More Exploits of Pulse Secure Vulnerabilities; IBM Funds Schools System Security Improvements; NIST Paper on Biometrics for First Responders

Pulse Secure had to patch multiple vulnerabilities this last year, and they have been exploited extensively.

Johannes Ullrich

We are now almost 18 months past the first advisories to patch the initial wave of Pulse Secure VPN vulnerabilities, and several months ago advisories came out about additional Pulse Secure vulnerabilities. Many IT operations have been struggling just to keep remote access for Work From Home running and patching has suffered – more compromise hunting is required to detect malware installs that occurred before patching, as recent DHS/CERT advisories have pointed out.

John Pescatore

With a shift to increased remote work, your boundary protections are critical. Today’s combination traditional VPN, Zero Trust, CASB, VDI, and EDR require attention to detail including security configuration, judicious application of updates, and active monitoring (and response) for malfeasance. Make sure that you have the right skillsets on hand, supported with adequate, training funding and depth of coverage.

Lee Neely

Breaches of infrastructure systems may not be obvious and may not be immediately exploited. Nation state attackers may save them for later use. Think “zero trust” and “least privilege.” Think urgency; the longer these systems remain vulnerable, the greater the risk that they are covertly compromised.

William Hugh Murray

Two of the most critical services governments provide are public education and election services. In the US, the way those two areas are governed and funded is antiquated and resistant to change. Volunteer and private industry support for increased security levels in both of those areas has really been needed and has turned into good investments for business as stability and security in those areas is good for business.

John Pescatore

The need for shoring up security in the education sector has become clear with the past year of successful attacks on school systems. Ransomware preparedness and response is at the top of the list for the IBM team help with “pain points.” The need is far greater than IBM alone can address; as cyber security professionals we should all be reaching out to our local school systems, leveraging our enterprise community outreach functions if possible, to see if we can help.

Lee Neely

The limited impact of these expenditures illustrates how big this problem is and how difficult it will be to remedy on a district-by-district basis. We need to make the public networks a safer environment for all users. It is time to operate these networks as the infrastructure that they are.

William Hugh Murray

Have first responders read and respond to the draft. Responders I have talked to already leverage biometrics, and remind me to look at scenarios where biometric options fail, e.g, using fingerprint readers while wearing PPE. When creating security profiles for mobile devices, ensure that your device protections don’t interfere with life safety needs of responders. Safety needs to trump security, which means you may have a different configuration on some devices. Have clear support for those decisions at the highest levels.

Lee Neely

This report is more of a tutorial around mobile device biometrics that is strong on the challenges and really weak on “how to implement” guidance. Microsoft’s research showed that 99.9% of phishing attacks would be defeated just by mobile device text messaging, and over 80% of successful ransomware attacks start with successful phishing attacks. While first responders do have unique needs, we are in an emergency situation where reusable passwords have to be considered as dangerous as carcinogens like lead in consumer products or e coli in meat.

John Pescatore

Ben Wright of SANS and I have done a recent series of talks and a white paper around the ransomware issues. Key point (1) is that no security group or manager makes the pay/don’t pay decision – that will always be a business or legal/regulatory-driven decision. But Key Point (1a) is that security managers can provide critical input into required strategies and changes needed to reduce the risk of ransomware to an acceptable level that will enable the business decision to be “we don’t need to pay the ransom.” Brian Honan makes Key Point (1b) below.

John Pescatore

Private sector companies are primarily driven by profit goals and anything that does not help achieve those goals will always be neglected. Until we start speaking about cybersecurity in terms of business risk, private sector companies will continue to treat security as an IT problem and as a cost. And this cost-based focus is what has led many companies to have such poor cybersecurity protections. It is time we start to move our focus away from technical solutions and speak more about business risks to our boards and colleagues. I think one thing we need to get into the debate about ransomware is that paying the ransom does not make the cost of recovery any cheaper. In the case of Colonial Pipeline, who paid $4m for the decryption tool, they still reverted to their backups to restore their systems. The HSE in Ireland who got the decryption tool for free had to use a third party tool to make it work effectively. In both cases the IR teams are still having to go to each individual machine, verify that it is clean, remediate it, recover data onto it, and then bring it online – this has to happen whether you have the decryption key or not. So paying for the decryption key is not a magic wand that gets all your systems back online overnight. You are still looking at weeks if not months of work to get large estates back up and running.

Brian Honan

When reviewing your response plan, look carefully at your downtime procedures. Are you able to provide some level of service or will you be hard down? Consider the case of the Massachusetts Steamship Authority where they were still able to process cash ticket sales and operate their ferries. Make sure that your situational awareness is as good or better than your adversaries’. Start with the core CIS controls, making sure you know what hardware and software you have, that it is securely configured and your data is protected.

Lee Neely

And do not forget strong authentication (at least two kinds of evidence, at least one of which is resistant to replay). Credential replay is implicated in many ransomware attacks and other breaches. While this measure may not be sufficient for targets of choice, it will get most out of the target of opportunity population.

William Hugh Murray

This is much needed and gives me hope. No matter how good any company is at security, if threat actors can operate any way they want without fear of retribution, anyone can and will be compromised. I think it's interesting the government is taking the terrorism angle, as the motives of terrorists and criminals are very different, but as we are seeing, the impact at the human level can, in many ways, be the same. The sense of urgency appears to be great enough now to force the US government to take political and economic actions against other countries.

Lance Spitzner

What this does is add to the list of topics which require expedient information sharing/reporting with Washington. Prioritizing activities also requires providing funds needed to acquire and train staff and equipment needed to support the work.

Lee Neely

REvil is known for “double extortion” tactics, demanding ransom not only for the decryption key but also for not selling exfiltrated information, leveraging any potentially damaging content if possible. JBS wisely engaged help from the Australian Signals Directorate and the FBI to respond to the criminal aspects of the attack while working with their incident response provider to quickly restore operations.

Lee Neely

As with other service related attacks, OT systems are able to operate, but supporting systems, in this case online ticketing and reservations, are unavailable. Even so, they are able to process cash transactions.

Lee Neely

The fact that a "Steamship Authority" can be crippled by ransomware shows that everybody can be affected.

Johannes Ullrich

Jeh Johnson commented on TV this morning that the extortion demands are tailored to the ability to pay and lower than the cost of recovery by other means, such that, as in Colonial Pipeline, paying it is an attractive individual business choice while collectively it perpetuates the problem.

William Hugh Murray

Limiting the scope of the CFAA is a huge win for cyber security research. Having clear permission and defined scope when accessing and researching systems is still critical. Discovery of a device in a search engine, running with default credentials doesn’t by itself constitute permission to access or configure it.

Lee Neely

While not technically a violation of the CFAA, Van Buren was guilty of an abuse of his privilege and should be subject to other discipline. This is simply one more indication, as if any were needed, that the CFAA needs to be rewritten with more emphasis on what is done, i.e., misuse and abuse, and less on the concept of “authorization.”

William Hugh Murray

This is an opt-out service. If you take no action, you will be opted-in. The idea is to provide better connectivity for your Amazon devices where your network may have gaps, essentially an 80Kbps connection. Amazon cites the case of using their tracking devices to find a lost pet. The success of Sidewalk is dependent on the number of participating devices in any area. The downside is you have no visibility into which devices are connected to your network and what they are doing. The good news is you can opt out at your account level, not just the device level. In the Ring App, sidewalk is under the Control Center, in the Alexa App it is under Settings -> Account Settings -> Amazon Sidewalk. The option is only present when you’re connected to your Ring or Echo devices.

Lee Neely

By choosing to make this an opt-out service, Amazon is showing why updates to US national privacy laws are badly needed. When I worked on surveillance cases for the US Secret Service in the 1980s, to put a vehicle tracker on a suspect’s car that was connected to the car's 12v system, we needed to get a court order because of the unauthorized use of the car owner’s “services.” What Amazon is doing here seems no different to me.

John Pescatore

If one is not expecting a communication, one should simply throw it away. It is almost always the safest move. If one feels that they cannot do that, pick up the phone. Out-of-band confirmations are cheap and effective; they work in both directions.

William Hugh Murray

The most successful mergers/acquisitions over the past 5 years or so have been the big cloud platform players, like Salesforce, Amazon AWS, Google, and Microsoft buying small, innovative security vendors to build higher levels of security into their cloud infrastructure. The least successful cybersecurity M&As have been big IT companies buying security product companies just to increase revenue by selling security products. Building security in, versus “spending in depth,” is the key to real and sustainable levels of business protection.

John Pescatore

With the recent rash of firmware-related vulnerabilities, ReFirm (the authors of Binwalk) should give Microsoft a huge leg up in analysis and response to firmware security issues including IoT and embedded device use cases. This acquisition further broadens the scope of protections offered under the Azure Defender umbrella, specifically Azure Defender IoT.

Lee Neely

The ban is essentially unenforceable; it is good OPSEC guidance. It’s still a good idea to be aware of the devices in your workspace. Just as you would question a stranger in a meeting, consider what these devices can capture and take action to remove or disable them when appropriate. Higher priority for the enterprise is making sure that you have good visibility into endpoint security and actions so you can respond appropriately.

Lee Neely

Security is a space in which intuition does not serve us well, where “obvious” choices are wrong. Cooler heads have prevailed here. However, since many smart devices inside the SOHO router establish connections to the public networks by default, it will be difficult to give directions that are practical. We need standards, perhaps even regulation, that require smart devices to both encrypt and disclose what connections they make. While most home users will ignore the disclosures, they will empower WFH users.

William Hugh Murray