Background Checks are Critical for All With Privileged Access; Google Data Shows Major OS Providers Are Reducing Time to Fix; Move Away from Magento if You Can, Assume Current Installations Are Compromised

Good reminder for security teams and IT teams: background checks should be a regular part of hiring anyone who will be given privileged system access. Not a popular topic, but critical. While you’re working with human resources/employment, make sure that when the decision is made to terminate an employee turning off all internal and remote access is part of the process.

John Pescatore

The employee had two prior convictions for fraud which, when discovered, resulted in his termination. It is better to do background checks up front, even though they may slow the onboarding processes, rather than having to deal with a disgruntled employee who may have privileged access. For those already doing background checks, how many of you are revisiting them at some interval? I have seen good people make bad choices; I’ve seen employers help that employee retain their job and recover from those decisions.

Lee Neely

A privileged, insider threat is one of the toughest to detect and respond to. I am familiar with only a few organizations that have dedicated insider threat programs and teams. As usual, consider your threat model and maturity level without focusing on only a single type of threat.

Jorge Orchilles

Great to see that vendors are responding faster to vulnerabilities, and great to see open-source software leading the pack. Looks like "bullying" by Google with its hard 90-day disclosure timeline works. But as an end user, you will still have to apply these patches to mitigate vulnerabilities.

Johannes Ullrich

The good news is time to fix has been trending down across the board. However, at Google’s level of data collection, you can’t see the reason for the length of time to fix. In the old days of much longer software life cycles, easy to find/quick to fix bugs happened early and hard to find/long time to fix bugs were expected later in the life cycle. When time to fix is low because input validation errors (and other OWASP top 10 vulnerabilities) are still being built into software, that is not really a good thing.

John Pescatore

This is a great improvement. One wonders what the trend for vulnerabilities introduced via third-party or local coding flaws looks like. As suppliers get a handle on remediation and we’ve got mad skills testing and deploying updates, emphasis on secure coding and assessing included components needs to increase to reduce the likelihood of flaw inclusion in the first place.

Lee Neely

This is a great report that is easy to read and understand; highly recommend taking a couple of minutes to read it. I love the transparency and look for more vendors to share this type of data.

Jorge Orchilles

Patching may already be too late by the time you read this. Treat any unpatched systems as compromised. This vulnerability was discovered and reported to Adobe after it already had been exploited. Exploitation is pretty straightforward. Web application firewalls will likely not protect you. Magento is the gift that keeps on giving for attackers. Also noteworthy that the patch arrived as an actual “patch” file, and needs to be applied manually. If you can: Take Magento out back and put it out of its misery while replacing it with something... anything... else.

Johannes Ullrich

This corrects an improper input validation flaw (CVE-2022-24086) with a CVSS base score of 9.8. Note that this is for the 2.4.3-p1 or 2.3.7-p2 and earlier versions of Adobe Commerce or Magento Open Source. If you’re on Magento 1.x, you still need to update to Magento version 2 to get the fix.

Lee Neely

Each addition to the database includes a remediation date. Some of these flaws date back to 2017; they are included because they are still being exploited. Don’t forget to capture the due dates as you’re digesting the new flaws.

Lee Neely

Kudos to CISA for developing the Known Exploited Vulnerability Database. All companies should ensure that they have the Known Exploited Vulnerability Database included as part of their vulnerability management program.

Brian Honan

One hopes that actual remediation will be measured in days, rather than weeks to months.

William Hugh Murray

Viewing the source of a web page and discovering a flaw cannot be characterized as hacking nor committing an illegal act. The journalist is to be commended for responsibly reporting what they found. And while nobody likes being told they have a flaw in their code (particularly me), I would rather learn via a disclosure process than by reading an incident response or data loss report.

Lee Neely

And this is why SMS as a validator is dangerous. In this scenario, your coverage drops when the duplicate SIM is activated but depending on timing, you don’t notice the interruption, and by then it’s all over. Beyond ensuring all the security for your mobile carrier is in place to prevent unauthorized porting/etc., configure SMS or phone calls for account validation only as a last resort.

Lee Neely

The carriers have made SIM swapping harder, but as this item points out it is still possible. While SMS messaging does not reduce risk to zero, it is far better than staying at reusable passwords. As Microsoft’s report pointed out, 99.9% of successful phishing attacks would have failed if just SMS messaging was in use. Use authenticator apps and biometrics wherever possible but don’t stay with reusable passwords if those are not options.

John Pescatore

The fixes were made last September and the ICS Advisory (ICSA-21-278-03) was released October 5, 2021. The primary mitigation is to update to version 3.2.4; additionally, use strong passwords rotated regularly and restrict access to the system, particularly port 8883 to known authorized systems. Make sure that you’re properly segmenting these systems away from business systems.

Lee Neely

Should the escalating tensions in that region turn into an outright conflict there will be a cyber dimension to that conflict. That cyber dimension won’t be restricted by borders or regions so I recommend you check your supply chain to see how dependent you are on any providers based in Ukraine and how you can continue your operations in the event they become unavailable. I also recommend you heighten your cybersecurity preparedness to prevent your organisation from becoming a collateral victim by following the guidelines issued by the UK government’s NCSC at https://www.ncsc.gov.uk/news/uk-organisations-encouraged-to-take-action-around-ukraine-situation

Brian Honan

When abandoning, exchanging, or otherwise surrendering equipment, making sure it is fully purged of data is a critical step. Don’t forget copiers, printers, phones, and anything else that has data storage. Additionally, destruction of equipment may be necessary to prevent an adversary from obtaining unwanted technical advantages or insight.

Lee Neely

Two Colorado counties have had serious violations of maintaining the integrity of election systems and data. These violations pointed out that politically motivated insider malicious behavior is a bigger threat than external hacking. The temporary rules seems like they should have been in place before and as a part of an overall review would likely become permanent.

John Pescatore

Much publicity has focused on validating those wishing to cast a ballot; these measures will increase the integrity and security of the systems used to count and process ballots once cast. These measures are appropriate for any system processing sensitive data where integrity is a core requirement. While password complexity is called for, it’s time to phase out passwords in favor of replay and phishing resistant authenticators.

Lee Neely

As practitioners, we often forget that for the security of systems of public trust, there are two important qualities: actual security and the perception of security. Here's hoping this commendable move by Colorado brings both!

Christopher Elgee