Food Processing Company Paid $11M Ransom; Fastly Outage Disrupts Internet; GitHub Expands Token Scanning; Microsoft’s Vulnerability Tuesday is Mostly Privilege Escalation

Some common threads between JBS USA and the Colonial Pipeline failures, beyond the initial lack of essential security hygiene and the decision to pay ransom: (1) Failure to detect large volumes of data exfiltration over long periods of active exploitation; and (2) lack of a tested process and plan for how to deal with an incident to minimize service interruptions. For JBS, this happened despite their stated IT spending and IT employee count being significantly higher than industry averages. All of this indicates a lack of investment in both IT processes to minimize vulnerabilities and security skills, planning, and processes to mitigate and respond.

John Pescatore

Make sure that your detection capabilities are where they need to be. Are all your locations protected at the same levels? Attackers were not only in the JBS Network for three months, but also exfiltrated 5 TB of data. Are you continuously watching for compromised passwords and taking steps to change them promptly when discovered? Are you looking for unexpected connections or unusual volumes of traffic? Verify your boundary protection and access devices are updated and secured. Ensure MFA is comprehensively enabled for all internet facing services. Augment your internal processes with periodic third-party assessments of your security posture.

Lee Neely

Wow, this is a big check. Profits like this will only fuel more aggressive attacks. However, to keep things in perspective, the FBI reported over $1.8 billion in losses due to BEC/CEO Fraud for 2020. We just don’t hear about these attacks because a while successful BEC attack does not shut down infrastructure, ransomware does.

Lance Spitzner

One must have a capability to detect breaches in hours to days. Extortion demands as the first indication of a breach is unacceptable.

William Hugh Murray

Promises to do better and not make mistakes in the future don’t carry the weight of a signed SLA for outsourced services. Make sure your SLA includes defined and measurable service delivery levels and corresponding financial penalties. Even though the disruption was detected in under a minute, it took most of an hour to achieve 95% restoration. External dependencies, with interrelated systems can extend recovery time even further. Document your configuration and known dependencies to aid troubleshooting and manage recovery expectations.

Lee Neely

One of the promises of cloud providers is to isolate customers from each other, and to keep one customer's bad configuration from affecting others. While Fastly was quickly able to mitigate the underlying issue, I do not like the statement that the outage was triggered by a customer configuration change. It was triggered by a bug in Fastly's code that allowed a single innocent customer to take down their system.

Johannes Ullrich

Another good lesson about cloud service level agreements. Looks like this was about a maximum of a 3 hour outage, which according to Fastly’s SLAs would mean Gold and Enterprise customers impacted that long (or up to 7 hours) can request and get a 10% credit against their monthly charges. For many businesses, that will not come close to any business disruption costs. Internet connectivity overall has to be thought of just as electricity is thought of – backup plans need to be in place for long outages that may not even trigger any SLA credits, let alone cover disruption costs.

John Pescatore

Careful. Fastly and its customers are "edge" providers. While this failure impacted the "world wide web," the internet, the transport layer, performed as intended.

William Hugh Murray

Thanks to GitHub for helping secure the open source ecosystem. With so many projects using GitHub, any change like this will help.

Johannes Ullrich

GitHub has been pretty good over the years at adding bottom-up security features and services, including code testing tools and a well-managed bug bounty program. Looks like Microsoft’s acquisition of GitHub in 2018 did not negatively impact that, which is a good thing. There will not be a single top-down answer to supply chain security in software, any more than there is for the security/safety of the supply chain that runs from restaurants back to farms.

John Pescatore

This patch Tuesday is probably best characterized as "Mostly Harmless." It contains a number of already exploited vulnerabilities, but for the most part, these are privilege escalation vulnerabilities.

Johannes Ullrich

Patches for 0-Days, to include those actively exploited is becoming commonplace. And with current trends, privilege escalation flaws (CVE-2021-31956, CVE-2021-33639, CVE-2021-31201 and CVE-2021-31199) are just as valuable as RCE flaws such as CVE-2010-33742 since they provide more ways for the attacker to elevate privileges once they have an initial foothold. Regrettably, as indicated by the Colonial Pipeline and JBS attacks, the bar for initial entry is not where it needs to be. Judicious updates and application of security baselines is also a component in raising that bar.

Lee Neely

Remember the “For Want of a Nail” proverb. Could you be undone by the use of a compromised password? Do you have remote access which requires only a reusable password? Did you really decommission old insecure access methods or were they left enabled “just in case?” The complexity and pace of a modern enterprise stresses the ability to pay attention to all the details, and with the current ROI on hacking, it is more critical than ever to do so. Encourage your analysts to automate themselves out of a job, meaning to automate repetitive and mundane tasks so they have the bandwidth to keep up with the changes and growth of adopted technology. Participate in their implementation to make sure you have visibility and relationships established up front.

Lee Neely

Adobe's Acrobat and Reader updates need to be applied quickly. For Intel, the tricky part is BIOS updates. For some of them, you may need to wait for OEM patches instead of applying Intel's patches directly.

Johannes Ullrich

We’re not catching a break this month. Adobe Creative Cloud, which can drive the updates to their other products on endpoints, itself needs updating and should do so automatically. The affected applications will not apply updates until they are quit and relaunched. As this month’s Microsoft and Apple OS patches require reboots, leverage that, by forcing the reboot immediately or via a maximum timeout.

Lee Neely

Patching continues to be an expensive and inefficient way to achieve quality. At best, it is only marginally effective.

William Hugh Murray

Chromium browsers are not far behind. The group which developed the exploit for CVE-2021-30544 also developed the exploit to MSHTML (CVE-2021-33742), making it prudent to update Chrome and Chromium browsers expeditiously Where possible push the updates rather than waiting on user action.

Lee Neely

Google Chrome vulnerabilities are becoming common entry points for more targeted attacks. This vulnerability is already being exploited; expect more soon. The easiest way to improve your chances of having an up-to-date Google Chrome is to exit it once a day and restart it. With all the time we spend using web browsers, they are often just left running which may prevent updates from being applied. Restarting your browser is like rebooting your operating system after applying a patch.

Johannes Ullrich

It is really time that more vendors start to push out software with security fixes when the fixes are ready and proven stable and IT groups update configuration management processes away from the antiquated “wait for Vulnerability Tuesday” (or worse for servers) to patch everything at once.

John Pescatore

Storing a credential in the clear in a configuration file that you read without verification isn’t something we can afford to do anymore, no matter that it was easy and how well it worked. Apply the updates to ISaGRAF Runtime, restrict access to the ICS, particularly TCP ports 1131 and 1132, and restrict access to the Runtime’s folder.

Lee Neely

The "Right to Repair" does have significant impact on security. Locked down devices are too often left vulnerable after vendors abandon support for them and customers are left with costly replacements as their only option.

Johannes Ullrich

As more states consider the user’s right to repair, it opens options for users to more affordably maintain their own equipment and small businesses to enter the space. This is a good time to review your acceptance of risks for employees having their issued systems repaired. Consider the risks of OEM versus after-market components as well as data protection requirements irrespective of who, how or where the work is done.

Lee Neely

In our space, the impact of state legislation may extend way beyond the boundaries of the state. Congress has the responsibility and authority to regulate interstate commerce. State initiatives such as this occur when Congress fails. As with most legislation, “the devil is in the details.” Drafting legislation that accomplishes its goal while avoiding unintended consequences is difficult.

William Hugh Murray