SANS NewsBites

Take Advantage of GitHub Push Protection; Start Working Now to Meet 2025 PCI Security Enhancements; US Bill Would Give FDA Authority to Compel Medical Device Providers to Build in Security and Patching

April 5, 2022  |  Volume XXIV - Issue #27

Top of the News


2022-04-04

GitHub Advanced Security Secret Scanning Now Offers Push Protection

GitHub has added an option to GitHub Advanced Security that scans for secrets before accepting code pushes. The new feature works with 69 token types.

Editor's Note

Nice improvement. Also note that TruffleHog released a new version with some significant improvements to find secrets like API keys left in code. Secrets like passwords, and in particular API keys, leaking in source code repositories are an increasing problem. Modern distributed applications rely more and more on these secrets and many developers do not manage them properly.

Johannes Ullrich

Including authentication secrets in repositories continues to be a problem. This option will augment your processes designed to prevent that from happening. Verify developers don’t disable it.

Lee Neely
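A local pre-push check of the kind GitHub's push protection automates, added here as an example and not code from GitHub or TruffleHog: it scans only the added lines of a unified diff for a constructed subset of token shapes, redacts anything it reports, and honours a constructed allowlist marker for deliberate test fixtures (the token patterns, the marker and the sample diff are all assumptions made for this example).

```python
import re
from collections import namedtuple
# Illustrative token formats, a constructed subset of what push protection checks:
# classic GitHub PATs are "ghp_" + 36 alphanumerics, AWS access key IDs are "AKIA" + 16 chars.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Constructed marker for deliberate fixtures; like a push-protection bypass it should be reviewed.
ALLOWLIST_MARKER = "pragma: allowlist secret"

Finding = namedtuple("Finding", "path line_no kind redacted")

def redact(secret: str) -> str:
    """Never echo a full secret into hook output or CI logs."""
    return secret[:6] + "..." + secret[-4:] if len(secret) > 12 else "***"

def scan_diff(diff_text: str) -> list:
    """Scan only the added lines of a unified diff, i.e. what the push would introduce."""
    findings, path, line_no = [], "?", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):  # hunk header: reset the new-file line counter
            hdr = re.search(r"\+(\d+)", raw)
            line_no = int(hdr.group(1)) - 1 if hdr else 0
        elif raw.startswith("+"):  # added line: the only content a push can leak
            line_no += 1
            if ALLOWLIST_MARKER in raw:
                continue
            for kind, pat in PATTERNS.items():
                for m in pat.finditer(raw[1:]):
                    findings.append(Finding(path, line_no, kind, redact(m.group(0))))
        elif raw.startswith(" "):  # unchanged context line
            line_no += 1
    return findings

def push_allowed(diff_text: str) -> bool:
    return not scan_diff(diff_text)

# Constructed diff: a PAT-shaped string, the AWS documentation example key ID, and an
# allowlisted fixture that must not be reported.
SAMPLE_DIFF = """--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
+GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+TEST_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # pragma: allowlist secret
+AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
"""
```

Feed it the output of `git diff --cached` from a pre-commit or pre-push hook, or the pushed range in a server-side pre-receive hook; the point of GitHub's feature is that the check runs before the secret ever lands in history, where it is far harder to revoke.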

2022-03-31

PCI Data Security Standard Updated

The Payment Card Industry Security Standards Council (PCI SSC) has updated the PCI Data Security Standard (DSS) to version 4.0. Changes include “expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment, and increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives.” The current version of PCI DSS, v3.2.1, will be retired on March 31, 2024.

Editor's Note

This revision has about 60 new requirements, 40 of which don’t kick in until 2025. Those 40 longer-term requirements represent most of the security gains – requiring software inventories of internal and external software in use, user and application privilege management, increased use of MFA, more focus on encryption, etc. If you have PCI exposure, use those requirements to justify starting improvements now. There are also additional requirements specifically for service providers. PCI DSS 1.0 came out in 2004; the requirement updates have tried to keep up with changes in threats, but the requirements and rigor around the assessment process that governs how the 389 PCI Council-certified security assessors operate have been much slower to be upgraded.

John Pescatore

Regarding penetration testing, section 11.4 of v4.0 still requires internal and external network testing at least annually but gets more prescriptive in how it is to be done.

Christopher Elgee

More MFA is always better. But at this point, your question shouldn't be if you need MFA. The question should shift to what kind of MFA is sufficient for a particular application.

Johannes Ullrich

Don’t wait until 2024 to implement the updated standard. Begin assessing the changes and getting your implementation together now. Note the scope of encryption requirements including removable media as well as requirements for protecting the PAN during RDP sessions. Also note that some best practices have expiration dates.

Lee Neely

PCI DSS was introduced as a stop-gap measure until the introduction and implementation of EMV (and to transfer as much of the fraud risk as possible to the merchants, their customers). However, it has taken on a life of its own, in part because the issuers continue to publish the Primary Account Number (PAN) in the clear. The PAN is then used in “card not present” fraud. Merchants accept the risk of accepting PANs, in preference to more secure proxies like PayPal, Apple Pay, Google Pay, and others, in part because the transaction cost is a little lower. However, the risk plus the cost of PCI DSS really makes accepting PANs much more expensive than the proxies.

William Hugh Murray

2022-04-04

Proposed US Legislation Addresses Medical Device Security

US legislators have introduced a Senate bill that focuses on medical device security. The PATCH Act “will implement cybersecurity protocols and procedures for manufacturers applying for premarket approval through the Food and Drug Administration to ensure that users are properly equipped to deal with foreign or domestic ransomware attacks.” Provisions include implementing cybersecurity requirements for manufacturers and establishing a software bill of materials for medical devices. A companion bill has been introduced in the House of Representatives.

Editor's Note

For close to 20 years, much of the medical device industry has avoided taking the responsibility for building secure/safe and supportable/patchable networked devices. The FDA has issued many directives about this over the years – this bill will give the agency the needed power to enforce.

John Pescatore

While this legislation attempts to raise the bar of new devices being produced, healthcare providers need to make sure their current environment architecture implements security. That includes segmentation, MFA, and monitoring. The new legislation also provides for ongoing security updates. One hopes manufacturers take advantage of this so one can plan for update and lifecycle events in the operations schedule.

Lee Neely

I welcome legislation that attempts to shift security left, especially for devices that are traditionally released with trivial vulnerabilities and rarely get patched.

Jorge Orchilles

The Rest of the Week's News


2022-03-31

US Senator Seeking Answers About Phony Emergency Data Requests

Last week, Brian Krebs reported that hackers are using phony Emergency Data Requests to obtain information from ISPs, mobile phone companies, and social media companies. The hackers have been using compromised police department and government agency email accounts. US Senator Ron Wyden (D-Oregon) is “requesting information from tech companies and multiple federal agencies to learn more about how emergency data requests are being abused by hackers.”

Editor's Note

Train users to always verify the credentials and legitimacy of data requests, emergency or otherwise. Use out-of-band mechanisms, not verification mechanisms provided by the requester. Don’t forget to include yourself and your security team in that training.

Lee Neely

This is a perfect example of the need for Red Team. A new process has been implemented and no one looked at it holistically (people, process, and tech) from the adversary’s point of view.

Jorge Orchilles

EDRs are often, not to say routinely, used in lieu of warrants in investigations; warrants are then sought after the fact if the product of the investigation is to be used as evidence in a prosecution.

William Hugh Murray

2022-04-04

GitLab Updates Fix Static Password Flaw

GitLab has released updates for GitLab Community Edition (CE) and Enterprise Edition (EE) software to address 17 vulnerabilities. The updates include a fix for a critical flaw that arose from “a hardcoded password [being] set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2.”

Editor's Note

GitLab releases updates on the 22nd of the month. Get their application into your monthly patch cadence. Yes, there were hard-coded credentials in their code; time to see how your code fares in that respect. There are also XSS issues relating to improperly handling user input. Again, time to make sure you’re not in the same boat, preferably after you apply the update.

Lee Neely

2022-04-04

US State Department’s Bureau of Cyberspace and Digital Policy

The US Department of State has launched its Bureau of Cyberspace and Digital Policy. According to a media note from the agency spokesperson, the “bureau will address the national security challenges, economic opportunities, and implications for U.S. values associated with cyberspace, digital technologies, and digital policy.” It will comprise three policy units: International Cyberspace Security, International Information and Communications Policy, and Digital Freedom.

Editor's Note

While this sounds like added bureaucratic overhead, I believe this new bureau will allow State to focus on cyber requirements appropriate to their mission in support of the NIST RMF as well as moving towards the requirements in EO 14028 such as MFA, zero trust and cloud adoption.

Lee Neely

2022-04-01

Zyxel Urges Users to Patch Critical Flaw

Zyxel has released patches to address an authentication bypass vulnerability in the CGI program embedded in Zyxel USG, ZyWALL, FLEX, ATP, VPN, and NSG software. The flaw could be exploited to take control of vulnerable products.

Editor's Note

Weekly reminder: Do not expose these types of admin interfaces to the internet. This will not be the last vulnerability in a router/firewall/VPN admin interface. Not exposing these interfaces will significantly reduce the chance of the flaw being exploited.

Johannes Ullrich

In essence, an ACL was not implemented in the CGI, allowing it to be executed without authentication. Change “advised to patch” (in the bulletin) to “patch now.” Also make sure the administration interface is not accessible from the WAN.

Lee Neely

2022-04-01

Fixes Available for Flaws in Rockwell Products

A pair of vulnerabilities in Rockwell programmable logic controllers (PLCs) and engineering workstation software could be exploited to inject code and modify automation processes. The flaws allow attackers to run code on vulnerable PLCs without appearing to be causing anomalous activity.

Editor's Note

Read the bulletin carefully. This is not just a patch and go fix. Note the raw CVSS 3 score is 10.0 so you need to make sure you have your ducks in order PDQ. You may need to recompile and reload user program code. Also, make sure your PLCs are properly segmented so only authorized systems and users can interact with them. Monitor all interaction for unwelcome advances.

Lee Neely

2022-04-04

VMware Releases Updates to Fix Spring4Shell Vulnerability

VMware has published updates to address the Spring4Shell remote code execution vulnerability in several VMware products. Patches are not available for all affected products; VMware has suggested workarounds. The Spring4Shell vulnerability, which resides in the Spring Core Java framework, is being actively exploited.

Editor's Note

CVE-2022-22965 has a CVSS score of 9.8 and you’re going to need to read the workaround where patches are pending. (There are no workarounds for the patched products, just patch them.) There are multiple manual steps to the workaround so have a fully backed up environment to get them right. Doubly so if you don’t have a non-production environment. Note that the workaround will stay in place even if you perform a VM resurrection or upgrade your TKGI file.

Lee Neely

2022-04-04

Two People Facing Charges in Connection with Lapsus$ Hacking Group Activity

Two teenagers arrested in London, UK, in connection with the Lapsus$ cyber extortion group have appeared in court to face charges. They have been released on bail and are required to appear in court at the end of the month. Both teens have been charged with “unauthorized access to a computer with intent to impair the reliability of data; fraud by false representation; and unauthorized access to a computer with intent to hinder access to data.” One of the individuals is facing an additional charge of “causing a computer to perform a function to secure unauthorized access to a program.”

Editor's Note

When the arrests occurred, the Lapsus$ gang reported some of its members were taking a vacation and work continued with a posting last Wednesday of information pilfered from an Argentinian software development group. Don’t assume a group of malicious actors are out of commission until you have authoritative information that their entire operation is shuttered. Even so, expect those not arrested to reappear in a new form soon.

Lee Neely

2022-04-04

Nordex Group Shuts Down IT Systems in Wake of Cybersecurity Incident

Nordex Group, a German wind turbine manufacturer, has “shut down IT systems across multiple locations and business units” as a precautionary measure following a cybersecurity incident. Nordex Group detected the problem on March 31.

Editor's Note

Similar to the Viasat attack, this is intended to get a jump on the IT used to control wind turbine systems in Ukraine, and possibly other places, obtaining inside intel into operation beyond what can be obtained via OSINT. If you have these systems, you need to focus on the security of any access mechanism. If remotely connected, make sure those connections are both secure and genuine, that media and data flowing to and from them is properly sanitized, and that you are monitoring any connections or activity.

Lee Neely

Internet Storm Center Tech Corner

Emptying the Phishtank: Are WordPress Sites the Mosquitoes of the Internet

https://isc.sans.edu/forums/diary/Emptying+the+Phishtank+Are+WordPress+sites+the+Mosquitoes+of+the+Internet/28516/


Mailchimp Breach Used to Target Trezor Users

https://www.bleepingcomputer.com/news/security/hackers-breach-mailchimps-internal-tools-to-target-crypto-customers/


ViaSat KA-SAT Network Cyber Attack

https://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/


MacOS Bug Enables Phishing

https://rambo.codes/posts/2022-03-15-how-a-macos-bug-could-have-allowed-for-a-serious-phishing-attack-against-users


Proactively Prevent Secret Leaks With GitHub Advanced Security Secret Scanning

https://github.blog/2022-04-04-push-protection-github-advanced-security/


TruffleHog v3

https://trufflesecurity.com/blog/introducing-trufflehog-v3


GitLab Critical Security Release

https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/


PHP Supply Chain Attack on PEAR

https://blog.sonarsource.com/php-supply-chain-attack-on-pear