SANS NewsBites

GIT to Extend 2FA Requirement to Developers and Contributors; Apple, Microsoft, and Google Will Support FIDO Alliance Standards to Eliminate Passwords; White House Memorandum On Quantum Computing Details Timeline for US Crypto Upgrades

May 6, 2022  |  Volume XXIV - Issue #36

Top of the News


2022-05-06

SANS.edu Sentinels Win Both the Team and Individual National Cyber League Spring 2022 Competitions

Over 10,000 students from more than 300 colleges and universities across the US compete each year in the National Cyber League competition. Congratulations to the SANS.edu Sentinels for winning both the team and the individual Spring 2022 competitions. Not only did SANS.edu win this competition, but SANS.edu teams also ranked #3, #5, and #9 out of more than 1,000 teams nationwide. Go Sentinels!

https://www.sans.org/press/announcements/sans-technology-institute-sentinels-take-top-prizes-spring-2022-national-cyber-league-competition/


2022-05-05

GitHub Will Require 2FA for Developers and Other Contributors by End of 2023

GitHub says that it will require all code contributors to enable two-factor authentication (2FA) by the end of next year. GitHub CSO Mike Hanley wrote that “Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain.”

Editor's Note

This is awesome. Comprehensive 2FA is essential to prevent bypass use cases. Be proactive and enable 2FA for your account now rather than scrambling, and getting stressed, after a hard deadline. Check out the npm 2FA phased rollout timeline to be aware of when you may fall into an enforcement window and to model a plan for getting your staff and contributors on 2FA.

Lee Neely

GitHub had previously said only developers and admins would have the 2FA requirement; good to see the strong authentication mandate extended.

John Pescatore

2022-05-05

Apple, Microsoft and Google Will Support Passwordless Authentication

Microsoft, Apple, and Google have announced that they will implement standards developed by the FIDO Alliance and World Wide Web Consortium (W3C) intended to eliminate passwords. The new standards will allow users to authenticate with PINs or biometric information.

Editor's Note

This is by far the most promising effort to solve the authentication challenge. In my opinion, the most important part of this standard is that it will not require users to buy a new device, but instead they may use devices they already own and know how to use as authenticators. If you haven't done so yet: Look into what it will take to integrate these standards with your web application.

Johannes Ullrich

Great to see, but most previous attempts at getting standards agreed upon and implemented by these “big three” have failed. I think this has a much better chance of success. Fewer passwords in use are better than more, but it is important to see the protocols and implementations thoroughly pounded on by researchers before any releases.

John Pescatore

Adoption of new stronger authentication technology can be hastened by it being easier and faster than the old technology. The new standards from FIDO and W3C being implemented in Office, Azure, iPhones, Chrome, Gmail, and iCloud are intended to do just that, enabling access to existing passkeys, allowing mobile devices to be used for authentication on a nearby computer. It's time to see where these activities lie on your IDP or service provider's roadmap to build a path forward towards passwordless authentication for your users.

Lee Neely

2022-05-05

White House National Security Memorandum on Quantum Computing

The White House has issued a new National Security Memorandum that “identifies key steps needed to maintain the Nation’s competitive advantage in quantum information science (QIS), while mitigating the risks of quantum computers to the Nation’s cyber, economic, and national security.” Agencies that fund quantum computer research or develop or acquire quantum computers have 90 days to “coordinate with the Director of the Office of Science and Technology Policy to ensure a coherent national strategy for quantum information science (QIS) promotion and technology protection.”

Editor's Note

The risks a cryptanalytically relevant quantum computer would pose to all existing use of public key crypto have long been known and discussed. But quantum has kinda been another Y2K-like risk, only without a deadline. Good to see a proactive, but reasonably timed, effort being put in place (public comment period to open in 90 days) to lead to a new federal crypto standard by 2024. This memorandum also recognizes that US adversaries will focus on stealing quantum technology being developed in the US and mandates that extra protections be implemented by all development organizations.

John Pescatore

Implementing new encryption algorithms will take years or even decades. This is why we need to worry about this now. The threat from quantum computing may never materialize, but it doesn't hurt to think ahead now.

Johannes Ullrich

The goal is to move to cryptographic agility, allowing for migration to encryption which is resistant to decryption by a cryptanalytically relevant quantum computer (CRQC) attack. Within one year of the memo, all agencies are expected to report on information systems which have not mitigated risks of CRQCs. The challenge will be availability of products which meet updated NIST cryptographic standards (FIPS 140) which agencies are required to implement along with maintaining backwards compatibility to support collaboration with others who have not implemented support for these new standards.

Lee Neely

The Rest of the Week's News


2022-05-03

Dept. of Health and Human Services FISMA Compliance Audit

An Office of Inspector General (OIG) audit of the US Department of Health and Human Services’ (HHS) compliance with the Federal Information Security Modernization Act (FISMA) found the agency’s security program ineffective. “The determination was made based on HHS not meeting the ‘Managed and Measurable’ maturity level for the Identify, Protect, Detect, and Recover function areas as required by DHS guidance and the FY 2021 Inspector General FISMA Reporting Metrics.”

Editor's Note

Most of the deficiencies stemmed from lack of full implementation of continuous monitoring based on tools/platforms from the DHS Continuous Diagnostics and Mitigation (CDM) Program. HHS, like many, has a distributed responsibility model from HQ to operational divisions to contractors. This complicates asset inventory, configuration management and full monitoring/reporting, but it is the realistic model for most organizations. It takes more support from the top, and often some additional funding, to completely move the operating divisions away from legacy security controls that have already been paid for.

John Pescatore

As an agency, this is not what you want to hear from your IG. The audit was performed by E&Y on behalf of the HHS OIG. While the report (https://oig.hhs.gov/oas/reports/region18/182111200.pdf) notes improvements since the 2020 evaluation, they are not sufficient to meet the requirements, highlighting the need for stronger supply chain security controls, something we're all dealing with. Read through the management responses in the report; many areas of concern are things we're all dealing with: identity management, identification and categorization of systems, configuration management, appropriate visibility into current state, and making sure that security remains in place. Note the challenges identified in a federated environment and think about how that applies to your own autonomous or semi-autonomous business units or partners when meeting your cybersecurity and interoperation goals.

Lee Neely

2022-05-02

Operational Continuity-Cyber Incident Checklist for Healthcare

The Health Sector Coordinating Council’s (HSCC) Cybersecurity Working Group (CWG) has developed an Operational Continuity-Cyber Incident checklist. The checklist “is intended to provide a flexible template for operational staff and executive management of healthcare organizations to respond to and recover from an extended enterprise outage due to a serious cyber-attack. Its suggested operational structures and tasks can be modified or refined according to an organization’s size, resources, complexity, and capabilities.”

Editor's Note

If you are in healthcare or related medical services, this is a good checklist to apply against your existing playbooks and processes.

John Pescatore

While this is intended as a tactical measure in response to collateral damage from current cyberwarfare activities, this is a good checklist beyond the healthcare industry. Note that this checklist [https://healthsectorcouncil.org/occi] is a collection of homework assignments, many of which you've already completed. Make sure that you've got validated copies in known locations which are accessible during an incident. If you're keeping physical copies in binders, make sure they are maintained on a regular, non-optional basis.

Lee Neely

This kind of guidance is preferable to that (such as HIPAA) which expects buyers and end users to do "risk assessments" which require knowledge and experience that most do not have. While efficient security must be risk based, the most significant risks are common to most organizations. We know what they are; we should not expect each organization to discover them de novo.

William Hugh Murray

2022-05-05

Heroku Acknowledges Cyberattack, Resets User Passwords

Cloud platform-as-a-service provider Heroku has acknowledged that customer account credentials were compromised in a cyberattack a month ago. Heroku began resetting user account passwords earlier this week.

Editor's Note

Heroku notes that some customers may also receive notifications directly from Salesforce relating to actions required after the breach. The exfiltrated passwords are salted and hashed; even so, a forced rotation is a great idea. In addition to password rotations, integration with GitHub and the Heroku dashboard or automation remains disabled; the status update from April 26th includes instructions for deploying their apps until the integration is restored.

Lee Neely

2022-05-05

VPN Providers Find India’s New Rules Onerous

VPN companies have said they might not comply with a new rule from India’s Computer Emergency Response Team (CERT-In) that requires them to collect customer information and retain it for several years. CERT-In wants the companies to keep the information to help with potential cybercrime investigations. Some VPN companies say they might stop operating within the country.

Editor's Note

If your business model is based on anonymity, or not providing logs, this new law makes doing business in India a non-starter. As a user, use of a VPN to secure traffic where your network connection is untrusted remains a best practice. Keep an eye on guidance from your provider when planning use in foreign countries to avoid regulatory entanglements.

Lee Neely

2022-05-05

New Framework for Apps and Technology Not Covered by HIPAA

The American College of Physicians, the American Telemedicine Association, and the Organization for the Review of Care and Health Applications have jointly developed a framework to help secure health-related technology and apps that are not subject to the Health Insurance Portability and Accountability Act (HIPAA).

Editor's Note

The new framework is being piloted, and uses technology which isn't incorporated into the current HIPAA act. In parallel, a new Health Data Use and Privacy Commission Act is in committee. This new act is intended to update the HIPAA requirements allowing for better alignment with modern technology. The trick is to create a framework which provides guidance that is not technology-specific to support advancement and innovation.

Lee Neely

2022-05-05

NIST Updates Supply Chain Risk Guidance

The US National Institute of Standards and Technology (NIST) has published updated guidelines for software supply chain risk management. The document is the result of two earlier drafts and is part of NIST’s response to Executive Order 14028: Improving the Nation’s Cybersecurity.

Editor's Note

This will help you get your arms around beefing up your supply chain security efforts. Watch for an upcoming “quick start” guide to help start your processes. While some actions may require resources and funding, progress can be made with tweaks to existing processes and procedures you can implement today.

Lee Neely

“The primary audience for the revised publication is acquirers and end users of products, software and service.” Caveat Emptor. Buyers and end-users cannot solve this problem. The solution rests with suppliers, with their transparency and accountability. Start with a digital software bill of materials.

William Hugh Murray

2022-05-05

F5 Big-IP Critical Remote Code Execution Flaw

F5 has released fixes to address a critical vulnerability in the Big-IP iControl REST component; the flaw could be exploited to bypass authentication and potentially take control of vulnerable systems. Fixes are available for affected 13.x, 14.x, 15.x, and 16.x versions of Big-IP, but F5 will not be issuing fixes for affected 11.x and 12.x versions.

Editor's Note

This is an authentication bypass flaw with a 9.8 CVSS score. As your Big-IP is often an Internet-facing device, you're going to want to verify the plans to remediate or mitigate this vulnerability. The mitigations may be more complex than simply applying the update. Even so, make sure that you're limiting access to your iControl REST and other management interfaces for your F5 products. If you're on devices running versions prior to 13.x of BIG-IP, you need to update or replace them (the current version is 17.x). Note that BIG-IQ, F5OS-A/C and Traffix SDC devices are not affected.

Lee Neely

Internet Storm Center Tech Corner

Some Honeypot Updates

https://isc.sans.edu/forums/diary/Some+Honeypot+Updates/28608/


Finding the Real "Last Patched" Day (Interim Version)

https://isc.sans.edu/forums/diary/Finding+the+Real+Last+Patched+Day+Interim+Version/28610/


Password-protected Excel Spreadsheet Pushes Remcos RAT

https://isc.sans.edu/forums/diary/Passwordprotected+Excel+spreadsheet+pushes+Remcos+RAT/28616/


Microsoft, Apple, Google Accelerated FIDO Standard Implementation

https://www.theregister.com/2022/05/05/microsoft-apple-google-fido/


Heroku Admits Breach

https://status.heroku.com/incidents/2413


Fake Windows Updates Install Ransomware

https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/


Vulnerabilities in Ransomware

https://www.malvuln.com


Cisco Patches Enterprise NFV Infrastructure Software

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-MUL-7DySRX9


Big-IP iControl REST Vulnerability

https://support.f5.com/csp/article/K23605346


TLStorm 2 - NanoSSL TLS Library Misuse

https://www.armis.com/blog/tlstorm-2-nanossl-tls-library-misuse-leads-to-vulnerabilities-in-common-switches/


Unpatched DNS Bug in uClibc and uClibc-ng Library

https://www.nozominetworks.com/blog/nozomi-networks-discovers-unpatched-DNS-bug-in-popular-c-standard-library-putting-iot-at-risk/


Abusing Security Software to Sideload PlugX and ShadowPad

https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/


Microsoft Edge Update Triggers Trend Micro AV

https://success.trendmicro.com/forum/s/question/0D54T00001QDqzgSAD/we-are-getting-this-message-from-every-client-since-several-minutesis-it-a-false-positiv-error-or-do-we-have-a-real-trojaner-problem-