SANS NewsBites

Critical VMware Vulnerability Requires Prioritized Patching; Turn On Auto Update in Chrome Browser; White House Cyber Advisor Wants Feds to Focus on Essential Security Hygiene and Skills

May 28, 2021  |  Volume XXIII - Issue #42

Top of the News


2021-05-26

VMware Updates Address Flaws in vSphere Client

VMware has released updates to address two vulnerabilities in its vSphere Client. The first is a critical severity “remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in.” The second is a moderate-severity “vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins.”

Editor's Note

Limit access to your vCenter infrastructure to authorized devices only, just as you would limit access to system consoles to prevent unauthorized attempts to “fiddle” with things. Note that the vulnerable Virtual SAN Health plugin is present even if you don’t have a VMware VSAN. The vulnerable plugins can be disabled by setting them to “incompatible” (not “disabled”) as a temporary mitigation; the long term fix is to rapidly apply the updates. There are three CVEs impacting five plugins. If you disable the plugins, they remain disabled after the patch until you explicitly re-enable them. Note that some third-party plugins may no longer function after the update as additional changes were made in vCenter Server to improve overall security.

Lee Neely

Not only should you patch this flaw as soon as possible, but you should also double check that the vSphere console is not exposed to the Internet. Access should only be possible via a VPN or from a local management network. As a quick workaround: disable the vSAN client if you are not using it.

Johannes Ullrich

Here in Maryland the 17-year cicadas are coming out of the ground. When they last went underground in 2004, we were just recovering from the impact of Windows buffer overflow/input validation flaws being exploited in the Slammer/Blaster/Sasser and other attacks. Sad to see VMware shipping software all these years later with those same well-known software development mistakes in such a mission critical product. Critical not just to patch your systems but to make sure your supply chain does so as well.

John Pescatore

Input validation is difficult but necessary. Failure to do it properly is a continuing and widespread problem. It is aggravated by the fact that the developer cannot easily foresee the environment in which his code may run. It is simplified when the use of the input is tightly constrained, e.g., to a limited code set. Allowing special characters, especially in repetition or combination, which may trigger escape from processes down in the stack, is particularly dangerous. Anecdotal evidence suggests that input validation is not taught in training programs, or even in colleges and universities.

William Hugh Murray

2021-05-26

Chrome 91

Google has released Chrome 91 to the stable desktop channel. The updated browser includes fixes for 32 security issues. At least eight of the flaws fixed are rated high severity; they include use after free vulnerabilities, a heap buffer overflow flaw and an out-of-bounds write flaw.

Editor's Note

Google Chrome has a reasonably robust auto-update. As you are reading this: Exit Google Chrome, start it up again, and check if you are up to date. It is a good idea to restart Google Chrome from time to time anyway, and it can help keep it up to date.

Johannes Ullrich

When I see use after free bugs, I flash back to teaching myself C; memory management requires discipline as well as tools to make sure that you didn’t miss anything. When deploying the update, watch for Chromium based browsers, Edge, Brave, etc. If you’re manually updating, check to make sure you’re all the way to version 91.0.4472.77.

Lee Neely

2021-05-26

"Disappointment" with Federal Network Hygiene Drove Elements of US Cybersecurity Executive Order

Anne Neuberger, the White House deputy national security advisor for cyber and emerging technologies, said the impact of the SolarWinds compromise, which led to President Biden’s recent Executive Order, pointed out the need for immediate and measurable improvements to the security of federal systems and networks. She listed improved skills in Security Operations Centers, enabling and emphasizing more proactive threat hunting, and the Government using its buying power to drive demand for secure, tested software.

Editor's Note

The bad news is the US government is like an enormous ship and often inputs from the captain and top staff seem to get lost in the long and torturous path to the engines and rudder. The good news is that even small course corrections can have a huge impact and occasionally (like mandates to government agencies to move to DNSSEC and DMARC, or to buy only certified, testing cryptographic software) the government can actually lead private industry. There is an opportunity for that to happen here.

John Pescatore

Agencies already have requirements to implement endpoint protections, continuous monitoring, ongoing validation of secure baselines, and dynamic software allow and deny capabilities, with regular reporting to DHS through the CDM program. That program provided for first year licensing of products and an added year of maintenance. Where it falls short is that the resources to implement are unfunded, licenses are difficult to obtain, and the new processes can create disruption to existing processes intended to keep systems within an acceptable level of risk. The new EO seeks to further raise the bar on federal systems, but success will require ongoing funding for staff at the agencies and sites which need to implement the new controls as well as training and hiring of SOC staff. Care must be taken not to assume all incidents can be monitored and responded to from a centralized control point.

Lee Neely

“Secure software” and “supply chain” are related but separate problems. One has no reason to believe that SolarWinds' code was not tested or secure. The problem was that they distributed code that they did not even know was there. Caveat Emptor will not solve the supply chain problem, even when the buyer has the market power of the sovereign. Suppliers must be accountable for what they distribute.

William Hugh Murray

The Rest of the Week's News


2021-05-28

SolarWinds Threat Actors Targeting Government-Related eMail Accounts

In a blog post, Microsoft writes that the same threat actors believed to be responsible for the SolarWinds attack have targeted email accounts at government agencies, think tanks, NGOs, and consultancies in 24 countries. The attacks were launched after gaining access to USAID's Constant Contact email marketing services account.

Editor's Note

While we assume we’re largely ignoring email streams from services like Constant Contact, make sure that your users truly are looking at the legitimacy of messages and reporting/blocking them as needed as these services are an excellent way to craft a really convincing looking phish.

Lee Neely

2021-05-28

DHS/TSA Issues Pipeline Security Directive

The US Department of Homeland Security’s (DHS’s) Transportation Security Agency (TSA) has issued a security directive to enhance pipeline security. The directive has three requirements: pipeline owners and operators must report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of detection; designate a cybersecurity coordinator who will be available to TSA and CISA 24/7; and conduct an assessment to check for compliance with TSA’s pipeline cybersecurity rules, develop remediation measures for detected gaps, and report them to TSA and CISA within 30 days. Failure to comply with the guidelines will result in fines. The directive is effective as of Friday, May 28, 2021.

Editor's Note

The requirement that the identified Cybersecurity Coordinator be a U.S. Citizen eligible for a security clearance sets the stage for CISA and DHS to communicate sensitive or classified threat intelligence data in the future. The challenge for operators is to designate more than one Cybersecurity Coordinator for depth of coverage, and make sure that all coordinators meet the requirements. If you’ve outsourced your monitoring and response capabilities, make sure the provider can meet the requirements before designating them. Develop supporting processes and templates for consistent reporting to CISA. Make sure external incident reporting doesn’t exclude internal awareness.

Lee Neely

While pipelines are, at one level, transportation mechanisms, they are also part of the energy infrastructure. DHS should be asking whether TSA is the most appropriate regulator. Note that the Internet, the attack vector, is both unregulated and supranational.

William Hugh Murray

Read more in

Document Cloud: Security Directive Pipeline-2021-01 (PDF)

DHS: DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators

Washington Post: The Cybersecurity 202: DHS directive out today is ‘step one’ in securing pipelines against hacking

Cyberscoop: TSA cyber requirements would fine pipeline operators for lax security practices

SC Magazine: DHS issues cyber order to pipeline operators in first move to regulate critical infrastructure sectors

Bleeping Computer: US announces new security directive after critical pipeline hack

FCW: After Colonial attack, TSA issues new cyber regs for pipelines

The Hill: TSA formally directs pipeline companies to report cybersecurity incidents in wake of Colonial attack

CNET: Colonial Pipeline, post-hack: US issues new cybersecurity regulations


2021-05-26

GAO Official: Federal Agencies Must Take Steps to Protect Their Networks from Supply Chain Attack

In testimony before a US House subcommittee earlier this week, Vijay D’Souza, director of information technology and cybersecurity at the Government Accountability Office (GAO) said that federal agencies are struggling with supply chain security. Just six agencies have shared with GAO their plans to make security protocol changes following the SolarWinds Orion attack; none of the agencies has implemented all recommended changes.

Editor's Note

Some agencies are still stuck in the forensics/remediation stages of the SolarWinds events and haven’t come up for air yet. When you do, don’t forget to consider the impacts of open source code implemented in your own products. Sometimes the cost of analysis for weaknesses and remediating them exceeds the gains of using pre-written code. Think carefully before adopting a model to wait for bug fixes to come from the open source community as those may not only impact your time to deliver but also, themselves, introduce new issues. When planning/making changes in supply chain security, make sure your procurement and legal teams have a seat at the table.

Lee Neely

Suppliers must be held accountable if they recklessly or negligently distribute malicious code.

William Hugh Murray

2021-05-27

NASA OIG Report: Decentralized Approach to Cybersecurity Poses Risks

A report from NASA’s Office of Inspector General (OIG) “found that NASA’s ability to prevent, detect, and mitigate cyber-attacks is limited by a disorganized approach to Enterprise Architecture.” The report cited “a fragmented approach to IT, with numerous separate lines of authority” at the agency. OIG made several recommendations, including integrating Enterprise Architecture and Enterprise Security Architecture.

Editor's Note

NASA is a distributed agency with multiple data centers and locations with external partnerships and collaborations resulting in a very porous network. Even so, the process of establishing access to one of their systems and processing data is rigorous, with validation of the far end system and clear definitions of responsibilities, data protection, and incident reporting requirements. Security is further complicated by the mixture of institutional IT and mission-specific systems. While many business functions can be centralized, mission systems are unlikely to be, which means you need a distributed security team empowered to manage the risks for mission systems and assure conventional IT remains within the enterprise risk boundaries. This requires teamwork and open lines of communication.

Lee Neely

To be meaningful, IT and security architectures must consider how business/mission and IT governance work. NASA is like many companies in private industry, with a dozen Centers (business units) that have CIOs and much local authority and lots of local use of contractors, insourcing and outsourcing. Too often in security I see “bring back the mainframe – that will solve the security problems” architectures that don’t match the business/mission needs or governance methods. Security processes need to support the way business is done, not try to effect organizational change to match old approaches to security.

John Pescatore

The same could be said for just about every public, private, and non-profit organization in the world. This is not easy.

Lance Spitzner

To quote Harry DeMaio, “security architecture is derivative of and subservient to the IT architecture.” As a security architect, one's first step is to ask for an expression of the IT architecture. In response, one is often met with a list of the materials used but with no description of how they were used or related to one another.

William Hugh Murray

2021-05-27

Fujitsu Takes Down ProjectWEB Platform After Hackers Steal Government Data

Fujitsu has taken down its ProjectWEB collaboration and file-sharing platform after threat actors gained access to the system and stole data. The incident affected several Japanese government agencies and at least one airport. The incident was discovered on Monday, May 24; ProjectWEB was taken down the following day.


2021-05-26

Apostle Disk-Wiping Malware Pretends to be Ransomware

Researchers from SentinelOne have detected new disk-wiping malware that masquerades as ransomware. The malware, which has been dubbed Apostle, has been used against targets in Israel. The campaign has been active since at least December 2020.

Editor's Note

Those continuous differential backups you’ve implemented will also help you recover from a disk wipe attack. Be sure you know what is (and what is not) backed up when planning your recovery strategy. Note that this campaign is setting up persistent back doors and exfiltrating data, as well as using the victim’s VPN services, so make sure you’ve got plans to validate and secure your VPN, as well as to re-image systems that were not necessarily wiped but have had web shells and the IPsec Helper installed. Be prepared for data release ransom requests.

Lee Neely

If one is vulnerable to breaches, the availability, integrity, reliability, and usefulness of one's data is at risk. Extortion may be the least of one's worries.

William Hugh Murray

2021-05-26

Google Researchers Discover New “Half-Double” Rowhammer Attack Technique

Google researchers have discovered a new technique to exploit the Rowhammer vulnerability. Dynamic random access memory (DRAM) chips are getting smaller, and as a result, the Half-Double Rowhammer attack can flip bits not just in adjacent rows, but in rows farther away.

Editor's Note

Decreasing feature size and hardware optimizations for performance will make it more and more difficult to defend against these attacks.

Johannes Ullrich

2021-05-25

FireEye: Threat Actors Using Simple Tools and Techniques to Target Operational Technology Systems

Researchers from FireEye’s Mandiant Threat Intelligence say they have observed an increase in threat actors targeting operational technology (OT) systems with rather unsophisticated tools and techniques. In most cases, these threat actors do not appear to be intent on causing specific physical results.

Editor's Note

The Colonial Pipeline ransomware-driven shutdown and the Oldsmar, FL water contamination attack are recent examples where simple vulnerabilities were exploited, pointing out a lack of even the first level of essential security controls. The TSA and DHS are pushing security regulations onto the pipeline industry; industries in other critical infrastructure verticals where years of “self-regulation” have not kept up with modern IT architectures and modern attacker techniques should expect to see regulatory action as well.

John Pescatore

The same could be said for almost any industry. In the vast majority of incidents, cyber attackers (especially criminals) are going to come in the easiest way possible. As several SANS Instructors have told me, cyber attackers do not get extra points or bonuses for using super advanced techniques; they are normal people just trying to get a job done. For the past four years, phishing and passwords have been the top two drivers of breaches in the VZ DBIR. Yes, there are some exceptionally advanced attacks (SolarWinds is a prime example) that have huge impact, but it is the fundamental TTPs that are driving most of today’s breaches.

Lance Spitzner

2021-05-25

Trend Micro Issues Firmware Update to Address Vulnerabilities in Home Network Security Station

Cisco Talos discovered stack-based buffer overflow and hard-coded password vulnerabilities in Trend Micro’s Home Network Security Station. The flaws could be exploited to obtain elevated privileges and to create files, change file permissions, and upload data to an SFTP server. Trend Micro has released an update to address the vulnerabilities.

Editor's Note

Hard-coded passwords are sadly a standard "feature" in too many devices. Note that the password has been published. Particularly sad is that Trend Micro is selling this device to protect your network. One of the advertised features of this product is to protect you from "weak passwords".

Johannes Ullrich

Hard-coded passwords are tempting and solve fewer problems than they fix. Not throwing Trend Micro under the bus here; I’ve fallen into that trap. If you have the affected product, update it. If your home workers have these devices, make sure they are updating to help protect the integrity of those remote networks.

Lee Neely

SOHO users of only one of these devices may find it more convenient to update the device rather than the firmware.

William Hugh Murray

2021-05-26

Update Available for Simple 301 Redirects by BetterLinks WordPress Plugin

The developer of the Simple 301 Redirects by BetterLinks plugin for WordPress has released an update to address several vulnerabilities, including one that could be exploited to redirect traffic to a malicious website. The plugin has been installed on more than 300,000 sites. Users are urged to update to Simple 301 Redirects by BetterLinks version 2.0.4, which was released on May 5.

Editor's Note

Make sure that your plugin is all the way to 2.0.4, released May 5; the April 15 patch didn’t fully address the problem. Verify it’s actually being used and uninstall it if not. Wordfence firewall rules were released April 8th and May 8th to the paid and free versions respectively.

Lee Neely

WordPress plugins greatly and cheaply add value to WordPress. However, they are used "as is" with no representation of quality. They should be used only by design and intent, never by default, and must be scrupulously managed and maintained.

William Hugh Murray
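Both the Chrome note (“make sure you’re all the way to version 91.0.4472.77”) and the plugin note above (“all the way to 2.0.4 … uninstall it if not used”) come down to the same fleet check. The following is an added example, not code from the newsletter, the plugin’s developer or WP-CLI: it compares dotted version strings numerically (so 2.0.10 ranks above 2.0.4) and audits a per-site inventory in the shape of WP-CLI’s `wp plugin list --format=json` output, flagging installs that are below the required version or installed but inactive. The plugin slug `simple-301-redirects`, the site names and all plugin rows are assumptions constructed for the example.

```python
import json


def parse_version(text):
    """'2.0.10' -> (2, 0, 10); '91.0.4472.77' -> (91, 0, 4472, 77).
    Integer tuples avoid the string-compare trap where '2.0.10' < '2.0.4'.
    A non-numeric tail such as '-beta' is dropped from the last component."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def at_least(installed, required):
    """True when installed >= required. Shorter tuples are zero-padded,
    so '2.1' is compared as 2.1.0 against 2.0.4."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def audit_plugin(inventory, slug, required):
    """inventory: {site: JSON text as printed by `wp plugin list --format=json`}.
    Returns {site: verdict} for every site where the plugin is installed:
    'UPDATE'  -> below the required version
    'UNUSED'  -> current but inactive (candidate for removal, as the note advises)
    'OK'      -> current and active"""
    verdicts = {}
    for site, raw in inventory.items():
        for row in json.loads(raw):
            if row.get("name") != slug:
                continue
            if not at_least(row.get("version", "0"), required):
                verdicts[site] = "UPDATE"
            elif row.get("status") != "active":
                verdicts[site] = "UNUSED"
            else:
                verdicts[site] = "OK"
    return verdicts


# Constructed sample inventory: invented sites and rows (assumption: slug "simple-301-redirects").
SAMPLE_INVENTORY = {
    "blog.example": json.dumps([
        {"name": "simple-301-redirects", "status": "active", "update": "none", "version": "2.0.4"},
        {"name": "some-other-plugin", "status": "active", "update": "none", "version": "1.4.2"},
    ]),
    "shop.example": json.dumps([
        {"name": "simple-301-redirects", "status": "active", "update": "available", "version": "2.0.3"},
    ]),
    "docs.example": json.dumps([
        {"name": "simple-301-redirects", "status": "inactive", "update": "none", "version": "2.0.10"},
    ]),
    "intranet.example": json.dumps([
        {"name": "some-other-plugin", "status": "active", "update": "none", "version": "1.4.2"},
    ]),
}

if __name__ == "__main__":
    for site, verdict in sorted(audit_plugin(SAMPLE_INVENTORY, "simple-301-redirects", "2.0.4").items()):
        print(f"{site:20} {verdict}")
    print("Chrome at or past 91.0.4472.77:", at_least("91.0.4472.100", "91.0.4472.77"))
```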

2021-05-27

FBI Flash Alert: APT Group Exploiting Fortinet Vulnerabilities

The FBI issued a flash alert on Thursday, May 27, warning that APT threat actors exploited vulnerabilities in “a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government.” The alert lists indicators of compromise, including new user accounts, certain executable files, and unrecognized scheduled tasks. It also lists suggested mitigations.

Internet Storm Center Tech Corner

Uncovering Shenanigans in an IP Address Block via Hurricane Electric's BGP Toolkit

https://isc.sans.edu/forums/diary/Uncovering+Shenanigans+in+an+IP+Address+Block+via+Hurricane+Electrics+BGP+Toolkit/27456/


A Survey of Bluetooth Vulnerabilities

https://isc.sans.edu/forums/diary/A+Survey+of+Bluetooth+Vulnerabilities+Trends/27460/


AV evasion with 64-bit Executables

https://isc.sans.edu/forums/diary/All+your+Base+arenearly+equal+when+it+comes+to+AV+evasion+but+64bit+executables+are+not/27466/


VMware Advisory

https://www.vmware.com/security/advisories/VMSA-2021-0010.html


Trend Micro Bugs

https://blog.talosintelligence.com/2021/05/vuln-spotlight-trend-i.html


Google Chrome Update

https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html


Attacks on PDF Certification

https://www.pdf-insecurity.org


nginx vulnerability

https://x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/


Unpatched WebKit Vulnerability in iOS/macOS

https://blog.theori.io/research/webkit-type-confusion/


VSCode Extension Vulnerabilities

https://snyk.io/blog/visual-studio-code-extension-security-vulnerabilities-deep-dive/


M1RACLES

https://m1racles.com