John Pescatore - SANS Director of Emerging Security Trends
Driving IT Operations to Move to Essential Security Practices Needs to Be Job 1
This week's Drilldown will focus on two items (included below) from NewsBites Issue 4, which discusses related issues: a DHS CISA report that points out that the lack of essential security practices enables most damaging clouds breaches and Cisco’s release of more than 70 patches for high-severity vulnerabilities in its products.
What I’m calling "essential security practices" are essentially required life support for any IT system. They are a subset of what has been highlighted in the Center for Internet Security Critical Security Controls Implementation Group 1 and the Australian Signals Directorate Essential 8:
- Ø Patch high-severity software vulnerabilities rapidly.
- Ø Have configuration standards and detect misconfigurations promptly.
- Ø Minimize admin privileges and monitor where in use.
- Ø Use strong authentication for all privileged access.
There is a lot of mythology out there that these four things are hard to do, but they are all IT operations processes that are widely done by organizations that don't show up in the news for serious breaches or significant financial impact from ransomware attacks. The difficulty is in convincing IT management and operations to adopt these processes, not in how hard the processes are to implement. The key is getting across to management that these processes are essential, just as certain financial standards are essential to avoiding financial disaster and customers' loss of trust.
These four security processes alone will not stop every attack. For example, patching faster would have meant you installed the compromised SolarWinds software faster. But if SolarWinds had implemented these essential security practices, it is likely it would have either avoided or more quickly noticed the compromise. At a minimum, reaching the essential security practices level reduces the level of noise from well-known vulnerabilities being exploited by well-known attacks--increasing the likelihood that your security team would more quickly notice the signs of advanced targeted attacks in process. Requiring your supply chain to demonstrate that same essential level further increases safety.
CISA: Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments
(January 13 and 14, 2021)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released Analysis Report AR21-013A, "Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services," after becoming aware of cyberattacks leveraging weaknesses in cloud security services. Threat actors are leveraging phishing and other techniques to exploit poor cyber hygiene practices and misconfigurations in cloud services. CISA has listed steps organizations can take to improve their cloud security posture.
[Paller] The false belief that "cloud equals more secure" is so pervasive that one of the largest cloud providers has an employee (a senior retired FBI agent) whose nearly full-time job is explaining to clients that the system images they bought from the cloud provider were "no more secure than the servers and desktops they bought from Best Buy." In a meeting in Washington, he told the other attendees his nickname at the company was "CAO." When asked what that meant, he said, "chief apology officer." It takes skilled professionals to make cloud systems secure, though the cloud providers offer wonderful tools to enable clients to make their systems more secure. SANS has in-depth, up-to-date courses on how to use those tools (www.sans.org/blog/sans-cloud-security-curriculum/)[LJ1] , and all three top cloud providers allow you to order system images preconfigured according to the Center for Internet Security configuration guidelines: Everything You Need to Know About CIS Hardened Images.
[Neely] The report includes great recommendations to improve cloud security. Make sure that you're adequately securing cloud environments; at a minimum make sure you're following the service's security guidance. Review that guidance annually for improvements and needed changes. Make sure that direct access requires multifactor authentication (MFA). Verify that conditional access is both enabled and operates as planned. Evaluate the risks of enabling SSO from corporate desktops. Be sure that cloud service logs are being reviewed regularly, ideally forwarded automatically to your centralized logging and SIEM.
[Pescatore] Poor configuration management, authentication, privilege management, and secure configuration IT ops practices don't get better just because the application is now running in the cloud. Too often it just means that the wrong things can be done faster. None of CISA's recommendations are cloud-specific. The best approach is to focus on essential security practices on-premises, then extend to the cloud.
Read more in:
US-CERT-CISA: Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments
CISA: Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services
Bleeping Computer: CISA: Hackers bypassed MFA to access cloud service accounts
Threatpost: Cloud Attacks Are Bypassing MFA, Feds Warn
Security Week: CISA Warns Organizations About Attacks on Cloud Services
MeriTalk: Threat Actors Exploiting Poor Cyber Hygiene of Cloud Environments, CISA Warns
Cisco Updates Include Fix for Serious Vulnerability in CMX and 70 Other High-Severity Flaws
(January 13 and 14, 2021)
Cisco has released fixes for nearly 70 high-severity flaws in a variety of products. One of the most serious vulnerabilities affects Cisco Connected Mobile Experiences (CMX) and could be exploited to "allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system." Cisco has also released fixes for vulnerabilities in its RV routers, but it is not releasing updates for older RV routers that have reached end-of-life (EOL). The devices in question, which include Cisco Small Business RV110W, RV130, RV130W, and RV215W systems, reached EOL in 2017 and 2018, and paid extended support contracts expired on December 1, 2020. Cisco is urging customers using older versions of its RV routers to upgrade to newer, actively supported models.
[Neely] Exploiting the vulnerabilities requires existing credentials on the devices. One of the mitigations is to disable the web UI for managing the configuration. Because these are devices used by small businesses, which may not have the expertise to manage them using the command line, replacement of these EOL devices is a much better choice. Review the configuration to ensure that only authorized devices and users are able to update the configuration. Make sure that you are regularly checking for and applying updates and verifying the configuration as well as changing credentials after support staff turnover.
[Pescatore] Demolition experts find a small number of key support points and use a small number of explosives to bring down very large buildings. IT infrastructure elements, like network management systems (e.g., SolarWinds), VPN servers (e.g., Pulse Secure), and all routers/switchers/load balancers, etc., are high-priority/high-level targeted "support points" that can cause catastrophic damage if left vulnerable and exploitable. Downtime for patching/securely configuring key infrastructure elements must be fought for.
Read more in:
Threatpost: High-Severity Cisco Flaw Found in CMX Software For Retailers
ZDNet: Cisco says it won't patch 74 security bugs in older RV routers that reached EOL
Cisco: Cisco Connected Mobile Experiences Privilege Escalation Vulnerability
[LJ1]Link goes to 404.