US, UK, Australian Governments Warn of Attacks Targeting Healthcare and Transportation; Patch Those Netgear Products; GitHub Moves to 2FA for Maintainers and Admins in 2022

Review the mitigations in the bulletin irrespective of whether you see yourself as a target. Make sure that you’re keeping systems patched and updated. Take another look at allow/deny lists, particularly on servers which are purpose built to block the execution of unknown software. Make sure that you are always using MFA on privileged accounts and on any remotely accessible services.

Lee Neely

As usual: Please update. Even if your router is not affected by this vulnerability: Double check if there is new firmware for it. It is so easy to miss an update. The UPNP protocol has had various issues over the years, and it should be disabled in your router if possible. It could be used to remove firewall rules, even if it works as designed.

Johannes Ullrich

UPnP allows applications to setup forwarding automatically, rather than manually configuring these on your router. Even so, consider disabling it if you don’t need it. If you don’t have an option to automatically update your firmware, make sure that your processes include monitoring for security updates and verification of their timely installation. Disable unneeded services. Verify you’re on the distribution lists for your vendor’s security notifications. Check with your vendor to verify you remain eligible for updates, which may include service contracts or active lifecycle management.

Lee Neely

Good steps by GitHub to mitigate some of the larger issues around npm. At this point, there have been just too many compromised npm packages. I like GitHub proactively scanning for malicious code. Now we will have to see if the scans are sufficient to make a difference.

Johannes Ullrich

Every movement away from reusable passwords is a good thing. Do your IT admins and other privileged user accounts still rely on reusable passwords for authentication?

John Pescatore

Active enforcement of mitigations, such as requiring strong authentications, versus providing it and waiting for users to maybe implement it, is a much stronger position to be in. Even if you’re not npm, you should ensure that 2FA is enabled for accounts updating your content.

Lee Neely

Opt-in to strong authentication leaves the balance between security and convenience to the end user. That is an appropriate default for many applications. As noted when this problem was first reported, this is not one of them.

William Hugh Murray

Having controls on technology which impacts critical or sensitive processes and systems is important. When a product you’re using is merged or acquired, it’s a good idea to assess the new company to see if they remain in a supportive position. In government this is even more important. The intent of this legislation is good. The included categories are very broad, could allow for challenges relating to applicability.

Lee Neely

There is also a promise that future versions of these playbooks will be used outside FCEB agencies. The practices currently captured already have broad applicability beyond the intended audience and include areas such as incident response, detection & analysis to containment, eradication, and recovery. The playbooks do include CISA/DHS reporting requirements, which are less applicable to the private sector; you’ll want to map those to your regulators. Lastly, leverage CISA resources and consulting to help you verify you’re good to go. These services are covered by tax dollars and are free to businesses within the US.

Lee Neely

Having a playbook is a good first step. Like everything else, it requires practice. Ensure the correct people are briefed and trained as much as possible. The more you test and measure people and process, the more opportunities to improve before the real test.

Jorge Orchilles

Check the notice for the specific technologies affected. If you’re using any of them, you need to follow the advice from MS to secure these credentials.

Lee Neely

A key success factor will be using market-based pay rather than the old government GS scale wage. DHS has around 1,500 cyber security vacancies, 1,000 of which fit into CTMS, and looking for 150 people to hire in 2022.

Lee Neely

As a part-time government employee, infosec professional, and MBA, I've been amazed at how little the US Government (and much of industry, frankly) has done to try and attract top talent. The DoD figured this out years ago for medical professionals by instituting significant incentives above and beyond standard pay rates. Kudos to DHS for offering the same in infosec.

Christopher Elgee

The trick is there are not spare cycles on these systems to implement encryption or other hardening steps, and like OT, their lifecycle is measured in decades not years. It will likely take a phased approach, where replacement services are secure enough; the trick is funding that model as you can’t practically just land and re-launch existing infrastructure after modifications.

Lee Neely

Our acceptance, use of, and reliance on these services has exceeded our wildest expectations when they were introduced. They are so much a part of our daily lives that we are likely to notice them mostly in the breach. It should be obvious that the risks can only increase, perhaps exponentially, in proportion to our use and reliance; the issue is mitigating them.

William Hugh Murray

Rather than say "minor security lapses" I'd say "initial penetration was successful due to lapses in basic security hygiene which are easily preventable." Not to mention that "weak password" is an oxymoron.

John Pescatore

Don’t forget to verify the small things are also done, such as account disablement, active monitoring and response, clear incident POC information, not just on your web site and DR plans, but also with your regulator, or security sector. Leverage security.txt files to provide contact information. Consider a security@yourdomain email list, which you are parsing with your SIEM, not directly reading.

Lee Neely