SANS NewsBites

Cybersecurity Executive Order to Drive 2FA and Encryption; Microsoft Patch Tuesday; Vulnerabilities Affect Millions of Wi-Fi Devices; FTC Report on Right to Repair

May 14, 2021  |  Volume XXIII - Issue #38

Top of the News


2021-05-13

Biden Signs Executive Order on Improving the Nation’s Cybersecurity

President Joe Biden has signed an executive order (EO) on cybersecurity. The order establishes more stringent security requirements for government contractors, and directs government agencies to use the procurement process to encourage vendors to implement a secure software development process. It also requires government agencies to use multi-factor authentication and encryption. The EO also calls for adoption of a zero-trust security model.

Editor's Note

Plenty of fluff in the Executive Order but three very good things: (1) Establishing the Cyber Safety Review Board, modeled after the National Transportation Safety Board; (2) 180-day deadline for moving to multi-factor authentication and encrypting data at rest; and (3) the federal government using its buying power to drive higher levels of supply chain security. While deadlines will inevitably be missed, these three things are critical and measurable bar-raisers. The “Zero Trust” mandate less so – until any organization first gets to essential security hygiene and then puts strong authentication in place, it is not possible to even come close to implementing “zero trust.”

John Pescatore

While the order is codified into regular requirements, take the time to assess your environment and start planning your implementations. Increased cloud adoption and zero trust require supporting monitoring, validation, and assessment processes to make sure that you don’t lower your security or become the victim of the next cloud data breach. Look to NIST and CISA as well as industry analysts to develop guidelines. While it will be incredibly valuable to talk to peer agencies to leverage lessons learned from similar implementations, make sure you clearly understand what type of information and systems they were protecting. Expect vendors to come calling with solutions; verify they are actually aligned with requirements prior to jumping in.

Lee Neely

Better than not. However, if top-down executive orders were effective, our government would long since have been more secure than commerce. We may govern top-down but we implement from the bottom up. If government buying power was effective, would there still be the overwhelming market preference for open, general, flexible, and feature rich over security?

William Hugh Murray

2021-05-12

Microsoft Patch Tuesday

On Tuesday, May 11, Microsoft released updates that address 55 security issues in Edge, Exchange Server, Microsoft Office, the Windows RDP Client, and other products. Four of the fixed vulnerabilities are rated critical: an HTTP Protocol Stack remote code execution (RCE) vulnerability, a Hyper-V RCE vulnerability, an OLE Automation RCE vulnerability, and a Scripting Engine Memory Corruption vulnerability in Internet Explorer 11.

Editor's Note

The number of vulnerabilities patched is small. But the http.sys vulnerability should be addressed as soon as possible. Luckily, it only applies to specific (very recent) versions of Windows. Currently I am not aware of a public exploit. Expect one to be released in a couple of weeks. You likely have about a week to get this one patched before you will join Colonial Pipeline and others in the news.

Johannes Ullrich

Good news: only 55 security issues. Bad news: four are critical – including CVE-2021-31166 – which applies to desktops and servers. CVE-2021-25419 applies to IE 11, on desktops and servers. Assume IE 11 is still on systems, unless you’re explicitly removing it. You should be off IE 11 this year. Look at Edge’s IE Compatibility mode option for applications which expect IE. And there are also four more patches for Exchange. Even if you’re on MS 365, make sure you’re not still in hybrid mode, which means you would still have legacy Exchange servers which need patching.

Lee Neely

2021-05-13

FragAttacks Vulnerabilities Affect Millions of Wi-Fi Devices

A group of recently-detected fragmentation and aggregation attacks (FragAttacks) affects most Wi-Fi devices; some of the flaws date back more than 20 years. Three of the vulnerabilities are design flaws in the Wi-Fi 802.11 standard. Some vendors have released updates.

Editor's Note

The vulnerabilities themselves aren't critical, but need to be patched as vendors release updates. Consider all Wi-Fi gear that is Linux-based vulnerable (which is probably 90% of it). I do suggest you read the writeup to learn more about how these Wi-Fi protocols work, and why there may be more vulnerabilities where these came from.

Johannes Ullrich

Joshua Wright identified many of these vulnerabilities ten years ago. What’s new here is the identification of flawed implementations. While flaws in the 802.11 standard aren’t going to be rectified soon if at all, implementation flaws are being addressed. CVE-2020-24586, CVE-2020-24587 and CVE-2020-24588 weaknesses are generally low risk because they require close proximity to the AP to exploit and have very limited impact when exploited. Even so, it’s a good time to make sure your wireless firmware is updated.

Lee Neely

While perhaps counter-intuitive, one is far more likely to be attacked on the wire side than on the air side.

William Hugh Murray

2021-05-11

Federal Trade Commission’s Report to Congress on Right to Repair

A US Federal Trade Commission (FTC) report submitted to Congress found “scant evidence to support manufacturers’ justifications for repair restrictions.” With regard to cybersecurity concerns, the report notes that “The record contains no empirical evidence to suggest that independent repair shops are more or less likely than authorized repair shops to compromise or misuse customer data. Furthermore, although access to certain embedded software could introduce new security risks, repair advocates note that they only seek diagnostics and firmware patches.”

Editor's Note

This is a victory for repair shops and technicians who want to repair devices and may elect to not use OEM parts. Even so, review the risks of having your devices serviced by third parties. Look to how you can be assured that information is not compromised and that non-OEM hardware doesn’t introduce disallowed functions or procedures. Decide if you want to allow employees to take a corporate device to be repaired at their own discretion or if you want a more rigorous process followed.

Lee Neely

One more attack vector? Maintenance and repair are part of the supply chain.

William Hugh Murray

The Rest of the Week's News


2021-05-13

Verizon’s 2021 Data Breach Investigations Report: Human Interaction Plays a Part in Most Breaches

According to Verizon’s 2021 Data Breach Investigations Report (DBIR), 85 percent of data breaches involved human interaction. These breaches include phishing, business email compromise, lost or stolen credentials, and human error and misuse. Gabe Bassett, senior information security data scientist for the Verizon Security Research team and co-author of the report said, “I think it's very easy in security to forget that what we're securing is not the computer. What we're securing is the organization. The organization is the people as well.”

Editor's Note

As someone who is passionately focused on the human side of cybersecurity, this year’s report is exciting as it brings far more visibility into the role people play. As a huge fan of the VZDBIR, I’ve always struggled to piece together all the Action elements to better understand the broad role people play; this year the DBIR team did that for us, getting the numbers of 85%. This year they also added a new Pattern (Social Engineering) and a call-out on Security Culture. Cybersecurity is no longer just a technical challenge but a human one also, and the VZDBIR provides the data to help us better understand and address that challenge.

Lance Spitzner

Changing human behavior is critical, but we know safety controls are always required even in very mature areas like “don’t use your blow dryer in the tub” – that is why we required Ground Fault Interrupt circuits for all outlets near water. The majority of attacks still start with a phishing front end to obtain credentials – non-reusable passwords paired with user awareness to reduce click rates are the solution, not one or the other.

John Pescatore

While true, we did not need the DBIR to tell us that. It should not be the case that one user clicking on a bait message should compromise an entire enterprise. Strong authentication and network segmentation, not to mention "zero trust," would make us far more robust than we are. At a minimum, we should be isolating systems used for browsing and e-mail from mission critical applications, e.g., operating a pipeline. These are widely applicable and efficient measures. We know what to do. Can't we just get on with it?

William Hugh Murray

2021-05-13

Colonial Pipeline Reportedly Paid $5 Million Ransom

Bloomberg reports that Colonial Pipeline paid ransomware operators nearly $5 million. The decryption key provided by the operators proved to be so slow that Colonial Pipeline also used backups to restore its systems. Earlier reports indicated the company did not intend to pay the ransom.

Editor's Note

Note that even with the application or decryption key to restore your encrypted systems, progress may not be as rapid as expected. You may need to use multiple approaches, such as also continuing to rebuild systems from backup to get back online in a timely fashion. Ask how long it would take to rebuild your infrastructure from backup, then compare that with your expected RTO/RPO. Conduct exercises to make sure you actually can rebuild systems; run test transactions to make sure they match your production systems. Adjust where needed.

Lee Neely

Three key things really popped out for me on this one. First, it appears that it was not the OT networks that were infected but Colonial’s IT billing system. One of the reasons Colonial stopped the flow of gas is because they would not be able to bill for it. Two, even though they paid the ransom they still could not decrypt their data. This surprised me as this was such a high-visibility incident; most likely the cyber criminals made a mistake. Finally, this incident really reinforced for me how the scale and sophistication of the RaaS community has exploded.

Lance Spitzner

Compared to other recent ransomware incidents, this payout sounds small. But I am sure the ransomware gang will invest it right back into better tooling for its next attack.

Johannes Ullrich

Those who pay extortion may not get the protection that they pay for and their neighbors will be more at risk.

William Hugh Murray

2021-05-13

Biden Says Colonial Pipeline Attack Was Not State-Sponsored

President Joe Biden said that while there is reason to believe that the ransomware operators responsible for the Colonial Pipeline attack are in Russia, an FBI report says that the attack was not backed by the Russian government. Biden also said that the US plans “to pursue a measure to disrupt [the ransomware operators’] ability to operate.”

Editor's Note

DarkSide is a ransomware as a service organization; effectively anyone can use their services so specific attribution is complex if not impossible. The focus needs to be on mitigations and preparedness. In OT and critical infrastructure, Availability is key versus the Integrity or Confidentiality legs of the CIA triad. Verify that those systems can operate reliably without your supporting IT systems, and make sure you don’t have unexpected avenues of compromise.

Lee Neely

2021-05-12

South Korea Will Review Energy Infrastructure Cybersecurity

Prompted by the Colonial Pipeline ransomware attack, South Korea’s Ministry of Trade, Energy and Infrastructure has ordered a cybersecurity review of the country’s energy infrastructure. The minister of Trade, Industry, and Energy is urging entities that operate South Korea’s oil and gas pipelines, power grids, and emergency response systems to evaluate the security of their systems and report their findings to the ministry.


2021-05-11

Adobe Patch Tuesday Includes Fix for Actively Exploited Flaw in Reader and Acrobat

On Tuesday, May 11, Adobe released updates addressing more than 40 vulnerabilities in a dozen of its products. One of the flaws, a critical use after free issue affecting Reader and Acrobat, is being actively exploited.

Editor's Note

I’m the only one that hoped that post-Flash Acrobat and Reader patches would slow down, right? Your Creative Cloud users should have an update all queued up. For the rest of your systems, add this to the patches you’re rolling out. Note users will have to restart the app to apply the update. Uninstall where they are not needed to reduce future avenues of attack.

Lee Neely

With Flash gone, Adobe's patches dropped from the headlines somewhat. But they are still making a number of other wonderful products. Many of them, not just Acrobat, receive patches these days. For example, Magento is one of those wonderful products that was patched again (even if it was just a minor problem: it is easier to patch continuously as patches are released vs. making it a fire drill each time a critical vulnerability is released).

Johannes Ullrich

Reader and Acrobat continue to be a problem. Everyone has them but not everyone needs or uses them. One favorite bait message continues to be "Click here to update Adobe Reader."

William Hugh Murray

2021-05-13

Rapid7 Source Code Affected by Codecov Supply Chain Attack

Rapid7 says that some of its source code was compromised through the Codecov supply chain attack. In a blog post, Rapid7 writes, “A small subset of our source code repositories for internal tooling for our MDR service was accessed by an unauthorized party outside of Rapid7.” The affected repositories held some internal credentials, all of which have been rotated.

Internet Storm Center Tech Corner

Webcast: Ransoming Critical Infrastructure

https://www.sans.org/webcasts/119775


Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+May+2021+Patch+Tuesday/27408


Number of industrial control systems on the internet is lower than in 2020...but still far from zero

https://isc.sans.edu/forums/diary/Number+of+industrial+control+systems+on+the+internet+is+lower+then+in+2020but+still+far+from+zero/27412/


WiFi Fragmentation Attacks

https://www.fragattacks.com


Links to FragAttacks Vendor Bulletins (in German)

https://www.heise.de/news/WLAN-Sicherheitsluecken-FragAttacks-Erste-Updates-6045116.html


Adobe Acrobat Patches

https://helpx.adobe.com/security/products/acrobat/apsb21-29.html


Sending Arbitrary Messages via FindMy

https://positive.security/blog/send-my


Cross Browser Tracking with Schemeflood

https://fingerprintjs.com/blog/external-protocol-flooding/


Cisco AnyConnect Secure Mobility Client Patch

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK


MSBuild Abused By Attackers

https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly