FBI Warns on Windows 7; NSA on Mobile Devices Location Data; Canon and Lafayette (CO) Hit With Ransomware

Over the last five months, much of the corporate infrastructure has been operated remotely; new systems may have been made remotely accessible which were previously isolated; and lifecycle plans were placed on hold. The security posture of Windows 7 has not improved during this time. Make sure that you don't allow either direct internet access to Windows 7 systems or direct access to your corporate network, remotely or locally from them. Remote workers running Windows 7, not currently behind the corporate perimeter, should be at the top of the equipment replacement list.

Lee Neely

While companies should migrate to more modern operating systems, the reality is that some computers will remain on older platforms. This is due to dependencies in legacy applications, embedded operating systems in devices, or lack of budget. Your vulnerability management strategy should include how you manage the risks associated with outdated operating systems and software for which no patches or updates may be available. Things to consider should include enhanced monitoring, filtering of network traffic, segmenting vulnerable systems from other parts of your network, and updating both your incident response and business continuity plans.

Brian Honan

Some location exposure will always be there if you carry a constantly-transmitting device with you all the time. But, Apple and Google on the phone OS side, the wireless carriers on the service side, and (probably most importantly) the FCC on the rules and enforcement side really need to change the priorities to put privacy first, exposure by exception as the norm. Where we are today is like when full SSN and credit card numbers used to be printed on every receipt and displayed everywhere - it doesn't have to happen.

John Pescatore

Ten years ago, keeping location services disabled was a reasonable option for users. Today, so many devices and mobile activities rely on or leverage location, for some users disabling these services is akin to going offline; NSA acknowledges these measures are impractical for most users. The advice is spot-on for not revealing a sensitive location or staff and should be assessed in those contexts. As John says, the protection measures around location services need to evolve to limit exposure and access to this information.

Lee Neely

Please remember to conduct your own risk assessment before following this guide. The recommendations are good, and it represents a very nice and concise guide to limit location data you leak. But some recommendations, like anti-theft features on the phone, may be better left enabled. It all depends on what you consider the greater risk.

Johannes Ullrich

To reach the point where their systems are trusted requires an appropriate vulnerability disclosure model, devices that are resistant to attacks and sufficient transparency around the security to permit informed decisions related to product selection. Partnering with a company like Synack that has experience with vulnerability disclosure and bug bounties is important to successfully implement that model.

Lee Neely

Election security is tricky. The goal is not just to secure the process, but also to be transparent so the public trusts the results. Opening up the vulnerability discovery process and working with the community may improve the public perception of election security.

Johannes Ullrich

This is a good first step for an organization that has long denied there were problems, but ES&S has definitely not yet earned the trust for anyone to believe that the broad terms in the policy (like "Work in good faith with you...", "Strive to keep you informed" , "Work to remediate discovered vulnerabilities in a timely manner", etc.) will be translated into timely action. ES&S did announce they are working with Synack on a managed bug bounty bug program (a good thing) but I would have really liked to see ES&S CEO Tom Burt do what then Microsoft CEO Bill Gates did in 2002, and what Zoom CEO Eric Yuan did this year when both companies were rocked by severe vulnerabilities in their companies' products: declare security is job 1, stop feature/functionality additions, and put the entire focus on a security push. As the old saying goes, the fish really does swim the way the head is pointed.

John Pescatore

Consider policies and controls that isolate social networking, browsing, and e-mail applications from mission critical ones.

William Hugh Murray

It is important to understand and track the lifecycle of all the ICS components, particularly those with security functions such as gateways or protocol translators, to keep them updated. Additionally, consider further segmentation of the environment to insulate the system from inappropriate access and achieve defense in depth.

Lee Neely

Have you verified that your physical protection measures are resistant to attack? Check for improperly configured single-factor security measures, such as strike plates on electronic locks that don't properly fit the latch, allowing them to be opened with a hook or credit card; motion-based lock releases located above doors that can be triggered externally; or horizontal door levers that can be triggered by sliding a hook under the door. Most importantly, make sure that doors and closets with IT assets are, in fact, kept locked.

Lee Neely

Recently, we've been getting distracted by stories of leaked data with a corresponding ransom demand, which could result in the data no longer being available on line. This time, core information is available which could be used to develop new bios/firmware hacks which will be difficult to mitigate. The hack was successful not only because an unprotected share on their CDN was used, but also because confidential files within that storage had easy-to-guess passwords, such as Intel123. Verify that the security on your CDN is equivalent to or better than your systems, and when using passwords to protect files, use long passphrases that are resistant to cracking or guessing attempts. If user selectable encryption is available, use strong options such as AES to thwart brute force access methods.

Lee Neely