SolarWinds Even More Victims; $2 Million In Scholarships for talented students interested in cyber

It is highly likely that at least one hostile nation state has gained persistent access to our infrastructure. While much of the access may never be exploited, its existence constitutes an existential threat to our national security. It is time to stop admiring the problem.

William Hugh Murray

Good cybersecurity tools can find the persistent presence of those nation states only when they are deeply and continuously adapted to local conditions by people with elite cyber talent like the folks who found the SolarWinds infection at Mandiant/FireEye. Tools don't find these problems without those hunters and tool adapters, and no nation will be able to withstand sustained cyber attacks without a cadre of world-class hunters. Hunters will be as important in future conflicts as fighter pilots were in World War II. The National Cyber Scholarship Foundation launched a $2 million scholarship program to identify and support the next generation of hunters; more than 25,000 high school students are participating this winter and spring. A parallel collegiate program will be announced in late January.

Alan Paller

CISA has three categories of network/systems for response guidance as well as whether or not you were running an impacted version of SolarWinds. If you don't have the required forensic capabilities, CISA will help you locate a qualified provider. CISA also warns that there may be other vulnerabilities in SolarWinds Orion the threat actors have yet to exploit. The best plan for reintroduction of Orion into your environment is to build on freshly provisioned servers from the most current version. Before implementing CISA measures, make sure your organization is not taking a more conservative approach.

Lee Neely

Given the number of successful attacks against healthcare institutions, it is fair to infer that far too many such institutions are accepting the risk of such attacks. While this may be justified, it simply cannot be acceptable to take that risk while also failing to have a plan for timely remediation.

William Hugh Murray

FedRAMP provides a level playing field for assessing the security of cloud services to a known standard, including ongoing monitoring and visibility to issues and responses, known as POA&Ms. Assessing the security of a FedRAMP authorized service is much easier than trying to exercise your "right to audit" and mapping their practices to your security standards. FedRAMP also adds the requirements to support strong authentication, e.g. PIV/SmartCard. Even so, it's up to the agency to either implement the use of smart cards or obtain approval not to from their authorizing official; all FedRAMP customer responsibilities must be addressed in order to obtain an approval to operate (ATO).

Lee Neely

In many areas of information security the federal government lags behind private industry. But FedRAMP and DMARC and DNSSEC are areas where the federal government used its buying power to drive higher levels of security in the broader commercial markets and led the way in adopting more secure use of the Internet and Internet-based services. I'd like to see application security and strong authentication get added to that list for future government adoption to drive markets.

John Pescatore

One agrees with John Pescatore on strong authentication. It resists the fraudulent reuse of compromised credentials, a pervasive risk. It is, at least arguably, our most efficient security measure. One also agrees that application security, especially applications common across enterprises, is essential, though much more difficult to specify or legislate. However, particularly on the desktop, applications are a small part of the attack surface. Most desktops have ten to a hundred times the amount of system code than is actually required by the applications. The vulnerabilities in this code are common and exploited across enterprises. Consider reducing your attack surface by eliminating gratuitous functions.

William Hugh Murray

Stradis terminated Dobbins's regular accounts after he was terminated but missed the secret account he created. Accounts should be validated regularly. Not only after creation but on a regular basis to ensure only legitimate and active accounts are enabled. Account creation, particularly when assigned privileges, should create an alert or trigger an action.

Lee Neely

Hard to do anything but cheer the sentencing. But, the question of how a "secret account" existed should be a spur to making sure privileged accounts are limited and routinely audited - if not regularly revoked to require regular re-justification for access.

John Pescatore

Transparency and accountability are the primary controls over privileged users. In enterprises with more than one or two such users, consideration should be given to Privileged Access Management software.

William Hugh Murray

The server had default (admin/admin) credentials. As much has been done of late to make services available to remote workers, verifying the security, including the presence of default credentials, has to be part of service delivery. Security also should be re-verified after installing patches, upgrades, or significant changes.

Lee Neely

NSA Cyber also set up a valuable GitHub repo with tools (https://github.com/nsacyber/Mitigating-Obsolete-TLS). A tool that should probably be added is Zeek which is ideally suited to detect the use of outdated TLS configurations. It can also be used to verify that certain outdated versions and ciphers are no longer in use, and that it is safe to disable them.

Johannes Ullrich

When implementing strong encryption, be sure to disable weak algorithms as well. The weak algorithms in TLS 1.2 are NULL, RC2, RC4, DES, IDEA, and TDES/3DES. While TLS 1.3 removes these, if you're also supporting TLS 1.2, use an external scanner verify they are disabled.

Lee Neely

In emergency situations, in particular, it is important to have automated tools to secure systems. During an evacuation, people should focus on leaving the area, not securing their screen. This has happened at hotels when thieves used fire alarms to evacuate buildings before stealing laptops.

Johannes Ullrich

Can't fault people fleeing violent mobs or burning airplanes for leaving the laptops on behind them, but this is a good news item for reminding decision makers why screenlock and timeout timers are beneficial to the health of the business in any instance where a computing device may be left unattended even in normal circumstances.

John Pescatore

The first priority during a crisis is preservation of life and limb. Typically drill/test scenarios don't include facility breach, so unlocked or unattended systems are not at risk. Even so, implementing idle timers which lock the screen have to be SOP. NIST SP 800-53 controls require this on federal information systems. Similar requirements stem from NIST SP 800-171 which apply to non-federal systems processing sensitive USG information.

Lee Neely