Turn on Zoom Client AutoUpdate; Verizon Report Hits and Misses; Check If Your Cloud Service Provider is Using Unpatched Quanta Servers

The client-side fix was out in April. All Zoom client software now supports auto-update for faster patching – make sure it is turned on for managed devices and encourage users to enable auto update on personal devices. Same advice applies to most PC/Mac client software these days.

John Pescatore

A few things happening here: XMPP parsing inconsistencies allowed inclusion of malicious content, known as XMPP Stanza Smuggling) and could be used to cause the client to connect to another server which could be a MITM; the update installer didn't fully check that what was being installed was really an update, allowing the client to be tricked into installing an older version with known vulnerabilities. The good news is Zoom has auto-update capabilities working on Mac and Windows now, the bad news is you may have to manually update to get to that version. Make sure your systems are running at least 5.10.0.

Lee Neely

Enable the auto-update feature in your Zoom and every other piece of software that allows it. Do it for your friends and family as well.

Jorge Orchilles

Verizon no longer includes the most valuable data they have from their investigations – what vulnerabilities enabled the attacks to succeed? They used to show this in a table mapping the exploited vulnerabilities to the Critical Security Controls. It was a great graphic to use in explaining the critical need to at least get to basic security hygiene levels and avoid 70% or more of those attacks. Another point: the DBIR and others often show phishing and “use of stolen credential” statistics separately, where a high percentage of stolen credentials were obtained through phishing. Don’t underestimate the urgency of reducing used of reusable passwords on high value accounts.

John Pescatore

In 2022, we as security professionals should all reject the idea of “human element” as something that “accounts for” 82% of breaches, especially of a breach that is worthy of inclusion in the DBIR. Yes, individual people will click a link, or click an attachment, or enter their password into a fake form. That's gonna happen, and the job of the security profession is to make those basically as low impact as possible. Security professionals are failing to properly architect and implement basic controls (in some cases, for legitimate reasons, such as lack of budget, etc), and then blame users for clicking links that make it through the corporate email filters, then saw through the entire network from an unprivileged user laptop... This is not a good statistic to bandy around. All the awareness training won't remove the click, it just reduces the CLICK RATE, which, even if low, the click eventually happens. Then what? Controls beyond the user's scope of work should kick in.

Gal Shpantzer

The human element, as in problem exists between keyboard and chair, is our greatest and best challenge. This doesn't mean we need to stop raising the bar on technology to reduce the opportunities for error, it means we need to work just as diligently on relevant training and support. Pay attention to feedback. Don't ignore reports of people checking out in the middle of a session, or questions of relevance to life the universe and everything, rather partner and pull the thread to find out why your message and their mission don't match, then team up to fix it.

Lee Neely

For the past 4 years the VZ DBIR has identified people as the primary attack vector and top driver of breaches. For the past two years they even put a number on it (over 80% of breaches for past two reports). Cybersecurity is no longer just a technology challenge but also a human one. Until we start also addressing the human side of cybersecurity, to include security culture, we are going to continue to lose this battle.

Lance Spitzner

That 82% of breaches are due to human issues demonstrates how badly we are failing as an industry and highlights the fallacy that many vendors and security practitioners have on focusing on APT and/or zero day attacks. Similar to how modern automobile safety features protect drivers when they make a mistake, our security controls should act as the equivalent of crumple zones, seat belts, and airbags to protect people when they are duped into clicking on a link or an attachment.

Brian Honan

Must reading. One of the best open sources of intelligence for security professionals. Other key findings: Insider risk is far greater from error than from malice. Credential compromise is far more likely from social engineering than from brute force attacks. Therefore, prefer strong authentication to strong passwords. I asked the authors if they could see the impact of Strong Authentication. They responded “Not really. If one is using MFA one is not likely to be in the database of breaches.” Finally, healthcare and finance stand out in the data. For different reasons, each industry may be better at reporting than others.

William Hugh Murray

Do not assume that systems arrive from OEMs fully patched and "secure." Sadly, in this case, you will not even be offered a patched firmware for update. What makes this worse is that attacks against BMCs can be very difficult to recover from (if you are even able to detect them).

Johannes Ullrich

Firmware security is a real thing and it's underappreciated. Imagine a chip maker putting a null-auth webserver in the firmware, for example.... From 2017 https://www.intel.com/content/www/us/en/architecture-and-technology/intel-amt-vulnerability-announcement.html

Gal Shpantzer

Any procurements for cloud services, especially if going outside the major providers like Google, and Microsoft, should include questions about vendor patch status/practices and clauses for cloud service provider liability. None of that protects you or your customers but it raises the visibility of security to smaller/less expensive cloud services providers and can point out the danger of selecting them.

John Pescatore

BMCs are leveraged to manage systems at scale, allow for raw-iron management for activities like a full OS reinstall, about as close as you can get to physically accessing the box, which makes certain attacks much easier. (Such as a single-user boot.) As such, addressing vulnerabilities and lifecycle replacements where updates are not available are critical. Quanta's model of quietly working customer by customer is not sufficiently transparent for you to truly assess your risk envelope.

Lee Neely

India's businesses were already facing the task of implementing the new incident response orders within 60 days; this directive is focused on market infrastructure institutions (MIIs), aka stock exchanges, clearing corporations and depositories, which must have their board sign off on their critical systems and report status of the larger requirements in the circular within ten days. Most boards I know need significantly more time before voting on a significant issue, let alone reporting on the progress towards implementation. The intent of the framework is to raise the bar consistent with the modern threat landscape, which is to be commended, and a more realistic timeframe is appropriate, such as 100 or more days. We all should have accurate hardware, software, and vulnerability data, and be performing regular security testing and reviews to make sure we're not overlooking.

Lee Neely

I welcome the focus on detection and response vs. the goal of preventing an attack. Assume breach and focus on testing, measuring, and improving your people, process, and technology – make sure your team is trained in Purple Team processes and techniques.

Jorge Orchilles

Ransomware is the final action on objectives. You have multiple detection opportunities before the malicious actors get to that step. Tabletops are a great resource but go further with a data and evidence-based approach by actually testing yourself. Train like you will fight the adversaries.

Jorge Orchilles

Good news: they were able to contain and remediate the ransomware attack quickly. The bad news is interdependent systems were impacted, resulting in delays and confusion from passengers who were not aware of what was happening. Two takeaways - first, communicate fully and as comprehensively as possible when you know what is going on; second, make sure dependencies are not only documented but understood. Sometimes recovery of one system may need another to roll back transactions, or have transactions manually applied to achieve full recovery to operational status. Trust me, you don't want to discover this during an incident.

Lee Neely

Last year applicants came from over 250 school districts, which is an indicator we have a gap that companies like IBM can fill. IBM is not just sending money, they are sending tools and resources, which not only aids success, but also is a model you could follow to help your local schools by leveraging existing staff, products, and processes, no matter which country you're in.

Lee Neely

I welcome this and other initiatives that teach security earlier in life. NewsBites readers: challenge yourself to share what you know to the next generation. Every little thing helps, from career day presentations to demos to teaching. We need a security focused culture from the beginning.

Jorge Orchilles

Lesson here is to make sure that when scraping data make sure that operation is allowed by the sources you're obtaining information from, and, more importantly, make sure that your use and storage of that data is consistent with the regulations in the area you're operating in. As more privacy laws are enacted, their relevance/applicability is going to become increasingly important to avoid legal entanglements.

Lee Neely

The team at Palo Alto's Unit 42 have been tracking this individual since 2017, meaning that apprehending parties behind BEC can take a lot longer that you expect. In the meantime, double down on making sure you and your staff are prepared to recognize and avoid BEC attempts. Don't forget to talk to your service providers, internal or external, to ensure you're leveraging all the tools in their arsenal.

Lee Neely

We don’t hear much about BEC even though it is one of the most profitable attacks by adversaries. Kudos to law enforcement for this arrest.

Jorge Orchilles

A big well done to all those involved in this operation and in making the online world a little bit safer.

Brian Honan

The trick is to filter both for products you're using and for updates you're already applying to spot gaps. Separately, you should be checking post-patch that the updates you think are applied are really applied.

Lee Neely

This is a start, DHS CISA will also have to provide funds and expertise to make progress improving cybersecurity at state/local managed critical services like water, just as they had to do for election systems.

John Pescatore

The trick is enlisting water companies both large and small. Small operations will need to leverage external services. If you don't have sufficient support for your operation, reach out to your local ISAC or CISA branch to get connected with resources. Remember CISA services are taxpayer funded.

Lee Neely