NSA and FERC/NERC Issue Extremely Valuable Security Guides; CISA Emergency Directive on Windows

There is information in the first document we can all leverage as we are all connecting assets to a personal or other non-company managed networks, providing IoCs and mitigations for home users, including aggressive measures if your home network is actively compromised. The second document not only outlines out-of-band management practices, it also provides alternatives for either physical or virtual separations, which help raise the bar on corporate IT devices and services.

Lee Neely

Excellent resources.

Brian Honan

This is a great source of best practices and successes. Leverage this report to see if you've missed anything, as well as a source for solutions you may not have derived on your own, possibly facilitating that "ah ha!" moment.

Lee Neely

Good to see FERC/NERC highlighting common successful practices across very individual security programs of the eight utilities interviewed. There is no shortage of information about failures in security - finding out how others have overcome the barriers to higher levels of security is what is needed. During my years at Gartner, Case Study research notes were among the highest page views of all Gartner documents and here at SANS the What Works program continues that approach. The value is not in "I never thought of doing that," it is in the "Oh, that is how they were able to do that."

John Pescatore

The flaw can be leveraged for an unauthenticated attacker to obtain administrative privileges on your domain controller. Double check that you applied the update to all your Domain Controllers. The fix applies to Windows Server 2008 or later. Next, build a plan for the required post-patch activities prior to the Q1 2021 DC enforcement phase to avoid devices losing access:

Lee Neely

We are at the point where most enterprises should apply Windows patches by default. The risk of not doing so now exceeds that of applying without testing for their impact on applications.

William Hugh Murray

The CheckPoint blog notes that most of the targets of this campaign are "Iranian Nationals" (and a few neighbors), those seen as opponents of the regime. While the blog did point to tools (including CheckPoint products) useful for resisting this campaign, this editor was unable to find indicators of compromise (IOCs). The investigation is of interest, but this campaign does not represent a risk for most of our readers.

William Hugh Murray

There were three separate updates to the rules as incremental fixes were quickly released, rather than delaying to only release the comprehensive fix; make sure you have the latest which fully addresses the problem. Initial exploits were possible as a parameter could be changed to move to the less secure v1 code base, either by request manipulation or CSRF. Both exploit paths are closed. If you're relying on the free Wordfence firewall, rules were released September 19th and 20th. Rules for the paid version were released 30 days previously.

Lee Neely

It is now routine to identify vulnerabilities in WordPress Plug-ins. Many of these remain unpatched, in part because the decision to include the plug-in was made casually, at a low-level of management, and was not documented. Said another way, no one is responsible for knowing what plug-ins are in use, much less for patching them. If you are using WordPress, identify and minimize the plug-ins that are in place, and monitor announcements about those that you continue to use.

William Hugh Murray