Splunk On-Premise Users Need to Patch ASAP; Microsoft Finally Releases Follina Fixes; Microsoft Slow on Releasing Azure Vulnerability Patches

If you're on Splunk 9.0, you will need to apply the patch. Due to the newness of the patch, you may wish to wait for any updates/issues to be squared away, If you're doing that, you need to disable the deployment server unless you're actively using it to deploy configuration updates. The ISC blog below has details on this approach. If you're not on Splunk 9.0, time to roll up your sleeves and get that update going.

Lee Neely

This does not impact Splunk Cloud users, so relevant to a bit more than half of Splunk customers. SaaS vendors have a simpler patching issue than IaaS vendors, but in procurement very important to ask about and evaluate the vendors patch time commitments, their use of external Cloud Service Providers and DoS protection as well as broader security processes and controls. Like many security software vendors, Splunk is seeing it cloud business grow more than twice as fast as on-premises deployments. But margins (profit on sales) are still lower for cloud sales vs. on-premise. Important to keep the pressure on all security vendors to make sure cloud security of their own offering is Job 1, even as they look to constrain costs to improve cloud profit.

John Pescatore

The Follina fix was issued with a release date of May 30th, which caused a bit of confusion as it wasn't part of the June 14th set of patches. But it is included in the rollup patches. Please apply expeditiously. Also note the NFS patch. While not enabled by default, this is the third month in a row for NFS patches and this time, additional details regarding the vulnerability have been published by the discoverer making an exploit more likely.

Johannes Ullrich

The patches address both the MSDT flaw and the Windows Network File System flaws. The NFS 4.1 fix is for your servers, and while critical, you may wish to test prior to wide deployment. Also, in case you're missing it, June 15 is the de-support date for IE - take care of your support and IT teams this month, it's going to be busy.

Lee Neely

Using the cloud (aka “someone else's computer”) requires trust. Delayed fixes and missing transparency about the risks your data is exposed to does not build trust. On the other hand: As long as it is cheap and easy enough, people will probably use it anyway.

Johannes Ullrich

I started Gartner’s coverage of cloud service security back in 2010 or so and a key issue was how cloud service providers would patch their underlying infrastructure. Testing patches to make sure a 10,000 user enterprise isn’t impacted is tough enough – Microsoft has over 700M users on Azure Active Directory. Obviously, Microsoft has the biggest problem since Windows vulnerabilities get outed the quickest, but Amazon AWS has the biggest market share (over 1M users). They have to walk the line between risk of customers being compromised by attackers exploiting the vulnerability and too-fast push out of patches that aren’t fully testing, leading to downtime at hundreds to thousands of customers. Right now, Microsoft is erring on the side of avoiding the latter, which is probably prudent since some recent MSFT patches have had to be recalled.

John Pescatore

It took Microsoft three tries to fix the vulnerability; the full fix was released in May. We have seen multiple patch cycles previously. The risk is that with cloud services you're not only dependent on the software provider for the fix, just as with on-prem, but also restricted to the mitigations they provide, which is unlike on-premise services. Make sure that you're considering this risk, weighed against the providers track record of deploying updates and inclusion of possible compensating security measures.

Lee Neely

This is just a port of the paper version of the OCR Security Risk Assessment tool to electronic/spreadsheet format. So, if you were already using the paper version, much easier to use. But the questionnaire is heavy on policy and compliance, much lighter on actual security defenses/controls. A decent starting point if you are starting from scratch but will also need tailoring for most environments. There are 64 questions with “I don’t know” as possible answers. The spreadsheet logic will show those as yellow for if you use that answer, but a “Huh?” response should be high risk/red – if you answer “I don’t know” on more than a handful, time to stop and get a detailed security assessment performed.

John Pescatore

Download the tool from the HealthIT.gov Security Risk Assessment Tool website (see link below). It is available as an application for windows 7/8/10/11 systems which stores data locally, or an Excel workbook. The questions include guidance for each of your possible answers, whether it is required, and the source for the question. Sections also include Threats and Vulnerabilities questions which you can leverage to see your risk score. Allow sufficient time to honestly assess yourself, resist the blame game. If you find yourself with a lot of critical or high-risk scores, or I-don't-know answers, consider a professional engagement to help you both verify your assessment and devise a risk-based path forward.

Lee Neely

Most of the reaction has been because HHS OCR is asking many questions on how best to determine monetary penalties for failure to protect personal health information. HIPAA has been out since 1996, HITECH since 2009, OCR enforcement actions did not start until 2017 and have been mostly driven by complaints not by proactive assessments – since 2017, OCR has had 105,189 complaints and only 1,739 Compliance reviews and fines were assessed in only .06% of cases, roughly only 1 out of 1500. Bottom line: most likely outcome is language accepting use of widely accepted frameworks, followed by increase proactive assessment and higher occurrence of fines. Legislation moves slowly – earliest start is probably FY 24. So, develop a 2-3 year strategic gap closure plan to convince management to fund progress over that period to avoid future punitive actions (sounds scarier than just saying fines…)

John Pescatore

Security frameworks need to be viewed from both a risk perspective and a as a minimum bar. Use them to identify potential gaps in your protections, document your decisions.

Lee Neely

Since extended DDoS attacks can cause cloud service providers to start failing to meet service level agreements, the larger CSPs generally have strong DDoS filtering in place, usually a mixture on in their data centers and used of services like Cloudflare or Akamai/Prolexic. Make sure the security group is involved in evaluating cloud service procurements to assure thatsuch hybrid DDoS protection is part of the bid – payoffs on SLA failure only give your company rebates on future bills, no level of business interruption costs are included.

John Pescatore

Even though this thwarted attack was targeting services on the free tier Cloudflare plan, verify your CDN provides DDoS protections on the service you're using. Cloudflare is comparing the relative impact for small device/IoT botnets (730,000 devices) versus smaller collections of server class nodes (5,067 devices). The larger botnet only generates 1.3 million rps, meaning while protecting your IoT devices is key, it's still paramount to consider your physical and virtual servers as high value targets for acquisition. Pay particular attention to unexpected workload bursts, consistent with DDoS attack duration.

Lee Neely

This is about cyber hygiene. Attackers are leveraging compromised credentials, which is best mitigated through the use of MFA. If you must hang on to reusable credentials, use services to check breach dumps for compromised credentials, to include rapid action for discovered compromised accounts.

Lee Neely

We have witnessed successful ransomware attacks against public sector bodies throughout the United States and Europe. There is no reason not to expect similar types of victims in other regions such as Latin America.

Brian Honan

On the Internet, anything beyond the network jack in your system should be considered hostile anyway. Russia would be negligent not to reroute networks they physically control.

Johannes Ullrich

This is why end-to-end encryption is so important. Encryption is not just a tool to protect privacy, it is also a critical security tool which not only protects data but, as exemplified here, can protect people’s lives and their freedoms. Those looking for backdoors into encryption need to role play what would happen if a hostile and/or oppressive government had access to individuals’ internet traffic.

Brian Honan

The Ukrainian ISPs don't have a lot of choice here, as the Russians are able to make the changes if they refuse, and have physical access to the network equipment to obtain access. Watch to see if users can successfully use VPNs to bypass anticipated restrictions of access and attempted monitoring. If you are unsure of the network, wired/wireless or cellular you're using, use a VPN to secure the connection to a trusted exit point. Note that some services filter connection methods some VPNs use, so be prepared to use alternate offerings.

Lee Neely

Short response is no single action is alone complete for determining, let alone mitigating, software supply chain risks or any risk. SBOMs will have to part of the solution, but the starting point is enterprises having accurate software inventories – the most likely apps to be compromised are the ones that are NOT in ITs configuration management database or spreadsheet of software license.

John Pescatore

Information to make informed decisions is important. The usefulness of SBOMs will depend on how we consume/analyze them. It may become tricky to keep up with SBOM evaluation due to rate of update or complexity unless we have trusted automation to identify risks.

Lee Neely

[Neely] The report includes business impact, key takeaways, examples, and security guidance for each of these risks. Use this to develop processes to ensure minimum security practices are implemented for your current and future cloud services. https://cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-pandemic-eleven/

Lee Neely

This is similar to moving from arresting and sentencing one person buying drugs or weapons to doing so to a dealer selling to dozens – obviously a good thing. The next step is going after the sketchy hosting/IaaS companies providing capacity to some “cybercrime as a service” criminals. Even better would be ISP ingress and egress filtering of obviously malicious traffic.

John Pescatore

Having DDoS protection must become SOP for internet facing services. While court cases like this may provide some deterrence, having active technical countermeasures in place will provide a more rapid return, and possibly help your CISO sleep at night.

Lee Neely