SANS NewsBites

Kaseya VSA Patch Available But First Check for Compromise; Colorado Data Privacy Law Doesn’t Take Effect Until 2023; Patch SolarWinds Serv-U If In Use; Secure All Remote Management Services

July 13, 2021  |  Volume XXIII - Issue #54

Top of the News


2021-07-12

Kaseya Patch Progress

Kaseya reports that it has released a patch for VSA on-premises customers and has deployed the fix to its VSA software-as-a-service (SaaS) infrastructure. While the VSA SaaS update was complete by 8AM ET on Monday, July 12, Kaseya performed “unplanned maintenance” across its SaaS infrastructure later that afternoon to address performance issues caused by so many users coming back online at the same time. That maintenance was complete as of 3:30 PM ET on July 12.

Editor's Note

The patch does alter some of the VSA module's functionality. Read Kaseya's documentation for details. Kaseya published a hardening guide for on-premises customers to go with the patch. It strongly recommends first verifying that the system is not already compromised, and Kaseya does offer links to tools to assist. Users will need to reset passwords after applying the patch.

Johannes Ullrich

Restarting services after an outage is tricky and requires planning, practice, and communications to prevent a crash or other denial of service. While you have plans for limited scope maintenance outages, have you looked at what happens if you had to turn everything off and on? If you’re using dynamic scaling, do you have a sufficient minimum level of services before turning the entry point (typically a load balancer/WAF) on? Did you remember to include the state of supporting services? Now that you’ve got that figured out on-premise, talk to your cloud and outsource providers about what their plans are and how it impacts your users.

Lee Neely

2021-07-12

Colorado Passes Consumer Data Privacy Law

Colorado is the third state, after California and Virginia, to enact a consumer data privacy law. Under the new law, Colorado residents can opt out of allowing businesses operating within the state to collect, store, and sell their information. The Colorado Privacy Act takes effect in 2023.

Editor's Note

Ideally, before this takes effect in July 2023 there will be national privacy legislation to set a standard minimum level across all states in the US. The Colorado wording has lots of exclusions compared to California and Virginia and, like CA and VA and most draft state legislation, includes the requirement for a Data Protection Assessment but doesn’t define the term. The EU GDPR regime published a template for the Data Protection Impact Assessment required by GDPR; it can be found at https://gdpr.eu/wp-content/uploads/2019/03/dpia-template-v1.pdf

John Pescatore

Having additional states pass privacy laws raises the bar and complicates things for organizations doing business in multiple locations. You’re going to have to make sure your employees are trained on the requirements to fully comply with the regulations. The training program has to be derived from the data you collect and process, and builds on cyber hygiene practices such as only collecting the minimum amount of required data, not storing it any longer than needed, protecting it at rest and in transit, as well as defining what actions a request to “be forgotten” entails.

Lee Neely

Not sure how much this helps. With each state pushing to have its own privacy laws it becomes a nightmare for business to adhere to them. Sooner or later we most likely will need some type of single, encompassing federal privacy law that organizations can follow.

Lance Spitzner

2021-07-12

SolarWinds Releases Hotfix for Serv-U Vulnerability

SolarWinds has released a hotfix to address a remote code execution vulnerability in its Serv-U Managed File Transfer and Serv-U Secured FTP products that is being actively exploited. The issue affects Serv-U versions 15.2.3 HF1 and earlier. SolarWinds learned of the vulnerability from Microsoft.

Editor's Note

Serv-U is a distinct product implementing remote access via SSH. Not all SolarWinds customers will have this component installed. If you do have it installed, review your logs for access from odd source IPs. This component has already been exploited in some targeted attacks.

Johannes Ullrich

2021-07-12

Hackers are Increasingly Targeting Remote Management Tools

The Kaseya attack is just one example of cyber threat actors targeting remote management tools. Researchers attending the Black Hat conference next month plan to present techniques they used to take control of Jamf, a tool used to help manage large numbers of machines. Jamf’s CISO says the research being presented does not indicate vulnerabilities in the tool, but does underscore the need for secure configuration.

Editor's Note

Defenders seem more careful lately about exposing RDP to the internet, but penetration testers (and attackers!) still find remote management services and even SIEMs exposed. When they are, it's often a matter of guessing single-factor user credentials, trying manufacturer default credentials, or firing the latest exploit from Metasploit or Github. These become much harder targets when access is restricted to necessary source IPs or when they're behind multifactor VPNs - patched and well-configured!

Christopher Elgee

Fifteen months of extreme telecommuting has driven a huge spike in remote management and remote access services, which already were targets. With an increasingly target rich environment, you need to make sure that your services are properly secured, maintained, and identified. Look for new or unauthorized entry points, and make sure they are either converted to your enterprise solution or managed and secured to the same level as those enterprise options. This is more than war-dialing to find modems; this is now looking for connections to remote access cloud services as well as exposed services at your perimeter.

Lee Neely

The Rest of the Week's News


2021-07-07

DOD OIG: Additive Manufacturing Systems Expose DoD Network to Security Risks

According to a report from the US Department of Defense Office of Inspector General (DoD OIG), DoD failed to properly secure additive manufacturing systems (3D printers and associated workstations) because they were categorized as tools instead of IT. According to the report, “the DoD uses AM to create molds for personal protection body armor, parts for tactical vehicles, brackets for weapons systems, and medical implants and prostheses (artificial body parts). The DoD also uses AM to create spare parts on demand, which reduces the need to store or maintain large on hand inventories, allowing units to relocate quickly if mission requirements change.” The report recommends including additive technology in the DoD IT systems portfolio and upgrading all additive manufacturing systems to Windows 10.

Editor's Note

Additive Manufacturing is specialized IT, aka OT. It provides incredible just-in-time capabilities, and just like a CNC machine, it needs to be properly segmented, updated and monitored. Also like those CNC machines, they may not be able to run current operating systems, which drives the need to have additional protections. Remember you’re not only protecting them from inappropriate access, you are also protecting the rest of your network from potentially higher risk devices just like other OT components.

Lee Neely

2021-07-08

Intezer: Global Phishing Campaign Targets Energy Sector

Researchers from Intezer “found a sophisticated [cyber] campaign, active for at least one year, targeting large international companies in the energy, oil & gas, and electronics industries.” The threat actors gain an initial foothold in targeted systems through highly tailored spear phishing attacks.

Editor's Note

Make sure that your endpoint protections can detect fileless malware. This attack is using spoofed email and typosquatting to trick users into clicking. Make sure that you’ve implemented DMARC/DKIM/SPF in reject mode to reduce the likelihood of messages slipping through. With everything else going on, make sure that you didn’t put UAT on hold; studies have shown that information gets “stale” in under six months without reinforcement.

Lee Neely
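
As an added example (not part of the newsletter or of any editor's note), the following checks whether a domain's SPF and DMARC TXT records enforce the reject mode recommended above. The domains and records are constructed, there are no live DNS lookups, and DKIM is left out because it cannot be evaluated from the domain's TXT record without knowing the selector.

```python
SAMPLE_RECORDS = {  # constructed sample TXT records for hypothetical domains
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ip4:203.0.113.0/24 ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hardened.example",
    },
}

def parse_dmarc(record):
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_findings(spf):
    """Flag an SPF record that does not hard-fail ('-all') unauthorised senders."""
    if not spf.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record published"]
    last = spf.split()[-1].lower()
    if last != "-all":
        return [f"SPF: ends with '{last}' instead of '-all', so spoofed mail is only soft-failed or accepted"]
    return []

def dmarc_findings(dmarc):
    """Flag a DMARC record that is not in enforcing (p=reject) mode."""
    tags = parse_dmarc(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no v=DMARC1 record published"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"DMARC: p={policy}, not p=reject")
    pct = tags.get("pct", "100")  # defaults to 100; lower values apply the policy to a sample only
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so authentication failures are never reported")
    return findings

def assess(records):
    """Combine SPF and DMARC findings for one domain's records; an empty list means enforcing."""
    return spf_findings(records.get("spf", "")) + dmarc_findings(records.get("dmarc", ""))
```

To run it against a real domain, feed `assess` the TXT records of the domain and of `_dmarc.<domain>` from your resolver of choice.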

Phishing has always been a primary attack vector (see VZ DBIR for past four years) simply because it works. What has changed is cyber attackers are continuing to improve their phishing kung fu, gaining better intel on their intended targets and learning what emotional triggers are the most effective. To prevent these types of attacks requires both technical controls and human training. No, AI is not going to solve this one.

Lance Spitzner

2021-07-12

Patch Available for Actively Exploited Flaw in ForgeRock Access Management

ForgeRock has released an update to fix a critical pre-authorization remote code execution flaw in its Access Management platform. The flaw is being actively exploited. It affects Access Management versions older than 7.0 running on Java 8. Users are urged to apply the patch or one of the workarounds suggested in the ForgeRock security advisory.


2021-07-09

Cisco IP Desk Phone Vulnerabilities

Vulnerabilities in multiple models of Cisco IP desk phones could be exploited to eavesdrop on phone calls and to bug the rooms they are in. An attacker would need physical access to the targeted device to exploit the flaws. Cisco has released updates to address the vulnerabilities.

Editor's Note

Knowing what is connected to your network and categorizing what you find is one of the essential security hygiene requirements, such as in Implementation Group 1 of the CIS Critical Security Controls. Many Network Access Control products can identify or categorize IP phones or IoT devices that are detected on your networks.

John Pescatore

The vulnerability is in the Broadcom chipset, which means that a complete fix requires both Cisco and Broadcom updates. Exploitation needs physical access, removing the backplate, and sending specific impulses to the chipset, meaning unattended devices (in conference rooms, hallways, lobbies, etc.) are possible targets. Make sure you’re applying Cisco’s hardening and securing practices. Think of these as small computers, not just phones, when looking at risks. Check the Cisco site to see if you’re running impacted devices. If you are, deploy the update and keep an eye out for further patches.

Lee Neely

2021-07-12

Ransomware Attacks Against School Systems on the Rise

The Multi-State Information Sharing and Analysis Center (MS-ISAC) observed a 19 percent increase in reported ransomware attacks against school districts between 2019 and 2020, and is projecting an 86 percent increase this year. Most school districts lack the cyber defenses of private organizations, and because so many districts are teaching remotely, every student device could be considered a point of entry for cyber criminals.

Editor's Note

As a father of three, stories like this break my heart. Most elementary schools are struggling to just teach the next generation. Ransomware attacks can devastate not only networks and budgets but the future lives of kids. Remember, cyber criminals have no ethics; absolutely anyone is a target. Until there is pain applied to the cyber criminal community, they will simply continue.

Lance Spitzner

2021-07-09

CNA Financial Sends Breach Notification Letters About March Ransomware Attack

CNA Financial Corp. has begun notifying customers that their personal information may have been compromised during a March 2021 ransomware attack. The compromised data include names, Social Security numbers, and health benefits information. CNA reportedly paid $40 million to the ransomware operators.

Editor's Note

CNA is ranked as the seventh-largest commercial insurance provider in the U.S. and was a target of the Phoenix CryptoLocker attack. This ransomware uses remote desktop and compromised credentials to get a foothold. It even masquerades as legitimate software signed by “Saturday City Limited.” Make sure that your exposed services don’t allow reusable credentials. Never expose RDP directly to the Internet; place it behind a VPN with multi-factor authentication. Check regularly for newly exposed access paths, and either secure or remove them.

Lee Neely

2021-07-12

Easterly Confirmed as CISA Director

The US Senate has unanimously confirmed Jen Easterly as director of the Cybersecurity and Infrastructure Security Agency (CISA). The agency has lacked an official director since November 2020, when Christopher Krebs was fired.

Editor's Note

Brandon Wales has been acting director since November 2020 and has been doing a great job, but it will be easier for CISA to move forward with a formally appointed leader. Easterly is the third cyber position in the Biden administration with roots in the NSA, joining Chris Inglis, national cyber director, and Anne Neuberger, National Security Council.

Lee Neely

Internet Storm Center Tech Corner

Scanning for Microsoft Secure Socket Tunneling Protocol

https://isc.sans.edu/forums/diary/Scanning+for+Microsoft+Secure+Socket+Tunneling+Protocol/27622/


Hancitor tries XLL as Initial Malware File

https://isc.sans.edu/forums/diary/Hancitor+tries+XLL+as+initial+malware+file/27618/


Android Updates

https://source.android.com/security/bulletin/2021-07-01


Cisco Updates

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bpa-priv-esc-dgubwbH4


Job Seekers Attacked with Malicious Documents

https://www.ehackingnews.com/2021/07/job-seeking-engineers-have-become.html


Kaseya Releases Patch and Hardening Guide

https://helpdesk.kaseya.com/hc/en-gb/articles/4403760102417


SolarWinds Advisory CVE-2021-35211

https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211


Mint Mobile Breach and Porting

https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/


Twitter Verified Account Mistake

https://twitter.com/conspirator0/status/1414475519609999366