Disconnect My Book NAS Devices to Prevent Remote Wipe; Firmware Updates Required to Prevent Dell SupportAssist Arbitrary Code Execution; Medicare Conditions of Participation Ignore Connected Medical Device Network Security

I will say it yet again: DO NOT EXPOSE NETWORK ATTACHED STORAGE TO THE INTERNET. This is not just a problem with Western Digital. All of these devices have had numerous vulnerabilities. These devices are marketed for simple Internet file sharing, but their rich history of vulnerabilities shows how they should never be used for anything other than internal file sharing.

Johannes Ullrich

Unfortunately, users almost certainly connected these devices directly to the Internet. But we can't blame users for this. They paid a premium for hardware that promised to provide a service. Western Digital suspended the program in 2015, leaving users who wanted to continue to use the devices as advertised with little choice but to expose the devices. Users unwittingly gravitated to the availability leg of the CIA triad (probably without even realizing said triad exists).

Jake Williams

“Remote factory reset command” – what could possibly go wrong? Network-Attached Storage devices should be on a network segment that is not visible to the Internet.

William Hugh Murray

Dell's SupportAssist has a level of access to your system unlike any other software. To provide remote support with the ability to not only recover systems with corrupt boot partitions, but also be able to flash BIOS, SupportAssist has the ability to completely take over your system, and these vulnerabilities will transfer this ability to an attacker. Note that this will require a BIOS update, not just a “software update.”

Johannes Ullrich

This highlights why enterprises need to look very carefully at OEM software and ensure that it is removed where not needed. Dell SupportAssist is not something most organizations would want/need and yet is installed on practically every Dell machine sold. Security 101 mandates minimizing attack surface and this is no exception. Take this opportunity to review the other applications (particularly OEMs) installed on your golden image and remove anything not explicitly needed by a large percentage of your workforce.

Jake Williams

The best mitigation is to apply the BIOS updates now, then apply the updates to BIOSConnect when they are released in July. Don’t use BIOSConnect to update the BIOS; use other patching mechanisms to install updates with verified signatures. Alternatively, you can disable BIOSConnect, which can be done locally, but may be better performed using their DCC remote system management tool. Don’t let users locally update their systems via the “BIOS Flash Update – Remote” (F12) option until the system has the known good BIOS installed.

Lee Neely

This past year has raised the bar on hospital attacks, taking advantage of potentially weakened security or shortness of staffing. This comes back to the core critical controls – knowing what you have and what it’s supposed to be doing, as well as keeping it updated. This requires monitoring and alerting; use caution as some active processes, such as scanning, can be harmful to OT devices. Segment wherever possible, particularly guest, staff and operational network services. Schedule validation of your security posture, hire a trusted partner to identify issues overlooked and opportunities to improve, then work to implement them. Don’t overlook staff or training shortfalls.

Lee Neely

In the US, the oversight of security of medical devices has multiple agencies involved, and many different forms of “certification” – but all continue to suffer from lack of enforcement to drive changes in procurement and operations issues to increase security levels. On the privacy side, HIPAA has started to have some teeth – I think the privacy aspect will be the more likely avenue for progress than any hope for meaningful raising of the CMS bar in the security related elements of the Conditions of Participation in the Medicare program.

John Pescatore

Again, intuition serves us poorly. The first step in medical device security is to hide them. Healthcare in general, and patient care institutions in particular, need to segment their networks, such that medical devices are hidden, and patient care apps are hidden from those applications that, like e-mail and browsing, must be connected to the public networks.

William Hugh Murray

Google is pushing forward with schema and interchange standards that it finds value in, while larger industry efforts like the Open Source Security Foundation (which Google is part of) continue to move slowly. The Internet has a long history of that, while the telecoms space has a long history of large industry group efforts going on forever without security gains.

John Pescatore

Security of the open source components is an increasing concern. Google is attempting to move forward with a standard to help solve this problem at Internet speed, which will help identify and provide the focus necessary to increase the overall security of open source. Even so, make sure that the open source components or libraries you use are actively maintained and include fixes for flaws identified.

Lee Neely

CISA can and does provide excellent guidance, but individual agencies implement according to their situation and accepted level of risk. With the current information sharing efforts, CISA will be better prepared to see overall trends and best practices to help make their guidance even more relevant. Keep an eye on their bulletins watching for gaps in your overall protections, even if you’re not a federal agency, and participate in their information sharing to help with the fidelity of CISA’s recommendations.

Lee Neely

This is a tough one. Sometimes the only way to get significant improvements in security posture is to introduce regulatory requirements to avoid the temptation to opt out or otherwise minimize cybersecurity efforts. And the accompanying reporting/validation requirements can be burdensome and regarded as purely bureaucratic. While the proposal offers federal aid and legal protection to sweeten the pot, releasing the draft for public comment would go a long way toward building the needed partnership with industry as well as helping to solicit input on keeping the overhead minimalized. Working with industry peers to develop resource and information sharing, while protecting privacy and reputation of those involved also goes a long way toward helping organizations raise their own bar.

Lee Neely

The Positive Security writeup includes the information necessary to replicate the exploit. If you haven’t seen how that works, it’s worth a look. Another lesson here is to watch for bug reports coming to posted contacts to support responsible discovery. Reports need to be responded to and acted on as well as treated as an attempt to help. Respect the input from the third party even if you disagree. Expect disclosure and be prepared with fixes or mitigations.

Lee Neely

Network access to the management server is required to exploit the vulnerability; there are no workarounds other than applying the update. Make sure you are monitoring the access to that server and allow logins only from authorized devices. While you’re looking at VMware, be sure you’re pushing out the updates for VMware tools for Windows, VMRC for Windows and VMware App Volumes.

Lee Neely

It is always a sad day when a security product suffers from very elemental security vulnerabilities. An attacker will be able to bypass Carbon Black, or maybe even use it against you. Apply the hotfix.

Johannes Ullrich

Incomplete patches like this make it even more difficult for defenders to track vulnerabilities. In addition, these types of vulnerabilities have been exploited in several recent ransomware attacks.

Johannes Ullrich

The fix was released June 22nd and you need to roll it out. While this vulnerability is not being actively exploited, SonicWall VPN and email security products remain a target for multiple exploits including the new FIVEHANDS ransomware, so don’t wait too long to deploy.

Lee Neely

Wolfe Eye Clinic did engage third-party IT specialists and forensic investigators to help determine the scope of the compromise and information exposure; you should have similar plans in place should you become a victim. Add FBI reporting to the list if it’s not already there. Working with FBI still allows you to make decisions regarding payment or recovery while helping them identify and ultimately take action against ransomware gangs.

Lee Neely