Android Permissions Auto Reset Will Work Back to Android 6; NIST Workshop on IoT Security Labelling Approach; FERC Seeks Input on Ways to Decrease Workload Caused by CIP Reporting

Android is providing users with a relatively fine-grained system to assign permissions to applications. But these permissions are often confusing, and consumers often do not understand why an application needs certain permissions or how they could be abused. The result is that consumers will often just click "ok". Resetting the permissions is an interesting and maybe a bit radical approach to force users to "Start over". Let’s hope this doesn't lead to a flood of popup messages as applications are asking to have their permissions back.

Johannes Ullrich

Notice there haven’t been many stories of negative user experiences since Google rolled this out in Android 11. Imagine if the Windows operating system had more “reset to least privilege access” features baked in.

John Pescatore

This is a good measure as we continue to run into issues with over-permissioned applications. Additionally, review your installed applications, uninstalling those you are not, or no longer, using. If you created accounts for those applications, be sure to also close those out.

Lee Neely

A number of countries have put forward labeling schemes like this. It is the goal of these programs to make it easy for consumers to make informed decisions about the security features of a particular device. Akin to a nutrition label or restaurant health inspection grades, the information should be easy to comprehend and will hopefully lead to companies proactively improving the security of their devices to obtain a better rating. But to work, a significant number of manufacturers need to participate.

Johannes Ullrich

I think it took the FDA about 20 years to go from the original push for nutrition labels for food to get to the point where testing of products could be done in standard manners by industry and audited to some level by the FDA. Labeling schemes without defined testing requirements are useless.

John Pescatore

There has been legislation proposed to require federal agencies to purchase IoT devices which meet security standards. Labelling needs to not only indicate the standards met, but also include information on verification. The current plan allows companies to self-attest to their security to expedite the process. Without independent verification against published standards, you cannot be sure the level of security is where you need it to be. Trust but verify.

Lee Neely

Comments are being solicited around the cost/benefit of the CIP Reliability Standards reporting requirements, not on the security requirements themselves. In 2018 and 2019 FERC expanded incident reporting requirements, on top of previous reporting and documentation requirements. Good opportunity for the industry to suggest ways to streamline the reporting flow to reduce the time spent.

John Pescatore

A core part of the message here is that unmitigated or unpatched vulnerabilities are key to successful ransomware attacks. Leverage the CISA ransomware self-assessment security audit tool (released in June) as well as the information on response and prevention on the stopransomware.gov site to make sure that you’re well positioned for a ransomware attack.

Lee Neely

Patch management is a prevention goal, especially for vulnerabilities being exploited in the wild. Unfortunately, 0-days will not have patches and the ability to detect and respond to the inevitable breach is now a requirement for all organizations.

Jorge Orchilles

Earlier this year Biden asked Russia to steer clear of 16 critical sectors of the U.S. Economy. Among those is “food and agriculture.” The BlackMatter group, which is behind the Iowa attack, is claiming that the volume of production from their victims doesn’t meet the definition of critical. While ransomware groups may have their own code of “ethics” regarding what is and is not “off-limits,” don’t assume they are on the same page. Operate on a model that everything is fair game and protect your systems accordingly.

Lee Neely

Poke a nation in the eye enough times, and your fortunes might just change... “Even six months ago, we probably would have said, ‘Ransomware, that’s criminal activity,’ But if it has an impact on a nation, like we’ve seen, then it becomes a national security issue. If it’s a national security issue, then certainly we’re going to surge toward it.” -GEN Paul Nakasone, Director of NSA and commander, USCYBERCOM

Christopher Elgee

TTEC provides customer support to large companies such as Verizon, Bank of America, Best Buy, Credit Karma, USAA, Dish Network and Kaiser Permanente. In this scenario there are two challenges: first, providing alternate customer service, or accepting long wait times; second verifying what data is stored with the service provider and of that data, what has been released or lost. Engage your legal team to understand what third-party liability clauses are in play and examine impacts on your service level agreements to your customers. Work closely with your provider to understand their service level and anticipated recovery plan.

Lee Neely

This is a very simple and cheap (free) way to provide current contact information to security researchers. You certainly should take advantage of this standard. For a description of various "well-known" files like security.txt, see https://isc.sans.edu/forums/diary/Not+Everything+About+wellknown+is+Well+Known/26564/: Not Everything About ".well-known" is Well Known. Unless of course you would rather not know about any security issues with your website/network.

Johannes Ullrich

While standards are still solidifying, it’s a good idea to implement this file, particularly if you’ve got a bug bounty program. Put it at the top of your web sites or known location such as /.well-known/ (see RFC8615.) Consider digitally signing your security.txt file. Make sure that the identified accounts are both monitored and have junk/spam filters enabled. More on the standard can be found on the securitytxt.org web site (https://securitytxt.org).

Lee Neely

If you have critical infrastructure, make sure that your plans are updated, to include information sharing, incident response and physical protections. The recommendations in the report can be leveraged to make sure you’re properly prepared. Make sure that you’ve established relationships with organizations such as the CISA and FBI well before you need them; don’t forget to maintain those relationships. You don’t want to find out that your contact has left or number changed in the midst of an incident.

Lee Neely