UK, Canada, and US Say Russian Hackers Targeting Vaccine Research; Hackers Hijacked High-Profile Twitter Accounts; US Legislators Adding Solarium Report Recommendations to Bill

The hijacked accounts had "Verified" status, which indicates that the account takeover was from the use of Twitter administrator accounts. Multifactor authentication for administrator accounts cannot be optional. Further, limiting where they can login from should be considered.

Lee Neely

Overall, Twitter has kept its infrastructure pretty secure over the years, but this event would be a good hook for raising the "What security actions are needed if our company will continue to rely on social media in general, and Twitter in particular, as a reliable place for business communications functions?" issue to CXOs and Boards of Directors. The flood of disinformation on Twitter and Facebook and others is so high that the risk vs. business value needs to be consciously examined.

John Pescatore

After an earlier incident like this one, Twitter made a strong authentication option available to its users. These users are the ones for which use of strong authentication is strongly indicated.

William Hugh Murray

This is a great example of why it is so important to have restrictions and fail-safes set into your systems for high privilege accounts. Applying the CIS Critical Security Controls for Effective Cyber Defense and in particular enhanced authentication, verification, and alerting on unusual behaviours are just some of the controls that should be considered to protect these accounts from themselves.

Brian Honan

This is a busy patch week. The trick is getting all these patches installed remotely, with systems which remain on-premise and user systems being remote. Making patch services available to off-site trusted devices without requiring a VPN can increase success and provide for automating patches for those remote systems. Remember that some on-premise systems may need human intervention to reboot after patching, which requires planning and communication.

Lee Neely

Pay attention to the backdoor ("Static Default Credential") Cisco removed from the VPN for its small business RV110W devices. This could be used to obtain unauthorized access to a network protected by the device.

Johannes Ullrich

Much of the responsibility for and cost of quality of our infrastructure has shifted from the developers to the users. This multiplies the cost and reduces the effectiveness in proportion to the popularity of the product.

William Hugh Murray

Expect working exploits for CVE-2020-1350 ("SigRed" Microsoft DNS Server Vulnerability) soon, maybe today. So far, only a DoS exploit has been made public. Of course, this vulnerability caught the most attention out of all of the issues patched. Another interesting vulnerability was patched in Outlook. Sadly, this patch caused a lot of problems for Outlook users, and some had to remove it.

Johannes Ullrich

The DNS flaw was highlighted in CISA Emergency Directive 20-03 (https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/cisa-releases-emergency-directive-critical-microsoft-vulnerability), which urges immediate patching. If you cannot patch immediately, apply the registry fix mitigation to Windows servers running DNS services immediately while completing your regression testing. Note, per Binding Operational Directive 19-0 (https://cyber.dhs.gov/bod/19-02/), Federal Agencies have 15 days to apply this patch.

Lee Neely

Another reminder that IT operations patching performance may have suffered during the transition to working from home. The rise in infection rate in areas of the US and the world may cause more degradation. Worth checking and pushing tighter levels of mitigation if IT ops has been unable to meet patching SLAs or norms.

John Pescatore

The patches include updates for iOS 12.4.8 and watchOS 5.3.8 which contain no CVE entries. The updates to Kernel, Audio, WebKit and Safari occur across the updates with CVE entries, and as such need to be rolled out with your other patch Tuesday updates.

Lee Neely

Be careful where you buy equipment. This isn't a new issue. Counterfeit equipment has also been responsible for datacenter fires in the past due to substandard power supplies. Here is an example from 2008: https://www.zdnet.com/article/cisco-partners-sell-fake-routers-to-us-military/: Cisco partners sell fake routers to US military.

Johannes Ullrich

Back in 2008, the FBI operation "Cisco Raider" found over 3,500 counterfeit Cisco devices sold to US government, industry and power plants. The procurement side of supply chain security obviously failed again. Good item to prompt a review of internal procurement controls to prevent this and important to blacklist any integrator or channel supplier that is found to have sold counterfeit gear.

John Pescatore

These counterfeit devices did not include any discoverable backdoors, indicating these were financially motivated replacements that were very difficult to differentiate from genuine products. The F-Secure analysis provides insight into the steps taken to ensure the fake devices would run the genuine Cisco firmware, including how integrity checks were bypassed. Make sure that your suppliers have adequate controls to assure genuine products are delivered as well as understanding the response plan if a counterfeit device is discovered.

Lee Neely

The first article is about forensics, the second about "counterfeiting" of Cisco devices. It ends with four recommendations the most important of which is "Source all your devices from authorized resellers," to which I would add "expect to pay market prices."

William Hugh Murray

This is a complex issue; make sure your legal counsel is aware of the change. The most immediate pressure will be on companies defined as "Electronic Communication Service Providers" under 50 US 1881. That will be pressure for additional safeguards beyond what might have been defined in existing Standard Contractual Clauses and increased demand for EU citizen data only being stored in EU-located data centers that are under EU regulations and not subject to US mandated surveillance.

John Pescatore

At the core of this decision was the lack of assurances that could be demonstrated to the ECJ that personal data belonging to those in the EU would not be subjected to US surveillance laws when transferred to the US. This will have implications for many cloud based companies and for US companies operating in the EU who need to transfer personal data back to the US. While the court has deemed the Standard Contractual Clauses as an alternative to relying on Privacy Shield, this could change and more stringent legal agreements put in place. Of note is the statement from the office of the Irish Data Protection Commission (who brought the case to the ECJ) which says "This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis". So watch this space.

Brian Honan

I've used the ITRC data for years - one important caveat is that most ransomware attacks have not been considered "breaches" in the past and are often not reported formally or at all. That is starting to change, but many state and local organizations that tightened up controls around sensitive databases to prevent breaches were impacted by ransomware. The main point is to make sure you have basic security hygiene in place before you address attack specific controls.

John Pescatore

Just about every piece of electronic gear contains persistent storage. Decommissioning, repair, warranty returns, and upgrade activities need to include processes for analyzing what is stored and enact device wipe or media removal where appropriate. NIST SP 800-88 has a lot of information and clearing processes, including validation, which can be leveraged. In some cases, where a wipe cannot be assured, working with a recycler that can shred or otherwise destroy the device can make sure that's done properly and avoid the consequences of inadvertent data loss.

Lee Neely