  • Cybersecurity Insights

Related Content

Blog
Newsbites.jpg
Cybersecurity Insights
March 2, 2021
NewsBites Drilldown for the Week Ending 26 February 2021
John Pescatore - SANS Director of Emerging Security Trends Show How Security Improvements Reduce Business Outages This week's Drilldown will focus on an item (included below) from NewsBites Issue 16 reporting that the U.S. Federal Reserve System had an outage that was not a cybersecurity incident....
370x370_john-pescatore.jpg
John Pescatore
read more
Blog
Newsbites.jpg
Cybersecurity Insights
February 16, 2021
NewsBites Drilldown for the Week Ending 12 February 2021
John Pescatore - SANS Director of Emerging Security Trends Rogue IT has seen the benefit of using the cloud, too! This week’s Drilldown will focus on an item (included below) from NewsBites Issue 12, reporting that three small web hosting companies were compromised and one (No Support Linux...
370x370_john-pescatore.jpg
John Pescatore
read more
Blog
Newsbites.jpg
Cybersecurity Insights
February 9, 2021
NewsBites Drilldown for the Week Ending 5 February 2021
John Pescatore - SANS Director of Emerging Security Trends Patches are like vaccines: Low quality leads to long-lasting resistance and self-inflicted wounds. This week's Drilldown will focus on an item (included below) from NewsBites Issue 10, where a Google security researcher reported that 30%...
370x370_john-pescatore.jpg
John Pescatore
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters
  • The Critical Security Controls
  • Focus Areas
  • Blue Team Operations
  • Cloud Security
  • Cybersecurity Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Join the SANS Community to receive the latest curated cybersecurity news, vulnerabilities, and mitigations, training opportunities, plus our webcast schedule.
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe
  • © 2021 SANS™ Institute
  • Privacy Policy
  • Contact
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn