SonicWall Vulnerabilities; Cloud Accounts Exploited In Aviation and High-Tech Networks; UofSC Cybersecurity Grads More Desirable To Employers

This is a 0-Day exploit of the SonicWall SMA 100 series of appliances, not their NetExtender VPN as previously thought. Until a patch is released, make sure you have 2FA enabled on your SMA 100s; enable End Point Control to verify devices prior to connection; and consider using Geo-IP/botnet filtering to block access from countries you shouldn't see access from as well as limiting times accounts can login. While good mitigations, these actions need careful considerations when you have users who travel internationally, or work from multiple time zones.

Lee Neely

Yet another incident that fits into the larger "supply chain" attack theme. This may be more severe than the SolarWinds issue as it may affect a lot more users. I hope SonicWall caught the attack quickly and were able to limit impact. At last year's SANS keynote panel at RSA, I talked about the issues with vulnerable perimeter devices. While companies are dissolving perimeters quickly, we still rely on VPNs and Firewalls and just assume (perhaps incorrectly) these devices to work.

Johannes Ullrich

Phishing and password compromise were cited as how the attackers gained initial access - as is the case in the majority of all attacks and more than 90% of incidents when major cloud services are the access point. Strong authentication on cloud admin services would have closed that path. Enhanced monitoring of all admin-privileged accounts would have reduced the time to detect in the unlikely event that strong authentication was compromised.

John Pescatore

Three years dwell time is easily explained with missing controls around cloud services. In particular SaaS providers do not always offer tools to audit access from authorized users.

Johannes Ullrich

The attackers used credential stuffing, password spraying, and brute force techniques to compromise credentials used for cloud services, and had a long dwell time. Monitoring, not only for the attacks, but also unusual user activity would have revealed the hackers much sooner. Additionally, make sure account lockout actions are configured and tested. Lastly, verify multi-factor authentication is enabled for all accounts on services which can be directly accessed from the Internet, cloud or otherwise. Your IDP can be configured to vary the strength of authentication required based on many factors, including domain membership, location, and time, to maintain a frictionless experience for legitimate users.

Lee Neely

This program is an awesome opportunity. If you're in the UofSC Aiken cybersecurity degree program, with a GPA of 2.5 or better, you can apply to the SANS undergraduate program, complete one SANS course per semester in your Junior and Senior years, and come out with four GIAC certifications, and hands-on knowledge which makes you a very attractive candidate for an employer as you not only have a breadth of critical current knowledge but also experience applying it during the program.

Lee Neely

As a part of SANS.edu, I am very excited about the expansion of our undergraduate program. Not only will this fill a critical gap in training new cyber security talent, but I am in particular excited to see what great content these students will create as part of the included internship with the Internet Storm Center.

Johannes Ullrich

A bachelors degree is about being ready for life; depending in part upon the program, it may or may not prepare the student for the first job out of school. Certificates are about being ready for the job; they are becoming increasingly useful to employers and candidates.

William Hugh Murray

Privacy laws and corresponding legislation around mobile device location data continue to evolve. While cellular providers have location data from cell towers, location services on your device also provide individual applications' location data which may be used by their providers. As it is largely impractical to blanket-disable location services and Apple and Google are working to limit what applications can do with location data, only enable it for the applications that truly need it. As law enforcement is able to obtain non-anonymized location data, which then includes information about US and non-US citizens, guidance and practices need to evolve to support not only the 4th Amendment, but also foreign privacy laws. If you're in the federal government, you also have to watch for Executive Order 12333 when accessing the data. https://www.archives.gov/federal-register/codification/executive-order/12333.html

Lee Neely

SEPA is taking a hard line on not paying ransomware operators, which supports their continued operation, but also not paying organizations or individuals which are on the International sanctions lists; which is illegal in the US & UK. To support that position, your organization needs not only good differential backups, but also practice restoring systems from those backups, without dependencies on remaining systems which may be compromised.

Lee Neely

The SolarWinds compromise points out that if someone can steal your digital intellectual property, odds are high that they could also modify it. Tesla needs to assure its customers that its source code management systems are better at integrity control than they apparently were at access control.

John Pescatore

The question is: could you detect employees within your organization taking similar actions? Raise the bar by limiting access to authorized cloud services and only allowing approved USB storage devices to be connected to systems. Actively monitor cloud and peripheral use to detect anomalous behavior. Training and policy need to be in place to support/reinforce these controls and include requirements for protection of Intellectual Property, particularly trade secrets.

Lee Neely

Verify any business systems still reliant on Flash and make sure there is an active plan to remove that dependency. While reverting to an older version of Flash may restore the functionality, that action also re-introduces the vulnerabilities in the older player as well.

Lee Neely

ADT has implemented technical and procedural actions designed to prevent and detect recurrence. All providers need to implement similar controls. As a consumer, you also need to take action. If you have security cameras, to include your doorbell camera, which can be viewed remotely, assume they can be accessed by that provider and verify the accounts which have access to that content. Also review your agreement to verify what other access and use is granted along the retention periods. Also refrain from putting cameras in areas you don't wish activities to be viewed by others.

Lee Neely