SANS NewsBites

Government Agencies That Have Lagged in Updating Legacy Systems May Lag in Implementing MFA; Check and Patch Android Phones Again; Warn Users About Risks of Using Facebook Messenger

June 10, 2022  |  Volume XXIV - Issue #46

Top of the News


2022-06-08

RSA Conference 2022 Lifetime Achievement Award Posthumously Awarded to Alan Paller

On Wednesday, the RSA Conference awarded Alan Paller, the founder of SANS who passed away in late 2021, with the 2022 RSAC Lifetime Achievement Award. You can watch the tribute to Alan and award acceptance by SANS Technical Institute President and longtime instructor Ed Skoudis at https://www.youtube.com/watch?v=zufVATv8zqE.

Thanks, John P.


2022-06-08

US Government Agencies with Legacy Systems Face Struggle to Implement MFA

Eric Goldstein, CISA executive assistant director for cybersecurity, told Cyberscoop that US government agencies with legacy systems may have difficulty implementing multi-factor authentication (MFA). Agencies were required to have implemented MFA by November 2021 as per a May 2021 executive order. The Biden administration is seeking $300 million for FY 2023 for the Technology Modernization Fund, which will be used to help agencies upgrade outdated IT systems.

Editor's Note

Implementing MFA usually implies implementing some form of SSO/IAM. Many organizations struggle not only with legacy systems, but also with new SaaS offerings that only offer integration with standards like SAML for a substantial additional fee. 100% MFA is (sadly) not always realistic and you will have to consider other controls for systems that do not support MFA. For example, you could require access via a VPN that uses MFA. For SaaS platforms: Pay up or find an alternative.

Johannes Ullrich

Over the years this has been the “the dog ate my homework” excuse for government agencies that are slow to make basic security hygiene improvements. History note: in 2001 a federal judge ordered the Bureau of Indian affairs to disconnect from the Internet because it could not protect Native American trust information. Some BIA offices were not allowed to reconnect until *2008*. We are at the point where failure to move away from reusable passwords on government networks (all networks, really) is a reason to say, “No Internet for you.”

John Pescatore

Many initiatives which expect MFA implementations assume applications are modernized to support current authentication mechanisms, such as SAML and a federated IDP, where enforcing MFA is a configuration task. Legacy applications are sometimes fitted with new entry points which themselves support MFA; in so doing, care must be taken to not leave a path to the old less secure entry point. In the past we have raised the bar by implementing solutions which leveraged the password field for their one-time authenticator and then augmenting the password validation process. Note that current directives require phishing-resistant MFA, which means this too may need updating. When replacing legacy systems, plan carefully, not only for acquisition and implementation but also business process re-engineering. Avoid the trap of modification of the new solution to implement old business models which can result in an increased mortgage and make future updates challenging if not impossible.

Lee Neely

Systems that are resistant to such a simple but powerful measure should be candidates for replacement rather than simply upgrade. While some argue that strong authentication is the most efficient security measure, it is unarguable that it is in the top three.

William Hugh Murray

2022-06-08

Android Updates for June 2022

Google has released its Android updates for June 2022. Of the 41 vulnerabilities addressed in the updates, five are rated critical. There are updates available for Android 10, 11, and 12. Among the vulnerabilities addressed are a remote code execution flaw in Android Media Framework and a denial of service/remote code execution vulnerability in Unisoc chip firmware.

Editor's Note

Some Android phones (such as Google Pixel models) will get these updates fast; others (in the past, most Samsung phones) will not. Spot check a few different makes of phones across your security team and warn users of those phones that they are at risk.

John Pescatore

Note that the source code for the fixes is released to the AOSP repository 48 hours after the security bulletin is released, and your device manufacturers are notified a month before this is published. All of which means that attackers can now start reverse engineering the flaws and, more importantly, that you shouldn't wait on applying updates once published. If your OEM is not providing updates rapidly, you may want to assess the risk of their lagging behind and decide if another provider is appropriate.

Lee Neely

2022-06-09

Facebook Phishing Campaign

A phishing campaign targeting Facebook and Messenger users has stolen millions of account credentials and tens of millions of dollars. The phishing campaign operates by sending a malicious link in DMs from compromised accounts. The link redirects recipients through a series of pages containing ads, ultimately landing on a phony Facebook login page. The campaign has been ongoing since late 2021.

Editor's Note

Facebook Direct Messenger is kinda like the Red Dye #2 of Internet communications – it really ought to be banned and replaced with something that at least has the same level of filtering that all email and SMS messaging gets these days. A warning about Facebook Messenger should be part of your security awareness outreach, as all too often security awareness videos that users have to watch will just talk generically – in many cases, warnings about using specific products and services are justified and needed.

John Pescatore

The attack includes about 400 unique Facebook phishing pages; analysis of 17 found an average of 985,228 visits. The attacker claims they net about $150 for every 1000 visits. Be careful with FB messenger: make sure that messages are really coming from your friends, particularly when one shows up from someone you're not accustomed to using Messenger with. I suggest verifying their status through other mechanisms. The URLs shared are using common URL generators like litch.me, famouis.co, amaze.co and funnel-preview.com, which are also used by legitimate apps. That said, if you're not used to getting links from these domains, don't click them.

Lee Neely

A key here is when training your workforce on “phishing,” emphasize that phishing is no longer just email attacks, but also SMS, voice phishing, or social media. Focus less on the medium that is used and more on the most common indicators of a social engineering attack; they are often the same, a tremendous sense of urgency being one of the most common.

Lance Spitzner

The Rest of the Week's News


2022-06-09

New Microsoft Defender Feature Isolates Unmanaged Devices

A new feature in Microsoft Defender for Endpoint (MDE) allows administrators to “contain” unmanaged (not enrolled in MDE) devices and devices suspected of being compromised. The feature is designed to prevent threat actors from moving laterally within organizations. MDE will tell enrolled devices to block all communication with devices tagged as “contained.” The “contain” feature works only on enrolled devices running Windows 10 or later or Windows Server 2019 or later.

Editor's Note

This is essentially good old-fashioned NAC (Network Access Control) which is really the foundation for any form of “Zero Trust.” (History note: Microsoft called it Network Access Protection and Cisco called it Network Admission Control back in the day.) NAC got a bad name 15 years ago due to interoperability issues across vendors and because it was mainly used to keep unpatched PCs from connecting - which punished the users for an IT ops failure to patch. Prioritize a testbed network segment to try it out – you will likely need to do some upskilling to deal with false positives, defining “contain” to balance security with disruption, and in threat hunting skills to investigate the devices being contained.

John Pescatore

Pay attention to how this works. If it fits your environment, you should definitely start piloting the capability. You can only use this capability on MDE devices, and the controls only work against other MDE devices. That said, this is an effective way of removing access to resources for devices which are compromised or otherwise don't meet your acceptable level of risk. Also, containment is tied to machine identity rather than IP address, so access is blocked irrespective of connection location or IP.

Lee Neely

2022-06-08

Sophos Says Dwell Time Increased in 2021

Sophos has published its Active Adversary Playbook 2022, which “details the main adversaries, tools, and attack behaviors seen in the wild during 2021 by Sophos’ frontline incident responders.” The report found that average dwell time for cyber intruders increased from 11 days in 2020 to 15 days in 2021. Healthcare organizations had on average the shortest dwell time (8.5 days), while educational institutions had the longest (34 days). Average dwell time was higher (more than 50 days) for companies with 250 or fewer employees than for larger organizations.

Editor's Note

Make sure your detection and response capabilities are where they need to be. Talk to your defenders to find where they have gaps, then take steps to address them. Make sure that you're leveraging all the tools and automation available from your services. If you're too small to insource your defense, talk to your service provider to make sure you have sufficient coverage. Lastly, schedule regular assessments and tests to verify you're where you should be. Don't forget to leverage resources from your local CISA, ISAC etc.

Lee Neely

While not a good statistic, it is better than in years past when average dwell time was measured in months, not weeks. However, the most recent DBIR report had a disturbing metric about dwell time: over 50% of breaches were self-reported by the cyber attacker. In other words, the victim found out about the breach from the attacker themselves (primarily ransomware).

Lance Spitzner

2022-06-09

Follina is Being Actively Exploited to Spread Malware

Threat actors continue to exploit the Follina vulnerability in Windows (CVE-2022-30190) to spread malware. In addition to the phishing attacks targeting European and US government entities with Qbot malware, as noted by Proofpoint, Symantec has detected threat actors exploiting the vulnerability to spread AsyncRAT.

Editor's Note

Remember we were holding off on disabling MSDT? It's time to re-assess. Your endpoint and other protection services are updating their protections. The attacks are coming from multiple well-resourced organizations. You need defense in depth.

Lee Neely

2022-06-08

Joint Advisory: China Exploits Known Vulnerabilities to Target Telecoms

In a joint advisory, the US National Security Agency (NSA), the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) warn that Chinese “state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure.” The advisory lists 16 known vulnerabilities the hackers have been exploiting to infiltrate networking devices from 10 vendors.

Editor's Note

These are not new vulnerabilities. They range from 2017 to 2021, and most are in network equipment (firewalls, switches, access points, NAS). It is paramount to make sure that your boundary protection and network devices are kept updated and secure, particularly as more segmentation and NAC solutions are implemented to support a more flexible service access model such as zero trust.

Lee Neely

2022-06-08

CISA’s Cyber Innovations Fellows Initiative

The US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Cyber Innovations Fellows program will bring experts from the private sector to work at the agency part-time for up to four months. The fellows will bring “their expertise to some of our most critical teams.” CISA will hire the first group of up to eight fellows later this year.

Editor's Note

CISA has been working hard to raise the bar for both public and private sector cyber security. Even so, it has been noted that some of the CISA directives are not viable in the real world. This is an exciting opportunity to infuse real world experience and expertise into their processes as well as gain insight and understanding you can bring back. They are looking for a broad range of expertise including AI, ML, Cyber Risk, Remediation, Cloud, SBOM and Threat intel. If you’re interested, read the CISA Prospective Cyber Fellow Candidates page for details: https://www.cisa.gov/prospective-cyber-fellow-candidates

Lee Neely

2022-06-09

CISA Adds 39 Flaws to Known Exploited Vulnerabilities Catalog

This week, the US Cybersecurity and Infrastructure Security Agency (CISA) has added 39 flaws to its Known Exploited Vulnerabilities Catalog, 36 on Wednesday, June 8 and three more on Thursday, June 9. The flaws have mitigation due dates between June 22 and June 30.

Editor's Note

Note that there are multiple vulnerabilities which can be resolved with a single update, such as pushing the latest Chromium, Acrobat and Microsoft updates. Note there are some Flash Player issues listed. It is past time to remove Flash with extreme prejudice. CISA has also updated their guidance and FAQs associated with the KEV catalog: https://www.cisa.gov/uscert/ncas/current-activity/2022/06/07/cisa-provides-criteria-and-process-updates-kev-catalog

Lee Neely

This database is becoming quite large. It demonstrates how porous our environment is. Items in the catalog should get priority when patching.

William Hugh Murray

Internet Storm Center Tech Corner

Atlassian Confluence Attacks

https://isc.sans.edu/forums/diary/Atlassian+Confluence+Exploits+Seen+By+Our+Honeypots+CVE202226134/28722/


TA570 QBot attempts to exploit CVE-2022-30190 (Follina)

https://isc.sans.edu/forums/diary/TA570+Qakbot+Qbot+tries+CVE202230190+Follina+exploit+msmsdt/28728/


QBot Uses Follina

https://twitter.com/threatinsight/status/1534227444915482625


Analysis of a Facebook Phishing Campaign

https://pixmsecurity.com/blog/blog/phishing-tactics-how-a-threat-actor-stole-1m-credentials-in-4-months/


Zyxel Security Advisory

https://www.zyxel.com/support/Zyxel-security-advisory-for-CRLF-injection-vulnerability-in-some-legacy-firewalls.shtml


Fujitsu Centricstor Vulnerability

https://research.nccgroup.com/2022/05/27/technical-advisory-fujitsu-centricstor-control-center-v8-1-unauthenticated-command-injection/


Meeting Owl Vulnerabilities

https://www.modzero.com/static/meetingowl/Meeting_Owl_Pro_Security_Disclosure_Report_RELEASE.pdf


Fake CCleaner Malvertisements

https://blog.avast.com/fakecrack-campaign


Weakness in Verbatim Keypad Secure USB Drive

https://blog.syss.com/posts/hacking-usb-flash-drives-part-1/


The Trouble With Microsoft's Troubleshooters

https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd


Deadbolt Ransomware

https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html


Google Android Updates

https://source.android.com/security/bulletin/2022-06-01?hl=en