Medtronic Recalls Insulin Pump Remote Controllers with Life Threatening Vulnerability; TSA to Raise Security Requirements for Railway and Aviation Operators; Prioritize Patching Apache HTTP Servers

This vulnerability was discovered, and the initial limited recall announced, back in 2018. I hope the Medtronic Board of Directors, especially the members of the Medtronic Board’s Quality Committee read the opening line of the FDA medical device recall announcement “The FDA has identified this as a Class I recall, the most serious type of recall. Use of these devices may cause serious injuries or death.” While the attack path is not simple, avoiding life threatening vulnerabilities and the cost of product recalls should be pretty high on the Product Quality priority list but does not seem to have been.

John Pescatore

It is estimated that 31,000 devices need to be replaced. The balance between life-safety and security always comes down on the life-safety side. In the past, we’ve seen security flaws in medical devices which didn’t warrant this level of response; as exploitation of medical devices can be fatal, it is hoped that the threat of recalls like this will push suppliers to implement higher levels of security.

Lee Neely

My biggest fear with medical devices is not cyber attackers targeting and exploiting these vulnerabilities, but some random malware accidentally infecting and spreading through medical devices, causes unintended havoc and harm. In the military we called this “collateral damage.”

Lance Spitzner

The plan requires three actions (1) improve their cybersecurity processes, (2) identify a chief cyber official, and (3) inform the government when their network has been breached and have a draft cyber recovery plan on-hand to recover from the incident. While not obvious, incident reporting allows CISA/DHS to keep overall tabs on security across the nation and setting that up will help foster the needed relationship if you need to call upon them for their resources or expertise.

Lee Neely

This is just an initial step – any railway and aviation operator that didn’t have a named CSO and an incident recovery plan in this day and age should fire their CEO and replace their Board of Directors. Regulatory push to make essential security hygiene a mandatory cost of doing business is needed across most of the critical infrastructure sectors.

John Pescatore

I really hope TSA takes the approach NIST does and works hard to (and provides the time for) community input, feedback and involvement.

Lance Spitzner

In version 2.4.49, Apache re-wrote a large part of the code that validates URLs. The goal was to improve the speed of this code. Sadly, the rewrite missed some common URL issues like URL encoding. Luckily the error was discovered quickly. I don't think this version of Apache made it into any Linux distributions. Note that the initial fix, Apache 2.4.50, was incomplete and you should now be running Apache 2.4.51. But do not worry if you are running an earlier version. Many Linux distributions will stick to a particular version and only back-port security fixes. 2.4.49 and 2.4.50 are the only vulnerable versions that they were only "current" from September 15th to October 7th.

Johannes Ullrich

Be aware of the Apache server version your distribution supports when looking at the update. For example, RHEL 7 is based on Apache version 2.4.6 while RHEL 8 uses 2.4.37 and patches will be applied to those versions rather than providing version 2.4.51, this is documented in the distribution backporting policy. Use this information to verify that your vulnerability scanners aren’t providing a false positive on the patched version.

Lee Neely

This year seems to be the year of constant critical vulnerabilities and highlights that patching alone is insufficient for defenders to rely on for protection. A comprehensive vulnerability management program should be developed to determine how an organization can mitigate the impact of vulnerabilities while awaiting the application of patches or upgrades.

Brian Honan

We have several decades of data that says lawsuits rarely result in enduring increases in security. I’d much rather see contractors and suppliers that commit fraud by not following required cybersecurity standards be suspended or barred from doing business with the federal government. The Federal Accounting Regulations already support doing so.

John Pescatore

Disclosure of breaches or incidents hits many companies square in the reputation risk soft spot. Part of disclosure must include an acceptable level of protection of that information. All of us with outsource, service or cloud contracts should verify they already include cyber provisions which include incident response and notification requirements as well as consequences for failure to report or meet information protection requirements. Verification that a provider is meeting required security standards is critical to ensuring your information is properly protected. That verification is not “one and done.” It needs to be updated regularly.

Lee Neely

Cyber guidelines are exactly that, guidelines, a baseline or minimum. Take the opportunity to use them to find gaps. If there are controls that don’t make sense or are unachievable, document that, and be prepared to defend that conclusion to your regulator or auditor. Leverage your relationships with peers facing the same standards to find workable mechanisms to not only meet the requirements, but also increase security as well as make the overall process easier.

Lee Neely

This appears heavily rushed with very little industry input. There is a wealth of knowledge in our community. By taking more time to gather that community feedback, not only does TSA create a far stronger framework, but more likely to gain industry by in. NIST does a fantastic job doing this with their CFC process (Call For Comments) for NIST related frameworks and guidelines.

Lance Spitzner

While fascinating, these types of increases in cyberattacks could probably apply to pretty much any industry that is heavily connected to and dependent on technology.

Lance Spitzner

Cybersecurity is essential to any network connected infrastructure. Yet such cautions and prescriptions continue to be necessary. Join and support the Surface Transportation ISAC.

William Hugh Murray

We have repeatedly seen the need for concise, clear, understandable communication in the event of an incident. The guidance is intended to help develop a message non-technical users can understand and then take the needed action properly. Even with the best plan, users may still not read or understand what is expected; backup the message with a responsive contact center armed with simple guidance they can walk the users through.

Lee Neely

Syniverse, which processes messages for 300 carriers with a volume of about 740 billion messages/year, says they have fixed the identified vulnerabilities and are continuing to investigate the breach to determine if additional access paths exist. As their primary customer is the carriers rather than the customer whose messages are delivered, you will have to rely on your carrier for any notifications of impact or required follow-up actions.

Lee Neely

Yet another nail in the coffin of the use of SMS for security. Sadly, SMS replacement standards like RCS that would avoid relying on a "secure" forwarding network have never quite taken off.

Johannes Ullrich

This is a major breach that could have long term implications given the sheer volume of data and messages that could have been accessed in that time. It also highlights the importance of ensuring any sensitive communications should be done via end to end encrypted solutions and not rely solely on the security of the messaging infrastructure.

Brian Honan

Having an expedited access termination process for employees involuntarily separated is critical to preventing retaliatory actions like this. Verify that the process is comprehensive, particularly with outsourced or cloud services which may have external entry points. Also expire or lock any MFA tokens. If accounts are disabled rather than removed, make sure any access or attempted reactivation is closely monitored.

Lee Neely

Having an expedited access termination process for employees involuntarily separated is critical to preventing retaliatory actions like this. Verify that the process is comprehensive, particularly with outsourced or cloud services which may have external entry points. Also expire or lock any MFA tokens. If accounts are disabled rather than removed, make sure any access or attempted reactivation is closely monitored.

John Pescatore

School systems often have very small IT staffs, resulting in a concentration of privilege and independence from knowledgeable supervision. Business enterprises are more likely to have sufficient staff that new hires need not be given administrative privileges and be subject to knowledgeable supervision.

William Hugh Murray

These are large industrial process controllers and as such access should be limited to authorized devices and services only. Make sure access is closely monitored to detect attempts to exploit the weakness. Start planning the outage to update the firmware now.

Lee Neely