Put Detections in Place Until Microsoft Fully Fixes Windows Installer Flaw; Health-ISAC Says Improve Identity Security; UK Law Would Establish Minimum Essential IoT Security Requirements

Not much you can do about this right now. But remember, that this is “just” a privilege escalation flaw. Sadly, privilege escalation flaws are common enough to always assume that there are a few being exploited for which no patch is available.

Johannes Ullrich

This is a great example of where vulnerability management and purple teams will provide value added to the organization. The VM team should be on top of situations like this where a patch doesn't completely remediate the vulnerability. The purple team should be ready to assist in crafting detections that align with the organization's telemetry. For those with neither team, know that this is a Local Privilege Escalation (LPE) vulnerability and can only be triggered by a threat actor who already has gained execution on the system. It also poses increased risks for insider threats who might seek to elevate their privileges.

Jake Williams

The flaw allows for privilege escalation using an existing account. While the long-term fix is another update from Microsoft, in the short term you can leverage the Snort rule SSID’s 5865 and 58636 to block exploitation. Note these are in the Snort Subscriber Ruleset, not the free Community Ruleset.

Lee Neely

Pen testers: it's good to exploit these types of flaws, but do consider what your recommendation is beyond, “Implement patch when available.” What detections can you recommend? What possible follow-on actions might defenders look for? Are there other compensating controls (specific to their environment) that can lessen the frequency or severity of privilege escalation vulnerabilities like this one?

Christopher Elgee

Exposing these systems directly to patients requires strong identity management practices, as outlined in the guidance. While MFA is optional, there are risks to not implementing it: think HIPAA violations and associated penalties. Prepare to federate authentication by leveraging OAuth and OpenID Connect, monitor your API use, respond to anomalous activity.

Lee Neely

Back in the early 2000's, the firewall was a mark of the rise of infosec. Firewalls separated friends from enemies – and weak defenders from strong. Now that “identity is the new perimeter,” secure, easy-to-use identity solutions are becoming a new mark. As traditional username:password continues to disappoint, what technology will fit your organization well?

Christopher Elgee

In an attempt to avoid being overly prescriptive, HIPAA required covered entities to do risk assessments that they were poorly equipped to do. One effect was to retard the adoption of electronic health records by a generation.

William Hugh Murray

It's easy to joke about the limited impact of eliminating universal default passwords, but the impact is substantial. Just last week NewsBites reported on a DNS rebinding vulnerability in Sky routers that allowed full device takeover. But this was only possible because of universal default passwords. I'm also excited about the prospect of increasing transparency, but that's much harder to measure and only time will tell how this is implemented.

Jake Williams

A number of governments have put forward initiatives to make it easier for consumers to recognize secure devices. This is the first one I am aware of that spells out mandatory requirements to be allowed to sell devices. I like the idea to put the responsibility at the manufacturer instead of the consumer. It is no longer the consumer failing to change default passwords, but it calls manufacturers out for delivering devices with common default passwords. My wishlist for IoT security also includes well-defined "end of support" dates.

Johannes Ullrich

While the legislation is likely to be modified before final passage, imposing fines for non-compliance to security standards should help motivate vendors to meet the required minimums. What is needed is equivalent standards in multiple countries to raise the bar across the board.

Lee Neely

This is a small but important step forward. These few requirements will not make IoT fully secure but they establish an important floor, kind of like restaurants being required to at least have working refrigerators and rodent control systems or they can be shut down. Doesn’t mean the food can’t still be poisonous but people are still safer for it.

John Pescatore

Good News/Bad News: The Good News is this doesn’t impact desktop or other non-server Windows distributions; the Bad News is the problematic patch only affects Windows Server systems running the Windows Defender service. If you’re using a different endpoint protection service, you’re not impacted. Note that if you are using Windows Server versions for desktop virtualization, such as AWS Workspaces, you should make sure you’ve got another endpoint protection service running.

Lee Neely

I want to be surprised, but I can't be. This sounds like it is really part of a building management network, a specific type of ICS. Unfortunately, in most cases building management networks are installed and configured by vendors and maintained by staff that are more comfortable with a wrench than a command prompt. It is not at all uncommon to discover building management networks very poorly secured. Work with your organization to determine how your connected building management systems fall under the purview of the cybersecurity team. If not, make a strong case to secure them. When the proverbial poop hits the fan (or a threat actor just turns the fans off), it *will* be considered a cybersecurity problem.

Jake Williams

These interfaces were intended to allow for remote management and optimization of the system. While wireless control is often a provided component, it must be secured during deployment. The added problem is many ICS/IoT systems have default credentials, which are published in documentation which is generally accessible online. In short make sure that your wireless interfaces are securely configured, and that you change default credentials. Verify these credentials and configuration remain set after a reboot or power cycle.

Lee Neely

Vestas is still recovering from the incident, so don’t expect a full recounting until that completes and the incident investigation completes. Research by Coveware shows the average downtime from Ransomware to be 16.2 days and average payment is $140,000 in Bitcoin.

Lee Neely

Online services have gotten more complex. That increases the difficulty of protecting them, but also the difficulty of assuring required service level agreements can be meant at all reliably. If one service relies on 5 suppliers with .99 SLAs, you can still on average meet a .95 SLA requirement. But, if any supplier is at or below .95, you can’t. Protecting against cyberattacks means keeping availability above the required level – if all margin has been consumed by unreliable service, even a minor incident can result in major financial damage.

John Pescatore

This comment is for the DBS story and the Vestas story above. Traditionally cybersecurity has focused on confidentiality and integrity of data, as that is where the value is for both cyber criminals and nation state actors. But within the past 18 months it seems we have seen a dramatic rise in availability issues also. By availability I mean the operational capability for an organization to fulfill its mission. In most cases the shutting down of operations is not the end goal of the threat actor, but either merely a means to an end (extortion) or accidental collateral damage (NotPetya like incidents). Most likely these availability impacts will only increase as our world becomes more interconnected and interdependent on each other. Finally, unlike confidentiality and integrity incidents, availability based incidents can have an immediate and physical impact to people at a large scale.

Lance Spitzner

It is interesting to note that Singapore data protection laws require data breaches to be reported to the government; failure to report can result in a fine of about $7,300 or a two-year jail sentence. The full details of this incident may only be revealed in that reporting process.

Lee Neely

This checklist is device agnostic. Consider the points in the checklist making sure you can detect compliance and non-compliance with your chosen options. For example how granular is your OS version/update detection and will that match your patch/update requirement enforcement? Consider what sorts of data persist on your mobile devices and what applications you allow them to access, and how you can isolate enterprise applications and data on the devices. I created a similar checklist in which used to be included in the SANS SEC 575 course, the trick is maintaining it to keep it relevant.

Lee Neely

Recommendations should distinguish between enterprises managed and user-managed devices.

William Hugh Murray

Where are you getting guidance and support for cyber security? Are you following up-to-date guides or are you still looking back to information published "a while ago?” Look for updated versions of your current guidance. If they don’t exist, then look to alternate references for alternatives. Make sure that your self-assessments include effectiveness reviews of your cyber security protections, to include your MSP if used.

Lee Neely