Nations Target COVID-19 Research; 250,000 Windows Systems Not Patched Against Critical Vulnerabilities

With the pressure to be first to market with an effective vaccine, countries are willing to reach that goal by any means necessary. Organizations working to create the drugs are in the crosshairs, in ways they are not prepared for or resourced to defend against. Microsoft is offering AccountGuard as a free service to healthcare organizations to help raise the bar on their email account security. (See https://www.microsoftaccountguard.com/healthcare/) It also includes notifications, direct links to Microsoft Customer Security and Trust team and security webinars and workshops, which should help focus limited resources as well as better prepare to protect systems without a significant time or cash outlay.

Lee Neely

Before anybody blames the pandemic for this, going back to the "early day" of Code Red and SQL Slammer, the result has been the same: most systems get patched in 30 days. The rest never get patched. Some organizations care, others do not. Many of these systems are essentially abandoned from any meaningful maintenance and are waiting to die a slow dead of ransomware and hardware neglect, lonely and forgotten in some server closet. We are not talking about hard-to-patch IoT devices for which it can be difficult to even find updates. These are for the most part Windows and Linux systems. Microsoft has provided more and better tools to make patching easier, more reliable, and less risky. Same for all major Linux distributions. But if organizations do not care to learn about these new tools, and just do what they always did (= nothing), we will end up with the equivalent of loaded unsecured shotguns scattered over the Internet waiting to be picked up and used by a random kid walking past them.

Johannes Ullrich

With everyone working remotely, patching those systems is challenging but is a solvable problem. Options to increase success include providing update services which can be reached without VPN by authorized systems, notifying users when to leave systems connected during patch windows, rather than patching while working and allowing the VPN to connect prior to login to mitigate risks of cached credential loss.

Lee Neely

Lots of indication that IT operations have been consumed with keeping Work from Home up and running and patching performance has declined even at organizations that had strong SLAs pre-pandemic.

John Pescatore

Data stolen includes both customer and employee PII. Beware of password reset actions attempting to use this data. The Ragnar Locker group is seeking ransom for both the decryption key and for not publishing the data. If you've used the password from your Capcom account anywhere else, change it now to something unique for each service.

Lee Neely

This is the second fine in recent weeks that the ICO has issued in relation to insecure implementations on a company's website; the other company is British Airways. Of note with this fine is the ICO not only highlighted the failure of Ticketmaster to properly assess the risks associated with the installation of the chat-bot onto its website, but also its failure to "Identify the source of suggested fraudulent activity in a timely manner." https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/11/ico-fines-ticketmaster-uk-limited-125million-for-failing-to-protect-customers-payment-details/: ICO fines Ticketmaster UK Limited #1.25million for failing to protect customers' payment details.

Brian Honan

A full restoration from backup can be painful and involved. Verify that your backups and restoration procedures are sufficient for a full-service restoration, including interdependencies. Practice service restoration, including rebuilding and operating services on fresh hardware or instances. Verify these are accurate and functional annually. Make sure that you don't overlook processes performed locally on end-user systems.

Lee Neely

Many small enterprises, including small municipalities, often lack the resources to create effective plans to cope with breaches. While outside services may be helpful, any effective plan will require the participation and training of those responsible for implementing the plan.

William Hugh Murray

As these exploits require physical access, your servers aren't the target as much as all those systems now running at home. Make sure that your threat model not only includes protections for mitigations for system on travel, in cars, etc. but also those in homes, or being delivered to users, particularly where the system configuration is completed externally. Consider disabling sleep mode for hibernate to mitigate vulnerabilities which access encryption keys in memory.

Lee Neely

Exploitation involves accessing the network associated with the devices and vulnerable services. Mitigations include regularly patching the servers and segmenting services utilizing firewalls and ACLs so only authorized devices able to interoperate.

Lee Neely

Vertafore is offering a year of credit monitoring and repair to affected individuals, which is a good start. If you are affected and don't already have that service, sign up, and expect to keep it long term. While passing verification of security requirements to external providers is not new, the consequence of error is much higher with Internet-facing systems they use, particularly as those systems may have third-party services which also need to follow those requirements. Remember to regularly verify controls are in place and working beyond the initial acquisition and acceptance testing phases, including breach notification and indemnity agreements.

Lee Neely